Hello everyone.
Recently having gotten the Pixel XL coming from the Nexus 6P I noticed when attempting to enable tethering that the Pixel tried to call out to see if my device was provisioned or not and would fail because even though I use StraightTalk the Pixel thought I was an ATT customer because of the duplicate MCC/MNC that TracFone uses. I had used this same technique on previous devices and thought I'd give it a try on the Pixel. Much to my happiness the coding structures were the same.
I decompiled framework-res.apk and found all of the array references to 'CarrierEntitlement.Activity' and removed all (16 in total, for various MCC/MNC combinations) of them and it worked!
Attached is a zip that contains a shell script and a directory with the modified framework. I realize that there are posts documenting build.prop edits that can achieve the same result but I feel this method is cleaner and possibly easier. Once the modded framework is in place you can then delete the CarrierEntitlement.apk completely from /system.
To be honest, I was unaware of that until after I completed this project else my laziness would have likely kicked in LOL :laugh:
Installation is the same as the WETA mods found elsewhere in this forum. You will need 'Root Broweser' or any explorer tool that can execute shell scripts as root.
Inside the zip there is one directory. Copy it and its contents to the root of your sd_card. The end result directory path should look like this: /sdcard/mostyle
Inside the mostyle directory there exists a shell script entitled 'flash_mod.sh' that you will need to execute with root permissions. It should only take two to three seconds and the script will remove its files and your device will warm boot.
My thanks go out to @Mentalmuso whose scripting mine is directly based on and his pointers on rebuilding the apk.
Nice...will this work on a play store bought, on Verizon network pixel XL?
Sent from my Pixel XL using XDA-Developers mobile app
It should yes. I removed the code link for all carriers.
mostyle said:
I decompiled framework-res.apk and found all of the array references to 'CarrierEntitlement.Activity' and removed all (16 in total, for various MCC/MNC combinations) of them and it worked!
Click to expand...
Click to collapse
Good work brother!!! :good:
So you don't have to patch framework each time, modify the getCarrierEntitlement method like this, bind mount apk using su.d script, and it should work for the foreseeable future:
Code:
.method public static getCarrierEntitlement(Landroid/content/Context;)Lcom/google/android/carrierentitlement/CarrierEntitlement;
.registers 2
.param p0, "context" # Landroid/content/Context;
.prologue
.line 56
const/4 v0, 0x0
return-object v0
.end method
Was working for me earlier now says service not provided contact customer support? Any idea what changed. I extracted it and then executed it?
kirschdog1 said:
Was working for me earlier now says service not provided contact customer support? Any idea what changed. I extracted it and then executed it?
Click to expand...
Click to collapse
Strange that it would have been working and stopped. Not sure. Anything changed with your device? Update? Different mod? Worse case scenario attached your framework here and I'll see if it differs somehow.
mostyle said:
Strange that it would have been working and stopped. Not sure. Anything changed with your device? Update? Different mod? Worse case scenario attached your framework here and I'll see if it differs somehow.
Click to expand...
Click to collapse
I wonder if somehow dm-verity got turned on. It is supposed to fix "corruption" now, which means it is possible that changes to /system can be reverted if you boot normally with dm-verity on.
Fenny said:
I wonder if somehow dm-verity got turned on. It is supposed to fix "corruption" now, which means it is possible that changes to /system can be reverted if you boot normally with dm-verity on.
Click to expand...
Click to collapse
Interesting. Where does the replacement data originate from, the opposing mirror partition (system_a, system_b)?
If that is the case, wouldn't passed the modded data to both slots alleviate this?
I'll read up on dm_verity. I confess I know no details about it.
Interesting how dm_verity functions, with its multilayered crypto hashes. I confess I still don't see where the hash is originated from.
Just checked my device and the hotspot is still working as intended.
Mind screenshoting the error and I'll find the exact string in the resources and reverse the code to see where it's called.
mostyle said:
Interesting. Where does the replacement data originate from, the opposing mirror partition (system_a, system_b)?
If that is the case, wouldn't passed the modded data to both slots alleviate this?
I'll read up on dm_verify. I confess I know no details about it.
Click to expand...
Click to collapse
If you're Googling it, I would include the term "forward error correction" in your query.
*EDIT*
The recovery data is calculated using parity. I'll use bitwise xor as a simple example of the basic concept:
If you have a large enough set of data, you can reasonably assume that corruption should only occur on a contiguous set of blocks in any large amounts. If you assume that, you can store the xor result of a given set of bits stored at distributed locations on your storage volume.
Given the equation set:
Code:
A ^ B = C
C ^ B = A
A ^ C = B
You can see that it is possible to take a large string of xor functions and store the bitwise result as recovery data. Then using dm verity, since you know which bits are corrupt, you can easily solve for A, B, or C.
On a 3GB system partition, it is possible to recover 14-20 MB of contiguous data using FEC.
morpheousrx said:
Nice...will this work on a play store bought, on Verizon network pixel XL?
Sent from my Pixel XL using XDA-Developers mobile app
Click to expand...
Click to collapse
Just in case anybody else was wondering... Yes, it does. Play Store bought, Verizon UDP, works like a charm.
Sent from my Pixel XL using XDA-Developers mobile app
calbruc said:
Just in case anybody else was wondering... Yes, it does. Play Store bought, Verizon UDP, works like a charm.
Click to expand...
Click to collapse
I'm using a Nexus 6P updated to 7.1.1 and flashed a mod from XDA to get Pixel features going and now my 6P is recognized as a Pixel XL. Should I try this to enable tethering or look for a solution specific for the 6P?
Most definitely DO NOT.. Pixel features does not mean this is compatible with an OS from a different device.
mostyle said:
Most definitely DO NOT.. Pixel features does not mean this is compatible with an OS from a different device.
Click to expand...
Click to collapse
Cool, thank you. I'll have to look for another way then. I did like how simple it was on Marshmallow to just add a line of text and reboot to get it working.
Related
This software is currently in BETA status! This means that a lot of people have tested, and reported good results. There are still issues, but if you take note of the known issues and make sure to avoid them, you very likely will have no problems in using this fix. The worst this software should be able to do is force you to reflash your phone, by removing the battery and turning on the device with HOME+VOLDOWN+POWER + Odin and then following one of the many guides to flash a new firmware to your phone.
More questions about how this fix works? Check out the FAQ - http://forum.xda-developers.com/showpost.php?p=7620940&postcount=2
UPDATES:
There is currently a 2-3 version made by me that can be found here that has more features: http://forum.xda-developers.com/showthread.php?t=751864
Tayutama has made an update.zip version that is easy to install - http://forum.xda-developers.com/show...&postcount=208
Chainfire has a .NET version of this fix with some nice features - http://forum.xda-developers.com/showthread.php?t=751513
Ubuntu version is here: http://forum.xda-developers.com/showpost.php?p=7671640&postcount=583
[size=+2]DEPRECATED:[/size]
[size=+1]This lagfix is now marked as DEPRECATED and the following tool should probably be used in all circumstances that this one would be used in: http://forum.xda-developers.com/showthread.php?t=760571[/size]
Details about what this fix does:
Creates a VIRTUAL EXT2 filesystem inside the stock RFS filesystem on the internal SD card, with a 4KB block size. This means that this lag fix creates a buffer between the real filesystem and the android system. This buffer should reduce the amount of disk I/O required for all operations by utilizing EXT2 buffering, as well as not writing file access times to disk, etc. It allows only 1GB for application data at this stage, down from the 2GB of application data when running stock.
Folders that are currently supported:
/data/data
/data/system
/data/dalvik-cache
More folders can be added, and should help performance further.
Advantages for this fix over mimocan's fix
Does not require an external SD card.
Allows the external SD card to be removed and reinserted into the device.
Faster speed (Quadrant benchmarks of 2000+ vs 1700 for mimocan's fix)
Possible battery savings, by not requiring the external SD card to be always active.
Requirements for this fix
(Beta Release) The ability to reflash your device if something goes wrong.
Any firmware should work, including 2.2 froyo firmwares. (Tested!)
Rooted device - I used this: http://www.addictivetips.com/mobile...t-samsung-galaxy-s-i9000-with-a-single-click/
Busybox 1.17.1 from http://forum.xda-developers.com/showpost.php?p=7574130&postcount=229 -
You must have a busybox version installed that has mkfs.ext2. If unsure, install 1.17.1 from that thread!
That thread has an APK that you must sideload onto your device. Once installed, you will have a new application on your phone called "BusyBox Installer".
Run this application, and it will have a button to install busybox. Click the button, and it should install it for you!
If you have made a mistake and run this without the right busybox, there may be a solution for you! Check out this post: http://forum.xda-developers.com/showpost.php?p=7580071&postcount=187
A windows box to run the batch script. (Batch script does very little, you should be able to easily modify this to run in any enviroment.)
If you are already running mimocan's lag fix, check out this post: http://forum.xda-developers.com/showpost.php?p=7578137&postcount=85
How to run the one click fix
Place your phone into USB debugging mode: Settings->Applications->Development
Download the attached ZIP file.
Unzip to a folder of your choice.
Double click "lagfixme.bat"
Wait for it to complete.
How to remove the one click fix
Double click "unlagfixme.bat"
Wait for it to complete.
New Method for applying this lag fix
Tayutama has developed an update.zip version of this lag fix. I haven't tested it personally, but some people have had a lot of success with it. It should be more robust and less likely to cause you problems. I believe it avoids all rooting and busybox issues as well! Nice! Check out this helpful post by glockyboots for instructions. You must only use one lag fix, not both! http://forum.xda-developers.com/showpost.php?p=7587405&postcount=417
Known Issues
1) If you do not have 1GB of free space on /data, this fix won't be able to run. Looking into workarounds.
2) Script fails if your busybox does not have mkfs.ext2 - Solution is to update busybox - http://forum.xda-developers.com/showpost.php?p=7574130&postcount=229
3) Script will not work if you have previously used mimocan's fix on your current firmware. Try this to revert mimocan's fix: http://forum.xda-developers.com/showpost.php?p=7578137&postcount=85
4) Make sure your device is plugged in, and that you have the correct drivers. Permission denied errors usually mean that your device is not in USB debug mode. Settings->Applications->Development
Credits
Big thanks to mimocan for putting us all on the right track in how to sort out lag problems!
Big thanks to ykk_five for showing us all how well loopback filesystem mounting works!
Warning, this software is BETA QUALITY, and is known to function on a lot devices! You must have busybox 1.17.1 !
This doesn't meant that this won't break your phone and force you to reflash. It does mean that if you do everything properly and you read everything a few times, you very likely will have no issues!
What if im using mimocans fix. Will it work?
heman1310 said:
What if im using mimocans fix. Will it work?
Click to expand...
Click to collapse
Won't currently work with mimocans fix. I can make a slightly altered version that will work with mimocan, but if you could install mimocan, you should be able to open the .txt files and check how this is done, and do it yourself in ADB!
It seems a bit strange to have two lag fixes installed at once anyway...
Nice! Looks ok at a glance! Though I see you have changed the directory name and the loop file..
kalpik said:
Nice! Looks ok at a glance! Though I see you have changed the directory name and the loop file..
Click to expand...
Click to collapse
I based this off my script from yesterday, so it has the names I used and not the names other people used. Feel free to just edit the text files to change the names.
Important part to note is that this fix is intended (eventually when all issues have been sorted out) for people who have no idea what linux is!
RyanZA said:
I based this off my script from yesterday, so it has the names I used and not the names other people used. Feel free to just edit the text files to change the names.
Important part to note is that this fix is intended (eventually when all issues have been sorted out) for people who have no idea what linux is!
Click to expand...
Click to collapse
EXACTLY! And good job for the effort! Too bad I already applied the fix manually, so don't feel like doing it all over again. Though if you really need to test it out, let me know, ill waste another half an hour
RyanZA said:
Important part to note is that this fix is intended (eventually when all issues have been sorted out) for people who have no idea what linux is!
Click to expand...
Click to collapse
nice work RyanZA but i think it wouldn't harm people to know that they ARE in fact using linux behind that fancy ui ... this is after all a dev-forum
Great job ............. I have a question (noob).... And the device? Should I connect it to my computer at what time, and in which way the usb cable?
Have I to save or transfer some file (extracted from lagfix) for the galaxy samsung s?
Tanks.
jodue said:
nice work RyanZA but i think it wouldn't harm people to know that they ARE in fact using linux behind that fancy ui ... this is after all a dev-forum
Click to expand...
Click to collapse
you are right, but be sure there will be lots of people that want this, that eaven dont know how windows works, they just want to use it ;-)
edit: the first proof ;-)
@bucklino connect your rooted galaxy s to usb...
FadeFx said:
you are right, but be sure there will be lots of people that want this, that eaven dont know how windows works, they just want to use it ;-)
Click to expand...
Click to collapse
hehe, yeah i guess so
... i'm already looking forward to "[Q] Will the new improved one click lagg-fix make my head explode?"
jodue said:
nice work RyanZA but i think it wouldn't harm people to know that they ARE in fact using linux behind that fancy ui ... this is after all a dev-forum
Click to expand...
Click to collapse
It actually looks more like they are using DOS at this point. The fancy ui is just a little coloured text window for now. I might make this into a proper GUI at some point if I'm bored!
bucklino said:
Great job ............. I have a question (noob).... And the device? Should I connect it to my computer at what time, and in which way the usb cable?
Have I to save or transfer some file (extracted from lagfix) for the galaxy samsung s?
Tanks.
Click to expand...
Click to collapse
You don't have to do anything! That's the point!
You put your device into debug mode. Settings->Applications->Development
You plug the device in.
You double click "lagfixme.bat"
Bang!
Just gotta make sure that its rooted, and has busybox (well, it needs mkfs.ext2 included in busybox).
It worked well for me thanks
[Q] will this lag fix also fix the delivery lag of my galaxy s?
it was supposed to arrive last wednesday, today i caled the guy and he told me i get it this week... however he´s a friend of mine and i trust him. just cant wait so long...............
RyanZA said:
It actually looks more like they are using DOS at this point. The fancy ui is just a little coloured text window for now. I might make this into a proper GUI at some point if I'm bored!
You don't have to do anything! That's the point!
You put your device into debug mode. Settings->Applications->Development
You plug the device in.
You double click "lagfixme.bat"
Bang!
Just gotta make sure that its rooted, and has busybox (well, it needs mkfs.ext2 included in busybox).
Click to expand...
Click to collapse
Tanks again!!!!
FadeFx said:
[Q] will this lag fix also fix the delivery lag of my galaxy s?
it was supposed to arrive last wednesday, today i caled the guy and he told me i get it this week... however he´s a friend of mine and i trust him. just cant wait so long...............
Click to expand...
Click to collapse
hm, that sux! i had to wait about 2 weeks when i ordered my htc magic because they f***** it up. terrible 2 weeks of watching/reading reviews and crying. this time i ordered from amazon and got it 3 days later ...
good luck for your lagging problem
how to confirm tat its completed without any problem ?
it shows "
Setting up permissions
All Complete!
Script complete!
Press any key to continue . . ."
but i did a benchmark test its still 899 same as before i do this.
hq83 said:
how to confirm tat its completed without any problem ?
it shows "
Setting up permissions
All Complete!
Script complete!
Press any key to continue . . ."
but i did a benchmark test its still 899 same as before i do this.
Click to expand...
Click to collapse
have you applied any other fix previously?
have you rebooted since you applied the fix?
hq83 said:
how to confirm tat its completed without any problem ?
it shows "
Setting up permissions
All Complete!
Script complete!
Press any key to continue . . ."
but i did a benchmark test its still 899 same as before i do this.
Click to expand...
Click to collapse
Huh... hmm..
Do you still have the log window open? If you could paste the full log here I can take a look. Like I said, alpha...
Your files may be in different locations than mine, or you may not have the right busybox.
FadeFx said:
[Q] will this lag fix also fix the delivery lag of my galaxy s?
it was supposed to arrive last wednesday, today i caled the guy and he told me i get it this week... however he´s a friend of mine and i trust him. just cant wait so long...............
Click to expand...
Click to collapse
[A] If you apply this fix to the delivery/schedule systems of goods transporters, delevery times will be halved worldwide .
jodue said:
have you applied any other fix previously?
have you rebooted since you applied the fix?
Click to expand...
Click to collapse
nope.
was on JM2 without any fix.
yes did a reboot after that.
Hey,
I've been researching the OP3 bootloader and the bootloader warning and I've found a possible method to hide it.
There is a file "emmc_appsboot.mbn" which contains information and strings (see content below). I'm not sure if modifying the file causes booting problems. I've examined the file and found something about verifying various files and blocking the boot process. I'm looking for someone who could help me and explain things. What do you think? If it's going to brick, would it be unbrickable?
Strings:
"Start >"
"< More options"
"Your device has been unlocker and cann't be trusted"
"To learn more, visit: g.co/placeholder"
"If no key pressed:
Your device will boot in 5 seconds"
Something about blocking the boot:
This phone has been flashed with unauthorized software & is locked. Call your mobile operator for additional support.Please note that repair/return for this issue may have additional cost.
boot_verifier: keystore length is invalid
I'm thinking about replacing all these texts with spaces to make the screen look blank. That's the way to "hide" the text, but there's still going to be the 5 seconds delay.
Download link to the file: http://d-h.st/SQID (Uploading attachments wasn't working when I posted this)
EDIT: Feel free to examine the file with a hex editor. Search for those strings to find the position.
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
meiser said:
There're already two threads dealing with the bootloader warning:
http://forum.xda-developers.com/oneplus-3/how-to/help-how-to-remove-device-unlocked-t3425028/page7
http://forum.xda-developers.com/oneplus-3/help/request-remove-bootloader-unlocked-t3405485
Click to expand...
Click to collapse
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
santeri3700 said:
I know, but neither one is dealing with this exact file/method. There is of course the "logo.bin", but I don't think it includes the warning message as I've found it from the file I discovered.
Click to expand...
Click to collapse
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
lance2010 said:
the "warning" message is inside the aboot....at the moment there's no way to modify this file....but....we will see.
Click to expand...
Click to collapse
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
santeri3700 said:
Isn't it possible to modify the hex codes? Or is it the verification that is the problem in this case?
Edit: I've seen that people edit this file with success.
Click to expand...
Click to collapse
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's an checksum active even if you set your phone to unlock_critical...
lance2010 said:
where did you see it running?
editing is not the problem, flashing it back is not the problem...but the phone won't start, even if you change a single bit !
there's an checksum active even if you set your phone to unlock_critical...
Click to expand...
Click to collapse
It was a Samsung and a Xiaomi device (partition and bl unlocking stuff, so not exactly related to this). The checksum is what I'm after.
Unfortunately I don't have enough experience and I don't know if it's even possible to do this.
I'm wonder what exactly happens if I edited the code to have only "spaces" or "NBSP".
Would I get any response from the device? Would I see any error codes on the screen?
I'm too unsure to risk my device. But thanks for the answer!
if you not know how to use the OP3 unbrick tool, let it be..in result you got an unbootable device if you change anything inside the bootloader.
It can't be changed.
Has anyone already found out how to access or enable the USB diag mode for connecting to QXDM?
Thanks!
just curious, for what reason?
noidea24 said:
just curious, for what reason?
Click to expand...
Click to collapse
Well, I work as an engineer in the IMS core environment
noidea24 said:
just curious, for what reason?
Click to expand...
Click to collapse
I would like diag mode to use the DFS Tool to enable/disable LTE bands.
hate to bump an old thread, but did anyone ever figure this out?
Madscotsman said:
hate to bump an old thread, but did anyone ever figure this out?
Click to expand...
Click to collapse
I think maybe google disabled this,I also want this
For Generic HTC devices,such command with root shell may could open the DIAG PORYT
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/func_en
But Google AOSP HTC devices....................
Someone has already solved this Problem but due to the negative attitude of the USERs of PIXEL,so.....................
Looking for the answer to this as well. It's needed for DFS and QPST (QXDM).
Every phone has some particular way to do this and so far I haven't found it on this phone. The Nexus 6 was super easy and I was hoping this one would be too. (On the Nexus 6 all you had to do was select BP Tools from the boot menu. Then it booted like normal but with the diag port enabled. Other phones you have to write to or create a particular file, or there's a dialer code but the usual tricks aren't working here.)
KlokWerk said:
Looking for the answer to this as well. It's needed for DFS and QPST (QXDM).
Every phone has some particular way to do this and so far I haven't found it on this phone. The Nexus 6 was super easy and I was hoping this one would be too. (On the Nexus 6 all you had to do was select BP Tools from the boot menu. Then it booted like normal but with the diag port enabled. Other phones you have to write to or create a particular file, or there's a dialer code but the usual tricks aren't working here.)
Click to expand...
Click to collapse
Have you tried using these commands with terminal emulator?
su
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/on
xdadevnube said:
Have you tried using these commands with terminal emulator?
su
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/on
Click to expand...
Click to collapse
Oh crud, I just noticed I was replying to a Pixel XL thread rather than a Pixel thread. You'd think they'd be similar.... does your method work on the Pixel XL, though? If you've tried that and say it works I may actually switch, if I can't figure out how to connect this Pixel.
When I try this on the Pixel (sku G2PW4100 running 7.1.1) I just get "Permission denied", even as superuser, even after changing the f_diag folder permissions to allow writes.
You're getting it to work on the G2PW2100, I guess? 7.1.1?
KlokWerk said:
Oh crud, I just noticed I was replying to a Pixel XL thread rather than a Pixel thread. You'd think they'd be similar.... does your method work on the Pixel XL, though? If you've tried that and say it works I may actually switch, if I can't figure out how to connect this Pixel.
When I try this on the Pixel (sku G2PW4100 running 7.1.1) I just get "Permission denied", even as superuser, even after changing the f_diag folder permissions to allow writes.
You're getting it to work on the G2PW2100, I guess? 7.1.1?
Click to expand...
Click to collapse
I apologize for not specifying that I don't have a Pixel or Pixel XL yet.
I know the command I posted above works on the HTC m8. I had almost given up on diag mode on that device until I tried that command.
It sounds like you're on the right track, but unfortunately my understanding is fairly limited. Hopefully somebody with more knowledge can chime in.
I've never messed with this, but I'm looking through the history here to see if there's a clue.
https://github.com/CallMeAldy/devic...f587b26156180b3/init.common.diag.rc.userdebug
...
PaulPizz said:
I believe I have found a way to enter DM Mode on the Pixel XL..
==Instructions==
- Makes sure you are rooted. <-- *If you are not and do not know how, Please do your research*
- Download and install the GalaxyTools3.1.2 app
- Tap the GalaxyTools3.1.2 App, grant it Super User permissions
- Once you are in the GalaxyTools3.1.2 app scroll down and tap "GTUSBItil" Button
- This will open up the "UART" Menu which you should be able to use to select DM+Modem+ADB
==Downloads==
- GalaxyTools3.1.2
** I have not figured out how to get the device to work with DFS.. If anyone figures it out please report back. Id like to know..**
Click to expand...
Click to collapse
Have you tried the "hacked" HTC Modem driver? If you get a list of Unknown devices in Windows Device Manager, you may be able to get install the modem driver and get QXDM or DFS working.
Let me know if you need any of those files.
xdadevnube said:
Have you tried the "hacked" HTC Modem driver? If you get a list of Unknown devices in Windows Device Manager, you may be able to get install the modem driver and get QXDM or DFS working.
Let me know if you need any of those files.
Click to expand...
Click to collapse
I think it just shows up as adb. Im not in front of my computer right now. But send it. I'll check it out. Thanks
Sent from my Pixel XL using Tapatalk
PaulPizz said:
I think it just shows up as adb. Im not in front of my computer right now. But send it. I'll check it out. Thanks
Sent from my Pixel XL using Tapatalk
Click to expand...
Click to collapse
Awesome! I'll send it when I get to a computer tonight.
I don't have a Pixel yet, so I'm not able to try it myself.
EDIT: Here is the modem driver.
View attachment 4081431
The recommended solution does not work, no com port is added in the device manager.
Hi,
I am desperately looking for the solution for enabling diag mode of Pixel XL phones. Any update regarding this would be very helpful.
Thanks.
I tried to build a userdebug build from AOSP but I didn't get very far (first attempt at it, and it kept failing after 1-3 hours).
So cancelled that endeavor and installed the latest Lineage from InvisibleK which was built as userdebug.
>adb shell
>su
>setprop sys.usb.config diag,adb
PC tried to install new drivers (as expected since it has a different vendor/product id). Qualcomm HS-USB Diagnostics 903D (COM14) showed up under Ports. Unknown ADB Interface couldn't install drivers, though. All the tools seem to be working fine.
I have to quit for now, but hopefully that's a start for you.
I wanted to build the stock build as userdebug because that's how you get the diag USB modes enabled. They were stripped from the -user builds.
Edit 1: Phone shows up in QPST now.
Edit 2: Phone shows up in QXDM after setting Target port in Communication setting.
Edit 3: I am not sure if I had installed the drivers linked in this thread, already. The driver version I have is 2.1.04
If someone can install a non-T-Mobile SIM and let me know what their NV 65538 is, I'd appreciate it.
Edit: This value did not change with a Cricket Sim in versus a T-Mobile SIM.
I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. Have a couple of questions for those that know more about as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device same model but it failed with a specific error "Certificate error 25 (0x19) (0)"
Thanks.
Where to get prototypes phone?
nate0 said:
I was able to dump the RDC that is provisioned to my 640 XL prototype. I dumped it and renamed it with a .bin extension. Have a couple of questions for those that know more about as I currently know little.
1. What is the RDC file, meaning what does it consist of? Or how is it used?
2. Where is it written when writing it from thor2? Or where is it stored on the phone?
3. Can it be re-used or is it good only for the one device it is provisioned to?
So, I am not sure if "dump" is the correct term to use here, as the command from thor2 would include the option -readrdc which sends it to a file that you choose...So it is reading something from the phone and generating a file...
I opened the file in hex editor but see little about its contents. It is small in size, about 804 bytes. I tried to write it to a different device same model but it failed with a specific error "Certificate error 25 (0x19) (0)"
Thanks.
Click to expand...
Click to collapse
A RDC file is a research and development certificate tied to the device hardware it came with, it will only work on the device it was shipped with, having the same IMEI, hardware serial number and everything unique, you can't use them with other devices at all.
@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.
nate0 said:
@gus33000
I was almost certain it was unique to the device it was installed in. Does it reside on the boot partition? Thanks for sharing.
Click to expand...
Click to collapse
It's in DPP along with all other provisioned data specific to the phone, you won't be able to do anything with it, just abort, you'll loose time and you'll most likely brick devices.
Was only wanting to know more about it. Thanks again.
nate0 said:
Was only wanting to know more about it. Thanks again.
Click to expand...
Click to collapse
Also as a tip, never overwrite MODEM*, SSD, and DPP with the ones from another phone, it will be destructive for prototypes. I advise you make a full backup of the prototype emmc first, before doing anything, (even if it's just reflashing with a ffu, it's very important to back everything up in mass storage using something like Win32 disk imager), if you however for some reason ever end up with wrong MODEM*, DPP and/or SSD, boot to flash app, switch to download mode, send the emergency payloads for that device RM, and write the rdc, writing it without DLOAD won't work.
DPP is the one nice to work with but never copy and replace, delete and eventually copy over onto it
I need this file
Can you help
Kidsnet said:
I need this file
Click to expand...
Click to collapse
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I unlikely will find that RDC file if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason?
I got a refurbished mobile came locked so i have to fl it since its demanding protection key so i need help
nate0 said:
I sold this phone along with dozens of other Lumias and Windows Phones over 2 years ago. I do not own the phone anymore, and I unlikely will find that RDC file if I even backed it up. It would be almost to you unless you are the new owner of this exact device that I dumped it from. Are you planning to use the file for any other reason
Click to expand...
Click to collapse
Kidsnet said:
I got a refurbished mobile came locked so i have to fl it since its demanding protection key so i need help
Click to expand...
Click to collapse
They are coming already locked, or if there's any tool i can download so that it will vo well with m
Sounds like the lock you are seeing is like a safety net lock. Someone must have had windows on it but had logged in with their account in Windows 10 mobile and set up the Reset protection with their Microsoft account. There is a method to remove that but it is quite dangerous and could ruin the phone.
There is a way to by pass it though as a work around so that you can use the phone but every time you hard reset it it will always lock back.
nate0 said:
Sounds like the lock you are seeing is like a safety net lock. Someone must have had windows on it but had logged in with their account in Windows 10 mobile and set up the Reset protection with their Microsoft account. There is a method to remove that but it is quite dangerous and could ruin the phone.
There is a way to by pass it though as a work around so that you can use the phone but every time you hard reset it it will always lock back.
Click to expand...
Click to collapse
@Kidsnet this is especially a problem for a lumia 640/640 xl. Because what happens is that if they upgraded it to Windows 10 mobile and enabled the protection but you reflash it back to Windows phone 8 you will unlikely set yourself up to not even get a workaround to get in the phone. Since the provisioning of W10M and WP8 are completely different.
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither the "commercial jailbreak" supports new versions (well yes they were using exactly the same file to start with Also 16.51.x or newer appears to be no go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
Click to expand...
Click to collapse
devmihkel said:
Yeah, 2nd attempt is much better as last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far SWF scripts are not involved in update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Click to expand...
Click to collapse
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Do You have an idea how to connect by USB2LAN adapter to uConnect ?
Do You know if there is an UART pins on the mainboard ?
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Click to expand...
Click to collapse
Hello, any news about it?
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but its a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant
in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had I 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
Click to expand...
Click to collapse
sofro1988 said:
Hello, any news about it?
Click to expand...
Click to collapse
I have not had had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap nand to an identical image that has been he's edited to enable usb Ethernet and add a custom key for ssh access.
I thought to stack a NAND on top of the original on a is flash drive, then breakout the Chip Enable pin to a switch. I've seen this done for with guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original nand containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original nand chip, then switch it (hopefully there's a big enough window to do this by hand) then present the modified nand before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process
Tajadela said:
hi,
can you explain how to change SSH key in "ifs-cmc.bin" file?
thanks a lot
Click to expand...
Click to collapse
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Click to expand...
Click to collapse
thanks for answer.
I saw an ssh key with the hex editor, but I would like to see exactly what you have replaced.
if it's not too much trouble, it would be interesting to see with some screenshots the changes you've made.
So we could work on two fronts. The idea of the double nand is good, but not very simple to make ...
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
Sent from my CLT-L09 using Tapatalk
Click to expand...
Click to collapse
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
Click to expand...
Click to collapse
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
sofro1988 said:
Have you tried connecting to it?
Sent from my iPhone using Tapatalk
Click to expand...
Click to collapse
I managed to connect with the cisco adapter (usb / ethernet), but I don't know the root password. is the problem at the moment insurmountable ..
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
Click to expand...
Click to collapse
I connected in telnet on a uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with static IP it brings up if no DHCP is offered is: 192.168.6.1
itsJRod said:
I used a hex editor to find the Ssh RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Click to expand...
Click to collapse
after rsa key replaced, do you have recalculate the checksum of UPD file?
have you replaced the first 64 bytes of the file?
thanks
@itsJRod, isn't it that you would like to explain the procedure to replace the RSA key in the swdl file? thank you
Hello,
have you made any progress? I am a bit lost. I put the EU uconnect MY15 to US dodge charger MY16 and Perf Pages were working fine even on 16.16.13, although after upgrade to 17.x (17.46.0.1 right now) I am meeting the problem of expired subscription (which is not possible to have on EU radio).
I am considering basically three solutions:
a) going back to US radio, but modify the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than time invested)
b) downgrade to 16.16.13 - I have no clue how to do it, I tried to put swdl.upd with swdl.iso as and installer.iso with no luck of course.
c) take xlets from KIM2/ of 16.16.13 to KIM23 of 17.46.0.1 secondary.iso - this is probably preferred way but I do not know how to make it to pass ISO validation.
Of course root on uconnect is extremely nice to have but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago. Since them problems, radio turn on delay, no GPS and cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own is possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism, I believe I have tried all of tricks/methods
I have searched the code to see if I can find the iso MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed somethign but nothing work.
I have even tried the swapping the flash drives after validation but it seems they are using the ISos they already copied to continue the process, I then end u getting some invalid errors or the update just crashes out
I got other updates from the link: http://www.mydrive.ch/
http://www.mydrive.ch/http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Havent tried all of them yet, but pretty sure they wont work, due to the 17x security changes.
Any help would be appreciated grealty, I really dont want to shell out any cash for something a company told me to to and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (was running the 17.11.07 software that I got pushed to me OTS style a couple years ago. Since them problems, radio turn on delay, no GPS and cellular phone warning popup.
I was told to do the 18.45 update which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the sierra wireless portion by manually editing, hex editing, etc but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless to help me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own is possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straight forward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism, I believe I have tried all of tricks/methods
I have searched the code to see if I can find the iso MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed somethign but nothing work.
I have even tried the swapping the flash drives after validation but it seems they are using the ISos they already copied to continue the process, I then end u getting some invalid errors or the update just crashes out
I got other updates from the link: http://www.mydrive.ch/
http://www.mydrive.ch/http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Havent tried all of them yet, but pretty sure they wont work, due to the 17x security changes.
Any help would be appreciated grealty, I really dont want to shell out any cash for something a company told me to to and due to their screw up with bricking modems, this is now bricking my radio.
Thanks to all in advance !!!
Click to expand...
Click to collapse
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
Click to expand...
Click to collapse
I created an account just to reply to this and All I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people said, trying every USB, every format, every version and nothing ever worked from me. Uconnect support was absolutely no help and it was a lot of back-and-forth finger pointing and no you need to reach out to this person between them and the dealership. Dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA Head Unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at the step 11 1% and would get a failed sierra wireless every time and then got in that "bolo update failed" loop..Well to fix it just now all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in the previous comment and quick format to FAT32 on a 16GB Micro Center USB extracted the files from 16.33.29 to the USB with 7ZIP, plugged in like normal and BOOM it ran the first step restarted and I had a working radio again showing update 18.45.01.
(So i'm assuming you don't have to do the S Byte thing I didn't even mess with it I just used the 16.33.29 to bypass step 11 since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still is the wrong address but I don't care about all that just thankful to have my radio back before my wife killed me for trying to update it by myself. )
I hope this helps someone else one day because it took some deep research and hours on hours of forum hoping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
As my previous post stated I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the url posted in my previous comment.
I did the S Byte HEX Mod to the swdl.iso file, loaded it and the swdl.upd file on a thumb drive. Used Hxd on windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started with the update process, after the first unit, the screen said the Uconnect had to restart, please wait..
And whalaa my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but thats most likely because the sierra wireless card is bad.
I cannot say for sure the S Byte thing did anything, because I'm not messing with this anymore, almost had to buy a new radio.
I would say try it with out, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least its something else to try than pay 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
Click to expand...
Click to collapse
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine they way this helped me. Thank you again for this!