Preface
With this guide I can officially deprecate the other guide I wrote, as we will no longer have to hack together a solution by loading profiles for other carriers. Meaning, that this should just work provided an mbn exists for your carrier - doesn't matter from which device. This has been reported to work on TMO in the US, which did not work with my other method.
Prerequisites
* You must have working DIAG mode. See my other thread for more information on how to set that up.
Downloads
* AsusVoLTE v1.0.1
* EfsTools 0.10 modded 1.2
* EFS items
* Xiaomi Mi 9T MBNs (optional)
Step 1 - setting props
Install the AsusVoLTE app from above, and make sure to upgrade if you already have it installed. Run the app and press the Enable VoLTE button; this should set some properties on the device to force-enable VoLTE after we have also done the other steps below. If you already enabled VoLTE using my old method you can safely skip this step.
If you prefer to not use the app, simply run this in an adb shell:
Code:
setprop persist.vendor.dbg.ims_volte_enable 1
setprop persist.vendor.dbg.volte_avail_ovr 1
setprop persist.vendor.dbg.vt_avail_ovr 1
setprop persist.vendor.dbg.wfc_avail_ovr 1
If you are unable to set those properties for whatever reason, like if you have returned to stock after flashing the mbn and no longer have root, there is another way to force VoLTE/VoWiFi: there's a secret code you can use to force-enable it, but unfortunately it does not survive a reboot (not sure why ASUS didn't make it persistent).
Enter this in the dialler:
Code:
*#*#3642623344#*#*
The number will clear itself, and you shouldn't see any output if it succeeded.
When you have done this, go to (System) Settings -> Mobile network and toggle Mobile data off then on again. You should hopefully see the VoWiFi or VoLTE icon in the status bar now, but like I said above you will have to redo this if you reboot the phone - so if you can, please use the properties method instead.
Step 2 - making sure it works
Before we begin, make sure you close down QPST, otherwise EfsTools will error out because there can not be two clients connected at once.
Unzip EfsTools from above, open up a cmd window and cd to the directory where you extracted it. Depending on how you connect to diag you will need to modify EfsTools.exe.config - if you're connecting via USB you most likely won't have to do anything as it will find the port automatically, unless you have more than one port, in which case you can simply change port from Auto to the COM port of the phone (for example COM13).
If you are connected via wifi you will need to change port to 2500 (or whatever port you used in the AsusVoLTE app) and remote to true. So the efstool line should look something like this:
Code:
<efstool port="2500" remote="true" baudrate="38400" password="FFFFFFFFFFFFFFFF" spc="000000"/>
You can test the connection by running this in the cmd window:
Code:
EfsTools.exe efsInfo
This should report back some info if everything is working. If not, try rebooting the device and redo the bits from the DIAG guide.
Step 3 - disabling mcfg
Extract efs.zip from above to the same directory as EfsTools.exe, and make sure the mcfg_autoselect_by_uim file is there. Now simply run this in the cmd window, one line at a time:
Code:
EfsTools.exe writeFile -i mcfg_autoselect_by_uim -o /nv/item_files/mcfg/mcfg_autoselect_by_uim
EfsTools.exe writeFile -i mcfg_autoselect_by_uim -o /nv/item_files/mcfg/mcfg_autoselect_by_uim -s 1
If everything worked you should see no error messages.
Step 4 - writing mbn
If you are using the Xiaomi Mi 9T mbns zip from above, move it to the EfsTools directory and extract it. Now we simply need to find the mbn for your carrier.
The mbn directory structure is generally laid out like this: <region>/<carrier>/commerci/<country>/mcfg_sw.mbn. For example, the one for my carrier is eu/h3g/commerci/se/mcfg_sw.mbn. Copy the mcfg_sw.mbn file to the same directory as the EfsTools.exe, then go to the cmd window you opened and type this:
Code:
EfsTools.exe uploadDirectory -i mcfg_sw.mbn -o / -v
To get it working on the second SIM slot you will also have to run this:
Code:
EfsTools.exe uploadDirectory -i mcfg_sw.mbn -o / -s 1
If it has worked you should see a bunch of output, but no errors. Try rebooting now, and hopefully after it has booted you will have fully functional VoLTE and VoWiFi.
Source code:
AsusVoLTE - Github
EfsTools - Github
Let me know if this works for you, or if you have any questions.
Regards
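Added helper for the procedure above (example code, not the thread author's and not part of EfsTools): it automates the checks the guide has you do by hand. It confirms over adb that diag is in sys.usb.config and that the four Step 1 properties are set, rewrites the port/remote attributes in EfsTools.exe.config for a USB or Wi-Fi diag link (Step 2), picks the carrier's mcfg_sw.mbn from the extracted MBN tree (Step 4) and refuses to guess when the match is ambiguous, and emits the Step 3/4 EfsTools command lines for both SIM slots. The getprop excerpt and the cut-down config are constructed here; adb on PATH and root for setprop are assumptions.

```python
"""Helper for the VoLTE-via-EfsTools procedure (added example, not the
thread author's code). Sample data below is constructed."""
import re
import subprocess
import xml.etree.ElementTree as ET

VOLTE_PROPS = (  # the four properties from Step 1
    "persist.vendor.dbg.ims_volte_enable",
    "persist.vendor.dbg.volte_avail_ovr",
    "persist.vendor.dbg.vt_avail_ovr",
    "persist.vendor.dbg.wfc_avail_ovr",
)
MCFG_ITEM = "/nv/item_files/mcfg/mcfg_autoselect_by_uim"  # Step 3 target

# Constructed getprop excerpt: diag requested, one VoLTE prop still unset.
SAMPLE_GETPROP = """\
[persist.vendor.dbg.ims_volte_enable]: [1]
[persist.vendor.dbg.volte_avail_ovr]: [1]
[persist.vendor.dbg.vt_avail_ovr]: [1]
[persist.vendor.dbg.wfc_avail_ovr]: [0]
[sys.usb.config]: [rndis,diag,adb]
[sys.usb.state]: [rndis,adb]
"""
# Constructed, cut down to the one element the guide tells you to edit.
SAMPLE_CONFIG = (
    '<configuration><efstool port="Auto" remote="false" baudrate="38400" '
    'password="FFFFFFFFFFFFFFFF" spc="000000"/></configuration>'
)
_GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn `getprop` output into a dict."""
    props = {}
    for line in text.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def diag_enabled(props):
    """Only sys.usb.config is checked: on this device sys.usb.state does not
    list diag even when the port is up (as noted later in the thread)."""
    return "diag" in props.get("sys.usb.config", "").split(",")


def missing_volte_props(props):
    """Step 1 properties that are not set to 1."""
    return [p for p in VOLTE_PROPS if props.get(p) != "1"]


def configure_efstools(config_xml, port="Auto", remote=False):
    """Rewrite port/remote on the <efstool> element (Step 2)."""
    root = ET.fromstring(config_xml)
    node = root if root.tag == "efstool" else root.find(".//efstool")
    if node is None:
        raise ValueError("no <efstool> element in config")
    node.set("port", str(port))
    node.set("remote", "true" if remote else "false")
    return ET.tostring(root, encoding="unicode")


def select_mbn(paths, carrier, country):
    """Pick <region>/<carrier>/commerci/<country>/mcfg_sw.mbn from a list of
    relative paths (Step 4); refuse ambiguity rather than guess."""
    pat = re.compile(r"^[^/]+/%s/commerci/%s/mcfg_sw\.mbn$"
                     % (re.escape(carrier), re.escape(country)))
    hits = [p for p in paths if pat.match(p.replace("\\", "/"))]
    if len(hits) != 1:
        raise LookupError("expected one mbn for %s/%s, got %r" % (carrier, country, hits))
    return hits[0]


def efstools_commands(mbn="mcfg_sw.mbn", item="mcfg_autoselect_by_uim", dual_sim=True):
    """Steps 3 and 4 as argv lists: slot 0 first, slot 1 (-s 1) after."""
    write = ["EfsTools.exe", "writeFile", "-i", item, "-o", MCFG_ITEM]
    upload = ["EfsTools.exe", "uploadDirectory", "-i", mbn, "-o", "/"]
    if dual_sim:
        return [write, write + ["-s", "1"], upload + ["-v"], upload + ["-s", "1"]]
    return [write, upload + ["-v"]]


if __name__ == "__main__":
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                         text=True, check=True).stdout
    props = parse_getprop(out)
    print("diag in sys.usb.config:", diag_enabled(props))
    print("Step 1 props still unset:", missing_volte_props(props) or "none")
    for cmd in efstools_commands():
        print(" ".join(cmd))
```

Run it from the EfsTools directory with the phone in DIAG mode; it prints what is still missing and the exact command lines to paste into the cmd window, in the order the guide runs them.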
I cannot for the life of me get either method to work. Connected via USB. DIAG mode driver is loaded on COM1, even changed Baud rate on the COM port in device manager to 38400. USB method gives me "Critical Error: Bad Command". Remote method does not send any information but indefinitely runs. I'm really not sure what else to try. I'm on the latest WW Firmware with Magisk root. Is there anything else I can check? Are you on the 8 GB Tencent version?
xbamaris1` said:
I cannot for the life of me get either method to work. Connected via USB. DIAG mode driver is loaded on COM1, even changed Baud rate on the COM port in device manager to 38400. USB method gives me "Critical Error: Bad Command". Remote method does not send any information but indefinitely runs. I'm really not sure what else to try. I'm on the latest WW Firmware with Magisk root. Is there anything else I can check? Are you on the 8 GB Tencent version?
Is COM1 the only port available? What does it identify itself as in Device Manager? It should be a Qualcomm ... 902d device.
I'm on the tencent version, yeah, so it should be working for you as well.
HomerSp said:
Is COM1 the only port available? What does it identify itself as in Device Manager? It should be a Qualcomm ... 902d device.
I'm on the tencent version, yeah, so it should be working for you as well.
I changed it to that, I'm even trying this on a completely different computer to see. Now it's on COM3 on the different system with that driver. I even recently did a full WW firmware flash and factory reset as well. So it's pretty much completely stock other than Root and the Apps you made / modified.
Still, Critical error. Bad Command when running efsTools efsInfo
What version of the driver does it say for you?
Edit: When you're able to access efs, What does your sys.usb.state say? I have rndis,adb shown but sys.usb.config is set for rndis,diag,adb. Does your sys.usb.state have diag included?
Use serial port 'COM13'
Critical error. The requested resource is in use.
Use serial port 'COM13'
Critical error. The requested resource is in use.
Use serial port 'COM13'
Critical error. The requested resource is in use.
I keep getting the following error and I'm not sure what the cause may be. Is it possible that a video tutorial could be made to help out in beginning as I'm not sure what I'm doing wrong on my end.
Thank you so much for your work on this though! It is nothing short of amazing.
Does it matter which USB port we use on the device? I've tested both the bottom and the side and neither are working.
Cammarratta said:
Use serial port 'COM13'
Critical error. The requested resource is in use.
Use serial port 'COM13'
Critical error. The requested resource is in use.
Use serial port 'COM13'
Critical error. The requested resource is in use.
I keep getting the following error and I'm not sure what the cause may be. Is it possible that a video tutorial could be made to help out in beginning as I'm not sure what I'm doing wrong on my end.
Thank you so much for your work on this though! It is nothing short of amazing.
Does it matter which USB port we use on the device? I've tested both the bottom and the side and neither are working.
Make sure you don't have QPST server running. It's not required if using the tools. I ran into this issue and realized that's what it was that was using it.
How do I make sure the server is not running? I've rebooted and checked but I'm not seeing anything/indication of it doing so. Thank you in advance!
Cammarratta said:
How do I make sure the server is not running? I've rebooted and checked but I'm not seeing anything/indication of it doing so. Thank you in advance!
Open up QPST Configuration > at the top click Server > then Stop QPST Server. After that, see if efsTools give you anything. (efsTools efsInfo)
Hrmmm still not working on my end. Not sure what I'm doing wrong but I'll give it a rest for the time being.
My qserver keeps saying that it cannot find my USB or phone either. So I might be missing something. I'll Uninstall and try again though
Cammarratta said:
Hrmmm still not working on my end. Not sure what I'm doing wrong but I'll give it a rest for the time being.
My qserver keeps saying that it cannot find my USB or phone either. So I might be missing something. I'll Uninstall and try again though
What does it say for you? It won't find it if you turn it off. What is the COM port / driver that shows up in Device Manager
xbamaris1` said:
I changed it to that, I'm even trying this on a completely different computer to see. Now it's on COM3 on the different system with that driver. I even recently did a full WW firmware flash and factory reset as well. So it's pretty much completely stock other than Root and the Apps you made / modified.
Still, Critical error. Bad Command when running efsTools efsInfo
What version of the driver does it say for you?
Edit: When you're able to access efs, What does your sys.usb.state say? I have rndis,adb shown but sys.usb.config is set for rndis,diag,adb. Does your sys.usb.state have diag included?
Could you try this updated EfsTools: https://github.com/HomerSp/EfsTools...modded-1.1/EfsTools-0.10-modded-1.1-win32.zip Hopefully it should work for you.
sys.usb.state is supposed to say just rndis,adb - diag will only be listed in sys.usb.config.
HomerSp said:
(quotes the guide from the first post in full)
Absolutely genius, your work here is greatly appreciated; everything is working perfectly, VoLTE and VoWiFi with caller display.
I used the EE mbn included in the Xiaomi Mi 9T MBNs provided, so for anyone on EE I can say it works without a problem.
Thank you :good:HomerSp
in device manager it shows up as
Qualcomm HS-USB Android DIAG 902D (COM13)
EDIT: It started working oddly enough. Which mi9 file would I flash for tmobile USA to test?
Thank you in advance for this!
Edit 2: got it working! Had to uninstall, reinstall QPST, open up the app and click enable DIAG, then stop the server in QPST and input the commands and it worked!
HomerSp said:
Could you try this updated EfsTools: https://github.com/HomerSp/EfsTools...modded-1.1/EfsTools-0.10-modded-1.1-win32.zip Hopefully it should work for you.
sys.usb.state is supposed to say just rndis,adb - diag will only be listed in sys.usb.config.
Thought so, just wanted to make sure.
https://imgur.com/a/WZvKteM is what I get. Is it possible to go back to an earlier RAW rom? I want to see if theres something in earlier ROMS that will make it work. I'm just at a loss. I'm not sure what I'm missing for this to work.
@HomerSp, thanks so much for all your efforts and skills - works a charm on EE UK using the Mi9T MBNs
xbamaris1` said:
I cannot for the life of me get either method to work. Connected via USB. DIAG mode driver is loaded on COM1, even changed Baud rate on the COM port in device manager to 38400. USB method gives me "Critical Error: Bad Command". Remote method does not send any information but indefinitely runs. I'm really not sure what else to try. I'm on the latest WW Firmware with Magisk root. Is there anything else I can check? Are you on the 8 GB Tencent version?
Same issue as you, I had it working at the start then it just stopped altogether. Hoping the next asus update could reset whatever I did to it and I can retry it again.
Mine is getting stuck on "Use serial port 'COM5'" and nothing happens after that. Any recommendations how to make it work?
killerdvd said:
Mine is getting stuck on "Use serial port 'COM5'" and nothing happens after that. Any recommendations how to make it work?
I had to uninstall QPST entirely, reinstall it. Then plug my phone in, open up the Asus VoLTE app and hit enable DIAG, my device then showed up in device manager, then I stopped the QPST server and it worked for me just fine. Using Windows 10 with latest update.
Cammarratta said:
I had to uninstall QPST entirely, reinstall it. Then plug my phone in, open up the Asus VoLTE app and hit enable DIAG, my device then showed up in device manager, then I stopped the QPST server and it worked for me just fine. Using Windows 10 with latest update.
Thanks for the quick response. My device is already showing in device manager with COM 6. I never installed QPST since it's not needed for a USB connection. QPST is not even mentioned in the OP.
I want to say the first part says that you need to have DIAG enabled.
Prerequsities
* You must have working DIAG mode. See my other thread for more information on how to set that up.
Which I think needed QPST installed. Unless I'm sadly mistaken, then please disregard!
Related
Hello there.
I have been having the 'stupidly set baseband to USA and unable to change back' issue with my Nexus 5X, using a European version. I live in Croatia, so as you would imagine this has meant a complete loss of signal/mobile operator/3G etc.
As per my other thread in Nexus 5x help and troubleshooting,
http://forum.xda-developers.com/nexus-5x/help/usa-baseband-set-european-model-t3252879
I have exhausted other options and have come to the realisation that as per other users issues with other phones that the use of QPST tools and using a clean QCN file to inject into my phone is the only course of action left. However, I have no knowledge of such things (not to say that I am unable to inform myself).
I emailed a developer with regards to users issues with Nexus 5 phones (not 5x), and he said that I need to enter this mode on my phone.
Could anyone help me out with this, and in general with this issue? As some have tried to help but unfortunately my thread has more of my own replies than other users. (In elaborating on steps taken to resolve my misery).
I am not looking for a 'one button fix', I have educated myself far and beyond with regards to this issue, I just need some more expert help so that I can sort this out myself.
Please, anyone?
Marko
Thank God.
I can actually get a new phone. Help not needed in the end.
Thanks anyway.
Marko
was.once.dead said:
Thank God.
I can actually get a new phone. Help not needed in the end.
Thanks anyway.
Marko
Glad you got your problem fixed. Don't know if this will help you or others, but if you press *#*#4636#*#* your phone will enter a radio diagnostics tool where you can set your preferred network type and also select your radio baseband by using the 3 dots at the top. For my 5X I can select USA Band or Band mode 6, Band mode 7.
sorry if this is OT and not related to your issue.
Thank you for your input. However my phone does not have those options. Only USA band, which led to this week-long stress for me. I'm going to be able to get a replacement device in the end, so I'm happy about that, but this issue is unfortunately somewhat of a one-way street wherein the usual simple solutions or even more complex adb, fastboot, etc. things do not bring about any resolutions.
Again, thanks for trying to help but it's a phone-to-phone kind of thing.
Marko
Best advice I can give. Don't mess with the basebands
zelendel said:
Best advice I can give. Don't mess with the basebands
Best advice ever...
But.... If you are really hot on getting the 5x into diagnostic mode to run QPST, QXDM, etc., do this. (I did this on my 5x to obtain the QCN file to check out the NV and EFS items, grab QXDM logs, etc.)
1. Use Heisenberg's most excellent step-by-step tutorial on unlocking the boot loader, rooting the phone, and installing super user apk.
2. Once rooted, connect the phone to a PC and open up adb, then issue the adb shell command.
3. Once in adb shell, type: su -c 'setprop sys.usb.config diag,adb'
4. At this point, you should see a pop up on the phone to authorize super user access. Click to allow access.
5. Now you will probably have to load a driver on the computer for diag access. I got lucky (since I have a mess of drivers on my computer) and the driver loaded automatically. As I recall, my computer selected qcusbser.sys. Seems to be a pretty generic QCOM driver vs. an LG specific driver.
6. You now have diag access. You will have to run steps 2 - 3 after each phone reboot. In other words, these steps aren't "sticky" between reboots.
7. ????
8. Profit
I did this and it worked for me.
clivemckracken said:
(quotes the diag-mode steps from the post above in full)
Please give me the global version of rfnv files:good:
Please give me the global version of rfnv files
Sorry, bro. I only have the values from my US version.
Has anyone already found out how to access or enable the USB diag mode for connecting to QXDM?
Thanks!
just curious, for what reason?
noidea24 said:
just curious, for what reason?
Well, I work as an engineer in the IMS core environment
noidea24 said:
just curious, for what reason?
I would like diag mode to use the DFS Tool to enable/disable LTE bands.
hate to bump an old thread, but did anyone ever figure this out?
Madscotsman said:
hate to bump an old thread, but did anyone ever figure this out?
I think maybe Google disabled this, I also want this.
For generic HTC devices, a command like this in a root shell may open the DIAG port:
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/func_en
But Google AOSP HTC devices...
Someone has already solved this problem, but due to the negative attitude of the users of Pixel, so...
Looking for the answer to this as well. It's needed for DFS and QPST (QXDM).
Every phone has some particular way to do this and so far I haven't found it on this phone. The Nexus 6 was super easy and I was hoping this one would be too. (On the Nexus 6 all you had to do was select BP Tools from the boot menu. Then it booted like normal but with the diag port enabled. Other phones you have to write to or create a particular file, or there's a dialer code but the usual tricks aren't working here.)
KlokWerk said:
Looking for the answer to this as well. It's needed for DFS and QPST (QXDM).
Every phone has some particular way to do this and so far I haven't found it on this phone. The Nexus 6 was super easy and I was hoping this one would be too. (On the Nexus 6 all you had to do was select BP Tools from the boot menu. Then it booted like normal but with the diag port enabled. Other phones you have to write to or create a particular file, or there's a dialer code but the usual tricks aren't working here.)
Have you tried using these commands with terminal emulator?
su
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/on
xdadevnube said:
Have you tried using these commands with terminal emulator?
su
echo 1 > /sys/devices/virtual/android_usb/android0/f_diag/on
Oh crud, I just noticed I was replying to a Pixel XL thread rather than a Pixel thread. You'd think they'd be similar.... does your method work on the Pixel XL, though? If you've tried that and say it works I may actually switch, if I can't figure out how to connect this Pixel.
When I try this on the Pixel (sku G2PW4100 running 7.1.1) I just get "Permission denied", even as superuser, even after changing the f_diag folder permissions to allow writes.
You're getting it to work on the G2PW2100, I guess? 7.1.1?
KlokWerk said:
Oh crud, I just noticed I was replying to a Pixel XL thread rather than a Pixel thread. You'd think they'd be similar.... does your method work on the Pixel XL, though? If you've tried that and say it works I may actually switch, if I can't figure out how to connect this Pixel.
When I try this on the Pixel (sku G2PW4100 running 7.1.1) I just get "Permission denied", even as superuser, even after changing the f_diag folder permissions to allow writes.
You're getting it to work on the G2PW2100, I guess? 7.1.1?
I apologize for not specifying that I don't have a Pixel or Pixel XL yet.
I know the command I posted above works on the HTC m8. I had almost given up on diag mode on that device until I tried that command.
It sounds like you're on the right track, but unfortunately my understanding is fairly limited. Hopefully somebody with more knowledge can chime in.
I've never messed with this, but I'm looking through the history here to see if there's a clue.
https://github.com/CallMeAldy/devic...f587b26156180b3/init.common.diag.rc.userdebug
...
PaulPizz said:
I believe I have found a way to enter DM Mode on the Pixel XL..
==Instructions==
- Make sure you are rooted. <-- *If you are not and do not know how, please do your research*
- Download and install the GalaxyTools3.1.2 app
- Tap the GalaxyTools3.1.2 App, grant it Super User permissions
- Once you are in the GalaxyTools3.1.2 app scroll down and tap "GTUSBItil" Button
- This will open up the "UART" Menu which you should be able to use to select DM+Modem+ADB
==Downloads==
- GalaxyTools3.1.2
** I have not figured out how to get the device to work with DFS. If anyone figures it out please report back. I'd like to know. **
Have you tried the "hacked" HTC Modem driver? If you get a list of Unknown devices in Windows Device Manager, you may be able to install the modem driver and get QXDM or DFS working.
Let me know if you need any of those files.
xdadevnube said:
Have you tried the "hacked" HTC Modem driver? If you get a list of Unknown devices in Windows Device Manager, you may be able to install the modem driver and get QXDM or DFS working.
Let me know if you need any of those files.
I think it just shows up as adb. I'm not in front of my computer right now. But send it. I'll check it out. Thanks
Sent from my Pixel XL using Tapatalk
PaulPizz said:
I think it just shows up as adb. I'm not in front of my computer right now. But send it. I'll check it out. Thanks
Sent from my Pixel XL using Tapatalk
Awesome! I'll send it when I get to a computer tonight.
I don't have a Pixel yet, so I'm not able to try it myself.
EDIT: Here is the modem driver.
View attachment 4081431
The recommended solution does not work, no com port is added in the device manager.
Hi,
I am desperately looking for the solution for enabling diag mode of Pixel XL phones. Any update regarding this would be very helpful.
Thanks.
I tried to build a userdebug build from AOSP but I didn't get very far (first attempt at it, and it kept failing after 1-3 hours).
So cancelled that endeavor and installed the latest Lineage from InvisibleK which was built as userdebug.
>adb shell
>su
>setprop sys.usb.config diag,adb
PC tried to install new drivers (as expected since it has a different vendor/product id). Qualcomm HS-USB Diagnostics 903D (COM14) showed up under Ports. Unknown ADB Interface couldn't install drivers, though. All the tools seem to be working fine.
I have to quit for now, but hopefully that's a start for you.
I wanted to build the stock build as userdebug because that's how you get the diag USB modes enabled. They were stripped from the -user builds.
Edit 1: Phone shows up in QPST now.
Edit 2: Phone shows up in QXDM after setting Target port in Communication setting.
Edit 3: I am not sure if I had installed the drivers linked in this thread, already. The driver version I have is 2.1.04
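Added example, not any poster's code: it does what the Nexus 5X post above and this post do with `setprop sys.usb.config diag,adb`, but keeps whatever functions are already in the composition (rndis, mtp, ...) instead of replacing the whole string, and reads back both sys.usb.config and sys.usb.state afterwards. It assumes adb on PATH, a rooted device with su, and a build whose USB configuration still contains the diag function (the post above notes it is stripped from user builds, which is one reason for the "Permission denied" reports); the device-side command strings are assumptions. The change is lost at reboot, as the Nexus 5X post says.

```python
"""Enable the Qualcomm diag USB function without dropping the functions
already configured (added example, not from the thread)."""
import subprocess
import time


def add_diag(config):
    """Insert "diag" just ahead of "adb", the order every example on this
    page uses; append it when adb is absent; leave it alone if present."""
    funcs = [f for f in config.strip().split(",") if f]
    if "diag" not in funcs:
        if "adb" in funcs:
            funcs.insert(funcs.index("adb"), "diag")
        else:
            funcs.append("diag")
    return ",".join(funcs)


def adb_shell(cmd):
    """Run one command on the device and return its trimmed stdout."""
    r = subprocess.run(["adb", "shell", cmd], capture_output=True,
                       text=True, check=True)
    return r.stdout.strip()


def enable_diag(settle=2.0):
    """Set the new composition and return (sys.usb.config, sys.usb.state).
    On some devices sys.usb.state never shows diag even when the port is
    up, so compare config, then look for the Qualcomm diag COM port."""
    current = adb_shell("getprop sys.usb.config")
    wanted = add_diag(current)
    if wanted != current:
        # su -c as in the Nexus 5X post; expect the superuser prompt here
        adb_shell("su -c 'setprop sys.usb.config %s'" % wanted)
        time.sleep(settle)  # let the gadget re-enumerate
    return adb_shell("getprop sys.usb.config"), adb_shell("getprop sys.usb.state")


if __name__ == "__main__":
    cfg, state = enable_diag()
    print("sys.usb.config =", cfg)
    print("sys.usb.state  =", state)
```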
If someone can install a non-T-Mobile SIM and let me know what their NV 65538 is, I'd appreciate it.
Edit: This value did not change with a Cricket Sim in versus a T-Mobile SIM.
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
I am still trying to crack into that unit with the 17.11.07 software. I have a D-Link USB Ethernet but it's a HW revision D and I believe I would need a B if we can get ethernet enabled at all.
Also, if we can get Ethernet enabled we will still need to get SSH password or key.
devmihkel said:
For good or for bad NOT everything appears correct, except the running 17.x version... As of now neither "commercial jailbreak" supports new versions (well, yes, they were using exactly the same file to start with). Also 16.51.x or newer appears to be a no-go: uconnect-8-4-8-4an-update
EDIT: haven't got 17.09.07 to try, but on 17.11.07 manifest.lua has changed and the last block/ search keyword is "ota_update" instead. Otherwise all the same, image valid after the edit and script.sh gets fired - at least on 16.33.29 that is @HanJ67 Did you actually try to mount installer.iso after the edit and checked /etc/manifest.lua for the end result before?
devmihkel said:
Yeah, 2nd attempt is much better as last lua block is correctly terminated and your script might actually run, but unfortunately no successful 17.x runs have been reported so far SWF scripts are not involved in update/jail-breaking run, these ones become relevant only once you are in (and need to enable some app or wifi or navi features etc). Afaik 17.x blocks ethernet dongle usage as well, but let's see if even the USB driver/link gets activated at all?
Do you have a 16.33.29 version I can try this on? I'm wondering if it will get me far enough to execute the "manifest.lua HD_Update" hack you and @HanJ67 were discussing.
I've used the 17.43.01, then finally found a 17.11.07 and had no luck there either.
In my latest attempts on the 17.11.07, I was able to hex edit the "ifs-cmc.bin" on the UPD and replaced the SSH-RSA key with my own. I think this bin will be flashed to the MMC during an update.
That SWDL.UPD got past the initial check and rebooted into update mode, but then it fails the second ISO check and loops. I had to use an unmodified image to finish the update and get back up and running.
I keep reading about making changes only after the 2048 Byte mark in the older versions with the "S" at 0x80. Is this still relevant in later ISO/UPD images and to the second ISO check?
Right now, I'm looking to find a way to disable that check so that my modified .bin will be written to disk? I think this route would work to also modifying and getting WiFi enabled after a flash of the edited image.
If I had a 16.33.29 or similar older UPD version to attempt the HD_UPDATE hack in the Manifest.lua file I would give that a shot to be thorough.
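Added example, not the poster's code: a length-preserving way to do the key swap the post above describes by hand in a hex editor. Swapping an ssh-rsa public key inside a raw image such as ifs-cmc.bin is only safe if the replacement occupies exactly the same bytes, otherwise everything after it shifts; the helper finds the key lines, fits the new key into the old slot by trimming or padding its comment field, and refuses when the key body itself does not fit. The sample image and both keys are constructed (they are not valid keys and not the unit's). This preserves the file layout only; it does nothing about the second ISO/integrity check the post reports failing.

```python
"""Length-preserving ssh-rsa key replacement inside a binary image
(added example, constructed sample data)."""
import re

# An authorized_keys-style line: type, base64 body, optional comment.
_KEY_RE = re.compile(rb"ssh-rsa [A-Za-z0-9+/=]+(?: [^\r\n\x00]*)?")

# Constructed: some binary, one key line, some padding. Not a real key.
SAMPLE_IMAGE = (
    b"\x00\x01" * 8
    + b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0dummyoldkey== vendor@build\n"
    + b"\x00" * 16
)
# Constructed replacement; the real one would come from ssh-keygen.
NEW_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnewkey0000== me@laptop"


def find_keys(blob):
    """(offset, raw line) for every ssh-rsa key line in the image."""
    return [(m.start(), m.group(0)) for m in _KEY_RE.finditer(blob)]


def fit_key(new_key, length):
    """Return new_key adjusted to exactly `length` bytes by trimming or
    padding its comment; raise if "ssh-rsa <body>" alone is too long."""
    parts = new_key.split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    body = b" ".join(parts[:2])
    comment = parts[2] if len(parts) == 3 else b""
    room = length - len(body)
    if room < 0:
        raise ValueError("key body is %d bytes, slot is only %d" % (len(body), length))
    if room == 0:
        return body
    # one byte for the separating space, the rest for the comment
    return body + b" " + comment[: room - 1].ljust(room - 1, b"_")


def replace_key(blob, new_key, index=0):
    """Overwrite the index-th key line in place; total size is unchanged."""
    keys = find_keys(blob)
    if not keys:
        raise LookupError("no ssh-rsa key found in image")
    offset, old = keys[index]
    fitted = fit_key(new_key, len(old))
    out = blob[:offset] + fitted + blob[offset + len(old):]
    assert len(out) == len(blob), "layout changed"
    return out


if __name__ == "__main__":
    for off, line in find_keys(SAMPLE_IMAGE):
        print("key at 0x%x, %d bytes: %r" % (off, len(line), line))
    patched = replace_key(SAMPLE_IMAGE, NEW_KEY)
    print("patched:", find_keys(patched)[0][1])
```

Run find_keys on the real file first to see how many slots there are and how long each is; a 2048-bit RSA body is about 380 bytes, so a slot that short will not take an ordinary key and the function will say so instead of corrupting the image.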
Do you have an idea how to connect by USB2LAN adapter to uConnect?
Do you know if there are UART pins on the mainboard?
itsJRod said:
(quotes the two posts above in full)
Hello, any news about it?
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
itsJRod said:
I was posting some questions in the "Rooted Jeep Cherokee '14 Uconnect" thread but I've started this new thread for the 17.xx versions because the methods (if we are able to identify them) aren't the same as the 16.33.29 and earlier firmwares...
sofro1988 said:
Hello, any news about it?
I have not had much time to work on this.
I actually had an idea last week that brought me back to this. I plan to use a custom flash drive to present an unmodified ISO for verification, then swap NAND to an identical image that has been hex edited to enable USB Ethernet and add a custom key for SSH access.
I thought to stack a NAND on top of the original on a flash drive, then break out the Chip Enable pin to a switch. I've seen this done by guys modifying game consoles to be able to run modified firmware.
Once the 2nd NAND is in place I will restore an image of the original NAND containing the unmodified update, then hex edit the required portions to allow access after updating.
If this method works, I should be able to pass the verification with the original NAND chip, then switch it (hopefully there's a big enough window to do this by hand) and present the modified NAND before it begins the flash procedure.
Hopefully someone more intimately familiar with the update scripts can verify I'm not missing anything in the process.
Tajadela said:
Hi,
can you explain how to change the SSH key in the "ifs-cmc.bin" file?
Thanks a lot
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
Thanks for the answer.
I saw an SSH key with the hex editor, but I would like to see exactly what you replaced.
If it's not too much trouble, it would be interesting to see the changes you've made in some screenshots.
So we could work on two fronts. The idea of the double NAND is good, but not very simple to build ...
Just thinking out loud here: when you say it passes the initial check, does it then give you any confirmation of that, or any message on the screen, before rebooting to upgrade mode?
SquithyX said:
Just thinking out loud here, when you say it passes the initial check, does it then give you any confirmation of that or any message on the screen before rebooting to upgrade mode?
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
martinb$ file swdl.upd
swdl.upd: ISO 9660 CD-ROM filesystem data 'CDROM'
It contains three more .iso files : installer.iso, primary.iso, and secondary.iso
installer.iso is a CDROM image, but is not mountable on my linux system
primary.iso is a CDROM image, and has the usual /bin, /etc/, and /usr filesystem for an install
the /bin directory has one file - update_nand
the /etc directory has the usual mfgVersiontxt, nand_partion.txt, system_etfs_postinstall.txt, system_mmc_postinstall.txt and version.txt
the /usr/share directory is all the firmware for various components - EQ, HD_FIRMWARE, IFS, MMC_IFS_EXTENSION,OTA,SIERRA_WIRELESS,V850, and XM_FIRMWARE
What's interesting to me is that they did update the SIERRA_WIRELESS firmware -- and have done some housecleaning:
Code:
#---------------------------------
# sierra_wireless_disable_flowcontrol.file
# \d == 1 second delay
SAY " Send AT \n"
'' AT\r
OK \d
SAY "Disable flow control\n"
'' at+ifc=0,0\r
OK \d
SAY "Send SMS command CNMI\n"
'' at+cnmi=2,1,0,1,0\r
OK \d
SAY "Clear emergency number list\n"
'' AT!NVENUM=0\r
OK \d
SAY "Set emergency number to 911\n"
'' AT!NVENUM=1,"911"\r
OK \d
SAY "Save Setting\n"
'' at&w\r
OK \d
#---------------------------------
Also in the IFS directory, when you hexedit the ifs-cmc.bin file it reveals another little treat... an SSH root public key ( not as nice as a private key, but hey )
(Sorry about the formatting, this is cut/paste right out of the hex editor)
Code:
ssh-rsa [email protected]
2E..IwU.Q....njle8r9nrJ7h8atg4WfqswU0C0Rk/Ezs/sQs5ZA6ES82MQONjHBd7mw
uo8h0xfj3KeeSHMXCEBpmU26guNE4EqfvdioLFCDUxtvMYswlUZjsvd/NYz9lnUZg2hy
pwzFQjXgSzmHVrHjkKKvq7Rak/85vGZrJKxlvHnowA8JIl1tVNVQjPMNgDDJabaETtfw
LL1KlvAzI81cKOG/3IRn9lU6qyYqyG+zYoza0nN\..7/AtxdL481k81Go5c3NQTnkl2U
68lbu8CpnwrYCU098owLmxdI4kF5UOL4R61ItJuwz30JSESgT..!8RDgM6XEiHUpK9yW
vvRg+vbGWT/oQn0GQ== [email protected]
in /usr/share/MMC_IFS_EXTENSION/bin/cisco.sh and dlink.sh there's another good hint - what adapter you need for USB ethernet
Code:
#!/bin/sh
# Handle an Ethernet connection via the CISCO Linksys USB300M adapter
or
Code:
#!/bin/sh
# Handle an Ethernet connection via the D-Link DUB-E100 adapter
The static IP it brings up if no DHCP is offered is : 192.168.6.1
There's tons more in there -- like the V850 chip has access to the Sierra Wireless CDMA modem, but can configure it for voice calls through the car speakers:
"AT!AVSETPROFILE=8,1,1,0,5" ( embedded in the cmcioc.bin update file )
secondary.iso is a CDROM image and only has /etc/ and /usr
the /etc/ directory has speech_mmc_preinstall.txt and xlets_mmc1_preinstall.txt
the /usr/ directory has /usr/share/speech and /usr/share/xlets ( tons of information about sensors in the car, etc in xlets )
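The post above finds an OpenSSH public key as plain text inside ifs-cmc.bin, and several posts in this thread ask how that key was located and swapped. The following is an added example of mine, not code from the thread or from the Uconnect update tooling: it scans a blob for authorized_keys-style lines, parses the ssh-rsa wire format to report the modulus size and the OpenSSH SHA256 fingerprint, and performs the same-length in-place replacement that a hex edit does. The sample image, the modulus and the comment are constructed inline; the key layout (type, base64 blob, comment) is assumed from the hex dump in the post. It does nothing about the update's ISO verification, which the thread reports rejecting a modified swdl.upd.

```python
"""Find, fingerprint and swap OpenSSH public-key lines in a firmware blob.

Added example, not part of the thread or of any vendor tooling. The sample
image below is constructed; the modulus is synthetic, not a real key.
"""
import base64
import hashlib
import re
import struct

# One authorized_keys-style line: key type, base64 blob, optional comment
# (comment runs to newline or NUL, which is how it sits inside a binary image).
KEYLINE_RE = re.compile(
    rb"(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d{3}) ([A-Za-z0-9+/=]+)(?: ([^\r\n\x00]*))?")


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    # RFC 4251 mpint: big-endian with a leading 0x00 when the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, pos: int):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _parse_wire(wire: bytes) -> dict:
    ktype, pos = _read_string(wire, 0)
    info = {"type": ktype.decode()}
    if ktype == b"ssh-rsa":                      # string e, string n
        e, pos = _read_string(wire, pos)
        n, pos = _read_string(wire, pos)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def make_keyline(n: int, e: int, comment: bytes) -> bytes:
    """Build an 'ssh-rsa <base64> <comment>' line from raw RSA parameters."""
    wire = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return b"ssh-rsa " + base64.b64encode(wire) + b" " + comment


def find_ssh_pubkeys(image: bytes) -> list:
    """Every parseable public-key line in the blob, with offset and fingerprint."""
    found = []
    for m in KEYLINE_RE.finditer(image):
        try:
            wire = base64.b64decode(m.group(2), validate=True)
            info = _parse_wire(wire)
        except (ValueError, struct.error):
            continue                             # base64-looking bytes that are not a key
        if info["type"].encode() != m.group(1):
            continue                             # text prefix and wire header disagree
        info["offset"] = m.start()
        info["comment"] = (m.group(3) or b"").decode(errors="replace").strip()
        # OpenSSH fingerprint: base64(sha256(wire blob)) without '=' padding.
        digest = base64.b64encode(hashlib.sha256(wire).digest()).decode().rstrip("=")
        info["fingerprint"] = "SHA256:" + digest
        found.append(info)
    return found


def replace_pubkey_in_place(image: bytes, old_line: bytes, new_line: bytes) -> bytes:
    """Overwrite one key line without moving anything else in the image.

    The line must not grow: an offset-addressed image breaks if later bytes
    shift. A shorter line is padded with spaces, which sshd reads as comment.
    """
    off = image.find(old_line)
    if off < 0:
        raise ValueError("old key line not present")
    if len(new_line) > len(old_line):
        raise ValueError("replacement is longer than the original line")
    new_line = new_line.ljust(len(old_line), b" ")
    return image[:off] + new_line + image[off + len(old_line):]


# Constructed stand-in for a slice of ifs-cmc.bin: filler, a decoy, one real-format key.
SAMPLE_N = (1 << 1023) | 0x3039              # 1024-bit synthetic modulus
SAMPLE_KEYLINE = make_keyline(SAMPLE_N, 65537, b"root@uconnect-example")
SAMPLE_IMAGE = (b"\x00" * 64 + b"junk ssh-rsa AAAA not-a-key\n"
                + SAMPLE_KEYLINE + b"\n" + b"\xff" * 32)

if __name__ == "__main__":
    for key in find_ssh_pubkeys(SAMPLE_IMAGE):
        print(key)
```

Run it against a real image with `find_ssh_pubkeys(open("ifs-cmc.bin", "rb").read())`; the fingerprint it prints is what `ssh-keygen -lf` shows for the same key, so you can tell which of your own keys a replacement came from. The decoy line in the sample is there to show that the scanner rejects base64-looking text that is not a key.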
martinbogo1 said:
I tried much the same thing -- the swdl.upd is another CDROM filesystem:
Have you tried connecting to it?
sofro1988 said:
Have you tried connecting to it?
I managed to connect with the Cisco adapter (USB/Ethernet), but I don't know the root password. Is the problem insurmountable at the moment?
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
martinbogo1 said:
Using a cisco connector, I have gotten the ethernet to come up, but that's it. At the moment, there doesn't seem to be anything I can connect to.
@Tajadela - sounds like you at least were able to either SSH or telnet in to a port... I'm on software version 17.43.01 .. which are you on, and what year vehicle? ( Jeep Grand Cherokee, 2015, Uconnect 8.4AN with the 3G Sierra Aircard modem for Sprint )
I connected via telnet on a Uconnect 6.5 with firmware 15.xx.xx. You can connect to Uconnect with the static IP it brings up if no DHCP is offered: 192.168.6.1
itsJRod said:
I used a hex editor to find the SSH RSA key and replace it. This passed the initial check to reboot into update mode, but wouldn't pass the full check in update mode. I'm hoping my attempt below will pass that check and still update with the modifications.
After the RSA key is replaced, did you have to recalculate the checksum of the UPD file?
Did you replace the first 64 bytes of the file?
Thanks
@itsJRod, would you like to explain the procedure to replace the RSA key in the swdl file? Thank you
Hello,
have you made any progress? I am a bit lost. I put the EU Uconnect MY15 into a US Dodge Charger MY16 and Perf Pages were working fine even on 16.16.13, but after upgrading to 17.x (17.46.0.1 right now) I am running into the problem of an expired subscription (which is not possible to have on an EU radio).
I am considering basically three solutions:
a) going back to the US radio, but modifying the language pack/nav/FM frequencies (it is doable, but I do not know how, although I can pay for it relatively less than the time invested)
b) downgrading to 16.16.13 - I have no clue how to do it; I tried to put swdl.upd with swdl.iso and installer.iso, with no luck of course.
c) taking xlets from KIM2/ of 16.16.13 to KIM23 of the 17.46.0.1 secondary.iso - this is probably the preferred way, but I do not know how to make it pass ISO validation.
Of course root on Uconnect is extremely nice to have, but I will be fully satisfied with Perf Pages working again.
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (it was running the 17.11.07 software that got pushed to me OTA-style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
I was told to do the 18.45 update, which I got from driveuconnect.com, but this has essentially bricked my radio with the "bolo update failed" error and it is looping continuously.
I have tried many ways to modify the update software's manifest.lua script to try to get rid of the Sierra Wireless portion by manually editing, hex editing, etc., but always get the "please insert the USB card" screen.
Uconnect is obviously completely worthless at helping me and the dealer wants me to pay them money to tell me what I already know. I know I can pay 300 and send my radio to infotainemnt.com to get it repaired, but I would like to solve this on my own if possible, because I would like to further modify the software to make it more custom and unique.
From my reading the 17.x version keeps you from downgrading to a version that can be hacked easily.
Everything seems like it should be pretty straightforward as I have a lot of experience in programming and embedded devices.
It seems they are validating the ISOs using some mechanism; I believe I have tried all of the tricks/methods.
I have searched the code to see if I can find the ISO MD5 or SHA256 hashes that ioc_check is probably using to figure out I changed something, but nothing works.
I have even tried swapping the flash drives after validation, but it seems they are using the ISOs they already copied to continue the process; I then end up getting some invalid errors or the update just crashes out.
I got other updates from the link: http://www.mydrive.ch/
username: [email protected]
Password: gasolio
Haven't tried all of them yet, but pretty sure they won't work, due to the 17.x security changes.
Any help would be appreciated greatly; I really don't want to shell out any cash for something a company told me to do, and due to their screw-up with bricking modems, this is now bricking my radio.
Thanks to all in advance!!!
djmjr77 said:
Hello.
I'm hoping the community can help me out. I have a RAM 1500 with the RA4 (it was running the 17.11.07 software that got pushed to me OTA-style a couple of years ago). Since then: problems, radio turn-on delay, no GPS and a cellular phone warning popup.
Just to follow up for anyone who reads this in the future.
I was able to get my Uconnect working again a few minutes ago.
As my previous post stated, I got stuck in the "bolo update failed" loop.
I downloaded the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in my previous comment.
I did the S-byte hex mod to the swdl.iso file and loaded it and the swdl.upd file on a thumb drive. Used HxD on Windows. Followed the section in the Uconnect exploitation PDF:
https://www.google.com/url?sa=t&source=web&rct=j&url=http://illmatics.com/Remote%2520Car%2520Hacking.pdf&ved=2ahUKEwjZsOGNl5nyAhWhGVkFHZy2AnAQFnoECAcQAg&usg=AOvVaw0NAi3a1eh-IRd3n1VHv-ys
When I plugged it in, it started the update process; after the first unit, the screen said the Uconnect had to restart, please wait..
And voilà, my radio worked again!!! It even says it has the 18.45 firmware on it.. go figure.. Navigation still does not work, but that's most likely because the Sierra Wireless card is bad.
I cannot say for sure the S-byte thing did anything, because I'm not messing with this anymore; I almost had to buy a new radio.
I would say try it without, then with it if it doesn't work.
This could also be a fluke with my particular unit, but at least it's something else to try rather than paying 600+ dollars!!
Good luck to anyone else who goes through this mess!!!
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
I created an account just to reply to this, and all I have to say is you're literally an absolute life saver. I've been working on this every day for two weeks now, trying every trick people suggested, every USB, every format, every version, and nothing ever worked for me. Uconnect support was absolutely no help; it was a lot of back-and-forth finger pointing and "no, you need to reach out to this person" between them and the dealership. The dealership tried to charge me for a Proxy Alignment when I asked to just update my damn radio stuck in this loop.
I have a 2015 Jeep Cherokee 8.4AN VP4 NA head unit 68238619AJ. I was updating from 17.11.07 to 18.45.01 and got stuck at step 11 at 1%, would get a failed Sierra Wireless every time, and then got into that "bolo update failed" loop. Well, to fix it just now, all I did was download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe update from the URL posted in the previous comment, quick format a 16GB Micro Center USB to FAT32, extract the files from 16.33.29 to the USB with 7-Zip, plug it in like normal, and BOOM, it ran the first step, restarted, and I had a working radio again showing update 18.45.01.
(So I'm assuming you don't have to do the S-byte thing; I didn't even mess with it. I just used 16.33.29 to bypass step 11, since that version only has 14 steps and 18.45.01 was already preloaded from attempting before. My navigation still has the wrong address, but I don't care about all that; just thankful to have my radio back before my wife killed me for trying to update it by myself.)
I hope this helps someone else one day, because it took some deep research and hours on hours of forum hopping to finally find the solution. <3
djmjr77 said:
Just to follow up for anyone who reads this in the future.
I was able to get my uconnect working again a few minutes ago.
Do you have another link to download the UCONNECT_8.4AN_RA4_16.33.29_MY16.exe files? I am trying to help a friend of mine they way this helped me. Thank you again for this!
OOPS!
You were following guides on XDA, throwing random commands into ADB from the posts under the guides (DON'T DO THIS!), and now your slick new ROG Phone 2 has no mobile data, calls, wifi or bluetooth. You quickly find out that flashing the phone with any firmware, old or new, doesn't help, because the problem is in the per-device radio data on your phone (what a QCN backup holds), not in the firmware images.
I quickly found that I needed a QCN file from someone with a ROG 2, but I could not get any help here on XDA except from the user Greatuser123, who did not want to give out his QCN file (understandably) but did send me some notes to help with other tools.
With nothing working and no QCN file, I ordered another ROG 2 and waited for it in the mail. When it arrived I extracted its QCN file, replaced the IMEIs in it with my own, and used QPST to restore my phone.
I am writing this guide with that generic QCN file, with my info masked out, so no one has to go through what I went through.
Common issue
This most commonly happens on ROG 2 phones after running these commands:
DO NOT RUN THESE COMMANDS UNLESS YOU KNOW WHAT YOU ARE DOING!
(spaced command to ensure no one runs this!)
fastboot erase modem st 1
fastboot erase modem st 2
On most phones these partitions are rebuilt on the next reboot, but not on most ROGs.
Prerequisites
Rooted Phone
QPST
Qualcomm USB drivers
IMEI Converter
Platform Tools
The Fix
Follow the root video linked above, or find the root thread for your phone here on XDA, and root your phone. This will not work unless you are rooted, although I do not know how you would get into this mess without your phone being rooted already.
Install QPST tools
Install Qualcomm USB drivers
Download the attached zip "good_qcn.zip" and extract the .QCN file anywhere on your machine
Open the .QCN file with any hex editor (I used HxD) and search for the hex values: 08 3A 85 99 99 99 99 99 99
NOTE: There will be TWO locations with this value. It is the masked IMEI 358999999999999 as the modem stores it: a length byte 08, then the 15 digits packed two per byte with the low nibble first and a 0xA marker in front of the first digit. This is where your IMEI_1 and IMEI_2 go: IMEI_2 goes into the FIRST occurrence, IMEI_1 into the SECOND.
Download the IMEI Converter app, type in your IMEI_1 and click "Convert"; paste the converted hex output into Notepad or similar.
Do the same for your IMEI_2 and put it in the same place.
Now that you have the hex version of both your IMEIs, paste your IMEI_2 over the FIRST occurrence of the fake IMEI in the QCN file.
Paste your IMEI_1 over the LAST occurrence of the fake IMEI and save your new .QCN file. Overwrite the nine bytes in place (overwrite mode in HxD, not insert) so the file length does not change; inserting bytes shifts everything after them and corrupts the backup.
Ensure your device is in USB Debugging Mode.
Download and extract the Platform Tools if you do not have them already.
Plug your phone into your computer using either port
Navigate to your extracted Platform Tools and in a Command Line type "adb devices" to ensure your device is visible.
Run a shell with "adb shell" and elevate your permission with "su"
Now it is time to enable Diag mode by running "setprop sys.usb.config rndis,diag,adb"
At this point, if you installed the Qualcomm drivers, Device Manager should show a port similar to "Qualcomm HS-USB Diag". If not, re-run the setprop command to enter diag mode again and make sure the drivers are correct.
Open up "QPST Configuration" which was installed earlier. You should see your phone listed under "Active Phones". Click "Start Clients" -> "Software Download"
The Port field of the QPST Software Download should list your phone, if not something is wrong.
Click "Restore", and in the xQCN field, click "Browse", change the file type from XQCN to QCN, and select your newly made QCN file
Click "Start", and once the process is done, restart your phone
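The hex-editing part of the procedure above (convert each IMEI, then overwrite the two placeholder records) is easy to get wrong by hand. The following is an added example of mine, not the guide's IMEI Converter app or any Qualcomm tool: it encodes a 15-digit IMEI into the 9-byte layout the modem's NV storage uses, checks the Luhn digit first so a typo cannot be written, and patches both records in a QCN image in place (first occurrence gets IMEI_2, second gets IMEI_1, as the guide says). The nibble layout is an assumption I verified against the guide's own search pattern, which decodes to the masked IMEI 358999999999999; the sample QCN bytes and the two IMEIs are constructed, not real devices.

```python
"""Encode IMEIs the way Qualcomm NV stores them and patch a QCN backup in place.

Added example; not the guide's tool. The record layout below (length byte,
digits two per byte low nibble first, 0xA marker before digit 1) is assumed
and matches the guide's search pattern 08 3A 85 99 99 99 99 99 99.
"""

# Bytes the guide tells you to search for; decodes to the masked IMEI 358999999999999.
PLACEHOLDER = bytes.fromhex("083a85999999999999")


def luhn_check_digit(body14: str) -> int:
    """Check digit for the first 14 IMEI digits (Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == int(imei[14]))


def encode_imei_nv(imei: str) -> bytes:
    """15-digit IMEI -> 9-byte NV record (the guide's 'IMEI Converter' step)."""
    if not imei_is_valid(imei):
        raise ValueError(f"{imei!r} is not a Luhn-valid 15-digit IMEI")
    d = [int(c) for c in imei]
    rec = bytearray([0x08, (d[0] << 4) | 0x0A])      # digit 1 above the 0xA marker
    for lo, hi in zip(d[1::2], d[2::2]):             # digit pairs (2,3), (4,5) ... (14,15)
        rec.append((hi << 4) | lo)
    return bytes(rec)


def decode_imei_nv(rec: bytes) -> str:
    """Inverse of encode_imei_nv; use it to verify what a record really says."""
    if len(rec) != 9 or rec[0] != 0x08 or (rec[1] & 0x0F) != 0x0A:
        raise ValueError("not an NV IMEI record")
    digits = [rec[1] >> 4]
    for b in rec[2:]:
        digits.extend((b & 0x0F, b >> 4))
    return "".join(str(x) for x in digits)


def patch_qcn(qcn: bytes, imei_1: str, imei_2: str) -> bytes:
    """Overwrite the two placeholder records; the file length never changes."""
    offsets, pos = [], qcn.find(PLACEHOLDER)
    while pos != -1:
        offsets.append(pos)
        pos = qcn.find(PLACEHOLDER, pos + len(PLACEHOLDER))
    if len(offsets) != 2:
        raise ValueError(f"expected exactly 2 placeholder records, found {len(offsets)}")
    out = bytearray(qcn)
    # Guide's ordering: FIRST occurrence takes IMEI_2, SECOND takes IMEI_1.
    for off, imei in zip(offsets, (imei_2, imei_1)):
        out[off:off + len(PLACEHOLDER)] = encode_imei_nv(imei)
    return bytes(out)


# Constructed stand-in for good_qcn.qcn: filler around the two placeholder records.
SAMPLE_QCN = b"\x00" * 16 + PLACEHOLDER + b"\xff" * 32 + PLACEHOLDER + b"\x00" * 8

if __name__ == "__main__":
    # Both IMEIs below are constructed, Luhn-valid examples, not real devices.
    patched = patch_qcn(SAMPLE_QCN, imei_1="490154203237518", imei_2="356938035643809")
    for off in (16, 16 + 9 + 32):
        rec = patched[off:off + 9]
        print(hex(off), rec.hex(), decode_imei_nv(rec))
```

To use it on the real file, read good_qcn.qcn into bytes, call `patch_qcn` with your two IMEIs, and write the result to a new file; `decode_imei_nv` on the nine bytes at each offset confirms the edit before you hand the file to QPST.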
Conclusion
If all went well, your phone should now have all its bells and whistles again. Sometimes it may require a Factory Reset, and this should always be the practice anyways. If you have mobile data, but only H+ or EDGE, dial *#*#4636#*#* on your phone and ensure LTE is provisioned.
Good luck guys!
Special thanks to: Greatuser123 for helping when no one else would, and HomerSp for his many useful guides that some tools and knowledge was borrowed from.
Hi bro, nice to meet you. I did my best to help you out, as I spent some stress on this when I was one of the first people who suffered this issue, and gladly you solved it. Bro, you misunderstood badly about me not wanting to give you the QCN: I was going to give you my QCN file, but first I was asking you for some proof, a photo of the same phone as mine and the package, to know that you were not going to change or edit it badly (doing mischievousness). As you never sent the proof, I did not send the QCN file. You can recheck your messages. Bro
Thank you very much for this, life saver.
My wifi and bluetooth work fine but I cannot get my mobile to power back on. When I go into the menu, mobile power is just not there :/
Do you have the global or the CN version?
BlazingBullets said:
Thank you very much for this, life saver.
My wifi and bluetooth work fine but I cannot get my mobile to power back on. When I go into the menu, mobile power is just not there :/
Do you have the global or the CN version?
This QCN came from a global device, but I imagine this could be used to recover the mobile at least temporary to fully fix the device, no matter the origins.
Sorry for the delay.
Greatuser123 said:
Hi bro, Nice to meet you and I did my best to help you out, as I spent some stress on this when I was one of the first people that suffered with this issue. And gladly you solved it, bro you misunderstood badly about I did not want to give you the qcn, I was going to give you my qcn file but first I was asking to you for some proof , photo of same phone as me and the package to know that you are not going to change or edit badly ( doing mischievousness) as you never sent the proof I did not send the qcn file.. you can re check again your messages. Bro
No no, please do not think I meant you by that. It was other users (understandably) that questioned my motives before you. I absolutely would have taken you up on your offer if I did not already have the phone on the way Either way, I really appreciate your help during this, and I hope you continue to help other users the same way you did for me.
decrypterfixer said:
This QCN came from a global device, but I imagine this could be used to recover the mobile at least temporary to fully fix the device, no matter the origins.
Sorry for the delay.
After a lot of heartache and even making an EDL cable, I could not get the cell network back. I've sent it in to ASUS to get fixed. I have made a few backups and will diff them when I get my device back, so hopefully I can see what they fixed so others don't have to experience this.
BlazingBullets said:
After a lot of heartache and even making an EDL cable, I could not get the cell network back. I've sent it in to ASUS to get fixed. I have made a few backups and will diff them when I get my device back, so hopefully I can see what they fixed so others don't have to experience this.
I can help u
Well done mate you will be a hero someday haha good job ?
Leevii2208 said:
I can help u
Please provide your support openly here and not via social media!
I've edited your post; please refer to https://forum.xda-developers.com/oneplus-5t/how-to/telegram-chat-channels-forward-t3765018
Not working.
Thanks, but it's not working, or I did something wrong. I wrote (changed my IMEI, two ways: yours and another program) and posted the new "good.qcn" (I see "finished" in QPST Software). I restarted the phone but nothing changed. I think the phone document is just "read-only".
I want redmagic 3 qcn file
good job bro
Does it work for the ROG Phone 3?
I can't find that hex
Hello friends, 08 3A 85 99 99 99 99 99 99 not found, please help me.
Hi, perfect post friend. I'm trying to back up the qcn of my Rog Phone 3, but when I try it says Status: Memory Backup Failed and Errors: Disk Error while writing to file. Any solution to this? I appreciate your help.
decrypterfixer said:
OOPS!
You were following guides on XDA, and throwing random commands in ADB from the posts under the guides (DON'T DO THIS!), and now your slick new ROG phone 2 doesn't have mobile data, calls, wifi, or bluetooth. You quickly find out that flashing the phone with any firmware, old or new, doesn't help you, as this issue is directly linked to the chip in your phone.
I quickly found that I needed a QCN file from someone with a rog 2 phone, however I could not get any help here on XDA except from the user Greatuser123, who did not want to give out his QCN file (understandably), but did send me some notes to try and help with other tools.
With nothing working, and no QCN file, I ordered another ROG 2 and waited for it in the mail. After it got here, I quickly extracted the QCN file, replaced the IMEIs in it, and used QPST to restore my phone.
I am simply writing this guide with the generic QCN file with my info masked out of it, so no one has to go through what I went through.
Common issue
This most commonly happens with ROG 2 Phones from the commands:
DO NOT RUN THESE COMMANDS UNLESS YOU KNOW WHAT YOU ARE DOING!
(spaced command to ensure no one runs this!)
On most phones these partitions would be restored on reboot, but not on most ROGs.
Prerequisites
Rooted Phone
QPST
Qualcomm USB drivers
IMEI Converter
Platform Tools
The Fix
1. Follow the above root linked video, or find the root thread for your phone here on XDA, and root your phone. This will not work unless you are rooted, although I do not know how you would get into this mess without having your phone rooted already.
2. Install QPST tools
3. Install Qualcomm USB drivers
4. Download the attached zip "good_qcn.zip" and extract the .QCN file anywhere on your machine
5. Open the .QCN file with any Hex Editor (I used HxD) and search for the Hex-Values: 08 3A 85 99 99 99 99 99 99
NOTE: There will be TWO locations with this value. This is where your IMEI_1 and IMEI_2 will go. Your IMEI_2 goes into the FIRST occurrence, while your IMEI_1 goes in the second.
6. Download the IMEI Converter app and type in your IMEI_1 and click "Convert", place the converted hex output into a notepad or similar
7. Do the same for your IMEI_2 and place it in the same location
8. Now that you have the HEX version of both your IMEIs, paste your IMEI_2 in the FIRST occurrence of the fake IMEI in the QCN file
9. Paste your IMEI_1 in the last occurrence of the fake IMEI and now save your new .QCN file.
10. Ensure your device is in USB Debugging Mode.
11. Download and extract the Platform Tools if you do not have them already.
12. Plug your phone into your computer using either port
13. Navigate to your extracted Platform Tools and in a Command Line type "adb devices" to ensure your device is visible.
14. Run a shell with "adb shell" and elevate your permission with "su"
15. Now it is time to enable Diag mode by running "setprop sys.usb.config rndis,diag,adb"
16. At this time, if you installed the Qualcomm Drivers, your device manager should have a port similar to "Qualcomm HS-USB Diag". If not, keep trying to re-enter diag mode and ensure the drivers are correct.
17. Open up "QPST Configuration" which was installed earlier. You should see your phone listed under "Active Phones". Click "Start Clients" -> "Software Download"
18. The Port field of the QPST Software Download should list your phone; if not, something is wrong.
19. Click "Restore", and in the xQCN field, click "Browse", change the file type from XQCN to QCN, and select your newly made QCN file
20. Click "Start", and once the process is done, restart your phone
Conclusion
If all went well, your phone should now have all its bells and whistles again. Sometimes it may require a Factory Reset, and this should always be the practice anyway. If you have mobile data, but only H+ or EDGE, dial *#*#4636#*#* on your phone and ensure LTE is provisioned.
Good luck guys!
Special thanks to: Greatuser123 for helping when no one else would, and HomerSp for his many useful guides, from which some tools and knowledge were borrowed.
I tried it through to the finish, but when I check, I have lost my wifi MAC address (status unavailable) and my IMEI is still unknown. And now I want to retry, but I'm stuck at the QPST Configuration application at step 17: it sometimes detects the phone, sometimes doesn't, so I can't continue to click "Start Clients" (checked in device manager, nothing wrong). Can you help me?
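The guide quoted above has you overwrite two IMEI records in the QCN by hand, and the reply shows how easy it is to end up with an edit that did not take. As an added example (not code from the thread, QPST or the IMEI Converter app), this Python script scans a QCN/NV dump for records in the layout inferred from the placeholder 08 3A 85 99 99 99 99 99 99 (a length byte, then nibble-swapped BCD tagged with an 0xA nibble), decodes and Luhn-checks them, and verifies the IMEI_2-first, IMEI_1-second ordering, so an edited file can be checked before QPST restores it. The record layout, the sample record and the sample dump are assumptions constructed for the example.

```python
"""Added example: verify IMEI records in an edited QCN dump before it is restored.
Layout inferred from the guide's placeholder 08 3A 85 99 99 99 99 99 99:
[0x08][d1<<4 | 0xA][d3<<4 | d2] ... [d15<<4 | d14] (nibble-swapped BCD)."""
from __future__ import annotations

PLACEHOLDER = bytes.fromhex("083A85999999999999")   # decodes to 358999999999999
# Constructed sample record for the well-known test IMEI 490154203237518.
SAMPLE_RECORD = bytes.fromhex("084A09512430325781")
# Constructed dump: filler, untouched placeholder, filler, sample record, filler.
SAMPLE_BLOB = b"\x00\xff\x13\x37" + PLACEHOLDER + b"\x01\x02" + SAMPLE_RECORD + b"\x08\x0b\xee"

def decode_imei_record(rec: bytes) -> str | None:
    """Decode one 9-byte record to a 15-digit string, or None if malformed."""
    if len(rec) != 9 or rec[0] != 0x08 or rec[1] & 0x0F != 0x0A:
        return None
    digits = [rec[1] >> 4]
    for b in rec[2:]:
        digits.extend((b & 0x0F, b >> 4))   # low nibble holds the earlier digit
    if any(d > 9 for d in digits):         # a non-BCD nibble means this is not a record
        return None
    return "".join(str(d) for d in digits)

def luhn_ok(imei: str) -> bool:
    """IMEI check digit: Luhn over all 15 digits must sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_imei_records(blob: bytes) -> list[tuple[int, str, bool]]:
    """(offset, imei, luhn_ok) for every well-formed record; the pattern is short,
    so the Luhn flag is what separates real records from random bytes."""
    hits = []
    for off in range(len(blob) - 8):
        imei = decode_imei_record(blob[off:off + 9])
        if imei is not None:
            hits.append((off, imei, luhn_ok(imei)))
    return hits

def check_edited_qcn(blob: bytes, imei_2: str, imei_1: str) -> list[str]:
    """Guide's rule: first record = IMEI_2, second = IMEI_1. Empty list = consistent."""
    problems = []
    if PLACEHOLDER in blob:
        problems.append("placeholder IMEI 358999999999999 still present")
    recs = find_imei_records(blob)
    problems += [f"Luhn check failed for {imei}" for _, imei, ok in recs if not ok]
    found = [imei for _, imei, _ in recs]
    if found != [imei_2, imei_1]:
        problems.append(f"records {found} != expected [IMEI_2, IMEI_1] {[imei_2, imei_1]}")
    return problems
```

Run `check_edited_qcn(open("your.qcn", "rb").read(), IMEI_2, IMEI_1)` on the saved file; an empty list means both placeholders were replaced, in the order the guide specifies, with Luhn-valid values.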
sure which device rog 2 or 3?
gjkhan said:
sure which device rog 2 or 3?
Uhhg, that's an issue; just download Visual C++ Redistributable 2010 SP1 x86 and it should be fine.
gjkhan said:
sure which device rog 2 or 3?
Rog2. The port keeps blinking when in QPST Tools; sometimes it is detected, sometimes not, so I can't copy the qcn to the phone. And also I don't know what's wrong with the qcn; I followed the instructions, but it doesn't work.
hmmm use another pc or cable.
gjkhan said:
hmmm use another pc or cable.
Tried it, but the problem still persists.
While trying to install a Custom ROM, all went wrong with a hard bricked Redmi Note 8T as result.
Have been able to revive the phone in EDL mode (Test Points method). Now running again on MIUI Global 12.5.5 (RCXEUXM).
However, the IMEI's are nulled, can't activate a SIM card. Only WiFi works.
A first, essential step in the process to repair the IMEI's, is to open the diag mode. Found a few methods, but none of these methods work.
Not via *#*#717717#*#* (Open diag failed), not via adb devices // adb shell // su // setprop sys.usb.config diag,adb (Permission denied).
The phone is rooted with Magisk; recovery OrangeFox.
Does anyone have a helpful suggestion how to proceed?
Follow-on: Meanwhile, I've been able to open the Diag-mode. Apparently, one or two switches in Magisk had masked the rooting of the phone.
Now on to editing the qcn-file with the correct IMEI's. First, I have to figure out the location of the two IMEI's, and then to correct these into the correct values.
To be continued...
gjongbloed said:
While trying to install a Custom ROM, all went wrong with a hard bricked Redmi Note 8T as result.
Have been able to revive the phone in EDL mode (Test Points method). Now running again on MIUI Global 12.5.5 (RCXEUXM).
However, the IMEI's are nulled, can't activate a SIM card. Only WiFi works.
A first, essential step in the process to repair the IMEI's, is to open the diag mode. Found a few methods, but none of these methods work.
Not via *#*#717717#*#* (Open diag failed), not via adb devices // adb shell // su // setprop sys.usb.config diag,adb (Permission denied).
The phone is rooted with Magisk; recovery OrangeFox.
Does anyone have a helpful suggestion how to proceed?
Follow-on: Meanwhile, I've been able to open the Diag-mode. Apparently, one or two switches in Magisk had masked the rooting of the phone.
Now on to editing the qcn-file with the correct IMEI's. First, I have to figure out the location of the two IMEI's, and then to correct these into the correct values.
To be continued...
I have had the same problem with my previous Redmi Note 3. And I tried so many ways to re-write the IMEI number. Finally I found a little software on the net, and using my computer I was able to re-write the IMEI number to the phone. It was a long time back, so I don't remember the exact name of the software. It was something like IMEI writer (root). Connected the phone, which was also rooted. Then opened the software on my PC and the software asked for superuser access, which I granted on the phone. Then from the PC, using the software, I entered the IMEI numbers for both sim1 & 2, applied, then rebooted the phone. After reboot, the phone detected the simcards and the IMEI were back.
chris5k said:
I have had the same problem with my previous Redmi Note 3. And I tried so many ways to re-write the IMEI number. Finally I found a little software on the net, and using my computer I was able to re-write the IMEI number to the phone. It was a long time back, so I don't remember the exact name of the software. It was something like IMEI writer (root). Connected the phone, which was also rooted. Then opened the software on my PC and the software asked for superuser access, which I granted on the phone. Then from the PC, using the software, I entered the IMEI numbers for both sim1 & 2, applied, then rebooted the phone. After reboot, the phone detected the simcards and the IMEI were back.
My current problem: I can find a .qcn file and have to edit it with the proper IMEI's. Found a Qualcomm IMEI Rebuilder tool, but that tool doesn't work. With a Hex-editor it is difficult to find the proper location. Found the location of one IMEI and then saved the file with a different name. Loading that file into the Rebuilder tool indeed shows (one) correct IMEI. Have installed that file with QFIL, but when I check with *#06#, it shows a completely different IMEI...
Meanwhile, I've searched for IMEI write (root). Found IMEI Tools (ROOT)_1.4_apkcombo.com.apk.
Proved incompatible with my phone.
Then found qualcomm-smartphone-write-imei-tool-v1.01.apk
Tried that out, but couldn't establish communication with the diag-COMport.
In fact, I can't activate the diag mode any longer... Tried and re-tried, but all in vain.
When I enter the last command ('setprop .... etc.), communication via the USB port is also stopped. Re-establishing that doesn't make a difference. No COMport appearing in device manager or in QFIL...
You need special tools like UMT or Hydra to write Note 8 imei
engage4 said:
You need special tools like UMT or Hydra to write Note 8 imei
UMT works with dongle? Price?
I tried Hydra, but got a Trojan Horse warning, and therefore broke off installation.
Umt needs dongle.
First restore original qcn(unedited) then try flashing ENG firmware.
!! I am not responsible if anything wrong happens with your phone.