HELP with G4 Unlocking project!!!! - G4

It was suggested in this thread that those unlocking their Wizard devices through IMEI Check, download USB-Monitor (available HERE free for 30 days as shareware) and run it BEFORE RUNNING THE IMEI CHECK SOFTWARE ON THEIR DEVICE!
Then post the results to the FORUM.
I propose that we use this thread to do that, so a SIMPLE AND FREE unlock method can be found!
Before you start in on me about taking one for the team, I PAID TO UNLOCK MY G3 WITH IMEI CHECK TOO! (And if I'd have known I could have helped by doing this, I would have!)
I feel it would be an excellent way to repay the entire wizard community for their wonderful time and effort!
And NO, this is NOT something I'm doing myself, I'm just trying to get the ball rolling!

I will gladly post dumped info after the IMEI Check unlocking procedure, because I think it's too expensive. I'm planning to do this in about two weeks.

blazoner said:
It was suggested in this thread that those unlocking their Wizard devices through IMEI Check, download USB-Monitor (available HERE free for 30 days as shareware) and run it BEFORE RUNNING THE IMEI CHECK SOFTWARE ON THEIR DEVICE!
Then post the results to the FORUM.
I propose that we use this thread to do that, so a SIMPLE AND FREE unlock method can be found!
Before you start in on me about taking one for the team, I PAID TO UNLOCK MY G3 WITH IMEI CHECK TOO! (And if I'd have known I could have helped by doing this, I would have!)
I feel it would be an excellent way to repay the entire wizard community for their wonderful time and effort!
And NO, this is NOT something I'm doing myself, I'm just trying to get the ball rolling!
I have been working on this with another member. I will post my findings later; I also plan to ask for help from 2 members that understand more than me about ROM unlocking logs.

Thanks for taking notice, Faria!
It's some of the discussion about your 3.0.0.0 ROM's that has inspired me to get this started.
I figure the more objective (system provided) information we have, the closer we are to a simple solution.
Looking forward to any findings!

faria said:
I have been working on this with another member. I will post my findings later; I also plan to ask for help from 2 members that understand more than me about ROM unlocking logs.
Hello, mine is CID unlocked, but if you need me to try anything, give me a bell.
I am on G4
SPL/IPL 2.21
Faria RC1 12MB
ExtROM v3
ROM 3.0
Radio 02.47.11

Mine is CID unlocked using the IMEI site:
G4 - i-mate k-jam
IPL/SPL 2.16.0001
ROM Faria RC1 8mb
ExtROM v3
Radio 2.47.11
Happy to help if i can

Not going to work
I just tried to run the IMEI software again while running USB Monitor, but the IMEI software cannot connect to the phone with the monitor program running. I tried 5 times.

Still CID locked here. I plan to unlock as soon as I get done getting all the crumb-snatchers' Xmas shopping done. I will be sure to do what I can to help with logs/etc.

cptcafne said:
I just tried to run the IMEI software again while running USB Monitor, but the IMEI software cannot connect to the phone with the monitor program running. I tried 5 times.
Bad news
Somebody else ?

usb-monitor log file
hello,
I've just unlocked my Wizard device through IMEI Check... and I have a log file from USB Monitor!!
But the file size is over 2MB!

fla242 said:
hello,
I've just unlocked my Wizard device through IMEI Check... and I have a log file from USB Monitor!!
But the file size is over 2MB!
Cool! I was just about to assume that the IMEI Check software checked for usb monitor, etc. and disallowed running the two together.
Can you zip the file and upload it?
If you don't have a zip program, google winzip, or winrar.
If the file is text based, it should zip nicely!
Forgive the spelling, I'm sitting on the side of the road waiting on a tow-truck....

oops!
NIX THAT! DON'T POST YOUR IMEI INFO!!
We'll get in touch and make arrangements!

blazoner said:
NIX THAT! DON'T POST YOUR IMEI INFO!!
We'll get in touch and make arrangements!
That's what i'm tell me

Mine is Locked

Have a look at this thread in order to understand how this was done in the Hermes:
Reverse engineering the HERMES imei-check unlocker
The bootloader commands for the Hermes are explained in these wiki pages, you _really_ need to do something similar for the wizard:
Hermes Bootloader Information
Hermes Radio Bootloader and AT command interpreter
Some hints that may help you:
1. You can run the unlocker as many times as you want, it doesn't matter if you've already cid unlocked your device, the imei-check unlocker will behave the same.
2. In order for the USB monitor capture to be useful, you need to click on the "COMPLETE" tab and when you have captured it, export it as ANSI TEXT.
3. If the app fails (communication error) you need to create 2 admin users, 1 for running usb monitor and the other for running the unlocker. Use right click, "run as..." and then select the other admin user. You need to repeat this process several times until you can successfully get the log.
4. Be careful what you post here, as imei-check has intellectual property rights on their work. Do not "copy" their solution, but reimplement it in another way.

Look, it's not intellectual property, simply because it's a solution around a software lock put on by the manufacturer... this voids the warranty anyway. Post it simply because you can; don't worry about intellectual property.

goldcard
And what about goldcard (http://forum.xda-developers.com/showthread.php?t=270952)? Is it a way to flash without unlocking the CID?

docdoc8 said:
Look, it's not intellectual property, simply because it's a solution around a software lock put on by the manufacturer... this voids the warranty anyway. Post it simply because you can; don't worry about intellectual property.
It's intellectual property simply because it's their solution. DON'T post it, unless you want to be named in their lawsuit! Furthermore, DON'T post it because none of us can afford having xda-developers closed down because they are getting sued!
The trick is that the ultimate solution was designed by HTC. IMEI Check just exploits it.
Therefore, if we can see what IMEI Check is doing, we can find a different way of doing the same thing!
As an example:
IMEI Check rolls a ball by pushing it with a stick, so we blow on it to make it move, or we dig under it to make it roll downhill.
Either way, we can't be accused of doing it the same way they are, but we're still rolling the ball.

If anyone will sue xda-developers, it will not be IMEI Check; it will be HTC or the companies involved in making the phones/MDAs. Remember, it's the company who made the phone G4 so people couldn't mod it.
I doubt IMEI Check has the money for lengthy court costs.
Plus, if you reverse engineer IMEI Check's way of unlocking but change the order of doing it, you're essentially copying them anyway.
Just my opinion.
anyway this site is great, keep up the good work fellas.

Is there a way of checking if your PDA is locked or not?

Related

Cingular 3125 and OMAP Overclocker?

Has anyone gotten the following application running?
Omapclock and Omapclockplusv0.0.4.cab
When I install it I get the following error when the phone powers on.
Initilization Failed. Reason: Can't map I/O.
I also get the error when I attempt to launch Omap Consule.
Thoughts? Suggestions? I e-mailed the creator of the tool, hoping he'll reply. If he does, I'll post the answer here.
JIM
I am having the same problem.
From what I've read on this and various other forums, this is due to the phone not being unlocked.
Unlocked and now OmapOverclocker works!
I downloaded and used this free tool to unlock my 3125. That application error has gone away and I'm running at 240MHz with a noticeable improvement in performance.
As usual, THANK YOU!
Everyone in this forum is always helpful!
JIM
Cool.
Where did you get the unlock tool? Is it a CID unlock, SIM unlock or both?
Unlocker Tool
I do not remember where I got it, forgot to bookmark it.
Here's the file in a .zip format.
JIM
Re: Unlocker Tool
jhrain said:
I do not remember where I got it, forgot to bookmark it.
Here's the file in a .zip format.
JIM
Here's my e-mail address if you have difficulty downloading this unlocker.
jamesrainey[@]sbcglobal.net
Hello,
The unlocker can be downloaded but is empty... Can you post it again? Thanks.
I think this one will work. You must run it from your PC when the phone is connected to ActiveSync. You must change a few registry entries before you do this. Google "qtek 8500 application unlock" and you will find instructions.
(Forum didn't allow me to attach the file, don't know why, but download it using the link below)
http://download.yousendit.com/C266A378100E349F
anyone have this tool anymore?
http://wiki.spv-developers.com/HTC_Application_Unlock_Guide
This is the link to app unlock your 3125. Now my question is: after you get omapclock on your phone, how do you get the settings to stay? You can change it to 240, and if you check back later, the phone will be back to where it was before you changed it.
Bump to the top
I did the app unlock, the regedits, and i got the omapclock to work. But like everyone else, I am having problems with the omapclockplus to keep the overclock after a suspension or turning off. Anyone have a detailed how to??? I have read and re read nearly every thread about this topic. I am coming from a wizard to this strtrek so smartphone is a bit different for me. thanks for the help.
Hi, i would also like to know how to keep the clock speed to stay overclocked after resume.......i've followed the instructions on this website as well as this website
http://www.nicque.com/PQz/OmapClockPlus.htm
but i still cant get it to overclock after resume......i did try the smartskey program and omapclock when i had my wizard but the smartkey program is not compatible for smartphones.......
Hey guys, just found this:
http://www.modaco.com/index.php?automodule=downloads&showfile=1640
Not sure if it'll work though as it's built for a Tornado.
I tried that program. It works, but there is limit to the OC speeds? Anyone know how to hack the program so that you can OC it further?

SE Update Engine

Watching the Sony Ericsson PC Application on a repair today I noticed that it was downloading and installing an update engine.
Maybe I'm day dreaming but I believe this will hold the key to the bootloader issues. This engine should be what's controlling the bootloader while loading to OS image to the Qualcomm chip.
So my hypothesis is that if we can pull this update engine out of the application by removing the rest of the application we can use the tools and UI from any of the DEV or HTC ROM loader applications to control said engine. Basically what we'd be doing is taking their tool and wrapping a new shell around it to control what we need and are legally entitled to make our devices do.
Thoughts?
--------------------------------------------------------------------------------------------------
============================================================================
--------------------------------------------------------------------------------------------------
FOLLOWING TWO PAGES OF YOUR RESPONSES:
Okay guys. The secret to the bootloader is actually inside of the PC Companion application with SEUS. We need to figure out how to wrap a different Windows UI around this. Basically take all the critical guts and use the RUU loader found on device sites like Rhodium, HD2, etc... and only use it's UI. So to get this is there a way to watch in real time what files PC Companion and SEUS are downloading while in the repair stages of operation?
If this is not possible we need to remember that SE develops a lot more Symbian than Android. Some of the chip security could be the same found in those devices. I've included a link that may help guide us. I haven't wrapped my head 100% around this concept but at least I have a strong grasp on solutions!
http://developer.symbian.org/wiki/index.php/What_are_the_product_development_kits%3F
This product development kit is geared towards hardware and if you scroll down some will see details on accessing the Kernel Taster Kit which is a subset of the PDK which enables the creation of new baseports and device drivers. Because SE is probably using a BIOS designed for Symbian this could likely help us with our quest. Or ultimately give us a big FU to Sony and give us Symbian 3^ on our Xperia... so basically one hell of a sweet as Vivaz. The Mini Pro could replicate the Vivaz Pro.
Hey, the idea is nice. But basically that's what was done with X10flash. X10flash is based on SEUS; it takes all the update functions out of SEUS and lets us flash what we want to.
The Problem is that there is no function for flashing the Bootloader.
We have the loader.sin which controls the flashing on phone itself. What is needed is a loader.sin which unlocks Bootloader or or or
So the idea is not bad but was there before And X10flash is the result
Regards
Bin4ry
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
Thol said:
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
Flashing with a DeviceID would be tricky since you need to know what hardware the program should speak with. SEUS probably finds out the ID automatically while we have to find it manually.
then who had work about this problem ?
I want to help him... I want to know what ways have already been searched, so I don't lose my time on these bad ways...
So now I have a question...
If we need to change the bootloader in order to get new roms, then why do Sony not need that?
Another thing: how is the bootloader locked, is it a DES key or what?
I am just trying to understand the problems here...
Sent from my X10i using XDA App
Thol said:
Why does X10flash need the DeviceID, and SEUS not?
I try to find a way to flash without DeviceID... is it a dream too?
SEUS has an automatic detection, but it is tricky to find, because we can only decompile the Java JARs which are located in the plugins folder. If you decompile them you get only function names like a b c d e f g etc., and because of this it's very hard to follow them.
So DeviceID is the minor problem we have, so we don't spend time on automatic detection, as we have a method with decon, grep and cut. (I think this is totally okay for now.) If we finally have a way around the BL we can spend more time making the flashing process with X10flash more cute.
pshdo said:
If we need to change the bootloader in order to get new roms, then why do Sony not need that?
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
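Bin4ry's point above, that flashing is the easy part and the bootloader's per-boot signature check is the real barrier, as an added Python example. This is not code from the thread, from SEUS or from X10flash: it is a toy vendor-signs / bootloader-verifies flow with a deliberately tiny RSA key built from two constructed small primes (104729 and 1299709), so it runs with only the standard library. The key size, the image bytes and the function names are all assumptions for illustration; a real device holds a public key large enough that recovering the matching private exponent is infeasible, which is the point of the 10^27-years remark later in the thread.

```python
"""Added example (not from the thread): why a signed-firmware bootloader
refuses a modified image even when the flashing step itself succeeds.
The RSA key below is INSECURE by design so the block runs offline with
only the standard library; it only illustrates the check, not a real key."""
import hashlib
from dataclasses import dataclass

# Constructed toy key. Two small, well-known primes so the modulus is
# trivially factorable; a real device uses a modulus of 2048+ bits.
P, Q = 104729, 1299709          # hypothetical small primes (the 10,000th and 100,000th)
N = P * Q                       # public modulus, burned into the device
E = 65537                       # public exponent, also on the device
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: exists only at the vendor


@dataclass
class FirmwareImage:
    """A firmware body plus the signature the bootloader will check."""
    body: bytes
    signature: int


def _digest_int(body: bytes) -> int:
    # The signature covers a SHA-256 digest of the image, not the raw bytes.
    # Reducing mod N is only needed because the toy modulus is far smaller
    # than 256 bits; a real scheme pads the digest up to the modulus size.
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N


def vendor_sign(body: bytes) -> FirmwareImage:
    """The vendor's release step: sign the digest with the private exponent D."""
    return FirmwareImage(body, pow(_digest_int(body), D, N))


def bootloader_verify(image: FirmwareImage) -> bool:
    """The bootloader's step, run on every boot with only (E, N) available."""
    return pow(image.signature, E, N) == _digest_int(image.body)


def boot(image: FirmwareImage) -> str:
    """Model of the boot decision: load the image only if the signature holds."""
    if not bootloader_verify(image):
        return "refused: signature mismatch"
    return "booting"


if __name__ == "__main__":
    # Constructed sample image: a genuine release verifies, a one-byte
    # modification of the same body is refused even though it "flashed" fine.
    genuine = vendor_sign(b"constructed firmware body v1.0")
    modified = FirmwareImage(genuine.body + b"\x00", genuine.signature)
    print("genuine :", boot(genuine))
    print("modified:", boot(modified))
```

Swapping the body while keeping the old signature, or re-signing the body with any key other than the vendor's, fails the `pow(sig, E, N) == digest` comparison, so "flash what we want" does not by itself get past the loader; that is why the thread turns from the flashing tools to the loader and its key material.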
Have you tried to switch the X10 BL with another device with the same specs?
Bin4ry said:
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
Any luck on disassembling the BL? If we're insanely lucky then all that sets the retail loader apart from the dev loader is a debug flag or something. It would seem counterintuitive to write a complete separate bootloader just for development when the standard qualcomm should work just fine.
Even if we don't have access to the unsigned loader from SE we could perhaps compare the X10 bootloader with the stock one from Qualcomm's SDK and if those look similar. If the SE one is a modified version of the reference BL we might be able to figure out what bits to flip in order to enable debug-mode.
Bin4ry said:
Because the firmware is signed
The problem is less the flashing. Even if we can flash what we want the Bootloader checks the signature on every boot, so we are running the wrong way to think about altering the flash process. We must look in other areas.
Regards
Bin4ry
So if I understand correct (I probably don't), then the more updates Sony put out, the more likely it is that we can figure out how the lock works ?
All the updates from Sony should pass that lock in order to work, right?
Sent from my X10i using XDA App
Thol said:
Have you tried to switch the X10 BL with another device with the same specs?
Tried and failed (was one of the first things we tried).
ddewbofh said:
Any luck on disassembling the BL? If we're insanely lucky then all that sets the retail loader apart from the dev loader is a debug flag or something. It would seem counterintuitive to write a complete separate bootloader just for development when the standard qualcomm should work just fine.
Even if we don't have access to the unsigned loader from SE we could perhaps compare the X10 bootloader with the stock one from Qualcomm's SDK and if those look similar. If the SE one is a modified version of the reference BL we might be able to figure out what bits to flip in order to enable debug-mode.
Yep, that's what I'm trying. The original Qualcomm one does not load, but we must have some value which can be set on S1Loader, because if you take a look with a simple hex editor you see some normal strings which are about Debug etc.
So feel free to help me by pushing the loader through IDA or something to find a way to do something.
I think if we can manage to find the DBG value we could be lucky and get the S1Loader to switch our normal BL to DEV or DBG mode.
Worth a try
pshdo said:
So if I understand correct (I probably don't), then the more updates Sony put out, the more likely it is that we can figure out how the lock works ?
All the updates from Sony should pass that lock in order to work, right?
Sent from my X10i using XDA App
No, sorry. There is no way to crack the key. It's too hard encoded; with the actual power of computers you will calculate the key in approx. 10^27 years.
Even if you have 1000 updates :/
Regards
Bin4ry
Bin4ry, we believe in your mathematical scientific powers!
Go go go! You will have psychological support from us!!!
Everybody.. support our team !
GO GO crack the boot you can do it ! The people believe in you !!!! I believe in you ! My wife believe in you
We love you man !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Bin4ry said:
No, sorry. There is no way to crack the key. It's too hard encoded; with the actual power of computers you will calculate the key in approx. 10^27 years.
Even if you have 1000 updates :/
Regards
Bin4ry
Thank you for the answer...
Someone has cracked lots of other stuff in the past, e.g. satellite and a lot of other things, so if someone can set up a search engine, perhaps we can all help... it COULD be hard, but no one knows for sure...
But that of course means that we need to know exactly what we are looking for...
Is it kind of a management key or?
Not that I know anything about searching, of course...
Sent from my X10i using XDA App
Hello Binary,
When you try to flash a new boot loader does it check that you're flashing a valid loader or will it let you flash anything you want? And if you were to flash anything you want (even just a whole load of 0s) would that mean that your phone would be destroyed or is there a recovery method? Can you simply write back over it with a good loader?
Also, has anyone read out the SE loader? And if so can it be disassembled? And if that has been done, roughly how many lines of assembly code is it?
Sorry about all the questions but I'm interested in this stuff but it's awkward to find a good starting point.
Sent from my X10i using XDA App

[Q] [ROOT] S-OFF HTC Wildfire S (Marvel) using JTAG

Hey xda-developers,
first, I would like to apologize for my imperfect English. It's not my first language.
Next thing I would like to mention: I am new to this forum and got a warning when I was about to post this in the "Android software and hacking general" section. I got told that one will get banned for posting anything "not development-related" here, (quote) "meaning, if you're not posting a ROM" (/quote).
Well, my post is definitely development-related. However, I am not exactly about to post a ROM. Instead, I am about to develop an S-OFF method for the phone. Obviously, this is development-related, but the result of my development activity obviously won't be a ROM, but (hopefully) a new S-OFF method. However, I decided that it is more safe to post it here. I definitely do not want to get banned from this forum. I want to continue using this account in order to ask for support and keep you up-to-date about my progress, so I decided it is better not to post in the development section. Moderators, please feel free to move this post wherever you consider it appropriate. Thanks.
The question I have is: Is it possible to gain S-OFF on a stock HTC Wildfire S (Marvel, Qualcomm Snapdragon MSM7227, HBOOT-0.90.0000, MICROP-0451, RADIO-7.53.39.03M, Android 2.3.7, S-ON) using a suitable JTAG debugger?
I am a computer scientist specializing on high performance computing and IT security and I have the opportunity of getting access to a JTAG debugger (OpenOCD) and interface at university. I imagine the device security is something like a binary flag inside the Flash memory and raw access to Flash memory could be obtained using the device's JTAG interface. However, I would like to make sure that I do not waste time on the university's devices fiddling around with the phone and not getting anything done in the end. So I would like to prepare as thoroughly as possible, before bringing my phone to the laboratory. So the first question I have: Does anyone see a problem with this attempt or know for sure, whether this will work or not (at least in principle)?
Furthermore, I would like to ask you for any references about what can be done on these devices using the JTAG interface, as well as any references about where the "device security flag" is located inside the on-chip memory of the device.
I will try to gain access to a JTAG debugger and break the device security, documenting everything as thoroughly as possible in the progress. I will then try to use the experience gained from the debugging session, in order to get a software S-OFF done (think like Revolutionary, which unfortunately doesn't support the MSM7227 chipset of the Marvel yet), enabling more HTC phones to be rooted without resorting to the expensive xtc-clip method.
Thank you very much for your support. Maybe together, we can get some sort of universal software method for rooting/S-OFF done, at least for the HTC devices.
Good to see someone pushing hard for the Wildfire S-off cause! Wishing you luck mate.
Come on devs, give him your insights! (wish I could help)
Hope you will find a way to unlock without the XTC Clip.
If you need help or a tester, we are waiting for you.
@DEV's:
Please help us to become an unlocked bootloader!
I have no idea what you're talking about, but I hope someone has.
Good luck, I really hope you're going to succeed!
All our hope are with you...
Maybe we can try to unlock the bootloader, if we get the unlock_code.bin from here:
http://forum.xda-developers.com/showthread.php?p=20197444
and can modify it for wildfire S
ONeill123 said:
Maybe we can try to unlock the bootloader, if we get the unlock_code.bin from here:
http://forum.xda-developers.com/showthread.php?p=20197444
and can modify it for wildfire S
This is the official unlocking from HTCdev, right? Unfortunately, you can only unlock the HTC Evo, Flyer and Sensation. HTC announced that "all 2011 models going forward" will be unlocked (which would include the WFS, as it was released May 2011), but HTC have not yet announced WHEN they will do so, so I'm still sceptical.
First thing we need to do is find out, where the security flag is located in the phone's memory. I will then try to set/reset (I'm not sure whether S-ON is device security flag SET or RESET, but I will just check its state as the device is currently S-ON and write the opposite value back) this bit via JTAG. Afterwards, the device should be S-OFF (like if you would have used the xtc-clip on the device).
Next thing will be the construction of an exploit that will give you root access inside the Android OS (you probably cannot access low-level things like the NAND memory by software without root access) by some "privilege escalation" mechanism (probably by "overtaking" the context of a privileged system process).
Well. As soon as we have root access, software S-OFF should just be flipping of the bit we located during our JTAG session by means of our (now hopefully privileged) software process. This should enable us to S-OFF phones via a software exploit, so that the users won't have to acquire (and operate) a JTAG debugger themselves for gaining S-OFF (they are quite expensive and difficult to operate).
When there is no information available about where the security flag is stored in the NAND, this can get really really hard. If this information is already known, we will "only" have to find an exploit for getting root access inside the Android system and then write some code which does the exploit and turns off device security afterwards. If someone knows, where and how device-security is encoded in the NAND (or can make an educated guess), then please tell it here! If someone thinks that this method is not working, please tell it here (and also tell why you think it will fail)! If someone has alternative methods, please mention them here! If someone has experience with JTAG debugging and/or programming on ARM or embedded systems in general, I'd ask that person to provide support.
Thank you very much in advance. I'll see if I can get some forensics interested in this project here at the university, as there will probably be a lot of data to skim through (datasheets, memory dumps, etc.) in order to find the exact memory address at which the device security flag is stored.
Oh God, let's give this man (no.human.being & all others that trying it) all money and power needed to S-OFF Wildfire S(hit) (**** because of Sense. Just hating it). If this may lead to official support of Cyanogen Rom, I will be the happiest man on earth right there.
BTW .. i am willing to buy even XTC-Clip, it can S-OFF the phone. But there is no ROM :-(
Good luck, people are waiting for this ...
RoSi™ said:
Oh God, let's give this man (no.human.being & all others that trying it) all money and power needed to S-OFF Wildfire S(hit) (**** because of Sense. Just hating it). If this may lead to official support of Cyanogen Rom, I will be the happiest man on earth right there.
BTW .. i am willing to buy even XTC-Clip, it can S-OFF the phone. But there is no ROM :-(
Good luck, people are waiting for this ...
RoSi™ why not use this rom here?
no.human.being said:
Hey xda-developers,
first, I would like to apologize for my imperfect English. It's not my first language.
Next thing I would like to mention: I am new to this forum and got a warning when I was about to post this in the "Android software and hacking general" section. I got told that one will get banned for posting anything "not development-related" here, (quote) "meaning, if you're not posting a ROM" (/quote).
Well, my post is definitely development-related. However, I am not exactly about to post a ROM. Instead, I am about to develop an S-OFF method for the phone. Obviously, this is development-related, but the result of my development activity obviously won't be a ROM, but (hopefully) a new S-OFF method. However, I decided that it is more safe to post it here. I definitely do not want to get banned from this forum. I want to continue using this account in order to ask for support and keep you up-to-date about my progress, so I decided it is better not to post in the development section. Moderators, please feel free to move this post wherever you consider it appropriate. Thanks.
The question I have is: Is it possible to gain S-OFF on a stock HTC Wildfire S (Marvel, Qualcomm Snapdragon MSM7227, HBOOT-0.90.0000, MICROP-0451, RADIO-7.53.39.03M, Android 2.3.7, S-ON) using a suitable JTAG debugger?
I am a computer scientist specializing on high performance computing and IT security and I have the opportunity of getting access to a JTAG debugger (OpenOCD) and interface at university. I imagine the device security is something like a binary flag inside the Flash memory and raw access to Flash memory could be obtained using the device's JTAG interface. However, I would like to make sure that I do not waste time on the university's devices fiddling around with the phone and not getting anything done in the end. So I would like to prepare as thoroughly as possible, before bringing my phone to the laboratory. So the first question I have: Does anyone see a problem with this attempt or know for sure, whether this will work or not (at least in principle)?
Furthermore, I would like to ask you for any references about what can be done on these devices using the JTAG interface, as well as any references about where the "device security flag" is located inside the on-chip memory of the device.
I will try to gain access to a JTAG debugger and break the device security, documenting everything as thoroughly as possible in the progress. I will then try to use the experience gained from the debugging session, in order to get a software S-OFF done (think like Revolutionary, which unfortunately doesn't support the MSM7227 chipset of the Marvel yet), enabling more HTC phones to be rooted without resorting to the expensive xtc-clip method.
Thank you very much for your support. Maybe together, we can get some sort of universal software method for rooting/S-OFF done, at least for the HTC devices.
Nice! Wish I knew all this JTAG stuff, then I could stop being an idiot most of the time. Good Luck!
I'm waiting to try this.
Great work you started, I'm waiting for a test, success!
ciripian said:
Great work you started, I'm waiting for a test, success!
This thread is dead in principle. Basically all the work is being done here.
One of the reasons that it is dead is because NHB doesn't have the right tools and knowledge (no offence)
Sent from my HTC Wildfire S A510e using XDA
Reserved.
I figured out how to configure OpenOCD and how to make the board operate without the Lithium battery, but I can't get JTAG to work properly. I suspect that the electrical connection via the JTAG adapter is too unreliable.
how to s-off htc (unlocked bootloader) and root
I have unlocked my HTC Wildfire S through the official htcdev.com tutorial. But it is still S-ON. How to S-OFF my Wildfire S A510e? Please help me.
I am unable to root. When I formatted the SD card in FAT32 and put PG76IMG.zip on the SD card and started into the HBOOT menu, nothing happens. It does not detect anything. What should I do? Can I root my HTC WFS with S-ON? If not, then how to S-OFF it?
please help me.
Thanks in advance.
amjadiqbaltarar said:
I have unlocked my HTC Wildfire S through the official htcdev.com tutorial, but it is still S-ON. How do I S-OFF my Wildfire S A510e? Please help me.
I am unable to root. When I formatted the SD card as FAT32, put PG76IMG.zip on it and booted into the HBOOT menu, nothing happens; it does not detect anything. What should I do? Can I root my HTC WFS with S-ON? If not, then how do I S-OFF it?
Please help me.
Thanks in advance.
Yes, you can root without S-OFF. Look for guides in the Wildfire S forum: install recovery first, then install root.zip.
JTAG Pinout
no.human.being said:
I figured out how to configure OpenOCD and how to make the board operate without the Lithium battery, but I can't get JTAG to work properly. I suspect that the electrical connection via the JTAG adapter is too unreliable.
Sorry to jump on an old thread. By the way, to communicate via JTAG you must solder proper wires onto the JTAG points on the PCB. I can help by providing you the correct pinouts, as I am using JTAG.
We no longer need it.
"I have my moments even at 27. I may have to grow old, but I damn sure don't have to grow up " - Axis
How to S-OFF HTC WFS 2012
no.human.being said:
Hey xda-developers,
first, I would like to apologize for my imperfect English. It's not my first language.
Next thing I would like to mention: I am new to this forum and got a warning when I was about to post this in the "Android software and hacking general" section. I was told that one will get banned for posting anything "not development-related" here, (quote) "meaning, if you're not posting a ROM" (/quote).
Well, my post is definitely development-related. However, I am not exactly about to post a ROM. Instead, I am about to develop an S-OFF method for the phone. Obviously, this is development-related, but the result of my development activity obviously won't be a ROM, but (hopefully) a new S-OFF method. However, I decided that it is more safe to post it here. I definitely do not want to get banned from this forum. I want to continue using this account in order to ask for support and keep you up-to-date about my progress, so I decided it is better not to post in the development section. Moderators, please feel free to move this post wherever you consider it appropriate. Thanks.
The question I have is: Is it possible to gain S-OFF on a stock HTC Wildfire S (Marvel, Qualcomm Snapdragon MSM7227, HBOOT-0.90.0000, MICROP-0451, RADIO-7.53.39.03M, Android 2.3.7, S-ON) using a suitable JTAG debugger?
I am a computer scientist specializing in high performance computing and IT security, and I have the opportunity of getting access to a JTAG debugger (OpenOCD) and interface at university. I imagine the device security is something like a binary flag inside the Flash memory, and raw access to Flash memory could be obtained using the device's JTAG interface. However, I would like to make sure that I do not waste time on the university's devices fiddling around with the phone and not getting anything done in the end. So I would like to prepare as thoroughly as possible before bringing my phone to the laboratory. So the first question I have: Does anyone see a problem with this attempt or know for sure whether this will work or not (at least in principle)?
Furthermore, I would like to ask you for any references about what can be done on these devices using the JTAG interface, as well as any references about where the "device security flag" is located inside the on-chip memory of the device.
I will try to gain access to a JTAG debugger and break the device security, documenting everything as thoroughly as possible in the process. I will then try to use the experience gained from the debugging session in order to get a software S-OFF done (think like Revolutionary, which unfortunately doesn't support the MSM7227 chipset of the Marvel yet), enabling more HTC phones to be rooted without resorting to the expensive xtc-clip method.
Thank you very much for your support. Maybe together, we can get some sort of universal software method for rooting/S-OFF done, at least for the HTC devices.
Hi
Anybody help me to S-OFF my HTC WFS...
I tried so many methods from this forum... I have unlocked the bootloader... and also rooted... while installing a ROM there is no error... everything says success... but after reboot no update....
This may happen because my device is still in S OFF??
Please give me a solution to S OFF my device....

Is there a way to unlock the Galaxy Light to use on another Carrier manualy?

I bought a SGH-T399N at a garage sale recently and quickly rooted the phone and installed TWRP Recovery and CM12 on it. I called Metro and T-Mobile (after flashing their firmware) for the unlock code but of course they refused to give it to me. So I tried 2 or 3 different unlock-by-IMEI websites as well as every single unlock app and software I could find while running logcat. The best lead I've gotten was the S.G.S. Unlock Tool app. It says it found the code but the results are null. In the logcat the system denies permission, saying that the app was sending the request as -2 when it was 0 and that it needed "android.permission.INTERACT_ACROSS_USERS_FULL" to access the info. Now I'm not a Dev by any definition of the term, nor am I any kind of hacker, but I have learned a good bit from these forums over the last couple of years and my gut tells me this can be done with a little patience and some help from the good folks at XDA. Any input on the subject is greatly appreciated.
You won't be able to unlock on CM12, have to have the stock firmware and OS installed.
yeah install stock system and any code should work without issue
If you unlock on stock system and then flash cyanogen, will it be fine?
-Tofu- said:
If you unlock on stock system and then flash cyanogen, will it be fine?
Yes.
es0tericcha0s said:
Yes.
The unlock code must be hidden on one of the partitions of the device itself though, right? Possibly in the EFS partition? Also, how would I change the permissions of an app to allow it to interact across all users?
Whether or not the code is in EFS, you still can't unlock on CM.
No, I understand that. It is currently on the T-Mobile stock T399 firmware flashed with Odin, but I still could not get an unlock code. Also, I would like to learn to unlock these phones for future devices.
So it is not requesting an unlock code when you have a non T-Mobile SIM card installed? How odd... It should. If not, either it's already unlocked, or something else is going on. Have you tried both the Metro and Tmo firmware? Only the newest T-Mobile and Metro phones are not supported by unlocking via code as they use the Unlock app. As far as unlocking yourself, your best bet would be to get an unlock box like z3x or Octopus if you plan on doing a lot of them. If it's just 1 every year or 2, then it wouldn't make sense. Some phones have ways to unlock via root and hacks, but not all and it is becoming less common now as more manufacturers are making the ways to unlock more difficult either via encryption or other means.
The unlock companies I tried were unable to get a code by IMEI. Therefore I was never able to put in a real code. I've looked into the z3x but it is way outta my price range as I am only a novice tinkerer. I just figured since the code must be in the programming of the phone somewhere then it was just a matter of locating the partition and file in which it was hidden and then decoding it. Is it possible to change an app's or user's permissions? If so, how?
rkey1000 said:
The unlock companies I tried were unable to get a code by IMEI. Therefore I was never able to put in a real code. I've looked into the z3x but it is way outta my price range as I am only a novice tinkerer. I just figured since the code must be in the programming of the phone somewhere then it was just a matter of locating the partition and file in which it was hidden and then decoding it. Is it possible to change an app's or user's permissions? If so, how?
I believe the app Root explorer allows you to change permissions on items.
It does, but nothing Root Explorer can do will help you find an unlock code, unfortunately. If the phone does not ask for a code when inserting another carrier's SIM, then that's the issue that would need to be resolved before anything else.
Sorry if I've been unclear. The phone does ask for a code when a SIM from a different carrier is put in, but after trying 3 unlock-by-IMEI companies none of them were able to generate a code by IMEI. As for the permissions issue, I have an app that claims to find the codes but only says "null" in the results column. After going through the logcat it says the app is running as user 0 but is requesting info as user -2 and that it needs the permission "INTERACT_ACROSS_USERS_FULL" to show the info. So I was hoping to learn how I grant said app that permission and see if it would show the code?
solidus636 said:
yeah install stock system and any code should work without issue
can you paste a link to the stock system?
Could anyone PLEASE PLEASE PLEASE PLEASE PLEASE give me a working unlock code for my metro pcs phone email me [email protected] or [email protected] thank you.
Running into the same problem, only I'm on a non-rooted system. I need a solution to get the codes needed to unlock it from T-Mobile, and need them without running hardware as all I have is hardware from the old days. Software would be a choice if anyone knows of anything reliable. Services I am also willing to pay for if cheap and working.

Samsung Galaxy A10e - Is this the right place to be???

Hi!
I recently purchased a Verizon-build Samsung Galaxy A10e (the "economy Flagship" / little-brother of the A10) but XDA has very little information on this phone. Would this be the best place to try to find/request information?
Thanks for your help!
where can i get more developer information on this phone
Give it some time before developers start posting, since the phone was released only a couple of months ago. It will be a good minute before you start seeing significant posts for the Galaxy A10e. Keep updating by searching on a regular basis. Check HowardForums or Android Central as well.
On another note:
Some of us need to know about the A10e Galaxy update to Android 10, anyone got the latest news on that yet? I got one with Metro PCS.
Thx
Sent from my SM-A102U using Tapatalk
Yeah, like a lot of sites keep saying the Galaxy A10e will not be getting Android 10 and One UI 2.0, but they fail to see that Samsung's own site says they will, probably in May or June of 2020.
Also using an SM-A102U device, I believe the official Android 10 date is sometime in the first half of 2020. I believe March.
What would really help us is phh-Treble support for these devices and Android 10, which I can't find any info for, aside from a GSI post on the Galaxy A20, which has (essentially) the same Exynos chip.
timba123 said:
On the metro variant I was trying to figure out bootloader unlock and the phone vibrated and a yellow exclamation ! Appeared at bottom of black screen. What is that?
Depends on what you mean by trying to figure it out lol. If it's like any of the other USA variants it's not unlockable, which is why you don't see OEM unlock.
timba123 said:
This.
I don't know what that is, but it seems to be an indicator for your charger, maybe not fast charging or something. I assume the device is off when you get this screen. If it's off and plugged in via PC it could simply be indicating it's not fast charging, as it's being charged from the USB port.
Sent from my SM-N976V using Tapatalk
timba123 said:
It's not off exactly. Kinda reminds me of system crash on eng fac roms. I've seen articles about older devices and it meaning no battery or no charging like you say. Guess I got over excited for nothing lol. Though it might be a hackable situation etc or different mode of some kind.
Yea.. and FYI, a common misconception is "eng fac" ROMs; they are two completely different things lol. It's a pet peeve of mine which I owe to all the firmware sites and generic "guides" on the web lol.
They always refer to factory/combo ROMs as "eng" when they are not eng at all. Fac ROMs are debuggable (ro.debuggable=1) and permissive, with adb enabled by default and dm-verity disabled, and a bare-bones OS mainly used for testing or fixing issues with the device.
Eng, on the other hand, is typically a stockish build with the su binary by default (allows an actual adb root shell), is permissive, has verity disabled, and contains other high-level engineering software etc. etc. that is supposed to be used by engineers to test their software and things of that nature. My SamPWND root for the S8/S8+ for example used an eng system.img to gain root. Older devices did have eng boot.img which many used to root devices, but since the S8 and newer they are no longer used because Samsung implemented security measures whereby you can't flash or run them without an eng token and the device being in actual eng mode. Eng tokens are hard to find as they are device-specific and need to be generated on Samsung servers; if you can find someone willing to make one they are usually expensive, since they need to have a legit business and purchase a signing cert from Samsung to be able to generate eng tokens, and they typically also need to pay for each individual token. For the signing cert alone I've heard various prices from thousands to 100k lol. Then after all that, if you have an eng token and the device is in eng mode, it's not the same as a BL unlock, as you would need to flash eng firmware, which is another adventure to locate and probably another pretty penny.
Rant on eng/fac differences is over lmao.
On a side note, I'm working on something that "might" work... according to my dev buddies it will work. It's a process though, as I need to generate some custom files and I never did this before (I mainly use USA locked Snaps), but if all goes as planned, with some trickery it could probably unlock the BL and at the very least root the device. Stay tuned lol
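The user/factory/eng distinction drawn in the post can be checked from a device's property dump. Below is an added example, not code from the thread or from anyone posting in it: a POSIX shell script that classifies a `getprop`-style dump and flags the debug settings the post names. ro.build.type, ro.debuggable, ro.secure and ro.adb.secure are real Android properties; that ro.boot.veritymode carries the dm-verity state is an assumption, and the three sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify an Android build from a
# `getprop`-style dump as user, debuggable factory/combination, or eng.
# ro.build.type, ro.debuggable, ro.secure, ro.adb.secure are real Android
# properties; reading dm-verity state from ro.boot.veritymode is an assumption.

# Constructed sample dumps in `getprop` output format (one line per property).
SAMPLE_USER='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [1]
[ro.boot.veritymode]: [enforcing]'

SAMPLE_FACTORY='[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.boot.veritymode]: [disabled]'

SAMPLE_ENG='[ro.build.type]: [eng]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[ro.boot.veritymode]: [disabled]'

# prop NAME: value of NAME from the dump held in $PROPS (empty if absent).
prop() {
    printf '%s\n' "$PROPS" | sed -n "s/^\[$1]: \[\(.*\)]\$/\1/p"
}

# classify_build < dump  ->  prints one of: user, factory, eng
classify_build() {
    PROPS=$(cat)
    if [ "$(prop ro.build.type)" = "eng" ]; then
        echo eng
    elif [ "$(prop ro.debuggable)" = "1" ]; then
        echo factory        # debuggable, but not an eng build type
    else
        echo user
    fi
}

# audit_build < dump  ->  one line per setting a production device should not carry
audit_build() {
    PROPS=$(cat)
    [ "$(prop ro.debuggable)" = "1" ] &&
        echo "ro.debuggable=1: any app is debuggable and 'adb root' is allowed"
    [ "$(prop ro.secure)" = "0" ] &&
        echo "ro.secure=0: adbd keeps root instead of dropping to the shell user"
    [ "$(prop ro.adb.secure)" = "0" ] &&
        echo "ro.adb.secure=0: adb accepts connections without key authentication"
    [ "$(prop ro.boot.veritymode)" = "disabled" ] &&
        echo "ro.boot.veritymode=disabled: dm-verity off, /system not integrity-checked"
    return 0
}

# Stand-alone run: classify and audit each constructed sample.
for name in USER FACTORY ENG; do
    eval "dump=\$SAMPLE_$name"
    printf '%s -> %s\n' "$name" "$(printf '%s\n' "$dump" | classify_build)"
    printf '%s\n' "$dump" | audit_build | sed 's/^/  /'
done
```

On a real device the same functions take `adb shell getprop` output on stdin; a stock user build should produce no audit findings.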
timba123 said:
On the metro variant I was trying to figure out bootloader unlock and the phone vibrated and a yellow exclamation ! Appeared at bottom of black screen. What is that?
I also tried (with my limited knowledge here) to enable OEM bootloader unlock by changing the settings flag in the phone, but have not had luck. I talk about what I tried to do and have a screenshot showing where the system has it locked in this post:
https://forum.xda-developers.com/ga...rint-oem-lock-developer-t3963898/post80909957
I have also looked at using Tasker/other tools to try to change something here or to see if there's an intent or action or something that will trigger the unlock but haven't had luck.
timba123 said:
So since this is the only A10e root thread, I'll post here. After browsing the internet I found out that Samsung changed some security. Now fac combo can't be flashed with Odin 3.14, and newer devices like our A10e will not work with Odin 3.13 and before, patched or not. A new Odin needs to be made, patched, for the new Samsung security.
This isn't new information. I do not think a new/patched Odin will work since it uses a token system. Trying to flash will say you need approval to use the factory binary.
With that being said, you can use a factory bin token which will then allow you to flash a combo ROM.
There are ways to bypass the need for a token but they are not public.
Also, tokens are device-specific and if you can find someone to get them they are not free.
Side question that's not totally related but I'm finding conflicting answers online:
Does the A10e NOT have USB-OTG capabilities? :-/
I don't have a USB-C OTG cable to test myself. I realize this phone purposely does not have some features/capabilities that I guess are supposedly deemed more "premium," in order to keep this phone in a class I've heard described as "Economy-Flagship," (lol ). Hence: no wireless charging, no fingerprint reader, no gyroscope, no proximity sensor (this exclusion is kind of annoying - surely I can't be the only person experiencing the annoying phenomenon of chronic cheekbone-call-muting? ). But overall, I'm super happy with this phone!
I also wish I could disable Knox but I don't think that's possible without the OEM bootloader unlock setting enabled.
timba123 said:
No, not new info, but I figured a lot of people, especially new people, could use the info. Lol, they sure are locking down phones. I wonder what influence the NSA etc. have.
govt contracts are definitely a big part of it.. every device manufacturer wants that govt money lol
elliwigy said:
govt contracts are definitely a big part of it.. every device manufacturer wants that govt money lol
^This makes a lot of sense.
Sorry for my English. I'm looking for help... I was 3 weeks in the US and I lost my phone. So I bought this A10e with Boost Mobile but I didn't activate it because they were trying to force me to buy a monthly subscription, which I didn't... I brought the phone just for Wi-Fi use because it is a phone with good specs for the price of $90... and then the horror shows in the form of a harassing message... trying to make me "accept terms and conditions" and then boom, the phone was restricted from data usage and other things. I tried to unlock the OEM and nothing; also I wiped the phone and it works fine, but it keeps harassing with sudden appearances of that screen asking if you accept; the icon of that screen is a chess piece. So my question is... Can I force an installation of another ROM? On SamMobile there is an international ROM, so, even if I can't unlock the OEM, can I install it? Is there a way to root the device without the OEM unlock? Thanks in advance
reyesergio23 said:
Sorry for my English. I'm looking for help... I was 3 weeks in the US and I lost my phone. So I bought this A10e with Boost Mobile but I didn't activate it because they were trying to force me to buy a monthly subscription, which I didn't... I brought the phone just for Wi-Fi use because it is a phone with good specs for the price of $90... and then the horror shows in the form of a harassing message... trying to make me "accept terms and conditions" and then boom, the phone was restricted from data usage and other things. I tried to unlock the OEM and nothing; also I wiped the phone and it works fine, but it keeps harassing with sudden appearances of that screen asking if you accept; the icon of that screen is a chess piece. So my question is... Can I force an installation of another ROM? On SamMobile there is an international ROM, so, even if I can't unlock the OEM, can I install it? Is there a way to root the device without the OEM unlock? Thanks in advance
No, the BL is locked; only stock official firmware can be flashed.
timba123 said:
Found a rooted AP tar but gives SHA error using Odin 3.14
Doesn't work. You're getting the error because it's modified, which can't be used because the BL is locked.
timba123 said:
Seems to be Verizon firmware by the bootloader number etc. The firmware I posted pics of. I'd upload it but my browser keeps crashing trying to upload it.
https://support.halabtech.com/index.php?a=downloads&b=file&c=download&id=200612
Looks like a root kernel for Metro or T-Mobile.
Correct. All it is is stock firmware with a rooted/patched kernel for unlockable variants.
Combination File, for FRP & bootloop Repair
http://www.mediafire.com/file/ekejzhig7b9zx7r/ROMProvider.COM_SM-A102USQU1ASF1.rar/file
mark332 said:
Combination File, for FRP & bootloop Repair
http://www.mediafire.com/file/ekejzhig7b9zx7r/ROMProvider.COM_SM-A102USQU1ASF1.rar/file
how do you expect people to flash it without a factory binary token?
timba123 said:
Is OTP similar or related to the factory token? Like a password?
Nope. OTP is more of a one-time password. The token is something that uses device-specific identifiers, which then get sent to a server where it gets signed and sent back; then it needs to be physically flashed to the device.
Sent from my SM-G977P using Tapatalk
