I'm currently running Resurrection Remix (Marshmallow 6.0.1) with an (obviously) unlocked bootloader (version 80.0F) on my Sprint (CDMA) Moto E variant XT1526 and RingPlus as my carrier.
I assume it has GSM capabilities like other CDMA variants, so I'd like to perform a Domestic SIM Unlock since I already have the MSL from RingPlus. Inserting an active GSM SIM doesn't show the prompt I'm used to (the one where entering the MSL would perform the unlock). If I knew where the hidden menu (com.qualcomm.qualcommsettings on KK) is located, I could do it that way, but it's my understanding that that was considered a security flaw and it has been "fixed" on LP and MM.
Anyway, I thought I might try downgrading to KK to perform a SIM unlock and then flashing back to MM. I realize downgrading could cause a hard brick, depending on the bootloader. My phone came preloaded with LP (5.0.2, I think), so I'm betting the BL won't let me downgrade to KK...but I wanted to check with you guys, first. And, while I'm at it, find out how low I can downgrade with the BL version I've got (am I stuck with 5.0.2 or 5.1.1?).
TIA!
rczrider said:
I'm currently running Resurrection Remix (Marshmallow 6.0.1) with an (obviously) unlocked bootloader (version 80.0F) on my Sprint (CDMA) Moto E variant XT1526 and RingPlus as my carrier.
I assume it has GSM capabilities like other CDMA variants, so I'd like to perform a Domestic SIM Unlock since I already have the MSL from RingPlus. Inserting an active GSM SIM doesn't show the prompt I'm used to (the one where entering the MSL would perform the unlock). If I knew where the hidden menu (com.qualcomm.qualcommsettings on KK) is located, I could do it that way, but it's my understanding that that was considered a security flaw and it has been "fixed" on LP and MM.
Anyway, I thought I might try downgrading to KK to perform a SIM unlock and then flashing back to MM. I realize downgrading could cause a hard brick, depending on the bootloader. My phone came preloaded with LP (5.0.2, I think), so I'm betting the BL won't let me downgrade to KK...but I wanted to check with you guys, first. And, while I'm at it, find out how low I can downgrade with the BL version I've got (am I stuck with 5.0.2 or 5.1.1?).
TIA!
Pretty sure this device released with 5.0.2. Not aware of any KK roms for it.
The Moto E 2015 never had Kitkat. :silly:
dandrumheller said:
Pretty sure this device released with 5.0.2. Not aware of any KK roms for it.
xtermmin said:
The Moto E 2015 never had Kitkat. :silly:
Lerp derp. That's going to make it significantly more challenging, then, won't it?
rczrider said:
Lerp derp. That's going to make it significantly more challenging, then, won't it?
I actually found out how to access the Qualcomm menu on my xt1526. One of the things I found in there was changing the CDMA subscription. It had 3 options: use RUIM if available, RUIM/SIM, and NV. The only thing is it needs an "SPC" code to change it.
hydroman202 said:
I actually found out how to access the Qualcomm menu on my xt1526. One of the things I found in there was changing the CDMA subscription. It had 3 options: use RUIM if available, RUIM/SIM, and NV. The only thing is it needs an "SPC" code to change it.
Which version of Android are you running? That's not even a hidden menu for me, that's just in Settings > Cellular networks > CDMA subscription
That said, I only have two options: RUIM/SIM and NV. I can't imagine NV is useful (it's for non-LTE CDMA, right?) and RUIM/SIM is already selected on my phone. It doesn't ask for any code if I flip between them.
rczrider said:
Which version of Android are you running? That's not even a hidden menu for me, that's just in Settings > Cellular networks > CDMA subscription
That said, I only have two options: RUIM/SIM and NV. I can't imagine NV is useful (it's for non-LTE CDMA, right?) and RUIM/SIM is already selected on my phone. It doesn't ask for any code if I flip between them.
Sorry, I should have been more specific. You have to download ADW Launcher, and then create a custom shortcut, then click on "pick your activity", then select "activities". You will see a bunch of options underneath. Find Qualcomm.qualcommsettings. Under there, click the first one. It will take you to a menu with various options. There will be one that says CDMA subscriptions. That's where you will find the options I mentioned before.
hydroman202 said:
Sorry, I should have been more specific. You have to download ADW Launcher, and then create a custom shortcut, then click on "pick your activity", then select "activities". You will see a bunch of options underneath. Find Qualcomm.qualcommsettings. Under there, click the first one. It will take you to a menu with various options. There will be one that says CDMA subscriptions. That's where you will find the options I mentioned before.
I downloaded ADW and sure enough, it has different/more options than doing the same through Nova.
That said, I still have access to "CDMA subscriptions" without having to link to it via a hidden menu and ADW. And when I go through ADW as you suggested, the only options I have regarding Qualcomm are on the "root" (they're not under anything else) and they are:
com.qualcomm.qcrilmsgtunnel
com.qualcomm.timeservice
I can't add them as links. They simply don't do anything.
rczrider said:
I downloaded ADW and sure enough, it has different/more options than doing the same through Nova.
That said, I still have access to "CDMA subscriptions" without having to link to it via a hidden menu and ADW. And when I go through ADW as you suggested, the only options I have regarding Qualcomm are on the "root" (they're not under anything else) and they are:
com.qualcomm.qcrilmsgtunnel
com.qualcomm.timeservice
I can't add them as links. They simply don't do anything.
Maybe this screenshot will make things a little clearer. Select the picture with the Q on it. And I'm on stock Lollipop, by the way.
hydroman202 said:
Maybe this screenshot will make things a little clearer. Select the picture with the Q on it. And I'm on stock Lollipop, by the way.
Yeah, I don't have that option. I'm on Marshmallow, though.
So maybe being on LP is a better bet for getting the phone SIM unlocked. Can I downgrade to Lollipop with the 80.0F bootloader? And if so, can I do both 5.0.2 and 5.1.1? This phone isn't my DD, but I don't want to brick it if I can help it.
rczrider said:
Yeah, I don't have that option. I'm on Marshmallow, though.
So maybe being on LP is a better bet for getting the phone SIM unlocked. Can I downgrade to Lollipop with the 80.0F bootloader? And if so, can I do both 5.0.2 and 5.1.1? This phone isn't my DD, but I don't want to brick it if I can help it.
What I would do is download the stock Lollipop ROM by superr from Android Forums, the latest one, then flash that in TWRP. As for having issues with the downgrade, I haven't run across any using the above procedure.
hydroman202 said:
I actually found out how to access the Qualcomm menu on my xt1526. One of the things I found in there was changing the CDMA subscription. It had 3 options: use RUIM if available, RUIM/SIM, and NV. The only thing is it needs an "SPC" code to change it.
But how does one go about getting the SPC code? Isn't that the same as the MSL number? Because I tried my MSL number with no success.
Hi,
Originally I had opened this thread in the LG G5 AT&T forum. But, after a request from @Nitro1max1, I understood that he is right and it should reach more users.
Please find the link for requesting LG to open our bootloader - https://www.change.org/p/lg-electro...utm_source=share_petition&utm_medium=copylink
Hopefully, we could make a change together.
Last thing, this is the original thread - https://forum.xda-developers.com/at...se-kdz-tot-t3587926/post71887733#post71887733
I will switch to updating here since it will be more convenient to update in one single place.
Cheers,
Mor
stop
What happens when we reach 100 people?
Hopefully, LG will pay attention to our request. This device is no longer a valuable asset for LG (the new LG G6 is out), therefore I guess we will have fair odds of getting an unlocking method.
H840 now officially can unlock bootloader
I signed even though I know they will give a sh...t
The real question is who holds the responsibility for locking the bootloader, LG or AT&T?
I've included both of them in the petition, but it will be easier to know who has the upper hand here.
About the H840, they are so lucky
Well, I got some idea that might work - but, maybe someone will prove me wrong.
While searching around for methods to unlock the bootloader for the AT&T variant, I came across lots of information about bricked phones. A method that had been proposed there is to use some device that has the JTAG protocol in order to revive the phone.
Digging around the JTAG subject, I found out that it's basically an interface that has the ability to write a new bootloader and push new .kdz images.
So, using some common sense, it might be that AT&T owners could use this method in order to flash the European bootloader into their system, bypassing this whole signed bootloader issue. After that, flashing a new European .kdz file will support this new bootloader, which will transform the phone into the EU model.
The only thing is that the IMEI and other modem-related drivers need to be taken into consideration.
What do you think about it?
P.S - I'm trying to get in touch with some JTAG box that might give a clearer picture about this subject.
ForMartha said:
Well, I got some idea that might work - but, maybe someone will prove me wrong.
While searching around for methods to unlock the bootloader for the AT&T variant, I came across lots of information about bricked phones. A method that had been proposed there is to use some device that has the JTAG protocol in order to revive the phone.
Digging around the JTAG subject, I found out that it's basically an interface that has the ability to write a new bootloader and push new .kdz images.
So, using some common sense, it might be that AT&T owners could use this method in order to flash the European bootloader into their system, bypassing this whole signed bootloader issue. After that, flashing a new European .kdz file will support this new bootloader, which will transform the phone into the EU model.
The only thing is that the IMEI and other modem-related drivers need to be taken into consideration.
What do you think about it?
P.S - I'm trying to get in touch with some JTAG box that might give a clearer picture about this subject.
No... nononononono. JTAG will not work, look around the threads. I'll say it one more time:
THE ONLY WAY, ONLY. WAY. THIS PHONE WILL GET A BOOTLOADER UNLOCK OR PERSISTENT ROOT IS BY CREATING A NEW EXPLOIT. DONE. THAT'S IT. LITERALLY NOTHING ELSE WILL WORK.
Honestly Annoying said:
No... nononononono. JTAG will not work, look around the threads. I'll say it one more time:
THE ONLY WAY, ONLY. WAY. THIS PHONE WILL GET A BOOTLOADER UNLOCK OR PERSISTENT ROOT IS BY CREATING A NEW EXPLOIT. DONE. THAT'S IT. LITERALLY NOTHING ELSE WILL WORK.
Well - you made your point with saying it.
I had looked in the threads, but I didn't understand what locks us out of flashing a new boot partition using the JTAG method (it's like mounting the entire eMMC to a point where it can be written with a new bootloader etc.).
Please let me know what I'm missing here..
ForMartha said:
Well - you made your point with saying it.
I had looked in the threads, but I didn't understand what locks us out of flashing a new boot partition using the JTAG method (it's like mounting the entire eMMC to a point where it can be written with a new bootloader etc.).
Please let me know what I'm missing here..
You can find the full explanation if you dig around, but basically for the G5 (and most devices) the bootloader unlock is not located in aboot, it is an actual change in the whole bootchain. You can modify aboot to disable a sig check, but that is not the same as unlocking the bootloader and doing so will break the signature of the aboot.img and hard brick your device.
Question is, what is the real difference between the H850 and the H820? They share the same physical parts, but the bootloader is different. So, by using an external tool that will flash the new bootloader, it could be done, right?
Signed.
Honestly Annoying said:
THE ONLY WAY, ONLY. WAY. THIS PHONE WILL GET A BOOTLOADER UNLOCK OR PERSISTENT ROOT IS BY CREATING A NEW EXPLOIT. DONE. THAT'S IT. LITERALLY NOTHING ELSE WILL WORK.
A few days ago the LG G5 SE (H840 - Euro) was added to the list of unlockable devices (probably it's a coincidence and not related to this petition, but it also gives hope to owners of other G5 devices).
ayaromenok said:
A few days ago the LG G5 SE (H840 - Euro) was added to the list of unlockable devices (probably it's a coincidence and not related to this petition, but it also gives hope to owners of other G5 devices).
Yep, I agree. I tend to believe that it's LG's move. Let's hope that they will do the same for the H820.
Meanwhile, I've spent some time speaking with @autoprime (thanks for your time!) and the way he sees it is the following:
1. Finding some exploit in the H820 bootloader that will pretty much affect all the other devices. Question is, if one finds it, will he share it on XDA or sell it to Qualcomm or LG? Time will tell.
2. Finding some leaked debug bootloader (one which the development team is using or the tech system) - That way we will be able to flash custom boot.img (AKA some open recovery).
Meanwhile, I'm doing some digging around for finding exploits.
Now, let's keep our fingers crossed for one to happen.
ForMartha said:
The real question is who holds the responsibility for locking the bootloader, LG or AT&T?
I've included both of them in the petition, but it will be easier to know who has the upper hand
You have to take into account that for carrier-specific models, the CARRIER is actually the customer of LG, not the end user.
Only if you buy an unlocked device are you LG's customer.
So I'd guess that LG cannot provide a bootloader unlock for carrier-specific devices, this goes against the contract. Of course things change when the carrier agrees to the unlocking. But do you really think your carrier will allow this?
T-Mobile USA doesn't seem to care, but Verizon and AT&T?
Here in Europe carriers sell the regular H850, they "just" add additional bloat, so you can flash stock KDZs and unlock the bootloader. But the American carriers seem to stick to a different approach. Customers need to vote with their wallets to change this, but I think most people just don't care.
Well said BabelHuber,
Still, I have wish that it will be released eventually.
LG needs to do this or it will be my last LG phone.
Signed
Signed
Hi all,
I had my S9+ unlocked, but then I flashed stock back (just boot/system/vendor, probably not the same version as the rest), and since then, I can no longer OEM unlock.
I can select the option, and initiate the unlock, this will even actually factory reset the device.
But then, if I go to bootloader, it says FRP unlocked, OEM locked.
I've tried flashing a full firmware, but the result remains the same.
FWIW, I flash using heimdall, not Odin. I'll probably try with Odin, but I expect to get the same result.
I think I've found in the logs the reason for that behaviour:
I have ro.frp.pst = /dev/block/dummy
While it should be /dev/block/persist
I've checked in all partition in the firmware I've flashed if there was any reason some part of the firmware set this to dummy, and I didn't find anything.
I couldn't even find any reference to /dev/block/dummy at all!
So, does someone have some clue about my issue?
Thanks!
Ok, so some updates from my part, I've found the culprit of ro.frp.pst = /dev/block/dummy
That's @jesec's OEM lock protection patch:
https://forum.xda-developers.com/showpost.php?p=75893923&postcount=3
Part of the patch is to set ro.frp.pst=/dev/block/dummy
I guess that the stock ROM I flashed somehow reset FRP anyway.
If I had an EFS backup, the fix would be easy, but guess what... I don't...
So now I'm currently looking for ways to backup EFS, without root obviously. (or a way to root with closed bootloader)
phhusson said:
Ok, so some updates from my part, I've found the culprit of ro.frp.pst = /dev/block/dummy
That's @jesec's OEM lock protection patch:
https://forum.xda-developers.com/showpost.php?p=75893923&postcount=3
Part of the patch is to set ro.frp.pst=/dev/block/dummy
I guess that the stock ROM I flashed somehow reset FRP anyway.
If I had an EFS backup, the fix would be easy, but guess what... I don't...
So now I'm currently looking for ways to backup EFS, without root obviously. (or a way to root with closed bootloader)
This just happened to me too. My factory.prop change came from a rmm bypass zip floating around that everyone was using to stop going to custom rom jail. The big difference here is I didn't try to (or want to) relock my bootloader, instead some GSI rom I was trying out did it for me without even a prompt, I don't know when. I just eventually rebooted and suddenly couldn't boot. My only guess on that front is I did once I think accidentally disable the developer settings area, which the rom may have decided it was a good idea to turn everything off in there.
Anyway, did you figure this out? I have multiple efs backups, but I can't find a way to actually restore one without root. Even the z3x can't do it without root and it doesn't have temp root shell ability for the 9650. On the s8 you could always flash efs via odin using a efs.img.ext4 file in a normal tar, but I made one like I've done on the s8 and I get secure check fail in download mode.
My only last recourse is to try and completely erase efs, imei and all and then hope that you can still toggle oem unlock without an imei. If so then I should be set as I can just root and restore my backup. But if not, I'm now even more boned.
Similar issue
Hello to everyone! :laugh:
I think that I have a similar issue with my Galaxy S9
I recently installed an android 9.0 GSI image.
After disabling developer options in settings and rebooting the phone it never completed the boot process.
It was showing "Custom binary blocked by FRP lock" error.
I successfully restored stock firmware through odin, but the phone is OEM and FRP locked.
I tried many times to toggle on OEM unlock through developer settings with no result, even though the phone goes through a factory reset.
Do you guys find out if there is any possible way at this stage to OEM unlock this device ?
phhusson said:
Ok, so some updates from my part, I've found the culprit of ro.frp.pst = /dev/block/dummy
That's @jesec's OEM lock protection patch:
https://forum.xda-developers.com/showpost.php?p=75893923&postcount=3
Part of the patch is to set ro.frp.pst=/dev/block/dummy
I guess that the stock ROM I flashed somehow reset FRP anyway.
If I had an EFS backup, the fix would be easy, but guess what... I don't...
So now I'm currently looking for ways to backup EFS, without root obviously. (or a way to root with closed bootloader)
Did you ever fix this issue?
Interceptor777 said:
Did you ever fix this issue?
I managed to fix this. It resulted in another 7d jail session but I did manage to figure out a way to fool the device into resetting efs, and in a way that did not erase the important stuff (I think thanks to backup, but maybe not).
If you find yourself stuck like this, let me know and I'll help
partcyborg said:
I managed to fix this. It resulted in another 7d jail session but I did manage to figure out a way to fool the device into resetting efs, and in a way that did not erase the important stuff (I think thanks to backup, but maybe not).
If you find yourself stuck like this, let me know and I'll help
Hey! Thanks!
Could you tell me how you wiped EFS with a locked bootloader? I'm planning on flashing combo firmware to test some modem settings which are locked even with root on stock and I want to be able to go back to stock just in case and not wait 7 days.
Thanks for your help!
Interceptor777 said:
Hey! Thanks!
Could you tell me how you wiped EFS with a locked bootloader? I'm planning on flashing combo firmware to test some modem settings which are locked even with root on stock and I want to be able to go back to stock just in case and not wait 7 days.
Thanks for your help!
Wiping efs will not erase the RMM lock. The only thing it fixed was the very specific issue where your bootloader is relocked by a non-Samsung ROM which doesn't look at the frp partition, and when you try to unlock again from a Samsung ROM, it does try to look at the frp partition, which it can't find because the RMM bypass zip sets ro.frp.pst to /dev/block/dummy in /efs/factory.prop. When this happens you're basically screwed because you can't unlock without that prop being set right, and nothing erases that prop file, and without root you can't even see it, much less change it.
Luckily I found a nice loophole that let me overwrite the entire efs filesystem, thus erasing the prop (but not the special data at the end, fortunately) and allowing me to unlock again, but the act of doing this resulted in another 7d RMM jail, which was annoying, but given I was perm locked before it seemed like an ok trade.
What settings are you trying to adjust? I'm not aware of anything that combo has open that you can't get to with rooted stock provided you twiddle all the knobs in efs correctly. Did you set factory ON & keystr OFF and HiddenMenu ON?
partcyborg said:
Wiping efs will not erase the RMM lock. The only thing it fixed was the very specific issue where your bootloader is relocked by a non-Samsung ROM which doesn't look at the frp partition, and when you try to unlock again from a Samsung ROM, it does try to look at the frp partition, which it can't find because the RMM bypass zip sets ro.frp.pst to /dev/block/dummy in /efs/factory.prop. When this happens you're basically screwed because you can't unlock without that prop being set right, and nothing erases that prop file, and without root you can't even see it, much less change it.
Luckily I found a nice loophole that let me overwrite the entire efs filesystem, thus erasing the prop (but not the special data at the end, fortunately) and allowing me to unlock again, but the act of doing this resulted in another 7d RMM jail, which was annoying, but given I was perm locked before it seemed like an ok trade.
What settings are you trying to adjust? I'm not aware of anything that combo has open that you can't get to with rooted stock provided you twiddle all the knobs in efs correctly. Did you set factory ON & keystr OFF and HiddenMenu ON?
Hey, I'm trying to adjust LTE Cat Control settings and LTE Carrier Aggregation settings. These settings are all available through the RIL Service Mode Main Activity, however Main Activity has been completely gimped and disabled in stock. Not only is it impossible to launch, I'm pretty sure at this point the package is just empty since it just force closes upon launch.
I said **** it and flashed combo firmware yesterday, and just like I thought, the menu was there and you don't even need root to access it. You just need to dial the code in the IME dialer. On stock, the only way to get to this menu was either by launching the activity (doesn't work anymore), using a su shell and broadcasting the code (also doesn't work anymore) or just broadcasting the code without su (never worked).
Luckily Samsung doesn't relock bootloader anymore by flashing stock so RMM Prenormal won't be an issue for me.
Also to clarify, this is the main service menu that contains every other LTE service menu.
Also what do you mean by factory ON and those other things?
Interceptor777 said:
Hey, I'm trying to adjust LTE Cat Control settings and LTE Carrier Aggregation settings. These settings are all available through the RIL Service Mode Main Activity, however Main Activity has been completely gimped and disabled in stock. Not only is it impossible to launch, I'm pretty sure at this point the package is just empty since it just force closes upon launch.
I said **** it and flashed combo firmware yesterday, and just like I thought, the menu was there and you don't even need root to access it. You just need to dial the code in the IME dialer. On stock, the only way to get to this menu was either by launching the activity (doesn't work anymore), using a su shell and broadcasting the code (also doesn't work anymore) or just broadcasting the code without su (never worked).
Luckily Samsung doesn't relock bootloader anymore by flashing stock so RMM Prenormal won't be an issue for me.
Also to clarify, this is the main service menu that contains every other LTE service menu.
Also what do you mean by factory ON and those other things?
Exactly as I suspected.
You don't need combo to get into ril service menu, you just need the settings I spoke of set correctly. I know this first hand as I got into mine this way, no combo necessary.
To turn all the hidden stuff on, you need a combination of the following 3 flags set as given below, and to be on a csc that does not block secret codes/service menus
The flags are all files in efs that need specific values in them. For ease of use I just wrote them all as commands you can copy/paste into a terminal with root or in TWRP recovery after mounting /efs
OBLIGATORY WARNING: USE AT YOUR OWN RISK! modifying efs can be dangerous in that if you mess it up badly you can lose your imei and render your phone radioless. To anyone else reading this, don't do this unless you know what you are doing with it and why.
/efs/FactoryApp/factorymode ON
Code:
echo -n ON > /efs/FactoryApp/factorymode
/efs/FactoryApp/keystr OFF
Code:
echo -n OFF > /efs/FactoryApp/keystr
/efs/carrier/HiddenMenu ON
Code:
mkdir -p /efs/carrier; echo -n ON > /efs/carrier/HiddenMenu
*NOTE: this one is slightly different because at least on one of my devices the carrier directory did not exist at first as there are no other files in it, so this command is modified to create it if it's not there already.
Run those 3 commands after running su if you do this from adb or a term emulator while booted, or as I said you can do it from TWRP just be sure /efs is mounted first as it's not by default. Then reboot and you should be able to either use shortcut master to get to RIL servicemode (and a few more other goodies too), or you can always just open up either DRParser app or stock Samsung phone and enter *#27663368378# and it should pop right up.
If for some reason it doesn't, let me know; there are more things to try, including changing CSC, and there is a global hidden menu prop that wasn't necessary for me as the 9650s don't have the actual HiddenMenu app installed at all, but the above was all I had to do to get things working.
As for the CSC thing idk if any of the cscs in whatever region you were running do this, or if even any cscs in the 9650 do it at all even but on Samsung "XXXXU" devices sold in the USA certain carriers block all hidden menu type access no matter what, so if this doesn't work take a backup and change your CSC and see if that fixes it.
Interceptor777 said:
Luckily Samsung doesn't relock bootloader anymore by flashing stock so RMM Prenormal won't be an issue for me.
I'm not sure what you mean by "doesn't relock bootloader anymore", but if you reflash stock vendor without flashing the RMM bypass your bootloader will be relocked and you will be unable to unlock it again for 7 days. This is precisely what I was talking about
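A read-only audit of the state described in the two posts above (the three /efs flag files, and ro.frp.pst in /efs/factory.prop being left at /dev/block/dummy so a later OEM-unlock toggle from stock fails). This is an added example, not a script from the thread; it assumes factory.prop is a plain key=value file and takes the efs root as an argument so it can be run against a backup copy as well as a mounted /efs.

```shell
#!/bin/sh
# Added example (not from the thread): audit efs flags and ro.frp.pst before
# reflashing anything. Reads only; never writes to the efs partition.

# read_flag ROOT RELPATH -> file content, or "<missing>" if the file is absent
read_flag() {
    if [ -f "$1/$2" ]; then
        cat "$1/$2"
    else
        printf '%s' "<missing>"
    fi
}

# efs_hidden_menu_state ROOT
# "enabled" when the flags match the combination given in the post
# (factorymode ON, keystr OFF, carrier/HiddenMenu ON), else "disabled".
efs_hidden_menu_state() {
    fm=$(read_flag "$1" FactoryApp/factorymode)
    ks=$(read_flag "$1" FactoryApp/keystr)
    hm=$(read_flag "$1" carrier/HiddenMenu)
    if [ "$fm" = ON ] && [ "$ks" = OFF ] && [ "$hm" = ON ]; then
        echo enabled
    else
        echo disabled
    fi
}

# frp_pst_state VALUE
# "ok" for the expected /dev/block/persist, "bypass" for the /dev/block/dummy
# value the RMM bypass zip writes, "unknown" for anything else.
frp_pst_state() {
    case "$1" in
        /dev/block/persist) echo ok ;;
        /dev/block/dummy)   echo bypass ;;
        *)                  echo unknown ;;
    esac
}

# frp_pst_from_prop ROOT
# Extracts ro.frp.pst from ROOT/factory.prop (assumed key=value lines, last
# one wins, as with Android property files); "<unset>" when absent.
frp_pst_from_prop() {
    v=""
    if [ -f "$1/factory.prop" ]; then
        v=$(sed -n 's/^ro\.frp\.pst=//p' "$1/factory.prop" | tail -n 1)
    fi
    if [ -n "$v" ]; then
        printf '%s' "$v"
    else
        printf '%s' "<unset>"
    fi
}

# audit_efs ROOT: human-readable summary for one efs root (default /efs)
audit_efs() {
    root=${1:-/efs}
    echo "efs root:      $root"
    echo "factorymode:   $(read_flag "$root" FactoryApp/factorymode)"
    echo "keystr:        $(read_flag "$root" FactoryApp/keystr)"
    echo "HiddenMenu:    $(read_flag "$root" carrier/HiddenMenu)"
    echo "hidden menus:  $(efs_hidden_menu_state "$root")"
    pst=$(frp_pst_from_prop "$root")
    echo "ro.frp.pst:    $pst ($(frp_pst_state "$pst"))"
    if [ "$(frp_pst_state "$pst")" = bypass ]; then
        echo "WARNING: ro.frp.pst points at a dummy block device; an OEM unlock"
        echo "         toggle from a stock ROM will fail until factory.prop is fixed."
    fi
}

# Usage: sh efs_audit.sh /efs   (or a directory holding an efs backup)
if [ "$#" -gt 0 ]; then
    audit_efs "$1"
fi
```

Running it against a backup directory before a stock reflash shows whether the bypass prop is still in place, which is the condition the posts above describe as leading to a permanent lock.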
partcyborg said:
Exactly as I suspected.
You don't need combo to get into ril service menu, you just need the settings I spoke of set correctly. I know this first hand as I got into mine this way, no combo necessary.
To turn all the hidden stuff on, you need a combination of the following 3 flags set as given below, and to be on a csc that does not block secret codes/service menus
The flags are all files in efs that need specific values in them. For ease of use I just wrote them all as commands you can copy/paste into a terminal with root or in TWRP recovery after mounting /efs
OBLIGATORY WARNING: USE AT YOUR OWN RISK! modifying efs can be dangerous in that if you mess it up badly you can lose your imei and render your phone radioless. To anyone else reading this, don't do this unless you know what you are doing with it and why.
/efs/FactoryApp/factorymode ON
/efs/FactoryApp/keystr OFF
/efs/carrier/HiddenMenu ON
*NOTE: this one is slightly different because at least on one of my devices the carrier directory did not exist at first as there are no other files in it, so this command is modified to create it if it's not there already.
Run those 3 commands after running su if you do this from adb or a term emulator while booted, or as I said you can do it from TWRP just be sure /efs is mounted first as it's not by default. Then reboot and you should be able to either use shortcut master to get to RIL servicemode (and a few more other goodies too), or you can always just open up either DRParser app or stock Samsung phone and enter *#27663368378# and it should pop right up.
If for some reason it doesn't, let me know; there are more things to try, including changing CSC, and there is a global hidden menu prop that wasn't necessary for me as the 9650s don't have the actual HiddenMenu app installed at all, but the above was all I had to do to get things working.
As for the CSC thing idk if any of the cscs in whatever region you were running do this, or if even any cscs in the 9650 do it at all even but on Samsung "XXXXU" devices sold in the USA certain carriers block all hidden menu type access no matter what, so if this doesn't work take a backup and change your CSC and see if that fixes it.
I'm not sure what you mean by "doesn't relock bootloader anymore", but if you reflash stock vendor without flashing the RMM bypass your bootloader will be relocked and you will be unable to unlock it again for 7 days. This is precisely what I was talking about
Hey, unfortunately it didn't work for me ;(
I tried it with TMB USA CSC and also on XEU CSC.
Maybe I also need to change that hiddenmenu prop? My phone actually has the hiddenmenu app.
partcyborg said:
Exactly as I suspected.
You don't need combo to get into ril service menu, you just need the settings I spoke of set correctly. I know this first hand as I got into mine this way, no combo necessary.
To turn all the hidden stuff on, you need a combination of the following 3 flags set as given below, and to be on a csc that does not block secret codes/service menus
The flags are all files in efs that need specific values in them. For ease of use I just wrote them all as commands you can copy/paste into a terminal with root or in TWRP recovery after mounting /efs
OBLIGATORY WARNING: USE AT YOUR OWN RISK! modifying efs can be dangerous in that if you mess it up badly you can lose your imei and render your phone radioless. To anyone else reading this, don't do this unless you know what you are doing with it and why.
echo -n ON > /efs/FactoryApp/factorymode
echo -n OFF > /efs/FactoryApp/keystr
mkdir -p /efs/carrier && echo -n ON > /efs/carrier/HiddenMenu
*NOTE: this one is slightly different because at least on one of my devices the carrier directory did not exist at first as there are no other files in it, so this command is modified to create it if it's not there already.
Run those 3 commands after running su if you do this from adb or a term emulator while booted, or as I said you can do it from TWRP just be sure /efs is mounted first as it's not by default. Then reboot and you should be able to either use shortcut master to get to RIL servicemode (and a few more other goodies too), or you can always just open up either DRParser app or stock Samsung phone and enter *#27663368378# and it should pop right up.
If for some reason it doesn't, let me know; there are more things to try, including changing CSC, and there is a global hidden menu prop that wasn't necessary for me as the 9650s don't have the actual HiddenMenu app installed at all, but the above was all I had to do to get things working.
As for the CSC thing idk if any of the cscs in whatever region you were running do this, or if even any cscs in the 9650 do it at all even but on Samsung "XXXXU" devices sold in the USA certain carriers block all hidden menu type access no matter what, so if this doesn't work take a backup and change your CSC and see if that fixes it.
I'm not sure what you mean by "doesn't relock bootloader anymore", but if you reflash stock vendor without flashing the RMM bypass your bootloader will be relocked and you will be unable to unlock it again for 7 days. This is precisely what I was talking about
Hey! Nevermind that last comment.
I had to change my CSC from TMB to XAA which is USA unlocked, and I also added the hiddenmenu prop, and it's finally ****ing working now! Dialing the code in dialer brings up the menu.
Thanks so much for your help!
partcyborg said:
Exactly as I suspected ?
You don't need combo to get into ril service menu, you just need the settings I spoke of set correctly. I know this first hand as I got into mine this way, no combo necessary.
To turn all the hidden stuff on, you need a combination of the following 3 flags set as given below, and to be on a csc that does not block secret codes/service menus
The flags are all files in efs that need specific values in them. For ease of use I just wrote them all as commands you can copy/paste into a terminal with root or in TWRP recovery after mounting /efs
OBLIGATORY WARNING: USE AT YOUR OWN RISK! modifying efs can be dangerous in that if you mess it up badly you can lose your imei and render your phone radioless. To anyone else reading this, don't do this unless you know what you are doing with it and why.
echo -n ON > /efs/FactoryApp/factorymode
echo -n OFF > /efs/FactoryApp/keystr
mkdir -p /efs/carrier && echo -n ON > /efs/carrier/HiddenMenu
*NOTE: this one is slightly different because at least on one of my devices the carrier directory did not exist at first as there are no other files in it, so this command is modified to create it if it's not there already.
Run those 3 commands after running su if you do this from adb or a term emulator while booted, or as I said you can do it from TWRP just be sure /efs is mounted first as it's not by default. Then reboot and you should be able to either use shortcut master to get to RIL servicemode (and a few more other goodies too), or you can always just open up either DRParser app or stock Samsung phone and enter *#27663368378# and it should pop right up.
If for some reason it doesn't, let me know; there are more things to try, including changing CSC, and there is a global hidden menu prop that wasn't necessary for me as the 9650s don't have the actual HiddenMenu app installed at all, but the above was all I had to do to get things working.
As for the CSC thing idk if any of the cscs in whatever region you were running do this, or if even any cscs in the 9650 do it at all even but on Samsung "XXXXU" devices sold in the USA certain carriers block all hidden menu type access no matter what, so if this doesn't work take a backup and change your CSC and see if that fixes it.
I'm not sure what you mean by "doesn't relock bootloader anymore", but if you reflash stock vendor without flashing the RMM bypass your bootloader will be relocked and you will be unable to unlock it again for 7 days. This is precisely what I was talking about
Sorry for spam lol but I was wondering if you had any knowledge on how I can enable more carrier aggregation combos.
Currently my phone is not listing 4+12 as a supported combo even though I know 100% the modem supports that. My Exynos S7 and S8 had that combo out of the box.
I've got service menu but I just need to enable that combo to fix my ****ty LTE.
Thanks for your help.
Interceptor777 said:
Sorry for spam lol but I was wondering if you had any knowledge on how I can enable more carrier aggregation combos.
Currently my phone is not listing 4+12 as a supported combo even though I know 100% the modem supports that. My Exynos S7 and S8 had that combo out of the box.
I've got service menu but I just need to enable that combo to fix my ****ty LTE.
Thanks for your help.
Sorry, unfortunately this isn't an area I've had much experience with in terms of how it works and stuff. I can get to the service mode menu and everything I can find in there that I am at least aware of being related to CA (having "CA" in the menu items) looks to be enabled. It's possible this setting could be in the CSC data which is frustratingly encrypted on s9/+ firmwares, although there is a way to decrypt/reencrypt them but I haven't actually tried it and looked for myself
partcyborg said:
Sorry, unfortunately this isn't an area I've had much experience with in terms of how it works and stuff. I can get to the service mode menu and everything I can find in there that I am at least aware of being related to CA (having "CA" in the menu items) looks to be enabled. It's possible this setting could be in the CSC data which is frustratingly encrypted on s9/+ firmwares, although there is a way to decrypt/reencrypt them but I haven't actually tried it and looked for myself
Hey, so I found out how the CSC blocks the service menu, it uses the file in /system/omc/XXX/etc/XXX_keystrings.dat and in /system/etc/XXX_keystrings.dat.
Someone made a script to decrypt this file and edit it: https://github.com/chenxiaolong/keystrings-decrypter
However, my phone does not accept the decrypted file. It will only read the encrypted file.
I have no useful knowledge regarding scripts, would you have any idea how to encrypt the file again using a script similar to that one? Thank you.
partcyborg said:
Wiping efs will not erase the RMM lock. The only thing it fixed was the very specific issue where your bootloader is relocked by non-samsung rom which doesn't look at the frp partition and when you try to unlock again from a Samsung rom, it does try to look at the frp partition which it can't find because the RMM bypass zip sets ro.frp.pst to /dev/block/dummy in /efs/factory.prop. when this happens you're basically screwed because you can't unlock without that prop being set right, and nothing erases that prop file and without root your can't even see it much less change it.
Luckily I found a nice loophole that let me overwrite the entire efs filesystem thus erasing the prop (but not the special data at the end fortunately) and allowing me to unlock again, but the act of doing this resulted in another 7d RMM jail which was annoying but given I was perm locked before it seemed like an ok trade .
What settings are you trying to adjust? I'm not aware of anything that combo has open that you can't get to with rooted stock provided you twiddle all the knobs in efs correctly. Did you set factory ON & keystr OFF and HiddenMenu ON?
Hello, I was having the same issue that ro.frp.pst was set to /dev/block/dummy and my phone was permanently locked.
It just said "PersistentDataBlockService: java.io.FileNotFoundException: /dev/block/dummy (Permission denied)" -- I flashed 3rd party files and went back to stock and this happened.
Could you elaborate about the nice loophole that could let me overwrite the efs filesystem and erase the prop?
Thank you!
haojixu said:
Hello, I was having the same issue that ro.frp.pst was set to /dev/block/dummy and my phone was permanently locked.
It just said "PersistentDataBlockService: java.io.FileNotFoundException: /dev/block/dummy (Permission denied)" -- I flashed 3rd party files and went back to stock and this happened.
Could you elaborate about the nice loophole that could let me overwrite the efs filesystem and erase the prop?
Thank you!
What device? Is it a g9650?
phhusson said:
Hi all,
I had my S9+ unlocked, but then I flashed stock back (just boot/system/vendor, probably not the same version as the rest), and since then, I can no longer OEM unlock.
I can select the option, and initiate the unlock, this will even actually factory reset the device.
But then, if I go to bootloader, it says FRP unlocked, OEM locked.
I've tried flashing a full firmware, but the result remains the same.
FWIW, I flash using heimdall not Odin. I'll probably try with Odin, but I expect to get the same result.
I think I've found in the logs the reason for that behaviour:
I have ro.frp.pst = /dev/block/dummy
While it should be /dev/block/persist
I've checked in all partition in the firmware I've flashed if there was any reason some part of the firmware set this to dummy, and I didn't find anything.
I couldn't even find any reference to /dev/block/dummy at all!
So, does someone have some clue about my issue?
Thanks!
Look at his post https://forum.xda-developers.com/showthread.php?p=78208022
Sent from my [device_name] using XDA-Developers Legacy app
Johnny camaro said:
Look at his post https://forum.xda-developers.com/showthread.php?p=78208022
2 minor things:
1) phhusson already said way back this isn't an issue for him anymore
2) even if he was, the link you posted literally has nothing to do with the issue at hand, nor does it contain even links to anything that could even be used in the process of fixing it.
...
I guess by "minor" I meant "can not be distinguished from entering a few random words from this thread into Ask Jeeves and selecting a website at random" ?
partcyborg said:
What device? Is it a g9650?
It was a N960N. I solved the issue, but thank you anyway. I just flashed the efs file as a tar zip from the stock image. The IMEI was reset but everything went back to normal.
Hi everyone, I've followed the WTF thread to unlock the bootloader on a V30 H933 (the Canadian version), but even after unlocking there's no fastboot support on the phone, only the US998 version seems to have it. Trouble is that Rogers, my local operator, only supports VoLTE and VoWiFi on their recognized devices - I tried having US998 running on my phone, calling their support and possibly getting some actual configuration I could put on the phone, but their response was "your phone is defective and needs to be replaced".
All that said, my goal here is to somehow install TWRP on this phone and root under the original ROM, so I can have the features I need from the network. So far, I've been pretty unsuccessful in this, so my plead would be: could anyone chime in to help me either
flash the minimal necessary over US998 to get H933 functionality/network information back as to reenable VoLTE and VoWiFi on my operator
come up with an update.zip or some other file I could use to flash a Magisk-patched boot.img
pack a full flashable ZIP image of the Canadian ROM (my last attempt at this left the phone in bootloop)
an alternative idea I haven't thought about that could help?
Ideally, at the end of the process, I'd like to have TWRP and Magisk installed on the phone, but I could settle for simply Magisk.
Once again, any help or pointers are more than welcome and appreciated.
I think you can extract a h933 kdz and flash individual partitions that do not have to do with recovery or the bootloader. You can probably use the dd command for it. I think the partitions you don't flash are anything with boot in it, abl and recovery. There may be a few more however.
The Elite said:
I think you can extract a h933 kdz and flash individual partitions that do not have to do with recovery or the bootloader. You can probably use the dd command for it. I think the partitions you don't flash are anything with boot in it, abl and recovery. There may be a few more however.
I tried something similar, extracted a KDZ and put the necessary BIN files on a flashable ZIP I found around. All I achieved was bootlooping the device...
I have an H933 on Freedom Mobile, and running the stock FM firmware. The loss of VoWiFi (and VoLTE) is exactly what I thought would happen if I proceed with flashing to US998.
I think #1 is right; that you may be able to restore access to network specific functionality but it would depend on being able to isolate the specific required "patch".
With this in mind, take a look at this post from the WTF! Thread:
https://forum.xda-developers.com/showthread.php?p=76613814
That user flashed some files (modem binaries from the original device firmware I think) and was able to restore VOWIFI and VoLTE functionality on the Verizon network.
Sent from my LG-H933 using Tapatalk
My h933 converted to us998 says that my volte is enabled
cre4per said:
My h933 converted to us998 says that my volte is enabled
What menu is that from @cre4per? Have you had the opportunity to confirm staying on LTE while receiving a call?
That would be good news to hear VoLTE working on a Canadian network using a generic phone model (instead of proprietary stuff).
Sent from my LG-US998 using Tapatalk
Mad Medik said:
What menu is that from @cre4per? Have you had the opportunity to confirm staying on LTE while receiving a call?
That would be good news to hear VoLTE working on a Canadian network using a generic phone model (instead of proprietary stuff).
Sent from my LG-US998 using Tapatalk
*#*#4636#*#*,
and to be honest i never really noticed, will do some checks today to see if i stay on lte, will let you know
cre4per said:
*#*#4636#*#*,
and to be honest i never really noticed, will do some checks today to see if i stay on lte, will let you know
Looking at this this morning. I don't think that is an indication that you are connected to a VoLTE service; just that your device is ready to accept it if the right service becomes available. I have that switch turned on and the service menu even says the voice network is LTE too (see image below) but Freedom Mobile doesn't even offer VoLTE service so it isn't possible that I actually have VoLTE operational.
I would interpret the LTE provision switch as turning on or off the functionality in your device, not a connection authorization from the network. Sort of like turning on the HD calling option on your device; it allows the possibility but won't do anything unless the service provider has the capability and authorizes it on your connection.
If someone has VoLTE working, could you check the menu cited by @cre4per, then hit the options (3 dots) and in there, select IMS service status? It looks like this is where you *should* see if the network has connected you to their VoLTE service (see image below).
I don't know how to interpret the, "Voice Network: LTE" on the main menu screen.
Just checked, and it switches to 3G on calls; also, when going into that IMS menu, it says unavailable.
GryphonBR said:
I tried something similar, extracted a KDZ and put the necessary BIN files on a flashable ZIP I found around. All I achieved was bootlooping the device...
Out of all the partitions which ones did you flash and which ones did you not flash? Also was the h933 kdz also for oreo?
cre4per said:
My h933 converted to us998 says that my volte is enabled
As @Mad Medik mentioned, so far I don't know of any Canadian operators enabling VoLTE (or VoWiFi for that matter) on generic phones. I have a Rogers P10 Plus that's registered under my account as my main phone and which I reflashed to have these features available, but it just won't work. I've had extended arguments with Rogers representatives about it, and the 1+3T I'm presently using even has the same config your phone is showing: VoLTE Provisioned, but IMS shows as Not Registered so nothing else works. I'm waiting on an LS998 I bought to arrive, I'll try flashing H933 on it to see if it actually allows me to register on IMS.
The Elite said:
Out of all the partitions which ones did you flash and which ones did you not flash? Also was the h933 kdz also for oreo?
KDZ was for Oreo, indeed. It was the one I used to bring the phone to the latest (at the moment) update available.
As for which partitions I flashed, I was gonna give you a list, but to make it short the only partition not flashed was recovery.
GryphonBR said:
As @Mad Medik
KDZ was for Oreo, indeed. It was the one I used to bring the phone to the latest (at the moment) update available.
As for which partitions I flashed, I was gonna give you a list, but to make it short the only partition not flashed was recovery.
As far as I know there are some boot partitions that should not be flashed, which may have caused the soft brick. I know autoprime used to make these zips for the G3 and runningnak3d made one for the V10, you might want to cross reference the partitions they used and what they didn't. Probably the V10 first because the G3 is relatively ancient. I think in essence you should just be able to flash boot, system and modem and rpm though, but you would need to combine the split-up system images after the extract.
The Elite said:
As far as I know there are some boot partitions that should not be flashed, which may have caused the soft brick. I know autoprime used to make these zips for the G3 and runningnak3d made one for the V10, you might want to cross reference the partitions they used and what they didn't. Probably the V10 first because the G3 is relatively ancient. I think in essence you should just be able to flash boot, system and modem and rpm though, but you would need to combine the split-up system images after the extract.
The reason why I was flashing everything is because I used this thread to recover from a previous soft brick I stumbled upon. Upon speaking to the thread creator, he mentioned I should be able to follow a similar process to achieve an H933 flashable file. Did that and, well, managed to soft brick the phone... I might try your idea, though.
So, from my knowledge of attempting to get VoLTE working on an HTC 10, I suspect you won't get VoLTE working on anything other than Rogers H933 firmware. For whatever reason, the programming required for VoLTE isn't on the USIM card in your phone, but rather programmed into the phone by the provider. This means, unless your phone model is sold and supported for VoLTE on the provider you wish to use it on, you're screwed like I was, trying to get VoLTE working on my HTC 10 on Rogers.
This being said, the good news is we are back to CDMA tech here, where the only thing preventing you from using your third party phone with your provider is knowing what code to enter, and what parameters to program in. Since my H933 is on Telus, my programming won't do you much good.
What you're looking for is the IMS settings or IP Multimedia Subsystem settings, as this is what carries the VoIP packets that consist of VoLTE. If someone were to post the settings from their Rogers H933, you may be able to get VoLTE working on US998 firmware.
Why not just flash system and boot? After unlocked and rooted, of course. LG UP Partition DL will let you flash individual partitions. I would have done it that way for my carrier but there is no kdz available.
JWnSC said:
Why not just flash system and boot? After unlocked and rooted, of course. LG UP Partition DL will let you flash individual partitions. I would have done it that way for my carrier but there is no kdz available.
I tried that last night just bootloops
cre4per said:
I tried that last night just bootloops
Did you wipe data?
JWnSC said:
Did you wipe data?
Yea. Then went to restore and the restore wouldn't even work anymore. Was saying there were no partitions backed up, but I had used that restore numerous times trying to get LOS to boot. Very strange, had to start back from scratch.
Anyone with H933 from Freedom Mobile convert to US998? I'm just wondering how the service is after the change. I'm reading mixed reports, but once modems were extracted and compared there was a difference.
Hi,
I'm new to actual android development, but interested in making things for this phone. One thing I'm not sure how to deal with, though, is the different variants - I don't quite understand how different or similar they are.
I've bought mine from the USA OnePlus store, and I'm assuming there are at least some system differences from the ones bought from T-Mobile or Metro PCS. I'm not sure how deep they go, but for starts, I think gathering some information through fastboot could be useful.
When I reboot into fastboot, my phone reports "VARIANT - SM_ UFS". When I connect to a computer, and run the "fastboot getvar all" command, it outputs the following text: https://gist.github.com/daboross/589165a72b0df4904a05d75c3f6b7802.
If you've got fastboot set up, and a different variant - either one bought from T-Mobile, one bought from Metro PCS, or another one you suspect is different at all, could you run the same "fastboot getvar all" command, and upload the output to a pastebin?
The more the merrier - it will be easy to look at two files and see if they're identical or not. So if you're wondering whether or not posting yours will be helpful, and have the time, post it!
Note: I recommend editing out the "serialno" value as I have. Probably no harm in exposing it, but better safe than sorry.
If anyone in here has more experience or other ways to get easy information about what could be different, I definitely welcome the advice. My main goal is to have a rough idea of whether a TWRP build, or LineageOS build, that works on my device will work on other variants without modification - and if they don't, how much modification will be needed.
Thanks!
---
Edit: if you could gather the output of "adb shell getprop" while running the regular OS, that would also be greatly appreciated! Here's my output for that: https://gist.github.com/daboross/8b1a837d36ed986c1075e9d11bff8e7a
I have a T-Mobile Nord N200. Here is the value of fastboot getvar all: https://gist.github.com/lzgmc/aef8d427fc23711dacadf48820db497d
Here is the value of adb shell getprop: https://gist.github.com/lzgmc/46a01f26810ffa709c00e19a936a30b7
T-mobile and metropcs versions are identical.
Nice, thanks!
Looks like a few things differ - I hadn't expected a different model number, but we have that - DE2117 vs DE2118 and name OnePlusN200 vs OnePlusN200TMO.
There's the difference in stock rom builds, which I was expecting.
There's a different "vendor.boot.project_codename" - dre9 on the OnePlusN200, dre8t on the OnePlusN200TMO. I don't know if this is a difference in rom builds, or built in.
Other than that, everything else seems the same. Partition layout is the same. I don't see any immediate reasons why a recovery couldn't work for both, though of course we'll need to test that.
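The comparison the OP asks for (two dumps diffed with serialno stripped), as an added example that is not code from any poster in this thread. The dumps inside are constructed to mirror the differences listed above (product name, DE2117/DE2118, dre9/dre8t), not real captures, and `ro.constructed.tmo_only_example` is a placeholder key.

```python
"""Diff two device dumps (`fastboot getvar all` or `adb shell getprop`).
Added example for this thread, not code from any poster; the sample dumps are
constructed (not real captures) to mirror the differences discussed above."""
import re

# Keys that identify one unit rather than the variant. The OP strips serialno
# before posting; the parser blanks these keys the same way by default.
SENSITIVE_KEYS = {"serialno", "ro.serialno", "ro.boot.serialno"}
REDACTED = "<redacted>"
_GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>.*)\]$")
_FASTBOOT_PREFIX = "(bootloader) "


def parse_dump(text, redact=True):
    """Parse either dump format into {key: value}.
    fastboot lines are `(bootloader) key:value`; per-partition keys such as
    `partition-type:system_a:ext4` carry an extra colon, so we split on the
    LAST colon (key `partition-type:system_a`). getprop lines are
    `[key]: [value]`. Anything else (fastboot's `all:`/`Finished.` trailer)
    is skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _GETPROP_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
        elif line.startswith(_FASTBOOT_PREFIX) and ":" in line:
            key, val = line[len(_FASTBOOT_PREFIX):].rsplit(":", 1)
        else:
            continue
        key, val = key.strip(), val.strip()
        if redact and key in SENSITIVE_KEYS:
            val = REDACTED
        props[key] = val
    return props


def compare_dumps(text_a, text_b):
    """Return keys unique to each side and shared keys whose values differ."""
    a, b = parse_dump(text_a), parse_dump(text_b)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys())
                    if a[k] != b[k]},
    }


# Constructed sample dumps, modelled on the values quoted in the thread.
FASTBOOT_STORE = """\
(bootloader) product:OnePlusN200
(bootloader) variant:SM_ UFS
(bootloader) serialno:CONSTRUCTED-SERIAL-A
(bootloader) partition-type:system_a:ext4
(bootloader) has-slot:system:yes
(bootloader) unlocked:yes
all:
Finished. Total time: 0.010s
"""
FASTBOOT_TMO = (FASTBOOT_STORE.replace("OnePlusN200", "OnePlusN200TMO")
                .replace("SERIAL-A", "SERIAL-B").replace("unlocked:yes", "unlocked:no"))
GETPROP_STORE = """\
[ro.product.model]: [DE2117]
[ro.product.name]: [OnePlusN200]
[vendor.boot.project_codename]: [dre9]
[ro.serialno]: [CONSTRUCTED-SERIAL-A]
"""
GETPROP_TMO = """\
[ro.product.model]: [DE2118]
[ro.product.name]: [OnePlusN200TMO]
[vendor.boot.project_codename]: [dre8t]
[ro.serialno]: [CONSTRUCTED-SERIAL-B]
[ro.constructed.tmo_only_example]: [1]
"""

if __name__ == "__main__":
    # Serial numbers are redacted on both sides, so they never show as a diff.
    print(compare_dumps(FASTBOOT_STORE, FASTBOOT_TMO))
    print(compare_dumps(GETPROP_STORE, GETPROP_TMO))
```

Feed it the two gists instead of the inline samples and it reports the same three kinds of difference (product/name, model number, project codename) without ever printing a serial number.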
googlephoneFKLenAsh said:
T-mobile and metropcs versions are identical.
When looking at installed apps from factory, it includes all packages for both companies. My guess is they just run a script to select which active ones run for each.
daboross said:
Nice, thanks!
Looks like a few things differ - I hadn't expected a different model number, but we have that - DE2117 vs DE2118 and name OnePlusN200 vs OnePlusN200TMO.
There's the difference in stock rom builds, which I was expecting.
There's a different "vendor.boot.project_codename" - dre9 on the OnePlusN200, dre8t on the OnePlusN200TMO. I don't know if this is a difference in rom builds, or built in.
Other than that, everything else seems the same. Partition layout is the same. I don't see any immediate reasons why a recovery couldn't work for both, though of course we'll need to test that.
"OnePlusN200" is the OnePlus store bought one, "OnePlusN200TMO" is the T-Mobile and Metro(PCS) model. OnePlusN200 receives all updates, while OnePlusN200TMO only receives updates that T-Mobile authorizes.
For example: The latest OTA update available to OnePlusN200TMO devices is 11.0.1.7, while the OnePlusN200 gets the 11.0.2.0 OTA.