HOW TO WORK WITH SEMC PDA PHONES



the_laser
02-05-2010, 12:51 PM
first, basics.

SEMC created few types of PDA:

db200x+nexperia (SYMBIAN OS)
m600,w950,w960,p1,p990

such phones have two security types - NEW and OLD.
Identify button will show security type - it will write "NEW SECURITY detected" with NEW security phones.

it is better to install PDA phone drivers and PDA flash drivers before any operation.

phone drivers:


for that you need to download phones.rar from support or from SEMC (http://ma3.extranet.sonyericsson.com/drivers)
turn on phone. in "connections manager->usb" select "normal mode".
now, attach cable.
windows will ask you for drivers, point it to corresponding folder within extracted phones.rar.
you must have "semc xxx usb modem" and "semc xxx application port" if drivers correctly installed.
now, turn phone off and detach it.


flash drivers:


power on smartphone in fw update mode.

- for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
- for w950,w960,p1 press and hold "C" on TURNED OFF phone, then attach dcu60.

windows will ask you for drivers. drivers are in %setool2 dist%\drivers\Smartphone_Drivers



S1 OPEN (SYMBIAN OS) ( ti omap + db3xxx )
satio,vivaz,vivaz pro

S1 QUALCOMM,MT BASED (ANDROID OS)
all other models

the_laser
02-05-2010, 12:52 PM
FLASHING OF A1-BASED PDA PHONES

download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash

note, if phone has BROWN domain, you must FIRST flash conversion packs:


for m600,w950,p990:
for brown cid 36: pda_ccpu_convert_red49_signed_brown36.zip
for brown cid 49: pda_ccpu_convert_red49_signed_brown49.zip
for w960,p1:
for brown cid 49: pda_ccpu_convert_red53_signed_brown49.zip

the_laser
02-05-2010, 12:52 PM
UNLOCKING OF A1-BASED PDA PHONES

if you want to UNLOCK NEW SECURITY phone -

check "use server" and enter your login/password.
please check FAQ article about credit consumptions for your phone.

press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

if you want to UNLOCK OLD SECURITY phone -

UNCHECK "use server".
BE SURE you have latest REST files.

now, you need to install drivers for flashing.
for that, power on smartphone in fw update mode.

- for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
- for w950 press and hold "C" on TURNED OFF phone, then attach dcu60.

windows will ask you for drivers. drivers are in %setool2 dist%\drivers\Smartphone_Drivers

now, when all preparations finished - press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

the_laser
02-05-2010, 12:56 PM
FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)

download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash

connect turned off phone while holding "green" button.

FLASHING OF S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)

download needed firmware package.
( two main files,both REQUIRED. APP - OS kernel, radio part, FSP - user and android OS system data,
CDF - internal storage contents, eLabel - electronic label )
add it to firmware area on PDA tab.
Order is IMPORTANT - ALWAYS add APP part first, then FSP, then eLabel, then CDF
Some MT-based phones can be irreversibly killed, if APP part is NOT first package to flash.

UNPACK package archive, if packed (unzip,unrar, but DO NOT unpack *.sin_file_set itself ), ADD *.file_set to firmware area
on settings,check "signed mode"
press flash

connect turned off phone while holding "BACK" button.

the_laser
02-05-2010, 12:56 PM
UNLOCKING OF S1-OPEN PDA PHONES

select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

back to original tab, press unlock, "GREEN BUTTON"

if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory.
next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.


UNLOCKING OF S1-ANDROID PDA PHONES

server based full official unlock method. Only available, when s1 signature server online

select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

back to original tab, press unlock, hold "BACK BUTTON" and insert cable to powered off phone.

if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory
(following unlock attempts, if something had happened with phone - cable disconnect, etc - during unlock - will be free as long as signature remains there )

next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.

server based full unlock method using alternative security bypass

please read that (http://support.setool.net/showthread.php?15-HOW-TO-WORK-WITH-SEMC-PDA-PHONES&p=61524&viewfull=1#post61524) post


GESTURE LOCK/USER PASSWORD RESET FOR S1-ANDROID PDA PHONES

check signed mode only, press unlock.
hold "BACK BUTTON" and insert cable to powered off phone.

if phone has blocked attempts counter, then you need reflash phone after lock reset.

the_laser
02-07-2010, 11:37 PM
POSSIBLE PROBLEMS

DB200X+NEXPERIA

damaged SCRC (imei mismatch), damaged seczone, damaged gdfs,damaged CCPU EROM

1. go to emptyboard tab
2. select model
3. on settings, check "signed mode", fill login details
4. press reset, connect phone
5. if gdfs structure okay, skip that step, otherwise add to firmware area gdfs in ssw format: one of

DB2001_G700_GDFS_IN_SSW_FORMAT.SSW
DB2001_M600_GDFS_IN_SSW_FORMAT.ssw
DB2001_P1_GDFS_IN_SSW_FORMAT.ssw
DB2001_P990_GDFS_IN_SSW_FORMAT.ssw
6. add to firmware area correct EROM
for m600,w950,p990: pda_ccpu_convert_red49_BROWN_CID49_DB2001.software
for w960,p1: pda_ccpu_convert_red53_BROWN_CID49_DB2001.software
7. press flash
8. reflash phone on usual PDA tab if needed.

phone could not boot using dcu60, erom version timeout error,etc

ACPU EROM damaged, to restore it


1. select correct PDA model
2. find corresponding EROM in dist\eroms\, add it to firmware area
3. select correct com port. ufs,usb can't be used for that operation.
4. press recovery
5. connect turned off phone
6. reflash phone via USB with normal firmware


S1 OPEN

phone could not boot and blinks red, you CAN flash phone

unlock phone using full signature unlock

phone stuck on white screen

reflash clean file system files, then flash normal firmware

phone could not boot and blinks red, you CAN NOT flash phone

if phone aid 004 - that is brick, can't be repaired by known 3rd party tools
if phone aid 001,002,003 - you need to perform trim area repair process:

first, make flash readout with options: signed mode,use alternative security bypass.
start 80021000
len 00200000
MID 01
"read spare" UNCHECKED
"read as ssw" UNCHECKED

you will get trim area image readout.

now let's determine if hwconfig present and not mismatched.
get a hex editor (hiew, winhex or similar)

using editor search function, locate in readout bytes d3 07 00 00
now check attached picture.

if imei is yours, then you can try to fix phone.
if imei is not yours and you do not have backup - send phone to semc.

now, let's extract needed trim area units and build script.

1.
you need to copy binary data from "data start" till "data end" (inclusive)
then convert binary data to its ASCII values (with same winhex)


add script command to data

example, from example file read_80021000_00200000_35681003102941.bin:

2. using editor search function, locate in readout bytes da 07 00 00.
extract binary data ( method very same as shown on picture ), add script command




3. using editor search function, locate in readout bytes 51 08 00 00.
extract binary data ( method very same as shown on picture ), add script command




4. you have now 3 big strings.
copy them into one file (each string should be on one line !)
add 4-th script command in the end of file


tawrite:0002FDE800


you have own fixup file.

proceed to http://support.setool.net/showthread.php?2071-U1i-SATIO-DEAD&p=15855&viewfull=1#post15855

notice that if you get simlock tampered message after fix procedure, you NEED to unlock phone using signature server.

tutorial video by Aishur: http://www.4shared.com/folder/RCU5KkCO/Satio_fixup.html

m_taheri has written a tool for automatic fixup creation. (http://support.setool.net/showthread.php?31644-A-small-app-for-making-fixup-script-for-satio&p=79065&viewfull=1#post79065)

S1 ANDROID

q:
i had unlocked my phone using alternative security bypass method, but phone not unlocked.

a:
you did not set all required settings.
you must check "signed mode", "alternative security bypass mode", "do full unlock instead of usercode reset"


q:
i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits,
but phone not unlocked.

a:
just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
no further credits will be required.
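
An added example, not part of the original post and not setool2 code: a small Python linter for the fixup file assembled in steps 1-4 of the trim area repair above, to catch a wrapped or space-broken command before it is written to a phone. It assumes the unit id in each command is the searched byte pattern read as a little-endian number (d3 07 00 00 -> 07D3) and that every command starts with 0002 as in the post's own commands; the sample scripts and their data bytes are constructed placeholders.

```python
"""Lint a trim-area fixup script before "write script" is pressed."""
import re

PREFIX = "0002"  # follows "tawrite:" in every command in the post; meaning not stated
# Units from steps 1-4, in the order the post adds them
# (assumption: unit id = searched bytes read as little-endian).
REQUIRED_UNITS = (0x07D3, 0x07DA, 0x0851, 0xFDE8)
FINAL_COMMAND = (0xFDE8, b"\x00")  # step 4: tawrite:0002FDE800
HEX_RE = re.compile(r"[0-9A-Fa-f]*")


def search_bytes(unit):
    """Byte pattern to search for in the readout for a given unit id."""
    return unit.to_bytes(4, "little")


def parse_command(line):
    """Parse one 'tawrite:' line into (unit_id, data_bytes) or raise ValueError."""
    if not line.lower().startswith("tawrite:"):
        raise ValueError("line does not start with 'tawrite:'")
    payload = line[len("tawrite:"):]
    if any(ch.isspace() for ch in payload):
        raise ValueError("whitespace inside hex payload")
    if not HEX_RE.fullmatch(payload):
        raise ValueError("non-hex character in payload")
    if len(payload) % 2:
        raise ValueError("odd number of hex digits")
    if not payload.startswith(PREFIX):
        raise ValueError("payload does not start with " + PREFIX)
    if len(payload) < len(PREFIX) + 4 + 2:
        raise ValueError("no data after unit id")
    return int(payload[4:8], 16), bytes.fromhex(payload[8:])


def lint_fixup(text):
    """Return (commands, problems); problems are (line_no, message), 0 = whole file."""
    commands, problems = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # blank lines and // comments carry no command
        if HEX_RE.fullmatch(line):
            # "each string should be on one line": a hex-only line is a wrapped tail
            problems.append((no, "bare hex line: previous command was wrapped"))
            continue
        try:
            commands.append(parse_command(line))
        except ValueError as exc:
            problems.append((no, str(exc)))
    units = [unit for unit, _ in commands]
    for unit in REQUIRED_UNITS:
        if units.count(unit) != 1:
            problems.append((0, "unit %04X appears %d times, expected 1"
                             % (unit, units.count(unit))))
    if not commands or commands[-1] != FINAL_COMMAND:
        problems.append((0, "last command is not tawrite:0002FDE800"))
    return commands, problems


# Constructed samples: data bytes are placeholders, not real trim area contents.
GOOD_SCRIPT = """\
// constructed sample
tawrite:000207D3AABBCCDD
tawrite:000207DA00112233
tawrite:0002085100FF
tawrite:0002FDE800
"""

BROKEN_SCRIPT = """\
tawrite:000207D3AABB CCDD
tawrite:000207DA0011
2233
tawrite:0002085100FF
"""

if __name__ == "__main__":
    for name, script in (("good", GOOD_SCRIPT), ("broken", BROKEN_SCRIPT)):
        cmds, probs = lint_fixup(script)
        print(name, "commands:", ["%04X" % u for u, _ in cmds])
        for line_no, message in probs:
            print("  line %d: %s" % (line_no, message))
```
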

the_laser
10-07-2010, 02:09 PM
script to change keyboard layout for u8 vivaz pro.



// To set u8 keypad layout
//
// Values:
// 00000000 = QWERTY
// 01000000 = QWERTY for NAM
// 02000000 = QWERTZ
// 03000000 = AZERTY
// 04000000 = QWERTY
// 05000000 = QWERTY Sweden/Finland/Denmark/Norway
// 06000000 = Chinese Stroke/QWERTY
// 07000000 = Chinese Bopomofo/QWERTY
// 08000000 = Cyrillic/QWERTY
// 09000000 = QWERTY Brazilian Portuguese
// 0A000000 = Hebrew/QWERTY
// 0B000000 = Arabic/QWERTY
// 0C000000 = Greek/QWERTY
// 0D000000 = Thai/QWERTY

tawrite:000213BA06000000

the_laser
07-11-2011, 05:12 PM
q:
which s1 android based phones i can unlock using alternative security bypass ?

a:
you can use that method for
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones can also use testpoint method (complex, but powerful ) for unlock/repair

q:
how to unlock s1 android based phones, based on msm7227,qsd8250 using alternative security bypass without testpoint ?

a:
Here is procedure.

1.
make sure you have firmware with android 2.x, NOT 1.6.
flash required firmware, if needed.



2.
power on phone without sim card, go to menu->settings->applications->development, enable "usb debugging"
connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)

hint:
i suggest you import DisableADBNumbering.reg, however this is not required.

3.
select proper phone model.
select USB as interface
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
press unlock

when prompted, detach phone, turn it on fully, connect it again.
( or you can leave phone on cable, then power it on manually )

when program tells "warming up...", manually power on phone fully, cause it will automatically enter charging mode.

after you see "GETTING ROOT ACCESS ..." DO NOT TOUCH PHONE until procedure complete.

DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
SUCH KILLED PHONES CAN BE REPAIRED WITH RESURRECTION CABLES.


possible problems:

problem:
you are getting "Can't get ROOT rights", "err: 00000005","err: 00000002" during process

solution:
disable antivirus, especially if you are using "kaspersky antivirus", i recommend Doctor Web (http://www.drweb.com)
do NOT run setool2 from restricted accounts.
do NOT run setool2 from read-only media.

problem:
it can happen ( very unlikely, though ) that ADB server will not recognize phone after reboot

solution:
IF phone not detecting automatically and on status bar you can see "waiting for phone...", again - only in that case - disconnect phone from usb and connect it again, procedure should continue.

if not, well, repeat from start.


q:
how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD

1.
prepare for testpoint operation.
check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
open testpoints for access
if you do not have GPG cable set, get some needle with wire, connect it to phone GND ( battery minus ) or to USB cable shield, etc.

Notice, that most of UART "boxes" for sony ericsson phones have 2 UARTs : DTMS/DFMS and CTMS/CFMS ( TX/RX ) on RJ45 connector.
you need to connect DTMS, noted on schematics, to TX ( CTMS ) pin on RJ45 connector, DFMS from schematics to CFMS ( RX ) pin on RJ45.

2.
select proper phone model.
select COM as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:


remove cable from phone,
remove battery from phone,
attach testpoint ( turn on switch on cable set )
insert cable to phone, HOLDING TESTPOINT ( cable set switch in "on" position )
press "ready"
when prompted detach testpoint
press "ready"
install drivers from dist\drivers\USBFlash_driver\ ( if asked )



God willing, phone will be unlocked.

q:
how to unlock s1 android based phones, based on qsd8x55, using alternative security bypass using testpoint?

a:
Here is procedure.

1.
prepare for testpoint operation.
check testpoint location for your phone model in dist\docs\
open testpoint for access
get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.

2.
select proper phone model.
select USB as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:


remove cable from phone,
remove battery from phone,
attach testpoint
press "ready"
insert cable to phone, HOLDING TESTPOINT
install drivers from dist\drivers\USBFlash_driver\
make sure that driver for qhusb_dload ( device, which will appear after successful testpoint ) is installed from dist\drivers\usbflash_drivers and named "ZEUS Flash Device".
Install driver manually, if testpoint driver named otherwise.

when prompted detach testpoint
press "ready"



God willing, phone will be unlocked.

the_laser
08-23-2011, 01:35 PM
q:
my semc 8x55-based smartphone can't be detected by PC or detecting as "QHUSB_DLOAD".
my semc 7227-based smartphone can't be detected by PC.
my semc 8250-based smartphone can't be detected by PC.

a:
at least semc boot damaged

step I.

for 8x55-based phones select USB as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press "recovery"

for 7227,8250-based phones select COM as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
3. pda tab, press "recovery"

important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during entire testpoint procedure




if you get next output


MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]

and do not have trim area backup, that's bad, but you still can fix phone : check next post (http://support.setool.net/showthread.php?15-HOW-TO-WORK-WITH-SEMC-PDA-PHONES&p=70745&viewfull=1#post70745)



step II.

1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press "flash"

q:
during second stage of testpoint unlock procedure i made testpoint wrong/disconnect phone/etc - my phone dead, but i have security units backup.


a:
that can be fixed easy enough.

step I.

for 8x55-based phones select USB as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press "recovery"

for 7227,8250-based phones select COM as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
3. pda tab, press "recovery"



if you will get output like


MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]

then and only then perform next step, otherwise skip to step IV


step II.

1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass, format gdfs during write

for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write

3. pda tab, select trim area package files for your phone model ( DO NOT UNPACK, DO NOT UNZIP, DO NOT TOUCH IT IN ANY WAY ) in misc. edit
4. press "write gdfs"

step III.

1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass

for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write

3. pda tab, select YOUR BACKUP SCRIPT
4. press "write script"

step IV.

1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press "flash"

the_laser
10-23-2011, 08:32 PM
q:
how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

okay, here is example how to resurrect totally dead x10 phone.
so, we have x10 phone with totally erased semcboot and trim area.
phone does not turn on, does not connect to pc anyhow.

let's resurrect it.

run setool2, select x10 as model, select com port as interface
( one where GPG resurrection cables connected )

1.
on options set signed mode,altbypass mode, use testpoint (gnd type)

2.
connect GPG x10 resurrection cradle to phone, press RECOVERY
follow program instructions.

important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during all testpoint procedure

btw, as phone has erased semcboot, you do not need apply testpoint that time.
however, that is very special case, so for simplicity lets apply testpoint all time.

here is operation output:



SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000010

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"


WRITING SEMCBOOT ...
Checking TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
Checking MISC TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
SUCCESS



now we recovered semcboot and prepared trim area for loading.
if phone only had erased semcboot, it will already work after that step.
but our phone TOTALLY damaged, so let's proceed with second step:

we need now load trim area.
Please skip this step, if your phone does not have damaged trim area ( errors like: "TA_invalid,_format_may_be_required" )

options are same for step1 + "format gdfs when writing" checked,
select 1595 in misc.edit and press "write gdfs".
( any trim area, read from corresponding model live phone will work )
follow program instructions.

here is operation output:



SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000110
Will write GDFS now.

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"

Can't get IMEI
will write 1010 units
done
will write 53 units
done
Phone detached
Elapsed: 23 secs.


finally, we need rebuild imei and security zone.
for that, check same options as for step1 + "do full unlock instead of usercode reset","allow to change imei when unlocking" checked,
press "unlock/repair", follow program instructions

here is operation output:




THAT ACTION IS ILLEGAL,IF YOU DOING IT
FOR ANY PURPOSE, OTHER THAN REPAIR PHONE

SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010010010

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"

Can't get IMEI
REQUESTED : 359419030xxxxx
Checking for HWConfig ...
Waiting for calculation process ...
RESPONSE: "SUCCESS" [826]
Checking for signature ...
signature found, skipping calculation
WRITING SEMCBOOT ...
WRITING HWCONFIG ...
Unlock DONE
Elapsed: 20 secs.


from now on, phone is fully repaired, testpoint cradle not needed.
reflash phone with any suitable firmware.

q:
how to repair totally damaged s1 android phones, based on qsd8x55, using alternative security bypass using testpoint?

a:
operation is very same, just select usb as interface and do not check "use testpoint (gnd type)"

the_laser
11-20-2011, 05:03 AM
q:
i updated my 8x55-based phone using OTA, however phone turned off and can't power on anymore, blinking green led, short vibration.
i tried to reflash it, but nothing helps.

a:
write next script ( save commands in text file, select text file in misc edit, signed mode, press write script )



tawrite:000208BD00000000
tawrite:000208FD00000000

the_laser
05-19-2012, 07:32 AM
q:
i'm trying to unlock msm8x55-based phone, i'm sure that procedure done properly, but i always receive error:



SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110000000000

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
PRESS "READY", THEN ATTACH USB CABLE TO PHONE

will use DLOAD protocol ...
0806010100900000
0D1450424C5F446F776E6C6F6164657256455231
030006
030006
030006
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

qcReceivePacket: can't get packet start
IF TESTPOINT DONE OK,THIS IS NOT SUPPORTED MCU REVISION
CAN'T LOAD IDENTIFICATION LOADER

a:

bad luck, that is mcu with fixed security flaw and you can not unlock,repair trim area, repair semcboot, rebuild hwconfig using altbypass method.

the_laser
11-21-2012, 10:38 AM
phones chipset specifications ( select any model, based on this chipset, to service phone ) ( assigned by family )



SO-03D, Xperia Acro HD, msm8x60
SO-02D, Xperia NX (SO-02D), msm8x60
IS12S , Xperia Acro HD(IS12S), msm8x60

SO-04D, Xperia GX , msm8260A
SO-05D, Xperia SX (SO-05D) , msm8260A

SO-01D, Xperia PLAY (SO-01D), msm8x55
SO-01B, Xperia X10 (SO-01B) , qsd8255
SO-01C, Xperia arc (SO-01C), msm8x55, anzu
SO-02C, Xperia acro (SO-02C), msm8x55, azusa
SO-03C, Xperia ray, msm8x55
S51SE , S51SE , msm8x55 , xperia mini , smultron

xperia v branch:
LT25i , xperia v, msm8260A (msm8960)
LT25c , xperia vc, msm8260A (msm8960)
SOL21 , Xperia VL, AU by KDDI, msm8260A (msm8960)
SO-01E, xperia AX, NTT DoCoMo, msm8260A (msm8960)

xperia t branch:
LT30, Xperia T, msm8260A (msm8960)
LT30at, Xperia TL, msm8260A (msm8960)




st26_xperia_J,
c1504_xperia_E,
c1505_xperia_E,
c1604_xperia_E_dual,
c1605_xperia_E_dual : msm7227A




st21_xperia_tipo,
st23_xperia_miro : msm7225A




c6502_xperia_zl,
c6503_xperia_zl,
c6506_xperia_zl,
c6602_xperia_z,
c6603_xperia_z : apq8064+mdm9xxx

c5302_xperia_sp,
c5303_xperia_sp
C5306__xperia_sp: msm8260A (msm8960T)

c2104_xperia_L
c2105_xperia_L : msm8230

the_laser
11-20-2013, 04:36 PM
About alternative security bypass unlock for st21,st21i2,st23,st26,c1504,c1505,c1604,c1605 phones

1. select proper phone model
2. check signed mode + altbypass + do full unlock
3. press unlock and follow program instructions

Our users tested all supported phones - and every phone was unlocked

To prevent possible problems, in second step, when setool2 ask you to power on phone, disconnect cable from phone, power on phone FULLY, wait at least 30 seconds to allow sluggish android fully start up, then enable USB debugging and only then connect phone.

if root procedure will fail ( hang on "Please wait ...." for long time or abort with error ) please press "stop" button and repeat procedure.
if it will fail again, please file a complaint with identify output, flash phone with different firmware version and retry.

notice :
- phone will NOT have network until procedure will complete
- you CAN root phone with any other tool BEFORE attempt to process it with setool2
- pretty please remove any resident antiviruses, malware monitors, spy programs,debuggers and so on before operation.

processed phone CAN be flashed with any other 3rd-party tools, which using original sony loaders.
processed phone CAN be flashed with SEUS
processed phone CAN NOT be FOTA upgraded
processed phone WILL have UNLOCKED fastboot ( unlocked bootloader )

you CAN NOT flash or fix octopus-processed phones using this setool2 version.
setool2 will refuse to process such phones.
you should wait, until they get my proper patches and integrate it into their software with security units rebuild.
finally, until i'll have reliable way to fix such phones without need to have live phone, i'll not enable IMEI change.

your phone will not be killed and will be unlocked, in šāʾAllāh