Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: HOW TO WORK WITH SEMC PDA PHONES

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default HOW TO WORK WITH SEMC PDA PHONES

    first, basics.

    SEMC created few types of PDA:

    db200x+nexperia (SYMBIAN OS)
    m600,w950,w960,p1,p990

    such phones have two security type - NEW and OLD.
    Identify button will show security type - it will write "NEW SECURITY detected" with NEW security phones.

    if is better to install PDA phone drivers and PDA flash drivers before any operation.

    phone drivers:
    for that you need to download phones.rar from support or from SEMC
    turn on phone. in "connections manager->usb" select "normal mode".
    now, attach cable.
    windows will ask you for drivers, point it to corresponding folder within extracted phones.rar.
    you must have "semc xxx usb modem" and "semc xxx application port" if drivers correctly installed.
    now, turn phone off and detach it.
    flash drivers:
    power on smartphone in fw update mode.

    - for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
    - for w950,w960,p1 press and hold "C" on TURNED OFF phone, then attach dcu60.

    windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers

    S1 OPEN (SYMBIAN OS) ( ti omap + db3xxx )
    satio,vivaz,vivaz pro

    S1 QUALCOMM,MT BASED (ANDROID OS)
    all other models


  2. #2
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    FLASHING OF A1-BASED PDA PHONES

    download needed firmware package.
    add it to firmware area on PDA tab.
    DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
    on settings,check "signed mode"
    press flash

    note, if phone have BROWN domain, you must FIRST flash conversion packs:

    for m600,w950,p990:
    for brown cid 36: pda_ccpu_convert_red49_signed_brown36.zip
    for brown cid 49: pda_ccpu_convert_red49_signed_brown49.zip
    for w960,p1:
    for brown cid 49: pda_ccpu_convert_red53_signed_brown49.zip


  3. #3
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    UNLOCKING OF A1-BASED PDA PHONES

    if you want to UNLOCK NEW SECURITY phone -

    check "use server" and enter your login/password.
    please check FAQ article about credit consumptions for your phone.

    press unlock button and insert cable to phone,while holding appropriate key on phone.
    follow program directions.

    if you want to UNLOCK OLD SECURITY phone -

    UNCHECK "use server".
    BE SURE you have latest REST files.

    now, you need install drivers for flashing.
    for that, poweron smartphone in fw update mode.

    - for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
    - for w950 press and hold "C" on TURNED OFF phone, then attach dcu60.

    windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers

    now, when all preparations finished - press unlock button and insert cable to phone,while holding appropriate key on phone.
    follow program directions.


  4. #4
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    UNLOCKING OF S1-OPEN PDA PHONES

    select USB as interface. that is REQUIRED.
    select phone model
    settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

    back to original tab, press unlock, "GREEN BUTTON"

    if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
    if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory.
    next, backup will be created so you will be able to restore phone if something will go wrong.
    procedure will continue,phone will be switched off and unlocked.
    remember, if something will go wrong - you have a backup of security units.
    please check "credits consumption" FAQ post for info about number of credits.


    UNLOCKING OF S1-ANDROID PDA PHONES


    server based full official unlock method. Only available, when s1 signature server online

    select USB as interface. that is REQUIRED.
    select phone model
    settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

    back to original tab, press unlock, hold "BACK BUTTON" and insert cable to powered off phone.

    if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
    if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory
    (following unlock attempts, if something had happen with phone - cable disconnect,etc - during unlock - will be free as long as signature remains there )

    next, backup will be created so you will be able to restore phone if something will go wrong.
    procedure will continue,phone will be switched off and unlocked.
    remember, if something will go wrong - you have a backup of security units.
    please check "credits consumption" FAQ post for info about number of credits.

    server based full unlock method using alternative security bypass

    please read that post


    GESTURE LOCK/USER PASSWORD RESED FOR S1-ANDROID PDA PHONES


    check signed mode only, press unlock.
    hold "BACK BUTTON" and insert cable to powered off phone.

    if phone has blocked attempts counter, then you need reflash phone after lock reset.


  5. #5
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)

    download needed firmware package.
    add it to firmware area on PDA tab.
    DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
    on settings,check "signed mode"
    press flash

    connect turned off phone while holding "green" button.

    FLASHING OF S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)

    download needed firmware package.
    ( two main files,both REQUIRED. APP - OS kernel, radio part, FSP - user and android OS system data,
    CDF - internal storage contents, eLabel - electronic label )
    add it to firmware area on PDA tab.
    Order is IMPORTANT - ALWAYS add APP part first, then FSP, then eLabel, then CDF
    Some MT-based phones can be irreversible killed, if APP part is NOT first package to flash.

    UNPACK package archive, if packed (unzip,unrar, but DO NOT unpack *.sin_file_set itself ), ADD *.file_set to firmware area
    on settings,check "signed mode"
    press flash

    connect turned off phone while holding "BACK" button.


  6. #6
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    POSSIBLE PROBLEMS

    DB200X+NEXPERIA

    damaged SCRC (imei mismatch), damaged seczone, damaged gdfs,damaged CCPU EROM

    1. go to emptyboard tab
    2. select model
    3. on settings, check "signed mode", fill login details
    4. press reset, connect phone
    5. if gdfs structure okay, skip that step, otherwise add to firmware are gdfs in ssw format: one of

    DB2001_G700_GDFS_IN_SSW_FORMAT.SSW
    DB2001_M600_GDFS_IN_SSW_FORMAT.ssw
    DB2001_P1_GDFS_IN_SSW_FORMAT.ssw
    DB2001_P990_GDFS_IN_SSW_FORMAT.ssw
    6. add to firmware area correct EROM
    for m600,w950,p990: pda_ccpu_convert_red49_BROWN_CID49_DB2001.software
    for w960,p1: pda_ccpu_convert_red53_BROWN_CID49_DB2001.software
    7. press flash
    8. reflash phone on usual PDA tab if needed.

    phone could not boot using dcu60, erom version timeout error,etc

    ACPU EROM damaged, to restore it

    1. select correct PDA model
    2. find corresponding EROM in dist\eroms\, add it to firmware area
    3. select correct com port. ufs,usb can't be used for that operation.
    4. press recovery
    5. connect turned off phone
    6. reflash phone via USB with normal firmware


    S1 OPEN

    phone could not boot and blinks red, you CAN flash phone

    unlock phone using full signature unlock

    phone stuck on white screen

    reflash clean file system files, then flash normal firmware

    phone could not boot and blinks red, you CAN NOT flash phone

    if phone aid 004 - that is brick, can't be repaired by known 3rd party tools
    if phone aid 001,002,003 - you need to perform trim area repair process:

    first, make flash readout with options: signed mode,use alternative security bypass.
    start 80021000
    len 00200000
    MID 01
    "read spare" UNCHECKED
    "read as ssw" UNCHECKED

    you will get trim area image readout.

    now lets determine if hwconfig present and not mismatched.
    get and hex editor (hiew, winhex or simular)

    using editor search function, locate in readout bytes d3 07 00 00
    now check attached picture.

    if imei is your, then you can try to fix phone.
    if imei is not your and you do not have backup - send phone to semc.

    now, lets extract needed trim area units and build script.

    1.
    you need to copy binary data from "data start" till "data end" (inclusive)
    then convert binary data to its ASCII values (with same winhex)

    trim_area_unit_example.jpg

    add script command to data

    example, from example file read_80021000_00200000_35681003102941.bin:
    read_80021000_00200000_35681003102941.zip

    Code:
    tawrite:000207d301000000027704000000000000001D000000000000006A14663FD6E722880E288A943EFF3CB95479416F3F7700000247000101C001BE308201BA30820123A003020102020101300D06092A864886F70D0101050500301E311C301A0603550403141353315F4857436F6E665F526F6F745F61316563301E170D3030313131373139303630345A170D3230313131393139303630345A3019311730150603550403140E53315F4857436F6E665F6131656330819F300D06092A864886F70D010101050003818D0030818902818100C62E8DB0D1E86E5015210830F15BD56B8EE9F4339A377D346257028B700E6CEC207E83E5E4C76C901A2CF1577AE466FB4C8164E111C43A9A6763847D4C7877C5DBCC11AC153897CD6ECD77D5D59B7D9FC255EEBCA97929964C2684BFABA5481765390B03015046986C9AEE7A0C9D754FE4164C237640549783D9F28B056AFA530203010001A30D300B30090603551D1304023000300D06092A864886F70D01010505000381810057BE9BD213A7350190EBFF832B91083A0D74FD5E42B96560590D9FA4B78EBE556CF7E2D0E841F477D2578283E3205E14E2A46014B1D1475C15C7B7DBB348905B43D2D5605DA5461A8CFC88EEAD39BE85499EBC848A59F37575065CE753859CB29BB7FDA9805F7065E2A2C2ED3F9E9D519FBDD28C83FE55C33E9475E4765FCD9B0100808B505BE83576D2876CF09B332EAC0EEBD1F14E98072C98A4F492CD38A80265BD7C406DA1400367B9BA46970CB467DC825AC7EAC08DD72FDE4894CEDC60E2CE281E6E45A0B372ACB8ED548A3B5114B17A8C42FF131C94B436127BF3AFF865F7CBA6C58665C6584DB4DAF2EC9D05B87344DC956044CFE1E98761EA3ADF61C9D3A3000200000000000000000000000000000000000000000000000000000000000000000000000400020001000100010001000035681003102941000000002C00140CFFC34243D2191FE06C9265337027FA605069F20014C14561448A5B50B6292EBE92B421D26CBFBDC54C
    2. using editor search function, locate in readout bytes da 07 00 00.
    extract binary data ( method very same as shown on picture ), add script command

    Code:
    tawrite:000207da3C3B2B0D083B7915E34D77D8E6435A1C2FFF36DC000000000000000000000000FF00000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A1063006AF6C5FA39B0BABBEE5A8EC78CD3380024CB85626500000000551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E00005500000000000000000000000000000000000000000000000000000000106400283288EF30958212E12BEB1D148AD7C5EA57CB78290000000000000000000000000000000000000000000100
    3. using editor search function, locate in readout bytes 51 08 00 00.
    extract binary data ( method very same as shown on picture ), add script command

    Code:
    tawrite:000208510003001C00010019000207DA270F023D0010000007DA270F00470068000000F3019807FDA629760BA18A972C9E0FF8516AD296D83AAD4A07AC552FF9C6608DB7BB68B316CCED722FA0DEA690F59031732E71C1A9C2FAF71D1B16373E88858E72BD346BD4B07D6245C89556040F3D1E739567343244A15268C3DFA515E41CACBC4B368FB924B6770971D1966F0A4A8D707A21060D73112DF88AEA4CE6E5308125795CEB88C4F553A28EFC34FF346257BA858050B0EC28E8EDFA47681AB9F07568CA8A225826F90943376A5A4E54FB4D087F5BD08CF3F35521DB5C73E13253F4DAA68FA0F902C47FA5ECDA64674FF23A69D4EDDDC6A93C2A58D4183FDB7195647F1FA5F9644EE130544E23A75F80DCBFB98600090200000000000002FC0001027502733082026F308201D8A003020102020100300D06092A864886F70D01010505003077310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311E301C06035504031315536F6E79204572696373736F6E20534C20526F6F74301E170D3030303130313138303030305A170D3230303130313138303030305A3073310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311A301806035504031311536F6E79204572696373736F6E20534C4630819F300D06092A864886F70D010101050003818D0030818902818100D7C855C8F5F20A47302F9D1CB193907C8D01BEF67A20508CFF76C1CC5385BFCC90D805236000C3017BB3AF36D24561435199B482384570AF445AF2B78BF544B1C83CD6DF39E320A8D96674B6672B66225D2AD74BBCDE89999A688C0A7AF8E080319F2873B67B285B6F1D00535D083C8B68C556BBB1CBEC7ACBE7D274409E84270203010001A30F300D300B0603551D0F040403020780300D06092A864886F70D0101050500038181009096A087A4A2D7594888E2624EBB13FAEDBE5174C220410BD049BB628961BA18D370DF79527607EA533C931F14A094F0214BAFAD89FA3DADDBAC24BC1AE32211F668397745011F55D715B869874E464575988DF1D789594C86AE9310C8F4D00C3CBAB55595A63B3818FAB01A687EEAB3376176C8FE9A693A0283E57B94CD362A010080C511236A07BD6CD5D2F1D58B0E6EE887C15C0AACAACC56CAC126EB183ADC0AECBFF5081B49F3B6EB04AA3A0EB0B47D5B7B8C60830F8BC7B6450A64F0E925D40BABB25949AA89D2839CFDA4594818853013106C74F0A407D23BDC4C4630729C1469F6345F0930DAE37406DC02BA4049B54E3906F19D2821D3BF351A65FC8FA5B3
    4. you have now 3 big string.
    copy them into one file (each string should be on one line !)
    add 4-th script command in the end of file
    Code:
    tawrite:0002FDE800
    you have own fixup file.
    fixup_35681003102941.txt

    proceed to http://support.setool.net/showthread...ll=1#post15855

    notice, that is you will get simlock tampered message after fix procedure, you NEED to unlock phone using signature server.

    tutorial video by Aishur: http://www.4shared.com/folder/RCU5KkCO/Satio_fixup.html

    m_taheri written tool for automatic fixup creation.

    S1 ANDROID

    q:
    i had unlocked my phone using alternative security bypass method, but phone not unlocked.

    a:
    you did not set all required settings.
    you must check "signed mode", "alternative security bypass mode", "do full unlock instead of usercode reset"


    q:
    i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits,
    but phone not unlocked.

    a:
    just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
    no further credits will be required.


  7. #7
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    script to change keyboard layout for u8 vivaz pro.

    Code:
    // To set u8 keypad layout
    //
    // Values:
    // 00000000	= QWERTY
    // 01000000	= QWERTY for NAM
    // 02000000 	= QWERTZ
    // 03000000 	= AZERTY
    // 04000000 	= QWERTY
    // 05000000 	= QWERTY Sweden/Finland/Denmark/Norway
    // 06000000 	= Chinese Stroke/QWERTY
    // 07000000 	= Chinese Bopomofo/QWERTY
    // 08000000 	= Cyrillic/QWERTY
    // 09000000 	= QWERTY Brazilian Portuguese
    // 0A000000 	= Hebrew/QWERTY
    // 0B000000 	= Arabic/QWERTY
    // 0C000000 	= Greek/QWERTY
    // 0D000000 	= Thai/QWERTY
    
    tawrite:000213BA06000000


  8. #8
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    q:
    which s1 android based phones i can unlock using alternative security bypass ?

    a:
    you can use that method for
    x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
    lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.
    x10i,x10i,s0-o1b, e10,e15,e16,u20 phones can also use testpoint method (complex, but powerful ) for unlock/repair

    q:
    how to unlock s1 android based phones, based on msm7227,qsd8250 using alternative security bypass without testpoint ?

    a:
    Here is procedure.

    1.
    make sure you have firmware with android 2.x, NOT 1.6.
    flash required firmware, if needed.



    2.
    power on phone without sim card, go to menu->settings->applications->development, enable "usb debugging"
    connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)


    hint:
    i suggest you to import DisableADBNumbering.reg (DisableADBNumbering.zip) , however this is not required.

    3.
    select proper phone model.
    select USB as interface
    on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
    press unlock

    when prompted, detach phone, turn it on fully, connect it again.
    ( or you can leave phone on cable, then power it on manually )

    when program tells "warming up...", manually power on phone fully, cause it will automatically enter charging mode.

    after you see "GETTING ROOT ACCESS ..." DO NOT TOUCH PHONE until procedure complete.

    DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
    DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
    SUCH KILLED PHONES CAN BE REPAIRED WITH RESURRECTION CABLES.


    possible problems:

    problem:
    you getting "Can't get ROOT rights", "err: 00000005","err: 00000002" during process

    solution:
    disable antivirus, especially if you using "kaspersky antivirus", i recommend Doctor Web
    do NOT run setool2 from restricted accounts.
    do NOT run setool2 from read-only media.

    problem:
    it can happen ( very unlikely, though ) that ADB server will not recognize phone after reboot

    solution:
    IF phone not detecting automatically and on status bar you can see "waiting for phone...", again - only in that case - disconnect phone from usb and connect it again, procedure should continue.

    if not, well, repeat from start.


    q:
    how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

    a:
    Here is procedure.

    FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD

    1.
    prepare for testpoint operation.
    check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
    open testpoints for access
    if you do not have GPG cable set, get some needle with wire, connect it to phone GND ( battery minus ) or to USB cable shield, etc.

    Notice, that most of UART "boxes" for sony ericsson phones have 2 UARTs : DTMS/DFMS and CTMS/CFMS ( TX/RX ) on RJ45 connector.
    you need to connect DTMS, noted on schematics, to TX ( CTMS ) pin on RJ45 connector, DFMS from schematics to CFMS ( RX ) pin on RJ45.


    2.
    select proper phone model.
    select COM as interface.
    on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
    fill login/password and check if account valid.

    press unlock

    when prompted, execute steps in EXACT order:

    1. remove cable from phone,
    2. remove battery from phone,
    3. attach testpoint ( turn on switch on cable set )
    4. insert cable to phone, HOLDING TESTPOINT ( cable set switch in "on" position )
    5. press "ready"
    6. when prompted detach testpoint
    7. press "ready"
    8. install drivers from dist\drivers\USBFlash_driver\ ( if asked )


    إن شاء الله phone will be unlocked.

    q:
    how to unlock s1 android based phones, based on qsd8x55, using alternative security bypass using testpoint?

    a:
    Here is procedure.

    1.
    prepare for testpoint operation.
    check testpoint location for your phone model in dist\docs\
    open testpoint for access
    get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.

    2.
    select proper phone model.
    select USB as interface.
    on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
    fill login/password and check if account valid.

    press unlock

    when prompted, execute steps in EXACT order:

    1. remove cable from phone,
    2. remove battery from phone,
    3. attach testpoint
    4. press "ready"
    5. insert cable to phone, HOLDING TESTPOINT
    6. install drivers from dist\drivers\USBFlash_driver\
      make sure that driver for qhusb_dload ( device, which will appear after successful testpoint ) is installed from dist\drivers\usbflash_drivers and named "ZEUS Flash Device".
      Install driver manually, if testpoint driver named otherwise.
    7. when prompted detach testpoint
    8. press "ready"


    إن شاء الله phone will be unlocked.


  9. #9
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    q:
    my semc 8x55-based smartphone can't be detected by PC or detecting as "QHUSB_DLOAD".
    my semc 7227-based smartphone can't be detected by PC.
    my semc 8250-based smartphone can't be detected by PC.

    a:
    at least semc boot damaged

    step I.

    for 8x55-based phones select USB as interface, then

    1. pda tab, select corresponding phone model
    2. options tab, check : signed mode, alternative security bypass
    3. pda tab, press "recovery"

    for 7227,8250-based phones select COM as interface, then

    1. pda tab, select corresponding phone model
    2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
    3. pda tab, press "recovery"

    important notice:
    for msm7227 phones, insert battery in phone after you attached testpoint.
    for x10 phone connect RED dot to GND permanently during entire testpoint procedure



    if you get next output
    Code:
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    and do not have trim area backup, thats bad, but you still can fix phone : check next post

    step II.

    1. pda tab, select corresponding model
    2. options tab, check : signed mode
    3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
    4. press "flash"

    q:
    during second stage of testpoint unlock procedure i made testpoint wrong/disconnect phone/etc - my phone dead, but i have security units backup.


    a:
    that can be fixed easy enough.

    step I.

    for 8x55-based phones select USB as interface, then

    1. pda tab, select corresponding phone model
    2. options tab, check : signed mode, alternative security bypass
    3. pda tab, press "recovery"

    for 7227,8250-based phones select COM as interface, then

    1. pda tab, select corresponding phone model
    2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
    3. pda tab, press "recovery"

    if you will get output like
    Code:
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    then and only then perform next step, otherwise skip to step IV
    step II.

    1. pda tab, select corresponding model
    2. options tab, check : signed mode, alternative security bypass, format gdfs during write

    for 7227,8250-based phones select COM as interface and
    2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write

    3. pda tab, select trim area package files for your phone model ( DO NOT UNPACK, DO NOT UNZIP, DO NOT TOUCH IT IN ANY WAY ) in misc. edit
    4. press "write gdfs"

    step III.

    1. pda tab, select corresponding model
    2. options tab, check : signed mode, alternative security bypass

    for 7227,8250-based phones select COM as interface and
    2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write

    3. pda tab, select YOUR BACKUP SCRIPT
    4. press "write script"

    step IV.

    1. pda tab, select corresponding model
    2. options tab, check : signed mode
    3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
    4. press "flash"


  10. #10
    Administrator
    Join Date
    Feb 2010
    Posts
    18,785

    Default

    q:
    how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

    a:
    Here is procedure.

    okay, here is example how to resurrect totally dead x10 phone.
    so, we have x10 phone with totally erased semcboot and trim area.
    phone does not turn on, does not connect to pc anyhow.

    lets resurrect it.

    run setool2, select x10 as model, select com port as interface
    ( one where GPG resurrection cables connected )

    1.
    on options set signed mode,altbypass mode, use testpoint (gnd type)

    2.
    connect GPG x10 resurrection craddle to phone, press RECOVERY
    follow program instructions.

    important notice:
    for msm7227 phones, insert battery in phone after you attached testpoint.
    for x10 phone connect RED dot to GND permanently during all testpoint procedure


    btw, as phone has erased semcboot, you do not need apply testpoint that time.
    however, that is very special case, so for simplicity lets apply testpoint all time.

    here is operation output:

    Code:
    SIGNED MODE (USING SERVER)
    ALTERNATIVE SECURITY BYPASS ENABLED
    CFG:110010000010
     
    DETACH USB CABLE FROM PHONE
    REMOVE BATTERY FROM PHONE
    ATTACH TESTPOINT
    ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
     
    PROCESSING ...
    REMOVE TESTPOINT NOW, THEN PRESS "READY"
     
    RUNNING S1_LOADER VER "R4A024"
    SWITCHING TO "USB" ...
    PLEASE ATTACH TURNED OFF PHONE NOW
     
    RUNNING S1_LOADER VER "R4A024"
    LOADER AID: 0001
    FLASH ID: "002C/00B3"
    LOADER VERSION: "r4A024"
     
     
    WRITING SEMCBOOT ...
    Checking TA ...
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
    Writing config ...
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    Formatting ...
    Checking MISC TA ...
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    Writing config ...
    MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
    Formatting ...
    SUCCESS

    now we recovered semcboot and prepared trim area for loading.
    if phone only had erased semcboot, it will already work after that step.
    but our phone TOTALLY damaged, so lets proceed with second step:

    we need now load trim area.
    Please skip this step, if your phone do not have damaged trim area ( errors like: "TA_invalid,_format_may_be_required" )

    options are same for step1 + "format gdfs when writing" checked,
    select x10.zip in misc.edit and press "write gdfs".
    ( any trim area, read from corresponding model live phone will work )
    follow program instructions.

    here is operation output:

    Code:
    SIGNED MODE (USING SERVER)
    ALTERNATIVE SECURITY BYPASS ENABLED
    CFG:110010000110
    Will write GDFS now.
     
    DETACH USB CABLE FROM PHONE
    REMOVE BATTERY FROM PHONE
    ATTACH TESTPOINT
    ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
     
    PROCESSING ...
    REMOVE TESTPOINT NOW, THEN PRESS "READY"
     
    RUNNING S1_LOADER VER "R4A024"
    SWITCHING TO "USB" ...
    PLEASE ATTACH TURNED OFF PHONE NOW
     
    RUNNING S1_LOADER VER "R4A024"
    LOADER AID: 0001
    FLASH ID: "002C/00B3"
    LOADER VERSION: "r4A024"
     
    Can't get IMEI
    will write 1010 units
    done
    will write 53 units
    done
    Phone detached
    Elapsed: 23 secs.
    finally, we need rebuild imei and security zone.
    for that, check same options as for step1 + "do full unlock instead of usercode reset","allow to change imei when unlocking" checked,
    press "unlock/repair", follow program instructions

    here is operation output:

    Code:
     
    THAT ACTION IS ILLEGAL,IF YOU DOING IT
    FOR ANY PURPOSE, OTHER THAN REPAIR PHONE
     
    SIGNED MODE (USING SERVER)
    ALTERNATIVE SECURITY BYPASS ENABLED
    CFG:110010010010
     
    DETACH USB CABLE FROM PHONE
    REMOVE BATTERY FROM PHONE
    ATTACH TESTPOINT
    ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
     
    PROCESSING ...
    REMOVE TESTPOINT NOW, THEN PRESS "READY"
     
    RUNNING S1_LOADER VER "R4A024"
    SWITCHING TO "USB" ...
    PLEASE ATTACH TURNED OFF PHONE NOW
     
    RUNNING S1_LOADER VER "R4A024"
    LOADER AID: 0001
    FLASH ID: "002C/00B3"
    LOADER VERSION: "r4A024"
     
    Can't get IMEI
    REQUESTED : 359419030xxxxx
    Checking for HWConfig ...
    Waiting for calculation process ...
    RESPONSE: "SUCCESS" [826]
    Checking for signature ...
    signature found, skipping calculation
    WRITING SEMCBOOT ...
    WRITING HWCONFIG ...
    Unlock DONE
    Elapsed: 20 secs.
    from now on, phone is full repaired, testpoint cradle not needed.
    reflash phone with any suitable firmware.

    q:
    how to repair totally damaged s1 android phones, based on qsd8x55, using alternative security bypass using testpoint?

    a:
    operation is very same, just select usb as interface and do not check "use testpoint (gnd type)"


Similar Threads

  1. HOW TO WORK WITH A2-BASED PHONES
    By the_laser in forum F.A.Q.
    Replies: 6
    Last Post: 04-27-2012, 05:11 PM
  2. HOW TO WORK WITH SEMC ODM PHONES
    By the_laser in forum F.A.Q.
    Replies: 7
    Last Post: 03-25-2011, 05:03 PM
  3. HOW TO WORK WITH A1-BASED PHONES
    By the_laser in forum F.A.Q.
    Replies: 5
    Last Post: 02-06-2010, 09:04 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •