This may be the firmware we are looking for, but he says he TRIED flashing which gives him qualcomm, for HW rev. 2.3, and we are already on 2.4.
so i tried to get this working, but cannot get the driver for it
You didn't try the driver I had posted earlier in this thread, did you? For me QPST is working fine on Windows 7 both with Lumia 710 and 800.
It's just the firmware for the country code for my phone from navifirm+, I'll try to set up a link later, so you can play around. I do think there is a "bug" with my phone though, as it won't short vibrate when I press vol up + power (tried it on my gf's lumia 800, that has 2.3 and 12070 and it immediately made the short vibrate and went black screen, I didn't have a pc to test if it went into qualcomm or nokia dload though - but I assume it went into qualcomm, since it's one of the first batches and was never ncs flashed).
Edit: here is the link http://dl.dropbox.com/u/24268926/059L7F7.7z
Hey guys, can't you make an .exe for windows, so we can easily root our windows phones? Regards.
So, I tried reconstructing the SplashScreen.dll and other GFX driver files (from XIP), but either I miss something or I just absolutely suck at using OSBuilder.
Must be useful for getting the right memory addresses and GPIOs for LK.
Could someone tell me how to get this done?
Attached:
ULZ files.zip:
* FFU update with updateWP, failing when checking the file after it has erased the OS & data partitions
* Nokia OSBL firmware update (the recovery) after having erased the flash.
And updatewp's own log, it's in Spanish (native language) but easy enough to read (or use translate.google.com)
Those .ulz files are opened with USBlyzer. They have a fully functional trial version. Sorry for using proprietary software but it was the only fully working solution I found that worked (and don't want to be messing around passing all this through ethernet to sniff it with linux wireshark): http://www.usblyzer.com/
Hi biktor_gj,
I tried to open your usb-sniffs, but it fails, because my usblyzer is ver 2.0 Build 25 and reports that your files are an older, unsupported version. Which one do you use?
BTW: Did not have the chance (and time) to sniff the second part after reboot yet. There is a difficulty in managing the device change when the nokia boots into the service mode. USBLyzer doesn't care about the newly created device and I'm not fast enough to change it to sniff that device, so I did not get the first handshake packets, which are so important to get (possibly) the cert and private key that decrypt the mtpz-session.
Regards
BTW2: Have a crazy thought: What if the encryption of the snapshot made by zune before update is only the encryption done by mtpz, nothing more? Then it should be as simple as finding the encryption scheme and parameters of that encryption process to decrypt such a backup to the original data stream and store it into an imgfs-partition. If further a tool exists that can extract files from that imgfs-partition and rebuild it after changing something (something like OSbuilder, enhanced with a feature to extract and rebuild the "user"-part of dumps), you should be able to change any file in that backup which does not have a signature. The (offline in backup) stored registry-files shouldn't have a signature, because the registry is dynamically merged from different parts at runtime, and changes with any newly installed app. So interop unlock could be possible and also the restore of all settings, apps, mails, sms ... all in one. What a dream!
Hey, I used version 1.6 which is what I had at hand at the time... anyway I think one of the files is corrupt, so I have to find some time to redo the whole mess on the locked lumia. I'll send you a new file as soon as I find time to do it.
About the backup... If you're doing it with Zune putting the phone in offline mode before doing the backup you'll have a hard time catching those packets. It's easier if you just put it in uLDR mode (camera+power), then connect to the PC, start capturing, and then run updateWP.exe to do the backup for you... What I don't know if it will require to flash a FFU afterwards (since I'm only playing with this I never had anything to save from any phone )
The problem with the backup is it is just from the userstore, so if some registry keys are read only... they won't be overwritten when flashing back, unless, maybe, if storage write protect is disabled in wmstore driver, which can't be touched unless you have full unlock... but worth a try anyway
Are you sure the backup is only userstore? I think I once restored a device and my developer unlock was back with the restore. Also it restores your OS and FW; is this included in the userstore?
ROM:0003D074 ; ---------------------------------------------------------------------------
ROM:0003D074
ROM:0003D074 loc_3D074 ; CODE XREF: ROM:0003D050j
ROM:0003D074 MOV R3, #0
ROM:0003D078 MOV R2, #1
ROM:0003D07C MOV R1, #3
ROM:0003D080 STMFA SP, {R0-R3}
ROM:0003D084 MOV R0, LR
ROM:0003D088 MOV R2, R5
ROM:0003D08C MOV R1, R12
ROM:0003D090 MOV R3, R6
ROM:0003D094 STR R7, [SP]
ROM:0003D098 BL sub_66918
ROM:0003D09C CMP R0, #1
ROM:0003D0A0 MOVEQ R0, #0
ROM:0003D0A4 BEQ loc_3D0B8
ROM:0003D0A8 ADR R1, aCcirsassapss_0 ; "CciRsaSsaPssSign - RSA_SIGN returned an"...
ROM:0003D0AC MOV R0, R4
ROM:0003D0B0 BLX sub_787AC
ROM:0003D0B4
ROM:0003D0B4 loc_3D0B4 ; CODE XREF: ROM:0003D044j
ROM:0003D0B4 ; ROM:0003D060j ...
ROM:0003D0B4 MOV R0, #0x20 ; ' '
ROM:0003D0B8
ROM:0003D0B8 loc_3D0B8 ; CODE XREF: ROM:0003D0A4j
ROM:0003D0B8 ADD SP, SP, #0x14
ROM:0003D0BC LDMFD SP!, {R4-R7,PC}
ROM:0003D0C0
Sure? not at all, but the last backup I did occupied like 30 mb and the OS is 400Mb. Maybe the modified registry keys are saved too and that's why you got developer unlock back? No idea really...
My backups are always 6,5 GB of data, my phone had 5 GB free memory so there seems to be a difference to the whole partition size of 15 GB, unless the backed-up data are compressed and encrypted.
And I have now managed the complete sniff. In capture settings one can activate the capture of hotplugged devices, so the complete process from starting the backup with WP7easybackup, boot recycle and starting the backup process is sniffed. This is the good news, the bad is: Obviously the protocol for making the backup is mtpz, the way of encryption is another than described here. No certificates are involved. So the question: Is someone of you able to analyze the mtp(z) protocol from my usb capture? I'd pm those files, because the sniffs contain UIDs of the phone.
Regards
0x1000: "PTP_OPCODE_UNDEFINED"
0x1001: "PTP_OPCODE_GETDEVICEINFO"
0x1002: "PTP_OPCODE_OPENSESSION"
0x1003: "PTP_OPCODE_CLOSESESSION"
0x1004: "PTP_OPCODE_GETSTORAGEIDS"
0x1005: "PTP_OPCODE_GETSTORAGEINFO"
0x1006: "PTP_OPCODE_GETNUMOBJECTS"
0x1007: "PTP_OPCODE_GETOBJECTHANDLES"
0x1008: "PTP_OPCODE_GETOBJECTINFO"
0x1009: "PTP_OPCODE_GETOBJECT"
0x100A: "PTP_OPCODE_GETTHUMB"
0x100B: "PTP_OPCODE_DELETEOBJECT"
0x100C: "PTP_OPCODE_SENDOBJECTINFO"
0x100D: "PTP_OPCODE_SENDOBJECT"
0x100E: "PTP_OPCODE_INITIATECAPTURE"
0x100F: "PTP_OPCODE_FORMATSTORE"
0x1010: "PTP_OPCODE_RESETDEVICE"
0x1011: "PTP_OPCODE_SELFTEST"
0x1012: "PTP_OPCODE_SETOBJECTPROTECTION"
0x1013: "PTP_OPCODE_POWERDOWN"
0x1014: "PTP_OPCODE_GETDEVICEPROPDESC"
0x1015: "PTP_OPCODE_GETDEVICEPROPVALUE"
0x1016: "PTP_OPCODE_SETDEVICEPROPVALUE"
0x1017: "PTP_OPCODE_RESETDEVICEPROPVALUE"
0x1018: "PTP_OPCODE_TERMINATECAPTURE"
0x1019: "PTP_OPCODE_MOVEOBJECT"
0x101A: "PTP_OPCODE_COPYOBJECT"
0x101B: "PTP_OPCODE_GETPARTIALOBJECT"
0x101C: "PTP_OPCODE_INITIATEOPENCAPTURE"
0x6101: "LUAP_OPCODE_OPENCONNECTION"
0x6102: "LUAP_OPCODE_CLOSECONNECTION"
0x6103: "LUAP_OPCODE_SENDBUFFER"
0x6104: "LUAP_OPCODE_RECEIVEBUFFER"
0x6105: "WATSON_OPCODE_RECEIVEFILE"
0x6106: "WATSON_OPCODE_CLEARDUMPS"
0x6107: "MTPZ_OPCODE_SEND_DEVICE_DATABASE"
0x6107: "MTPZ_OPCODE_SEND_DEVICE_DB"
0x6108: "POWER_OPCODE_GETGASGAUGEINFO"
0x6109: "TEST_SENDFILE_OPCODE_SENDFILEPATH"
0x610A: "TEST_SENDFILE_OPCODE_SENDFILEOBJECT"
0x610B: "TEST_SENDFILE_OPCODE_RECVFILEOBJECT"
0x9101: "JAN_OPCODE_GETSECURETIMECHALLENGE"
0x9102: "JAN_OPCODE_SETSECURETIMERESPONSE"
0x9103: "JAN_OPCODE_SETLICENSERESPONSE"
0x9104: "JAN_OPCODE_GETSYNCLIST"
0x9105: "JAN_OPCODE_SENDMETERCHALLENGEQUERY"
0x9106: "JAN_OPCODE_GETMETERCHALLENGE"
0x9107: "JAN_OPCODE_SETMETERRESPONSE"
0x9108: "JAN_OPCODE_CLEANDATASTORE"
0x9109: "JAN_OPCODE_GETLICENSESTATE"
0x910A: "JAN_OPCODE_SENDJANUSCOMMAND"
0x910B: "JAN_OPCODE_SENDJANUSREQUEST"
0x9170: "MTP_OPCODE_AAVT_OPENMEDIASESSION"
0x9171: "MTP_OPCODE_AAVT_CLOSEMEDIASESSION"
0x9172: "MTP_OPCODE_AAVT_GETNEXTDATABLOCK"
0x9173: "MTP_OPCODE_AAVT_SETCURRENTTIMEPOSITION"
0x9180: "MTP_OPCODE_WMDRMND_SENDREGISTRATIONREQUEST"
0x9181: "MTP_OPCODE_WMDRMND_GETREGISTRATIONRESPONSE"
0x9182: "MTP_OPCODE_WMDRMND_GETPROXIMITYCHALLENGE"
0x9183: "MTP_OPCODE_WMDRMND_SENDPROXIMITYRESPONSE"
0x9184: "MTP_OPCODE_WMDRMND_SENDWMDRMNDLICENSEREQUEST"
0x9185: "MTP_OPCODE_WMDRMND_GETWMDRMNDLICENSERESPONSE"
0x9201: "WMP_OPCODE_GETMODIFIEDPUIDS"
0x9202: "WMP_OPCODE_GETACQUIREDCONTENT"
0x9204: "WMP_OPCODE_COMMITFIRMWARE"
0x9212: "ARGO_OPCODE_SETHANDSHAKECHALLENGE"
0x9213: "ARGO_OPCODE_GETHANDSHAKERESPONSE"
0x9214: "ARGO_OPCODE_STARTSYNC"
0x9215: "ARGO_OPCODE_STOPSYNC"
0x9216: "ARGO_OPCODE_RESETHANDSHAKE"
0x9217: "MTPZ_OPCODE_RETRIEVEDEVICEDATABASE"
0x9218: "MTPZ_OPCODE_GETMODIFIEDITEMS"
0x9219: "MTPZ_OPCODE_GETACQUIREDITEMS"
0x921A: "MTP_OPCODE_AUTO_OPENMEDIASESSION"
0x921B: "MTP_OPCODE_AUTO_CLOSEMEDIASESSION"
0x921C: "MTP_OPCODE_AUTO_GETNEXTDATABLOCK"
0x921D: "MTP_OPCODE_AUTO_SETCURRENTTIMEPOSITION"
0x9220: "XNA_OPCODE_OPENCONNECTION"
0x9221: "XNA_OPCODE_CLOSECONNECTION"
0x9222: "XNA_OPCODE_SENDBUFFER"
0x9223: "XNA_OPCODE_RECEIVEBUFFER"
0x9224: "MTPZ_OPCODE_GET_WLAN_NIC_CAPABILITY"
0x9225: "MTPZ_OPCODE_GET_WLAN_NETWORK_LIST"
0x9226: "MTPZ_OPCODE_GET_WLAN_PROFILE_LIST"
0x9227: "MTPZ_OPCODE_SET_WLAN_PROFILE_LIST"
0x9228: "MTPZ_OPCODE_TEST_WLAN_CONFIGURATION"
0x9229: "MTPZ_OPCODE_RESET_TO_FACTORY_DEFAULTS"
0x922A: "MTPZ_OPCODE_SET_SYNC_PROGRESS"
0x922B: "MTPZ_OPCODE_PASSTHROUGH_CONTROL"
0x922C: "MTPZ_OPCODE_PASSTHROUGH_SEND_DATA"
0x922D: "MTPZ_OPCODE_PASSTHROUGH_RECEIVE_DATA"
0x922E: "MTPZ_OPCODE_MARKETPLACE_SET_CREDENTIALS"
0x922F: "MTPZ_OPCODE_GET_CLOUD_SYNC_PROGRESS"
0x9230: "MTPZ_OPCODE_CLOUD_SYNC_CONTROL"
0x9231: "MTPZ_OPCODE_SET_PROXY_INFO"
0x9232: "MTPZ_OPCODE_REPLACEOBJECT"
0x9233: "MTPZ_OPCODE_TEST_WLAN_SYNC_CONNECTION"
0x9234: "MTPZ_OPCODE_GET_DEVICE_ASSETS"
0x9240: "MANUF_OPCODE_CREATEKEYVAULT"
0x9242: "MANUF_OPCODE_BLOWFUSES"
0x9243: "MANUF_OPCODE_SETMODELID"
0x9300: "DU_OPCODE_GETASYNCOPSTATUS"
0x9301: "DU_OPCODE_CANCELASYNCOP"
0x9302: "DU_OPCODE_STARTUPDATESCAN"
0x9303: "DU_OPCODE_GETUPDATESCANRESULTS"
0x9304: "DU_OPCODE_PREINSTALLCLEANUP"
0x9305: "DU_OPCODE_STARTMAINOSPREINSTALLACTIONS"
0x9306: "DU_OPCODE_REBOOT"
0x9307: "DU_OPCODE_STARTPREBACKUPACTIONS"
0x9308: "DU_OPCODE_STARTPRERESTOREACTIONS"
0x9309: "DU_OPCODE_STARTULDRPREINSTALLACTIONS"
0x930A: "DU_OPCODE_STARTIUINSTALL"
0x930B: "DU_OPCODE_GETINSTALLRESULTS"
0x930C: "DU_OPCODE_REPORTDOWNLOADSTATUS"
0x930D: "DU_OPCODE_SETLOGGING"
0x930E: "DU_OPCODE_GETDEVICEUPDATELOG"
0x930F: "DU_OPCODE_GETDUOBJECTINFO"
0x9310: "DU_OPCODE_GETDUOBJECT"
0x9311: "DU_OPCODE_SENDDUOBJECTINFO"
0x9312: "DU_OPCODE_GETERRORLOG"
0x9313: "DU_OPCODE_PLUGIN_SYNC_GET"
0x9314: "DU_OPCODE_PLUGIN_SYNC_SET"
0x9315: "DU_OPCODE_SENDDUOBJECT"
0x9316: "DU_OPCODE_STARTPOSTBACKUPACTIONS"
0x9317: "DU_OPCODE_STARTPOSTRESTOREACTIONS"
0x9350: "MTPZ_OPCODE_SENDCSPQUERY"
0x9351: "MTPZ_OPCODE_GETCSPRESPONSE"
0x9360: "MTPZ_OPCODE_MOBILE_PSEUDOHANDSHAKE"
0x9361: "MTPZ_OPCODE_MOBILE_STARTSYNC"
0x9362: "MTPZ_OPCODE_MOBILE_STOPSYNC"
0x9363: "MTPZ_OPCODE_MOBILE_PSEUDOHANDSHAKERESET"
0x9364: "MTPZ_OPCODE_FORCE_APP_UPDATE"
0x9365: "MTPZ_OPCODE_ASYNC_FORMATSTORE"
0x9366: "MTPZ_OPCODE_ASYNC_FORMATSTORE_GETSTATUS"
0x9401: "MTPZ_OPCODE_PMX_MARKSPACE_GETCHALLENGE"
0x9402: "MTPZ_OPCODE_PMX_MARKSPACE_SETCHALLENGE"
0x9801: "MTP_OPCODE_GETOBJECTPROPSSUPPORTED"
0x9802: "MTP_OPCODE_GETOBJECTPROPDESC"
0x9803: "MTP_OPCODE_GETOBJECTPROPVALUE"
0x9804: "MTP_OPCODE_SETOBJECTPROPVALUE"
0x9805: "MTP_OPCODE_GETOBJECTPROPLIST"
0x9806: "MTP_OPCODE_SETOBJECTPROPLIST"
0x9807: "MTP_OPCODE_GETINTERDEPENDENTPROPDESC"
0x9808: "MTP_OPCODE_SENDOBJECTPROPLIST"
0x9810: "MTP_OPCODE_GETOBJECTREFERENCES"
0x9811: "MTP_OPCODE_SETOBJECTREFERENCES"
0x9888: "TEST_OPCODE_DELAYEDRESPONSE"
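Added example, not part of any post in this thread: one way to turn a reassembled USB bulk capture into a readable command trace using the opcode table above. The 12-byte container header is the standard PTP-over-USB layout; the `container` helper and the sample bytes are constructed for illustration, and the code assumes the capture has already been exported as one contiguous byte stream.

```python
import struct

# Subset of the opcode table listed above (names as posted in the thread).
OPCODES = {
    0x1002: "PTP_OPCODE_OPENSESSION",
    0x1003: "PTP_OPCODE_CLOSESESSION",
    0x9307: "DU_OPCODE_STARTPREBACKUPACTIONS",
    0x930E: "DU_OPCODE_GETDEVICEUPDATELOG",
    0x9316: "DU_OPCODE_STARTPOSTBACKUPACTIONS",
}
# Container types of the standard PTP-over-USB transport (not from the thread).
TYPES = {1: "COMMAND", 2: "DATA", 3: "RESPONSE", 4: "EVENT"}
HEADER = struct.Struct("<IHHI")  # length, type, code, transaction id

def container(ctype, code, txid, payload=b""):
    """Build one container (used only for the constructed sample below)."""
    return HEADER.pack(HEADER.size + len(payload), ctype, code, txid) + payload

def parse_containers(stream: bytes):
    """Walk a reassembled bulk stream and return one dict per container."""
    out, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            raise ValueError(f"truncated header at offset {pos}")
        length, ctype, code, txid = HEADER.unpack_from(stream, pos)
        if length < HEADER.size or pos + length > len(stream):
            raise ValueError(f"bad container length {length} at offset {pos}")
        payload = stream[pos + HEADER.size:pos + length]
        entry = {"type": TYPES.get(ctype, f"UNKNOWN_{ctype}"), "code": code, "txid": txid}
        if ctype == 1:  # command: code is an opcode, payload holds u32 parameters
            entry["name"] = OPCODES.get(code, f"UNLISTED_0x{code:04X}")
            n = len(payload) // 4
            entry["params"] = list(struct.unpack(f"<{n}I", payload[:n * 4]))
        else:  # data/response/event: record only the payload size
            entry["payload_len"] = len(payload)
        out.append(entry)
        pos += length
    return out

# Constructed sample: OpenSession, its response, then a DU command with a data phase.
SAMPLE = (
    container(1, 0x1002, 0, struct.pack("<I", 1))
    + container(3, 0x2001, 0)  # 0x2001 is the PTP "OK" response code
    + container(1, 0x9307, 1)
    + container(2, 0x9307, 1, b"\x00" * 16)
    + container(3, 0x2001, 1)
)
```

Opcodes missing from the table come back as `UNLISTED_0x....`, which makes vendor commands that the list does not cover easy to spot in a trace.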
I don't know if its an issue with the 710 tango full unlock or just me,
but the field test app is not working. Hangs at "Loading..." after pressing ##643#
I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.
Ok L710 fully unlocked
Those 2 parts are wrong. I used to narod.ru
http://www.youtube.com/watch?v=-rQbFp7yasc