XDA Developers Android and Mobile Development Forum

[NEWS]UNLOCK BOOTLOADER for 11w29 +

B.Jay Old
#41  
Quote:
Originally Posted by vislavskid View Post
I will try to buy credits via alertpay, the price is 15 euro, to see if it is working unlocking bootloader via wotanserver unlocking tool.

Sent from my X8 using XDA App

---------- Post added at 04:13 PM ---------- Previous post was at 04:08 PM ----------

Only paypal
Too bad.

Anyway, if you somehow do it and you get the info/picture about how the UART testpins cabling is being done please (with icing and cherry on top) post (or PM me, in case you don't want to make it public) that bit of intel - might save me some trouble in doing wild guesses on the pins.

At the moment I'm in no real hurry as the Arduino MEGA will not arrive until Wednesday/Thursday this coming week - though I already fetched the programmer manual and started to study about how to write a program for the Arduino (looks incredibly simple).
 
vislavskid
#42
If i try i will pm you, only problem is that paypal, because i use alertpay
 
baiclark
(Last edited by baiclark; 27th February 2012 at 08:52 AM.)
#43
these pins drive me crazy..haha..anyway i downloaded the s1tool found in this link

until now, i can't find the correct pin to ground..


EDIT: i'm just confused because for the 2011 devices, they only need to tap one testpin..but for x8, there is no clear testpin to tap to GND...instead, they placed the numbers 4,5,6,7,8..does this mean we have to tap those? hew
 
baiclark
#44
hew...a little more!

this is from the_laser himself..

he said in this page:


q:
how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD

1.
prepare for testpoint operation.
check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
open testpoints for access

if you do not have GPG cable set, get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.

2.
select proper phone model.
select COM as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:
remove cable from phone,
remove battery from phone,
attach testpoint ( turn on switch on cable set )
insert cable to phone, HOLDING TESTPOINT ( cable set switch in "on" position )
press "ready"
when prompted detach testpoint
press "ready"
install drivers from dist\drivers\USBFlash_driver\ ( if asked )

phone will be unlocked.



ON THE OTHER HAND, on the same page, there was a TUTORIAL for repairing msm7227 BRICKED phones..


here you go


q:
how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

okay, here is example how to resurrect totally dead x10 phone.
so, we have x10 phone with totally erased semcboot and trim area.
phone does not turn on, does not connect to pc anyhow.

lets resurrect it.

run setool2, select x10 as model, select com port as interface
( one where GPG resurrection cables connected )

1.
on options set signed mode,altbypass mode, use testpoint (gnd type)

2.
connect GPG x10 resurrection cradle to phone, press RECOVERY
follow program instructions.

important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.


btw, as phone has erased semcboot, you do not need apply testpoint that time.
however, that is very special case, so for simplicity lets apply testpoint all time.

here is operation output:

Code:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000010

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"


WRITING SEMCBOOT ...
Checking TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
Checking MISC TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
SUCCESS


now we recovered semcboot and prepared trim area for loading.
if phone only had erased semcboot, it will already work after that step.
but our phone TOTALLY damaged, so lets proceed with second step:

we need now load trim area.

options are same for step1 + "format gdfs when writing" checked,
select x10.zip in misc.edit and press "write gdfs".
( any trim area, read from corresponding model live phone will work )
follow program instructions.

here is operation output:

Code:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000110
Will write GDFS now.

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"

Can't get IMEI
will write 1010 units
done
will write 53 units
done
Phone detached
Elapsed: 23 secs.


finally, we need rebuild imei and security zone.
for that, check same options as for step1 + "do full unlock instead of usercode reset","allow to change imei when unlocking" checked,
press "unlock/repair", follow program instructions

here is operation output:

Code:

THAT ACTION IS ILLEGAL,IF YOU DOING IT
FOR ANY PURPOSE, OTHER THAN REPAIR PHONE

SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010010010

DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"

PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"

RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW

RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"

Can't get IMEI
REQUESTED : 359419030xxxxx
Checking for HWConfig ...
Waiting for calculation process ...
RESPONSE: "SUCCESS" [826]
Checking for signature ...
signature found, skipping calculation
WRITING SEMCBOOT ...
WRITING HWCONFIG ...
Unlock DONE
Elapsed: 20 secs.


from now on, phone is full repaired, testpoint cradle not needed.
reflash phone with any suitable firmware.


now my only question is...based on this statement, "check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set, open testpoints for access", which is highlighted as purple....where can we find this one? where is the dist\docs\s1_qualcomm_uart_cables?

if we find this, then we will be able to revive our dead x8 phones..

kind regards,
baiclark
 
wilbso
#45
Quote:
Originally Posted by B.Jay View Post
Too bad.

Anyway, if you somehow do it and you get the info/picture about how the UART testpins cabling is being done please (with icing and cherry on top) post (or PM me, in case you don't want to make it public) that bit of intel - might save me some trouble in doing wild guesses on the pins.

At the moment I'm in no real hurry as the Arduino MEGA will not arrive until Wednesday/Thursday this coming week - though I already fetched the programmer manual and started to study about how to write a program for the Arduino (looks incredibly simple).
LOL, in any way can help? i doubt so but it will give me something to do
Quote:
Originally Posted by baiclark View Post
now my only question is...based on this statement, "check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set, open testpoints for access", which is highlighted as purple....where can we find this one? where is the dist\docs\s1_qualcomm_uart_cables?

if we find this, then we will be able to revive our dead x8 phones..

kind regards,
baiclark
well, obviously we will have to look into the system, but it's not even visible there last time i checked.
 
8cpaiw
#46
so can i unbrick my phone with that method???

---------- Post added at 11:24 AM ---------- Previous post was at 10:56 AM ----------

When will I be able to download setool2?
B.Jay Old
(Last edited by B.Jay; 28th February 2012 at 04:40 PM.)
#47  
Quote:
Originally Posted by baiclark View Post
these pins drive me crazy..haha..anyway i downloaded the s1tool found in this link

until now, i cant find the correct pin to ground..


EDIT: im just confused because for the 2011 devices, they only need to tap one testpin..but for x8, there is no clear testpin to tap to GND...instead, they placed the numbers 4,5,6,7,8..does this mean we have to tap those?hew
Congrats, you already figured out that the link you posted above is for the 2011 line Xperia devices, not the 2010 X8/W8/X10mini(Pro)...

To crack down on the testpins on the W/X8: remove the battery, remove the huge white sticker below the battery glued onto the PCB. At the top/right there's an area of 8 pins - that's the SEPORT Testpins Matrix.

I already documented how pins 4-8 are connected by following their routing in the Schematics Manual.

While I can see that there's something going on at the pins on my Oscilloscope I yet have to probe the pins to see what I can get from there.

Like I wrote - I ordered an Arduino MEGA (which should arrive tomorrow or on thursday) to have a programmable I/O device to try and read the pins.

Going by the plain pinout I lack the idea if there's a need to pull one of the pins to ground (to enable the ALT_BYPASS - much like the USB Jig with the Sammy devices, but in our case the X8 doesn't care about Jig's - or in other words: to set the CPU into UART mode hence enabling UART comm on the testpins) or which of these pins may act as a UART at what I/O speeds.

Looking at what has been documented about the X10 testpins it actually requires a cable connection plus a switch to short two pins (seems that switch is what triggers the ALT_BYPASS).

Also, s1tool isn't able to do the "hard brick recovery" - in best case s1tool may be able to unlock the boot loader by ALT_BYPASS (that, however, first needs to be confirmed AFTER we worked out how we can possibly make a UART connection to the testpins matrix).

Quote:
Originally Posted by baiclark View Post
now my only question is...based on this statement, "check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set, open testpoints for access", which is highlighted as purple....where can we find this one? where is the dist\docs\s1_qualcomm_uart_cables?

if we find this, then we will be able to revive our dead x8 phones..
Since no one can provide that bit of intel (physical connection to the testpins) that's why we need to try to work it out ourselves. I read the line you quoted in magenta myself in the past, but there's no download I could find including that directory/file (which would be incredibly helpful as that may reveal how the Qualcomm cables are routed to the SEPORT).

The only new info I found in your post is that it seems possible to maybe work out a home-brew hard unbrick method if there's a way to flash the ROM through the UART (in which case the I/O speed must be rather high, because it would take eternally long to transfer ~250MB of ROM data at low comm rates).
 
beastfren
#48
i have 11w34 x8, but i still manage to unlock my bootloader.

now using SDE 1.0 + naa kernel
 
baiclark
#49
Quote:
Originally Posted by B.Jay View Post
Congrats, you already figured out that the link you posted above is for the 2011 line Xperia devices, not the 2010 X8/W8/X10mini(Pro).
yeah i know it's for 2011..what i think is that, s1tool supports and detects x8, so i think it's also possible to try this method..with the idea of the testpins that is..

anyways, sorry for giving you a headache B.jay... because of my threads, a lot of people ask you nonsense things..i just feel like sharing what i have for future references...my apologies..
B.Jay Old
#50  
Quote:
Originally Posted by baiclark View Post
anyways, sorry for giving you a headache B.jay... because of my threads, a lot of people asks you nonsense things..i just feel like sharing what i have for future references...my apologies..
Well, the last drop in the bucket was a certain some (I'm not going to name here) who just recently hard bricked his phone because he chose to simply not listen to me, the hard brick warning thread, and every other hard brick warning that's around, but has nothing better to do than to bug me by PM about how this resurrection can be done (as if I would know - I didn't hard brick my X8, I actually need it as a research device).

What blows me off my chair here is the total unwillingness of some people (*points finger to the ones who PM me about whatever they did wrong*) to do some research of their own but simply resort to PM in case they can't find their "fix" within seconds. Everything they possibly need to know about the thing you posted can be found by searching on Google, and I'm pretty sure setool.net is pretty hard to miss if they can come up with a somewhat intelligent search query.

Anyway - I posted my rant in the General board already and will ignore help requests by PM from now on ... it's not worth the trouble.
