May 19th, 2008
With my new and revolutionary tool "FrankenKaiser" you can now finally jailbreak a Kaiser that is locked to the "Radio from Hell"
======================================================
DISCLAIMER: This method involves erasing the SPL and OS and requires correct data entry by the user. I will not take any responsibility for any malfunctions and/or damage caused by using this method and software.
======================================================
Pay attention: this method will only work on a Kaiser with radio version 1.65.17.10 (check your radio version on the boot splash screen!).
Note that you cannot use copy & paste in MTTY; you must type the commands exactly as written in the steps below. Where a step shows a command in quotes, type it without the quotes.
Note that for the entire procedure "Allow USB connections" must be unchecked in ActiveSync.
I have tested the method on my own Kaiser, which was security locked and had the original 1.65.17.10 installed. I'm on WinXP btw. GSLEON3 also successfully unbricked his Kaiser with FrankenKaiser, which had radio 1.64.08.21 installed. That should give you some confidence.
So read very carefully and follow these instructions:
0) Download and unzip the attached files into a single directory on your PC.
The archive contains everything needed to jailbreak or unbrick your device: MTTY 1.42, my FrankenKaiser program, the screenshots referenced in this readme, the drivers needed to talk to the radio bootloader ("Drivers MotoQ"), and two softload SPLs (SPL1.56-KAIS-unbricker.nb and sspl-0.92-jumpspl-force-usb.nb).
1) Enter the tricolor bootloader and make absolutely sure you have a HardSPL installed (either "olipof" or "1.1.JockyW"). If not, install a HardSPL first.
2) Connect with MTTY (USB) and type "rtask a" followed by Enter, then type "radata 90000000 1" followed by Enter (note that this is not echoed to the screen!). In some rare cases after "radata 90000000 1" you may see "HTCSUN 0[=(HTCE"; when that happens, type "radata A0000000 2000".
Close MTTY and replug the USB cable. If you haven't installed them yet, your PC will now prompt you for three drivers; do a manual install of the MotoQ drivers. After the drivers are installed, look them up in Device Manager and check which COM port is allocated to "Qualcomm diagnostics interface (COMxx)" => see screenshot "1. device manager search com.JPG" (on my PC it is COM4, but it may be any other port!).
If the driver is bound to COM10 or higher, reassign it to a port below COM10: in Device Manager right-click "Qualcomm diagnostics interface 6000 (COM18)", open Properties -> Port Settings -> Advanced -> COM Port Number and pick an unused number below COM10. If nothing below COM10 is free, disable a device that occupies one of those ports and take its number. Reboot your PC afterwards.
3) Remove and reinsert the battery, enter the tricolor bootloader, and connect with MTTY (USB).
Hit Enter and, when the Cmd> prompt is shown, type "task 2a" (this erases SPL, OS and Splash, what we used to call a "hard brick") => see screenshot "2. mtty-tricolor - task 2a.JPG"
After power cycling, the device boots into the radio bootloader, called oemsbl. Outwardly the phone looks dead and the display stays black, but it is still possible to connect with MTTY via the COM port found in step 2. In the steps below I refer to this as MTTY (COMn) => see screenshot "3. mtty-com-connect.JPG". Also note that you never have to redo steps 1-3.
4) Remove and reinsert the battery, switch on and connect with MTTY (COMn). Type "setboot"; if you are connected correctly the reply is "ARM9BootMode:0". If you see nothing, check in Device Manager that the drivers are loaded. Once you get the reply to "setboot", type "radata 90000000 1", which puts the phone into a special "dload mode". In some rare cases after "radata 90000000 1" you will see "HTCSUN 0[=(HTCE" and the phone will not switch to dload mode; when that happens type "radata A0000000 2000", after which nothing should be returned and the phone is in dload mode.
Again note that, as in step 2, nothing is echoed to the screen!!
Close MTTY.
5) Replug the USB cable!!
6) Run FrankenKaiser in a DOS box: FrankenKaiser-V1.9517.exe /dev/com9 SPL1.56-KAIS-unbricker.nb
(substitute /dev/com9 with the COM port of the diag driver shown in Device Manager, e.g. /dev/com4 on my PC)
You should see:
Code:
=== FrankenKaiser Unbricker for HTC Kaiser (c)2008 by jockyw2001
=== Jailbreaker for the 'Radio from Hell 1.65.17.10'
=== Donations happily accepted, paypal to jocky_wilson@hotmail.com
=== ATTENTION: only use this particular version with Kaiser:
=== radio version R1.65.17.10 - oemsbl HTC_BOOT V1.9517
SPL file read
Just be patient while I'm working ...
7e 02 6a d3 7e
Replug USB cable now!
Connect with MTTY and follow instructions !!!
If you don't see "7e 02 6a d3 7e" underneath the line "Just be patient while I'm working ...", you have either not replugged the USB cable, not installed the drivers correctly, or typed the wrong COM port (/dev/comx) on the command line.
=> see screenshot "4. dos box - frankenkaiser.JPG"
7) Run MTTY (COMn) and carefully enter the following commands:
echo_on (the reply in MTTY should be "ECHO ON MODE")
setboot 1
=> see screenshot "5. mtty-echo_on setboot 1.JPG"
mb 9de8bc => dump the HTC security area (note the original CID bytes and security flag so you can compare after writing)
mw 9de8bc 1 31313131 (overwrites the first half of the CID with "1111")
mw 9de8c0 1 31313131 (overwrites the second half of the CID with "1111"; together this is SuperCID "11111111")
mw 9de8e4 1 00000000 (sets the security flag to 0 = security unlocked)
mb 9de8bc => dump the HTC security area again and check that the CID and security flag have been modified in memory
=> see screenshot "6. mtty-mb 9de8bc.JPG"
setinfo
powerdown
=> see screenshot "7. mtty- setinfo - powerdown.JPG"
Close MTTY
At this point your Kaiser is unjailed, security unlocked (and SIM unlocked) and SuperCID. Now we need another FrankenKaiser run to softload an SPL that lets us flash a HardSPL. In principle, steps 1-7 never need to be done again.
8a) Unplug the USB cable, remove and reinsert the battery, replug the USB cable and then power on. Connect with MTTY (COMn):
- type "echo_on" (the reply in MTTY should be "ECHO ON MODE"; if you see that, you never have to perform steps 1-7 again. If you don't, something went wrong in steps 1-7 or there is a connectivity problem)
- type "setboot 1" (you should see "ARM9BootMode:1")
- Close MTTY!!
8b) Unplug the USB cable, remove and reinsert the battery, replug the USB cable and then power on. Connect with MTTY (COMn):
- type "echo_on" (you should see "ECHO ON MODE")
- type "dload" to put the phone in dload mode
- Close MTTY!!
9) Replug the USB cable and then wait 10 seconds.
10) Run FrankenKaiser in a DOS box: FrankenKaiser-V1.9517.exe /dev/com9 SPL1.56-KAIS-unbricker.nb
(substitute /dev/com9 with the COM port of the diag driver shown in Device Manager).
You should see the lines:
Just be patient while I'm working ...
7e 02 6a d3 7e
FrankenKaiser will then prompt you to replug the USB cable. After you have done that, wait about 10 seconds before proceeding with step 11.
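Added example (my own code, not FrankenKaiser's, and not part of the original post): what the "7e 02 6a d3 7e" line you check in steps 6 and 10 actually is, and how to verify it programmatically. Reading "dload mode" as Qualcomm's DLOAD download protocol is an assumption on my part (the post never names the protocol); under that reading the five bytes are one HDLC frame: 0x7e flags around a one-byte payload 0x02 (the DLOAD ACK response) followed by its CRC-16/X-25, 0xd36a, stored little-endian as 6a d3. The Python below implements that framing and CRC, decodes the bytes from the post, and probes a stand-in "phone" (a constructed callable, not a real COM port) with a DLOAD NOP. All function names, the fake transport and the NAK reason-code layout are my assumptions.

```python
"""Qualcomm DLOAD/HDLC framing, enough to make sense of FrankenKaiser's
"7e 02 6a d3 7e" check.  Constructed example; not FrankenKaiser source."""
import struct

FLAG = 0x7E  # HDLC frame delimiter
ESC = 0x7D   # HDLC escape byte; the escaped byte is XORed with 0x20

# DLOAD command codes (assumption: oemsbl "dload mode" speaks this protocol).
DLOAD_ACK = 0x02
DLOAD_NAK = 0x03
DLOAD_NOP = 0x06
DLOAD_PARAM_REQ = 0x07


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25: poly 0x1021 reflected (0x8408), init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_encode(payload: bytes) -> bytes:
    """Append the CRC (little-endian), byte-stuff 0x7E/0x7D, wrap in flags."""
    body = payload + struct.pack("<H", crc16_x25(payload))
    out = bytearray([FLAG])
    for b in body:
        if b in (FLAG, ESC):
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)


def hdlc_decode(frame: bytes) -> bytes:
    """Reverse of hdlc_encode; raises ValueError on bad framing or a bad CRC."""
    if len(frame) < 4 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing HDLC flags")
    body = bytearray()
    it = iter(frame[1:-1])
    for b in it:
        if b == ESC:
            try:
                b = next(it) ^ 0x20
            except StopIteration:
                raise ValueError("dangling escape") from None
        body.append(b)
    if len(body) < 3:  # at least one command byte plus two CRC bytes
        raise ValueError("frame too short")
    payload, (crc,) = bytes(body[:-2]), struct.unpack("<H", body[-2:])
    want = crc16_x25(payload)
    if crc != want:
        raise ValueError(f"CRC mismatch: got {crc:04x}, want {want:04x}")
    return payload


def classify_reply(frame: bytes) -> str:
    """Map a reply frame to "ack", "nak:<reason>" or "other:<code>"."""
    payload = hdlc_decode(frame)
    code = payload[0]
    if code == DLOAD_ACK:
        return "ack"
    if code == DLOAD_NAK:
        # Assumption: NAK carries a 16-bit big-endian reason code.
        (reason,) = struct.unpack(">H", payload[1:3])
        return f"nak:{reason:#06x}"
    return f"other:{code:#04x}"


def probe(transport, request: bytes = bytes([DLOAD_NOP])) -> str:
    """Send one request via `transport` (callable: request frame -> reply frame)
    and classify the reply.  A real transport would talk to the diag COM port."""
    return classify_reply(transport(hdlc_encode(request)))


# The reply FrankenKaiser prints once the phone answers in dload mode.
FRANKENKAISER_OK = bytes.fromhex("7e026ad37e")


def fake_phone_in_dload(frame: bytes) -> bytes:
    """Constructed stand-in for the phone: validates our framing, answers ACK."""
    hdlc_decode(frame)  # raises if the request we built is malformed
    return FRANKENKAISER_OK


if __name__ == "__main__":
    print(classify_reply(FRANKENKAISER_OK))  # ack
    print(probe(fake_phone_in_dload))        # ack
    print(hdlc_encode(bytes([DLOAD_PARAM_REQ])).hex())
```

On a real port, fake_phone_in_dload would be replaced by a function that writes the request to the diag COM port and reads until the closing 0x7e. A CRC mismatch then points at line noise or the wrong port, a NAK means the bootloader understood the frame but refused the command, and only an ACK corresponds to the "7e 02 6a d3 7e" line the post tells you to look for.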
11) Run MTTY (COMn)
- type "echo_on" (you should see "ECHO ON MODE"; if not, there is a connectivity issue: close MTTY, unplug the USB cable, wait 10 seconds, replug the USB cable and repeat step 11)
- type "setboot 0" (you should see "ARM9BootMode:0")
- type "cego" => the tricolor screen should appear and the reply in MTTY should be "Boot CE manually..." followed on the next line by "Done."
=> see screenshot "8. mtty-setboot 0 - cego.JPG"
If after "cego" you don't see the tricolor bootloader screen, unplug the USB cable, remove and reinsert the battery, and try steps 8-11 again.
If there is still no tricolor screen, repeat once more, but this time in step 10 run FrankenKaiser with the other SPL, "sspl-0.92-jumpspl-force-usb.nb".
Close MTTY
12) Replug the USB cable and flash the HardSPL
13) Remove and reinsert the battery, enter the tricolor bootloader and flash the Splash
14) Remove and reinsert the battery, enter the tricolor bootloader and flash the OS
15) Remove and reinsert the battery, enter the tricolor bootloader and flash the Radio
Note: at step 13 it's probably also possible to flash a full ROM update; I prefer to do it in bits and pieces.
This, I hope, shows the power of FrankenKaiser: it manages to unjail, security unlock, SIM unlock and SuperCID a device which is basically in a bricked state, without the need to flash a patched radio. Look forward to other FrankenKaiser tools such as a fast SPL loader and radio dumper.
Special versions of FrankenKaiser will be released for the new HTC models Diamond and Raphael, and more.