[SUCCESS] Interop-Unlocking LUMIA - with JTAG


lordmaxey

Senior Member
May 6, 2012
314
303
Hi there:)

Well, as we really need Interop Unlock for our Lumia phones, i decided to check this out myself.
As i already have ATF Box for a long time, i decided to buy JTAG activation and dolphin clip + lumia jigs, that i do not have to solder my phone.
Also i have ordered a Lumia 520 testing phone on ebay.

So, as the ATF Team made an awesome JTAG software update, i'm trying to interop unlock that Lumia 520 the hardware way, as just software seems to be too tough...

Well, what i did so far:
1. Freshly flashed Lumia 520 RM-914 with latest stock rom
2. Did the setup/beginning after turning it on for 1st time
3. developer unlocked it with SDK on PC
4. Made Full Dump with JTAG from dev-unlocked phone
5. Mounted MainOS partition of dump with program "OSFMount" (-->appears as Local harddisk example drive E: )
6. Loaded the SOFTWARE hive with regedit on PC from "E:\Windows\System32\config"
7. Edited the following values:
PortalUrlInt = http://127.0.0.1
PortalUrlProd = http://127.0.0.1
MaxUnsignedApp = 10003
8. unloaded SOFTWARE hive
9. unmounted dump-image
10. wrote image back via jtag

I thought it might be a good Idea to dev-unlock the phone before messing with the registry, to make sure "DeveloperUnlockState = 1" gets written the "legal" way, as the key is not available in registry before.
Maybe it's better to just modify an existing key, than adding a new one...


Well, long story short: The result is not totally satisfying.:(

After writing the modified image back to the EMMC, the phone is booting up, but i can NOT deploy homebrew apps that require interop unlock, like @GoodDayToDies "EnableAllSideloading.xap" for example.
But i can deploy "normal" apps like @cpuguys "Toastlauncher" and @GoodDayToDies "Webserver"

The weird thing: If i check the reg-values via WebServer on the Phone, i can see my edited values.
So the changes ARE written to the phone. The phone just doesn't use them...

So, the good thing: phone is booting with modified rom :good:
But, the bad thing: Changes are not working. :confused:


EDIT:

SUCCESS!!!
After adding
ID_CAP_DEVELOPERUNLOCK_API.jpg

i could successfully sideload "EnableAllSideloading.xap"

After executing enableallsideloading i could sideload latest WPHTweaks build.

Now i have 3rd tile row enabled! :)
Lumia_520_3rd_tile_row.jpg


awesome!


Also member @myst02 is working on interop-unlocking the lumia phones. So we decided to make this a together-project.
See his achievements here: http://xdaforums.com/showthread.php?t=2713098&page=10
:good:
 


error0x0000034

Senior Member
Dec 28, 2013
57
35
wparea.de
to be able to sideload EnableAllSideloading.xap you need to change following registry key:

Software\Microsoft\SecurityManager\CapabilityClasses
add: MultiSz String
name: ID_CAP_DEVELOPERUNLOCK_API
value: CAPABILITY_CLASS_THIRD_PARTY_APPLICATIONS

have fun.
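
An added example, not part of any post in this thread: a Python check that audits a regedit text export of a device image's offline SOFTWARE hive for the changes discussed above (loopback PortalUrlInt/PortalUrlProd, MaxUnsignedApp = 10003, and ID_CAP_DEVELOPERUNLOCK_API placed in CAPABILITY_CLASS_THIRD_PARTY_APPLICATIONS). The sample export is constructed; the `OFFLINE` mount name and `PLACEHOLDER_KEY` are assumptions, because the thread does not name the key that holds the first three values, so those are matched by value name only.

```python
import re
URL_VALUES = {"PortalUrlInt", "PortalUrlProd"}  # names from the first post
CAP_NAME = "ID_CAP_DEVELOPERUNLOCK_API"
CAP_CLASS = "CAPABILITY_CLASS_THIRD_PARTY_APPLICATIONS"
CAP_KEY_SUFFIX = r"\microsoft\securitymanager\capabilityclasses"
THREAD_MAX_UNSIGNED = 10003  # value written in the first post

def decode(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ stored as UTF-16LE bytes
        blob = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in blob.decode("utf-16-le").split("\0") if s]
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ, unescape \\ and \"
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw

def parse_reg(text):
    """Yield (key, value_name, data) from 'Version 5.00' export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), decode(m.group(2))

def audit(reg_text):
    """Return (value_name, data) pairs that match the thread's changes."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if name in URL_VALUES and isinstance(data, str):
            host = re.sub(r"^\w+://", "", data).split("/")[0].split(":")[0]
            if host in ("127.0.0.1", "localhost"):
                hits.append((name, data))
        elif name == "MaxUnsignedApp" and data == THREAD_MAX_UNSIGNED:
            hits.append((name, data))
        elif (name == CAP_NAME and key.lower().endswith(CAP_KEY_SUFFIX)
              and isinstance(data, list) and CAP_CLASS in data):
            hits.append((name, data))
    return hits

def _multi_sz_hex(strings):  # sample helper: hex(7) data, wrapped once
    blob = ("\0".join(strings) + "\0\0").encode("utf-16-le")
    h = ",".join(f"{b:02x}" for b in blob)
    return h[:59] + ",\\\n  " + h[60:]

# Constructed sample export; OFFLINE and PLACEHOLDER_KEY are assumptions.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\OFFLINE\PLACEHOLDER_KEY]",
    '"PortalUrlInt"="http://127.0.0.1"',
    '"PortalUrlProd"="https://portal.example.invalid"',
    '"MaxUnsignedApp"=dword:00002713', "",
    r"[HKEY_LOCAL_MACHINE\OFFLINE\Microsoft\SecurityManager\CapabilityClasses]",
    f'"{CAP_NAME}"=hex(7):' + _multi_sz_hex([CAP_CLASS]),
])
```

Files exported by regedit are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit()`.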
 

ngame

Senior Member
Mar 13, 2012
1,126
554
Mashad
Wow you did a fantastic job
as @error0x0000034 mentioned you forget to open DeveloperUnlock_API
Software\Microsoft\SecurityManager\CapabilityClasses
add: MultiSz String
name: ID_CAP_DEVELOPERUNLOCK_API
value: CAPABILITY_CLASS_THIRD_PARTY_APPLICATIONS
 

lordmaxey

Senior Member
May 6, 2012
314
303
BTW, it's not a real "hack", and not acceptable/affordable for the 99.9% Lumia users and developers...
Yeah, but it's at least something worth trying :D

Wow you did a fantastic job
as @error0x0000034 mentioned you forget to open DeveloperUnlock_API
Software\Microsoft\SecurityManager\CapabilityClasses
add: MultiSz String
name: ID_CAP_DEVELOPERUNLOCK_API
value: CAPABILITY_CLASS_THIRD_PARTY_APPLICATIONS
Oh, i see...
I'm just wondering that this CAP was not necessary on Ativ S?
Or am i wrong?
I really thought it was just the 3 regkeys quoted in the first post... :confused:
 

ngame

Senior Member
Mar 13, 2012
1,126
554
Mashad
Yeah, but it's at least something worth trying :D


Oh, i see...
I'm just wondering that this CAP was not necessary on Ativ S?
Or am i wrong?
I really thought it was just the 3 regkeys quoted in the first post... :confused:

I don't remember Ativ S Interop but I know it had a BootStrap app
maybe that app unlock this api i'm not sure but I know you have to open this cap first to run EnableAllCapabilities
 

ceesheim

Retired Forum Moderator
Jun 11, 2009
3,457
2,288
No Android Fanboys Please !!!
Nice work :good:

so now, you can make a small business with this :D
interop unlock for only *** $ :D

and you are now the one and only interop unlocked retail Lumia owner :D
 

lordmaxey

Senior Member
May 6, 2012
314
303
Nice work :good:

so now, you can make a small business with this :D
interop unlock for only *** $ :D
Haha :D Yay, i'm going to be rich :D *lol*

and you are now the one and only interop unlocked retail Lumia owner :D
No, not yet.
I'm trying to deploy the bootstrap samsung app to the 520 this afternoon. If it works, i maybe can deploy the other apps.
If not, i'm trying to open that CAP by editing the Dump again and writing it back via JTAG.

We'll see, but i'm curious :)

btw: Why are these damn smileys always displayed in the next line?
 

error0x0000034

Senior Member
Dec 28, 2013
57
35
wparea.de
Haha :D Yay, i'm going to be rich :D *lol*


No, not yet.
I'm trying to deploy the bootstrap samsung app to the 520 this afternoon. If it works, i maybe can deploy the other apps.
If not, i'm trying to open that CAP by editing the Dump again and writing it back via JTAG.

We'll see, but i'm curious :)

btw: Why are these damn smileys always displayed in the next line?

Samsung Bootstrap uses some Samsung-specific DLLs as far as I know. This won't help you, tried this already on my Huawei Ascend W1. This won't work on your Lumia either I think. But it's worth a try of course.

You'll have to edit the registry key I mentioned before to be able to sideload EnableAllSideloading.xap. You need to load the SOFTWARE file from Windows/System32/config again into your registry and edit following key. Maybe try using a registry editor on your phone before using the method you described above, but I don't think that this will work. So, you probably have no other choice than opening up your device again and edit the SOFTWARE reg-file. Then sideload EnableAllSideloading.xap and you'll be able to sideload pretty much everything you want.

Question for more experienced devs and hackers:
Is there a registry tweak or some settings anywhere else on the phone that we can access through JTAG and that allows us to boot the phone (Lumia in this case) as a mass storage device with full filesystem access? Like on the Huawei Ascend W1. This would simplify the process of changing registry keys a lot.

Best regards and good luck.
 

-W_O_L_F-

Senior Member
Jul 10, 2010
1,030
941
Moscow
Haha :D Yay, i'm going to be rich :D *lol*


No, not yet.
I'm trying to deploy the bootstrap samsung app to the 520 this afternoon. If it works, i maybe can deploy the other apps.
If not, i'm trying to open that CAP by editing the Dump again and writing it back via JTAG.

We'll see, but i'm curious :)

btw: Why are these damn smileys always displayed in the next line?
Bootstrap Samsung will not work on Lumia.
 

lordmaxey

Senior Member
May 6, 2012
314
303
Samsung Bootstrap uses some Samsung-specific DLLs as far as I know. This won't help you, tried this already on my Huawei Ascend W1. This won't work on your Lumia either I think. But it's worth a try of course.

You'll have to edit the registry key I mentioned before to be able to sideload EnableAllSideloading.xap. You need to load the SOFTWARE file from Windows/System32/config again into your registry and edit following key. Maybe try using a registry editor on your phone before using the method you described above, but I don't think that this will work. So, you probably have no other choice than opening up your device again and edit the SOFTWARE reg-file. Then sideload EnableAllSideloading.xap and you'll be able to sideload pretty much everything you want.
Like this then, right?
ID_CAP_DEVELOPERUNLOCK_API.jpg

Ok, I'll try this next week, i sadly won't have time this weekend.


Question for more experienced devs and hackers:
Is there a registry tweak or some settings anywhere else on the phone that we can access through JTAG and that allows us to boot the phone (Lumia in this case) as a mass storage device with full filesystem access? Like on the Huawei Ascend W1. This would simplify the process of changing registry keys a lot.

Best regards and good luck.
No. once JTAG halts the phone, it's halted. You can't just "pause" the phone, make changes and continue booting. Sadly.
So, only chance is by writing the modified dump back.
 


reker

Senior Member
May 23, 2009
124
168
Shanghai
It's not for Lumia only, it's a universal method for every WP8 device (including the emulator) that could enter MassStorage mode.

And the Bootstrap app is not magic; it uses the system service by Samsung to modify the CapabilityClasses registry key mentioned above, and this could be done by modifying the reg hive directly.
 

error0x0000034

Senior Member
Dec 28, 2013
57
35
wparea.de
Like this then, right?
ID_CAP_DEVELOPERUNLOCK_API.jpg

Ok, I'll try this next week, i sadly won't have time this weekend.

Exactly. I have done this on my Ascend W1 several times, but it's easier, because I can enter Mass Storage Mode through bootloader.

No. once JTAG halts the phone, it's halted. You can't just "pause" the phone, make changes and continue booting. Sadly.
So, only chance is by writing the modified dump back.

I don't know how JTAG method works exactly, I only know that the device needed isn't cheap and can restore bricked phones. How it works? I have no idea, but I'm sure I'll learn quickly.
I will do some research on that soon. I'm a learning noob. :cyclops:

best regards,
error0x0000034
 

lordmaxey

Senior Member
May 6, 2012
314
303
I don't know how JTAG method works exactly, I only know that the device needed isn't cheap and can restore bricked phones. How it works? I have no idea, but I'm sure I'll learn quickly.
I will do some research on that soon. I'm a learning noob. :cyclops:

Me neither :D
Most credits go to X-Shadow from advance-box team.
Because i had the Idea of modifying the phone dump and read/write via JTAG.
But usually, ATF only supported bootloader repair via JTAG. So i contacted X-Shadow and within only two weeks he updated the jtag-application, and added Custom Read/Write to every part of the EMMC.

That's how i could dump the rom, modify it and write it back.
Absolutely awesome work from that team, just releasing a software because of ONE single inquiry. :) :good::good::good:
 

GoodDayToDie

Inactive Recognized Developer
Jan 20, 2011
6,066
2,933
Seattle
Aw crap, I totally forgot to tell you to test a pure-interop app (like the bootstrap one). You interop-unlocked but failed to capability-unlock, and most WP8 homebrew requires both so of course you couldn't sideload it. DERP :(

But hey, if you successfully edited the capability class of ID_CAP_DEVELOPERUNLOCK_API - and it looks like you did, or could - then you can use EnableAllSideloading to capability-unlock the phone (it just edits all the other capabilities' classes). I could probably also write a "BootstrapNokia" app if you'd like; I think we have interop-based registry functions for WP8 Lumias, which would allow (for example) making SamWP8 Tools work on your Nokia as well.
 

lordmaxey

Senior Member
May 6, 2012
314
303
SamWP8 tools on Nokia would be great. :)
I'll check that monday evening, when i'm back at my computer.

I'll keep you informed :)
 

ngame

Senior Member
Mar 13, 2012
1,126
554
Mashad
Aw crap, I totally forgot to tell you to test a pure-interop app (like the bootstrap one). You interop-unlocked but failed to capability-unlock, and most WP8 homebrew requires both so of course you couldn't sideload it. DERP :(

But hey, if you successfully edited the capability class of ID_CAP_DEVELOPERUNLOCK_API - and it looks like you did, or could - then you can use EnableAllSideloading to capability-unlock the phone (it just edits all the other capabilities' classes). I could probably also write a "BootstrapNokia" app if you'd like; I think we have interop-based registry functions for WP8 Lumias, which would allow (for example) making SamWP8 Tools work on your Nokia as well.

isn't it better to put FCROUTER and other samsung dlls in Windows folder?
as far as i know ID_CAP_INTEROPSERVICES allow it
 

Top Liked Posts

    15
    Ok - i finally received my AT&T Lumia 520 (RM-915) from ebay :)

    So - as i don't really need 2 520s, i'm willing to donate my interop unlocked RM-914 phone - the one with the broken screen - to a clever developer ;)
    So, i first thought about @GoodDayToDie: Would you like to have my Rm-914 Lumia 520?
    Maybe this would help you researching the not-working EnableAllSideloading on 8.1...

    So, if you would like to have it, i'd be happy to send it to you.
    I just need to know, if it's better to give it interop unlock on GDR3 or 8.1 to you.

    Just let me know if you're interested or name another dev who might need the phone.
    15
    Interop-unlocked Lumia 520 has arrived! I haven't had time to hack on it yet, but I've got plans. HUGE thanks to @lordmaxey for this!
    12
    Sorry, chinese guys were doing this for ages and hit news multiple times with it :D
    Also, I was constantly reminding everyone that unlock via JTAG is possible ;)

    There is one *bad* point in making this method public: according to docs, JTAG must be disabled. But Nokia doesn't really disable it the way Microsoft wants everyone to follow. I wouldn't tell you what can happen after this becoming public.



    Hi,

    Just some info about JTAG on Nokia Lumias...

    Nokia Disables it in the QFUSE, but there is a bug/hole in Qualcomm SOCs that enables you to still use JTAG Debugging by using unorthodox ways of HALTING (Enter DEBUG Mode).

    This bug/hole was already rectified starting Snapdragon 800 (MSM8974 and its "family members"), that is why there is currently no 3rd Party JTAG Box that can support these new SOCs if the Device Manufacturer sets the correct JTAG disable bits in QFUSE. I heard it is still possible via SWD but with very limited memory access. This holds true not only for Nokia, but for all other Manufacturers as well (Samsung, LG, HTC etc). Anything below Snapdragon 800 (with very few exceptions) can be debugged via JTAG even if the Manufacturer disables all JTAG bits in the QFUSE.

    For Snapdragon 800, not all is lost. One can still use ISP for the eMMC if the CLK, CMD, DATA0 lines are exposed on the PCB (which is usually the case because of external pull-up resistors to VccQ).

    Now as this method (Interop Unlock via JTAG) might be frowned upon because of the "hardware-approach" nature of the hack, it may still prove to be useful for developers who still want to explore a software-approach hack. I mean the developer will have more control "exploring" the possibilities when he is working on an already "unlocked" device.


    Anyway, I am willing to donate my Engineering Lumia 925 with "z" apps to any Senior Developer who is determined to find a "software only" hack.

    I will also provide a complimentary JTAG Box + Complete set of JIGS to allow "solderless" JTAG connection for the Lumia 925 (Just in case the Developer needs to revive the phone or if he wants to perform the hardware-method interop unlock on it).


    The reason for my generosity is nothing sinister. I simply have no practical use for this phone anymore and I am always a big supporter to anything Nokia...



    Best Regards,
    ATF Developer