FAQ SETOOL – SUPPORT SETOOL

HOW TO WORK WITH SEMC ODM PHONES

FLASHING OF SEMC ODM PHONES

1. select correct model
2. use com/ufs as interface
3. add to firmware area needed firmware
4. press flash

UNLOCKING OF SEMC ODM PHONES

broadcom based – z300,j210,j220

1. select model
2. select com/ufs as interface
3. uncheck all settings
4. press unlock
5. power on phone with unsupported sim card, press *<<*, enter readed codes.

if you have “not allowed” while entering codes, just reflash phone

calypso lite based – j110,j120,k200,k220

1. select model
2. select com/ufs as interface
3. uncheck all settings
4. press unlock

for k200,k220 this is full unlock and security zone will be automatically fixed.
for j110,j120 this is special firmware patch – after unlock, power on phone, press *<<* with unsupported card and enter any 8 digits as code for each lock.
phone will accept code and unlock will be permanent.

note, that j110,j120 phones with damaged security zone are not supported.

POSSIBLE PROBLEMS WITH S1 PHONES

damaged trim area , IMEI could not be read, simlocks state “tampered” or “0”

first, we need to restore trim area, for this :

1. select correct model
2. on settings, check “signed mode”,”enable alternative security bypass”
3. add to firmware area

if you have neptune-based phone – W302_TA.SSW
if you have t280,t303,r306,r300,k330,w205,Tilde phone – R300_TA.SSW
if you have t250 phone – t250_ta.ssw
if you have Z250,z320,t270 phone – z320_ta.ssw
if you have j132 phone – j132_ta.ssw

4. press flash

you can use trim area in .bin format to restore trim area, for this select trim area in misc. edit, check “signed mode”,”altbypass mode”,”format gdfs when writing” and press “write gdfs”

now trim area structure restored and phone should be signed with s1 signature server.
it is recommended to restore phone original IMEI first, for this :

1. create text file with contents:

taread:000107D1

2. select proper model, check on settings only “signed mode”, select created file in misc. field
3. press “write script”, file will be created in form %imei%.txt
4. look at file in notepad, you will see IMEI inside in very simple form, change IMEI to original and save file
5. select changed file in misc. field and again press write script
6. check with identify if you set correct IMEI, repeat 4,5 until success

now you need to unlock phone using signature server, consult corresponding FAQ post for that.

note, that alternative security bypass not available for phones with aid 0004, you can not fix aid004 phone with damaged trim area.

phone simlock okay, not tampered, but phone stucked,slow,rebooting. flashing not help.

most probably, internal file system gone to winds. you need to write fullflash from working phone or write clean file system, then reflash phone
check support area for that files.
please note, that all neptune-based phones can be cured with w302_fullflash,etc (check trim area repair case)
in most cases, alternative security bypass needed for writing fullflash.

note, that alternative security bypass not available for phones with aid 0004.

phone can’t be detected at all

semcboot somehow got damaged ( while it is never touched by any process )

procedure to fix:

1. select correct model
2. on settings check “signed mode”
3. add EROM to firmware tab.
if you have neptune based phone: 1207-7713_EROM_S1_NEPTUN_HS_SEMC_SIMLOCK_R7A024.sin
if you have locosto based phone, then select situable from:
J132_EROM_S1_LOCOSTO_HS_USB_R5A038_64k.sin
K330_T280_T270_EROM_S1_LOCOSTO_HS_R5A028.sin
R300_R306_T303_S1_LOCOSTO_HS_R5A031_128.SIN
for w395 CXC1250616_EROM_S1_LOCOSTO_HS_USB_FLAFLA_R5A038.si n will do job
T250_CXC1250616_EROM_S1_LOCOSTO_HS_R5A022.sin
Z250_Z320_EROM_S1_LOCOSTO_HS_R5A023.sin

4.press recovery

check if phone trim area/simlock are okay by doing identify.
repair simlock or trim area if needed.

note, that semcboot repair not available for phones with aid 0004.

POSSIBLE PROBLEMS WITH ODM PHONES.

phone hang, can’t save photo,etc

1. write repair flash from support area
2. unlock phone
3. flash phone with latest firmware

note, that k200,k220 has two flash ic types, select samsung repair flash if you flash manu id=0xEC,
select spansion repair flash for all other types.

How to enter network unlock code for w150 (Yendo) phone ?

ENTER #123456789# TO CHECK SOFTWARE AND CHECK LOCK STATUS
ENTER #987654321# AND SELECT RED AND PUT CODE

HOW TO WORK WITH A1-BASED PHONES

FLASHING OF DB2000,DB2010 PHONES

common for all CID:
1. go to semc tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. please read notes below
6. set other settings according your needs.
7. back to semc tab, press flash.

CID 17,24,41,42,54

unsigned mode
3. skip
4. skip
5. on settings, uncheck signed mode, alternative security bypass, preloader security bypass,customize phone after flash.

for BROWN CID 41,42,73 you must disassemble phone and do testpoint operation.
testpoint is simple GND wire attached to specific points on phone board.
(upload testpoint pictures)
in that case, step 5 will be:

5. on settings, check only “use tespoint (gnd method)”

you can use special ‘dual” usb+serial cable in order to significantly increase flashing speed for such phones.
you can not use script for such phones.

CID 16,29,36,37,49
signed mode
5. check signed mode

unsigned mode
5. on settings, uncheck “signed mode”, “alternative security bypass”

you can only use USB as interface for phones with CID 49, some CID 36 phones can be upgraded to CID 49 via writing of corresponding EROM.
restoration files required for phones with CID 49

CID 50,51,52,53

signed mode
5. check signed mode

standalone altbypass mode
5. check “signed mode”, “use alternative security bypass”

restoration files required
bypass package required
please read FAQ post about alternative security bypass.

that is preferred mode if you want to do some additional operations during flashing process.
starting from v1.1280 this method do not require restoration and bypass package files.
however, you can not use USB as interface in this method anymore

please note, that if you put in misc. edit any file, which is NOT custpack archive, it will be treated as script command file.

UNLOCKING OF DB2000,DB2010 PHONES

CID 17

1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab
6. press unlock button

please note, than recent firmwares can’t be unlocked with such method,use cid 41,42 path or downgrade firmware.

CID 24

1. select com/ufs as interface
2. go to sharp tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on sharp tab
6. press unlock button

in some cases you must flash special patched firmware from support area before unlock.

CID 41,42

1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab
6. press unlock button

Skip next instructions, if you using setool2 >= v1.1104
if phone BROWN CID 41,42 then you must disassemble phone and do very easy testpoint.
testpoint is simple GND wire , attached to needed point on phone board.

step 4 should be like that:

4. on settings tab, check “use testpoint (gnd method):

testpoint pictures : 8180 testpoint.jpg u8380tpbestcool9ay.jpg

CID 16,29,36,37

1. select com/ufs as interface
2. go to semc tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on semc tab
6. press unlock button

that CID is obsolete and upgrade to CID 49 via writing corresponding EROM recommended.
you can not use USB as interface for such phones with CID.

recovery operation supported for such phones, damaged EROM can be restored without problems.
no any special files required for such phones.

CID 49

standalone method

1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on semc tab
6. press unlock button

you can not use USB as interface, if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
that files could be downloaded from support area or created automatically :
place main part of unsupported firmware in firmware area,press identify and attach phone with unsupported firmware.

this method is removed from setool2 ( starting from v1.1280 ), use reset-based standalone unlock.

CSCA method

1. select usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”
5. back on semc tab
6. press unlock button

that is not recommended method for unlocking such phones, slow and useless.
you can not repair damaged SCRC via that method.

recovery operation not supported for such phones, reset operation should be used in order to repair damaged EROM.
you can repair damaged GDFS, damaged SCRC standalone for such phones.

CID 50,51,52,53

standalone patch unlock method via alternative security bypass

1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”,”alternative security bypass”
5. back on semc tab
6. press unlock button

you can not use that method , if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
bypass packages required for that method.
please read FAQ post about alternative security bypass.

this method is removed from setool2 ( starting from v1.1280 ), use standalone reset-based method

standalone RESET-based method

1. select com/ufs as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”,”alternative security bypass”
5. back on semc tab
6. press unlock button

that is recommended method to use with that phones
you can fix SCRC using that method

CSCA method

1. select usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”
5. back on semc tab
6. press unlock button

please note,that phones with cid51,52,53 require credits and internet access in order to unlock using CSCA method.
that is obsolete method, should not be used,because it long and credit-consuming

recovery operation not supported for such phones,
reset operation should be used in order to repair damaged EROM,damaged GDFS, damaged SCRC.

CID 54

1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab.
6. add to firmware area special patched firmware from support area.
7. press flash

if any trouble happens, you must reflash phone with original ( not patched ) firmware.

testpoint picture to use, when original firmware can’t be flashed : tp8550.JPG

CID 73

disassemble phone.

1. select com/ufs as interface
2. go to sharp tab
3. select correct model
4. on settings tab, check “use tespoint (gnd method)”
5. back on sharp tab
6. press unlock button, attach testpoint when asked

testpoint pictures : 703SH%202006%20no%20need%20open%20the%20phone.jpg64ed070aeeb5eb62d36dca8d45c7b618.JPG

FLASHING OF DB2020,PNX5230 PHONES

common for all CID:
1. go to semc tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. please read notes below
6. set other settings according your needs.
7. back to semc tab, press flash.

CID 36
such phones should be upgraded to CID 49 via writing of corresponding EROM.

CID 49,51,52,53

signed mode
5. check signed mode

that is preferred mode if you need just flash phone.

standalone altbypass mode
5. check “signed mode”, “use alternative security bypass”

restoration files required
bypass package required
please read FAQ post about alternative security bypass.

starting from v1.1280 this method only requires restoration and bypass package files for PNX5230-based phones.

that is preferred mode if you want to do some additional operations during flashing process.

please note, that if you put in misc. edit any file, which is NOT custpack archive, it will be treated as script command file.

UNLOCKING OF DB2020,PNX5230 PHONES

CID 36

that CID is obsolete and upgrade to CID 49 via recovery to CID 49, then writing corresponing EROM required.
recovery operation supported for such phones, damaged EROM can be restored without problems.

CID 49,51,52,53

CSCA method

1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”,”do full unlock instead usercode reset”
5. back on semc tab
6. press unlock button

that is obsolete method for unlocking such phones.
it should only be used if you want to full unlock PNX5230-based phones.
you can not repair damaged SCRC via that method.

standalone patch unlock method via alternative security bypass

1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”,”alternative security bypass”
5. back on semc tab
6. press unlock button

you can not use that method , if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
bypass packages required for that method.
please read FAQ post about alternative security bypass.

this method is removed from setool2 ( starting from v1.1280 ) and only used in PNX5230-based phones.

RESET-based method

standalone RESET-based method

1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”,”alternative security bypass”
5. back on semc tab
6. press unlock button

that method is NOT supported on PNX5230-based phones.
that is recommended method to unlock DB2020-based phones.

recovery operation not supported for DB2020 phones, reset operation should be used in order to repair damaged EROM.
you can repair damaged GDFS, damaged SCRC via reset operation for such phones.

POSSIBLE PROBLEMS

after flash, phone said “configuration error,please contact provider

write custpack or use “customize phone after flash” option.

alternative security bypass failed because of missing rest file,phone dead

get rest file, check only preloader security bypass and press unlock or
reflash supported firmware with “signed mode” only checked

damaged security units, damaged gdfs area,damaged EROM

CID 16,17,24,29,36,37

1. select proper model
2. on settings, check “format gdfs when writing”
3. press recovery
4. add to firmware area proper EROM if applicable
5. press flash
6. add to misc. field gdfs in .bin format
7. press write gdfs
8. press unlock
9. reflash phone

CID 41,42,54,73

disassemble phone.

1. select proper model
2. on settings, check “format gdfs when writing”, “use testpoint (gnd method)”
3. add to misc. field gdfs in .bin format
4. press write gdfs
5. press unlock
6. reflash phone

you must use testpoint for such phones (upload testpoint pictures)

CID 49

1. select proper model
2. on settings, check “unlock during flash process”
3. add to firmware area proper gdfs in ssw format
4. if desired, add to firmware area proper main,fsimage
5. press flash

please note, if EROM damaged on such phones, you must execute reset operation.

CID 50,51,52,53

this is so-called reset procedure.

1. go to emptyboard tab
2. select proper model
3. on settings, check “signed mode”
4. press recovery
5. after succeful recovery
6. on settings uncheck all
7. if gdfs totally damaged, add to firmware area proper gdfs in ssw format,otherwise skip that step
8. add to firmware area proper EROM (EROM CID >= OTP CID)
9. press flash
10. if needed,reflash phone on usual semc tab with needed settings.

HOW TO WORK WITH A2-BASED PHONES

FLASHING OF A2 PHONES

common for all CID:
1. go to semc a2 tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. set “signed mode” on settings tab.
6. set other settings according your needs.
7. back to semc a2 tab, press flash.

CID 26,54,60,185,186

skip step 3,4.

UNLOCKING OF A2 PHONES

CID 49,51,52,53

standalone usercode reset
1. select proper model
2. on settings, check “signed mode”
3. back to semc a2 tab, press unlock

CID 49,51,52,53

standalone full reset-based unlock

1. select proper model
2. select needed domain (leave “current” for no change)
3. on settings, check “signed mode”,”use alternative security bypass”
4. back to semc a2 tab, press unlock

that method can fix damaged SCRC and fixing SEMCBOOT automatically.
that is preferred method for such phones.

server-based full signature unlock

1. select proper model
2. on settings, check “signed mode”,”do full unlock instead usercode reset”,fill login details
3. back to semc a2 tab, press unlock

that method can not fix SCRC.

CID 80,81

server-based full signature unlock

1. select proper model
2. on settings, check “signed mode”,”do full unlock instead usercode reset”,fill login details
3. back to semc a2 tab, press unlock

that method can not fix SCRC.

if s1 signature server offline, you can not use quick (without modem drivers) unlock.
instead, you should :

1.
select proper model
2.
on settings, check
“signed mode”,
“do full unlock instead usercode reset”,
“disable flash mode activation for semc a2 phones”,
fill login details
3.
back to semc a2 tab, press unlock
4.
when prompted, install phone modem drivers
(they can be found in drivers\Modem_Drivers or will be automatically installed if you install semc pc suite)
5.
when you will get message “unlock done” – do not remove cable or battery,
wait until phone automatically power on, otherwise you will get 5 locks and need to repeat procedure.

you can not unlock last SEMC A2 phone ( j108 ) with CSCA method, use special bypass mode.
you MUST flash r7cXXX firmware version to be able unlock w20 phone with CSCA method.

CID 26,54,60,185,186

standalone full unlock

1. select proper model
2. on settings, check “signed mode”
3. back to semc a2 tab, press unlock

that method can fix SCRC.
that is preferred method to unlock such phones.

POSSIBLE PROBLEMS AND METHODS OF REPAIR

CID 49,51,52,53

damaged trim area (ta_open errors)

1. select proper model or model,based on same chipset
2.

3.

4. set ecc mode: none (0)
5. on settings, check only signed mode
6. press flash
7. get gdfs package from proper model working phone, add it to misc. field
8. press write gdfs
9. unlock phone using alternative security bypass mode
10. reflash phone fully.

alternative way, need to use at least setool2 1.08

1. select proper model or model,based on same chipset
2.

3. select in misc. edit proper gdfs package, DO NOT unzip gdfs package, just select it as is.
4. on settings, check only signed mode
5. press write gdfs
6. unlock phone using alternative security bypass mode
7. reflash phone fully.

phone does not startup or stuck on “please wait”

unlock phone using alternative security bypass

CID 54

phone stuck on lg logo.
first reflash phone fully with latest firmware version.
if that not help, then

1. select proper model, on settings check only “signed mode”
2.

3. press flash
4. press unlock
5. press “clear names”
6. reflash phone fully with required firmware

if phone still hangs on lg logo, redo operation with different step 2:
2.

6. if needed, write gdfs package from proper model working phone, unlock phone after

CID 60,185,186

1. unlock phone
2. reflash phone
3. if needed, write gdfs package from proper model working phone, unlock phone after

special post regarding lg gt40x phones, can be used as reference for other lg db3200-based cid54 phones.

user MUST use setool2 version at least 1.083.

i will use “BIN_GT400AT-00-V10e-EUR-XX-JUN-07-2010+0” as example, cause i like it 

if phone in “dead state”:

1. best scenario, should work always

if phone in “working state”:

1. best scenario

it is absolutely necessary to use fix files from setool2 version at least 1.083

if you will check “use high speed usb flashing” – you will save at least 3 minutes, so worth to check.
when “switching…” message will appear, windows will find and install usbflash drivers.
if switching process fails, just repeat procedure.

HOW TO CONNECT SAMSUNG M5650, SGH-A697, SGH-A797

1. power off phone

2.
Connect the cable to M5650 while you press Volume Down + Camera key and connect to PC via USB cable
Connect the cable to SGH-A697 while you press 1 + 0 and connect to PC via USB cable
Connect the cable to SGH-A797 while you press 1 + message key and connect to PC via USB cable

q:
how to unlock j108 phone without s1 signature server to be online ?

a:
you need to have setool2 v1.1285 or higher.
you need to have test sim card ( with mnc/mcc 00101 ) in phone.
you need to have memory card in phone.
you need to have valid username/password with at least 3 credits.
phone should be in working state.

procedure is complicated and definitely NOT for beginners.

1.
flash any R7EA011 firmware into phone.
fully power on phone, wait until phone setup will be completed.
this is absolute requirement.

important !
do identify before unlock steps or make trim area backup.
that will greatly help you if anything will go wrong.

2.
run setool2, check that valid username/password entered, then go to “j108 bypass” tab.
press “upload executor package”

insert test sim card, memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it, wait until setup complete and power off phone again.

3.
press “upload executor extractor”

insert test sim card, memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it, wait until setup complete

set usb connection in phone options to “file transfer” ,connect phone to cable and copy from memory card “other\executor.b” to setool2\backup\%imei% .
setool2 will open that folder for you in minimized state, check taskbar.

( if your system recognize phone as MTP device, you can copy file without setting USB connection to “file transfer” )

power off phone.

4.
press “unlock phone”

insert test sim card ( can use accepted operator sim card ), memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it,

set usb connection in phone options to “other OS”
install phone MODEM drivers, if required ( dist\drivers\Modem_Drivers )
wait, until setool2 finish procedure.

after setool2 finish procedure, do not disconnect phone from cable, do not remove phone battery, until phone powers on by itself.
otherwise you need to restore secunits backup and repeat step 3 from beginning.

this is not patch unlock, phone unlock is permanent

important !
delete executor from games !
cause once user will run executor, phone will enter “5-locks” state …
the only way to fix it – restore secunits backup and run unlock procedure again, from step 3 , no more credits required

It is not 100% confirmed, but it looks like, that if next steps meets

you CAN just perform standard CSCA unlock and phone will be successfully unlocked.
of course, you DO NOT need any additional credits.

HOW TO WORK WITH SEMC PDA PHONES

first, basics.

SEMC created few types of PDA:

db200x+nexperia (SYMBIAN OS)
m600,w950,w960,p1,p990

such phones have two security type – NEW and OLD.
Identify button will show security type – it will write “NEW SECURITY detected” with NEW security phones.

if is better to install PDA phone drivers and PDA flash drivers before any operation.

phone drivers:

flash drivers:

S1 OPEN (SYMBIAN OS) ( ti omap + db3xxx )
satio,vivaz,vivaz pro

S1 QUALCOMM,MT BASED (ANDROID OS)
all other models

FLASHING OF A1-BASED PDA PHONES

download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
on settings,check “signed mode”
press flash

note, if phone have BROWN domain, you must FIRST flash conversion packs:

UNLOCKING OF A1-BASED PDA PHONES

if you want to UNLOCK NEW SECURITY phone –

check “use server” and enter your login/password.
please check FAQ article about credit consumptions for your phone.

press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

if you want to UNLOCK OLD SECURITY phone –

UNCHECK “use server”.
BE SURE you have latest REST files.

now, you need install drivers for flashing.
for that, poweron smartphone in fw update mode.

– for p990/m600 press and hold “@” on TURNED OFF phone, then attach dcu60.
– for w950 press and hold “C” on TURNED OFF phone, then attach dcu60.

windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers

now, when all preparations finished – press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)

download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
on settings,check “signed mode”
press flash

connect turned off phone while holding “green” button.

FLASHING OF S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)

download needed firmware package.
( two main files,both REQUIRED. APP – OS kernel, radio part, FSP – user and android OS system data,
CDF – internal storage contents, eLabel – electronic label )
add it to firmware area on PDA tab.
Order is IMPORTANT – ALWAYS add APP part first, then FSP, then eLabel, then CDF
Some MT-based phones can be irreversible killed, if APP part is NOT first package to flash.

UNPACK package archive, if packed (unzip,unrar, but DO NOT unpack *.sin_file_set itself ), ADD *.file_set to firmware area
on settings,check “signed mode”
press flash

connect turned off phone while holding “BACK” button.

UNLOCKING OF S1-OPEN PDA PHONES

select USB as interface. that is REQUIRED.
select phone model
settings – check ONLY “signed mode (using server)”, “do full unlock instead of usercode reset”, fill your login details.

back to original tab, press unlock, “GREEN BUTTON”

if signature is calculated – you will receive ‘SUCCESS’ response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory.
next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong – you have a backup of security units.
please check “credits consumption” FAQ post for info about number of credits.

UNLOCKING OF S1-ANDROID PDA PHONES

server based full official unlock method. Only available, when s1 signature server online

select USB as interface. that is REQUIRED.
select phone model
settings – check ONLY “signed mode (using server)”, “do full unlock instead of usercode reset”, fill your login details.

back to original tab, press unlock, hold “BACK BUTTON” and insert cable to powered off phone.

if signature is calculated – you will receive ‘SUCCESS’ response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory
(following unlock attempts, if something had happen with phone – cable disconnect,etc – during unlock – will be free as long as signature remains there )

next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong – you have a backup of security units.
please check “credits consumption” FAQ post for info about number of credits.

server based full unlock method using alternative security bypass

please read that post

GESTURE LOCK/USER PASSWORD RESED FOR S1-ANDROID PDA PHONES

check signed mode only, press unlock.
hold “BACK BUTTON” and insert cable to powered off phone.

if phone has blocked attempts counter, then you need reflash phone after lock reset.

POSSIBLE PROBLEMS

DB200X+NEXPERIA

damaged SCRC (imei mismatch), damaged seczone, damaged gdfs,damaged CCPU EROM

1. go to emptyboard tab
2. select model
3. on settings, check “signed mode”, fill login details
4. press reset, connect phone
5. if gdfs structure okay, skip that step, otherwise add to firmware are gdfs in ssw format: one of

6. add to firmware area correct EROM

7. press flash
8. reflash phone on usual PDA tab if needed.

phone could not boot using dcu60, erom version timeout error,etc

ACPU EROM damaged, to restore it

S1 OPEN

phone could not boot and blinks red, you CAN flash phone

unlock phone using full signature unlock

phone stuck on white screen

reflash clean file system files, then flash normal firmware

phone could not boot and blinks red, you CAN NOT flash phone

if phone aid 004 – that is brick, can’t be repaired by known 3rd party tools
if phone aid 001,002,003 – you need to perform trim area repair process:

first, make flash readout with options: signed mode,use alternative security bypass.
start 80021000
len 00200000
MID 01
“read spare” UNCHECKED
“read as ssw” UNCHECKED

you will get trim area image readout.

now lets determine if hwconfig present and not mismatched.
get and hex editor (hiew, winhex or simular)

using editor search function, locate in readout bytes d3 07 00 00
now check attached picture.

if imei is your, then you can try to fix phone.
if imei is not your and you do not have backup – send phone to semc.

now, lets extract needed trim area units and build script.

1.
you need to copy binary data from “data start” till “data end” (inclusive)
then convert binary data to its ASCII values (with same winhex)

trim_area_unit_example.jpg

add script command to data

example, from example file read_80021000_00200000_35681003102941.bin:
read_80021000_00200000_35681003102941.zip

tawrite:000207d301000000027704000000000000001D000000000000006A14663FD6E722880E288A943EFF3CB95479416F3F7700000247000101C001BE308201BA30820123A003020102020101300D06092A864886F70D0101050500301E311C301A0603550403141353315F4857436F6E665F526F6F745F61316563301E170D3030313131373139303630345A170D3230313131393139303630345A3019311730150603550403140E53315F4857436F6E665F6131656330819F300D06092A864886F70D010101050003818D0030818902818100C62E8DB0D1E86E5015210830F15BD56B8EE9F4339A377D346257028B700E6CEC207E83E5E4C76C901A2CF1577AE466FB4C8164E111C43A9A6763847D4C7877C5DBCC11AC153897CD6ECD77D5D59B7D9FC255EEBCA97929964C2684BFABA5481765390B03015046986C9AEE7A0C9D754FE4164C237640549783D9F28B056AFA530203010001A30D300B30090603551D1304023000300D06092A864886F70D01010505000381810057BE9BD213A7350190EBFF832B91083A0D74FD5E42B96560590D9FA4B78EBE556CF7E2D0E841F477D2578283E3205E14E2A46014B1D1475C15C7B7DBB348905B43D2D5605DA5461A8CFC88EEAD39BE85499EBC848A59F37575065CE753859CB29BB7FDA9805F7065E2A2C2ED3F9E9D519FBDD28C83FE55C33E9475E4765FCD9B0100808B505BE83576D2876CF09B332EAC0EEBD1F14E98072C98A4F492CD38A80265BD7C406DA1400367B9BA46970CB467DC825AC7EAC08DD72FDE4894CEDC60E2CE281E6E45A0B372ACB8ED548A3B5114B17A8C42FF131C94B436127BF3AFF865F7CBA6C58665C6584DB4DAF2EC9D05B87344DC956044CFE1E98761EA3ADF61C9D3A3000200000000000000000000000000000000000000000000000000000000000000000000000400020001000100010001000035681003102941000000002C00140CFFC34243D2191FE06C9265337027FA605069F20014C14561448A5B50B6292EBE92B421D26CBFBDC54C

2. using editor search function, locate in readout bytes da 07 00 00.
extract binary data ( method very same as shown on picture ), add script command

tawrite:000207da3C3B2B0D083B7915E34D77D8E6435A1C2FFF36DC000000000000000000000000FF00000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A1063006AF6C5FA39B0BABBEE5A8EC78CD3380024CB85626500000000551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E00005500000000000000000000000000000000000000000000000000000000106400283288EF30958212E12BEB1D148AD7C5EA57CB78290000000000000000000000000000000000000000000100

3. using editor search function, locate in readout bytes 51 08 00 00.
extract binary data ( method very same as shown on picture ), add script command

tawrite:000208510003001C00010019000207DA270F023D0010000007DA270F00470068000000F3019807FDA629760BA18A972C9E0FF8516AD296D83AAD4A07AC552FF9C6608DB7BB68B316CCED722FA0DEA690F59031732E71C1A9C2FAF71D1B16373E88858E72BD346BD4B07D6245C89556040F3D1E739567343244A15268C3DFA515E41CACBC4B368FB924B6770971D1966F0A4A8D707A21060D73112DF88AEA4CE6E5308125795CEB88C4F553A28EFC34FF346257BA858050B0EC28E8EDFA47681AB9F07568CA8A225826F90943376A5A4E54FB4D087F5BD08CF3F35521DB5C73E13253F4DAA68FA0F902C47FA5ECDA64674FF23A69D4EDDDC6A93C2A58D4183FDB7195647F1FA5F9644EE130544E23A75F80DCBFB98600090200000000000002FC0001027502733082026F308201D8A003020102020100300D06092A864886F70D01010505003077310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311E301C06035504031315536F6E79204572696373736F6E20534C20526F6F74301E170D3030303130313138303030305A170D3230303130313138303030305A3073310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311A301806035504031311536F6E79204572696373736F6E20534C4630819F300D06092A864886F70D010101050003818D0030818902818100D7C855C8F5F20A47302F9D1CB193907C8D01BEF67A20508CFF76C1CC5385BFCC90D805236000C3017BB3AF36D24561435199B482384570AF445AF2B78BF544B1C83CD6DF39E320A8D96674B6672B66225D2AD74BBCDE89999A688C0A7AF8E080319F2873B67B285B6F1D00535D083C8B68C556BBB1CBEC7ACBE7D274409E84270203010001A30F300D300B0603551D0F040403020780300D06092A864886F70D0101050500038181009096A087A4A2D7594888E2624EBB13FAEDBE5174C220410BD049BB628961BA18D370DF79527607EA533C931F14A094F0214BAFAD89FA3DADDBAC24BC1AE32211F668397745011F55D715B869874E464575988DF1D789594C86AE9310C8F4D00C3CBAB55595A63B3818FAB01A687EEAB3376176C8FE9A693A0283E57B94CD362A010080C511236A07BD6CD5D2F1D58B0E6EE887C15C0AACAACC56CAC126EB183ADC0AECBFF5081B49F3B6EB04AA3A0EB0B47D5B7B8C60830F8BC7B6450A64F0E925D40BABB25949AA89D2839CFDA4594818853013106C74F0A407D23BDC4C4630729C1469F6345F0930DAE37406DC02BA4049B54E3906F19D2821D3BF351A65FC8FA5B3

4. you have now 3 big string.
copy them into one file (each string should be on one line !)
add 4-th script command in the end of file

tawrite:0002FDE800

you have own fixup file.
fixup_35681003102941.txt

proceed to http://support.setool.net/showthread…ll=1#post15855

notice, that is you will get simlock tampered message after fix procedure, you NEED to unlock phone using signature server.

tutorial video by Aishur: http://www.4shared.com/folder/RCU5KkCO/Satio_fixup.html

m_taheri written tool for automatic fixup creation.

S1 ANDROID

q:
i had unlocked my phone using alternative security bypass method, but phone not unlocked.

a:
you did not set all required settings.
you must check “signed mode”, “alternative security bypass mode”, “do full unlock instead of usercode reset”

q:
i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits,
but phone not unlocked.

a:
just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
no further credits will be required.

q:
which s1 android based phones i can unlock using alternative security bypass ?

a:
you can use that method for
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones can also use testpoint method (complex, but powerful ) for unlock/repair

q:
how to unlock s1 android based phones, based on msm7227,qsd8250 using alternative security bypass without testpoint ?

a:
Here is procedure.

1.
make sure you have firmware with android 2.x, NOT 1.6.
flash required firmware, if needed.

2.
power on phone without sim card, go to menu->settings->applications->development, enable “usb debugging”
connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)

hint:
i suggest you to import DisableADBNumbering.reg (DisableADBNumbering.zip) , however this is not required.

3.
select proper phone model.
select USB as interface
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
press unlock

when prompted, detach phone, turn it on fully, connect it again.
( or you can leave phone on cable, then power it on manually )

when program tells “warming up…”, manually power on phone fully, cause it will automatically enter charging mode.

after you see “GETTING ROOT ACCESS …” DO NOT TOUCH PHONE until procedure complete.

DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
SUCH KILLED PHONES CAN BE REPAIRED WITH RESURRECTION CABLES.

possible problems:

problem:
you getting “Can’t get ROOT rights”, “err: 00000005″,”err: 00000002” during process

solution:
disable antivirus, especially if you using “kaspersky antivirus”, i recommend Doctor Web
do NOT run setool2 from restricted accounts.
do NOT run setool2 from read-only media.

problem:
it can happen ( very unlikely, though ) that ADB server will not recognize phone after reboot

solution:
IF phone not detecting automatically and on status bar you can see “waiting for phone…”, again – only in that case – disconnect phone from usb and connect it again, procedure should continue.

if not, well, repeat from start.

q:
how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD

1.
prepare for testpoint operation.
check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
open testpoints for access
if you do not have GPG cable set, get some needle with wire, connect it to phone GND ( battery minus ) or to USB cable shield, etc.

Notice, that most of UART “boxes” for sony ericsson phones have 2 UARTs : DTMS/DFMS and CTMS/CFMS ( TX/RX ) on RJ45 connector.
you need to connect DTMS, noted on schematics, to TX ( CTMS ) pin on RJ45 connector, DFMS from schematics to CFMS ( RX ) pin on RJ45.

2.
select proper phone model.
select COM as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:

1. remove cable from phone,
2. remove battery from phone,
3. attach testpoint ( turn on switch on cable set )
4. insert cable to phone, HOLDING TESTPOINT ( cable set switch in “on” position )
5. press “ready”
6. when prompted detach testpoint
7. press “ready”
8. install drivers from dist\drivers\USBFlash_driver\ ( if asked )

إن شاء الله phone will be unlocked.

q:
how to unlock s1 android based phones, based on qsd8x55, using alternative security bypass using testpoint?

a:
Here is procedure.

1.
prepare for testpoint operation.
check testpoint location for your phone model in dist\docs\
open testpoint for access
get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.

2.
select proper phone model.
select USB as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:

1. remove cable from phone,
2. remove battery from phone,
3. attach testpoint
4. press “ready”
5. insert cable to phone, HOLDING TESTPOINT
6. install drivers from dist\drivers\USBFlash_driver\
   make sure that driver for qhusb_dload ( device, which will appear after successful testpoint ) is installed from dist\drivers\usbflash_drivers and named “ZEUS Flash Device”.
   Install driver manually, if testpoint driver named otherwise.
   
7. when prompted detach testpoint
8. press “ready”

إن شاء الله phone will be unlocked.

q:
my semc 8×55-based smartphone can’t be detected by PC or detecting as “QHUSB_DLOAD”.
my semc 7227-based smartphone can’t be detected by PC.
my semc 8250-based smartphone can’t be detected by PC.

a:
at least semc boot damaged

step I.

for 8×55-based phones select USB as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press “recovery”

for 7227,8250-based phones select COM as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type)
3. pda tab, press “recovery”

important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during entire testpoint procedure

MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]

step II.

1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press “flash”

q:
during second stage of testpoint unlock procedure i made testpoint wrong/disconnect phone/etc – my phone dead, but i have security units backup.

a:
that can be fixed easy enough.

step I.

for 8×55-based phones select USB as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press “recovery”

for 7227,8250-based phones select COM as interface, then

1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type)
3. pda tab, press “recovery”

MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]

step II.

1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass, format gdfs during write

for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type), format gdfs during write

3. pda tab, select trim area package files for your phone model ( DO NOT UNPACK, DO NOT UNZIP, DO NOT TOUCH IT IN ANY WAY ) in misc. edit
4. press “write gdfs”

step III.

1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass

for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type), format gdfs during write

3. pda tab, select YOUR BACKUP SCRIPT
4. press “write script”

step IV.

1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press “flash”

q:
how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?

a:
Here is procedure.

okay, here is example how to resurrect totally dead x10 phone.
so, we have x10 phone with totally erased semcboot and trim area.
phone does not turn on, does not connect to pc anyhow.

lets resurrect it.

run setool2, select x10 as model, select com port as interface
( one where GPG resurrection cables connected )

1.
on options set signed mode,altbypass mode, use testpoint (gnd type)

2.
connect GPG x10 resurrection craddle to phone, press RECOVERY
follow program instructions.

important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during all testpoint procedure

btw, as phone has erased semcboot, you do not need apply testpoint that time.
however, that is very special case, so for simplicity lets apply testpoint all time.

here is operation output:

SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000010
 
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
 
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
 
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
 
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
 
 
WRITING SEMCBOOT ...
Checking TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
Checking MISC TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
SUCCESS

now we recovered semcboot and prepared trim area for loading.
if phone only had erased semcboot, it will already work after that step.
but our phone TOTALLY damaged, so lets proceed with second step:

we need now load trim area.
Please skip this step, if your phone do not have damaged trim area ( errors like: “TA_invalid,_format_may_be_required” )

options are same for step1 + “format gdfs when writing” checked,
select x10.zip in misc.edit and press “write gdfs”.
( any trim area, read from corresponding model live phone will work )
follow program instructions.

here is operation output:

SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000110
Will write GDFS now.
 
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
 
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
 
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
 
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
 
Can't get IMEI
will write 1010 units
done
will write 53 units
done
Phone detached
Elapsed: 23 secs.

finally, we need rebuild imei and security zone.
for that, check same options as for step1 + “do full unlock instead of usercode reset”,”allow to change imei when unlocking” checked,
press “unlock/repair”, follow program instructions

here is operation output:

 
THAT ACTION IS ILLEGAL,IF YOU DOING IT
FOR ANY PURPOSE, OTHER THAN REPAIR PHONE
 
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010010010
 
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
 
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
 
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
 
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
 
Can't get IMEI
REQUESTED : 359419030xxxxx
Checking for HWConfig ...
Waiting for calculation process ...
RESPONSE: "SUCCESS" [826]
Checking for signature ...
signature found, skipping calculation
WRITING SEMCBOOT ...
WRITING HWCONFIG ...
Unlock DONE
Elapsed: 20 secs.

from now on, phone is full repaired, testpoint cradle not needed.
reflash phone with any suitable firmware.

q:
how to repair totally damaged s1 android phones, based on qsd8x55, using alternative security bypass using testpoint?

a:
operation is very same, just select usb as interface and do not check “use testpoint (gnd type)”