HOW TO WORK WITH SEMC ODM PHONES
some basics
SEMC ODM phones are divided into two big branches:
obsolete cheap phones, where each phone has its own specific approach
j110,j120,j210,j220,z300,k200,k220,etc
these phones don’t have anything in common with SEMC structure.
Current generation, so-called S1 phones – they are based on TI chipsets, ST-Ericsson (former philips) chipsets
j132,z320,t250,w302,f305,s312,w100,w150,etc.
these phones have S1 SOMC structure: color, cid (aid), signatures, etc.
FLASHING OF SEMC S1-BASED ODM PHONES
1. select correct model
2. use com/ufs/usb as interface
3. check “signed mode”
3. add to firmware area needed firmware files
4. press flash
notes:
some old locosto s1 phones do not support USB as interface
if you want to flash brown firmware or readout, step 3 will be:
3. check “signed mode”, “alternative security bypass”
about SEMC S1 ODM files structure:
1. neptune-based (w302,s302,f305) , ST-Ericsson-based (w100,w150)
firmware contains 3 required parts:
– main (ex: R1BA017_1207_9123_GENERIC_HS_YG_RED.software)
– fs (ex: R1BA017_1207_9132_FS_ADRIATIC_HS_YG_RED.software)
– customization (ex: R6A_F305_CDF_1215_9665__FS__Entel_PCS_CL.software)
you need to flash all 3 files to get phone working with desired languages.
F305, S302, W302 SW flash should be done without memory card inserted.
If memory card is inserted during flash the flash can fail.
If you encounter this problem (the phone does not start up correctly after flash), please wait 2-3 minutes,
then reinsert the battery and start the phone again.
The phone should now start normally and the SW has been correctly updated.
Please note that the SW is flashed correctly and this will not cause any future startup problem.
2. locosto arima (t250,t280,k330,t303,r300)
contains 2 required parts
– main + language R5CA005_OLGA_ARIMA_AMERICA_2_CXC1251008_RED.software
– customization R7A_CDA102866_307__FS__Movistar_Guatemala.software
3. locosto foxconn (z250,z320,r306,j132)
– main R1BA008_1212_9858_MC_JIALI_RED.software
– icons R1BA011_1211_6339_ICN_JIALI_RED.software
(these files reside in archives like MODELx_FWVER_common.rar)
– fs+language R1BA008_1211_6093_MALAYSIA_JIALI_RED.software
– custpack R9A_R306_CDA_1212_6282__FS__Customized_SG.software
UNLOCKING OF SEMC S1-BASED ODM PHONES
server-based full signature method
1. select correct model
2. on settings, check “signed mode”, “do full unlock instead of usercode reset”
3. back to odm tab
4. press unlock
that method can fix damaged security zone.
that method depends on an external service, so it can be offline any time.
standalone patch method
1. select correct model
2. uncheck all settings
3. back to odm tab
4. press unlock
note, that such method will work only for old security locosto-based phones.
if you get an error while attempting that method – you have a new security phone and should try other methods.
server-based patch method
1. select correct model
2. on settings, check “signed mode”, “use alternative security bypass”
3. back to odm tab
4. press unlock
that method can not fix security zone.
that method is standalone in setool2 versions, greater than 1.0
user code reset
1. select correct model
2. on settings, check “signed mode”
3. back to odm tab
4. press unlock
note, that some old firmware does not support usercode reset, so if the standard code does not work after reset, reflash phone with latest firmware.
FLASHING OF SEMC ODM PHONES
1. select correct model
2. use com/ufs as interface
3. add to firmware area needed firmware
4. press flash
UNLOCKING OF SEMC ODM PHONES
broadcom based – z300,j210,j220
1. select model
2. select com/ufs as interface
3. uncheck all settings
4. press unlock
5. power on phone with unsupported sim card, press *<<*, enter the codes read.
if you have “not allowed” while entering codes, just reflash phone
calypso lite based – j110,j120,k200,k220
1. select model
2. select com/ufs as interface
3. uncheck all settings
4. press unlock
for k200,k220 this is full unlock and security zone will be automatically fixed.
for j110,j120 this is special firmware patch – after unlock, power on phone, press *<<* with unsupported card and enter any 8 digits as code for each lock.
phone will accept code and unlock will be permanent.
note, that j110,j120 phones with damaged security zone are not supported.
POSSIBLE PROBLEMS WITH S1 PHONES
damaged trim area , IMEI could not be read, simlocks state “tampered” or “0”
first, we need to restore trim area, for this :
1. select correct model
2. on settings, check “signed mode”, “enable alternative security bypass”
3. add to firmware area
if you have neptune-based phone – W302_TA.SSW
if you have t280,t303,r306,r300,k330,w205,Tilde phone – R300_TA.SSW
if you have t250 phone – t250_ta.ssw
if you have Z250,z320,t270 phone – z320_ta.ssw
if you have j132 phone – j132_ta.ssw
4. press flash
you can use trim area in .bin format to restore trim area, for this select trim area in misc. edit, check “signed mode”, “altbypass mode”, “format gdfs when writing” and press “write gdfs”
now trim area structure restored and phone should be signed with s1 signature server.
it is recommended to restore phone original IMEI first, for this :
1. create text file with contents:
taread:000107D1
2. select proper model, check on settings only “signed mode”, select created file in misc. field
3. press “write script”, file will be created in form %imei%.txt
4. look at file in notepad, you will see IMEI inside in very simple form, change IMEI to original and save file
5. select changed file in misc. field and again press write script
6. check with identify if you set correct IMEI, repeat 4,5 until success
now you need to unlock phone using signature server, consult corresponding FAQ post for that.
note, that alternative security bypass is not available for phones with aid 0004, you can not fix aid 0004 phone with damaged trim area.
phone simlock okay, not tampered, but phone is stuck, slow, rebooting. flashing does not help.
most probably, internal file system gone to winds. you need to write fullflash from working phone or write clean file system, then reflash phone
check support area for those files.
please note, that all neptune-based phones can be cured with w302_fullflash,etc (check trim area repair case)
in most cases, alternative security bypass is needed for writing fullflash.
note, that alternative security bypass is not available for phones with aid 0004.
phone can’t be detected at all
semcboot somehow got damaged ( while it is never touched by any process )
procedure to fix:
1. select correct model
2. on settings check “signed mode”
3. add EROM to firmware tab.
if you have neptune based phone: 1207-7713_EROM_S1_NEPTUN_HS_SEMC_SIMLOCK_R7A024.sin
if you have locosto based phone, then select suitable from:
J132_EROM_S1_LOCOSTO_HS_USB_R5A038_64k.sin
K330_T280_T270_EROM_S1_LOCOSTO_HS_R5A028.sin
R300_R306_T303_S1_LOCOSTO_HS_R5A031_128.SIN
for w395 CXC1250616_EROM_S1_LOCOSTO_HS_USB_FLAFLA_R5A038.sin will do job
T250_CXC1250616_EROM_S1_LOCOSTO_HS_R5A022.sin
Z250_Z320_EROM_S1_LOCOSTO_HS_R5A023.sin
4. press recovery
check if phone trim area/simlock are okay by doing identify.
repair simlock or trim area if needed.
note, that semcboot repair is not available for phones with aid 0004.
POSSIBLE PROBLEMS WITH ODM PHONES.
phone hang, can’t save photo,etc
1. write repair flash from support area
2. unlock phone
3. flash phone with latest firmware
note, that k200,k220 has two flash ic types, select samsung repair flash if you flash manu id=0xEC,
select spansion repair flash for all other types.
How to enter network unlock code for w150 (Yendo) phone ?
ENTER #123456789# TO CHECK SOFTWARE AND CHECK LOCK STATUS
ENTER #987654321# AND SELECT RED AND PUT CODE
HOW TO WORK WITH A1-BASED PHONES
FLASHING OF DB2000,DB2010 PHONES
common for all CID:
1. go to semc tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. please read notes below
6. set other settings according your needs.
7. back to semc tab, press flash.
CID 17,24,41,42,54
unsigned mode
3. skip
4. skip
5. on settings, uncheck signed mode, alternative security bypass, preloader security bypass, customize phone after flash.
for BROWN CID 41,42,73 you must disassemble phone and do testpoint operation.
testpoint is simple GND wire attached to specific points on phone board.
(upload testpoint pictures)
in that case, step 5 will be:
5. on settings, check only “use testpoint (gnd method)”
you can use special “dual” usb+serial cable in order to significantly increase flashing speed for such phones.
you can not use script for such phones.
CID 16,29,36,37,49
signed mode
5. check signed mode
unsigned mode
5. on settings, uncheck “signed mode”, “alternative security bypass”
you can only use USB as interface for phones with CID 49, some CID 36 phones can be upgraded to CID 49 via writing of corresponding EROM.
restoration files required for phones with CID 49
CID 50,51,52,53
signed mode
5. check signed mode
standalone altbypass mode
5. check “signed mode”, “use alternative security bypass”
restoration files required
bypass package required
please read FAQ post about alternative security bypass.
that is preferred mode if you want to do some additional operations during flashing process.
starting from v1.1280 this method does not require restoration and bypass package files.
however, you can not use USB as interface in this method anymore
please note, that if you put in misc. edit any file, which is NOT custpack archive, it will be treated as script command file.
UNLOCKING OF DB2000,DB2010 PHONES
CID 17
1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab
6. press unlock button
please note, that recent firmwares can’t be unlocked with such method, use cid 41,42 path or downgrade firmware.
CID 24
1. select com/ufs as interface
2. go to sharp tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on sharp tab
6. press unlock button
in some cases you must flash special patched firmware from support area before unlock.
CID 41,42
1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab
6. press unlock button
Skip next instructions, if you are using setool2 >= v1.1104
if phone BROWN CID 41,42 then you must disassemble phone and do very easy testpoint.
testpoint is simple GND wire, attached to needed point on phone board.
step 4 should be like that:
4. on settings tab, check “use testpoint (gnd method)”
testpoint pictures : 8180 testpoint.jpg u8380tpbestcool9ay.jpg
CID 16,29,36,37
1. select com/ufs as interface
2. go to semc tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on semc tab
6. press unlock button
that CID is obsolete and upgrade to CID 49 via writing corresponding EROM is recommended.
you can not use USB as interface for phones with such CID.
recovery operation supported for such phones, damaged EROM can be restored without problems.
no special files are required for such phones.
CID 49
standalone method
1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on semc tab
6. press unlock button
you can not use USB as interface, if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
those files can be downloaded from support area or created automatically :
place main part of unsupported firmware in firmware area, press identify and attach phone with unsupported firmware.
this method is removed from setool2 ( starting from v1.1280 ), use reset-based standalone unlock.
CSCA method
1. select usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”
5. back on semc tab
6. press unlock button
that is not recommended method for unlocking such phones, slow and useless.
you can not repair damaged SCRC via that method.
recovery operation not supported for such phones, reset operation should be used in order to repair damaged EROM.
you can repair damaged GDFS, damaged SCRC standalone for such phones.
CID 50,51,52,53
standalone patch unlock method via alternative security bypass
1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”, “alternative security bypass”
5. back on semc tab
6. press unlock button
you can not use that method, if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
bypass packages required for that method.
please read FAQ post about alternative security bypass.
this method is removed from setool2 ( starting from v1.1280 ), use standalone reset-based method
standalone RESET-based method
1. select com/ufs as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”, “alternative security bypass”
5. back on semc tab
6. press unlock button
that is recommended method to use with those phones
you can fix SCRC using that method
CSCA method
1. select usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”
5. back on semc tab
6. press unlock button
please note, that phones with cid 51,52,53 require credits and internet access in order to unlock using CSCA method.
that is obsolete method, should not be used, because it is long and credit-consuming
recovery operation not supported for such phones,
reset operation should be used in order to repair damaged EROM, damaged GDFS, damaged SCRC.
CID 54
1. select com/ufs as interface
2. go to lg tab
3. select correct model
4. on settings tab, uncheck all settings.
5. back on lg tab.
6. add to firmware area special patched firmware from support area.
7. press flash
if any trouble happens, you must reflash phone with original ( not patched ) firmware.
testpoint picture to use, when original firmware can’t be flashed : tp8550.JPG
CID 73
disassemble phone.
1. select com/ufs as interface
2. go to sharp tab
3. select correct model
4. on settings tab, check “use testpoint (gnd method)”
5. back on sharp tab
6. press unlock button, attach testpoint when asked
testpoint pictures : 703SH%202006%20no%20need%20open%20the%20phone.jpg 64ed070aeeb5eb62d36dca8d45c7b618.JPG
FLASHING OF DB2020,PNX5230 PHONES
common for all CID:
1. go to semc tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. please read notes below
6. set other settings according your needs.
7. back to semc tab, press flash.
CID 36
such phones should be upgraded to CID 49 via writing of corresponding EROM.
CID 49,51,52,53
signed mode
5. check signed mode
that is preferred mode if you need just flash phone.
standalone altbypass mode
5. check “signed mode”, “use alternative security bypass”
restoration files required
bypass package required
please read FAQ post about alternative security bypass.
starting from v1.1280 this method only requires restoration and bypass package files for PNX5230-based phones.
that is preferred mode if you want to do some additional operations during flashing process.
please note, that if you put in misc. edit any file, which is NOT custpack archive, it will be treated as script command file.
UNLOCKING OF DB2020,PNX5230 PHONES
CID 36
that CID is obsolete and upgrade to CID 49 via recovery to CID 49, then writing corresponding EROM required.
recovery operation supported for such phones, damaged EROM can be restored without problems.
CID 49,51,52,53
CSCA method
1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”, “do full unlock instead usercode reset”
5. back on semc tab
6. press unlock button
that is obsolete method for unlocking such phones.
it should only be used if you want to full unlock PNX5230-based phones.
you can not repair damaged SCRC via that method.
standalone patch unlock method via alternative security bypass
1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”, “alternative security bypass”
5. back on semc tab
6. press unlock button
you can not use that method, if SCRC damaged ( IMEI mismatch in IDENTIFY output )
restoration files required for that method.
bypass packages required for that method.
please read FAQ post about alternative security bypass.
this method is removed from setool2 ( starting from v1.1280 ) and only used in PNX5230-based phones.
RESET-based method
standalone RESET-based method
1. select com/ufs/usb as interface
2. go to semc tab
3. select correct model
4. on settings tab, check “signed mode”, “alternative security bypass”
5. back on semc tab
6. press unlock button
that method is NOT supported on PNX5230-based phones.
that is recommended method to unlock DB2020-based phones.
recovery operation not supported for DB2020 phones, reset operation should be used in order to repair damaged EROM.
you can repair damaged GDFS, damaged SCRC via reset operation for such phones.
POSSIBLE PROBLEMS
after flash, phone said “configuration error, please contact provider”
write custpack or use “customize phone after flash” option.
alternative security bypass failed because of missing rest file,phone dead
get rest file, check only preloader security bypass and press unlock or
reflash supported firmware with “signed mode” only checked
damaged security units, damaged gdfs area, damaged EROM
CID 16,17,24,29,36,37
1. select proper model
2. on settings, check “format gdfs when writing”
3. press recovery
4. add to firmware area proper EROM if applicable
5. press flash
6. add to misc. field gdfs in .bin format
7. press write gdfs
8. press unlock
9. reflash phone
CID 41,42,54,73
disassemble phone.
1. select proper model
2. on settings, check “format gdfs when writing”, “use testpoint (gnd method)”
3. add to misc. field gdfs in .bin format
4. press write gdfs
5. press unlock
6. reflash phone
you must use testpoint for such phones (upload testpoint pictures)
CID 49
1. select proper model
2. on settings, check “unlock during flash process”
3. add to firmware area proper gdfs in ssw format
4. if desired, add to firmware area proper main,fsimage
5. press flash
please note, if EROM damaged on such phones, you must execute reset operation.
CID 50,51,52,53
this is so-called reset procedure.
1. go to emptyboard tab
2. select proper model
3. on settings, check “signed mode”
4. press recovery
5. after successful recovery
6. on settings uncheck all
7. if gdfs totally damaged, add to firmware area proper gdfs in ssw format,otherwise skip that step
8. add to firmware area proper EROM (EROM CID >= OTP CID)
9. press flash
10. if needed,reflash phone on usual semc tab with needed settings.
HOW TO WORK WITH A2-BASED PHONES
FLASHING OF A2 PHONES
common for all CID:
1. go to semc a2 tab, select proper model
2. add to firmware area correct MAIN, FS IMAGE parts of firmware. order not important.
3. select in misc. field needed CUSTPACK (.zip archive with customization files)
4. if you do not have CUSTPACK, you MUST check on settings “customize phone after flash”
5. set “signed mode” on settings tab.
6. set other settings according your needs.
7. back to semc a2 tab, press flash.
CID 26,54,60,185,186
skip step 3,4.
UNLOCKING OF A2 PHONES
CID 49,51,52,53
standalone usercode reset
1. select proper model
2. on settings, check “signed mode”
3. back to semc a2 tab, press unlock
CID 49,51,52,53
standalone full reset-based unlock
1. select proper model
2. select needed domain (leave “current” for no change)
3. on settings, check “signed mode”, “use alternative security bypass”
4. back to semc a2 tab, press unlock
that method can fix damaged SCRC and fixing SEMCBOOT automatically.
that is preferred method for such phones.
server-based full signature unlock
1. select proper model
2. on settings, check “signed mode”, “do full unlock instead usercode reset”, fill login details
3. back to semc a2 tab, press unlock
that method can not fix SCRC.
CID 80,81
server-based full signature unlock
1. select proper model
2. on settings, check “signed mode”, “do full unlock instead usercode reset”, fill login details
3. back to semc a2 tab, press unlock
that method can not fix SCRC.
if s1 signature server offline, you can not use quick (without modem drivers) unlock.
instead, you should :
1. select proper model
2. on settings, check “signed mode”, “do full unlock instead usercode reset”, “disable flash mode activation for semc a2 phones”, fill login details
3. back to semc a2 tab, press unlock
4. when prompted, install phone modem drivers
(they can be found in drivers\Modem_Drivers or will be automatically installed if you install semc pc suite)
5. when you will get message “unlock done” – do not remove cable or battery,
wait until phone automatically power on, otherwise you will get 5 locks and need to repeat procedure.
you can not unlock last SEMC A2 phone ( j108 ) with CSCA method, use special bypass mode.
you MUST flash r7cXXX firmware version to be able unlock w20 phone with CSCA method.
CID 26,54,60,185,186
standalone full unlock
1. select proper model
2. on settings, check “signed mode”
3. back to semc a2 tab, press unlock
that method can fix SCRC.
that is preferred method to unlock such phones.
POSSIBLE PROBLEMS AND METHODS OF REPAIR
CID 49,51,52,53
damaged trim area (ta_open errors)
1. select proper model or model,based on same chipset
2. convert phone to r&d (brown) domain, for that unlock phone in alternative security bypass mode with brown domain set.
3. if your phone based on db3200 chipset – add to firmware area elle_ta.ssw
if your phone based on db3210 chipset – add to firmware area Shiho_TA.ssw
if your phone based on db3350 chipset – add to firmware area aino_ta.ssw
(exception should be done for latest db3350 phones: w20,j10,j20 – aino_ta.ssw will not work for them)
4. set ecc mode: none (0)
5. on settings, check only signed mode
6. press flash
7. get gdfs package from proper model working phone, add it to misc. field
8. press write gdfs
9. unlock phone using alternative security bypass mode
10. reflash phone fully.
alternative way, need to use at least setool2 1.08
1. select proper model or model,based on same chipset
2. convert phone to r&d (brown) domain, for that unlock phone in alternative security bypass mode with brown domain set.
3. select in misc. edit proper gdfs package, DO NOT unzip gdfs package, just select it as is.
4. on settings, check only signed mode
5. press write gdfs
6. unlock phone using alternative security bypass mode
7. reflash phone fully.
phone does not startup or stuck on “please wait”
unlock phone using alternative security bypass
CID 54
phone stuck on lg logo.
first reflash phone fully with latest firmware version.
if that not help, then
1. select proper model, on settings check only “signed mode”
2. if your phone db3200, add to firmware area gt505_syspart_fix.ssw
3. press flash
4. press unlock
5. press “clear names”
6. reflash phone fully with required firmware
if phone still hangs on lg logo, redo operation with different step 2:
2. if your phone db3200, add to firmware area gt505_syspart_fix.ssw,gt505_drm_fix.ssw ( or corresponding model files )
6. if needed, write gdfs package from proper model working phone, unlock phone after
CID 60,185,186
1. unlock phone
2. reflash phone
3. if needed, write gdfs package from proper model working phone, unlock phone after
special post regarding lg gt40x phones, can be used as reference for other lg db3200-based cid54 phones.
user MUST use setool2 version at least 1.083.
i will use “BIN_GT400AT-00-V10e-EUR-XX-JUN-07-2010+0” as example, cause i like it
if phone in “dead state”:
1. best scenario, should work always
select gt400, options: signed mode, add to firmware area in order:
GT40x_cxc000000_APPLICATION_PHONE_SB_IAR-ARM-NAND.ssw
GT400_CXC_FS_CABS_LP_NAND_commercial_EUR_OPEN.ssw
GT40x_CXC_LGPXO_SYS_CABS_LP_NAND_commercial.ssw
gt400_syspart_fix.ssw
gt505_drm_fix.ssw
add to misc edit
gt400_update_gdfs_20100324.gdf.gdfs
press flash
press unlock
power on phone and enjoy power of setool2 ;)
if phone in “working state”:
1. best scenario
select gt400, options: signed mode
press unlock
power on phone and enjoy power of setool2 ;)
it is absolutely necessary to use fix files from setool2 version at least 1.083
if you will check “use high speed usb flashing” – you will save at least 3 minutes, so worth to check.
when “switching…” message will appear, windows will find and install usbflash drivers.
if switching process fails, just repeat procedure.
HOW TO CONNECT SAMSUNG M5650, SGH-A697, SGH-A797
1. power off phone
2. Connect the cable to M5650 while you press Volume Down + Camera key and connect to PC via USB cable
Connect the cable to SGH-A697 while you press 1 + 0 and connect to PC via USB cable
Connect the cable to SGH-A797 while you press 1 + message key and connect to PC via USB cable
q: how to unlock j108 phone without s1 signature server being online ?
a:
you need to have setool2 v1.1285 or higher.
you need to have test sim card ( with mnc/mcc 00101 ) in phone.
you need to have memory card in phone.
you need to have valid username/password with at least 3 credits.
phone should be in working state.
procedure is complicated and definitely NOT for beginners.
1. flash any R7EA011 firmware into phone.
fully power on phone, wait until phone setup will be completed.
this is absolute requirement.
important !
do identify before unlock steps or make trim area backup.
that will greatly help you if anything will go wrong.
2. run setool2, check that valid username/password entered, then go to “j108 bypass” tab.
press “upload executor package”
insert test sim card, memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it, wait until setup complete and power off phone again.
3. press “upload executor extractor”
insert test sim card, memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it, wait until setup complete
set usb connection in phone options to “file transfer” ,connect phone to cable and copy from memory card “other\executor.b” to setool2\backup\%imei% .
setool2 will open that folder for you in minimized state, check taskbar.
( if your system recognize phone as MTP device, you can copy file without setting USB connection to “file transfer” )
power off phone.
4. press “unlock phone”
insert test sim card ( can use accepted operator sim card ), memory card, connect powered off phone while holding “C” button
after initial procedure, disconnect phone , power on it,
set usb connection in phone options to “other OS”
install phone MODEM drivers, if required ( dist\drivers\Modem_Drivers )
wait, until setool2 finish procedure.
after setool2 finish procedure, do not disconnect phone from cable, do not remove phone battery, until phone powers on by itself.
otherwise you need to restore secunits backup and repeat step 3 from beginning.
this is not patch unlock, phone unlock is permanent
important !
delete executor from games !
cause once user will run executor, phone will enter “5-locks” state …
the only way to fix it – restore secunits backup and run unlock procedure again, from step 3 , no more credits required
It is not 100% confirmed, but it looks like, if the following conditions are met
1. j108 phone was unlocked by unique setool2 bypass method
2. user run executor and phone became 5-locks
3. you do not have security units backup for phone
you CAN just perform standard CSCA unlock and phone will be successfully unlocked.
of course, you DO NOT need any additional credits.
HOW TO WORK WITH SEMC PDA PHONES
first, basics.
SEMC created few types of PDA:
db200x+nexperia (SYMBIAN OS)
m600,w950,w960,p1,p990
such phones have two security type – NEW and OLD.
Identify button will show security type – it will write “NEW SECURITY detected” with NEW security phones.
it is better to install PDA phone drivers and PDA flash drivers before any operation.
phone drivers:
for that you need to download phones.rar from support or from SEMC
turn on phone. in “connections manager->usb” select “normal mode”.
now, attach cable.
windows will ask you for drivers, point it to corresponding folder within extracted phones.rar.
you must have “semc xxx usb modem” and “semc xxx application port” if drivers correctly installed.
now, turn phone off and detach it.
flash drivers:
power on smartphone in fw update mode.
– for p990/m600 press and hold “@” on TURNED OFF phone, then attach dcu60.
– for w950,w960,p1 press and hold “C” on TURNED OFF phone, then attach dcu60.
windows will ask you for drivers. drivers are in %setool2 dist%\drivers\Smartphone_Drivers
S1 OPEN (SYMBIAN OS) ( ti omap + db3xxx )
satio,vivaz,vivaz pro
S1 QUALCOMM,MT BASED (ANDROID OS)
all other models
FLASHING OF A1-BASED PDA PHONES
download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
on settings,check “signed mode”
press flash
note, if phone have BROWN domain, you must FIRST flash conversion packs:
for brown cid 36: pda_ccpu_convert_red49_signed_brown36.zip
for brown cid 49: pda_ccpu_convert_red49_signed_brown49.zip
for w960,p1:
for brown cid 49: pda_ccpu_convert_red53_signed_brown49.zip
UNLOCKING OF A1-BASED PDA PHONES
if you want to UNLOCK NEW SECURITY phone –
check “use server” and enter your login/password.
please check FAQ article about credit consumptions for your phone.
press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.
if you want to UNLOCK OLD SECURITY phone –
UNCHECK “use server”.
BE SURE you have latest REST files.
now, you need install drivers for flashing.
for that, power on smartphone in fw update mode.
– for p990/m600 press and hold “@” on TURNED OFF phone, then attach dcu60.
– for w950 press and hold “C” on TURNED OFF phone, then attach dcu60.
windows will ask you for drivers. drivers are in %setool2 dist%\drivers\Smartphone_Drivers
now, when all preparations finished – press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.
FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)
download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
on settings,check “signed mode”
press flash
connect turned off phone while holding “green” button.
FLASHING OF S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)
download needed firmware package.
( two main files,both REQUIRED. APP – OS kernel, radio part, FSP – user and android OS system data,
CDF – internal storage contents, eLabel – electronic label )
add it to firmware area on PDA tab.
Order is IMPORTANT – ALWAYS add APP part first, then FSP, then eLabel, then CDF
Some MT-based phones can be irreversibly killed, if APP part is NOT first package to flash.
UNPACK package archive, if packed (unzip,unrar, but DO NOT unpack *.sin_file_set itself ), ADD *.file_set to firmware area
on settings,check “signed mode”
press flash
connect turned off phone while holding “BACK” button.
UNLOCKING OF S1-OPEN PDA PHONES
select USB as interface. that is REQUIRED.
select phone model
settings – check ONLY “signed mode (using server)”, “do full unlock instead of usercode reset”, fill your login details.
back to original tab, press unlock, “GREEN BUTTON”
if the signature is calculated – you will receive a ‘SUCCESS’ response, otherwise you will receive an error code.
if the calculation succeeds, the signature will be saved in the backup\%imei% folder in your setool2 directory.
next, a backup will be created so you will be able to restore the phone if something goes wrong.
the procedure will continue, the phone will be switched off and unlocked.
remember, if something goes wrong – you have a backup of security units.
please check “credits consumption” FAQ post for info about number of credits.
UNLOCKING OF S1-ANDROID PDA PHONES
server based full official unlock method. Only available when the s1 signature server is online
select USB as interface. that is REQUIRED.
select phone model
settings – check ONLY “signed mode (using server)”, “do full unlock instead of usercode reset”, fill your login details.
back to original tab, press unlock, hold “BACK BUTTON” and insert cable to powered off phone.
if the signature is calculated – you will receive a ‘SUCCESS’ response, otherwise you will receive an error code.
if the calculation succeeds, the signature will be saved in the backup\%imei% folder in your setool2 directory
( if something happened with the phone during unlock – cable disconnect, etc. – following unlock attempts will be free as long as the signature remains there )
next, a backup will be created so you will be able to restore the phone if something goes wrong.
the procedure will continue, the phone will be switched off and unlocked.
remember, if something goes wrong – you have a backup of security units.
please check “credits consumption” FAQ post for info about number of credits.
server based full unlock method using alternative security bypass
please read that post
GESTURE LOCK/USER PASSWORD RESET FOR S1-ANDROID PDA PHONES
check signed mode only, press unlock.
hold “BACK BUTTON” and insert cable to powered off phone.
if the phone has a blocked attempts counter, then you need to reflash the phone after lock reset.
POSSIBLE PROBLEMS
DB200X+NEXPERIA
damaged SCRC (imei mismatch), damaged seczone, damaged gdfs, damaged CCPU EROM
1. go to emptyboard tab
2. select model
3. on settings, check “signed mode”, fill login details
4. press reset, connect phone
5. if the gdfs structure is okay, skip that step, otherwise add to firmware area a gdfs in ssw format: one of
DB2001_M600_GDFS_IN_SSW_FORMAT.ssw
DB2001_P1_GDFS_IN_SSW_FORMAT.ssw
DB2001_P990_GDFS_IN_SSW_FORMAT.ssw
6. add to firmware area correct EROM
for w960,p1: pda_ccpu_convert_red53_BROWN_CID49_DB2001.software
7. press flash
8. reflash phone on usual PDA tab if needed.
phone could not boot using dcu60, erom version timeout error,etc
ACPU EROM is damaged; to restore it:
2. find the corresponding EROM in dist\eroms\, add it to firmware area
3. select the correct com port. ufs and usb can’t be used for that operation.
4. press recovery
5. connect turned off phone
6. reflash phone via USB with normal firmware
S1 OPEN
phone could not boot and blinks red, you CAN flash phone
unlock phone using full signature unlock
phone stuck on white screen
reflash clean file system files, then flash normal firmware
phone could not boot and blinks red, you CAN NOT flash phone
if the phone aid is 004 – that is a brick, it can’t be repaired by known 3rd party tools
if the phone aid is 001, 002 or 003 – you need to perform the trim area repair process:
first, make a flash readout with options: signed mode, use alternative security bypass.
start 80021000
len 00200000
MID 01
“read spare” UNCHECKED
“read as ssw” UNCHECKED
you will get a trim area image readout.
now let’s determine if hwconfig is present and not mismatched.
get a hex editor (hiew, winhex or similar)
using the editor search function, locate bytes d3 07 00 00 in the readout
now check the attached picture.
if the imei is yours, then you can try to fix the phone.
if the imei is not yours and you do not have a backup – send the phone to semc.
now, let’s extract the needed trim area units and build the script.
1.
you need to copy binary data from “data start” till “data end” (inclusive)
then convert binary data to its ASCII values (with same winhex)
add script command to data
example, from example file read_80021000_00200000_35681003102941.bin:
read_80021000_00200000_35681003102941.zip
tawrite:
2. using editor search function, locate in readout bytes da 07 00 00.
extract binary data ( method very same as shown on picture ), add script command
tawrite:
3. using editor search function, locate in readout bytes 51 08 00 00.
extract binary data ( method very same as shown on picture ), add script command
tawrite:
4. you now have 3 big strings.
copy them into one file (each string should be on one line !)
add the 4th script command at the end of the file
tawrite:0002FDE800
you now have your own fixup file.
fixup_35681003102941.txt
proceed to http://support.setool.net/showthread…ll=1#post15855
notice that if you get a simlock tampered message after the fix procedure, you NEED to unlock the phone using the signature server.
tutorial video by Aishur: http://www.4shared.com/folder/RCU5KkCO/Satio_fixup.html
m_taheri has written a tool for automatic fixup creation.
S1 ANDROID
q:
i had unlocked my phone using alternative security bypass method, but phone not unlocked.
a:
you did not set all required settings.
you must check “signed mode”, “alternative security bypass mode”, “do full unlock instead of usercode reset”
q:
i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits,
but phone not unlocked.
a:
just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
no further credits will be required.
q:
which s1 android based phones i can unlock using alternative security bypass ?
a:
you can use that method for
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones can also use testpoint method (complex, but powerful ) for unlock/repair
q:
how to unlock s1 android based phones, based on msm7227,qsd8250 using alternative security bypass without testpoint ?
a:
Here is procedure.
1.
make sure you have firmware with android 2.x, NOT 1.6.
flash required firmware, if needed.
2.
power on phone without sim card, go to menu->settings->applications->development, enable “usb debugging”
connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)
hint:
i suggest you import DisableADBNumbering.reg (DisableADBNumbering.zip), however this is not required.
3.
select proper phone model.
select USB as interface
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
press unlock
when prompted, detach the phone, turn it on fully, connect it again.
( or you can leave the phone on the cable, then power it on manually )
when the program says “warming up…”, manually power on the phone fully, because it will automatically enter charging mode.
after you see “GETTING ROOT ACCESS …” DO NOT TOUCH PHONE until procedure complete.
DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
SUCH KILLED PHONES CAN BE REPAIRED WITH RESURRECTION CABLES.
possible problems:
problem:
you are getting “Can’t get ROOT rights”, “err: 00000005”, “err: 00000002” during the process
solution:
disable antivirus, especially if you are using “kaspersky antivirus”, i recommend Doctor Web
do NOT run setool2 from restricted accounts.
do NOT run setool2 from read-only media.
problem:
it can happen ( very unlikely, though ) that the ADB server will not recognize the phone after reboot
solution:
IF the phone is not detected automatically and you can see “waiting for phone…” on the status bar, then – and only in that case – disconnect the phone from usb and connect it again; the procedure should continue.
if not, well, repeat from the start.
q:
how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?
a:
Here is procedure.
FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD
1.
prepare for testpoint operation.
check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
open testpoints for access
if you do not have GPG cable set, get some needle with wire, connect it to phone GND ( battery minus ) or to USB cable shield, etc.
Notice, that most of UART “boxes” for sony ericsson phones have 2 UARTs : DTMS/DFMS and CTMS/CFMS ( TX/RX ) on RJ45 connector.
you need to connect DTMS, noted on schematics, to TX ( CTMS ) pin on RJ45 connector, DFMS from schematics to CFMS ( RX ) pin on RJ45.
2.
select proper phone model.
select COM as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
fill login/password and check that the account is valid.
press unlock
when prompted, execute steps in EXACT order:
- remove cable from phone,
- remove battery from phone,
- attach testpoint ( turn on switch on cable set )
- insert cable to phone, HOLDING TESTPOINT ( cable set switch in “on” position )
- press “ready”
- when prompted detach testpoint
- press “ready”
- install drivers from dist\drivers\USBFlash_driver\ ( if asked )
God willing, the phone will be unlocked.
q:
how to unlock s1 android based phones, based on qsd8x55, using alternative security bypass using testpoint?
a:
Here is procedure.
1.
prepare for testpoint operation.
check testpoint location for your phone model in dist\docs\
open testpoint for access
get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.
2.
select proper phone model.
select USB as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
fill login/password and check that the account is valid.
press unlock
when prompted, execute steps in EXACT order:
- remove cable from phone,
- remove battery from phone,
- attach testpoint
- press “ready”
- insert cable to phone, HOLDING TESTPOINT
- install drivers from dist\drivers\USBFlash_driver\
make sure that the driver for qhusb_dload ( the device which will appear after a successful testpoint ) is installed from dist\drivers\usbflash_drivers and named “ZEUS Flash Device”.
Install the driver manually if the testpoint driver is named otherwise.
- when prompted detach testpoint
- press “ready”
God willing, the phone will be unlocked.
q:
my semc 8x55-based smartphone can’t be detected by PC or is detected as “QHUSB_DLOAD”.
my semc 7227-based smartphone can’t be detected by PC.
my semc 8250-based smartphone can’t be detected by PC.
a:
at least the semc boot is damaged
step I.
for 8x55-based phones select USB as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press “recovery”
for 7227,8250-based phones select COM as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type)
3. pda tab, press “recovery”
important notice:
for msm7227 phones, insert the battery in the phone after you have attached the testpoint.
for x10 phone connect RED dot to GND permanently during the entire testpoint procedure
if you get the following output
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
and do not have a trim area backup, that’s bad, but you can still fix the phone: check next post
step II.
1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press “flash”
q:
during the second stage of the testpoint unlock procedure i made the testpoint wrong/disconnected the phone/etc – my phone is dead, but i have a security units backup.
a:
that can be fixed easily enough.
step I.
for 8x55-based phones select USB as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press “recovery”
for 7227,8250-based phones select COM as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type)
3. pda tab, press “recovery”
if you get output like
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
then and only then perform the next step, otherwise skip to step IV
step II.
1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass, format gdfs during write
for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type), format gdfs during write
3. pda tab, select trim area package files for your phone model ( DO NOT UNPACK, DO NOT UNZIP, DO NOT TOUCH IT IN ANY WAY ) in misc. edit
4. press “write gdfs”
step III.
1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass
for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint (“GND” type), format gdfs during write
3. pda tab, select YOUR BACKUP SCRIPT
4. press “write script”
step IV.
1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press “flash”
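The step I decision in the answer above (steps II and III only when the recovery output reports an invalid trim area, otherwise straight to step IV) can be checked from a saved log. This is an added Python example, not part of the original FAQ and not setool2 code; the sample logs are constructed in the shape of the output quoted on this page, and the function names are hypothetical.

```python
import re

# Constructed sample logs, shaped like the setool2 "recovery" output quoted on
# this page (pasted as one run-together line, as the tool output appears here).
LOG_TA_DAMAGED = (
    'SIGNED MODE (USING SERVER) ALTERNATIVE SECURITY BYPASS ENABLED CFG:110010000010 '
    'RUNNING S1_LOADER VER "R4A024" LOADER AID: 0001 FLASH ID: "002C/00B3" '
    'LOADER VERSION: "r4A024" WRITING SEMCBOOT ... Checking TA ... '
    'MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ] Writing config ... '
    'MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ] '
    'Formatting ... Checking MISC TA ... '
    'MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ] '
    'Formatting ... SUCCESS'
)
LOG_TA_OK = (
    'SIGNED MODE (USING SERVER) ALTERNATIVE SECURITY BYPASS ENABLED CFG:110010000010 '
    'RUNNING S1_LOADER VER "R4A024" LOADER AID: 0001 FLASH ID: "002C/00B3" '
    'LOADER VERSION: "r4A024" WRITING SEMCBOOT ... Checking TA ... SUCCESS'
)

TA_INVALID = 'TA_invalid,_format_may_be_required'
FIELDS = {
    'cfg': re.compile(r'CFG:([01]+)'),
    'loader_aid': re.compile(r'LOADER AID:\s*([0-9A-Fa-f]+)'),
    'flash_id': re.compile(r'FLASH ID:\s*"([^"]+)"'),
}
# "MINOR ERROR [ <class>: <code>, <detail> ]"; the detail may itself contain a comma.
MINOR_ERROR = re.compile(r'MINOR ERROR \[\s*\w+:\s*\w+,\s*([^\]]+?)\s*\]')


def parse_recovery_log(text):
    """Extract header fields and the distinct MINOR ERROR details, in order."""
    info = {}
    for name, pattern in FIELDS.items():
        m = pattern.search(text)
        info[name] = m.group(1) if m else None
    info['errors'] = list(dict.fromkeys(MINOR_ERROR.findall(text)))
    return info


def remaining_steps(text):
    """Steps left after step I, following the rule in the answer above:
    steps II and III only when the trim area is reported invalid."""
    if TA_INVALID in parse_recovery_log(text)['errors']:
        return ['II', 'III', 'IV']
    return ['IV']


if __name__ == '__main__':
    for label, log in (('damaged TA', LOG_TA_DAMAGED), ('intact TA', LOG_TA_OK)):
        print(label, parse_recovery_log(log), remaining_steps(log))
```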
q:
how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?
a:
Here is procedure.
okay, here is an example of how to resurrect a totally dead x10 phone.
so, we have an x10 phone with totally erased semcboot and trim area.
the phone does not turn on and does not connect to the pc in any way.
let’s resurrect it.
run setool2, select x10 as model, select com port as interface
( one where GPG resurrection cables connected )
1.
on options set signed mode,altbypass mode, use testpoint (gnd type)
2.
connect the GPG x10 resurrection cradle to the phone, press RECOVERY
follow program instructions.
important notice:
for msm7227 phones, insert the battery in the phone after you have attached the testpoint.
for x10 phone connect RED dot to GND permanently during the entire testpoint procedure
btw, as the phone has erased semcboot, you do not need to apply the testpoint this time.
however, that is a very special case, so for simplicity let’s always apply the testpoint.
here is operation output:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000010
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
WRITING SEMCBOOT ...
Checking TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
Checking MISC TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
SUCCESS
now we have recovered semcboot and prepared the trim area for loading.
if the phone only had erased semcboot, it will already work after that step.
but our phone is TOTALLY damaged, so let’s proceed with the second step:
we now need to load the trim area.
Please skip this step if your phone does not have a damaged trim area ( errors like: “TA_invalid,_format_may_be_required” )
options are the same as for step1 + “format gdfs when writing” checked,
select x10.zip in misc.edit and press “write gdfs”.
( any trim area, read from corresponding model live phone will work )
follow program instructions.
here is operation output:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000110
Will write GDFS now.
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
Can't get IMEI
will write 1010 units
done
will write 53 units
done
Phone detached
Elapsed: 23 secs.
finally, we need to rebuild imei and security zone.
for that, check the same options as for step1 + “do full unlock instead of usercode reset”, “allow to change imei when unlocking” checked,
press “unlock/repair”, follow program instructions
here is operation output:
THAT ACTION IS ILLEGAL,IF YOU DOING IT FOR ANY PURPOSE, OTHER THAN REPAIR PHONE
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010010010
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
Can't get IMEI
REQUESTED : 359419030xxxxx
Checking for HWConfig ...
Waiting for calculation process ...
RESPONSE: "SUCCESS" [826]
Checking for signature ...
signature found, skipping calculation
WRITING SEMCBOOT ...
WRITING HWCONFIG ...
Unlock DONE
Elapsed: 20 secs.
from now on, the phone is fully repaired, the testpoint cradle is not needed.
reflash the phone with any suitable firmware.
q:
how to repair totally damaged s1 android phones, based on qsd8x55, using alternative security bypass using testpoint?
a:
the operation is the very same, just select usb as interface and do not check “use testpoint (gnd type)”