Work with semc pda phones

[sundar]

first, basics.

SEMC created few types of PDA:

db200x+nexperia (SYMBIAN OS)
m600,w950,w960,p1,p990

such phones have two security type - NEW and OLD.
Identify button will show security type - it will write "NEW SECURITY detected" with NEW security phones.

if is better to install PDA phone drivers and PDA flash drivers before any operation.

phone drivers:

Code: [Select]

for that you need to download phones.rar from support or from SEMC
turn on phone. in "connections manager->usb" select "normal mode".
now, attach cable.
windows will ask you for drivers, point it to corresponding folder within extracted phones.rar.
you must have "semc xxx usb modem" and "semc xxx application port" if drivers correctly installed.
now, turn phone off and detach it.
flash drivers:

Code: [Select]

power on smartphone in fw update mode.

- for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
- for w950,w960,p1 press and hold "C" on TURNED OFF phone, then attach dcu60.

windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers

S1 OPEN (SYMBIAN OS)
satio,vivaz,vivaz pro

S1 QUALCOMM BASED (ANDROID OS)
x10,x10mini,x10mini pro,xperia neo,xperia play,xperia arc, many more upcoming models

[sundar]

FLASHING OF A1-BASED PDA PHONES
 
download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash
 
note, if phone have BROWN domain, you must FIRST flash conversion packs:
 
 

for m600,w950,p990:
for brown cid 36: pda_ccpu_convert_red49_signed_brown36.zip
for brown cid 49: pda_ccpu_convert_red49_signed_brown49.zip
for w960,p1:
for brown cid 49: pda_ccpu_convert_red53_signed_brown49.zip

[/COLOR]

[sundar]

UNLOCKING OF A1-BASED PDA PHONES

if you want to UNLOCK NEW SECURITY phone -

check "use server" and enter your login/password.
please check FAQ article about credit consumptions for your phone.

press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

if you want to UNLOCK OLD SECURITY phone -

UNCHECK "use server".
BE SURE you have latest REST files.

now, you need install drivers for flashing.
for that, poweron smartphone in fw update mode.

- for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
- for w950 press and hold "C" on TURNED OFF phone, then attach dcu60.

windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers

now, when all preparations finished - press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.

[sundar]

FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)

download needed firmware package.
add it to firmware area on PDA tab.
DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash

connect turned off phone while holding "green" button.

FLASHING OF S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)

download needed firmware package. ( two files,both REQUIRED. APP - os kernel, radio part, FSP - user and android os system data)
add it to firmware area on PDA tab.
UNPACK PACKAGE (unzip,unrar, DO NOT unpack *.file_set ), ADD *.file_set to firmware area
on settings,check "signed mode"
press flash

connect turned off phone while holding "BACK" button.

[sundar]

UNLOCKING OF S1-OPEN PDA PHONES

select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

back to original tab, press unlock, "GREEN BUTTON"

if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory.
next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.


UNLOCKING OF S1-ANDROID PDA PHONES

server based full official unlock method. Only available, when s1 signature server online

select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.

back to original tab, press unlock, hold "BACK BUTTON" and insert cable to powered off phone.

if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory
(following unlock attempts, if something had happen with phone - cable disconnect,etc - during unlock - will be free as long as signature remains there )

next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.

server based full unlock method using alternative security bypass

please read that post


GESTURE LOCK/USER PASSWORD RESED FOR S1-ANDROID PDA PHONES

check signed mode only, press unlock.
hold "BACK BUTTON" and insert cable to powered off phone.

if phone has blocked attempts counter, then you need reflash phone after lock reset.

[sundar]

POSSIBLE PROBLEMS
 
DB200X+NEXPERIA
 
damaged SCRC (imei mismatch), damaged seczone, damaged gdfs,damaged CCPU EROM
 
1. go to emptyboard tab
2. select model
3. on settings, check "signed mode", fill login details
4. press reset, connect phone
5. if gdfs structure okay, skip that step, otherwise add to firmware are gdfs in ssw format: one of

DB2001_G700_GDFS_IN_SSW_FORMAT.SSW
DB2001_M600_GDFS_IN_SSW_FORMAT.ssw
DB2001_P1_GDFS_IN_SSW_FORMAT.ssw
DB2001_P990_GDFS_IN_SSW_FORMAT.ssw

6. add to firmware area correct EROM

for m600,w950,p990: pda_ccpu_convert_red49_BROWN_CID49_DB2001.software

[/COLOR]

for w960,p1: pda_ccpu_convert_red53_BROWN_CID49_DB2001.software

7. press flash
8. reflash phone on usual PDA tab if needed.
 
phone could not boot using dcu60, erom version timeout error,etc
 
ACPU EROM damaged, to restore it
 

1. select correct PDA model
2. find corresponding EROM in dist\eroms\, add it to firmware area
3. select correct com/ufs port
4. press recovery
5. connect turned off phone
6. reflash phone via USB with normal firmware

 
S1 OPEN
 
phone could not boot and blinks red, you CAN flash phone
 
unlock phone using full signature unlock
 
phone stuck on white screen
 
reflash clean file system files, then flash normal firmware
 
phone could not boot and blinks red, you CAN NOT flash phone
 
if phone aid 004 - that is brick, can't be repaired by known 3rd party tools
if phone aid 001,002,003 - you need to perform trim area repair process:
 
first, make flash readout with options: signed mode,use alternative security bypass.
start 80021000
len 00200000
MID 01
"read spare" UNCHECKED
"read as ssw" UNCHECKED
 
you will get trim area image readout.
 
now lets determine if hwconfig present and not mismatched.
get and hex editor (hiew, winhex or simular)
 
using editor search function, locate in readout bytes d3 07 00 00
now check attached picture.
 
if imei is your, then you can try to fix phone.
if imei is not your and you do not have backup - send phone to semc.
 
now, lets extract needed trim area units and build script.
 
1.
you need to copy binary data from "data start" till "data end" (inclusive)
then convert binary data to its ASCII values (with same winhex)
 

 
add script command to data
 
example, from example file read_80021000_00200000_35681003102941.bin:
read_80021000_00200000_35681003102941.zip
 
Code:
tawrite:000207d301000000027704000000000000001D000000000000006A14663FD6E722880E288A943EFF3CB95479416F3F7700000247000101C001BE308201BA30820123A003020102020101300D06092A864886F70D0101050500301E311C301A0603550403141353315F4857436F6E665F526F6F745F61316563301E170D3030313131373139303630345A170D3230313131393139303630345A3019311730150603550403140E53315F4857436F6E665F6131656330819F300D06092A864886F70D010101050003818D0030818902818100C62E8DB0D1E86E5015210830F15BD56B8EE9F4339A377D346257028B700E6CEC207E83E5E4C76C901A2CF1577AE466FB4C8164E111C43A9A6763847D4C7877C5DBCC11AC153897CD6ECD77D5D59B7D9FC255EEBCA97929964C2684BFABA5481765390B03015046986C9AEE7A0C9D754FE4164C237640549783D9F28B056AFA530203010001A30D300B30090603551D1304023000300D06092A864886F70D01010505000381810057BE9BD213A7350190EBFF832B91083A0D74FD5E42B96560590D9FA4B78EBE556CF7E2D0E841F477D2578283E3205E14E2A46014B1D1475C15C7B7DBB348905B43D2D5605DA5461A8CFC88EEAD39BE85499EBC848A59F37575065CE753859CB29BB7FDA9805F7065E2A2C2ED3F9E9D519FBDD28C83FE55C33E9475E4765FCD9B0100808B505BE83576D2876CF09B332EAC0EEBD1F14E98072C98A4F492CD38A80265BD7C406DA1400367B9BA46970CB467DC825AC7EAC08DD72FDE4894CEDC60E2CE281E6E45A0B372ACB8ED548A3B5114B17A8C42FF131C94B436127BF3AFF865F7CBA6C58665C6584DB4DAF2EC9D05B87344DC956044CFE1E98761EA3ADF61C9D3A3000200000000000000000000000000000000000000000000000000000000000000000000000400020001000100010001000035681003102941000000002C00140CFFC34243D2191FE06C9265337027FA605069F20014C14561448A5B50B6292EBE92B421D26CBFBDC54C
2. using editor search function, locate in readout bytes da 07 00 00.
extract binary data ( method very same as shown on picture ), add script command
 

tawrite:000207da3C3B2B0D083B7915E34D77D8E6435A1C2FFF36DC000000000000000000000000FF00000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A1063006AF6C5FA39B0BABBEE5A8EC78CD3380024CB85626500000000551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E00005500000000000000000000000000000000000000000000000000000000106400283288EF30958212E12BEB1D148AD7C5EA57CB78290000000000000000000000000000000000000000000100
3. using editor search function, locate in readout bytes 51 08 00 00.
extract binary data ( method very same as shown on picture ), add script command
 

[/COLOR]
tawrite:000208510003001C00010019000207DA270F023D0010000007DA270F00470068000000F3019807FDA629760BA18A972C9E0FF8516AD296D83AAD4A07AC552FF9C6608DB7BB68B316CCED722FA0DEA690F59031732E71C1A9C2FAF71D1B16373E88858E72BD346BD4B07D6245C89556040F3D1E739567343244A15268C3DFA515E41CACBC4B368FB924B6770971D1966F0A4A8D707A21060D73112DF88AEA4CE6E5308125795CEB88C4F553A28EFC34FF346257BA858050B0EC28E8EDFA47681AB9F07568CA8A225826F90943376A5A4E54FB4D087F5BD08CF3F35521DB5C73E13253F4DAA68FA0F902C47FA5ECDA64674FF23A69D4EDDDC6A93C2A58D4183FDB7195647F1FA5F9644EE130544E23A75F80DCBFB98600090200000000000002FC0001027502733082026F308201D8A003020102020100300D06092A864886F70D01010505003077310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311E301C06035504031315536F6E79204572696373736F6E20534C20526F6F74301E170D3030303130313138303030305A170D3230303130313138303030305A3073310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311A301806035504031311536F6E79204572696373736F6E20534C4630819F300D06092A864886F70D010101050003818D0030818902818100D7C855C8F5F20A47302F9D1CB193907C8D01BEF67A20508CFF76C1CC5385BFCC90D805236000C3017BB3AF36D24561435199B482384570AF445AF2B78BF544B1C83CD6DF39E320A8D96674B6672B66225D2AD74BBCDE89999A688C0A7AF8E080319F2873B67B285B6F1D00535D083C8B68C556BBB1CBEC7ACBE7D274409E84270203010001A30F300D300B0603551D0F040403020780300D06092A864886F70D0101050500038181009096A087A4A2D7594888E2624EBB13FAEDBE5174C220410BD049BB628961BA18D370DF79527607EA533C931F14A094F0214BAFAD89FA3DADDBAC24BC1AE32211F668397745011F55D715B869874E464575988DF1D789594C86AE9310C8F4D00C3CBAB55595A63B3818FAB01A687EEAB3376176C8FE9A693A0283E57B94CD362A010080C511236A07BD6CD5D2F1D58B0E6EE887C15C0AACAACC56CAC126EB183ADC0AECBFF5081B49F3B6EB04AA3A0EB0B47D5B7B8C60830F8BC7B6450A64F0E925D40BABB25949AA89D2839CFDA4594818853013106C74F0A407D23BDC4C4630729C1469F6345F0930DAE37406DC02BA4049B54E3906F19D2821D3BF351A65FC8FA5B3
4. you have now 3 big string.
copy them into one file (each string should be on one line !)
add 4-th script command in the end of file
Code:
tawrite:0002FDE800
you have own fixup file.
fixup_35681003102941.txt
 
proceed to http://support.setool.net/showthread...ll=1#post15855
 
notice, that is you will get simlock tampered message after fix procedure, you NEED to unlock phone using signature server.
 
tutorial video by Aishur: http://www.4shared.com/file/s3jvvxIV...xup_video.html
 
 
S1 ANDROID
 
q:
i had unlocked my phone using alternative security bypass method, but phone not unlocked.
 
a:
you did not set all required settings.
you must check "signed mode", "alternative security bypass mode", "do full unlock instead of usercode reset"
 
 
q:
i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits,
but phone not unlocked.
 
a:
just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
no further credits will be required.[/COLOR]

[sundar]

script to change keyboard layout for u8 vivaz pro.
 
 

// To set u8 keypad layout//// Values:// 00000000    = QWERTY// 01000000    = QWERTY for NAM// 02000000     = QWERTZ// 03000000     = AZERTY// 04000000     = QWERTY// 05000000     = QWERTY Sweden/Finland/Denmark/Norway// 06000000     = Chinese Stroke/QWERTY// 07000000     = Chinese Bopomofo/QWERTY// 08000000     = Cyrillic/QWERTY// 09000000     = QWERTY Brazilian Portuguese// 0A000000     = Hebrew/QWERTY// 0B000000     = Arabic/QWERTY// 0C000000     = Greek/QWERTY// 0D000000     = Thai/QWERTYtawrite:000213BA06000000

[/COLOR]

[sundar]

q:
which s1 android based phones i can unlock using alternative security bypass ?

a:
you can use that method for
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.

q:
how to unlock s1 android based phones using alternative security bypass ?

a:
Here is procedure.

1.
make sure you have firmware with android 2.x, NOT 1.6.
firmware 2.3 is NOT supported, downgrade to 2.1.
flash required firmware, if needed.



2.
power on phone without sim card, go to menu->settings->applications->development, enable "usb debugging"
connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)

hint:
i suggest to import DisableADBNumbering.reg (DisableADBNumbering.zip) , however that is not required.

3.
select proper phone model.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
press unlock

when prompted, detach phone, turn it on fully, connect it again.
( or you can leave phone on cable, then power it on manually )

when program tells "warming up...", manually power on phone fully, cause it will automatically enter charging mode.

after you see "GETTING ROOT ACCESS ..." DO NOT TOUCH PHONE until procedure complete.

DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE, ONLY RIFF JTAG WILL HELP
DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE, ONLY RIFF JTAG WILL HELP


possible problems:

you getting "err: 00000005","err: 00000002" during process.

solution:
disable antivirus, especially if you using "koshmarsky antivirus", i recommend Doctor Web
do NOT run setool2 from restricted accounts.
do NOT run setool2 from read-only media.

problem:
it can happen ( very unlikely, though ) that ADB server will not recognize phone after reboot

solution:
IF phone not detecting automatically and on status bar you can see "waiting for phone...", again - only in that case - disconnect phone from usb and connect it again, procedure should continue.

if not, well, repeat from start.


q:
how to unlock s1 android based phones using alternative security bypass using testpoint?

a:
first, that is ONLY applicable to phones, based on msm8255 chipset - lt15,mt15,r800, some upcoming models.
Here is procedure.

1.
prepare for testpoint operation.
check testpoint location for your phone model in dist\docs\
open testpoint for access
get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.

2.
select proper phone model.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
fill login/password and check if account valid.

press unlock

when prompted, execute steps in EXACT order:

• remove cable from phone,
• remove battery from phone,
• attach testpoint
• press "ready"
• insert cable to phone, HOLDING TESTPOINT
• install drivers from dist\drivers\USBFlash_driver\
• when prompted detach testpoint
  
• press "ready"

إن شاء الله phone will be unlocked.[/COLOR]