Sony Ericsson PDA
Basics
SEMC created few types of PDA:
db200x+nexperia (SYMBIAN OS)
m600,w950,w960,p1,p990
such phones have two security type - NEW and OLD.
Identify button will show security type - it will write "NEW SECURITY detected" with NEW security phones.
it is better to install PDA phone drivers and PDA flash drivers before any operation.
S1 OPEN (SYMBIAN OS) ( ti omap + db3xxx )
satio,vivaz,vivaz pro
S1 QUALCOMM,MT BASED (ANDROID OS)
all other models
Quick Navigation
FLASHING OF A1-BASED PDA PHONES
add firmware to firmware area on PDA tab.
DO NOT UNZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash
note, if phone have BROWN domain, you must FIRST flash conversion packs:
for m600,w950,p990:
for brown cid 36: pda_ccpu_convert_red49_signed_brown36.zip
for brown cid 49: pda_ccpu_convert_red49_signed_brown49.zip
for w960,p1:
for brown cid 49: pda_ccpu_convert_red53_signed_brown49.zip
UNLOCKING OF A1-BASED PDA PHONES
if you want to UNLOCK NEW SECURITY phone:
check "use server" and enter your login/password.
please check FAQ article about credit consumptions for your phone.
press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.
if you want to UNLOCK OLD SECURITY phone:
UNCHECK "use server".
BE SURE you have latest REST files.
now, you need install drivers for flashing.
for that, poweron smartphone in fw update mode.
- for p990/m600 press and hold "@" on TURNED OFF phone, then attach dcu60.
- for w950 press and hold "C" on TURNED OFF phone, then attach dcu60.
windows will ask you for a drivers. drivers in %setool2 dist%\drivers\Smartphone_Drivers
now, when all preparations finished - press unlock button and insert cable to phone,while holding appropriate key on phone.
follow program directions.
FLASHING OF S1-OPEN PDA PHONES (Satio,Vivaz,Vivaz pro)
add firmware to firmware area on PDA tab.
DO NOT UNPACK .ZIP PACKAGE, JUST ADD IT AS IS.
on settings,check "signed mode"
press flash
connect turned off phone while holding "green" button.
FLASHING S1-ANDROID PDA PHONES (x10,x10 mini,x10 mini pro,etc)
two main files,both REQUIRED. APP - OS kernel, radio part, FSP - user and android OS system data,
CDF - internal storage contents, eLabel - electronic label )
add it to firmware area on PDA tab.
Order is IMPORTANT - ALWAYS add APP part first, then FSP, then eLabel, then CDF
Some MT-based phones can be irreversible killed, if APP part is NOT first package to flash.
UNPACK package archive, if packed (unzip,unrar, but DO NOT unpack *.sin_file_set itself ), ADD *.file_set to firmware area
on settings,check "signed mode"
press flash
connect turned off phone while holding "BACK" button.
UNLOCKING OF S1-OPEN PDA PHONES
select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.
back to original tab, press unlock, "GREEN BUTTON"
if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory.
next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.
UNLOCKING OF S1-ANDROID PDA PHONES
server based full official unlock method. Only available, when s1 signature server online
select USB as interface. that is REQUIRED.
select phone model
settings - check ONLY "signed mode (using server)", "do full unlock instead of usercode reset", fill your login details.
back to original tab, press unlock, hold "BACK BUTTON" and insert cable to powered off phone.
if signature is calculated - you will receive 'SUCCESS' response, otherwise you will receive error code.
if calculation is success, then signature will be saved in backup\%imei% folder in your setool2 directory
(following unlock attempts, if something had happen with phone - cable disconnect,etc - during unlock - will be free as long as signature remains there )
next, backup will be created so you will be able to restore phone if something will go wrong.
procedure will continue,phone will be switched off and unlocked.
remember, if something will go wrong - you have a backup of security units.
please check "credits consumption" FAQ post for info about number of credits.
server based full unlock method using alternative security bypass
GESTURE LOCK/USER PASSWORD RESED FOR S1-ANDROID PDA PHONES
check signed mode only, press unlock.
hold "BACK BUTTON" and insert cable to powered off phone.
if phone has blocked attempts counter, then you need reflash phone after lock reset.
PROBLEMS AND RECOVERY - A1 BASED PHONES
damaged SCRC (imei mismatch), damaged seczone, damaged gdfs,damaged CCPU EROM
1. go to emptyboard tab
2. select model
3. on settings, check "signed mode", fill login details
4. press reset, connect phone
5. if gdfs structure okay, skip that step, otherwise add to firmware are gdfs in ssw format: one of
DB2001_G700_GDFS_IN_SSW_FORMAT.SSW
DB2001_M600_GDFS_IN_SSW_FORMAT.ssw
DB2001_P1_GDFS_IN_SSW_FORMAT.ssw
DB2001_P990_GDFS_IN_SSW_FORMAT.ssw
6. add to firmware area correct EROM
for m600,w950,p990: pda_ccpu_convert_red49_BROWN_CID49_DB2001.software
for w960,p1: pda_ccpu_convert_red53_BROWN_CID49_DB2001.software
7. press flash
8. reflash phone on usual PDA tab if needed.
phone could not boot using dcu60, erom version timeout error,etc
ACPU EROM damaged, to restore it
1. select correct PDA model
2. find corresponding EROM in dist\eroms\, add it to firmware area
3. select correct com port. ufs,usb can't be used for that operation.
4. press recovery
5. connect turned off phone
6. reflash phone via USB with normal firmware
PROBLEMS AND RECOVERY - S1 OPEN
phone could not boot and blinks red, you CAN flash phone
unlock phone using full signature unlock
phone stuck on white screen
reflash clean file system files, then flash normal firmware
phone could not boot and blinks red, you CAN NOT flash phone
if phone aid 004 - that is brick, can't be repaired by known 3rd party tools
if phone aid 001,002,003 - you need to perform trim area repair process:
first, make flash readout with options: signed mode,use alternative security bypass.
start 80021000
len 00200000
MID 01
"read spare" UNCHECKED
"read as ssw" UNCHECKED
you will get trim area image readout.
now lets determine if hwconfig present and not mismatched.
get and hex editor (hiew, winhex or simular)
using editor search function, locate in readout bytes d3 07 00 00
now check attached picture.
if imei is your, then you can try to fix phone.
if imei is not your and you do not have backup - brick
now, lets extract needed trim area units and build script.
1. you need to copy binary data from "data start" till "data end" (inclusive)
then convert binary data to its ASCII values (with same winhex)
trim_area_unit_example.jpg
add script command to data
example, from example file read_80021000_00200000_35681003102941.bin:
read_80021000_00200000_35681003102941.zip
tawrite:000207d301000000027704000000000000001D000000000000006A14663FD6E722880E288A943EFF3CB95479416F3F7700000247000101C001BE308201BA30820123A003020102020101300D06092A864886F70D0101050500301E311C301A0603550403141353315F4857436F6E665F526F6F745F61316563301E170D3030313131373139303630345A170D3230313131393139303630345A3019311730150603550403140E53315F4857436F6E665F6131656330819F300D06092A864886F70D010101050003818D0030818902818100C62E8DB0D1E86E5015210830F15BD56B8EE9F4339A377D346257028B700E6CEC207E83E5E4C76C901A2CF1577AE466FB4C8164E111C43A9A6763847D4C7877C5DBCC11AC153897CD6ECD77D5D59B7D9FC255EEBCA97929964C2684BFABA5481765390B03015046986C9AEE7A0C9D754FE4164C237640549783D9F28B056AFA530203010001A30D300B30090603551D1304023000300D06092A864886F70D01010505000381810057BE9BD213A7350190EBFF832B91083A0D74FD5E42B96560590D9FA4B78EBE556CF7E2D0E841F477D2578283E3205E14E2A46014B1D1475C15C7B7DBB348905B43D2D5605DA5461A8CFC88EEAD39BE85499EBC848A59F37575065CE753859CB29BB7FDA9805F7065E2A2C2ED3F9E9D519FBDD28C83FE55C33E9475E4765FCD9B0100808B505BE83576D2876CF09B332EAC0EEBD1F14E98072C98A4F492CD38A80265BD7C406DA1400367B9BA46970CB467DC825AC7EAC08DD72FDE4894CEDC60E2CE281E6E45A0B372ACB8ED548A3B5114B17A8C42FF131C94B436127BF3AFF865F7CBA6C58665C6584DB4DAF2EC9D05B87344DC956044CFE1E98761EA3ADF61C9D3A3000200000000000000000000000000000000000000000000000000000000000000000000000400020001000100010001000035681003102941000000002C00140CFFC34243D2191FE06C9265337027FA605069F20014C14561448A5B50B6292EBE92B421D26CBFBDC54C
2. using editor search function, locate in readout bytes da 07 00 00.
extract binary data ( method very same as shown on picture ), add script command
tawrite:000207da3C3B2B0D083B7915E34D77D8E6435A1C2FFF36DC000000000000000000000000FF00000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A1063006AF6C5FA39B0BABBEE5A8EC78CD3380024CB85626500000000551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E000055551E0001001E00005500000000000000000000000000000000000000000000000000000000106400283288EF30958212E12BEB1D148AD7C5EA57CB78290000000000000000000000000000000000000000000100
3. using editor search function, locate in readout bytes 51 08 00 00.
extract binary data ( method very same as shown on picture ), add script command
tawrite:000208510003001C00010019000207DA270F023D0010000007DA270F00470068000000F3019807FDA629760BA18A972C9E0FF8516AD296D83AAD4A07AC552FF9C6608DB7BB68B316CCED722FA0DEA690F59031732E71C1A9C2FAF71D1B16373E88858E72BD346BD4B07D6245C89556040F3D1E739567343244A15268C3DFA515E41CACBC4B368FB924B6770971D1966F0A4A8D707A21060D73112DF88AEA4CE6E5308125795CEB88C4F553A28EFC34FF346257BA858050B0EC28E8EDFA47681AB9F07568CA8A225826F90943376A5A4E54FB4D087F5BD08CF3F35521DB5C73E13253F4DAA68FA0F902C47FA5ECDA64674FF23A69D4EDDDC6A93C2A58D4183FDB7195647F1FA5F9644EE130544E23A75F80DCBFB98600090200000000000002FC0001027502733082026F308201D8A003020102020100300D06092A864886F70D01010505003077310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311E301C06035504031315536F6E79204572696373736F6E20534C20526F6F74301E170D3030303130313138303030305A170D3230303130313138303030305A3073310B3009060355040613025345312F302D060355040A1326536F6E79204572696373736F6E204D6F62696C6520436F6D6D756E69636174696F6E7320414231173015060355040B130E466C617368205365637572697479311A301806035504031311536F6E79204572696373736F6E20534C4630819F300D06092A864886F70D010101050003818D0030818902818100D7C855C8F5F20A47302F9D1CB193907C8D01BEF67A20508CFF76C1CC5385BFCC90D805236000C3017BB3AF36D24561435199B482384570AF445AF2B78BF544B1C83CD6DF39E320A8D96674B6672B66225D2AD74BBCDE89999A688C0A7AF8E080319F2873B67B285B6F1D00535D083C8B68C556BBB1CBEC7ACBE7D274409E84270203010001A30F300D300B0603551D0F040403020780300D06092A864886F70D0101050500038181009096A087A4A2D7594888E2624EBB13FAEDBE5174C220410BD049BB628961BA18D370DF79527607EA533C931F14A094F0214BAFAD89FA3DADDBAC24BC1AE32211F668397745011F55D715B869874E464575988DF1D789594C86AE9310C8F4D00C3CBAB55595A63B3818FAB01A687EEAB3376176C8FE9A693A0283E57B94CD362A010080C511236A07BD6CD5D2F1D58B0E6EE887C15C0AACAACC56CAC126EB183ADC0AECBFF5081B49F3B6EB04AA3A0EB0B47D5B7B8C60830F8BC7B6450A64F0E925D40BABB25949AA89D2839CFDA4594818853013106C74F0A407D23BDC4C4630729C1469F6345F0930DAE37406DC02BA4049B54E3906F19D2821D3BF351A65FC8FA5B3
4. you have now 3 big string.
copy them into one file (each string should be on one line !)
add 4-th script command in the end of file
tawrite:0002FDE800
you have own fixup file.
fixup_35681003102941.txt
proceed to http://support.setool.net/showthread.php?2071-U1i-SATIO-DEAD&p=15855&viewfull=1#post15855
notice, that is you will get simlock tampered message after fix procedure, you NEED to unlock phone using signature server.
tutorial video by Aishur: http://www.4shared.com/folder/RCU5KkCO/Satio_fixup.html
m_taheri written tool for automatic fixup creation.
PROBLEMS AND RECOVERY - S1 ANDROID
q: i had unlocked my phone using alternative security bypass method, but phone not unlocked.
a: you did not set all required settings.
you must check "signed mode", "alternative security bypass mode", "do full unlock instead of usercode reset"
q: i had unlocked my phone using alternative security bypass method, my settings are correct, i lost 4 credits, but phone not unlocked.
a: just reflash phone with required firmware ( android 2.1 ) and repeat procedure.
no further credits will be required.
q: which s1 android based phones i can unlock using alternative security bypass ?
a: you can use that method for
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones.
lt15,mt15,r800 and other msm8255-based phones require very simple testpoint to perform alternative security bypass.
x10i,x10i,s0-o1b, e10,e15,e16,u20 phones can also use testpoint method (complex, but powerful ) for unlock/repair
q: how to unlock s1 android based phones, based on msm7227,qsd8250 using alternative security bypass without testpoint ?
a: Here is procedure.
1. make sure you have firmware with android 2.x, NOT 1.6. flash required firmware, if needed.
2. power on phone without sim card, go to menu->settings->applications->development, enable "usb debugging"
connect phone to PC, install drivers from setool2 distr ( drivers\ADB_Drivers)
hint: i suggest you to import DisableADBNumbering.reg (DisableADBNumbering.zip) , however this is not required.
3. select proper phone model, select USB as interface. on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
press unlock
when prompted, detach phone, turn it on fully, connect it again.
( or you can leave phone on cable, then power it on manually )
when program tells "warming up...", manually power on phone fully, cause it will automatically enter charging mode.
after you see "GETTING ROOT ACCESS ..." DO NOT TOUCH PHONE until procedure complete.
DO NOT DETACH PHONE FROM CABLE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
DO NOT REMOVE BATTERY FROM PHONE AFTER PROCEDURE STARTED, YOU CAN KILL YOUR PHONE.
SUCH KILLED PHONES CAN BE REPAIRED WITH RESURRECTION CABLES.
possible problems:
problem: you getting "Can't get ROOT rights", "err: 00000005","err: 00000002" during process
solution: disable antivirus, especially if you using "kaspersky antivirus", i recommend Doctor Web
do NOT run setool2 from restricted accounts.
do NOT run setool2 from read-only media.
problem: it can happen ( very unlikely, though ) that ADB server will not recognize phone after reboot
solution: IF phone not detecting automatically and on status bar you can see "waiting for phone...", again - only in that case - disconnect phone from usb and connect it again, procedure should continue.
if not, well, repeat from start.
q: how to unlock s1 android based phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?
a: Here is procedure.
FIRMWARE VERSION DOES NOT MATTER, WHEN USING TESTPOINT METHOD
1. prepare for testpoint operation.
check testpoints location for your phone model in dist\docs\s1_qualcomm_uart_cables or use GPG cable set
open testpoints for access
if you do not have GPG cable set, get some needle with wire, connect it to phone GND ( battery minus ) or to USB cable shield, etc.
Notice, that most of UART "boxes" for sony ericsson phones have 2 UARTs : DTMS/DFMS and CTMS/CFMS ( TX/RX ) on RJ45 connector.
you need to connect DTMS, noted on schematics, to TX ( CTMS ) pin on RJ45 connector, DFMS from schematics to CFMS ( RX ) pin on RJ45.
2. select proper phone model. select COM as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset, use testpoint (gnd type)
fill login/password and check if account valid.
press unlock
when prompted, execute steps in EXACT order:
remove cable from phone,
remove battery from phone,
attach testpoint ( turn on switch on cable set )
insert cable to phone, HOLDING TESTPOINT ( cable set switch in "on" position )
press "ready"
when prompted detach testpoint
press "ready"
install drivers from dist\drivers\USBFlash_driver\ ( if asked )
phone will be unlocked.
q: how to unlock s1 android based phones, based on qsd8x55, using alternative security bypass using testpoint?
a: Here is procedure.
1. prepare for testpoint operation.
check testpoint location for your phone model in dist\docs\
open testpoint for access
get some needle with wire, connect it to phone gnd ( battery minus ) or to usb cable shield, etc.
2. select proper phone model. select USB as interface.
on settings check signed mode, use alternative security bypass, do full unlock instead usercode reset
fill login/password and check if account valid.
press unlock
when prompted, execute steps in EXACT order:
remove cable from phone,
remove battery from phone,
attach testpoint
press "ready"
insert cable to phone, HOLDING TESTPOINT
install drivers from dist\drivers\USBFlash_driver\
make sure that driver for qhusb_dload ( device, which will appear after successful testpoint ) is installed from dist\drivers\usbflash_drivers and named "ZEUS Flash Device".
Install driver manually, if testpoint driver named otherwise.
when prompted detach testpoint
press "ready"
phone will be unlocked.
q: my semc 8x55-based smartphone can't be detected by PC or detecting as "QHUSB_DLOAD".
my semc 7227-based smartphone can't be detected by PC.
my semc 8250-based smartphone can't be detected by PC.
a: at least semc boot damaged
step I.
for 8x55-based phones select USB as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press "recovery"
for 7227,8250-based phones select COM as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
3. pda tab, press "recovery"
important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during entire testpoint procedure
if you get next output:
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
and do not have trim area backup, thats bad, but you still can fix phone : check here
step II.
1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press "flash"
q: during second stage of testpoint unlock procedure i made testpoint wrong/disconnect phone/etc - my phone dead, but i have security units backup.
a: that can be fixed easy enough.
step I.
for 8x55-based phones select USB as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass
3. pda tab, press "recovery"
for 7227,8250-based phones select COM as interface, then
1. pda tab, select corresponding phone model
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type)
3. pda tab, press "recovery"
if you will get output like
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
then and only then perform next step, otherwise skip to step IV
step II.
1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass, format gdfs during write
for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write
3. pda tab, select trim area package files for your phone model ( DO NOT UNPACK, DO NOT UNZIP, DO NOT TOUCH IT IN ANY WAY ) in misc. edit
4. press "write gdfs"
step III.
1. pda tab, select corresponding model
2. options tab, check : signed mode, alternative security bypass
for 7227,8250-based phones select COM as interface and
2. options tab, check : signed mode, alternative security bypass, use testpoint ("GND" type), format gdfs during write
3. pda tab, select YOUR BACKUP SCRIPT
4. press "write script"
step IV.
1. pda tab, select corresponding model
2. options tab, check : signed mode
3. pda tab, add needed firmware files ( DO NOT UNPACK ) ( BOTH APP and FSP) to fw area
4. press "flash"
q: how to repair totally damaged s1 android phones, based on msm7227,qsd8250, using alternative security bypass using testpoint?
a: Here is procedure.
okay, here is example how to resurrect totally dead x10 phone. so, we have x10 phone with totally erased semcboot and trim area. phone does not turn on, does not connect to pc anyhow.
select x10 as model, select com port as interface ( one where GPG resurrection cables connected )
1. on options set signed mode,altbypass mode, use testpoint (gnd type)
2. connect GPG x10 resurrection craddle to phone, press RECOVERY
follow program instructions.
important notice:
for msm7227 phones, insert battery in phone after you attached testpoint.
for x10 phone connect RED dot to GND permanently during all testpoint procedure
btw, as phone has erased semcboot, you do not need apply testpoint that time.
however, that is very special case, so for simplicity lets apply testpoint all time.
here is operation output:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000010
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
WRITING SEMCBOOT ...
Checking TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_set_config_failed ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
Checking MISC TA ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Writing config ...
MINOR ERROR [ MISC_CLASS: MISC_ERROR, TA_invalid,_format_may_be_required ]
Formatting ...
SUCCESS
now we recovered semcboot and prepared trim area for loading.
if phone only had erased semcboot, it will already work after that step.
but our phone TOTALLY damaged, so lets proceed with second step:
we need now load trim area.
Please skip this step, if your phone do not have damaged trim area ( errors like: "TA_invalid,_format_may_be_required" )
options are same for step1 + "format gdfs when writing" checked,
select x10.zip in misc.edit and press "write gdfs".
( any trim area, read from corresponding model live phone will work )
follow program instructions.
here is operation output:
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010000110
Will write GDFS now.
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
Can't get IMEI
will write 1010 units
done
will write 53 units
done
Phone detached
Elapsed: 23 secs.
finally, we need rebuild imei and security zone.
for that, check same options as for step1 + "do full unlock instead of usercode reset","allow to change imei when unlocking" checked,
press "unlock/repair", follow program instructions
here is operation output:
THAT ACTION IS ILLEGAL,IF YOU DOING IT
FOR ANY PURPOSE, OTHER THAN REPAIR PHONE
SIGNED MODE (USING SERVER)
ALTERNATIVE SECURITY BYPASS ENABLED
CFG:110010010010
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
ATTACH USB CABLE TO PHONE,THEN PRESS "READY"
PROCESSING ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
RUNNING S1_LOADER VER "R4A024"
SWITCHING TO "USB" ...
PLEASE ATTACH TURNED OFF PHONE NOW
RUNNING S1_LOADER VER "R4A024"
LOADER AID: 0001
FLASH ID: "002C/00B3"
LOADER VERSION: "r4A024"
Can't get IMEI
REQUESTED : 359419030xxxxx
Checking for HWConfig ...
Waiting for calculation process ...
RESPONSE: "SUCCESS" [826]
Checking for signature ...
signature found, skipping calculation
WRITING SEMCBOOT ...
WRITING HWCONFIG ...
Unlock DONE
Elapsed: 20 secs.
from now on, phone is full repaired, testpoint cradle not needed.
reflash phone with any suitable firmware.
q: how to repair totally damaged s1 android phones, based on qsd8x55, using alternative security bypass using testpoint?
a: operation is very same, just select usb as interface and do not check "use testpoint (gnd type)"