Nie jesteś zalogowany. Proszę się zalogować lub zarejestrować.
eko.one.pl → Posty przez stich86
Strony Poprzednia 1 … 14 15 16
so may be i've found steps to put back in fastboot..
anyway i've uploaded also ZTERW and ZTEFILE via fastboot, but still same error on bootloader about /devinfo and the modem is recognized as before..
i don't know what i'm missing...
@ stich86 Could you upload all your files from common and this content file to some server?
i'll try to do this evening..
in meantime i've broken the modem again 
now I cannot get working the procedure that i've following to reach fastboot status 
No, ADB should work just like that in Windows as well - maybe save for installing a driver for that USB function. I just had included it in my OpenWrt build, it is freely available as a package as well.
But on Windows at the current time I’ve two com port (NUMA+DIAGNOSTIC) and the modem
If I’m doing “adb devices” there is any system..
It is probably visible as some kind of unknown device, you can try the "devices by connections" view in the device manager to find it, and install "Android ADB interface" for it by hand.
I'll try to see, but I didn't see any "Unknown Devices" on the list
BTW, where did you get factory image for Nordic modem? I have one modem from Nordic lying around, I could play with it too, and it's the best to get the matching factory FW.
What about that? Is that TELIA_MF286DMODULEV1.0.0B02 image?
you can find a list of firmware in this MEGA folder: https://mega.nz/folder/q98SUIrL#oKTAYrYxVD1mUkBL0E41iw
Also, even before flashing I get the same error about missing devinfo partition.
Do you have any other logs after that? This is where my modem freezes and no ports are visible.
No, because if you look at cmdline of kernel, console is redirect to /dev/HSL0, I think this is another UART console not the same one of the bootloader. And looks like that the bootloader is blocked and don't accept any input
Anyway, I'm not able to properly start SB3.0 flashing even after your modification of contents.xml. For some reason, after loading the loader through 9008 QDLoader mode, modem shows up as 19d2:0076 in Sahara Memory dump mode. There is some data transfer, and then modem reboots, and hangs at the linux prompt again.
Which QPST version do you use? It seems to cause exactly the same behaviour on other modem taken out from MF286A.
I'm using latest one.. so in you case after reflashing modem in the correct way it tries to boot the system. The problem is that I need to boot it in fastboot mode to flash missing partition
So the router itself seems to see the modem, but obviously isn't allowed to bring up 4G because it not fully recognized
adb devices on the MF286D shell doesn't found any device
No, ADB should work just like that in Windows as well - maybe save for installing a driver for that USB function. I just had included it in my OpenWrt build, it is freely available as a package as well.
But on Windows at the current time I’ve two com port (NUMA+DIAGNOSTIC) and the modem
If I’m doing “adb devices” there is any system..
That should be these two files:
mdm9650-etc_rw.ubifs
mdm9650-zterwfs.ubi
I wonder which partition is it. I was able to dump all of the partitions on my modem, except for EFS and MIBIB, trying to dump which caused instant reboot, and for some models even reset to QDLoader (9008) mode.
This is what I have on my modem:root@zte-mf286d:~# adb shell cat /proc/mtd * daemon not running. starting it now on port 5037 * * daemon started successfully * dev: size erasesize name mtd0: 00280000 00040000 "sbl" mtd1: 00280000 00040000 "mibib" mtd2: 00b00000 00040000 "efs2" mtd3: 00380000 00040000 "tz" mtd4: 00340000 00040000 "rpm" mtd5: 00b00000 00040000 "efsbak" mtd6: 00100000 00040000 "aboot" mtd7: 00f00000 00040000 "boot" mtd8: 00080000 00040000 "scrub" mtd9: 04700000 00040000 "modem" mtd10: 00180000 00040000 "misc" mtd11: 00f00000 00040000 "recovery" mtd12: 00180000 00040000 "fota" mtd13: 02800000 00040000 "recoveryfs" mtd14: 015c0000 00040000 "ztefile" mtd15: 09100000 00040000 "zterw" mtd16: 0a600000 00040000 "system"
May be I’ve broken ztefile/zterw partitions?
Only way to enter ADB is to put the module on the router?
Ok i was able to dump NV using Sales NETport, then configured QPST to 192.168.32.1:10005 and Software Download apps to backup the whole thing.
Restored the new backup on the old modem, but it’s still recognizes as before and the IMEI and other info are the same also with the new NV.
I’ve played with AT commands on the AT/COM interface defined as modem and looks like the modem is working. I was able to scan network and register the SIM. Now I think that the missing devinfo doesn’t present the modem as expected, so original firmware don’t want to recognize the modem and the SIM card
May be if we have possibility to access working modem via ADB or fastboot it’s possible to dump whole partiton and write the two one broken.. it should make it works again
Any suggestion is very appreciated:)
I've a problem right now..
the working modem is not recognized with current installed driver on Windows.
I've 5 devices (3 of them called zte wcdma technologies msm, on RDIS and one RSM or something like that), so I cannot use any of known tool to backup the EFS or NV partition.
Any suggestion?
You'll likely need to restore EFS partition contents to get IMEI back, or play with the QXDM and a dump from a working modem. Care to share modified contents.xml? I wanted to avoid that, but I guess that's the easiest route after all.
Yes, i'll try to dump the EFS or NV from another MDM9250 that is working, obliviously I'll need to write back the old IMEI to avoid overlap.
Regarding contents.xml, i've put these file into this folder:
C:\common\common:
Directory of C:\common\common
13/06/2022 22:13 <DIR> .
13/06/2022 22:13 <DIR> ..
02/11/2019 03:12 452.132 appsboot.mbn
02/11/2019 03:12 108.164 armprg.bin
29/03/2019 05:01 21.854.643 asr_mod.tar.gz
29/03/2019 05:01 21.696.338 asr_mod_nord.tar.gz
24/02/2022 15:58 8.388.608 bootnordic.bak
21/10/2019 08:08 430 config
21/01/2020 06:07 7.749 config.zip
12/10/2019 08:58 1.224.704 efs.mbn
02/11/2019 03:12 107.128 ENPRG9x55.mbn
02/11/2019 03:12 107.128 e_armprg.bin
02/11/2019 03:12 56.123.392 mdm-image-mdm9650.ubifs
02/11/2019 03:12 11.796.480 mdm-recovery-image-mdm9650.ubi
02/11/2019 03:12 8.943.616 mdm9650-boot-recovery.img
02/11/2019 03:12 8.943.616 mdm9650-boot.img
02/11/2019 03:12 3.301.376 mdm9650-etc_rw.ubifs
02/11/2019 03:12 3.301.376 mdm9650-fw.ubifs
02/11/2019 03:12 3.301.376 mdm9650-log.ubifs
02/11/2019 03:17 65.273.856 mdm9650-sysfs.ubi
02/11/2019 03:12 10.747.904 mdm9650-zterwfs.ubi
24/02/2022 15:48 8.388.608 mtd8.bin
02/11/2019 03:12 49.545.216 NON-HLOS.ubi
30/10/2019 02:40 65.536 norplusnand-system-partition-ipq40xx.bin
02/11/2019 03:12 108.164 NPRG9x55.mbn
02/11/2019 03:12 492 partition.mbn
02/11/2019 03:12 5.176 partition_nand.xml
04/11/2019 02:53 73 pstcrc.txt
25/04/2022 15:00 38.797.312 root_uImage
14/01/2022 21:13 38.797.312 root_uImageorig
30/10/2019 02:40 20.447.232 root_uImage_s
02/11/2019 03:12 167.220 rpm.mbn
02/11/2019 03:12 229.968 sbl1.mbn
31/10/2019 05:24 79 SHA256SUMS
21/01/2020 08:04 79 SHA256SUMS2
12/01/2022 14:49 8.196 smsbootsect.bak
02/11/2019 03:12 456.316 tz.mbn
30/10/2019 02:40 573.227 uboot.bin
30/10/2019 02:45 4.677.632 web.img
02/11/2019 03:17 3.301.376 ztedata.ubifs
20/09/2019 05:06 475 zte_dload_boot.xml
20/09/2019 05:06 1.852 zte_dload_explain.xml
Then i've changed this part on the content.xml
<build>
<name>common</name>
<role>common</role>
<chipset>MDM9650</chipset>
<build_id>MDM9650.LE.1.2.c1-00016-NBOOT.GENNCH.NEFS.PROD-1</build_id>
<windows_root_path>.\</windows_root_path>
<linux_root_path>./</linux_root_path>
<image_dir>common</image_dir>
<download_file get_binary="True" minimized="true">
<file_name>partition.mbn</file_name>
<file_path>common/</file_path>
</download_file>
<download_file get_binary="True" minimized="true">
<file_name>NON-HLOS.ubi</file_name>
<file_path>common/</file_path>
</download_file>
<file_ref get_binary="True" partition="modem" minimized="true" fastboot="modem">
<file_name>NON-HLOS.ubi</file_name>
<file_path>common/</file_path>
</file_ref>
<partition_file>
<file_name>partition_nand.xml</file_name>
<file_path>common/</file_path>
</partition_file>
</build>
Essentially i've removed "build" dir word from ubi\mbn files and "config" word from partition_nand.xml.
Then i've run "Software Download" program from QPST, go to SB 3.0 tab and point the file contents.xml into "C:\common", send the write command and the modem was restored and booted in fastboot (because there was corrupted OS):
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x19146b45
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B - 3343 - PBL, Start
B - 6753 - bootable_media_detect_entry, Start
B - 8072 - bootable_media_detect_success, Start
B - 8077 - elf_loader_entry, Start
B - 11486 - auth_hash_seg_entry, Start
B - 11737 - auth_hash_seg_exit, Start
B - 60249 - elf_segs_hash_verify_entry, Start
B - 112846 - PBL, End
B - 127093 - SBL1, Start
B - 220911 - pm_device_init, Start
B - 281271 - PM_SET_VAL:Skip
D - 59261 - pm_device_init, Delta
B - 282430 - usb: usb: hs_phy_nondrive_start
B - 286456 - usb: usb: hs_phy_nondrive_finish
B - 289841 - boot_config_data_table_init, Start
D - 0 - boot_config_data_table_init, Delta - (0 Bytes)
B - 299967 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B - 306677 - sbl1_ddr_set_params, Start
D - 30 - sbl1_ddr_set_params, Delta
B - 314180 - Pre_DDR_clock_init, Start
D - 366 - Pre_DDR_clock_init, Delta
B - 329186 - pm_driver_init, Start
D - 1799 - pm_driver_init, Delta
B - 331047 - clock_init, Start
D - 152 - clock_init, Delta
B - 335774 - boot_flash_init, Start
D - 33184 - boot_flash_init, Delta
B - 376431 - Image Load, Start
D - 39345 - QSEE Image Loaded, Delta - (394044 Bytes)
B - 415806 - QSEE Execution, Start
D - 65910 - QSEE Execution, Delta
D - 213 - boot_pm_post_tz_device_init, Delta
B - 485316 - Image Load, Start
D - 19520 - RPM Image Loaded, Delta - (161732 Bytes)
B - 657641 - ZTE_POWER_ON_NORMAL
B - 709613 - Image Load, Start
D - 37942 - APPSBL Image Loaded, Delta - (426228 Bytes)
B - 747555 - sbl1_efs_handle_cookies, Start
D - 0 - sbl1_efs_handle_cookies, Delta
B - 754905 - SBL1, End
D - 630069 - SBL1, Delta
S - Throughput, 10000 KB/s (982068 Bytes, 93720 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30] zte_crash_flag not found
[40] ERROR: Invalid boot image header
[40] ERROR: Could not do normal boot. Reverting to fastboot mode.
[50] scm call to check secure boot fuses failed
[50] fastboot_init()
After that I've installed Google USB driver for the Fastboot interface and i've used these fastboot command (inside the C:\common\common folder) to restore System, Boot, Recovery and Modem partitions:
>fastboot.exe flash boot mdm9650-boot.img
sending2 'boot' (8734 KB)...
OKAY [ 0.386s]
writing2 'boot'...
OKAY [ 1.220s]
finished. total time: 1.606s>fastboot.exe flash system mdm9650-sysfs.ubi
sending2 'system' (63744 KB)...
OKAY [ 2.991s]
writing2 'system'...
OKAY [ 9.078s]
finished. total time: 12.073s>fastboot.exe flash system mdm9650-sysfs.ubi
sending2 'system' (63744 KB)...
OKAY [ 3.741s]
writing2 'system'...
OKAY [ 9.420s]
finished. total time: 13.161s>fastboot.exe flash modem NON-HLOS.ubi
sending2 'modem' (48384 KB)...
OKAY [ 2.647s]
writing2 'modem'...
OKAY [ 6.688s]
finished. total time: 9.335s>fastboot.exe flash recovery mdm9650-boot-recovery.img
sending2 'recovery' (8734 KB)...
OKAY [ 0.544s]
writing2 'recovery'...
OKAY [ 1.227s]
finished. total time: 1.770s>fastboot reboot
rebooting...finished. total time: 0.008s
and this is the output from modem console:
[292090] fastboot: processing commands
[404810] fastboot: download:00887800
[405200] fastboot: flash:boot
[405200] Verified the BOOT_MAGIC in image header
[405200] writing 8945664 bytes to 'boot'
[406400] flash_write_image: success
[406400] partition 'boot' updated
[426610] fastboot: download:03e40000
[429610] fastboot: flash:system
[429610] writing 65273856 bytes to 'system'
[438670] partition 'system' updated
[440950] fastboot: download:03e40000
[444690] fastboot: flash:system
[444690] writing 65273856 bytes to 'system'
[454100] partition 'system' updated
[461690] fastboot: download:02f40000
[464350] fastboot: flash:modem
[464350] writing 49545216 bytes to 'modem'
[471010] partition 'modem' updated
[485600] fastboot: download:00887800
[486150] fastboot: flash:recovery
[486150] Verified the BOOT_MAGIC in image header
[486150] writing 8945664 bytes to 'recovery'
[487350] flash_write_image: success
[487350] partition 'recovery' updated
[494540] fastboot: reboot
[494540] rebooting the device
This is the bootlog of a restored one, please note the errors that i'm trying to fix:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x19146b45
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B - 3343 - PBL, Start
B - 6753 - bootable_media_detect_entry, Start
B - 8089 - bootable_media_detect_success, Start
B - 8094 - elf_loader_entry, Start
B - 11503 - auth_hash_seg_entry, Start
B - 11758 - auth_hash_seg_exit, Start
B - 60269 - elf_segs_hash_verify_entry, Start
B - 112866 - PBL, End
B - 125263 - SBL1, Start
B - 216916 - pm_device_init, Start
B - 277214 - PM_SET_VAL:Skip
D - 59261 - pm_device_init, Delta
B - 278404 - usb: usb: hs_phy_nondrive_start
B - 282399 - usb: usb: hs_phy_nondrive_finish
B - 285785 - boot_config_data_table_init, Start
D - 0 - boot_config_data_table_init, Delta - (0 Bytes)
B - 295911 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B - 302621 - sbl1_ddr_set_params, Start
D - 30 - sbl1_ddr_set_params, Delta
B - 310124 - Pre_DDR_clock_init, Start
D - 366 - Pre_DDR_clock_init, Delta
B - 325130 - pm_driver_init, Start
D - 1799 - pm_driver_init, Delta
B - 326990 - clock_init, Start
D - 152 - clock_init, Delta
B - 331718 - boot_flash_init, Start
D - 33184 - boot_flash_init, Delta
B - 372374 - Image Load, Start
D - 39345 - QSEE Image Loaded, Delta - (394044 Bytes)
B - 411750 - QSEE Execution, Start
D - 65910 - QSEE Execution, Delta
D - 213 - boot_pm_post_tz_device_init, Delta
B - 481259 - Image Load, Start
D - 19520 - RPM Image Loaded, Delta - (161732 Bytes)
B - 653584 - ZTE_POWER_ON_NORMAL
B - 705526 - Image Load, Start
D - 37942 - APPSBL Image Loaded, Delta - (426228 Bytes)
B - 743498 - sbl1_efs_handle_cookies, Start
D - 0 - sbl1_efs_handle_cookies, Delta
B - 750849 - SBL1, End
D - 627843 - SBL1, Delta
S - Throughput, 10000 KB/s (982068 Bytes, 93750 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30] zte_crash_flag not found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[990] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/00010001/0x00010008/0
[1000] cmdline: noinitrd rw console=ttyHSL0,115200,n8 androidboot.hardware=qcomehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1 earlycon=msm_hsl_uart,0x78b1000 androidboot.serialno=19146b45 androidboot.authorized_kernel=true androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @0x82000000
In this state modem is recognized by MF286D or PC with 3 ports, but AT command "ATI" reports no IMEI
No, it failed on "entering the recovery mode" on modem, because it already is in this mode.
Hi Leo-Pl I was able to restore the modem. After doing on mode 9008, using SB 3.0 and modify content.xml in the right way, the modem restored all needed info until stuck in fastboot. Then installed Google USB driver and flash the needed file with fastboot (boot, system, recovery and modem). Now the module is correctly recognized but the NVRAM is broken… so no IMEI and I think other information
I’ll try to read those information from a working modem.. but any hints how to do? May be with revskills?
Thx
@stich86: A Finnish mobile network operator.
so you was able to recovery the modem module? I don't undestand..
Po kolejnym małym sukcesie z przeflashowaniem fabrycznym softem starego MF283+, celem podbicia wersji modemu, zrobiłem kolejne podejście do tematu. Tym razem zaczynając od MF286A, próbując wgrywać fabryczną paczkę z DNA (dzięki @arekm), ale niestety poległem - przynajmniej na razie. Trzeba spatchować plik /usr/bin/facSvr, by nie próbował wprowadzać modemu w tryb download, bo sceglony modem już się w nim znajduje - update wywala się na wykonaniu w pętli komendy AT+ZCDRUN=E.
Wiedza o Sales_WAT_NetPort też okazuje się przydatna, bo oszczędza to mocno rozkręcania by podpiąć się QPST. No nic, myślę jak to ugryźć, ale chyba skończy się Ghidrą lub czymś podobnym i zrepakowanym rootfsem z podmienioną binarką. Jak znajdę dłuższą chwilę.
Na OpenWrt to samo da się osiągnąć tym poleceniem:
socat tcp-listen:10005,fork,reuseaddr open:/dev/ttyUSB0,b115200,cfmakerawOczywiście socata trzeba sobie najpierw doinstalować. Na sprawnym MF286 poprawnie wykrył mi się tym sposobem MDM9635.
BTW, czy ktoś posiada MF283+ z softem CR_ORAMF283+V1.0.0B08? Fajnie byłoby zrzucić go z żywego egzemplarza, bo OTA update już go nie znajduje.
can you explain better what is DNA?
thanks
I see. Then I got the modes wrong. This bootpoint is used to enter EDL mode. I was able to enter this fastboot only once and then I did not manage to do it again. As if putting something into this crap caused that he doesn't want to go in there anymore. Forgive me for the mistake with these modes
If you want to put anything into it, he always had EDL 9008 mode. At this diagnostic, he didn't want to talk.
so it should be on 9008 mode also to use qtools and QSL?
thx
I don't know if it's the only way. I did it by trial and error. I didn't care about this modem. He might even be freaking out while looking for these pins. In my opinion, the manufacturer of this modem should not exist at all because it did not provide such important things as what we are trying to fix here. The manufacturer should predict what could happen to such a modem and give specific procedures how to bring it back to life. The producer blew it. In the first post of this thread you have a pinout uart
in post #212 you have reached fastboot after using QSL..
Do you remeber which file used? and modem was on 9008 mode or diagnostic? In diagnostic as i've said, when QSL is openend the modem reset itself each 5 seconds
Yes, I remember. It is described in this thread but I don't remember which post. You have a boot point next to the ESMT. It has to be short-circuited to GND for a moment and then it is visible as 9008
so the only way is to use the Test Point?
I'll try to solder TTL to see in which state is the modem, because I cannot read the partition layout in any way
Yes. You have the same symptoms as my mod. Unfortunately, I don't know how to move it forward yet. I checked all available and known methods that I could do on windows and linux. Leo had an idea to send a parcel via adb but so far he hasn't written whether he pushed or not
How did you enter in Fastboot mode?
Do you remember?
thx
Hi all
@smereka
@Leo-PL
any progress? i've a ZTE MF286D with broken 4G module.
Module was removed from the modem and inserted into PC via MiniPCIe-2-USB adapter, now it stuck into "ZTE Diagnostic Port"
Using qtools, sometime I was able to switch on "Qualcomm 9008 mode", but I don't know which file pass to QFIL.
If I'm opening QPST, the modem will connect/disconnet each 5 seconds
Thx for any help
Strony Poprzednia 1 … 14 15 16
eko.one.pl → Posty przez stich86
Forum oparte o PunBB, wspierane przez Informer Technologies, Inc