326 Odpowiedź przez stich86 (edytowany przez stich86 2022-06-20 15:20:30)

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

I’ve tried to edit the XQCN file to change IMEI, but looks like it’s not allowed and it stays with the same of the working module where the backup was taken. Also Qualcomm NV Tools denies the write of IMEI because it’s marked as read-only

I’ve to find a way to change it…

EDIT: a little update.. some NV items in the memory are write-protected and IMEI is one of these.. So the only way is to brick/erase EFS and load XQCN/QCN file with the new IMEI. I should hope that brick EFS doens't bring back modem in the wrong way big_smile

327 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

So write down what you did that finally works. Can you give an instruction?

328 Odpowiedź przez stich86 (edytowany przez stich86 2022-06-20 10:33:05)

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

So write down what you did that finally works. Can you give an instruction?

I need to fix IMEI issue before.. because on the procedure it's important to load an XQCN backup, otherwise you will never bring up the module

I've to broke it again and check if the steps that i've followed can be certified or not (hope to get it back in the same state that I need big_smile)

329 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

After specifying this content in SB3.0,% goes and in the uart console I have the following logs after this whole procedure:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x100caf6f
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B -      3324 - PBL, Start
B -      6728 - bootable_media_detect_entry, Start
B -      8035 - bootable_media_detect_success, Start
B -      8040 - elf_loader_entry, Start
B -     11449 - auth_hash_seg_entry, Start
B -     11701 - auth_hash_seg_exit, Start
B -     60212 - elf_segs_hash_verify_entry, Start
B -    112810 - PBL, End
B -    123769 - SBL1, Start
B -    215238 - pm_device_init, Start
B -    275384 - PM_SET_VAL:Skip
D -     59109 - pm_device_init, Delta
B -    276574 - usb: usb: hs_phy_nondrive_start
B -    280569 - usb: usb: hs_phy_nondrive_finish
B -    283955 - boot_config_data_table_init, Start
D -         0 - boot_config_data_table_init, Delta - (0 Bytes)
B -    294081 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    300791 - sbl1_ddr_set_params, Start
D -        30 - sbl1_ddr_set_params, Delta
B -    308294 - Pre_DDR_clock_init, Start
D -       366 - Pre_DDR_clock_init, Delta
B -    323300 - pm_driver_init, Start
D -      1799 - pm_driver_init, Delta
B -    325160 - clock_init, Start
D -       183 - clock_init, Delta
B -    329827 - boot_flash_init, Start
D -     33001 - boot_flash_init, Delta
B -    370270 - Image Load, Start
D -     39162 - QSEE Image Loaded, Delta - (394044 Bytes)
B -    409462 - QSEE Execution, Start
D -     65941 - QSEE Execution, Delta
D -       213 - boot_pm_post_tz_device_init, Delta
B -    479002 - Image Load, Start
D -     19551 - RPM Image Loaded, Delta - (161732 Bytes)
B -    651358 - ZTE_POWER_ON_NORMAL
B -    703299 - Image Load, Start
D -     38003 - APPSBL Image Loaded, Delta - (426228 Bytes)
B -    741302 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -    748653 - SBL1, End
D -    627171 - SBL1, Delta
S - Throughput, 10000 KB/s  (982068 Bytes,  93661 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30]  zte_crash_flag not  found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[980] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/00010001/0x00010008/0
[1000] cmdline: noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1  earlycon=msm_hsl_uart,0x78b1000  an                                                        droidboot.serialno=100caf6f androidboot.authorized_kernel=true androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @ 0x82000000

And so it restarts over and over again. So that it lacks the correct IMEI?

330 Odpowiedź przez pawol

  • pawol
  • Użytkownik
  • Nieaktywny
  • Zarejestrowany: 2018-09-19
  • Posty: 669

Odp: Modem od routera MF286D

I understand that modem recovery procedure is validated. Destribe it in details, please

331 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

Napisał że z imei walczy więc poczekajmy cierpliwie... smile

332 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

After specifying this content in SB3.0,% goes and in the uart console I have the following logs after this whole procedure:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x100caf6f
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B -      3324 - PBL, Start
B -      6728 - bootable_media_detect_entry, Start
B -      8035 - bootable_media_detect_success, Start
B -      8040 - elf_loader_entry, Start
B -     11449 - auth_hash_seg_entry, Start
B -     11701 - auth_hash_seg_exit, Start
B -     60212 - elf_segs_hash_verify_entry, Start
B -    112810 - PBL, End
B -    123769 - SBL1, Start
B -    215238 - pm_device_init, Start
B -    275384 - PM_SET_VAL:Skip
D -     59109 - pm_device_init, Delta
B -    276574 - usb: usb: hs_phy_nondrive_start
B -    280569 - usb: usb: hs_phy_nondrive_finish
B -    283955 - boot_config_data_table_init, Start
D -         0 - boot_config_data_table_init, Delta - (0 Bytes)
B -    294081 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    300791 - sbl1_ddr_set_params, Start
D -        30 - sbl1_ddr_set_params, Delta
B -    308294 - Pre_DDR_clock_init, Start
D -       366 - Pre_DDR_clock_init, Delta
B -    323300 - pm_driver_init, Start
D -      1799 - pm_driver_init, Delta
B -    325160 - clock_init, Start
D -       183 - clock_init, Delta
B -    329827 - boot_flash_init, Start
D -     33001 - boot_flash_init, Delta
B -    370270 - Image Load, Start
D -     39162 - QSEE Image Loaded, Delta - (394044 Bytes)
B -    409462 - QSEE Execution, Start
D -     65941 - QSEE Execution, Delta
D -       213 - boot_pm_post_tz_device_init, Delta
B -    479002 - Image Load, Start
D -     19551 - RPM Image Loaded, Delta - (161732 Bytes)
B -    651358 - ZTE_POWER_ON_NORMAL
B -    703299 - Image Load, Start
D -     38003 - APPSBL Image Loaded, Delta - (426228 Bytes)
B -    741302 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -    748653 - SBL1, End
D -    627171 - SBL1, Delta
S - Throughput, 10000 KB/s  (982068 Bytes,  93661 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30]  zte_crash_flag not  found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[980] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/00010001/0x00010008/0
[1000] cmdline: noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1  earlycon=msm_hsl_uart,0x78b1000  an                                                        droidboot.serialno=100caf6f androidboot.authorized_kernel=true androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @ 0x82000000

And so it restarts over and over again. So that it lacks the correct IMEI?

have you used my latest partition_nand.xml on the MEGA folder?

333 Odpowiedź przez stich86 (edytowany przez stich86 2022-06-20 15:19:49)

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

pawol napisał/a:

I understand that modem recovery procedure is validated. Destribe it in details, please

still not, because on all of my attemps I got the MDM login shell (which this module refuse to get input from TX line), but the modem was not in the desired state (3 COMs as generic device and not like the working module, so missing ADB and all RNIS stuff).

I've done an attempt yesterday (flashing ALL without modem firmware) and then restore a XQCN from a working module, this has booted the modem in correct way (3 COMs + ADB shell + RNIS\RNIC)

Try it again tonight to see if I can found the correct way to do all tasks (it's important to restore the XQCN with correct IMEI)

334 Odpowiedź przez smereka (edytowany przez smereka 2022-06-20 15:30:10)

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

stich86 napisał/a:
smereka napisał/a:

After specifying this content in SB3.0,% goes and in the uart console I have the following logs after this whole procedure:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x100caf6f
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B -      3324 - PBL, Start
B -      6728 - bootable_media_detect_entry, Start
B -      8035 - bootable_media_detect_success, Start
B -      8040 - elf_loader_entry, Start
B -     11449 - auth_hash_seg_entry, Start
B -     11701 - auth_hash_seg_exit, Start
B -     60212 - elf_segs_hash_verify_entry, Start
B -    112810 - PBL, End
B -    123769 - SBL1, Start
B -    215238 - pm_device_init, Start
B -    275384 - PM_SET_VAL:Skip
D -     59109 - pm_device_init, Delta
B -    276574 - usb: usb: hs_phy_nondrive_start
B -    280569 - usb: usb: hs_phy_nondrive_finish
B -    283955 - boot_config_data_table_init, Start
D -         0 - boot_config_data_table_init, Delta - (0 Bytes)
B -    294081 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    300791 - sbl1_ddr_set_params, Start
D -        30 - sbl1_ddr_set_params, Delta
B -    308294 - Pre_DDR_clock_init, Start
D -       366 - Pre_DDR_clock_init, Delta
B -    323300 - pm_driver_init, Start
D -      1799 - pm_driver_init, Delta
B -    325160 - clock_init, Start
D -       183 - clock_init, Delta
B -    329827 - boot_flash_init, Start
D -     33001 - boot_flash_init, Delta
B -    370270 - Image Load, Start
D -     39162 - QSEE Image Loaded, Delta - (394044 Bytes)
B -    409462 - QSEE Execution, Start
D -     65941 - QSEE Execution, Delta
D -       213 - boot_pm_post_tz_device_init, Delta
B -    479002 - Image Load, Start
D -     19551 - RPM Image Loaded, Delta - (161732 Bytes)
B -    651358 - ZTE_POWER_ON_NORMAL
B -    703299 - Image Load, Start
D -     38003 - APPSBL Image Loaded, Delta - (426228 Bytes)
B -    741302 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -    748653 - SBL1, End
D -    627171 - SBL1, Delta
S - Throughput, 10000 KB/s  (982068 Bytes,  93661 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30]  zte_crash_flag not  found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[980] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/00010001/0x00010008/0
[1000] cmdline: noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1  earlycon=msm_hsl_uart,0x78b1000  an                                                        droidboot.serialno=100caf6f androidboot.authorized_kernel=true androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @ 0x82000000

And so it restarts over and over again. So that it lacks the correct IMEI?

have you used my latest partition_nand.xml on the MEGA folder?



Yes from your folder


You can also write how to restore the modem to work having just these saved partitions from the working modem. Most of the people here have more than one mf286d router, so they'll make a copy of it and put it in a dead body. And then when you see how to do imei with it, we'll update the information

335 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:
stich86 napisał/a:
smereka napisał/a:

After specifying this content in SB3.0,% goes and in the uart console I have the following logs after this whole procedure:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x100caf6f
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B -      3324 - PBL, Start
B -      6728 - bootable_media_detect_entry, Start
B -      8035 - bootable_media_detect_success, Start
B -      8040 - elf_loader_entry, Start
B -     11449 - auth_hash_seg_entry, Start
B -     11701 - auth_hash_seg_exit, Start
B -     60212 - elf_segs_hash_verify_entry, Start
B -    112810 - PBL, End
B -    123769 - SBL1, Start
B -    215238 - pm_device_init, Start
B -    275384 - PM_SET_VAL:Skip
D -     59109 - pm_device_init, Delta
B -    276574 - usb: usb: hs_phy_nondrive_start
B -    280569 - usb: usb: hs_phy_nondrive_finish
B -    283955 - boot_config_data_table_init, Start
D -         0 - boot_config_data_table_init, Delta - (0 Bytes)
B -    294081 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    300791 - sbl1_ddr_set_params, Start
D -        30 - sbl1_ddr_set_params, Delta
B -    308294 - Pre_DDR_clock_init, Start
D -       366 - Pre_DDR_clock_init, Delta
B -    323300 - pm_driver_init, Start
D -      1799 - pm_driver_init, Delta
B -    325160 - clock_init, Start
D -       183 - clock_init, Delta
B -    329827 - boot_flash_init, Start
D -     33001 - boot_flash_init, Delta
B -    370270 - Image Load, Start
D -     39162 - QSEE Image Loaded, Delta - (394044 Bytes)
B -    409462 - QSEE Execution, Start
D -     65941 - QSEE Execution, Delta
D -       213 - boot_pm_post_tz_device_init, Delta
B -    479002 - Image Load, Start
D -     19551 - RPM Image Loaded, Delta - (161732 Bytes)
B -    651358 - ZTE_POWER_ON_NORMAL
B -    703299 - Image Load, Start
D -     38003 - APPSBL Image Loaded, Delta - (426228 Bytes)
B -    741302 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -    748653 - SBL1, End
D -    627171 - SBL1, Delta
S - Throughput, 10000 KB/s  (982068 Bytes,  93661 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30]  zte_crash_flag not  found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[980] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/00010001/0x00010008/0
[1000] cmdline: noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1  earlycon=msm_hsl_uart,0x78b1000  an                                                        droidboot.serialno=100caf6f androidboot.authorized_kernel=true androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @ 0x82000000

And so it restarts over and over again. So that it lacks the correct IMEI?

have you used my latest partition_nand.xml on the MEGA folder?



Yes from your folder

i've uploaded new one (with correct recoveryfs partition), please try again and let me know

336 Odpowiedź przez smereka (edytowany przez smereka 2022-06-20 15:38:08)

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

Ok I just check it

so it's enough to replace this file in the common folder, right?

337 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

Ok I just check it

so it's enough to replace this file in the common folder, right?

yes

338 Odpowiedź przez smereka (edytowany przez smereka 2022-06-20 15:50:05)

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

Now he had 2-3 minutes of everything and other talk in general;) In windows like you are now. ZTE NMEA, ZTE DIAGNOSTIC and ZTE USB propietary

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1-00311
S - IMAGE_VARIANT_STRING=MAATANAZA
S - OEM_IMAGE_VERSION_STRING=scl_xa242_062
S - Boot Interface: NAND
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000000a1
S - JTAG ID @ 0x000a607c = 0x100320e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x100caf6f
S - OEM Config Row 0 @ 0x000a4150 = 0x0900000000000000
S - OEM Config Row 1 @ 0x000a4158 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4160 = 0x14000000000009a0
S - Feature Config Row 1 @ 0x000a4168 = 0x0342f80200000005
B -      3324 - PBL, Start
B -      6727 - bootable_media_detect_entry, Start
B -   1433225 - bootable_media_detect_success, Start
B -   1433229 - elf_loader_entry, Start
B -   1436638 - auth_hash_seg_entry, Start
B -   1436890 - auth_hash_seg_exit, Start
B -   1489795 - elf_segs_hash_verify_entry, Start
B -   1542392 - PBL, End
B -   1544032 - SBL1, Start
B -   1634373 - pm_device_init, Start
B -   1694366 - PM_SET_VAL:Skip
D -     58956 - pm_device_init, Delta
B -   1695525 - usb: usb: hs_phy_nondrive_start
B -   1699521 - usb: usb: hs_phy_nondrive_finish
B -   1702906 - boot_config_data_table_init, Start
D -         0 - boot_config_data_table_init, Delta - (0 Bytes)
B -   1713032 - CDT Version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -   1719742 - sbl1_ddr_set_params, Start
D -        30 - sbl1_ddr_set_params, Delta
B -   1727245 - Pre_DDR_clock_init, Start
D -       366 - Pre_DDR_clock_init, Delta
B -   1742251 - pm_driver_init, Start
D -      1799 - pm_driver_init, Delta
B -   1744112 - clock_init, Start
D -       152 - clock_init, Delta
B -   1748839 - boot_flash_init, Start
D -     32726 - boot_flash_init, Delta
B -   1789038 - Image Load, Start
D -     39192 - QSEE Image Loaded, Delta - (394044 Bytes)
B -   1828231 - QSEE Execution, Start
D -     65941 - QSEE Execution, Delta
D -       213 - boot_pm_post_tz_device_init, Delta
B -   1897771 - Image Load, Start
D -     19459 - RPM Image Loaded, Delta - (161732 Bytes)
B -   2070035 - ZTE_POWER_ON_NORMAL
B -   2122007 - Image Load, Start
D -     37973 - APPSBL Image Loaded, Delta - (426228 Bytes)
B -   2159979 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -   2167299 - SBL1, End
D -    625555 - SBL1, Delta
S - Throughput, 10000 KB/s  (982068 Bytes,  93537 us)
S - DDR Frequency, 518 MHz
S - Core 0 Frequency, 1190 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[0] SCM call: 0x2000601 failed with :fffffffc
[0] Failed to initialize SCM
[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] smem ptable found: ver: 4 len: 17
[20] ERROR: No devinfo partition found
[20] Neither 'config' nor 'frp' partition found
[20] zte_power_on_ctrl no operation
[30] ----fota cookie is [0xffffffff]----
[30] smem_power->efs_crash = 0x0
[30]  zte_crash_flag not  found
[40] Loading (boot) image (8941568): start
[870] Loading (boot) image (8941568): done
[870] Authenticating boot image (8941568): start
[950] Authenticating boot image: done return value = 1
[980] DTB Total entry: 170, DTB version: 3
[990] Using DTB entry 0x0000011b/00010001/0x00000008/0 for device 0x0000011b/000                                                                                                                                                             10001/0x00010008/0
[1000] cmdline: noinitrd  rw console=ttyHSL0,115200,n8 androidboot.hardware=qcom                                                                                                                                                              ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1  earlycon=msm_h                                                                                                                                                             sl_uart,0x78b1000  androidboot.serialno=100caf6f androidboot.authorized_kernel=t                                                                                                                                                             rue androidboot.baseba[1020] Updating device tree: start
[1080] Updating device tree: done
[1090] Channel alloc freed
[1100] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @                                                                                                                                                              0x82000000
[   26.157603] console [ttyHSL0] enabled
[   26.171544] msm_serial_hsl_init: driver initialized
[   26.180129] cnss_pinctrl_init: Can not get active pin state!
[   26.200152] cnss_probe: Failed to enable PCIe RC0!

msm 201911020732 mdm9650 /dev/ttyHSL0

mdm9650 login:

msm 201911020732 mdm9650 /dev/ttyHSL0

mdm9650 login:

339 Odpowiedź przez stich86 (edytowany przez stich86 2022-06-20 15:53:45)

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

good, you should have also modem recognized on windows\linux machine.
How many TTY/COM do you see?

if you have TX\RX UART working, please try with these credentials:

root\zte9x15

340 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

On linux machine I check tomorrow. Now I have to go out. On windows COM I have zte nmea and zte diagnostic. And in modem section I have ZTE priopieraty USB modem

341 Odpowiedź przez stich86 (edytowany przez stich86 2022-06-20 15:58:15)

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

yes on "ZTE USB propietary" you can try to connect with TeraTerm/Putty and issue ATI command to see if the modem is up

Now from that part I need to rebuild what i've done to make it switch in the correct way.. and hopefully if your UART is working we can debug it and check WHY doesn't start all adb\ZTE stuff

if you can share:

dmesg or "cat /proc/kmsg" and all logs into /var/log

As my understanding, if the modem is online too early, the script "misc-daemon" break..

342 Odpowiedź przez smereka (edytowany przez smereka 2022-06-20 16:01:12)

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

ATQ0E0V1
OK

OK

OK

OK
ATI
Manufacturer: ZTE CORPORATION
Model: MF286DMODULE
Revision: PV_ZTE_MF286DMODULEV1.0.0B08
SVN: 01
IMEI:
+GCAP: +CGSM

OK



Incredible. The dead man begins to pant slowly smile

343 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

ATQ0E0V1
OK

OK

OK

OK
ATI
Manufacturer: ZTE CORPORATION
Model: MF286DMODULE
Revision: PV_ZTE_MF286DMODULEV1.0.0B08
SVN: 01
IMEI:
+GCAP: +CGSM

OK



Incredible. The dead man begins to pant slowly smile

Ok so you have broken EFS..
tonight I’ll try to upload XQCN and how to modify IMEI on that so you can try to write it back with QPST wink

344 Odpowiedź przez smereka (edytowany przez smereka 2022-06-20 16:06:11)

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

I discovered something interesting:

login: root
password: oelinux123


mdm9650 login: root
Password:
root@mdm9650:~#

Work for me


Link for this password for mr1100 https://blog.skitisu.com/hack-netgear-m … uter-root/

345 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

root@mdm9650:~# df -h
Filesystem                Size      Used Available Use% Mounted on
ubi0:rootfs              71.7M     49.0M     22.8M  68% /
tmpfs                    64.0K      4.0K     60.0K   6% /dev
tmpfs                    62.8M     24.0K     62.8M   0% /run
tmpfs                    62.8M    112.0K     62.7M   0% /var/volatile
tmpfs                    62.8M         0     62.8M   0% /media/ram
tmpfs                    62.8M    112.0K     62.7M   0% /var/lib
/dev/ubi1_0              51.0M     40.6M     10.4M  80% /firmware
ubi0:fwfs                 5.9M     64.0K      5.9M   1% /lib/firmware
ubi0:ztedata             52.8M     36.0K     52.8M   0% /usr/zte_web
ubi3:etcrwfs             34.2M     80.0K     34.1M   0% /etc_rw
ubi3:cachefs             56.9M     32.0K     56.9M   0% /cache
ubi3:logfs               20.0M    124.0K     19.9M   1% /logfs
root@mdm9650:~#

346 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

I discovered something interesting:

login: root
password: oelinux123


mdm9650 login: root
Password:
root@mdm9650:~#

Work for me


Link for this password for mr1100 https://blog.skitisu.com/hack-netgear-m … uter-root/

Amazing smile
So now we can debug why the module doesn’t start in correct way

Please send me the logs asked if you can smile

347 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

root@mdm9650:~# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 38.40
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc07
CPU revision    : 5

Hardware        : Qualcomm Technologies, Inc MDM9650
Revision        : 0000
Serial          : 0000000000000000
Processor       : ARMv7 Processor rev 5 (v7l)
root@mdm9650:~#

348 Odpowiedź przez smereka

  • Zarejestrowany: 2014-07-09
  • Posty: 2,328

Odp: Modem od routera MF286D

Which exactly logs?

349 Odpowiedź przez stich86

  • Zarejestrowany: 2022-05-24
  • Posty: 392

Odp: Modem od routera MF286D

smereka napisał/a:

Which exactly logs?

Dmesg, cat /proc/kmsg and all logs into /var/log

350 Odpowiedź przez Leo-PL

  • Leo-PL
  • Użytkownik
  • Nieaktywny
  • Zarejestrowany: 2019-11-05
  • Posty: 502

Odp: Modem od routera MF286D

Holy crap. I'm amazed with what was accomplished here!
Tonight I'll dig out my 1.8V level shifter for SPI flash programming, and use it to connect both directions of console, and then try to perform the factory programming once agian.