Nie jesteś zalogowany. Proszę się zalogować lub zarejestrować.
eko.one.pl → Sprzęt / Hardware → Modem od routera MF286D
Strony Poprzednia 1 … 19 20 21 22 23 … 36 Następna
Zaloguj się lub zarejestruj by napisać odpowiedź
I've done an update over ZTE framework on a virgin MF286D, bad news.. the framework is using same protocol (Sahara) of QPST to upload firmware on the modem.
On the router there is a daemon called facSvr that is doing all the stuff. So may be with this program is it possible to comunicate also with QPST remote server
Here is the full log: https://mega.nz/file/61RSnLxD#tCrmZ7qhd … Nkihg2D0dE
if anyone is interested 
Here is uploaded image.zip , with updates Elisa B03 to Elisa1 B06 , and at the same time modem from BD_ELISAFIMF286DMODV1.0.0B03 to BD_ELISAFIMF286DMODV1.0.1B01
https://www.mediafire.com/file/m6bxg5di … 6.zip/file
I did same attempt on the virgin router and the modem stuck at B01… still don’t understand how he got the B06 
Only way is to play with Qtools and try to dump the rootFS and modem partition.. better to have all, but EFS cannot be readed..
Try witch his IMEI , perhaps you get same updates....
Try witch his IMEI , perhaps you get same updates....
Can I swap IMEI just on nvram right? I’ve seen that username is passed using the IMEI
yes , nv set should be enough.
EDIT : And start from new Elisa framework , since there could be difference ( this Elisa and Elisa1 is suspicious...)
yes , nv set should be enough
Ok I got it.. looks like the version is Elisa1_B11D on his modem
I’ll try later to check update
What do you mean for “New ELISA framework”?
All modem here in Italy was converted using TIM2ELISAB02
Yes , but in very baf case even first update can Vary for "prooer" and "not proper" IMEI ,and you already recived one ...
But ofcourse set IMEI first on existing one.
Yes , but in very baf case even first update can Vary for "prooer" and "not proper" IMEI ,and you already recived one ...
But ofcourse set IMEI first on existing one.
nice catch.. using that IMEI i got this update:
01:02:27 UP>>[update_control.c:628]out version=MF286D_Elisa1_B11D
01:02:27 UP>>[update_control.c:640]inner version=CR_ELISAFIMF286DV1.0.1B09
01:02:27 UP>>[update_control.c:662]inner integrate version=ELISA_FI_MF286DV1.0.1B09
01:02:27 UP>>[update_control.c:651]outer integrate version=ELISA_FI_MF286DV1.0.1B09
01:02:27 UP>>[update_control.c:2449]Oh,yes,Upgrade Successful.
and modem now is updated to 1.0.1B06 (don't understand why they are using all build numbers that doesn't match between GUI, router and modem....)
Tomorrow i'll upload this package, so we have the full update path also for ELISA B11D
So only proper IMEI gives OTA to Elisa1_B11D (and modem 1.0.1B06) , otherwise is stays on Elisa1_B06 (and modem 1.0.1B01) ?
Do you know ,what to do to start update after insrting image.zip in folder /etc_rw/fota/ ? It should be done something ( flag in mtd0 ?) , otherwise on next boot file will be deleted.
So only proper IMEI gives OTA to Elisa1_B11D (and modem 1.0.1B06) , otherwise is stays on Elisa1_B06 (and modem 1.0.1B01) ?
It looks like that modems from 2021 got this update, new one are stuck on the B06. Don’t know why..
Do you know ,what to do to start update after insrting image.zip in folder /etc_rw/fota/ ? It should be done something ( flag in mtd0 ?) , otherwise on next boot file will be deleted.
I’ve to see the logs. There are some flags applied and removed during the process.
All stuff is processed by a ZTE bin
you can find here latest image.zip and also md5 for Elisa1:
I finally got the 286D modem to flash, on a fresh laptop with fresh Win7 install, which was a PITA in 2022. But anyway, that qtools incantations were the key, SB3.0 is now going on. BTW. I noticed that it is possible to skip certain partitions, most notably EFS, when you select "Edit". Also, I think I know what failed before. To run qtools, QPST MUST be closed, otherwise it will occupy the serial port, and this is what qtools were complaining about, after all.
But this is still to no avail. After flashing, the modem seems to behave exactly the same as previously. I suspect that charge pump in NAND flash went bust, and thus the memory went read-only ;_;
I've had this happen on a totally different device in the past ;-)
At least by using qtools, I can try dumping the flash contents now.
@stich86, where did you get your qtools build? I'm looking for possibly newer one - one on github lacks the chipset support I need - -k12 is invalid chipset code - I wanted to recompile them under Linux.
Edit, nevermind: found this in that fork: https://github.com/Maks-2012/qtools
I finally got the 286D modem to flash, on a fresh laptop with fresh Win7 install, which was a PITA in 2022. But anyway, that qtools incantations were the key, SB3.0 is now going on. BTW. I noticed that it is possible to skip certain partitions, most notably EFS, when you select "Edit". Also, I think I know what failed before. To run qtools, QPST MUST be closed, otherwise it will occupy the serial port, and this is what qtools were complaining about, after all.
But this is still to no avail. After flashing, the modem seems to behave exactly the same as previously. I suspect that charge pump in NAND flash went bust, and thus the memory went read-only ;_;
I've had this happen on a totally different device in the past ;-)At least by using qtools, I can try dumping the flash contents now.
@stich86, where did you get your qtools build? I'm looking for possibly newer one - one on github lacks the chipset support I need - -k12 is invalid chipset code - I wanted to recompile them under Linux.
Edit, nevermind: found this in that fork: https://github.com/Maks-2012/qtools
I’m in contact with a friend that has the same issue. SB3.0 seems to write but then on reboot modem is in the same status as before..
in my qtools package there is loader for k12, it's just a configuration into a file called chipset.cfg that where there are specified the two bootloader files
Do you have a picture of your NAND? This friend has a different one from my modem and another one.
Mine start with FMXXXX, while his is H9XXXX
When you enter 9008 mode with qtools using the commands, can you try to change last one in this way?
qdload.exe -k12 -q -pX
qcommand.exe -pX -c "m 193d100 1"
qcommand.exe -pX -c "d 7980001 4"
we have done some tests on his modem with qtools, looks like that the modem refues partition.mbn, so it cannot be written..
Just tried those commands - I entered QDL successfully, SB 3.0 went through the same as yesterday, but still nothing written to flash. Mine is FM68<something> - I wasn't able to copy the model when SB3.0 was doing its thing. I haven't figured out how to dump the image with qtools yet, "edl" still doesn't want to cooperate.
Thanks for th heads up on chipset.cfg, I'll look into that.
Edit: my NAND chip is the same model as in the first post, probably like yours.
Just tried those commands - I entered QDL successfully, SB 3.0 went through the same as yesterday, but still nothing written to flash. Mine is FM68<something> - I wasn't able to copy the model when SB3.0 was doing its thing. I haven't figured out how to dump the image with qtools yet, "edl" still doesn't want to cooperate.
Thanks for th heads up on chipset.cfg, I'll look into that.
Edit: my NAND chip is the same model as in the first post, probably like yours.
ok so It cannot be a problem of the flash chip.
May be is just da flag into the NAND that prevent the write
for QTOOLS you should load Emergency BL after modem is in 9008 mode in this way:
qdload.exe -k12 -i -pX
and check if you see P-Table with:
qrflash.exe -k12 -s@ -m -pX
in this mode you can issue commands qr{w}direct
@Leo-PL
we got it!
problem is here:
[30] ----fota cookie is [0xffffffff]----
Check your bootloader logs, if the fota cookie is not empty, this stupid module will restart it self each time on recoveryfs.
The only way to resolve this issue is to erase fota partition (/dev/mtd12) so the aboot will start the system on the rootfs instead of recoveryfs
Looks like when the modem is on recovery, only way to get prompt on the console is on the ZTE itself and not on the USB adapter
@Leo-PL
we got it!
problem is here:
[30] ----fota cookie is [0xffffffff]----
Check your bootloader logs, if the fota cookie is not empty, this stupid module will restart it self each time on recoveryfs.
The only way to resolve this issue is to erase fota partition (/dev/mtd12) so the aboot will start the system on the rootfs instead of recoveryfsLooks like when the modem is on recovery, only way to get prompt on the console is on the ZTE itself and not on the USB adapter
I have this exact value - what is the expected one?
My boot log is here: https://gist.github.com/Leo-PL/c35b7d87 … 952023f3bf
stich86 napisał/a:@Leo-PL
we got it!
problem is here:
[30] ----fota cookie is [0xffffffff]----
Check your bootloader logs, if the fota cookie is not empty, this stupid module will restart it self each time on recoveryfs.
The only way to resolve this issue is to erase fota partition (/dev/mtd12) so the aboot will start the system on the rootfs instead of recoveryfsLooks like when the modem is on recovery, only way to get prompt on the console is on the ZTE itself and not on the USB adapter
I have this exact value - what is the expected one?
My boot log is here: https://gist.github.com/Leo-PL/c35b7d87 … 952023f3bf
yes it should be 0xffffffff
your looks good, it's booting from the right partition.
If you write only files until aboot, do you get "fastboot_init"?
Ok, I managed to dump the first partitions (up to fota) using qtools. It's slow as molasses, but it works. 13 to 16 are ongoing. Since I have the modem in the right mode, what do you suggest to do? I think of erasing "boot" and "recovery", so I can update all the rest via fastboot, or get dump from my working B11 modem and try flashing that from qtools directly.
This is my partition table:
============================================================
00 0 00000a ff 01 00 00 LNX 0:SBL
01 a 00000a ff 01 ff 00 LNX 0:MIBIB
02 14 00002c ff 01 00 00 LNX 0:EFS2
03 40 00000e ff 01 00 00 LNX 0:TZ
04 4e 00000d ff 01 00 00 LNX 0:RPM
05 5b 00002c ff 01 00 00 LNX 0:EFSBAK
06 87 000004 ff 01 00 00 LNX 0:aboot
07 8b 00003c ff 01 00 00 LNX 0:boot
08 c7 000002 ff 01 00 00 LNX 0:SCRUB
09 c9 00011c ff 01 00 00 LNX 0:modem
10 1e5 000006 ff 01 00 00 LNX 0:misc
11 1eb 00003c ff 01 00 00 LNX 0:recovery
12 227 0006ff 00 ff 01 00 STD 0:fota
13 22d00 00a000 00 ff 01 00 STD
14 2cd00 005700 00 ff 01 00 STD
15 32400 024400 00 ff 01 00 STD
16 56800 029800 00 ff 01 00 STD
============================================================What I see in the output of qrflash looks like ton of ECC errors, at least one per erase block. Too bad that cyrylic output in my console is mangled up on Windows.
When I tried writing partitions only up to U-boot, nothing has changed, likely because in that case SB3.0 process doesn't erase unselected partitions.
Ok, I managed to dump the first partitions (up to fota) using qtools. It's slow as molasses, but it works. 13 to 16 are ongoing. Since I have the modem in the right mode, what do you suggest to do? I think of erasing "boot" and "recovery", so I can update all the rest via fastboot, or get dump from my working B11 modem and try flashing that from qtools directly.
This is my partition table:
============================================================ 00 0 00000a ff 01 00 00 LNX 0:SBL 01 a 00000a ff 01 ff 00 LNX 0:MIBIB 02 14 00002c ff 01 00 00 LNX 0:EFS2 03 40 00000e ff 01 00 00 LNX 0:TZ 04 4e 00000d ff 01 00 00 LNX 0:RPM 05 5b 00002c ff 01 00 00 LNX 0:EFSBAK 06 87 000004 ff 01 00 00 LNX 0:aboot 07 8b 00003c ff 01 00 00 LNX 0:boot 08 c7 000002 ff 01 00 00 LNX 0:SCRUB 09 c9 00011c ff 01 00 00 LNX 0:modem 10 1e5 000006 ff 01 00 00 LNX 0:misc 11 1eb 00003c ff 01 00 00 LNX 0:recovery 12 227 0006ff 00 ff 01 00 STD 0:fota 13 22d00 00a000 00 ff 01 00 STD 14 2cd00 005700 00 ff 01 00 STD 15 32400 024400 00 ff 01 00 STD 16 56800 029800 00 ff 01 00 STD ============================================================What I see in the output of qrflash looks like ton of ECC errors, at least one per erase block. Too bad that cyrylic output in my console is mangled up on Windows.
When I tried writing partitions only up to U-boot, nothing has changed, likely because in that case SB3.0 process doesn't erase unselected partitions.
Yea erase boot and recovery, leave aboot so it will switch to fastboot mode and you can write all other partitions in this way:
fastboot flash boot mdm9650-boot.img
fastboot flash system mdm9650-sysfs.ubi
fastboot flash modem NON-HLOS.ubi
fastboot flash recovery mdm9650-boot-recovery.img
fastboot flash zterw mdm9650-zterwfs.ubi
fastboot flash recoveryfs mdm-recovery-image-mdm9650.ubi
Ok, makes sense - I'll try. First I'll let it finish dumping the current content. This is going to take a few hours, at least.
Do you think it makes sense to use images dumped from working B11 unit (since they are both plain images anyway) or go with the ones from factory package?
Also, I think I'll go with recovery and boot as the last partitions, to be able to quickly re-enter fastboot until the final step.
Ok, makes sense - I'll try. First I'll let it finish dumping the current content. This is going to take a few hours, at least.
Do you think it makes sense to use images dumped from working B11 unit (since they are both plain images anyway) or go with the ones from factory package?
If you are able to write full flash with qtools make sense. But you have to erase EFS and load a dummy one to avoid IMEI overlap
Can you share qtools command used to dump? I don’t have too much success
I hope that the original IMEI had survived at the time being. If not, I have one to spare, from its original case. The router board did not survive, it was the parts donor for other board. I'll play with that once I get successful boot. And if it did get overwritten during the previous SB3.0 runs, then loading dummy QCN will be easy.
Regarding the command to dump:
qrflash.exe -k12 -s@ -o mf286d_modem.bin -pXI must have missed something, because individual partitions are written to disk anyway.
And, surprise surprise - contents of EFS2 and EFSBAK partitions is the same, though through ADB working modems wouldn't give up the first one, they happily give up the backup. So it turns out, that I actually have proper backups of my modems :-D
@stich86, could you show your partition table? I feel that something is off with mine.
This is what I extracted from partition.mbn from the recovery folder:
============================================================
00 8 000002 ff 01 00 fe LNX 0:SBL
01 6 000004 ff 01 ff fe LNX 0:MIBIB
02 2800 000400 ff 01 00 ff LNX 0:EFS2
03 bb8 00012c ff 01 00 ff LNX 0:TZ
04 bb8 000100 ff 01 00 ff LNX 0:RPM
05 2800 000400 ff 01 00 ff LNX 0:EFSBAK
06 300 000032 ff 01 00 ff LNX 0:aboot
07 3800 000400 ff 01 00 ff LNX 0:boot
08 32 000032 ff 01 00 ff LNX 0:SCRUB
09 11170 0009c4 ff 01 00 ff LNX 0:modem
10 4d4 000100 ff 01 00 ff LNX 0:misc
11 3800 000400 ff 01 00 ff LNX 0:recovery
12 4d4 000100 ff 01 00 ff LNX 0:fota
13 9c00 000400 ff 01 00 ff LNX 0:recoveryfs
14 4e20 0007d0 ff 01 00 ff LNX 0:ZTEFILE
15 21c00 002800 ff 01 00 ff LNX 0:ZTERW
16 ffffffff 00ffff ff 01 00 ff LNX 0:system
============================================================I hope that the original IMEI had survived at the time being. If not, I have one to spare, from its original case. The router board did not survive, it was the parts donor for other board. I'll play with that once I get successful boot. And if it did get overwritten during the previous SB3.0 runs, then loading dummy QCN will be easy.
Regarding the command to dump:qrflash.exe -k12 -s@ -o mf286d_modem.bin -pXI must have missed something, because individual partitions are written to disk anyway.
And, surprise surprise - contents of EFS2 and EFSBAK partitions is the same, though through ADB working modems wouldn't give up the first one, they happily give up the backup. So it turns out, that I actually have proper backups of my modems :-D
@stich86, could you show your partition table? I feel that something is off with mine.
This is what I extracted from partition.mbn from the recovery folder:============================================================ 00 8 000002 ff 01 00 fe LNX 0:SBL 01 6 000004 ff 01 ff fe LNX 0:MIBIB 02 2800 000400 ff 01 00 ff LNX 0:EFS2 03 bb8 00012c ff 01 00 ff LNX 0:TZ 04 bb8 000100 ff 01 00 ff LNX 0:RPM 05 2800 000400 ff 01 00 ff LNX 0:EFSBAK 06 300 000032 ff 01 00 ff LNX 0:aboot 07 3800 000400 ff 01 00 ff LNX 0:boot 08 32 000032 ff 01 00 ff LNX 0:SCRUB 09 11170 0009c4 ff 01 00 ff LNX 0:modem 10 4d4 000100 ff 01 00 ff LNX 0:misc 11 3800 000400 ff 01 00 ff LNX 0:recovery 12 4d4 000100 ff 01 00 ff LNX 0:fota 13 9c00 000400 ff 01 00 ff LNX 0:recoveryfs 14 4e20 0007d0 ff 01 00 ff LNX 0:ZTEFILE 15 21c00 002800 ff 01 00 ff LNX 0:ZTERW 16 ffffffff 00ffff ff 01 00 ff LNX 0:system ============================================================
i'll try to dump this evening, both my MF286D now are installed so i've to unmount one of them to do the flash layout dump
Strony Poprzednia 1 … 19 20 21 22 23 … 36 Następna
Zaloguj się lub zarejestruj by napisać odpowiedź
eko.one.pl → Sprzęt / Hardware → Modem od routera MF286D
Forum oparte o PunBB, wspierane przez Informer Technologies, Inc