不TP修复A65开机蓝屏闪一下故障
不TP修复A65开机蓝屏闪一下故障有本地网友求助,正好自己有DCA-510刷机线,又刷(破解)过自己的水货M65,就拿来看下。先用V_Klay 3.3和Freia 1.5连都连不上,但能检测到开机,和我自己那台死翘翘的M55不一样,那台一点反应也没有;SST则缺少一个啥DLL,不能用。再试验,用Joker V0343连上了,感觉有戏:
HWID: 230 (A65)
A65C lg8 Sw06 16.09.04 18:13:12
IMEI: 354495003396383
DisplayID: 37, Philips Epson S1D15G14
Code(05): OTP closed
Code(08): BootKEY is unknown
Code(0D): Keys are registered in BCORE
Code(10): Minimal access to BFB
Code(15): Complete condition
Code(19): Monitoring is switched on
Code(1D): Blocks 5121,5122,5123 are present
Battery Voltage 3896 mV.
SecurityMode: Customer
当时想,没有BKey,也没有SST,估计刷FullFlash有困难,就按“A65起死回生全过程”教程试验下DEFRAG EEP 看看可行,操作成功了,但手机还是起不来,失败!再想还是先备份下FullFlash比较稳妥,就最高速921600读出来了
然后根据我刷M65的经验,最关键是算BKey和SKey,用Calc SKey一算:
Test and Calc Skey...
Skey not found! BCORE HASH incorrect for this phone FSN!
Use ReCalc Keys in BCORE!
看来就是硬刷的FullFlash,这里我把概念稍微说下,详细的要到65版看“刷机死机及暴力破解水机的修复及解锁”教程(http://mobile.0110.cn/viewthread.php?tid=212840&extra=page%3D7)。西门子为了防止玩家刷机,后来的型号或版本升级成需要BKey才能联机进行敏感操作,SKey则是用来特殊操作的。手机的Flash里面有个IMEI和HASH,不管是BKey还是SKey,都需要算法和这两个值比对符合才算通过,手机里OTP的IMEI是写过就不能再改的,硬刷的FullFlash是别的机子的,写进去必然导致和HASH不匹配,算不出可用的BKey和SKey,这时候唯一的办法就自己写个SKey,算出HASH来,再把手机里面的HASH也改了,那就通了(但是这个软件为什么能不用Key或TP就能改HASH这种敏感部位,我就搞不懂了)。如果这个办法不奏效,那就只有TP了。
在这之前,我已经把A65打开了,找到了TP点,但实在是太细小了,年纪大了,眼神又不济,感觉要操作很困难。仔细想想,还是ReCalc Keys,拼人品吧。一点重算键(用OTP IMEI),不想这软件不象后来的x65PapuaUtils还问你要不要写,直接就重新刷Flash了:
Start...
Cancel.
Start...
Loa由于非常钦佩楼主,不得不说声好! BootsModel(A65)...
Sen由于非常钦佩楼主,不得不说声好! StartBoot Ok.
Sen由于非常钦佩楼主,不得不说声好! MainBoot Ok.
Com3 115200 BAUD: Ok.
SIEMENS A65C lg8 Sw06
Soft FlashID: 0089/8856
FlashID: 0089/8856
Flash Size: 16Mb
Region(1): Blocks 255, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0x7C0000
FSN: 334C8A3C -> PhoneID: 3C8A4C33
OTP IMEI: 354495003396383
HASH: 56A175B3751BD7CFEC9C95DE1AF1688C
Read EEP0067 block (ver00), size 20 bytes - Ok.
Read EEP0076 block (ver00), size 10 bytes - Ok.
Read EEP5005 block (ver00), size 64 bytes - Ok.
Read EEP5007 block (ver00), size 10 bytes - Ok.
Read EEP5008 block (ver00), size 224 bytes - Ok.
Read EEP5009 block (ver00), size 10 bytes - Ok.
Read EEP5012 block (ver00), size 12 bytes - Ok.
Read EEP5077 block (ver00), size 232 bytes - Ok.
Read EEP5093 block (ver00), size 76 bytes - Ok.
Read EEP5121 block (ver00), size 56 bytes - Ok.
Read EEP5122 block (ver00), size 6 bytes - Ok.
Read EEP5123 block (ver00), size 12 bytes - Ok.
EEPROM blocks is written in ".\Backup\A65Clg8Sw06_Backup080527221302.eep" file.
12 factory EEP blocks are read out and are saved.
Start...
Loa由于非常钦佩楼主,不得不说声好! BootsModel(A65)...
Sen由于非常钦佩楼主,不得不说声好! StartBoot Ok.
Sen由于非常钦佩楼主,不得不说声好! MainBoot Ok.
Com3 115200 BAUD: Ok.
SIEMENS A65C lg8 Sw06
Soft FlashID: 0089/8856
FlashID: 0089/8856
Flash Size: 16Mb
Region(1): Blocks 255, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Start EEPROM segments at addres 0x7C0000
FSN: 334C8A3C -> PhoneID: 3C8A4C33
OTP IMEI: 354495003396383
HASH: 56A175B3751BD7CFEC9C95DE1AF1688C
Use OTP IMEI: 354495003396383
USE SKEY: 12345678
*#0000*12345678# - Network Lock
*#0001*12345678# - Service Provider Lock
*#0002*12345678# - Corporate Code
*#0003*12345678# - Phone Code
*#0004*12345678# - Network Subset Lock
*#0005*12345678# - Only Sim
Read BCORE addr: 0x800000 size: 0x010000...
BCORE backup in ".\Backup\A65Clg8Sw06_BCORE_080527221411.bin" file.
Write BCORE at addr: 0x800000...
Change BCORE HASH - Ok.
Read EEPROM addr: 0x7C0000 size: 0x030000...
EEPROM backup in ".\Backup\A65Clg8Sw06_EEPROM_080527221434.bin" file.
Write EEPROM addr: 0x7C0000 size: 0x030000...
Change BOOTKEY - Ok.
Change EEP0076 - Ok.
Change EEP5009 - Ok.
Change EEP5077 - Ok.
Change EEP5121 - Ok.
Change EEP5122 - Ok.
Change EEP5123 - Ok.
Start...
Cancel.
Start...
Loa由于非常钦佩楼主,不得不说声好! ServiceBoot...
Sen由于非常钦佩楼主,不得不说声好! ServiceBoot Ok.
BFB Speed 115200 Baud - Ok.
HWID: 230 (A65)
A65C lg8 Sw06 16.09.04 18:13:12
IMEI: 354495003396383
DisplayID: 37, Philips Epson S1D15G14
Code(05): OTP closed
Code(09): BootKEY is written in EEPROM
Code(0D): Keys are registered in BCORE
Code(10): Minimal access to BFB
Code(15): Complete condition
Code(19): Monitoring is switched on
Code(1C): Block 5123 is not found
Battery Voltage 3882 mV.
SecurityMode: Customer
刷进去了,注意上面重启动后“BootKEY is written in EEPROM”,但是手机还是起不来,看来还是要刷FullFlash了,还没下载呢,天已经晚了,且待第二天了。
第二天我想了想,先把备份的EEP重新刷回去,恢复原状,这样除了Key重写过,还是原样,不过也还是起不来。
下载FullFlash,到处找,真不容易,同时也搜索网页看相关资料,看E文网页了解到Joker V0343版本刷A65的FullFlash有问题,而0295版本可以,下载了一个(http://papuas.allsiemens.com/JokerV0295.rar)。在某论坛注册,下载了一个 中维51在线_A65_SST 测试OK.rar。从网页资料看,A65的Flash芯片分AMD和Intel的,还不能写错,这个A65的 FlashID: 0089/8856,找到页面说是Intel的,但我下载的这个FullFlash到底是哪种呢?我可不想先刷刷看再说,搞不好就挂了,不过这也难不到我,用Smeleter v7.89打开bin文件一看:
Fullflash :E:\DIY\西门子手机\M55\刷机工具\A65_FullFlash\A65_SST 测试OK.bin
大小 :1000000 = 16M = 16777216
固件 :A65C v7 lg8
加载基点 :0
手机 :A65C
装配日期 :19.10.04 / 14:40:47
FlashID :0089/8856 = 5689
再和我保存的FullFlash比较:
E:\DIY\西门子手机\M55\刷机工具\JokerV0295\A65Clg8Sw06_00-100_FF.bin
大小 :1000000 = 16M = 16777216
固件 :A65C v6 lg8
加载基点 :0
手机 :A65C
装配日期 :16.09.04 / 18:13:12
FlashID :0089/8856 = 5689
FlashID匹配,都是Intel的,语言lg8也匹配,版本新的是7老的是6,刷应该没问题。昨天看手机电压3882 mV不太够,用手机自己充,一晚上没充进去,改用万能充,进去了。改用0295版本刷,为保险起见,再用该版本最高速备份FullFlash一次,并把各个局部也备份了下,然后用115200速度开刷,选项是除了ReCalc Keys都勾上:
Open file "E:\DIY\西门子手机\M55\刷机工具\A65_FullFlash\A65_SST 测试OK.bin" for write in Flash.
FullFlash file used FlashID: 0089/8856
Start...
Loa由于非常钦佩楼主,不得不说声好! BootsModel(A65)...
Sen由于非常钦佩楼主,不得不说声好! StartBoot Ok.
Sen由于非常钦佩楼主,不得不说声好! MainBoot Ok.
Com3 115200 BAUD: Ok.
SIEMENS A65C lg8 Sw06
FlashID: 0089/8856
Flash Size: 16Mb
Region(1): Blocks 255, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Window RAM block: 4096Kb
Start EEPROM segments at addres 0x7C0000
FSN: 334C8A3C -> PhoneID: 3C8A4C33
OTP IMEI: 354495003396383
HASH: 14A1A1E4323DEC7ACA968AD1C8A18CE4
Read EEP0067 block (ver00), size 20 bytes - Ok.
Read EEP0076 block (ver00), size 10 bytes - Ok.
Read EEP5005 block (ver00), size 64 bytes - Ok.
Read EEP5007 block (ver00), size 10 bytes - Ok.
Read EEP5008 block (ver00), size 224 bytes - Ok.
Read EEP5009 block (ver00), size 10 bytes - Ok.
Read EEP5077 block (ver00), size 232 bytes - Ok.
Read EEP5121 block (ver00), size 56 bytes - Ok.
Read EEP5122 block (ver00), size 6 bytes - Ok.
Read EEP5123 block (ver00), size 12 bytes - Ok.
EEPROM blocks is written in ".\Backup\A65Clg8Sw06_Backup080528205019.eep" file.
Restore EEP0067 - Ok.
Restore EEP5005 - Ok.
Restore EEP5007 - Ok.
Data file "E:\DIY\西门子手机\M55\刷机工具\A65_FullFlash\A65_SST 测试OK.bin".
Write Flash addr: 0x000000 size: 0x1000000 - Ok.
刷好重启动,还是不起来,再进service模式看:
Start...
Loa由于非常钦佩楼主,不得不说声好! ServiceBoot...
Sen由于非常钦佩楼主,不得不说声好! ServiceBoot Ok.
HWID: 230
A65C lg8 Sw07 19.10.04 14:40:47
IMEI: 354495003396383
FlagStatus: 0
DisplayID: 37, Philips Epson S1D15G14
Code(05): OTP closed
Code(08): BootKEY is unknown
Code(0D): Keys are registered in BCORE
Code(10): Minimal access to BFB
Code(15): Complete condition
Code(19): Monitoring is switched on
Code(1D): Blocks 5121,5122,5123 are present
Battery Voltage 3978mV.
SecurityMode: Customer
我注意到BootKEY is unknown,再Cacl SKey看下
Start...
Loa由于非常钦佩楼主,不得不说声好! BootsModel(A65)...
Sen由于非常钦佩楼主,不得不说声好! StartBoot Ok.
Sen由于非常钦佩楼主,不得不说声好! MainBoot Ok.
Com3 115200 BAUD: Ok.
SIEMENS A65C lg8 Sw07
FlashID: 0089/8856
Flash Size: 16Mb
Region(1): Blocks 255, Size 64Kb
Region(2): Blocks 8, Size 8Kb
Window RAM block: 4096Kb
Start EEPROM segments at addres 0x7C0000
FSN: 334C8A3C -> PhoneID: 3C8A4C33
OTP IMEI: 354495003396383
HASH: 14A1A1E4323DEC7ACA968AD1C8A18CE4
Boot terminated...
Calk Skey...
BOOTKEY: 7A525C0778884CB8D64EF14BF59F36FE
SKEY: 12345678
说明没问题啊,HASH没问题,用Keys应该是可以连的。本来还想看看是不是需要什么别的修复办法,是不是要调对比度什么的。但是我想前面我已经把BKey写进EEPROM了,现在又unknown没了,还是先把BKey写进去再说。为了保险起见,我又用开始的0343版本Recalc All Keys,不想原来能写进去,这次不行了,干脆一不做二不休,用论坛下载的最新的V0356b Inofficial版本来刷吧,这下成功了,再一开机,哈哈,起来了,拿自己的Sim卡上去测试下接电话收短信都没问题,也能充电,成功了!后来给机主,他还说7版本比6版本快很多呢。
其实回顾开始,当初用V0295版刷的时候,要选中ReCalc Keys,估计一次就解决了。不TP就能联机刷,也不知道是不是要看运气,反正我搜索时看到SX1就算有了BKey和SKey,还是要TP才能刷,看来刷机只能具体到时候看了,但是原理要弄懂,出现异常才好找到解决办法,备份虽然我这次没用到,还是建议大家注意。另外55系列的软件,好像除了这个Joker都不能用BKey联机,那一般只有TP,不知道如果BKey写进去EEPROM了,这些软件可能直接刷,没时间不试验了。 是转贴吗?没看太明白!。。。怎么还有对话? 我就是那个机主,大哥很会替别人着想,真是好人!!!!!!!! 原帖由 flyloveyaya 于 2008-6-3 12:44 发表 http://mobile.0110.cn/images/common/back.gif
是转贴吗?没看太明白!。。。怎么还有对话?
不是,是原创
“由于非常钦佩楼主,不得不说声好!”=“ding”
我对这个论坛编程的人也不得不佩服啊,你要替换也在单词级别替换啊,居然就单词就能切割开替换。。。。
[ 本帖最后由 wdq4587 于 2008-6-3 15:30 编辑 ]
页:
[1]