LG KM900 Arena - Firmware Modifizieren (Fraggers Bastelstube)

[Fragger255 0]

ìch bekomme seid Stunden/Tagen/Wochen keine verbindung mit meinem Km900 hin. PCSuite funzt, Wechseldatenträger funzt, jedoch funzt es nicht wenn ich das ks360 oder das kp500 oder das Flashtool nutzen möchte, es kommt immer ein Timeout oder im ks und Kp tool, "For NAND systems an EBl must used(oder so ähnlich)). Hab vorhin alle Treiber neu installiert ändert aber am fehler nur wenig,.

Wenn ich mein Handy ohne Akku und Sim anstecke, erscheint im Hardware Manager nur kurz der Flash Utility Treiber ist das richtig so, nach ca 5s verschwindet er wieder .

Treibervers.

Modem Treiber 4.9.4

Flas Usb treiber 1.0.0.6

oder hat es vielleicht damit was zu tun das ich ne flb Datei von ner Vodafone Fw hab, selbst aber ne O2 fw drauf hab ? und er deshalb meine Datei nicht nimmt?

oder hat jemand die flb datei für die aktuelle O2 FW?

das ichs malmit der ausprobieren könnte?

EDI>T hab im inet gefunden das es an der Treiberinstallation liegen muss.

Kann mir jemand genau die Treiber verlinken welche ich benutzen muss?

ich weiss nich 100%ig obs jetzt geht, aber ich glaube man darf auf garkeinen Fal die IFWD_.. .dll in dem kp500 ordner ersetzen,. !!

mhh

die CUST Theme wird fast komplett erstellt dann kommt ein timeout?! woran liegt das denn ?

€dit:

weiss oder hat dazu keiner was?

es ladet bis 70% die datei herunter, im ks und kp tool , wie auch im flashtool,., dann brichts ab mit nem Timeout

Edit von xPatriicK // https://www.handy-faq.de/forum/lg_km900_arena_forum/106119-lg_km900_arena_firmware_modifikation_methode_1_a.html

bearbeitet July 12, 2010 von pzumk

[pbalanq 0]

In the dynamic part, you found many informations about SSH, but it seems work with Usim :-((((

But i found to command on UDP and try to open the communication on this way !

thisd file is my dynamic part ( hong-kong open V10b_00 )

https://www.megaupload.com/?d=QR7JPI43

I know nothing on SSH or UDP communication :-(((

I found to that the amdoem part is a boot disk with the description like windows 95 or 98 !

very strange way ;-))) I explore all the part unreadable with edithexa to found some key to open the IP communication ;-)))

I try your test user but nothing work ...

[iulica1122 0]

I'm wondering if they really mean SSH. Where did you find something about UDP?

Are you able to get a login prompt? If so, how did you get it?

[pbalanq 0]

2009-08-26 22:26:18.437 WinSCP Version 4.2.1 (Build 428) (OS 5.1.2600 Service Pack 3)

. 2009-08-26 22:26:18.437 Login time: mercredi 26 août 2009 22:26:18

. 2009-08-26 22:26:18.437 --------------------------------------------------------------------------

. 2009-08-26 22:26:18.437 Session name: root@192.168.0.110

. 2009-08-26 22:26:18.437 Host name: 192.168.0.110 (Port: 21)

. 2009-08-26 22:26:18.437 User name: root (Password: Yes, Key file: No)

. 2009-08-26 22:26:18.437 Tunnel: No

. 2009-08-26 22:26:18.453 Transfer Protocol: FTP

. 2009-08-26 22:26:18.453 Ping type: C, Ping interval: 30 sec; Timeout: 15 sec

. 2009-08-26 22:26:18.453 Proxy: none

. 2009-08-26 22:26:18.453 FTP: FTPS: None; Passive: No

. 2009-08-26 22:26:18.453 Local directory: default, Remote directory: home, Update: No, Cache: Yes

. 2009-08-26 22:26:18.453 Cache directory changes: Yes, Permanent: Yes

. 2009-08-26 22:26:18.453 DST mode: 1

. 2009-08-26 22:26:18.453 --------------------------------------------------------------------------

. 2009-08-26 22:26:18.531 Connecting to 192.168.0.110 ...

. 2009-08-26 22:26:19.578 Aucune connexion n'a pu être établie car l'ordinateur cible l'a expressément refusée.

. 2009-08-26 22:26:19.578 Connection failed.

* 2009-08-26 22:26:19.593 (ESshFatal) Connection failed.

* 2009-08-26 22:26:19.593 Aucune connexion n'a pu être établie car l'ordinateur cible l'a expressément refusée.

* 2009-08-26 22:26:19.593 Connection failed.

give me some command in UDP mode, I try it

idem in SSH

[iulica1122 0]

I think there is no SSH-daemon ... I only get connection refused, just as you get.

SSH via UDP is senseless, you normally need TCP.

I did a portscan, there are no open ports on the Arena.

I think, SSH is the wrong path.

EDIT: Is there any application, with which I can open any port on the Arena?

[kapu 0]

Do think you could upload a firmware with full java rights?

[pbalanq 0]

@iulica1122 : some expression in dynamic part. If something tell to you explain us !

the best way to test is go on internet and navigate ... on handy-faq.de ;-))) and testing upd or SSH during this time.

@open_udp_socket: opening udp socket

@udp_set_nsapi: nsapi = %d

ip_input: UDP packet to DHCP client port %u

@udp_bind(ipaddr = %u.%u.%u.%u , port = %u)

EIPERF UDP Client: Start h¾tEMode Index ==> %d Error: IPERF Semaphore Init fail

UDP: Total %d data (%d bytes) is sent

IPERF UDP Client: End

tx_tcp_fill = %d

tx_udp_fill = %d

tx_icmp_fill = %d

rx_iph_good = %d

rx_iph_bad = %d

rx_tcp_good = %d

rx_tcp_bad = %d

rx_udp_good = %d

rx_udp_bad = %d

rx_icmp_good = %d

rx_icmp_bad = %d

tx_tcp_errinj = %d

tx_udp_errinj = %d

tx_icmp_errinj = %d

rx_tcp_errinj = %d

rx_udp_errinj = %d

rx_icmp_errinj = %d

[iulica1122 0]

I'll take a look at that later...

At the moment, I'm playing around with the USB Test Options in the Service Menü, if you check out the "AMD" menu, you'll see, it sounds interesting, however, I could not yet access the OEM partition.

And it's draining my battery.

[pbalanq 0]

I already test this part but I can't access to these partitions

[Fragger255 0]

can we not use a brute force attack?

when i have moe time next week, i would install new widgets,

@pbalanq a few pages before, is a tut, how do you can change the java rights on your phone,

[pbalanq 0]

I think :

Widget call aren't include in data base, it will be possible that widget applications can be called by java internal server !

https://127.0.0.1:8088/test/getNextApp.jad

https://%s/JdtsServer/jad/1/getNextApp.jad

The system is scannig folder for found applications.

Other information : cust part = /sys/ in the mobile reference

[pbalanq 0]

do you know that ?

Cairo 1.4.12

https://bugs.freedesktop.org/enter_bug.cgi?product=cairo

[Fragger255 0]

when widgets are called by internal server, can i load widgets in the widget folder, and hope that the system them will been accept?

or what do you mean ?

i cant open your link

[pbalanq 0]

I think it's one of the condition !

I have a firmware from orange FR. In the root part i have the widget "weather" but we can't use it from the widget screen.

at this time I don't know where is the main calling process for widget.

freedesktop cairo seem to be called from the dynamic part of firmware, for inform someone that the system bugg !

I found in the dinamic part the full list of command of an operating system. But it seems be use for call settings for the mobile

ver get version information

cmds generate a short list of available commands

up reinitialize and mark adapter up (operational)

down reset and mark adapter down (disabled)

out mark adapter down but do not reset hardware(disabled)

On dualband cards, cards must be bandlocked before use.

clk set board clock state.

return error for set_clk attempt if the driver is not down

0: clock off

1: clock on restart Restart driver. Driver must already be down.

reboot Reboot platform radio Set the radio on or off.

"on" or "off"

dump Give suboption "list" to list various suboptions

srclear Clear the srom

srdump print contents of SPROM to stdout

optional byte count may be used to specify SPROM size

srwrite Write the srom:

srwrite byteoffset value

ciswrite Write specified <file> to the SDIO CIS source (either SROM or OTP)

cisdump Display the content of the SDIO CIS source

-b <file> -- also write raw bytes to <file>

<len> -- optional count of bytes to display (must be even)

cis_source Display which source is used for the SDIO CIS

nvram_dump print nvram variables to stdout

nvset set an nvram variable

name=value (no spaces around '=')

nvget get the value of an nvram variable nvram_get

revinfo get hardware revision information

msglevel set driver console debugging message bitvector

type 'wl msglevel ?' for values PM set driver power management mode:

0: CAM (constantly awake)

1: PS (power-save)

2: FAST PS

mode wake set driver power-save mode sleep state:

0: core-managed

1: awake

promisc set promiscuous mode ethernet address reception

0 - disable

1 - enable monitor

set monitor mode

0 - disable

1 - enable active monitor mode (interface still operates) frag Deprecated.

Use fragthresh. rts Deprecated. Use rtsthresh.

cwmin Set the cwmin. (integer [1, 255])

cwmax Set the cwmax. (integer [256, 2047])

srl Set the short retry limit. (integer [1, 255])

lrl Set the long retry limit. (integer [1, 255])

rate force a fixed rate:

valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)

valid values for 802.11b are (1, 2, 5.5, 11)

valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

mrate force a fixed multicast rate:

valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)

valid values for 802.11b are (1, 2, 5.5, 11)

valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

a_rate force a fixed rate for the A PHY:

valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

a_mrate force a fixed multicast rate for the A PHY:

valid values for 802.11a are (6, 9, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

bg_rate force a fixed rate for the B/G PHY:

valid values for 802.11b are (1, 2, 5.5, 11)

valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

bg_mrate force a fixed multicast rate for the B/G PHY:

valid values for 802.11b are (1, 2, 5.5, 11)

valid values for 802.11g are (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54)

-1 (default) means automatically determine the best rate

infra Set Infrastructure mode: 0 (IBSS) or 1 (Infra BSS)

ap Set AP mode: 0 (STA) or 1 (AP)

bssid Get the BSSID value, error if STA and not associated

bssmax get number of BSSes channel Set the channel:

valid channels for 802.11b/g (2.4GHz band) are 1 through 14

valid channels for 802.11a (5 GHz band) are:

36, 40, 44, 48, 52, 56, 60, 64,

100, 104, 108, 112, 116,120, 124, 128, 132, 136, 140,

149, 153, 157, 161,

184, 188, 192, 196, 200, 204, 208, 212, 216

cur_mcsset Get the current mcs set

chanspecs Get all the valid chanspecs (default: all within current locale):

-b band (5(a) or 2(b/g))

-w bandwidth, 10,20 or 40

[-c country_abbrev]

chanspec Set <channel>[a,b][n][u,l]

channel number (0-224)

band a=5G, b=2G, default to 2G if channel <= 14

bandwidth, n=10, non for 20 & 40

ctl sideband, l=lower, u=upper

OR Set channel with legacy format:

-c channel number (0-224)

-b band (5(a) or 2(b/g))

-w bandwidth, 10,20 or 40

-s ctl sideband, -1=lower, 0=none, 1=upper

dfs_channel_forced Set <channel>[a,b][n][u,l]

channel number (0-224)

band a=5G, b=2G, default to 2G if channel <= 14

bandwidth, n=10, non for 20 & 40

ctl sideband, l=lower, u=upper

tssi Get the tssi value from radio

txpwr Set tx power in milliwatts. Range [1, 84].

txpwr1 Set tx power in in various units. Choose one of (default: dbm):

-d dbm units

-q quarter dbm units

-m milliwatt units

Can be combined with:

-o turn on override to disable regulatory and other limitations

Use wl txpwr -1 to restore defaults txpathpwr Turn the tx path power on or off on 2050 radios

txpwrlimit Return current tx power limit powerindex Set the transmit power for A band(0-63).

-1 - default value

atten Set the transmit attenuation for B band. Args: bb radio txctl1.

auto to revert to automatic control

manual to supspend automatic control

phyreg Get/Set a phy register:

offset [ value ] [ band ] radioreg Get/Set a radio register:

offset [ value ] [ band/core ] ucflags Get/Set ucode flags 1, 2, 3(16 bits each)

offset [ value ] [ band ] shmem Get/Set a shared memory location:

offset [ value ] [band ] macreg Get/Set any mac registers(include IHR and SB):

macreg offset size[2,4] [ value ] [ band ]

ucantdiv Enable/disable ucode antenna diversity (1/0 or on/off)

gpioout Set any GPIO pins to any value. Use with caution as GPIOs would be assigned to chipcommon

Usage: gpiomask gpioval

ampdu_tid enable/disable per-tid ampdu;

usage: wl ampdu_tid <tid> [0/1]

ampdu_send_addba send addba to specified ea-tid;

usage: wl ampdu_send_addba <tid> <ea>

ampdu_send_delba send delba to specified ea-tid;

usage: wl ampdu_send_delba <tid> <ea>

ampdu_clear_dump clear ampdu counters dpt_deny adds/removes ea to dpt deny list

usage: wl dpt_deny <ea> <add,remove>

dpt_endpoint creates/updates/deletes dpt endpoint for ea

usage: wl dpt_endpoint <create, update, delete> <ea>

and so on but it's to hard to read ;-))))

[Fragger255 0]

wow thats nice, can you tell me in wich file you have found that and what you have all inscpectet?

[pbalanq 0]

In the dynamic part.

It seem that the amdoem part have a booting part. If we can dowload this part in the mobile, we can test another OS ;-)

[Fragger255 0]

yeah, but how does de download drom this partition works? have you the bytes?

[pbalanq 0]

You need to analyse the file 01_psi_large_block_16_bit_paging.flb of your firmware to get address and length of each part. I explain how to reach address in the forum : forum mobile [ GC900 Firmware ] and many other things.

[Fragger255 0]

which dynamic oart do you mean, i cant fopund this files in de amd_oem, amd_bl1, amd_data; root oder cust partition

i cant open oder update the database over the service menu, always the message appears "Failure"

bearbeitet August 31, 2009 von Fragger255

[iulica1122 0]

I need to download to the phone a modified version of the following file:

Cust-Partition\LGAPP\Media\Flex\OPEN\Flex_GB.ini

Is is possible and if yes, how shall I proceed best? Thanks

EDIT: Seems to work ...

bearbeitet August 31, 2009 von iulica1122

[Fragger255 0]

yeah its possible, you can change what you want.