
Root [Merit] ZTE Merit Touchscreen Bricked after *983*29873283# code

Hey beth, I have 3 merits that I want to get unlocked via the method you tried. I remember that getting to the black screen was easy when I first did it, but the ones I have now are seemingly hard to get to go black. Can you post what you did to get it to go black? I have tried the same steps I did before but they aren't working; I am starting to think that Tracfone may have patched those holes with newer merits.

You said to put the avail card image on the sdcard in the image folder. Shut down then hold home up volume and power. It does a flash to 100% fails and a black screen.

I did it installing avail stock, didn't work with stocknet10. The screen went black, as in, it just powered off. When I rebooted nothing changed. Did get that com port briefly but then it finished booting.

In qpst tools and that unlock proggy from madaco you can get a com port dialing *983*87274 select only diag. But then it goes to 4% says to turn off phone, remove battery hold down volume and reconnect to PC. I tried but it kept restarting after second logo. If you do nothing it tries itself but nothing happens.

I really want to unlock it for my bf. His phone is a cheapo. We live 45 min from Walmart, and CC fees is not worth it.
 
Wanted to actually see if I could unlock the phone with a program I got a hold of that is for unlocking the avail. Don't really care if it is bootloader or FTM, according to these programs it has to be FTM anyways.

Tried resetting the flag, even tried through File Manager w/root, got as far as being able to change from 0 to 1 with that program but as soon as I exited out it went right back to 0.

Even tried all of the suggestions mcmelln, held the home up volume and power at the same time, did the image update thingy that he had posted, got the blank screen. Pulled the battery out and plugged in to pc while holding all different combinations of buttons.

Everything but the FTM mode worked, even when I did the *983*87274 and selected only diaglog, showed as com port.

At one point it almost acted as it was going to get to FTM, the unlock software went from 4% to 6% while on the bootlogo, then lost my com port and the phone just rebooted.

I guess I can be hard headed when it comes to seeing if something works, for example, got a new china tablet from Irulu, 512mb app storage, 2.11gb phone storage.

Read it couldn't be rooted, I rooted it.

Read that the MTK6572 app storage could not be extended all the way to the phone storage. One on XDA said that it wasn't worth the root, shoot...

Heh, pulled the EBR1 figured out how to do that in a hex editor, went from 512mb to 2.5mb for app storage. Looked all over the web how to do it, couldn't find anybody that either knew how or was willing to write a tutorial, or kept saying you had to edit the MBR, wrong, just the EBR1

Wrote a tutorial myself :)

Elizabeth's Blogger Wikis: Tutorial: How to increase partition on MediaTek Tablets MTK6572, MTK6577 and others

I guess I was seeing the nand storage as a sdcard or pc harddrive because of that.

yeah, all i meant was that you'll just give yourself a headache worrying with FTM for this phone. you're not the first one to go down the rabbit hole here lol. i wish i had more info to give you.

you can take a look at the attached file inside the zip--this is the file board file for the roamer kernel.

zte messed with usb settings for all its phones in gb, as well as altered the code to use the i2c chip to control for the bridge between the kernel and the actual hardware. there are other i2c devices that don't do what this one does. zte just has a way of fudging everything up with their devices and the kernel.

they don't even release complete kernel sources most of the time as they purposely remove headers and alter builds to use proprietary headers from non-open source code. i really like the simplicity of their devices, but, they are horrible when it comes to actually being a contributive member of the development community...
 

I got this new tablet sim unlocked. It was so easy to root install cwm and mod the ebr1. So easy it took me a month to figure it out. Wish I got this first. Could have gotten 2 for what I paid for the merit and had $30 left.
 
I have seen this phone do odd things, for example:

One of area51 root methods actually let you plug the phone in and turn it all the way on without the battery in, when you try with stock or any new root methods it doesn't work.

Also, there was a code I entered once that said it would sim unlock the phone, this was just before I bricked the touchscreen, and you know, it worked kinda. It didn't unlock it but when I put a at&t sim in, didn't give me the PUK message, just showed a message invalid sim while in lock screen mode. Let me log in, think it was an older root method from area51 that let me do those things.

Also the fact that the *983*AXUPDATE works using an avail rom but not a net10 rom.
 
the differences between devices lies in the other partitions that are not mounted in /root by the system.

oem and misc and persist

these differ from carrier i'm sure. a dd pulls the whole partition which will always be the same size on all devices, but the contents are different. i've checked the .img's in a hex and they are indeed different.

there is no known way to mount these .img's as loop devices to see what's on them. i'd really like to figure out a way to extract them or mount them that way i could mesh with the splash screen and update to the open source charger, among other things...
 
When i do this i get a fota which is not present on the merit, but ever since i converted the merit to an avail it is on mine.
$ su
# cat proc/mtd
dev: size erasesize name
mtd0: 00600000 00020000 "recovery"
mtd1: 00400000 00020000 "boot"
mtd2: 00180000 00020000 "splash"
mtd3: 00080000 00020000 "misc"
mtd4: 03980000 00020000 "cache"
mtd5: 0dc00000 00020000 "system"
mtd6: 0a280000 00020000 "userdata"
mtd7: 00100000 00020000 "oem"
mtd8: 00180000 00020000 "persist"
mtd9: 00f00000 00020000 "fota"
 
Did you ever put net10 back on and do that?
 
mclln-7 I saw the pic you posted here holding the phone in FTM mode.

I was wondering, did you have a simcard in at the time?

Did you try with a at&t sim?

Did you have st service?

I lost my st sim some time ago so not sure what would happen.
 
When I do a Google search for ftm z990g, there are two posts where you say, "I got ftm mode when I turned the phone to avail".

Did you flash avail stock or a rooted avail first via ADB or recovery?

Were you using z990g stock or rooted rom?

Was your phone rooted when you got FTM?

Did you flash that v880 ROM posted with the other files?

Heh trying to refresh your memory.
 
Hey again beth (I've been calling you beth and I hope it's ok hehe), to answer your first post, when I do cat proc/mtd on the merit that is not unlocked yet I get this:

# cat proc/mtd
cat proc/mtd
dev: size erasesize name
mtd0: 00600000 00020000 "recovery"
mtd1: 00400000 00020000 "boot"
mtd2: 00180000 00020000 "splash"
mtd3: 00080000 00020000 "misc"
mtd4: 03980000 00020000 "cache"
mtd5: 0dc00000 00020000 "system"
mtd6: 0a280000 00020000 "userdata"
mtd7: 00100000 00020000 "oem"
mtd8: 00180000 00020000 "persist"
#

while on the merit that we were able to flash/unlock originally gives the output I posted last night. I do not have any of the merits on stock merit roms, I have them on an avail stock rom but I lock my merit stock rom so I can't flash it back.

for your second question; it does not matter what sim card you have to get ftm, that picture was taken after we were able to flash/unlock/convert the merit to an avail. as I do not live in the US I don't have US sims, the device works great with my local carrier.

for your final post; From the day we got the merit on our hands the first thing we did was to flash an avail rom to it, which was rooted, then we started working on getting it flashed and root was always present, we did so many different things that we lost track of all we did :(, once we were able to flash it, it was on a stock avail rom which was not rooted, but we easily got root after following the avail root guides available online.

Feel free to ask for any other questions :)

micallan_17
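The two `cat proc/mtd` listings posted above can be compared mechanically instead of by eye. The following is an added example, not part of the thread or written by any of its participants; the function names (`parse_proc_mtd`, `diff_layouts`, `describe`) are this example's own, and the listings are copied from the posts.

```python
import re

# /proc/mtd output copied from the posts above: the Merit that is not yet
# unlocked, and the Merit converted to an Avail (which adds a "fota" entry).
MERIT_LOCKED = """\
dev: size erasesize name
mtd0: 00600000 00020000 "recovery"
mtd1: 00400000 00020000 "boot"
mtd2: 00180000 00020000 "splash"
mtd3: 00080000 00020000 "misc"
mtd4: 03980000 00020000 "cache"
mtd5: 0dc00000 00020000 "system"
mtd6: 0a280000 00020000 "userdata"
mtd7: 00100000 00020000 "oem"
mtd8: 00180000 00020000 "persist"
"""
MERIT_CONVERTED = MERIT_LOCKED + 'mtd9: 00f00000 00020000 "fota"\n'

# One row: device, size (hex bytes), erase block size (hex bytes), quoted name.
ROW = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Parse /proc/mtd text into {partition name: details}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the header row, and pasted shell prompts or echoes.
        if not line or line.startswith(("dev:", "#", "$", "cat ")):
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised /proc/mtd line: {line!r}")
        dev, size_hex, erase_hex, name = m.groups()
        size, erase = int(size_hex, 16), int(erase_hex, 16)
        # NAND partitions are whole numbers of erase blocks; anything else
        # means the paste was truncated or mangled.
        if erase == 0 or size % erase:
            raise ValueError(f"{name}: size is not a multiple of erasesize")
        table[name] = {"dev": dev, "size": size,
                       "erasesize": erase, "blocks": size // erase}
    return table


def diff_layouts(a, b):
    """Report partitions present on only one device or with a changed layout."""
    def key(p):
        return (p["dev"], p["size"], p["erasesize"])
    common = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in common if key(a[n]) != key(b[n])),
    }


def describe(name, part):
    """Human-readable size line for one partition."""
    return (f'{part["dev"]} {name}: {part["size"] / 2**20:g} MiB in '
            f'{part["blocks"]} erase blocks of {part["erasesize"] // 1024} KiB')


if __name__ == "__main__":
    locked = parse_proc_mtd(MERIT_LOCKED)
    converted = parse_proc_mtd(MERIT_CONVERTED)
    result = diff_layouts(locked, converted)
    print(result)
    for name in result["only_in_b"]:
        print(describe(name, converted[name]))
```

An identical layout only says the partitions have the same names and sizes; as noted earlier in the thread, the contents of oem, misc and persist can still differ between devices.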
 
so what service provider was it originally?

Mine is net10, not sure if other countries use net10/straighttalk.

I was just looking at these partitions, was wondering if anybody ever actually took the avail mtd/mtd8 and did a dd=if/sdcard/mtd8.img dd=of/mtd/mtd8

the other way around, I have to go back to page #3 to remember what stayboogy said exactly :P

so what if I were to do a dd=if/sdcard/mtd9.img of=/sdcard/mtd9.img ,< - your fota partition.

heh probably dreaming but that would put ftm mode out if it did work and save a headache.
 
I tried doing the dd but it never flashes anything, the merit I have is a net10 device which I had flown down to my country
 
OMG, you need a blog to take notes.

I found this, LOL

micallan_17
Posted 17 March 2013 - 05:21 PM




Am happy to report that this guide works for the ZTE Merit from Tracfone Wireless. In my findings I think me and my twin are the first to ever accomplish this, since I have not seen anything like this before. I warn it was very difficult, but we managed to flash the merit to convert it to a full AT&T Avail from the firmware up. The phone works perfectly too. Since I am not allowed to discuss unlocking here, it also unlocked the phone using the other guide somewhere around this forum.

Edited by micallan_17, 17 March 2013 - 05:22 PM.
 
There is something about this:

P020111229057903885482.exe

did you download that? it's not on the zte website anymore but it's supposed to be the FTM fix
 
no joke, the first day i got my merit over two years ago, i booted to ftm.

funny thing is that i have only been able to do it about three times since then, and only after restoring the nandroid i made of the phone without it ever booting to the system for the first time. but i can't duplicate this every time i try either.


just as well because FTM is virtually useless for this phone.


interesting about the fota partition... probably just a mount point for /cache/fota which is present on all the devices, i think. it's set up in the init.rc of the ramdisk anyway. of course i never noticed it for the first several months i had the phone though.
 
Stayboogy

Have you ever looked at the phone in qpst tools? In qpst when I do *983*87274 and select only diag, it sees the phone. I even figured out how to flash the avail flash program I have, but same thing... DL mode

If FTM is useless what about unlocking?

Can it be unlocked. I found a zte tool, did *983*87274 and it found it. Even though it has a avail root ROM still sees it as z990g.

Everything I try to flash the avail armprg.bin etc wants download mode.

I was looking at the radio settings and see a button for OEM but it's disabled. I wanted to see if I could open that OEM partition and see what that was.

I don't have a fota partition.

That's why I mentioned blogging, taking notes. In college our professors were always preaching about note taking, now I know why.

Going through forums and looking for a post about something you successfully did 3 weeks ago can be so time consuming. Let's not forget those times the dog crapped on our paper notes and awe s**t I formatted my HD since that one rom media fire deleted.
 
i suppose it would be helpful for unlocking the carrier lock, but, then again, why try to use such a low level device on another carrier in the first place...

that's my thoughts anyway.

qpst tool has never done anything for me. i heard the explorer included in the tool will allow browsing of the other partitions, but it's never once seen the phone in my experience. but, i've never really spent much time with it either.

i have this extra phone i bought a week ago, and i'd like to disassemble it and figure out how to dump the whole contents of the nand into a readable format. this is above my pay grade however lol
 
My bfs phone is a $20 Samsung Verizon so it would be an upgrade for him.

Ya, qpst lets you see the partitions using an explorer. The *983* 87284 then only diag does it.

As for FTM I think it's a time thing, doing it at the exact moment, maybe letting go after so many seconds or hitting the right combination after powering on.

I wanted to remove the first three splash at boot to see if I could view the boot info. Kind of like hitting escape to get to bios on a PC at the right moment.

Maybe I'll try that tomorrow.
 
there's only one splash screen.

the second is the boot.img logo.

there isn't a third.

this is what you want

adb wait-for-device && adb shell dmesg
 
Man, just my luck, while playing around with wanting to get into FTM mode, I downloaded the Net10 stock merit, formatted my boot and recovery then flashed the Net10 stock merit recovery.img via fastboot. Still did not get FTM mode, but during the process formatted my SD card and just my luck, my card reader died.

Now I'm stuck in unrooted until my new card reader comes in the mail (live way way out and what you have to pay at CVS for a card reader is not worth the $10 in gas).

Unless there is a hack to format my phone with a combination of keys or enable usb storage, I can't try this until my reader comes in the mail.

Will try though and report with the outcome, thanks :)

I don't think you can change this flag by editing it.

adb wait-for-device && adb shell dmesg > dmesg.txt

<6>[01-01 00:00:00.000000] [0: swapper]Initializing cgroup subsys cpu
<5>[01-01 00:00:00.000000] [0: swapper]Linux version 2.6.35.7-perf+ (carl@desktop) (gcc version 4.4.3 (GCC) ) #5 PREEMPT Fri $
<4>[01-01 00:00:00.000000] [0: swapper]CPU: ARMv6-compatible processor [4117b365] revision 5 (ARMv6TEJ), cr=00c5387f
<4>[01-01 00:00:00.000000] [0: swapper]CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
<4>[01-01 00:00:00.000000] [0: swapper]Machine: roamer
<6>[01-01 00:00:00.000000] [0: swapper][ZYF@FTM]parse_tag_zteftm: zte FTM disable !


Then down a bit it shows:

<4>[01-01 00:00:00.670000] [1: swapper]usb: config_ftm_from_tag, 323
<4>[01-01 00:00:00.670000] [1: swapper]usb: config_ftm_from_tag, 331: ftm_mode disable
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 usb_mass_storage
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 diag
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 modem
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 nmea
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 at

Below the FTM Disabled, where it says diag you can see those functions by dialing *983*87274 and press all functions. Makes me wonder if enabling FTM has something to do with those *983* functions.

As for changing the value of zte_ftm_flag, unless the screen showed FTM, it is going to be 0 I think.

If you could set it to 1 and make it stick then you might have a problem getting out of FTM mode because now it would be stuck on a value greater than 0?

But if you pressed the right combination of buttons at the right moment or found the correct setting in those *983* codes, then it might be greater than 0 at FTM but reset back to 0 at reboot.
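The dmesg lines quoted in the post above can be pulled out of a saved `dmesg.txt` with a short parser. This is an added example, not part of the thread; the function names are this example's own, the sample lines are copied from the post, and the entry format it assumes (`<level>[timestamp] [cpu: task]message`) is the one those lines show.

```python
import re

# Lines copied from the dmesg output quoted in the post above; the plain-text
# line in the middle is not a log entry and is skipped by the parser.
DMESG_SAMPLE = r"""
<6>[01-01 00:00:00.000000] [0: swapper]Initializing cgroup subsys cpu
<4>[01-01 00:00:00.000000] [0: swapper]Machine: roamer
<6>[01-01 00:00:00.000000] [0: swapper][ZYF@FTM]parse_tag_zteftm: zte FTM disable !
Then down a bit it shows:
<4>[01-01 00:00:00.670000] [1: swapper]usb: config_ftm_from_tag, 323
<4>[01-01 00:00:00.670000] [1: swapper]usb: config_ftm_from_tag, 331: ftm_mode disable
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 usb_mass_storage
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 diag
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 modem
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 nmea
<3>[01-01 00:00:00.670000] [1: swapper]register_android_function 944 at
"""

# <level>[timestamp] [cpu: task]message
ENTRY = re.compile(r'^<(\d)>\[([^\]]+)\]\s+\[(\d+):\s*([^\]]+)\](.*)$')

MACHINE = re.compile(r'^Machine: (\S+)')
FTM_TAG = re.compile(r'parse_tag_zteftm: zte FTM (\w+)')
USB_FTM = re.compile(r'config_ftm_from_tag, \d+: ftm_mode (\w+)')
USB_FUNC = re.compile(r'register_android_function \d+ (\S+)')


def parse_dmesg(text):
    """Return one dict per recognised log entry, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m is None:
            continue  # blank line or text that is not a kernel log entry
        level, stamp, cpu, task, msg = m.groups()
        entries.append({"level": int(level), "time": stamp,
                        "cpu": int(cpu), "task": task.strip(), "msg": msg})
    return entries


def summarise_ftm(entries):
    """Collect what the boot log says about FTM and the USB functions."""
    summary = {"machine": None, "ftm_tag": None,
               "usb_ftm_mode": None, "usb_functions": []}
    for e in entries:
        msg = e["msg"]
        if (m := MACHINE.search(msg)):
            summary["machine"] = m.group(1)
        if (m := FTM_TAG.search(msg)):
            summary["ftm_tag"] = m.group(1)
        if (m := USB_FTM.search(msg)):
            summary["usb_ftm_mode"] = m.group(1)
        if (m := USB_FUNC.search(msg)):
            summary["usb_functions"].append(m.group(1))
    return summary


if __name__ == "__main__":
    print(summarise_ftm(parse_dmesg(DMESG_SAMPLE)))
```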
 
micallan_17

I have some good news and I have some bad news.

The good news is, I have an idea how you actually got FTM mode to work. When you used the unlocker program, you changed the NVRAM by flashing one of theirs, either the armprg.bin, armprgZTE.bin or the channel1.nvm. Which one you used is the question. Now I think the reason this worked is because before you rebooted, in one post you mentioned removing the battery and then replacing it.

When you boot all the way back to the phone, your nvram settings change back to default. When I tried flashing one of the ones provided, it somewhat worked. Noticed a lag while programs loaded, more so than when just restarting the phone. This is because the NVRAM was going back to the defaults and the IMEI was correcting itself.

Now to get FTM to stick, you need to flash a working .nvm with a working FTM mode then press the correct combination of keys. If I could get my hands on one of the ZTE phones that has a working FTM mode and duplicate that, it just might be fixable

The FTM is written in the nvram, here is how:
ftmnvram.PNG


As mentioned about setting the Flag from 0 to 1, well this is where you have to do it, the flag will be greater than zero, only when in FTM mode. I need the actual correct hex code, you can change that value, I tried it but when I pulled the zte_ftm_flag file it still says 0, that is because I'm not in FTM mode. If you were to pull the file while in FTM mode then it would probably be a different value.

The bad news, I do not know what the hex value is, aside from the avail and z990g, they are written incorrectly obviously. What I would need is the value from another like phone, maybe the gen2 or v880. You can change the hex value using this tool, it's just knowing what the hex value is.
 
Actually, let me rephrase.

On the phone you converted, can you get to FTM?

I'm thinking that what you did is because your touchscreen was broken, you were pulling the battery to reboot your phone.

During normal shutdown and startup the nvram resets to default, you may have restored a channel1.nvm from a different phone, pulled your battery, put it back in and got FTM mode. The t-flash update was just a coincidence, probably had nothing to do with anything else.

I'm trying these channel1.nvm that came with the flasher files but they don't seem to be working, maybe because they are for the concord and gen2?

Anyways, something you could try is:

1. backup your nvram from the avail convert
2. unplug it from the usb
3. on the merit phone dial *983*87274 and select only diag. make sure USB debugging is off
4. plug that into the usb
5. navigate to where the files are from the image extract
6. get the com port
7. restore nvram
8. pull the battery
9. put it back in and try to get FTM mode
 
i'm curious what you mean by gen2, because the avail / merit are already generation 2 zte devices (meaning gen 2 bootloader)...
 
Are they now? I have flasher files for the gen2 along with a channel1.nvm that the IMEI was removed from. Wonder what would happen if i installed that boot and recovery, hmmm.

These flasher files, the one for the v880 and one called gen2 both have a channel1 rar included, inside is just called channel1 when you add the extension .nvm it lets you restore in the flasher program. I can successfully in diag mode, backup my nvram and restore it. I keep trying to flash the generic v880 channel1.nvm, this is what m_7 uploaded, was originally on madaco.

As for the v880, I don't actually have those recovery and .mdn files but have a file that extracted the t-avail image in .mdn along with the boot, recovery etc... Also, when you extract the v880 unlocker rar, there is a rar file with a channel1 in it. When you rename it channel1.nvm it actually lets you restore it.

My bad, the gen2 is for the blade, what would happen if I flashed those?
 