I did a lot of research and found this document:
https://www.google.com/url?sa=t&rct...=pkNkluLoc8FfIfXRK3K57g&bvm=bv.75097201,d.aWw
When I mentioned about the soc being higher then zero while in FTM mode was correct, quoted from attached file:
- If the FTM NV flag NV_FTM_MODE_I, is inactive (0) and RF Cal NV is valid, then the FTM NV flag remains inactive and the mobile powers up to normal AMSS operating mode.
- If the FTM NV flag NV_FTM_MODE_I, is inactive (0) and RF Cal NV is invalid, then the FTM NV flag will be set to FTM_MODE and the mobile goes to FTM mode.
There is more there if you want to read it. If you look at those files that the TPT extract tool extracts from that T-AVAIL update, you will notice a file called amss.mbn and ammshdbl.mdn. These are what sets the FTM flag when the correct combination of keys are pressed.
Also, FTM mode happens somewhere between the NVRAM and just before boot. I ran that adb wait command that stayboogy posted and while in CWM recovery, noticed that it did not say FTM flag disabled. So the flag has to be activated before it hits boot.
Compared your .qcn with my .qcn, they are identical, both hex codes are identical down to the 00.
Did a hex to text convert and the RF cal actually converts to 4.0.33 down arrow, hysterical.
If you can figure out a way to flash the amss.mbn files from the t-avail update, you should get FTM mode. The reason this doesn't work on the newer phones, where it probably did at one point in time on older models, is when the merit first came out, the image.bin was apparently unlocking phones. That is why it doesn't really work on the newer merits all the most of the time.
Stayboogy mentioned getting to FTM mode but couldn't duplicate it, probably because he got lucky doing the t-avail update flash. Not sure if he did it on one phone but not another, he may have never even realized he inadvertently unlocked his merit to an avail by performing the tcard flash. FOr those phones he did format, that flasher program will probably fix those phones that he successfully flashed the update with, if he can get into FTM. If he does get into FTM on those phones, he probably converted it to an avail or it was already an avail. That is how he can unbrick his formated nand flash phones.
I did try a few things and created new image.bin files from something I read on madaco, that all you need are these four files to flash.
- If the rom overwrites the part of the phone responsible for TPT and this part of the rom is corrupt. Be extra careful when flashing a rom containing the following files: oemsbl.mbn, amss.mbn and qcsbl.mbn (delete those). The following four are required for a TPT flash: appsboot.mbn appsboothd.mbn partition.mbn & partition_zte.mbn.
- There is no recovery if the TPT part of the phone is damaged. Otherwise TPT is able to recover the phone by flashing a rom that contains all partitions that need to be recovered.
Well I tried that and it actually was successful, yet, it would not let me get into dfu mode, so I reflashed with just the .mdn files and removed all the rom files, recovery, boot, system, etc...
Because of a bad recovery flash and not being able to remove the boot, i'm stuck in dfu mode. If I could remove the boot, could easily fix the recovery in fastboot mode, but the freaken thing is stuck on the at&t logo, can't figure out how to remove the boot since my recovery is screwed up.
.