i've try back to 050 but still same
last night i found your post on 4pda with modemst.zip than i try to flash it
i've flash m070 again, surprise, superuser, modemst and baseband 470 and now all problem solved
thank you so much doctoror
-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
[ROM] [Stock] C811 M070 firmware ZIP file (4.1.2)
- Thread starter ad_rai
- Start date
i've try back to 050 but still same
last night i found your post on 4pda with modemst.zip than i try to flash it
i've flash m070 again, surprise, superuser, modemst and baseband 470 and now all problem solved
thank you so much doctoror
Weird. Anyway it's great to hear your problem solved. Thanks for sharing what you've tried.i've try back to 050 but still same
last night i found your post on 4pda with modemst.zip than i try to flash it
i've flash m070 again, surprise, superuser, modemst and baseband 470 and now all problem solved
thank you so much doctoror
Last edited:
yup it's a little bit annoying
i try to flash baseband 050 with 070 but the problem come again, so i used 470 with 070 and without camera issue
Installing modemst from CA-201L was not the best fix. The modemst storage parts should be cleared instead.
The procedure is now implemented in all of my baseband packages. So, in order to achieve the same result, install this baseband after the ROM in OP.
Note: that the fix may be already implemented in OP ROM , I don't remember.
Note: this baseband in link above is only valid for M070 system.
Sounds very strange, since if you flashed back to M050 it should have worked if the M070 was the reason.
Maybe it's a coincidence and you should have lost the signal in your location anyway? Or maybe it's your mobile network ISP problem?
Unfortunately I' not sure I can help you out with this one.
BTW I use this ROM and 3G is working for me, but I have the problem with mobile data sometimes not being enabled until I toggle Airplane Mode after turning "mobile data" on.
yahyazadeh58
Newbie
Do you know how the problem of USSD language in chinese languagge can be solved. it mad me crazy. I did a lot, but it had not any result so far.
Unfortunately I don't, and I don't know anyone who knows if and how can we do this.
dung199551
Lurker
anyone has full image from a fresh/live casio g'zone c811/ca201l? my phone is hard bricking because i flash zip rom via emmc dl tool( it not work because missing program0.xml file then my phone has bricked), now when i connect phone to pc, detect hs-usb9008, i backup a image from emmc raw tool ( like photo) and i had messed it up after that( format mmc disk, creat new partition, write another image with winhex).when i use emmc raw tool to rewrite my backup image and mmc disk get back like before i messed it up! i think this way can give the life back to my phone, but i dont have a image from a fresh/live phone. anyone has it can upload in this thread,pls!
space_cat
Well-Known Member
I can't help you with a perfect image, but maybe something here will help:
https://drive.google.com/folderview?id=0B8WMeyaGRgqaVVplWURHWjRlQlk&usp=sharing
dung199551
Lurker
anyone can help me get a full image,pls? this is guide
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
The size of the “backup.img” is around 16 GB, However, if you compressed it, it would be around 2 GB.
- Format your external MicroSD card, and the size of this SD card should be morethan 16 GB , which is the size of the whole partition.
- Do a full factory reset, meaning wipe your cache, data, and internal storage using either CWM, TWRP, or PhillzTouch.
- Insert the SD card to your phone and connect your mobile with ADB, type:
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
The size of the “backup.img” is around 16 GB, However, if you compressed it, it would be around 2 GB.
dung199551
Lurker
thankyou
Last edited:
Sorry, link is dead.
Please tell how modem FW could affect camera drivers/settings? Modem FW partition (FAT32) contains code and some common data (i.e. excluding ModemST/NVRAM unique modem calibration data) exclusively for Hexagon command set based modem RF controller part of SoC. Camera drivers stored somewhere in system partition witten for the main ARM application processor of the SoC. Drivers just communicate with hardware camera controller (integrated with camera sensor) and establish API interface for Camera related apps. These parts are not crossed in common.
Why did you removed links to ModemSTx images? There are people around who could explore and test some techs. ModemST are most probably strongly encrypted, however they could contain some parts that are not accessible through standard NVRAM access intefaces/API's. I don't have device to explore. In most cases NVRAM store unique RF calibration settings and IMEI's, MAC's and other ID's as it made in Qualcomm reference designs. However, some idiot makers can customize their loaders/FW to store some data in other places, like in some Samsung models which store NVRAM in separate Ext? EFS partition.
It would be nice if people will publish .qcn backups from QPST -> Software download -> Backup, corresponding to particular ModemSTx images. Everyone could be able to backup/restore whole NVRAM and it's parts, valuable on his opinion.
It would be much better for all people around the wotld (except some bastards in "Verizon & co") if we will explore and make it clear how to reflash/recover/fix/change/etc this device and every byte of it for every country and every man who bought this "unsupported" bullshit.
It seems IMEI's and other ID's are stored in some other place in this device as ModemST erasing doesn't lead to the IMEI loss (null at *#o6#) and network registration failure. However, in common, NVRAM stores RF calibration data, which can not be recovered unless you can test and calibrate device on the professional calibration stand. This one is, most probably, accessible only in a factory environment so it would always be better to be on the safe side and backup NVRAM as ModemSTx images and .qcn QPST backups before any experiments. ID's storage location should also be discovered to be able to fix any broken devices and revert back their original ID's. Furthermore, even ID changing is NOT some kind denied in most countries. UK is just a small part of the Earth.
Definitely, UK laws absolutely shouldn't prevent ppl to fix their devices around the World in any case. One more time, let people decide which method they would like to use (which one help them better) to resolve their problems. I'll publish ModemST images as soon as I will get various ones.
This "special" baseband is now covered by the "Encryption Key". It seems like Mega, being a "secure" cloud, can't get access to the private personal data of their valuable users. Never heard something more laughful.
Read Snowden related articles, guys. All the "clouds" do steal every byte you store there and share it with agencies around the World (not only law enforcement and last ones might act not only to enforce laws). Furthermore, they sell any data and secrets to everyone, who can pay enough. They're not interested in $2000 you have hidden under your pillow for the next vacation. Only "serious" wholesale corporate buyers with reputation are welcomed. Information has always been a valuable good. The more info you can access and proceed, the more powerful you will be. Now it's accessible for every bastard around the world, should he have enough money.
Doctoror, please share the Decryption key unless this FW is the same as one accessible on the Google's cloud.
Thank you!Folder is empty! Have some one erased all the secret infos?
This link is only a half the year old. "ZOG" reacts very quickly nowadays. )) Almost all the links are dead...It was a surprise for me too. It was long time ago, but as far as I remember users have reported that the camera did not work when they flashed 470 baseband on M040 / M050 / M070.
It seems like the software writes something to modemst, something that is incompatible between Korean and US versions, probably due format or encryption changes. So as soon as I found out that clearing fixes boot issue, I decided that it was better to remove the dirty fix that was copying some caches or whatever the data really was.
Unfortunately I've deleted that file since then. I really doubt that someone would decrypt it and make use of it.
Here's a link to baseband M070.This "special" baseband is now covered by the "Encryption Key". It seems like Mega, being a "secure" cloud, can't get access to the private personal data of their valuable users. Never heard something more laughful.
Doctoror, please share the Decryption key unless this FW is the same as one accessible on the Google's cloud.
I noticed that the server hosting that files are dead just some weeks ago... and the original NEC Casio EUT server, which is the source of these files, are shut down long ago. Yes, I can write about how to decode these EUT files as the phone is discontinued and NEC Casio is not active on the market anymore if there is interest.
Here is the link to full firmware:
https://mega.nz/#!8NVV1bhB
Thank you!
I can't imagine what in modem FW could lead camera to failure.
There could be the problems when you flash Main FW from the one device and Modem FW from another This is predicable because there could be differences in Android<->ModemFW API's.
What is ModemST
ModemST1 and ModemST2 are the two partitions that hold Qualcomm EFS - proprietary encrypted data scructure, containing NVRAM and (may be) some other proprietary data.
There is also FSG partition (abbreviated File System Gold) which should contain clear factory image of EFS (backup). However this partition often doesn't used to recreate damaged EFS structures.
Some facts about EFS (mostly called NVRAM because NVRAM is main and only part stored on the EFS):
Please not confuse Qualcomm EFS with other EFS called techs, like Windows EFS, other EFS types in Android phones, like Samsung's one. The only common here is the abbreviated name.
EFS always contains NVRAM, however some customized FW can store NVRAM in other places. E.g. some Samsung Galaxy series store NVRAM in the separate database, located on the standard ext4 partition, mounted to the Android.
EFS always contains only the data, no code there.
EFS is always encrypted, however there could be some very rare customized modem FW's that does NOT encrypt EFS.
I have never heard the one have decrypted EFS. I would like to decrypt but don't know how. Too much labour/time req'd to explore.
EFS encryption is customized in every device and often changes when global FW updates ocure (like Android version change). This could lead to FW incompatibility and disability to flash back to the previous FW. Another limitation of such a downgrades related to the partition shifts. Some partitions could be resized upon FW upgrade so to downgrade you should resize them back. I've noticed C811_M070_baseband.zip has rare 100MB modem partition images, however another images are more 'generic' 64Mb sized. Real data size inside is about 40MB (It's standard FAT32 image).
Some devices use device specific encryption keys (hardware keys), so the ported ModemSTx paritions will not decrypt on the identical device, and this will lead to the modem failure and connectivity absence. It seems Casio didn't used such keys.
In most cases NVRAM stores IMEI(s), MAC's (later referred as I and M to avoid relevancy checks) and other ID's (excluding Android ID). However some custom designs store ID's in other places. It seems Casio use encrypted EFS to store NVRAM but I can't realize why didn't anyone notices IMEI loss after ModemSTx erasure. It seems Casio store ID'd somewhere else. I've no device to explore.
NVRAM store RF calibration variables. NVRAM loss should lead to loss of the calibration settings.
To calibrate device back you should have rare RF calibration equipment also suitable to write setting to the particular device's NVRAM. The only place where this equipment could be found is Casio's original assembly facility.
However, in case of the NVRAM/EFS damage/loss, modem FW will reinitialize NVRAM with default values. Some FW have enough values to fully init NVRAM and bring the 'default' connectivity back. Some (may be) could be reinited by the FSG data. Some will require to write some NVRAM backup that will allow modem FW to start correctly. I never heard some Qualcomm based device have had valuable connectivity loss due to the calibration issues. You can always clone NVRAM from the identical device and it will back the 'normal' connectivity. But no warranties, as usually.
Full NVRAM database / files backup can be made with QPST .
QPST nor Android/apps don't work with NVRAM directly. They work with the ModemFW and ModemFW is the only code which manage NVRAM and EFS itself.
QPST works with the Modem FW via diagnostics COM port using Qualcomm proprietary binary protocol. Android works with ModemFW via the more standard RIL API.
Use QPST-> Software Download -> Backup to be on the safe side. Other QPST related tools can miss some NVRAM parts! Old and outdated RF_NV_ITEM_Manager, able to edit NVRAM directly on the devices often damage NVRAM on the modern devices. Backup procedure will create .qcn file with all the valuable NVRAM contents in the binary UNencrypted form (or XML-encoded binary). You can use QCNView util (QPST bundled) to edit ITEM's and files and export/import ITEM's to the text files. Most ITEM's contain binary values, so you should know what this ITEM can and should hold to fix or change some parameters. There are thousands of ITEMs in the NVRAM. Very complicated to explore and understand all, especially w/o docs.
You can Restore .qcn backup to the another (identical, sometimes similar) device even though ModemST encryption keys may differ, so the whole ModemSTx partitions exchange would be impossible. In most cases you should patch I's/M's before flashing .qcn to the another deivce to obey the I designation rules and warranty conditions. Notr that empty (null) and All-zeros I's are not accepted by most provider's cell's as acceptable, so the connectivity will not be possible unless you flash in some acceptable I's. Interesting fact, most providers in Russia accept 'Chinese' I's like 123456789012345 independently of the fact that millions of devices in the world have this (or similar) I and this I doesn't pass Luna algorithm check, required by the GSM standard.
I changing (not fixing) is a crime only in the UK. Some countries deny I changes with no/small penalties. In most countries (incl Russia) nobody cares which I you have. Furthermore.,nowadays, tracking of the citizens (domestic of intl.) is not I based, to be correct, it is not I-only based. There are much more powerful on-the-fly tracking techs available to the modern agencies. That's why they don't care.
If you're really wanted, you can't escape unless you will simply drop all the phones and CC's and will not get another ones. Also you, most probably, should never contact anyone who you have ever contacted online/offilne before. Trust me. Matrix never sleeps. In most cases NCK and other lock's data also stored in NVRAM. Data can be plain binary flags/codes or encrypted in some encoded blocks. Deleting the whole block in most cases will lock the device. and you should write some encrypted block with 'unlocked flag inside' to unlock device. Many devices do NOT store NCK data in NVRAM. Once I saw NCK data was stored in the secret part of EFS, but not in the NVRAM itself nor in the standard file system, replicable by the QPST. Separate partitions with proprietary data structures can be used to store locks.
Some particular ModemST images still available with corresponding ModemFW in this post
http://androidforums.com/threads/rom-stock-jelly-bean-4-1-2-m040.803260/page-8#post-6753655
Read description there at first!
Link: https://app.box.com/s/zuxfb9jupkwka4sq1cmf
You can flash that FW and ModemST, then reboot and make NVRAM backup by QPST to the . qcn file.
The flash back your preferred modem FW (reboot) and try to restore .QCN. This should import settings and avoid you ModemST encryption problems. But this does not warrant you problem solvation.
also, most probably you can find in NVRAM and edit settings related to the LTE channels support and add or remove some preferred there.
Sorry guys, wanna sleep...
There could be another valuable proprietary partitions.
You should always look the way to get full flash of the working device (and way to restore) to be on the safe side. Casio allows to get full flash using QHSUSB_DLOAD 9006 mode (eMMC is mapped to PC as Mass Storage Device, discussed here widely). This mode provided by the SBL so it will not be available in case of partition damage or SBL level loader failure. To restore bricked device use QPST eMMC Tool and Casio C811 loaders published here nu nugiedha: http://androidforums.com/threads/casio-c811-soft-brick-possible-fix.967172/
You can read instructions and discussion (in Russian) in the 4pda.ru Casio C!-201L topic.
http://4pda.ru/forum/index.php?showtopic=497930&view=findpost&p=50105534
Thank you ad_rai, but
If you can't realize what's problem try lo logout of mega, or better try to get link from another browser/profile to be clear. It's not your omission. For a last year Mega trying to "monetize" users.Mega.nz said:
You can notice it will not allow to get big files w/o reg at all. When you reg it will start to DL, but connection 'unfortunately' may broke at any moment. Once I've lost a few hours trying to get 400MB FW. They lead you to pay for premium services, may be to get some apps. FTA.
The only adequate way is to use jDownloader (this one is also >100MB monster) which foolish Mega's complicated flash boolshit and get [free] files w/o problems.
Best way is to use another clouds for sharing. GD seems to work satifiable (don't store private files there). MediaFire is one more reliable intl service. Some Russian clouds like Yandex Disk or Cloud.mail.ru is also recommended for speed, simplicity and reliability, however they have Russian UI and it's problem for the intl users.
Baidu is great one, w/ 2TB free space, but it requires reg (in practice) and it's impossible to reg w/o mobile/SMS, then big problem to get SMS back to the foreign numbers (relatively to Chinese).
Ouch! Thank you very much! This one is accessible!
New getting to explore
Unfortunately jDownloader can't get links (sure Mega have updated 'security')
Web download fails as usually
Get with official MegaSync client and account, no other options seems to be available.
Update:
I also assume this is the full of the official Casio G'zOne Commando C811 Firmware M070 sold form the North American market and contain corresponding Modem FW with North American LTE bands.
Please correct me if its incorrect, add any valuable describing info if available.
Got file, going to explore.
New getting to explore
Unfortunately jDownloader can't get links (sure Mega have updated 'security')
Web download fails as usually
Get with official MegaSync client and account, no other options seems to be available.
Update:
I also assume this is the full of the official Casio G'zOne Commando C811 Firmware M070 sold form the North American market and contain corresponding Modem FW with North American LTE bands.
Please correct me if its incorrect, add any valuable describing info if available.
Got file, going to explore.
Last edited:
Ouch!
It seems to be not the full bot some kind of factory firmware containing all/most of the partitions and GPT block in separate files. ModemFW and ModemSTx parition images are not included for some reason.
Full flash image consists of all the internal flash sectors of the flash device as they laid down to the real flash chip in the device. In this context we.re talking about a full image of the USER_PART hardware partition of the internal device eMMC. There is also BOOTx_PART _HardWare_ partition containing PBL. PBL is almost impossible to damage and PBL dumping/flashing is complicated thing which we don't know how to do. PBL flashing is most probably actual only in case of eMMC/eMCP IC replacing. So we are talking about of full of the USER _HardWaRe_ partition, which contains rest of the data stored in the device.
Anyway this is very valuable.
Theory:
To flash this FW to the broken phone with GPT recovered by the loader above, we should, being in eMMC access mode (QHDISD_DLOAD 9006), write full GPT image (provided) to the beginning of the eMMC (sectors 0-34), then flash partition images to the partitions described by this written GPT.
You should use some kind of the sector leve editing software (e.g. DMDE). WinHex is also possible to use, but it will most probably not understand eMMC partition structures.
GPT backup stored somewhere in the end of the eMMC (last sectors or close, look for GPT partitioning standards). It's optional but better to write it later.
You can use FastBoot mode (if available in this model) to write the rest of partition images in the simple command line interface as soon as correct full GPT is recovered and loaders all the secondary loaders are loading correctly (SBLx, RPM, TZ.
Practice:
I see very strange GPT images. They do NOT contain partition names as I've expected.
I don't see any GPT related signatures inside not DMDE see them.
May be files are some kind encoded/encrypted or damaged.
You can look for the correct GPT in the MSImage file in the loader archive (see link above)
But, that GPT is only filled with partitions of the SBL related loaders. The rest of the partitions are not described there. That's problem.
What tool have you used to flash this FW? Especially GPT related. Where this FW came from?
It seems to be not the full bot some kind of factory firmware containing all/most of the partitions and GPT block in separate files. ModemFW and ModemSTx parition images are not included for some reason.
Full flash image consists of all the internal flash sectors of the flash device as they laid down to the real flash chip in the device. In this context we.re talking about a full image of the USER_PART hardware partition of the internal device eMMC. There is also BOOTx_PART _HardWare_ partition containing PBL. PBL is almost impossible to damage and PBL dumping/flashing is complicated thing which we don't know how to do. PBL flashing is most probably actual only in case of eMMC/eMCP IC replacing. So we are talking about of full of the USER _HardWaRe_ partition, which contains rest of the data stored in the device.
Anyway this is very valuable.
Theory:
To flash this FW to the broken phone with GPT recovered by the loader above, we should, being in eMMC access mode (QHDISD_DLOAD 9006), write full GPT image (provided) to the beginning of the eMMC (sectors 0-34), then flash partition images to the partitions described by this written GPT.
You should use some kind of the sector leve editing software (e.g. DMDE). WinHex is also possible to use, but it will most probably not understand eMMC partition structures.
GPT backup stored somewhere in the end of the eMMC (last sectors or close, look for GPT partitioning standards). It's optional but better to write it later.
You can use FastBoot mode (if available in this model) to write the rest of partition images in the simple command line interface as soon as correct full GPT is recovered and loaders all the secondary loaders are loading correctly (SBLx, RPM, TZ.
Practice:
I see very strange GPT images. They do NOT contain partition names as I've expected.
I don't see any GPT related signatures inside not DMDE see them.
May be files are some kind encoded/encrypted or damaged.
You can look for the correct GPT in the MSImage file in the loader archive (see link above)
But, that GPT is only filled with partitions of the SBL related loaders. The rest of the partitions are not described there. That's problem.
What tool have you used to flash this FW? Especially GPT related. Where this FW came from?
Update:
I also assume this is the full of the official Casio G'zOne Commando C811 Firmware M070 sold form the North American market and contain corresponding Modem FW with North American LTE bands.
Please correct me if its incorrect, add any valuable describing info if available.
Got file, going to explore.
These files came from http://ncmc-eut.necam.com/ server when it was alive, which is not available anymore. On C811 image there is an EUT tool to reflash firmware, I extracted URLs and methods to access that server and fetched the file. So the modem image here is designed to have US 700MHz band (forgot the exact number).
Although the original file extension is ".mbn", it is XOR encrypted and uses some custom header structure. I will post the raw files and header decoder soon.
Do not complain me about modemst and other missing contents, as they were not there from the first place. I used CWM recovery to flash these to my CA-201L and never bricked my phone beyond recovery failure.
Moreover, I don't have access to my CA-201L right now so no further experiments are possible at the moment.