Special thanks to dream team for their nice solution;
This one done too though little hard.

-- Security Bypass------------------------------------------------------------
User selected phone W880 using Test Point boot mode
Stage 1 started
1) Turn OFF the phone.
2) Connect the phone to DreamBox cable.
Boot Responce = 5A
Processor ID = 99000301FFFFFFFF (DB2020 / DB2030)
NOR Flash ID = 897E
OTP Status = LOCKED
OTP IMEI = 357774-01-836595-6
OTP CID = 51
EROM Color = 4 : RED
EROM CID = 52
Hint : Now the probe might be disconnected
Processing ...
Error : Failed.

--- Security Bypass------------------------------------------------------------
User selected phone W880 using Test Point boot mode
Stage 1 started
1) Turn OFF the phone.
2) Connect the phone to DreamBox cable.
Boot Responce = 5A
Processor ID = 99000301FFFFFFFF (DB2020 / DB2030)
NOR Flash ID = 897E
OTP Status = LOCKED
OTP IMEI = 357774-01-836595-6
OTP CID = 51
EROM Color = 4 : RED
EROM CID = 52
Hint : Now the probe might be disconnected
Processing ...
Stage 1 completed succesfully
Stage 2 start
Timeout detected
Error : Failed.

--- Security Bypass------------------------------------------------------------
User selected phone W880 using Test Point boot mode
1) Turn OFF the phone.
2) Connect the phone to DreamBox cable.
Boot Responce = 5A
Processor ID = 99000301FFFFFFFF (DB2020 / DB2030)
NOR Flash ID = 897E
OTP Status = LOCKED
OTP IMEI = 357774-01-836595-6
OTP CID = 51
EROM Color = 4 : RED
EROM CID = 52
Stage 2 start
Hint : Now the probe might be disconnected
Processing...
Entering Security Bypass mode ...
1) Turn OFF the phone.
2) Connect the phone to DreamBox cable.
Boot Responce = 5A
Processor ID = 99000301FFFFFFFF (DB2020 / DB2030)
Sending Application ...
NOR Flash ID = 897E
OTP Status = LOCKED
OTP IMEI = 357774-01-836595-6
OTP CID = 51
EROM Color = 4 : RED
EROM CID = 52
Baseband Chip ID = 9900
Phone ID = 23808E7515303FCC
Finalizing ...
Stage 2 completed succesfully
Done.

--- Unlock and Repair----------------------------------------------------------
User selected phone W880 using Security Bypass boot mode
1) Turn OFF the phone.
2) Connect the phone to DreamBox cable.
Boot Responce = 5A
Processor ID = 99000301FFFFFFFF (DB2020 / DB2030)
Sending Application ...
NOR Flash ID = 897E
OTP Status = LOCKED
OTP IMEI = 357774-01-836595-6
OTP CID = 51
EROM Color = 4 : RED
EROM CID = 52
Baseband Chip ID = 9900
Phone ID = 23808E7515303FCC
Reading GDFS...
Testing security ...
GDFS 0013 Hash OK
GDFS 0006 Hash OK
GDFS 000E Hash OK
GDFS 001C Hash OK
Unlocking ...
Testing security ...
GDFS 0013 Hash OK
GDFS 0006 Hash OK
GDFS 000E Hash OK
GDFS 001C Hash OK
Generating GDFS...
Writing GDFS...
Done.

I'm still astonished on one thing,look at the log below.It's identification from this phone after repair process by dreambox tried on usb:

SERVER SUPPORT ENABLED.
ChipID:9900,EMP protocol:0301
erom_readvar: error reading unit 1/851
error while reading security units
SECURITY UNITS CAN'T BE READ !
DAMAGED FIRMWARE/GDFS OR EMPTY PHONE
Can't load ID loader !
Elapsed: 10 secs.


And this is identification on com port:

SERVER SUPPORT ENABLED.
Open COM port OK
ChipID:9900,EMP protocol:0301
Speed:921600
Flash ID check:897E
Flash props sent ok
OTP LOCKED:1 CID:51 PAF:1 IMEI:35777401836595 CERT:N/A
FLASH CID:52 COLOR:RED

Model:W880i
Brand:Generic
MAPP CXC article: R6BC002 prgCXC1250646_CHINA_AI
MAPP CXC version: R6BC002
Language Package:M_EAST_N_AFR
CDA article: CDA12345678/123
CDA version: R2A
Default article: cxc1250651
Default version: R6BC002
PROVIDER: 000-00
SIMLOCKS NOT DETECTED

RESTORATION FILE NOT PRESENT
"R6BC002_CXC1250646_CHINA_AI"
YOU MUST PERFORM FULL FLASHING FOR PATCH UNLOCK

Elapsed: 6 secs.


All things ok but want to know why setool no more identifies the phone on USB? :confused::confused:

Ask the setool supporters.

special tnx to meisam for repairing thise fhone
maleki;)

I'm still astonished on one thing,look at the log below.It's identification from this phone after repair process by dreambox tried on usb:

SERVER SUPPORT ENABLED.
ChipID:9900,EMP protocol:0301
erom_readvar: error reading unit 1/851
error while reading security units
SECURITY UNITS CAN'T BE READ !
DAMAGED FIRMWARE/GDFS OR EMPTY PHONE
Can't load ID loader !
Elapsed: 10 secs.


And this is identification on com port:

SERVER SUPPORT ENABLED.
Open COM port OK
ChipID:9900,EMP protocol:0301
Speed:921600
Flash ID check:897E
Flash props sent ok
OTP LOCKED:1 CID:51 PAF:1 IMEI:35777401836595 CERT:N/A
FLASH CID:52 COLOR:RED

Model:W880i
Brand:Generic
MAPP CXC article: R6BC002 prgCXC1250646_CHINA_AI
MAPP CXC version: R6BC002
Language Package:M_EAST_N_AFR
CDA article: CDA12345678/123
CDA version: R2A
Default article: cxc1250651
Default version: R6BC002
PROVIDER: 000-00
SIMLOCKS NOT DETECTED

RESTORATION FILE NOT PRESENT
"R6BC002_CXC1250646_CHINA_AI"
YOU MUST PERFORM FULL FLASHING FOR PATCH UNLOCK

Elapsed: 6 secs.


All things ok but want to know why setool no more identifies the phone on USB? :confused::confused:



Yes

You also cant update your Phone with SEUS

dream box programmer for unknown reasons completely erasing simlock signature during "repair".
(block 0x1 unit 0x851 for db202x series)

setool2 (as any other normal tools) making security backup before doing anything.

cause it can't find simlock signature, it shows error and terminate procedure.

solution is extremly simple - write any simlock signature inside phone after dreambox.

to dreambox programmers:

please, not erase simlock signature, fill it with 0xff, for example.
also, instead of writing abnormal custom loader patch into erom, why you not write patched erom with NOPed out header/prologue/payload checks?

dream box programmer for unknown reasons completely erasing simlock signature during "repair".
(block 0x1 unit 0x851 for db202x series)

setool2 (as any other normal tools) making security backup before doing anything.

cause it can't find simlock signature, it shows error and terminate procedure.

solution is extremly simple - write any simlock signature inside phone after dreambox.

to dreambox programmers:

please, not erase simlock signature, fill it with 0xff, for example.
also, instead of writing abnormal custom loader patch into erom, why you not write patched erom with NOPed out header/prologue/payload checks?

APPLE TEAM is totally agree with "the_laser"......
@dream Box Team
Plz Notice That Things....................
Thnaks
br
admin
apple team

dream box programmer for unknown reasons completely erasing simlock signature during "repair".
(block 0x1 unit 0x851 for db202x series)

setool2 (as any other normal tools) making security backup before doing anything.

cause it can't find simlock signature, it shows error and terminate procedure.

solution is extremly simple - write any simlock signature inside phone after dreambox.

to dreambox programmers:

please, not erase simlock signature, fill it with 0xff, for example.
also, instead of writing abnormal custom loader patch into erom, why you not write patched erom with NOPed out header/prologue/payload checks?

hehehehe......
nice opinion from laser...
hope someday u want to learn build some hardware device..

br,
kevin168

please, not erase simlock signature, fill it with 0xff, for example.
also, instead of writing abnormal custom loader patch into erom, why you not write patched erom with NOPed out header/prologue/payload checks?

There are cases when simlock signature is absent because phone was never locked and EROM does not support simlock signature check (EROM name WITHOUT "_SIMLOCK_"). In our case we remove signature check, remove "_SIMLOCK_" and remove signature block.
There is no need for SeTool2 to generate error and stop procedure if this block is absent. Just backup all other security blocks and continue.

Our "abnormal custom loader" helps us to reuse code from other projects.