Password for Universal - Windows Mobile Development and Hacking General

hi,
Apparently I was sniffing the USB packets, while updating the radio stack on my universal.
here is the sequence of commands which get issued in the beginning:
------------------------
USB>task 32
Level = FF
USB>info 2
HTCSO2___001 +XßjHTCE
USB>password ~0Ai~of~S~~0I000
HTCS Pass1. CMˆËHTCE
-------------------------
when I issue the same commands through mtty, everything works except the password. It says invalid password "HTCSInvalid password.R¿ËPHTCE" and comes back to the prompt.
What I want to do is to dump the bootloader and OS image to analyze a broken Exec. Does anyone know the right password which does work?

password is somehow calculated from a response for previous commands (probably info 2). Algorithm is unknown.

I modified RUU.dll to issue d2s 60000000 00800000 right after issuing the password which didn't work either. Looks like this calculated password isn't the one I am looking for.
Does anyone have the older bootloader for universal which allows d2s command?

ady said:
Does anyone have the older bootloader for universal which allows d2s command?
hi ady,
I do have one, but how would you like to put it in?
buzz

That is still a big HOW for me at the moment but I was thinking of finding a jtag port on the main board, that's how they must've programmed the bootloader at first right?

yes, that's the way to do it.
Other way would be to boot off the SD card and then replace device's bootloader.
buzz

Is it confirmed that it is possible to boot off an SD on universal?
Any previous findings on this matter?

ady said:
Is it confirmed that it is possible to boot off an SD on universal?
Any previous findings on this matter?
Yes, it is possible to boot Universal off an SD card.
However, it must be a special card.... at least its header.
buzz

ady said:
That is still a big HOW for me at the moment but I was thinking of finding a jtag port on the main board, that's how they must've programmed the bootloader at first right?
Maybe this will help
http://www.etoolsmiths.com/debugging-bootloaders-and-u-boot.html

hdubli: Thanks for replying. The problem is not that I don't have a debugger or jtag interface but that I have to find out where the jtag port is on the main board (if there is any)

Related

ROMs and getting it onto the PPC

OK I have the tmo PPC its already got 2003 on it and I know the loader is 5.15, other info that might be needed.
ROM 4.01.16 ENG
Radio 6.25.02
OK I want to get my own cooked ROM onto this, I know I know use the SD card method, well I don't have one and after getting this thing can't get one for a while either. I have the cradle that it comes with and have put software into etc, I have tried some unlock ROM software to find it didn't work etc etc. after cooking ROM and running it it tells me in a DOS window:
Error getconntiontype - An Existing connecitonwas forcibly closed by the remote host.
error getting connectiontype
so basically I need to find a way to get this into my PPC via activesync or something. sorry for bad post a little tired but I think people will understand and be able to help me or tell me I need SD card and wait until I get one.
I think you can use xdatools to flash the rom direct from xda memory, choose the nbf file as source then choose the xda device memory as destination from the drop down box in destination section.
OK tried that but can't access the PPC with xdatools so that won't work. thanks for trying though.
TMO ROMs are known to resist exe flashing ... use the SD method and you are lucky to have the bootloader 5.15
Well glad to know that my boot loader is a good one, now to find a SD card I can borrow to do this with, should I use a 32 or 64 or does it really matter as long as it holds the file.
64 megabytes is needed really, I have had a problem with 32 meg, it looks like it is programmed but when i flash it there is always a problem.
macgyver33 talked about having a 2003 version. Can anyone tell me where to get it? I mean european one (900-1800 MHz). Or at least the PDA part of it? And yet haven't found quite an exact explanation of "SD method" - any suggestions? Thanx a lot!
Bootloader v.5.17 locked
BL v.5.17 + TMO ROM. I am not able to downgrade the bootloader or change ROM.
I've tried using:
Cooked ROM.EXE - No way
(Error: GetConnectionType - An existing connection was forcibly closed by the remote host. Error getting connectiontype)
XDA OS Image Tool - No way
(Error: Same as above)
ITSTools - pnewbootloader - No way
(Error: Unable to find flash info offset, cannot disable bootloader writeprotect)
SD Method - No way
In bootloader mode (soft-reset while pressing on/off button), I have no options: Even with an SD card with OS image inside, there's no way to start ROM download as there is no option to choose...
Any idea?
Thx
Check this thread
Thanks Biso007.
No way. My XDA doesn't load the bootloader in a proper way:
1. Inserted the SD card in its slot
2. Answered "No" to format the card
3. Soft-reset while pressing on/off button (so to enter in bootloader mode)
4. Display turns off
5. No Wallaby Bootloader screen, so no action to take...
6. Wait... Nothing.
7. I've also tried to press the "Action" button so to start the SD downloading... Nothing
8. Wait... Nothing.
9. It needs another soft-reset to exit this state (a not working bootloader mode, I suppose)
10. It turns on "normally".
Any further idea? :-(
Thanks
if I'm not wrong, I couldn't see that you ran the 5.17 patch first ... without it your device will never detect the SD file ... check the thread again

wdata USB command to flash ROM

Dears,
wdata command can write data to P3300. Is it possible to use this command to upgrade ROM and get around the CID lock?
If so we can make a RUU program to flash anything into ROM.
Is this possible?
ylatsj said:
Dears,
wdata command can write data to P3300. Is it possible to use this command to upgrade ROM and get around the CID lock?
If so we can make a RUU program to flash anything into ROM.
Is this possible?
Of course it's a good idea but I think the process is much more complicated. The update process depends not only on ROMUpdateUtility but also depends on the Bootloader's security. If the bootloader does not open the port for entering data, no data can be entered so no ROM update can be done. Bootloader opens the port only when the CID in the ROM file matches with the device's CID and the Signature is intact. That's why we need USPL that does not check CID and Signature.
Tamagochi said:
Of course it's a good idea but I think the process is much more complicated. The update process depends not only on ROMUpdateUtility but also depends on the Bootloader's security. If the bootloader does not open the port for entering data, no data can be entered so no ROM update can be done. Bootloader opens the port only when the CID in the ROM file matches with the device's CID and the Signature is intact. That's why we need USPL that does not check CID and Signature.
I thought IPL won't check CID lock for wdata command. So I guess we can use wdata to flush anything into ROM (a clean, pure WM without any headers)
And we don't use ROMUpdateUtility but write an application to directly deal with the USB port on bootloader.
The purpose is to save hundreds of bricked phones. The current SuperCID program doesn't work with bootloader mode!!!
Anyone can tell me what address the Artemis OS begins with so that I can make the USB application to try to flush OS to the ROM address?
great!!
I think POF can help you
He is active in Hermes threads
ylatsj said:
I thought IPL won't check CID lock for wdata command. So I guess we can use wdata to flush anything into ROM (a clean, pure WM without any headers)
And we don't use ROMUpdateUtility but write an application to directly deal with the USB port on bootloader.
The purpose is to save hundreds of bricked phones. The current SuperCID program doesn't work with bootloader mode!!!
Anyone can tell me what address the Artemis OS begins with so that I can make the USB application to try to flush OS to the ROM address?
I don't think so, the SPL is like a bodyguard. To be able to write to the flashROM, some ports should be opened (enable write mode). Only the SPL can enable write mode, and it is very stubborn. Every time an application tries to write to the DOC, it asks for the CID and Signature. If these info do not match with the ones inside the DOC, it will refuse to enable write mode. You can fool it with CID but you cannot fool it with Signature unless you can imitate the signature and use it to sign the ROM file.
So the problem is how to imitate the signature or to extract it from a signed one.
Tamagochi said:
I don't think so, the SPL is like a bodyguard. To be able to write to the flashROM, some ports should be opened (enable write mode). Only the SPL can enable write mode, and it is very stubborn. Every time an application tries to write to the DOC, it asks for the CID and Signature. If these info do not match with the ones inside the DOC, it will refuse to enable write mode. You can fool it with CID but you cannot fool it with Signature unless you can imitate the signature and use it to sign the ROM file.
So the problem is how to imitate the signature or to extract it from a signed one.
First, sorry for q on first post and no introduction.
Basically, I'm male, so didn't rtfm until I got stuck...CID Locked device...botched WM6 upgrade...blah blah...bootscreen...blah...you know the score.
This thread has piqued my interest though. I am a programmer with quite a bit of experience of embedded devices. I figured that there is some way to do something like this...but not really sure how as documentation is a bit thin on the ground!
What does the wdata command actually do? My understanding is that it copies arbitrary data into the device's address space...but where from? We have a dst and len, but what is the src?
wdata [Len [StartAddr]]
I assume that the flash-rom is simply mapped into linear address space.
gamefreaks said:
First, sorry for q on first post and no introduction.
Basically, I'm male, so didn't rtfm until I got stuck...CID Locked device...botched WM6 upgrade...blah blah...bootscreen...blah...you know the score.
This thread has piqued my interest though. I am a programmer with quite a bit of experience of embedded devices. I figured that there is some way to do something like this...but not really sure how as documentation is a bit thin on the ground!
What does the wdata command actually do? My understanding is that it copies arbitrary data into the device's address space...but where from? We have a dst and len, but what is the src?
wdata [Len [StartAddr]]
I assume that the flash-rom is simply mapped into linear address space.
This is what I thought as well that the flash-rom is simply mapped into linear address space. But I don't know where it sits and which segment is for IPL,SPL,OS,EXTROM. etc...
And I am not sure if the IPL will secure the ROM write when it executes the "WDATA" command.
Here is the introduction for WDATA command
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
Also please check this URL
http://forum.xda-developers.com/archive/index.php/t-285112.html
Pay attention on this
Write data to memory(if write to ROM, need erase first).
"If write to ROM" This means the ROM is for sure being mapped into the memory space. And what is important is that WDATA doesn't talk to the IPL on any CID information. This possibly means that IPL won't stop a write to ROM.
So it is worth to give a try here. The information we need before make the USB application is:
1) Where does the ROM start inside the memory address space
2) Where does the OS start and end
3) How to erase the ROM before WDATA (Another USB command but what is it)
Actually, if we know where the IPL starts we could even directly flush the IPL to Pof's superCID. But this is a little dangerous because it is possible to crash the IPL ROM so that the Artemis even can't start bootloader. So better not do it but to flush the OS only and make the brick start first. Then use Pof's baby to flush the SuperCID.
OK, long post. Hope we can have more experts in this thread. Thank you folks for your attention on my topic.
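Added example (not part of the original thread or of any HTC tool): a parser for the "HTCS + DATA + checksum + HTCE" framing quoted from the wdata help text above, for pulling bootloader replies out of a captured mtty or USB log. The help text only says "CRC checksum", so the zlib CRC-32 little-endian verifier, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct
import zlib
from typing import Callable, List, NamedTuple, Optional

START, END = b"HTCS", b"HTCE"   # 4-byte markers from the quoted help text
CSUM_LEN = 4                    # "checksum(4 bytes, if not in user mode)"
MAX_DATA = 0x10000              # "Length must not more than 0x10000 bytes"

Verifier = Callable[[bytes], bytes]


class Frame(NamedTuple):
    data: bytes
    checksum: Optional[bytes]    # raw trailer bytes; None for user-mode frames
    checksum_ok: Optional[bool]  # None when no verifier was supplied


def assumed_crc32_le(data: bytes) -> bytes:
    """ASSUMPTION: zlib CRC-32, little-endian. The thread does not name the CRC."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(data: bytes, checksum: Optional[Verifier] = assumed_crc32_le) -> bytes:
    """Build a constructed sample frame; checksum=None gives a user-mode frame."""
    trailer = checksum(data) if checksum else b""
    return START + data + trailer + END


def parse_frames(stream: bytes, with_checksum: bool = True,
                 verify: Optional[Verifier] = None) -> List[Frame]:
    """Extract every HTCS...HTCE frame from a raw capture.

    The payload and the checksum are binary, so the bytes 'HTCE' can occur
    inside a frame. With a verifier, the end marker whose checksum matches is
    preferred; if none matches, the first candidate is reported as failed.
    """
    frames: List[Frame] = []
    pos = 0
    while (start := stream.find(START, pos)) >= 0:
        body_start = start + len(START)
        first = chosen = None
        end = stream.find(END, body_start)
        while end >= 0 and end - body_start <= MAX_DATA + CSUM_LEN:
            body = stream[body_start:end]
            if not with_checksum:
                chosen = (Frame(body, None, None), end)
                break
            if len(body) >= CSUM_LEN:
                data, trailer = body[:-CSUM_LEN], body[-CSUM_LEN:]
                ok = None if verify is None else verify(data) == trailer
                candidate = (Frame(data, trailer, ok), end)
                first = first or candidate
                if ok is not False:          # verified, or nothing to verify with
                    chosen = candidate
                    break
            end = stream.find(END, end + 1)
        picked = chosen or first
        if picked is None:                   # truncated frame: no usable end marker
            pos = body_start
            continue
        frames.append(picked[0])
        pos = picked[1] + len(END)
    return frames


def sample_capture() -> bytes:
    """Constructed capture: prompt text interleaved with two framed replies."""
    return (b"USB>info 2\r\n" + build_frame(b"O2___001") +
            b"USB>password TEST\r\n" + build_frame(b"Invalid password.") +
            b"USB>")


if __name__ == "__main__":
    for frame in parse_frames(sample_capture(), verify=assumed_crc32_le):
        print(frame.data, frame.checksum.hex(), frame.checksum_ok)
```

Called without a verifier, the parser still splits each reply into text and its 4-byte trailer, which is why replies in the logs on this page appear to end in a few unreadable characters before HTCE.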

69xx bootloader command for extracting ROM

Hello,
please, if somebody has more information about bootloader commands supported by HP iPAQ hw6900 series (HTC Sable) to share on this thread with us
Will be very helpful if we can extract ROM image through the bootloader of this iPAQ
I don't know much, I know nothing indeed, however I found somewhere a pack of files for the Wizard that were supposed to work for the sable, however they didn't, but there is this particular file, that when ran in the sable made appear a folder called "2" with an icon of a storage card and which rpely the contents of the root of the device (but for itself i mean no 2 folder inside the 2 folder lol)
I don't know if it is of some use but I definitely want to perform a corporate install of windows in my sable and kill all that HP crap that comes in bundled
How to enter bootloader
Just press ACTION+POWER+reset with stylus and hold this combination for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as a help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seems to hard reset your device, backup FIRST!
HI Boris,
where to find the manual ETC.
A RAW ROM means a bin file? how to convert then to something readable modifiable.... i understand that this is the main issue now.
I want to see a computer file which isn't binary based....
or a full text ROM
In fact, for me a raw ROM is a ROM-file which has been extracted from the device... The difference with a ROM-to-install is the encryption which is not present with raw dumps (to be checked).
Raw dumps can be modified and then re-updated but it needs some operations that are command-line based...
Once you got your raw ROM on SD, copy it to PC using ntrw, you have to find the correct tool to dump the content (dumprom should do the work)
Remember to keep the raw ROM as a backup, and work with a copy of the raw ROM.
You can also cut/paste the file into parts (OS, EXTROM...).
Logically, if you got the original ROM file (the german one) and the same taken from the device (raw ROM), we should be able to modify some existing tools to work with 69xx ROM files and cook some ROMs.
in bootloader mode: type
"h COMMANDNAME full" should show full manual of COMMANDNAME.
To have more information, once you know if your bootloader has d2s or r2sd ... command name, search for it on wiki and you should have more information and examples on the specific command.
I need to extract the ROM from one of these as well. I am getting into bootloader and trying to dump the rom to 256MB SD as follows...
USB>
USB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
d.total_lba=7A000
d.block_size=200
d.RCA=B368
d.drv_type=40000000
d.busWidth=1
Total card size=F400000
SDCARDD2S+,cStoragePlatformType=FF
Then the device just sits there with Cal Checksum on the screen. I get no response from NTTY or device until I restart.
I read on another thread that it might be locked. I also read that there may be a password to get into another level of access. See http://mobilitytoday.com/forum/showthread.php?t=15217 for details.
I have to get this cracked as I want to restore my good any network ROM onto a network specific device.
Anyone got any other ideas?
Matt4444 said:
Then the device just sits there with Cal Checksum on the screen. I get no response from NTTY or device until I restart.
The checksum calculation is a long process, try to wait longer...
Anyway your SD should have been written... have you tried to read it?
EDIT: Does it show ******** or direct checksum calculation? (how long is the process)
I let it run for over an hour the first time but that was with a 1GB SD card and I understand that it would take longer with 1GB.
I haven't actually looked to see if there is anything on the card(s) as I just assumed it hadn't worked. Other threads say that the device gives you progress or at least some response from the MTTY to say it was done.
I have to shoot to a meeting but will try again when I get back...
b0ris747 said:
Just press ACTION+POWER+reset with stylus and hold this combination for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as a help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seems to hard reset your device, backup FIRST!
yes, nice but does not work in 69xx's bootloader. while executing d2s command the device loops on "Calculating checksum" point and nothing happens even after an hour of waiting .. :-(
That is the same problem I am having. I read on another thread that dmc874 (who seems to know what he is talking about) thought it was related to the device being locked. See http://mobilitytoday.com/forum/showthread.php?p=68783
I am now trying to research the locking to see if there is anything I can do to unlock it... anyone else got any ideas?
Has anybody tried to upload a .NBA image through bootloader?
Does someone know the command for sending through bootloader to certain address locations?
What about pdocread or such tools?
Method to dump ROM from wizard using pdocread: http://www.spv-developers.com/forum/showthread.php?t=2888
Does Anyone Know Where I Can Get A English Rom For My IPAQ hw6955 Which Is Currently In French Please Help..
b0ris747 said:
Just press ACTION+POWER+reset with stylus and hold this combination for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as a help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seems to hard reset your device, backup FIRST!
..hey great info on how to get to bootloader,, i have a tmobile wing and need to get to the boot loader screen please tell me specifically what i have to do.. also what do u mean by action button???????
mafioso617 said:
..hey great info on how to get to bootloader,, i have a tmobile wing and need to get to the boot loader screen please tell me specifically what i have to do.. also what do u mean by action button???????
Action button = push directional pad in no direction
Anyway it won't work...
Maybe a method based on this:
http://forum.xda-developers.com/showthread.php?p=1480853
I'm looking for a french dump!
I'm also looking for a crazy volunteer to test an english ROM (It probably won't update, but I'd like to see the result and I've got no such device Magician, Beetles and Prophet only...)
b0ris747....
My PDA: HP 6915, normal English 1.21UK ROM. German ROM downloaded from HP's site. HP6915 update error; error code displayed: vG.30.
Hard reset and soft reset do not work.
Help me.
Note: I don't speak English, sorry.
http://forum.xda-developers.com/showthread.php?t=309357
good! Can it work for eten x500?
nixo79 said:
Has anybody tried to upload a .NBA image through bootloader?
Does someone know the command for sending through bootloader to certain address locations?
This is information for the BEETLES, Should not be too different than the 6900, If anyone could backup a 6900 series radio, and upload it, a lot of us would be grateful.
Source: http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware
Extract of my RadioROM
I extracted from start address of 60000000 with a length of 800000 what I think is my radio rom and this can be downloaded at
http://www.bold.net.au/~behave/radioROM.zip
I came up with this address from experimentation and addresses from other XDAs and extracted with the following command
USB>d2s 60000000 800000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
SDCARDD2S+,cStoragePlatformType=FF
********************************
Store image to SD/MMC card successful.
Anything higher and the dump fails.
USB>d2s 60000000 800001
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
********************************Read radio flash is fail!
The size of the uncompressed ROM is around 1gig because I only have 1gig sd cards to dump the ROM on.
You will probably need a 1gig or larger SD card, dim92 tried writing to a smaller card and the IPAQ doesn’t recognize it but you are welcome to give it a try on smaller cards as most of the image are 0s anyway.
Once you have written the image on to an sd card (use any of the bigrom guides using ntrw), pop it into the IPAQ and enter boot loader mode (power + joystick + reset). It should show up with “Download Sections: 1 press power to start".
Press power button and it should show “Updating radio". Let it finish and if it completed with no errors, power up to see if the mobile phone works. If it still does not work, try running the beetles radio patch now. If this too does not work, try running the LATEST rom from HP.
Useful utilities
iPAQDisk
http://www.xs4all.nl/~itsme
HOWTO: Change serial number and model number for HP IPAQ 6515
HP IPAQ 6515 Bootloader password
Exploring HP IPAQ 6515e bootloader
Nazeroth said:
I don't know much, I know nothing indeed, however I found somewhere a pack of files for the Wizard that were supposed to work for the sable, however they didn't, but there is this particular file, that when ran in the sable made appear a folder called "2" with an icon of a storage card and which rpely the contents of the root of the device (but for itself i mean no 2 folder inside the 2 folder lol)
I don't know if it is of some use but I definitely want to perform a corporate install of windows in my sable and kill all that HP crap that comes in bundled
Hi buddy, thanks for your attachment.
But I gotta tell ya this doesn't work in hp6915, coz all the ROM in the internet do not have ExtRom.nbf, so nobody's device had flashed the Extended Rom in device... then the Unlock tool will not work in this.
Anyway, thank you
Brose

[17 March][Q] - stock in Bootloader - dead?! - with pic

hi
i need help on my htc hd2 - stuck in bootloader... LOOK PIC
i tried all HSPL VERSIONS - same error BAD ID
i tried ORIGINAL ROM - HTC HD2-RUU_Leo_S_Orange_FR-B2B_3.14.73.2_Radio_15.42.50.11U_2.15.50.14_LEO ( DOWNLOADED FROM HTC WITH SERIAL NUMBER) ERROR 244 - INVALID ID
i tried flashing with sdcard leoimg.nbh but i get error 00058002
can any one advise what could i do - please post links to
Pic
at what % does the install fail?
Bad ID means that the rom isn't matching the region of the phone. Sounds to me like the CID got corrupt. You need to create a goldcard, and with that, you can write any rom from any region onto it - just like if it were hardspl'd.
I'm typing this on my phone, but look on here for instructions on how to make a goldcard: you'll need psas, google it. I own it, and can generate you the files for your sdcard's serial number..
Sent from my HTC HD2 using XDA App
Boradan said:
at what % does the install fail?
it fails at 1% when trying to install from ruu - pc
with sdcard at the beginning - loading... and then shows error 00058002
thanks for replying
during ruu it shows in phone this image
foil said:
I own it, and can generate you the files for your sdcard's serial number..
can i contact you at email or ( will it cost me if yes how much)
thanks for replying
ubejd said:
can i contact you at email or ( will it cost me if yes how much)
thanks for replying
Go here:
http://psas.revskills.de/?q=node/ and download the PSAS free version.
This will only work if you have another windows mobile phone that you can put your card into. Put your card into that phone and connect it to activesync.
Run Rev Skills and select: Menu- Hardware Forensics- WINCE SD Card Utils and select 'get serial and disk ID'
When you get the disk ID, PM it to me or foil and we can generate the goldcard image for you.
Andy
Except that even mythical gold cards are device dependent, so it will look at the corrupted devID on line one of the bootloader screen and say "this isn't a hd2" and stop.
Boradan said:
Go here:
http://psas.revskills.de/?q=node/ and download the PSAS free version.
This will only work if you have another windows mobile phone that you can put your card into. Put your card into that phone and connect it to activesync.
Run Rev Skills and select: Menu- Hardware Forensics- WINCE SD Card Utils and select 'get serial and disk ID'
When you get the disk ID, PM it to me or foil and we can generate the goldcard image for you.
Andy
thank you for your help
but i solved by trying with another battery fully charged and sent it to a friend who has jtag method
I have the same problem, how did you solve it ?
please help!
n__mil said:
I have the same problem, how did you solve it ?
please help!
i sent it to a friend who has Riff box with jtag and done

[Q] Partially bricked Universal

Hi everyone! This is my first post and I would like to thank You all for great job done on this forum, I'm rather beginner but already gathered a lot of knowledge by reading various posts
My first post will be about HTC Universal, that came to me few days ago. From first look it's an amazing piece of hardware and I would like to make it working, because (obviously) it is not
Uni's characteristics:
Black O2 XDA Exec
NAND Flash - DiskOnChip G4
Uni's behaviour:
after turning on is showing bootloader screen with some artifacts and following info:
R 1.17.00
G 42.53.P8
O D. 08.81 TML
can access bootloader menu (three yes/no settings, KITL) - same artifacts are here too
combination of backlight+power+reset gives black screen
hard reset doesn't change anything, screen with O and X is ok, with no artifacts
device is not recognized by PC so I cannot flash it (dev 0000, ven 0000 on windows / cannot enumerate on linux) - USB transmit lines are ok because situation changes after choosing KITL mode (every other is unrecognized)
Already done:
I thought it may be damaged USB port, but I successfully managed to make it work after choosing KITL mode from bootloader menu (backlight? + reset). It doesn't accept any commands through mtty but at least installed in windows as HTC Sync Device (not remember correctly?) and showed some prompt in console (KITL$ ?).
I didn't really know what KITL is so i googled for other methods of unbricking and found amazing discussion between scholbert and roglio in topic about rescuing uni from scratch via JTAG. So I remodelled my adapter to the same as Wiggler2 and connected to mainboard. However, my situation, if I understand correctly, is not the same as scholbert's or roglio's was. I have working IPL and partially working SPL, that is, I think I have
Is there any method of writing SPL into ram and running it in this situation? Maybe then USB will be working and let me flash new firmware? I found solutions like this for some other HTCs but I don't really know how to load something into RAM, because it looks like it is inaccessible at the moment (errors in openocd, zeroes read by urjtag). I'm working with newest openocd version, it recognizes PXA270 without problem, same as urjtag.
Or is it possible to restore Uni via KITL mode? Maybe I try to download software required in topic about Hermes and run it at some free time, but I have to connect my old windows box to internet
I'll be very thankful for every answer and I hope that this Uni will work once again
P.S.: I'm sorry if some of statements are not understandable, I lack possibility of using english daily and practicing it, so my english is little poor
Best Regards, Karol
#------
Ah, yes, I forgot. Not black screen after combination of backlight+power+reset, but Serial + v2.01. Does not react to USB. If I connect USB first, then reset, it's "USB v2.01" - device not recognized. The same with SD card inserted -> reset -> "USB v2.01" -> took card -> unrecognized...
Welcome to forums,
Have a read on the thread just above this one, you'll find almost all you need
Hi!
Thank You for your answer. I have already read this and other topics regarding "stuck at bootloader" and other problems, and tried all the provided solutions, with no luck
The main problem is usb not working properly. I'd rather not suspect hardware damage, because it works in KITL mode.
#---
I've done some more research. Downloaded and installed Platform Builder, and following instruction for hermes (changing only processor type) tried to run system through KITL, but with no success, image (awfully small - about 900kB) was downloaded to device, but there was no answer from it - KITL screen have not changed.
After few tries I focused on another method - based on tomal's SDFlash_G3. I took 416 byte header found later in topic about SDFlash (OllieD's) and connected it with decrypted official nk.nbf image from O2 and later with one from tomal's rom.
My device was reacting kind of strange while trying to recognize rom from card. For first, it haven't tried at all, not until I !removed! MMC card! (instead of this later I was hovering the sd card slot pin responsible for card detect).
Then, there was two scenarios:
first, when I took card too fast after entering bootloader, it showed message about too short rom
second, where I waited some more seconds, it showed error about sections=1 and not allowing to update
So I searched about this section=1 error and found that it is incompatibility between 416 byte header and rom image - header points that there should be more sections in rom, but there is only one.
Don't really know how to change it, is there any documentation about header structure?
In topic about SDFlash_G3 there was mentioned that this method is "without 2nd device", but I haven't found anything about "with 2nd device", is it worth giving a try?
Can someone provide me with mmc/sd card image (compressed of course) with backup from G4 Universal device done with d2s command?
I'll be very thankful for any help.
Best regards, Karol
