I wrote this guide because I got frustrated at the seeming impossibility of downgrading a 2.21+ SPL ROM on my Wizard to CID unlock it, and the fact that lokiwiz did not work either.
After a day of research it became apparent that this was far from the truth, and that it was easily unlockable. All the tools were out there, there just wasn't a guide to help direct someone through all the steps.
Well this is that guide.
I've tried to make it newbie friendly, and although this has only been tested on my Wizard, I see no reason why this wouldn't work on the Typhoon (in fact most of the tools used are originally for the Typhoon) and Tornado, seeing as they have almost identical boot loaders.
The guide comes with the usual warning:
“If you manage to brick your phone, it wasn't my fault”
I can't stress this point enough though: get a few numbers wrong in some of the commands in the guide, and you could break your phone. Triple check everything you type in!!
Attached is the guide in a zipped version in html and .doc format (html for those of you that can't be arsed with MS Word files)
Enjoy
This guide works on G3 phones only, regardless of ROM version, but I see little point in going through all these steps when for 90% of you, lokiwiz should work fine. So I suggest you only use this guide if you are having trouble with lokiwiz, and/or you have a 2.21+ SPL G3 Wizard.
**EDIT** Guide back up and updated
Looks good Craptree,
Unfortunately I don't own a G4 device to try it on.
Would love to hear some feedback from users that have a G4 CID Locked Wizard and used this how-to to successfully CID unlock their G4 Wizard.
Regards,
Molski
Thank you
keep up the good work Molski
Firstly, good work, that was some reading and collating you did. I've worked my way through, but when I come to write the unlocked.nb file back using "pdocwrite -n 1 unlocked.nb" I get this error:
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
Can you shed some light?
OK, I've done some snooping around. Should the last command be something like
pdocwrite -n 1 0 0x10000 unlocked.nb ??
I have tried this method and got the cid.bin file from the device. How can I convert the cid.bin to a cid.nf file? Will this command "perl typhooncidedit.pl cid.bin" generate the cid.nf file? I don't get it. Please help me. Thanks!
Hi, I'm by no means anywhere near an expert (as you can see from my posting above), but from my limited experience I can say no: perl typhooncidedit.pl cid.bin will read the current file. Note that you need to reboot after installing Active Perl, and there seems to be a spelling mistake in the commands in the howto: it's typhooncidedit_pl, note the underscore, not a full stop.
It's the command "perl typhooncidedit_pl cid.bin -c 11111111 -w unlocked.bin" that creates the file to be written back to the phone. However, this is where it ends for me, as I can't get the next stage to work just yet and am a little wary of playing around without more informed guidance in case I brick the device.
problem with soulcage
When I try to download the package with the crypt-des I got this message:
soulcage.net
This domain name expired on 10/09/2006 and is pending renewal or deletion.
is there any other place to get this package?!?
Weird, I did it last night and it worked. I even just reopened ActivePerl and it rechecked with no errors. You are downloading the package through ActivePerl, aren't you?
I'm also getting the ITWriteDisk error and the problem with the Crypt-DES repository. Found Crypt-DES at http://theory.uwinnipeg.ca/ppms/ in the end.
wblqx - oops, looks like I got muddled up with my file name extensions. It doesn't matter if the file's a .nb or .bin, they're both identical. Just reference the file you have. So if you have a cid.bin, the command would be
perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
flipside101 - hmmm, I'm not quite sure why it won't let you write the file back... all I can suggest is to make sure that cert_spcs.cab and enablerapi.cab have been loaded onto your phone. Have you tried copying the files onto your phone and running them manually?
PS - I've changed the original guides to avoid this confusion in the future, wblqx
Ok, I got the crypt-des from here: http://theoryx5.uwinnipeg.ca/ppms/package.xml
and it's version 2.05 from Dave Parishere and this is what I have here:
I got the cid.bin file and this is what I read "inside" it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
(the lock codes appear to be crypted, is that correct?)
then I did the perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb and got it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
olddata: 6d18c04e8ed463a6460f100469464259621e8365aeb43277cf2858b925828379
newdata: 95ea23df0bf16432cf7be60912a5cbdedee342037c9d3bd3dee342037c9d3bd3
newsum=3c8b458b encsum=4e3630065084dd42
and at least the: pdocwrite -n 1 unlocked.nb gave me this:
D:\qtek\cid>pdocwrite -n 1 unlocked.nb
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 96 10 01 04 13 1d 11 2c 15 03 06 c5
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - An internal error occurred.
craptree, do you have any clue about what is wrong?
here is the unlocked.nb:
D:\qtek\cid>perl typhooncidedit.pl unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: 3c8b458b - 4e3630065084dd42
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
Hi Craptree, no, I tried the manual running of rapi but I still get the same error
D:\XDA\CID>pdocwrite -n 1 unlocked.bin
CopyFileToTFFS(unlocked.bin:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
In case it's any help, here's some info on the locked and unlocked files
LOCKED
D:\XDA\CID>perl typhooncidedit_pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 431ca7b6 - fa9d45e5b52e53c3
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'WIZO2B01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
UNLOCKED
D:\XDA\CID>perl typhooncidedit_pl unlocked.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 7d3a21f5 - fdee2cb45bfc5c18
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
Hello,
First I have to say this initiative for a CID unlock guide is GREAT !
Unfortunately, I went through the same process and also got a write error in the end.
Here's for me :
- Had to use Crypt-DES from http://theoryx5.uwinnipeg.ca/ppms/package.xml while Soulcage.net access is off (or so it seems)
- Installed Cert_SPCS.cab and EnableRapi.cab both using .bat and manual installation
- Was able to get the CID.bin & modify without problem
- Last operation results in following error:
"3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 3a 20 01 02 23 2a 12 8d 01 09 05 40
CopyFileToTFFS(cid_unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - Internal error" (translated from French).
My CID binaries :
## perl typhooncidedit.pl cid_original.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 1cab1674 - 37f31b4a27fe4616
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK24' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
## perl typhooncidedit.pl cid_unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 500ec10b - c44c8893515dcabf
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
Could this be because we had to use a different Crypt-DES package? Or shall we look for some other reason?
Thanks and good luck
Sylvain
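A check that the dumps posted above lend themselves to, given here as an added example (it is not part of the thread or of typhooncidedit.pl): parse two typhooncidedit.pl dumps and confirm that only the `cid` and `checksum` fields differ before anything is written back. The function names and the sample dumps are constructed for illustration; the "expected to change" set is an assumption taken from the before/after dumps in this thread.

```python
import re

# One field line of a typhooncidedit.pl dump, e.g.
#   0x0160 - cid : 0008:'WIZQTK01' 0e0f10...
# The field name never contains ':', so the first colon ends the name.
FIELD_RE = re.compile(r"^0x([0-9a-fA-F]+)\s*-\s*([^:]+?)\s*:\s*(.*)$")

# Assumption drawn from the dumps in this thread: a CID edit changes the
# CID string and the checksum, and nothing else.
EXPECTED_TO_CHANGE = {"cid", "checksum"}


def parse_dump(text):
    """Return {field name: (offset, value)} for every field line in a dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # shell prompt, olddata/newdata lines, blank lines
        offset, name, value = m.groups()
        fields[name.strip()] = (int(offset, 16), value.strip())
    return fields


def cid_string(fields):
    """Extract the quoted CID text from the 'cid' field, or None."""
    m = re.search(r"'([^']*)'", fields.get("cid", (0, ""))[1])
    return m.group(1) if m else None


def compare_dumps(before_text, after_text):
    """Classify the differences between two dumps of the same block."""
    before, after = parse_dump(before_text), parse_dump(after_text)
    changed = [n for n in sorted(set(before) | set(after))
               if before.get(n) != after.get(n)]
    return {
        "changed": changed,
        # Anything here (IMEI, lock codes, key index, ...) means the edited
        # image differs from the original in a way the edit should not cause.
        "unexpected": [n for n in changed if n not in EXPECTED_TO_CHANGE],
        # Fields that should have changed but did not (e.g. stale checksum).
        "expected_but_unchanged": sorted(EXPECTED_TO_CHANGE - set(changed)),
    }


# Constructed sample dumps (values are made up, layout follows the thread).
BEFORE = r"""
D:\cid>perl typhooncidedit.pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: aaaaaaaa - 1111111111111111
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZTST01' 0e0f1011
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 0000000000000000
0x1d00 - lock 0 : 00112233445566778899aabbccddeeff
"""

AFTER = r"""
D:\cid>perl typhooncidedit.pl unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: bbbbbbbb - 2222222222222222
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 0000000000000000
0x1d00 - lock 0 : 00112233445566778899aabbccddeeff
"""

# Same as AFTER, but with one digit of the IMEI field altered.
TAMPERED = AFTER.replace("imei : 0000000000000000", "imei : 0000000000000001")

if __name__ == "__main__":
    print(compare_dumps(BEFORE, AFTER))
    print(compare_dumps(BEFORE, TAMPERED))
```

Fields are keyed by name rather than offset because the `cid key` offset differs between the devices dumped in this thread (0x1930, 0x1450, 0x18c8).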
This is weird, it looks like it's worked for no one except me
sorry...
my Wizard was a G3, but it was locked into 2.26 SPL, and refused to be unlocked with lokiwiz (as G3s with 2.21+ ROMs seem to have the same problem with CID unlocking that G4s do), or anything else, and this manual way was the only thing that did the job for me...
I have two reasons, and I fear it's the first one...
1) G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4s do. So this solution may only work on G3 2.21+ phones
2) I semi-downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the SPL), then did all the steps laid out in the guide.
riz
jubanet - yeah, it appears the lock code is encrypted. If someone with the crypted lock code cid.bin files could send me one, I can see if it appears unencrypted on my version of crypt-des
craptree said:
jubanet - yeah, it appears the lock code is encrypted. If someone with the crypted lock code cid.bin files could send me one, I can see if it appears unencrypted on my version of crypt-des
here it is!
craptree said:
This is weird, it looks like it's worked for no one except me
sorry...
my Wizard was a G3, but it was locked into 2.26 SPL, and refused to be unlocked with lokiwiz (as G3s with 2.21+ ROMs seem to have the same problem with CID unlocking that G4s do), or anything else, and this manual way was the only thing that did the job for me...
I have two reasons, and I fear it's the first one...
1) G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4s do. So this solution may only work on G3 2.21+ phones
2) I semi-downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the SPL), then did all the steps laid out in the guide.
riz
hummm...
everybody says that it's impossible to CID unlock the G4...
I'll try downgrading to that ROM (without touching the IPL/SPL)
@ craptree
I'm on a G3 2.21.4.1 O2 Wizard, so similar to yours. I'll try the partial downgrade
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
LordPhong said:
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
The only bit in the doc that's about SIM unlocking is
"**The number at 0x1d00 is your sim unlock code. Write it down somewhere and use it to sim unlock your phone (i.e. when you insert a different providers sim card, it will ask you for a code)"
The rest is purely about the cid
Below are some commands for Artemis.
For the moment I still have not found a command to back up the existing ROM.
There are some interesting ones related to debug and use of TFTP.
Commands are case sensitive.
Looks like the battery is charging while in bootloader mode. It was not the case with Prophet.
regards,
fdp24
*******************************************
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*******************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
Unknown yet.
*******************************************
Cmd>SetDsbDBGMSGT
Unknown yet.
*******************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*******************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*******************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*******************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*******************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 403xxxx
EEPROMless configuration!
-emapiTest
*******************************************
Cmd>emapiPwrDwn
*******************************************
Cmd>emapiRead
Parameter Wrong!!
*******************************************
Cmd>getdevinfo
Need password!
*******************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*******************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*******************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*******************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*******************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*******************************************
Cmd>ResetDevice
no comments
*******************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*******************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
*******************************************
Cmd>GPSRouting
Dump code to mtty console.
*******************************************
Cmd>BTRouting
Dump code to mtty console.
*******************************************
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
*******************************************
Wow.. Very VERY nice!
Wow fdp24
Please, how did you find out all those commands?
I'm curious and in need of unbricking some.
Can we use any of these commands to make the SimLockTool_Artemis_Excalibur tool work?
Got an XDA orbit two days back and it won't boot. Once when booted, it got stuck in the splash screen saying O2 and showed the protocols:
IPL:1.25.001
SPL:1.25.000
GSM:2.67.90
OS:1.25.00
It didn't go past this screen and a 4-sec press on power button switched it off. Any number of soft resets wouldn't solve the issue and there was this peculiar problem of the screen going dull and then fully dark, but u can see that the device is not off coz the screen is letting out a dull glow. Resetting switched off the phone.
Thinking it might be a battery issue, plugged in the USB power, but then there was no indication that it was charging. After sometime tried switching on and the unit was dead. Pulled out the battery and reinserted after arnd 10 mins and did a hard reset. (Pulling battery out and reinserting was done so many times that I'd from now on refer to it as BOutReIn-10min; 10min being the time it stayed out.) Booted after the hard reset and it started showing charge indication - orange, green n all. Then after setting the preferences, worked for abt 2 mins and the same problem of screen going dull and black gradually. Soft resets, hard resets, trying bootloader mode - nothing works. Just a brick with a nice thumbdial and trackball. DEAD.
Downloaded the Original O2 UK ROM Image ARTEIMG.nbh
BOutReIn-30min and tried flashing the ROM from PC. 75% and the same dimming of the screen, but in another pattern of going up from the bottom.
BOutReIn-5min and tried flashing from SD card.
After the "Reading from Sd card" message, while installing first OS, it showed same problem.
Finding that the timing of the problem is connected to the time the battery is out (or the time the unit is not being used), BOutReIn-6hrs and tried SD card flashing which went successful, but when the unit reset after the process, it got stuck in bootloader. Oh Oh! More problematic? Donno.. Another reset, still BL. One more, still in BL, but the screen went dull after 2-3 secs. It hasn't come out of the BL since then.
Possible reasons
1.Corrupt OS(most probable)
2.corrupt bootloader(less probable, but not impossible.the fact that it shows bootloader means it is intact,i think)
3.Mainboard problem(least probable, but seeing the way things go, i had started to suspect this, especially coz of the screen dimming)
Gotta be something inside which gets heated up or cuts out. So opened it up and cleaned the whole interior and this guide, along with common sense, came in handy.
Then i found a small button cell soldered to the board. The presence of this really caught my attention coz i have had bad experiences with such things in older mobile phones and GPS units. My eTrex Vista went bad after some days of non-use and I found a leaking internal rechargeable cell just like this(3.3v), soldered to the board and it served the purpose of powering the memory where the system settings are saved. That GPS unit didn't come with a flash memory; tho Garmin learnt it fast and switched to Flashroms. Actually the only way of saving such things in GPS units is keeping operational batteries in the unit always and checking them frequently.
A quick check gave the cell voltage as 0.65v which is too low for such chemistry. Then connected the USB charger to the board and measured at the terminals and it was the same. It showed that it is not getting any supply. Also, there was slight corrosion on the button cell body, which indicated that it might start leaking anytime, if not already. Cleaned up the body, brushed the whole area clean of any impurities and recharged it using 2 duracells connected to the +/- terminals and the voltage climbed to 1.7v. Kept it like that for sometime and checked the voltage once more, which showed 1.5v. This showed rapid voltage falling and that is not good news. The battery surely is on its last leg.
Not wanting to give up, and to test really whether the cell contributes to the system settings (otherwise, what is it there for?), connected everything rt back and did an SD card flashing which was successful and the unit booted after reset and started charging and everything was going smooth. Showed splash screen and when it was about to get into the customization phase, the screen began to dim.....
Sad, but I think that's at least some point to start. The board is having problems and that's why it doesn't charge the internal cell and the Artemis worked while the cell still had charge. When kept on working, the internal cell has discharged enough and more and that can be the beginning of so many problems which show up in bricked units (mostly Artemis).
No power
No charging
Stuck on bootloader
unit hanging when using
Now I don't think I can service the board successfully myself. Even professional servicing would be very costly. An alternative would be to replace the board.
Now i would like to know if such an internal rechargeable cell is there in other HTC devices. If so, then it is the culprit. If this is there in only Artemis-based PDAs having GPS, then it may or may not be the problem as it might be there just for the GPS, just like in older Garmins. Also, if that is the case, new GPS PDAs won't be having that cell too, after learning from such a mistake.
Let the discussion begin!!!
Hi-Res pics are here:
Internal Rechargeable cell
Close-up of the cell
Artemis Bootloader Commands
While researching the problem and its possible solutions, I stumbled upon this information on a Trinity discussion board. This is very valuable information (read last resort) to those out there like me whose Orbits are not stable/dead. (No pun intended) Giving due credit to its author, fdp24, I am posting it here.
The actual thread is here.
fdp24 said:
rbmc is not in spl in Artemis device. On Trinity probably too.
These are some commands for Artemis:
Could be similarity for Trinity
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*******************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
*******************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*******************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*******************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*******************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*******************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
*******************************************
Cmd>emapiPwrDwn
*******************************************
Cmd>emapiRead
Parameter Wrong!!
*******************************************
Cmd>getdevinfo
Need password!
*******************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*******************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*******************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*******************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*******************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*******************************************
Cmd>ResetDevice
no comments
*******************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*******************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
************************************************** ************************************************** *
Cmd>GPSRouting
Dump code to mtty console.
************************************************** ************************************************** *
Cmd>BTRouting
Dump code to mtty console.
************************************************** ************************************************** *
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
************************************************** ************************************************** *
password BsaD5SeoA - this is static password used during flashing device. (USB sniffer)
battery seems to be charging during bootloader.
If you get stuck at the bootloader while manipulating commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run the ROM flasher even on a CID locked device. It will give you an error message about Device ID or something, but your device will be back to normal and boot normally.
SOLVED!!!
The Orbit unit is up and running now....!!!!!WOOOOOOOOOOHOOOOOOOOOO!!!
I'll post everything I did to get it up.
Now I really think the internal rechargeable cell is the culprit.
But for now, I'm one happy person, even if the Orbit in question is not mine.
GSM-working
GPS-working
Bluetooth-working
IR-working
USB charging
camera-working
sd card-working
fm radio-working
mouse ball and thumbwheel-working
Wifi-not turning on(need to investigate on this)
htc 3300 error 300
no waaaaawwwwooooooooooooo iii
htc p3300 bricked with error 300 help help
hellllllllllllllllllllllllllllllllllllps boys pof pof
newwws newwws
What happened? Can this forum help us? My Artemis is blocked with error 300 on all ROMs.
Hi. This is a message to experts.
Looking at the bootloader in my broken ELFIN (or better said, dead, because even with a GOLD CARD I couldn't bring it back to life), I found a command called wdata. This is the screen result:
==========================================================
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
==========================================================
So the question is: is there any way of using that command to access the F****** g_cKeyCardSecurityLevel = FF register and modify it?
Does anyone know the memory position of that register? If so, how can I change it?
Hoping for answers.
Thanks
I tried to change the ROM with the wrong file and am now stuck in the bootloader
ATHE100
IPL-V2.02
ATHE100
SPL-V3.05.0000
Flash again with an official ROM for the HTC Athena >> http://shipped-roms.com/index.php?category=windows%20mobile&model=Athena
I tried many official ROMs but get the error "invalid vendor ID and model ID".
Please, how do I find out my device's CID?
MA7MOD_GSM said:
I tried many official ROMs but get the error "invalid vendor ID and model ID".
Please, how do I find out my device's CID?
Run the set 32 command in the mtty console!
in response you will see g_cKeyCardSecurityLevel = 00 or
g_cKeyCardSecurityLevel = FF
00 - is unlocked
FF - locked
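An added example, not part of any post in this thread: a Python sketch that reads a saved MTTY capture and reports the CID state from the two indicators quoted above, the g_cKeyCardSecurityLevel value and the bootloader's response to ls. The sample capture is constructed, and the `Cmd>set 32` prompt line and the function names are assumptions.

```python
import re

# Constructed sample capture, modelled on the responses quoted in this thread.
# Assumption: the command appears in the capture as "Cmd>set 32".
SAMPLE_SESSION = """\
Cmd>set 32
g_cKeyCardSecurityLevel = FF
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
"""

LEVEL_RE = re.compile(r"g_cKeyCardSecurityLevel\s*=\s*(?:0x)?([0-9A-Fa-f]{1,2})\b")


def split_commands(transcript):
    """Group console lines under the 'Cmd>' prompt that produced them."""
    blocks = []
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("Cmd>"):
            blocks.append((line[4:].strip(), []))
        elif line and blocks:
            blocks[-1][1].append(line)
    return blocks


def cid_state(transcript):
    """Return 'locked', 'unlocked', 'conflict' or 'unknown' for one capture."""
    votes = set()
    for _cmd, output in split_commands(transcript):
        text = "\n".join(output)
        match = LEVEL_RE.search(text)
        if match:
            level = int(match.group(1), 16)
            if level == 0x00:      # 00 = unlocked, per the thread
                votes.add("unlocked")
            elif level == 0xFF:    # FF = locked, per the thread
                votes.add("locked")
        if "MTTYDownloadImage" in text:
            if "Not allow operation!" in text:
                votes.add("locked")
            elif "start download" in text:
                votes.add("unlocked")
    if len(votes) > 1:
        return "conflict"  # indicators disagree; re-capture before trusting either
    return votes.pop() if votes else "unknown"
```

A value other than 00 or FF yields no verdict from the flag alone, since the thread only documents those two.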
in response you will see g_cKeyCardSecurityLevel = 00 or
g_cKeyCardSecurityLevel = FF
I know the CID is locked, but I need to know which original ROM is for my device.
Is there any method to find out the CID model for the Athena?
thanks
MA7MOD_GSM said:
in response you will see g_cKeyCardSecurityLevel = 00 or
g_cKeyCardSecurityLevel = FF
I know the CID is locked, but I need to know which original ROM is for my device.
Is there any method to find out the CID model for the Athena?
thanks
The operating system embedded by the manufacturer is WM 5.0