Dears,
The wdata command can write data to the P3300. Is it possible to use this command to upgrade the ROM and get around the CID lock?
If so we can make a RUU program to flash anything into ROM.
Is this possible?
Of course it's a good idea, but I think the process is much more complicated. The update process depends not only on ROMUpdateUtility but also on the bootloader's security. If the bootloader does not open the port for entering data, no data can be entered, so no ROM update can be done. The bootloader opens the port only when the CID in the ROM file matches the device's CID and the signature is intact. That's why we need a USPL that does not check CID and signature.
I thought the IPL won't check the CID lock for the wdata command. So I guess we can use wdata to flash anything into ROM (a clean, pure WM without any headers).
And we don't use ROMUpdateUtility but write an application to deal directly with the USB port on the bootloader.
The purpose is to save hundreds of bricked phones. The current SuperCID program doesn't work in bootloader mode!!!
Can anyone tell me what address the Artemis OS begins at, so that I can make the USB application to try to flash the OS to the ROM address?
great!!
I think POF can help you
He is active in the Hermes threads
I don't think so, the SPL is like a bodyguard. To be able to write to the flash ROM, some ports should be opened (enable write mode). Only the SPL can enable write mode, and it is very stubborn. Every time an application tries to write to the DOC, it asks for the CID and signature. If this info does not match the one inside the DOC, it will refuse to enable write mode. You can fool it with the CID but you cannot fool it with the signature unless you can imitate the signature and use it to sign the ROM file.
So the problem is how to imitate the signature or extract it from a signed one.
First, sorry for a question on my first post and no introduction.
Basically, I'm male, so I didn't RTFM until I got stuck... CID-locked device... botched WM6 upgrade... blah blah... boot screen... blah... you know the score.
This thread has piqued my interest though. I am a programmer with quite a bit of experience of embedded devices. I figured that there is some way to do something like this... but not really sure how, as documentation is a bit thin on the ground!
What does the wdata command actually do? My understanding is that it copies arbitrary data into the device's address space... but from where? We have a dst and len, but what is the src?
wdata [Len [StartAddr]]
I assume that the flash ROM is simply mapped into linear address space.
This is what I thought as well, that the flash ROM is simply mapped into linear address space. But I don't know where it sits and which segment is for IPL, SPL, OS, EXTROM, etc.
And I am not sure if the IPL will secure the ROM write when it executes the "WDATA" command.
Here is the introduction for the WDATA command:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
Also please check this URL
http://forum.xda-developers.com/archive/index.php/t-285112.html
Pay attention to this:
Write data to memory(if write to ROM, need erase first).
"If write to ROM" means the ROM is for sure mapped into the memory space. And what is important is that WDATA doesn't talk to the IPL about any CID information. This possibly means that the IPL won't stop a write to ROM.
So it is worth a try here. The information we need before making the USB application is:
1) Where the ROM starts inside the memory address space
2) Where the OS starts and ends
3) How to erase the ROM before WDATA (another USB command, but which one?)
Actually, if we knew where the IPL starts we could even directly flash Pof's SuperCID into the IPL. But this is a little dangerous because it is possible to crash the IPL ROM so that the Artemis can't even start the bootloader. So better not do it, but flash the OS only and make the brick start first. Then use Pof's baby to flash the SuperCID.
OK, long post. Hope we can have more experts in this thread. Thank you folks for your attention to my topic.
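An added example (not code from any poster in this thread) of the host side of what the post above proposes: splitting an image into wdata transactions that respect the constraints in the help text (0x10000-byte buffer, 4-byte length alignment outside user mode, HTCS + DATA + checksum + HTCE framing), plus the inverse parser for checking what a tool really put on the wire with a USB monitor. Assumptions are marked in the code: the help text does not name the CRC, so CRC-32 is a stand-in, and the command-line format (hex address and length without a 0x prefix) is copied from the d2s transcripts later in the thread. The erase the help text requires before a ROM write is not performed here.

```python
import struct
import zlib

# Markers and limits from the wdata help text quoted in the thread.
HTCS = b"HTCS"
HTCE = b"HTCE"
MAX_CHUNK = 0x10000  # "Length must not more than 0x10000 bytes (buffer limitation)"


def frame_checksum(chunk: bytes) -> bytes:
    """4-byte checksum appended to the data when not in user mode.

    ASSUMPTION: the help text only says "CRC checksum (4 bytes)" and names no
    polynomial or byte order. CRC-32 little-endian is a stand-in, not the
    bootloader's real algorithm; swap it once the real one is known.
    """
    return struct.pack("<I", zlib.crc32(chunk) & 0xFFFFFFFF)


def build_wdata_frames(start_addr: int, data: bytes, user_mode: bool = False) -> list:
    """Split `data` into wdata transactions starting at `start_addr`.

    Returns (command_line, payload) pairs: the command line is typed at the
    USB> prompt, the payload follows in HTCS + DATA [+ checksum] + HTCE form.
    """
    if not data:
        raise ValueError("nothing to write")
    if not user_mode and len(data) % 4:
        raise ValueError("length must be on a 4-byte boundary when not in user mode")
    frames = []
    for off in range(0, len(data), MAX_CHUNK):
        chunk = data[off:off + MAX_CHUNK]
        addr = start_addr + off
        # ASSUMPTION: hex without 0x, as in "d2s 60000000 800000" elsewhere in the thread.
        cmd = f"wdata {addr:08X} {len(chunk):X}\r"
        trailer = b"" if user_mode else frame_checksum(chunk)
        frames.append((cmd, HTCS + chunk + trailer + HTCE))
    return frames


def parse_wdata_frame(payload: bytes, user_mode: bool = False) -> bytes:
    """Inverse of the framing: check markers (and checksum) and return the data."""
    if not (payload.startswith(HTCS) and payload.endswith(HTCE)):
        raise ValueError("missing HTCS/HTCE markers")
    body = payload[len(HTCS):-len(HTCE)]
    if user_mode:
        return body
    if len(body) < 4:
        raise ValueError("frame too short to carry a checksum")
    chunk, csum = body[:-4], body[-4:]
    if csum != frame_checksum(chunk):
        raise ValueError("checksum mismatch")
    return chunk


if __name__ == "__main__":
    # Constructed sample: a 0x10004-byte image forces a second, 4-byte transaction.
    image = bytes(range(256)) * 256 + b"\x01\x02\x03\x04"
    for cmd, payload in build_wdata_frames(0x60000000, image):
        print(repr(cmd), len(payload), "bytes on the wire")
```

Each frame is independent, so a tool can stop and re-issue a single chunk if the bootloader's reply does not come back; nothing here decides whether the SPL will accept a write to ROM, which is exactly the open question in the thread.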
Related
Hello. I have a question. Maybe one of our mastahackers can explain.
What are the deepest changes to the ROM that are still safe?
By "safe" I understand: I can still start the bootloader and recover, start an upgrade/downgrade using any good NBF, and can still use my device.
By "unsafe" I understand "I've got a brick".
As far as I was able to find, changes to the partition table can be unsafe.
I think that the bootloader doesn't depend on device drivers [for example disk or USB drivers], because I can downgrade to WM2003 using ActiveSync 3.x, but I'm not sure.
Many thanks in advance. You are fantastic guys.
baniaczek said:
As far as I was able to find, changes to the partition table can be unsafe.
They are safe. In the worst case I had to reflash WM2003. For BlueAngel the unsafe operation is playing with TRUEFFS partitions. The binary partition contains some data, for example the BT chip MAC address. You would not get a brick if you destroy it, but your MAC would be zeroed (though there is a tool that can rewrite it).
But be careful, theoretically it is possible to force the ROM to rewrite the bootloader; in this case you'll get a brick.
I think that the bootloader doesn't depend on device drivers [for example disk or USB drivers], because I can downgrade to WM2003 using ActiveSync 3.x, but I'm not sure.
The bootloader is completely independent from the OS image. Once I flashed garbage into the ROM (an incorrectly encrypted NBF file) and was still able to recover.
Many, many thanks
But... how does one use the bootloader? I mean... I got my 9100, CID unlocked and flashed with the 'official' 2.8.7.1 ROM... then I make the ActiveSync connection... then I go into RAPI mode and run the "enterbootloader.exe" I see in the \windows folder (heh, handy)
and... then? What do I do? :/
Hi there
Didn't know if this was the right place to post. But I'm developing this tool for flashing ROMs onto HTC devices. And when the flash process is done, I'm displaying the IMEI number on the display, so that the users can pack the devices back into their original box without having to disassemble the unit to find the right IMEI.
For the previous phones I developed this tool for, which covers MAGICIAN, ALPINE, BLUEANGEL, SABLE and BEETLES, I did it like this:
rtask a (enter radio bootloader)
rtask 7 (enter GSM command debugging)
AT+CGSM (get an info string that contains the IMEI)
I don't know if this was the right procedure, but it worked for me. But the new TyTN device doesn't recognize the rtask 7 command, and I just can't seem to find a way to get the IMEI no. now. If someone knows about this, please help.
Thanks in advance.
jbj
Here is the wiki page with information of the Hermes bootloader:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
I think the problem is that when you do "rtask a" you are in radio bootloader, and then you cannot enter "rtask 7" because rtask is not a valid radio bootloader command.
Is your tool available somewhere?
Unfortunately not... we're using it in our company, because HTC's tool only flashes 1 phone at a time. We are selling ~1 million devices per year, so we needed another tool, so I've developed this tool so we can flash up to 16 devices at a time. But the company owns the program and the code, so I can't share it. BUT I'm willing to answer any questions which I can answer regarding the flashing process.
OK, regarding your answer, in the "old" days I could do an rtask 7 after entering the radio bootloader.... but it doesn't seem to work anymore. But there might have been another way.
ok, have you tried without "rtask a"... I mean just issuing "rtask 7" and "AT+CGSM"?
I don't know what you're using to debug this, but in mtty or minicom you cannot see the output when you talk to the radio/GSM bootloader. A good idea is to use USB monitor software and see what the bootloader really replies; I listed some here (I like the one from HHD Software):
http://forum.xda-developers.com/showpost.php?p=1023730&postcount=43
Let me know if you have a better / easier way to talk to the radio bootloader.
Ahhh, ok... I tried with MTTY first, but I can just code it directly into my program. It's ready for sending and receiving data. I'll try the different setups through my program instead, and come back when I know some more.
OK just tried a few different scenarios:
1)
rtask a (enter bootloader)
- Doesn't return with "USB>"
rtask 7
- returns "Invalid cmd..!"
AT+CGSN
- Returns "0" and a linefeed.
2)
This time without the rtask a
rtask 7
- returns "rtask 7USB>" and 0x13
AT+CGSN
- Returns "AT+CGSN Command Error !!USB>"
So... Still can't.
You should see something like 'AT-Command Interpreter ready', which bootloader version are you using?
Try issuing "[email protected]_USB" before "AT+CGSN" and see what happens...
I know, that was the message I got with all the previous phones. I'll try that command...
EDIT: Ok, when passing the command "[email protected]_USB" I get the message "Command Error !!". I passed it in between rtask 7 and AT+CGSN, but without the rtask a command.
Ok, just bumping this one last time. I hoped someone here could give me an option.
I'm curious too... if no one answers and you find it yourself please post it here, I'm subscribed to the thread.
YES... I got it.
After doing some testing and probing, I started throwing some random "rtask" commands at the phone... Well, turns out that "rtask b" is the old "rtask 7", which is the AT command debugger.
So if anyone would be so kind as to notify the dude who's doing this document
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
so he can keep it up to date?
And if you want to exit the AT Command Interpreter, you have to write "retuoR".
rtask a still works like before.
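An added example (not jbj's tool, whose code is not public) of scripting the sequence this thread worked out: "rtask b" to enter the AT command interpreter, "AT+CGSN" for the IMEI, "retuoR" to leave, with the two failure replies seen in the thread ("Invalid cmd..!" and "Command Error !!") turned into errors instead of being mistaken for a result. The USB link is replaced by a constructed fake so it runs offline; its reply strings are modelled on the transcripts posted above, the exact format of a successful AT+CGSN answer (15 digits on their own line followed by OK) is an assumption, and the 15-digit Luhn check on the IMEI is a general property of IMEIs, not something the posts state.

```python
import re


class FakeBootloaderLink:
    """Constructed stand-in for the USB link to the bootloader (test scaffolding).

    `replies` maps a command (without trailing CR) to the bytes the device sends
    back, each ending in the USB> prompt. Unknown commands get the reply the
    Hermes SPL gave to "rtask 7" in the thread.
    """

    def __init__(self, replies: dict):
        self.replies = replies
        self.buf = b""
        self.sent = []

    def write(self, data: bytes) -> None:
        cmd = data.rstrip(b"\r\n").decode("ascii")
        self.sent.append(cmd)
        self.buf += self.replies.get(cmd, cmd.encode() + b"\r\nInvalid cmd..!\r\nUSB>")

    def read_until(self, marker: bytes) -> bytes:
        i = self.buf.find(marker)
        if i < 0:
            raise TimeoutError("prompt never came back")
        i += len(marker)
        out, self.buf = self.buf[:i], self.buf[i:]
        return out


class BootloaderSession:
    """Send one command line, collect everything up to the next prompt."""

    def __init__(self, link, prompt: bytes = b"USB>"):
        self.link = link
        self.prompt = prompt

    def command(self, text: str) -> str:
        self.link.write(text.encode("ascii") + b"\r")
        return self.link.read_until(self.prompt).decode("ascii", "replace")


def luhn_ok(digits: str) -> bool:
    """Luhn check over all 15 IMEI digits (the last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def read_imei(session: BootloaderSession) -> str:
    """rtask b -> AT+CGSN -> retuoR; raises RuntimeError on the thread's error replies."""
    banner = session.command("rtask b")
    try:
        # pof: you should see something like 'AT-Command Interpreter ready'
        if "AT-Command Interpreter ready" not in banner:
            raise RuntimeError("AT interpreter not entered: " + banner.strip())
        reply = session.command("AT+CGSN")
        if "Command Error" in reply or "Invalid cmd" in reply:
            raise RuntimeError("AT+CGSN rejected: " + reply.strip())
        m = re.search(r"(?<!\d)(\d{15})(?!\d)", reply)
        if not m or not luhn_ok(m.group(1)):
            raise RuntimeError("no valid IMEI in reply: " + reply.strip())
        return m.group(1)
    finally:
        session.command("retuoR")  # always leave the AT interpreter


# Constructed replies. The IMEI is a well-known Luhn-valid example, not a real phone's.
GOOD_REPLIES = {
    "rtask b": b"rtask b\r\nAT-Command Interpreter ready\r\nUSB>",
    "AT+CGSN": b"AT+CGSN\r\n490154203237518\r\nOK\r\nUSB>",
    "retuoR": b"retuoR\r\nUSB>",
}
NOT_ENTERED_REPLIES = {"rtask b": b"rtask bUSB>"}  # like scenario 2 in the thread
AT_ERROR_REPLIES = {
    "rtask b": b"rtask b\r\nAT-Command Interpreter ready\r\nUSB>",
    "AT+CGSN": b"AT+CGSN Command Error !!USB>",
    "retuoR": b"retuoR\r\nUSB>",
}

if __name__ == "__main__":
    print(read_imei(BootloaderSession(FakeBootloaderLink(GOOD_REPLIES))))
```

Replacing FakeBootloaderLink with a real serial/USB object that offers write() and read_until() is the only change needed to use it on hardware; "rtask a" is deliberately never sent, since the thread shows the USB> prompt does not come back after it.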
Thanks for your info, this is a great finding
Wiki bootloader page updated...
Dear everybody,
I have also killed my 2-day-old MDA compact 3 by using PDAMobiz_Dopod_P800W_AKU301_v1.1.2_PowerMap.exe (feel really frustrated about it).
It will not load Windows, only:
IPL 1.13.0001
SPL 1.13.0001
GSM 02.49.90
OS 1.28.0.0
I've tried a lot but nothing has worked so far. Now my last resort is using XDA tools to make a bootable SD card.
Is there anyone who can make a file that the Artemis can use from an SD card?
I would be very much obliged!
Did you do the CID unlock before installing the new ROM?
CID unlock is not required for flashing the PDAMobiz PowerMap 1.1.2 ROM. Just make sure you follow the right instructions. I did it and you can find it here:
http://forum.xda-developers.com/showthread.php?t=294830&page=2
But make sure that you have synced your Outlook data on the desktop, as there is something wrong with restoring the PIM-related info from a backup file (I use Spb Backup, but it seems to be the same with any backup application).
http://forum.xda-developers.com/showthread.php?t=295295
more info.
ianvanhaaren:
1. Please provide more info on what exactly happens when you try to turn on your device.
2. What type of error do you get when you try to re-flash the device? At what percent does it stop?
3. Connect the device to USB, disable the USB connection in ActiveSync. Start the mtty console and choose the USB type connection (mtty attached, in case you need it).
4. Type "set 32" in the console and send the output.
If the CID area on the device is corrupted, for the moment only imei-check knows how to re-calculate this area. Even so, if the device won't boot into Windows it will not help. You need to connect to the device through the JTAG interface in order to load a modified SPL into RAM and perform the write into the security area to recover it. Imei-check says they know JTAG for Artemis.
It may cost you a bit of money.
If you have the option to send it to a service center, do it. It would be your best choice.
Regards.
Hello,
please, if somebody has more information about bootloader commands supported by the HP iPAQ hw6900 series (HTC Sable), share it on this thread with us.
It will be very helpful if we can extract the ROM image through the bootloader of this iPAQ.
I don't know much, I know nothing indeed, however I found somewhere a pack of files for the Wizard that were supposed to work for the Sable; however they didn't, but there is this particular file that, when run on the Sable, made a folder called "2" appear with the icon of a storage card, which replicated the contents of the root of the device (but for itself, I mean no 2 folder inside the 2 folder lol).
I don't know if it is of some use but I definitely want to perform a corporate install of Windows on my Sable and kill all that HP crap that comes bundled.
How to enter bootloader
Just press ACTION+POWER+reset with the stylus and hold this combination for a few seconds; you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you have connected to your PC).
Using mtty, connect to your USB port (or serial port if serial cradle).
Type "password BOOTLOADER" and use "h" as the help command.
Now you can dump a ROM from the bootloader.
The command should be something like "r2sd".
Read the manual of this command ("h r2sd full") and use it to dump your ROM to the SD card.
Now you can dump the raw ROM image from an SD card reader using ntrw.exe.
EDIT: going into bootloader mode seems to hard reset your device, backup FIRST!
Hi Boris,
where to find the manual etc.?
A raw ROM means a bin file? How to convert it then to something readable/modifiable.... I understand that this is the main issue now.
I want to see a computer file which isn't binary based....
or a full text ROM
In fact, for me a raw ROM is a ROM file which has been extracted from the device... The difference from a ROM-to-install is the encryption, which is not present with raw dumps (to be checked).
Raw dumps can be modified and then re-flashed, but it needs some operations that are command-line based...
Once you've got your raw ROM on SD, copy it to the PC using ntrw; you have to find the correct tool to dump the content (dumprom should do the work).
Remember to keep the raw ROM as a backup, and work with a copy of the raw ROM.
You can also cut/paste the file into parts (OS, EXTROM...).
Logically, if you've got the original ROM file (the German one) and the same taken from the device (raw ROM), we should be able to modify some existing tools to work with 69xx ROM files and cook some ROMs.
In bootloader mode, typing
"h COMMANDNAME full" should show the full manual of COMMANDNAME.
To have more information, once you know whether your bootloader has the d2s or r2sd ... command name, search for it on the wiki and you should find more information and examples on the specific command.
I need to extract the ROM from one of these as well. I am getting into the bootloader and trying to dump the ROM to a 256MB SD as follows...
USB>
USB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
d.total_lba=7A000
d.block_size=200
d.RCA=B368
d.drv_type=40000000
d.busWidth=1
Total card size=F400000
SDCARDD2S+,cStoragePlatformType=FF
Then the device just sits there with "Cal Checksum" on the screen. I get no response from mtty or the device until I restart.
I read on another thread that it might be locked. I also read that there may be a password to get into another level of access. See http://mobilitytoday.com/forum/showthread.php?t=15217 for details.
I have to get this cracked as I want to restore my good any-network ROM onto a network-specific device.
Anyone got any other ideas?
Matt4444 said:
Then the device just sits there with "Cal Checksum" on the screen. I get no response from mtty or the device until I restart.
The checksum calculation is a long process, try to wait longer...
Anyway your SD should have been written... have you tried to read it?
EDIT: Does it show ******** or direct checksum calculation? (How long is the process?)
I let it run for over an hour the first time, but that was with a 1GB SD card and I understand that it would take longer with 1GB.
I haven't actually looked to see if there is anything on the card(s), as I just assumed it hadn't worked. Other threads say that the device gives you progress or at least some response from mtty to say it was done.
I have to shoot to a meeting but will try again when I get back...
b0ris747 said:
Just press ACTION+POWER+reset with the stylus and hold this combination for a few seconds; you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you have connected to your PC).
Using mtty, connect to your USB port (or serial port if serial cradle).
Type "password BOOTLOADER" and use "h" as the help command.
Now you can dump a ROM from the bootloader.
The command should be something like "r2sd".
Read the manual of this command ("h r2sd full") and use it to dump your ROM to the SD card.
Now you can dump the raw ROM image from an SD card reader using ntrw.exe.
EDIT: going into bootloader mode seems to hard reset your device, backup FIRST!
Yes, nice, but it does not work in the 69xx's bootloader. While executing the d2s command the device loops at the "Calculating checksum" point and nothing happens even after an hour of waiting... :-(
That is the same problem I am having. I read on another thread that dmc874 (who seems to know what he is talking about) thought it was related to the device being locked. See http://mobilitytoday.com/forum/showthread.php?p=68783
I am now trying to research the locking to see if there is anything I can do to unlock it... anyone else got any ideas?
Has anybody tried to upload a .NBA image through the bootloader?
Does someone know the command for sending through the bootloader to certain address locations?
What about pdocread or such tools?
Method to dump ROM from wizard using pdocread: http://www.spv-developers.com/forum/showthread.php?t=2888
Does anyone know where I can get an English ROM for my iPAQ hw6955, which is currently in French? Please help.
b0ris747 said:
Just press ACTION+POWER+reset with the stylus and hold this combination for a few seconds; you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you have connected to your PC).
Using mtty, connect to your USB port (or serial port if serial cradle).
Type "password BOOTLOADER" and use "h" as the help command.
Now you can dump a ROM from the bootloader.
The command should be something like "r2sd".
Read the manual of this command ("h r2sd full") and use it to dump your ROM to the SD card.
Now you can dump the raw ROM image from an SD card reader using ntrw.exe.
EDIT: going into bootloader mode seems to hard reset your device, backup FIRST!
..hey, great info on how to get to the bootloader. I have a T-Mobile Wing and need to get to the bootloader screen; please tell me specifically what I have to do. Also, what do you mean by action button???????
Action button = push the directional pad in no direction.
Anyway it won't work...
Maybe a method based on this:
http://forum.xda-developers.com/showthread.php?p=1480853
I'm looking for a french dump!
I'm also looking for a crazy volunteer to test an English ROM (it probably won't update, but I'd like to see the result and I've got no such device; Magician, Beetles and Prophet only...)
b0ris747....
My PDA is an HP 6915 with the normal English 1.21 UK ROM. I downloaded the German ROM from the HP site. The HP 6915 update gives an error; the error code displayed is vG.30.
Hard reset and soft reset did not work.
Help me.
Note: I don't speak English, sorry.
http://forum.xda-developers.com/showthread.php?t=309357
good! Can it work for the Eten X500?
nixo79 said:
Has anybody tried to upload a .NBA image through the bootloader?
Does someone know the command for sending through the bootloader to certain address locations?
This is information for the BEETLES; it should not be too different from the 6900. If anyone could back up a 6900 series radio and upload it, a lot of us would be grateful.
Source: http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware
Extract of my radio ROM
I extracted from start address 60000000 with a length of 800000 what I think is my radio ROM, and this can be downloaded at
http://www.bold.net.au/~behave/radioROM.zip
I came up with this address from experimentation and addresses from other XDAs, and extracted it with the following command:
USB>d2s 60000000 800000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
SDCARDD2S+,cStoragePlatformType=FF
********************************
Store image to SD/MMC card successful.
Anything higher and the dump fails.
USB>d2s 60000000 800001
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
********************************Read radio flash is fail!
The size of the uncompressed ROM is around 1 gig because I only have 1 gig SD cards to dump the ROM onto.
You will probably need a 1 gig or larger SD card; dim92 tried writing to a smaller card and the iPAQ doesn't recognize it, but you are welcome to give it a try on smaller cards as most of the image is 0s anyway.
Once you have written the image onto an SD card (use any of the bigrom guides using ntrw), pop it into the iPAQ and enter bootloader mode (power + joystick + reset). It should show up with "Download Sections: 1 press power to start".
Press the power button and it should show "Updating radio". Let it finish and if it completed with no errors, power up to see if the mobile phone works. If it still does not work, try running the Beetles radio patch now. If this too does not work, try running the LATEST ROM from HP.
Useful utilities
iPAQDisk
http://www.xs4all.nl/~itsme
HOWTO: Change serial number and model number for HP IPAQ 6515
HP IPAQ 6515 Bootloader password
Exploring HP IPAQ 6515e bootloader
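An added example (not from any poster here) that turns the d2s transcripts in this thread into something a host tool can act on: it parses the card geometry the bootloader prints, cross-checks it (total_lba times block_size should equal "Total card size", which holds for both the Beetles and the hw69xx transcripts above), and classifies the run as successful ("Store image to SD/MMC card successful."), failed ("Read radio flash is fail!", the over-length dump above) or incomplete (the hw69xx case earlier in the thread where the device sat on the checksum and never printed a result). The sample transcripts are copied from the posts above and trimmed to the lines the parser uses; the field name "d." versus "pc->drive." differs between the two bootloaders, so both prefixes are accepted.

```python
import re

# Transcript excerpts copied from the posts in this thread (trimmed).
BEETLES_OK = """USB>d2s 60000000 800000
SD:Waiting for card insert.........
pc->drive.total_lba=1EB400
pc->drive.block_size=200
pc->drive.busWidth=1
Total card size=3D680000
SDCARDD2S+,cStoragePlatformType=FF
********************************
Store image to SD/MMC card successful.
"""

BEETLES_FAIL = """USB>d2s 60000000 800001
pc->drive.total_lba=1EB400
pc->drive.block_size=200
Total card size=3D680000
********************************Read radio flash is fail!
"""

SABLE_HUNG = """USB>d2s
SD:Waiting for card insert.........
d.total_lba=7A000
d.block_size=200
d.busWidth=1
Total card size=F400000
SDCARDD2S+,cStoragePlatformType=FF
"""

_CMD = re.compile(r"^USB>d2s(?:\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+))?\s*$", re.M)
_FIELD = re.compile(r"^(?:pc->drive|d)\.(\w+)=([0-9A-Fa-f]+)\s*$", re.M)
_SIZE = re.compile(r"Total card size=([0-9A-Fa-f]+)")


def parse_d2s_log(text: str) -> dict:
    """Extract command arguments, card geometry and outcome from a d2s transcript."""
    result = {"addr": None, "length": None, "fields": {}, "card_size": None,
              "status": "incomplete"}
    m = _CMD.search(text)
    if m and m.group(1):
        result["addr"], result["length"] = int(m.group(1), 16), int(m.group(2), 16)
    for name, value in _FIELD.findall(text):
        result["fields"][name] = int(value, 16)   # all values are printed in hex
    m = _SIZE.search(text)
    if m:
        result["card_size"] = int(m.group(1), 16)
    f = result["fields"]
    result["geometry_consistent"] = (
        result["card_size"] is not None and "total_lba" in f and "block_size" in f
        and f["total_lba"] * f["block_size"] == result["card_size"]
    )
    if "successful" in text:
        result["status"] = "ok"
    elif "fail" in text.lower():
        result["status"] = "failed"
    return result


def dump_fits_card(parsed: dict) -> bool:
    """True when the requested length is known and fits on the detected card."""
    return (parsed["length"] is not None and parsed["card_size"] is not None
            and parsed["length"] <= parsed["card_size"])


if __name__ == "__main__":
    for name, log in (("beetles ok", BEETLES_OK), ("beetles fail", BEETLES_FAIL),
                      ("sable hung", SABLE_HUNG)):
        p = parse_d2s_log(log)
        print(name, p["status"], hex(p["card_size"]), p["geometry_consistent"])
```

A flashing tool driving several devices at once (as described earlier in the thread) would keep polling while the status is "incomplete" and only start reading the card with ntrw once it sees "ok"; "failed" with a consistent geometry and a length that fits the card points at the bootloader rejecting the range rather than at the card.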
Nazeroth said:
I don't know much, I know nothing indeed, however I found somewhere a pack of files for the Wizard that were supposed to work for the Sable; however they didn't, but there is this particular file that, when run on the Sable, made a folder called "2" appear with the icon of a storage card, which replicated the contents of the root of the device (but for itself, I mean no 2 folder inside the 2 folder lol).
I don't know if it is of some use but I definitely want to perform a corporate install of Windows on my Sable and kill all that HP crap that comes bundled.
Hi buddy, thanks for your attachment.
But I gotta tell ya this doesn't work on the hp6915, because all the ROMs on the internet do not have ExtRom.nbf, so nobody's device has had the Extended ROM flashed... then the unlock tool will not work on this.
Anyway,thank you
Brose
Hi, I am trying to upgrade my Typhoon to 6.1 but I have got to the point in the upgrading process in which I need to restart and press 0 for the IU; the only issue is I do not receive this message and I cannot get any further.
Edit: my SPL is 2.05.0130
You must go to the patched SPL 1.09 for Typhoon before you go any further.
Yes, it is true as tobbie said; with the 1.09 SPL you can flash any ROM like WM6.1 or WM6.5 on your Typhoon.
SPL 1.09 you can get HERE
Oh well, I've tried patching the SPL before but I just receive error 260 or 240 and I cannot make any progress. I have tried using a different computer but to no avail.
Oh well... if the device is still original, then you must follow a sequence of actions to allow such an upgrade.
These should be mentioned in any custom ROM thread. Essentially you must get SPL 1.09 on the device, then you can load any custom ROM.
1. application unlock the old OS
2. CID unlock the device with the lokiwiz toolset
3. load SPL 1.09
4. load the custom ROM
good luck!
I believe I have already application unlocked and SuperCIDed it with the lokiwiz toolset, but I have performed a hard reset due to that connection issue; would that have affected it in any way? Thanks
If you are back on the old WM2k3 and you cannot upgrade the SPL, then lokiwiz probably has not super-CIDed your device. To check, connect your device in bootloader mode to mtty (with AS having USB disabled) and enter "info 1" (no quotes), then try "info 2" (no quotes) and report both results.
Not sure about the above myself as I have no device at hand today to check right now.
Hard reset does not affect the CID or SIM unlock; these are stored in the encrypted area of the ROM (64kb block) that is not affected by hard reset or OS flashing.
Sorry for my noobiness, but it will not show in mtty. I have tried the USB drivers? But the phone does not show in mtty.
You must make sure that ActiveSync (Windows XP) or Mobile Device Center is not using the USB port to connect the device. You can disable this in ActiveSync by selecting the "Connections" menu and disabling it there.
Reconnect the device and restart mtty. The USB button will be there only if the USB connection is accessible and the device is connected to the USB port.
Sorry for the bump, but I've come back to my phone and I am having so much trouble SuperCIDing the phone. I have done everything by the book, I've hard reset the phone and tried everything again, and now SDA Unlocker says "phone is not unlockable" and lokiwiz.bat will not SuperCID it.
Look at mediafire in my kitchen folder here:
http://www.mediafire.com/?3tt15dyp4mbuu
The "...one time per device" ZIP has all tools inside. There is another (on-board application unlock) that will do the trick. It installs a tool on the device; execute it there first and then start SDA Unlock. No need to reboot as the changed security policies are active immediately.
I downloaded your kitchen and I ran the htcunlock; the SDA unlocker still says the phone is unlockable.
So these Orange devices are quite resistant to application unlock. Did you notice that the HTC Unlocker kind of "remote controls" a registry editor? It may be that the changes did not really go through.
It is quite complicated and a lot of trial and error what you will have to do, and I cannot advise in detail as I have no such device.
Key is that the application that changes the policy on the device is permitted to do so. Usually SDA Unlocker (remotely via the RAPI policy) or the signed registry editor controlled via HTC Unlocker can do that. It all goes to the registry keys in HKLM\Security\Policies\Policies where the relevant policy IDs have to be assigned the right values (role permissions). You can use the free CE-Command (from ghisler.com), which has a registry tool built in, or the same registry editor that HTC Unlock controls, to check if the values that the tools try to write are really written or not. I suspect they are simply NOT written. If you cannot find a tool that can change the policy, then there is another way around this:
The Gold Card method. Get the trial version of "revskills" from www.revskills.com and create a gold card with the device for the "Typhoon". With this card in the device, the SPL will allow ANY (also non-Orange) signed ROM to be loaded. Use any non-Orange shipped ROM for the Typhoon and load it on the device. This OS should allow changing the application lock and also allow the further steps.
Mind that ROMs for the Feeler or Amadeus have different key handling (especially for the joystick), so best you get also a Typhoon ROM for that exercise.
I think in the Tornado forum there was once a description of how to unlock a Cingular 2125; possibly similar actions may allow you the first step. Not sure here though.
Thanks for your help. I believe that your tool changes the registry values correctly, I'm not sure about this; I have tried running it a few times but with the same results.
Just to reassure that: your device is not CID unlocked yet after all the trials you did? What does the SPL tell when you enter "info 2" with mtty connected?
Do you know how to work with a PC registry editor and connect to the device? There are several that can do that, e.g. "Registry Workshop" or "Smartione" or "CE Regeditor". All these can connect to the device via ActiveSync and read out the HKLM\Security\Policies\Policies branch.
Could you just post the export of that branch here?
You can also do that on board the device with CECmd: get into virtual two-window mode, on one side go to the branch above (exactly, on top of the second "\Policies"), on the other to any file directory, which can also be root. Then on the registry side press "5" for copy and confirm to copy the "\Policies" branch to the other side. You get a text file called "policies.reg"; attach or post it here.
Finally you could search for the Microsoft tool "Security Configuration Manager". This allows selecting the security model "Security off"; once applied to the device, lokiwiz should run with success.