Database Users

Bootloader vs device drivers

Hello. I have a question. May be any of our mastahackers can explain
What are the deepest changes of ROM still safe?
As "safe" I understand - I still can start bootloader and recover: start upgrade/downgrade using any of good NBFa and can still use my device?
As "unsafe" I understand "I've got a brick".
As I was able to find - changes of partitions table can be unsafe.
I think, that bootloader doesn't depend on device drivers [for example disk or USB drivers], because I can downgrade to Wm2003 using ActiveSync 3.x, but I'm not sure.
Many thanks in advance. You are fantastic guys

baniaczek said:
As I was able to find - changes of partitions table can be unsafe.
Click to expand...
Click to collapse
They are safe. In the worst case I had to reflash WM2003. For BlueAngel unsafe operation is playing with TRUEFFS partitions. The binary partition contains some data, for example BT chip MAC-address. You would not get a brick if you'll destory it, but your MAC would be zeroed (though there is a tool that can rewrite it).
But be careful, theoretically it is possible to force ROM to rewrite bootloader, in this case you'll get a brick.
I think, that bootloader doesn't depend on device drivers [for example disk or USB drivers], because I can downgrade to Wm2003 using ActiveSync 3.x, but I'm not sure.
Click to expand...
Click to collapse
Bootloader is completely independent from OS image. Once I've flushed a garbage into the ROM (incorrectly encrypted NBF file) and still was able to recover.

Many, many thanks

But... how does one use the bootloader? i mean... i got my 9100, CID unlocked and flashed with the 'official' 2.8.7.1 rom... then i make the activesync connection... then i go into RAPI mode and run the "enterbootloader.exe" i see in the \windows folder (heh, handy)
and... then? what do i do? :/

Get IMEI from Bootloader

Hi there
Didn't know if this was the right place to post. But im developing this tool for flashing ROMs onto HTC devices. And when the flash process is done, im displaying the IMEI number on the display, so that the users can pack the devices back to their original box, without having to disassemble the unit, to find the right IMEI.
In the previous phones i developed this tool to, which covers MAGICIAN, ALPINE, BLUEANGEL, SABLE and BEETLES i did like this:
rtask a (enter radio bootloader)
rtask 7 (enter GSM Command debugging
AT+CGSM (get an info string that contains the IMEI)
I dont know if this was the right procedure, but it worked for me. But the new TyTN device doesnt recognize the rtask 7 command, and i just can't seem to find a way to get the IMEI no. now. If someone knows about this, please help.
Thanks in advance.
jbj

Here is the wiki page with information of the Hermes bootloader:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
I think the problem is that when you do "rtask a" you are in radio bootloader, and then you cannot enter "rtask 7" because rtask is not a valid radio bootloader command.
Is your tool available somewhere?

Unfortunately not... were using it in out company, because HTCs tool only flashes 1 phone at a time. We are selling ~1 million devices per year, so we needed another tool so i've developed this tool, so we can flash up to 16 devices at a time. But the company owns the program and the code, so i can't share it. BUT i'm willing to answer any questions which i can answer, regarding the flashing process.
OK, regarding your answer, in the "old" days i could do an rtask 7 after entering radio bootloader.... but it doesnt seem to work anymore. But there might have been another way.

ok, have u tried without "rtask a"... I mean just issuing "rtask 7" and "AT+CGSM"?
I don't know what you're using to debug this, but in mtty or minicom you cannot see the output when you talk to radio/gsm bootloader. A good idea is to use a USB monitor software and see what the bootloader really replies, I listed some here: i like the one from HHD software.
http://forum.xda-developers.com/showpost.php?p=1023730&postcount=43
Let me know if you have a better / easier way to talk to the radio bootloader

Ahhh, ok... I tried with MTTY first, but i can just code it directly into my program. Its ready for sending and receiving data. Ill try the different setups, though my program instead, and come back when i know some more.

OK just tried a few different scenarios:
1)
rtask a (enter bootloader)
- Doesnt return with "USB>"
rtask 7
- returns "Invalid cmd..!"
AT+CGSN
- Returns "0" and a linefeed.
2)
This time without the rtask a
rtask 7
- returns "rtask 7USB>" and 0x13
AT+CGSN
- Returns "AT+CGSN Command Error !!USB>"
So... Still can't.

You should see something like 'AT-Command Interpreter ready', which bootloader version are you using?
Try issuing "[email protected]_USB" before "AT+CGSN" and see what happens...

pof said:
You should see something like 'AT-Command Interpreter ready', which bootloader version are you using?
Try issuing "[email protected]_USB" before "AT+CGSN" and see what happens...
Click to expand...
Click to collapse
I know, that was the message i got with all the previous phones. I'll try that command...
EDIT: Ok, when passing the command "[email protected]_USB" i get the message "Command Error !!". I passed it in between rtask 7 and AT+CGSN. But without the rtask a command.

Ok, just bumping this one last time. I hoped someone here could give me an option.

I'm curious too... if no one answers and you find it yourself please post it here, i'm suscribed to the thread.

YES... I got it.
After doing some testing and probing, i started throwing some random "rtask" commands to the phone... Well, turns out that "rtask b" is the old "rtask 7", which is the AT Command debugger.
So if anyone would be so kind to notify the dude whos doing this document
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
So he can keep it up to date?
And if you want to exit the AT Command Interpreter, you have to write "retuoR"
rtask a still works like before.

Thanks for your info, this is a great finding
Wiki bootloader page updated...

How to save my Artemis by sd card

Dear everybody,
I have also killed my 2 day old MDA compact 3 by using the PDAMobiz_Dopod_P800W_AKU301_v1.1.2_PowerMap.exe (Feel really frustrated about it)
It will not load windows only
IPL 1.13.0001
SPL 1.13.0001
GSM 02.49.90
OS 1.28.0.0
I've tried a lot but nothing has worked so far. Now my last resort is using XDA tools to make a bootable sd card.
Is there anyone who make a file that the artemis can use of an SD card?
I would be very much obliged!

did you do CID unlock before installing new ROM?

CID unlock is not required for flashing the PDAMobiz Powermap 1.1.2 ROM. Just make sure you follow the right instructions. I did it and you can find it here:
http://forum.xda-developers.com/showthread.php?t=294830&page=2
But make sure that you have synced your Outlook data on desktop as there is something wrong with restoring from backup file the PIM related info (I use Spb Backup, but seems it is same with any backup application)
http://forum.xda-developers.com/showthread.php?t=295295

more info.
ianvanhaaren:
1. Please provide more info what exactly happens when you try to turn on your device.
2. What type of error you have when you try to re-flash device? At what percent it stops.
3. Connect device to USB, disable USB connection in activesync. Start mtty console, choose USB type connection (mtty attached, in case you need it).
4. type set 32 in console. send this output.
If CID area on device is corrupted, for the moment only imei-check who knows how to re-calculate this area. Even so, if device won't boot in windows it will not help. You need to connect to device thru jtag interface, in order to load modified spl into ram and perform writing into security area, to recover it. Imei-check says, they know jtag for Artemis.
It may cost you a bit of money.
If you have an option to send it to service center, do it. It would be your best choice.
Regards.

69xx bootloader command for extracting ROM

Hello,
please, if somebody has more information about bootloader commands supported by HP iPAQ hw6900 series (HTC Sable) to share on this thread with us
Will be very helpful if we can extract ROM image through the bootloader of this iPAQ

I dont know much, i know nothing indeeed, however i found somewhere a pack of files for the Wizard that were supposed to work for the sable, however they didnt, but there is this particular file, that when ran in the sable made appear a folder called "2" with an icon of a storage card and which rpely the contents of the root of the device (but for itself i mean no 2 folder inside the 2 folder lol)
I dont know if it is of some use but i definitevely want to perform a corporate install of windows in my sable and kill all that HP crap that comes in bundled

How to enter bootloader
Just press ACTION+POWER+reset with stylus and hold this combinaison for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as an help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seem to hard reset your device, backup FIRST!

HI Boris,
where to find the manual ETC.
A RAW ROM maens a bin file? how to convert then to something readable modifiable.... i understand that this is the main issue now.

I want to see a computer file which isn't binary based....
or a full text ROM
In fact, for me a raw ROM is a ROM-file which has been extracted from the device... The difference with a ROM-to-install is the encryption which is not present with raw dumps (to be checked).
Raw dumps can be modified and then re-updated but it needs some operations that are command-line based...
Once you got your raw ROM on SD, copy it to PC using ntrw, you have to find the correct tool to dump the content (dumprom should do the work)
Remember to keep the raw ROM as a backup, and work with a copy of the raw ROM.
You can also cut/paste the file into parts (OS, EXTROM...).
Logically, if you got the original ROM file (the german one) and the same taken from the device (raw ROM), we should be able to modify some existing tools to work with 69xx ROM files and cook some ROMs.
in bootloader mode: type
"h COMMANDNAME full" should show full manual of COMMANDNAME.
To have more informations, once you know if your bootloader has d2s or r2sd ... command name, search for it on wiki and you should have more informations and examples on the specific command.

I need to extract the ROM from one of these as well. I am getting into bootloader and trying to dump the rom to 256MB SD as follows...
USB>
USB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
d.total_lba=7A000
d.block_size=200
d.RCA=B368
d.drv_type=40000000
d.busWidth=1
Total card size=F400000
SDCARDD2S+,cStoragePlatformType=FF
Then the device just sits there with Cal Checksum on the screen. I get no response from NTTY or device until I restart.
I read on another thread that it might be locked. I also read that there may be a password to get into another level of access. See http://mobilitytoday.com/forum/showthread.php?t=15217 for details.
I have to get this cracked as I want to restore my good any network ROM onto a network specific device.
Anyone got any other ideas?

Matt4444 said:
Then the device just sits there with Cal Checksum on the screen. I get no response from NTTY or device until I restart.
Click to expand...
Click to collapse
The checksum calculation is a long process, try to wait longer...
Anyway your SD should have been written... have you tried to read it?
EDIT: Does it show ******** or direct checksum calculation? (how long is the process)

I let it run for over an hour the first time but that was with a 1GB SD card and I understand that it would take longer with 1GB.
I haven't actually looked to see if there is anything on the card(s) as I just assumed it hadn't worked. Other threads say that the device gives you progress or at least some response from the MTTY to say it was done.
I have to shoot to a meeting but will try again when I get back...

b0ris747 said:
Just press ACTION+POWER+reset with stylus and hold this combinaison for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as an help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seem to hard reset your device, backup FIRST!
Click to expand...
Click to collapse
yes, nice but does not work in 69xx's bootloader. while executing d2s command the device loops on "Calculating checksum" point and nothing happens even after an hour of waiting .. :-(

That is the same problem I am having. I read on another thread that dmc874 (who seems to know what he is talking about) thought it was related to the device being locked. See http://mobilitytoday.com/forum/showthread.php?p=68783
I am now trying to research the locking to see if there is anything I can do to unlock it... anyone else got any ideas?

Does anybody tried to upload a .NBA image through bootloader?
Someone to know the command for sending through bootloader to certain address locations?

What about pdocread or such tools?
Method to dump ROM from wizard using pdocread: http://www.spv-developers.com/forum/showthread.php?t=2888

Does Anyone Know Where I Can Get A English Rom For My IPAQ hw6955 Whitch Is Currently In French Please Help..

b0ris747 said:
Just press ACTION+POWER+reset with stylus and hold this combinaison for a few seconds, you'll see a screen without backlight (so you must be under bright light to see it) going into bootloader mode.
Put your device on the cradle (which I suspect you had connected it to your PC)
using mtty, connect to your USB Port (or Serial port if serial cradle)
type "password BOOTLOADER" and use "h" as an help command.
Now you can dump a ROM from Bootloader
The command should be sth like "r2sd"
Read the manual of this command "h r2sd full" and use it to dump your ROM on the SDCard
Now you can dump the raw ROM image from SD Card Reader using ntrw.exe
EDIT: going to bootloader mode seem to hard reset your device, backup FIRST!
Click to expand...
Click to collapse
..hey great info on how to get to bootloader,, i have a tmobile wing and need to get to the boot loader screen please tell me specifically wat i have to do.. also wat do u mean by action button???????

mafioso617 said:
..hey great info on how to get to bootloader,, i have a tmobile wing and need to get to the boot loader screen please tell me specifically wat i have to do.. also wat do u mean by action button???????
Click to expand...
Click to collapse
Action button = push directional pad in no direction
Anyway it won't work...
Maybe a method based on this:
http://forum.xda-developers.com/showthread.php?p=1480853
I'm looking for a french dump!
I'm also looking for a crazy volunteer to test an english ROM (It probably won't update, but I'd like to see the resut and I've got no such device Magician, Beetles and Prophet only...)

b0ris747....
My pda Hp 6915..normal english 1.21UK rom. hp sites german rom download. Hp6915 update error. error code display vG.30.
Hard reset end soft reset not fonksionert.
Help me.
Not: not english speak sory.

http://forum.xda-developers.com/showthread.php?t=309357

good! Can it works for eten x500?

nixo79 said:
Does anybody tried to upload a .NBA image through bootloader?
Someone to know the command for sending through bootloader to certain address locations?
Click to expand...
Click to collapse
This is information for the BEETLES, Should not be too different than the 6900, If anyone could backup a 6900 series radio, and upload it, alot of us would be grateful.
Source: http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware
Extract of my RadioROM
I extracted from start address of 60000000 with a length of 800000 what I think is my radio rom and this can be downloaded at
http://www.bold.net.au/~behave/radioROM.zip
I came up with this address from experimentation and addresses from other XDAs and extracted with the following command
USB>d2s 60000000 800000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
SDCARDD2S+,cStoragePlatformType=FF
********************************
Store image to SD/MMC card successful.
Anything higher and the dump fails.
USB>d2s 60000000 800001
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1EB400
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=CFAD
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D680000
********************************Read radio flash is fail!
The size of the uncompressed ROM is around 1gig because I only have 1gig sd cards to dump the ROM on.
You will probably need a 1gig or larger SD card, dim92 tried writing to a smaller card and the IPAQ doesn’t recognize it but you are welcome to give it a try on smaller cards as most of the image are 0s anyway.
Once you have written the image on to an sd card (use any of the bigrom guides using ntrw), pop it into the IPAQ and enter boot loader mode (power + joystick + reset). It should show up with “Download Sections: 1 press power to start".
Press power button and it should show “Updating radio". Let it finish and if it completed with no errors, power up to see if the mobile phone works. If it still does not work, try running the beetles radio patch now. If this too does not work, try running the LATEST rom from HP.
Useful utilities
iPAQDisk
http://www.xs4all.nl/~itsme
HOWTO: Change serial number and model number for HP IPAQ 6515
HP IPAQ 6515 Bootloader password
Exploring HP IPAQ 6515e bootloader

Nazeroth said:
I dont know much, i know nothing indeeed, however i found somewhere a pack of files for the Wizard that were supposed to work for the sable, however they didnt, but there is this particular file, that when ran in the sable made appear a folder called "2" with an icon of a storage card and which rpely the contents of the root of the device (but for itself i mean no 2 folder inside the 2 folder lol)
I dont know if it is of some use but i definitevely want to perform a corporate install of windows in my sable and kill all that HP crap that comes in bundled
Click to expand...
Click to collapse
Hi buddy,thanks for your attachment.
But I gotta tell ya this doesn't work in hp6915,coz all the ROM in the internet do not have ExtRom.nbf,so nobody's device had flashed the Extended Rom in device...then the Unlock tool will not work in this.
Anyway,thank you
Brose

[Q] Stuck Upgrading

hi i am trying to upgrade my Typhoon to 6.1 but i haver got to the point in the upgrading process in which i need to restart and press 0 for the IU the only issue is i do not recive this message and i cannot get any further.
Edit: my SPL is 2.05.0130

you must go to the patched SPL 1.09 for Typhoon befor you go any further.

yes it is true said tobbie, with 1.09 SPL you can flash any rom like WM6.1 or WM6.5 on your Typhoon
for SPL 1:09 Can you get HERE

oh well ive tried poatching the spl before but i just recive errorr 260 or 240 and i cannont make no progress i have tried using a different computer but to no avail

oh well... if the device is still original, then you must follow a sequence of actions to allow such upgrade.
These should be mentioned in any custom rom thread. Essentially you must get the SPL 1.09 on the device then you can load any custom ROM.
1. application unlock the old OS
2. CID unlock the device with lokiwiz toolset
3. load SPL 1.09
4. load custom ROM
good luck!

I belive i have already application unlocked and supercided it with lokiwiz toolset but i have peforemd a hard reset due to that connection issue, would that haver affected it in anyway? thanks

If you are back the old WM2k3 and you cannot upgrade the SPL, then lokiwiz probably has not super-CID your device. To check, connect your device in Bootloader mode to mtty (with AS having USB disabled) and enter "info 1" (no quotes) then try "info 2" (no quotes) and report both results.
Not sure about above myself as I have no device at hand today to check right now.
Hard reset does not affect the CID or SIM Unlock - these are stored in the encrpyted area of the ROM (64kb Block) that is not affected by Hard-Rest or OS-flashing.

sorry for my noobiness but it will not show in mtty i have tried the usb drivers? but the phone does not show in mtty

You must make sure that Active Sync (Windows XP) or Mobile Device Center is not using the USB port to connect the device. You can disable the use in Active Sync selecting the "Connections" menu and then disabling there.
Reconnect the device and restart mtty. The USB button will be there only if the USB connection is accessible and the device is connected to the USB port.

sorry for the bump but ive came back to my phone and i am having so my trouble superCIDin the phone i have done everything by the book, ive hard reset the phone and tried everything again and now SDA unclokder says "phone is not unlockable" and the lokiwiz.bat will not super cid it.

Look at mediafire in my kitchen folder here:
http://www.mediafire.com/?3tt15dyp4mbuu
the "...one time per device" ZIP has all tools inside. There is another (on board application unlock) that will do the trick. It installs a tool on the device, execute it there first and then start SDA Unlock. No need to reboot as the changed security policies are active immediately.

i downloaded your kitchen and i ran the htcunlock the the sda unlocker still says the phone is unlockable

So these Orange devices are quite resistant to application unlock. Did you notice that the HTC Unlocker kind of "remote controls" a registry editor? It may be that the changes did not really go through.
It is quite complicated and a lot of trial and error what you will have to do and I cannot advise in detail as I have no such device.
Key is that the application that changes the policy on the device is permitted to do so. Usually as well SDA Unlocker (remotely via the RAPI Policy) or the signed Registry editor controlled via HTC Unlocker can do that. It all goes to the registry keys in HKLM\Security\Policies\Policies where the relevant policy IDs have to assigned the right values (role permissions). You can use the free CE-Command (from ghisler.com) which has a registry tool built in or the same registry editor that HTC Unlcok controls to check if the values that the tools try to write are really written or not. I suspect they are simply NOT written. If you cannot find a tool that can change the policy, then there is another way around this:
The Gold Card method. Get the trial version of "revskills" from www.revskills.com and create a gold card with the device for the "Typhoon". With this card in the device, the SPL will allow ANY (also non Orange) signed ROM to be loaded. Use any non Orange shipped ROM for the Typhoon and load it to the device. This OS should allow to change the application lock and also allow the further steps.
Mind that ROMs for the Feeler or Amadeus have different key-handling (especially for the joystick) - so best you get also a Typhoon ROM for that exercise.
I think in the Tornado Forum was once a description how to unlock a Cingular 2125, possibly similar actions may allow you the first step. Not sure here though.

thanks for your help i beelive that your tool changes the registrey values correctly im nnot sure about this i have tried running it a few times but with the same results

Just to reassure that: Your device is not CID unlocked yet after all the trials you did? What does the SPL tell when you enter "info 2" in mtty connected?
Do you know how to work with a PC registry editor and to connect with the device? There are several that can do that, e.g. "Registry Workshop" or "Smartione" or "CE Regeditor". All these can connect to the device via Active Sync and read out the HKLM\Security\Policies\Policies branch.
Could you just post the export of that branch here?
You can also do that on board the device with CECmd, get into virtual two window mode, on one side go to the branch above (exactly, on top of the second "\Policies"), on the other in any file-directory, can also be root. Then on the registry side press "5" for copy and confirm to copy the "\Policies" branch to the other side. You get a text file called "policies.reg" - attach or post it here.
Finally you could search for the Microsoft tool "security configuration manager". This allows to select the security model "Security off" - once applied to the device the lokiwiz should run with success.