I get a wm6 rom for spv c500!
but there are some problems still to solve.
you can see more information here
http://www.ioicn.com.cn/bbs/viewthread.php?tid=220661&highlight=%D5%E6%D5%FD%2Bwm6
you can download it here:
http://www.91files.com/?6QH3PDS9X2TPHF6PNIN3
etli22 said:
I get a wm6 rom for spv c500!
but there are some problems still to solve.
you can see more information here
http://www.ioicn.com.cn/bbs/viewthread.php?tid=220661&highlight=%D5%E6%D5%FD%2Bwm6
you can download it here:
http://www.91files.com/?6QH3PDS9X2TPHF6PNIN3
i love to help but i cant get past the login screen
Support. :D :D
The link with the information doesn't work.. I downloaded the .bin ROM.. but how to use it.. it doesn't seem to work..
Translation:
Look at the real 5 × 5 WM6 system, placed on the real machine 565 Photo-ROM backup test-machine try to brush ...... July 8 : Today inadvertently found a Taiwan version of the Orange 565, loom over from Europe is the only one Taiwan, is a very special system could be found WM6 system, the real WM6 system. English interface, we found this on the self-evident by now, I am sure we will soon be used WM6 ROM! Picture -- if I can be the backup this ROM onto hard Kai tests Boot first self-test screen and the 5 × 5 WM5 screen, IPL and SPL with a 5 × 5 WM5 are the same, only the middle of the two firms more English : IU BUILD TEST ONLY, the second screen is a green WM6 photographs, But there is a third photo (which seems redundant), before entering the desktop also set up a Wizard, located at the time of reciprocity. On the table found time to date can click on the column is entered, is entering the phone and Bluetooth options, retelling, In setting can also find this option in IE have found some improvements, retelling, the other to look at the map. If the estimate is wrong, In some foreign websites should be related to the release can ROM 6 and 9 House floor, there are 565 pictures of WM6 July 9 : This place is for pictures, using 838 as the perturbation, is not very clear, sorry, no digital camera : ((also asked some people not groundless speculation, I was JS) If some people do not believe that -- I have no means of the system The default is not unlocked, yesterday there are today in this ROM backup, but has always failed. find time to go back at some research with the backup ROM batch file backup ROM Unlock always unsuccessful, carefully consider the study, or not to try, simply check the registry. the original question is simple : HKLM \ Security \ Policies \ Policies \ directory no 000 0101b this one! try to direct this WORD D added value, restart, the batch file backup ROM. 0 × length is 2.7 million, backup and success! 
nb finally received documents, is still testing document integrity, the next step to try to backup ROM card, we waited for July 10 : first place this afternoon NB ROM format test, ROM size 39.936 M, spfans2006 brother here to thank the help and warned that the integrity of ROM without testing, SPL changes need to upgrade, with SPL values PdocRead order to extract, SPL new needs in 1064 under the upgrading of the original 109 upgrade to be wrong, SPL new spfans2006 brother has been released. I will not link the. Friends of interest for the test, I will continue to work hard 91Files download address : http : / / 7 www.91files.com/?6QH3PDS9X2TPHF6PNIN3 November : last night to try to backup ROM cards, but always errors, backup progress stopped, then loom there Bai - ping, Examination of the case several times, finally emerging Bai - ping without pulling data lines, waiting, and Bai - ping loom after reopening Data cards will be extracted, but only a few file size K, frustration and abandon the time being ...... July 12 : Backup last night to try to brush the ROM machine, which ended in failure, after detecting ROM information, but also to re-ROM backup, Upload and before the ROM is no difference, I can not guarantee ROM other information integrity, But some OS is a complete, and then extracted with a new SPL, estimates should be included. For some models may also need to bypass the IU detection, this is a problem with this ROM earthen jar of LMOs and released BIN format, we can test, My progress has been very slow, and what is left we see the July 13 : Today saw the Friends of Brush forum success wow wow, this is really hope [the tie in the final Cainozoic 2007-7-13 05 : 01 PM edit] Annex : your user group can not be downloaded or View Annex Search more articles related topics : System
Huh?!
giuseppebitonti said:
Look at the real 5 × 5 WM6 system, placed on the real machine 565 Photo-ROM backup test-machine try to brush ...... July 8 : Today inadvertently found a Taiwan version of the Orange 565, loom over.........
...huh?
Have I gone utterly nuts and forgotten how to read - or doesn't that last post really make any sense?
DazzaMc said:
...huh?
Have I gone utterly nuts and forgotten how to read - or doesn't that last post really make any sense?
Probably a babelfish translation or similar...
Hey Folks,
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).
The unlocker has Ring0 protection, Emulated API's, Resource Encryption + Lots more fun and games.
Now onto what I have found so far.
The GUI stuff:
Code:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"
Is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...
However the very most interesting part (I find) is the existence of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Download:
http://rapidshare.com/files/12763879/_00CC0000.mem
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
The following tools are also 'picked up':
Filenames:
Code:
PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Code:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Since he has NO terms about his programs whatsoever then there are no legal problems with what I am doing to his application.
He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)
Anyway....
Watch this space
Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?
Whiterat said:
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Great, will you disclose your findings? There was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312
Whiterat said:
However the very most interesting part (I find) is the existence of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
It seems that this is the patched SPL that is flashed on the first unlocking step, it is modified so that when it is told to flash a splash screen, it flashes the security area, overwriting the CID.
Whiterat said:
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
I will load it at IDA and compare with a normal wizard SPL...
Whiterat said:
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Yes, the imei-check guys are doing a great job with their unlockers... a similar method is used in the artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE, this modified SPL shows the DOC ID in help of "set" command and allows flashing unsigned code, then they use obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in wizard unlocker.
Whiterat said:
Watch this space
I will
phoa not much point in me continuing!
You've got the whole lot there!
I'm a lover not a coder, I simply reverse in order to help others succeed.
Since you have all important info anyway, Not really going to be of much help here
P.S do you have any sigs for IDA or any scripts?
I don't like having to sift through manually as binary file......
Whiterat said:
phoa not much point in me continuing!
You've got the whole lot there!
Well I didn't want to discourage you on continuing the reversing process, I just pointed you to the thread where we discussed about the unlocking method a while ago...
I admire the fact that you reached that far only disassembling / debugging the binary, what we actually did to have the full process was capturing it with USB monitor; the unlocker can be tricked if you run the usb monitor process as one user, and the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.
Whiterat said:
Since you have all important info anyway, Not really going to be of much help here
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.
I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area, this can't be done capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you sure have noticed
Whiterat said:
P.S do you have any sigs for IDA or any scripts?
I don't like having to sift through manually as binary file......
No sorry, I don't have any... I am not very used to IDA, started using it a few months ago and still learning new things about it every time I start it
Ah cool I will look into it a bit further
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
Since it is popping those registers off the stack, it's actually altered nothing
Themida is a cow, Because my friend didn't manage to make a start on the junk code remover (and I didn't realise there was a virtualised function) I just did each Import by hand (approx 4 hours lol)
Also rebuilt the OEP by hand too, not too hard since it was VC++6.
I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)
3 Last things:
1. Can the G3/G4 chip be worked out by IMEI, i.e IMEI represents a date and the chips were only used after a certain date? or is this tool generic for G3/G4 ?
2. Do you have an SPL for 2.08.10
3. How can I dump my SPL (bearing in mind my only minisd has a full backup of my rom, Just in case crossbow gets a little ugly for my liking)
Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has british keyboard and all the chars are shifted +1.....
That's my next major task I think before continuing on this thing
Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name
Hi..Answer on the "Last Three Things"
1.) No, one cannot identify G3/G4 with IMEI. If u look carefully at the place below yr battery u will find a "G4" written beside yr IMEI no. In G3, nothing is written. The most common way is to check IPL/SPL; .001 in the end is G4.
2) Take a ROM which has 2.08 SPL and use typho5.exe to dismantle the ROM parts. If the ROM was released recently then you will find IPL/SPL for both G3 and G4. Check the threads here..
3) As such, the crossbow ROM has no IPL/SPL.. If u know what ROM u were using prior to that, u can apply the above to dump yr IPL SPL.. Secondly, you can do this with awizard1.3 beta.
I hope this helps
Hi,
I open this thread in the hope that this might help other people in the future (I found it quite time-consuming to find out the relevant information).
Motivation: My Polaris (actually from O2) had lately a severe graphics error which disappeared after a soft reset, but the day after it refused booting:
after pressing the power button, the provider-logo is shown (appearing with some minor graphics errors) and after 30 seconds the device reboots again. Before doing a hard reset or sending it to HTC, I wanted to backup the NAND-Memory, from which I can - hopefully - restore some data, especially Notes, Short Messages and some contacts.
I spent a lot of time finding out the possible ways of ROM dumping. To summarize what is not possible:
Dumping to MicroSD-card is not possible, since "r2sd" (or "d2s") is not available on the Polaris
Dumping via "itsutils" and "pdocread" is not possible, because it requires a properly running Windows Mobile on the Polaris
Please correct me, if I am wrong.
The only available method seems to be:
Start the Polaris in bootloader mode and connect it to the PC via USB
With HTCFlasher (great tool btw! Alternatively mtty/ttermpro) issue the commands
password BsaD5SeoA
set 1e 1
rbmc
I know that rbmc can be told a start-address and length, but I do not know these addresses. In the first moment this seems to work, even though it is quite slow (~8 KB/s, at the moment the dump is at 71 MB). However, after a first peek into the dump, I noticed that the dump might be partially corrupted, due to some seemingly randomly inserted bytes (mostly with value 0x00). For example: at offset 0x39110 there seems to be a Delivery Confirmation of a Short Message: Instead of "Systemadministrator" it reads "Sys.temadmin.i.rator" (the dots are 0x00, 0x82, 0x81). Or again at offset 0x3D1C0 it reads "Sy.stemadmi.ni.rator" (dots are 0x00, 0x04, 0x81).
I use the latest version of HTCFlasher on linux-2.4.32 with the usb-serial-source of linux-2.4.28.
My questions:
Is there something to keep in mind when using rbmc on the polaris?
...probably regarding usb host buffer sizes? In this thread pof suggests to use two rbmc's to dump the splashscreen.
Is there another way to perform the dump?
Yeah me too
Yeah I wanted to do something similar with my Kaiser. I wanted to dump the various winCE partitions from bootloader.
I started two threads
http://forum.xda-developers.com/showthread.php?t=481964
and
http://forum.xda-developers.com/showthread.php?t=480410
As you will see the only advice I got was "try using QMAT".
Unfortunately, QMAT is an extremely complicated piece of software and only runs for ten minutes at a time unless you are willing to pay for it.
IMO there should be a simple answer to this but nobody cares enough to read our threads...
Hi,
My name is Wen from WMPoweruser and we recently decided to take up your case and try our best and get a ROM for the TG01. At the current status the chances of the TG01 getting a cooked ROM is currently low because the lack of a HardSPL, but I got word of another method of flashing.
EDIT: I3v5y is working on it, and soon enough we will have enough for his test device, and the ROM status is currently unknown, just doing some research as to if we can move some things around and tweak it to get a result. He is a professional at that.
Total $250.... We have enough for a UK TG01
Status
Unlocker/Flasher: Searching for a method of unlocking.. with the help of some people and Flar
ROM: We have more than enough cooks for that, sadly only one in the UK
Thanks,
Wen
Hi wen, i'm very glad to hear this news you are giving us.
TG01 users will be very excited and happy when the custom works on the TG01
i don't mind donating to help the TG01 be able to have custom roms on it.
Also is it possible to hardspl the TG01 like you can hardspl the xperia x1 (my old phone)
Thanks, sam
sagam12 said:
Hi wen, i'm very glad to hear this news you are giving us.
TG01 users will be very excited and happy when the custom works on the TG01
i don't mind donating to help the TG01 be able to have custom roms on it.
Also is it possible to hardspl the TG01 like you can hardspl the xperia x1 (my old phone)
Thanks, sam
That is what I am trying to find, and is what our biggest problem is
There is a method to push the rom flashing using the pins beside sim card holder.
Read here:
FINALLY!! There is a way to resurrect dead TG01's after flashing:
1. Format SD card (FAT32)
2. Copy SDDL+.exe (not sure if it's needed)
3. Copy whole PRG folder with desired .tsw update (I think best will be the one dedicated to your language version)
4. under sim card slot you'll find black plastic sticker (little bit hard to remove)
5. after removal of plastic sticker there are 3 pins
6. put battery back, turn phone on
7. short pins 1 and 3 with a cable and push reset button
8. white screen should come up and bootloader will load rom from your SD
9. Voila! Your TG01 is alive
Tested by 2 Spanish TG01 users and by a Polish TG01 user.
In any case I'm not responsible for any damage you make by trying this method.
Hi Wen,
Custom ROM can be possible. The ROM is decrypted by cotulla, but the resultant .nb0 has a weird structure. It still has some extra bytes, which has a weird partition table. Working on it as how to normalise. Hex copy paste also doesn't work properly. If this is done, then I am risking my TG01 for custom ROM development.
Wen(WM) said:
Hi,
My name is Wen from WMPoweruser and we recently decided to take up your case and try our best and get a ROM for the TG01. At the current status the chances of the TG01 getting a cooked ROM is currently low because the lack of a HardSPL, but I got word of another method of flashing.
I want to get all the current information about ROMz for the TG01 like HardSPL status, Cooks, Dumps and anything else that could help us get this ROM started and cooking. We currently have 8 cooks at hand and if we can get some help getting a HardSPL or anything going, we can have a good ROM released fast from someone like NRG, Shadowline, Ark, Captain Throwback or any of our good cooks, but they do need a test device. So if anyone wants to donate let me know so I will add a Cotton, but I am sure no one does.
Thanks, and I hope we get cooking soon
Wen
Hi Wen,
I think there is no need to create HardSPL for TG01. Protection of TG01 is half-broken.
First, we've got program called ".TSW Tools", that helps to decrypt encoded .TSW image file. You can get the software here: http://cotulla.pp.ru/Misc.html
Second, when we have .bin image, we need to decrypt it.
@Globalbus from forum.pdaclub.pl told us something about the .bin:
1. The block of image that could be interesting begins at 0x50F4000 and goes to the end.
2. MBR tells us the following arrangement: ULDR, XIP, IMGFS, FAT (with initiation sector)
3. Checksums:
Every 0x200 bytes some trash (0xFF)
Every 0x200 bytes some checksum (CRC32?)
And NAND control blocks.
I translated it the best I could. I hope that I helped you.
Come on, everybody with expert knowledge get it on now, i will donate..
get this started
RE
kosiek said:
Hi Wen,
I think there is no need to create HardSPL for TG01. Protection of TG01 is half-broken.
First, we've got program called ".TSW Tools", that helps to decrypt encoded .TSW image file. You can get the software here: ...
Second, when we have .bin image, we need to decrypt it.
@Globalbus from forum.pdaclub.pl told us something about the .bin:
1. The block of image that could be interesting begins at 0x50F4000 and goes to the end.
2. MBR tells us the following arrangement: ULDR, XIP, IMGFS, FAT (with initiation sector)
3. Checksums:
Every 0x200 bytes some trash (0xFF)
Every 0x200 bytes some checksum (CRC32?)
And NAND control blocks.
I translated it the best I could. I hope that I helped you.
WOW this sounds good even though i don't understand half of it lol
also, wen i've donated $5 hope it helps, only small but i don't even work so sorry can't be more than $5
Good luck!
So here is a resume of all work made by TG01 user or not:
1- Dump OEM/SYS TG01 (by ABM30) =
http://forum.xda-developers.com/showpost.php?p=5500122&postcount=253
2- Tool to extract file from .TSW (by cotulla) =
http://cotulla.pp.ru/Misc.html
Quote:
we can decode tsw files to bin but TG01 bin differs little bit from standard bin images here is what an experienced cook said:
The important to us part of image starts 0x50F4000 till endof
MBR looks:
-ULDR, XIP, IMGFS, FAT (with initiation fragment)
Checksums:
every 0x200 bytes (0xFF)
every 0x200 bytes checksum (CRC32?)
And standard NAND control blocks.
3- Force bootloader to flash any official rom after wrong flash (by nico101)=
http://forum.xda-developers.com/showpost.php?p=5487567&postcount=245
I have my own sim unlocked TG01 that I am also willing to donate for testing purposes if needs be.
but i would like it back and hopefully not bricked either, but we apparently have debricking instructions!!
come on cooks lets get cooking!!!
And the ball is rolling Will be donating as soon as payday hits
I can provide Wm6.5 O2 21856 DE dump and rare WM 6.1 PL (wasn't released officially, it's from a show off phone for Polish Orange)
We have I3v5y working on the ROM and he says it should not be too hard, so let's just hope, and he is going to need a test device
Very good news.
Thank you so much!
Fantastic news Thankyou very much!!!!!
well so far I have 20 and the device is 450 and I guess if we are close, I will take over the rest, also the flash method is the one that you guys said, so ya.
Wen(WM) said:
We have I3v5y working on the ROM and he says it should not be too hard, so let's just hope, and he is going to need a test device
That's Good News
so good
It is fantastic news really and thx to Wen, I hope the ROM will be released very soon.
And my device is a japanese version, hoping the unlock method.
Wen(WM) said:
well so far I have 20 and the device is 450 and I guess if we are close, I will take over the rest, also the flash method is the one that you guys said, so ya.
Don't panic it will come.
I plan to pay 50e but i forget my account paypal since longtime.
I just need to activate it.
I have $110 so far, so 1/3 of the way there.
The SMT5600 is app unlocked and, I think, Super CID (via lokiwiz02_173 but how to verify?) but no ROM changes as of yet as I want to make a backup of the original ROM before proceeding further.
After problems getting a term program to work (now using nueTTYConsole on Vista) I am able to get what appear to be complete ROM backups.
Procedure summary:
WinHex zero fill 64MB SD
USB bootloader SMT5600 with 64MB SD
r2sd all (via nueTTYConsole-12-v0.1-spackr)
SD back to PC [no to format query]
psdread E: 0 31328768 ipl.bin (using itsutl050119)
Status messages from the r2sd all command appear to be good and complete but no two backups, using the exact same procedure, are ever identical when binary compared with WinMerge. Size is, of course, the same but WinMerge always reports 'two' differences in what seems to be the same general area of the images: The first is very near the front of the image (WinMerge reports as 'lines', line 3) and the other at the very tail end.
Is that normal (maybe because TIME, or some other dynamic variable, changes or scratch storage?), is there a better backup procedure, and how can I verify the backups are good before I flash a new one and forever lose the original?
Thanks in advance for any enlightenment offered.
To check if it works - just restore the backups before doing anything else.
Follow the whole procedure (including psdread and - after reformatting the card - psdwrite again) to restore your device via the card. As a first try leave out the device external activities and restore immediately afterwards from the card just written.
For me it works well (on the SDA 2 - where no official update exists, a Hurricane device - but this generic handling is identical afaik) and the difference in the backups are normal.
Mind that the size of the read/write to card includes the bootsector, so don't miss the last 512 bytes. As far I remember there were two different size readings with two methods to verify the image size. The r2sd size is smaller than the size of bytes different to null on card.
To check for SuperCID enter "info 2" in the terminalprogram, it should report HTCSuperCID at the end.
tobbbie said:
To check if it works - just restore the backups before doing anything else.
Follow the whole procedure (including psdread and - after reformatting the card - psdwrite again) to restore your device via the card. As a first try leave out the device external activities and restore immediately afterwards from the card just written.
Thanks for the reply
Yes, I thought about doing a test restore, but, considering the problems I'd already had, wasn't sure if it might do something like not mention there being a 'problem' till it was half way through, leaving me with a scrambled ROM.
I take it you're saying it'll checksum first and not even start if things don't look good?
tobbbie said:
For me it works well (on the SDA 2 - where no official update exists, a Hurricane device - but this generic handling is identical afaik) and the difference in the backups are normal.
Mind that the size of the read/write to card includes the bootsector, so don't miss the last 512 bytes. As far I remember there were two different size readings with two methods to verify the image size. The r2sd size is smaller than the size of bytes different to null on card.
Hmm. I saw the confusion about SMT5600 image size but I'm not sure what you're saying here about the bootsector and "different to null."
Speaking of which, what would be wrong with just making a 64M save and, ok, you've saved a pile of extraneous 0's along with it but, so what? Might be irritating if I were putting it on rapidshare but for a personal backup is there any down side to it?
tobbbie said:
To check for SuperCID enter "info 2" in the terminalprogram, it should report HTCSuperCID at the end.
Thanks. Good to know.
Something apparently went wrong somewhere because I didn't get that report but I'll try again.
The r2sd is a command that HTC has implemented in the SPL (Secondary Program Loader). I am not aware of checksums or other safety measures - it will as I noticed following the procedure detect if there is an image on the card, which type of image and if you want to restore.
The difference in size is that r2sd reports one size "x" after the image was taken, but if you count the bytes until when the card shows the zeros you will notice that this offset on card is 512 bytes larger than the r2sd reported size. So when using psdread you have to take the larger size. Indeed it is no problem to write more to the file and restore more as well with psdwrite. The restore procedure in the SPL will anyway know how much to restore - it just needs to find ALL bytes, including the last 512.
I think there is no risk attached to the procedure, go ahead!
The only danger is if something goes wrong with the IPL (Initial Program Loader) or SPL because they open the door to the device handling.
Sadly you MUST deal with SPL to upgrade to WM5+ afaik, so be very sure to select the right IPL and SPL that matches your device HW (OMAP 730, 750 or 850) and intended OS Version. Also take care not to enter any command in the SPL except the ones you are supposed to enter - it may kill your device as well. Do never use "format all" or "doctest" - you have a brick then.
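The two checks discussed in the posts above (where exactly do two r2sd backups differ, and does the saved file include the extra 512 bytes), as an added example that is not part of the original thread or of itsutils. Function names and the sample images are constructed for illustration; the 512-byte offset is the figure given in the post above, not something verified against the SPL.

```python
import hashlib

SECTOR = 512  # per the thread: card data runs 512 bytes past the size r2sd reports
CHUNK = 4096  # compare chunk-wise, go byte-by-byte only inside differing chunks


def diff_ranges(a, b, gap=16):
    """Return [(start, end)] byte ranges (end exclusive) where a and b differ.

    Differing bytes separated by at most `gap` equal bytes are merged, so a
    changed field shows up as one range instead of many single bytes.
    """
    if len(a) != len(b):
        raise ValueError("images must be the same length")
    ranges = []
    for base in range(0, len(a), CHUNK):
        ca, cb = a[base:base + CHUNK], b[base:base + CHUNK]
        if ca == cb:
            continue  # fast path: identical chunk
        for i in range(len(ca)):
            if ca[i] == cb[i]:
                continue
            off = base + i
            if ranges and off - ranges[-1][1] <= gap:
                ranges[-1] = (ranges[-1][0], off + 1)
            else:
                ranges.append((off, off + 1))
    return ranges


def end_of_data(image):
    """Offset just past the last non-zero byte of a zero-filled card image.

    This is a lower bound: if the real data happens to end in zero bytes,
    the true end is later, which is why saving extra bytes is harmless.
    """
    return len(image.rstrip(b"\x00"))


def check_size(image, r2sd_size):
    """Check a saved image against the size r2sd printed (plus 512 bytes)."""
    expected = r2sd_size + SECTOR
    end = end_of_data(image)
    return {
        "expected": expected,
        "end_of_data": end,
        "long_enough": len(image) >= expected,  # file was not cut short
        "data_past_expected": end > expected,   # size assumption is wrong
    }


def masked_digest(image, ranges):
    """SHA-256 of the image with the given ranges zeroed.

    Two backups that differ only in the volatile ranges give the same digest,
    which can be stored and compared against any later dump.
    """
    buf = bytearray(image)
    for start, end in ranges:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()


def sample_card(front, tail, r2sd_size=4096, card=65536):
    """Constructed test image: data of r2sd_size + 512 bytes on a zeroed card,
    with a few variable bytes near the front and at the very end of the data."""
    data = bytearray(b"\xA5" * (r2sd_size + SECTOR))
    data[0x28:0x28 + len(front)] = front
    data[-len(tail):] = tail
    return bytes(data) + bytes(card - len(data))


if __name__ == "__main__":
    first = sample_card(b"\x01\x02", b"\x11\x22\x33\x44")
    second = sample_card(b"\x03\x04", b"\x55\x66\x77\x88")
    volatile = diff_ranges(first, second)
    for start, end in volatile:
        print(f"differs at 0x{start:X}-0x{end - 1:X} ({end - start} bytes)")
    print(check_size(first, 4096))
    print("same outside volatile ranges:",
          masked_digest(first, volatile) == masked_digest(second, volatile))
```

On real dumps, read the two psdread output files with `open(path, "rb").read()` and pass the size that r2sd printed as `r2sd_size`.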
tobbbie said:
The r2sd is a command that HTC has implemented in the SPL (Secondary Program Loader). I am not aware of checksums or other safety measures - it will as I noticed following the procedure detect if there is an image on the card, which type of image and if you want to restore.
Well, I am certainly no expert on this thing but r2sd spits out a wealth of information, including checksums, and I was sort of guessing based on what I'd do if I'd made it. Just that, if you're going to calculate them, it seems a shame to not use them. But, hey, I've seen stranger things done.
tobbbie said:
The difference in size is that r2sd reports one size "x" after the image was taken, but if you count the bytes until when the card shows the zeros you will notice that this offset on card is 512 bytes larger than the r2sd reported size. So when using psdread you have to take the larger size. Indeed it is no problem to write more to the file and restore more as well with psdwrite. The restore procedure in the SPL will anyway know how much to restore - it just needs to find ALL bytes, including the last 512
Oh, OK. I wasn't going by r2sd. I opened it up in WinHex, found the end of data, and compared that to the size mentioned on "Backup your Typhoon ROM - WinMo @ MoDaCo." The 'corrected' number there matched well enough.
But now that I think of it, I did that because I *did* look at r2sd and it seemed too small. So you've explained it. Good.
tobbbie said:
I think there is no risk attached to the procedure, go ahead!
How can there be no risk if it doesn't check anything?
tobbbie said:
The only danger is if something goes wrong with the IPL (Initial Program Loader) or SPL because they open the door to the device handling.
Oh, I think I see what you mean. You're suggesting that if I've cut the ROM image short then only that part will fail but the loader should still be good so I could recover by burning another (good) ROM image.
Well, perhaps, but that would mean I don't have a valid backup and couldn't make one since it would be trashed in the bad flash. Or so it seems to me.
tobbbie said:
Sadly you MUST deal with SPL to upgrade to WM5+ afaik, so be very sure to select the right IPL and SPL that matches your device HW (OMAP 730, 750 or 850) and intended OS Version. Also take care not to enter any command in the SPL except the ones you are supposed to enter - it may kill your device as well. Do never use "format all" or "doctest" - you have a brick then.
I was thinking of going straight to WM6.x per
karhoe.net/guide-upgrading-htc-feelertyphoonamadeus-to-windows-mobile-6-update-september-06-2008.html
which involves changing the loader first via Patched_RUU
Do you think going to WM5 first is a safer procedure?
I said I was not aware of any checking - but as I have not written the SPL, I simply do not know it. You are right that reporting stuff like this makes it highly probable that upon restore a check on the image should be done before restoring. Try it out, if you like
WM5 or WM6 does not make a difference as far as the SPL is concerned. Afaik you have to use the same anyway. The device is tight in memory anyway, so don't expect miracles.
Go ahead, either dare it or leave it...
tobbbie said:
I said I was not aware of any checking - but as I have not written the SPL, I simply do not know it. You are right that reporting stuff like this makes it highly probable that upon restore a check on the image should be done before restoring. Try it out, if you like
Hehe. Yeah.
I was sort of hoping someone else had already stepped off that cliff and could tell me what the ground was like before I dove in
tobbbie said:
WM5 or WM6 does not make a difference as far as the SPL is concerned. Afaik you have to use the same anyway. The device is tight in memory anyway, so don't expect miracles.
Go ahead, either dare it or leave it...
The primary aim was to get bluetooth a2dp but the incentive may have diminished, depending on how another project works out.
Thanks again for the help.
I would not bet on A2DP - I have it in the Tornado and the CPU use is much higher due to additional compression on the BT interface. Player + BT overhead is getting to average above 80% CPU (depending on the settings, but for good quality is like this) - it will also drain your battery much faster.
The Typhoon, Hurricane and Tornado have identical good analog Audio capabilities (I measured them with RMAA - see www.rightmark.org) and make a perfect music player as they are.
If your device is SuperCID you can take any other Typhoon ROM - you must just be sure that r2sd will save your bootloader + OS if you want to go back to WM2k3. I have done this already on my Amadeus (and went back to WM2k3) and this can still serve as a nice musicplayer.
tobbbie said:
I would not bet on A2DP - I have it in the Tornado and the CPU use is much higher due to additional compression on the BT interface. Player + BT overhead is getting to average above 80% CPU (depending on the settings, but for good quality is like this) - it will also drain your battery much faster.
The Typhoon, Hurricane and Tornado have identical good analog Audio capabilities (I measured them with RMAA - see www.rightmark.org) and make a perfect music player as they are.
If your device is SuperCID you can take any other Typhoon ROM - you must just be sure that r2sd will save your bootloader + OS if you want to go back to WM2k3. I have done this already on my Amadeus (and went back to WM2k3) and this can still serve as a nice musicplayer.
I admire people who can make these flash things work because it never does for me. I've now got an SMT5600 that will do nothing but display a rainbow boot screen and error out regardless of what ROM I try.
That's why I didn't try this till I had a new phone.
Hey that thread has a long history - what happened in the meantime?
3 colour screen does not mean the device is dead yet. You still have a bootloader that works and this is the thing to start from in any case.
What do the lines tell in the 3 color bars?
Did you already upload the changed SPL (I think it was 1.09) that allows to flash ROMs of WM5 or WM6 on that original WM2k3 device? If so, then you need to revert back to old SPL first before you can upload the original ROMs again.
tobbbie said:
Hey that thread has a long history - what happened in the meantime?
I put it on hold pending a new phone and other things cropped up.
Frankly, I had 2003 pretty well tricked out with SmartToolkit and gStart.
tobbbie said:
3 colour screen does not mean the device is dead yet. You still have a bootloader that works and this is the thing to start from in any case. What do the lines tell in the 3 color bars?
I swear it wasn't a troll but no sooner than I posted it wouldn't flash I managed a flash and I'm not sure why this worked when the others failed.
I was trying to verify the hard spl, getting info, etc. To make that easier I turned 'ui' on during boot and, just for chuckles expecting nothing, I tried flash again. You know, the definition of 'insanity'. Lo and behold the dern thing flew.
As far as I know nothing was different other than 'ui' on. Same tools, same wm6.5 bin file, etc.
tobbbie said:
Did you already upload the changed SPL (I think it was 1.09) that allows to flash ROMs of WM5 or WM6 on that original WM2k3 device? If so, then you need to revert back to old SPL first before you can upload the original ROMs again.
You have no idea how helpful mentioning "1.09" is. The SPL flash program opines something like changing to v 5.000 but that number shows up nowhere and nowhere does it tell you to look for '1.09'. There are other confusions, like saying the existing device was 'Orlando' (I think it was), but I guess that's moot now.
Anyway, it's now running WM6.5 and I have a new toy to fiddle with in between playing with Android on my Tilt 2.
Thank you for the help.
Glad it worked now
The older (wm2k3) devices could only be updated with a binary transfer protocol (the .BIN file - which can be confused with other ".bin" in the scope of cooking in general). To enable the reception of the MTTY command "l" (for Load) and the execution of the related actions, the SPL must be in "UI" (User Interface) mode - this is the key for further flashing - and it must be mentioned in all such upgrade manuals. Also mind that other terminal programs (like Tera Term) have not implemented that protocol. So only MTTY works for that purpose! As I am struggling currently with porting a Tornado ROM to the Hurricane I have come quite deep into that topic recently.
Are you having the WM65 from aleut now on the device? I think it is very tight on RAM now, so what are the memory key-data from settings->about after a reboot? You should repeat that with the standard home screen (Windows default) which is less memory greedy.
The way back to WM2k3 is not so easy as you must replace the SPL with the original one first before you can get back to the original OS. Whenever you mess with SPL it is a potentially dangerous action as failure doing that right will result in a bricked device.
tobbbie said:
Glad it worked now
The older (wm2k3) devices could only be updated with a binary transfer protocol (the .BIN file - which can be confused with other ".bin" in the scope of cooking in general). To enable the reception of the MTTY command "l" (for Load) and the execution of the related actions, the SPL must be in "UI" (User Interface) mode - this is the key for further flashing - and it must be mentioned in all such upgrade manuals. Also mind that other terminal programs (like Tera Term) have not implemented that protocol. So only MTTY works for that purpose! As I am struggling currently with porting a Tornado ROM to the Hurricane I have come quite deep into that topic recently.
So I discovered after missing the little '0' in the instructions.
tobbbie said:
Are you having the WM65 from aleut now on the device? I think it is very tight on RAM now, so what are the memory key-data from settings->about after a reboot? You should repeat that with the standard home screen (Windows default) which is less memory greedy.
Yes, I originally flashed Aleut's 6.5 but I've since reflashed with his 6.1.
tobbbie said:
The way back to WM2k3 is not so easy as you must replace the SPL with the original one first before you can get back to the original OS. Whenever you mess with SPL it is a potentially dangerous action as failure doing that right will result in a bricked device.
Yep, flashing SPL is the most vulnerable but I don't think I'll be going back to 2003. Although, I might try WM5 if that has more free memory.
With most things I plan on using installed there's 8.5Meg free at boot and while that sounds laughable by today's standards there's only 22Meg total for a more impressive sounding '38% free' Although, as soon as you touch the thing almost half of that is gone.
Hello all. I am very sorry to bother you all but I have been trying to upgrade my phone for the last 4 months and have almost given up. I saw the film about noods and really left it to the last resort! I have an OMNIA 7 on:
7.10.7740.16 trying to go to 8107 for now but would like to go to windows 7.8 if possible
Firmware: 2424.11.112
Boot loader 6.4.09
I tried Zune: got error 80180008
Asked Microsoft: no help
Read forums and tried cab sender to send 8107 (+ languages) by Heathcliff: got same error but now know a bit more (helphowto.cab.pkr ERROR CODE: 0x80180008 invalid signature). (thanks Heathcliff!)
Tried sending firmware: worked!
Tried sending just language packs (got 6 on my phone) only partial loaded to 7.10.8099
I read more on forum: tried sending certificates to phone by e-mail. Tried installing various certificates on computer. Tried sending a previous help how to cab (from previous O.S. cab via e-mail to phone (thought it might be missing)). Tried partial unlock but, as expected, did nothing.
After reading more on this site, I have seen that the certificates have expired on the CAB files (downloaded from "force upgrade") and so guess it has nothing to do with phone or windows (tried windows xp, vista and 7 ultimate). Asking for a new cert. seems like playing tomb raider to me.
Details about error:
ERROR: 0x80180008 : Updatevalidator in ULDR reported this error. Update cannot continue.
ERROR: E_INVALID_SIGNATURE: Signature validation failed for following Delete Package.
Package: \OSRoot\Application Data\Microsoft\DeviceUpdate\Packages\FB6757FA-7853-4C50-9239-A2C975F81FC4.1.pks\helphowto.cab.pkr FROM Version: 0.0.0.0 TO Version: 0.0.0.0 GUID = {6A540B21-B5C0-4D24-8903-B5B5EB97DF58}
1980-03-21T19:45:43Z:: VerifySignatures failed for graph with base name of HelpHowTo. Trying to find another path.
1980-03-21T19:45:43Z:: BuildReturnValues: Returning HRESULT 0x80180008
=====================================================================
1980-03-21T19:45:43Z:: GOOD PACKAGES AND BAD PACKAGES LIST
=====================================================================
1980-03-21T19:45:43Z:: BAD PACKAGE 1
1980-03-21T19:45:43Z:: : helphowto.cab.pkr ERROR CODE: 0x80180008
1980-03-21T19:45:43Z:: Total number of Bad Packages: 1
1980-03-21T19:45:43Z:: Process Failed with code 0x80180008
Phone works OK except for key board drop so it is not the end of the world I guess. As a last chance I would try seven eighter. I have seen that some people even stuck on 7720 have been able to upgrade. However, in one thread you said we can't roll back. Another one you said it SHOULD be possible to burn a back up back to the phone.
I have seen other questions on this and other forums about error 8018008 but I have not found an answer that helps.
I know it is my problem but if someone could find the time to help to answer these questions:
1. To burn a back up back to the phone, will cab sender work? I have read that zune does not. Is there another tool? The tool heathcliff mentioned does not work with the latest version zune.
2. I have seen other people on 7720 been able to go to 7.8 with seven eighter but I have seen they have had some problems (I think mainly due to wrong language pack selection issues). Do you think it would work for me even if I get this error? If there was not a problem of rolling back I would give it a go.
3. Is there something else I can do (except buy a new phone)?
Thanks and sorry if this is in the wrong place or I have broken any rules unintentionally!
Martinxp
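Added example (not part of the original post or of any tool named in the thread): a small Python parser for the update-validator log quoted in the post above, which extracts the failing packages and their error codes and checks that the pasted excerpt is internally consistent. The function name and result keys are assumptions made for this illustration; the log lines are copied from the post.

```python
import re

# Log excerpt copied from the post above (update validator output).
SAMPLE_LOG = r"""
ERROR: 0x80180008 : Updatevalidator in ULDR reported this error. Update cannot continue.
ERROR: E_INVALID_SIGNATURE: Signature validation failed for following Delete Package.
Package: \OSRoot\Application Data\Microsoft\DeviceUpdate\Packages\FB6757FA-7853-4C50-9239-A2C975F81FC4.1.pks\helphowto.cab.pkr FROM Version: 0.0.0.0 TO Version: 0.0.0.0 GUID = {6A540B21-B5C0-4D24-8903-B5B5EB97DF58}
1980-03-21T19:45:43Z:: VerifySignatures failed for graph with base name of HelpHowTo. Trying to find another path.
1980-03-21T19:45:43Z:: BuildReturnValues: Returning HRESULT 0x80180008
1980-03-21T19:45:43Z:: BAD PACKAGE 1
1980-03-21T19:45:43Z:: : helphowto.cab.pkr ERROR CODE: 0x80180008
1980-03-21T19:45:43Z:: Total number of Bad Packages: 1
1980-03-21T19:45:43Z:: Process Failed with code 0x80180008
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z::\s*")
SYMBOLIC = re.compile(r"^ERROR:\s*(E_[A-Z_]+):")
GRAPH = re.compile(r"VerifySignatures failed for graph with base name of (\w+)")
BAD_PKG = re.compile(r"^:\s*(\S+)\s+ERROR CODE:\s*(0x[0-9A-Fa-f]+)")
TOTAL = re.compile(r"Total number of Bad Packages:\s*(\d+)")
FINAL = re.compile(r"Process Failed with code (0x[0-9A-Fa-f]+)")


def parse_update_log(text):
    """Summarise a validator log: which packages failed, and with which code."""
    out = {"symbolic": [], "graphs": [], "bad_packages": [],
           "declared_bad": None, "final_code": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SYMBOLIC.match(line)):
            out["symbolic"].append(m.group(1))   # e.g. E_INVALID_SIGNATURE
            continue
        msg = TS.sub("", line)                   # drop the timestamp prefix, if any
        if (m := GRAPH.search(msg)):
            out["graphs"].append(m.group(1))
        elif (m := BAD_PKG.match(msg)):
            out["bad_packages"].append((m.group(1), int(m.group(2), 16)))
        elif (m := TOTAL.search(msg)):
            out["declared_bad"] = int(m.group(1))
        elif (m := FINAL.search(msg)):
            out["final_code"] = int(m.group(1), 16)
    # A truncated or hand-edited paste shows up as a count mismatch.
    out["consistent"] = out["declared_bad"] == len(out["bad_packages"])
    return out


if __name__ == "__main__":
    print(parse_update_log(SAMPLE_LOG))
```
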
Hi,
If you want 7.8, switch to custom rom => look at my signature.
hBk0dY said:
Hi,
If you want 7.8, switch to custom rom => look at my signature.
Thanks I will read carefully and let you know. However, if I understand correctly though, the Magldr software unlocks my phone so I can load the image ROM?
The only other doubt I have is about the memory on my phone. The Samsung site says nothing but a test report I found in WINDOSTECA says it should have 576mb RAM and 512MB ROM. Anyone know if it is valid and if it is enough?......also where is the thanks button?
thanks again Misterxp
Yes Magldr unlocks your phone. Samsung omnia 7 has 512Mo of RAM and 8Go of memory, that's enough to install a custom rom.
512MB ROM is the size of the Rom (thus the system). This size can vary depending on the rom.
Thanks Button => http://i70.servimg.com/u/f70/17/66/30/68/captur14.png
problem solved
yippeeeeee
I solved the problem!
I decided that if flashing a custom ROM would solve it then so would flashing the official ROM. Hence I read all I could about official Samsung ROMS, chose the one which was not so old "I8700XXKC1_Many_PROVIDERS_NODO" (7.10.7390), chose the CSC for Italy because I live in Italy and then woke up one morning and went for it.
I followed all the instructions to the letter but had read them 100 times before! I formatted the phone holding the Power + Volume DOWN + Camera buttons, followed the instructions in this thread: http://forum.xda-developers.com/showthread.php?t=973420 by Heathcliff and then, after all was done (went very smoothly), I connected to Zune and went all the way to 7.8. I had to cancel the update a couple of times because zune blocked but all went well in the end.
In between updates, I changed the names of the back up folder, so that zune created another in case I had to go back. I made this a habit in the past and meant I was sure I always had a back up. (sometimes zune will cancel a backup if the process does not go correctly and, if you don't save back ups you end up with no back up!). When I finally got to 7.8 I used CAB SENDER to send an old CAB which I knew could not be installed and in that way I got a back up of my final version with all my apps installed. I did this because, once there are no more updates, zune does not install anything and so does not make a back up either. It is the easiest way I have found but there may be another. I tried the various back up programmes but could never get them to work. I don't think my way does any harm to the phone but someone else more expert than me might know. The main thing I learnt is how important it is to have a back up and save the back up. It saved me a few times. Once, when trying other ways to fix the phone, I tried to restore with zune, but it kept giving an error. However, I managed with CAB SENDER. Once, another time, I got as far as 18% and even Cab sender kept giving an error. I took out the battery and waited a few minutes (before shooting myself!) and it worked! Anyway, thanks to you all at Xda and I will send a donation as soon as I get the chance to load Paypal. Bye from Mister Xp