Related
Hey Folks,
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).
The unlocker has Ring0 protection, Emulated API's, Resource Encryption + Lots more fun and games.
Now onto what I have found so far.
The GUI stuff:
Code:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"
Is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...
However the very most interesting part (I find) is the existance of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Download:
http://rapidshare.com/files/12763879/_00CC0000.mem
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
The following tools are also 'picked up':
Filenames:
Code:
PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Code:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Since he has NO terms about his programs what so ever then there is no legal problems with what I am doing to his application.
He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)
Anyway....
Watch this space
Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?
Whiterat said:
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Click to expand...
Click to collapse
Great, will you disclose your findings? there was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312
Whiterat said:
However the very most interesting part (I find) is the existance of a ROM inside the unlocker.
Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
Click to expand...
Click to collapse
It seems that this is the patched SPL that is flashed on the first unlocking step, it is modified so that when it is told to flash an splash screen, it flashes the security area, overwriting the CID.
Whiterat said:
For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
Click to expand...
Click to collapse
I will load it at IDA and compare with a normal wizard SPL...
Whiterat said:
Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.
Click to expand...
Click to collapse
Yes, the imei-check guys are doing great job with their unlockers... similar method is used in artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE, this modified SPL shows the DOC ID in help of "set" command and allows flashing unsigned code, then they use obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in wizard unlocker.
Whiterat said:
Watch this space
Click to expand...
Click to collapse
I will
phoa not much point in me continuing!
You've got the whole lot there!
I'm a lover not a coder, I simply reverse in order to help others succeed.
Since you have all important info anyway, Not really going to be of much help here
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
Whiterat said:
phoa not much point in me continuing!
You've got the whole lot there!
Click to expand...
Click to collapse
Well I didn't want to discourage you on continuing the reversing process, I just pointed you to the thread where we discussed about the unlocking method a while ago...
I admire the fact that you reached that far only disassembling / debugging the binary, what we actually did to have the full process was capturing it with USB monitor; the unlocker can be tricked if you run the usb monitor process as one user, ant the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.
Whiterat said:
Since you have all important info anyway, Not really going to be of much help here
Click to expand...
Click to collapse
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.
I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area, this can't be done capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you sure have noticed
Whiterat said:
P.S do you have any sigs for IDA or any scripts?
I dont like having to sift through manually as binary file......
Click to expand...
Click to collapse
No sorry, i don't have any... I am not very used to IDA, started using it few months ago and still learning new things about it everytime I start it
Ah cool I will look into it a bit further
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX
Since it is popping those registers off the stack, its actually altered nothing
Themida is a cow, Because my friend didnt manage to make a start on the junk code remover (and I didnt realise there was a virtualised function) I just did each Import by hand (approx 4 hours lol)
Also rebuilt the OEP by hand too, not too hard since it was VC++6.
I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)
3 Last things:
1. Can the G3/G4 chip be worked out by IMEI, i.e IMEI represents a date and the chips were only used after a certain date? or is this tool generic for G3/G4 ?
2. Do you have an SPL for 2.08.10
3. How can I dump my SPL (bearing in mind my only minisd has a full backup of my rom, Just in case crossbow gets a little ugly for my liking)
Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has british keyboard and all the chars are shifted +1.....
Thats my next major task I think before continuing on this thing
Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name
Hi..Answer on the "Last Three Things"
1.) No one cannot identify G3/G4 with imei.If u lok carefully the place below yr battery u will find a"G4" written besides yr imei no.In G3, nothing is written.The most commeon way is to check IPL/SPL .001 in the end is G4.
2) Take a ROM which has 2.08 SPL. and use typho5.exe to dismantle the ROM parts.If ROM is release recently then you will find IPL/SPL for G3/G4 both.Chek the threads here..
3) As such crossbow ROM has no IPL/SPL..if u know what ROM u were using prior to that, u can apply above to dump yr ipl SPL..secondly you can do this with awizard1.3 beta.
I hope this helps
Hi,
Apologies in advance if I'm covering old ground.
I'm trying to re-flash a WM6 rom after my previous attempt just left me with the 4 colour screen permanently and as the links to mtty1.42.rar seem to be broken at the moment I decided to re-flash with a different rom.
the problem is that even though I can get the unit into boot-loader mode and the update software appears to see the BA when it checks versions etc. as soon as I hit the upgrade button the BA screen blanks and I get Error 112: CE ROM UPDATE ERROR.
I've tried different roms, different usb ports and different versions of activesync all with the same result.
Any help on this would be great and hopefully I haven't 'bricked' the unit.
Cheers
Duncan
Do you have PH20A2 or PH20B device?
mtty utility can be found using search button
It's a PH20B.
I've now found mtty after a fair bit of searching on other forums..now to see if I can make some sense of it's commands.
A further update: it seems that I've managed to corrupt just the OS part of the ROM. I managed a radio update successfully which means all the USB connection is fine for updating. It just can't access the OS part of the ROM.
Is there anyway to manually format that area of ROM so I can in effect install over clean unit? Infortunately I can't make sense of the mtty commands and don't know what memory address and for how log I should perform the format.
Cheers Duncan
try reflashing
You should know how to use search - however here is the link
http://forum.xda-developers.com/showthread.php?t=348030&highlight=mtty
(Is that hard to put "mtty" in the search field and set BA section only? )
Further update:
Now I don't even get the 4 colour screen. After soft and hard reset I get a dead device. I can put the device into bootloader mode (serial/usb) but as soon as the update software attempts to copy the rom across the screen blanks and I get the ROM Update Error.
Now my thought is to try and flash with the original rom for the device as I have another unit available but using the link from the BA wiki for dumping the ROM doesn't work. I have also tried searching for 'ROM Dump' within the BA section of the forum but there don't seem to be any definitive instructions for this, everyone just keeps asking why not use the wiki or search funtion....
I have used the wiki and the search funstion and I seem to be the first with this situation.
Soft Reset - Nothing
Hard Reset - Nothing
Bootloader - Able to flash the radio rom but as sson as i try to flash the OS rom the screen blanks and I get Error 112: CE ROM Update Error. When I take the device out of the cradle the screen comes back on with the Serial 2.xx screen and I'm back to square one.
I've tried to use the wiki to dump an exisiting working rom but the link on the wiki is broken. I have also searched the BA forum for these intructions but they're not covered as they're already in the wiki..... or not as the case is.
I appreciate you regular users get fed up with noobs coming on and expexting you to do all the work for them but so far I've spent 3 days searching both this site and others to try and resurect my device. I'm not dumb or lazy and would love to be able to do all this myself but without instructions I'm flying somewhat blind.
Any help would be great..... please??
[off topic]
no need for apologies...
we started once like you... some are far worse...
knowing one part and boasting with air on their heads...
since you managed to explain yourself on your first post.
knowing what to search (E.G. MTTY 1.42.rar)
you definitely searched the forum before you posted AND
you stated that the links are not working... that proves it.
we are the one who is sorry because some others think
that they are high and mighty, it sometimes blurs the opinion making.
i dont like opinionated people because i admit that am one too... sometimes...
but that doesnt mean i hate them...
[on-topic]
you never told us what happened when you tried the mtty procedure.
is your last post the result of your mtty experience?
please elaborate how did you end up with that... what did you do before you soft-reset and hard-reset?
SilverSamurai,
Thanks for the quick response.
After my last 'apparently' successful re-flash with Helmi's latest WM6 rom when I hard reset the device I had nothing but a blank black screen, no power LED or anything. Soft-reset was the same. I can reset into bootloader and the PC detects the device when I place it in the cradle. The first part of the update seems to work although it never detects the current OS installed, it always says upgrade from ' ' to 'ver 6.0.0' which is wierd because it always used to say the previous OS version. When I then hit next the progress bar shows on the PC but the BA screen immediately blanks and eventually the PC gives the ROM update error.
I have managed to re-flash the radio rom in this state which proved that I still have access tho the device from the PC.
Using mtty I can run through all the commands to recover from the 4 colour lines screen (even though I'm beyond that point).
USB>set 14 0
HTCST ÚÈÒHTCEUSB>task 28
DOC_format_HW+
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
USB>task 0
USB>
It's almost as if the last flash didn't complete and has left the area for the OS 'dirty' with what ever it did manage to flash. What I was hoping to try was to re-format the entire OS section of memory and then try to re-flash again. Using mtty it says you can format sections of memory by stating a start address and the length you want to format but I don't have clue what these should be.
I've tried flashing with WM6, WM5 and a compatible version of 2003 with the same result every time. I would like to dump a rom from another BA I have and try with that but as mentioned earlier the link for that is down at the moment.
I think that's about it. If you need any more info let me know.
Many thanks
Duncan.
let's relist the things you did.
USB>set 14 0
Click to expand...
Click to collapse
1. start OS after a reset
result:
HTCST ÚÈÒHTCE
USB>task 28
Click to expand...
Click to collapse
2. format doc (Disc-On-Chip)
result:
DOC_format_HW+
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
USB>task 0
Click to expand...
Click to collapse
3. do hardware clear boot.
Click to expand...
Click to collapse
since i dont want to experiment with my sole BA...
i tried to search for solution...
and with some of my computer instincts i came up with this suggestion...
try this command before "task 28"
"task 7 0" <-- this is the "Do flash ROM lock/unlock" command
"task 2a" <-- fix bad blocks on MFG bootloader and Storage
then try to reflash your BA.
my sources one | two
although it's not BA but i think mtty commands are generic.
it's worth a try.
SS,
Still no joy, it's exactly as it was before.
Just reading through some more posts for bootloader ant it seems at least one other person has the same problem - http://forum.xda-developers.com/showthread.php?t=345181&highlight=bootloader and no resolution posted for that either.
I think I may have got it beyond the point of return.
I've just tried to flash from the blank screen I end up with from the initial attempt and it still detects the device but fails in exactly the same way.
awww... im sorry to hear that.
but dont lose hope.
i'll try to read some more and search for solutions.
and i hope someone with the same problem as
yours that had their BA fixed comes to the foreground.
[off topic]
hmm... come to think of it... we're both Marvel SuperVillains
SilverSamurai said:
awww... im sorry to hear that.
but dont lose hope.
i'll try to read some more and search for solutions.
and i hope someone with the same problem as
yours that had their BA fixed comes to the foreground.
[off topic]
hmm... come to think of it... we're both Marvel SuperVillains
Click to expand...
Click to collapse
These steps are from my notes. Follow these steps. It worked for me last time i tried (3 months back)
2. Stop ActiveSync, by Task Manager (press Ctrl + Alt + Delete)
kill two processes rapimgr.exe and wcescomm.exe
3. put your device into Bootloader Mode by pressing Power + Record Button and Soft Reset.
4. Run mtty (from downloaded) Choose WCEUSBSH001
5. type "set 14 0" without the quotes to tell bootloader to boot the OS after reset.
6. type "task 28" to get your device formatted
7. type "task 0" to ask your device reboot
8. take the device out of the cradle, and manually reset it if it does not do that already.
i think he did all of those already,
that's why i posted this in response to his mtty experience.
wouldnt hurt to try it again though.
A bit more info:
I tried the mtty solution again but still the same result.
I finally managed to find the instructions for dumping and exisiting rom to SD card and pulled one from a working unit. I put the card into the faulty BA and booted into bootloader. Pressed 'Power Button' to flash from card and it appeared it was going to work........ until it got to 12% then it failed with the message 'Download Fail'. So still no better off.
What I'm going to try now as it seems anything is worth a try is use the address ranges used to dump the rom to try and format all 3 sections. See if that will give me a clean base to try and re-flash from the sd card. My only worry is if it will format the section of ROM used to store the bootloader info.
I'll post my results shortly.
Now I need to know how to get the bootloader password to enable me to use the 'erase' command through mtty.
The hunt coninues....
Yet more developments.
As the update from SD failed I thought I'd see if it was possible to dump the current contents of the rom to SD using the following
“d2s 80000000 02000000“
“d2s 60000000 00300000 sd a“
“d2s 70000000 01080000 sd a“
The first 2 commands completed fine and checksum was OK. On the 3r command 'd2s 70000000 01080000 sd a' it errored with the following result
USB>d2s 70000000 01080000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
pc->drive.total_lba=1E8000
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D000000
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
DOC_ReadBinary is fail: dwStartAddress=0,dwReadSize=40000.
DOC_ReadBinary is fail: dwStartAddress=0,dwTempReadLength=40000.
*DOC_ReadBinary is fail: dwStartAddress=40000,dwTempReadLength=40000.
*****************************************************************dwCheckSum of Storage=95609D16
cSectionNum=2
psImageSectionInfo[cSectionNum].dwCheckSum=0
psImageSectionInfo[cSectionNum].dwLength=1080000
Stored image of SD/MMC card checksum error!
Now my guess is the Doc_Read_Fail bits are the corrupt part of the rom. If I can find a way to repair these I could then try re-flashing the rom.
what was "task 2a"'s result?
i think that's the chkdsk option of mtty.
we're dissecting the innards of the bootloader.
little by little as we go along the way...
im learning something, i hope you can find the fix for your problem.
SilverSamurai,
Thanks for the help you gave but the unit has finally had enough and totally locked. No power or anything no matter how I try to reset it. I've tried charging for hours, discharging for hours, left the battery out for hours but to no avail. It seemed to take exception to me dumping the rom contents to the SD card. Maybe there was a hardware problem ?? Not sure.
I'll have to see if I can wangle another unit from the company I work for as we're currently selling a bunch that were purchased for a failed IT project on ebay.
it was sad to hear/read that.
anyways. at least we tried to revive it. but dont throw it away.
maybe someday there will be ways how to ressurect your BA.
Happy Computing! err... Mobile Computing!
I'm a newb in the sense that I'm new to the whole Windows Mobile Devices. As my location of this thread, I have a T-Mobile Wing.
I'm a current web designer and I'm learning to program/code. Especially for mobile devices first. So I am computer literate just a newb using roms, windows mobile in general. I believe I can follow on very easily.
I will edit this post to add the answers and explain them in more details, etc. as I learn them for future cookers/newbies/etc.
I have searched around the forums, learned a lot but still have questions hopefully some pro cookers could answer and maybe use this as a ref for all beginner newbs. I have the link to the wing/herald xda wiki/atlas, etc.
BUT STILL....
I'm on Windows Vista 64 bit. Maybe this is my problems? I take that into possibility. Within a week I'll have XP back on this computer as well.
[1]
I understand if your SPL/IPL is above 4.0+ you can hardspl your device. (DO NOT ATTEMPT TO HARDSPL YOUR DEVICE IF IT IS UNDER 4.0! IT WILL BRICK IT!)
I aslo heard of a uspl method where it hardspls your deivce JUST FOR THE NEW ROM YOU"RE INSTALLING.
I read that hardspl will hardspl your device forever but since then it's now reversable correct? Just curious about this, not a big deal either way.
NEWBS IF YOU WANT TO CHECK YOUR IPL/SPL VERSIONS : take your stylus out and soft reset your device by pushing your stylus into the small hole just under the volume slider on the left side of your phone and hold the camera button as it boots up until you see 3 grad colors. red blue, etc. it will then display your version numbers.
[2]
I wanted to learn how to cook, since I felt it wouldn't be too hard since I have a good background with computers, etc.
So.... I started following this thread:
http://forum.xda-developers.com/showthread.php?t=341243
I found a few others including the ones displayed with the hypercore download thread. But I stuck with this one as a first attempt and have not tried any others yet. I know I should but this one just bugged me, haha.
I did all steps accurately and did them again to double check...... but when I go to BuildOS.exe the top of the screen displays:
"the system cannot find the batch label specified"
Is this bad? I remember reading a long time ago about the format being unix and not dos, yatta yatta it would bring this error up but that can NOT be the possibility since everyone else has used this guys thread to create custom roms. Any ideas?
[3] (Cont'd from Question [2])
I also get some error trying to do step 2 in the BuildOS.exe menu, which is.... build OS.nb from SYS and Oem..... that error is file not specified... so i believe it has something to do with the batch error at the top, maybe? Ive tried this step 2 several times and actually got it to work and displayed new os.nb is saved in hypercore/build.... which i went there and didnt see it, but i see one inside the ROM folder... I assume this is the one I want? Perhaps?
[4] (Cont'd from Question [2])
When I try option number 3 in the BuildOS.exe menu I get this message
Save to desktop as........ as what? lol. I assumed the same name, leave it the same.... well the OS.nb was not at the location it specified. (hypercore/tools/convert) lol.
Again tho the save as problem.... I believe it all has to do with the batch file, it's like not fetching/displaying the file name.... if not it meant to leave it the same name? Anyway why is it not in the location specified?
[5]
This is what it displays after clicking enter, of course again no RUU folder found, I figured this with the previous errors. But heres what the flash option in the BuildOS.exe menu does err.... rather displays......
Again Place the _____ here..... still all the batch file problem?
[6]
Again dealing with this screen, is it ok that after Device: its blank? aka not displaying the propper htc model for the wing 3450 or whatever it is, I forget.
The SMT5600 is app unlocked and, I think, Super CID (via lokiwiz02_173 but how verify?) but no ROM changes as of yet as I want to make a backup of the original ROM before proceeding further.
After problems getting a term program to work (now using nueTTYConsole on Vista) I am able to get what appear to be complete ROM backups.
Procedure summary:
WinHex zero fill 64MB SD
USB bootloader SMT5600 with 64MB SD
r2sd all (via nueTTYConsole-12-v0.1-spackr)
SD back to PC [no to format query]
psdread E: 0 31328768 ipl.bin (using itsutl050119)
Status messages from the r2sd all command appear to be good and complete but no two backups, using the exact same procedure, are ever identical when binary compared with WinMerge. Size is, of course, the same but WinMerge always reports 'two' differences in what seems to be the same general area of the images: The first is very near the front of the image (WinMerge reports as 'lines', line 3) and the other at the very tail end.
Is that normal (maybe because TIME, or some other dynamic variable, changes or scratch storage?), is there a better backup procedure, and how can I verify the backups are good before I flash a new one and forever lose the original?
Thanks in advance for any enlightenment offered.
To check if it works - just restore the backups before doing anything else.
Follow the whole procedure (including psdread and - after reformatting the card - psdwrite again) to restore your device via the card. As a first try leave out the device external activities and restore immediately afterwards from the card just written.
For me it works well (on the SDA 2 - where no official update exists, a Hurricane device - but this generic handling is identical afaik) and the difference in the backups are normal.
Mind that the size of the read/write to card includes the bootsector, so don't miss the last 512 bytes. As far I remember there were two different size readings with two methods to verify the image size. The r2sd size is smaller than the size of bytes different to null on card.
To check for SuperCID enter "info 2" in the terminalprogram, it should report HTCSuperCID at the end.
tobbbie said:
To check if it works - just restore the backups before doing anything else.
Follow the whole procedure (including psdread and - after reformatting the card - psdwrite again) to restore your device via the card. As a first try leave out the device external activities and restore immediately afterwards from the card just written.
Click to expand...
Click to collapse
Thanks for the reply
Yes, I thought about doing a test restore, but, considering the problems I'd already had, wasn't sure if it might do something like not mention there being a 'problem' till it was half way through, leaving me with a scrambled ROM.
I take it you're saying it'll checksum first and no even start if things don't look good?
tobbbie said:
For me it works well (on the SDA 2 - where no official update exists, a Hurricane device - but this generic handling is identical afaik) and the difference in the backups are normal.
Mind that the size of the read/write to card includes the bootsector, so don't miss the last 512 bytes. As far I remember there were two different size readings with two methods to verify the image size. The r2sd size is smaller than the size of bytes different to null on card.
Click to expand...
Click to collapse
Hmm. I saw the confusion about SMT5600 image size but I'm not sure what you're saying here about the bootsector and "different to null."
Speaking of which, what would be wrong with just making a 64M save and, ok, you've save a pile of extraneous 0's along with it but, so what? Might be irritating if I were putting it on rapidshare but for a personal backup is there any down side to it?
tobbbie said:
To check for SuperCID enter "info 2" in the terminalprogram, it should report HTCSuperCID at the end.
Click to expand...
Click to collapse
Thanks. Good to know.
Something apparently went wrong somewhere because I didn't get that report but I'll try again.
The r2sd is a command that HTC has implemented in the SPL (Secondary Program Loader). I am not aware of checksums or other safety measures - it will as I noticed following the procedure detect if there is an image on the card, which type of image and if you want to restore.
The difference in size is that r2sd reports one size "x" after the image was taken, but if you count the bytes until when the card shows the zeros you will notice that this offset on card is 512 bytes larger than the r2sd reported size. So when using psdread you have to take the larger size. Indeed it is no problem to write more to the file and restore more as well with psdwrite. The restore procedure in the SPL will anyway know how much to restore - it just needs to find ALL bytes, including the last 512
I think there is no risk attached to the procedure, go ahead!
The only danger is if something goes wrong with the IPL (Initial Program Loader) or SPL because they open the door to the device handling.
Sadly you MUST deal with SPL to upgrade to WM5+ afaik, so be very sure to select the right IPL and SPL that matches your device HW (OMAP 730, 750 or 850) and intended OS Version. Also take care not to enter any command in the SPL except the ones you are supposed to enter - it may kill your device as well. Do never use "format all" or "doctest" - you have a brick then.
tobbbie said:
The r2sd is a command that HTC has implemented in the SPL (Secondary Program Loader). I am not aware of checksums or other safety measures - it will as I noticed following the procedure detect if there is an image on the card, which type of image and if you want to restore.
Click to expand...
Click to collapse
Well, I am certainly no expert on this thing but r2sd spits out a wealth of information, including checksums, and I was sort of guessing based on what I'd do if I'd made it. Just that, if you're going to calculate them, it seems a shame to not use them. But, hey, I've seen stranger things done.
tobbbie said:
The difference in size is that r2sd reports one size "x" after the image was taken, but if you count the bytes until when the card shows the zeros you will notice that this offset on card is 512 bytes larger than the r2sd reported size. So when using psdread you have to take the larger size. Indeed it is no problem to write more to the file and restore more as well with psdwrite. The restore procedure in the SPL will anyway know how much to restore - it just needs to find ALL bytes, including the last 512
Click to expand...
Click to collapse
Oh, OK. I wasn't going by r2sd. I opened it up in WinHex, found the end of data, and compared that to the size mentioned on "Backup your Typhoon ROM - WinMo @ MoDaCo." The 'corrected' number there matched well enough.
But now that I think of it, I did that because I *did* look at r2sd and it seemed too small. So you've explained it. Good.
tobbbie said:
I think there is no risk attached to the procedure, go ahead!
Click to expand...
Click to collapse
How can there be no risk if it doesn't check anything?
tobbbie said:
The only danger is if something goes wrong with the IPL (Initial Program Loader) or SPL because they open the door to the device handling.
Click to expand...
Click to collapse
Oh, I think I see what you mean. You're suggesting that if I've cut the ROM image short then only that part will fail but the loader should still be good so I could recover by burning another (good) ROM image.
Well, perhaps, but that would mean I don't have a valid backup and couldn't make one since it would be trashed in the bad flash. Or so it seems to me.
tobbbie said:
Sadly you MUST deal with SPL to upgrade to WM5+ afaik, so be very sure to select the right IPL and SPL that matches your device HW (OMAP 730, 750 or 850) and intended OS Version. Also take care not to enter any command in the SPL except the ones you are supposed to enter - it may kill your device as well. Do never use "format all" or "doctest" - you have a brick then.
Click to expand...
Click to collapse
I was thinking of going straight to WM6.x per
karhoe.net/guide-upgrading-htc-feelertyphoonamadeus-to-windows-mobile-6-update-september-06-2008.html
which involves changing the loader first via Patched_RUU
Do you think going to WM5 first is a safer procedure?
I said I was not aware of any checking - but as I have not written the SPL, I simply do not know it. You are right that reporting stuff like this makes it highly probable that upon restore a check on the image should be done before restoring. Try it out, if you like
WM5 or WM6 does not make a difference what the SPL is concerned. Afaik you have to use the same anyway. The device is tight in memory anyway, so don't expect miracles.
Go ahead, either dare it or leave it...
tobbbie said:
I said I was not aware of any checking - but as I have not written the SPL, I simply do not know it. You are right that reporting stuff like this makes it highly probable that upon restore a check on the image should be done before restoring. Try it out, if you like
Click to expand...
Click to collapse
Hehe. Yeah.
I was sort of hoping someone else had already stepped off that cliff and could tell me what the ground was like before I dove in
tobbbie said:
WM5 or WM6 does not make a difference what the SPL is concerned. Afaik you have to use the same anyway. The device is tight in memory anyway, so don't expect miracles.
Go ahead, either dare it or leave it...
Click to expand...
Click to collapse
The primary aim was to get bluetooth a2dp but the incentive may have diminshed, depending on how another project works out.
Thanks again for the help.
I would not bet on A2DP - I have it in the Tornado and the CPU use is much higher due to additional compression on the BT interface. Player + BT overhead is getting to average above 80% CPU (depending no the settings, but for good quality is like this) - it will also drain your battery much faster.
The Typhoon, Hurricane and Tornado have identical good analog Audio capabilities (I measured them with RMAA - see www.rightmark.org) and make a perfect music player as they are.
If your device is SuperCID you can take any other Typhoon ROM - you must just be sure that r2sd will save your bootloader + OS if you want to go back to WM2k3. I have done this already on my Amadeus (and went back to WM2k3) and this can still serve as a nice musicplayer.
tobbbie said:
I would not bet on A2DP - I have it in the Tornado and the CPU use is much higher due to additional compression on the BT interface. Player + BT overhead is getting to average above 80% CPU (depending no the settings, but for good quality is like this) - it will also drain your battery much faster.
The Typhoon, Hurricane and Tornado have identical good analog Audio capabilities (I measured them with RMAA - see www.rightmark.org) and make a perfect music player as they are.
If your device is SuperCID you can take any other Typhoon ROM - you must just be sure that r2sd will save your bootloader + OS if you want to go back to WM2k3. I have done this already on my Amadeus (and went back to WM2k3) and this can still serve as a nice musicplayer.
Click to expand...
Click to collapse
I admire people who can make these flash things work because it never does for me. I've now got an SMT5600 that will do nothing but display a rainbow boot screen and error out regardless of what ROM I try.
That's why I didn't try this till I had a new phone.
Hey that thread has a long history - what happened in the meantime?
3 colour screen does not mean the device is dead yet. You still have a bootloader that works and this is the thing to start from in any case.
What do the lines tell in the 3 color bars?
Did you already upload the changed SPL (I think it was 1.09) that allows to flash ROMs of WM5 or WM6 on that original WM2k3 device? If so, the you need to revert back to old SPL first before you can upload the original ROMs again.
tobbbie said:
Hey that thread has a long history - what happened in the meantime?
Click to expand...
Click to collapse
I put it on hold pending a new phone and other things cropped up.
Frankly, I had 2003 pretty well tricked out with SmartToolkit and gStart.
tobbbie said:
3 colour screen does not mean the device is dead yet. You still have a bootloader that works and this is the thing to start from in any case. What do the lines tell in the 3 color bars?
Click to expand...
Click to collapse
I swear it wasn't a troll but no sooner than I posted it wouldn't flash I managed a flash and I'm not sure why this worked when the others failed.
I was trying to verify the hard spl, getting info, etc. To make that easier I turned 'ui' on during boot and, just for chuckles expecting nothing, I tried flash again. You know, the definition of 'insanity'. Low and hold the dern thing flew.
As far as I know nothing was different other than 'ui' on. Same tools, same wm6.5 bin file, etc.
tobbbie said:
Did you already upload the changed SPL (I think it was 1.09) that allows to flash ROMs of WM5 or WM6 on that original WM2k3 device? If so, the you need to revert back to old SPL first before you can upload the original ROMs again.
Click to expand...
Click to collapse
You have no idea how helpful mentioning "1.09" is. The SPL flash program opines something like changing to v 5.000 but that number shows up no where and no where does it tell you to look for '1.09'. There are other confusions, like saying the existing device was 'Orlando' (I think it was), but I guess that's moot now.
Anyway, it's now running WM6.5 and I have a new toy to fiddle with inbetween playing with Android on my Tilt 2.
Thank you for the help.
Glad it worked now
The older (wm2k3) devices could only be updated with a binary transfer protocol (the .BIN file - which can be confused with other ".bin" in the scope of cooking in general). To enable the reception of the MTTY command "l" (for Load) and the execution of the related actions, the SPL must be in "UI" (User Interface) mode - this is the key for further flashing - and it must be mentioned in all such upgrade manuals. Also mind that other terminal programs (like TerraTerm) have not implemented that protocol. So only MTTY works for that purpose! As I am struggling currently with porting a Tornado ROM to the Hurricane I have come quite deep into that topic recently.
Are you having the WM65 from aleut now on the device? I think it is very tight on RAM now, so what are the memory key-data from settings->about after a reboot? You should repeat that with the standard home screen (Windows default) which is less memory greedy.
The way back to WM2k3 is not so easy as you must replace the SPL with the original one first before you can get back to the original OS. Whenever you mess with SPL it is a potentially dangerous action as failure doing that right will result in a bricked device.
tobbbie said:
Glad it worked now
The older (wm2k3) devices could only be updated with a binary transfer protocol (the .BIN file - which can be confused with other ".bin" in the scope of cooking in general). To enable the reception of the MTTY command "l" (for Load) and the execution of the related actions, the SPL must be in "UI" (User Interface) mode - this is the key for further flashing - and it must be mentioned in all such upgrade manuals. Also mind that other terminal programs (like TerraTerm) have not implemented that protocol. So only MTTY works for that purpose! As I am struggling currently with porting a Tornado ROM to the Hurricane I have come quite deep into that topic recently.
Click to expand...
Click to collapse
So I discovered after missing the little '0' in the instructions.
tobbbie said:
Are you having the WM65 from aleut now on the device? I think it is very tight on RAM now, so what are the memory key-data from settings->about after a reboot? You should repeat that with the standard home screen (Windows default) which is less memory greedy.
Click to expand...
Click to collapse
Yes, I originally flashed Aleuts 6.5 but I've since reflashed with his 6.1.
tobbbie said:
The way back to WM2k3 is not so easy as you must replace the SPL with the original one first before you can get back to the original OS. Whenever you mess with SPL it is a potentially dangerous action as failure doing that right will result in a bricked device.
Click to expand...
Click to collapse
Yep, flashing SPL is the most vulnerable but I don't think I'll be going back to 2003. Although, I might try WM5 if that has more free memory.
With most things I plan on using installed there's 8.5Meg free at boot and while that sounds laughable by today's standards there's only 22Meg total for a more impressive sounding '38% free' Although, as soon as you touch the thing almost half of that is gone.
Hello all. I am very sorry to bother you all but I have been trying to upgrade my phone for the last 4 months and have almost given up. I saw the film about noods and really left it to the last resort! have an OMNIA 7 on:
7.10.7740.16 trying to go to 8107 for now but would like to go to windows 7.8 if possible
Fimware: 2424.11.112
Boot loader 6.4.09
I tired Zune: got error 80180008
Asked Microsoft: no help
Read forums and tried cab sender to send 8107 (+ languages) by Heathcliff: got same error but now know a bit more helphowto.cab.pkr ERROR CODE: 0x80180008 invalid signature ) (. (thanks Heathcliff!)
Tried sending firmaware: worked!
Tried sending just language packs (got 6 on my phone) only partial loaded to 7.10.8099
I Read more on forum: tried sending certificates to phone by e-mail. Tried installing various certificates on computer. Tried sending a previous help how to cab (from previous O.S. cab via e-mail to phone (thought it might be missing). Tried partial unlock but, as expected, did nothing.
After reading more on this site, I have seen that the certificates have expired on the CAB files (downloaded from "force ugrade") and so guess it has nothing to do with phone or windows (tried windows xp, vista and 7 ultimate). Asking for a new cert. seems like playing tomb raider to me.
.details about error:
ERROR: 0x80180008 : Updatevalidator in ULDR reported this error. Update cannot continue.
ERROR: E_INVALID_SIGNATURE: Signature validation failed for following Delete Package.
Package: \OSRoot\Application Data\Microsoft\DeviceUpdate\Packages\FB6757FA-7853-4C50-9239-A2C975F81FC4.1.pks\helphowto.cab.pkr FROM Version: 0.0.0.0 TO Version: 0.0.0.0 GUID = {6A540B21-B5C0-4D24-8903-B5B5EB97DF58}
1980-03-21T19:45:43Z:: VerifySignatures failed for graph with base name of HelpHowTo. Trying to find another path.
1980-03-21T19:45:43Z:: BuildReturnValues: Returning HRESULT 0x80180008
=====================================================================
1980-03-21T19:45:43Z:: GOOD PACKAGES AND BAD PACKAGES LIST
=====================================================================
1980-03-21T19:45:43Z:: BAD PACKAGE 1
1980-03-21T19:45:43Z:: : helphowto.cab.pkr ERROR CODE: 0x80180008
1980-03-21T19:45:43Z:: Total number of Bad Packages: 1
1980-03-21T19:45:43Z:: Process Failed with code 0x80180008
Phone works OK except for key board drop so it is not the end of the world I guess. As a last chance I would be to try seven eighter. I have seen that some people even stuck on 7720 have been able to upgrade. However, In one thread you said we can’t roll back. Another one you said it SHOULD be possible to burn a back up back to the phone.
I have seen other questions on ths and other forums about error 8018008 but I have not found an answer that helps.
I Know it is my problem but if someone could find the time to help to answer these questions:
1. to burn a back up back to the phone, will cab sender work ? I have read that zune does not.is there another tool? The tool heathcliff mentioned, does not work with the latest version zune.
2. I have seen other people on 7720 been able to go to 7.8 with seven eighter but I have seen they have had someproblems (I think mainly due to wrong language pack selection issues)-. Do you think it would work for me even if I get this error? If there was not a problem of rolling back I wold gve it a go.
3. Is there something else I can do (except buy a new phone)
Thanks and sorry if this is in the wrong place or I have broken any rules un- intentionally !
Martinxp
Hi,
If you want 7.8, switch to custom rom => look at my signature.
hBk0dY said:
Hi,
If you want 7.8, switch to custom rom => look at my signature.
Click to expand...
Click to collapse
Thanks I will read carefully and let you know. However, If I understand correctly though, the Magldr software unlocks my phone so I can load the immage ROM?
The only other doubt I have is about the memory on my phone. the Samsung site says nothing but an test report I found in WINDOSTECA says it should have 576mb RAM and 512MB ROM. Any one know if it is valid and if it is enough?......also where is the thanks button?
thanks again Misterxp
Yes Magldr unlocks your phone. Samsung omnia 7 as 512Mo of RAM and 8Go of memory, that's enough to install a custom rom.
512MB ROM is the size of the Rom (thus the system). This size can vary depending on the rom.
Thanks Button => http://i70.servimg.com/u/f70/17/66/30/68/captur14.png
problem solved
yippeeeeee
I solved the problem!
I decided that if flashing a custom ROM would solve it then so would flashing the official ROM. Hence I read all I could about official Samsung ROMS, chose the one which was not so old "I8700XXKC1_Many_PROVIDERS_NODO (7.10.7390), Chose the CSC for Italy because I live in Italy and then woke up one morning and went for it.
I followed all the instructions to the letter but had read them 100 times before! I formated the phone holding the Power + Volume DOWN + Camera buttons, followed the instructions in this thread: http://forum.xda-developers.com/showthread.php?t=973420 by Heathcliff and then, after all was done (went very smoothly, I connected to Zune and went all the way to 7.8. I had to cancel the update a couple of times because zune blocked but all went well in the end.
In between updates, I changed the names of the back up folder, so that zune created another in case I had to go back. I made this a habit in the past and meant I was sure I Always had a back up. (sometimes zune will cancel a backup if the process does not go correctly and, if you don't save back ups you end up with no back up!). When I finally got to 7.8 I used CAB SENDER to send an old CAB which I knew could not be installed and in that way I got a back up of my final version with all my apps installed. I did this because, once there are no more updates, zune does not install anything and so does not make a back up either. It is the easest way I have found but there may be another, I tried the various back up programmes but could never get them to work. I don't think my way does any harm to the phone but some one else more expert than me might know. The main thing I learnt is how important it is to have a back up and save the back up. It saved me a few times. Once, when trying other ways to fix the phone, I tried to restore with zune, but it kept giving an error. However, I managed with CAB SENDER. Once, another time, I got as far as 18% and even Cab sender kept giving an error. I took out the battery and waited a few minutes (before shooting my self!) and it worked! Anyway, thanks to you all at Xda and I will send a donation as soon as I get the chance to load Paypal. bye from Mister Xp