Android on GSmart MS800 - Android Software Development

I try to boot Android on MS800 and see the text:
Stating Android...
./init
ANDROID sh: can't access tty; job control turned off
[2.210243] warning: 'rild' uses 32-bit capabilities (legacy support in use)
_(cursor blink)
and after a while white screen.
Please, help. How to fix it?

Related

ByteBlaster vs Xilinx - JTAG

Hi, I just killed my bootloader and just read http://xda-developers.com/jtag/
Has anyone else succeeded using this method?
Please share more experiences before I open my XDA O2.
Also, I searched a little bit deeper on the net and found this doc on how to build the ByteBlaster:
http://www10.brinkster.com/nsfreecore/Build%20your%20own%20ByteBlaster!.htm
Which one is good, ByteBlaster or Xilinx? Or are both the same?
TIA
other option
Hi,
Probably your best bet is: http://xda-developers.com/phpBB/viewtopic.php?t=2079
Only if this fails I would start to think about JTAG.
Hmm, my XDA is really dead, no bootloader at all.
I put it on the cradle with power:
USB detected as "USB Device not recognized".
Trying the bootloaderfix -> failed, nothing happened :|
I think it's the JTAG way.
Can the simplest JTAG download cable, with only 5 resistors and a DB25, help?
Just like the one on http://openwince.sourceforge.net/jtag/iPAQ-3600/
This is the simplest JTAG schematic:
http://openwince.sourceforge.net/jtag/iPAQ-3600/images/interface.png
Or do we really need to build a ByteBlaster/Xilinx board?
W4XY, please let me know
TIA
jtag
Ah my mistake. I confused the byteblaster with the bootblaster (another tool to write bootloaders).
About the interface I'm not sure. I would think that it should work with the simple one. Mostly because the iPAQ and XDA are similar enough. The more complex interfaces are a bit better because they do clean voltage level conversion. I suspect that the reason the simple interface works is because 3.3V is also seen as 1 for a 5V parallel port.
I've used a ByteBlaster cable. If you try the simple one let us know if it works.
I thought that I read somewhere that if the SD Card had the bootloader on it, the PocketPC would try and boot from the SD Card. Am I wrong?
I haven't tried it, but how else does the manufacturer restore a dead ROM?
It seems that it should be able to use an alternate boot device if the first one fails.
??????
Wade
You can only boot from SD if a working OS is running. Now it is possible that PocketPC still works with a dead bootloader, and then you can reflash the bootloader in a number of ways. However, if both are dead, the manufacturer will also have to use JTAG or other in-circuit means to reflash the device. Normally this happens in the factory or with specific personalization hardware. The XDA has no backup boot ROM.
Hiya,
I just opened my XDA, wow, it looks like a jungle to me! A little bit hard for a newbie.
Well, I read about a small patch for JTAG,
http://xda-developers.com/jtag/
"...I created a small patch to version 0.4 that takes care of flipping the bit just before erasing and writing of the flash. You can download the patch here"
Download the patch where?
Thanks in advance
Brumie
Where can I download the patch for jtag 0.4
Hi,
Where can I download the patch for jtag 0.4?
Or how can I access the CVS version of jtag 0.4 with the poke command?
thanks
cvs version
Hi,
Sorry for not getting back to this, currently at CCC working on some other stuff.
The CVS version can be found at http://openwince.sf.net
or more precisely here: http://sourceforge.net/cvs/?group_id=52603
The patch will be there latest next week.
patch
thanks for your answer.
I finally got access to the CVS server and will try it Monday with the Xilinx cable.
have a nice time at the CCC ;-)
cvs version of jtag :-(
I tried to compile the jtag CVS version from yesterday,
but I get error messages after make :-(
snip
###########
make[1]: Entering directory `/usr/local/src/cvsroot/jtag'
Making all in libbrux
make[2]: Entering directory `/usr/local/src/cvsroot/jtag/libbrux'
if gcc -DPACKAGE_NAME=\"libbrux\" -DPACKAGE_TARNAME=\"libbrux\" -DPACKAGE_VERSIO
N=\"0.1\" -DPACKAGE_STRING=\"libbrux\ 0.1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\
"libbrux\" -DVERSION=\"0.1\" -D_GNU_SOURCE=1 -I. -I. -I/usr/local/include/ope
nwince -I/usr/local/include/openwince/device -I/usr/local/include/openwince/arm
-I./.. -I./../include -g -O2 -Wall -MT cmd.o -MD -MP -MF ".deps/cmd.Tpo" \
-c -o cmd.o `test -f 'cmd/cmd.c' || echo './'`cmd/cmd.c; \
then mv ".deps/cmd.Tpo" ".deps/cmd.Po"; \
else rm -f ".deps/cmd.Tpo"; exit 1; \
fi
cmd/cmd.c: In function `cmd_run':
cmd/cmd.c:40: error: `cmds' undeclared (first use in this function)
cmd/cmd.c:40: error: (Each undeclared identifier is reported only once
cmd/cmd.c:40: error: for each function it appears in.)
cmd/cmd.c: In function `cmd_get_number':
cmd/cmd.c:77: warning: comparison between signed and unsigned
cmd/cmd.c:82: warning: comparison between signed and unsigned
make[2]: *** [cmd.o] Error 1
make[2]: Leaving directory `/usr/local/src/cvsroot/jtag/libbrux'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/cvsroot/jtag'
make: *** [all] Error 2
snip
#############
Is it possible to make a full working source version available for download?
thanks
klaus

How the bootloader was hacked... Help please...

Hello, I am a Treo 650 guy and have made a lot of progress in hacking various aspects of the phone, including custom roms, dun, and several others. However most all of these hacks have been accomplished without the bootloader. I have found the bootloader on the phone is known as the Sausalito Bootloader and is a spin-off of HTC's many. It appears to offer a similar list of commands:
Bootload Start
pmsys =0xA171A808
HTC Sausalito Bootloader Version : BOOTLOAD V0.24
Built on Apr 14 2005 at 15:
Copyright (c) 2003 High Tech Computer Corporation
++Check BT Router
>>?
Available monitor commands are:
? [command]
h [command]
mb [StartAddr [Count [Filler]]] --- Display/Set memory
mh [StartAddr [Count [Filler]]] --- Display/Set memory
mw [StartAddr [Count [Filler]]] --- Display/Set memory
l [pathname] --- Start a BIN file download via MTTY
lr [pathname] --- Same as above, but run it when complete
tftp --- Start a BIN file download via tFtp
flashtest --- This appears to try writing to every byte of memory, it will kill a phone!
jump [addr] --- Jump to a memory address
touch --- Touch Screen Test
touchssp --- Touch SSPx panel test??
idle --- Put the CPU into idle state
sense --- Put the CPU into sense state
standby --- Put the CPU into standby state
sleep --- Put the CPU into sleep state
deepsleep --- Put the CPU into deepsleep state
fcs [CLKCFG] --- Alter the CPU freq.
keytest --- Keypad test
pi2ctest --- Power I2C bus tests
debug
flashtype 0 (or 1)
rdoc 0(IPL)/1(SPL)/2(XIPKERNEL)/3(BINFS)
os
upload [addr] [size] --- Upload memory to terminal - writes binary to your connection!
pwr [0:normal; 1:idle; 2:standby; 3:sleep; 5:sense;
wpdoc [0/1] KEY
usb --- USB debug mode enable
led [1:LED1; 2:LED2; 3:LED3 ]
r2sd [command]
sd2r
rtask [Type[Value]]
rroute
rtest
rimgdata
jmptoos
pwm
audio
btrouter
vibratortest
audiogsm
audiocdma
dsdoc 1 or 0
gsm460
hwt
gsmdl
---------
However, I have found the r2sd and other commands do not work with the Palm OS on the phone. They can read the bootloader, but not the operating system. When I flash a custom ROM to the phone via the Palm programs we use, it is sent as a zip file with a matching MD5 checksum. I am looking for a method to restore dead phones via the bootloader as it appears to always remain working to date. However, I believe the only method is going to be the same as the Wallaby bootloader patch hack: using an SD card to write a small program that will act as a reader, writer, and eraser of flash memory.
Can anyone please point me in the right direction? I'm pretty experienced with development, but I've never tried much cross-platform stuff before. Thanks,
Shadowmite

Methods/Tools for Resolving WM Lock-ups

I am seeking information on any methods or tools that exist to help in resolving/debugging OS freezes/crashes/lock-ups.
Is there:
- any way to enable a type of system log, or to locally capture the kernel messages (usually visible via KITL)?
- any way to drop the phone into KITL mode upon a lock-up?
- any tool that will activate when a system exception/error/etc. occurs?

Deep IAT Hooking

Hi,
I've been porting a large number of Linux-based programs to the Gizmondo (CE 4.2 device).
One of the main issues is the broken C runtime of CE, specifically the lack of current dir support (not to mention no POSIX layer). At any rate, I wanted to be able to hook fopen etc. to call my own functions which would handle current dir.
To do this I thought I'd make some nice and easy IAT hooking code, that was until I discovered how complex this was on CE (relative to Win32 that is).
After much head scratching and looking at the stellar work of those such as mamaich, itsme etc. I finally managed to get it right.
I hope this is useful to someone (I searched this board, but couldn't find any code, though I do remember someone asking how to do it) and have attached a zip file with the hooking code. In order to use this you will need to provide your own undoc.h with the relevant kernel struct and function definitions for your wince flavour.
Once again, I stand on the shoulders of giants, without whom this would not have been possible
Enjoy
-(e)
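A portable model of the approach described in the post above (patch an import slot so that fopen goes through a shim that applies an emulated current directory), added here as an illustration; it is not the code from the attached zip and uses no CE kernel structures. The table layout and all names (`import_slot`, `hook_import`, `hooked_fopen`, `install_cwd_hook`, `cur_dir`) are hypothetical, and POSIX-style `/` paths are assumed.

```c
#include <stdio.h>
#include <string.h>
/* Model of an import table; layout and names are hypothetical, not CE's. */
typedef void (*proc_t)(void);
typedef FILE *(*fopen_t)(const char *, const char *);
struct import_slot { const char *name; proc_t addr; };
static struct import_slot iat[] = { { "fopen", (proc_t)fopen } };
static fopen_t real_fopen;        /* original entry, saved when hooking */
static char cur_dir[256] = ".";   /* emulated current directory */

/* Swap the address in the named slot; return the old one, NULL if absent. */
proc_t hook_import(const char *name, proc_t new_proc) {
    for (size_t i = 0; i < sizeof iat / sizeof iat[0]; i++) {
        if (strcmp(iat[i].name, name) != 0) continue;
        proc_t old = iat[i].addr;
        iat[i].addr = new_proc;
        return old;
    }
    return NULL;
}

/* Absolute paths pass through; relative ones join cur_dir. -1 if too long. */
int resolve_path(const char *path, char *out, size_t outlen) {
    int n = (path[0] == '/') ? snprintf(out, outlen, "%s", path)
                             : snprintf(out, outlen, "%s/%s", cur_dir, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

FILE *hooked_fopen(const char *path, const char *mode) {  /* the shim */
    char full[512];
    return resolve_path(path, full, sizeof full) ? NULL : real_fopen(full, mode);
}

/* Set the emulated directory and install the shim once (never hook the hook). */
int install_cwd_hook(const char *dir) {
    if (strlen(dir) >= sizeof cur_dir) return -1;
    strcpy(cur_dir, dir);
    if (!real_fopen) real_fopen = (fopen_t)hook_import("fopen", (proc_t)hooked_fopen);
    return real_fopen ? 0 : -1;
}

FILE *call_imported_fopen(const char *path, const char *mode) {  /* a caller */
    return ((fopen_t)iat[0].addr)(path, mode);
}

int main(void) {
    FILE *f = install_cwd_hook("/dev") ? NULL : call_imported_fopen("null", "r");
    puts(f ? "opened /dev/null through the hook" : "open failed");
    if (f) fclose(f);
}
```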
Beautiful~
You are genius~
Thank you.
Wow~
You are so beautiful~ ^_____^
Thank you.
I just wanted to start asking questions here... sweetlilmre, THANK YOU VERY MUCH!!!
excellent job~
thank you
Does anybody have undoc.h created for windows mobile 6 (wince 5.x)? If not, where should I look for the undocumented type info?
Hi~ JKingDev
I once created undoc.h by referencing the "private" directory.
The "private" directory is installed with Platform Builder. (I used Platform Builder 5.0.)
If PB is installed, then C:\WINCE500\PUBLIC and C:\WINCE500\PRIVATE are created.
(I don't know the Windows Mobile 6.0 environment.)
p.s :
If you can translate KOREAN, then visit http://www.digipine.com/programming/1310.
This site has attached file "WinCE_ARM_Hook.zip". ( bottom side )
It is not my post, maybe it is posted by "jung cheulwon".
Hi all,
first of all, thank you sweetlilmre for posting this.
Your solution works perfectly fine for platforms based on Win CE 5, e.g. Win Mobile 6.1 and Win Mobile 6.5.3.
However it does unfortunately not work on Win CE 6 and Win CE 7.
I assume that this is due to changes in the memory architecture of Win CE 6 and higher.
Does anyone have a clue on how to port the "Deep IAT Hooking" solution on Win CE 6 and Win CE 7?
Some technical details on what I have tried so far...
Code:
PROC WINAPI DeepHookImportedFunction(
    LPCWSTR pwszModuleToHook,   // Module to intercept calls to
    LPCWSTR pwszFunctionToHook, // Function to intercept calls to
    PROC pfnNewProc,            // New function (replaces old function)
    LPWSTR* ppwszExcludeList    // List of module names to exclude from the hook
) {
    PROC pfnOriginalProc;
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc;
    PIMAGE_THUNK_DATA pThunk;
    PPROCESS pProcess;
    struct info inf;
    PMODULE pmods;
    LPVOID baseptr;
    BOOL bHooked = FALSE;
    SetKMode(TRUE);
    // Get current process struct from KData
    pProcess = KData.pCurPrc;
    // Get process import descriptor
    inf = pProcess->e32.e32_unit[IMP]; // <-- crash occurs here (marked red in the original post)
The program crashes (at the red marked spot) when I try to access the member pProcess->e32. This is because the structure pProcess is filled up by the value zero only.
This happens quite early in the implementation, therefore I didn't proceed very far. I still hope that somebody can help me out with this case.
Kind regards

My TyTN Brick - KITL + PB

I've been trying to bring a locked and bricked TyTN back to life without the manufacturer rom to work with (Canada Rogers).
I've built a PB image with Windows CE 5.0 following the wiki instructions.
http://wiki.xda-developers.com/index.php?pagename=PB_KITL_HERMES
I'm using virtualbox and xp sp3
The image builds and loads to the attached device - semi success
I've added the release directory modules (blank dlls)
ril.dll
rilgsm.dll
serial_cmd.dll
stk_service.dl
Instead of seeing a splash screen I now just see a blank screen.
I can see TP events triggering in the debug window so I'm definitely connected but at this point I'm stuck.
I've got no interface to work with....
the last couple of messages in the debug window are "netui not ready".
Any clues as to what I'm missing?
thanks much.
