Hi!
I have Siemens SX56.
Are there any reasons to DOWNGRADE my BootLoader from current version 5.22 to 5.15?
What is mechanism of downgrade?
Is this dangerous?
Thank You!
I am asking because I can NOT upgrade my SX56 from 2002 to 2003
pmemdump 0x80001880 0x40
80001880 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890 00 00 00 00 20 20 20 20 56 35 2e 32 32 20 20 20 .... V5.22
800018a0 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00 ...WALLABY ...
Help! How can I downgrade my bootloader?
I tried:
pnewbootloader.exe bl515.nb0
Unable to find flash info offset, cannot disable bootloader writeprotect
I have read the whole forum, but I can't solve my problem
I have 5.22 boot loader and can not upgrade to 2003
Have you tried the "fix broken bootloader" option in xdatools.
cruisin-thru said:
Have you tried the "fix broken bootloader" option in xdatools.
How to do?
I tried:
pnewbootloader.exe bl515.nb0
look at the picture
http://wiki.xda-developers.com/wiki/XDAtools
Rudegar said:
look at the picture
http://wiki.xda-developers.com/wiki/XDAtools
This script has the same line:
pnewbootloader bootloader_v5_15.nb0
ERROR: ITReadProcessMemory -
Unable to find flash info offset, cannot disable bootloader writeprotect
I have exactly the same problem.. Anyone find the solution to this problem?? I am not able to downgrade my bootloader.. I want to do this because I want to go from Xda SE rom back to ppc2002..
helpp... anyone...
I posted an updated pnewbootloader in another thread which addresses this.
http://forum.xda-developers.com/viewtopic.php?t=11417
Which ROM version do you have ?
I apparently did not have the pput.exe program. I downloaded the zip file with the pput.exe and it downgraded my bootloader successfully !
very very cool.. now if only i can figure out how to get the bootloader to restore from my sd card. Whenever i soft-reset by holding the power button it takes me to the bootloader screen and then to diagnostics... where in the world is the restore from SD option.. or is it doing that because I have the SD card (256 MB in the wrong format). I did write the card using xdatools.. hmm..
I am assuming you downgraded to 5.15
If your image is written to SD card 1k header format it should automatically see the image and display the menu.
Ok..Using XDArit1.exe fixed the problem.. There seems to be some issue with using OSImageTool (from XDATools) to write to the SD card.. maybe i used the wrong option.. but anyway I got the XDA to boot and upgrade from the SD card .. now I have the PPC2002 ROM running successfully..
I wrote this guide because i got frustrated at the seeming impossibility of downgrading a 2.21+ SPL ROM on my Wizard to CID unlock it, and the fact that lokiwiz did not work either.
After a day of research it became apparent that this was far from the truth, and that it was easily unlockable. All the tools were out there, just there wasn't a guide to help direct someone through all the steps.
Well this is that guide.
I've tried to make it newbie friendly, and although this has only been tested on my wizard, i see no reason why this wouldn't work on the Typhoon (in fact most of the tools used are originally for the Typhoon) and Tornado seeing as they have almost identical boot loaders.
The guide comes with the usual warning:
“If you manage to brick your phone, it wasn't my fault ”
I can't stress this point enough though, get a few numbers wrong in some of the commands in the guide, and you could break your phone, triple check everything you type in!!
Attached is the guide in a zipped version in html and .doc format (html for those of you that cant be arsed with MS Word files)
Enjoy
This guide works on G3 phones only, regardless of ROM version, but i see little point in going through all these steps when for 90% of you, lokiwiz should work fine. So i suggest you only use this guide if you are having trouble with lokiwiz, and/or you have a 2.21+ SPL G3 Wizard.
**EDIT**Guide back up and updated
Looks good Craptree,
Unfortunately I don't own a G4 device to try it on.
Would love to hear some feedback from users that have a G4 CID Locked Wizard and used this how-to to successfully CID unlock their G4 Wizard.
Regards,
Molski
Thankyou
keep up the good work Molski
Firstly good work, that was some reading and collating you did, I've worked my way through but when i come to write the unlocked.nb file back using "pdocwrite -n 1 unlocked.nb" i get this error
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
can you shed some light.
Ok ive done some snooping around should the last command be something like
pdocwrite -n 1 0 0x10000 unlocked.nb ??
I have tried this method. And got cid.bin file from the device. How can I convert the cid.bin to cid.nf file? Will this command "perl typhooncidedit.pl cid.bin" will generate the cid.nf file? I don't get it. Please help me. Thanks!
Hi im by no means anywhere near an expert (as you can see from my posting above) but from my limited experience i can say no, perl typhooncidedit.pl cid.bin will read the current file, though note you need to reboot after installing Active Perl and there seems to be a spelling mistake in the commands in the howto, its typhooncidedit_pl, note the underscore not a full stop.
Its the command "perl typhooncidedit_pl cid.bin -c 11111111 -w unlocked.bin" that creates the file to be written back to the phone. However this is where it ends for me as i cant get the next stage to work just yet and am a little weary of playing around without more informed guidance in case i brick the device.
problem with soulcage
when I try to download the package with the crypt-des i got this message:
soulcage.net
This domain name expired on 10/09/2006 and is pending renewal or deletion.
is there any other place to get this package?!?
weird i did it last night and it worked, i even just reopened activeperl and it rechecked with no errors, you are downloading the package through activeperl aren't you ?
I'm also getting the ITWriteDisk error and the problem with the Crypt-DES repository. Found Crypt-DES at http://theory.uwinnipeg.ca/ppms/ in the end.
wblqx - oops, looks like i got muddled up with my file name extensions. it doesnt matter if the files a .nb or .bin, theyre both identical. just reference the file you have. so if you have a cid.bin, the command would be
perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
flipside101 - hmmm im not quite sure why it wont let you write the file back...all i can suggest is to make sure that cert_spcs.cab and enablerapi.cab have been loaded onto your phone. have you tried copying the files onto your phone and running them manually?
PS - ive changed the original guides to avoid this confusion in the future wblqx
Ok, I got the crypt-des from here: http://theoryx5.uwinnipeg.ca/ppms/package.xml
and it's version 2.05 from Dave Parishere and this is what I have here:
I got the cid.bin file and this is what I read "inside" it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
(the locks codes appears to be crypted, is that correct?)
then I did the perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb and got it:
D:\qtek\cid>perl typhooncidedit.pl cid.bin -c 11111111 -w unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: f75b0704 - f2c82199ed8f7449
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
olddata: 6d18c04e8ed463a6460f100469464259621e8365aeb43277cf2858b925828379
newdata: 95ea23df0bf16432cf7be60912a5cbdedee342037c9d3bd3dee342037c9d3bd3
newsum=3c8b458b encsum=4e3630065084dd42
and at least the: pdocwrite -n 1 unlocked.nb gave me this:
D:\qtek\cid>pdocwrite -n 1 unlocked.nb
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 96 10 01 04 13 1d 11 2c 15 03 06 c5
CopyFileToTFFS(unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - An internal error occurred.
captree, do you have any clue about what is wrong?
here is the unlocked.nb:
D:\qtek\cid>perl typhooncidedit.pl unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=48: 3c8b458b - 4e3630065084dd42
0x01a0 - keyindex: 000000e600000000 -> 230
0x1930 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840009225810
0x1d00 - lock 0 : 7bea42ec25ae4b6eac30b47d9691fdac
0x1d10 - lock 1 : 4a02f79b693fe782ad1cf1a9133fc981
0x1d20 - lock 2 : 5afd85493fd413c46b2a28d3ead12c0e
0x1d30 - lock 3 : c82b3203be8574b85f141684499d1d85
0x1d40 - lock 4 : ea60e2bc84f2f60fc730cea22b3147ab
0x4000 - mncmcc : f5a235190000000000000000875f796f5cd3ce3ed6b1a16fc7cef324eed501e8
Hi Craptree, no i tried the manual running of rapi but i still get the same error
D:\XDA\CID>pdocwrite -n 1 unlocked.bin
CopyFileToTFFS(unlocked.bin:0, 0, 00010000)
ERROR: ITWriteDisk - A device attached to the system is not functioning.
In case its any help heres some info on the locked and unlocked files
LOCKED
D:\XDA\CID>perl typhooncidedit_pl cid.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 431ca7b6 - fa9d45e5b52e53c3
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'WIZO2B01' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
UNLOCKED
D:\XDA\CID>perl typhooncidedit_pl unlocked.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=55: 7d3a21f5 - fdee2cb45bfc5c18
0x01a0 - keyindex: 0000004a00000000 -> 74
0x1450 - cid key : 32421a0edf4fa9d6
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563830004598750
0x1d00 - lock 0 : a2a9faccbbfbc0d94497e96264896558
0x1d10 - lock 1 : 58ff98fb2af1350f7fca4f890f358808
0x1d20 - lock 2 : 7b53c3aa8c9d522e46e73b558d75f287
0x1d30 - lock 3 : 0e92d1ddbc64b8e5f8c9950a0bf33284
0x1d40 - lock 4 : 92895c989f8ac37c77b97eadef53e5dc
0x4000 - mncmcc : 095ce2420000000000000000c7c8aba45e2c4b0f8d5e300ab86152430094117c
Hello,
First I have to say this initiative for a CID unlock guide is GREAT !
Unfortunately, I went to the same process and also got write error in the end.
Here's for me :
- Had to use Crypt-DES from http://theoryx5.uwinnipeg.ca/ppms/package.xml while Soulcage.net access is off (or so it seems)
- Installed Cert_SPCS.cab and EnableRapi.cab both using .bat and manual installation
- Was able to get the CID.bin & modify without problem
- Last operation results in following error:
"3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 3a 20 01 02 23 2a 12 8d 01 09 05 40
CopyFileToTFFS(cid_unlocked.nb:0, 0, 00010000)
ERROR: ITWriteDisk - Internal error" (translated from French).
My CID binaries :
## perl typhooncidedit.pl cid_original.bin
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 1cab1674 - 37f31b4a27fe4616
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'WIZQTK24' 0e0f101112131415161718191a1b1c1d1e1f20212223
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
## perl typhooncidedit.pl cid_unlocked.nb
0x0000 - version : 00000001
0xfff8 - checksum: keyix=40: 500ec10b - c44c8893515dcabf
0x01a0 - keyindex: 000000d900000000 -> 217
0x18c8 - cid key : 'MODULESN'
0x0160 - cid : 0008:'11111111' 00000000000000000000000000000000000000000000
0x1c80 - lockflag: 0000000000000000
0x0140 - imei : 3563840001521300
0x1d00 - lock 0 : 76a905824418f065eefd32cbfb611d28
0x1d10 - lock 1 : 91450180424a15f000bdd1851e5fbb51
0x1d20 - lock 2 : c14cc13d337415f59b71512adfb0319d
0x1d30 - lock 3 : 8b62365380a7f3436e43a4299ce97c0d
0x1d40 - lock 4 : 867bbb89c9d3593a72621810278c89db
0x4000 - mncmcc : 762173b9000000000000000091bcf2bbcf1921a206e6fd057e61d6c08f467a95
Could this be because we had to use a different Crypt-DES package ? Or shall we look some other reason ?
Thanks and good luck
Sylvain
This is weird, it looks like its worked no one except me
sorry...
my wizard was a G3, but it was locked into 2.26 spl, and refused to be
unlocked with lokiwiz (as G3's with 2.21+ roms seem to have the same problem with cid unlocking that G4's do), or any thing else, and this manual way was the
only thing that did the job for me...
I have two reasons, and i fear its the first one...
1)G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4's do. So this solution may only work on G3 2.21+ phones
2)I semi downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the spl), then did all the steps layed out in the guide.
riz
jubanet - yea, it appears the lock code is encrypted. if someone with the crypted lock code cid.bin files could send me one, i can see if it appears unencrypted on my version of crypt-des
craptree said:
jubanet - yea, it appears the lock code is encrypted. if someone with the crypted lock code cid.bin files could send me one, i can see if it appears unencrypted on my version of crypt-des
here it is!
craptree said:
This is weird, it looks like its worked no one except me
sorry...
my wizard was a G3, but it was locked into 2.26 spl, and refused to be
unlocked with lokiwiz (as G3's with 2.21+ roms seem to have the same problem with cid unlocking that G4's do), or any thing else, and this manual way was the
only thing that did the job for me...
I have two reasons, and i fear its the first one...
1)G3 2.21+ CID locked phones don't have the same problem with CID unlocking that G4's do. So this solution may only work on G3 2.21+ phones
2)I semi downgraded the phone with ftp://xda:[email protected]__RUU_Wizard_1050412_WWE_101_11210_WWE.exe first (it downgraded everything except the spl), then did all the steps layed out in the guide.
riz
hummm...
everybody says that's impossible to CID unlock the G4...
I'll try downgrading to that rom (without touching the ipl/spl)
@ craptree
Im on a g3 2.21.4.1 o2 wizard, so similar to yours, ill try the partial downgrade
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
LordPhong said:
Might be a stupid question but the subject says that it's a CID and SIM unlock. The doc only mentions SIM unlock.
The only bit in the doc thats about SIM unlocking is
"**The number at 0x1d00 is your sim unlock code. Write it down somewhere and use it to sim unlock your phone (i.e. when you insert a different providers sim card, it will ask you for a code)"
The rest is purely about the cid
Hi all,
I am new to this forum and happy to be part of it. I am facing one problem. Hope you all can take a look at this.
I have an EAP-SIM application which needs to be ported to Windows CE Pocket PC 2003. It will probably run on HP iPAQ. I need to get the IMSI of the SIM card and run the GSM (A3/A5/A8) algorithms through my application.
After a lot of research, i found it might be possible through AT commands and with the help of RIL(Radio Interface Layer). I tried some samples, but is not working properly. I saw some AT commands in this link
http://ftp.rz.tu-bs.de/pub/mirror/cc..._log_commented
Next I tried this with RIL.
I need to know how i can get IMSI and send some PDU to the SIM card to run the algorithm. Is it possible ? through RIL ? AT command ? . Your valuable help or suggestion is expected.
-------------------------------------------------------------------
const BYTE SELECT_FILE_CMD[] = {(BYTE)0xA0, (BYTE)0xA4, (BYTE)0x00, (BYTE)0x00, (BYTE)0x02,(BYTE)0x3F,(BYTE)0x00};
const BYTE GSM_DIR_CMD[] = {(BYTE)0xA0, (BYTE)0xA4, (BYTE)0x00, (BYTE)0x00, (BYTE)0x02,(BYTE)0x7F,(BYTE)0x20};
const BYTE SELECT_EF_IMSI_CMD[] = {(BYTE)0xA0, (BYTE)0xA4, (BYTE)0x00, (BYTE)0x00, (BYTE)0x02,(BYTE)0x6F,(BYTE)0x07};
const BYTE GET_IMSI_CMD[] = {(BYTE)0xA0,(BYTE)0xB0,(BYTE)0x00,(BYTE)0x00, (BYTE)0x09 };
const BYTE READ_IMSI_CMD[] = {(BYTE)0xA0,(BYTE)0xC0,(BYTE)0x00,(BYTE)0x00, (BYTE)0x09 };
result = RIL_Initialize(1, ResultCallback, NotifyCallback, dwNotificationClasses, g_dwParam, &g_hRil);
res_UserIdentity = RIL_GetUserIdentity(g_hRil);
//res_SelectFile = RIL_SendSimCmd(g_hRil, SELECT_FILE_CMD,sizeof(SELECT_FILE_CMD));
//res_Select_IMSI = RIL_SendSimCmd(g_hRil, SELECT_EF_IMSI_CMD,sizeof(SELECT_EF_IMSI_CMD));
//res_Get_IMSI = RIL_SendSimCmd(g_hRil, GET_IMSI_CMD,sizeof(GET_IMSI_CMD));
//res_Read_IMSI = RIL_SendSimCmd(g_hRil, READ_IMSI_CMD,sizeof(READ_IMSI_CMD));
-------------------------------------------------------
Thanks,
Hi, could you repost the link you added, its not working when I click on it.
The commands to select the IMSI seem correct, you have the address right, although I think you might have the last 2 in the wrong order. The 0xb0 command is read binary, and 0xc0 is get response. Typically you would select 3f00, 7f20, 6f07, then send the response command with the length as the final byte (given as the second returned byte from the previous command). You then use the read binary command with the length as the final byte.
Having said that, as you already know the length, you could skip the response command altogether.
here is the trace from my PC based program im developing when selecting the IMSI:
A0 A4 00 00 02 3F 00
A0 A4 00 00 02 7F 20
A0 A4 00 00 02 6F 07
9F 0F
A0 C0 00 00 0F
90 00 00 00 00 09 6F 07 04 00 1D 00 1D 01 02 00 00
A0 B0 00 00 09
IMSI: 90 00 ......
Hi,
Thanks for your reply. Please find the link below
http://ftp.rz.tu-bs.de/pub/mirror/ccc_Chaos_Computer_Club/ftp.ccc.de/gsm/gsm_log_commented
The real problem is am using RIL. In RIL_SendSimCmd(), the error code i got is
80004001 which means its not implemented. I am using HP iPAQ. Does this execution of AT commands depends upon the mobile phone ? As you mentioned about your PC program,Are you using smart card reader or something else ? Can you please tell me how you did it ?
Right now am just trying to send a single AT command to select the GSM file after RIL initialization. That itself is failing.
const BYTE GSM_DIR_CMD[] = {(BYTE)0xA0, (BYTE)0xA4, (BYTE)0x00, (BYTE)0x00, (BYTE)0x02, (BYTE)0x7F, (BYTE)0x20};
result = RIL_Initialize(1, ResultCallback, NotifyCallback, dwNotificationClasses, g_dwParam, &g_hRil);
if (result < 0)
{
    wsprintf(szString, L"RIL_Init-%d", result);
    ShowMessage(szString);
}
res_GSMDir = RIL_SendSimCmd(g_hRil, GSM_DIR_CMD, sizeof(GSM_DIR_CMD));
if (res_GSMDir < 0)
{
    wsprintf(szString, L"res_GSMDir %x", res_GSMDir);
    ShowMessage(szString);
    print_error(-1 * res_GSMDir);
}
So I assume my iPAQ is not allowing me to execute commands ?. Please give a brief about this. Please let me know if you didnt get the link. I wil send it to your mail id..
Thanks,
My knowledge with AT commands and RIL is limited im afraid, but I'd guess ipaq's dont use the standard AT commands. The error being returned would suggest to me that the command is incorrect and not recognised, so you're probably sending it in the wrong format.
All I can do is point you to a few links you probably have already looked at, namely microsofts msdn article on RIL application
http://msdn2.microsoft.com/en-us/library/ms894929.aspx
and handhelds site, which may contain useful info on your device that could help in development.
http://handhelds.org/
As for my program, im writing it in VC++ using the scard platform. And yes, im using a card reader.
The command structure is:
CCardServer::SCardCommand(LPCSTR Cmd, LPSTR DataIn, INT DataInLen, LPSTR DataOut, INT DataOutLen)
Hi sanal,
sanal said:
... I have an EAP-SIM application which needs to be ported to Windows CE Pocket PC 2003.
EAP-SIM --> i wish you good luck
sanal said:
... I need to get the IMSI of the SIM card and run the GSM (A3/A5/A8) algorithms through my application.
After a lot of research, i found it might be possible through AT commands and with the help of RIL(Radio Interface Layer). I tried some samples, but is not working properly. I saw some AT commands in this link
why not using SIM Manager? see SIM Manager Reference at MSDN.
This API is available for PocketPC 2002 and later..
Here a codesnippet out of SIMSpider, which i've written some time ago..
(if SIM Manager fails, then it's probably not implemented by hp for your device..)
Code:
// dwAddress:
// 0x6F07: IMSI
// 0x6F20: KC Ciphering Key
void ReadSIM ( DWORD dwAddress )
{
    HSIM hSim;
    HRESULT hr = SimInitialize ( 0, NULL, NULL, &hSim );
    if ( hr == S_OK )
    {
        SIMRECORDINFO sri;
        memset ( &sri, 0, sizeof(sri) );
        sri.cbSize = sizeof(sri);
        hr = SimGetRecordInfo ( hSim, dwAddress, &sri );
        if ( hr == S_OK )
        {
            DWORD dwBytesRead;
            BYTE pBuf [ 4096 ];
            hr = SimReadRecord ( hSim, dwAddress, sri.dwRecordType, NULL, (LPBYTE)pBuf, sizeof(pBuf), &dwBytesRead );
            if ( hr == S_OK )
            {
                // here you can decode the data according to gsm-spec
                // e.g. http://www.ttfn.net/techno/smartcards/gsm11-11.pdf
            }
            else
                wprintf ( L"Failed to read Record!" );
        }
        hr = SimDeinitialize ( hSim );
    }
    else
        wprintf ( L"SimInitialize failed with %08X", hr );
}
for EAP-SIM you may need the ciphering key too.. don't know for sure..
for decoding the sim-files you can find any needed info e.g. in http://www.ttfn.net/techno/smartcards/gsm11-11.pdf
and so on...
hope it helps
Cheers,
ikarus
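The SELECT / GET RESPONSE / READ BINARY sequence from the trace earlier in this thread, and the "decode the data according to gsm-spec" step left open in ReadSIM, as an added example (not code from any poster here). The GET RESPONSE bytes are the ones shown in the trace; the EF_IMSI bytes are a constructed test value, the field layout is taken from GSM 11.11, and all function names are hypothetical.

```c
/* Added example: decoding the SIM responses discussed in this thread.
 * Field layout follows GSM 11.11; all function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* GET RESPONSE data from the trace in the thread (after SELECT 6F07). */
static const uint8_t PAGE_GET_RESPONSE[] = {
    0x00, 0x00, 0x00, 0x09, 0x6F, 0x07, 0x04, 0x00,
    0x1D, 0x00, 0x1D, 0x01, 0x02, 0x00, 0x00
};

/* Constructed EF_IMSI content (test IMSI 001010123456789), not from the page. */
static const uint8_t SAMPLE_EF_IMSI[] = {
    0x08, 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98
};

struct ef_info {
    uint16_t file_size;  /* bytes 3-4: size of the EF body            */
    uint16_t file_id;    /* bytes 5-6: e.g. 0x6F07 for EF_IMSI        */
    uint8_t  file_type;  /* byte 7: 0x04 = elementary file            */
    uint8_t  structure;  /* byte 14: 0x00 = transparent (READ BINARY) */
};

/* SW1 = 0x9F: command succeeded and SW2 bytes of response data are waiting. */
int sw_pending_len(uint8_t sw1, uint8_t sw2)
{
    return (sw1 == 0x9F) ? (int)sw2 : -1;
}

/* Build a 5-byte GSM-class APDU with P1 = P2 = 0 (0xC0 GET RESPONSE, 0xB0 READ BINARY). */
void build_apdu(uint8_t ins, uint8_t le, uint8_t out[5])
{
    out[0] = 0xA0; out[1] = ins; out[2] = 0x00; out[3] = 0x00; out[4] = le;
}

/* Parse the GET RESPONSE data returned after selecting an EF. */
int parse_ef_response(const uint8_t *d, size_t n, struct ef_info *out)
{
    if (d == NULL || out == NULL || n < 14)
        return -1;
    if (d[6] != 0x04)           /* MF/DF responses use a different layout */
        return -1;
    out->file_size = (uint16_t)((d[2] << 8) | d[3]);
    out->file_id   = (uint16_t)((d[4] << 8) | d[5]);
    out->file_type = d[6];
    out->structure = d[13];
    return 0;
}

/* Decode EF_IMSI: byte 0 is the length, then nibble-swapped BCD digits.
 * The low nibble of the first IMSI byte holds identity type and parity. */
int decode_imsi(const uint8_t *ef, size_t n, char *out, size_t out_len)
{
    if (ef == NULL || out == NULL || n < 2)
        return -1;
    size_t len = ef[0];
    if (len < 1 || len > 8 || len + 1 > n)
        return -1;                          /* truncated or malformed file */
    if ((ef[1] & 0x07) != 0x01)
        return -1;                          /* identity type is not IMSI   */
    int odd = (ef[1] >> 3) & 1;
    size_t ndigits = 2 * len - 1 - (odd ? 0 : 1);
    if (ndigits + 1 > out_len)
        return -1;
    for (size_t i = 0; i < ndigits; i++) {
        size_t k = i + 1;                   /* nibble 0 is type/parity */
        uint8_t b = ef[1 + k / 2];
        uint8_t nib = (k % 2) ? (uint8_t)(b >> 4) : (uint8_t)(b & 0x0F);
        if (nib > 9)
            return -1;                      /* filler or invalid digit */
        out[i] = (char)('0' + nib);
    }
    out[ndigits] = '\0';
    return (int)ndigits;
}

int main(void)
{
    struct ef_info info;
    uint8_t apdu[5];
    char imsi[16];

    /* Status 9F 0F after SELECT 6F07: fetch 15 bytes with GET RESPONSE. */
    build_apdu(0xC0, (uint8_t)sw_pending_len(0x9F, 0x0F), apdu);
    printf("GET RESPONSE: %02X %02X %02X %02X %02X\n",
           apdu[0], apdu[1], apdu[2], apdu[3], apdu[4]);

    if (parse_ef_response(PAGE_GET_RESPONSE, sizeof PAGE_GET_RESPONSE, &info) == 0) {
        /* The reported file size becomes the READ BINARY length byte. */
        build_apdu(0xB0, (uint8_t)info.file_size, apdu);
        printf("file %04X size %u -> READ BINARY le=%02X\n",
               (unsigned)info.file_id, (unsigned)info.file_size, apdu[4]);
    }
    if (decode_imsi(SAMPLE_EF_IMSI, sizeof SAMPLE_EF_IMSI, imsi, sizeof imsi) > 0)
        printf("IMSI: %s\n", imsi);
    return 0;
}
```

The same decode_imsi routine can be applied to the buffer SimReadRecord fills for address 0x6F07, since it only needs the raw file bytes and their count.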
Hi ikarus,
Thanks a lot for your reply. I am reached half way. Got IMSI and Kc with SIM Manager. What to do with the Run GSM Algorithms. I think for that we need to send some commands to SIM. I have no hope of doing algorithms execution through SIM manager. Any idea ?
Hello sanal,
you're right. With SIM Manager there seems to be no way for running gsm algorithms.
Furthermore i'm not sure if you really need the imsi and kc.
As far as i know for eap-sim you send the algorithm (sim) a random, which the nas (respectively the authentication-entity behind) sends to you.
I'm not very well experienced with this, so you're on your own.
hm.. you could have a look at RIL_SendRestrictedSimCmd, but there is no constant for "Run GSM Algorithm".
You could also try RIL_SendSimCmd and format the command according to gsm-specs. In the mentioned document there is a chapter 9 - Description of the commands ..
(but i guess an official gsm-spec would be more helpful)
Maybe another user can help more?
good luck !
ikarus
yes I think needs to do more research. Particularly whether iPAQ supports this AT commands. Bcoz as of i know phones restrict this command AT+CSIM. As you mentioned i have already checked the specs ,
as limbmaster said i need to check whether am sending the commands correct or wrong. But my doubt is when i try AT+CSIM through serial com, it says error. then This is bcoz phone is not allowing you. Then how RIL will work.. Anyway need to look how GSM algorithm can be done.
Hi All!
Before crash my Orbit(UK) has:
IPL: 1.25.0001
SPL: 1.25.0000
GSM: 02.67.90
OS: 1.25.00
In About was: OS 5.1.342 (Build 15096.3.0.0)
I have try to flash this ROM:
PDAVIET from PhamQuang
http://www.pdaviet.net/showpost.php?p=124633&postcount=313
(pass PDAVIET)
and made an mistake: I dont flash Artemis Update SPL (USPL) v.01 ( http://forum.xda-developers.com/showthread.php?t=311403 ) before PDAVIET from PhamQuang
Now my Orbit is freese after start on bootscreen.
But I CAN ENTER to Bootloader.
Help me to ident official ROM (and give link to file, please) or say what can I do in this situation.
I've try this ROM's:
O2 XDA Orbit 3.4.207 GER - say: FEHLER [244] : UNGULTIGE MODELL ID
T-mobile UK 1.13.110 - say: ERROR [294] : INVALID VENDER ID
English Dopod 1.25.707 - say: ERROR [244] : INVALID MODEL ID
ART_HTCFRA_11240601_026790_FRA_SHIP.exe -say: ERROR [244] : INVALID MODEL ID
ART_HTCWWE_11140501_024990_WWE_Test_R.exe -say: ERROR [244] : INVALID MODEL ID
ART_HTCWWE_11240501_026790_WWE_Test.exe -say: ERROR [244] : INVALID MODEL ID
DVG said:
Hi All!
Before crash my Orbit(UK) has:
IPL: 1.25.0001
SPL: 1.25.0000
GSM: 02.67.90
OS: 1.25.00
In About was: OS 5.1.342 (Build 15096.3.0.0)
I have try to flash this ROM:
PDAVIET from PhamQuang
http://www.pdaviet.net/showpost.php?p=124633&postcount=313
(pass PDAVIET)
and made an mistake: I dont flash Artemis Update SPL (USPL) v.01 ( http://forum.xda-developers.com/showthread.php?t=311403 ) before PDAVIET from PhamQuang
Now my Orbit is freese after start on bootscreen.
But I CAN ENTER to Bootloader.
Help me to ident official ROM (and give link to file, please) or say what can I do in this situation.
I've try this ROM's:
O2 XDA Orbit 3.4.207 GER - say: FEHLER [244] : UNGULTIGE MODELL ID
T-mobile UK 1.13.110 - say: ERROR [294] : INVALID VENDER ID
English Dopod 1.25.707 - say: ERROR [244] : INVALID MODEL ID
ART_HTCFRA_11240601_026790_FRA_SHIP.exe -say: ERROR [244] : INVALID MODEL ID
ART_HTCWWE_11140501_024990_WWE_Test_R.exe -say: ERROR [244] : INVALID MODEL ID
ART_HTCWWE_11240501_026790_WWE_Test.exe -say: ERROR [244] : INVALID MODEL ID
Try this with the file:
Attempt - start the device in mode bootloader. Disconnect AS and start mtty. Choose USB.
Take on one commands ( not copy/paste).
set 32
password BsaD5SeoA
ruurun 0
ResetDevice
An other thing you can try is this provided by stewd:
WARNING THIS WORKED FOR ME THERE IS NO GUARANTEE IT WILL WORK FOR YOU BUT I DON'T SEE WHY NOT TO BE HONEST (SORRY FOR THE CAPS)
Having successfully bricked my orbit like several others, I spent the morning scratching my head....
I think it was caused by rebooting after running USPL, and then running the ROM upgrade....anyway........
My Orbit was stuck on the initial boot O2 screen with red writing on it
IPL 1.25.0001
SPL 1.25.0000
GSM 02.67.90
OS 3.4.0.0
Oh bollocks says I.....
What I did
Download german rom update from german site
http://www.o2online.de/nw/support/do...bit/index.html
Using WinRAR
http://www.win-rar.com/index.php?id=160&dl=wrar370.exe
Extract/Remove files from executable update file to folder on desktop or somewhere handy.
Locate nbh file from blue and black ROM or any ROM for that matter
Place in german update folder using same name as german file
ie. RUU_signed.nbh
Start Orbit in bootloader mode,
Press and hold record button and soft reset,
Plug in USB to PC,
Navigate to your extracted update folder, run ROMupdateUtility.exe, Instructions are in German,
But basically.........
Weiter = next
Abbrechen = Cancel
aktualisieren = update
The update completes successfully and you have WM6 and an unbricked Orbit......
WOOHOO !
pvdhelm said:
Try this with the file:
Attempt - start the device in mode bootloader. Disconnect AS and start mtty. Choose USB.
Take on one commands ( not copy/paste).
set 32
password BsaD5SeoA
ruurun 0
ResetDevice
After that, Orbit is restart..
...and freeze on bootscreen.
On screen is only HTC wallpaper and this text:
IPL: 1.12.0001
SPL: 1.12.0000
GSM: 02.67.90
OS: 3.4.0.0
pvdhelm said:
What I did
Download german rom update from german site
http://www.o2online.de/nw/support/do...bit/index.html
Using WinRAR
http://www.win-rar.com/index.php?id=160&dl=wrar370.exe
Extract/Remove files from executable update file to folder on desktop or somewhere handy.
Locate nbh file from blue and black ROM or any ROM for that matter
Place in german update folder using same name as german file
ie. RUU_signed.nbh
Start Orbit in bootloader mode,
Press and hold record button and soft reset,
Plug in USB to PC,
Navigate to your extracted update folder, run ROMupdateUtility.exe, Instructions are in German,
In this case:
My Orbit is start's upgrade, but in 3% - reboot and:
On screen is only HTC wallpaper and this text:
IPL: 1.12.0001
SPL: 1.12.0000
GSM: 02.67.90
OS: 3.4.0.0
In this time on PC - FEHLER [270]: UPDATE-FEHLER
Any other ideas?
imei-check
you will have to send it to a repair center..i had the same issue
you can also send it to the guys at imei-check.co.uk but they accept only EU shipments..the repair will cost you 40£ + 7£
zipper9 said:
you will have to send it to a repair center..i had the same issue
you can also send it to the guys at imei-check.co.uk but they accept only EU shipments..the repair will cost you 40£ + 7£
Only this way?
I'm not from UK.
Anybody else?
Still actually.
The fourth day without phone.
pvdhelm
You see that give ????
Your file SPL from Hermes !!!
If you load this on artemis -brick!
My "getdevinfo" is:
41 52 54 45 32 30 30 30 30 00 00 00 00 00 00 00 ARTE20000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4F 32 5F 5F 5F 30 30 31 00 00 00 00 00 00 00 00 O2___001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
DVG said:
My "getdevinfo" is:
Your Orbit is actually from O2 UK (CID: O2___001). You have to find a ROM for O2 Orbit UK then. Unfortunately, no one has it at the moment, and O2 UK does not seem to release the update soon. You have to wait then, I guess!
One thing I wonder: This code was returned by "getdevinfo" command from within mtty or from nbh file that you tried to flash? Usually "getdevinfo" in mtty returns only ARTE10000, ARTE20000 or ARTE30000
Use USB sniffer and see command getdevinfo
my device ARTE10000 and CID 11111111 (SuperCID )
Code:
Cmd>
67 g
67 g
65 e
65 e
74 t
74 t
64 d
64 d
65 e
65 e
76 v
76 v
69 i
69 i
6e n
6e n
66 f
66 f
6f o
6f o
0d .
0d 0a ..
48 54 43 53 HTCS
41 52 54 45 31 30 30 30 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ARTE10000.......
31 31 31 31 31 31 31 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11111111........
00 00 ..
e3 a4 ef 19 ....
48 54 43 45 HTCE
0d 0a ..
43 6d 64 3e Cmd>
YEAH!!! I've succesfully unbrik my Artemis!!! I'm too happy!!!
fabbio87 said:
YEAH!!! I've succesfully unbrik my Artemis!!! I'm too happy!!!
By what method?
With this method (posted by PVDHELM)
Download german rom update from german site
http://www.o2online.de/nw/support/do...bit/index.html
Using WinRAR
http://www.win-rar.com/index.php?id=160&dl=wrar370.exe
Extract/Remove files from executable update file to folder on desktop or somewhere handy.
Locate nbh file from blue and black ROM or any ROM for that matter
Place in german update folder using same name as german file
ie. RUU_signed.nbh
Start Orbit in bootloader mode,
Press and hold record button and soft reset,
Plug in USB to PC,
Navigate to your extracted update folder, run ROMupdateUtility.exe, Instructions are in German,
But basically.........
Weiter = next
Abbrechen = Cancel
aktualisieren = update
For me this method works! I have an Italian No Brand Artemis (HTC P3300) with CID Lock and without Sim Lock.
fabbio87 said:
With this method (posted by PVDHELM)
It means that you have a German Artemis device, but my Orbit - had UK firmware basically. And now I can't find it.
No, my phone is Italian, not german!
fabbio87 said:
No, my phone is Italian, not german!
You are lucky! I am sure your device is CID UNLOCKED (may be you did not know) so you could flash Black and Blue ROM. This ROM was made by HTC ROM tool and signed with SuperCID. Congratulations! You can now flash any ROM you build by HTCRT.
I don't know if my HTC is CID unlocked, how can I find out if it is? I've never tried to unlock it, I only flashed the USPL...
fabbio87 said:
how can i do to know if it is?
Turn off USB connection in ActiveSync.
Take mtty and any USB sniffer.
In mtty choose the USB connection.
And then TYPE:
set 32
password BsaD5SeoA
getdevinfo
ruurun 0
ResetDevice
After the getdevinfo command, see what is in the USB sniffer. If the CID there is 11111111, you are lucky: it is Super CID and your device is CID unlocked.
My problem is still actually.
Change PagePool via ActiveSync
for PPC
Special thanks to:
Paradis_pal for his great job for Prophet here. None of this could be done without him
Tom_codon for his support
Step 1:
Connect your PPC with PC via AS
Step 2:
Backup your PoolSize: (so you can restore if something goes wrong)
Backup.bat : Backup your PoolSize
Restore.bat : Restore your PoolSize
Choose your favourite PoolSize :
PP4mb.bat : Change your PoolSize to 4Mb
PP6mb.bat : Change your PoolSize to 6Mb
PP8mb.bat : Change your PoolSize to 8Mb
PP10mb.bat : Change your PoolSize to 10Mb
PP12mb.bat : Change your PoolSize to 12Mb
Step 3:
Soft Reset
Support:
Prophet - Wizard
Artemis - Love
Trinity
Hermes
Elf
... Working on the others
Troubleshooting: If your PPC hasn't been set to Low Security mode, you need to copy EnableRapi.cab to your PPC and install it first before changing the PoolSize (most cooked ROMs in our forum don't need this step)
Great work, man.
I'll give a try in my Hermes and in my Wizard and report back.
Thanks in advance for your effort.
EDIT: Well, I tried first to back up the PP (less intrusive) and modified the BAT to the right byte in Schaps ROM. This is the modified BAT...
@echo off
cls
echo ***********************************************************************
echo * Backup poolsize for HERMES *
echo ***********************************************************************
pause
pdocread 0x3ABC92 1 backup.nb
echo.
echo Poolsize backuped successful !
echo.
pause
When I execute it I obtain this error:
***********************************************************************
* Backup poolsize for HERMES *
***********************************************************************
Presione una tecla para continuar . . .
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x3abc92, 0x1, backup.nb)
ERROR: ITReadDisk - Error interno.
Poolsize backuped successful !
Presione una tecla para continuar . . .
And the 0x3abc92 is the right byte in this case.
i will give a try
i hope you know, that not all roms may be treated like this...
only 4.0.0.0, 1413, all these with pp info at $3abc92
318 probably not...i do not know 'bout newer ones.
Does it work on O2 Flame?
thanks so much for mentioned my name, it means a lot to me
Greetings,
Anybody tried it with hermes, if it is working or not??
nothin said:
i hope you know, that not all roms may be treated like this...
only 4.0.0.0, 1413, all these with pp info at $3abc92
318 probably not...i do not know 'bout newer ones.
You are right, the offset of WM5 is different from WM6 in mine for Prophet; it depends on the os.nb, we need to look for the right offset
check my wm5 offset
Hey, thanks for this, great job.
Nice work my friend..!
Anyone tried it on Trinity?
Excellent
No sweat.
Could have tried the long version I read on Modaco.
This one is really nice. Very sweet....
Thanks...
jcespi2005 said:
Great work, man.
I'll give a try in my Hermes and in my Wizard and report back.
Thanks in advance for your effort.
EDIT: Well, I tried first to back up the PP (less intrusive) and modified the BAT to the right byte in Schaps ROM. This is the modified BAT...
@echo off
cls
echo ***********************************************************************
echo * Backup poolsize for HERMES *
echo ***********************************************************************
pause
pdocread 0x3ABC92 1 backup.nb
echo.
echo Poolsize backuped successful !
echo.
pause
When I execute it I obtain this error:
***********************************************************************
* Backup poolsize for HERMES *
***********************************************************************
Presione una tecla para continuar . . .
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x3abc92, 0x1, backup.nb)
ERROR: ITReadDisk - Error interno.
Poolsize backuped successful !
Presione una tecla para continuar . . .
And the 0x3abc92 is the right byte in this case.
I have the same problem --
CopyTFFSToFile(0x0, 0x37e0000, Part02.dump)
ERROR: ITReadDisk : read 00000000 bytes - A device attached to the system is not
functioning.
Maybe it's the ROM
ww2250 said:
Anyone tried it on Trinity?
didn't work on trinity...
Installed EnableRapi.cab, soft reset, then connected PPC with PC via AS, ran PP8mb.bat, soft reset, but nothing changed with my minis. What's wrong (running wm6 5.2 v3.18)?
Help Please !
Could someone provide some step by step instructions? I know it was explained but I just need more in-depth instructions. I'm using the Sprint Touch & would like to increase my pagepool size to 32mb's. TIA
download link for trinity doesn't work
I have no use for this on my kaiser bc I find pagepool doesn't really make much of a difference lol. But my friend could really use this to get touchflo2d to work on his apache. Any chance this program would support the apache? Thanks!
For the Herald
Here are the files to change the pagepool for the Herald. Follow the same instructions on the first page.
Original thread....
http://forum.xda-developers.com/showthread.php?t=324955