How do the flashing techniques bypass bootloader security? - Upgrading, Modifying and Unlocking

Since most of the retail HTC devices are bootloader locked, how do the flashing tools bypass this? In my experience if you go into bootloader flashing mode on a Himalaya or Blue Angel, if you try and use the mtty utility to flash a bin image using "l image.bin" you get an error of:
"Not allow operation" which means that the bootloader is locked to prevent flashing. Obviously the tools posted here don't hit this obstacle so I'm curious how that works. Also if you use the tools posted here to flash a different ROM, do any of these upgrades end up rewriting the bootloader as well to end up giving you an unlocked bootloader that would accept the load (l) commands to flash images?
I thought these devices required a special SDIO card only HTC has to unlock the bootloader.
Thanks for the info.

Bootloader
You can unlock some settings by using the PASSWORD BOOTLOADER command
It worked for my HTC Audiovox VX6600 Harrier (Verizon CDMA), but loading the .bin file with l didn't seem to work; I got "not allowed". A way around that was to interrupt the process when doing a real upgrade, and it should put you in a DBG> mode; then you can do l file.bin (once you connect using mtty). I've been wondering how you send a .bin file using mtty. I didn't see any options besides downloading from it, but not uploading to it... Can you help me with that step? Where do I put the .bin file? Or will it open a "file open" window when I type that command?

That's interesting! What does the PASSWORD BOOTLOADER do and where do you enter that command?
Can you detail more about what upgrade you interrupted and how you interrupted it? Where do you see the debug mode? I would have thought that interrupting the ROM flash would not affect the ability to access the load (l) command.
OK, to use a bin file you need to do this. Simply put the bin file in the same PC directory as the mtty utility (ie mtty16.exe) and then once you bring up the app in USB flashing mode you press Enter to get the prompt and then just type: l flash.bin
Basically whatever the local file name is type that name. If you want to place the image somewhere else then it would be something like:
l c:\flash.bin
Just keep the filename short to make it foolproof to type.
Let me know if you get this to work. I'm curious whether, once this is done and you again boot up into USB flash mode, use mtty and then use the load command, you now get it to work or you again see the Not allow operation error.
What I am hoping is if doing a process of getting a new image on a Blue Angel (Harrier in your case) gets the bootloader in a state where it could be backed up and then restored onto a different device allowing its bootloader to be flash unlocked.
Have you seen any tools posted here to back up and restore the
BlueAngel bootloader?
This is fun stuff!

Hey, thanks, awesome. Have you tried the commands "d2s" (disk to storage) and "s2d" (storage to disk)? Those commands were not enabled until I typed PASSWORD BOOTLOADER and it gave me a success notice... I'll post the info I have for them.
usage_cmd_d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
usage_cmd_s2d
Usage:
s2d
Restore memory from storage.
I currently have the 1.02 bootloader so it might be different for you.. also
h = help
and supposedly once you have unblocked the bootloader you can do h full, which should give you even more options, but that didn't work, which is weird. I think they took the h command out, even though they left all the info in the loader, because you can always do a hexdump on any bootloader and figure out the commands and their usage..
also here's how to unlock it.. this worked after I typed the password as well.. the only thing that didn't work was l, I think (or at least that I've tried)
usage_cmd_task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot.
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Oh here's a little howto:
example how to flash the extended rom and radio Simultaneously
first copy the first 3 M of the radio to sd:
d2s 60000000 00300000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
****************
Store image to SD/MMC card successful.
and now append the extended rom to the sd card:
d2s 70080000 01000000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
****************************************************************
Store image to SD/MMC card successful.
then when you insert the sdcard, and then boot into bootloader mode, the following happens: on the display, you see a message 'sections=2', and 'press power to flash'. after pressing the power button, you see the following output on the serial port:
Flash ROM mapping total size = 2000000
Flash ID = 89,8802
Trumbull INTEL StrataFlash 128 Mbit MEMORY (K3/k18) found
dwROMTotalSize = 2000000
wTotalChip = 2
HTC Integrated Re-Flash Utility for bootloader Version:1.29 HIMALAYAS PVT version:1.02
MainBoardID = 4
Built at: Sep 24 2003 18:17:06
Copyright (c) 1998-2002 High Tech Computer Corporation
Turbo Mode Frequency = 398 MHz
Run Mode Frequency = 199 MHz
Memory Frequency = 100 MHz
SDRAM Frequency = 100 MHz
Main=0x90035EE4
LCD Power ON!
ATI Chip Id=0x56441002
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
Radio flash Updating...
************
SD/MMC download to ROM is successful!
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
DOC flash Updating...
****************************************************************
SD/MMC download to ROM is successful!
now both the radio and extended rom are upgraded!

That great info. You posted the syntax for the Task command but didn't say how you used it.
after the USB> prompt what did you type?
I'm assuming you use mtty and then do:
USB> PASSWORD BOOTLOADER
and then perhaps:
USB> task xx
but I dont know what values you used
and then:
USB> d2s step #1
USB> d2s step #2
So once you did that, what ROM did you decide to load? I assume you went for some sort of CDMA flavor? What did you end up gaining from the upgrade, since you were probably already on Windows Mobile 2003 SE?
Thanks!

looks like PASSWORD BOOTLOADER does not work. I got:
USB>PASSWORD BOOTLOADER
Invalid command : PASSWORD
For a help screen, use command ? or h
is that how it works?
How did you do the method from your original post where you somehow interrupted a flash and then were able to use the l command?
Thanks.

No it should have said something similar to this:
USB>l
Not allow operation!
USB>help
Invalid command : help
For a help screen, use command ? or h
USB>password boot
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password bootloader
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>BOOTLOADER
I did a couple typos so u can see what I get when it doesn't like the password.
I haven't decided on what to load. I was trying to load the latest bootloader, which is for the Himalaya, and I did what you said, l c:\wall515.bin, and it said something like :F=c:\wall515.bin and then preparing to send, and nothing happened after that. The terminal locked; I did a couple of ctrl + (a key) to try and get out. It seems that I got out with ctrl + a (perhaps abort)?
I did realize though that I was in the CDMA DBG> section, not just the DBG> like before. This might be because I interrupted a radio upgrade, and not a regular WCE upgrade etc., so I'm going to try and do it again. This is my main phone so I have to keep it working, so I immediately just undid everything.
and as for the syntax for d2s:
d2s hex_start_location amount_to_copy
so for example say my RADIO starts at address 60000000 and I want to copy 5MB then the proper command would be
d2s 60000000 00500000
you should get something like
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D50000ze=0
****************
Store image to SD/MMC card successful.
but you will have to be identified in order for any of the commands to work. What version do you have (what phone, model, etc.)? GSM or CDMA? etc.
I also have a program that can be used to dump the ROM from the command prompt.. you might have heard of it already: dumprom.exe and memdump.exe, and a new one called mtrw which seems promising, but it doesn't seem to allow you to enter a password. I think it's programmed to do that automagically. I'm going to try and get the source code and fix it so it does.. and also get a closer look at what it's actually doing.
p.s the syntax of the others are basically the same
for task u would do something like
task 7 0
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
also check out this site:
http://wiki.xda-developers.com/wiki/HimalayaBootloader
alrighty heading to bed
tty tomorrow

That password technique worked but didn't really have an effect. I was already able to do the d2s command.
I sure would like to get the (l) command working and get past the Not allow operation! error.
Did you say you had been trying a Himalaya bootloader on your Harrier?
I have never seen that DBG> mode you were referring to. how do you get into that mode?
Thanks for the great info.

I did it just by chance. Right as you start loading your shipped ROM using the himaupdate or whatever program you use, it will first erase the ROM/RAM. What I did (risking my BA, but luckily it's still dummy proof at that point) was unplug the phone from the cradle right as it hit the 100% (erase completed), then I plugged it right back in, and I got the DBG> instead of the usual USB>. I decided to see what would be different, and l was available. I didn't know how to use it at the time (now I know, thanks to you). If you have a copy of the dumped bootloader you can use a hex editor; I use xvi32, which can be found on the xda-dev's FTP. If you look around, you can see some readable data. I've looked at it thoroughly, and that's how I figured out the password.. here's the part that shows the different modes, so you can see there is a DBG> mode
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002a00 4873 0390 0000 0000 0000 0000 0000 0000 Hs..............
00002a10 0000 0000 0100 0000 6c77 0000 7072 6f75 ........lw..prou
00002a20 7465 7200 6368 6563 6b73 756d 0000 0000 ter.checksum....
00002a30 7764 6174 6100 0000 6572 6173 6500 0000 wdata...erase...
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002a90 0a0a 2a2a 2a20 5365 7269 616c 2070 6f72 ..*** Serial por
00002aa0 7420 7761 7320 7265 2d69 6e69 7469 616c t was re-initial
00002ab0 697a 6564 2064 7565 2074 6f20 756e 6578 ized due to unex
00002ac0 7065 6374 6564 2070 726f 626c 656d 202a pected problem *
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
00002af0 3f00 0000 0d00 0000 0820 0800 546f 6f20 ?........ ..Too
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002b00 6d61 6e79 2061 7267 756d 656e 7473 0a00 many arguments..
00002b10 466f 7220 6120 6865 6c70 2073 6372 6565 For a help scree
00002b20 6e2c 2075 7365 2063 6f6d 6d61 6e64 203f n, use command ?
00002b30 206f 7220 680a 0000 4d61 7820 4379 6c69 or h...Max Cyli
00002b40 6e64 6572 203a 2025 752c 204d 6178 2048 nder : %u, Max H
00002b50 6561 6420 3a20 2575 2c20 4d61 7820 5365 ead : %u, Max Se
00002b60 6374 6f72 203a 2025 752c 2054 6f74 616c ctor : %u, Total
00002b70 2073 7061 6365 203a 2025 7520 4b42 0a0d space : %u KB..
00002b80 0000 0000 4669 7277 6172 6520 7265 7669 ....Firware revi
00002b90 7369 6f6e 203a 2025 730a 0000 4d6f 6465 sion : %s...Mode
00002ba0 6c20 6e75 6d62 6572 203a 2025 730a 0000 l number : %s...
00002bb0 2573 0a00 4346 5265 6164 5365 6374 6f72 %s..CFReadSector
00002bc0 572d 3a20 7743 796c 696e 6465 723d 2578 W-: wCylinder=%x
00002bd0 2c63 6248 6561 643d 2578 2c63 6253 6563 ,cbHead=%x,cbSec
00002be0 746f 723d 2578 2c62 5374 6174 7573 3d25 tor=%x,bStatus=%
00002bf0 780d 0a00 4346 5772 6974 6553 6563 746f x...CFWriteSecto
I'm about to try and see if I can get in the DBG> mode, hopefully it wasn't just a lucky shot and it's easy to duplicate again..
anyways i'll keep u posted
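Added example (not part of any post in this thread): a Python script that parses hex-dump lines in the layout quoted above back into bytes and lists the NUL-terminated strings with their offsets, which is how a firmware reviewer can confirm that command names, prompts and similar literals are readable in a shipped bootloader image. The sample lines are copied from the dump above; the function names and the watchlist are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the hex dump quoted in this thread
# (address, eight 16-bit groups in byte order, then an ASCII column).
DUMP = """\
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
"""

# Illustrative watchlist (an assumption of this example): command names the
# thread uses for writing, erasing, unlocking or dumping flash.
WATCHLIST = {"password", "task", "erase", "wdata", "l", "lnb", "d2s"}

# Address followed by exactly eight 4-digit hex groups; the ASCII column that
# follows is ignored because it can itself contain spaces.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})((?: [0-9a-fA-F]{4}){8})")
# A run of printable ASCII that is terminated by a NUL byte (a C string).
STRING_RE = re.compile(rb"[\x20-\x7e]+(?=\x00)")


def parse_dump(text):
    """Return contiguous regions of the dump as a list of (start, bytes)."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # column header, ruler or blank line
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if segments and segments[-1][0] + len(segments[-1][1]) == addr:
            start, prev = segments[-1]
            segments[-1] = (start, prev + data)  # extends the previous row
        else:
            segments.append((addr, data))  # gap in addresses: new region
    return segments


def extract_strings(segments):
    """List (offset, text) for every NUL-terminated printable string."""
    found = []
    for start, data in segments:
        for m in STRING_RE.finditer(data):
            found.append((start + m.start(), m.group().decode("ascii")))
    return found


def audit(text):
    """Split recovered strings into prompts and command names, flag the watchlist."""
    strings = extract_strings(parse_dump(text))
    prompts = [s for _, s in strings if s.endswith(">")]
    commands = [s for _, s in strings if not s.endswith(">")]
    return {
        "strings": strings,
        "prompts": prompts,
        "commands": commands,
        "flagged": [c for c in commands if c in WATCHLIST],
    }


if __name__ == "__main__":
    report = audit(DUMP)
    for offset, s in report["strings"]:
        mark = "  <-- review" if s in WATCHLIST else ""
        print(f"0x{offset:08x}  {s}{mark}")
    print("prompts:", ", ".join(report["prompts"]))
```

Strings that straddle two dump rows (here "string", split as "stri" / "ng") are recovered because adjacent rows are joined before scanning; the truncated "**" fragment is skipped because it is not NUL-terminated.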

grabbing that bootloader
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier. Ideally if somebody came up with an unlocked bootloader then that tool could maybe be used to dump that unlocked bootloader and then push it to another device.
It sounds like your interrupt technique might be safest to try with an upgrade that only is doing the ROM and nothing else. if there is one thing I've seen hose HTC devices up badly is a messed up radio flash.
Have you been interrupting an upgrade using BaUpgradeUt.exe or doing a boot and restoring from SD card?

Re: grabbing that bootloader
obelix said:
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier.
what? Any tool that dumps ROM can dump a bootloader. Or even more. You can extract bootloader from any ROM update.

I dont doubt it but without knowing how large and the location of a Blue Angel bootloader I wouldn't know where to begin. I wouldn't necessarily want a bootloader from a ROM update as it would be more useful to extract a bootloader from a bootloader unlocked device and then use that to unlock another. HTC has most of its retail Blue Angel & Hima devices bootloader locked so that if you prefer to go through the mtty utility and do a "l blueangel.bin" technique to flash the OS thats going to fail. So that leaves converting a .bin to a .nbf file or replacing the locked bootloader with one thats unlocked.
Are there places in the wiki that detail the positions of the bootloader within Blue Angel memory?

zxvf, did you say you were using the himaupdate program to do the flash? I thought that BaUpgradeUt.exe needed to be used. BaUpgradeUt.exe does not give any messages that say it is erasing ROM. Also since BaUpgradeUt.exe depends on an ActiveSync connection, how can you start the upgrade and then disconnect at the right moment and then plug in the cable and get to mtty? I only know about getting to the command line interface via the mtty app.
Curious to hear more!

Seems that the guy above is having a leaked version of Magneto for BlueAngel and he is not willing to share it.
There is no .bin file out there from HTC. Only Microsoft released the Magneto update as a .bin file.
So before helping him he should clarify why he want all the info from here and is not sharing his Magneto image.
John

Nope, no Magneto stuff. I am strictly trying to work out the innards of the mtty program and how to get past the locked bootloader. I could have been doing this on my Wallaby and Himalaya as well but am playing with the BA for now. From what I hear you'll never see Magneto on a Blue Angel; it's already end of life. If it ever shows up it will simply be some mobile operator's experiment. I don't trust those folks to release any upgrades; they only want to sell new devices.

Bootloader dumping and flashing
I seriously advise you not to try that...
I tried that on 2 different Blue Angels and they got trashed.
Back to scrap.
Although you can get the exact blocks to extract and the exact memory intervals they are allocated in, you have no way to determine if they are the same on the "destination" BA. Therefore, you take an enormous risk on doing this.
I tried to do that because on Portugal operators' sim-locked BA the lock information is actually on the bootloader.
Till now... No luck.
I even considered paying the £20 IMEI-CHECK ask for, but I think that it is not as thrilling as trying to do it by yourself, with your own work and burnt lashes. Apart from that, £20 are always £20 :wink:
By the way, any development on the BA sim-unlocking ?
Cheers

Sorry for not responding any sooner, but I hadn't been able to get online. Anyways, there are MANY tools as mamiach (pardon if I typed it incorrectly) that you can use to extract the bootloader, and I'm actually quite confused about what program I've used. I thought they were just different versions, and a little bit different; I never actually knew one was for upgrades and the other one was for full installs.. What I think I did was, while it was trying to write to the bootloader, I must have interrupted it and it might have immediately put itself in full access / dbg mode (this is just IMHO) in order to save itself.. because I do recall it even said it on the screen. I've tried and tried, and I'm kinda close to giving up; thus, it's been twice that I almost didn't have a phone :/ If you need any programs you are sure to find them on the xda-dev FTP, and/or my website http://www.hexcode.net/xda-dev. It's a mirror of XDA-DEV that the Admin's been using to restore the site.. I'm currently in the process of installing Windows Mobile 2005, but not having much luck; I'm going to keep on trying. Oh yeah, when I unplugged it, I right away plugged it into the cradle again, disabled ActiveSync and started mtty, and that's how I got the DBG> mode. Other than that I'm not sure what to say. There are also programs that are supposed to help you with installing new bootloaders, like pnewbootloader.exe, but they seem to be for the XDA2 so I'm not sure if they work. Also, if this might be of any help, another password I've found that they are using is AYaLaMiH (himalaya spelled backwards). Hope that helps.. ciao

HOW TO ENTER CDMA DBG> mode (BOOTLOADER Full admin mode)
EUREKA I'VE GOT IT...
I should be making a wiki page instead of posting here, but these are the steps that are needed to enter CDMA DBG> mode, which allows the use of extended commands like l, rbmc, s2d, d2s etc.. full access, it seems..
Here are the commands I used.
Hope they work. I was wrong about the password being BOOTLOADER; in fact that's a password that most sellers have to do a few fixes, but not give them full control to screw up our devices..
I don't really know much about the commands except the info that they return, so just bear with me and follow along if you really want to get to this. Getting to the CDMA DBG> isn't dangerous, as you are not writing anything (YET) in order to get there, just modifying some switches etc.
ok so first the password: 40r0~0y~~5~0000
so type
USB>password |40r0~0y~~5~0000
u should get "HTCSPass1.CMˆËHTCEUSB>"
[DONT PRESS ENTER/RETURN JUST CONTINUE TO TYPE]
HTCSPass1.CMˆËHTCEUSB>set 1 0
This makes it so the Operation mode currently is set to "User" (maybe allows user interaction, not sure)
type set 5 7777 (not really sure if this is needed, all it does is set the background color value to 7777)
now the last command: rtask a
here's what mine looks like
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
ÿ
HTC Integrated Re-Flash Utility for Harrier
This version is used for developig CDMA system
Copyright (c) 2003 High Tech Computer Corporatio
CDMA DBG>h
now if I type
l (DONT DO THIS UNLESS UR READY LOOK AT THE SYNTAX FIRST) I was stupid enough to just try it I got this
CDMA DBG>l
start cdma download
instead of the "not allowed or what ever that error was.."
now I hope this doesn't do something bad to my device, but I can't seem to get out.. *GULP*
Anyways thats all the info I have, hope it helps in any way Cheers.

P.S you can look at the syntax of 'l' if u search in the wiki pages.. information brought to us by itsme here is a direct link to his page. I'll also paste the 'l''s section here..
http://www.xs4all.nl/~itsme/projects/xda/bl-ii-usage.html
syntax for 'l':
usage_cmd_l = sub_9004C74C(1)
sub_9004C74C
Usage:
l [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
Auto-launched is disabled after downloading.

Nice job zxvf! Thats some good digging. I didn't follow this section before getting to the Debug mode:
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
What is shmsg and rtask doing? Do the shmsg commands actually do some upgrades and if so from what image? I have never seen them and wonder what those steps do.

Related

Restore the radio rom via sd card dumped from a 6515

Hi everyone,
I have an hw6515 that cannot have its ROM updated via USB cable and ActiveSync (error 606, timeout between USB and bootloader). However, I got ROM images like Bigrom or Ipaq disks for SD card that work fine, but with no Radio ROM working. I have only PDA functions, not cell phone.
I see the solution from xda-developers for Blueangel xda, but it is not for my model of ipaq. Then I need to know if there is any Rom image for hw 6515 with Radio Rom working that I could get or way to upgrade Rom using USB.
Hence I would be eternally grateful if someone have a radio rom image dumped from a 6515 or is willing to help me out by extracting it from their 6515.
If successful, I will announce my findings and host the radio rom.
Thanks
Radio Stack problems hw651x why cant we get some help with this model Ipaq?
I have the same issue with an Ipaq HW6515a which thinks it's a HW6510a now.
I have been reading the forums for about a month now, and have tried almost everything to fix the Radio Stack missing on this "HTC Beetles" device.
My best guess is that either a CID lock is preventing it, or it seems to be missing the CID altogether. When I do an Info 2 .. nothing is returned.
After extensive logging and analyzing, it seems that when I run an official ROM update for my device, after it enters into the radio flash by external bootloader it does a "rtask 10 1" command, then a "rinfo" command.
The whole process seems to stop/lock up and fail at that point.
I have searched the whole web, many long hours, looking for the p10504_BT_HP_PATCH_BETA.EXE file.. not sure what the official name of the Beetle GSM radio fix is.
I can't seem to locate it, but would love a copy or even a log of the successful output from running it.
The only other thing I can think of is manually uploading the RadioOS and RadioFS to the device, which isn't hard to do, but what I lack is the address location to place them.
Also not sure if I need to erase some areas first or if I can just lnb them up with the correct syntax.
What I have written here is not all-inclusive. I'm willing to be more detailed about what I have tried and failed and what seems to work, or even what I know I'm missing, if anyone wants to know.
In general the HP IPAQ HW561(0,5) users need help fixing a botched radio ROM upgrade that an official HP ROM release caused.
Thanks!
makebillions said:
I have the same issue with an Ipaq HW6515a which thinks it's a HW6510a now.
I have been reading the forums for about a month now, and have tried almost everything to fix the Radio Stack missing on this "HTC Beetles" device.
My best guess is that either a CID lock is preventing it, or it seems to be missing the CID altogether. When I do an Info 2 .. nothing is returned.
After extensive logging and analyzing, it seems that when I run an official ROM update for my device, after it enters into the radio flash by external bootloader it does a "rtask 10 1" command, then a "rinfo" command.
The whole process seems to stop/lock up and fail at that point.
I have searched the whole web, many long hours, looking for the p10504_BT_HP_PATCH_BETA.EXE file.. not sure what the official name of the Beetle GSM radio fix is.
I can't seem to locate it, but would love a copy or even a log of the successful output from running it.
The only other thing I can think of is manually uploading the RadioOS and RadioFS to the device, which isn't hard to do, but what I lack is the address location to place them.
Also not sure if I need to erase some areas first or if I can just lnb them up with the correct syntax.
What I have written here is not all-inclusive. I'm willing to be more detailed about what I have tried and failed and what seems to work, or even what I know I'm missing, if anyone wants to know.
In general the HP IPAQ HW561(0,5) users need help fixing a botched radio ROM upgrade that an official HP ROM release caused.
Thanks!
Nice that you have much more experience than me. Just a few questions:
1 - How can we update manually the Radio Rom and Radio file system?
2 - Do you know the syntax and program to do that?
3 - Is it on the Windows, DOS or Linux platform?
4 - Have you tried to execute the process of decrypting the Radio Rom files and tried to map the memory?
I think I've read something about this patch in mobility today (http://mobilitytoday.com/forum/showthread.php?t=12702). I'm about to start to analyze (hex editor) my entire ROM, trying to find what addresses we should use in this case of updating manually.
can we update manually the Radio Rom and Radio file system
Nice that you have much more experience than me. Just a few questions:
1 - How can we update manually the Radio Rom and Radio file system?
** Best I can tell, it's normally with the official ROM upgrade utility; just remove the CeOS and Extrom lines from the .ini file... However, that is not working for me. If we knew where the RadioOS and RadioFS files were to be placed in ROM, we could use mtty to manually erase the ROM address areas and then upload the radio stack to that location and then finalize it by writing it to ROM; we would probably need to hard boot afterwards.
2 - Do you know the syntax and program to do that?
This is very rough and off the top of my head, don't attempt this.. just a basic example (taken from another thread, which I tried and didn't work for me)
open mtty
USB> password 0000000000000000
USB> set 1e 1
USB> password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> erase a0040000 c80000
HTCST ÚÈÒHTCEUSB>password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> erase a0cc0000 c80000
HTCST ÚÈÒHTCEUSB>password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> erase a1940000 640000
HTCST ÚÈÒHTCEUSB> set 1e 0
USB>
USB>lnb c:\ipaq651x\RadioOS.nb0
Don't have an example of the output at the moment.. but you need to edit the file and remove part of the beginning before you are able to upload it with the lnb command. (I used a program to do that for me, HX4700_BootLoader.) I just used it to exit the files; it does auto try and upload them, but I don't think it places it in the correct place in ROM.
USB> password 0000000000000000
USB> set 1e 1
USB> password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> wdata a0040000 c80000
HTCST ÚÈÒHTCEUSB>password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> wdata a0cc0000 c80000
HTCST ÚÈÒHTCEUSB>password 0000000000000000
HTCSPass1.CMˆËHTCEUSB> wdata a1940000 640000
HTCST ÚÈÒHTCEUSB> set 1e 0
USB>
Then would have to repeat for the RadioFS...
I know the addresses above are not correct, and my method is a bit of a guess from what I've seen of how quite a few of the other phones do their radio upgrade.
I have not seen how to flash the Radio Stack via SD... best I can tell we need a special SD chip from HTC that has "special" encoding to flash the GSM Radio ROM to the phone.
3 - Is it on the Windows, DOS or Linux platform?
Windows for most of what I've attempted.. Well, a lot in the CMD prompt in Windows.
Also ActiveSync 3.8 seems to be a lot better with the 6515 than the newer version.
I know you need to have a full battery and be plugged into the power, and you also need a direct connection into the USB.. NO USB HUB in the middle..
I have seen a few people who pulled the battery out for a bit.. then placed it back in.. when it got to the aline screen, they placed it into bootloader mode.. (Power-joystickDown-&-Reset) at the same time.. just press the reset while holding the other two.. till the logo is in the middle and Serial is on top and .21 on the bottom.. place it in the charger and run an official ROM upgrade.
Didn't work for me (tried like 150 times) but seems like it should.
4 - Have you tried to execute the process of decrypting the Radio Rom files and tried to map the memory?
You can use mtty to get a memory map.. didn't seem as useful as it sounds.
I think I've read something about this patch in mobility today (http://mobilitytoday.com/forum/showthread.php?t=12702). I'm about to start to analyze (hex editor) my entire ROM, trying to find what addresses we should use in this case of updating manually.
Let me know if you figure anything out. I know there are people here who probably have a copy of the HTC Beetles GSM BT HP Radio Patch Beta that was circulating earlier this year; I would love a copy. I wish someone would just write us a patch, because there are lots of 651x(5,0{a-?}) phones on which the cellular part is missing.
Meanwhile I need to go rebuild my laptop.. I downloaded a stupid evil (HTC Atom Unlocker.exe) from the xda ftp site and it trashed the other computer I was working on. It didn't get my data, just I'm at game over on that computer.. need to format and start reloading my o/s. I almost want to donate my ipaq 6500 to the person who wrote the program that messed up my Windows install.. then I know they would be busy for quite a while trying to get the GSM working, and have less time to try and creatively destroy stuff that is not broken.
Hope I helped sorry took a day or so..
Mb

Broken Radio ROM blocks official O2 rom, MaUpgradeUt_noID.exe fails "error 114"....

Hello
I hope someone here is able to help me.
I have spent the whole of the last 48 hours (no sleep) trying to fix my O2 XDA Exec. I *believe* that I have tried everything suggested on this forum and on Buzz's site but there is just so much on here now that I may well have missed something.
History:
Over the last few months, my phone has gradually got more inconsistent - dropping calls, refusing to answer calls, losing signal and so on. On Jan 1st, I turned it on and it had lost all my settings - Opera reg code, Wifi encryption, O2 net settings, etc.
I spent the last week with sometimes having network, sometimes not. Finally it just gave up altogether. In Settings>System>Device Info, "Radio Version", "Protocol version" and "IMEI" are all completely blank. When booting, the red text states "No GSM".
Reading around this site it appeared that I should be able to reinstall the radio ROM from the official O2 download however this errored with the Incorrect Country Code error. I have carried out full hard resets and still cannot get any Radio ROM visible. I assume that the lack of IMEI is affecting the official O2 downloads?
Since then, I have tried most variations on this site of ROM installs using MaUpgradeUt_noID.exe suggested in the wiki (with and without entering mtty code: "set 14 0").
Full three-part ROM and radio-only ROM install attempts all fail with the Error 114 "Radio Rom Update Error" (the radio ROM is always attempted first).
The only success I have seen was an update of Bootloader from 1.00 to 1.01 which worked completely perfectly and proved that the PC can indeed connect to the XDA when it feels like it.
After two days of earning no money ( I am self-employed) and no money to spend on support, I wonder if anybody has another suggestion for me?
In case it helps: ROM version: 1.30.107 WWE, ROM date: 04/11/06, ExtROM version: 1.30.162 WWE
All advice welcome
Thanks
Leapy
extract everything from the exe and do an upgrade without the radio.nbf
did you read what he said? its the radio that's bad and needs replacing
i don't know, sorry
poussin69 said:
extract everything from the exe and do an upgrade without the radio.nbf
I am now totally confused.
I know there was a smiley at the end of your comment, I just can't work out if you are being funny or astute (or both?). Can you explain how reinstalling the non-radio ROMs will help? Would that restore the IMEI?
TIA
Leapy
Midget_1990 said:
i don't know, sorry
Thanks for responding anyway. At least I am not crying alone in the wilderness.
It would be terrific to find a fix, though.
Try to flash the radio from Buzz's unlocker with MaUpgrade_NoID.exe
http://www.buzzdev.net/index.php?option=com_content&task=view&id=78&Itemid=1
pof said:
Try to flash the radio from Buzz's unlocker with MaUpgrade_NoID.exe
Thank you for the suggestion, I just tried as you proposed. "Error 114 - Radio ROM Update Error" *sob*!
It's a real shame. It's actually the ideal phone for my needs.
Leapy
1. Disable Activesync (connection settings -> uncheck "allow USB connections").
2. Put universal in bootloader mode
3. Connect device to computer using USB cable.
4. Start HHD Usb monitor (trial version is OK).
5. File -> New session -> USB Monitor -> Select USB device where your phone is connected -> Check "request view" -> Finish
6. In the upper part there are two tabs: basic and complete. Click on "Complete".
7. Click on MaUpgrade_NoID.exe and start the radio flashing process, if everything went fine you should see all the USB traffic output on USB monitor window.
8. When radio upgrade fails, click on Edit -> Export and Save as type "ANSI Text files".
9. Save the text file and zip it.
10. Attach the output here or upload it to ftp if it's too big.
Only with this we can see exactly why it fails
Good luck!
http://forum.xda-developers.com/showthread.php?p=994444#post994444
first, as recommended, I disabled usb from activesync
then downloaded mtty 1.42
connected the usb and started mtty
chose usb
white screen.....
typed set 14 0...
some gibberish on the screen....
ran the rom update....but it informed me that the rom is not for my device...
typed task 0 in mtty (not sure bout the command but its on page 2 of the forum)
ran the update....nothing same error....
now i saw that my universals screen was blank....
removed the battery....and then restarted my universal....
this might help you...
rtask 0/1/3/4
pof said:
1. Disable Activesync (connection settings -> uncheck "allow USB connections").
2. Put universal in bootloader mode
3. Connect device to computer using USB cable.
4. Start HHD Usb monitor (trial version is OK).
5. File -> New session -> USB Monitor -> Select USB device where your phone is connected -> Check "request view" -> Finish
6. In the upper part there are two tabs: basic and complete. Click on "Complete".
7. Click on MaUpgrade_NoID.exe and start the radio flashing process, if everything went fine you should see all the USB traffic output on USB monitor window.
8. When radio upgrade fails, click on Edit -> Export and Save as type "ANSI Text files".
9. Save the text file and zip it.
10. Attach the output here or upload it to ftp if it's too big.
Only with this we can see exactly why it fails
Good luck!
Thank you. I think I did everything exactly as you instructed.
Please find attached the zipped log file.
I would welcome your advice.
Leapy
Radio is corrupted, and device cannot check SecLevel (wait interpreter timeout), it returns default seclevel=FF (unprivileged) and correct CID (O2___001), however when switching to radio bootloader to upgrade the radio, device doesn't answer to any 'rerase' command, that's why the utility gives out flashing after receiving no response to 3 "rerase 0 10000" commands.
Probably this is a bit "crazy", but if it is your last chance... try the following commands in mtty, and try to upgrade the radio again after this:
Code:
USB> password 0000000000000000
USB> set 1e 1
USB> erase a0040000 c80000
USB> erase a0cc0000 c80000
USB> erase a1940000 640000
USB> set 1e 0
Don't do it if you can fix your device by any other means (warranty, service centre, etc...) because I'm not sure if it will work or not
Error 114: Radio Rom Update Error
WOW I have the same problem.....
but these commands for mtty...did nothing to my problem.
ERROR 114: RADIO ROM UPDATE ERROR
I don't know if that helps you....on my PDA it says Upgrade Radio Stack Please Wait...
I have the perfect phone....but it is not a phone anymore...and I go crazy.
Is there any way to update the radio rom from SD card??
Please Help
posted reply to incorrect post - cannot delete post - ignore. Please see next post.
pof said:
Radio is corrupted, and device cannot check SecLevel (wait interpreter timeout), it returns default seclevel=FF (unprivileged) and correct CID (O2___001), however when switching to radio bootloader to upgrade the radio, device doesn't answer to any 'rerase' command, that's why the utility gives out flashing after receiving no response to 3 "rerase 0 10000" commands.
Probably this is a bit "crazy", but if it is your last chance... try the following commands in mtty, and try to upgrade the radio again after this:
Code:
USB> password 0000000000000000
USB> set 1e 1
USB> erase a0040000 c80000
USB> erase a0cc0000 c80000
USB> erase a1940000 640000
USB> set 1e 0
Don't do it if you can fix your device by any other means (warranty, service centre, etc...) because I'm not sure if it will work or not
Well, I too am a little "crazy" so I did as you suggest.
I tried to put Buzz's "unlock" radio v 0.0.0.0 ROM on using MaUpgradeUt_noID.exe. And guess what, it fails again but with a different error!
Error 150: ROM UPGRADE UTILITY ERROR. "This rom upgrade utility is not designed for your device. Please get proper ROM Upgrade Utility and try again!"
I attach the USB Monitor log if it proves any use?
I will try and use the official O2 ROMs and see how that goes.
Thanks again for your assistance, I truly appreciate it.
Leapy
To Leapy...
How did this problem start for you??
I have been using this phone for 1 week, after that I changed my SIM card with another one called MAGIC-SIM card, (programmable) with 8 SIM numbers.
After that day ALL the **** started!!!!!
I had problems during my dialing the number on phonepad...
when I was trying to make a call... it hang up.
After some soft reset...it didn't ask me for PIN.
After a hard reset.... on boot screen it said NO GSM
and then on antenna icon on the top of the screen the antenna had a little x on the right side.
Then the known problem ERROR 114: RADIO ROM UPDATE ERROR
I can update any rom I want but not the Radio ROM
leapy said:
I will try and use the official O2 ROMs and see how that goes.
well, I tried the O2 update and just got the generic "CID" error - twice. So I guess I am no nearer fixing this issue...
All advice welcome.
Leapy
leapy said:
Well, I too am a little "crazy" so I did as you suggest.
[...]
I attach the USB Monitor log if it proves any use?
Sorry but the capture was from the erase commands... not from the failed radio flash... please try to flash 0.0.0.0 radio again and attach the right capture... also make sure activesync is not running when starting the radio upgrade, and if it fails once, run MaUpgradeUtility twice without disconnecting the device from USB.
my friend got the exact same problem with his EXEC, and send it back to O2, they charge him apprx USD500 for mainboard replacement.....(fiuhh.....)
pof said:
Sorry but the capture was from the erase commands... not from the failed radio flash... please try to flash 0.0.0.0 radio again and attach the right capture... also make sure activesync is not running when starting the radio upgrade, and if it fails once, run MaUpgradeUtility twice without disconnecting the device from USB.
Thanks for your continued assistance.
I tried twice with the 0.0.0.0 radio ROM and this time the error has reverted to Error 114 again. With both these attempts, I noticed that the displayed "currently installed" ROM versions were blank - previously I saw the actual on-board version numbers. Not sure if that indicates anything?
Capture logs attached:
leapy said:
Not sure if that indicates anything?
That indicates you previously had activesync enabled and now don't.
Exactly same error as before, radio bootloader is not responding when the RUU sends 'rinfo' and 'rerase' commands to it, then the RUU gives up trying.
You can backup the radio ROM from another device with "d2s 60000000 00800000", and theoretically you should be able to load it into yours by using "L" command... but I'm not experienced with universal bootloader and can't say for sure if this will work and the right commands to do it... so please wait until someone reads this and can help you more than me, or research by yourself if you have the time to do it

Error 114 Upgrading Radio. No GSM. No IMEI.No Protocol. The CID is Locked (Level=FF)

Error 114 when upgrading the Radio on a Vodafone V1640 (Spain).
Display "No GSM". No IMEI. No version Protocol...
Windows Mobile (CE) runs OK and upgrading it works OK.
Extended ROM runs OK and upgrading it works OK.
The CID is Locked:
in mtty.exe:
USB>task 32
Level=FF
USB>
Impossible mission upgrading with any Radio ROM (including Buzz's ROM 0.00.0 and the rest: 1.04, 1.06, 1.08, 1.09, 1.11, etc.).
And when I run Buzz's tool from the HTC Universal, it DOES NOT WORK.
I have tried everything... Is there some solution for this problem???
Hi, which method have you followed to upgrade your device?
(Excuses for my bad English)
I have a Vodafone V1640 (Spanish) and unlocked it with Buzz's tool (from the original Radio version 1.09 to Radio version 0.0.0.0), did a soft reset, and ran Buzz's Unlocker from my HTC.
Up to here all OK. YES, the unlocker worked. All OK.
But 4 or 5 days later, after various soft resets and one hard reset, I got the following message on the display at reboot:
"No GSM",
and it does not recognize my SIM card, has no IMEI, and has no Protocol...
In addition, I cannot install any other Radio ROM either, because I get the following error:
ERROR 114 RADIO ROM UPDATED ERROR
This happens with all possible radio ROMs (1.03, 1.04, 1.05, 1.06, 1.08, 1.09, 1.11...)
Desperate, I also upgraded the bootloader (from the original 1.00 to 1.01).
All the same, same error.
After 3 months I have seen that there are people to whom the same thing has happened as to me, but with other HTC models (e.g. Hermes). Unfortunately, I believe that there is no solution for the HTC Universal.
I believe that my error was not upgrading later from the special radio 0.00.00 to Radio 1.11, for example, AND upgrading the bootloader 1.00 to 1.01.
Now the situation is this:
- The Radio does not work. Is it corrupted, broken??
- I cannot update the Radio (Error 114)
- With the mtty tool, I type:
USB>task 32
Level=FF (Not SuperCID !!!)
USB>
Also, the tool of Buzz now does not work (it works, but it does not do anything).
This user has the same problem:
http://forum.xda-developers.com/showthread.php?t=289260
And by this classification I have Type 1a:
http://forum.xda-developers.com/showthread.php?t=286755
but this is for HERMES, not for HTC Universal. I tried it but it did not work.
Please, can you help me? Is there a solution to this disaster for the HTC Universal (Vodafone V1640 Spain)?
Excuses for my bad English!!
¡¡and thanks for any answer!!
Ok, let's see ... what I really meant was are you upgrading with your device in "bootloader mode" or once WinCE is booted?
If you're doing it with the WinCE already running, please try putting your device on bootloader (Power+Light+Reset) and run again Buzz's unlocker (with Ma_UpgradeNoID.exe).
If this method doesn't work take a look at this thread:
http://forum.xda-developers.com/showthread.php?t=289260
It talks about reflashing your radio using an SD image dumped from another device, this could harm your Universal...so don't blame me!
Currently there's no radio dumped on the ftp so I will try to get it tonight or maybe tomorrow, I have installed on my device 1.14.10.
Hope the first method will work!
thank you very much for the answer...
Please, could you explain to me how to flash the radio with an SD card (step by step)?
I have all the Radio ROMs, but I have never upgraded by SD card (the format it must have, etc.). I have always flashed by USB.
Thanks
And I have read that if the CID is locked (my case) it will not work either, because the command "lbl" from mtty.exe does not work.....
Oh mon Dieuuu (
Ok, the dumped Radio rom 1.14.10 it's now here.
I have never performed this, but as far as I understand you have to make a raw copy of my dumped image to a blank SD card, insert it on your device and get into the bootloader.
Wait some seconds and something will be written on your display, just asking to press power to begin with the flashing.
But again I'm just guessing....
BTW, I did the image file using linux command 'dd' so if you use linux as well it should be easy to restore it to an SD card. Sorry I can't tell about windows.
Good luck!
Thanks, I downloaded the file and copied it to my SD card with ntrw.exe
F:\>ntrw write Universal-radio.img j:
NTRW v2.00
Removeable media
Cylinders: 0:62
TracksPerCylinder: 2
SectorsPerTrack: 63
BytesPerSector: 512
bufsize is 65536
63569920 bytes written
ALL OK (my SD card is 512 MB). I put the card in the device, soft reset, enter the bootloader... and it does not run. ¿?¿?
Does anyone have an idea what I am doing wrong?
I will continue investigating….
Help, How to Load the Rom by SD Card?
In mtty 1.42 and 1.16 , the command s2d
Level = FF
USB>s2d
Invalid command : s2d
For a help screen, use command ? or h
USB>
How to load the ROM from SD card to the device?
And with the format?
Please help, this is my last hope...
Hmm maybe I did something wrong....may I assume you're Spanish? If so please feel free to contact me privately and I could send you my little 64MB SD card, I have tested it and works, I mean I didn't flash my device with it but I've seen the option to do the flashing
as far as i know the card MUST be 128mb (taken from the service manual and my personal experience)
Midget_1990 said:
as far as i know the card MUST be 128mb (taken from the service manual and my personal experience)
I thought it was more a matter of space than a real requirement cause I just dumped the full radio (~16MiB).
Could someone please confirm this?
Thanks.
I obtained a 128 MB card and I have repeated the process.
F:\>ntrw.exe write uni.img j:
NTRW v2.00
Removeable media
Cylinders: 0:15
TracksPerCylinder: 255
SectorsPerTrack: 63
BytesPerSector: 512
bufsize is 65536
63569920 bytes written
F:\>
I enter the bootloader with the SD card and nothing happens.
Could it be because the security level is Level = FF (and not SuperCID)???
From mtty, typing task 32:
USB>task 32
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
d.total_lba=3BF00
d.block_size=200
d.RCA=1
d.drv_type=40000000
d.busWidth=1
Total card size=77E0000
Wait interpreter timeout
Level = FF
USB>
Tripledes, I have sent you a private message
tomsan said:
Tripledes, I have sent you a private message
I have the same problem of "no GSM", could you please send me the message too? Thanks
no GSM
Thank you guys! I followed it step by step, and when I updated by SD card, the screen showed me "sections=1 not allow update". Who can give me more advice?
I have same problem.
the rom headers r different..u need to copy the headers. I know that for a ce rom first 416 bytes r to b copied..for radio i don't know..maybe someone can tell here
tecumseh said:
I have the same problem of "no GSM", could you please send me the message too? Thanks
Hello,
Same problem here, http://forum.xda-developers.com/showthread.php?p=3187581#post3187581
Did you solve it??? How
Rui

Another bricked Universal

Seems to have been a run on these!
I have an SPV M5000 that was happily-ish running WM6 (as in my sig), and decided to pass it on to someone and put it back to Orange WM5 firmware.
Well, something went wrong, and now it's stuck with no Radio ROM; I've done the MTTY/Task 28 stuff, I've tried every ROM I can lay my hands on, and I'm having a couple of basic issues:
If I use the generic RUU update, it doesn't want to write the ROM. It just sits there at 0% with the device presumably waiting to get something. Eventually it times out with error 114. Then goes into recovery, and crashes.
If I try any others, including the Orange ROM, it complains that it has an invalid country code. Since this WAS a UK M5000, I used Jwright's M5000 ROM, and I have no idea why this would be changed or broken.
Obviously the bootloader appears to be working, but I don't seem to be able to get a Radio ROM onto it. I'm using an iMac booted into Windows XP since my Vista machine is, well, running Vista.
I really don't want to throw this unit away (and trust me, if I can't make it work by the time I give up it WILL be hurled into the nearest solid object then beaten to a pulp with my iPhone).
Well, I've tried everything on the forum; it's refusing to accept a Radio ROM, even though I've flashed the other parts with success. The only thing I haven't tried is SD-card upload since no-one has actually said "how" this works - how to prepare the SD card for use, for example, what the file should be - so I assume nobody knows this.
I've even tried the MTTY "erase" commands as suggested by Pof, and pretty much the only thing left is trying to update with the Linux tool that won't really help me much as I don't have a Linux setup.
I must admit that with the level of expertise on these forums, I can't find a solution to this, but with all of that - and no doubt if anyone was awake to read this I'd have been told to search (which is, of course, what I've been doing for the past 5 hours, along with flashing, rebooting, trying different cables, etc) - and still no working machine, I can only assume my M5000 is scrap due to some weird bug. Not worth spending money on to repair.
So, how shall I destroy it? Run over it with the car? Switch it on (obviously everything APART from GSM is working fine, with the lovely extended battery) and then set fire to it and see how long it'll run for? Freeze it? Smack it with a large hammer? Drive to Dover and see if I can get a strong enough catapult to send it to France, where it will HAVE to unlock itself by law?
(Edit: Tried it with the FlipStart; clean install of ActiveSync 4.5 - still nothing).
What's that stuff about "device ID not compatible"?
01:56:49:905 [msg] : Version : [2.11].
01:56:49:905 [msg] : Config Info : [857873],[1],[0],[0],[1],[0],[0],[1].
01:56:49:968 [msg] : MSystemFile Not Exist !
01:56:49:968 [msg] : CEFile Not Exist !
01:56:49:999 [msg] : Current in CE Mode.
01:56:54:280 [msg] : Device BL VER : [] [].
01:56:54:280 [err] : Device CID Error.
01:56:54:280 [msg] : Update Image. CE : [0], MSystem : [0], Radio : [1]
01:56:59:046 [msg] : Check Ac in CE mode. AC : [1]
01:56:59:046 [msg] : IsBL. BL : [0]
01:57:03:280 [msg] : Enter BL OK.
01:57:07:296 [msg] : Disconnect ActiveSync .... [2]
01:57:07:296 [msg] : Start Get Connect Port.
01:57:07:468 [msg] : Current in BL Mode. Open Port : [\\.\WCEUSBSH001] OK.
01:57:29:187 [msg] : Get Device Backup ID.
01:57:29:187 [msg] : Device BL VER : [1.01 ] [].
01:57:29:187 [msg] : Device ID Is Incompatible.
01:57:31:187 [msg] : =============================================
01:57:31:187 [msg] : START UpdateRadio !
01:57:40:077 [msg] : Check Radio Level 0 [704].
01:57:41:655 [msg] : RUpgrade 0 : 0 Start.
02:02:22:952 [err] : RWipe Data Error.
02:02:23:421 [err] : BL UpdateRadio Error.
02:02:23:421 [msg] : START UnInitialization !
02:02:23:437 [msg] : END UnInitialization !
02:02:28:812 [msg] : START UnInitialization !
02:02:28:812 [msg] : END UnInitialization !
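The upgrade-utility log in the post above can be read mechanically. The following is an added example, not part of the original post or of the HTC tool: it parses the `HH:MM:SS:mmm [level] : message` lines, lists the error entries, and finds the longest silence between two lines, which shows that the radio stage fails by timing out rather than by being refused at once. The function names and the 60-second threshold are assumptions made for this sketch.

```python
import re
from typing import NamedTuple

# Excerpt copied from the log in the post above; nothing in it is constructed.
SAMPLE_LOG = r"""
01:56:49:999 [msg] : Current in CE Mode.
01:56:54:280 [msg] : Device BL VER : [] [].
01:56:54:280 [err] : Device CID Error.
01:56:54:280 [msg] : Update Image. CE : [0], MSystem : [0], Radio : [1]
01:57:03:280 [msg] : Enter BL OK.
01:57:07:468 [msg] : Current in BL Mode. Open Port : [\\.\WCEUSBSH001] OK.
01:57:29:187 [msg] : Get Device Backup ID.
01:57:29:187 [msg] : Device BL VER : [1.01 ] [].
01:57:29:187 [msg] : Device ID Is Incompatible.
01:57:31:187 [msg] : START UpdateRadio !
01:57:40:077 [msg] : Check Radio Level 0 [704].
01:57:41:655 [msg] : RUpgrade 0 : 0 Start.
02:02:22:952 [err] : RWipe Data Error.
02:02:23:421 [err] : BL UpdateRadio Error.
02:02:23:421 [msg] : START UnInitialization !
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d):(\d{3}) \[(\w+)\] : (.*)$")
BL_VER_RE = re.compile(r"Device BL VER : \[([^\]]*)\]")
DAY_MS = 24 * 60 * 60 * 1000
STALL_THRESHOLD_MS = 60_000  # assumption: a silence this long is a timeout


class Entry(NamedTuple):
    ms: int     # milliseconds since the first midnight covered by the log
    level: str  # "msg" or "err"
    msg: str


def parse_ruu_log(text):
    """Parse timestamped log lines; lines in any other shape are skipped."""
    entries, offset, prev = [], 0, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, milli = (int(m.group(i)) for i in range(1, 5))
        ms = ((h * 60 + mi) * 60 + s) * 1000 + milli + offset
        if prev is not None and ms < prev:  # clock wrapped past midnight
            offset += DAY_MS
            ms += DAY_MS
        entries.append(Entry(ms, m.group(5), m.group(6)))
        prev = ms
    return entries


def longest_stall(entries):
    """Return (gap_ms, entry_before, entry_after) for the largest silence."""
    best = (0, None, None)
    for before, after in zip(entries, entries[1:]):
        gap = after.ms - before.ms
        if gap > best[0]:
            best = (gap, before, after)
    return best


def triage(entries):
    """Summarise what the log says about where the update stopped."""
    versions = [m.group(1).strip() for e in entries
                for m in [BL_VER_RE.search(e.msg)] if m]
    gap, before, after = longest_stall(entries)
    return {
        # last non-empty bootloader version the utility read back
        "bl_version": next((v for v in reversed(versions) if v), None),
        "errors": [e.msg for e in entries if e.level == "err"],
        "stall_ms": gap,
        "stalled_after": before.msg if before else None,
        "stall_ended_with": after.msg if after else None,
        "timed_out": bool(after and after.level == "err"
                          and gap > STALL_THRESHOLD_MS),
    }


if __name__ == "__main__":
    for key, value in triage(parse_ruu_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On this log the longest gap sits between "RUpgrade 0 : 0 Start." and "RWipe Data Error.", so the utility waited several minutes on the radio stage before giving up.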
Was the device unlocked before flashing to wm6? You could also try flashing on a Windows XP machine..hope this works for you.
Or try this..Got it from Laurentius
1) The radio stack is screwed, you don't get GSM signal and the phone says unknown SIM status
2) Device won't start after trying to unlock it with HTC Universal Unlocker (HTC_Uni_SIM_Unlock_v1)
Here is how to fix it:
1)Disable activesync on your computer by right click on activesync icon -> connection settings -> uncheck "allow USB connections". (( Done! ))
2)Put your Hermes (( Universal )) in bootloader mode
3) Connect device to computer using USB cable. (( Done with Original Cable ))
4) Open mtty.exe and select USB port, then connect.
Hit enter twice, you will see the "USB>" prompt. (( Okay but i usually get the USB> prompt with single hit of Enter ))
Type the following commands (do not copy paste!!!) (( I type them ))
USB> password 0000000000000000 (( Returns: HTCSPass1.CMˆËHTCEUSB> ))
USB> set 1e 1 (( Returns: USB> ))
USB> erase a0040000 c80000 (( Returns: HTCST ÚÈÒHTCEUSB> ))
USB> erase a0cc0000 c80000 ((Returns: HTCST ÚÈÒHTCEUSB> ))
USB> erase a1940000 640000 (( Returns: HTCST ÚÈÒHTCEUSB> ))
USB> set 1e 0 ((Returns: USB> ))
(( Then i close the window of MTTY and proceed to step 5 ))
5) Reset your phone and put it back in bootloader mode (( Here i take my Universal off the usb cable, soft reset it with the stylus and without letting it to boot i switch it into the bootloader mode again and get "Serial & v1.01" on the screen's header and footer ))
6) If your bootloader version is different than 1.04 then Flash Bootloader version 1.04 (( I simply ignore this step as this could be for Hermes users only not for UNIVERSAL Users - Pls. correct me if i'm wrong ))
7) Flash the patched radio used to simunlock the Hermes (( I do it with HTC_Uni_Unlock_v1 it has radio version 0.00.00 BUT still it gets stuck at 0% and after sometime gives the same error 114. Cannot Update Radio ROM ))
Your phone should be alive again (( Its Not ))
<---]]]]
clemsyn said:
Was the device unlocked before flashing to wm6? You could also try flashing on a Windows XP machine..hope this works for you.
Um...
I'm using an iMac booted into Windows XP
The FlipStart is also running Windows XP.
And it was SIM-unlocked by Orange; it wasn't SuperCID, and I flashed the "Orange M5000" version of Jwright's Crossbow ROM with no issues (apart from the Crossbow bugs).
clemsyn said:
Or try this..Got it from Laurentius
1) The radio stack is screwed, you don't get GSM signal and the phone says unknown SIM status
<snip>
Your phone should be alive again (( Its Not ))
<---]]]]
Tried that, one of the first ones I found. Now IIRC the bits in brackets are his results as he tried it. The last line says it didn't work. Which is precisely what happened for me, too!
At present the ROM update won't progress at all. Before it would reach 99% then fail. I'm wondering if the battery, despite showing 100%, is actually not charging correctly and it needs more power to erase the Flash.
Well, let it charge all night in case it was a power issue (it has a high-capacity battery), tried the Radio ROM, tried the 'task 28' path, tried Universal_SIM_Unlock with MaUpgradeIt - wiped the ROM, no problem reflashing with CE/ExtROM, but no Radio. Just cannot install it period.
Task 32 gives me FF - CID is corrupted, basically. Can't flash Radio 0.00.00, can't flash any radio at all.
Is there any way around this, or is it (as it seems from extensive forum searches including Buzzdev) scrap now? Is there a way to flash an ID to it, and if so, is there any way that the IMEI is damaged, or if so restorable, or will the phone be useless even if I can get a ROM onto it?
I don't get it, as I did nothing stupid with this; I've flashed loads of devices, I even flashed (and risked bricking in a BIG way) a brand new iPhone without headaches. Seems to be a lot of Universals suffering this lately - what is causing it?
Have u tried task 28 55aa
clemsyn said:
Have u tried task 28 55aa
Again, from the first post in the thread:
"Well, something went wrong, and now it's stuck with no Radio ROM; I've done the MTTY/Task 28 stuff, I've tried every ROM I can lay my hands on, and I'm having a couple of basic issues:"
I appreciate the attempts to help, but what I am looking for is some insight into what has gone wrong, not blind attempts to try any solution - I've tried it all already in the hope something would work. I think that the issue is very low-level, and I don't know how it becomes corrupted - but I have a suspicion that many Unis have been bricked in the same way and the reason no-one has posted a definitive solution is that there isn't one.
you did not mention if you were flashing with the SD card inserted into the unit (or have you but I failed to read it).
there is one flashing problem here somewhere and the issue was solved when the SD card was removed from the Uni before flashing.
Good question, and no - no SD card, no SIM card; I think I remembered this from the original Uni_Unlocker stuff which I'd been going to try before finding out Orange would unlock it for me anyway.
In fact, I'd like to try flashing FROM SIM card if anyone could provide a dump, but no-one seems to have been able to in the threads I have read - since the information about how the SD-Flash works is somewhat scarce, the service manual says "you can", but not what format the data should be in, or how the process works. Merely, how it can be initiated.
And I also suspect that with corrupted CID, I couldn't access the flash routines anyway, since all the radio flash tools appear to depend on this Sec level being "open". Some sort of direct hardware flash - maybe via JTAG - may be the only way around it, though I noticed the Hermes solution which runs under Linux would appear to work by "forcing" the data somehow.
I have the same problem. And I confirm, I cannot upgrade...
... by SD card, because I get an error:
"Update not allowed!"
The situation is:
- All updated WinCE ROMs run OK and function correctly: Wifi, Bluetooth...
- All updated Extended ROMs run OK!
- But no Radio ROM can be updated, including the special ROM of Buzz.
I have the same error 114. The device displays "NO GSM", and has no IMEI, no Protocol.... The phone is OUT of service.
The problem is that the CID is scratched or the Radio bootloader is broken. After 2 years there is still no solution for the Universal devices, but for Hermes devices there is a solution:
http://forum.xda-developers.com/showthread.php?t=286755
Please guys, pof, buzzz, HEEELP for the bricked Universal devices
Pleasee....!!
P.S.: (sorry for my bad English)

Bricked diamond...

Alright i have a telus HTC diamond (CDMA) and iv unlocked it with cmonex bootloader (The CDMA version on PPCGeeks). I dont know wut i touched but now my phone doesnt boot into windows, it just keeps resetting... When i type rtask c into MTTY (I can still get into the bootloader) it says
Calibration
No Card inserted
HTC_SMEM_CE_RADIO_DBG_FLAG: 300
Enter Radio Image
Iv tried flashing the sprint shipped rom with radio but that did not work...
does any1 have any idea of how to fix this?
CashMoney18 said:
Alright i have a telus HTC diamond (CDMA) and iv unlocked it with cmonex bootloader (The CDMA version on PPCGeeks). I dont know wut i touched but now my phone doesnt boot into windows, it just keeps resetting... When i type rtask c into MTTY (I can still get into the bootloader) it says
Calibration
No Card inserted
HTC_SMEM_CE_RADIO_DBG_FLAG: 300
Enter Radio Image
Iv tried flashing the sprint shipped rom with radio but that did not work...
does any1 have any idea of how to fix this?
You MUST install HardSPL before doing anything else........also, try a hard reset......
i do have a hardSPL... i have 0.43.CMONEX on the phone right now and i already tried hard reset many times but it does not work...
CashMoney18 said:
i do have a hardSPL... i have 0.43.CMONEX on the phone right now and i already tried hard reset many times but it does not work...
try this one....
http://forum.xda-developers.com/attachment.php?attachmentid=37669&d=1177280888
good luck
that will brick my phone 4ever... i have a CDMA Diamond... thats a GSM hardSPL not a CDMA hardSPL... i have the right hardSPL that is not the problem...
CashMoney18 said:
that will brick my phone 4ever... i have a CDMA Diamond... thats a GSM hardSPL not a CDMA hardSPL... i have the right hardSPL that is not the problem...
Sorry about that. my mistake.........
When did that first occur ?
After flashing Hard SPL ?
Anything we need to know about that ?
Could be that NAND is broken. Do a check on bad blocks.
Cya,
Viper BJK
No it was not flashing of the hardSPL... it must have happened when i was trying to figure out how to change the esn... only thing i cud think of that i did wrong was I did the QMAT security unlock with HTC on command which was in the QMAT manual... but i dont think that would brick it like this... would it? also how would i do a bad block check on a diamond... could u list the commands in order? i dont want to mess it up even more...
EDIT: Well apparently i do have bad blocks... what to do now? is that the reason why i cant boot into windows?
It also says my device name is a samsung... which i dont think is right...
Cmd>info 8
--- 2K bytes sector version ---
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 523 (0x20B) is bad block
BLOCK 869 (0x365) is bad block
BLOCK 1696 (0x6A0) is bad block
Partition[0], type=0x20, start=0x2, total=0x63E
Partition[1], type=0x23, start=0x640, total=0x800
Partition[2], type=0x25, start=0xE40, total=0xE900
Partition[3], type=0x4, start=0xF740, total=0xC340
CE Total Length(with sector info) = 0x7C1BA00
CE CheckSum Length(without sector info) = 0x7BA0000
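The `info 8` listing in the post above carries enough numbers to cross-check itself. The following is an added example, not part of the original post or of any HTC tool: it parses the listing, derives the flash capacity from the geometry, checks that the partitions are contiguous, confirms from the CE checksum length that partition offsets are counted in 2K sectors, and places each bad block in a partition. Mapping bad blocks onto partitions assumes the partition sector numbers are physical, which the output does not state; the function names are hypothetical.

```python
import re

# Output copied from the `info 8` listing in the post above.
SAMPLE_INFO8 = """\
DEVICE NAME=samsung_k9k2g08
DEVICE ID=0xAA
DEVICE MAKER ID=0xEC
PAGE SIZE=0x800
TOTAL PAGE SIZE=0x840
BLOCK COUNT=0x800
BLOCK PAGE=0x40
Checking block information
BLOCK 523 (0x20B) is bad block
BLOCK 869 (0x365) is bad block
BLOCK 1696 (0x6A0) is bad block
Partition[0], type=0x20, start=0x2, total=0x63E
Partition[1], type=0x23, start=0x640, total=0x800
Partition[2], type=0x25, start=0xE40, total=0xE900
Partition[3], type=0x4, start=0xF740, total=0xC340
CE Total Length(with sector info) = 0x7C1BA00
CE CheckSum Length(without sector info) = 0x7BA0000
"""

HEX_KV = re.compile(r"^([A-Z ]+)=(0x[0-9A-Fa-f]+)$")
BAD = re.compile(r"^BLOCK (\d+) \(0x[0-9A-Fa-f]+\) is bad block$")
PART = re.compile(r"^Partition\[(\d+)\], type=(0x[0-9A-Fa-f]+), "
                  r"start=(0x[0-9A-Fa-f]+), total=(0x[0-9A-Fa-f]+)$")
CE_LEN = re.compile(r"^CE (Total|CheckSum) Length\(.*\) = (0x[0-9A-Fa-f]+)$")


def parse_info8(text):
    """Turn the listing into geometry, bad blocks, partitions, CE lengths."""
    info = {"geometry": {}, "bad_blocks": [], "partitions": [], "ce": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEX_KV.match(line):
            info["geometry"][m.group(1)] = int(m.group(2), 16)
        elif m := BAD.match(line):
            info["bad_blocks"].append(int(m.group(1)))
        elif m := PART.match(line):
            start, total = int(m.group(3), 16), int(m.group(4), 16)
            info["partitions"].append({
                "index": int(m.group(1)), "type": int(m.group(2), 16),
                "start": start, "end": start + total,  # end is exclusive
            })
        elif m := CE_LEN.match(line):
            info["ce"][m.group(1)] = int(m.group(2), 16)
    return info


def analyse(info):
    g = info["geometry"]
    page, per_block, blocks = g["PAGE SIZE"], g["BLOCK PAGE"], g["BLOCK COUNT"]
    parts = info["partitions"]

    # If the CE checksum length divides evenly by the page size and lands on
    # a partition boundary, the partition offsets are in page-sized sectors.
    ce_sectors, rem = divmod(info["ce"]["CheckSum"], page)
    boundary = next((p["index"] for p in parts if p["end"] == ce_sectors), None)
    extra = info["ce"]["Total"] - info["ce"]["CheckSum"]

    # Assumption: sector numbers are physical, so block b starts at sector
    # b * pages_per_block. Bad-block remapping would shift this.
    located = {}
    for b in info["bad_blocks"]:
        first = b * per_block
        located[b] = next((p["index"] for p in parts
                           if p["start"] <= first < p["end"]), None)

    return {
        "capacity_bytes": page * per_block * blocks,
        "bad_block_count": len(info["bad_blocks"]),
        "partitions_contiguous": all(a["end"] == b["start"]
                                     for a, b in zip(parts, parts[1:])),
        "ce_sectors": ce_sectors if rem == 0 else None,
        "ce_ends_with_partition": boundary,
        "sector_info_bytes": (extra // ce_sectors
                              if ce_sectors and extra % ce_sectors == 0 else None),
        "bad_block_partition": located,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_info8(SAMPLE_INFO8)).items():
        print(f"{key}: {value}")
```

The geometry works out to 256 MiB with 3 bad blocks out of 2048, and the CE image ends exactly where partition 3 begins.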
Bump... for Viper to see
1. OK... what command did you use in QMAT?
2. Did you change any bootmethod or anything else with, for example, debugtool?
The bad blocks do not seem to be the problem.
The commands I used in QMAT were "rseed" and "rpass" "set 16 0"
I also followed these steps after the brick:
1. Get mtty
2. Connect to USB, press enter
3. Type task 32, enter <--Don't know what it is for
4. Type 28, enter <--format DOC
5. Flash CE ROM only
6. Hard Reset
but that did not work either...
Also, could you give me some examples of commands for changing bootmethod, as I'm not sure if I used any... and I did not touch any debug tools...
CashMoney18 said:
The commands I used in QMAT were "rseed" and "rpass" "set 16 0"
I also followed these steps after the brick:
1. Get mtty
2. Connect to USB, press enter
3. Type task 32, enter <--Don't know what it is for
4. Type 28, enter <--format DOC
5. Flash CE ROM only
6. Hard Reset
but that did not work either...
Also, could you give me some examples of commands for changing bootmethod, as I'm not sure if I used any... and I did not touch any debug tools...
OK, here are some tips/ideas:
Try typing "boot" in mtty or QMAT.
If this doesn't get the OS booting then you can try "set 14 0".
If that's no good, then to read config flags you can use "readconfig" (as you have MFG SPL); all values should come back as 0x0. If not, let us know.
For bootmodes you can check your current bootmode in oemsbl after rtask a. You can try setting it to 0 ("setboot 0" command after typing "rtask a") but I don't think that's the issue.
(Note: all the other commands I listed are not for rtask, only setboot is.)
Alright, I tried all the commands and here are the results:
When I type just "boot" the device just keeps resetting.
When I type "set 14 0" it comes back with a string of
HTCST ÚÈÒHTCE
and doesn't do anything.
"readconfig": all the values are 0x0 like they should be, I suppose,
and when trying "setboot 0" it gives me an invalid cmd error while in rtask...
HTC_SMEM_CE_RADIO_DBG_FLAG: 300
doesn't seem to be 0x0. Are you sure that all items in readconfig are 0x0?
Ok ... it seems that the bootmode is incorrectly set.
Try to "setboot 0" after "rtask a".
That will only work if your device is security unlocked
Yes, I'm sure that they're all 0x0... unless I'm looking at the wrong thing, but HTC_SMEM_CE_RADIO_DBG_FLAG is not in the readconfig...
Also it tells me that setboot 0 is an invalid command... and I'm pretty sure I'm security unlocked (SuperCID and the bootloader says security unlocked at the top)... the only thing I can think of is maybe the 0.43.CMONEX bootloader does not have the setboot command...
Cmd>rtask a
Enter Radio Bootloader
POWER ON PMIC VREG_USB : SUCCESS!
ECHO ON MODE
setboot 0
Invalid cmd!...
readCID
@CID: 00000000
EDIT: Alright, so I just found this new command "checkimage" and it came up with
Cmd>checkimage
SPL CRC checksum = 0x40142266 CE CRC checksum = bad=0x300
bad=0x45A
0xA069868D ExtROM CRC checksum = 0x0
which is where I believe the HTC_SMEM_CE_RADIO_DBG_FLAG: 300 is coming from... any ideas?
Ahh ok .... way better.
Yes, setboot is only available on MFG Bootloader.
As you can see, the CE OS CRC failed. So you need to flash CE OS again.
Be sure that you flash a valid ROM. Try an original one from HTC.
Maybe you've got a connection problem whilst uploading. Try to flash again using another PC.
If that doesn't work out, it seems your NAND flash is broken.
Cya,
Viper BJK
Alright, so I flashed the original Sprint shipped ROM again but that did not fix the checkimage error... so any more ideas on how I may fix this?
NAND broken as in there's no way of fixing it?
Also, I got a tip from someone at ppcgeeks to flash the radio via rtask... would that make a difference as opposed to flashing normally through the bootloader and RUU?
Err, flashing via rtask is possible... but it's really user-unfriendly and more risky.
I guess they thought about the rwfactory command...
I'll rethink the options in the next days and will come back to you.
Cya,
Viper BJK
Alright, so here's another update on my progress, or not so progress... lol
I flashed the Verizon CDMA radio that was just released (for the HTC TOUCHPRO but works on the Diamond as well) and now instead of the phone resetting it just keeps vibrating right after the Touch Diamond text/red info screen...
I really guess your NAND is broken ....