Develop Bugs

How do the flashing techniques bypass bootloader security?

Since most of the retail HTC devices are bootloader locked, how do the flashing tools bypass this? In my experience if you go into bootloader flashing mode on a Himalaya or Blue Angel, if you try and use the mtty utility to flash a bin image using "l image.bin" you get an error of:
"Not allow operation" which means that the bootloader is locked to prevent flashing. Obviously the tools posted here don't hit this obstacle so I'm curious how that works. Also if you use the tools posted here to flash a different ROM, do any of these upgrades end up rewriting the bootloader as well to end up giving you an unlocked bootloader that would accept the load (l) commands to flash images?
I thought these devices required a special SDIO card only HTC has to unlock the bootloader.
Thanks for the info.

Bootloader
You can unlock some settings by using the PASSWORD BOOTLOADER command
worked for my HTC audiovox vx6600 Harrier (Verizon CDMA) but to load the .bin file with l It didn't seem to work I got not allowed, a way around that was to interrupt the process when doing a real upgrade and it should but u in a DBG> mode then u can do l file.bin (ones u connect using mtty) I've been wondering how do u send a .bin file using mtty, I didn't see any options besides downloading from it, but not uploading to it... can u help me with that step? where do I put the .bin file? or will it open a "file open" window when I type that command?

Thats interesting! What does the PASSWORD BOOTLOADER do and where do you enter that command?
Can you detail more about what upgrade you interupted and how you interrupted it? Where do you see the debug mode? I would have tjought that interrupting the ROM flash would not affect the ability to access the load (l) command.
OK, to use a bin file you need to do this. Simply put the bin file in the same PC directory as the mtty utility (ie mtty16.exe) and then once you bring up the app in USB flashing mode you press Enter to get the prompt and then just type: l flash.bin
Basically whatever the local file name is type that name. If you want to place the image somewhere else then it would be something like:
l c:\flash.bin
Just keep the filename short to make it foolproof to type.
Let me know if you get get this to work. I'm curious if once this is done and you again boot up into USB flash mode and use mtty and then use the load command, do you now get it to work or do you again see the Not allow operation error.
What I am hoping is if doing a process of getting a new image on a Blue Angel (Harrier in your case) gets the bootloader in a state where it could be backed up and then restored onto a different device allowing its bootloader to be flash unlocked.
Have you seen any tools posted here to back up and restore the
BlueAngel bootloader?
This is fun stuff!

Hey, thanks, awesome, have u tried the command "d2s" (disk to storage) and "s2d" (storage to disk) ? those commands where not enabled until i typed PASSWORD BOOTLOADER and it gave me a success notice... I'll post the info i have for them.
usage_cmd_d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
usage_cmd_s2d
Usage:
s2d
Restore memory from storage.
I currently have the 1.02 bootloader so it might be different for u.. also
h = help
and supposively ones u unblocked the bootloader u can do h full which should give u even more options, but that didn't work, which is weird, I think they took the h command out, eventhough they left all the info in the loader, cause u can always do a hexdump on any bootloader and u can figure the commands and their usage..
also here's how to unlock it.. this worked after I typed the password as well.. the only thing that didn't work was l i think (or atleast that i've tried)
usage_cmd_task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot.
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Oh here's a little howto:
example how to flash the extended rom and radio Simultaneously
first copy the first 3 M of the radio to sd:
d2s 60000000 00300000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
****************
Store image to SD/MMC card successful.
and now append the extended rom to the sd card:
d2s 70080000 01000000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
****************************************************************
Store image to SD/MMC card successful.
then when you insert the sdcard, and then boot into bootloader mode, the following happens: on the display, you see a message 'sections=2', and 'press power to flash'. after pressing the power button, you see the following output on the serial port:
Flash ROM mapping total size = 2000000
Flash ID = 89,8802
Trumbull INTEL StrataFlash 128 Mbit MEMORY (K3/k18) found
dwROMTotalSize = 2000000
wTotalChip = 2
HTC Integrated Re-Flash Utility for bootloader Version:1.29 HIMALAYAS PVT version:1.02
MainBoardID = 4
Built at: Sep 24 2003 18:17:06
Copyright (c) 1998-2002 High Tech Computer Corporation
Turbo Mode Frequency = 398 MHz
Run Mode Frequency = 199 MHz
Memory Frequency = 100 MHz
SDRAM Frequency = 100 MHz
Main=0x90035EE4
LCD Power ON!
ATI Chip Id=0x56441002
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
Radio flash Updating...
************
SD/MMC download to ROM is successful!
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
DOC flash Updating...
****************************************************************
SD/MMC download to ROM is successful!
now both the radio and extended rom are upgraded!

That great info. You posted the syntax for the Task command but didn't say how you used it.
after the USB> prompt what did you type?
I'm assuming you use mtty and then do:
USB> PASSWORD BOOTLOADER
and then perhaps:
USB> task xx
but I dont know what values you used
and then:
USB> ds2 step #1
USB> ds2 step#2
so once you did that what ROM did you decide to load? I assume you went for some sort of CDMA flavor? What did you end up gaining from the upgrade since you were probbaly already on Windows Mobile 2003 SE
Thanks!

looks like PASSWORD BOOTLOADER does not work. I got:
USB>PASSWORD BOOTLOADER
Invalid command : PASSWORD
For a help screen, use command ? or h
is that how it works?
How did you do the method from your original post where you somehow interrupted a flash and then were able to use the l command?
Thanks.

No it should have said something similar to this:
USB>l
Not allow operation!
USB>help
Invalid command : help
For a help screen, use command ? or h
USB>password boot
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password bootloader
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>BOOTLOADER
I did a couple typos so u can see what I get when it doesn't like the password.
I havn't decided on what to load I was trying to load the latest bootloader which is for the himalaya, and I did what u said l c:\wall515.bin and it said something like :F=c:\wall515.bin and then preparing to send, and nothing happened after that, the terminal locked i did a couple ctrl + (a key) to try and get out it seems that i got out with ctrl + a (perhaps abort) ?
I did realize though that I was in the CDMA DBG> section, not just the DBG> like before this might be because I interrupted a radio upgrade, and not a regular WCE upgrade / etc so I'm going to try and do it again, this is my main phone so I have to keep it working so I immediately just undid everything.
and as for the syntax for d2s:
d2s hex_start_location amount_to_copy
so for example say my RADIO starts at address 60000000 and I want to copy 5MB then the proper command would be
ds2 60000000 00500000
you should get something like
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D50000ze=0
****************
Store image to SD/MMC card successful.
but u will have to be identified in order for any of the commands to work, what version do u have (what phone, model, etc.. ) GSM or CDMA? etc
I also have a program that can be used to dump the ROM from the command prompt.. u might of heard of it already, dumprom.exe and memdump.exe and a new one called mtrw which seems promesing but it doesn't seem to allow u to enter a password I think it's programmed to do that automagically, i'm going to try and get the source code, and fix it so it does.. also get a closer look on what it's actually doing
p.s the syntax of the others are basically the same
for task u would do something like
task 7 0
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
also check out this site:
http://wiki.xda-developers.com/wiki/HimalayaBootloader
alrighty heading to bed
tty tommorow

That password technique worked but didn't really have an effect. I was already able to do the d2s command.
I sure would like to get the (l) command working and get past the Not allow operation! error.
Did you say you had been trying a Himalaya bootloader on your Harrier?
I have never seen that DBG> mode you were referring to. how do you get into that mode?
Thanks for the great info.

I did it just by chance, right as you start loading ur shipped rom using the himauptdate or what ever program u use.. it will first erase the rom/ram what I did, (risking my BA, but luckely it's still dummy proof at that point) was unplug the phone, from the cradle right as it hit the 100% (erased completed) then I plugged it right back in, and I got the BDG> instead of the usual USB> I decided to see what would be different and l was available, I didn't know how to use it at the time (now I know thanks to you). if u have a copy of the dumped bootloader u can use a hexeditor I use xvi32, which can be found in the xda-dev's FTP. if u look around, u can see some readable data, I've looked at it throughly and thus thats how I figured the password.. here's the part that shows the different modes, so u can see there is BDG> mode
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002a00 4873 0390 0000 0000 0000 0000 0000 0000 Hs..............
00002a10 0000 0000 0100 0000 6c77 0000 7072 6f75 ........lw..prou
00002a20 7465 7200 6368 6563 6b73 756d 0000 0000 ter.checksum....
00002a30 7764 6174 6100 0000 6572 6173 6500 0000 wdata...erase...
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002a90 0a0a 2a2a 2a20 5365 7269 616c 2070 6f72 ..*** Serial por
00002aa0 7420 7761 7320 7265 2d69 6e69 7469 616c t was re-initial
00002ab0 697a 6564 2064 7565 2074 6f20 756e 6578 ized due to unex
00002ac0 7065 6374 6564 2070 726f 626c 656d 202a pected problem *
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
00002af0 3f00 0000 0d00 0000 0820 0800 546f 6f20 ?........ ..Too
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002b00 6d61 6e79 2061 7267 756d 656e 7473 0a00 many arguments..
00002b10 466f 7220 6120 6865 6c70 2073 6372 6565 For a help scree
00002b20 6e2c 2075 7365 2063 6f6d 6d61 6e64 203f n, use command ?
00002b30 206f 7220 680a 0000 4d61 7820 4379 6c69 or h...Max Cyli
00002b40 6e64 6572 203a 2025 752c 204d 6178 2048 nder : %u, Max H
00002b50 6561 6420 3a20 2575 2c20 4d61 7820 5365 ead : %u, Max Se
00002b60 6374 6f72 203a 2025 752c 2054 6f74 616c ctor : %u, Total
00002b70 2073 7061 6365 203a 2025 7520 4b42 0a0d space : %u KB..
00002b80 0000 0000 4669 7277 6172 6520 7265 7669 ....Firware revi
00002b90 7369 6f6e 203a 2025 730a 0000 4d6f 6465 sion : %s...Mode
00002ba0 6c20 6e75 6d62 6572 203a 2025 730a 0000 l number : %s...
00002bb0 2573 0a00 4346 5265 6164 5365 6374 6f72 %s..CFReadSector
00002bc0 572d 3a20 7743 796c 696e 6465 723d 2578 W-: wCylinder=%x
00002bd0 2c63 6248 6561 643d 2578 2c63 6253 6563 ,cbHead=%x,cbSec
00002be0 746f 723d 2578 2c62 5374 6174 7573 3d25 tor=%x,bStatus=%
00002bf0 780d 0a00 4346 5772 6974 6553 6563 746f x...CFWriteSecto
I'm about to try and see if I can get in the DBG> mode, hopefully it wasn't just a lucky shot and it's easy to duplicate again..
anyways i'll keep u posted

grabbing that bootloader
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier. Ideally if somebody came up with an unlocked bootloader then that tool could maybe be used to dujmp that unlocked bootload and then push it to another device.
It sounds like your interrupt technique might be safest to try with an upgrade that only is doing the ROM and nothing else. if there is one thing I've seen hose HTC devices up badly is a messed up radio flash.
Have you been interrupting an upgrade using BaUpgradeUt.exe or doing a boot and restoring from SD card?

Re: grabbing that bootloader
obelix said:
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier.
Click to expand...
Click to collapse
what? Any tool that dumps ROM can dump a bootloader. Or even more. You can extract bootloader from any ROM update.

I dont doubt it but without knowing how large and the location of a Blue Angel bootloader I wouldn't know where to begin. I wouldn't necessarily want a bootloader from a ROM update as it would be more useful to extract a bootloader from a bootloader unlocked device and then use that to unlock another. HTC has most of its retail Blue Angel & Hima devices bootloader locked so that if you prefer to go through the mtty utility and do a "l blueangel.bin" technique to flash the OS thats going to fail. So that leaves converting a .bin to a .nbf file or replacing the locked bootloader with one thats unlocked.
Are there places in the wiki that detail the positions of the bootloader within Blue Angel memory?

zxvf, did you say you were using the himaupdate program to do the flash? I thought that BaUpgradeUt.exe needed to be used. BaUpgradeUt.exe does not give any messages that say that say it is erasing ROM. Also since the BaUpgradeUt.exe depends on an ActiveSync connection, how can you start the upgrade and then disconnect at the right moment and then plug in the cable and get to mtty? I only know about getting to the command line interface via the mtty app.
Curious to hear more!

Seems that the guy above is having a leaked version of Magneto for BlueAngel and he is not willing to share it.
There is no .bin file out there from HTC. Only Microsoft released the Magneto update as a .bin file.
So before helping him he should clarify why he want all the info from here and is not sharing his Magneto image.
John

nope no Magneto stuff. I am strictly trying to work out the the innards of the mtty program and how to get past the locked bootloader. I could have been doing this on my Wallaby and Himalaya as well but am playing with the BA for now. From what I hear you'll never see Magneto on a Blue Angel, its already end of life. If it ever shows up it will simply be some mobile operator's experiment. I dont trust those folks to release any upgrades, they only want to sell new devices.

Bootloader dumping and flashing
I seriously advise you not to try that...
I tried that on 2 different Blue Angels an they go trashed.
Back to scrap.
Although you can get the exact blocks to extract and the exact memory intervals they are allocated in you have no way to determine if thay are the same on the "destination" BA, Therefore, you take an enormous risk on doing this.
I tried to do thatbecause on Portugal Operators sim-locked BA the lock information is actually on the bootloader.
Till now... No luck.
I even considered payinf the £20 IMEI-CHECK ask for but i think that it is not as thrilling as trying to do it by yourself, with your own work and burnt lashes. Apart from that, £20 are allways £20 :wink:
By the way, any development on the BA sim-unlocking ?
Cheers

sorry for not responding any sooner but I hadn't been able to get online, anyways, there are MANY tools as mamiach (pardon if I typed it incorrectly) that you can use to extract the bootloader, and I'm actually quiet confused on what program I've used I though they were just different versions, and a little bit different, never actually knew one was for upgrades and the other one was for full installs.. what I think I did was while it was trying to right to the bootloader I must have interrupted it and it might have immediately put it self in full acess / dbg mode (this is just IMHO) in order to save it self.. because I do recall it even said it on the screen I've tried and tried, and i'm kinda close to giving up thus, It's been twice that I almost didn't have a phone :/ if you need any programs u are sure to find them on the xda-dev FTP, and/or my website http://www.hexcode.net/xda-dev its a mirror or XDA-DEV that the Admin's been using to restore the site.. I'm currently in the process of installing Windows Mobile 2005, but not having much luck, I'm going to keep on trying, oh yea, when I unpluged it, I right away plugged it into the cradle again, and made activesync disabled, and start mtty and thats how I got the DBG> mode. other then that I'm not sure what to say, there are also programs that suppose to help u with installing new bootloaders like pnewbootloader.exe but they seem to be for the XDA2 so I'm not sure if they work, also if this might be of any help another password I've found that they are using is AYaLaMiH (himalaya spelled backwords) hope that helps.. ciao

HOW TO ENTER CDMA DBG> mode (BOOTLOADER Full admin mode)
EUREKA I'VE GOT IT...
I should be making a wiki page instead of posting here but these are the steps that are needed to enter CDMA DBG> mode which allows the use of extended commands like l, rbmc, s2d, d2s etc.. full access it seems..
here's the commands I used.
hope they work, I was wrong about the password being BOOTLOADER infact thats a password that most sellers have to do a few fixes, but not give them full control to screw up our devices..
I don't really know much about the commands except the info that they return, so just bear with me and follow along if u really wanan get to this, as of getting to the CDMA DBG> isn't dangerous u are not writing anything (YET) in order to get there, just modifying some switches etc.
ok so first the password: 40r0~0y~~5~0000
so type
USB>password |40r0~0y~~5~0000
u should get "HTCSPass1.CMˆËHTCEUSB>"
[DONT PRESS ENTER/RETURN JUST CONTINUE TO TYPE]
HTCSPass1.CMˆËHTCEUSB>set 1 0
This makes it so the Operation mode currently is set to "User" (maybe allows user interaction, not sure)
type set 5 7777 (not really sure if this is needed, all it does is set the background color value to 7777)
not the last command rtask a
here's what mine looks like
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
ÿ
HTC Integrated Re-Flash Utility for Harrier
This version is used for developig CDMA system
Copyright (c) 2003 High Tech Computer Corporatio
CDMA DBG>h
now if I type
l (DONT DO THIS UNLESS UR READY LOOK AT THE SYNTAX FIRST) I was stupid enough to just try it I got this
CDMA DBG>l
start cdma download
instead of the "not allowed or what ever that error was.."
now I hope this doesn't do something bad to my device, but I can't seem to get out.. *GULP*
Anyways thats all the info I have, hope it helps in any way Cheers.

P.S you can look at the syntax of 'l' if u search in the wiki pages.. information brought to us by itsme here is a direct link to his page. I'll also paste the 'l''s section here..
http://www.xs4all.nl/~itsme/projects/xda/bl-ii-usage.html
syntax for 'l':
usage_cmd_l = sub_9004C74C(1)
sub_9004C74C
Usage:
l [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
Auto-launched is disabled after downloading.

Nice job zxvf! Thats some good digging. I didn't follow this section before getting to the Debug mode:
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
What is shmsg and rtask doing? Do the shmsg commands actually do some upgrades and if so from what image? I have never seen them and wonder what those steps do.

Universal ROM

Do we have a solution to change the german ROM to the english one , yet ?
Thanks.

mda pro english rom upgrade
hello and gd day i am holding in my hands the mda pro from t-mobile in germany but i am not a german languge speaker and there for asking if any one already have a soltion for changing the rom to english ?
thanks a lot

backing up the device with 'd2s'
If somebody needs it, here it is how to backing up the device with 'd2s'
-insert a sd card on your device (128mb SD card),
-press light + power + reset (you will see unlighted screen with some words and number called bootloader)
-connect your device to your PC with the USB cable and disable USB on Active sync
-run MTTY.exe and select USB
-press enter, type d2s and press enter again (that command backups only the ROM in to SD and is the prefered way), or you can type:
d2s 60000000 00800000 8M radio rom
d2s 70000000 00100000 sd a 1M SPL
d2s 70100000 04000000 sd a 64.00 M OS TrueFFS
d2s 74100000 00a00000 sd a 10.00 M extrom DSK2ART00 fatfsd
d2s 74b00000 02c40000 sd a 44.25 M root filesystem TRUEFFS
-when finish (you'll see it by device display) get the SD and insert it to a cards reader
-for to copy the file in SD Card to your PC you have to use NTRW and run it with this command: c:/ntrw read MDAuniv.nb1 x: (x is your card reader so replace with the letter of your card reader and have NTRW in C
-after that you should have in C: a file called MDAuniv.nb1 and you can post it here!
good luck

Dubi told me:
Do you have a Universal machine? did you try the suggested procedure?
In mine - JasJar Imate one, the monitor program of the boot loader does not allow d2s commands.. it will reply with Operation not alloowed!.
Besides, in several cases if you mess with the rom, it might refuse to boot again.. be carefull!
Regards,
Dubi
And I answered:
Hi,
No I don't have a HTC Universal and I was going to buy a German MDA PRO and I'd need WWE OS!!
There must be a way to dump Universal's ROM, but until I haven't it I can't try.
I think you should go in to bootloader with password :
the bootloader password: 'UNIVERSAL'
extended rom password: SiRevInu
That's all guys, and if you have any suggestion, pleas post it, here!

yah.
I have a machine but I can't unlock it, can u help me?

Ok, complete indication to *complete* Backup MDA PRO

Please, if someone has MDA PRO with original ROM can use this indications to completely backup it (and upload it to
ftp://ftp.xda-developers.com/Uploads/Universal/
please!!!)
What you need:
MDA Pro ;-)
USB cable
PC
1 sd card or mmc card (at least 128MB)
MTTY.EXE (you can find it in internet but the version can use usb connection and not only COM connection)
NTRW.EXE (you can find it in internet.this file must to be copied on your pc on C:\ not in other folders)
If you have ActiveSync installed on your PC on ActiveSync connection settings uncheck USB connection
Before connecting your MDA you should bring it into the boot loader mode. This can be done by simultaneously pressing power + camera buttons and at the same time the soft reset button with the stylus.
The password to enter bootloader is UNIVERSAL
insert a BLANK sd-card
Link the usb cable
Run MTTY.EXE and select USB connection
After that a terminal window will popup in that window.
Type (if you want to backup operating system):
d2s 70100000 04000000
or type (if you want to backup extended rom):
d2s 74100000 00a00000
and press enter. Your MDA will start copying the ROM to the sd card. The screen of your MDA will be dark (no light), but you will see it counting up to 100%. When it reaches 100% it will say it is calculating the checksum. Give it some time till its done and it will say checksum ok.
Please note that there are others command to type due to what you want to obtain.They are:
d2s 60000000 00800000 8M radio rom
d2s 70000000 00100000 1M SPL
d2s 70100000 04000000 64.00 M OS TrueFFS
d2s 74100000 00a00000 10.00 M extrom DSK2ART00 fatfsd
d2s 74b00000 02c40000 44.25 M root filesystem TRUEFFS
After finishing the transfer of the German ROM from your MDA to the SD card, put your SD card into an SD card reader connected to your pc. Your pc might pop up a warning message that says your SD Card is not formatted would you like to format? Click No and open a Command prompt (DOS) window.
Change directory to your root directory (cd c:\) and run the command ntrw read German.nb1 x: where x is the drive letter of your sd card. That command will create the ROM Backup file of your German ROM into your C drive root directory by the name of German.nb1. Make sure you keep German.nb1 in a safe place and use a copy of that file for the rest of the procedure. Note that after finishing the copy from your SD card to German.nb1 file ntrw might give you an error, just don’t pay attention to it.
Luca
(excuse me for my bad english!)

Error message
I have an MDA PRO on Netherlands origional ROM. I am not able to use MTTY.exe to back up my ROM. I follow your procedure with the following exceptions:
1. "Before connecting your MDA you should bring it into the boot loader mode. This can be done by simultaneously pressing power + camera buttons and at the same time the soft reset button with the stylus."
NOTE: Bootloader mode is the dark screen that says "Serial" (unplugged) or "USB" (plugged). I can only access this by using POWER + LIGHT + SOFT RESET.
2. "Run MTTY.EXE and select USB connection. After that a terminal window will popup in that window."
NOTE: Is it necessary after this step to run the command "password UNIVERSAL"?
3. "Type d2s 70100000 04000000"
NOTE: I, as with others, recieve the following error:
USB>d2s
Not allow operation!
USB>d2s 70100000 04000000
Not allow operation!
This final error is where I am stuck. Thanks in advance to anyone who can advise!

I have exactly the same issue as nedbsd.........
Using original Dutch T-Mobile rom:
version: 1.12.42
date: 08/23/05
radio: 1.00.02
protocol: 42.33.P8
ext. rom: 1.12.125 WWE

Hmm... this isn't working for me either. It looks like the MDA Pro is taking the password but not staying in the right mode.
The transcript from MTTY looks like this:
USB>password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
Which is a bit of a mess. It does seem that this is the right password, however, as if I type in a different password I get an error message:
USB>password BADPASS
HTCSInvalid password.R¿ËPHTCEUSB>
This is from a standard English MDA PRO. Any ideas?

MDA Pro Rom backup
So, no fresh ideas :?:
same problems as above:
first stage - password UNIVERSAL
HTCSPass.<YHTCEUSB>
looks like OK
then 2ds
Invalid command : 2ds
or by Topogigi advice
h full
Invalid command : h

MDA Pro Rom backup
really Invalid command-
password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
etc.

This sounds very strange to me. From the beginning of the pocketpc era the bootloader was provided with a comprehensive help feature that you could recall with the command "h full"....

Topogigi said:
This sounds very strange to me. From the beginning of the pocketpc era the bootloader was provided with a comprehensive help feature that you could recall with the command "h full"....
Click to expand...
Click to collapse
Well, you are not the only one that finds it strange, there is about a dozen threads allready about people trying to figure out how to make a rom-image from the universal. No succes so far!
The commands published here on the wiki page just don't work.....

Yup, I've already read all the threads forum-wide concerning the efforts people made to get a rom dump, but noone suggested to try with "h". So, I was curious to see what would happen, that's all! :wink:
BTW, you can notice yourself that there is something very strange in the result you reported in the other thread:
password UNIVERSAL
HTCSPass.< YHTCEUSB>h full
Invalid command : h
For a help screen, use command ? or h
USB>
Click to expand...
Click to collapse
:shock:
That drives me to think that our problems are password related. Perhaps "UNIVERSAL" is a valid password, but with all the commands disabled... :?:

Any success ?
password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
ROM-Verion: 1.13.156 GER
ROM-Date: 09/28/05
Radio-Version: 1.04.10
ExtROM-Version: 1.13.163
Provider: Vodafone

Any update or solution on the backup?

unfortunately not yet ...

@ciapal
what is your bootloader version please???
THANX
buzz

Mine is 0.60 :roll:

.60 here too

hmm, i have 1.00 and i always get "Not allow operation!"
buzz

ah..Anyone has find out how to get the rom....i want to know
ah..Anyone has find out how to get the rom....i want to know

Semi dead htc universal (vodafone VPA IV) :(

Hi All,
Please, help me with my PDA.
I got used htc universal (vodafone VPA IV). He is semi dead. Device has following problems:
1. display is black-and-white (or grey colored)
2. touchscreen doesn't work
3. device was not dissasembled (there are no stickers removed) and has no damage marks
4. while loading, it shows "NO GSM" D 1.13.56 GER
5. Of course, GSM functions aren't working.
6. I can bypass 'please tap screen...' during first mobile win loading (after hard reset) but then I cann't see task bar.
7. Keyboard of device works but, for example, win-key (with windows logo) does not open main menu for me.
8. On the desktop, I can go into time-settings page, user info, messaging, tasks, appointments, wireless settings menu, baterry meny, screen alignment, calendar, contacts.
9. Bluetooth works, wireless - I'am not sure.
10. I can sync PDA with PC, and with activesync browse and change files on PDA.
I think, from this classification, I have Type 1a.
When I tried to flash my device with Universal_Vodafone_11362_WWE_ROM, UNI_QTEK_13077_176_10900_WWE_Ship and HTC_Uni_SIM_Unlock_v1, I got always radio ROM upgrade error: 114 (upgraiding stops at 0%). While using MTTY116, I am getting "level = FF" after task 32, "not allowed" after d2s commands.
I tried already
USB> password 0000000000000000
USB> set 1e 1
USB> erase a0040000 c80000
USB> erase a0cc0000 c80000
USB> erase a1940000 640000
USB> set 1e 0
Click to expand...
Click to collapse
Also I tried to flash HTC_Uni_SIM_Unlock_v1 to get superCID (but radio ROM error 114).
Here is my log from usb-monitor (in the process of upgrading and receiving "error 114" message).
What can I do with my device? Will be upgrading using SD card helpfull in this situation or I have no chances?
Thanks for any help.

Join the club.......
http://forum.xda-developers.com/showthread.php?t=289260
Exactly the same problem

someone can help me with mtty???

hi all,
I am trying to make the radio work again using this procedure:
http://wiki.xda-developers.com/index.php?pagename=Hermes_UpgradeProblems#problem5
but I got a problem and I'd like if someone can help me.
The problem is that I start mtty, I connect the phone in bootloader, I put USB and the I hit twice enter, but the prompt is always CMD>, doesn't change in USB>; I tried many times hitting enter twice, but nothing changes.
How can I do it?
thankyou
Mick

Don't work that's not a problem its just the version of mtty you are using, it should still work.

i am going crazy...I am tring the guide step by step, but when I try tu update radio,it get stuck.
I am with NO GSM and NO IMEI in this moment.
please
help me
(maybe on msn messenger or skype this way I can tell my problems directly)

in Mtty try typing:
task 32
you should get level = 0 to say your device is SuperCID if not you could try the SDcard Method http://forum.xda-developers.com/showthread.php?t=293651&highlight=task+32

thank you markafreeman,
I followed your instruction and I vas able to get level = 0,
but the problem is still that I have Cmd> prompt instead USB.
(can it be a driver problems??)
anyway, I wrote as the guide says:
Cmd> password BsaD5SeoA
Cmd> set 1e 1
Cmd> erase a0040000 c80000
Cmd> erase a0cc0000 c80000
Cmd> erase a1940000 640000
Cmd> set 1e 0
I closed the mtty, restart the PDA on the bootloader again (HERM100, IPL-1.04 Spl-2.10.Olipro) and I sent the official old ROM RUU_Hermes_QTEK_ITA_2.11.258.1_102_6275_1.38.00.10_108_Ship, it starts but get stuck at 13% and then I got on the pc error 262, upgrading error!
I tried twice and it stops always at 13%

UP!!please...somebody give me hope !

I'd probably try the SDcard method I posted earlier at that point.

On some versions of MTTY it shows CMD on some it shows USB, nothing to worry about.

thank you markafreeman:
I tried to do that, but when it start to write radio,it just stops.
thank you drummer10630:
I didn't see any changes in the phones,also if I try with Cmd> prompt
when I go to install RADIO,it stops

Hmmm the other thing I've seen people suggesting with connection problems is on the hermes go to settings and usb to pc and untick the advanceed netowrk option.

mickscores said:
hi all,
I am trying to make the radio work again using this procedure:
http://wiki.xda-developers.com/index.php?pagename=Hermes_UpgradeProblems#problem5
but I got a problem and I'd like if someone can help me.
The problem is that I start mtty, I connect the phone in bootloader, I put USB and the I hit twice enter, but the prompt is always CMD>, doesn't change in USB>; I tried many times hitting enter twice, but nothing changes.
How can I do it?
thankyou
Mick
Click to expand...
Click to collapse
task 28 55aa
then flash again!

Thank you yyyuanye,
I tried your command, it told me that something was formatted, then I tried to re-flash form SD card, but it stops when it's flashing the RADIO.
if you got any idea form me...please...I will be waiting for it.
the Mtty communicate with my Herm because it replies with the coomands Cmd> info, so now it's not a mtty problem anymore.
I don't know, but maybe, in mtty there is a command that erase everything on the radio and make it ready for a new installation.