1. Run Debug Tool
2. Set [5]Debug flags to '435' as 0b110110011
3. Set [8]Radio Flags to '1795' as 0b11100000011
According to the help, it enables "Enable ATCMD Log", "Enable RIL Ioctl Log", "MARM use UART", "MARM use USB", "MARM use SD"; I don't know their meanings.
4. Reset device
Then my Diamond got stuck on the bootloader screen. I reflashed the ROM and it doesn't help. I am sure at least the HardSPL works.
Can anyone help me unbrick it?
I'll repeat the same here as on MSN so it's useful for others maybe:
If you don't know the meanings, why are you playing? I know you have MFG SPL, so a warning here: if anyone wants to play like this, make sure you have MFG SPL installed first, because then it is easy to fix the problem. (Non-MFG SPL: still possible to fix, but then you'd have to flash a file via the lnbs command, a bit more painful.)
Basically, you have to set the flags back to get the OS booting; in MFG SPL, using mtty or qmat, simply send the following command: eraseconfig
PS: "MARM use USB", "MARM use SD" -> these two are not a problem; one of the rest is what ****ted the OS (not sure which). And when you set MARM use USB / SD, Windows Mobile will not have access to them (but SPL will), so that is kind of pointless.
Thanks a lot to cmonex.
I found I am not the first one to play too much with the HTC debug tools.
Here is another thread with a similar problem that was solved by cmonex too:
http://forum.xda-developers.com/showthread.php?p=2852488
I've been on this board a few years now and I have never even heard of htc debug tools. I also don't know its purpose so I wouldn't play with it, period.
I made a big mistake:
2. Set [5]Debug flags to '435' as Wrong: 0b110110011, Right: 0b10000110101
3. Set [8]Radio Flags to '1795' as Wrong: 0b11100000011, Right: 0b1011110010101
The field in the debug tool is interpreted in hex format.
BTW, I confirmed that "MARM use UART" (Radio Flags set to 1xx) may get the phone stuck.
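An added example (not from any post in this thread) showing why the same digits typed into a hex-interpreted field set different bits than the decimal reading the poster intended; the two field values are the ones from the posts above, and the meaning of individual bits is not known here.

```python
"""
Compare the bits actually set when a typed value is read as hex
against the bits the user meant when they thought of it as decimal.
Added example; field names come from the thread, bit labels are unknown.
"""


def set_bits(value: int) -> set[int]:
    """Return the positions of all 1 bits in value (bit 0 = LSB)."""
    return {pos for pos in range(value.bit_length()) if (value >> pos) & 1}


def compare_field_input(digits: str) -> dict:
    """
    Interpret the same typed digits once as decimal (what the poster
    intended) and once as hex (what the debug tool actually did), and
    report which bits differ between the two readings.
    """
    intended = int(digits, 10)   # the value the poster believed was entered
    actual = int(digits, 16)     # the value the tool really stored
    meant, got = set_bits(intended), set_bits(actual)
    return {
        "intended_value": intended,
        "actual_value": actual,
        "intended_bin": bin(intended),
        "actual_bin": bin(actual),
        # bits turned on that the poster never meant to touch
        "unintended_bits_set": sorted(got - meant),
        # bits the poster wanted on that stayed off
        "intended_bits_missing": sorted(meant - got),
    }


if __name__ == "__main__":
    # The two fields from the thread: [5] Debug flags and [8] Radio Flags.
    for name, digits in (("Debug flags", "435"), ("Radio Flags", "1795")):
        r = compare_field_input(digits)
        print(f"{name}: typed {digits!r}")
        print(f"  meant {r['intended_bin']} ({r['intended_value']}), "
              f"got {r['actual_bin']} ({r['actual_value']})")
        print(f"  bits set by mistake: {r['unintended_bits_set']}, "
              f"bits never set: {r['intended_bits_missing']}")
```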
I think I may have come up with a way to CID unlock the G4 version of the HTC Prophet, but I need help to fill in some gaps.
As far as I can tell (and please correct me if I'm wrong), the only reason why the "downgrade&unlockcid" procedure doesn't work is that "pdocwrite.exe" can't write back the unlocked file. So, if we could find a way to write that information, the problem should be solved...
I think that by performing the following steps one could do the unlocking:
- create an ActiveSync connection;
- run "unlockcid.bat" to get the "acidunlocked.bin" file;
- get the checksum of the "acidunlocked.bin" file;
- restart Prophet in bootloader mode;
- run "Rom Update Utility" and cancel after a successful "Verifying information..." window;
- use a TTY program to connect to the PDA and issue the following commands:
>ruustart
>ruuformat ???? 10000
>wdata ???? 10000
>HTCS
>"acidunlocked.bin content"
>"4-byte acidunlocked.bin checksum"
>HTCE
>ruuflashdoc ???? 10000 "4-byte acidunlocked.bin checksum"
>ruurun 0
>ResetDevice
The knowledge I lack is the exact memory address to place the information.
Also, is the data retrieved by "pdocread" in a "raw" format? And can it be directly written to the DOC by this method?
I think I'm very close, but I really need help with these few things before taking the last step... I don't want to end up with an expensive brick.
PS: I would like to thank all the people in the xda-developers, modaco and spv-developers forums, and all the other guys who have been "burning their brains out" to find solutions, and without whom I could never have gone this far (if one can call THIS "far"...)
Alright,
I notice this phone gets very little attention from the community; however, I like the phone, form factor, etc.
I am looking to "cook" my own HardSPL for this phone. Other providers now support GPS, EVDO Rev A, Windows Mobile 6.1, and I'm still stuck in what I feel is the ice age.
Please note that any instructions with a prompt are to be done in DOS.
So far, I have done the following to extract the SPL:
1) Download HTC update for phone and extract using appropriate zip program
2) c:\>NBHextract RUU_***.nbh
This should leave you with a slew of .nb files - one will be named XX_SPL.nb
Now, to disassemble this SPL, you can either go straight to IDA Pro or take an intermediate step using dumprom. dumprom creates a pe.exe and handles the offsets for you, so it puts you a step ahead, IMO.
1) c:\>mkdir SPLDISASM
2) c:\>dumprom -5 -d SPLDISASM XX_SPL.nb
Now, in the SPLDISASM folder, you should have an .exe file that you can open in IDA Pro.
Now, here's where it is starting to get foggy for me. I followed the same process to dump the stock SPL and the HardSPL from a Hermes phone and I am in the process of hand tracing and hand comparing it to see how SuperCID/Write protection/Protected FF writes is implemented in the HardSPL - hoping that I can port the differences to my phone.
So, I pose the following to the experts:
1) In order to test my HardSPL once it is complete, can I run it as a SSPL and load a new ruu as a test - or will that mean certain death to my device?
2) Now that I'm this far into the code, I've come to realize that reassembling the code will be a lot of pain. Do you guys disassemble/assemble, or do you just hand edit in a hex editor?
3) Any suggestions to look out for, any ideas, etc?
Let me finish with a few disclaimers
1) To the experts: I have no intention of reverse engineering the HardSPL codebase. If I do use any of the code I have found, I will be sure to give props to the people involved and ask for permission before distributing. I am not looking to profit or scam or steal ideas; I am simply looking at how to make my phone better.
2) To the beggars: I have nothing to release at this time; this is all vaporware. I don't know when it will be done, I don't even know if it's doable. I'm just trying ATM.
3) To the beginners: any or all of the advice above can probably wreck your device. This is in no way a means to unlock your phone; it's just my thought stream as I take what I believe are the preliminary steps to make my Libra the phone it's meant to be.
desquirr decompiler
I am now using the desquirr decompiler plugin for IDA Pro. It's dumping the subroutines into rudimentary C code.
I am now far closer to understanding what it is my device does, as well as understanding some of the HardSPL code.
I recommend this tool if you are also SPL "cooking".
More Progress!
No replies yet? Man, this is starting to feel like a blog.
Okay, I have managed to dump my Libra SPL, I have disassembled it, and I have also decompiled it. Well, partially.
All the subfunctions are now represented in C. It's not particularly the most efficient C code I've ever seen, but it's readable. You'll get the hang of it and start to notice the FOR loops, IF/ELSE, WHILE structures, multiple return values, etc.
I have decided to attach the stock Libra SPL. I am hoping that I can eventually turn this into a tutorial to build your own custom SPLs for devices that aren't supported by the general community (note, this is high-risk stuff).
Hopefully this will serve as a reference to the community as I progress.
I do hope I get a little feedback too. If I'm going down the wrong path in terms of my approach, or for sharing this project with the community, it would be good to know.
Once again, a small disclaimer: this file will not do anything for your phone as of yet. Just a development step. (I hope...)
MegaHambone said:
1) In order to test my HardSPL once it is complete, can I run it as a SSPL and load a new ruu as a test - or will that mean certain death to my device?
The hard part is to make a patched SPL run as Soft SPL from within OS.
You can try pof's JumpSPL and/or Haret to start your SPL, however I'm not sure these will run on smartphone platform at all. If not, JumpSPL source code should be available, so you can try to figure it out.
Be sure you don't overwrite your stock SPL or radio when flashing a custom ROM with RUU, this is the best way to brick it!
Unless you really can't go without flashing a HardSPL, IMO it's safer to keep the stock SPL flashed for recovery purposes.
HardSpl to add new commands
I'm happy to hear that somebody is working on a HardSPL for the HTC S720. Here's the deal: I really want to change the ESN in this phone, but I realized that for now it's not possible.
It's a MSM7500.
**I've tried QPST, but version 2.7 only supports the MSM6500.
**I've tried QXDM 3.9.19 and still can't write the new ESN. It says read only.
How do I make it not read only?
Could I use any kind of reader/writer to change the info directly on the chip?
**CDMA Workshop 2.7: all kinds of ESN write don't work.
So, two options left:
1 - Either I desolder the ESN chip and change it for a new one (to be honest, I haven't discovered yet if the ESN is inside the MSM or on a different chip. If it's the case (on a different chip), it's a bit of a pain in the butt to do, but it's still an option.)
2 - I want to try shadowmite's method for writing the ESN into a PPC6800. Again, it needs to be done at a high level via MTTY.
Concerning MTTY, I cannot run commands because I can't put the phone on the bootloader screen.
I will try to run RUU, which will put the phone on the bootloader screen, and then try mtty.
If this fails, I guess my only hope will be a HardSPL.
I guess I've said a ton of things that are going to make me look like a newbie (which I am in programming).
Any suggestions...? Or any help I could bring to create this HardSPL?
I am using an HTC S720 in India. Currently I am using Windows Mobile 6. Is it possible to make it work with Windows Mobile 6.1? A Telus ROM for the HTC S720 is already available.
HardSPL for HTC5800/S720/LIBRA
I am currently trying to create a HardSPL for this phone and am having a hard time. I really need a solution for this, and if anyone can create a HardSPL, the company I work for is willing to pay a reward.
Why not try to get a goldcard for it? Try asking at http://psas.revskills.de/ or, if you know anyone with an axebox, I think they do goldcards.
Hi, I have a big problem with my Diamond.
I can't boot the Diamond, only into the bootloader.
Does anybody have an idea how to change the SPL or the ROM?
Or is there a possibility to get JumpSPL onto my device (I can't access Windows)?
Thank You for your help, I really appreciate it.
Hi,
I have sort of the same problem, except I have a US DIAM110. If you have found the original stock ROM for your device, try that. It has to work; JumpSPL only works from Windows.
~codeslicer
Try using mtty; it worked for me (Diamond 100).
And try another USB port on your PC and flash OliNex 1.93 again.
Flash via RUU, hard reset; if still in bootloader, mtty Task 8.
Thank You!!!
bummer
Have you tried using a custom RUU to install your stock ROM?
Extract the stock ROM from the official RUU and use the custom RUUs that can be found here.
One more thing: you might want to grab the old drivers for mobile device sync and make sure the old drivers are loaded. Vista and W7 usually roll back the drivers.
Might not work, but worth a shot, eh...
Hey, I had the same problem. I tried everything and it didn't work, just like you, so I went to the HTC service center and they flashed my ROM back to the box ROM. Check whether there is an HTC service centre near you.
Thank You....!!!
Try, with mtty:
Code:
Task 29
Task 8
then remove the device, enter the bootloader, and try flashing. Maybe post the output of
Code:
info 0
info 1
info 2
... info 8
etc., up to info 10 I think.
You can also try PMing Olipro or cmonex, or try looking around on how to do a CID unlock (imei-check or something like that does it, but it's been reverse engineered by now).
Finally, if you're about ready to give up, you can run "task 2A" which FORMATS EVERYTHING. You could be left with a brick. But there's a chance your SPL will be saved and whatever's causing the problem to be removed. Again, I don't recommend it; it's a very powerful command.
Best of luck.
~codeslicer
Thanks codeslicer...
Thanks......
I have the same problem.
I'm also from Germany:
Diam300
SPL-193 OliNex
There seems to be a problem with the HSPL?
I tried to flash another H-SPL, but it jumps from 0% directly to 100% and restarts?!
There seems to be a problem?!
codeslicer said:
Try, with mtty:
Code:
Task 29
Task 8
Finally, if you're about ready to give up, you can run "task 2A" which FORMATS EVERYTHING. You could be left with a brick. But there's a chance your SPL will be saved and whatever's causing the problem to be removed. Again, I don't recommend it; it's a very powerful command.
Best of luck.
~codeslicer
Excuse me... what does "FORMATS EVERYTHING" mean???
After "task 2A", will the first thing to do be flashing HardSPL and then a ROM???
OK, it is possible to flash ROMs and radios... but it is impossible to flash any SPL!
So what's wrong?
/edit: is it possible to flash the SPL another way? In some "do whatever it says" way?
The fact that I previously installed XANDROID has nothing to do with the problem, does it?
Bumped to top.
No one has an idea?
Can anybody who also has OliNex 1.93 do a checksum with mtty and post the result? I want to check the SPL etc. CRC checksum.
THX!
Still the question: what does Task 2a do on the Diamond!?
OK, for those who are curious: task 2a doesn't work either.... :-/
Lord,
Hard-SPL is protected, which is why it is called "Hard". It is written in "hard" on the memory to prevent it from accidentally being erased. Therefore the memory where Hard-SPL itself resides is protected so a bad flash won't brick your device.
In order to modify the bootloader (in your case it's Hard-SPL at the moment), you have to use Soft-SPL, which "softly" remains in the memory, but is not actually "written" in the memory. To do that, you get something called Jump-SPL. Find it, and execute the .bat program when your device is connected via ActiveSync. Accept the prompt on your device, and the screen will turn black. Now flash the new SPL (bootloader) that you want to install. If you mess up here you can brick your device, but installation is fast.
~codeslicer
Also, when you use mtty, you cannot copy and paste. The program only works when you TYPE it in. So do be careful with Task 2A and do not resort to these tactics unless your device has been fully bricked.
~codeslicer
Hi,
I'll only get my first Android phone (HTC Desire) in a few days, so I'm fairly new to this, and have a few questions:
What does a GoldCard do? Does it only disable the CID check, or also the signature check, or more? And if it also disables the signature check, isn't it enough to root the phone (just make a system image that contains the su utility)?
About unlocking: I've seen that other HTC phones can be unlocked by sending an [email protected] command to the radio from the SPL. What prevents us from doing the same on the Nexus and Desire? My guess here would be the lack of a physical serial port on these devices... and this is my next question.
Does someone have info about possible access to a serial debug port on the Nexus and Desire?
About the security: I've had a quick look at the SPL, and it seems that the security byte is located in memory right after the IMEI and CID. So my guess is that the security is also controlled by the IPL & radio chip. And in the SPL, there is a reference to an [email protected] command... I haven't looked deeper, but my guess is as good as yours.
About the SPL: I think I have found a few interesting things:
- among the different modes (RUU, Fastboot, hboot...), there is one called SIMLOCK, which seems to read the SD card and use the different files it contains to update the phone (MCC & MNC, IMEI, cid.txt...). I think it might be used to send AT commands to the radio chip to update that info, or am I wrong?
- there seems to be one function that reads the security byte and checks whether its LSB is equal to 0, at offset 0xFC080 of what might be an SRAM. We could just replace the body of this function with a "MOV R0, #0" to bypass the security check and have the SPL behave as if security were off. But then the signature check would fail, wouldn't it? Or could a GoldCard prevent this signature check?
So in the end, if I got it right, I think there would be at least two ways to disable security on both the Nexus and Desire, given that their "logic architecture" (hardware, firmware, memory map...) is extremely similar:
1/ find the serial debug port on the device, and send the correct AT commands to the radio chip that would make it flip to security=off.
2/ use an exploit to gain root privileges from android userland, then write a patched SPL to the correct /dev/mtdblock device with security check disabled. SPL should then behave as if security were off.
3/ maybe disassemble a bit more of this SD card update mode and learn how to craft one that would turn security off. My latest guess is that this mode might for instance take the content of "cid.txt", prepend "[email protected]=" to it, and send the whole string as a command to the radio chip. But I'm not sure yet if a security update is possible in this mode.
Also, for reference: when using a debugger/disassembler, the SPL should be loaded at 0x8E000000, and the entry point is at offset 0x1000. I haven't looked at the IPL/radio yet; any hints?
So, do you have any (helpful) thoughts about this, or am I completely wrong?
Edit: OK, it seems to work now; I modified the above message. Please ignore (or delete, if you can) this post.
Please note that the "(AT)" in the above post should be replaced by the "@" sign. It seems I need a moderator to validate my account.
pipomolo42 said:
Does someone have info about possible access to a serial debug port on the Nexus and Desire?
It seems I haven't searched well enough, as access to the Nexus serial port is described here: http://forum.xda-developers.com/showthread.php?t=625434
I just ebayed a CP2102 board, and I'll try it when I get my Desire.
Guys, I'm having kind of a situation here:
I installed Rogers HTC 621 - 1.30.631.2 (WM6)
http://www.mediafire.com/download.php?5xuh3jv2yg4
That I found here:
http://forum.xda-developers.com/showthread.php?t=381726
The problem is that now, when I want to leave this ROM because I've been having some problems with it, it won't update. I've tried using SDA Unlock, but it hasn't worked out. It always shows "unlockable phone", and right after this box it shows "phone unlocked". But it isn't. Could you guys help me solve this problem?!
Whenever I try installing any .cab files it shows the following message:
Installation was unsuccessful. The program or setting cannot be installed because it does not have sufficient system permissions.
If you could help me solve this only problem I wouldn't even need to update the ROM...
Try the attached HTC Unlock. It is a wrapped signed registry editor that is scripted to change the relevant Policy settings in the registry. Run the .exe on the PC, it will install the program on the device and you find it in Start -> Accessories -> HTC Unlock.
Basically you need to change the RAPI (Remote API) Policy to allow changes e.g. via SDA Unlock.
tobbbie said:
Try the attached HTC Unlock. It is a wrapped signed registry editor that is scripted to change the relevant Policy settings in the registry. Run the .exe on the PC, it will install the program on the device and you find it in Start -> Accessories -> HTC Unlock.
Basically you need to change the RAPI (Remote API) Policy to allow changes e.g. via SDA Unlock.
Well, I've tried what you suggested and I'm really thankful, but it didn't work out. I still can't install .cab files and I still can't unlock the cell phone with SDA Security Unlocker, because it says "phone is not unlockable".
How I wish anyone could help me...
Did you finally also execute the HTC Unlocker from the Start -> Accessories folder? You should see the registry editor change some settings. For the RAPI part, x'1001 is the policy and it must be set to 1.
There is a more complicated method: doing this with the Microsoft Security Configuration Manager. The download link is hard to find; look here: http://www.microsoft.com/download/en/details.aspx?id=998 This allows you to apply dedicated security profiles (sets of Policies) to the device. Whether this works, however, also depends on the active settings in the device OS. You may need to load the Development Certificates first via the menu "Device -> Add Dev..."
Would it not be the easiest case to just revert to the original ROM for the device? There the CID matches when updating, and then you don't need the sequence of "old-OS application unlock, load patched SPL, load new OS", simply because the original SPL will pass the CID check. Go to http://www.shipped-roms.com/index.php?category=windows mobile&model=Excalibur and see if you find it.
Which was the original ROM you had on it?
Problem solved.
After looking in some other posts here on XDA I found many solutions and, by working through them together, I could finally fix it.
I used SP Allow Certificate, SDK Certs and Exc USPL, and in the end it really mattered.
Thanks to all you guys who keep up with feeding the forum.