Better Mobile App

Fix and prevent ROM upgrade/downgrade Country ID errors

Updated 25th September - Summary points added at bottom of post.
Updated 27th September - More detail concerning DeviceData and use of HEX editor added.
IMPORTANT: Updated 28th September - I now know that if you have bootloader v1.06 on your XDA II, you cannot downgrade your ROM (at the moment). We will see if we can find a way round this but cannot promise anything. My thanks to gerald8297 for his patience and help using his device and thus enabling me and him to determine this.
Please read all of this post before attempting any upgrade.
This post is the second of two posts and (hopefully) contains the solution to the Country ID error problem during upgrade/downgrade of the XDA II. The first post contains the background and conclusions to an investigation into the problem and can be found here:
ROM upgrade/downgrade Country ID errors - an investigation
If you haven't already done so, I recommend that you read it so that you are aware of the reasons for the following procedures.
Firstly, something I must say to protect myself .
The procedures described in this post are the ones I used on my own XDA II and they worked for me. Although they should work for anyone else, there can be no guarantee. I cannot be held responsible or liable for any damage to, or malfunction of, your device caused by a failed upgrade. By deciding to upgrade your XDA II, you are taking full responsibility for any consequences arising out of doing so, and you may void your warranty. Flashing the ROM may cause Data Loss or even Device Malfunction.
Secondly, I would like to acknowledge all the posters to this forum for, in one way or another, providing clues to the solution to this problem and also a big thank you to itsme and softworkz for the utilities and information that have proved so helpful. And, of course, thanks to my friend merlin_uk whose input was invaluable.
These procedures require the following tools:
xda2nbftool: A description, explanation of passwords required, examples of usage and a download link for xda2nbftool are here.
A Hex editor: Any Hex Editor will do, but this is the one I used and which I describe the use of here.
IMPORTANT: Make a full backup of your XDA II as all data in main memory will be erased. Storage card and storage data should remain intact (but don't take my word for it!).
NOTE: The passwords specified in the commands and the exact format I used may be different for you depending on the version of HimaUpgradeUt you intend to use. See here for more information. Also, the operator and language strings used by me may be different to those you need to use. Don't just copy the commands listed below verbatim. Check what you need first. In my case my original operator ID was O2, but it got changed to CDL because of the reasons stated in my first post. Therefore, I wanted to get my device back to O2. This meant, for the first upgrade, using CDL as the operator ID in the nbf headers (to get past the verification) and O2 in the extra block of data (to set my device back), and then for the second upgrade, I was able to specify the correct operator for me (O2) in the nbf headers.
Obtain the set of upgrade files you require. If you have an operator-provided .EXE file, you can extract the files using Winzip or Winrar. The set of files will normally consist of:
[list:def15107cd]HimaClearJumpCode.exe
HimaGetDeviceData.exe
HimaUpgradeUt.exe
ms_.nbf
NK.nbf
Radio_.nbf
[*]Copy all these files into a folder of your choice on your PC (it is probably easier to create a new folder), then copy the xda2nbftool.exe program into the same folder.
[*]Copy the HimaGetDeviceData.exe file to any folder on your device.
Warning: DO NOT under any circumstances copy and run HimaClearJumpCode.exe on your device as it will render it unbootable. It is used by the upgrade utility to put you device into bootloader mode prior to upgrading.
[*]Execute HimaGetDeviceData.exe on your device. There will be no visible indication that it has run, but it will produce a file called DeviceData.txt in the Windows folder of the device.
Here is an example of the contents of DeviceData.txt:
Code:
U S B 3 2 1 . 7 2 . 0 0 W W E P H 1 0 C D L W W E 1 . 7 2 . 1 2 6 1 . 1 4 . 0 0
"USB 32 1.72.00WWE " is the OS Version
"PH10" is the Device Type
"CDL" is the Operator ID
"WWE" is the Language ID
"1.72.126" is the Extended ROM Version
"1.14.00" is the Radio Version
Obviously the actual content will depend on your device, but the layout of the information will be the same.
[*]Copy the DeviceData.txt file to your PC and open it using Notepad. Make a note of the current operator ID and language ID specified in this file (see step 4 above), for use later. These values are what your device is currently set to and it may surprise you to find that they are different from what you expected!. I will refer to these noted values as <operator> and <language>, to avoid confusion with specific values.
[*]Start a command prompt session on your PC and set your current directory to the folder used in step 2.
[*]Extract the decrypted versions of the nbf files by entering the following commands at the command prompt (but see note above):
Code:
xda2nbftool -x NK.nbf NK.nba 0x20040304
xda2nbftool -x ms_.nbf ms_.nba 0x20040305
xda2nbftool -x Radio_.nbf Radio_.nba 0x20040306
[*]Now modify the operator and language strings in the nbfs using the values noted from the DeviceData.txt file above by entering the following commands at the command prompt substituting <operator> and <language> with the noted values (but see note above):
Code:
xda2nbftool -sd PH10 -so <operator> -sl <language> NK.nba
xda2nbftool -sd PH10 -so <operator> -sl <language> ms_.nba
xda2nbftool -sd PH10 -so <operator> -sl <language> Radio_.nba
[*]Run the hex editor and in that open the file ms_.nba. If you are using xvi32, it will display the hex contents of the file to the left of the window and the character representation to the right of the window. At offset 74 (0x4A) you will see the operator string your device will be set to and at offset 94 (0x5E) you will see the language string your device will be set to.
NB. Your device will be set to these values irrespective of the values specified in the normal nbf headers.
To change the operator ID:
Click on the Address menu item then click on Goto.
In the window that is displayed, ensure decimal and absolute are selected, type 74 into the entry field then click OK. This will position you at the operator string location.
Using either character entry on the right or hex entry on the left, enter the operator string device should be (or what you want it to be ). Note that any non-used character positions should be edited to contain null (0x00) which can only be entered in the left hand side of the window.
To change the language ID:
Again, click on the Address menu item then click on Goto.
In the window that is displayed, ensure decimal and absolute are selected, type 94 into the entry field then click OK. This will position you at the language string location.
Using either character entry on the right or hex entry on the left, enter the language string your device should be. Again, any non-used character positions should be edited to contain null (0x00) which can only be entered in the left hand side of the window.
[*]Save the ms_.nba file.
[*]Update the crc values for each of the decrypted files by entering the following commands at the command prompt:
Code:
xda2nbftool -c -u NK.nba
xda2nbftool -c -u ms_.nba
xda2nbftool -c -u Radio_.nba
[*]Encrypt the files back into the nbf files by entering the following commands at the command prompt (but see note above):
Code:
xda2nbftool -x NK.nba NK.nbf 0x20040304
xda2nbftool -x ms_.nba ms_.nbf 0x20040305
xda2nbftool -x Radio_.nba Radio_.nbf 0x20040306
[*]Delete the nba files using Windows Explorer or by entering the following command at the command prompt:
Code:
del *.nba
[*]Run the upgrade from Windows Explorer by executing HimaUpGradeUt.exe
The first part of the upgrade is the verification process which is non-destructive, in which it generates the DeviceData.txt file on the device then compares the information in it to the information in your nbf headers (specifically the device type, the operator and the language). If an error is displayed, double check the steps detailed above and try again.
If all is well it will then display the current and new settings and give you the option to proceed with the upgrade. If you cancel at this point, nothing has changed on your device.
[*]Click the upgrade button... ONLY if you want to proceed with the upgrade.
Go make a coffee or even dinner because it takes at least 30 minutes to complete the full upgrade.
As eDsuB has pointed out, it is possible that the upgrade will fail or stop for some other reason and you are left with the bootloader screen (screen is dark and may display 'SERIAL' or 'USB'). If this happens, don't be too alarmed. Just remove your device from the cradle, reset your device, replace it in the cradle and restart the upgrade.
You may even still hit a Country ID error after it has started the upgrade, but I believe that it is some other sort of problem and it just reports it as Country ID error. If you do end up with a bootloader screen, and this was the first of two upgrades, it is OK to restart the upgrade using the second one - that is, the one with the nbf headers and the extra data in ms_.nbf set to the correct language and operator.
[*]Once the 'Congratulations' window appears, the upgrade is complete (even though the device may still indicate that the radio upgrade is in progress).
[*]Remove you device from the cradle and hard reset.[/list:def15107cd]
Hopefully your XDA II is now upgraded/downgraded.
To summarise
If, as was the case with me, you have successfully run a previous upgrade and your device has been unwittingly configured with an incorrect operator ID, you will need to run the steps detailed above twice. The first time, it is purely to set the device's language and operator IDs back to their correct values, with the nbf headers needing to be set to the incorrect values in order to allow the upgrade to proceed. The second time then becomes the 'real' upgrade, because, this time, in step 8, you will be using the desired language and operator IDs which will now match those of your device.
The information specified in the extra block of data in the operators ROM image (ms_.nbf) is used to set the device/operator/language in the device. It doesn't need to match what the device is set to already. It is this information which HimaGetDeviceData will retrieve at the beginning of any subsequent upgrade and return via the DeviceData.txt file.
The information specified in the nbf headers of all the ROM images (NK.nbf, ms_.nbf and Radio_.nbf) is used to set the device/operator/language in the software of the device. It must match the device/operator/language currently specified in the device.
Neither the ER2003Edit tool nor xda2nbftool, by themselves, update the extra block of data in the ROM image.
Anyone upgrading should check and amend (using step 9), if necessary, the information contained in the extra block of data in the operators ROM before performing any upgrade. This should be done even if the nbf headers are already correctly configured. Failure to check could lead to your device being set to an unwanted operator ID or language ID at the end of the upgrade.
Feedback concerning these procedures is most welcome. If any errors or omissions exist, please post a reply to let me know so that I can correct them. Also, please post a reply if you upgrade successfully, stating the original version/operator/language and the new version/operator/language. By doing this it will help others decide whether to upgrade or not.

You are missing a possible step that often occurs during 15.
The upgrade is canceled because of some vague reason and the device is stuck in bootloader (USB or SERIAL on screen).
This is the point when cold sweat starts drippingof your forehead . . .
Remedy: Reset device and restart the upgrade. It will take longer than 30 minutes. I flashed two times now and this happened both times . . .(didnt have any country-id or language issues)
Also: In the posting you should mention the operator you use is CDL (chances are that people take your posting literally wich for sure get a lot in the country-id trouble.)

Thanks to edsub for his comments. His advice has been incorporated into the post.

maybe this post should be sticky so it will not be lost in the mists of time

A new hope is born
Impressive discoery by dcs.
Anyway, can anyone confirm that this method is usable or workable for downgrading imate ver1.72WWE to Asia Rom 1.60 WWE.
One major doubt that, if the xda2 is in 1.72 and presumably it was wrong operator coded CDL, so the changes (suggestion by dcs) should take place on the 1.72 imate rom again or the 1.60 Asia Rom.
I once tried to change the 1.60 Rom using er2000edit to set the operator name to CDL instead of O2. The first upgrade screen was passed successfully but i was blocked in the 2nd screen which left me cold dead xda2 with 1.06 serial.
I guess much research shall be done before pursing this method. Anyhow it was a good finding. :lol:

This method does work…
I too was in a position were I could not upgrade or downgrade my O2 XDAII ROM because the operator code on the device had been changed to CDL…
Following dcs’s method sorts this nasty problem out once and for all – I can now downgrade, upgrade to any version of ROM I want!!!
Nice one dcs!!

I have exactly the same problem like yours. Thanks to dcs for your hard work.

I have updated the post slightly to (hopefully) lessen confusion about operator and language values used.

maybe incorporate this post in wiki.xda-developers.com ?

Answer to gerald8297 post - A new hope is born
Theoretically it shouldn't matter which version of the upgrade you run first.
The first upgrade is done purely to set your device operator and language values back to the values they should be (or the values you want them to be), and the nbf headers will have to match the values currently defined in your device.
The second upgrade is done to actually install the version of software you want onto your device. The nbf headers should be configured to match the (now correct) operator and language values defined in the device. Also the ms_.nbf file should be checked to ensure the extra block of data isn't going to set your device back to an unwanted value.
You say that your previous attempt at a downgrade failed at the second screen. Do you mean that the OS was installed, but it failed at the extended ROM part? If so, did you edit all 3 nbf file with ER2003Edit to set the operator before running the upgrade? If you only edited the NK.nbf file it would explain what happened. If this is the case, and you are stuck on the bootloader screen, you should be able to reset your device and rerun the upgrade.
It looks like you used the same i-mate 1.172.00WWE upgrade as I did in which case your device has been set to operator CDL and language WWE.
Good luck!

I have updated the post by adding some summary points at the end. These, hopefully will provide a better overall understanding.

FINALLY!!!!! IT WORKED!!! Thanks 102035492304923049 million times, dcs. This is the manual to use!

Excellent! I am very pleased.

Updates Made
I have made a few changes to the post to try and make things a little clearer

IMPORTANT
Updated with information about downgrading restriction.

dcs,
I am now at step 13
I edited ms_.nba ONLY using the hex editor. The 74th block is set the CDL so i changed it to O2 and put a null value on the 76th block where L of CDL used to be.
WWE remains as WWE. I am about to proceed but just a few questions.
(1)since this is my first upgrade, i need only run this once right?
(2) is ms_.nba the only file i need to edit or i also need to edit the Radio_.nba and NK.nba files?
So after upgrading... my xda2 should be 1.72 WWE and 1.17 radio right?
Thanks for all the updates on your post. Things are getting a bit clearer.

i3oyi3astos said:
dcs,
I am now at step 13
I edited ms_.nba ONLY using the hex editor. The 74th block is set the CDL so i changed it to O2 and put a null value on the 76th block where L of CDL used to be.
WWE remains as WWE. I am about to proceed but just a few questions.
(1)since this is my first upgrade, i need only run this once right?
(2) is ms_.nba the only file i need to edit or i also need to edit the Radio_.nba and NK.nba files?
So after upgrading... my xda2 should be 1.72 WWE and 1.17 radio right?
Thanks for all the updates on your post. Things are getting a bit clearer.
Click to expand...
Click to collapse
(1) As it is your first upgrade, you should only need to run it once, as long as the your device information (retrieved in DeviceData.txt) is already set to the values you want (in your case, O2 and WWE). Two upgrades are required only if the device information is incorrect to start with.
(2) Only the ms_.nba file requires editing with the hex editor.
You can see what versions of OS, Extended ROM, and Radio you are upgrading to in step 14, before you click the Upgrade button.
Hopefully, all should progress OK now

@dcs: This topic is getting better and better.
I would vote to have your info instead on the wiki pages instead of the info that is there now on upgrading.
Because there is a risk of others still wanting to stick to the old info, for starters you may want to setup a new wiki page that is linked to from the old 'upgrade' wiki page.
Its quite simple to create a wiki page, as I have just experienced for a subject on IIWPO.

I have stumbled upon sumthing last night.....
1. Waxx's Rom would make my XDA2 a CDL Device right? (I upgraded without modification of Waxx's ROM)
2. Waxx's ROM uses O2 headers (verified through ER2003edit) and the extra code on MS_.nbf says its CDL
3. If I loaded Waxx's ROM (which I did) it would turn my unit from an O2 to CDL.... correct? I could not verify since my GETDEVICE Data does not work... I dunno why.
4. Here comes the weird part..... I followed your instructions to modify my operator to become O2 again..... (change headers and offset 74).... If I understand it correctly, I should change Waxx's ROM headers from O2 to CDL ( to pass the operator test..am I correct?) and I should change OFFSET 74 to O2... correct?
5. When I tried upgrading.... (all headers = CDL, Offset = O2).... the upgrade failed.... error 120 (country code error...me thinks)....
6. I tried changing all headers to O2 and offset was still set to O2..... tried a second time..... and it worked.... get device data works now.... and it says I have an O2 machine
7. IMO Radio rom 1.17 is better than 1.14..... thanks for your help mr DCS, Mr Waxx, Mr. Gollum

Z-man said:
I have stumbled upon sumthing last night.....
1. Waxx's Rom would make my XDA2 a CDL Device right? (I upgraded without modification of Waxx's ROM)
2. Waxx's ROM uses O2 headers (verified through ER2003edit) and the extra code on MS_.nbf says its CDL
3. If I loaded Waxx's ROM (which I did) it would turn my unit from an O2 to CDL.... correct? I could not verify since my GETDEVICE Data does not work... I dunno why.
4. Here comes the weird part..... I followed your instructions to modify my operator to become O2 again..... (change headers and offset 74).... If I understand it correctly, I should change Waxx's ROM headers from O2 to CDL ( to pass the operator test..am I correct?) and I should change OFFSET 74 to O2... correct?
5. When I tried upgrading.... (all headers = CDL, Offset = O2).... the upgrade failed.... error 120 (country code error...me thinks)....
6. I tried changing all headers to O2 and offset was still set to O2..... tried a second time..... and it worked.... get device data works now.... and it says I have an O2 machine
7. IMO Radio rom 1.17 is better than 1.14..... thanks for your help mr DCS, Mr Waxx, Mr. Gollum
Click to expand...
Click to collapse
I think the error must have been related to the problem with HimaGetDeviceData, because everything you did was correct and your assumptions were also correct. Perhaps the first attempt failed, but at the same time it sorted out the HimaGetDeviceData, and also got as far as setting your device to O2?
Difficult to say what happened exactly, but main thing is you are up and running - Well Done!

Qtek 8500 unlock

Hello,
I need help unlocking (simlocked - pda is working) Qtek 8500 from austrian "ONE" provider. Also, I need to change language (from german to english). Since I am new in this windows based phones, I would appreciate any help u people can provide me...
I cant unlock it online, since I dont have paypal account. My country is not listed.
THANK YOU.
Dejan

Here is CID unlocking procedure, that was posted few days ago by Zone-MR. I have unlocked my Qtek8500 and installed a new ROM version 3.6.251.0. :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like

Still not working...
Thank you damird,
I have done everything as you described. Now I have ROM ver. 3.6.251.0 downoaded from ftp.xda...
But my Qtek is still SIM LOCKED!! When I insert sim card, following message appears:
NETWORK IS LOCKED. PLEASE INPUT UNLOCK CODE.
Please help me with this.

IMEI Check
well, i think you have to use the imei check solution
http://www.imei-check.co.uk/f600unlock.php

Cant use imei check
Imei check will be the problem, since my country is not listed in paypal. Simply cant pay it!
Is there any other option?

Paypal
send me the money, i'll pay for you !!!!!

envelope?
All I can do is to send u the money inside trackable envelope. It is not secure, but if I couldnt find other option, I will do that. THANK YOU! It would be 20 GBP, right?
Please wait week or two in order to find another solution... If not, I will contact you.
Thank you again.

How can I find out the value of DOCID?
How can I find out the value of DOCID? What is DOCID?

damird said:
Here is CID unlocking procedure, that was posted few days ago by Zone-MR. I have unlocked my Qtek8500 and installed a new ROM version 3.6.251.0. :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
Click to expand...
Click to collapse
I cannot edit register to change setup, the access id denied....
How can I unlock my phone? Note it is not branded and it works with all SIM, but if I install a new ROM it refuse it...
thanks for the help

Dead wlan due to erased eeprom? *SOLVED*

Needed tools:
PuTTY ver.6 or above
Plink
Active Sync 4.5
any Hex editor
MTTY1.exe ver 1.11a
Windows PC
SPL 2.30 Olipro
SPL 1.01 MFG pack
SPL 1.10 Oli w/custom RUU
SPL 1.04 w/custom RUU
DUTTY'S Good .NB Tool
Win Rar
Hermes with working wlan
There are steps for the user with the device with the working wlan eeprom, and steps for the user with the device with the corrupted or missing wlan eeprom. Basically what you will be doing is cloning the MAC of a device with a working wlan, editing it, and flashing it to your device with the non-working wlan.
Steps for Working Wlan Device:
You need to get SPL Oli 2.30 (found on the XDA DEV FTP Site in the HERMES/HardSPL folder) on the working device. You can do this by following the downgrading bootloader page at:
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
Assuming you have HardSPL v7 on your device (as most of you have been doing upgrades and downgrades), follow the steps to downgrade to Oli 1.10 then to SPL 1.04, (read and execute carefully)
then use DUTTY'S Good .NB Tool...
http://forum.xda-developers.com/showthread.php?t=296311
...to convert the SPL Oli 2.30 .nb file contained in the .rar you downloaded (use WinRar to extact) to an .nbh file (RUU_signed) THEN flash SPL 2.30 (you can use the same custom RRUwrapper you used to flash to 1.04 by putting it in the same folder, but move the RUU_signed.nbh of 1.04 to another folder first, then put it back when your finished)
Download PuTTY and Plink and copy them into your C:\Windows\Temp folder
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Put your device in bootloader mode and disable USB connections in Active Sync
Connect to the PC and open PuTTY
Click SERIAL, and make the speed 115200, and type \\.\WCEUSBSH001 (all CAPS) in the space for SERIAL LINE (overwrite what is there) or connect with MTTY first...
http://forum.xda-developers.com/download.php?id=9864
... and copy and paste the address into PuTTY then close MTTY. Type HERMES into the space named SAVED SESSIONS and hit SAVE. Hit OPEN. Press ENTER to get a CMD prompt...you will see a green cursor. Type Task 32 and it will return Level=0. Ok, close PuTTY as you have verified that it's working.
Sometimes your device will be seen as \\.\WCEUSBSH002 or \\.\WCEUSBSH003, just use which ever it connects to.
Now the next bit is tricky because you you will do it "blind" as in this mode, Plink does not have local echo so you won't see what you're typing.
Go to START/RUN/CMD
This opens a DOS window. Change directories to C:\Temp and type the following:
plink HERMES > herm1.nb (hit ENTER TWICE) (you will see the new file herm1.nb written in your Temp folder) (notice the spaces before and after the > sign)
Now type the following and hit ENTER (once) after each command:
task 32
password 0000000000000000 (that's 16 zeros)
set 1e 1
rbmc me.txt 500a0000 40000
that will copy the wlan section of the eeprom nand to the file called herm1.nb. You can right click on the file, select properties, and see that it grows to 256k-257k.
When it's done creating the file (to 256k or 257k, you'll see it doesn't get any bigger), press CTRL C in DOS to close plink and it saves the file at 257k size.
Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
Now, since you've basically cloned another's MAC address (already allocated to another device), it's necessary that you change your MAC address ASAP. Instructions on how to do that below:
In the edited herm1.nb file, go to the MAC Address at offset 0001F850 and change the 2nd, 3rd and 4th bytes from the right... (it's your MAC address in reverse), to ANY numbers you like, keeping the same format. This 6 byte sequence is your NEW MAC ADDRESS. The last 3 numbers of the MAC (which appear in opposite order) can be "invented".
You now have the eeprom flash file to be transfered to the non working device...
Steps for Non-working Wlan Device:
Using the methods on MrVanx's downgrading SPL page...
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
...downgrade again to SPL 1.04, then flash SPL 1.01 MFG. When flashing and using SPL 1.01 MFG, some users suggest you only use the version of MTTY that comes with the MFG Pack.
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
Read the full instructions before flashing.
Ok, now that you have verified that you have SPL 1.01 MFG on the device, put in bootloader mode, disable USB connections in Active Sync. Connect the device and open MTTY. Make sure you have copied your herm1.nb file into the same folder as MTTY.
Connect to the device (\\.\WCEUSBSH001)
and hit ENTER to get a CMD prompt
Now type the following:
task 32
password 0000000000000000
set 1e 1
lnb herm1.nb 500a0000 40000
Hitting ENTER after each command.
When it's done, close MTTY and reboot your device and verify that your Wlan is now working...
Then I recommend flashing HardSPL v7 or SPL 2.30 to your device right away (because you know you won't leave your device alone and we don't want you bricking your Hermes, do we?)
BTW, if you want to do a full backup of you FULL eeprom nand at any time, connect as before and type these commands:
plink HERMES > full.nb (hit ENTER twice)
task 32 (hit ENTER once and only once from now on after every command)
password 0000000000000000
set 1e 1
rbmc me.txt 50000000 7fff800
watch your file grow to 128 MB.
If you ever need to flash the entire eeprom nand, just edit it as above so you take out the commands you typed (HTCS-HTCE) and you're good to go...
Thanks go out to Pof and Olipro for doing the initial research on this issue. And also to members Laikos and Panzer who helped tremendously.
Tested on Cingular 8525 Wm6 VP3G modified AT&T rom, and Orange m3100 WM6 cooked rom based on Dopod 3.54.707.3 rom.
*NOTE* Olipro just posted later in this thread
"just to point out guys;
to flash 2.30.Olipro, just convert it into an NBH then run SSPL on your phone and go ahead with the flash, same goes for loading any other SPL, just load SSPL first (or use Custom RUU with the NBH and select force SSPL) the downgrading is unnecessary"
another member (dan1967) suggested that one only have to use SPL 2.60 Oli Hard SPL v9 Developer Edition to do this procedure and one can avoid the upgrading and downgrading of bootloaders...
Member alakentu has translated this method into Spanish. The thread is here:
http://forum.xda-developers.com/showthread.php?t=364751
***DISCLAIMER.....TRY AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR ANY MALFUNCTIONS OR OTHER ISSUES THAT MAY OCCUR.***
For those of you who used my guide to fixing your dead Wlan on Hermes, please feel free to make a donation via paypal if you feel I've helped you in some way. Any amount will be very much appreciated, and I could really use the cash, hee hee, thanks in advance. Just click the PayPal Logo below to donate.

cool !! I try this if i found a phone with no dead wlan

nice.........

It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.

Would it be possible for someone to extract the eeprom file from a working wlan device, "zero-out" the MAC address portion, or replace with 'FF' or some other 'dummy' value, and post this here, so those of us without access to a working device can use to flash our damaged devices?
By "blanking-out" the MAC address in the attached file, you dont risk having your MAC address used by everybody, so there is no "legal" risk, and help us without a working device to fix ours...
Thanks for the solution guys and hopefully you can post the file here for us to use.
Good work !!

Thank you very much for this solution !!!! Great job!
But as said chrisvor, could you post an extract of a working Eeprom for thoose who don't have one please...
Thank you !

drummer,
first of all is to say thanks to you all who put in their time and effort in resolving this problem
so my question is... can you post the file of working wlan bit for us, without that i can't solve this problem... =(

Thanks!!!
Thank you so much for this!!!!
I will try to reviving my X01HT WiFi later!
Great Job!!!!

Someone has repaired his hermes ??

nicoebra said:
Someone has repaired his hermes ??
Click to expand...
Click to collapse
I did. And so did Laikos. Actually, he fixed his about 20 minutes before I did, he is a better editor than I am. Why do you think we did the research? We both had devices with non-working wlans, and now they're working again.
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.

laikos said:
It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.
Click to expand...
Click to collapse
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...

pop20032004 said:
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...
Click to expand...
Click to collapse
How did you come to that conclusion?
All Laikos was suggesting, is you could type in the data, rather than replace the data by "cloning" it from another's device. Once you know the offsets, which you do if you read this technique, it's quite easy, although time consuming. So far, each file we have examined have had the identical wlan signatures, and identical first three numbers of the MAC address. That suggests that HTC was assigned a set of MAC addresses by OUI for their use.
BTW, using SPL 2.30 oli, you can change your backup CID, and model number (Hermes 100, 200, 300, or whatever you want to change it to like "Hermes 911").

Help
I believe that would be better than someone give the instructions detailed for those that they do not have other device to the hand to extract the EEPROM, extract your corrupt EEPROM and edit it.
In my case, live in Mexico city and these devices are extremely rare of seeing by here.
As soon as if someone can help me to obtain the file of a EEPROM will be I thanked what is.

Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
i can't edit file " herm1.nb"
you can guide again or help me to edit my file.

Hello,
Is it normal that my file herm1.nb is rained large that 30Mo at the time of that creation, thank you.
-------------
Edit:I excuse myself I have to make an error the first handling, I succeeded in having the file herm1.nb has 256 Ko (262 ' 439 bytes).
If I do not modify the mac address that you it will occur on the other apparatus, thank you

drummer10630 said:
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.
Click to expand...
Click to collapse
@drummer10630: I do appreciate all your and Laikos efforts to solve this problem and to let the whole community know the method so everybody can fix their devices... however, the reason I asked if anybody could post the file was not a sign of "laziness", rather it is due to the lack of friends who have a TyTN or who want to void their warranty by flashing a non-official bootloader in order to "do me the favor" of extracting their eeprom data.
If any of you guys have extracted the eeprom and you have edited it to include your MAC address, could you please edit a COPY of this file, put "FF" in all the bytes of the MAC address (which is the only thing that "ties" this file to your purchased device and hence yourself), and post it here for us "tytn-friend-less" people to use?
Many thanks for EVERYBODY's efforts in solving this
Thanks and kudos go to Pof and Oli ofcourse, due to whom none of this would be ever possible !!
Chris

I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?

jrp said:
I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?
Click to expand...
Click to collapse
According to the #1 post, you HAVE TO follow the instructions, i.e. downgrading to SPL 1.04, 1.01 MFG, Olipro 2.30, in order to save the eprom from the working device.... no shortcut I'm afraid

I removed the lines 00000000-00000140
But I do not have information with the line 0001F850 and 0001F860 is this normal? , thank you.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Quick question.... Could I dump the WLAN eeprom from a Wizard? Dont think so, but I thought I'd ask since I have a wizard lying around too....

My gf's Star Trek needs help

I got my GF a Qtek 8500 to replace her razor and she likes it, but it has been acting weird.
It doesn't show missed calls or any call history and when you compose a text messege and try to add a recipient there are no contacts.
it has Rom version: 1.02.251.1
help please
Thanks

Here you will find the link for the latest qtek rom:
http://wiki.xda-developers.com/index.php?pagename=HTC_StrTrk
I think this update will solve these problems.

Can someone explain what commands I need to type in the command line to finish my CID unlock. I don't really know the command line very well thanks
Here is what I need to do...
5. Run Command Prompt, go to your temp folder and then into a subfolder named "build" ( IN the folder you extracted ex c:\temp). Run pdocread without arguments.
6. Note the value of "uniqueid" produced. It will be something like: 00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54
7. Run pdocread again with these arguments: pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb This will create a "original-bdk1.nb" file in the build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID It will open a new page after few seconds. Go to the bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to the "build" folder.
10. Run pdocwrite from command prompt again but with these arguments: pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000 Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.

Okay, I ran the commands with the arguments that were needed and it made the file that in need in the "Build" folder, but when I try to upload it to http://www.spv-developers.com/strtrkCID/ and put in my DOCID it does nothing....
Apparently it is soppsed to give me a file to download, but it just clears out and does nothing.
What do I do?

Error [244] : Invalid model id

Hello
Please help me return the model number,
cause when I try to change my rom I always get the same error Error [244] : Invalid model id.
Now I have
some strange symbols in bootloader.
This appeared after I'd tryed to change mac using mtty, as I have created bin file for SPL 1.xx
Please help me

Hi,
You need to carry out the instructions to the letter in post 33 HERE and it will sort your problem, read it all very careful, its easy to make a mistake if you're not paying attention.
regards
Jay

Thanks Jay.
It works again.

You're welcome, glad it helped
Regards
Jay

here's an experimental program I made to make the process more automatic so users can fix their own wifi without our help.
this is good for both corrupt modelid and corrupt wifi, and fixes both at the same time.
STEP BY STEP:
1. download attachment at the end of the post for mac1.exe (requires .net 2.0 installed on the PC)
2. you will also need to download the other attachment in this post for the mtty program.
3. enter bootloader (tricolour screen) manually by pressing and holding camera button all the way in (yes I mean that, press it in as hard as you can!!), while doing a reset, then keep the camera button held until you see the tricolour screen.
4. disable USB in activesync (wmdc if you have vista - in this case, do not kill wmdc, just disable usb in it!!!)
5. run mtty and select USB option from the dropdown box!
6. then press enter in main window that comes up, see if that gives you Cmd>
7. now you should have Cmd>, if not, re-check if you did the above steps right until you get Cmd>
8. now run the mac1.exe, type in your MAC address you want to use for the Athena, if you have SPL 3.xx reported on the tricolour screen, then use the button for SPL 3.xx, otherwise if you have SPL 1.xx reported, use button for 1.xx.
9. this should have generated a .bin file for you, copy that bin file in the folder of mtty.
10. now, in mtty, type (do not copypaste!) this command: task 32
11. this should return Level = 0
12. now, you must only do one of the two following commands:
- if you have SPL 3.xx, then type (do not copypaste!!) this command: lnb filename.bin 76508000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
- OR, if you have SPL 1.xx, then the command is different (do not copypaste!!): lnbs filename.bin 75108000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
NOTE, the command starts with a lowercase "L", not "I"!
WARNING: PLEASE DO NOT MIX UP THESE TWO DIFFERENT COMMANDS!!!
if this info helps: most people will have SPL 3.xx, and if you have AP4 (not vanilla) already running then you're definitely 3.xx
13. mtty will popup a window asking "OK", you press OK!
if you get "Fail to synchronize with the host (1)", then make sure you did follow step by step. if still same error, try placing mtty and the bin file under C:\.
14. now the file downloads, if mtty reports it flashed the file, and at the end "code entrypoint unknown", then that's it, now boot back to WM and see if wifi works.
edit: see raskell's mtty tutorial too, #36. post in this thread
if you *really* can't manage to get it working, you can still feel free to PM me.
let me know if this program and step by step description helped any.
Attached Files
File Type: zip mac1.zip (6.3 KB, 2125 views)
File Type: zip mtty_0513_Test.zip (553.9 KB, 2613 views)

Ameo
Pfff i have tried everthing what i could find and nothing works. i managed to get the driver working from usb on windows 7 but it keeps showing the bootloader! with some strange marks. i flashed it with 1.2 Olipro and im afraid it will never work again any suggestions left?
Greetings