Needed tools:
PuTTY ver.6 or above
Plink
Active Sync 4.5
any Hex editor
MTTY1.exe ver 1.11a
Windows PC
SPL 2.30 Olipro
SPL 1.01 MFG pack
SPL 1.10 Oli w/custom RUU
SPL 1.04 w/custom RUU
DUTTY'S Good .NB Tool
Win Rar
Hermes with working wlan
There are steps for the user with the device with the working wlan eeprom, and steps for the user with the device with the corrupted or missing wlan eeprom. Basically what you will be doing is cloning the MAC of a device with a working wlan, editing it, and flashing it to your device with the non-working wlan.
Steps for Working Wlan Device:
You need to get SPL Oli 2.30 (found on the XDA DEV FTP Site in the HERMES/HardSPL folder) on the working device. You can do this by following the downgrading bootloader page at:
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
Assuming you have HardSPL v7 on your device (as most of you have been doing upgrades and downgrades), follow the steps to downgrade to Oli 1.10 then to SPL 1.04, (read and execute carefully)
then use DUTTY'S Good .NB Tool...
http://forum.xda-developers.com/showthread.php?t=296311
...to convert the SPL Oli 2.30 .nb file contained in the .rar you downloaded (use WinRar to extact) to an .nbh file (RUU_signed) THEN flash SPL 2.30 (you can use the same custom RRUwrapper you used to flash to 1.04 by putting it in the same folder, but move the RUU_signed.nbh of 1.04 to another folder first, then put it back when your finished)
Download PuTTY and Plink and copy them into your C:\Windows\Temp folder
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Put your device in bootloader mode and disable USB connections in Active Sync
Connect to the PC and open PuTTY
Click SERIAL, and make the speed 115200, and type \\.\WCEUSBSH001 (all CAPS) in the space for SERIAL LINE (overwrite what is there) or connect with MTTY first...
http://forum.xda-developers.com/download.php?id=9864
... and copy and paste the address into PuTTY then close MTTY. Type HERMES into the space named SAVED SESSIONS and hit SAVE. Hit OPEN. Press ENTER to get a CMD prompt...you will see a green cursor. Type Task 32 and it will return Level=0. Ok, close PuTTY as you have verified that it's working.
Sometimes your device will be seen as \\.\WCEUSBSH002 or \\.\WCEUSBSH003, just use which ever it connects to.
Now the next bit is tricky because you you will do it "blind" as in this mode, Plink does not have local echo so you won't see what you're typing.
Go to START/RUN/CMD
This opens a DOS window. Change directories to C:\Temp and type the following:
plink HERMES > herm1.nb (hit ENTER TWICE) (you will see the new file herm1.nb written in your Temp folder) (notice the spaces before and after the > sign)
Now type the following and hit ENTER (once) after each command:
task 32
password 0000000000000000 (that's 16 zeros)
set 1e 1
rbmc me.txt 500a0000 40000
that will copy the wlan section of the eeprom nand to the file called herm1.nb. You can right click on the file, select properties, and see that it grows to 256k-257k.
When it's done creating the file (to 256k or 257k, you'll see it doesn't get any bigger), press CTRL C in DOS to close plink and it saves the file at 257k size.
Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
Now, since you've basically cloned another's MAC address (already allocated to another device), it's necessary that you change your MAC address ASAP. Instructions on how to do that below:
In the edited herm1.nb file, go to the MAC Address at offset 0001F850 and change the 2nd, 3rd and 4th bytes from the right... (it's your MAC address in reverse), to ANY numbers you like, keeping the same format. This 6 byte sequence is your NEW MAC ADDRESS. The last 3 numbers of the MAC (which appear in opposite order) can be "invented".
You now have the eeprom flash file to be transfered to the non working device...
Steps for Non-working Wlan Device:
Using the methods on MrVanx's downgrading SPL page...
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
...downgrade again to SPL 1.04, then flash SPL 1.01 MFG. When flashing and using SPL 1.01 MFG, some users suggest you only use the version of MTTY that comes with the MFG Pack.
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
Read the full instructions before flashing.
Ok, now that you have verified that you have SPL 1.01 MFG on the device, put in bootloader mode, disable USB connections in Active Sync. Connect the device and open MTTY. Make sure you have copied your herm1.nb file into the same folder as MTTY.
Connect to the device (\\.\WCEUSBSH001)
and hit ENTER to get a CMD prompt
Now type the following:
task 32
password 0000000000000000
set 1e 1
lnb herm1.nb 500a0000 40000
Hitting ENTER after each command.
When it's done, close MTTY and reboot your device and verify that your Wlan is now working...
Then I recommend flashing HardSPL v7 or SPL 2.30 to your device right away (because you know you won't leave your device alone and we don't want you bricking your Hermes, do we?)
BTW, if you want to do a full backup of you FULL eeprom nand at any time, connect as before and type these commands:
plink HERMES > full.nb (hit ENTER twice)
task 32 (hit ENTER once and only once from now on after every command)
password 0000000000000000
set 1e 1
rbmc me.txt 50000000 7fff800
watch your file grow to 128 MB.
If you ever need to flash the entire eeprom nand, just edit it as above so you take out the commands you typed (HTCS-HTCE) and you're good to go...
Thanks go out to Pof and Olipro for doing the initial research on this issue. And also to members Laikos and Panzer who helped tremendously.
Tested on Cingular 8525 Wm6 VP3G modified AT&T rom, and Orange m3100 WM6 cooked rom based on Dopod 3.54.707.3 rom.
*NOTE* Olipro just posted later in this thread
"just to point out guys;
to flash 2.30.Olipro, just convert it into an NBH then run SSPL on your phone and go ahead with the flash, same goes for loading any other SPL, just load SSPL first (or use Custom RUU with the NBH and select force SSPL) the downgrading is unnecessary"
another member (dan1967) suggested that one only have to use SPL 2.60 Oli Hard SPL v9 Developer Edition to do this procedure and one can avoid the upgrading and downgrading of bootloaders...
Member alakentu has translated this method into Spanish. The thread is here:
http://forum.xda-developers.com/showthread.php?t=364751
***DISCLAIMER.....TRY AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR ANY MALFUNCTIONS OR OTHER ISSUES THAT MAY OCCUR.***
For those of you who used my guide to fixing your dead Wlan on Hermes, please feel free to make a donation via paypal if you feel I've helped you in some way. Any amount will be very much appreciated, and I could really use the cash, hee hee, thanks in advance. Just click the PayPal Logo below to donate.
cool !! I try this if i found a phone with no dead wlan
nice.........
It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.
Would it be possible for someone to extract the eeprom file from a working wlan device, "zero-out" the MAC address portion, or replace with 'FF' or some other 'dummy' value, and post this here, so those of us without access to a working device can use to flash our damaged devices?
By "blanking-out" the MAC address in the attached file, you dont risk having your MAC address used by everybody, so there is no "legal" risk, and help us without a working device to fix ours...
Thanks for the solution guys and hopefully you can post the file here for us to use.
Good work !!
Thank you very much for this solution !!!! Great job!
But as said chrisvor, could you post an extract of a working Eeprom for thoose who don't have one please...
Thank you !
drummer,
first of all is to say thanks to you all who put in their time and effort in resolving this problem
so my question is... can you post the file of working wlan bit for us, without that i can't solve this problem... =(
Thanks!!!
Thank you so much for this!!!!
I will try to reviving my X01HT WiFi later!
Great Job!!!!
Someone has repaired his hermes ??
nicoebra said:
Someone has repaired his hermes ??
Click to expand...
Click to collapse
I did. And so did Laikos. Actually, he fixed his about 20 minutes before I did, he is a better editor than I am. Why do you think we did the research? We both had devices with non-working wlans, and now they're working again.
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.
laikos said:
It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.
Click to expand...
Click to collapse
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...
pop20032004 said:
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...
Click to expand...
Click to collapse
How did you come to that conclusion?
All Laikos was suggesting, is you could type in the data, rather than replace the data by "cloning" it from another's device. Once you know the offsets, which you do if you read this technique, it's quite easy, although time consuming. So far, each file we have examined have had the identical wlan signatures, and identical first three numbers of the MAC address. That suggests that HTC was assigned a set of MAC addresses by OUI for their use.
BTW, using SPL 2.30 oli, you can change your backup CID, and model number (Hermes 100, 200, 300, or whatever you want to change it to like "Hermes 911").
Help
I believe that would be better than someone give the instructions detailed for those that they do not have other device to the hand to extract the EEPROM, extract your corrupt EEPROM and edit it.
In my case, live in Mexico city and these devices are extremely rare of seeing by here.
As soon as if someone can help me to obtain the file of a EEPROM will be I thanked what is.
Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
i can't edit file " herm1.nb"
you can guide again or help me to edit my file.
Hello,
Is it normal that my file herm1.nb is rained large that 30Mo at the time of that creation, thank you.
-------------
Edit:I excuse myself I have to make an error the first handling, I succeeded in having the file herm1.nb has 256 Ko (262 ' 439 bytes).
If I do not modify the mac address that you it will occur on the other apparatus, thank you
drummer10630 said:
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.
Click to expand...
Click to collapse
@drummer10630: I do appreciate all your and Laikos efforts to solve this problem and to let the whole community know the method so everybody can fix their devices... however, the reason I asked if anybody could post the file was not a sign of "laziness", rather it is due to the lack of friends who have a TyTN or who want to void their warranty by flashing a non-official bootloader in order to "do me the favor" of extracting their eeprom data.
If any of you guys have extracted the eeprom and you have edited it to include your MAC address, could you please edit a COPY of this file, put "FF" in all the bytes of the MAC address (which is the only thing that "ties" this file to your purchased device and hence yourself), and post it here for us "tytn-friend-less" people to use?
Many thanks for EVERYBODY's efforts in solving this
Thanks and kudos go to Pof and Oli ofcourse, due to whom none of this would be ever possible !!
Chris
I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?
jrp said:
I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?
Click to expand...
Click to collapse
According to the #1 post, you HAVE TO follow the instructions, i.e. downgrading to SPL 1.04, 1.01 MFG, Olipro 2.30, in order to save the eprom from the working device.... no shortcut I'm afraid
I removed the lines 00000000-00000140
But I do not have information with the line 0001F850 and 0001F860 is this normal? , thank you.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Quick question.... Could I dump the WLAN eeprom from a Wizard? Dont think so, but I thought I'd ask since I have a wizard lying around too....
Related
I'm truly sorry about the delay.
I've finally got round to posting a a STAR100 SuperCID guide.
1. Get itsutils: http://www.xs4all.nl/~itsme/projects/xda/tools.html
2. Run pdocread.exe with no args. Take a note of the "uniqueid" value.
3. Run "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb" - you'll get a file.
4. Head over to http://www.spv-developers.com/strtrkCID/. Feed it the DOCID and the file you got from steps 2 and 3. It'll give you back anoter file.
5. Run "pdocwrite -n 1 patchedfile.bin 0x000000 0x10000 -b 0x4000" where patchedfile.bin is obviously to be replaced with the patched file you got from step 4.
6. There is no 6. Report feedback.
Click to expand...
Click to collapse
All credit goes to itsme - he wrote all the tools and scripts which made all this possible.
Spawning script: perl startrek_cidedit.pl cid1e62995dd1db197b00b697388760b5e3.bin -i DOPOD601 -c 11111111 -o supercid1e62995.bin 2>&1
decrypting
bufend=44bdd4609845fd0931a871b4a31ddba42d4b96386f9 e9c5dff947c035432fc15
result=b2c7c4eede400853eb232eba436f394b3d75a9adf4c e9a1e452b26ea9059dc59
sha64k=8a7e3a8462b8c851ac125710d44abc05da4916f215e 331f98420db7ae5d87a5d
buffer checksum failed
why ?
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Fantastic !!! Working Ok on SPV F600. Now, we need how to simunlock this smartphone.
Thank you very much Zone Mr.
i run pdocread in step 1 and got a dos screen that desaper in a second,and were i find the file in step 2.
Zone-MR said:
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Click to expand...
Click to collapse
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
wlinsong said:
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
Click to expand...
Click to collapse
i know how to do,thank Zone-MR very very much
is there someone know how to flash rom use T-flash Card?
someone can't get the docid ,because you must use the old one!
I tried to do first step but when I ran pdocread.exe I get the following message :
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.
I've app-unlocked my device, activesync works ok, and restarting does not help. Phone is Qtek8500.
Any ideas?
Thanks
Is the script to calculate CID area for startrek available?
I think this should use the same method on Artemis or Herald, the problem is that they have G4 DOC and we'll not be able to use pdocwrite, but on those phones we're already able to place a hacked SPL in mem with psetmem.exe and jump into it's address with modified haret version. If we have the right CID area we can use the hacked SPL to flash it.
sorry for the ignorance...
I have downloaded itsutils but where is the dpocread.exe??
do I have to connect to the device with the mtty??
Maybe a bit more explanation
I've CID unlocked my Qtek 8500 and installed new ROM 3.6.251.0. Thanks Zone, great work!
Maybe it would be useful to write more detailed instructions, so here it is :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like
It works! I've got now 3.6.251.0_02.67.30 on my Qtek!
Thank's, damird, your guide is unreplaceble for such lamers like me
But maybe anyone can suggest me were can i find and how to install (if it possible) Russian t9 or only russian lang to input? Or maybe how to rollback to original ROM with this that lang... (1.02.261.1)
Thank's
added:
Problem's gone, Russian T9 added.
Damird!
Cheers mate
Hello, can you share with us this script to calculate CID area in StarTrek?
With this script we can SimUnlock the StarTrek very easy (at least I think...)
Thank you very much.
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
wow, pof, I can't wait for it! i had bought one herald in China but wireless was disable by default. I hope I could unlock the CID and get a WWE rom to enable the wireless.
sokelut said:
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
Click to expand...
Click to collapse
Correct, you still need to pay to carrier unlock the phone. Check the wiki for links to a few services that are known to work.
CID unlock? Error installing ROM
I'm getting an ERROR [294] INVALID VENDER ID
I did the CID unlock
It starts to install the rom but when it gets to 4% I get this error. How do i fix this?
Can anyone help?!
Need a little clarification
Im stuck in steps 3-11. I've downloaded itsutils and I don't know how to proceed.
Hello,
i try to flash bootloader 1.01 mfg according to http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
It hangs after
USB> lnbs SPL-1.01.nbs 50020000
...
start NB image download
According to other threads this behavior exists if mtty can not find the file. But the file is in the same directory as mtty.
Does anybody has an idea what is wrong?
Thanks
Andreas
did you do the "Task 32" first? and if you did did you get "Level = 00"
yes, but i only one 0
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
i got some output at this point, but i cannot remember exactly
???
? 50020000
? 00000000
????
The last line was: start NB image download
My device is SuperCID. SPL 1.09
there's your problem then; you need SPL-1.04.
I suggest you load Hard-SPL and try again...
also, might I heartily recommend that instead you download my MFG pack and use SSPL with 1.01 rather than flash it to your device... or at least use my patched 1.01 (create an NBH)
I get that message whenever I do not type the name of the file correctly, like for example, sp1-1.01.nbs instead of spL-1.01.nbs (the latter being the correct spelling). Just my two cents..
I had 1.09 before, coz I updated with full RUU versions of roms (like 2.06.502.3 cingy or 2.05.255.1 HTC), and I had no problem to downgrade to 1.01 MFG and now to 1.01 oli... I also used mtty, device was supercid, used commands was
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
USB> task 8
If I remember correctly, task 8 automatically SW reset herm... maybe I am lucky one?
take a look at your mtty icon. Does it say MFC or does it look like a serial connector. If it says MFC then you have the wrong version of mtty.
my guess: it says "MFC"
Thanks for all your answers. At the moment a'm at work and cannot try your suggestions.
But i have some further questions:
>olipro: there's your problem then; you need SPL-1.04.
According to the wiki:
"This is a very special bootloader which can be flashed in any bootloader version BUT to flash it your Hermes must be SuperCID first..."
...can be flashed in any bootloader... what does this mean? i thougt i can flash it from 1.09. sinmae was able to do it. (or did i miss something)
>crazyut: wrong file name
i checked this several times. i typed the right name, but i do not now whats the working directory of mtty. i put the nb-file in the same directory as mtty and startet mtty from a dos-prompt. so this should be ok.
>Sleuth255: wrong version of mtty
i tried to investigate this yesterday. somebody said he has version 1.11a. i have version 0.01. it says MFS. so this should be the problem. but this is the version from the wiki:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
http://wiki.xda-developers.com/uploads/mtty.exe
where can i get the right version? (at google i found mttty (3 t))
Thank
Andreas
Use the mtty.exe included in this pack, mtty and nbs file in the same dir.
Sensation !!!!
We have found a method to restore dead Boot for
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
We found JTAG and developed the recovery technology!
FAQ is translating from Russian and will be written.
Autor's Alex_Beda & 1stMASTER
--------------------------------------
Manual to restore dead BootLoader
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
© Copyright to Alex_Beda & 1stMASTER
PDA-HACK.NET Team http://pda-hack.net
If our article has helped you, you can donate the Web Money
WMID 378286389551
for WMZ: Z396747110007
for WME: E114645323227
for WMR: R351032339900
Thanks to all who helped.
Thanks to Winterice for the technical assistance and moral support.
Thanks to ant 125 for useful information
Thanks to Allbest, deniska.75, Borozavr, Erke for moral support.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
This procedure consists of two parts.
Hardware (making cable for reflashing) and software (reflashing).
Hardware part:
This pinouts JTAG of Atom Exec, Rover G5, Orsio n725, O2 Atom, O2 Atom Exec
At O2 Atom (not Exec) is the only internal contacts. Located near the Camera button.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
There are contacts inside the device, near the buttons CAMERA,
for access them, you need to open device.
There are contacts from the outside, near the SIM connector.
All contacts is working
For inside contacts need this connector
http://i218.photobucket.com/albums/cc23/alex_beda/raz012.jpg
You can so using connector from floppy drive 5.25”. (autor vic180)
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0267-.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0262-.jpg
LPT connector for PC
http://i218.photobucket.com/albums/cc23/alex_beda/LPT1.jpg
Cable length of a 35-40 sm
This connector for outside contacts
Result connector from connector for floppy drive 5.25"
http://i218.photobucket.com/albums/cc23/alex_beda/raz1.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/raz3.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vid2.jpg
for fixation connector need make this
Or other
http://i218.photobucket.com/albums/cc23/alex_beda/kreplenie.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidkrepl.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidobsh.jpg
Software part.
[url]http://wiki.xda-developers.com/uploads/RepairBootLoader.zip[/URL]
In attached file is the programm JFlashmm,
in the same directory BOOTLOADER from АТОМ ЕХЕС (ebo_a.nb0) from First Firmware,
and driver the giveio needed for working cable.
If you have O2 Atom (not ЕХЕС), it must be in the folder jflash_mm Deleted file ebo_a.nb0,
copyng the file boot.nb0 from O2 Atom firmware in the jflash_mm folder and renaming this file in ebo_a.nb0.
Before connecting LPT connector , you want to press and hold
micro button near to the sim connector.
http://i218.photobucket.com/albums/cc23/alex_beda/knopka.jpg
For example: sticker on the button.
Ground from LPT connector, connecting on ground the device
(using the crocodile connector)
http://i218.photobucket.com/albums/cc23/alex_beda/ground.jpg
Connect cable to LPT port of PC.
Connect charge to the device
Orange LED is blinking.
If LED not blinking,
Check pressed the micro button.
check fixation the button.
Installing the driver giveio from attached file.
Now you can restore BootLoader.
BootLoader needs to be restored in two places.
Need boot flashing to adress 0 and address 3f400.
In folder jflash_mm there is a file start.bat.
Inside this file:
jflashmm pxa27x32 ebo_a.nb0 P 0 PAR
jflashmm pxa27x32 ebo_a.nb0 P 3F40000 PAR
So file ebo_a.nb0 (boot from атом exec) will be flashing in two places,
To adress 0 and adress 3f40000, data send to parallel port.
Execute start.bat, if all right , you correct making cable,
it must detect processor.
If message screen on "file *.DAT not find", press Soft Reset.
the program will ask you «bla-bla-bla» Y/N? Press Y
-------
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.002
PXA27x revision ??
Found flash type: 28F256L18B
Unlocking block at address 0
Erasing block at address 0
Unlocking block at address 10000
Erasing block at address 10000
Unlocking block at address 20000
Erasing block at address 20000
Unlocking block at address 30000
Erasing block at address 30000
Unlocking block at address 40000
Erasing block at address 40000
Starting programming
Using BUFFER programming mode...
Writing flash at hex address 3fe80, 99.85% done
Programming done
Starting Verify
Verifying flash at hex address 3ff68, 99.94% done
Verification successful!
------------
So too for the second time in firmware to address 3f4000
You can disconnect charger and cable.
Enter bootloader :
Press Camera button, insert battery and press Soft Reset.
If everything was done correctly, it bootloader is running!!!
Now, as usual (almost)
Connect the device to PC.
Run update firmware for you device.
Must go update firmware.
If all right, it .......
Operation system update, bootloader update,
Running update ExtROM, but, it should freezes at 6 %!!!!
Disconnect usb cable from device, Enter Hard Reset!!!
Device must switch on, calibrating touch screen etc.
Run again update firmware for you device.
© Copyright to Alex_Beda & 1stMASTER
Also, you might want to list the hardware we need so we can go look for it.
Ultimate Chicken said:
Also, you might want to list the hardware we need so we can go look for it.
Click to expand...
Click to collapse
Need 4 resistors 100 Om, LPT connector and
old cable for the floppy drive 5.25 ".
This is a great fine. Once you have finalized this one. Please post it in the WIKI. I have constantly updated it with relevant information for our device.
Coola
thnx for this guys....i didnt flash my atom yet because i was afraid of the boot loader problems i ve read in here.now there is no need to worry
greekfragma said:
Coola
thnx for this guys....i didnt flash my atom yet because i was afraid of the boot loader problems i ve read in here.now there is no need to worry
Click to expand...
Click to collapse
The Atom never had a problem with the bootloader. Its the Atom Exec that has it. Also, the solution the common problems with the Atom upgrading has been posted in the Wiki already.
thnx for the fast reply jiggs and sorry for the mis-writing of my post......i have atom exec and i wrote atom just to shorten my post.sorry again for the mess
keep walking mate.u are doing marvelous job in here
oh finally there's solution..i have a dead bootloader o2 ATOM..and service center said i have to replace my BOARD..and it will cost a lot..
keep it up..bro..
thankz..
-=[serialzs]=-
I dont have the O2 Atom and I dont access to the O2 Atom.
The technology will be one, but other pinouts contact (may be)
The time is dancing!!!
Tehnology is working on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725.
TESTED !!!
Nice to hear
See
http://wiki.xda-developers.com/index.php?pagename=HTC_Atom
Problems (Read here before posting on Forum):
Dead Boot Loader on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725
Manual to restore dead BootLoader
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
© Copyright to Alex_Beda & 1stMASTER
Thanks to all who helped.
Thanks to Winterice for the technical assistance and moral support.
Thanks to ant 125 for useful information
Thanks to Allbest, deniska.75, Borozavr, Erke for moral support.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
This procedure consists of two parts.
Hardware (making cable for reflashing) and software (reflashing).
Hardware part:
This pinouts JTAG of Atom Exec, Rover G5, Orsio n725, O2 Atom, J2 Atom Exec
At O2 Atom (not Exec) is the only internal contacts. Located near the Camera button.
There are contacts inside the device, near the buttons CAMERA,
for access them, you need to open device.
There are contacts from the outside, near the SIM connector.
All contacts is working
For inside contacts need this connector
http://i218.photobucket.com/albums/cc23/alex_beda/raz012.jpg
You can so using connector from floppy drive 5.25”. (autor vic180)
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0267-.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0262-.jpg
LPT connector for PC
http://i218.photobucket.com/albums/cc23/alex_beda/LPT1.jpg
Cable length of a 35-40 sm
This connector for outside contacts
Result connector from connector for floppy drive 5.25"
http://i218.photobucket.com/albums/cc23/alex_beda/raz1.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/raz3.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vid2.jpg
for fixation connector need make this
Or other
http://i218.photobucket.com/albums/cc23/alex_beda/kreplenie.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidkrepl.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidobsh.jpg
Software part.
[url]http://wiki.xda-developers.com/uploads/RepairBootLoader.zip[/URL]
In attached file is the programm JFlashmm,
in the same directory BOOTLOADER from АТОМ ЕХЕС (ebo_a.nb0) from First Firmware,
and driver the giveio needed for working cable.
If you have O2 Atom (not ЕХЕС), it must be in the folder jflash_mm Deleted file ebo_a.nb0,
copyng the fileeboot.nb0 from O2 Atom firmware in the jflash_mm folder and renaming this file in ebo_a.nb0.
Before connecting LPT connector , you want to press and hold
micro button near to the sim connector.
http://i218.photobucket.com/albums/cc23/alex_beda/knopka.jpg
For example: sticker on the button.
Ground from LPT connector, connecting on ground the device
(using the crocodile connector)
http://i218.photobucket.com/albums/cc23/alex_beda/ground.jpg
Connect cable to LPT port of PC.
Connect charge to the device
Orange LED is blinking.
If LED not blinking,
Check pressed the micro button.
check fixation the button.
Installing the driver giveio from attached file.
Now you can restore BootLoader.
BootLoader needs to be restored in two places.
Need boot flashing to adress 0 and address 3f400.
In folder jflash_mm there is a file start.bat.
Inside this file:
jflashmm pxa27x32 ebo_a.nb0 P 0 PAR
jflashmm pxa27x32 ebo_a.nb0 P 3F40000 PAR
So file ebo_a.nb0 (boot from атом exec) will be flashing in two places,
To adress 0 and adress 3f40000, data send to parallel port.
Execute start.bat, if all right , you correct making cable,
it must detect processor.
If message screen on "file *.DAT not find", press Soft Reset.
the program will ask you «bla-bla-bla» Y/N? Press Y
-------
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.002
PXA27x revision ??
Found flash type: 28F256L18B
Unlocking block at address 0
Erasing block at address 0
Unlocking block at address 10000
Erasing block at address 10000
Unlocking block at address 20000
Erasing block at address 20000
Unlocking block at address 30000
Erasing block at address 30000
Unlocking block at address 40000
Erasing block at address 40000
Starting programming
Using BUFFER programming mode...
Writing flash at hex address 3fe80, 99.85% done
Programming done
Starting Verify
Verifying flash at hex address 3ff68, 99.94% done
Verification successful!
------------
So too for the second time in firmware to address 3f4000
You can disconnect charger and cable.
Enter bootloader :
Press Camera button, insert battery and press Soft Reset.
If everything was done correctly, it bootloader is running!!!
Now, as usual (almost)
Connect the device to PC.
Run update firmware for you device.
Must go update firmware.
If all right, it .......
Operation system update, bootloader update,
Running update ExtROM, but, it should freezes at 6 %!!!!
Disconnect usb cable from device, Enter Hard Reset!!!
Device must switch on, calibrating touch screen etc.
Run again update firmware for you device.
© Copyright to Alex_Beda & 1stMASTER
serialzs said:
oh finally there's solution..i have a dead bootloader o2 ATOM..and service center said i have to replace my BOARD..and it will cost a lot..
keep it up..bro..
thankz..
-=[serialzs]=-
Click to expand...
Click to collapse
hey brother, i was in the same shoes as yours a few days ago.
had a dead bootloader since i upgraded using SD card...
there is a slight chance you can revive your atom this way (which i revived mine)
unplug the battery for a few days - then when you plug the battery in, observe the power light and the hangup button, see if it has a very quick red flash. if it does, you might be in luck.
now, hold the action button (circle button in the middle) and keep plugging and unplugging the battery in the atom. do the same on the power button and the camera button. mine worked with the action button, and it booted into the bootloader menu again!
now im flashing the original rom in the unit =)
How much can be explained?
My method is available for dead bootloader.
Absolutely dead bootloader.
(full erased, flashing the not correct file etc)
kazuni
You message - offtop and flud.
Read forums.
Read documentations.
You bootloader IS NOT DEAD!
If bootloader is dead, this programm is not correct (or no programm) in the ROM.
Programm not working.
Not enter in bootloader.
Flashing with SD card impossible.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
Click to expand...
Click to collapse
wow . thanks . although my xda atom never bricked but I'm happy that it will never happend. with your method we never see bricked atom again
alex_beda said:
How much can be explained?
My method is available for dead bootloader.
Absolutely dead bootloader.
(full erased, flashing the not correct file etc)
kazuni
You message - offtop and flud.
- #1 i am not replying your topic, i am merely helping the others and see if my method works.
Read forums.
-duh, who wouldn't read the forum.
Read documentations.
You bootloader IS NOT DEAD!
i didn't say my bootloader is dead or not dead.
If bootloader is dead, this programm is not correct (or no programm) in the ROM.
Programm not working.
Not enter in bootloader.
Flashing with SD card impossible.
Click to expand...
Click to collapse
i am just replying another person, if you have not noticed, i specifically quoted his post, not YOUR thread.
kazuni said:
i am just replying another person, if you have not noticed, i specifically quoted his post, not YOUR thread.
Click to expand...
Click to collapse
Sorry if you are offended
But your method apply for only not absolutely dead bootloader.
if bootloader is absolutely dead -
Not enter in bootloader.
Flashing with SD card impossible.
Device is dead.
Only replace board in Service center,
or reflashing with JTAG.
Is this applicable to Atom Life? I have tried but I got this error:
C:\Boot\JFlash_MM>start.bat
C:\Boot\JFlash_MM>jflashmm pxa27x32 ebo_a.nb0 N 0 PAR
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.001
PXA27x revision ??
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: FFFF
Lower half reads: 0
Failed to read the Flash ID. Retrying 4 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 3 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 2 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 1 more times...
Failed to read the Flash ID. Retrying 0 more times...
Cannot open input file: Flash_0_2_32.dat
This program supports flash devices defined by DAT files
contained in the same directory as the executable program.
If the file cannot be opened, there are four possibilities:
1 - The flash device installed is not supported.
2 - The flash device is a licensed product.
3 - The device ID could not be read, resulting in a poorly
constructed filename. The first numeric value in the
filename is the device ID. Verify this value with the
component specification.
4 - The memory bus is not functional. Check all CPLD and FPGA
devices. Make sure that you are using the correct
platform data file.
Mr. Jiggs... Kabayan. Is there any service center of O2 Atom in the Philippines, my atom life is dead due to SD card upgrade. I am here in KSA where the services is not available. Thanks.
Can I use it for PROPHET!!
alex_beda said:
Sensation !!!!
We have found a method to restore dead Boot for
Atom Exec, Rover G5, Orsio n725, and may be Atom (Atom may be, not tested).
We found JTAG and developed the recovery technology!
FAQ is translating from Russian and will be written.
Autor's Alex_Beda & 1stMASTER
Please wait 1-3 days.
Click to expand...
Click to collapse
Hey Buddy
I know its foolish on my part but can I use this method on my o2 Neo --prophet
It does not boot at all.Al that I get when I put it to wall charger is a ORANGE LED which even remains when I remove the Batt..
Soe time again it diapperars.In either cases the area near the USB tends to get very very HOT.
Sometimes I feel it will just bust because of this heat!!
Pls do reply
Ok guys,
i think i'm in a sort of big trouble. I got SPL1.2, i was installing this Miky ROM and then at 91% Windows Mobile Device Center crashed on my pc. Now what i have is a 7500 booting with strange lines on the screen and then fading to white. I tried to pull out the battery and then to recover but nothing is working. I broke my 7500??? Why God is never here when i need him???
See if you can get into bootloader (tri color screen) if you can flash a factory rom. Have a look here, you should find what you need or a link to the needed resources http://forum.xda-developers.com/showthread.php?t=429013
Cheers
BR
***Why You Try This !!!___carefully step by step !!!!!!!!
cmonex
Senior Member Join Date: Jul 2006
Location: Budapest
Posts: 2,314
--------------------------------------------------------------------------------
here's an experimental program I made to make the process more automatic so users can fix their own wifi without our help.
this is good for both corrupt modelid and corrupt wifi, and fixes both at the same time.
STEP BY STEP:
1. download attachment at the end of the post for mac1.exe (requires .net 2.0 installed on the PC)
2. you will also need to download the other attachment in this post for the mtty program.
3. enter bootloader (tricolour screen) manually by pressing and holding camera button all the way in (yes I mean that, press it in as hard as you can!!), while doing a reset, then keep the camera button held until you see the tricolour screen.
4. disable USB in activesync (wmdc if you have vista - in this case, do not kill wmdc, just disable usb in it!!!)
5. run mtty and select USB option from the dropdown box!
6. then press enter in main window that comes up, see if that gives you Cmd>
7. now you should have Cmd>, if not, re-check if you did the above steps right until you get Cmd>
8. now run the mac1.exe, type in your MAC address you want to use for the Athena, if you have SPL 3.xx reported on the tricolour screen, then use the button for SPL 3.xx, otherwise if you have SPL 1.xx reported, use button for 1.xx.
9. this should have generated a .bin file for you, copy that bin file in the folder of mtty.
10. now, in mtty, type (do not copypaste!) this command: task 32
11. this should return Level = 0
12. now, you must only do one of the two following commands:
- if you have SPL 3.xx, then type (do not copypaste!!) this command: lnb filename.bin 76508000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
- OR, if you have SPL 1.xx, then the command is different (do not copypaste!!): lnbs filename.bin 75108000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
NOTE, the command starts with a lowercase "L", not "I"!
WARNING: PLEASE DO NOT MIX UP THESE TWO DIFFERENT COMMANDS!!!
if this info helps: most people will have SPL 3.xx, and if you have AP4 (not vanilla) already running then you're definitely 3.xx
13. mtty will popup a window asking "OK", you press OK!
if you get "Fail to synchronize with the host (1)", then make sure you did follow step by step. if still same error, try placing mtty and the bin file under C:\.
14. now the file downloads, if mtty reports it flashed the file, and at the end "code entrypoint unknown", then that's it, now boot back to WM and see if wifi works.
edit: see raskell's mtty tutorial too, #36. post in this thread
if you *really* can't manage to get it working, you can still feel free to PM me.
let me know if this program and step by step description helped any.
Attached Files mac1.zip (6.3 KB, 1585 views)
mtty_0513_Test.zip (553.9 KB, 1883 views)
__________________
Here is direct link__on floor #33 ===>
http://forum.xda-developers.com/showthread.php?t=387454&highlight=mtty&page=4
Good Luck!!!
Hello
Please help me return the model number,
cause when I try to change my rom I always get the same error Error [244] : Invalid model id.
Now I have
some strange symbols in bootloader.
This appeared after I'd tryed to change mac using mtty, as I have created bin file for SPL 1.xx
Please help me
Hi,
You need to carry out the instructions to the letter in post 33 HERE and it will sort your problem, read it all very careful, its easy to make a mistake if you're not paying attention.
regards
Jay
Thanks Jay.
It works again.
You're welcome, glad it helped
Regards
Jay
here's an experimental program I made to make the process more automatic so users can fix their own wifi without our help.
this is good for both corrupt modelid and corrupt wifi, and fixes both at the same time.
STEP BY STEP:
1. download attachment at the end of the post for mac1.exe (requires .net 2.0 installed on the PC)
2. you will also need to download the other attachment in this post for the mtty program.
3. enter bootloader (tricolour screen) manually by pressing and holding camera button all the way in (yes I mean that, press it in as hard as you can!!), while doing a reset, then keep the camera button held until you see the tricolour screen.
4. disable USB in activesync (wmdc if you have vista - in this case, do not kill wmdc, just disable usb in it!!!)
5. run mtty and select USB option from the dropdown box!
6. then press enter in main window that comes up, see if that gives you Cmd>
7. now you should have Cmd>, if not, re-check if you did the above steps right until you get Cmd>
8. now run the mac1.exe, type in your MAC address you want to use for the Athena, if you have SPL 3.xx reported on the tricolour screen, then use the button for SPL 3.xx, otherwise if you have SPL 1.xx reported, use button for 1.xx.
9. this should have generated a .bin file for you, copy that bin file in the folder of mtty.
10. now, in mtty, type (do not copypaste!) this command: task 32
11. this should return Level = 0
12. now, you must only do one of the two following commands:
- if you have SPL 3.xx, then type (do not copypaste!!) this command: lnb filename.bin 76508000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
- OR, if you have SPL 1.xx, then the command is different (do not copypaste!!): lnbs filename.bin 75108000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
NOTE, the command starts with a lowercase "L", not "I"!
WARNING: PLEASE DO NOT MIX UP THESE TWO DIFFERENT COMMANDS!!!
if this info helps: most people will have SPL 3.xx, and if you have AP4 (not vanilla) already running then you're definitely 3.xx
13. mtty will popup a window asking "OK", you press OK!
if you get "Fail to synchronize with the host (1)", then make sure you did follow step by step. if still same error, try placing mtty and the bin file under C:\.
14. now the file downloads, if mtty reports it flashed the file, and at the end "code entrypoint unknown", then that's it, now boot back to WM and see if wifi works.
edit: see raskell's mtty tutorial too, #36. post in this thread
if you *really* can't manage to get it working, you can still feel free to PM me.
let me know if this program and step by step description helped any.
Attached Files
File Type: zip mac1.zip (6.3 KB, 2125 views)
File Type: zip mtty_0513_Test.zip (553.9 KB, 2613 views)
Ameo
Pfff i have tried everthing what i could find and nothing works. i managed to get the driver working from usb on windows 7 but it keeps showing the bootloader! with some strange marks. i flashed it with 1.2 Olipro and im afraid it will never work again any suggestions left?
Greetings