Fix and prevent ROM upgrade/downgrade Country ID errors - MDA II, XDA II, 2060 ROM Development

Updated 25th September - Summary points added at bottom of post.
Updated 27th September - More detail concerning DeviceData and use of HEX editor added.
IMPORTANT: Updated 28th September - I now know that if you have bootloader v1.06 on your XDA II, you cannot downgrade your ROM (at the moment). We will see if we can find a way round this but cannot promise anything. My thanks to gerald8297 for his patience and help using his device and thus enabling me and him to determine this.
Please read all of this post before attempting any upgrade.
This post is the second of two posts and (hopefully) contains the solution to the Country ID error problem during upgrade/downgrade of the XDA II. The first post contains the background and conclusions to an investigation into the problem and can be found here:
ROM upgrade/downgrade Country ID errors - an investigation
If you haven't already done so, I recommend that you read it so that you are aware of the reasons for the following procedures.
Firstly, something I must say to protect myself .
The procedures described in this post are the ones I used on my own XDA II and they worked for me. Although they should work for anyone else, there can be no guarantee. I cannot be held responsible or liable for any damage to, or malfunction of, your device caused by a failed upgrade. By deciding to upgrade your XDA II, you are taking full responsibility for any consequences arising out of doing so, and you may void your warranty. Flashing the ROM may cause Data Loss or even Device Malfunction.
Secondly, I would like to acknowledge all the posters to this forum for, in one way or another, providing clues to the solution to this problem and also a big thank you to itsme and softworkz for the utilities and information that have proved so helpful. And, of course, thanks to my friend merlin_uk whose input was invaluable.
These procedures require the following tools:
xda2nbftool: A description, explanation of passwords required, examples of usage and a download link for xda2nbftool are here.
A Hex editor: Any Hex Editor will do, but this is the one I used and which I describe the use of here.
IMPORTANT: Make a full backup of your XDA II as all data in main memory will be erased. Storage card and storage data should remain intact (but don't take my word for it!).
NOTE: The passwords specified in the commands and the exact format I used may be different for you depending on the version of HimaUpgradeUt you intend to use. See here for more information. Also, the operator and language strings used by me may be different to those you need to use. Don't just copy the commands listed below verbatim. Check what you need first. In my case my original operator ID was O2, but it got changed to CDL because of the reasons stated in my first post. Therefore, I wanted to get my device back to O2. This meant, for the first upgrade, using CDL as the operator ID in the nbf headers (to get past the verification) and O2 in the extra block of data (to set my device back), and then for the second upgrade, I was able to specify the correct operator for me (O2) in the nbf headers.
Obtain the set of upgrade files you require. If you have an operator-provided .EXE file, you can extract the files using Winzip or Winrar. The set of files will normally consist of:
[list:def15107cd]HimaClearJumpCode.exe
HimaGetDeviceData.exe
HimaUpgradeUt.exe
ms_.nbf
NK.nbf
Radio_.nbf
[*]Copy all these files into a folder of your choice on your PC (it is probably easier to create a new folder), then copy the xda2nbftool.exe program into the same folder.
[*]Copy the HimaGetDeviceData.exe file to any folder on your device.
Warning: DO NOT under any circumstances copy and run HimaClearJumpCode.exe on your device as it will render it unbootable. It is used by the upgrade utility to put you device into bootloader mode prior to upgrading.
[*]Execute HimaGetDeviceData.exe on your device. There will be no visible indication that it has run, but it will produce a file called DeviceData.txt in the Windows folder of the device.
Here is an example of the contents of DeviceData.txt:
Code:
U S B 3 2 1 . 7 2 . 0 0 W W E P H 1 0 C D L W W E 1 . 7 2 . 1 2 6 1 . 1 4 . 0 0
"USB 32 1.72.00WWE " is the OS Version
"PH10" is the Device Type
"CDL" is the Operator ID
"WWE" is the Language ID
"1.72.126" is the Extended ROM Version
"1.14.00" is the Radio Version
Obviously the actual content will depend on your device, but the layout of the information will be the same.
[*]Copy the DeviceData.txt file to your PC and open it using Notepad. Make a note of the current operator ID and language ID specified in this file (see step 4 above), for use later. These values are what your device is currently set to and it may surprise you to find that they are different from what you expected!. I will refer to these noted values as <operator> and <language>, to avoid confusion with specific values.
[*]Start a command prompt session on your PC and set your current directory to the folder used in step 2.
[*]Extract the decrypted versions of the nbf files by entering the following commands at the command prompt (but see note above):
Code:
xda2nbftool -x NK.nbf NK.nba 0x20040304
xda2nbftool -x ms_.nbf ms_.nba 0x20040305
xda2nbftool -x Radio_.nbf Radio_.nba 0x20040306
[*]Now modify the operator and language strings in the nbfs using the values noted from the DeviceData.txt file above by entering the following commands at the command prompt substituting <operator> and <language> with the noted values (but see note above):
Code:
xda2nbftool -sd PH10 -so <operator> -sl <language> NK.nba
xda2nbftool -sd PH10 -so <operator> -sl <language> ms_.nba
xda2nbftool -sd PH10 -so <operator> -sl <language> Radio_.nba
[*]Run the hex editor and in that open the file ms_.nba. If you are using xvi32, it will display the hex contents of the file to the left of the window and the character representation to the right of the window. At offset 74 (0x4A) you will see the operator string your device will be set to and at offset 94 (0x5E) you will see the language string your device will be set to.
NB. Your device will be set to these values irrespective of the values specified in the normal nbf headers.
To change the operator ID:
Click on the Address menu item then click on Goto.
In the window that is displayed, ensure decimal and absolute are selected, type 74 into the entry field then click OK. This will position you at the operator string location.
Using either character entry on the right or hex entry on the left, enter the operator string device should be (or what you want it to be ). Note that any non-used character positions should be edited to contain null (0x00) which can only be entered in the left hand side of the window.
To change the language ID:
Again, click on the Address menu item then click on Goto.
In the window that is displayed, ensure decimal and absolute are selected, type 94 into the entry field then click OK. This will position you at the language string location.
Using either character entry on the right or hex entry on the left, enter the language string your device should be. Again, any non-used character positions should be edited to contain null (0x00) which can only be entered in the left hand side of the window.
[*]Save the ms_.nba file.
[*]Update the crc values for each of the decrypted files by entering the following commands at the command prompt:
Code:
xda2nbftool -c -u NK.nba
xda2nbftool -c -u ms_.nba
xda2nbftool -c -u Radio_.nba
[*]Encrypt the files back into the nbf files by entering the following commands at the command prompt (but see note above):
Code:
xda2nbftool -x NK.nba NK.nbf 0x20040304
xda2nbftool -x ms_.nba ms_.nbf 0x20040305
xda2nbftool -x Radio_.nba Radio_.nbf 0x20040306
[*]Delete the nba files using Windows Explorer or by entering the following command at the command prompt:
Code:
del *.nba
[*]Run the upgrade from Windows Explorer by executing HimaUpGradeUt.exe
The first part of the upgrade is the verification process which is non-destructive, in which it generates the DeviceData.txt file on the device then compares the information in it to the information in your nbf headers (specifically the device type, the operator and the language). If an error is displayed, double check the steps detailed above and try again.
If all is well it will then display the current and new settings and give you the option to proceed with the upgrade. If you cancel at this point, nothing has changed on your device.
[*]Click the upgrade button... ONLY if you want to proceed with the upgrade.
Go make a coffee or even dinner because it takes at least 30 minutes to complete the full upgrade.
As eDsuB has pointed out, it is possible that the upgrade will fail or stop for some other reason and you are left with the bootloader screen (screen is dark and may display 'SERIAL' or 'USB'). If this happens, don't be too alarmed. Just remove your device from the cradle, reset your device, replace it in the cradle and restart the upgrade.
You may even still hit a Country ID error after it has started the upgrade, but I believe that it is some other sort of problem and it just reports it as Country ID error. If you do end up with a bootloader screen, and this was the first of two upgrades, it is OK to restart the upgrade using the second one - that is, the one with the nbf headers and the extra data in ms_.nbf set to the correct language and operator.
[*]Once the 'Congratulations' window appears, the upgrade is complete (even though the device may still indicate that the radio upgrade is in progress).
[*]Remove you device from the cradle and hard reset.[/list:def15107cd]
Hopefully your XDA II is now upgraded/downgraded.
To summarise
If, as was the case with me, you have successfully run a previous upgrade and your device has been unwittingly configured with an incorrect operator ID, you will need to run the steps detailed above twice. The first time, it is purely to set the device's language and operator IDs back to their correct values, with the nbf headers needing to be set to the incorrect values in order to allow the upgrade to proceed. The second time then becomes the 'real' upgrade, because, this time, in step 8, you will be using the desired language and operator IDs which will now match those of your device.
The information specified in the extra block of data in the operators ROM image (ms_.nbf) is used to set the device/operator/language in the device. It doesn't need to match what the device is set to already. It is this information which HimaGetDeviceData will retrieve at the beginning of any subsequent upgrade and return via the DeviceData.txt file.
The information specified in the nbf headers of all the ROM images (NK.nbf, ms_.nbf and Radio_.nbf) is used to set the device/operator/language in the software of the device. It must match the device/operator/language currently specified in the device.
Neither the ER2003Edit tool nor xda2nbftool, by themselves, update the extra block of data in the ROM image.
Anyone upgrading should check and amend (using step 9), if necessary, the information contained in the extra block of data in the operators ROM before performing any upgrade. This should be done even if the nbf headers are already correctly configured. Failure to check could lead to your device being set to an unwanted operator ID or language ID at the end of the upgrade.
Feedback concerning these procedures is most welcome. If any errors or omissions exist, please post a reply to let me know so that I can correct them. Also, please post a reply if you upgrade successfully, stating the original version/operator/language and the new version/operator/language. By doing this it will help others decide whether to upgrade or not.

You are missing a possible step that often occurs during 15.
The upgrade is canceled because of some vague reason and the device is stuck in bootloader (USB or SERIAL on screen).
This is the point when cold sweat starts drippingof your forehead . . .
Remedy: Reset device and restart the upgrade. It will take longer than 30 minutes. I flashed two times now and this happened both times . . .(didnt have any country-id or language issues)
Also: In the posting you should mention the operator you use is CDL (chances are that people take your posting literally wich for sure get a lot in the country-id trouble.)

Thanks to edsub for his comments. His advice has been incorporated into the post.

maybe this post should be sticky so it will not be lost in the mists of time

A new hope is born
Impressive discoery by dcs.
Anyway, can anyone confirm that this method is usable or workable for downgrading imate ver1.72WWE to Asia Rom 1.60 WWE.
One major doubt that, if the xda2 is in 1.72 and presumably it was wrong operator coded CDL, so the changes (suggestion by dcs) should take place on the 1.72 imate rom again or the 1.60 Asia Rom.
I once tried to change the 1.60 Rom using er2000edit to set the operator name to CDL instead of O2. The first upgrade screen was passed successfully but i was blocked in the 2nd screen which left me cold dead xda2 with 1.06 serial.
I guess much research shall be done before pursing this method. Anyhow it was a good finding. :lol:

This method does work…
I too was in a position were I could not upgrade or downgrade my O2 XDAII ROM because the operator code on the device had been changed to CDL…
Following dcs’s method sorts this nasty problem out once and for all – I can now downgrade, upgrade to any version of ROM I want!!!
Nice one dcs!!

I have exactly the same problem like yours. Thanks to dcs for your hard work.

I have updated the post slightly to (hopefully) lessen confusion about operator and language values used.

maybe incorporate this post in wiki.xda-developers.com ?

Answer to gerald8297 post - A new hope is born
Theoretically it shouldn't matter which version of the upgrade you run first.
The first upgrade is done purely to set your device operator and language values back to the values they should be (or the values you want them to be), and the nbf headers will have to match the values currently defined in your device.
The second upgrade is done to actually install the version of software you want onto your device. The nbf headers should be configured to match the (now correct) operator and language values defined in the device. Also the ms_.nbf file should be checked to ensure the extra block of data isn't going to set your device back to an unwanted value.
You say that your previous attempt at a downgrade failed at the second screen. Do you mean that the OS was installed, but it failed at the extended ROM part? If so, did you edit all 3 nbf file with ER2003Edit to set the operator before running the upgrade? If you only edited the NK.nbf file it would explain what happened. If this is the case, and you are stuck on the bootloader screen, you should be able to reset your device and rerun the upgrade.
It looks like you used the same i-mate 1.172.00WWE upgrade as I did in which case your device has been set to operator CDL and language WWE.
Good luck!

I have updated the post by adding some summary points at the end. These, hopefully will provide a better overall understanding.

FINALLY!!!!! IT WORKED!!! Thanks 102035492304923049 million times, dcs. This is the manual to use!

Excellent! I am very pleased.

Updates Made
I have made a few changes to the post to try and make things a little clearer

IMPORTANT
Updated with information about downgrading restriction.

dcs,
I am now at step 13
I edited ms_.nba ONLY using the hex editor. The 74th block is set the CDL so i changed it to O2 and put a null value on the 76th block where L of CDL used to be.
WWE remains as WWE. I am about to proceed but just a few questions.
(1)since this is my first upgrade, i need only run this once right?
(2) is ms_.nba the only file i need to edit or i also need to edit the Radio_.nba and NK.nba files?
So after upgrading... my xda2 should be 1.72 WWE and 1.17 radio right?
Thanks for all the updates on your post. Things are getting a bit clearer.

i3oyi3astos said:
dcs,
I am now at step 13
I edited ms_.nba ONLY using the hex editor. The 74th block is set the CDL so i changed it to O2 and put a null value on the 76th block where L of CDL used to be.
WWE remains as WWE. I am about to proceed but just a few questions.
(1)since this is my first upgrade, i need only run this once right?
(2) is ms_.nba the only file i need to edit or i also need to edit the Radio_.nba and NK.nba files?
So after upgrading... my xda2 should be 1.72 WWE and 1.17 radio right?
Thanks for all the updates on your post. Things are getting a bit clearer.
Click to expand...
Click to collapse
(1) As it is your first upgrade, you should only need to run it once, as long as the your device information (retrieved in DeviceData.txt) is already set to the values you want (in your case, O2 and WWE). Two upgrades are required only if the device information is incorrect to start with.
(2) Only the ms_.nba file requires editing with the hex editor.
You can see what versions of OS, Extended ROM, and Radio you are upgrading to in step 14, before you click the Upgrade button.
Hopefully, all should progress OK now

@dcs: This topic is getting better and better.
I would vote to have your info instead on the wiki pages instead of the info that is there now on upgrading.
Because there is a risk of others still wanting to stick to the old info, for starters you may want to setup a new wiki page that is linked to from the old 'upgrade' wiki page.
Its quite simple to create a wiki page, as I have just experienced for a subject on IIWPO.

I have stumbled upon sumthing last night.....
1. Waxx's Rom would make my XDA2 a CDL Device right? (I upgraded without modification of Waxx's ROM)
2. Waxx's ROM uses O2 headers (verified through ER2003edit) and the extra code on MS_.nbf says its CDL
3. If I loaded Waxx's ROM (which I did) it would turn my unit from an O2 to CDL.... correct? I could not verify since my GETDEVICE Data does not work... I dunno why.
4. Here comes the weird part..... I followed your instructions to modify my operator to become O2 again..... (change headers and offset 74).... If I understand it correctly, I should change Waxx's ROM headers from O2 to CDL ( to pass the operator test..am I correct?) and I should change OFFSET 74 to O2... correct?
5. When I tried upgrading.... (all headers = CDL, Offset = O2).... the upgrade failed.... error 120 (country code error...me thinks)....
6. I tried changing all headers to O2 and offset was still set to O2..... tried a second time..... and it worked.... get device data works now.... and it says I have an O2 machine
7. IMO Radio rom 1.17 is better than 1.14..... thanks for your help mr DCS, Mr Waxx, Mr. Gollum

Z-man said:
I have stumbled upon sumthing last night.....
1. Waxx's Rom would make my XDA2 a CDL Device right? (I upgraded without modification of Waxx's ROM)
2. Waxx's ROM uses O2 headers (verified through ER2003edit) and the extra code on MS_.nbf says its CDL
3. If I loaded Waxx's ROM (which I did) it would turn my unit from an O2 to CDL.... correct? I could not verify since my GETDEVICE Data does not work... I dunno why.
4. Here comes the weird part..... I followed your instructions to modify my operator to become O2 again..... (change headers and offset 74).... If I understand it correctly, I should change Waxx's ROM headers from O2 to CDL ( to pass the operator test..am I correct?) and I should change OFFSET 74 to O2... correct?
5. When I tried upgrading.... (all headers = CDL, Offset = O2).... the upgrade failed.... error 120 (country code error...me thinks)....
6. I tried changing all headers to O2 and offset was still set to O2..... tried a second time..... and it worked.... get device data works now.... and it says I have an O2 machine
7. IMO Radio rom 1.17 is better than 1.14..... thanks for your help mr DCS, Mr Waxx, Mr. Gollum
Click to expand...
Click to collapse
I think the error must have been related to the problem with HimaGetDeviceData, because everything you did was correct and your assumptions were also correct. Perhaps the first attempt failed, but at the same time it sorted out the HimaGetDeviceData, and also got as far as setting your device to O2?
Difficult to say what happened exactly, but main thing is you are up and running - Well Done!

Related

After trying to flash a preproduction qtek 9600 (hermes)

Hello ;
I tried to flash my preproduction Herme with SD card, copied the french image in the root folder of the microSD after renaming it to 'HERMIMG.nbh' , restarted the phone with boot loader here is what I get :
Checking image file...
after about 20sec..
No image file!
PLEASE HELP
thanks
There are some preproduction models where you cannot upgrade using the HERMIMG.nbh on fat32 microSD card, I have one of them too. My original rom is in chinese and I have bootloader version 0.94.
I haven't tryied it yet, but the process should be something like this:
1) Extract contents from NBH upgrade file using itsme tools nbh2dbh.pl and nbh2decode.pl. Make sure the NBH you use has bootloader version 1.04.
2) Create a custom NBF upgrade out of the IPL.nb and SPL.nb you have extracted, use typhoonbfdecode.pl with -s, -r ipl and -r spl. This should make a "bootloader-only" upgrade.
3) Use MaUpgrade_NoID.exe to upgrade the bootloader on your device, this will only work on preproduction devices as they have 'wdata' command in bootloader 0.94, and the upgrading process should be the same.
Once you have upgraded it to bootloader 1.04 then you will be able to update to any rom using the usual Hermes upgrades found on the wiki.
Blocked at 2nd step
Error message :
C:\Documents and Settings\Administrateur\Bureau\Nouveau dossier (3)>perl typhoon
nbfdecode.pl -s -r ipl.nb -r spl.nb
Option r, key "ipl.nb", requires a value
Option r, key "spl.nb", requires a value
Usage: typhoonnbfdecode.pl filename
lists contents of filename
or typhoonnbfdecode.pl [-i] [-v] -x infile
extract modules
-i decode as sd header image
-t file is tornado nbf, with large header
-v also list headers
-s convert SPL to memory image
or typhoonnbfdecode.pl [-r module=file] [-p param=value] -c outfile
create new nbf
-s convert SPL memory image to nbf image
-t file is tornado nbf, with large header
-r specify the modules to read, module can be one of:
os, ipl, spl, splash or gsm
-p specify the header values, param can be one of:
device, language, magic, operator, flags, version or blversion
or typhoonnbfdecode.pl [-r module=file] [-p param=value] -d outfile
create sdcard image
-r specify the modules to read, module can be one of:
os, ipl, spl, splash or gsm
-p specify the header values, param can be one of:
docuniqueid, blversion, cid, seclevel, timestart, timeend
keys, cardid
Ohh help!
ohh no:
Actually I cannot do anything with that error :
Usage: typhoonnbfdecode.pl filename lists contents of filename
here is my command :
C:\Documents and Settings\Administrateur\Bureau\Nouveau dossier (3)>perl typhoonnbfdecode.pl -s -r ipl= ipl.nb -r spl=spl.nb -c nk.nbf
where is the error?
Again..
Well the error was a space ... lol --> ipl= ipl.nb
Corrected it and :
read 00020000 for ipl from ipl.nb
no IPL at 4 in IPL image
Means what ???
mcilias said:
Well the error was a space ... lol --> ipl= ipl.nb
Corrected it and :
read 00020000 for ipl from ipl.nb
no IPL at 4 in IPL image
Means what ???
Click to expand...
Click to collapse
You need to add option "-f" to your parameters to bypass the safety checks (the checks are written for WM2003 roms), be sure to have the latest version of typhoonnbfdecode when you do that.
Still confused
After adding the -f here is the result :
C:\Documents and Settings\Administrateur\Bureau\Nouveau dossier (3)>perl typhoon
nbfdecode.pl -s -f -r ipl=ipl.nb -r spl=spl.nb -c 123.nbf
read 00020000 for ipl from ipl.nb
no IPL at 4 in IPL image
read 00040000 for spl from spl.nb
spl image: 00080000 bytes
no BOOTLOAD at 0x2004 in SPL image
blversion 1.0.0.0
device SP3i
entrycount 2
flags 17
language ENGLISH
magic HTC
operator CDL___02
version 1.0.0.0
91000000 00080000 fd748c72 spl
90000000 00020000 68f14038 ipl
enc: 91000000 00080000 fd748c72 spl
enc: 90000000 00020000 68f14038 ipl
is that ok? is the file ready to upgrade with?
2- I don't know how to use it with MaUpgradeUt_noID.exe
it is asking for RUU.dll , I put the one in the original ROM and I have this error : UpdateRadio not found in the library of dynamic RUU.dll links (translated from french)
Please help me to upgrade this bootloader
thanks
mcilias said:
perl typhoonnbfdecode.pl -s -f -r ipl=ipl.nb -r spl=spl.nb -c 123.nbf
[...]
is that ok? is the file ready to upgrade with?
Click to expand...
Click to collapse
Should be ok, but only for preproducion Hermes units.
mcilias said:
2- I don't know how to use it with MaUpgradeUt_noID.exe
it is asking for RUU.dll , I put the one in the original ROM and I have this error : UpdateRadio not found in the library of dynamic RUU.dll links (translated from french)
Click to expand...
Click to collapse
You need MaUpgradeUt_noID.exe, RUU.dll and UI.dll and RUU.conf with the right settings (download older non-hermes upgrades to compare).
The file you created should be named nk.nbf or ms_.nbf (i'm not sure) and be in the same folder of the upgrade utility.
Good luck!
..
in original ROM I have RUU.dll and RUUUI.dll not UI.dll , I don't have RUU.conf I copied one from QTEK S100 ROM and I don't know info to change the config and it gives me the same error.
the error always comes but when I change the RUU.dll to the S100 one it opens the wizard.. I think that MaUpgradeUt_noID.exe is not compatible with the ROM of the herme ...
PLEASE LOOK AT PAGE 2
Production Hermes == bootloader >= 1.04 == command to flash ROM 'wdatah' == command to flash rado rom 'rwdata' == Utility Files: (ROMUpgradeUt.exe RUU.dll RUUUI.dll HERMIMG.nbh)
Preproduction Hermes == bootloader <= 0.94 == command to flash ROM 'wdata' == command to flash radio rom 'rwdata' == Utility Files: (MaUpgradeUt_noID.exe RUU.conf RUU.dll UI.dll radio_.nbf ms_.nbf nk.nbf)
So, for bootloader 0.94 you need to use an OLD RUU which flashes NBF files using 'wdata' command and not 'wdatah' command, not compatible with Shipped hermes upgrades in NBH format, that's why you need to convert NBH to NBF.
I might do it and publish the upgrade, but I'd like to extract the bootloader from my preproduction Hermes first and there's no known method yet. So, if you don't do it yourself you'll need to wait, sorry.
..
so as I understand, I have to use an old RUU for herme which is not available actually?
would the S100 one work? without causing any problem?
What should I do exactly now?
Can I please have instant contact with you? msn or so?
Thanks
mcilias said:
so as I understand, I have to use an old RUU for herme which is not available actually?
would the S100 one work? without causing any problem?
Click to expand...
Click to collapse
Yes, it is available from older HTC devices (not TyTN/Hermes).
Use the MaUpgradeUT_NoID utility, was originally writen for magician but should be fine with your preproduction bootloader.
I used all files of S100 RUU.dll + UI.dll + RUU.conf + ms_.nbf + radio_.nbf + nk.nbf ... says successfuly but it did nothing to the pda no action !
Pda Lost ?
Still no solution for this case ? Did I lose my pda phone forever?
I am quite busy ATM and cannot give this a try, if no one comes with a solution I might do it myself during the weekend and post the update or progress done, so please be patient
thanks but please don't forget me
NO SOLUTION !!???!!..
So there is no solution for this ****ing preproduction herme?
should I send it to recycle ?
HI,
could you please let me know version of your Preprod Hermes bootloader? Thanks.
Preprod HTC devices has fuctionaly limited bootloader. Therefore you must flash bootloader to 1.03 version at least.
hello
it's 0.92 how can i flash boot loader? i tried lot of solution .. it doesn't work !
mcilias said:
it's 0.92 how can i flash boot loader? i tried lot of solution .. it doesn't work !
Click to expand...
Click to collapse
Solution found, I upgraded one preproduction hermes with bootloader 0.94 (IPL-0.16, SPL-0.94) to a 1.04 bootloader and now I can flash any shipped rom on it:
http://wiki.xda-developers.com/index.php?pagename=Hermes_Howto_Bootloader104

STRTRK CID Unlock

I'm truly sorry about the delay.
I've finally got round to posting a a STAR100 SuperCID guide.
1. Get itsutils: http://www.xs4all.nl/~itsme/projects/xda/tools.html
2. Run pdocread.exe with no args. Take a note of the "uniqueid" value.
3. Run "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb" - you'll get a file.
4. Head over to http://www.spv-developers.com/strtrkCID/. Feed it the DOCID and the file you got from steps 2 and 3. It'll give you back anoter file.
5. Run "pdocwrite -n 1 patchedfile.bin 0x000000 0x10000 -b 0x4000" where patchedfile.bin is obviously to be replaced with the patched file you got from step 4.
6. There is no 6. Report feedback.
Click to expand...
Click to collapse
All credit goes to itsme - he wrote all the tools and scripts which made all this possible.
Spawning script: perl startrek_cidedit.pl cid1e62995dd1db197b00b697388760b5e3.bin -i DOPOD601 -c 11111111 -o supercid1e62995.bin 2>&1
decrypting
bufend=44bdd4609845fd0931a871b4a31ddba42d4b96386f9 e9c5dff947c035432fc15
result=b2c7c4eede400853eb232eba436f394b3d75a9adf4c e9a1e452b26ea9059dc59
sha64k=8a7e3a8462b8c851ac125710d44abc05da4916f215e 331f98420db7ae5d87a5d
buffer checksum failed
why ?
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Fantastic !!! Working Ok on SPV F600. Now, we need how to simunlock this smartphone.
Thank you very much Zone Mr.
i run pdocread in step 1 and got a dos screen that desaper in a second,and were i find the file in step 2.
Zone-MR said:
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Click to expand...
Click to collapse
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
wlinsong said:
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
Click to expand...
Click to collapse
i know how to do,thank Zone-MR very very much
is there someone know how to flash rom use T-flash Card?
someone can't get the docid ,because you must use the old one!
I tried to do first step but when I ran pdocread.exe I get the following message :
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.
I've app-unlocked my device, activesync works ok, and restarting does not help. Phone is Qtek8500.
Any ideas?
Thanks
Is the script to calculate CID area for startrek available?
I think this should use the same method on Artemis or Herald, the problem is that they have G4 DOC and we'll not be able to use pdocwrite, but on those phones we're already able to place a hacked SPL in mem with psetmem.exe and jump into it's address with modified haret version. If we have the right CID area we can use the hacked SPL to flash it.
sorry for the ignorance...
I have downloaded itsutils but where is the dpocread.exe??
do I have to connect to the device with the mtty??
Maybe a bit more explanation
I've CID unlocked my Qtek 8500 and installed new ROM 3.6.251.0. Thanks Zone, great work!
Maybe it would be useful to write more detailed instructions, so here it is :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like
It works! I've got now 3.6.251.0_02.67.30 on my Qtek!
Thank's, damird, your guide is unreplaceble for such lamers like me
But maybe anyone can suggest me were can i find and how to install (if it possible) Russian t9 or only russian lang to input? Or maybe how to rollback to original ROM with this that lang... (1.02.261.1)
Thank's
added:
Problem's gone, Russian T9 added.
Damird!
Cheers mate
Hello, can you share with us this script to calculate CID area in StarTrek?
With this script we can SimUnlock the StarTrek very easy (at least I think...)
Thank you very much.
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
wow, pof, I can't wait for it! i had bought one herald in China but wireless was disable by default. I hope I could unlock the CID and get a WWE rom to enable the wireless.
sokelut said:
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
Click to expand...
Click to collapse
Correct, you still need to pay to carrier unlock the phone. Check the wiki for links to a few services that are known to work.
CID unlock? Error installing ROM
I'm getting an ERROR [294] INVALID VENDER ID
I did the CID unlock
It starts to install the rom but when it gets to 4% I get this error. How do i fix this?
Can anyone help?!
Need a little clarification
Im stuck in steps 3-11. I've downloaded itsutils and I don't know how to proceed.

Dead wlan due to erased eeprom? *SOLVED*

Needed tools:
PuTTY ver.6 or above
Plink
Active Sync 4.5
any Hex editor
MTTY1.exe ver 1.11a
Windows PC
SPL 2.30 Olipro
SPL 1.01 MFG pack
SPL 1.10 Oli w/custom RUU
SPL 1.04 w/custom RUU
DUTTY'S Good .NB Tool
Win Rar
Hermes with working wlan
There are steps for the user with the device with the working wlan eeprom, and steps for the user with the device with the corrupted or missing wlan eeprom. Basically what you will be doing is cloning the MAC of a device with a working wlan, editing it, and flashing it to your device with the non-working wlan.
Steps for Working Wlan Device:
You need to get SPL Oli 2.30 (found on the XDA DEV FTP Site in the HERMES/HardSPL folder) on the working device. You can do this by following the downgrading bootloader page at:
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
Assuming you have HardSPL v7 on your device (as most of you have been doing upgrades and downgrades), follow the steps to downgrade to Oli 1.10 then to SPL 1.04, (read and execute carefully)
then use DUTTY'S Good .NB Tool...
http://forum.xda-developers.com/showthread.php?t=296311
...to convert the SPL Oli 2.30 .nb file contained in the .rar you downloaded (use WinRar to extact) to an .nbh file (RUU_signed) THEN flash SPL 2.30 (you can use the same custom RRUwrapper you used to flash to 1.04 by putting it in the same folder, but move the RUU_signed.nbh of 1.04 to another folder first, then put it back when your finished)
Download PuTTY and Plink and copy them into your C:\Windows\Temp folder
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Put your device in bootloader mode and disable USB connections in Active Sync
Connect to the PC and open PuTTY
Click SERIAL, and make the speed 115200, and type \\.\WCEUSBSH001 (all CAPS) in the space for SERIAL LINE (overwrite what is there) or connect with MTTY first...
http://forum.xda-developers.com/download.php?id=9864
... and copy and paste the address into PuTTY then close MTTY. Type HERMES into the space named SAVED SESSIONS and hit SAVE. Hit OPEN. Press ENTER to get a CMD prompt...you will see a green cursor. Type Task 32 and it will return Level=0. Ok, close PuTTY as you have verified that it's working.
Sometimes your device will be seen as \\.\WCEUSBSH002 or \\.\WCEUSBSH003, just use which ever it connects to.
Now the next bit is tricky because you you will do it "blind" as in this mode, Plink does not have local echo so you won't see what you're typing.
Go to START/RUN/CMD
This opens a DOS window. Change directories to C:\Temp and type the following:
plink HERMES > herm1.nb (hit ENTER TWICE) (you will see the new file herm1.nb written in your Temp folder) (notice the spaces before and after the > sign)
Now type the following and hit ENTER (once) after each command:
task 32
password 0000000000000000 (that's 16 zeros)
set 1e 1
rbmc me.txt 500a0000 40000
that will copy the wlan section of the eeprom nand to the file called herm1.nb. You can right click on the file, select properties, and see that it grows to 256k-257k.
When it's done creating the file (to 256k or 257k, you'll see it doesn't get any bigger), press CTRL C in DOS to close plink and it saves the file at 257k size.
Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
Now, since you've basically cloned another's MAC address (already allocated to another device), it's necessary that you change your MAC address ASAP. Instructions on how to do that below:
In the edited herm1.nb file, go to the MAC Address at offset 0001F850 and change the 2nd, 3rd and 4th bytes from the right... (it's your MAC address in reverse), to ANY numbers you like, keeping the same format. This 6 byte sequence is your NEW MAC ADDRESS. The last 3 numbers of the MAC (which appear in opposite order) can be "invented".
You now have the eeprom flash file to be transfered to the non working device...
Steps for Non-working Wlan Device:
Using the methods on MrVanx's downgrading SPL page...
http://www.mrvanx.org/cms/index.php?option=com_content&task=view&id=59&Itemid=27
...downgrade again to SPL 1.04, then flash SPL 1.01 MFG. When flashing and using SPL 1.01 MFG, some users suggest you only use the version of MTTY that comes with the MFG Pack.
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
Read the full instructions before flashing.
Ok, now that you have verified that you have SPL 1.01 MFG on the device, put in bootloader mode, disable USB connections in Active Sync. Connect the device and open MTTY. Make sure you have copied your herm1.nb file into the same folder as MTTY.
Connect to the device (\\.\WCEUSBSH001)
and hit ENTER to get a CMD prompt
Now type the following:
task 32
password 0000000000000000
set 1e 1
lnb herm1.nb 500a0000 40000
Hitting ENTER after each command.
When it's done, close MTTY and reboot your device and verify that your Wlan is now working...
Then I recommend flashing HardSPL v7 or SPL 2.30 to your device right away (because you know you won't leave your device alone and we don't want you bricking your Hermes, do we?)
BTW, if you want to do a full backup of you FULL eeprom nand at any time, connect as before and type these commands:
plink HERMES > full.nb (hit ENTER twice)
task 32 (hit ENTER once and only once from now on after every command)
password 0000000000000000
set 1e 1
rbmc me.txt 50000000 7fff800
watch your file grow to 128 MB.
If you ever need to flash the entire eeprom nand, just edit it as above so you take out the commands you typed (HTCS-HTCE) and you're good to go...
Thanks go out to Pof and Olipro for doing the initial research on this issue. And also to members Laikos and Panzer who helped tremendously.
Tested on Cingular 8525 Wm6 VP3G modified AT&T rom, and Orange m3100 WM6 cooked rom based on Dopod 3.54.707.3 rom.
*NOTE* Olipro just posted later in this thread
"just to point out guys;
to flash 2.30.Olipro, just convert it into an NBH then run SSPL on your phone and go ahead with the flash, same goes for loading any other SPL, just load SSPL first (or use Custom RUU with the NBH and select force SSPL) the downgrading is unnecessary"
another member (dan1967) suggested that one only have to use SPL 2.60 Oli Hard SPL v9 Developer Edition to do this procedure and one can avoid the upgrading and downgrading of bootloaders...
Member alakentu has translated this method into Spanish. The thread is here:
http://forum.xda-developers.com/showthread.php?t=364751
***DISCLAIMER.....TRY AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR ANY MALFUNCTIONS OR OTHER ISSUES THAT MAY OCCUR.***
For those of you who used my guide to fixing your dead Wlan on Hermes, please feel free to make a donation via paypal if you feel I've helped you in some way. Any amount will be very much appreciated, and I could really use the cash, hee hee, thanks in advance. Just click the PayPal Logo below to donate.
cool !! I try this if i found a phone with no dead wlan
nice.........
It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.
Would it be possible for someone to extract the eeprom file from a working wlan device, "zero-out" the MAC address portion, or replace with 'FF' or some other 'dummy' value, and post this here, so those of us without access to a working device can use to flash our damaged devices?
By "blanking-out" the MAC address in the attached file, you dont risk having your MAC address used by everybody, so there is no "legal" risk, and help us without a working device to fix ours...
Thanks for the solution guys and hopefully you can post the file here for us to use.
Good work !!
Thank you very much for this solution !!!! Great job!
But as said chrisvor, could you post an extract of a working Eeprom for thoose who don't have one please...
Thank you !
drummer,
first of all is to say thanks to you all who put in their time and effort in resolving this problem
so my question is... can you post the file of working wlan bit for us, without that i can't solve this problem... =(
Thanks!!!
Thank you so much for this!!!!
I will try to reviving my X01HT WiFi later!
Great Job!!!!
Someone has repaired his hermes ??
nicoebra said:
Someone has repaired his hermes ??
Click to expand...
Click to collapse
I did. And so did Laikos. Actually, he fixed his about 20 minutes before I did, he is a better editor than I am. Why do you think we did the research? We both had devices with non-working wlans, and now they're working again.
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.
laikos said:
It's possible to just hand code the WLAN EEPROM Value to your dead WLAN EEPROM too. Download your dead EEPROM and Edit the location mentioned by drummer.
Warning: It took about 30 mins to hand code the WLAN EEPROM DATA.
Click to expand...
Click to collapse
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...
pop20032004 said:
I don't believe that this is a good idea, as you don't know what else (from EEPROMcode) is corrupted!!
The MAC address is the only visible part to us...
Click to expand...
Click to collapse
How did you come to that conclusion?
All Laikos was suggesting, is you could type in the data, rather than replace the data by "cloning" it from another's device. Once you know the offsets, which you do if you read this technique, it's quite easy, although time consuming. So far, each file we have examined have had the identical wlan signatures, and identical first three numbers of the MAC address. That suggests that HTC was assigned a set of MAC addresses by OUI for their use.
BTW, using SPL 2.30 oli, you can change your backup CID, and model number (Hermes 100, 200, 300, or whatever you want to change it to like "Hermes 911").
Help
I believe that would be better than someone give the instructions detailed for those that they do not have other device to the hand to extract the EEPROM, extract your corrupt EEPROM and edit it.
In my case, live in Mexico city and these devices are extremely rare of seeing by here.
As soon as if someone can help me to obtain the file of a EEPROM will be I thanked what is.
Open the file in a Hex Editor, and remove all the non usable Hex Data (basically the commands you typed) between offsets 00000000-00000140 up thru the Hex equivalent of the word HTCS. Delete the data so that you actually delete the word HTCS. Then at the end of the file, offset (00040000), delete from the very end of the file (right to left) thru the word HTCE. You delete the Hex equivalent of the word HTCE. You can leave the D+ ] there as we're only going to write 40000 bytes. Now the now MAC address is at ROW 0001F850 with two bytes at row 0001F860. The MAC reads backwards. Save it as herm1.nb (but not in the same folder as the original).
i can't edit file " herm1.nb"
you can guide again or help me to edit my file.
Hello,
Is it normal that my file herm1.nb is rained large that 30Mo at the time of that creation, thank you.
-------------
Edit:I excuse myself I have to make an error the first handling, I succeeded in having the file herm1.nb has 256 Ko (262 ' 439 bytes).
If I do not modify the mac address that you it will occur on the other apparatus, thank you
drummer10630 said:
...and no, we're not posting, or sending anyone the file. You have to find a friend that will help you, as your trust in each other will safeguard against any possible mis-use of this technique.
Click to expand...
Click to collapse
@drummer10630: I do appreciate all your and Laikos efforts to solve this problem and to let the whole community know the method so everybody can fix their devices... however, the reason I asked if anybody could post the file was not a sign of "laziness", rather it is due to the lack of friends who have a TyTN or who want to void their warranty by flashing a non-official bootloader in order to "do me the favor" of extracting their eeprom data.
If any of you guys have extracted the eeprom and you have edited it to include your MAC address, could you please edit a COPY of this file, put "FF" in all the bytes of the MAC address (which is the only thing that "ties" this file to your purchased device and hence yourself), and post it here for us "tytn-friend-less" people to use?
Many thanks for EVERYBODY's efforts in solving this
Thanks and kudos go to Pof and Oli ofcourse, due to whom none of this would be ever possible !!
Chris
I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?
jrp said:
I have tried to get the code from a working Vario II using Des' SSPL, to avoid all the flashing of a working device, but got
Code:
USB>task 32
Level = 0
USB>password 0000000000000000
HTCSPass1.
CMËHTCEUSB>set 1e 1
USB>rbmc me.txt 500a0000 40000
GetExtRomData+(): *pszPathName=me.txt, dwStartAddress=500A0000, dwLength=40000
USB>c=40000
... and no dump.
Is there a workaround?
Click to expand...
Click to collapse
According to the #1 post, you HAVE TO follow the instructions, i.e. downgrading to SPL 1.04, 1.01 MFG, Olipro 2.30, in order to save the eprom from the working device.... no shortcut I'm afraid
I removed the lines 00000000-00000140
But I do not have information with the line 0001F850 and 0001F860 is this normal? , thank you.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Quick question.... Could I dump the WLAN eeprom from a Wizard? Dont think so, but I thought I'd ask since I have a wizard lying around too....

Error [244] : Invalid model id

Hello
Please help me return the model number,
cause when I try to change my rom I always get the same error Error [244] : Invalid model id.
Now I have
some strange symbols in bootloader.
This appeared after I'd tryed to change mac using mtty, as I have created bin file for SPL 1.xx
Please help me
Hi,
You need to carry out the instructions to the letter in post 33 HERE and it will sort your problem, read it all very careful, its easy to make a mistake if you're not paying attention.
regards
Jay
Thanks Jay.
It works again.
You're welcome, glad it helped
Regards
Jay
here's an experimental program I made to make the process more automatic so users can fix their own wifi without our help.
this is good for both corrupt modelid and corrupt wifi, and fixes both at the same time.
STEP BY STEP:
1. download attachment at the end of the post for mac1.exe (requires .net 2.0 installed on the PC)
2. you will also need to download the other attachment in this post for the mtty program.
3. enter bootloader (tricolour screen) manually by pressing and holding camera button all the way in (yes I mean that, press it in as hard as you can!!), while doing a reset, then keep the camera button held until you see the tricolour screen.
4. disable USB in activesync (wmdc if you have vista - in this case, do not kill wmdc, just disable usb in it!!!)
5. run mtty and select USB option from the dropdown box!
6. then press enter in main window that comes up, see if that gives you Cmd>
7. now you should have Cmd>, if not, re-check if you did the above steps right until you get Cmd>
8. now run the mac1.exe, type in your MAC address you want to use for the Athena, if you have SPL 3.xx reported on the tricolour screen, then use the button for SPL 3.xx, otherwise if you have SPL 1.xx reported, use button for 1.xx.
9. this should have generated a .bin file for you, copy that bin file in the folder of mtty.
10. now, in mtty, type (do not copypaste!) this command: task 32
11. this should return Level = 0
12. now, you must only do one of the two following commands:
- if you have SPL 3.xx, then type (do not copypaste!!) this command: lnb filename.bin 76508000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
- OR, if you have SPL 1.xx, then the command is different (do not copypaste!!): lnbs filename.bin 75108000
(there filename is the name of the .bin file you generated - don't forget to put .bin after filename, as the full name is needed).
NOTE, the command starts with a lowercase "L", not "I"!
WARNING: PLEASE DO NOT MIX UP THESE TWO DIFFERENT COMMANDS!!!
if this info helps: most people will have SPL 3.xx, and if you have AP4 (not vanilla) already running then you're definitely 3.xx
13. mtty will popup a window asking "OK", you press OK!
if you get "Fail to synchronize with the host (1)", then make sure you did follow step by step. if still same error, try placing mtty and the bin file under C:\.
14. now the file downloads, if mtty reports it flashed the file, and at the end "code entrypoint unknown", then that's it, now boot back to WM and see if wifi works.
edit: see raskell's mtty tutorial too, #36. post in this thread
if you *really* can't manage to get it working, you can still feel free to PM me.
let me know if this program and step by step description helped any.
Attached Files
File Type: zip mac1.zip (6.3 KB, 2125 views)
File Type: zip mtty_0513_Test.zip (553.9 KB, 2613 views)
Ameo
Pfff i have tried everthing what i could find and nothing works. i managed to get the driver working from usb on windows 7 but it keeps showing the bootloader! with some strange marks. i flashed it with 1.2 Olipro and im afraid it will never work again any suggestions left?
Greetings

All Hurricane ROMS in one place!!!

I would ask all active members to upload or share their collection of roms for Hurricane. I bricked my hurr 2 years from now and yesterday i got one so i would like to try as many roms as possible, and it will be great for all to share roms!!! I found several on this forum (lazaj's, saleng's, shadow's) but i think that there is more!!! So share your collection!!!
Here i found some on forum:
hurricane unlock, patch and upgrade wm 6.1(selang09) ***
Link: http://www.megaupload.com/?d=JLO5H1L7
Thread: http://forum.xda-developers.com/showthread.php?t=475286
Opinion: Good one, but chinese language everywhere! After u change main lang. still some apps name stay in chinese and options too!
wm6.1 for hurricane (with Bluetooth and INFRARED RAY problems solved)0415update!!!
Link: http://rapidshare.com/files/100934508/5x6_wm6.1_0319.rar
Thread: http://forum.xda-developers.com/showthread.php?t=378607
Opinion: Didn't tried!
WM 6 Graphite rom, how to get WMPlayer in English (now in Polish)
Link: http://rapidshare.com/files/108676266/wm6_2_2.zip
Thread: http://forum.xda-developers.com/archive/index.php/t-384972.html
Opinion: Using this one right now! Seems ok, works nice, nice look, except incoming calls didn't show up!!! Very bad bug!
Wm 6.1 Pl/eng
Link: http://rapidshare.com/files/131860280/wm_6_1_by_Lazaj007.zip
Thread: http://forum.xda-developers.com/showthread.php?t=410739
Opinion: Tried before Graphite eng edition, works great, looks great... Main lang polski, after lang change WMP stay in polski! But still ok!
WM6 for SPV C550
Link: http://rapidshare.com/files/56833250/566.zip
Thread: http://forum.xda-developers.com/showthread.php?t=330709
Opinion: Never tried!
And one pack with SPL 1.00.84 & soft spl (nb, nbf), IPL 1.00.15, GSM DATA (hex and dec), bootloader commands, splsplit... etc!
Link: http://rapidshare.com/files/427352270/data_hurricane.rar
Info: This last files can help u to unbrick your hurricane (BUT AVOID TO BRICK IT), i found it on pda2u.ru , and thanks them for that! Special thanks to member SAXON!
I found many links for ROMs but those which is here have alive links! Someone with good upload speed can reup them again in one pack and post a link here!
ENJOY!
I would like to have a non T-Mobile German version (can be a shipped ROM). Have not found any yet, only those that are available at www.shipped-roms.com Have to live with de-branding this as it seems.
Possibly someone with any of the following devices can do a "r2sd all" backup of the ROM?
imate SP4M
Orange C550
Qtek 8200 (the Russian/English is available as RUU)
Thanks for this link tobbbie !
Btw, in selang's rom SMS Send don't work! So, it is useless!!! :S
I have tested all ROM´s below for SDA II, but for me lazaj007 is the best of all
Thanks to lazaj007
Did anyone care to pick up some ROM cooking for that device? I did not succeed in getting the .BIN files manipulated correctly - and I think I have a collection of nearly all ROM tools now :-(
howto convert .bin to .nb0 and back
Foreword:
.BIN files are not all the same by their nature (of course not by content). There are
.bin that are used to identify the bare binary content of the various partitions (you mostly see those)
.bin that are used to flash a ROM to the device. This looks somehow historic though, the format is already described by itsme at: http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html. It seems to me that some non HTC devices are still using this format.
The osnbtool.exe (from Weisun at PDACLAN.COM) does not work for any purpose regarding .bin files
at least not for Hurricane.
- The -sp option cuts only the B000F\0a header but does not reconstruct the blocks of the .bin file.
Mind that small .bin files (smaller than 0x1c00000) are treated correctly as there is only one block.
- The -2bin option creates an incorrect .bin header (sets a weird total length) and sets totally confused
block-load addresses for the created blocks of 64k (0x10000) size. Check it with viewbin.exe if you like.
Reference for the filestructure by itsme:
http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html
The splitrom.pl (itsme romtools) seems not be able to read the content of any .bin file I have fed to it.
Neither for .BIN files created for Hurricane nor those for Typhoon, I always get:
cmd> splitrom.pl <binfile>
B000FF image: 82040000-84c40000, entrypoint: 00000000
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
no bootloader found
no operator rom found
no bitmap found
I am rather sure it should handle everything correctly but I am too stupid to debug .pl :-(
So the only thing that works and will re-create a flash-able .BIN file from a .nb0 is listed below:
convert .bin to .nb0:
enter: viewbin -r <binfile>, you get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x01C00000, Chksum = 0x00000000
Record [ 1] : Start = 0x83C40000, Length = 0x01000000, Chksum = 0x00000000
Record [ 2] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
The above has two blocks of data and a termination block.
The checksum = 0 effectively disables upload checking (so potentially dangerous).
The size just fits the Hurricane's SPL "l" (load) command buffer, as you get when loading a ROM:
"clean up the image temp buffer at 0x8C080000 Length 0x01C40000 "
The blocks can be smaller than 0x1c40000 but not bigger obviously.
then convert to nb0, enter: cvrtbin.exe -r -a <imgstart> -l <length> -w 32 <binfile>
for above viewbin output: cvrtbin.exe -r -a 82040000 -l 2c00000 -w 32 <binfile>
mind to omit the 0x for the start and address, replace <binfile> with your filename, then you get a resulting file from <original-name.bin> to <original-name.nb0> which can further be decomposed and edited with standard ROM tools
convert .nb0 to .bin:
enter: xipbin.exe <input.nb0> <start-in-nb0> <output.bin> <loadaddress>
to get back something flashable like above: xipbin.exe <input.nb0> 0 <output.bin> 82040000
mind to omit the 0x for the loadaddress, replace <"file"> with your filenames
to recheck if the created BIN file is usable, startup the viewbin again
enter: viewbin -r <binfile> you now get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x00040000, Chksum = 0x0208CC79
...many entries deleted...
Record [175] : Start = 0x84C00000, Length = 0x00040000, Chksum = 0x0177FB3C
Record [176] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
Done.
Looks quite different - but this is ok! The loading process in MTTY indocates the loading of each above block with a sequence of |*, so with these many blocks the upload to the device is giving feedback and thus is not tempting people to interrupt it.
I have done my tests with the 566.zip linked in the first post of this thread, but this should work with any .BIN file from the other ROMs as well. So I will continue to see if I can recycle any of the WM6 Roms for inserting my imgfs created for Tornado. As before the imgfs still the XIP is loaded and I know too little about this yet (especially in connection to the imgfs and how close these two are linked) - I am prepared to see non booting device states quite a lot. Luckily there is nothing done to the early boot chain (IPL and SPL) so I can always get back to the bootloader and start over again.
I hope to get a first indication that imgfs is mounted correctly in the "old" XIP before I have to replace the OEMdriver parts in my Tornado ROM.
I just checked if I can still use this flash-method for the Tornado - and it works as well. So the created "os-new.nb" in the OUT directory can be converted to .BIN and then flashed inside MTTY with the "l" command. Not that I like this method - but it works as well.
Tobbbie, you have here a very good research! To bad this device is out of use!

Categories

Resources