Reverse engineering the HERMES imei-check unlocker - 8525, TyTN, MDA Vario II, JasJam Software Upgradin

I am trying to capture the unlock of my M3100 to help the forum.
I followed the directions below...
fun_key said:
What you need before you start:
USBMON (I used the trial): http://www.hhdsoftware.com/usbmon.html
A Win 2k/XP computer with admin rights
How to fool the IMEI-CRACK tool:
-Login with the administrator and set up USBMON
-Create with the administrator a user (named whatever you like) with only "user" or "power user" rights
-Log in with the user you just created (you may have to re-setup ActiveSync with this user; I don't know why but it seems that ActiveSync doesn't set up for all users)
-Right click on the USBMON icon and select "run as"; input the administrator credentials and configure the software ready for the capture
-Launch the crack and follow the instructions
And voila! The dump should be achieved by now
I had to create another admin account as the unlock UTIL requires that you use the Admin account. I have been able to RUN USBMON while starting the unlock and it put the M3100 in the white unlock screen but then get an error and the util has shut down.
Any ideas? I don't mind waiting to unlock so I can help the community out...

OK... I think I captured it... The unlocker changes to a different driver type in the middle of the unlock. So I started a new session with the "NEW" device. I think I captured it all, but what do I do with this file now?

slimsaturn said:
OK... I think I captured it... The unlocker changes to a different driver type in the middle of the unlock. So I started a new session with the "NEW" device. I think I captured it all, but what do I do with this file now?
attach it here

Alright... POF, they are too big to attach... Anywhere else I can throw them? If someone tells me how to upload them to the FTP I will do so ASAP... Hopefully this is able to help someone. If I did miss the crucial info I am sorry for failing.

no problem, i'm sure it will be juicy
Put them here:
ftp://xdaupload:[email protected]/Hermes/
USERNAME: xdaupload
PASSWORD: xda
let me know when the files are uploaded.

OK so I am getting a 530 Permission Denied error. Can I just email them, or can someone let me know what I am doing wrong?

Email them to me.
sexy [email protected] vijay555.com
V

Finally the files are here:
ftp://xda:[email protected]/Hermes/Technical/unlocker-capture.zip
Going to have a look at them right now! will post something later

pof said:
Finally the files are here:
ftp://xda:[email protected]/Hermes/Technical/unlocker-capture.zip
Going to have a look at them right now! will post something later
Good Deal...hopefully this helps us

Slimsaturn!! You got it right
This is more or less what the unlocker does, will explain it in another post:
Code:
retuoR
USB> shmsg 8 2 "unlocking..."
USB> rtask a
Enter Radio Bootloader
USB> rpass
HTCS-dynamic password (see http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoaderPassword)-HTCE
...
USB> rversion
0106
rrbmc x 6D0000 8000
rwdata 4D0000 800
[HTCS]- code, too big to paste here -[HTCE]
retuoR
USB> rtask b
Enter radio Image
AT-Command interpeter ready
[email protected]=0,1,22051978
[email protected]=0,2,22051978
[email protected]=0,4,22051978
[email protected]=0,8,22051978
[email protected]=0,16,22051978
[email protected]=0,32,22051978
AT
retuoR
USB> shmsg 8 2 " done"
USB> task 8

Is that from what I sent you?

slimsaturn, yes this has been taken from the files you posted (Thanks!).
Here is the process explained; if you don't understand anything, check the wiki bootloader page for a better explanation.
Code:
retuoR
Returns from radio bootloader to normal bootloader, probably here because the capture was not started at the very beginning of the unlocker process.
Code:
USB> shmsg 8 2 "unlocking..."
USB> rtask a
Enter Radio Bootloader
Shows "unlocking..." on the Hermes screen, enters radio bootloader.
Code:
USB> rpass
HTCS-dynamic password (see http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoaderPassword)-HTCE
Sends "rpass \r" (mind the space between rpass and \r), then sends "HTCS" + the password + the CRC of the password as bytes + "HTCE".
This authenticates to the radio bootloader (to be able to use the rrbmc command later); the password is dynamic (but the method to generate it is known) and is sent encapsulated in a HTCS+password+CRC+HTCE block.
It should return either "T " for success or "F " for failure (encapsulated in the HTCS/HTCE block); in the capture it returns "T".
Code:
USB> rversion
0106
Returns the radio version encapsulated in a HTCS/HTCE block.
Code:
rrbmc x 6D0000 8000
Reads back 32768 bytes (0x8000) of memory content from address 6D0000 and saves the data to a file named "x".
@slimsaturn: do you have a file named "x" on your computer? Can you send it too? If not, can you try to "undelete" it with some tool...?
Code:
rwdata 4D0000 800
[HTCS]+(2048 bytes of code, too big to paste here)+(4 bytes CRC)+[HTCE]
This writes 2048 bytes (0x800) of data to address 4D0000; the data is sent encapsulated in a HTCS/HTCE block as well. I guess this does the CID unlocking.
These 2048 bytes are in the attachment, if anyone wants to look at them (hint: compare it with extracted radios using a hex editor).
Code:
retuoR
USB> rtask b
Enter radio Image
AT-Command interpeter ready
Returns from radio bootloader to normal bootloader, then enters the AT command interpreter to talk to the GSM AT command interface.
Code:
[email protected]=0,1,22051978
[email protected]=0,2,22051978
[email protected]=0,4,22051978
[email protected]=0,8,22051978
[email protected]=0,16,22051978
[email protected]=0,32,22051978
This enters the same SIM unlock code for all locking facilities (2,4,8,16,32). The code here is 22051978; I guess this code is calculated from what has been previously read by the rrbmc command. It will be a different code on every device. Weird that it doesn't get the locked facility first, it just tries all of them.
Code:
retuoR
USB> shmsg 8 2 " done"
USB> task 8
This exits from the AT command interpreter, shows "done" on the Hermes screen and reboots the device.
Now I'm going to try the 'rrbmc' command on my Hermes and see what is read from there... I've also found that the content written to the device by rwdata has some strings in common with GSM.nb (radio) extracted from the NBH update, so it's part of the radio.

pof said:
@slimsaturn: do you have a file named "x" on your computer? Can you send it too? If not, can you try to "undelete" it with some tool...?
Sure... I will check my recycle bin tonight. If I can't find it there, do you have a utility that I can use to search my PC to try to locate it?

It will not be in the recycle bin; it will be either in the folder you run the unlocker from, or in c:\temp or c:\windows\temp.
The exact size of the file is 32768 bytes, and it is named "x" (without extension).
If the unlocker has removed the file (most probably) then it will be deleted (but not in the recycle bin!), so you will need to use some software to undelete removed files. I don't know any, but Google may help.

Pof, I just tried running the unlocker with file I/O monitoring, and didn't see it produce a file called X (or anything else that looked like a likely candidate).
Maybe we can do a before and after dump of the radio patch - it'll probably be using a similar idea to the Universal unlocker if it's overwriting the radio.
V

pof said:
It will not be in the recycle bin; it will be either in the folder you run the unlocker from, or in c:\temp or c:\windows\temp.
The exact size of the file is 32768 bytes, and it is named "x" (without extension).
If the unlocker has removed the file (most probably) then it will be deleted (but not in the recycle bin!), so you will need to use some software to undelete removed files. I don't know any, but Google may help.
Alright, I will check tonight. I am guessing this is the missing link to fully understand what happens.

help needed
I need the help from someone who hasn't unlocked their phone yet and is willing to pay imei-check the 20GBP: I need to compare two regions of the radio before and after running the unlocker.
These are the steps to follow:
1) Disable activesync on your computer by right click on activesync icon -> connection settings -> uncheck "allow USB connections".
2) Put your device in BootLoader mode
3) Connect device to computer using USB cable.
4) Download TryBootloader.exe and run it.
5) TryBootloader fails most times you run it, with one of these errors:
"Could not enter bootloader mode" or "SetCommState failed Could not open device". You need to reset your device and put it in bootloader mode again, and keep trying until you get this (usually no more than 5 or 6 tries):
Code:
USB>info 3
password ~:0T4~~000~X~000
Entered advanced bootloader
rtask a
rtask a
Enter Radio Bootloader
rinfo
rpass
Retval:
T
Entered radio bootloader
6) Once TryBootloader successfully authenticates you, open mtty.exe and select "USB" port and click "OK", this time you will not get the usual "USB>" prompt because you will already be in radio bootloader, but this should give you an authenticated command line in radio bootloader where you have all commands enabled.
7) Start HHD USBMonitor.
8) File -> New session -> USB Monitor -> Select USB device where your phone is connected -> Check "request view" -> Finish
9) In the upper part there are two tabs: basic and complete. Click on "Complete".
10) Type these commands in the mtty window (do not copy and paste, type them!). Please note that you will not get any output (echo) on the screen when typing because you are in radio bootloader:
Code:
rrbmc a 6D0000 8000
You will see a lot of garbage in the mtty screen, don't worry... when it finishes, type the next command:
rrbmc b 4D0000 800
You will see a lot of garbage in the mtty screen again, don't worry... when it finishes, close mtty.
11) you should see all the USB traffic output on USB monitor window.
12) click on Edit -> Export and Save as type "ANSI Text files".
13) Save the file and zip it. Name it "dump-before-unlock.zip"
14) Enable USB connections in ActiveSync again, soft reset your Hermes and make sure the ActiveSync icon is "green" again.
15) Run the imei check unlocker as normal, following their instructions.
16) Once your phone is unlocked, repeat steps 1 to 13 but this time name the file "dump-after-unlock.zip"
17) Post a comment here and attach the two files; if they are too big, upload them to the xda-developers ftp.
After that we'll have everything to start working on a free unlocker
PS: I am traveling from Spain to Germany tomorrow and will be 1 week "away" without internet connection, I hope someone will have uploaded the files when I come back!!!
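The point of the before/after dumps requested in the steps above is to see exactly which bytes of the 0x8000-byte region at 6D0000 and the 0x800-byte region at 4D0000 the unlocker changes. Once the raw bytes of each dump have been recovered from the USB Monitor export (the export format is not described in the thread and is not parsed here), the comparison itself is mechanical. The following is an added example, not code from the thread or from any unlocker: a Python function that takes two equal-length dumps and a base address and reports every run of changed bytes as an absolute address range, with an optional `merge_gap` so that a patched block in which one byte happens to be unchanged is still reported as one range. The sample dumps and the changes in them are constructed inline.

```python
"""Compare two radio-region dumps taken before and after an unlock.

Added example, not code from the thread or from any unlocker. Input is the
raw bytes of a region (e.g. 0x800 bytes read from 4D0000) before and after
the unlocker ran; output is the list of changed address ranges.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Change:
    start: int    # absolute address of the first differing byte
    end: int      # absolute address one past the last differing byte
    before: bytes
    after: bytes

    @property
    def length(self) -> int:
        return self.end - self.start


def diff_regions(before: bytes, after: bytes, base: int, merge_gap: int = 0) -> List[Change]:
    """Return contiguous differing ranges between two equal-length dumps.

    Ranges separated by at most `merge_gap` unchanged bytes are merged, so a
    patch in which a few bytes coincidentally match the original still shows
    up as a single range. Dumps of different length are rejected rather than
    silently compared up to the shorter one.
    """
    if len(before) != len(after):
        raise ValueError(f"dump sizes differ: {len(before)} vs {len(after)} bytes")
    changes: List[Change] = []
    i, n = 0, len(before)
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        j = i
        while j < n and before[j] != after[j]:
            j += 1
        if changes and (base + i) - changes[-1].end <= merge_gap:
            prev = changes[-1]
            lo = prev.start - base
            changes[-1] = Change(prev.start, base + j, before[lo:j], after[lo:j])
        else:
            changes.append(Change(base + i, base + j, before[i:j], after[i:j]))
        i = j
    return changes


def summarize(changes: List[Change]) -> List[str]:
    """Human-readable lines, one per changed range."""
    return [f"{c.start:#08x}-{c.end:#08x} ({c.length} bytes changed)" for c in changes]


def build_sample_dumps():
    """Constructed 0x800-byte 'before' and 'after' dumps for demonstration."""
    before = bytes(range(256)) * 8            # 0x800 bytes, constructed
    after = bytearray(before)
    after[0x10:0x20] = b"\xEE" * 16           # a 16-byte patch
    after[0x100] = 0x01                       # a single-byte change
    after[0x200:0x210] = b"\xAA" * 16         # a 16-byte patch ...
    after[0x208] = before[0x208]              # ... with one byte coincidentally unchanged
    return before, bytes(after)


if __name__ == "__main__":
    dump_before, dump_after = build_sample_dumps()
    print("exact runs:")
    for line in summarize(diff_regions(dump_before, dump_after, 0x4D0000)):
        print("  " + line)
    print("runs merged across 1 unchanged byte:")
    for line in summarize(diff_regions(dump_before, dump_after, 0x4D0000, merge_gap=1)):
        print("  " + line)
```

With `merge_gap=0` the constructed sample reports four ranges (the patch at 0x200 is split around the unchanged byte at 0x208); with `merge_gap=1` it reports three, which is usually the more useful view when hunting for the block rwdata wrote.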

Awesome on the Stick

slimsaturn said:
I am trying to capture the unlock of my M3100 to help the forum.
I followed the directions below...
I had to create another admin account as the unlock UTIL requires that you use the Admin account. I have been able to RUN USBMON while starting the unlock and it put the M3100 in the white unlock screen but then get an error and the util has shut down.
Any ideas? I don't mind waiting to unlock so I can help the community out...
Humm, interesting, when I tried it didn't require admin rights so far. I tried this quite a long time ago, I may have forgotten something or they may have updated their util.
@pof: You were talking about CID unlocking. I don't think that the IMEI tool is still able to make the TyTN Super CID. I used it about 2 months ago and my device is far from being Super CID. Slimsaturn, could you please give us the CID of your device in order to check what really happens down there?
EDIT: I found the exe program when I tested the dump. There is now an updated version of the .exe on their website. I guess that it could be interesting to test different versions of the tool, in order to better understand what it really does and how it does it.
I upload here the older version, it may interest someone. I'll give more tries with the newest version, if it is able to handle my radio version.

nice work
my £20 donation is sitting here waiting for you guys!!!!!!!!!!
anything i can do to help?

Related

Application unlock for HTC Monet (Virgin Lobster 700tv)

Been trying everything on the Internet and managed to make some headway with Monet (Virgin Lobster 700tv) unlock (this might work for Meteor/C700 as well).
1. Firstly you need to get rid of the 'registry security policy' lock.
Download cert install sp.zip:
[see attachment]
a. copy "SP_AllowCertificateInstall.cab" to the root of Monet memory or card
b. Use file explorer on monet to navigate to file. Click to run. Should run ok.
c. Unzip "SDA_ApplicationUnlock.zip" on PC and run "SDA_ApplicationUnlock.exe" whilst Monet is connected via activesync
2. Copy registry editor onto Monet. I used PHM, but others should work. Note install PHM loader on PC whilst monet is connected via activesync. It might install correctly on Monet, it might not. This does not matter. Just navigate on your PC to Program Files\phm and find the .exe file and copy to root of Monet memory or card.
Also nice free remote registry editor here (works from PC whilst phone is connected via activesync):
http://www.breaksoft.com/Blog/Utilities/2005/1/Mobile_Registry_Editor.aspx
Excellent 'free' combined file explorer and registry editor (perhaps for later - after app. unlock) SGS:
http://www.handango.com/PlatformPro...925777&Ntt=registry&productId=195244&R=195244
3. Using PHM (or the registry app you like) change the four keys specified in this guide (you might find the above process has already reset 1001 and 101b):
http://wiki.spv-developers.com/HTC_Application_Unlock_Guide
They are:
Under HKEY_LOCAL_MACHINE\Security\Policies\Policies:
a. Change the DWORD named "1001" to 1 (could originally be 2)
b. Change the DWORD named "1005" to 40 (could originally be 16)
c. HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 or 16 (before) 144 (after)
d. HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 101b = 1 (this key might not exist, if so, create it).
4. Restart
5. HOORAY. Now your phone is fully application unlocked.
-----the following procedure is to SIM Unlock, this currently does not work. Possibly spv-services will be updated at some time to work with the Monet---->
6. Now download spv_services:
http://www.spv-developers.com/forum/showthread.php?t=236
a. Copy the cert.cab file to your Monet. Select and run it using File Explorer; it should run fine.
b. Next step. Run SPV_services from PC whilst phone still connected via Activesync. Should unlock ..... however I get checksum error....
Will investigate. Anyone have any luck please say. At least we can now get the phone app.unlocked.
------------------------->
Note: I have read that the phone might again become app.locked if you do a hard reset. If this is the case, just follow the above again.
rgds
colonel said:
(...)
b. Next step. Run SPV_services from PC whilst phone still connected via Activesync. Should unlock ..... however I get checksum error....
(...)
So this thread should not be named Full unlock for HTC Monet :>
apparently when I tell SPV Services to use the simlock tool, it freezes at a blue screen trying to load a php.. this is after I input AGREE into the box..
it opens fine b4 that.. am I doing anything wrong?
bongmaster said:
apparently when I tell SPV Services to use the simlock tool, it freezes at a blue screen trying to load a php.. this is after I input AGREE into the box..
it opens fine b4 that.. am I doing anything wrong?
SPV-Services needs to access the internet.
A php is an active type of web page.
It would appear that there is something blocking it from accessing the internet. Most probably a firewall on your PC, either the internal Windows one, or a 3rd party package you have installed. You need to check this.
If it's for the Monet I wouldn't bother anyhow, as SPV-Services can not currently SIM unlock this phone.
rgds
colonel said:
SPV-Services needs to access the internet.
A php is an active type of web page.
It would appear that there is something blocking it from accessing the internet. Most probably a firewall on your PC, either the internal Windows one, or a 3rd party package you have installed. You need to check this.
If it's for the Monet I wouldn't bother anyhow, as SPV-Services can not currently SIM unlock this phone.
rgds
1st thing I checked was the firewall..
I know what a php is, I run a phpbb forum, and yes it is a Monet (lobster 700)..
shame (I really need to unlock the networks on it). I have an O2 SIM and when I put it in it asks for a network unlock code.. if only I had that code.. any idea how to obtain it?
the only way currently is to use virgin or a commercial service
If you put at least £30 of talk time on your virgin account, they will send you the unlock code for free.
Otherwise search google or this forum for a commercial unlocking service.
rgds
colonel said:
1. Firstly you need to get rid of the 'registry security policy' lock.
Download cert install sp.zip:
http://www.spv-developers.com/forum/showthread.php?t=425
Hi, I have a question. I would like to try it but the link above shows: Invalid Thread specified. If you followed a valid link, please notify the administrator :-(
burticek said:
Hi, I have a question. I would like to try it but the link above shows: Invalid Thread specified. If you followed a valid link, please notify the administrator :-(
Edit: Never mind. I have found it ;-)
Virgin Lobster
I have followed all the instructions
I get an error when running the sim lock tool as follows:
Encrypted checksum not found
I then use a Vodafone SIM and get "Network is locked. Please input unlock code."
Any ideas?
SteveW
classicxda said:
I have followed all the instructions
I get an error when running the sim lock tool as follows:
Encrypted checksum not found
I then use a Vodafone SIM and get "Network is locked. Please input unlock code."
Any ideas?
SteveW
simunlock is not working yet on the monet.
this procedure only app. unlocks
rgds
c.
Lobster unlock
What would it cost to do this?
Cheers
SteveW
just phone Virgin if you have a Lobster. They require £30 of airtime to be purchased before they give you the code.
Application Unlock for HTC Monet
Hi colonel
I have been trying in vain to do an application unlock on my Lobster 700tv. I have managed to install and run the "SP_AllowCertificateInstall.cab" which went ok. The "SDA_ApplicationUnlock.exe" also ran ok. However, running PHM required a copy to be placed on the Monet which I did. Attempting to run the "setup.exe", gave the following message:
"ALERT: Setup is Not a Valid Windows CE Application"
Because of this, I attempted to change the registry keys using "Mobile Registry Editor.exe" which seemed to do the job. However, applications still won't work (I'm trying to install TomTom Navigator 6).
I have since managed to load and run "MobileRegistryEditor.exe" on my phone without problems but I still cannot get TomTom Navigator 6 to run, although it loads onto the storage card ok.
Please can you help?
Regards,
leadweight
leadweight said:
Hi colonel
I have been trying in vain to do an application unlock on my Lobster 700tv. I have managed to install and run the "SP_AllowCertificateInstall.cab" which went ok. The "SDA_ApplicationUnlock.exe" also ran ok. However, running PHM required a copy to be placed on the Monet which I did. Attempting to run the "setup.exe", gave the following message:
"ALERT: Setup is Not a Valid Windows CE Application"
Because of this, I attempted to change the registry keys using "Mobile Registry Editor.exe" which seemed to do the job. However, applications still won't work (I'm trying to install TomTom Navigator 6).
I have since managed to load and run "MobileRegistryEditor.exe" on my phone without problems but I still cannot get TomTom Navigator 6 to run, although it loads onto the storage card ok.
Please can you help?
Regards,
leadweight
I also have been trying to unlock my Lobby to no avail.
Used a couple of reg editors but when you change the values the phone comes back with "Unable to perform this operation".
I also used the HTC unlocker which came back with the same message.
Lobster headache
Hi bocsta
I had problems to start with but I had failed to read colonel's instructions correctly. I couldn't get PHM to run on my phone so I tried some of colonel's other suggestions. I found that "SGS Explorer" did load ok and I used its registry editor to change the registry keys as listed. I am assuming that my phone is now unlocked but TomTom Navigator 6 will not run.
Can someone please help before I throw my lobster back in the sea?
Regards .....
leadweight said:
Hi bocsta
I had problems to start with but I had failed to read colonel's instructions correctly. I couldn't get PHM to run on my phone so I tried some of colonel's other suggestions. I found that "SGS Explorer" did load ok and I used its registry editor to change the registry keys as listed. I am assuming that my phone is now unlocked but TomTom Navigator 6 will not run.
Can someone please help before I throw my lobster back in the sea?
Regards .....
Colonel's zip file comes back as not a valid archive?
Where can I find the first file in his list being : SP_AllowCertificateInstall.cab ???
Find File
bocsta said:
Colonel's zip file comes back as not a valid archive?
Where can I find the first file in his list being : SP_AllowCertificateInstall.cab ???
The file you require is "cert install sp.zip"
You can get it by clicking on colonels attached files link on the bottom left of his list.
Regards
leadweight said:
The file you require is "cert install sp.zip"
You can get it by clicking on colonels attached files link on the bottom left of his list.
Regards
Have you tried downloading it recently? The zip file says it is not a valid archive or is damaged.
bocsta said:
Have you tried downloading it recently? The zip file says it is not a valid archive or is damaged.
I have just tried it again and it downloaded ok. I'm not sure why you have had problems - keep trying as it could be just a glitch.
Regards ...
leadweight said:
I have just tried it again and it downloaded ok. I'm not sure why you have had problems - keep trying as it could be just a glitch.
Regards ...
Yes it downloads OK. I just can't unzip it. Can you try to unzip it please?
If it fails and you still have the zip file that you unzipped originally, can you please PM it to me?
Thanks

KITL + Platform Builder Recovery without pissing around

ok, the current KITL tutorial is horribly crap since it takes you bloody ages before you can do anything; here's what you *actually* need to do:
Download Platform builder, Emulator and ARMV4i are probably not necessary... can't guarantee that, but you can rerun the installer anyway and just get those to add on.
run Platform builder, start a new platform, select custom, leave everything blank, that's fine.
now, for the juicy part;
firstly take a random dll, hell take ANY file and copy it 4 times as ril.dll rilgsm.dll serial_cmd.dll and stk_service.dll (the stk_service.dll might not actually be necessary either) also, create a blank text file here and rename it to nk.bin
now, go to Target --> Connectivity Options. set the Download to None, the Transport to USB and the Debugger to None, go ahead and click Apply, then click Close.
go to Build OS --> Open Release Directory; note down the folder path and go to it in explorer and copy the 4 files from earlier there.
Go back to Platform Builder and go to Target --> Release Directory Modules, in there you'll be able to add the 4 dll files to the release, once all are added, click OK.
now for your Hermes: hold the Power + Comm buttons and soft reset and wait for the KITL dialog to appear, now is the CRITICALLY missed step; you need to press the small OK button on the LEFT of the device to activate USB KITL.
once activated, go to Target --> Attach Device and just wait for the device to load, it won't take very long.
once loaded, you can use the device normally EXCEPT for disconnecting the USB... that'll lock the device up, so the best thing to do is of course lob SSPL on to it via an SD card and you're away.
Wonder what PB is actually doing to the phone to get access to it without the OS. Could we not create a program that basically does whatever PB does, but all automatically and once SSPL is loaded, push your HardSPL on it?
Oli, I think it goes without saying you are just too darned smart!!! Keep up the great work!
LegolasTheElf said:
Wonder what PB is actually doing to the phone to get access to it without the OS. Could we not create a program that basically does whatever PB does, but all automatically and once SSPL is loaded, push your HardSPL on it?
KITL is the Kernel Transport layer, what PB does is firstly communicate via this layer to try and push a null kernel image to the device (in our case) which fails, resulting in the normal kernel booting instead.
the second stage is that 3 null files (or at least not signed) are pushed to the phone intended to be used instead of the radio interface dll's... since of course, the radio isn't actually working and is hence crashing the OS, as a result, these Dll's never get executed, meaning the phone no longer crashes.
the reason this used to be so horribly slow was due to the ridiculous emulator image getting pointlessly pushed to the phone.
Is this one of those things that it's just not worth duplicating PB? Or, can we also push a null image to the device in a faster/easier way that also does the same thing, but, without needing windows and/or PB?
LegolasTheElf said:
Is this one of those things that it's just not worth duplicating PB? Or, can we also push a null image to the device in a faster/easier way that also does the same thing, but, without needing windows and/or PB?
well, sniff the USB port and see for yourself
Thanks!!!
Olipro said:
ok, the current KITL tutorial is horribly crap since it takes you bloody ages before you can do anything; here's what you *actually* need to do:
Download Platform builder, Emulator and ARMV4i are probably not necessary... can't guarantee that, but you can rerun the installer anyway and just get those to add on.
run Platform builder, start a new platform, select custom, leave everything blank, that's fine.
now, for the juicy part;
firstly take a random dll, hell take ANY file and copy it 4 times as ril.dll rilgsm.dll serial_cmd.dll and stk_service.dll (the stk_service.dll might not actually be necessary either) also, create a blank text file here and rename it to nk.bin
now, go to Target --> Connectivity Options. set the Download to None, the Transport to USB and the Debugger to None, go ahead and click Apply, then click Close.
go to Build OS --> Open Release Directory; note down the folder path and go to it in explorer and copy the 4 files from earlier there.
Go back to Platform Builder and go to Target --> Release Directory Modules, in there you'll be able to add the 4 dll files to the release, once all are added, click OK.
now for your Hermes: hold the Power + Comm buttons and soft reset and wait for the KITL dialog to appear, now is the CRITICALLY missed step; you need to press the small OK button on the LEFT of the device to activate USB KITL.
once activated, go to Target --> Attach Device and just wait for the device to load, it won't take very long.
once loaded, you can use the device normally EXCEPT for disconnecting the USB... that'll lock the device up, so the best thing to do is of course lob SSPL on to it via an SD card and you're away.
Olipro thank you very much for this very nice explanation.
Worked perfectly. Maybe change in your tutorial to copy 5 files (you wrote 4 files, only the dlls) to the release folder.
Another Time: THANK YOU VERY MUCH!
Best regards.
A nub
AdoMad
ActiveSyncen
Hello,
I have just a dumb question:
After recovering my HTC Hermes and installing, which is now already deinstalled:
It is not synchronizing anymore with my hermes.
It is connected to my Hermes and the ActiveSync sign is making rounds, but nothing is happening.
I can access the SD card from Activesync but synchronization is not working.
I deinstalled activesync and installed it as well as I deinstalled the windows CE stuff.
What's happened?
Thanks for help in advance!
adomad said:
Hello,
I have just a dumb question:
After recovering my HTC Hermes and installing, which is now already deinstalled:
It is not synchronizing anymore with my hermes.
It is connected to my Hermes and the ActiveSync sign is making rounds, but nothing is happening.
I can access the SD card from Activesync but synchronization is not working.
I deinstalled activesync and installed it as well as I deinstalled the windows CE stuff.
What's happened?
Thanks for help in advance!
not a bloody clue... play with it, I don't know
weird....
it does not work so far...
I tried different things, but no success!
Thanks anyways.
AdoMad
Thanks Oli..it works..I confirm
hdubli said:
Thanks Oli..it works..I confirm
O RLY?
I know it works mate... but thanks for pointing it out
Fantastic
Thank You Oli.
I had a 8525 brick for 2 weeks. I tried the superdave method many times without success. This method worked the first time. 30 minutes later I have a fully working phone again!
Great walk through Oli - if I get to that stage I know where to come but with Hard-SPL and the RUU Wrapper hopefully it shouldn't come to that
Olipro said:
ok, the current KITL tutorial is horribly crap since it takes you bloody ages before you can do anything; here's what you *actually* need to do:
Download Platform builder, Emulator and ARMV4i are probably not necessary... can't guarantee that, but you can rerun the installer anyway and just get those to add on.
run Platform builder, start a new platform, select custom, leave everything blank, that's fine.
now, for the juicy part;
firstly take a random dll, hell take ANY file and copy it 4 times as ril.dll rilgsm.dll serial_cmd.dll and stk_service.dll (the stk_service.dll might not actually be necessary either) also, create a blank text file here and rename it to nk.bin
now, go to Target --> Connectivity Options. set the Download to None, the Transport to USB and the Debugger to None, go ahead and click Apply, then click Close.
go to Build OS --> Open Release Directory; note down the folder path and go to it in explorer and copy the 4 files from earlier there.
Go back to Platform Builder and go to Target --> Release Directory Modules, in there you'll be able to add the 4 dll files to the release, once all are added, click OK.
now for your Hermes: hold the Power + Comm buttons and soft reset and wait for the KITL dialog to appear, now is the CRITICALLY missed step; you need to press the small OK button on the LEFT of the device to activate USB KITL.
once activated, go to Target --> Attach Device and just wait for the device to load, it won't take very long.
once loaded, you can use the device normally EXCEPT for disconnecting the USB... that'll lock the device up, so the best thing to do is of course lob SSPL on to it via an SD card and you're away.
Hi Olipro, could you share or attach the 4 files you mention below for us:
ril.dll
rilgsm.dll
serial_cmd.dll
and stk_service.dll
For us to download.
Thanks a lot
mmgirlmm said:
Hi Olipro, could you share or attach the 4 files you mention below for us:
ril.dll
rilgsm.dll
serial_cmd.dll
and stk_service.dll
For us to download.
Thanks a lot
Hey mmgirlmm, it's post like these that will give Olipro a Myocardial Infarction or better known as a Heart Attack. He's on the edge as it is and I really don't want to push him over! Most people here know he's done a lot of good for this community and inane posts like these will take him from us for good!
I realise that English may not be a strong point but Olipro could not have made it much clearer.... use ANY file. If you do not know what one of those is or can not find one on your phone then leave it be!
@Olipro
St John's Wort is good to calm the nerves & ease depression, or find out what Pof takes.
Wam7 said:
Hey mmgirlmm, it's posts like these that will give Olipro a Myocardial Infarction, better known as a Heart Attack. He's on the edge as it is and I really don't want to push him over! Most people here know he's done a lot of good for this community and inane posts like these will take him from us for good!
I realise that English may not be a strong point but Olipro could not have made it much clearer.... use ANY .dll. If you do not know what one of those is or can not find one on your phone then leave it be!
@Olipro
St John's Wort is good to calm the nerves & ease depression, or find out what Pof takes.
Hi Wam7, you are a good man, thanks a lot for your post.
I think many people here have already bricked their Hermes, and in that situation they cannot copy the DLL from their Hermes PPC. That's why I have this request for Olipro, if possible, to share or attach the files here.
You are a good man, could you share or upload these ANY .dll files here for the people who need them in this forum?
Thanks
Telling me I am a good man will not get me to post the files. I have not had reason to use Platform Builder but just from reading Oli's post I think he means any .dll on your computer, not your phone, as I alluded to.
Somebody will come along to make it totally clear for those people whose English might not be very good.
Check your PC firewall settings
adomad said:
weird....
it does not work so far...
I tried different things, but no success!
Thanks anyways.
AdoMad
Adomad, depending on what firewall program you have, you may need to wander through its settings to check whether it has exclusions to allow your reinstalled version of ActiveSync to access the necessary ports to sync.
mmgirlmm said:
Hi Wam7, you are a good man, thanks a lot for your post.
I think many people here have already bricked their Hermes, and in that situation they cannot copy the DLL from their Hermes PPC. That's why I have this request for Olipro, if possible, to share or attach the files here.
You are a good man, could you share or upload these ANY .dll files here for the people who need them in this forum?
Thanks
Wam7 has tried to explain this... yet clearly you're failing to listen.
INVENT A FILE, THEY DO NOT HAVE TO BE REAL.
you could take a text file like mypasswords.txt and rename it to ril.dll then copy it 3 times and rename those... it doesn't make a blind bit of difference, do you get it now?

a little help please

hello everyone.
I'm trying to unlock the CID on my phone. I get to step 3 and then I don't know what to do next. Which version of itsutils do I download? When I click pdocread the MS-DOS window appears, then something happens on my phone and I click yes on my phone, then nothing happens at all. I tried re-opening pdocread and it appears for a second on my laptop then goes away. Can someone tell me the last steps in detail? Thanks very much
you need to run pdocread in command line mode - click Start menu -> Run...:
cmd
then go to folder where pdocread is and enter:
pdocread
P.S. you need the itsutl050628.zip version of itsutils
thanks for that
I'm now stuck on part 7. I have my unique ID, how do I run the program again?
thanks
Okay, I managed to get to step 10. I have a bin file and when I do step 10, replacing the xxxxx with the name of my bin file, I get a "destination file cannot be found" error: unable to open host/destination file - the system cannot find the file specified.
What am I doing wrong?
thanks
OK, managed to do it. I actually did it on the first go lol, but no message came up on my phone saying it was done. Thanks anyway.

Can't Get Wm6 On Qtek 8500

Tried everything in all the threads, 2 different registry editors, paid imei-check £20!! for CID unlock, which unlocked an already unlocked, SIM-unlocked phone. Registry editor settings don't appear to stick; when I run pdocread.exe the black box appears then disappears 1 second later!! Every time I try to update I get 5% in, then a 270 error. SDA_ApplicationUnlock.exe fails!! It just ain't having it!! Phone is new from Expansys, computer is running XP Pro. I've done everything in the way described. Any help would be great.
vo1968 said:
when i run pdocread.exe the black box appears then dis-appears 1 second later
You MUST run pdocread via Command Line. To launch command line you have to click on Start->Run->enter cmd.
Then move to the folder where pdocread.exe is located using the cd command. For example: C:\>cd D:\itsutils\
thanks for that, i will try that tomorrow.
thanks Erofich, but it still ain't having it. The dosbox does display but when I run commands all I get is errors: error ITGetStoreMgrList, system cannot find file, invalid signature, WARNING could not find default device etc etc. I have the phone ActiveSynced, the itsutils as described, I even paid imei-check for CID unlock, which I ran & was "successful"!!!! Still get error 270 on ROM update. I've looked through all the threads again. I have flashed SPV E100, XDA, XDA Exec & MDA Compact 3 in the past; none have given me as much grief as this. ANYONE HELP??????
vo1968 said:
...the dosbox does display...
Dosbox? oO You have to run pdocread via Command Line (cmd.exe) and not a DosBox
And yes, you MUST make an application unlock before running any part of itsutils, search this StarTrek forum for that thread.
thanks, sorry i meant command line, like you said. got this error:
C:\Documents and Settings\vo>build\pdocread.exe
Copying C:\Documents and Settings\vo\build\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
tried resetting & restarting, guess what? same issue. but it does appear to be getting nearer to running your rom, which everybody else is raving about. many thanks.
have you app unlocked your device?
Download regeditSTG2 which is digitally signed: http://4pda.ru/forum/attach/387522/regeditSTG2.zip
Then install it and change some registry values:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 2
-> change to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 16
-> change to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 128
-> change to 144
HKEY_LOCAL_MACHINE \Security\Policies\Policies
-> create new key "0000101a": Dword = 1
HKEY_LOCAL_MACHINE \Security\Policies\Policies
-> create new key "0000101b": Dword = 1"
cheers. do i run that in the phone or the computer? i'll do it tomorrow, given up for today! sorry to be a total noob!
vo1968 said:
cheers. do i run that in the phone or the computer? i'll do it tomorrow, given up for today! sorry to be a total noob!
You must install regedit STG2 to smartphone and edit registry values via smartphone
Simply search for regeditSTG2 in Start(may be Accessories) after installing and run it
THANK YOU VERY MUCH. it has been a long week but wm6 is installed. couldn't have done it without you. thanks again.

[Resolved] How to format rom? (detailed steps in post #9)

After a number of ROM flashings, I started to encounter some strange and random machine halts. According to some articles, it was suggested that formatting using mtty may help.
Could anybody advise what command I should use in mtty or putty in order to do a format? Is it still "task 29" as on other devices? Is it safe to apply the same steps as the Diamond mtty thread on my Topaz?
or, would this tool under the Leo forum work on Topaz as well?
http://forum.xda-developers.com/showthread.php?t=644781
I tried to google the above, but cannot yet find a specific answer for Topaz (only for some other devices).
thanks in advance.
pp18 said:
After a number of ROM flashings, I started to encounter some strange and random machine halts. According to some articles, it was suggested that formatting using mtty may help.
Could anybody advise what command I should use in mtty or putty in order to do a format? Is it still "task 29" as on other devices? Is it safe to apply the same steps as the Diamond mtty thread on my Topaz?
Or, would this tool from the Leo forum work on Topaz as well?
http://forum.xda-developers.com/showthread.php?t=644781
I tried to google the above, but cannot yet find a specific answer for Topaz (only for some other devices).
Thanks in advance.
Don't know about the tool you mention, but i've been using mtty (with the same steps described in the diamond thread) and got no issues. (task 29 is working ok). Just remember to put a ROM (named TOPAIMG.nbh) in the root of the SD card, so you can flash right after.
p.s. for me is working fine, but i don't take any responsibility in case of trouble (just a disclaimer...)
pp18 said:
After a number of ROM flashings, I started to encounter some strange and random machine halts. According to some articles, it was suggested that formatting using mtty may help.
Could anybody advise what command I should use in mtty or putty in order to do a format? Is it still "task 29" as on other devices? Is it safe to apply the same steps as the Diamond mtty thread on my Topaz?
Or, would this tool from the Leo forum work on Topaz as well?
http://forum.xda-developers.com/showthread.php?t=644781
I tried to google the above, but cannot yet find a specific answer for Topaz (only for some other devices).
Thanks in advance.
Yes, the same applies to Topaz. I was using mtty and "task 29" this morning to clear my device's internal storage .
pp18 said:
After a number of ROM flashings, I started to encounter some strange and random machine halts. According to some articles, it was suggested that formatting using mtty may help.
Could anybody advise what command I should use in mtty or putty in order to do a format? Is it still "task 29" as on other devices? Is it safe to apply the same steps as the Diamond mtty thread on my Topaz?
Or, would this tool from the Leo forum work on Topaz as well?
http://forum.xda-developers.com/showthread.php?t=644781
I tried to google the above, but cannot yet find a specific answer for Topaz (only for some other devices).
Thanks in advance.
It is working on Topaz too. You just need to put in the Topaz radio instead of the one in the dir.
thanks all for your help!
Just now I was able to use PSAS (http://revskills.de) to enter the terminal mode (so as to skip the driver installation steps for Vista 64), follow the bootloader commands in the Diamond mtty thread to format the storage (bad block detected as expected), and flash the Energy Mar-20 ROM.
I can enjoy flashing again.
pp18 said:
thanks all for your help!
Just now I was able to use PSAS (http://revskills.de) to enter the terminal mode (so as to skip the driver installation steps for Vista 64), follow the bootloader commands in the Diamond mtty thread to format the storage (bad block detected as expected), and flash the Energy Mar-20 ROM.
I can enjoy flashing again.
hi ,
i want to try it too.
can you write more detailed procedure.
10X
yes. elaborate it a little so we can have that option too
pp18 said:
thanks all for your help!
Just now I was able to use PSAS (http://revskills.de) to enter the terminal mode (so as to skip the driver installation steps for Vista 64), follow the bootloader commands in the Diamond mtty thread to format the storage (bad block detected as expected), and flash the Energy Mar-20 ROM.
I can enjoy flashing again.
Thanks for informing us about PSAS, it really makes life with HTC much easier
Will try it out next time I flash.
IMPORTANT NOTE to those who didn't do a format before:
please carefully read AT LEAST the first 4 posts of the mtty thread to learn what you're going to do.
Procedures of formatting the rom:
1: Install PSAS (http://revskills.de/) to your Windows PC
2: For Windows Vista/7, open up Windows Mobile Device Center, go to Preferences and uncheck "Use usb connections"
3: Bring device into bootloader (Reset + Hold Vol Down), this will show the Red, Blue, Green screen showing "Serial" - Connect device in bootloader mode to USB, the word "Serial" will change to "USB"
4: Follow instructions in the following post to enter the device's bootloader command prompt:
http://forum.xda-developers.com/showpost.php?p=5427496&postcount=23
Code:
---------------------
MTTY OUTPUT:
---------------------
CMD>
---------------------
type "set 14 0" without the quotes to tell the bootloader to boot the OS after reset:
---------------------
MTTY OUTPUT:
---------------------
CMD>set 14 0
HTCST ÚÈHTCEUSB>
---------------------
type "task 29" to get your device formatted:
---------------------
MTTY OUTPUT:
---------------------
Cmd>task 29
Format BINFS start
Fill RSVD information for block 288 to 321
CE start sector=0x14, total sector of CE and TFAT=0x14
CE start start block=321, total block=1727
ERASE block 1337 FAIL !!!
Write 0xFF start page=0x5040, total page=0x1AFC0
Format BINFS end
Cmd>
---------------------
type "task 8" to ask your device to reboot:
---------------------
MTTY OUTPUT:
---------------------
Cmd>task 8
Cmd>
---------------------
5: DISCONNECT your device from PC
6: enter bootloader again to flash your favorite rom from SD card, i.e.
6a. Download a ROM of your Choice, RENAME the *.nbh for your ROM to TOPAIMG.nbh
6b. Prepare an SD Card (must be formatted in FAT32) and copy TOPAIMG.nbh to the root directory of the card
6c. enter bootloader by: hold Vol-Down + poke soft reset red button
Thanks to the original authors
most of the above are copy-and-paste from the following posts:
1. the Diamond mtty thread
2. the instructions given by the author of PSAS
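As an added example, not part of the thread or of PSAS/mtty, a small Python parser for the "task 29" transcript shown above: it confirms the format actually reached "Format BINFS end" and lists any block whose erase failed (the bad block pp18 mentions), so you can tell whether it is sensible to move on to flashing. The sample transcript is constructed from the output quoted in the steps above.

```python
import re

# Constructed sample: the "task 29" transcript quoted above, including the one failed erase.
SAMPLE_MTTY_LOG = """\
Cmd>task 29
Format BINFS start
Fill RSVD information for block 288 to 321
CE start sector=0x14, total sector of CE and TFAT=0x14
CE start start block=321, total block=1727
ERASE block 1337 FAIL !!!
Write 0xFF start page=0x5040, total page=0x1AFC0
Format BINFS end
Cmd>
"""

RE_RSVD = re.compile(r"Fill RSVD information for block (\d+) to (\d+)")
RE_CE = re.compile(r"CE start start block=(\d+), total block=(\d+)")
RE_FAIL = re.compile(r"ERASE block (\d+) FAIL")
RE_WRITE = re.compile(r"Write 0xFF start page=(0x[0-9A-Fa-f]+), total page=(0x[0-9A-Fa-f]+)")


def parse_task29(log: str) -> dict:
    """Extract the key facts from a bootloader 'task 29' transcript."""
    info = {"started": False, "finished": False, "rsvd_blocks": None,
            "ce_start_block": None, "ce_total_blocks": None,
            "failed_blocks": [], "pages_written": None}
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Format BINFS start":
            info["started"] = True
        elif line == "Format BINFS end":
            info["finished"] = True
        elif (m := RE_RSVD.match(line)):
            info["rsvd_blocks"] = (int(m[1]), int(m[2]))
        elif (m := RE_CE.match(line)):
            info["ce_start_block"], info["ce_total_blocks"] = int(m[1]), int(m[2])
        elif (m := RE_FAIL.match(line)):
            info["failed_blocks"].append(int(m[1]))   # bad block the bootloader skipped
        elif (m := RE_WRITE.match(line)):
            info["pages_written"] = int(m[2], 16)     # total pages filled with 0xFF
    return info


def assess(info: dict) -> str:
    """One-line verdict: only a transcript that reached 'Format BINFS end' is a finished format."""
    if not info["started"]:
        return "no 'task 29' format found in transcript"
    if not info["finished"]:
        return "format did not reach 'Format BINFS end'; do not flash yet"
    bad = info["failed_blocks"]
    if bad:
        return f"format complete; {len(bad)} bad block(s) skipped: {bad}"
    return "format complete; no bad blocks reported"


if __name__ == "__main__":
    print(assess(parse_task29(SAMPLE_MTTY_LOG)))
```

Paste your own mtty session into SAMPLE_MTTY_LOG (or read it from a saved log file) to check a transcript that scrolled past too quickly to read.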
thank u, man.
it's work like a charm!
pp18 said:
thanks all for your help!
Just now I was able to use PSAS to enter the terminal mode (so as to skip the driver installation steps for Vista 64), follow the bootloader commands in the Diamond mtty thread to format the storage (bad block detected as expected), and flash the Energy Mar-20 ROM.
I can enjoy flashing again.
I use MTTY to do this. The drivers for Win7 & Vista, both 32 & 64 bit, are attached.
Anyone who wants to format their ROM can follow this:
For a Win7 system, please install the drivers:
Code:
1. Go to the 3-color screen, plug in your cable and wait until "USB" appears.
2. Go to the "Device manager" of your computer and check the properties of "Microsoft USB Sync" or "HTC USB Sync"
3. Choose "Update drivers", check whether the driver is made in "2007"
4. Install the driver manually; the driver file is "wceusbsh.inf".
5. Check the driver's date again after installing it. The date for x86 should be "2004" and x64 is "2003"

The rest is just to open MTTY and configure the port to USB:
enter these commands:
Code:
set 14 0
task 29---------->This is to format BINFS
task 8 ----------->This command can restart your phone
Here's a better, easier one!
Here's a better, easier one
[REF] Task 29 (format) without drivers, without mtty.. It worked on my Topaz. Just make sure you change the radio file to the Topaz radio.
illi said:
Here's a better, easier one
[REF] Task 29 (format) without drivers, without mtty.. It worked on my Topaz. Just make sure you change the radio file to the Topaz radio.
Tried your way. Everything was fine with flashing. Let's see whether there are any improvements...
ayl said:
Tried your way. Everything was fine with flashing. Let's see whether there are any improvements...
I have not seen any improvement. Just flashed Mondilv v4.3 Beta1. Let's see after a few days.
