Related
I'm truly sorry about the delay.
I've finally got round to posting a a STAR100 SuperCID guide.
1. Get itsutils: http://www.xs4all.nl/~itsme/projects/xda/tools.html
2. Run pdocread.exe with no args. Take a note of the "uniqueid" value.
3. Run "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb" - you'll get a file.
4. Head over to http://www.spv-developers.com/strtrkCID/. Feed it the DOCID and the file you got from steps 2 and 3. It'll give you back anoter file.
5. Run "pdocwrite -n 1 patchedfile.bin 0x000000 0x10000 -b 0x4000" where patchedfile.bin is obviously to be replaced with the patched file you got from step 4.
6. There is no 6. Report feedback.
Click to expand...
Click to collapse
All credit goes to itsme - he wrote all the tools and scripts which made all this possible.
Spawning script: perl startrek_cidedit.pl cid1e62995dd1db197b00b697388760b5e3.bin -i DOPOD601 -c 11111111 -o supercid1e62995.bin 2>&1
decrypting
bufend=44bdd4609845fd0931a871b4a31ddba42d4b96386f9 e9c5dff947c035432fc15
result=b2c7c4eede400853eb232eba436f394b3d75a9adf4c e9a1e452b26ea9059dc59
sha64k=8a7e3a8462b8c851ac125710d44abc05da4916f215e 331f98420db7ae5d87a5d
buffer checksum failed
why ?
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Fantastic !!! Working Ok on SPV F600. Now, we need how to simunlock this smartphone.
Thank you very much Zone Mr.
i run pdocread in step 1 and got a dos screen that desaper in a second,and were i find the file in step 2.
Zone-MR said:
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Click to expand...
Click to collapse
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
wlinsong said:
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
Click to expand...
Click to collapse
i know how to do,thank Zone-MR very very much
is there someone know how to flash rom use T-flash Card?
someone can't get the docid ,because you must use the old one!
I tried to do first step but when I ran pdocread.exe I get the following message :
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.
I've app-unlocked my device, activesync works ok, and restarting does not help. Phone is Qtek8500.
Any ideas?
Thanks
Is the script to calculate CID area for startrek available?
I think this should use the same method on Artemis or Herald, the problem is that they have G4 DOC and we'll not be able to use pdocwrite, but on those phones we're already able to place a hacked SPL in mem with psetmem.exe and jump into it's address with modified haret version. If we have the right CID area we can use the hacked SPL to flash it.
sorry for the ignorance...
I have downloaded itsutils but where is the dpocread.exe??
do I have to connect to the device with the mtty??
Maybe a bit more explanation
I've CID unlocked my Qtek 8500 and installed new ROM 3.6.251.0. Thanks Zone, great work!
Maybe it would be useful to write more detailed instructions, so here it is :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like
It works! I've got now 3.6.251.0_02.67.30 on my Qtek!
Thank's, damird, your guide is unreplaceble for such lamers like me
But maybe anyone can suggest me were can i find and how to install (if it possible) Russian t9 or only russian lang to input? Or maybe how to rollback to original ROM with this that lang... (1.02.261.1)
Thank's
added:
Problem's gone, Russian T9 added.
Damird!
Cheers mate
Hello, can you share with us this script to calculate CID area in StarTrek?
With this script we can SimUnlock the StarTrek very easy (at least I think...)
Thank you very much.
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
wow, pof, I can't wait for it! i had bought one herald in China but wireless was disable by default. I hope I could unlock the CID and get a WWE rom to enable the wireless.
sokelut said:
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
Click to expand...
Click to collapse
Correct, you still need to pay to carrier unlock the phone. Check the wiki for links to a few services that are known to work.
CID unlock? Error installing ROM
I'm getting an ERROR [294] INVALID VENDER ID
I did the CID unlock
It starts to install the rom but when it gets to 4% I get this error. How do i fix this?
Can anyone help?!
Need a little clarification
Im stuck in steps 3-11. I've downloaded itsutils and I don't know how to proceed.
Just curious as to how long it should take to flash the OS.nb file through mtty???
its been sitting on the 'start NB image download' for about 30 minutes now...
Code:
USB>
USB>task 32
Level = 0
USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 463
Storage Total block: 473
Total Bad Block in CE: 0
NeedToEraseBlockStart: 476
Storage format success
USB>lnb OS.nb
:F=OS.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF
start NB image download
well it should take no where near 30 minutes (a full RUU upgrades takes only 25minutes)
when i upgraded to 2.05 via mtty it was done in under ten minutes (fast).
are you sure the filename is OS.nb because be default when you extract the .nb from the .nbh is will be 06_OS.nb
yes im sure it was named correctly else it wouldnt have picked up the
Code:
USB>lnb OS.nb
:F=OS.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF
start NB image download
should i cancel it and start again??
when you extracted the .nb files from the .nbh did you rename any files?
If you didnt, then again I think OS.nb doesnt exist and that is why it is hanging there after more than 30 minutes.
also, make sure that mtty.exe is in the same directory as the .nb you are trying to flash.
yes i renamed the files from 06_OS.nb to OS.nb and the files are in the same directory... what version and connection speed are you using in mtty??? the version im using is 1.11a...
v1.11a and default settings for the USB connection.
I guess you can restart the process, because immediately after the messages you see on the terminal output should have sees the progress meter kick into full swing.
hahahahaha you were right... was using the mtty from a different folder ... time for some sleep....
there you go,
time for sleep? its only 3:22pm in Melbourne...... should you be at work?
EDIT: I cant talk, reading forums on company time, academia is so good.
yeah at work.. but been up all night playing with all these new tools!!!!
Hello,
i try to flash bootloader 1.01 mfg according to http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG
It hangs after
USB> lnbs SPL-1.01.nbs 50020000
...
start NB image download
According to other threads this behavior exists if mtty can not find the file. But the file is in the same directory as mtty.
Does anybody has an idea what is wrong?
Thanks
Andreas
did you do the "Task 32" first? and if you did did you get "Level = 00"
yes, but i only one 0
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
i got some output at this point, but i cannot remember exactly
???
? 50020000
? 00000000
????
The last line was: start NB image download
My device is SuperCID. SPL 1.09
there's your problem then; you need SPL-1.04.
I suggest you load Hard-SPL and try again...
also, might I heartily recommend that instead you download my MFG pack and use SSPL with 1.01 rather than flash it to your device... or at least use my patched 1.01 (create an NBH)
I get that message whenever I do not type the name of the file correctly, like for example, sp1-1.01.nbs instead of spL-1.01.nbs (the latter being the correct spelling). Just my two cents..
I had 1.09 before, coz I updated with full RUU versions of roms (like 2.06.502.3 cingy or 2.05.255.1 HTC), and I had no problem to downgrade to 1.01 MFG and now to 1.01 oli... I also used mtty, device was supercid, used commands was
USB>task 32
Level = 0
USB> lnbs SPL-1.01.nbs 50020000
USB> task 8
If I remember correctly, task 8 automatically SW reset herm... maybe I am lucky one?
take a look at your mtty icon. Does it say MFC or does it look like a serial connector. If it says MFC then you have the wrong version of mtty.
my guess: it says "MFC"
Thanks for all your answers. At the moment a'm at work and cannot try your suggestions.
But i have some further questions:
>olipro: there's your problem then; you need SPL-1.04.
According to the wiki:
"This is a very special bootloader which can be flashed in any bootloader version BUT to flash it your Hermes must be SuperCID first..."
...can be flashed in any bootloader... what does this mean? i thougt i can flash it from 1.09. sinmae was able to do it. (or did i miss something)
>crazyut: wrong file name
i checked this several times. i typed the right name, but i do not now whats the working directory of mtty. i put the nb-file in the same directory as mtty and startet mtty from a dos-prompt. so this should be ok.
>Sleuth255: wrong version of mtty
i tried to investigate this yesterday. somebody said he has version 1.11a. i have version 0.01. it says MFS. so this should be the problem. but this is the version from the wiki:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
http://wiki.xda-developers.com/uploads/mtty.exe
where can i get the right version? (at google i found mttty (3 t))
Thank
Andreas
Use the mtty.exe included in this pack, mtty and nbs file in the same dir.
I'm trying to use the RBMC command in the BL to extract the splash screens (as I couldnt find Orange-Israel splash screens anywhere).
I authenticated myself in the BL (btw, I have an exectuable that will do all that is written in POF's wiki). when I use the RBMC command:
rbmc d:\splash.nb 500e0000 40000
alot of garbge starts to flow to the screen in MTTY.
I guess MTTY doesnt saves the file automaticly.
Please help me dumping the Splash using this method (or any other method)
Capture the output with usb-monitor and convert it to binary file.
Pog, can you elaborate in this?
I used USB Monitor to log everything. Now I have a HEX and ASCII dump of every packet that cam from the TYTN. How do I save it into something usfull and how do I convert it to binary and then to BMP?
You can do it with unix command 'xxd' (included in vim) or with a simple C program (do a bucle in a shell script for every hex-char):
Code:
int main () {
unsigned int c;
unsigned char aux[10];
int s=read(0,aux,4);
sscanf(aux,"%x",&c);
printf ("%c",c);
return 0;
}
If you don't have access to a linux box, attach the dump here and I do it for you.
damnit, I wont have access to linux until next week...
I would appritiate your help in converting but I dont know if I did the dump correctly with USB Monitor.
First, it has several packakets with the commands I issued, than it has several LARGE packets with "junk" (I think thats the Splash screen dump).
However, I can export it to TXT and in TXT I see both the HEX and the ASCII part. Is that ok? If not, how do I dump the correct part?
knfevg said:
However, I can export it to TXT and in TXT I see both the HEX and the ASCII part. Is that ok? If not, how do I dump the correct part?
Click to expand...
Click to collapse
Yes this is correct. Attach the dump and if it is useful i make the splashscreens for u.
POF, attached is the zipped file with the TXT dump (in unicode).
It would be GREAT if you could help me.
If there is a need in some other kind of a dump, please let me know.
The dump is incomplete, you only dumped 24Kb, a whole splash screen should be at least 128Kb + 128Kb more of padding. Attached is the partial bin file.
mtty is not good for rbmc'ing... the best is to use linux 'cu' comand (included in uucp) like this:
Code:
((sleep 2 && echo rbmc file 500E0000 40000 ) | cu -l /dev/ttyUSB0 ) > dump.txt
POF,
I think I've attached the wrong file
I hope thats the correct one
there you go, splash in .nb and .bmp
pof said:
The dump is incomplete, you only dumped 24Kb, a whole splash screen should be at least 128Kb + 128Kb more of padding. Attached is the partial bin file.
mtty is not good for rbmc'ing... the best is to use linux 'cu' comand (included in uucp) like this:
Code:
((sleep 2 && echo rbmc file 500E0000 40000 ) | cu -l /dev/ttyUSB0 ) > dump.txt
Click to expand...
Click to collapse
Hi pof.
Have tried this too, but the dump.txt contains only 46 bytes. What's wrong.
mm... post the contents and we'll know
Probably it's failing because you have to authenticate to the bootloader prior to doing the rbmc command (or use a patched SPL which does not require it, for example latest HardSPL).
Pof, THANKS!!!!!
One more question.
The secondary splash is usualy the same as the prime?
What IS SubMain splash? When does it come up?
knfevg said:
The secondary splash is usualy the same as the prime?
Click to expand...
Click to collapse
Generally yes.
knfevg said:
What IS SubMain splash? When does it come up?
Click to expand...
Click to collapse
MainSplash - the one you see with the red letters at bottom when booting
SubSplash - the next one without red letters
If MainSplash and SubSplash are the same, you get the feeling that there's only 1 splash screen, but there are actually two
pof can you make me .bmp from dump?
I can xxd to hex but don't know what's next to got .bmp
Thanks
gromel said:
I can xxd to hex but don't know what's next to got .bmp
Click to expand...
Click to collapse
After you xxd the hex, the binary file you get is the actual splash.nb, so you can use nb_image_converter.exe to make a BMP, you can find it here:
ftp://xda:[email protected]/Hermes/Cooked_ROMs/Hermes_SplashScreen_Pack.zip
BTW, before using xxd you'll need to convert the dump from utf-8 to ascii.
If you can't manage to do it yourself, tell me and I'll do it for you.
Ah, now better understand.
But When I try iconv -f utf8 -t ascii dump -o output
then I got always error iconv: illegal input sequence at position 0
PS. In usb-monitor I can export as UNICODE or ANSI (ASCII).
I'm trying and trying and trying....
I would ask all active members to upload or share their collection of roms for Hurricane. I bricked my hurr 2 years from now and yesterday i got one so i would like to try as many roms as possible, and it will be great for all to share roms!!! I found several on this forum (lazaj's, saleng's, shadow's) but i think that there is more!!! So share your collection!!!
Here i found some on forum:
hurricane unlock, patch and upgrade wm 6.1(selang09) ***
Link: http://www.megaupload.com/?d=JLO5H1L7
Thread: http://forum.xda-developers.com/showthread.php?t=475286
Opinion: Good one, but chinese language everywhere! After u change main lang. still some apps name stay in chinese and options too!
wm6.1 for hurricane (with Bluetooth and INFRARED RAY problems solved)0415update!!!
Link: http://rapidshare.com/files/100934508/5x6_wm6.1_0319.rar
Thread: http://forum.xda-developers.com/showthread.php?t=378607
Opinion: Didn't tried!
WM 6 Graphite rom, how to get WMPlayer in English (now in Polish)
Link: http://rapidshare.com/files/108676266/wm6_2_2.zip
Thread: http://forum.xda-developers.com/archive/index.php/t-384972.html
Opinion: Using this one right now! Seems ok, works nice, nice look, except incoming calls didn't show up!!! Very bad bug!
Wm 6.1 Pl/eng
Link: http://rapidshare.com/files/131860280/wm_6_1_by_Lazaj007.zip
Thread: http://forum.xda-developers.com/showthread.php?t=410739
Opinion: Tried before Graphite eng edition, works great, looks great... Main lang polski, after lang change WMP stay in polski! But still ok!
WM6 for SPV C550
Link: http://rapidshare.com/files/56833250/566.zip
Thread: http://forum.xda-developers.com/showthread.php?t=330709
Opinion: Never tried!
And one pack with SPL 1.00.84 & soft spl (nb, nbf), IPL 1.00.15, GSM DATA (hex and dec), bootloader commands, splsplit... etc!
Link: http://rapidshare.com/files/427352270/data_hurricane.rar
Info: This last files can help u to unbrick your hurricane (BUT AVOID TO BRICK IT), i found it on pda2u.ru , and thanks them for that! Special thanks to member SAXON!
I found many links for ROMs but those which is here have alive links! Someone with good upload speed can reup them again in one pack and post a link here!
ENJOY!
I would like to have a non T-Mobile German version (can be a shipped ROM). Have not found any yet, only those that are available at www.shipped-roms.com Have to live with de-branding this as it seems.
Possibly someone with any of the following devices can do a "r2sd all" backup of the ROM?
imate SP4M
Orange C550
Qtek 8200 (the Russian/English is available as RUU)
Thanks for this link tobbbie !
Btw, in selang's rom SMS Send don't work! So, it is useless!!! :S
I have tested all ROM´s below for SDA II, but for me lazaj007 is the best of all
Thanks to lazaj007
Did anyone care to pick up some ROM cooking for that device? I did not succeed in getting the .BIN files manipulated correctly - and I think I have a collection of nearly all ROM tools now :-(
howto convert .bin to .nb0 and back
Foreword:
.BIN files are not all the same by their nature (of course not by content). There are
.bin that are used to identify the bare binary content of the various partitions (you mostly see those)
.bin that are used to flash a ROM to the device. This looks somehow historic though, the format is already described by itsme at: http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html. It seems to me that some non HTC devices are still using this format.
The osnbtool.exe (from Weisun at PDACLAN.COM) does not work for any purpose regarding .bin files
at least not for Hurricane.
- The -sp option cuts only the B000F\0a header but does not reconstruct the blocks of the .bin file.
Mind that small .bin files (smaller than 0x1c00000) are treated correctly as there is only one block.
- The -2bin option creates an incorrect .bin header (sets a weird total length) and sets totally confused
block-load addresses for the created blocks of 64k (0x10000) size. Check it with viewbin.exe if you like.
Reference for the filestructure by itsme:
http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html
The splitrom.pl (itsme romtools) seems not be able to read the content of any .bin file I have fed to it.
Neither for .BIN files created for Hurricane nor those for Typhoon, I always get:
cmd> splitrom.pl <binfile>
B000FF image: 82040000-84c40000, entrypoint: 00000000
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
no bootloader found
no operator rom found
no bitmap found
I am rather sure it should handle everything correctly but I am too stupid to debug .pl :-(
So the only thing that works and will re-create a flash-able .BIN file from a .nb0 is listed below:
convert .bin to .nb0:
enter: viewbin -r <binfile>, you get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x01C00000, Chksum = 0x00000000
Record [ 1] : Start = 0x83C40000, Length = 0x01000000, Chksum = 0x00000000
Record [ 2] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
The above has two blocks of data and a termination block.
The checksum = 0 effectively disables upload checking (so potentially dangerous).
The size just fits the Hurricane's SPL "l" (load) command buffer, as you get when loading a ROM:
"clean up the image temp buffer at 0x8C080000 Length 0x01C40000 "
The blocks can be smaller than 0x1c40000 but not bigger obviously.
then convert to nb0, enter: cvrtbin.exe -r -a <imgstart> -l <length> -w 32 <binfile>
for above viewbin output: cvrtbin.exe -r -a 82040000 -l 2c00000 -w 32 <binfile>
mind to omit the 0x for the start and address, replace <binfile> with your filename, then you get a resulting file from <original-name.bin> to <original-name.nb0> which can further be decomposed and edited with standard ROM tools
convert .nb0 to .bin:
enter: xipbin.exe <input.nb0> <start-in-nb0> <output.bin> <loadaddress>
to get back something flashable like above: xipbin.exe <input.nb0> 0 <output.bin> 82040000
mind to omit the 0x for the loadaddress, replace <"file"> with your filenames
to recheck if the created BIN file is usable, startup the viewbin again
enter: viewbin -r <binfile> you now get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x00040000, Chksum = 0x0208CC79
...many entries deleted...
Record [175] : Start = 0x84C00000, Length = 0x00040000, Chksum = 0x0177FB3C
Record [176] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
Done.
Looks quite different - but this is ok! The loading process in MTTY indocates the loading of each above block with a sequence of |*, so with these many blocks the upload to the device is giving feedback and thus is not tempting people to interrupt it.
I have done my tests with the 566.zip linked in the first post of this thread, but this should work with any .BIN file from the other ROMs as well. So I will continue to see if I can recycle any of the WM6 Roms for inserting my imgfs created for Tornado. As before the imgfs still the XIP is loaded and I know too little about this yet (especially in connection to the imgfs and how close these two are linked) - I am prepared to see non booting device states quite a lot. Luckily there is nothing done to the early boot chain (IPL and SPL) so I can always get back to the bootloader and start over again.
I hope to get a first indication that imgfs is mounted correctly in the "old" XIP before I have to replace the OEMdriver parts in my Tornado ROM.
I just checked if I can still use this flash-method for the Tornado - and it works as well. So the created "os-new.nb" in the OUT directory can be converted to .BIN and then flashed inside MTTY with the "l" command. Not that I like this method - but it works as well.
Tobbbie, you have here a very good research! To bad this device is out of use!