Very simple solution to application-unlock your phone - HTC Tornado

I've had a number of problems trying to unlock my phone (not the SIM) to be able to install certificates, to register unsigned DLLs.
After a good look around I finally found this very simple solution:
Using a registry editor, like RegeditSTG, modify the following entries:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 2
Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 16
Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 128
Change the value data from 128 to 144
HKEY_LOCAL_MACHINE\Security\Policies\Policies
Add new value "0000101b": Dword = 1
After this, close the reg edit application using task manager, and reboot your phone.

the values on my xda are different
00001005 = 10 00 00 00
00001017 = 80 00 00 00
instead of those listed above, is it still ok to change them to what it says above ?
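
The 10 00 00 00 and 80 00 00 00 shown above are the DWORDs 16 and 128 displayed as raw little-endian bytes. As an added example (not part of the original posts), the following Python normalises the notations that appear in this thread and reports how a set of values differs from the "before" values in the first post; taking those as the baseline and viewing the values as bit fields are assumptions, and the function names are hypothetical.

```python
"""Added example (not from the thread): normalise Security Policies values
written in different notations and report drift from a baseline."""
import re

# Assumption: the "before" values quoted in the first post are taken as the
# stock baseline for this handset family; other ROMs may ship different ones.
BASELINE = {"00001001": 2, "00001005": 16, "00001017": 128}

# Matches lines such as: 00001005 = 10 00 00 00   or   "0000101b" = dword:00000001
LINE_RE = re.compile(r"^\s*\"?([0-9A-Fa-f]{8})\"?\s*=\s*(.+?)\s*$")


def parse_value(text):
    """Return the integer behind one of three notations: decimal ('16'),
    .reg style ('dword:00000010'), or raw little-endian DWORD bytes as some
    registry editors display them ('10 00 00 00')."""
    t = text.strip().lower()
    if t.startswith("dword:"):
        return int(t[len("dword:"):], 16)
    if re.fullmatch(r"[0-9a-f]{2}(?: [0-9a-f]{2}){3}", t):
        return int.from_bytes(bytes.fromhex(t), "little")
    if t.isdigit():
        return int(t)
    raise ValueError("unrecognised value notation: %r" % text)


def bits(value):
    """Set bit positions of a value. Pure arithmetic: the thread does not say
    what the individual bits mean."""
    return [i for i in range(32) if (value >> i) & 1]


def audit(lines, baseline=BASELINE):
    """Compare 'ID = value' lines against the baseline.

    Returns tuples (policy_id, value, status, bits_added, bits_removed) where
    status is 'baseline', 'changed' or 'not-in-baseline'."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a policy line
        pid, value = m.group(1).lower(), parse_value(m.group(2))
        if pid not in baseline:
            findings.append((pid, value, "not-in-baseline", bits(value), []))
            continue
        base = baseline[pid]
        status = "baseline" if value == base else "changed"
        findings.append(
            (pid, value, status, bits(value & ~base), bits(base & ~value))
        )
    return findings


# Constructed inputs built from values quoted in the thread.
XDA_DISPLAY = ["00001005 = 10 00 00 00", "00001017 = 80 00 00 00"]
AFTER_EDIT = [
    "00001001 = 1",
    "00001005 = 40",
    "00001017 = 144",
    '"0000101b" = dword:00000001',
]

if __name__ == "__main__":
    for label, sample in (("as displayed", XDA_DISPLAY), ("after edit", AFTER_EDIT)):
        print(label)
        for pid, value, status, added, removed in audit(sample):
            print("  %s = %-4d %-16s +bits %s -bits %s"
                  % (pid, value, status, added, removed))
```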

RegeditSTG
@ashley_ings
I tried to install RegeditSTG but get the message that my system policies don't allow the installation of this; in the properties I see that RegeditSTG is signed by HTC.
With PHMreg I can go to the described reg entry and they are the same as in your tutorial, but when I change the values I get the message that I'm not allowed to do this.
I have a Qtek 8300, ROM ver. 2.0.8.0, operator 2.6.312.4.
Can you please help me with this?
Greetings
Wim

wimschef said:
@ashley_ings
I tried to install RegeditSTG but get the message that my system policies don't allow the installation of this; in the properties I see that RegeditSTG is signed by HTC.
With PHMreg I can go to the described reg entry and they are the same as in your tutorial, but when I change the values I get the message that I'm not allowed to do this.
I have a Qtek 8300, ROM ver. 2.0.8.0, operator 2.6.312.4.
Can you please help me with this?
Greetings
Wim
Me too. I have the same problem with RegeditSTG trusted by HTC on a SPV-C100. I can't start it and I get a message that it is not signed by fuc.ing Orange! PHM regedit (which is the same, but not trusted by HTC) I am able to run, but it doesn't allow me to modify values. Fuc.ing hell! Who should have access to all the features instead of me? Orange? I don't understand this stupid policy, because it degrades 70% of the functionality of the phone.
Sucks!
Any idea how to solve?

Will this solution also unlock WAP settings from the provider or not?
Because I have an Orange C600 and I have unlocked this phone, but WAP settings are still locked on Orange.
Do I really need to install a ROM to unlock WAP settings?
If yes,
then please suggest which ROM I should do now.
thanking you in anticipation
Awais Ghouri

unlocking Cing 2125 for
Hi,
I'm trying to unlock a Cingular 2125 for use by a TMobile sim card. I'm not familiar but I take it the registry comments on this thread aren't to execute what I'm looking for.
This unit is also listed internally as an HTC Innovation.
Can you advise where on this forum I can locate an unlock application.
Greatly appreciated.
Thx
ashley_ings said:
I've had a number of problems trying to unlock my phone (not the SIM) to be able to install certificates, to register unsigned DLLs.
After a good look around I finally found this very simple solution:
Using a registry editor, like RegeditSTG, modify the following entries:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 2
Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 16
Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 128
Change the value data from 128 to 144
HKEY_LOCAL_MACHINE\Security\Policies\Policies
Add new value "0000101b": Dword = 1
After this, close the reg edit application using task manager, and reboot your phone.

unlocking Cing 2125 for ?
tempest0z3 - have you tried this one on your phone?
http://forum.xda-developers.com/showthread.php?t=252802
tempest0z3 said:
Hi,
I'm trying to unlock a Cingular 2125 for use by a TMobile sim card. I'm not familiar but I take it the registry comments on this thread aren't to execute what I'm looking for.
This unit is also listed internally as an HTC Innovation.
Can you advise where on this forum I can locate an unlock application.
Greatly appreciated.
Thx

ashley_ings said:
tempest0z3 - have you tried this one on your phone?
http://forum.xda-developers.com/showthread.php?t=252802
this is an "application-unlock" utility. "application-unlocking" is different from "SIM/network-unlocking". so, you don't have to change your SIM to see if the "app-unlock" utility worked.

irfangk786 - Apologies, I thought this was for an application unlock, as opposed to a phone unlock, as this is an application unlock thread.
irfangk786 said:
this is an "application-unlock" utility. "application-unlocking" is different from "SIM/network-unlocking". so, you don't have to change your SIM to see if the "app-unlock" utility worked.

Related

BtT: Understanding Anansky's hack on 850 JAM

First of all, I'd like to say that I performed Anansky's BigStorage upgrade without a hitch on my 850MHz JAM running on Cingular's network. The only concern was that the device was reporting itself as a PM10A instead of a PM10C.
Precautions:
1. Use the write-protect feature on your SD card in the unlikely event that Windows or your PocketPC wishes to write or format it.
2. Use a smaller SD card, as the steps will create a ROM file as big as your card, and it'll take a while to load the file to make changes, update the SD card, etc.
3. Burn a copy of your downloaded ROM file to a CD for safety purposes.
4. Always keep your PocketPC charged either through your PC's USB port, or through a USB-to-AC adapter.
For those who want a quick rundown on how I did it:
1. From the FTP, download NTRW.EXE (version 2.0), ROMUPDATE.EXE, and MAGICIAN_OS1.11WWE_BIGSTORAGE_6.ZIP.
2. With your JAM connected via USB to your PC, disable ActiveSync's connections.
3. Enter the Bootloader and backup your entire ROM to your SD card using ROMUPDATE.EXE.
4. Read the contents of your SD card into a ROM file using NTRW.EXE. (Note that Administrator privileges are required on your Windows account in order to read/write to the card)
5. Modify the first 416 decimal bytes of the OS1.11WWE_BIGSTORAGE.NB1 (extracted from the ZIP file) by using the first 416 decimal bytes from your ROM file.
6. Write the newly modified ROM file onto your SD card using NTRW.EXE.
7. Enter the Bootloader with the SD card inserted and flash the newly modified ROM to your device.
Notes:
1. I was able to reflash the official i-mate CE ROM (1.11) and Radio, thinking I'd force 850MHz support back into the device in the uncertain event it lost it during Anansky's upgrade. However:
   1. The Radio can't be flashed without the CE ROM being flashed alone first.
   2. Any reflashing of the Radio or the CE ROM will lose your newly acquired 27MB Storage area. The Device Information applet will report a crazy value for the Storage area when in fact it's totally gone. The only way to restore it is to put your backed up old ROM image onto the SD card and perform the flash from the card.
2. The only way to find out how the hack was done is to look at the different versions of the hack and compare them byte-by-byte to the official updaters.
3. Perhaps one can perform another full SD-to-ROM backup with Anansky's upgrade and compare the files as well, then inject the compatible ROM portions and leave his hack in place.
4. Reflashing any of the ROM portions did NOT restore my model back to PM10C, which leads me to believe that it's outside that region untouched by the official flash utility.
5. I was only able to reflash with the official ROM updaters AND the hacked MaUpgradeUt_noID.exe from the FTP, and while it was in Bootloader mode only.
Lastly, I restored my original ROM image in its entirety and will try again sometime in the future to see if I can incorporate the 850MHz ROM into Anansky's hack. It was nice having the extra 27MB free for a short while, but until he comes back or someone else figures it all out, it'll be a risky endeavour in the event of another official ROM upgrade.
ADVANCED USERS ONLY. I take no responsibility for the information I provide below.
I dissected Anansky's ROM to find different sections which I could possibly compare. This is by no means accurate, but I have found certain locations to be of value.
Using the Magician ROM layout on http://wiki.xda-developers.com/index.php?pagename=MagicianRomLayout, I was able to build upon that template. Note that the values start with 80000000, but subtract that value and you get the starting points below.
00A6019C-00AC82D6 = UNKNOWN
00AE019C-00B3319A = UNKNOWN (REFERENCES TO RINGTONES)
00B6019C-00C3F3D5 = UNKNOWN (REFERENCES TO GPRS?)
00CB019C-00F88BF6 = UNKNOWN
00FB019C-014101CF = UNKNOWN
0143019C-0185B015 = UNKNOWN (APPROXIMATELY 4MB... RADIO ROM?)
0187019C-01995D38 = UNKNOWN (REFERENCES TO T9 DICTIONARY)
019E01AC-01CDDE58 = UNKNOWN (REFERENCES TO LDAP, DRM)
01DB019C-01E21343 = UNKNOWN (WINDOWS MEDIA PLAYER COMPONENTS?)
01E4019C-01EF8943 = UNKNOWN (SOLITAIRE / JAWBREAKER)
01F1019C-01F9B0CE = UNKNOWN (REFERENCES TO VPN)
01FC019C-0236A72B = UNKNOWN (APPROXIMATELY 3.8MB, REFERENCES TO NETWORK ADAPTERS, MODEM)
03F80140 = ANANSKY'S ROM CREDITS
03FB819C = MODEL (PM10A)
03F4015C = DATA STRING (UNKNOWN)
03F4019C = SPLASH SCREEN ("HTC MAGICIAN" VOLCANO)
For instance, if you wish to change the splash screen, you could replace the 153,600 decimal bytes starting at 03F4019C hexadecimal with your Splash2.NB file.
I have compared the 4MB block (0143019C-0185B015 hexadecimal) between my 1.11 NA ROM dump and Anansky's and found NO DIFFERENCE. It is possible that this section is the Radio ROM area, due to the size. I have to have the radio.nbk file decrypted in order to confirm.
If there are minute differences, I'll be sure to catch them now. Stay tuned.
I did something similar to find out what he did. I first flashed Qtek's 1.11, then backed it up on SD card and wrote it to a file. Then I flashed Anansky's ROM and was now able to compare.
Unfortunately we know too little about the internals of the ROM (at least considering what's in the wiki).
BeyondtheTech,
A question completely unrelated to the big storage ROM. How is it that your JAM has a 850Mhz Processor?
It's 850MHz radio band, unfortunately not CPU speed! I live in North America where the 900MHz is not utilized due to many pre-cellular products hogging up the 900MHz frequency.
As for everyone else, I used a program called WinHex to byte-compare the minimal differences between Anansky's BigStorage ROM file and my own ROM dump file. Bear in mind it's almost in the morning now and I crazily did this at work, so the details will be minimal:
I noticed two byte differences - B8 01 (1B8 hex=440 dec) vs 80 00 (80 hex=120 dec). I did NOT change those because I found it once in the bootloader, so I assumed it might be related to the way it handles the Storage area/Extended ROM.
The second set of differences were where the string "PM10A" was found in Anansky's ROM. Mind you, "PM10A" was also found in my ROM file (in the CE ROM portion), so I took my bytes around the "PM10C" section near the end and transposed it into Anansky's ROM file.
Of course, there was a major difference in the middle of the two ROM files: the Extended ROM data. I left that the way it was in Anansky's ROM, mostly zeros and some "header"-looking information.
Bottom line is I have what appears to be a fully-functioning ROM file that I flashed successfully onto my 850MHz-band i-mate JAM (running on Cingular's network in the Northeast Americas.) I have little doubt it's not utilizing the 850MHz band, since the byte changes were so minimal between Anansky's WWE ROM and my official NA (850MHz) WWE ROM. My Device Information applet reports "PM10C," of course because I hardcoded it into the ROM, but I also mapped the bytes around it from my original "850MHz" ROM. Oh, and I've got my 27MB back! :wink:
I don't particularly see a problem with having your PM10C device updated with Anansky's ROM. Although the machine will now identify itself as PM10A, people have reported still being on 850MHz cells... so there shouldn't really be a problem there.
The only issue is that now when i-Mate releases upgrades, I'm only able to flash the European and not the North American mods.
What exactly is the method to force a North American ROM upgrade onto a supposedly European JAM? I didn't save the backup which was on the SD card.
As I stated last night and bleary-eyed, there was very little difference between the North American (850MHz) and the WWE (900MHz) versions of the ROM dumps. I believe most, if not all of the differences resided in the Extended ROM. Just the changes noted below worked on my 850MHz JAM.
Using the os1.11wwe_bigstorage.nb1 file...
1. Write FF's into offset 0000028Ch to 00000293h, erasing the T-MOB101 designation.
2. Change the letter A (41h) to C (43h) at offset 03FB81A4h, so it should read "P M 1 0 C."
3. Change bytes 09 2D 4D 27 C7 to 09 2D 4C D1 8E at offset 03FB81DDh to 03FB81E1h. Again, this was near the PM10C designation, and it's unlikely that this code is my IMEI number, so I'm trying to retain as much of my original ROM as possible.
4. Change the splash screen if you wish (see previous post).
Perform a full backup with Sprite Backup or similar program.
SD-Flash the new file onto your JAM and you should be good to go.
Perform a full restore with Sprite Backup, ignoring any ROM upgrade warnings.
If you feel comfortable with hex editing, use WinHex with the ROM files. It opens files fast and can copy and "write" (not paste) the splash screen in one shot.
I am hoping that if someone can easily decrypt the new CE and Radio ROM images, they can be injected into Anansky's ROM dump, while someone who still has their Extended ROM area will be able to extract any new changes or updates in the CAB files.
Shawn_230 said:
What exactly is the method to force a North American ROM upgrade onto a supposedly European JAM? I didn't save the backup which was on the SD card.
Just use the "NoID" version of the MaUpgrade EXE found on the FTP, but remember: Any flashing after Anansky's hack will make your Extended ROM/Storage area disappear! Like I stated in my previous post, let's hope someone can create a new xda3nbftool to decrypt the new ROMs and we might be able to either "inject" it into Anansky's ROM dump file, or we can change the necessary bytes, reencrypt, then upgrade only that portion of the ROM to your Magician/JAM device.
BeyondtheTech said:
Just use the "NoID" version of the MaUpgrade EXE found on the FTP, but remember: Any flashing after Anansky's hack will make your Extended ROM/Storage area disappear!
BeyondtheTech, I had a 900MHz version but I am living in US too. Actually, there is a very simple solution w/o going thru the hacking of the rom (But it's good someone can experiment how Anansky's did it so that we could do it for the future rom update).
1. Grab the latest USA rom from imate.
2. Extract it w/ Winrar and you will get 3 nbf files.
3. Keep the radio_.nbf and remove the other 2
4. Use the no id version of MaUpgrade and it will only update the radio
5. Your radio is the 850MHz version and you still have the big storage
FYI, I don't know if you actually tested your sets, because I did flash just the alleged "USA" radio portion on my 850MHz JAM and I did lose the BigStorage area entirely, which is why I said that any subsequent flashing will do just that.
BeyondtheTech said:
FYI, I don't know if you actually tested your sets, because I did flash just the alleged "USA" radio portion on my 850MHz JAM and I did lose the BigStorage area entirely, which is why I said that any subsequent flashing will do just that.
Of course, I did.
BeyondtheTech said:
ADVANCED USERS ONLY.
00A6019C-00AC82D6 = UNKNOWN
.../...
03F80140 = ANANSKY'S ROM CREDITS
03FB819C = MODEL (PM10A)
03F4015C = DATA STRING (UNKNOWN)
03F4019C = SPLASH SCREEN ("HTC MAGICIAN" VOLCANO)
I have compared the 4MB block (0143019C-0185B015 hexadecimal) between my 1.11 NA ROM dump and Anansky's and found NO DIFFERENCE. It is possible that this section is the Radio ROM area, due to the size. I have to have the radio.nbk file decrypted in order to confirm.
If there are minute differences, I'll be sure to catch them now. Stay tuned.
Following BeyondtheTech's post, I'm now sure that the so-called 'big storage' is located between addresses:
023c0190 : 03f40190 (about 27 MB)
I've also determined that every 256 kB (+40000h), this 'virtual disk' includes something similar to a 'sector header' conforming to:
f0 f0 f0 f0 00 00 00 00 96 f2 e7 10 db d3 00 fc
this string is present at address:
02400140h, 02440140h, 02480140h, 02480140h .../...
03f00140h, 03f40140h
To check the validity of my theory, I copied about 15 MB of different files before making a backup of my Qtek S100. It's confirmed that the data are occupying this space.
Because I'm normally working on a French OS version, I need all accented and diacritic characters to answer my mail. So my purpose is now to 'reverse engineer' the Anansky method to include this very useful 'big storage' on a French-based OS.
So, I've merged all content of my original v1.11 French OS UpGrade from address 00000000h to 023c0100h... This personally cooked OS is working, and all is in French... but 'no-big-storage' available unfortunately.
So, in the next step, I've tried to understand how 'virtual storage' is working under Qtek S100. Back to my original OS, with small 7 MB storage. From the hexadecimal point of view, nothing more than with the Anansky backup version, except that the virtual disk is smaller... Everything is in order, according to my theory...
But because the 'big storage' is not even visible, my conclusion is simple: the solution is in the 'registry', but I've not yet been able to go through the mystery:
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\VDisk
"Name"="Extended_ROM"
"Folder"="Extended_ROM"
.../...
[HKEY_LOCAL_MACHINE\Drivers\Active\43]
"Hnd"=dword:0068e3f0
"Name"="DSK8:"
"Key"="Drivers\\VDisk"
"ClientInfo"=dword:00000000
.../...
[HKEY_LOCAL_MACHINE\Drivers\VDisk]
"Key"="Drivers\\VDisk"
"WindowBase"=dword:a2c00000
"Size"=dword:01300000
"Folder"="Extended_ROM"
"DisableInt"=dword:00000000
"OnBoard"=dword:00000001
"Dll"="VDISK.DLL"
"Index"=dword:00000008
"Prefix"="DSK"
"Profile"="VDisk"
.../...
[HKEY_LOCAL_MACHINE\Drivers\BuiltIn\FlshDrv]
"FolderName"="Storage"
Close to all references in the registry seem to be dedicated to the Extended_ROM (about 19 MB) that can become visible, but not writable... until yet.
I've found only one reference to the 'Storage' folder (about 7 MB on my QTek), but I don't understand how the OS knows its type, size, location, etc. Another thing is sure: the registry is not directly visible in the backup. I suppose that this file is compressed in ROM, and decompressed to RAM for working (all modifications disappear in case of hard reset).
Lots of questions... :?:
Regards,
Thierry
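
One way to repeat the byte-compare BeyondtheTech describes and to test the 256 kB 'sector header' observation in the post above, as an added Python example that is not code from the thread. The function names and the scaled-down sample images are constructed for illustration; only the marker bytes, the 40000h stride, the 140h offset and the B8 01 / 80 00 byte pair come from the posts.

```python
"""Added example (not from the thread): byte-compare two ROM dumps and test
whether a marker repeats on a fixed stride."""

# Values quoted in the posts above.
SECTOR_MARKER = bytes.fromhex("f0f0f0f00000000096f2e710dbd300fc")
STRIDE = 0x40000  # "every 256 kB (+40000h)"
PHASE = 0x140     # low part of 02400140h, 02440140h, ...


def diff_runs(a, b, gap=0, chunk=4096):
    """Return half-open (start, end) ranges where a and b differ.

    Equal chunks are skipped with a slice compare so large dumps stay fast.
    Differences separated by at most `gap` equal bytes are merged into one
    run. A length mismatch is reported as a final run covering the tail."""
    n = min(len(a), len(b))
    runs, start, last = [], None, None
    for base in range(0, n, chunk):
        end = min(base + chunk, n)
        if a[base:end] == b[base:end]:
            continue
        for i in range(base, end):
            if a[i] == b[i]:
                continue
            if start is None:
                start = i
            elif i - last - 1 > gap:
                runs.append((start, last + 1))
                start = i
            last = i
    if start is not None:
        runs.append((start, last + 1))
    if len(a) != len(b):
        runs.append((n, max(len(a), len(b))))
    return runs


def marker_offsets(image, marker=SECTOR_MARKER):
    """Every offset at which the marker occurs in the image."""
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = image.find(marker, pos + 1)
    return hits


def check_stride(hits, stride=STRIDE, phase=PHASE):
    """Split marker hits into on-grid and off-grid, and list grid slots
    between the first and last on-grid hit that carry no marker."""
    on_grid = [h for h in hits if h % stride == phase]
    off_grid = [h for h in hits if h % stride != phase]
    missing = []
    if on_grid:
        seen = set(on_grid)
        missing = [o for o in range(on_grid[0], on_grid[-1] + 1, stride)
                   if o not in seen]
    return {"on_grid": on_grid, "off_grid": off_grid, "missing": missing}


def build_sample(stride=0x1000, phase=PHASE, blocks=8):
    """Constructed pair of small images (stride scaled down from 40000h).

    Both carry the marker in blocks 2, 3, 5 and 6 (block 4 is left empty on
    purpose) and differ only in one two-byte field at a constructed offset."""
    a = bytearray(stride * blocks)
    for blk in (2, 3, 5, 6):
        off = blk * stride + phase
        a[off:off + len(SECTOR_MARKER)] = SECTOR_MARKER
    b = bytearray(a)
    a[0xE32:0xE34] = bytes.fromhex("b801")
    b[0xE32:0xE34] = bytes.fromhex("8000")
    return bytes(a), bytes(b)


if __name__ == "__main__":
    img_a, img_b = build_sample()
    for start, end in diff_runs(img_a, img_b):
        print("differs %08X-%08X: %s vs %s" % (
            start, end - 1, img_a[start:end].hex(" "), img_b[start:end].hex(" ")))
    report = check_stride(marker_offsets(img_a), stride=0x1000)
    for key, offsets in report.items():
        print(key, ["%08X" % o for o in offsets])
```

On real dumps, read both files with `open(path, "rb").read()` and call `check_stride` with its defaults.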
To easily patch any ROM... follow this link ;-)
http://forum.xda-developers.com/viewtopic.php?t=22582
I am not sure it's in the registry as I did a byte compare of my backed up ROM (which was the 1.11 NA 850MHz from i-mate) to Anansky's (1.11 WWE) and found that there were two sets of bytes that were different (changed?) in the bootloader area as well as the CE ROM, and of course, the 27MB chunk of data for the Extended ROM.
I think the bootloader may have something to do with the way the memory is set up.
The bytes that were different in both places were B8 01 vs 80 00. 1B8h=440 and 80h=128, if that means anything. There were no other changes in the Radio or CE ROM areas, which leads me to believe that the 27MB area is just formatted differently (perhaps the start of the 7MB area was pulled back to the beginning of the Extended ROM area).
The only remaining change was near the end where it has the "PM10x" designation, but I doubt that has anything to do with the BigStorage area since I used his bytes and tried my bytes with no difference.
If you feel bold enough, you can mess with these two bytes (try a value in between) to see if it enlarges the 7MB storage space, corrupts it, makes it writable, etc.
pigot,
If you're willing to try this...
After you've injected your French ROM into the NB1 file, use a hex editor and change the following bytes:
On or around 00007E32h, change B8 01 to 80 00.
Do the same at 0211E32Eh, change B8 01 to 80 00.
Leave Anansky's changes in the Extended ROM and Storage area as well as the end of the file unless you want to call your device a PM10x.
SD-Flash it and tell me if you have the 27MB of Storage free with your French OS.
You are in the good way :lol: ... Those bytes (hB8 + h01 to h80 + h00) are the key. But not always they are in the same site in all the ROM's.
Bye. 8)
Seems to work great for me over the last couple of minutes at least! Upgraded a 3 day old UK o2 qtek s100.
Thanks a million.
BTW - what software is stored in the extended rom that we lose?
Vijay
MKS said:
You are in the good way :lol: ... Those bytes (hB8 + h01 to h80 + h00) are the key. But not always they are in the same site in all the ROM's.
Bye. 8)
Well, the application developed by MKS is a great job. It works perfectly for me on a v1.11 Fr... The process is very simple, and really accessible to even 'medium range' users. Sounds pretty good, doesn't it?
Omho, the 'anansky trial' is over, and the big winner is MKS.
Thanks a lot,
Thierry

SOLVED- EXT-ROM Unlock & UnHide - 2.xx

after few days of playing around, then found a solution to WRITE to Ext-ROM which persists after soft-reset.
All praise and thanks are to God the Most High.
Here is the solution; tested for Prophet ROM 2.15.13.27 - G4, but should work for other chipsets and even other handsets, e.g. Wizard
To Unhide Ext-ROM --- (this is already known by most- but include for completeness)
Need following registry changes:
HKEY_LOCAL_MACHINE\System\StorageManager\AutoLoad\TRUEFFS_DOC1
"Bootphase"=dword:2
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1
"MountHidden"=dword:0
To Rename EXT-ROM
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1
"Folder"=string:Storage
--- can call it anything you like instead of "Storage"
To Unlock the EXT-ROM
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"SoftwareWriteProtect"=Dword:0
THIS key is the main change that will enable write protect, but it keeps reverting after softreset. To get around this, will need to change the following also.
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"AutoDPDMode"=Dword:0
Then Softreset.
Now should be able to write and install to Ext-ROM/Storage
If any problem can return the last key to original value
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"AutoDPDMode"=Dword:1
-----not sure what this key does??
then soft reset again.
this worked for me . try at own risk!!
Enjoy
All praise and thanks are to God the Most High
AbuYAHYA
Ps. let me know if it works or not for you...if anyone wants to make a Cab file then would be helpful
did any1 try this??
Works!!
Yes it works flawlessly....
Thanks
FeiYu
Not On The Wizard
That's a very old and known trick.
But: it does not work on the Wizard !
Prophet, etc. all OK
Cheers
hrb
Does that mean that i can install a dutch rom, by downgrading my G4 device.
Hopefully it does.
Cheers
Hello,
I installed the AKU 2.3 ROM "2006-10-14_Upgrade_Rom_lvsw_edition.exe" and don't have these entries in my registry:
AbuYahya said:
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1
"MountHidden"=dword:0
To Unlock the EXT-ROM
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"SoftwareWriteProtect"=Dword:0
AbuYahya said:
THIS key is the main change that will enable write protect, but it keeps reverting after softreset. To get around this, will need to change the following also.
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"AutoDPDMode"=Dword:0
this key is in my device at:
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS1
"AutoDPDMode"=Dword:1
is it the same key?
thanks
John
John-Wu said:
Hello,
I installed the AKU 2.3 ROM "2006-10-14_Upgrade_Rom_lvsw_edition.exe" and don't have these entries in my registry:
I installed the same ROM so it's a bit strange you don't have the writeprotect key. Possible options: maybe perform a backup and hard reset and then recheck for the latter key....Or....just make the keys.
I think I added this key also myself but not 100% sure.
HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1
"MountHidden"=dword:0
As for the writeprotect key, then try adding it. If the dword remains at 0 after soft reset then it should work. If not, try changing the Dword for AutoDPDMode from 1 to 0, as well as the softwarewriteprotect key as below
To Unlock the EXT-ROM
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"SoftwareWriteProtect"=Dword:0
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"AutoDPDMode"=Dword:0
hopefully should work.
Abu Yahya
add to wiki
hrb said:
That's a very old and known trick.
But: it does not work on the Wizard !
Prophet, etc. all OK
Cheers
hrb
sorry to hear it doesn't work on Wizard.
If it was well known then maybe some-one should add it to the WIKI page. As several have asked how on a few threads with no replies both here and BUZZdev.net.
Abu yahya
doesn't work on my Jamin with the 16Mb_AKU2.3_GSM02.30.21_Extrom-4PDA.ru.exe rom
I had to use buzz's unlock tool to let me write to my extended rom.
I have upgraded to the PDAMobiz 16MB ROM. Unhiding the extrom via the registry entries work. But unlocking it doesn't.
I too do not have HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1 key. So, I manually created it with the entries as posted, but it didn't work. (yes I did a soft reset after shutting down for 30s or so).
I then proceeded to go to HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS1 and change the "AutoDPDMode" to 0, and SoftwareWriteProtect to 0. There are 3 such keys: TrueFFS, TrueFFS1 & TrueFFS2. I changed all 3.
Unfortunately, it still didn't work...
But Buzz's unlocker prog worked. It didn't before when I was using the official Dopod ROM.
To everybody!
I've updated my ROM to RUU-Prophet-G4-AKU2.2-2.20-2.47.21-Jester-r1.exe. When finished, the extended ROM can't be used. Changing the registry does not work. So when I looked at the ROM "AKU2.3.1_LvsW_Edition_2006-11-28" I found there are 2 files: extunlock.exe and UnlockExtRom.cab. I ran the 2 files and finally I can use the extended ROM with no restriction.
My device is O2 Neo. Hope this is useful for someone
Would you please be so kind and upload these two files to the ftp? I'd like to try if it works with the last original QTEK-ROM.
Thank you
hi all.
I've been reading some very interesting things in the forum the last few days.
I think you're great.
As far as:
Show extended ROM:
[HKEY_LOCAL_MACHINE\System\StorageManager\AutoLoad\TRUEFFS_DOC1] "Bootphase"=dword:2
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1] "MountHidden"=dword:0
Hide extended ROM:
[HKEY_LOCAL_MACHINE\System\StorageManager\AutoLoad\TRUEFFS_DOC1] "Bootphase"=dword:1
[HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC1] "MountHidden"=dword:1
they work ok for me with 2.9.7.24 wwe ROM
2.9.7.8009 extROM
(IPL&SPL 2.09.0001)
after soft reset i can see Extended_ROM2 on my file explorer.
when i check the file properties with resco file explorer all files inside extended_rom folder are read only(which can be changed of course).
so i can easily modify the cab files inside the extended rom along with config.txt entries.
last, changing all files to read only, reverting the registry keys to hide ext_rom
and hard reset.
crazyd said:
Would you please be so kind and upload these two files to the ftp? I'd like to try if it works with the last original QTEK-ROM.
Thank you
You can load "AKU2.3.1_LvsW_Edition_2006-11-28.exe", then right click on this file and select "extract to ..." to get these files. Hope this works on yours!!
Great, it works again! Thank you for your help.
Could you please upload just the two files (extunlock.exe and UnlockExtRom.cab) only, because my connection is very slow for getting the "complete packet rom". Thx
Here you are!
Thanks bro, but I still can't edit/delete my ext rom.
One more question: can this ROM work with the SIM Toolkit app?
Have tried the two files but I still can't install to ExtRom. It says ExtRom2 on my Dopod 818 Pro G3. Currently having more problems with syncing. Any advice?
AbuYahya said:
HKEY_LOCAL_MACHINE\Drivers\Builtin\TRUEFFS_DOC1
"AutoDPDMode"=Dword:0
I found the following document about the Trueffs file system.
Download the following document http://www.mobilediskonchip.com/NR/....pdf|Installing_TrueFFS_for_Win_CE_Rev4.7.pdf
The AutoDPDMode parameter is described on page 12 as:
“AutoDPDMode”: This option enables Auto Deep Power-Down mode, which reduces the
average power consumption of DiskOnChip. Auto mode puts DiskOnChip in Deep Power-Down
mode automatically after each driver command, and takes DiskOnChip out of Deep
Power-Down mode automatically when the driver is called again. Using this mode disables the
option of booting from DiskOnChip via software reset, as the IPL cannot be accessed from Deep
Power-Down mode. In order to boot from a DiskOnChip device in Deep Power-Down mode, a
hardware reset or powering off is required. This registry entry has no effect on DiskOnChip
devices that do not support Deep Power-Down mode.
dword:1
Looks to me that AutoDPDMode has nothing to do with the write protection of the Extended ROM...
Regards,
--eluth.

Why,Why?!?

I have been trying to flash for a couple of weeks now and I can't get past the application unlock step. I need help please, WM5 is too outdated. I have a very virginy SP5, nothing ever done to it, and I just got it. I was reading some ancient forums dated 2006-05 and saw that i-mate released a ROM update and that was 2.5 333 ....something, can't remember, but even that was newer than the ROM currently loaded into this phone, so you have an idea of how clean this phone is. Perhaps this is the problem. I am using Karhoe's guide and I am not sure if it works for such a virgin phone as mine; I keep getting this error (attached), please help. Thanks in advance.
I had the same problem, and all I had to do was do a hard reset (clear storage) on my phone and restore it to factory settings (of course backup all the data you want to keep first). It seems as if I junked up my phone with things.
I've had the same prob, solved using this unlocker
Not sure how to do a hard reset but I'll fiddle around some more, but thanks a lot stesa and the craze.
Hard reset is the same thing as "Clear Storage" found in the menu items. Factory default..
If you fail to unlock applications using the unlock application, try this:
Download regeditSTG2 from: http://4pda.ru/forum/attach/387522/regeditSTG2.zip
Then install it and change some registry values:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 2
-> change to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 16
-> change to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 128
-> change to 144
HKEY_LOCAL_MACHINE\Security\Policies\Policies
-> create new key "0000101a": Dword = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies
-> create new key "0000101b": Dword = 1
after this reset phone then supercid using lockwiz
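For checking whether a handset has had the registry edits from the post above applied, here is an added example (not from any poster in this thread). It parses a REGEDIT4-style text export and reports every policy value that differs from the stock values the post quotes; the export format and the sample are assumptions, and 00001006 is left out because the thread gives no stock value for it.

```python
import re

# Stock values as quoted in the thread (decimal). None means the value is
# absent on an unmodified device, because the post creates it.
STOCK = {"00001001": 2, "00001005": 16, "00001017": 128,
         "0000101a": None, "0000101b": None}
POLICY_KEY = r"hkey_local_machine\security\policies\policies"

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([0-9A-Fa-f]{8})"=dword:([0-9A-Fa-f]{1,8})$')

def parse_policies(reg_text):
    """Return {policy_id: int} for DWORD values under the policy key only."""
    found, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            # Track which key we are in so same-named values elsewhere are ignored.
            in_key = section.group(1).lower() == POLICY_KEY
            continue
        value = DWORD.match(line)
        if in_key and value:
            found[value.group(1).lower()] = int(value.group(2), 16)
    return found

def policy_drift(reg_text):
    """List (policy_id, stock, observed) for every deviation from STOCK."""
    observed = parse_policies(reg_text)
    return [(pid, stock, observed.get(pid))
            for pid, stock in sorted(STOCK.items())
            if observed.get(pid) != stock]

# Constructed sample export: the state after the edits described in the post.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001001"=dword:00000001
"00001005"=dword:00000028
"00001017"=dword:00000090
"0000101a"=dword:00000001
"0000101b"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Example]
"00001001"=dword:00000002
'''

if __name__ == "__main__":
    for pid, stock, seen in policy_drift(SAMPLE):
        print(f"{pid}: stock={stock} observed={seen}")
```
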

Orange SPV E650 Problems

I am trying to flash my Orange SPV E650. I run SDA Application Unlock and get the message 'Phone is unlockable'. Can anyone help? I have had the SIM unlocked with no problems.
cyrixuk said:
I am trying to flash my Orange SPV E650. I run SDA Application Unlock and get the message 'Phone is unlockable'. Can anyone help? I have had the SIM unlocked with no problems.
Have you tried it manually?
Change or create these registry values:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 222 (or 40?)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001006 = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 16 (or 144?)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000101a = 1 (dword)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000101b = 1 (dword)
You need to use this first
http://spvunlock.rd.francetelecom.com/
When they send you the cab file, remove the security, turn the handset off and on again, then reinstall the cab and it should work.
If you are wondering why you need to install the cab twice, it's because for some reason on a first install the security sometimes remains active.
belrei said:
Have you tried it manually?
Change or create these registry values:
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001001 = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001005 = 222 (or 40?)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001006 = 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\00001017 = 16 (or 144?)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000101a = 1 (dword)
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000101b = 1 (dword)
Can I unlock sim by registry?
Heniek_W said:
Can I unlock sim by registry?
No, not to my knowledge. You have to pay for an unlock code.

[Q] Help building a small exe that changes a registry key on boot

My phone has bugged out and will not let me unlock it through the default pin unlock. I know the pin is correct, and it seems to be a pretty common problem with 6.5?
Now I know hard reset is the quickest way out of this mess, but I need to get to the texts I have received since I last backed up (3 days or so).
Can someone help me with the construction of an exe to change a registry key on boot, in particular
HKLM\Security\Policies\Policies\00001023: 1
I feel if I can get this key modified on boot I will be able to access my phone again.
Planning on shuffling it over to the phone into the startup folder.
Any thoughts?
snooparoop said:
My phone has bugged out and will not let me unlock it through the default pin unlock. I know the pin is correct, and it seems to be a pretty common problem with 6.5?
Now I know hard reset is the quickest way out of this mess, but I need to get to the texts I have received since I last backed up (3 days or so).
Can someone help me with the construction of an exe to change a registry key on boot, in particular
HKLM\Security\Policies\Policies\00001023: 1
I feel if I can get this key modified on boot I will be able to access my phone again.
Planning on shuffling it over to the phone into the startup folder.
Any thoughts?
I can make the exe for you but how do you plan to put it in the startup folder exactly?
Using a linux box, can see the phone as a drive despite the locked status.
Cheers
snooparoop said:
Using a linux box, can see the phone as a drive despite the locked status.
Cheers
haha, sounds like a good trick. the other thing: do you have a custom rom installed? stock rom may have cert checking in place before full boot up finished so the exe has to be signed with a cert that's already on the phone (default OEM or custom installed cert).
Stock Telecom NZ rom is installed
snooparoop said:
Stock Telecom NZ rom is installed
we will also have to deploy custom cert then.. we can try anyway, I'm curious to see if it can be done =) PM me.
Anybody else need the C++ code to do this? It follows.
Code:
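//
// Regkey.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include <windows.h>
#include <winreg.h>

int WINAPI WinMain(HINSTANCE hInstance,
                   HINSTANCE hPrevInstance,
                   LPTSTR lpCmdLine,
                   int nCmdShow)
{
    DWORD Value = 1;   // data written to policy value 00001023
    HKEY RegKey;
    LONG Result;

    // Windows CE does not use ulOptions or samDesired; both are set to 0.
    Result = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("\\Security\\Policies\\Policies"), 0, 0, &RegKey);
    if (Result == ERROR_SUCCESS)
    {
        // Reserved must be 0; the DWORD is passed as a byte pointer plus its size.
        Result = RegSetValueEx(RegKey, TEXT("00001023"), 0, REG_DWORD, (const BYTE *)&Value, sizeof(Value));
        RegCloseKey(RegKey);
    }
    // Non-zero exit code if the key could not be opened or the value not written.
    return (Result == ERROR_SUCCESS) ? 0 : 1;
}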
Originally from post #4 in here:
http://forum.xda-developers.com/showthread.php?t=648103
If activesync is operational, you should be able to use MS security policy manager, see
http://www.howardforums.com/showthread.php/1238095-Un-set-Exchange-enforced-PIN-length-amp-etc
