Always bootloader screen - HTC Tornado

Hi, I have a Vodafone v1240 (HTC Tornado). I tried to flash a WM6 flash to it, but I don't have the SuperCID unlock. The flash is OK, but the phone always starts in the multicolor screen (bootloader screen). I've tried to flash a lot of flashes but always get "invalid vendor id" or "only upgrade". I've also tried TyphoonNbfTool to edit the nbf and change the vendor id, but I always get the same message ("invalid vendor id" or "only upgrade").
How can i recover my phone? :S
Thanks
Sendoa

Determine your original CID first, to do this type:
Code:
info 2
into mtty or teratermpro and paste the output in the thread
Phil

Ahh, there you are! Are you or duke_Stix still planning to cook some newer ROMs or remove bugs from the existing one? We hardly see you guys around these days.

i get this... what is the original CID? ¿?
info 2
GetDeviceInfo=0x00000002
+ SD Controller init
- SD Controller init
+StorageInit
***** user area size = 0x3CE40000 Bytes
HTCSVODA0504 㱍dHTCE
Cmd>

@anandoc: I've been fairly busy lately what with Jury Service etc but I've got a beta version in progress
Changelog:
HTC Task Manager inc
HTC File Manager inc
Application Unlocked
Fixed WiFi
HTC Comm Manager inc
Removed Wireless Manager
Removed Debug Apps
Removed Marketplace
Removed Office
Removed Voice Command,
Removed Windows Update,
Added Bluetooth DUN support for TomTom compatibility
Added Bluetooth FTP protocol
Extra's (as a separate download)
Office
MMS (semi working)
HTC Clear Storage
Jeodek Java
Button fixes
xT9 (for those who prefer it over standard T9)
xT9 lang packs (split into separate languages)
TCPMP
wm5torage
VoIp
Localisations:
Polish
Czech
Russian
However at the moment I'm having issues with initflashfiles.dat, once these are sorted, it will probably be released the same day.
Back to the topic:
Ok, using typhoonnbftool v0.41, open up a Tornado nbf (WM6 or official, it doesn't matter) and then edit the header data so that the Operator field reads:
Code:
VODA0504
That is your original CID
Then save the nbf and flash it to your device
Phil
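
A check of the step Phil describes, as an added example that is not part of the original posts and not code from TyphoonNbfTool: it pulls the CID out of a captured `info 2` reply and compares it with the value about to be typed into the Operator field. It assumes the CID is the 8 printable characters directly after the `HTCS` marker, as in the capture above; the function names and the sample bytes are constructed.

```python
import re

# Constructed capture modelled on the `info 2` reply quoted in this thread.
# The four bytes between the CID and HTCE stand in for the unprintable
# bytes that show up as garbage in the forum post; they are not interpreted.
SAMPLE_CAPTURE = (
    b"info 2\r\n"
    b"GetDeviceInfo=0x00000002\r\n"
    b"+ SD Controller init\r\n"
    b"- SD Controller init\r\n"
    b"+StorageInit\r\n"
    b"***** user area size = 0x3CE40000 Bytes\r\n"
    b"HTCSVODA0504\x20\x3c\x4d\x64HTCE\r\n"
    b"Cmd>"
)

# Assumption: HTCS, then an 8-character printable CID, then a few opaque
# bytes, then HTCE. Matching on bytes keeps the opaque part from breaking
# text decoding, which is what garbles it in a pasted terminal log.
FRAME = re.compile(rb"HTCS([\x21-\x7e]{8})(.{0,16}?)HTCE", re.DOTALL)


def extract_cid(capture: bytes) -> str:
    """Return the CID found in a raw terminal capture of `info 2`."""
    match = FRAME.search(capture)
    if match is None:
        raise ValueError("no HTCS...HTCE frame found in capture")
    return match.group(1).decode("ascii")


def check_operator_field(capture: bytes, operator_field: str) -> list:
    """Return a list of problems; an empty list means the field matches."""
    cid = extract_cid(capture)
    problems = []
    if operator_field != operator_field.strip():
        problems.append("operator field has leading or trailing whitespace")
    candidate = operator_field.strip()
    if len(candidate) != len(cid):
        problems.append(
            f"operator field is {len(candidate)} characters, CID is {len(cid)}"
        )
    if candidate != cid:
        if candidate.upper() == cid.upper():
            problems.append("operator field differs from CID only by letter case")
        else:
            problems.append(
                f"operator field {candidate!r} does not match CID {cid!r}"
            )
    return problems


if __name__ == "__main__":
    print("CID from capture:", extract_cid(SAMPLE_CAPTURE))
    for value in ("VODA0504", "VODA0505", "voda0504", "VODA0504 "):
        print(repr(value), "->", check_operator_field(SAMPLE_CAPTURE, value) or "ok")
```

Save the terminal session as raw bytes rather than copying text out of the window, so the bytes after the CID survive unchanged.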

done but...
Hi, I've done it, but I always get "only upgrade". It only lets me reflash the WM6 flash, but it always returns to the bootloader screen :S What am I doing wrong? :S
Thanks anyway
Sendoa

Try adjusting the version numbers to something ridiculous like 99.99.99.99 as well
Phil

jm012a9749 said:
@anandoc: I've been fairly busy lately what with Jury Service etc but I've got a beta version in progress
Phil
Hey Phil, Thanks very much for the update ! Your hard work is much appreciated here !!

Me too
I'm having the same problem as Sendoa. I flashed the WM6 ROM to my 8310 but after 100% completion, the phone restarted in bootloader mode.
I can flash it again with the WM6 but the same thing happens each time (bootloader mode). I've tried to flash with several other ROMs but each time I get the "Invalid Vendor ID" error before flashing begins.
I've tried the Typhoonnbftool tool to change the header as suggested earlier in this thread but without any success. My CID is 'DNG_0501'. I'm still stuck in bootloader mode.
I'd appreciate any assistance.
Thanks,
Straker.

Sorted
Sorted. Found another ROM (the fifth I've tried) that would flash without the 'Invalid Vendor' message. It let me get back to a standard WM5 setup.

Solved
Thanks to all
I flashed it with a Cingular flash with the version changed to 79.79.79.79 and the operator changed to VODA0504, and it works again. Then I unlocked the CID and flashed the WM6 flash, and it is working with it.
Thanks again

Wow, that's cool, means I can flash my phone to WM6 without voiding my warranty ( I still got 5 months left )

Straker said:
Sorted. Found another ROM (the fifth I've tried) that would flash without the 'Invalid Vendor' message. It let me get back to a standard WM5 setup.
where did you get your flash from?

typhoonnbftool is creating only 1kb file of nk.nbf
Hi,
I have the new typhoonnbftool (got it from SourceForge). When I try to edit the headers of an Imate ROM to make it work for the XPA Swisscom v1240 with the CID "VODA0505", I get only a 1 KB nbf file. I've tried lots of things but no luck at all.
kind regards
Fakbrenjeri

Similar problem
I've used Typhoonnbftool to change header, but the resulting file is only ever 1kb or smaller! What am I doing wrong?

Small nbf
Straker,
Where did you get the rom that worked?

timwb said:
I've used Typhoonnbftool to change header, but the resulting file is only ever 1kb or smaller! What am I doing wrong?
use typhoon tools 0.4.1...
ftp://ftp.xda-developers.com/Uploads/Smartphone/Tornado/Shipped_Complete_Updates/I-mate
use the rom from here..

Stuck on BootLoader
Hi there!
I've tried everything that I could find here and still no luck...:-\
I've an SPV C600 and when I upload the Imate ROM it stays stuck on the BootLoader.
It only works if I upload the Orange Upgrade ROM...
I can't SuperCID it, since no app has worked till now...
What can I do?
Thank you!

try this:
http://forum.xda-developers.com/showthread.php?t=285344

Related

ROM 1.06.116WWE

this afternoon i found an update on the swedish qtek site.
http://www.qtek.se/default.asp?nc=4484&id=127&element=0
wonder if it could be used by english speaking users? it says WWE, so i guess it is in english?
i'm uploading the unpacked installation folder to FTP now. maybe someone who knows his thing, could magic a .bat file with the correct checksum to change the carrier and language? [pinoo? ;-)]
the file is called: MA_Qtek(BrPt)_10600_116_10500_SHIP.zip
Hi there..
I will take a look... But my device is with PocketPcTechs at the moment... Getting 128MB RAM ... WOOOOOOOOOOOT
:lol:
Cheers
has anybody yet found out what the passwords for the rom files are?
btw, have the last ones (the imate rom for example) been cracked or did anyone blurt out the right keys?
cu
A bad translation:
Click on the links below in order to update your Qtek S100. Follow the installation guide carefully in order to get a correct update.
ROM 1.06.116WWE
(updating from ROM 1.03.148WWE to ROM 1.06.116WWE)
The update is only for Qtek S100 devices sold in Sweden with software version 1.03.148WWE. To check which version you have, press Start>Settings>System>Device information; you will find the information under ExtROM version. If you try to update with another version of the software, it can damage your Qtek S100.
The updating ROM 1.06.116WWE contains:
GSM-radio software
MMS client (2.0.0.20)
Caller IDS
Phone PAD Swedish T9
Updated Bluetooth software
Installation guide ROM 1.06.116
actually it was pretty clear that qtek only offers their support to their respective customers. Nevertheless it should be quite possible to gain advantages out of an alien fw ;-)
...so it could not be used for I-mate JAM and other models.... :roll: If someone has updated the firmware pls report the "improvements"...
Regards,
Primoz
Yes and please send us (or push it on the FTP) the content of ExtROM.
Thanks !
taron said:
Yes and please send us (or push it on the FTP) the content of ExtROM.
Thanks !
That would be very nice!
Regards,
Primoz
Anyone upgraded yet?
Hi, has anybody yet tried out the new QTEK ROM 1.06? If so, could you be so kind to make a ROM image and put it onto the ftp? Guess that'll be way easier than finding out some passwords to change the update-files?
thank you!
Why couldnt this be installed on non-swedish qtek s100?
Seems like an normal english rom-update
Wonder what it is with the bluetooth.
Cause the stack that is installed now is way to slow.
We need the passwords so xda3nbftool can be used to change operator id. Then we get past the Country id error...
So if anybody know the passwords that would be nice...
it cant be used out-of-the-box because the upgrade tools checks for your device-id, the carrier-id (which must be the one of qtek), the language (which, as you've said would fit) and the rom versions.
Thus, at least the carrier id would be different which is enough for the upgrade prog to abort. So there are 2 work-arounds:
1.) using xda3nbf-tool, which requires the ROM passwords to decode the ROM, change the parameters which are checked and re-encode the ROM. Unfortunately nobody knows the passwords yet.
2.) do a ROM backup of a successfully upgraded Qtek device with the bootloader method, which gives you *one* file that contains all the radio, the ext-ROM and the OS ROM. This file needs to be modified with a hex editor (which actually means to replace the first 412 bytes from the Qtek backup with the first byte of your own backup) --> restore the edited file et voilà: it should work. Unfortunately nobody has posted such a backup yet...
conclusion:
way 2) is easier (at least we dont need any passkeys) nevertheless we still need that backup...
regards,
André
sorry, my upload was broken... should be ok now. the file is called MA_Qtek(BrPt)_10600_116_10500_SHIP.zip and you can find it in the Magician folder on the xda-ftp. it's basically just the unpacked installer.
could anybody tell me how to write a proper .bat file, like the one pinoo did for the i-mate rom? i suppose i need to change the 0x20040522... numbers to stop the installer giving the "invalid checksum" error?
...and reading the last post these numbers seems to be the passwords Guest was talking about...
any chance of getting them?
Be careful with this ROM. I tried to install it and now my Compact is dead. I can't reflash it anymore, even from SD card. Tried everything and now it is in the service center. They are trying to fix it but still with no success ((
BTW you can install the Radio ROM without any passwords and xda3nbf. Just remove all other .nbf files from the directory and run the update - and everything is OK without any mistakes. Problems appear after other upgrades (nb and mk_).
landau said:
BTW you can install Radio ROM without any passwords and xda3nbf. Just remove all other .nbf files from directory and run update - and everything is OK without any mistakes. Problems appears after other upgrades (nb and mk_).
Just upgraded my Imate Jam radio stack to this one and seems that it improved phone sound quality a lot or am I just hoping so ?!
However no problems with upgrading the radio stack only!
Hello,
landau said:
Be careful with this ROM. I tried to install it and now my Compact is dead . I can't reflash it anymore even from SD card. Tried everything and now it is in service-center. They are triing to fix it but still with no success ((
Hope you can solve your Magician problem. Which file did you use to upgrade your PPC: MA_Qtek(BrPt)_10600_116_10500_SHIP.exe or MA_DANG_WWE_10600_115_10500_SHIP.exe.
Thanks
macrinus said:
Hope you can solve your Magician problem. Which file did you use to upgrade your PPC: MA_Qtek(BrPt)_10600_116_10500_SHIP.exe or MA_DANG_WWE_10600_115_10500_SHIP.exe.
Thanks
MA_Qtek(BrPt)_10600_116_10500_SHIP.exe

Few question about upgrading W2K3 to W2K5

I've heard that WM2003 on the Himalaya can be upgraded to WM2005. It's very interesting and I'm going to try the upgrade, but I have some questions about it:
1. What's the risk during upgrading? Could my device suffer some permanent error?
2. What's the consequence of this? Will my device work slower or faster?
3. If I'm not satisfied with WM2005, can I downgrade back to the WM2003 OS?
Please help me by answering my questions.
Response:
1. the device may fail, but you can restart the whole process entering the device in bootloader mode and upgrading (happen to me once)
2.Your device will work Faster but sometimes (at boot sequence) will be slower.
that's the price you have to pay. Other thing is there is no MMS in WM5 (dont work for me) and some camera issues, that can be fixed. But is more eye-candy than the WM2003 or 2003SE.
3. If you aint satisfied you can go back to 2003SE just putting the device in bootloader mode and then making the upgrade using a WM2003 ROM (the nbf file)
One thing: Tofclock and Buzz (thanks guys!) are working hard to bring us one stable, better and faster WM5 ROM, so be quiet and wait like me :wink:
Hi guys,
I've also heard that after you upgrade to WM 5.0 the phone vibration won't work, is that true?
what else then?
:roll:
Thanks
Hi dickyw,
my vibration on my Himalaya works perfect...
Hi Guys,
Can anyone help another dumb newbie?
I upgraded my Himalaya to W2k5 OK from the O2 exe file, but I now want to downgrade to 2003 SE.
The folder I am trying to use to downgrade is WindowsMobile2003SE_XDA2_2.20.00CHS-translated.zip
Himaupgradeut.exe gives:- Error 120 Country ID error 1-1-8-n-1
HimaupgradeUt_noid.exe gives:- Error 103 ROM image file not found
XDA image tool gives me:-Unsupported file format error for NK.nbf
I have:-
Boot loader 1.06
CE image 1.72.00
Extended image 1.72.181
Radio image 1.17.00
Am I using the wrong tools, the wrong ROM or an incorrect procedure? I'm doing this for a friend so it's getting very embarrassing. Any advice would be gratefully appreciated.
Thanks, Mike
Another issue to be aware of when upgrading to WM5 is that you also need to upgrade to ActiveSync 4.1, as 3.8 won't work any more. Given that AS can be very temperamental, it may take some time to get the sync link back up and working to your satisfaction, so if your data is crucial to your work then backup, backup, backup and upgrade when you have a few days free to dedicate to ironing out any wrinkles.
Then also xbackup doesn't work in WM5, so you are left with options like buying the latest Sprint backup software (now WM5 compatible) or relying upon your PC Outlook to be your "backup data" (NB I use the Outlook free "backup" util to back up my pst files on exiting Outlook as double insurance).
Regards - Mallow1
PS I upgraded and am very glad I did. Had a few AS issues but eventually got there (took a lot of reading of forums and AS battles, but worth it in the end)
cnimike,
One assumes that you have unzipped the zip file first before trying to reflash? If not, try that (say, use WinZip). Also try reading the wiki as a guide to what to do (see link at top left of page).
You are also best to use HimaupgradeUt_noid.exe, as at least it avoids the first error (else you'll have to edit the flash files first and recompile them, which is straightforward, but if you are a newbie it's a step that can be avoided by using the "...noid.exe"), and if you haven't unzipped the said file, doing that may well sort out your second error.
Get back to me if you need more help.
Regards - Mallow1
cnimike said:
The folder I am trying to use to downgrade is WindowsMobile2003SE_XDA2_2.20.00CHS-translated.zip
Am I using the wrong tools, the wrong ROM or an incorrect procedure? I'm doing this for a friend so it's getting very embarassing. Any advice would be gratefully appreciated.
Thanks, Mike
I would suggest getting a hold of Sin's merged version (details in signature) or XDA2JoJo's version. Simply flash the ROM and you are there. Elsewhere, SIN has set out the steps in the most detailed fashion you are going to see outside a software manufacturer's manual. :wink:

Vox bootloader

Inspired by some threads in the Hermes and Trinity forums I started to explore the VOX bootloader. You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version. In connection settings of activesync uncheck "allow USB connections" and connect PC and Vox with a USB cable. The PC will recognize the Vox and install an interface driver.
You need the MTTY to talk with the bootloader and send it commands. The Hermes wiki provides some good information and also has a link to MTTY:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
Unfortunately the Vox bootloader (v1.16.0000) doesn't display help information. The first command you should enter is password. I found a password for Trinity and Hermes which also works for Vox:
password BsaD5SeoA
Here are a couple of other commands which work: emapiWlanEERW, emapiInit, emapiWlanMac, emapiPwrDwn, emapiRead, emapiTest, emapi, cpldver, DumpReservoir, CheckImage, calcrccheck, getdevinfo, ruustart, ruurun, progress, wdata, password, mbr, set, atcmd, ResetDevice, BTRouting, BTTestMode, SetDebugMethod, IMEI, ls, lnbs
I would like to find a way to dump the SPL and ROM to SD-card or to PC. I tried a couple of things (r2sd, d2s) to no avail.
Anyone else some ideas?
Update1
I got stuck in the bootloader and luckily found how to boot into the OS again:
http://forum.xda-developers.com/showpost.php?p=1094479&postcount=11
password BsaD5SeoA
ruurun 0
ResetDevice
Update2
I discovered the 'ls' command. Afaik it allows to dump the rom parts like SPL, IPL, splashscreen when the device is CID unlocked. My unbranded S710 is SIM unlocked, but unfortunately not CID unlocked. When I issue 'ls' there's a "not allowed" error
Update3
I found a 'good' VOX ROM upgrade (the ones on the XDA FTP are all corrupt): RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship
Another upgrade ROM is the Dopod:
RUU_Vox_DOPODASIA_WWE_1.19.707.3_4.1.13.37_02.83.90_Ship
I used NBHextract.exe to extract both ROMs. The SPL bootloaders are attached.
NBHextract shows following info for the 1.15 Vox ROM upgrade:
Code:
Device: VOX010100
CID: HTC__001
Version: 1.15.405.2
Language: UK
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_GSM.nb
Extracting: 03_MainSplash.nb
Encoding: 03_MainSplash.bmp
Extracting: 04_OS.nb
and this for the Dopod upgrade:
Code:
Device: VOX010100
CID: DOPOD001
Version: 1.19.707.3
Language: USA
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_MainSplash.nb
Encoding: 02_MainSplash.bmp
Extracting: 03_GSM.nb
Extracting: 04_OS.nb
Update4
I managed to back up my S710 using itsme's "bkondisk" tool and "prun" from his itsutils suite here and here. Copy bkondisk.exe to /Windows on your device.
After running this on your PC
Code:
prun bkondisk.exe "\Storage Card"
following files are created in \Storage Card and a log file "bkondisk.log" in \
Code:
bk_00_0000.img - IPL : ONBL1 + ONBL2
bk_02_0005.img - GSM + splash + gsmdata + simlock + serialnrs
bk_03_0025.img - OS
bk_06_0001.img - SPL
bk_08_0205.img - userfilesystem
I compared a couple of these .img files with the .nb files extracted by NBHextract from an official RUU. The IPL and SPL look quite okay, but the OS is mapped totally different. So don't think you can just rename for example bk_03_0025.img to OS.nb in order to have a flashable file !! I have attached my dumped SPL which is version 1.16
Next mission is to find a 'good' (not corrupted) version of the RUU_Vox_HTC_WWE_1.15.405.2_4.1.13.37_02.83.90_Test.exe ROM upgrade. See this Excalibur thread. I think the same applies to S710
Update5
With Dark Simpson's htc rom tool here it is possible to create a flashable image file from separate .nb files. There is also Dutty's good NBHtool 1.1 yet, but so far I haven't tried it.
What we still need to have for flashing unsigned ROM images is a SSPL. See here and here.
Alternatively we need a so called Update SPL (USPL) which unlocks CID and then allows flashing any rom to your device. The version for the ELF created by the brilliant moderator pof can be found here. Since the ELF is very similar to VOX, I will study it and see if I can use it to implement a SSPL (software SPL) which allows us to also flash any ROM, but does not require to flash an USPL. I think flashing IPL and SPL is a bit too tricky atm.
Take the Elf USPL, remove the RUU folder (to be sure you don't flash anything by mistake), in the LOADER folder change the .nb file for a Vox bootloader (different version than the one on your device) and use the same name for the .nb file, then run elf-uspl.exe on your PC.
If elf & vox are so similar, this should jump to the bootloader you've placed in the LOADER folder, to check it disable activesync usb connections and go into bootloader with mtty. Do an "info" command or whatever identifies that the bootloader you're seeing is the one you've placed on the LOADER folder and not the one actually on your device.
If you succeed in loading a custom bootloader I can help you with the don't check cid / don't check signatures... patches
Good luck!
Thanks for replying pof. I did as you said and tried it with spl 1.15 (whereas 1.16 is flashed on my S710). First I went through step1 and then went in to step2 where at 75% the screen got blank and it rebooted the phone in my native bootloader 1.16 RUU mode. I suppose that's not what we wanted to see?
Where did you find RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship? Do you have a link?
Thanks
I found it here:
http://www.leaf.co.za/Members/Member Services/Manage My Profile/
Cant Find The Bootloader For The Life of Me
Tried:
"You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version."
No Luck. I must be thick. Its gotta be just that easy... but...
The S710 simply boots into my home screen.
Can someone PLEASE post a (little) more detail about how to boot into the bootloader on the s710/vox?
THANKS.
Cheers.
** EDIT **
OK- Better bootloader entry instructions for SP noobs (like myself):
1) Turn device off
2) Unplug power/usb cable from handset
3) Press and hold camera button
4) Plug power/usb cable into handset
5) Be amazed by Blue-Green-Red Bootloader screen.
Yeah, it won't boot in bootloader mode if the usb cable is connected. Well, it's sometimes better to find out things all by yourself
Besides, I don't think anyone other than myself is researching this stuff on Vox. Too many ordinary users and nearly noone in to h*cking.
You don't have 1.04 on your phone by any chance?
RE: older bootloader
No joy.
Sorry.
Its 1.15
My SP has vanilla mods.
Its just out of the box the last 4 days in NYC!
The phones not even available AFAIK in the US yet-- except special order.
Got mine in London last week.
Still working out the kinks.
BTW:
Im looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? Im begining to think it may be a cpu issue. Thanks.
850mph said:
BTW:
Im looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? Im begining to think it may be a cpu issue. Thanks.
Yeah, saw that. I don't think it's a CPU issue, I could run the GSM codec just fine on a stone-old iPaq. Try running omap overclocker and set it to 240MHz and see if it makes a difference. Keep using the SIP thread for any replies on this.
POF's O2/Nova Solution
jockyw2001-
I suppose you've seen Pof's post #89 (dated 4-8) in the "ELF Update SPL (USPL)" thread, which calls for running enable-rapi.cab (on O2 Nova) BEFORE elf-uspl.exe?
I'd try it myself but want a few days of joy with my handset BEFORE creating a potential brick.
From my reading, if elf-uspl.exe makes it to 75% in stage 2 before white-screening, you're close (well, 75% anyway.. wink!). Seems like Pof could have a couple of suggestions at that point. Maybe he'll be kind enough to comment?
You're on it.. but I thought Id ask.
Cheers.
Heres something I am trying to work out-- even after many hours of reading:
I understand that there is an exploit in the 1.04 bootloader which can potentially bypass CID and Certs when flashing a new ROM image on both SPs and PPCs..
I also understand that bootloaders 1.09+ cant be downgraded.
So am I right in assuming that potential VOX ROM-chefs have at least ** TWO ** potential paths to solving the bootloader issue:
1) Find a 1.04 bootloader **AND** a tool which will load it successfully
-- Then use the exploit (which I read about-- but cant find) to flash the ROM
-or-
2) Find a way to Flash **ANY** bootloader onto the vox with elf-uspl.exe
-- Then (keeping our fingers crossed) elf-uspl.exe can be patched to defeat the CID&CERT issues with the vox
Now heres the question:
I am right in assuming that we **DONT** need to find a way to flash **SPECIFICALLY** the 1.04 bootloader onto the ROM **BEFORE** we can take advantage of a patched elf-uspl.exe?
Is that correct?
Cheers.
Oh yeah.. AM I right in assuming that the WM5/6 bootloaders are EXACTLY the same code (except for dated revs) across all WM SP and PCC devices-- sort of like the ability to install grub or lilo on **ANY VENDORS PC** no matter what OS or eventual Software Packages end up on the box?
Looked at another way:
When they talk about the 1.15 bootloader in the Blue Angel Board they are talking about the EXACT SAME 1.15 bootloader in the VOX board?
I mean, I know this is gotta be the case but I need a little reassurance here-- As Im still a bit confused on why PPC software should run on SP devices-- even understanding that they use (generally) the same subset (WM5/6) of the CE5/6 API-- But have different CPUs.
850mph: cool to see there actually are brothers in arms
I've tested pof's USPL extensively, but haven't got it to work (yet).
Actually you need to run enable-rapi.cab only if your phone isn't yet application unlocked, i.e. if it doesn't allow to run unsigned apps. Mine is application unlocked so I can skip that step.
The next step is to load a modded SPL in RAM at physical address 0x10000000 and to run it. Once this modded SPL is running another modded SPL can be flashed.
I've tried to load an unmodified SPL in RAM (e.g. SPL 1.15) and to run it. This can be done with following 2 steps:
1) psetmem.exe -f -p 0x10000000 spl.nb
2) run haret.exe on device (can use cecopy & cerun); cerun -b CE:\haret.exe
Note: haret.exe is a linux kernel loader which was modified by pof to run a USPL from 0x10000000
What happens is that my phone reboots into the stock bootloader (SPL 1.16) in RUU mode. I have to use MTTY in order to boot the phone in WM again (see post #1 and #2 in this thread).
Actually I think haret.exe does run the SPL 1.15 which is loaded in RAM, but that at some point the code resets the device.
I'm quite sure we can run a specially prepared USPL or SSPL which allows flashing another specially prepared SPL such that the device is effectively CID unlocked which again means that any vendor's firmware can be flashed. I also think we don't absolutely need the SPL 1.04 for that purpose.
This is good info.
I see what you are trying to do now.
Im gonna take some time to get up to speed on Dumping/Reading/Flashing from the Trinity Hermes and Elf pages. Until then Im afraid Ill be of little use.
Until now Ive strictly been a Linux/GCC-guy. Im tempted (but not convinced) that I want to take the time to learn Microsofts WM5/6 IDE. Its a time issue (obviously).
But I will spend some time on the whole S710 ROM-cooking (and bootloader) issue this week. It looks manageable.
I see you have basically been mixing and matching the various ROM cooking tools-- including using Msofts CE powerToys. Is there no single suite (besides the ImagefsTools) which you can recommend I look at first (With the understanding we need to solve the bootloader issue specifically for the vox first)-- I see various kitchens for various devices. Do any of them see plausible as a starting point for an HTC/Vox kitchen suite?
GOOD LUCK.
Cheers.
** EDIT **
I REALLY think the S710/S730spec are GREAT devices-- couple of minor issues-- but just fantastic form-factors.
new in the sandbox
Hi guys,
I just got my XPA 1415 some days ago (for info, it's just the same than the others (HTC S710, SPV E650 and Vodafone V1415, VOX, ...) but from Swisscom (Swiss provider).
I've been reading around and found this thread that was the most related. I actually tried to use the techniques provided by jockyw2001 with no luck.
Doing a prun bkondisk does not work, neither any of the itsutil tools. I do think that my device is somehow protected, but I've no clues how to proceed next. I'm going to continue searching, but if any of you has an idea, it's more than welcome.
If I manage to dump that *damned* ROM, I'll make it available...
I'm currently on bootloader ONBL 1.23.0000, SPL 1.23.0000, CPLD 04.
Cheers,
Nick
Nevermind...
I think I've been able to proceed with the backup (I've used the Microsoft Security Configuration Manager) when I realized that my system (Windows 2003 x64) the tool was not working.
Which made me think that maybe the procread and the other prun bkondisk might also have been blocked by the x64.
I've tested on my laptop (regular XP) and it works fine... just FYI !
** EDIT **
I've also tested the ELF haret with a downloaded SPL and I got the same result as jockyw2001...
BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?
nwaelti said:
BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?
The IPL and SPL are useable. The radio dump called bk_02_0005.img is from offset 0xA0000 identical to the radio rom. The first 0xA0000 bytes are other parts, probably splash + gsmdata + simlock + serialnrs. The OS file seems not directly useable and must be reordered somehow. More interesting is the ROM reconstruction method described here. Of course first we need to be able to flash unlock the Vox. I think the SSPL is most suitable for this purpose, this may need some reversing of the SPL with IDA Pro.
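
The comparison described in this post can be repeated on any pair of files. The following is an added example, not part of the original post and not one of the itsutils tools: it checks whether a dump matches an extracted ROM part from a given offset and reports where the two diverge. Only the offset 0xA0000 comes from the post; the function names, the report fields and the byte strings standing in for `bk_02_0005.img` and the extracted GSM part are constructed.

```python
import hashlib

RADIO_OFFSET = 0xA0000   # offset quoted in the post for bk_02_0005.img
CHUNK = 64 * 1024        # compare in blocks so large images stay fast


def compare_region(dump: bytes, part: bytes, offset: int) -> dict:
    """Compare dump[offset:] against part and report where they diverge."""
    if offset > len(dump):
        raise ValueError("offset lies beyond the end of the dump")
    region = dump[offset:offset + len(part)]   # may be shorter than part
    first_diff = None
    for start in range(0, len(region), CHUNK):
        a = region[start:start + CHUNK]
        b = part[start:start + len(a)]
        if a != b:
            # Only walk byte by byte inside the first block that differs.
            inner = next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
            first_diff = offset + start + inner
            break
    tail = dump[offset + len(part):]
    return {
        "identical": region == part,
        "first_diff": first_diff,            # absolute offset in the dump, or None
        "missing": len(part) - len(region),  # part bytes the dump is too short to hold
        "trailing": len(tail),               # dump bytes after the compared region
        "trailing_is_padding": len(set(tail)) <= 1
        and tail[:1] in (b"", b"\x00", b"\xff"),
        "sha256_region": hashlib.sha256(region).hexdigest(),
        "sha256_part": hashlib.sha256(part).hexdigest(),
    }


def build_sample():
    """Constructed stand-ins: a dump with an unrelated header, then the part."""
    header = bytes([0x11]) * RADIO_OFFSET   # the "other parts" before 0xA0000
    radio = bytes(range(256)) * 1024        # 256 KiB stand-in for the radio part
    dump = header + radio + b"\xff" * 512   # erased-flash style padding at the end
    return dump, radio


if __name__ == "__main__":
    # With real files, read both as bytes instead of calling build_sample():
    #   dump = open("bk_02_0005.img", "rb").read()
    #   radio = open("02_GSM.nb", "rb").read()
    dump, radio = build_sample()
    for key, value in compare_region(dump, radio, RADIO_OFFSET).items():
        print(f"{key}: {value}")
```

A non-zero `missing` or a `first_diff` inside the region means the dump cannot be treated as a copy of that ROM part from that offset.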
Thanks for those info, I'll try to go in that direction. Would be nice to find which one is splash, which one is gsm and the others below 0xA000.
I know we need to rev. SSPL. Don't exactly know where to start though I can't flash mine with any original ROM as Swisscom is not providing any.
BTW. viewimgfs gives me back a "packing DLL not found" (or some similar). Anyone had that also ?
I'll try to download IDA Pro...
It's below 0xA0000
I will do some testing again with the Vox today. I will see if I can paint the screen with a few instructions @0x10000000
I think I can not just run the SPL on VOX in the same way as you can on the ELF. The IPL on the VOX is 128kB, whereas on ELF it is only 2kB. So I think I will have to patch the IPL and run that first. I'm afraid that it will take a bit more time. Basically it will then be a SSPL (search forum for SSPL and user 'des') with both IPL and SPL patched and running in RAM.
But maybe it is also possible to patch just the SPL, because it could be that the default action initiated by IPL is to reset the device in RUU bootloader mode.
Given some time it can all be done I'm sure

O2 XDA Mini S (G4) Not flashing

Well, i've flashed the X50v and HTC Touch Elfin before, however I seem to be having some problems with the Wizard. I'm trying different ROMS and none seem to be working. Once a flash appeared to go through correctly, and the splash screen at startup was changed, but it still booted into WM5.
Now even though it is CID unlocked, it says that the RUU is out of date and won't update the phone.
IPL is 2.21.0001
SPL is 2.21.0001
Have you downloaded and flashed with Wizard_Love_2.26.10.2_WWE_Novii_CF2 first? If not, then do. Using the SoftSPL-V0.1, just extract, then copy over the nk.nbf file, after which do the same for the WM6 ROM you wish to use. I advise using the TNT.20273_Professional_Wizard_HTC_Home_FREE ROM or the TNT.20273 Professional Wizard ROM. Either are good ROMs.
i have the same phone and it worked a treat
Obsidiandesire said:
Well, i've flashed the X50v and HTC Touch Elfin before, however I seem to be having some problems with the Wizard. I'm trying different ROMS and none seem to be working. Once a flash appeared to go through correctly, and the splash screen at startup was changed, but it still booted into WM5.
Now even though it is CID unlocked, it says that the RUU is out of date and won't update the phone.
IPL is 2.21.0001
SPL is 2.21.0001
How do you confirm it's CID unlocked, as a G4 device cannot be CID unlocked, and with its present IPL/SPL it isn't even HardSPL?
A G4 phone can only be upgraded to wm6, either through SoftSPL or HardSPL; you can read about them in the G4 sub forum, posted as stickies.
Thanks for the help guys, for some reason the hardSPL wasn't working, but now I have 6.1 on my phone! I have another problem, however, which I'm going to create another thread for later today; here it is if anyone sees this:
Since upgrading to Winmo6.1, my keyboard layout has been broken. I have an O2XDA MiniS, so it's a UK phone.
Here's the layout I should get:
QWERTYUIOP
ASDFGHJKL (Del)
(cap)ZXCVBNM(up)(Enter)
(Dot)(Tab)(Windows)(Ok)(Space)(period)(left)(down)(Right)
And with dot-shift (Don't know the actual term)
1234567890
[email protected]#$%&*() (Del)
(cap) - _ € £ + = ; : (enter)
(dot) ~ (Win) " (sym what does this do?) , ' / ?
This is what I get
QWERTY is exactly the same, it's the symbols with Dot-Shift that have changed
123456790
[email protected]#$%&() (del)
(cap) ` -_+ = * ; : (Enter)
(dot) (Tab[Should be ~]) (win) " , ' / ?
I have tried the Et9 cab file which didn't seem to do anything, let alone work.
There was a post I saw which had a link to a rapidshare file which has now expired.
Some people have tried registry settings, that hasn't worked for me.
I've spent the last hour searching, this keyboard means a lot to me.
I bought this phone for my girlfriend but ended up keeping it since I love the keyboard, sometimes do Python scripting on the go, editing word docs + email browsing is easier. So she now has my Touch Elfin (which is newer)
So yeah, I'll pretty much copy + paste that into a new topic if this doesn't get any replies by say 8PM GMT?
I don't really like making hundreds of new topics for every little problem I have. Otherwise there'd be one for Opera + Hardware buttons (plus the internet button on HTC home screen),
one for it not staying in landscape mode when the keyboard is down, and one for my myriad of MiniSD card troubles
Sorry, forgot about this issue about the keyboard. It's simple to put it back to UK even if it's a pain.
step 1 open regedit
step 2 open HKEY_CURRENT_USER
step 3 open ControlPanel
step 4 open Keybd
step 5 select Locale and change it from 0409 to 0809
and now everything should be in the right place
anything else feel free to ask

[REF] Easiest way to SIM unlock your Elf/Elfin even if it's "MCC+MNC = None"

First of all, sorry for my bad English...
Here goes the best way I found to unlock all Elf/Elfin, even those with the deadly "MCC+MNC=None" (which is my elfin).
I saw some people say that when flashed with "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" the phone is not SIM locked anymore, but after reflashing with another rom it got locked again.
I tried that myself and it was true, I flashed "Elf_Elfin_2.11.0.0_MFG_ModuleBuild", then flashed another rom (with only the OS part) over it and bam, it was locked again.
So the locking part should be in the OS. After looking over the system files, I found two files (SIMLock.exe and SIMLock.exe.0416.MUI [my OS was BR Portuguese]) and thought "here is the locking problem" (because "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" doesn't have those files in the system folder!). Then I deleted those files and it wasn't SIM locked anymore... but it didn't find any networks.
So I searched a little more (google is your best friend in times like this) and discovered that the file rilgsm.dll is responsible for the network... It starts and calls SIMLock.exe, if SIMLock.exe returns a valid SIM card, then rilgsm.dll starts the network service.
So that's the difference between "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" and the other roms, its rilgsm.dll doesn't have the part that calls SIMLock.exe, it just starts the network service based on the SIM card you have inserted.
So I just took that dll from that test rom and copied over another rom and it worked like a charm!
Enough talking, here's what you gotta do to SIM unlock your Elf/Elfin (no matter what rom you have):
You will need this file (unlocked "rilgsm.dll")
- Extract the file you just downloaded to a temporary folder.
- Turn on your mobile WITHOUT the SIM Card.
- Connect your Elf to your PC (activesync).
- Find the files "rilgsm.dll", "SIMLock.exe" and "SIMLock.exe.0***.MUI" (the *** depends on the language of your OS) in the windows folder of your mobile and make a backup of them (in case you want to SIM lock it again).
- Copy the extracted "rilgsm.dll" over the one on the windows folder (say yes when it asks to replace the file).
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
- Turn off your mobile.
- Insert any SIM Card (that didn't work before) and turn your mobile on again and enjoy your newly unlocked ELFin!
If you intend to flash some other rom, just copy the dll again and it's ready to go.
Hope this helps.
Great find!!!
For Rogers users who are using the regular stock ROM, it is probably a good idea for them to use the regular free unlocking method because rilgsm.dll is responsible for Rogers Name Display. Other than that, I hope it works well for everyone else!!!
Anyone else tried this?
Yes, I have; it did not work. The phone does not have simlock.exe or simlock.exe.xxxx.mui in the windows folder, and just replacing rilgsm.dll does not affect the carrier lock. When inserting a SIM card from other operators, it still asks for the subsidy code.
Tested phone is:
ELF010050
BSTAR502
IPL: 2.24.0002
SPL: 2.26.0000pof
99HEH077-00
Operator Tim Brazil
ps.: I tried as well when phone was with stock rom, and was the same thing.
br
Good idea!!
I haven't tried your procedure but I also know that the OS contained in the "unbricker rom" (test only rom) does SIM unlocking, so I believe this will work. I will try it soon in my free time. Thanks!!!
I'll try to reflash my elfin tomorrow and do some other tests with it, to see if there are any problems with some specific roms.
My elfin:
ELF010050
BSTAR502
IPL 2.24.0002
SPL 2.24.0000
99HEH077-00
Claro Brazil
I'll post something more tomorrow.
Sorry for the lack of testing before posting (newbie yet).
I would feel better patching or replacing the simlock.exe file instead of changing the dll.
zerostuff, why don't you add a poll to this thread to see if it works for most people?
Thank you for the idea dsixda.
I sent the .exes and .dlls to a friend of mine and asked him if he can find the locking part in those files (because I'm just a normal user and don't know anything about hex editing and stuff).
And I'm still testing some roms on my elfin to see if I can find a working and a non-working way to unlock it (so far, all the roms are working).
Thinking of buying an HTC Elf
Hi all, I'm thinking of buying an HTC Elf but it's locked to Orange. Is it easy to unlock and get rid of the Orange start-up logo?
Would you give me a step-by-step guide on how to do it?
Thanks in advance
As you can see, some are easy to unlock, others have no solution yet...
@ zerostuff
Elfin ELF010050 BSTAR502 from Vivo Brazil had the simlock.exe and simlock0416.exe.mui. I replaced those files with a small clock app, and replaced rilgsm.dll, and it did not work (error 'unavailable file', and then hang). So I deleted the simlock.*, and the phone got into the menu, but no signal.
Indeed, this is a way to go, but it still needs improvements.
@ chester-lad-2009
Search the board, there are many topics regarding that. This topic is not for that discussion.
br
zerostuff said:
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
Hi, I use the onyx 4.43 rom and when I try to delete, a message tells me "could not delete". I tried in Windows and on my elfin too, using Total Commander and sktools. How can I delete these files?
I've tried on my HTC Touch 3450 (PT) to substitute the file and I can't! And I can't find these 2 files...
Using Total Commander
First we move the rilgsm.dll to the windows folder, then delete the two files SIMLock.exe & SIMLock.exe.0***.mui, and ignore the Warning! Could not delete 1 file(s)...
Then reboot the ELFin and it's done....loooooool... No need to put codes...
Just doing those steps, the SIM unlock is done
Strange??? I don't know, but it works
Note: Tested with One PT ELF and One ELFin BRS, worked fine!!!
Great post, works like a charm!
I needed to use another explorer since my original rom doesn't let me move or copy windows folder files!
I used WinFileCE.exe to do the trick, but it worked!
One more thing, is it possible to cook a rom with these files inside!? Because if I hard reset the phone it relocks itself with this method!!
Are these two files really removed???
I can't remove these two files because the cellphone is using them, how can I stop processes on Windows Mobile?
Using TC I was able to copy rilgsm.dll to \Windows. But simlock.* are a different story and I wasn't able to delete them.
Anyway, using this version of rilgsm causes the phone connection to die: it cannot be set on from Comm Manager. And then after some time, Comm Manager throws two or three errors.
It's an HTC Touch from Claro, Argentina. The ROM is http://forum.xda-developers.com/showthread.php?t=442391
Code:
Touch version : Elfin
Device ID : ELF010150
CID : BSTAR301
IPL : 2.24.0002
SPL : 3.07.cmonex
ROM Version : 3.07.720.03
ExtROM Version : None
Operator Version: None
AKU Version : 1.2.7
Page Pool : 12 MB
RAM Size : 128 MB
ROM Size : 256 MB
Model No. : ELF0100
Part Number : 99HEH129-00
MCC+MNC : Not found
Any information you guys want or some tests that could be run in the device, just tell me.
Cheers.
Not worked Elf 3450 (64/128)
The idea was great, but it did not work with the Elf 3450 (64/128)...
My device was patched (IPL 2.27/SPL 2.28 cmonex) and the ROM is ELVES ROM V5.0 - CE OS 5.2.2021.
No "SIMLock.exe" and "SIMLock.exe.0***.MUI" files were found in the windows dir, so I just copied this file (unlocked "rilgsm.dll") to the windows dir and did a soft reset.
Result: device hanged.. new soft reset: boot ok, but no radio (even trying to turn it on manually), just wi-fi working.. (nice to make calls from skype)
I don't have any clues about how to bypass simlock..
Any help will be appreciated.
Cheers
RILGSM.dll is not locked/unlocked
The thing is, that file controls GSM<-->PDA radio functions. As you took RILGSM from a "test" rom (is unlocked one)
When you SIM unlock a device, it doesn't overwrite RILGSM with "unlocked" properties
The solution will be rewrite a RILGSM.dll file, and write a SIMLOCK.exe file with spoof properties to make think device is unlocked
