Vox bootloader - HTC Vox

Inspired by some threads in the Hermes and Trinity forums I started to explore the VOX bootloader. You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version. In connection settings of activesync uncheck "allow USB connections" and connect PC and Vox with a USB cable. The PC will recognize the Vox and install an interface driver.
You need the MTTY to talk with the bootloader and send it commands. The Hermes wiki provides some good information and also has a link to MTTY:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
Unfortunately the Vox bootloader (v1.16.0000) doesn't display help information. The first command you should enter is password. I found a password for Trinity and Hermes which also works for Vox:
password BsaD5SeoA
Here are a couple of other commands which work: emapiWlanEERW, emapiInit, emapiWlanMac, emapiPwrDwn, emapiRead, emapiTest, emapi, cpldver, DumpReservoir, CheckImage, calcrccheck, getdevinfo, ruustart, ruurun, progress, wdata, password, mbr, set, atcmd, ResetDevice, BTRouting, BTTestMode, SetDebugMethod, IMEI, ls, lnbs
I would like to find a way to dump the SPL and ROM to SD-card or to PC. I tried a couple of things (r2sd, d2s) to no avail.
Anyone else some ideas?
Update1
I got stuck in the bootloader and luckily found how to boot into the OS again:
http://forum.xda-developers.com/showpost.php?p=1094479&postcount=11
password BsaD5SeoA
ruurun 0
ResetDevice
Update2
I discovered the 'ls' command. AFAIK it allows dumping the ROM parts like SPL, IPL, splashscreen when the device is CID unlocked. My unbranded S710 is SIM unlocked, but unfortunately not CID unlocked. When I issue 'ls' there's a "not allowed" error.

Update3
I found a 'good' VOX ROM upgrade (the ones on the XDA FTP are all corrupt): RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship
Another upgrade ROM is the Dopod:
RUU_Vox_DOPODASIA_WWE_1.19.707.3_4.1.13.37_02.83.90_Ship
I used NBHextract.exe to extract both ROMs. The SPL bootloaders are attached.
NBHextract shows following info for the 1.15 Vox ROM upgrade:
Code:
Device: VOX010100
CID: HTC__001
Version: 1.15.405.2
Language: UK
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_GSM.nb
Extracting: 03_MainSplash.nb
Encoding: 03_MainSplash.bmp
Extracting: 04_OS.nb
and this for the Dopod upgrade:
Code:
Device: VOX010100
CID: DOPOD001
Version: 1.19.707.3
Language: USA
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_MainSplash.nb
Encoding: 02_MainSplash.bmp
Extracting: 03_GSM.nb
Extracting: 04_OS.nb
Update4
I managed to back up my S710 using itsme's "bkondisk" tool and "prun" from his itsutils suite here and here. Copy bkondisk.exe to /Windows on your device.
After running this on your PC
Code:
prun bkondisk.exe "\Storage Card"
following files are created in \Storage Card and a log file "bkondisk.log" in \
Code:
bk_00_0000.img - IPL : ONBL1 + ONBL2
bk_02_0005.img - GSM + splash + gsmdata + simlock + serialnrs
bk_03_0025.img - OS
bk_06_0001.img - SPL
bk_08_0205.img - userfilesystem
I compared a couple of these .img files with the .nb files extracted by NBHextract from an official RUU. The IPL and SPL look quite okay, but the OS is mapped totally differently. So don't think you can just rename for example bk_03_0025.img to OS.nb in order to have a flashable file!! I have attached my dumped SPL, which is version 1.16.
Next mission is to find a 'good' (not corrupted) version of the RUU_Vox_HTC_WWE_1.15.405.2_4.1.13.37_02.83.90_Test.exe ROM upgrade. See this Excalibur thread. I think the same applies to S710
Update5
With Dark Simpson's htc rom tool here it is possible to create a flashable image file from separate .nb files. There is also Dutty's good NBHtool 1.1, but so far I haven't tried it.
What we still need to have for flashing unsigned ROM images is a SSPL. See here and here.
Alternatively we need a so-called Update SPL (USPL) which unlocks CID and then allows flashing any ROM to your device. The version for the ELF created by the brilliant moderator pof can be found here. Since the ELF is very similar to VOX, I will study it and see if I can use it to implement a SSPL (software SPL) which allows us to also flash any ROM, but does not require flashing a USPL. I think flashing IPL and SPL is a bit too tricky atm.

Take the Elf USPL, remove the RUU folder (to be sure you don't flash anything by mistake), in the LOADER folder change the .nb file for a Vox bootloader (different version than the one on your device) and use the same name for the .nb file, then run elf-uspl.exe on your PC.
If elf & vox are so similar, this should jump to the bootloader you've placed in the LOADER folder. To check it, disable activesync usb connections and go into bootloader with mtty. Do an "info" command or whatever identifies that the bootloader you're seeing is the one you've placed in the LOADER folder and not the one actually on your device.
If you succeed in loading a custom bootloader I can help you with the don't check cid / don't check signatures... patches
Good luck!

Thanks for replying pof. I did as you said and tried it with spl 1.15 (whereas 1.16 is flashed on my S710). First I went through step1 and then went in to step2 where at 75% the screen got blank and it rebooted the phone in my native bootloader 1.16 RUU mode. I suppose that's not what we wanted to see?

Where did you find RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship? Do you have a link?
Thanks

I found it here:
http://www.leaf.co.za/Members/Member Services/Manage My Profile/

Can't Find The Bootloader For The Life of Me
Tried:
"You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version."
No Luck. I must be thick. It's gotta be just that easy... but...
The S710 simply boots into my home screen.
Can someone PLEASE post a (little) more detail about how to boot into the bootloader on the s710/vox?
THANKS.
Cheers.
** EDIT **
OK- Better bootloader entry instructions for SP noobs (like myself):
1) Turn device off
2) Unplug power/usb cable from handset
3) Press and hold camera button
4) Plug power/usb cable into handset
5) Be amazed by Blue-Green-Red Bootloader screen.

Yeah, it won't boot in bootloader mode if the usb cable is connected. Well, it's sometimes better to find out things all by yourself.
Besides, I don't think anyone other than myself is researching this stuff on Vox. Too many ordinary users and nearly no one into h*cking.
You don't have 1.04 on your phone by any chance?

RE: older bootloader
No joy.
Sorry.
It's 1.15
My SP has vanilla mods.
It's just out of the box the last 4 days in NYC!
The phone's not even available AFAIK in the US yet-- except special order.
Got mine in London last week.
Still working out the kinks.
BTW:
I'm looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? I'm beginning to think it may be a CPU issue. Thanks.

850mph said:
> BTW:
> I'm looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? I'm beginning to think it may be a CPU issue. Thanks.
Yeah saw that. I don't think it's a CPU issue, could run GSM codec just fine on a stone old iPaq. Try running omap overclocker and set it to 240MHz and see if it makes a difference. Keep using the SIP thread for any replies on this.

POF's O2/Nova Solution
jockyw2001-
I suppose you've seen Pof's post #89 (dated 4-8) in the "ELF Update SPL (USPL)" thread which calls for running enable-rapi.cab (on O2 Nova) BEFORE elf-uspl.exe?
I'd try it myself but want a few days of joy with my handset BEFORE creating a potential brick.
From my reading if the elf-uspl.exe makes it to 75% in stage 2 before white-screening-- you're close (well, 75% anyway.. wink!). Seems like Pof could have a couple of suggestions at that point. Maybe he'll be kind enough to comment?
You're on it.. but I thought I'd ask.
Cheers.

Here's something I am trying to work out-- even after many hours of reading:
I understand that there is an exploit in the 1.04 bootloader which can potentially bypass CID and Certs when flashing a new ROM image on both SPs and PPCs..
I also understand that bootloaders 1.09+ can't be downgraded.
So am I right in assuming that potential VOX ROM-chefs have at least ** TWO ** potential paths to solving the bootloader issue:
1) Find a 1.04 bootloader **AND** a tool which will load it successfully
-- Then use the exploit (which I read about-- but can't find) to flash the ROM
-or-
2) Find a way to Flash **ANY** bootloader onto the vox with elf-uspl.exe
-- Then (keeping our fingers crossed) elf-uspl.exe can be patched to defeat the CID&CERT issues with the vox
Now here's the question:
Am I right in assuming that we **DON'T** need to find a way to flash **SPECIFICALLY** the 1.04 bootloader onto the ROM **BEFORE** we can take advantage of a patched elf-uspl.exe?
Is that correct?
Cheers.

Oh yeah.. Am I right in assuming that the WM5/6 bootloaders are EXACTLY the same code (except for dated revs) across all WM SP and PPC devices-- sort of like the ability to install grub or lilo on **ANY VENDOR'S PC** no matter what OS or eventual Software Packages end up on the box?
Looked at another way:
When they talk about the 1.15 bootloader in the Blue Angel Board they are talking about the EXACT SAME 1.15 bootloader in the VOX board?
I mean, I know this has gotta be the case but I need a little reassurance here-- As I'm still a bit confused on why PPC software should run on SP devices-- even understanding that they use (generally) the same subset (WM5/6) of the CE5/6 API-- But have different CPUs.

850mph: cool to see there actually are brothers in arms.
I've tested pof's USPL extensively, but haven't got it to work (yet).
Actually you need to run enable-rapi.cab only if your phone isn't yet application unlocked, i.e. if it doesn't allow running unsigned apps. Mine is application unlocked so I can skip that step.
The next step is to load a modded SPL in RAM at physical address 0x10000000 and to run it. Once this modded SPL is running another modded SPL can be flashed.
I've tried to load an unmodified SPL in RAM (e.g. SPL 1.15) and to run it. This can be done with following 2 steps:
1) psetmem.exe -f -p 0x10000000 spl.nb
2) run haret.exe on device (can use cecopy & cerun); cerun -b CE:\haret.exe
Note: haret.exe is a linux kernel loader which was modified by pof to run a USPL from 0x10000000
What happens is that my phone reboots into the stock bootloader (SPL 1.16) in RUU mode. I have to use MTTY in order to boot the phone in WM again (see post #1 and #2 in this thread).
Actually I think haret.exe does run the SPL 1.15 which is loaded in RAM, but that at some point the code resets the device.
I'm quite sure we can run a specially prepared USPL or SSPL which allows flashing another specially prepared SPL such that the device is effectively CID unlocked which again means that any vendor's firmware can be flashed. I also think we don't absolutely need the SPL 1.04 for that purpose.

This is good info.
I see what you are trying to do now.
I'm gonna take some time to get up to speed on Dumping/Reading/Flashing from the Trinity, Hermes and Elf pages. Until then I'm afraid I'll be of little use.
Until now I've strictly been a Linux/GCC-guy. I'm tempted (but not convinced) that I want to take the time to learn Microsoft's WM5/6 IDE. It's a time issue (obviously).
But I will spend some time on the whole S710 ROM-cooking (and bootloader) issue this week. It looks manageable.
I see you have basically been mixing and matching the various ROM cooking tools-- including using Microsoft's CE PowerToys. Is there no single suite (besides the ImagefsTools) which you can recommend I look at first (with the understanding we need to solve the bootloader issue specifically for the vox first)-- I see various kitchens for various devices. Do any of them seem plausible as a starting point for an HTC/Vox kitchen suite?
GOOD LUCK.
Cheers.
** EDIT **
I REALLY think the S710/S730spec are GREAT devices-- couple of minor issues-- but just fantastic form-factors.

new in the sandbox
Hi guys,
I just got my XPA 1415 some days ago (for info, it's just the same as the others (HTC S710, SPV E650 and Vodafone V1415, VOX, ...) but from Swisscom (Swiss provider)).
I've been reading around and found this thread that was the most related. I actually tried to use the techniques provided by jockyw2001 with no luck.
Doing a prun bkondisk does not work, neither any of the itsutil tools. I do think that my device is somehow protected, but I've no clues how to proceed next. I'm going to continue searching, but if any of you has an idea, it's more than welcome.
If I manage to dump that *damned* ROM, I'll make it available...
I'm currently on (bootloader ONBL 1.23.0000, SPL 1.23.0000, CPLD 04)
Cheers,
Nick

Nevermind...
I think I've been able to proceed with the backup (I've used the Microsoft Security Configuration Manager) when I realized that on my system (Windows 2003 x64) the tool was not working.
Which made me think that maybe the procread and the other prun bkondisk might also have been blocked by the x64.
I've tested on my laptop (regular XP) and it works fine... just FYI !
** EDIT **
I've also tested the ELF haret with a downloaded SPL and I got the same result as jockyw2001...
BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?

nwaelti said:
> BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?
The IPL and SPL are useable. The radio dump called bk_02_0005.img is from offset 0xA0000 identical to the radio rom. The first 0xA0000 bytes are other parts, probably splash + gsmdata + simlock + serialnrs. The OS file seems not directly useable and must be reordered somehow. More interesting is the ROM reconstruction method described here. Of course first we need to be able to flash unlock the Vox. I think the SSPL is most suitable for this purpose, this may need some reversing of the SPL with IDA Pro.
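The comparison described in the post above (a dump that matches the radio ROM from offset 0xA0000 onward), as an added example that is not from the thread or from itsutils. The function names and the sample data are constructed here, and treating 0xFF or 0x00 as filler after the image is an assumption.

```python
"""Check whether a flash dump carries a reference image at a fixed offset."""
import hashlib
from dataclasses import dataclass
from typing import Optional

RADIO_OFFSET = 0xA0000   # offset quoted in the post above
CHUNK = 64 * 1024        # compare in chunks so large dumps stay fast


@dataclass
class CompareResult:
    identical: bool                 # every reference byte is present and equal
    compared: int                   # number of bytes actually compared
    first_mismatch: Optional[int]   # absolute offset in the dump, or None
    trailing: int                   # dump bytes left after the reference ends
    trailing_is_filler: bool        # those bytes are all 0xFF or all 0x00 (assumed filler)
    prefix_sha256: str              # hash of the region before the offset


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Index of the first differing byte within the common length, or None."""
    n = min(len(a), len(b))
    for start in range(0, n, CHUNK):
        end = min(start + CHUNK, n)
        if a[start:end] != b[start:end]:
            for i in range(start, end):
                if a[i] != b[i]:
                    return i
    return None


def compare_at_offset(dump: bytes, reference: bytes,
                      offset: int = RADIO_OFFSET) -> CompareResult:
    """Compare dump[offset:] against reference and describe what surrounds it."""
    if offset > len(dump):
        raise ValueError("offset lies beyond the end of the dump")
    body = dump[offset:]
    diff = first_difference(body, reference)
    tail = body[len(reference):]
    filler = not tail.strip(b"\xff") or not tail.strip(b"\x00")
    return CompareResult(
        # A truncated dump is never "identical", even if its bytes all match.
        identical=diff is None and len(body) >= len(reference),
        compared=min(len(body), len(reference)),
        first_mismatch=None if diff is None else offset + diff,
        trailing=len(tail),
        trailing_is_filler=filler,
        prefix_sha256=hashlib.sha256(dump[:offset]).hexdigest(),
    )


def build_sample():
    """Constructed stand-ins for a device dump and an extracted radio image."""
    prefix = bytes((i * 7) & 0xFF for i in range(RADIO_OFFSET))  # "other parts"
    radio = bytes(range(256)) * 16                               # 4096-byte image
    dump = prefix + radio + b"\xff" * 512                        # erased tail
    return dump, radio


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:            # usage: script.py <dump.img> <radio.nb>
        with open(sys.argv[1], "rb") as f:
            dump = f.read()
        with open(sys.argv[2], "rb") as f:
            radio = f.read()
    else:
        dump, radio = build_sample()
    print(compare_at_offset(dump, radio))
```

The prefix hash gives a stable fingerprint of the region before the offset, so two dumps of the same device can be compared there without publishing its contents.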

Thanks for that info, I'll try to go in that direction. Would be nice to find which one is splash, which one is gsm and the others below 0xA000.
I know we need to rev. SSPL. Don't exactly know where to start though. I can't flash mine with any original ROM as Swisscom is not providing any.
BTW. viewimgfs gives me back a "packing DLL not found" (or some similar). Anyone had that also?
I'll try to download IDA Pro...

It's below 0xA0000
I will do some testing again with the Vox today. I will see if I can paint the screen with a few instructions @0x10000000
I think I can not just run the SPL on VOX in the same way as you can on the ELF. The IPL on the VOX is 128kB, whereas on ELF it is only 2kB. So I think I will have to patch the IPL and run that first. I'm afraid that it will take a bit more time. Basically it will then be a SSPL (search forum for SSPL and user 'des') with both IPL and SPL patched and running in RAM.
But maybe it is also possible to patch just the SPL, because it could be that the default action initiated by IPL is to reset the device in RUU bootloader mode.
Given some time it can all be done, I'm sure.

Related

Help: My German O2 Mini dead

Dear all expert,
While trying to flash my German Black O2 mini from Ger to ENG. (Using MAupgrade_noID)
After some steps, the o2 mini turn black and display
"Serial V1.02"
At this time, even though I softreset or hardreset the device,
the same wording also appear and can't further boot.
I even use SD card method but the same wording still appear again.
Can any expert teach me how to rescue my device?
Thanks
Are you sure you did the SD-method right?
At OS 1.13.01 GER Radio 1.13.00 BigStorage you will find the latest german BigStorage ROM image available. Now do the following:
Get ntrw from this site
Get a 512 MB SD-card (maybe a 128 MB one will work, too, but I am unsure about this).
Put ntrw into C:\
Extract the RAR into C:\, which should produce C:\11301bs.nb1
Enter the following into the command line at C:\:
Code:
ntrw write 11301bs.nb1 [your SD-card drive letter, e.g. I:]
, ignore error messages
Fully load your Magician!
Disconnect your Magician from anything, especially USB
Shutdown your Magician (press power button)
Put the SD-card into the Magician
Put Magician into Bootloader-Mode (Camera+Power+Reset at once, until you have the "Serial 1.02" screen w/o backlight)
Wait some seconds for "Press power to flash" to show on screen. Do just that.
This might just work.
Thanks KK.
What's wrong is that, it seem the bootloader is dead.
While I input the SD card while entering into the bootloader.
The screen still display "serial V1.02" and hold it.
No further wording like "Press power to flash it" etc.
Is it the bootloader is dead?
I do not think so. Make sure you shut down the Magician before placing the SD-card with a fresh ROM-image written to it into your device. Power on into Bootloader-Mode afterwards.
Another option to check your loader is the following:
Shutdown the Magician
Go into Bootloader-Mode
Wait for "Serial 1.02" to be displayed
Connect to PC via USB. The Bootloader should display "USB" shortly after connecting. If it does not: Maybe really you managed to kill your loader.
What exactly did you do? I used the NOID-Tool too, and had absolutely no problems with it. Besides: I also have a bootloader version 1.02.
kk
While plugging the usb cable to the device , yes, it show "USB" on the screen then.
However, when I use the romupdate.exe and try extract the rom into SD card at this time. After pressing "d2s" , the device shut down at once. No words appear on the screen.
Do you know what does it mean?
Besides, can you tell me what is "NOID-Tool" ?
thanks
The NOID-Tool would be MAupgrade_noID, which you used.
I am not sure about it, but as your device does not boot into the OS anymore, it seems reasonable to assume, that the ROM in your device is not valid anymore, due to errors while flashing it in the first place.
So - if there is no valid ROM, there is nothing, which the bootloader can write onto the SD-card.
Please try the method suggested in previous postings before anything else. If all this fails, I have no further suggestions - your device might really be dead.
You can try regular upgrade instead of doing it through SD card.
Download shipROM, extract it and use MAupgradeNOID to run ROM and that is all you should do.
kk said:
> At OS 1.13.01 GER Radio 1.13.00 BigStorage you will find the latest german BigStorage ROM image available
Hi,
Can you upload the rom again pls? Someone removed it from the ftp site. Like to give it a try, but can't find a prepared BS-rom anywhere.
Thnx, M
Hi there!
The FTP-master kindly converted the file to ZIP format. It is now available here: ftp://xda:[email protected]/Magician/BigStorage_ROMs/DE_T-Mobile_1.13.01.zip.
Remember: I used a 512 MB SD-card to create it, so maybe it won't work with smaller ones (but I think it should, since the ROM stored within this SD-card-image is no more than 64 MB in size).
Hi KK,
I found it along with the other BS roms and feel ashamed I couldn't find them. I tried it first with my 512MB card, but the cardreader won't write the file (no question about formatting whatsoever). Tomorrow I'm going to try with my 256MB mini SD card, which I know will be written by NTRW. I'll let you know if I succeeded.
Regards, M
It works for sure with my 512 MB Kingston SD-card!
Don't bother about an error at the end of the ntrw-writing process. That's absolutely normal, since it would like to make the SD-card-drive the current drive, which is not possible after the writing process, as the SD-card now contains a ROM-image instead of a valid filesystem.
Hi KK,
Didn't manage to get it flashing. I used both cards but my magician doesn't accept the image somehow. No sign of any message like 'press power to load', not on serial nor on usb connection in the bootloader. It did work before with my own dumped rom, but lost the storage then, but it did accept the rom. Now it keeps awfully quiet. I copied the first bytes and all, so maybe I'll give it a try with another rom. I want to sort this problem out.
Cheers, M
nbfdec made my big storage
Hello KK,
Yesterday I tried with the steps from hlt, out of the radio 1.13 upgrade thread http://forum.xda-developers.com/viewtopic.php?t=32274. It doesn't involve any rom dumping or sd-card action whatsoever and it worked first time. Just one tool: nbfdec and a shipped rom. It is fast and simple. Thanks for your advice, hope others will try this method as well, because it is much easier than bigstorager and bytecopy etc.
M
The "no SD-card required"-method in this thread only works for shipped ROMs. The ROM I prepared is a combination of the latest german OS & Radio versions plus BigStorage, which is to my knowledge _not_ available in this combination elsewhere, and should therefore be the most up-to-date ROM usable for any german magician user with very few simple steps.
Since you require a non-german version, my ROM will not be appropriate for you, but this thread started out with a cry for help with a non-booting magician, and I thought, that my ROM-modification would be of some help here due to the simplicity in applying it and its actuality.
But be it as it may.
KK,
I had the same problem as Netmon, only bootloader and I couldn't make the sd flash. That's why I was looking for a decent rom. With the tooling found on this site I probably could turn my Magician from German to English again. Since all my storage was gone I could take the risk.
I solved my problem with the upgrade 1.13 thread and that method would have worked for Netmon too, I guess: just put the Magician in bootloader, connect to usb and flash with a German shipped rom or an altered version.
Anyway thanks for your time, M
Dear rilazi and all
The device has been confirmed dead by the manufacturer.
The symptoms are
1) romupdate.exe can't detect the device
2) pressing the softreset button can't reboot the device to the normal screen, it only displays "Serial V1.02" on the screen
3) Using the SD card method doesn't get any response from the device, it keeps displaying "Serial V1.02"
4) Using a shipped rom (with MaupgradeNo_id.exe) also can't detect the device.
I don't know whether it is a problem of the V1.02 version of the bootloader or not.
Before, I tried to flash many times with V1.01 with no problem.
So, everyone with a V1.02 German device (Black color Mini) should pay attention to it.
I have a bootloader v1.02, too. Absolutely no problems with flashing on my side.

Always bootloader screen

Hi, I've a Vodafone v1240 (HTC Tornado), I've tried to flash a WM6 flash to it... but... I haven't super CID unlock... the flash is OK but the phone always starts in the multicolor screen (bootloader screen)... I've tried to flash a lot of flashes but always get "invalid vendor id" or "only upgrade"... I've tried too with TyphoonNbfTool to edit the nbf and change the vendor id.. but always get the same message ("invalid vendor id" or "only upgrade")...
How can i recover my phone? :S
Thanks
Sendoa
Determine your original CID first, to do this type:
Code:
info 2
into mtty or teratermpro and paste the output in the thread
Phil
Ahh, there you are! Are you or duke_Stix still planning to cook some newer ROMs or remove bugs from the existing one? We hardly see you guys around these days.
I get this... what is the original CID?
info 2
GetDeviceInfo=0x00000002
+ SD Controller init
- SD Controller init
+StorageInit
***** user area size = 0x3CE40000 Bytes
HTCSVODA0504 㱍dHTCE
Cmd>
@anandoc: I've been fairly busy lately what with Jury Service etc but I've got a beta version in progress
Changelog:
HTC Task Manager inc
HTC File Manager inc
Application Unlocked
Fixed WiFi
HTC Comm Manager inc
Removed Wireless Manager
Removed Debug Apps
Removed Marketplace
Removed Office
Removed Voice Command
Removed Windows Update
Added Bluetooth DUN support for TomTom compatibility
Added Bluetooth FTP protocol
Extra's (as a separate download)
Office
MMS (semi working)
HTC Clear Storage
Jeodek Java
Button fixes
xT9 (for those who prefer it over standard T9)
xT9 lang packs (split into separate languages)
TCPMP
wm5torage
VoIp
Localisations:
Polish
Czech
Russian
However at the moment I'm having issues with initflashfiles.dat, once these are sorted, it will probably be released the same day.
Back to the topic:
Ok, using typhoonnbftool v0.41 open up a tornado nbf (wm6 or official, it doesn't matter) and then edit the header data so that the Operator field reads:
Code:
VODA0504
That is your original CID
Then save the nbf and flash it to your device
Phil
done but...
Hi, I've done it but... I always get an "only upgrade"... it only lets me reflash the WM6 flash.. but it always returns to the bootloader screen :S what am I doing wrong? :S
Thanks anyway
Sendoa
Try adjusting the version numbers to something ridiculous like 99.99.99.99 as well
Phil
jm012a9749 said:
> @anandoc: I've been fairly busy lately what with Jury Service etc but I've got a beta version in progress
> Phil
Hey Phil, Thanks very much for the update ! Your hard work is much appreciated here !!
Me too
I'm having the same problem as Sendoa. I flashed the WM6 ROM to my 8310 but after 100% completion, the phone re-started in bootloader mode.
I can flash it again with the WM6 but the same thing happens each time (bootloader mode). I've tried to flash with several other ROMs but each time I get the "Invalid Vendor ID" error before flashing begins.
I've tried the Typhoonnbftool tool to change the header as suggested earlier in this thread but without any success. My CID is 'DNG_0501'. I'm still stuck in bootloader mode.
I'd appreciate any assistance.
Thanks,
Straker.
Sorted
Sorted. Found another ROM (the fifth I've tried) that would flash without the 'Invalid Vendor' message. It let me get back to a standard WM5 setup.
Solved
Thanks to all
I flashed it with a Cingular flash with version changed to 79.79.79.79 and operator changed to VODA0504, and it works again.. then I unlocked the CID and flashed the WM6 flash and it is working with it.
Thanks again
Wow, that's cool, means I can flash my phone to WM6 without voiding my warranty ( I still got 5 months left )
Straker said:
> Sorted. Found another ROM (the fifth I've tried) that would flash without the 'Invalid Vendor' message. It let me get back to a standard WM5 setup.
Where did you get your flash from?
typhoonnbftool is creating only 1kb file of nk.nbf
Hi,
I have the new typhoonnbftool, got it from sourceforge. When I try to edit the headers of an Imate rom to make it for the xpa swisscom v1240 with the CID "VODA0505" I get only a 1kb nbf file. I tried lots of things but no luck at all.
kind regards
Fakbrenjeri
Similar problem
I've used Typhoonnbftool to change header, but the resulting file is only ever 1kb or smaller! What am I doing wrong?
Small nbf
Straker,
Where did you get the rom that worked?
timwb said:
> I've used Typhoonnbftool to change header, but the resulting file is only ever 1kb or smaller! What am I doing wrong?
use typhoon tools 0.4.1...
ftp://ftp.xda-developers.com/Uploads/Smartphone/Tornado/Shipped_Complete_Updates/I-mate
use the rom from here..
Stuck on BootLoader
Hi there!
I've tried everything that I could find here and still no luck...:-\
I've an SPV C600 and when I upload the Imate ROM it stays stuck on the BootLoader.
It only works if I upload the Orange Upgrade ROM...
I can't SuperCID it, since no app has worked till now...
What can I do?
Thank you!
try this:
http://forum.xda-developers.com/showthread.php?t=285344

HTC Kaiser SSPL v1 (or flashing any rom 4 free)

* THIS WILL WORK ON KAISER ONLY - FOR GENERIC METHOD SEE JumpSPL *
This tool allow to flash any Kaiser ROM bypassing CID and signature check.
You'll be able to change the ROM language, flash cooked roms, custom splash screens, etc...
FEATURES
Code:
1. SuperCID / Security Level=0
2. Does not check NBH signatures
3. Based on 0.92 Shipped SPL
4. Accept any Model ID
5. Disabled initial SD card loading to prevent hang
INSTRUCTIONS
Transfer SSPL-KAIS.exe to your Kaiser
Connect the USB cable and run SSPL-KAIS.exe (on kaiser, not on PC!)
Click "Continue", the Bootloader tri-color screen should appear
Check SPL version number: if it ends in ".JumpSPL" then everything is fine.
Unplug the USB cable and re-plug it
Device is ready to flash any ROM, you don't need ActiveSync at all.
DISCLAIMER
This software is free to use but at your own risk, I take no responsibility for any conflict, fault, or damage caused by this unlocking procedure. No warranties of any kind are given.
DONATIONS
Your donations are a strong incentive to continue research on new devices, if you find JumpSPL useful please consider making a PayPal donation. Any donation amount is greatly appreciated.
Enjoy!
--------------------
UPDATE: Found a problem on SSPL where it will hang when flashing a full ROM with a new RUU due to the NBH buffer being smaller in SPL-0.92. I removed the link and will update Kaiser SSPL version when I have some free time. At the moment, please use Kaiser Hard-SPL, this is safe.
For those of you who had the phone stuck in bootloader mode after a flash with SSPL stopping at 16%, follow these instructions to unbrick your phone:
1. Download mtty.exe
2. Disable activesync (connection settings -> uncheck "allow usb connections")
3. Connect your Kaiser to PC using USB cable.
4. Open mtty, select USB port and click OK.
5. Hit ENTER twice, you should see the "Cmd>" prompt.
6. Type the command "boot", you should see something like this:
Code:
Cmd> boot
InitDisplay: Display_Chip=1
No card inserted
OSSIReadBack ++
Read SI data from flash success
tail signature match
Checksum match
UserStorageSIPreload ++
After that device should boot WM6 again, you can now re-enable USB connections in activesync and flash HardSPL
OMG thank you POF!!! You are truly the MASTER!!
Question: how do we go about dumping and using Imgfs tools in Kaiser ROMS?
Can you give us a basic run down since it's different than the Hermes please
Okay, excuse my ignorance, but when you say Kaiser, do you mean all versions of the Kaiser, like the ATT Tilt (8925), or just the HTC Kaiser? Please don't beat me up
austinsnyc said:
> Question how do we go about dumping and using Imgfs tools in Kaiser ROMS?
See here how to dump the ROM: http://forum.xda-developers.com/showthread.php?t=334680
I've not researched yet on how to use ImgfsTools, reconstruct dumped roms, etc... but should not be very different from what you already know from hermes, just be creative
kman79 said:
> when you say Kaiser, do you mean all versions of the Kaiser, like the ATT Tilt (8925), or just the HTC Kaiser?
All versions
now the race is on for who comes out with the first ultra lite, mega storage space slim downed rom, who will it be.......
pof! you are tha MAN!
Thanks!
Donation to follow...
-Syrius
pof said:
> * THIS WILL WORK ON KAISER ONLY - FOR GENERIC METHOD SEE JumpSPL *
> 3. Based on 0.92 Shipped SPL
was this from me??
- Syrius
Syrius_B said:
> was this from me??
Yes Thanks mate!
pof said:
> Yes Thanks mate!
anytime
- Syrius
HI Pof,
Does this also SIM unlock the device?
Or if I use this CID unlock and load the HTC rom will that SIM unlock the device?
Thanks
OMG, wonderful.... now only need some research on how to repack dumped/modified ROMs... any approach?
THANKS Pof you are incredible...
botap said:
> HI Pof,
> Does this also SIM unlock the device?
> Or if I use this CID unlock and load the HTC rom will that SIM unlock the device?
> Thanks
Only CIDUnlock.... SIM Unlock is not ready...
pof said:
> See here how to dump the ROM: http://forum.xda-developers.com/showthread.php?t=334680
> I've not researched yet on how to use ImgfsTools, reconstruct dumped roms, etc... but should not be very different from what you already know from hermes, just be creative
> All versions
Hi POF, I have tried the above method using pdocread but keep getting an error, not sure if it's because I'm using Windows Vista Ultimate.
duttythroy said:
> Hi POF, I have tried the above method using pdocread but keep getting an error, not sure if it's because I'm using Windows Vista Ultimate.
I manage to dump mine without problems using Vista Ultimate too ... if you get this error when executing pdocread
Code:
C:\itsutils>pdocread.exe -l
Copying C:\itsutils\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart ActiveSync
You have to modify this registry key, and then softreset using power button:
HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1
dword: any thing other than 1 disallows unsigned
dword: 1 allows unsigned
(extracted from Hermes wiki and tested on Kaiser)
jcespi2005 said:
> I manage to dump mine without problems using Vista Ultimate too ... if you get this error when executing pdocread
> Code:
> C:\itsutils>pdocread.exe -l
> Copying C:\itsutils\itsutils.dll to WCE:\windows\itsutils.dll
> Could not update itsutils.dll to the current version, maybe it is inuse?
> try restarting your device, or restart ActiveSync
> You have to modify this registry key, and then softreset using power button:
> HKLM\Security\Policies\Policies
> valuename '00001001' was set to dword:2, change it to dword:1
> dword: any thing other than 1 disallows unsigned
> dword: 1 allows unsigned
> (extracted from Hermes wiki and tested on Kaiser)
just found it on the wiki, thanks
help
@jcespi2005 just tried it, changed policies to dword 1, tried the same command but now getting this error.
c:\itsutils\pdocread.exe is not a valid Win32 application
what to do
duttythroy said:
> @jcespi2005 just tried it, changed policies to dword 1, tried the same command but now getting this error.
> c:\itsutils\pdocread.exe is not a valid Win32 application
> what to do
Works fine for me... Try to download latest version of pdocread here...
http://www.xs4all.nl/~itsme/projects/xda/tools.html
Big problem
Hi all, I have a big problem. I have tried to flash my Kaiser from SRF and using kaiser_JumpSPL_pof_v1. At 16% the copy hung and the ROM wizard told me to remove the Kaiser battery.
After that I lost my old ROM and I have the SPL from the factory! And I don't have any copy of my old ROM.
And my phone is locked...
So how can I copy and execute kaiser_JumpSPL_pof_v1 on my device to try to flash the Kaiser again?
thx for your help
Titosa
Instructions to unbrick posted in the first post.
I'm closing this thread until I have time to post an updated and hopefully working version...

O2 XDA Mini S (G4) Not flashing

Well, i've flashed the X50v and HTC Touch Elfin before, however I seem to be having some problems with the Wizard. I'm trying different ROMS and none seem to be working. Once a flash appeared to go through correctly, and the splash screen at startup was changed, but it still booted into WM5.
Now even though it is CID unlocked, it says that the RUU is out of date and won't update the phone.
IPL is 2.21.0001
SPL is 2.21.0001
have you downloaded and flashed with Wizard_Love_2.26.10.2_WWE_Novii_CF2 first? if not then do. using the SoftSPL-V0.1 just extract then copy over the nk.nbf file, after which do the same for the wm6 rom you wish to use. i advise using the TNT.20273_Professional_Wizard_HTC_Home_FREE rom or the TNT.20273 Professional Wizard rom. either are good roms.
i have the same phone and it worked a treat
Obsidiandesire said:
> Well, i've flashed the X50v and HTC Touch Elfin before, however I seem to be having some problems with the Wizard. I'm trying different ROMS and none seem to be working. Once a flash appeared to go through correctly, and the splash screen at startup was changed, but it still booted into WM5.
> Now even though it is CID unlocked, it says that the RUU is out of date and won't update the phone.
> IPL is 2.21.0001
> SPL is 2.21.0001
How do you confirm it's CID unlocked, as a G4 device cannot be CID unlocked and with its present IPL/SPL it isn't even HardSPL?
A G4 phone can only be upgraded to wm6, either through SoftSPL or HardSPL. You can read about them in the G4 sub forum, posted as stickies.
Thanks for the help guys, for some reason the hardSPL wasn't working, but now I have 6.1 on my phone! I have another problem, however, which I'm going to create another thread for later today. Here it is if anyone sees this:
Since upgrading to Winmo6.1, my keyboard layout has been broken. I have an O2XDA MiniS, so it's a UK phone.
Here's the layout I should get:
QWERTYUIOP
ASDFGHJKL (Del)
(cap)ZXCVBNM(up)(Enter)
(Dot)(Tab)(Windows)(Ok)(Space)(period)(left)(down)(Right)
And with dot-shift (Don't know the actual term)
1234567890
[email protected]#$%&*() (Del)
(cap) - _ € £ + = ; : (enter)
(dot) ~ (Win) " (sym what does this do?) , ' / ?
This is what I Get
QWERTY is exactly the same, its the symbols with Dot-Shift that have changed
123456790
[email protected]#$%&() (del)
(cap) ` -_+ = * ; : (Enter)
(dot) (Tab[Should be ~]) (win) " , ' / ?
I have tried the Et9 cab file which didn't seem to do anything, let alone work.
There was a post I saw which had a link to a rapidshare file which has now expired.
Some people have tried registry settings, that hasn't worked for me.
I've spent the last hour searching, this keyboard means a lot to me.
I bought this phone for my girlfriend but ended up keeping it since I love the keyboard, sometimes do Python scripting on the go, editing word docs + email browsing is easier. So she now has my Touch Elfin (which is newer)
So yeah, i'll pretty much copy + Paste that into a new topic if this doesn't get any replies by say 8PM GMT?
I don't really like making hundreds of new topics for every little problem I Have. Otherwise there'd be one for Opera + Hardware buttons (Plus the internet button on HTC home screen)
one for it not staying in landscape mode when the keyboard is down, and one for my myriad of MiniSD card troubles
sorry forgot about this issue about the keyboard. it's simple to put it back to uk even if it's a pain.
step 1 open regedit
step 2 open HKEY_CURRENT_USER
step 3 open ControlPanel
step 4 open Keybd
step 5 select Locale and change it from 0409 to 0809
and now everything should be in the right place
anything else feel free to ask

[REF] Easiest way to SIM unlock your Elf/Elfin even if it's "MCC+MNC = None"

First of all, sorry for my bad english...
Here goes the best way I found to unlock all Elf/Elfin, even those with the deadly "MCC+MNC=None" (which is my elfin).
I saw some people say that when flashed with "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" the phone is not SIM locked anymore, but after reflashing with another rom it got locked again.
I tried that myself and it was true, I flashed "Elf_Elfin_2.11.0.0_MFG_ModuleBuild", then flashed other rom (with only the OS part) over it and bam, was locked again.
So the locking part should be in the OS. After looking over the system files, I found two files (SIMLock.exe and SIMLock.exe.0416.MUI [my OS was BR Portuguese]) and thought "here is the locking problem" (because "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" doesn't have those files in the system folder!). Then I deleted those files and it wasn't SIM locked anymore... but it didn't find any networks.
So I searched a little more (google is your best friend in times like this) and discovered that the file rilgsm.dll is responsible for the network... It starts and calls SIMLock.exe, if SIMLock.exe returns a valid SIMcard, then rilgsm.dll starts the network service.
So that's the difference between "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" and the other roms, its rilgsm.dll doesn't have the part that calls to SIMLock.exe, it just starts the network service based on the SIM card you have inserted.
So I just took that dll from that test rom and copied over another rom and it worked like a charm!
Enough talking, here's what you gotta do to SIM unlock your Elf/Elfin (no matter what rom you have):
You will need this file (unlocked "rilgsm.dll")
- Extract the file you just downloaded to a temporary folder.
- Turn on your mobile WITHOUT the SIM Card.
- Connect your Elf to your PC (activesync).
- Find the files "rilgsm.dll", "SIMLock.exe" and "SIMLock.exe.0***.MUI" (the *** depends on the language of your OS) in the windows folder of your mobile and make a backup of them (in case you want to SIM lock it again).
- Copy the extracted "rilgsm.dll" over the one on the windows folder (say yes when it asks to replace the file).
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
- Turn off your mobile.
- Insert any SIM Card (that didn't work before) and turn your mobile on again and enjoy your newly unlocked ELFin!
If you intend to flash some other rom, just copy the dll again and it's ready to go.
Hope this helps.
Great find!!!
For Rogers users who are using the regular stock ROM, it is probably a good idea for them to use the regular free unlocking method because rilgsm.dll is responsible for Rogers Name Display. Other than that, I hope it works well for everyone else!!!
Anyone else tried this?
yes, I have, did not work. phone does not have simlock.exe or simlock.exe.xxxx.mui on windows folder, and just replacing rilgsm.dll does not affect carrier lock. when inserting sim card from other operators, it still asks for subsidy code.
Tested phone is:
ELF010050
BSTAR502
IPL: 2.24.0002
SPL: 2.26.0000pof
99HEH077-00
Operator Tim Brazil
ps.: I tried as well when phone was with stock rom, and was the same thing.
br
Good idea!!
I haven't tried your procedure but I also know that OS contained in "unbricker rom" (test only rom) do SIM unlocking, so I believe this will work . I will try it soon in my free time. Thanks!!!
I'll try to reflash my elfin tomorrow and do some other tests with it, to see if there are any problems with some specific roms.
My elfin:
ELF010050
BSTAR502
IPL 2.24.0002
SPL 2.24.0000
99HEH077-00
Claro Brazil
I'll post something more tomorrow.
Sorry for the lack of testing before posting (newbie yet).
i would feel better by patching or replacing the simlock.exe file instead of changing the dll.
zerostuff, why don't you add a poll to this thread to see if it works for most people?
Thank you for the idea dsixda.
I sent the .exes and .dlls to a friend of mine and asked him if he can find the locking part in those files (because i'm just a normal user and don't know anything about hex editing and stuff).
And I'm still testing some roms on my elfin to see if I can find a working and a non-working way to unlock it (so far, all the roms are working).
thinking of buying a htc elf
hi all im thinking of buying a htc elf but its locked to orange is it easy to unlock and get rid of the orange start up logo .
would you give me step by step guide on how to do it ?
thanks in advance
As you can see, some is easy to unlock others no solution yet...
@ zerostuff
elfin ELF010050 BSTAR502 from Vivo Brazil, had the simlock.exe and simlock0416.exe.mui. I replaced those files with a small clock app, and replaced rilgsm.dll, and it did not work (error 'unavailable file', and then hang). So, I deleted the simlock.*, and phone got into menu, but no signal.
indeed, this is a way to go, but still need improvements.
@ chester-lad-2009
search board, there are many topics regarding that. this topic is not for that discussion.
br
zerostuff said:
> - Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
hi, i use onyx 4.43 rom and when i try to delete, a message tells me "could not delete". i try in windows and in my elfin too using total commander and sktools. how can i delete these files?
I've try on my HTC Touch 3450 (PT) substitute the file and i can't! And i can't found these 2 files...
Using Total Commander
First we move the rilgsm.dll to windows folder, then delete the two files SIMLock.exe & SIMLock.exe.0***.mui, and ignore the Warning! Could not delete 1 file(s)...
Then reboot the ELFin and it's done....loooooool... No need to put codes...
Just doing those steps, it's done the SIM_Unlock
Strange??? i don't know, but works
Note: Tested with One PT ELF and One ELFin BRS, worked fine!!!
Great post works like a charm!
i needed to use another explorer since my original rom doesn't let me move or copy windows folder files!
i used WinFileCE.exe to do the trick, and it worked!
1 more thing, is it possible to cook a rom with these files inside!? because if i hard reset the phone it relocks itself by this method!!
Are these two files really removed???
I can't remove these two files because the cellphone is using them, how can i stop processes on Windows Mobile?
Using TC I was able to copy rilgsm.dll to \Windows. But simlock.* are a different story and I wasn't able to delete them.
Anyway, using this version of rilgsm causes the phone connection to die: it cannot be set on from Comm Manager. And then after some time, Comm Manager throws two or three errors.
It's an HTC Touch from Claro, Argentina. The ROM is http://forum.xda-developers.com/showthread.php?t=442391
Code:
Touch version : Elfin
Device ID : ELF010150
CID : BSTAR301
IPL : 2.24.0002
SPL : 3.07.cmonex
ROM Version : 3.07.720.03
ExtROM Version : None
Operator Version: None
AKU Version : 1.2.7
Page Pool : 12 MB
RAM Size : 128 MB
ROM Size : 256 MB
Model No. : ELF0100
Part Number : 99HEH129-00
MCC+MNC : Not found
Any information you guys want or some tests that could be run in the device, just tell me.
Cheers.
Not worked Elf 3450 ( 64/128)
The idea was great, but not worked with Elf 3450 ( 64/128)...
My device was patched (IPL 2.27/SPL 2.28 cmonex) and Rom ELVES ROM V5.0 - CE OS 5.2.2021.
No files found in windows dir "SIMLock.exe" and "SIMLock.exe.0***.MUI", so i just copied this file (unlocked "rilgsm.dll") to windows dir and i did a soft reset.
Result: device hanged.. new soft reset: boot ok, but no radio (even trying to turn it on manually), just wi-fi working..(nice to make calls from skype )
I don't have any clues about how to bypass simlock..
Any help will be appreciated.
Cheers
RILGSM.dll is not locked/unlocked
The thing is, that file controls GSM<-->PDA radio functions. As you took RILGSM from a "test" rom (is unlocked one)
When u sim unlock a device, it doesn't overwrite RILGSM with "unlocked" properties
The solution will be rewrite a RILGSM.dll file, and write a SIMLOCK.exe file with spoof properties to make think device is unlocked
