I tried to use the 'tera term pro' and send the command : r2sd all
I got the message :
Cmd>r2sd all
***** user area size = 0xF140000 Bytes
R2SDBackup() - Download type = 6
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
I need the password for the command password [password] to be able to dump the rom
Any ideas ?
Thx a lot for help
Hi All,
I used aWizard to read out my Wizard's ExtRom, but do not know how to write it back.
I want to read out the ExtRom in .nba format, I studied the aWizard , I believe since " pdocread.exe 0 0x3900000 ROM\OS.nba " can read out the os, then theoretically " pdocread.exe ??? 0xA00000 ROM\ExtRom.nba " should be able to read out ExtRom in .nba format.
I do not know about programming, can someone be kind enough to point out what the ??? in above should be.
Will the following info has some hints?
Cmd>r2sd all
***** user area size = 0x1E100000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
Start address = 0x80000000 , Length = 0x800 (IPL)
Start address = 0x80000800 , Length = 0xC0000 (SPL)
Start address = 0x800C0800 , Length = 0x40000 ( )
Start address = 0x80100800 , Length = 0x280000 (GSM)
Start address = 0x4E3D4C0 , Length = 0x3900000 (OS)
Start address = 0x743D4C0 , Length = 0xA00000 (EXTROM)
Thanks a lot!
Any idea about " pdocread.exe 0 0x3900000 ROM\OS.nba "?
Is 0 the starting offset address & 0x3900000 the size of the os rom part?
I have read the info in wiki.xda-developers.com, but my programming knowledge is too bad for me to understand it!
(just for reference), i posted a detailed explanation on http://www.spv-developers.com/forum/showthread.php?t=2888
willem
i'm update from WWE to 1.3.13.7CHT,i have 2.18.13.2 CH rom, but can't update again,The error code 296.
I used MTTY to load 838 rom, but the trouble again.
r2sd all
***** user area size = 0x7820000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
Anyone can solve my problem!
THX
i'm using the hermes/artemis reference to see what works and not
first: almost every other commands give the "Command Error"
the wdata exists and gives: Command is Locked!
The first thing will be to get into the radio bootloader - seems that the password is fixed. As far as the bootloader I hope that it can be downgraded.
---
info 2:
HTCSHTC__102Ã;¿HTCE
info 3:
HTCST
info 4:
IsAllBytesTheSame-: dwLength=8, bResult=0
HTCSHTC__102Ã;¿HTCE
info 6:
HTCST ÚÈÒHTCE
info 7:
HTC Integrated Re-Flash Utility, Common Base Version : 1.51b
Device Name: TRIN100, Bootloader Version : 1.06.0000
Built at: Oct 19 2006 20:31:29
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0xA
Main Board version=0x5
info 8:
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
-----
task 32 : Level FF
-----
checkimage
IPL CRC checksum = 0x96BE3C47
SPL CRC checksum = 0xBA45D40C
CE CRC checksum = 0xE86D6EC6
ExtROM CRC checksum = 0x3FBE8D13
Radio Image CRC checksum = 0xAB599ED8
-----
progress - shows bar
SD Upgrade
I tried the SD upgrade method.
I placed an nbh file on it called TRINIMG.nbh but after cheking gaves me "NOT ALLOW" 00028002
Any ideea ?
As your seclevel is FF, the CID on the NBH should be the same on your device. info 2 shows your CID = HTC__102 (HTC Germany), so you need to put an HTC german rom in the TRINIMG.nbh file or CID unlock your device.
Nice work on the bootloader
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
getdevinfo
ResetDevice
progress
ruustart
rbmc
password
info
task
emapi
btrouter
wdata
lnbs
erase
checkimage
checksum
wdata
wdatah
Click to expand...
Click to collapse
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
Click to expand...
Click to collapse
excellent. i'm in office only with my trusted Universal (i'll fill up all the info tonight).
from artemis Wiki:
Artemis Bootloader Password
Seems that artemis bootloader password is static: BsaD5SeoA
If you enter this password in mtty terminal, you may not be able to boot device into Windows, only in bootloader. Be carefull.
It's meaning that Artemis has the same bootloader (or similar) with trinity.
The question: why it cannot get out from the bootloader ??
decebal said:
It's meaning that Artemis has the same bootloader (or similar) with trinity.
Click to expand...
Click to collapse
No, if you compare SPL they are very different one from the other.
Trinity's SPL is more similar to Hermes SPL, but Artemis SPL is different.
decebal said:
The question: why it cannot get out from the bootloader ??
Click to expand...
Click to collapse
probably you just need to 'set 14 0' or hard reset to go back to OS, I don't know... the wiki edit was done by fdp24, he can probably explain
pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
Click to expand...
Click to collapse
Cmd>getdevinfo
GetDevInfo: Get CID OK
HTCSTRIN100HTCE
--
Reset Device - works
--
Progress - works
--
ruustart - blocked - hard reset needed
--
rbmc - not working
--
password works with the password BsaD5SeoA
--
info - works as in wiki
--
task - works as in wiki
--
emapi and btrouter - blocks the device
--
wdata - works with the password provided
--
lnbs - not working
--
erase - working
HTCST ÚÈÒHTCE
--
checkimage - working as in wiki
--
checksum - seems working
--
wdatah - not working
seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
thanks
Nice work on the wiki decebal
Answers to your comments:
rbmc and lnbs - probably only work on SuperCID devices.
emapi and btrouter - I think it switches to wlan or bluetooth and disables USB connection.
wdata and wdatah - In hermes wdatah is for flash NBH and wdata for flash NBF in preproduction devices. Have you captured a full ROM upgrade using USB monitor?? which one it uses the RUU? Probably it has a dynamic password which enables wdatah for NBH files. Does 'info 3' works as in Hermes (you need to watch usb monitor output, can't see in mtty generally).
decebal said:
seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
Click to expand...
Click to collapse
Generally by flashing a ROM matching your CID with bootloader 1.04.
rbmc is not in spl in Artemis device. On Trinity probably too.
These are some commands for Artemis:
Could be similarity for Trinity
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*****************************************************************************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
*****************************************************************************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*****************************************************************************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*****************************************************************************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*****************************************************************************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*****************************************************************************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
*****************************************************************************************************
Cmd>emapiPwrDwn
*****************************************************************************************************
Cmd>emapiRead
Parameter Wrong!!
*****************************************************************************************************
Cmd>getdevinfo
Need password!
*****************************************************************************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*****************************************************************************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*****************************************************************************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*****************************************************************************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*****************************************************************************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*****************************************************************************************************
Cmd>ResetDevice
no comments
*****************************************************************************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*****************************************************************************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
*****************************************************************************************************
Cmd>GPSRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
*****************************************************************************************************
password BsaD5SeoA - this is static password used during flashing device. (USB sniffer)
battery seems to be charging during bootloader.
If you stuck at bootloader during manipulations with commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run rom flasher even on CID locked device. It will give you error message about Device ID or something, but your device will be back to normal and boot normally.
i don't bakup my k-jam and
don't boot , white screen
Cmd>r2sd all
***** user area size = 0x3D680000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
Cmd>
IPL 2.16
SPL 2.16
where download sd.img for my k-jam restoring
please help me, thanks for everything.