Trinity bootloader - P3600 Software Upgrading

I'm using the Hermes/Artemis reference to see what works and what does not.
First: almost every other command gives the "Command Error".
The wdata command exists and gives: Command is Locked!
The first thing will be to get into the radio bootloader - it seems that the password is fixed. As for the bootloader, I hope that it can be downgraded.
---
info 2:
HTCSHTC__102Ã;¿HTCE
info 3:
HTCST
info 4:
IsAllBytesTheSame-: dwLength=8, bResult=0
HTCSHTC__102Ã;¿HTCE
info 6:
HTCST ÚÈÒHTCE
info 7:
HTC Integrated Re-Flash Utility, Common Base Version : 1.51b
Device Name: TRIN100, Bootloader Version : 1.06.0000
Built at: Oct 19 2006 20:31:29
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0xA
Main Board version=0x5
info 8:
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
-----
task 32 : Level FF
-----
checkimage
IPL CRC checksum = 0x96BE3C47
SPL CRC checksum = 0xBA45D40C
CE CRC checksum = 0xE86D6EC6
ExtROM CRC checksum = 0x3FBE8D13
Radio Image CRC checksum = 0xAB599ED8
-----
progress - shows bar

SD Upgrade
I tried the SD upgrade method.
I placed an nbh file on it called TRINIMG.nbh, but after checking it gave me "NOT ALLOW" 00028002
Any idea?

As your seclevel is FF, the CID on the NBH should be the same on your device. info 2 shows your CID = HTC__102 (HTC Germany), so you need to put an HTC german rom in the TRINIMG.nbh file or CID unlock your device.
Nice work on the bootloader

I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
getdevinfo
ResetDevice
progress
ruustart
rbmc
password
info
task
emapi
btrouter
wdata
lnbs
erase
checkimage
checksum
wdata
wdatah
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?

pof said:
> I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
> Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
> There's also the static password: BsaD5SeoA
> Can you add all this info to the wiki?
excellent. i'm in office only with my trusted Universal (i'll fill up all the info tonight).

from artemis Wiki:
Artemis Bootloader Password
Seems that artemis bootloader password is static: BsaD5SeoA
If you enter this password in mtty terminal, you may not be able to boot device into Windows, only in bootloader. Be careful.
This means that Artemis has the same (or a similar) bootloader as Trinity.
The question: why it cannot get out from the bootloader ??

decebal said:
> This means that Artemis has the same (or a similar) bootloader as Trinity.
No, if you compare SPL they are very different one from the other.
Trinity's SPL is more similar to Hermes SPL, but Artemis SPL is different.
decebal said:
> The question: why it cannot get out from the bootloader ??
probably you just need to 'set 14 0' or hard reset to go back to OS, I don't know... the wiki edit was done by fdp24, he can probably explain

pof said:
> I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
> Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
> There's also the static password: BsaD5SeoA
> Can you add all this info to the wiki?
Cmd>getdevinfo
GetDevInfo: Get CID OK
HTCSTRIN100HTCE
--
Reset Device - works
--
Progress - works
--
ruustart - blocked - hard reset needed
--
rbmc - not working
--
password works with the password BsaD5SeoA
--
info - works as in wiki
--
task - works as in wiki
--
emapi and btrouter - blocks the device
--
wdata - works with the password provided
--
lnbs - not working
--
erase - working
HTCST ÚÈÒHTCE
--
checkimage - working as in wiki
--
checksum - seems working
--
wdatah - not working

seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
thanks

Nice work on the wiki decebal
Answers to your comments:
rbmc and lnbs - probably only work on SuperCID devices.
emapi and btrouter - I think it switches to wlan or bluetooth and disables USB connection.
wdata and wdatah - In Hermes, wdatah is for flashing NBH and wdata for flashing NBF on preproduction devices. Have you captured a full ROM upgrade using USB monitor? Which one does the RUU use? Probably it has a dynamic password which enables wdatah for NBH files. Does 'info 3' work as in Hermes? (You need to watch the USB monitor output; you generally can't see it in mtty.)
decebal said:
> seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
Generally by flashing a ROM matching your CID with bootloader 1.04.

rbmc is not in spl in Artemis device. On Trinity probably too.
These are some commands for Artemis:
They could be similar on Trinity.
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*****************************************************************************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
*****************************************************************************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*****************************************************************************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*****************************************************************************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*****************************************************************************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*****************************************************************************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
*****************************************************************************************************
Cmd>emapiPwrDwn
*****************************************************************************************************
Cmd>emapiRead
Parameter Wrong!!
*****************************************************************************************************
Cmd>getdevinfo
Need password!
*****************************************************************************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*****************************************************************************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*****************************************************************************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*****************************************************************************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*****************************************************************************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*****************************************************************************************************
Cmd>ResetDevice
no comments
*****************************************************************************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*****************************************************************************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
*****************************************************************************************************
Cmd>GPSRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
*****************************************************************************************************
password BsaD5SeoA - this is static password used during flashing device. (USB sniffer)
battery seems to be charging during bootloader.
If you get stuck in the bootloader while experimenting with commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run rom flasher even on CID locked device. It will give you error message about Device ID or something, but your device will be back to normal and boot normally.
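
The `HTCS` ... `HTCE` framing seen in the replies throughout this thread, with a 4-byte checksum after the data when not in user mode (per the `wdata` help text above), can be pulled out of a captured terminal or USB-monitor log for analysis. The Python below is an added example, not code from the thread or from HTC. The page does not state the CRC variant or byte order, so zlib's CRC-32 in little-endian order is an assumption used for the constructed samples, and all function names are hypothetical.

```python
import struct
import zlib

START, END = b"HTCS", b"HTCE"


def extract_bodies(stream: bytes) -> list:
    """Return the bytes between each HTCS marker and the next HTCE marker.

    Limitation: binary data that happens to contain b"HTCE" ends the frame
    early; when the length is known (as with wdata), slice by length instead.
    """
    bodies, pos = [], 0
    while True:
        start = stream.find(START, pos)
        if start < 0:
            break
        end = stream.find(END, start + len(START))
        if end < 0:
            break  # truncated capture: start marker with no end marker
        bodies.append(stream[start + len(START):end])
        pos = end + len(END)
    return bodies


def split_body(body: bytes, has_checksum: bool):
    """Split a frame body into (data, checksum); checksum is None if absent."""
    if not has_checksum:
        return body, None
    if len(body) < 4:
        raise ValueError("body too short to carry a 4-byte checksum")
    return body[:-4], body[-4:]


def checksum_ok(data: bytes, checksum: bytes, crc_fn=zlib.crc32) -> bool:
    """Compare the trailing 4 bytes with crc_fn(data).

    ASSUMPTION: CRC-32 (zlib), little-endian. The page only says "CRC checksum".
    """
    return struct.pack("<I", crc_fn(data) & 0xFFFFFFFF) == checksum


def analyze(stream: bytes, has_checksum: bool) -> list:
    """Return (data, verdict) per frame; verdict is True, False or None."""
    results = []
    for body in extract_bodies(stream):
        data, checksum = split_body(body, has_checksum)
        verdict = None if checksum is None else checksum_ok(data, checksum)
        results.append((data, verdict))
    return results


# Constructed samples (not captured from a device).
_CID = b"HTC__102"
PLAIN_LOG = b"Cmd>getdevinfo\r\nGetDevInfo: Get CID OK\r\nHTCSTRIN100HTCE\r\n"
CHECKED_LOG = (
    b"Cmd>info 2\r\n"
    + START + _CID + struct.pack("<I", zlib.crc32(_CID)) + END + b"\r\n"
    + START + _CID + b"\x00\x00\x00\x00" + END + b"\r\n"  # corrupted checksum
    + START + b"HTC_"                                       # truncated frame
)

if __name__ == "__main__":
    print(analyze(PLAIN_LOG, has_checksum=False))
    print(analyze(CHECKED_LOG, has_checksum=True))
```

Whether a given reply carries the checksum has to be decided per command: in the outputs quoted in this thread, `getdevinfo` returns the bare device name while `info 2` appends four non-printable bytes after the CID.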

Related

How to backup ROM for the SPV M3000

I tried to use the 'tera term pro' and send the command : r2sd all
I got the message :
Cmd>r2sd all
***** user area size = 0xF140000 Bytes
R2SDBackup() - Download type = 6
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
I need the password for the command password [password] to be able to dump the rom
Any ideas ?
Thx a lot for help

How to pdocread Extended Rom ?

Hi All,
I used aWizard to read out my Wizard's ExtRom, but do not know how to write it back.
I want to read out the ExtRom in .nba format, I studied the aWizard , I believe since " pdocread.exe 0 0x3900000 ROM\OS.nba " can read out the os, then theoretically " pdocread.exe ??? 0xA00000 ROM\ExtRom.nba " should be able to read out ExtRom in .nba format.
I do not know about programming, can someone be kind enough to point out what the ??? in above should be.
Will the following info has some hints?
Cmd>r2sd all
***** user area size = 0x1E100000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
Start address = 0x80000000 , Length = 0x800 (IPL)
Start address = 0x80000800 , Length = 0xC0000 (SPL)
Start address = 0x800C0800 , Length = 0x40000 ( )
Start address = 0x80100800 , Length = 0x280000 (GSM)
Start address = 0x4E3D4C0 , Length = 0x3900000 (OS)
Start address = 0x743D4C0 , Length = 0xA00000 (EXTROM)
Thanks a lot!
Any idea about " pdocread.exe 0 0x3900000 ROM\OS.nba "?
Is 0 the starting offset address & 0x3900000 the size of the os rom part?
I have read the info in wiki.xda-developers.com, but my programming knowledge is too bad for me to understand it!
(just for reference), i posted a detailed explanation on http://www.spv-developers.com/forum/showthread.php?t=2888
willem

Reset Simlock Count on Hw6515

Is it possible to reset the simlock try counter?
I have a problem with it: Simlock says I've tried 20 times to enter the simlock code!
And now I can't validate a new code: the OK button stays grey.
This happened after I used vBar to kill the Simlock task! The number of tries has reached 20 and now it seems to be locked for many days.
If someone can help me... Please, because now I have my simlock code but I can't validate it!
Ipaq Hw6515 French Bouygue telecom
Last ROM 1.23 French
vBar (great freeware but dangerous for simlock!) :
http://www.pocketpcfreewares.com/fr/index.php?soft=562
Go into bootloader using mtty.exe, you need to access AT command interpreter, in some htc devices this is done by command 'rtask 7' on others is 'rtask b' (I don't know on the beetles). Should be something like this:
Code:
USB> rtask b <--- go into AT command interface
ate1 <--- type this to enable local echo
atv1 <--- type this to enable verbose output
[email protected]=0,1,code <--- replace "code" with your MSL
[email protected]=0,2,code
[email protected]=0,4,code
[email protected]=0,8,code
[email protected]=0,16,code
[email protected]=0,32,code
[email protected]?40
If the last command returns simlock=00 it means it's unlocked; any other value means it is still locked.
No need to reset the counter
[email protected] Doesn't work
Hi,
Thank for your reply but it doesn't work :
[email protected] doesn't seem to be implemented :
USB>h rtask
Usage:
rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>rtask 7
Radio AT command debug.
Wait 177 ms
ATCmd Version 0.1
CAIF Init Done
ate1
0
atv1
aatv1
OK
[email protected]?40
[email protected]?40
ERROR
[email protected]?40
[email protected]?40
ERROR
[email protected]?40
[email protected]?40
ERROR
ati
aati
Ericsson Mobile Platform
OK
And when I try [email protected]=0, facility(0 to 32), unlocking code => ERROR
I've tried with the first ROM 1.05 and the last 1.23; with 1.23 the help for rtask disappears!
Does someone know another method or command to accomplish my unlocking? Please, I'm going crazy, I've left my iPAQ running simlock for 7 days and the validation button stays grey!! I've reset to test [email protected] without success
ouch, then hw6515 bootloader is different from what I've seen previously....
hw6515a locked
I have had the same problem for months. My hw6515a: 22 times. And I cannot get the OK button enabled. I cannot reset it. I'm still fresh on the boat. I downloaded mtty.exe but I don't know how to use it, or how to get my phone into the bootloader. Pof, you genius, please show me how to unlock this phone or reset the simlock count. Many thanks. Andrew. [email protected]
pof said:
> Go into bootloader using mtty.exe, you need to access AT command interpreter, in some htc devices this is done by command 'rtask 7' on others is 'rtask b' (I don't know on the beetles). Should be something like this:
> Code:
> USB> rtask b <--- go into AT command interface
> ate1 <--- type this to enable local echo
> atv1 <--- type this to enable verbose output
> [email protected]=0,1,code <--- replace "code" with your MSL
> [email protected]=0,2,code
> [email protected]=0,4,code
> [email protected]=0,8,code
> [email protected]=0,16,code
> [email protected]=0,32,code
> [email protected]?40
> If the last command returns simlock=00 it means it's unlocked; any other value means it is still locked.
> No need to reset the counter
The bootloaders are totally different, maybe the one that you are testing is on ipaq 6365...CMIIWW thanks
Do a HARD-RESET, that's what I did to my H6515 USA version
Need a little help I am new with Ipaq 6515 but have unlocked other PDA and Pocket pcs, one thing how to put 6515 in bootmode and also how to hard reset it please can any one help.
thanks
bcnboy
need too to reset simlock counter.. this also can unlock beetles devices??
Hi all. I have the hw6515 Spanish, SIM locked, and French, without SIM lock. Is it possible to make both English and unlock them???
How to reset unlock codes counter on HP 6515a?
How can I manage connection with mtty.exe and device. Because there is not any COM ports emulated by AS.
Pof - a little help with X01HT
Hi - this worked on the HTC Hermes (I have X01HT)
Before i started - [email protected]?40 - returned - 01
I then ran [email protected]=0,1,code (code= the code I bought off a member here)
Then [email protected]?40 - returned - 00 (unlocked)
Thanks heaps
lemming77 said:
> Hi - this worked on the HTC Hermes (I have X01HT)
> Before i started - [email protected]?40 - returned - 01
> I then ran [email protected]=0,1,code (code= the code I bought off a member here)
> Then [email protected]?40 - returned - 00 (unlocked)
> Thanks heaps
I think I need help with this. In mtty I get command error!!! all the time. Maybe I need to get the password? bootloader_pwn3d.pdf doesn't help.
I have my code, I just need to know how to input it. I have HardSPL installed maybe I will try flashing another rom to input the code?
How to apply to elf
dear sir
HOW TO APPLY TO ELF & what is Msl that will be inserted instead of code
Cant reset hermes
Khianto said:
> The bootloaders are totally different, maybe the one that you are testing is on ipaq 6365...CMIIWW thanks
DOES ANYONE KNOW HOW TO RESET COUNTS ON HERMES I TRIED LIKE THIS WITHOUT ANY RESULT
task 32
Level = 0
Cmd>28
Command error !!!
Cmd>task 32
Level = 0
Cmd>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 13
Storage start block: 464
Storage Total block: 472
Total Bad Block in CE: 0
NeedToEraseBlockStart: 477
Storage format success
Cmd>task b
Cmd>task 7
Cmd>task b
Cmd>rtask b
Command error !!!
Cmd>rtask 7
Command error !!!
Cmd>task 7
Cmd>ate 1
Command error !!!
Cmd>ave 1
Command error !!!
Cmd>rask ave 1
Command error !!!
Cmd>task ave1
Cmd>task ate 1
Cmd>USB hrtask
Command error !!!
Cmd>hrtask
Command error !!!
Cmd>h rtask
Command error !!!
Cmd>task h rtask
Cmd>USB> rtask b
Command error !!!
Cmd>rtask b
Command error !!!
Cmd>rtask 7
Command error !!!
Cmd>'rtask b'
Command error !!!
Cmd>rtask 7'
Command error !!!
Cmd>[email protected]=0,1,code <--- replace "code" with your MSL
[email protected]=0,2,code
[email protected]=0,4,code
[email protected]=0,8,code
[email protected]=0,16,code
[email protected]=0,32,code
[email protected]?40
Cmd>
Cmd>[email protected]=0,1,00000000
Command error !!!
Cmd>simlock=00
Command error !!!
NO USB JUST CMD BUT I READ IT WAS THE SAME THING.
THANK YOU ANYONE WHO KNOWS OR HOW TO DOWNGRADE SPL 1.4 OLIPRO TO 1.04 I HAVE SIM LOCKED 18 TIMES THX. AND I HAVE THE CODE.
AND ANYONE KNOWS HOW MANY TIMES I HAVE TO WAIT FOR OK BUTTON? OR IT CANT BE DONE

diamond SPL possible damaged

Hi. I have HTC diamond with possible damaged SPL
if i try to flash any Rom i have : error 270 : image corrupted after few minutes (flashing stops at 0% )
I can put it in bootloader mode
In bootloader mode i can see it's SPL : 1.40 by Olinelix
Mtty info give me that
Cmd>info 2
HTCS00000000jR*ҐHTCE
Cmd>set 32
Cmd>getdevinfo 2
GetDevInfo: Get backup CID
HTCSDIAM1000HTCE
Cmd>info 0
Platform Model IDIAM10000
Platform HW Board ID:1, PROT
Cmd>
Is it possible to recover this?

dump memory

like making a dump of the memory on trinity
trin100 mfg
spl-1.30.olipro
i have use mtty ver 1.16
i have launch mtty on port \\.\WCEUSBSH001
command :
cmd>task 32
level =0
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCEPassWord: BsaD5SeoA
Cmd>set 1e 1
after ???
after ? how can i put into file using rbmc ??
tnks
ok
rbmc is blocked to 57000000 >
