DISASSEMBLE ROM IMAGE - Windows Mobile Development and Hacking General

Hi all,
Has anyone managed to disassemble the ROM image files and possibly "see" actual source code? It would be interesting if someone could do this.
Cheers,
Zouga

Compatriot!
Hello!
Source code is not compiled. What you find in ROM is compiled, thus you cannot see the source code. You could disassemble a ROM image to see what files it has, but I do not know how that happens.

What source code do you need? Microsoft provides partial source code of Windows CE in Platform Builder. Trial PB 4.20 was removed from the MS site; you can only download PB 5.0.

Hello AdmiralAK!
Thank you guys for your replies. I have some parts of the radio ROM in which I am trying to identify interesting segments, like for example the SIM lock. I think I know what I am doing; I have managed to download from the PDA parts of the Radio ROM (which I suspect remains intact when flashing to a newer Radio version). Also, I have some commands which are being used with the XDA IIs bootloader; can anyone help me about their use?
r task a
rpass
x
rrbmc (that's probably to read from specific memory addresses)
rerase (to delete from specific memory addresses)
retuoR
rwdata (to write in specific memory addresses)
Also, does anyone have any information on the XDA II unlocking utility? I mean which memory addresses it accesses, where it writes etc...
Thanks,
Zouga

hahahaha "I think I know what I'm doing" :lol:
then why do you need to know how and where to write information, dude?
"Also, does anyone have any information on the XDA II unlocking utility? I mean which memory addresses accesses, where it writes etc... "
Unfortunately for you, I don't believe Windows CE is written using QBASIC.

Yeah exactly, "I THINK" I know what I am doing, never said I know exactly what I'm doing. I am not a cracker or a software engineer, I am an electronic engineer and I try to use my understanding of embedded electronics to get through to some useful information. I know in which segments of the Radio ROM the SIM lock lies, I just cannot crack the data. I can only see HEX format like
3A 46 3D 00 78 0D 20 08 3A 41 3D 00 00 00 00 00 :F=.x. .:A=.....
Anyone that can give a hand with this, I would appreciate your input.
Regards,
Zouganelis

You can decompile the radio ROM using IDA. It uses a variation of ARM cpu.
Read http://www.xs4all.nl/~itsme/projects/xda/xdagsm-info.html for the XDA2.

Related

nearest cell info in smarthphone memory

I found that you can get information about the 8 nearest cells directly from memory under Windows CE on the Typhoon / SPV C500 smartphone.
Code:
pmemdump -x -w 29 -4 0x8f1d8e78 0x3a0
will show you a table, with the location-area-code and cell-id in the 23rd and 24th columns.
This is for radio version 1337.0.32-0.03.18.
For other versions it should be somewhere in the 0x8f100000 - 0x8f200000 area.
Hi, this is very interesting. But how to know such information on other devices, especially WM5-based PPCs?
Isn't this how CellTrack from spv-developers works? I was speaking to the developer and he said it dumps it directly from memory, not through RIL or AT.
V
mmalek said:
Hi, this is very interesting. But how to know such information on other devices, especially WM5-based PPCs?
Have a look here:
http://forum.xda-developers.com/viewtopic.php?t=54940&highlight=nicetrack
http://forum.xda-developers.com/viewtopic.php?t=53148&highlight=nicetrack
http://forum.xda-developers.com/viewtopic.php?t=43191&highlight=nicetrack
http://forum.xda-developers.com/viewtopic.php?t=46803&highlight=nicetrack

WinCE5 - Gigabeat S firmware analyst (modified version)

Hi,
My name is Carl and I'm trying to help the Rockbox devs (http://www.rockbox.org) to port Rockbox to the Gigabeat S (Portable Media Player), which is based on WinCE 5 (modified version). Is it possible to have your help to find a way to write code on the firmware? I mean, find a buffer overflow or an injectable DLL. The reason why I and the Rockbox devs want to do that is simple: Rockbox is more customisable, supports more audio codecs...
We want to know if it is possible to inject code (because the firmware is signed/hashed with SHA256 by Verisign and the processor (ARM9 Freescale i.MX31L) runs only signed code). A part of the firmware is stored in the ROM on the PCB. We don't know if the device is JTAG secured. Also, to find the firmware, we need to hot-swap the hard drive (with an iPod for example) because the device is in MTP mode and shows only what it wants! If you have useful information concerning WinCE5 in general / kernel / hex addresses / bootloader, let me know!
You can find more information here: http://www.rockbox.org/twiki/bin/view/Main/GigabeatSInfo
You can also forward this email to other XDA-Devs if you can't help us.
Thanks a lot for your time!

Researching Linux / Android ROM

Hello everybody,
I'm Johan, I live in the Netherlands and I'm studying Informatica -> Software Engineering. For a school project we have to write an Android application, though I don't have Android running on my telephone natively. So I searched the internet and found out that on the XDA forums it's all about custom ROMs and that there are some Android ROMs available. Unfortunately nothing for my MDA Compact/HTC Magician yet.
After asking around a bit and searching all over the internet I figured no one actually was bothering to further investigate Android for the Magician.
So even though I have no idea if it will ever work, I'm going to try to document as much as possible, and I hope others might join this topic and give some (useful!!) feedback.
These websites I think are the best place to start. As I don't have any experience with ROMs or Android OS it's going to be a challenging task, but if you guys have any ideas, suggestions or websites where we can find more information, feel free to post comments.
Startpage for Magician info:
http://wiki.xda-developers.com/index.php?pagename=HTC_Magician
HaRET bootloader working on magician:
http://www.handhelds.org/moin/moin.cgi/HaRET
http://www.handhelds.org/moin/moin.cgi/HaRET_20Documentation
Linux kernel for Magician:
http://www.htc-linux.org/wiki/index.php?title=Kernel#Kernel_for_intel_PXA_based_devices
Current status for linux kernel:
http://wiki.xda-developers.com/index.php?pagename=MagicianProgress
http://www.handhelds.org/moin/moin.cgi/Magician
Source code for Android:
http://source.android.com/
How to build Android OS:
http://source.android.com/porting/build_system.html
Compatibility test suite:
http://source.android.com/compatibility/cts-intro.html
Any feedback is appreciated but please don't make it like "nice, when is it finished?" or "it's impossible!"
as I have no idea about either of those two comments yet; I'll have to figure that out on the go.
It should be possible, someone already ported Android to the PXA270!
http://www.mask.org.tw/demo.htm
Need to throw in a kernel. Guess I'll fetch yet another Magician if that happens!!!
Hi header2k and evildarknight, thanks for the input.
My Chinese/TW isn't too good, so I googled for android and pxa270 and found the following website, no idea if it's any use (currently not at home, and the data limit on my laptop dislikes downloading 1.3GB so I'll have to see what it is when I'm at my desktop again.)
http://www.ntut.edu.tw/~wyliang/
This looks interesting, if it comes to testing, you can contact me!
Guess my Chinese ain't better.
Can't somebody, anybody, compile the Android Froyo kernel 2.6.32 for the Magician, which seems to be in line with PH5 dev???
I can't read Chinese either, but I wanted to link to the PDF files:
http://www.mask.org.tw/data/Android_Porting_on_PXA270.pdf
http://www.mask.org.tw/data/BringUp_Android_on_PXA270.pdf (he used files from: svn co https://android-pxa270.svn.sourceforge.net/svnroot/android-pxa270 android-pxa270 )
He uploaded his work, too (with two mirrors, after "原始碼 (1.3GB) 下載位置:", i.e. "source code (1.3GB) download location:")
His machine:
[email protected] <-- identical with our magician
64MB RAM <-- identical with our magician
32MB ROM <-- Isn't important because he used an external USB stick with chroot - We can use our SD card and HaRET
Toppoly TD035STEB1 <-- identical with our magician
Setting up Dev-Team
So this proves, I guess, it's a done deal already.
But is it then just a theoretical/closed project? Or did he indeed release his source code as well? SourceForge SVN shows there isn't anything deposited.
Anyway, I still want to use this on my telephone; no idea what it takes to use/modify his work. Anyone interested in actually joining the project team to make it run on a telephone? Because in the pics in the PowerPoint I see some laptop and some mainboard and touchscreen but not an MDA Compact/HTC Magician yet.
There are copies of the project at www.mask.org.tw/data/release-sourceforge.tgz and www.ntut.edu.tw/~wyliang/release-sourceforge.tgz. I don't have access to a Linux box at this moment. Need to fix my PC before working on Android.
Hello, This is Mask from http://www.mask.org.tw
Hello, I am Mask and I found there is some traffic from xda-developers to my website, so I came here and found there was some discussion of my work last year.
I had opened an Android project for PXA270 on SourceForge, but I didn't know how to upload my source code to SourceForge, so I put the source code on my website and mirror sites.
I hope maybe I could help you if you are interested in "android porting" and some related topics.
mask.chung said:
Hello, I am Mask and I found there is some traffic from xda-developers to my website, so I came here and found there was some discussion of my work last year.
I had opened an Android project for PXA270 on SourceForge, but I didn't know how to upload my source code to SourceForge, so I put the source code on my website and mirror sites.
I hope maybe I could help you if you are interested in "android porting" and some related topics.
Yes, I have a question. Do you have a pxafb.c driver that works with Android and the 2.6.32 kernels?
Sorry about that, I have no time to maintain my Android project for PXA270, and now I have no plan to keep maintaining it. Maybe we could upload the whole development source code including all SVN revisions from the beginning to now; do you know how to import SVN to SourceForge? Thanks a lot.
Here is some information on SVN and SourceForge.
http://haacked.com/archive/2006/02/22/QuickstartGuidetoSubversiononSourceForge.aspx some older howto from 2006, not sure if it's up to date
http://sourceforge.net/apps/trac/sourceforge/wiki/Subversion Official SourceForge howto.
http://tortoisesvn.net/ SVN client
Kernel
Can someone test this kernel and see if it works, as I do not have a Magician to test it with.
If it does boot, can you follow the steps posted here to see if Android boots...
http://forum.xda-developers.com/showthread.php?t=658664
notime2d8 said:
Can someone test this kernel and see if it works, as I do not have a Magician to test it with.
If it does boot, can you follow the steps posted here to see if Android boots...
I tried to use the kernel on a Qtek S110 (WM 6.1 by Cotulla), but get a frozen screen on the line "Jumping to Kernel...". When I use the zImage from the thread "Android 1.5 Cupcake on Universal" - again a freeze on the line "Jumping to Kernel...". Any ideas?
If you need to test something on Magician, contact me by ICQ 258113792.
Pavel A Safonov said:
I tried to use the kernel on a Qtek S110 (WM 6.1 by Cotulla), but get a frozen screen on the line "Jumping to Kernel...". When I use the zImage from the thread "Android 1.5 Cupcake on Universal" - again a freeze on the line "Jumping to Kernel...". Any ideas?
If you need to test something on Magician, contact me by ICQ 258113792.
Make sure you have the radio turned on and not in airplane mode, and WiFi and Bluetooth turned off. Also the correct machine type, 875, in the startup text file, or 855 if using the one for the Universal.
I think set MTYPE 875 should be the right one.
notime2d8 said:
Make sure you have the radio turned on and not in airplane mode, and WiFi and Bluetooth turned off. Also the correct machine type, 875, in the startup text file, or 855 if using the one for the Universal.
When the radio is turned on, Linux loads and stops on the following lines:
1. With kernel for Magician
...
mmc0: new SD card at addess 41a8
mmcblk0: mmc0:41a8 SD01G 982 MiB
mmcvlk0: p1 p2 p3
Waiting for root device /dev/sdb2...
I waited more than 5 minutes, but nothing happened.
2. With kernel for Universal
...
ds1wm: ds1wm: reset failed
The device vibrates all the time and after the last line turns off the display.
Pavel A Safonov said:
When the radio is turned on, Linux loads and stops on the following lines:
1. With kernel for Magician
...
mmc0: new SD card at addess 41a8
mmcblk0: mmc0:41a8 SD01G 982 MiB
mmcvlk0: p1 p2 p3
Waiting for root device /dev/sdb2...
I waited more than 5 minutes, but nothing happened.
2. With kernel for Universal
...
ds1wm: ds1wm: reset failed
The device vibrates all the time and after the last line turns off the display.
OK, don't use the Universal kernel. From what you posted it seems that the kernel is not pointing to the correct memory card path in the startup text file; or try reinserting the card.
If anybody knows how to build kernels I can provide the files and walk them through how I built the kernel for the Universal, on which I have just gotten a very slow and unusable Eclair (mostly due to hardware) working. I think this is the most I can help out as I don't have a Magician.

Qpst - mprg8960.hex [found!]

I'm looking for a copy of the MPRG8960.HEX file.
This file is used to build the 8960_msimage.mbn, which is the OEM boot image flasher used by the MSM8960 Emergency host downloader (EhostDL) to boot bricked devices. The tool that builds that *.mbn image is emmcswdownload.exe, which is a program that comes with the QPST software...
Apparently, some ZTE firmwares may contain these...
In addition it would be useful to be able to extract these files into pure images.
The HEX file content looks like this:
Code:
0 :020000042A00D0
11 :10000000D1DC4B843410D773FFFFFFFFFFFFFFFFEE
3e :10001000FFFFFFFF500000005000002A348802005C
...
Any help would be much appreciated!
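The records quoted above are standard Intel HEX. As an added example (not code from the thread, QPST or any OEM tool), here is a small Python parser that validates each record's checksum, applies the type-04 extended linear address record, and assembles the data records into a byte image keyed by absolute address. The leading "0", "11", "3e" column in the post is the hex editor's file offset, not part of the format, so the parser strips anything before the colon. The three records are copied from the post as constructed input; the record types and checksum rule are those of the Intel HEX specification.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Record types defined by the Intel HEX format.
DATA, EOF, EXT_SEG, EXT_LIN = 0x00, 0x01, 0x02, 0x04


@dataclass
class Record:
    length: int
    offset: int
    rtype: int
    data: bytes
    checksum: int


def parse_record(line: str) -> Record:
    """Parse one Intel HEX record; tolerates a leading file-offset column before ':'."""
    line = line.strip()
    colon = line.find(":")
    if colon < 0:
        raise ValueError(f"no start code in {line!r}")
    raw = bytes.fromhex(line[colon + 1:])
    if len(raw) < 5:
        raise ValueError(f"record too short: {line!r}")
    length, rtype = raw[0], raw[3]
    offset = int.from_bytes(raw[1:3], "big")
    if len(raw) != 5 + length:
        raise ValueError(f"length byte {length} does not match record {line!r}")
    data, checksum = raw[4:4 + length], raw[-1]
    # The checksum is the two's complement of the sum of every preceding byte.
    expected = (-sum(raw[:-1])) & 0xFF
    if expected != checksum:
        raise ValueError(f"bad checksum in {line!r}: got {checksum:02X}, expected {expected:02X}")
    return Record(length, offset, rtype, data, checksum)


def record_is_valid(line: str) -> bool:
    """True if the line parses and its checksum matches; used to spot corrupted dumps."""
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def load_hex(lines: Iterable[str]) -> Dict[int, bytes]:
    """Assemble data records into {absolute_address: data}, honouring type-02/04 base records."""
    base = 0
    image: Dict[int, bytes] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.rtype == EXT_LIN:
            base = int.from_bytes(rec.data, "big") << 16   # upper 16 bits of a 32-bit address
        elif rec.rtype == EXT_SEG:
            base = int.from_bytes(rec.data, "big") << 4    # 8086-style segment base
        elif rec.rtype == DATA:
            image[base + rec.offset] = rec.data
        elif rec.rtype == EOF:
            break
        # Types 03 and 05 carry start addresses only and do not contribute image bytes.
    return image


def contiguous_ranges(image: Dict[int, bytes]) -> List[Tuple[int, int]]:
    """Return (start, length) for each contiguous run of bytes in the image."""
    ranges: List[Tuple[int, int]] = []
    for addr in sorted(image):
        if ranges and ranges[-1][0] + ranges[-1][1] == addr:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + len(image[addr]))
        else:
            ranges.append((addr, len(image[addr])))
    return ranges


# Constructed input: the three records quoted in the post, offset column included.
SAMPLE = """
0 :020000042A00D0
11 :10000000D1DC4B843410D773FFFFFFFFFFFFFFFFEE
3e :10001000FFFFFFFF500000005000002A348802005C
"""

if __name__ == "__main__":
    img = load_hex(SAMPLE.splitlines())
    for start, length in contiguous_ranges(img):
        print(f"{start:08X}: {length} bytes")
```

Running it shows that the first record sets the load base to 0x2A000000 and the two data records form one 32-byte run from that address; a single flipped nibble anywhere in a line makes `record_is_valid` return False, which is the check worth running before trusting a HEX file that has passed through forum uploads and mirrors.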
Bump, this would be greatly appreciated.
Sent from my HTC One X+ p_type 0.91.0
I think I might have found it. It seems to be here, but it's on a Chinese site that requires registration, and I cannot complete registration, since they're asking to complete a Chinese captcha!
E:V:A said:
I think I might have found it. It seems to be here, but it's on a Chinese site that requires registration, and I cannot complete registration, since they're asking to complete a Chinese captcha!
Pssst: weasel.net / MPRG8660.HEX
What are you planning to use this for?
luncht1me said:
Pssst: weasel.net / MPRG8660.HEX
What are you planning to use this for?
Pssst: There's a bit of difference between 6 and 9.
luncht1me said:
Pssst: weasel.net / MPRG8660.HEX
Thanks, I already have those. I have many, but not for the 8960. Which makes me speculate that the MPRG8960.HEX is not needed, if it could be built into one of the bootloaders and possibly extracted from there as well...
I think we should have a section for Qualcomm and Tegra based devices specifically for these purposes. Lots of people on forums with Qualcomm chips and similar issues that may unite great minds.
I have checked the latest QPST release (Q3 2012) and it did not come with this file, despite many other HEX files :crying:
Are we 100% sure the file exists? If it is not packaged inside QPST, where would it come from?
There's definitely code in the 8960 PBL for the programmer. The reason it's probably not included with QPST is because the programmer is signed and signature-checked in the same way as SBL1, which means there's a programmer for each OEM and probably a different one for each phone model by the OEM that uses the 8960.
I've been searching the web for the .hex and .mbn files... I have failed to find anything. I did find a Russian site that said the two files will not be able to be obtained because of the write protection on SBL 1, 2, and 3... I'm confident in the great minds of everyone here on XDA that we will find some way to bypass that WP without corrupting the files.
Sent from my One X using xda app-developers app
E:V:A said:
I'm looking for a copy of the MPRG8960.HEX file.
This file is used to build the 8960_msimage.mbn, which is the OEM boot image flasher used by the MSM8960 Emergency host downloader (EhostDL) to boot bricked devices. The tool that builds that *.mbn image is emmcswdownload.exe, which is a program that comes with the QPST software...
Apparently, some ZTE firmwares may contain these...
In addition it would be useful to be able to extract these files into pure images.
The HEX file content looks like this:
Code:
0 :020000042A00D0
11 :10000000D1DC4B843410D773FFFFFFFFFFFFFFFFEE
3e :10001000FFFFFFFF500000005000002A348802005C
...
Any help would be much appreciated!
Thanks to 18th.abn we now have 8960_msimage.mbn and partition_boot.xml:
http://forum.xda-developers.com/showpost.php?p=34274853&postcount=2256
I have been searching everywhere for mprg8960.hex and tracked down a link in a Chinese forum:
http://bbs.wpcnn.com/forum.php?mod=redirect&goto=findpost&ptid=25317&pid=580675&fromuid=77335
Unfortunately the link is no longer active. I joined the forum, PM'ed the poster and posted in the thread, but haven't heard back. Maybe if he receives more requests he'll create a new link?
I also downloaded the full firmware file linked in the OP of that thread on the slight chance that mprg8960.hex would be included in it, but the file is a single .binx; no idea how to extract its contents. Also, Pantech uses an online update utility that requires the phone to be plugged in for it to work, so it doesn't look like that is an option to extract the contents.
E:V:A said:
I think I might have found it. It seems to be here, but it's on a Chinese site that requires registration, and I cannot complete registration, since they're asking to complete a Chinese captcha!
I was able to register on that site (got an English captcha), but it doesn't have the file, it's just a request.
We can close this thread now, the real hex file and msimage.mbn have been posted in the R&D section.
Check
http://forum.xda-developers.com/showpost.php?p=35762370&postcount=46
I'm very HAPPY to announce that they have been found!
Here are your HEX files. MERRY CHRISTMAS!
Code:
8064_msimage.mbn
8930_msimage.mbn
8960_msimage.mbn
MPRG8064.hex
MPRG8930.hex
MPRG8960.hex
GPP8064.hex
GPP8960.hex
THESE ARE NOT TESTED! AFAIK. You could hard brick your device if you try to use/flash these, in case they have the wrong signature key, as expected by your HTC device. I TAKE NO RESPONSIBILITY with anything that happens if you use these.
Thread Closed!

[Closed Thread]

[Closed Thread]
sun75 said:
Ok, I searched other forums and I found some answers in the Mate 10 forum:
BEWARE-bla-l29c432b147-t3817241
I read all the thread, but I think our xloader is different, or maybe does not have the version issue at this stage. But, yes, we have to look at it on every new ROM version... otherwise there is a brick or "cannot return back" risk as they clearly discuss in their thread!
I extracted my xloader on my P Smart in TWRP:
Code:
dd if=/dev/block/mmcblk0boot0 of=/sdcard/xl1.img
dd if=/dev/block/mmcblk0boot1 of=/sdcard/xl2.img
The "good" file is only the first one; the second file is full of zeros.
I have on the phone v. FIG-LX1 8.0.0.152(C432): I have hex-compared it with the one extracted from the ROM (update.app) and it matches perfectly. OK.
So I downloaded other ROM zips randomly from .129 to the new .147SP1log.
I hex-compared all these XLOADER images one by one and all images are different in the contents range hex 0x74c~0x873 and, after 0xF3B4, in the entries of the compile time (25 - 26 - 27 Dec 2017 and different hours) depending on firmware.
There is no 01/02 value at position 0x1a8 (that is 00 in every ROM).
Apparently the -SP1log ROM has the "same" version xloader, so my question is the same: what is the meaning of the SP1 and log suffixes in ROM versioning on Firmware Finder?
You can use this XLOADER checking tool: https://forum.xda-developers.com/mate-10/how-to/beware-bla-l29c432b147-t3817241
sun75 said:
I've downloaded one of the Mate 10 firmwares and I've compared the two xloader.img (Mate 10 and P Smart), especially the first block, where the "version" check is. Apart from the "xloader" string on top of the image, the first block is identical until hex 0x1cb; after that, they differ. They differ also in size: Mate 10 (176KB), and P Smart (69KB).
Please see the attached JPEG.
Anyway, the "version" byte in the Mate 10 xloader.img is NOT only at offset 0x1a8, but also at hex offsets 0x474 and 0x740 (@ante0 please take note of it: thank you for your thread which I started from!) and at those hex addresses we always have "00"...
The tool was made for BLA and ALP, which both have either 01 or 02.
But!
The offset can't be 01 at 1a8 and 02 at 474; it needs to be either 01 in all or 02 in all.
Complete list:
0x1A8
0x474
0x740
0x231A8
0x23474
0x23740
https://forum.xda-developers.com/showpost.php?p=76538101&postcount=43
It's the same on the Mate 9, 00 in those offsets.
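The consistency rule stated above (every listed offset must hold the same marker, 01 or 02, and on the P Smart and Mate 9 they are all 00) and the hex-compare that sun75 did by hand a few posts earlier can both be done in a few lines. The following Python is an added example, not the XLOADER checking tool from the linked thread or any Huawei code; the offset list is the one given in this post, the image sizes (about 69 KB for the P Smart and about 176 KB for the Mate 10) are taken from sun75's post, and the images themselves are constructed zero-filled buffers with a few bytes set, since no real xloader is on the page.

```python
from typing import Dict, List, Optional, Tuple

# Offsets of the "version" marker byte listed by ante0 for the Mate 10 (BLA/ALP) xloader.
VERSION_OFFSETS = (0x1A8, 0x474, 0x740, 0x231A8, 0x23474, 0x23740)


def version_bytes(img: bytes, offsets=VERSION_OFFSETS) -> Dict[int, Optional[int]]:
    """Read the marker byte at each offset; None where the image is too short to contain it.

    The P Smart image is only about 69 KB, so the 0x23xxx offsets fall past its end
    and must not raise an IndexError."""
    return {off: (img[off] if off < len(img) else None) for off in offsets}


def xloader_version(img: bytes, offsets=VERSION_OFFSETS) -> Optional[int]:
    """Return the marker (0, 1 or 2) if every reachable offset agrees, else None.

    Mixed values (01 at 0x1A8 but 02 at 0x474) are not a valid state per the post."""
    present = {v for v in version_bytes(img, offsets).values() if v is not None}
    if len(present) != 1:
        return None
    v = present.pop()
    return v if v in (0, 1, 2) else None


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Inclusive [start, end] offset ranges where two images differ, like a hex-compare view.

    Bytes past the end of the shorter image count as differences."""
    ranges: List[Tuple[int, int]] = []
    n = max(len(a), len(b))
    start: Optional[int] = None
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, n - 1))
    return ranges


def make_image(size: int, markers: Dict[int, int]) -> bytes:
    """Constructed stand-in for an xloader: a zeroed buffer with selected bytes set."""
    buf = bytearray(size)
    for off, val in markers.items():
        buf[off] = val
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sizes: roughly the 69 KB P Smart and 176 KB Mate 10 images from the thread.
    p_smart = make_image(0x11000, {})
    mate10_ok = make_image(0x2C000, {off: 1 for off in VERSION_OFFSETS})
    mate10_bad = make_image(0x2C000, {**{off: 1 for off in VERSION_OFFSETS}, 0x474: 2})
    print("p smart:", xloader_version(p_smart))       # 0, later offsets unreadable
    print("mate10 ok:", xloader_version(mate10_ok))   # 1
    print("mate10 mixed:", xloader_version(mate10_bad))  # None
    print("diff:", diff_ranges(mate10_ok, mate10_bad))   # [(0x474, 0x474)]
```

Before flashing, the useful check is simply that `xloader_version()` of the new image equals that of the image already on the phone; a `None` result means the markers disagree and the image should not be trusted, and `diff_ranges()` tells you exactly which byte ranges changed between two builds, which is the comparison sun75 was doing by eye.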
ante0 said:
The tool was made for BLA and ALP, which both have either 01 or 02.
But!
The offset can't be 01 at 1a8 and 02 at 474; it needs to be either 01 in all or 02 in all.
Complete list:
0x1A8
0x474
0x740
0x231A8
0x23474
0x23740
https://forum.xda-developers.com/showpost.php?p=76538101&postcount=43
It's the same on the Mate 9, 00 in those offsets.
So is the tool working for the P Smart or not?
sun75 said:
OK, thank you for your reply...: I'm trying to figure out what these -sp1 [log] firmwares out there are, because they are apparently identical to all the others (I compared the xloader images and they are the same!) while in your threads, at least for the Mate 10, the -sp1 firmwares are those with the "old" xloader...
So I'm a bit confused here...
Yeah, SP1 are 01 on the Mate 10. At least some of them.
I believe they are tests of some sort, because B148 is certified so it passes SafetyNet while B148-SP1 is not.
sun75 said:
[Closed Thread]
Thread closed on request of OP.
