Database Users

tool to fix broken bootloader

here http://www.xs4all.nl/~itsme/download/bootloaderfix.zip a tool to fix
a broken bootloader.
use with extreme care, only as a last resort.
This tool depends on specific memory locations for certain roms.
It does verify that it is talking to a known rom. It also does a very
minimalisitc check if the file presented to it resembles a bootloader.
I tested it with 3.16.52, 4.00.10 and 3.04.00 ( the very old ppc2003 rom ).
It should also work with 3.17.03, 3.19.01, 4.00.01 and 4.00.05.
unpack the archive, from the command prompt, in the 'build' directory
run 'pnewbootloader bl515.nb0'.
it should take about 10 seconds.
output should be something like this:
Code:
C:\fix\build>pnewbootloader.exe bl515.nb0
protection found at 8c0d62d8
result: 00000000 00000000
if you get my ce utilities ( http://www.xs4all.nl/~itsme/projects/xda/tools.html )
you can check the current bootloader version with
Code:
C:\>pmemdump 0x80001880 0x40
80001880: 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890: 00 00 00 00 20 20 20 20 56 35 2e 31 35 20 20 20 .... V5.15
800018a0: 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0: 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00 ... WALLABY ...

hi,
thanks for taking the time to make this utility. I am about to try it but i'm not sure if i should run it on my xda or on my desktop pc.
Could you please elaborate on how to use it?
Rico

Developer-#X2PL
Thanks for the new tool.
Unless I'm mistaken this requires an Active Sync connection ?
I am stuck on Wallaby 5.17 and a corrupted Rom image (My fault) and so can't establish an active sync connection. The only way to recover is to run an SD card restore but I have had no joy with the Wallaby patch to overcome the bootloader's security (Loads to SD card o.k but does not patch the bootloader on startup)
Is there any way of running your bootloader tool from a serial connection using the load and go command ?
Thanks
Richard

this tool runs on your desktop pc,
it requires a working activesync connection.
and also a working windows ce.
it is most useful for people who accidentally selected the same file for bootloader and osimage in xdarit. and are now stuck without a bootloader.
and it provides an easy way to change bootloader for people with a working xda and bootloader 5.17.
richard, sounds like the only way to fix your xda would be to get the patchloader working. does it say something about loading diagnostics, and bootloader detected, patching .... etc?

K2pl
Thanks for reply.
I get no messages at all when entering bootloader with patched SD card. I am wondering if XDArit is actualy writing to the SD card. I have been recieving the succesful write message and had assumed that it had done so but after asking it to write a CE image it confirmed this in about 2 seconds which I'm sure it couldn't have acheived. I have presumed that I wouldn't be able to see this file under windows file explorer even if it had written it is this correct ? I have also tried the 1.4 MB version but this just crashes (Win XP) at the write stage. I have a unix box as well if this program is available for this platform I could try that.
It sounds like sods law to me just two hours after corrupting my image a tool is released that would have allowed me to get out of it if only I had applied it first Oh well such is life.
Any help much appreicated.
Richard

XDA developer Itsme said:
this tool runs on your desktop pc,
it requires a working activesync connection.
and also a working windows ce.
it is most useful for people who accidentally selected the same file for bootloader and osimage in xdarit. and are now stuck without a bootloader.
and it provides an easy way to change bootloader for people with a working xda and bootloader 5.17.
Click to expand...
Click to collapse
Hi Itsme. Is there any link to download the bootloader 5.15.
Appreciate if U can post a link. :wink:
Thks.

OCMAX
It is included in the zip file just follow the instructions above. Don't forget if this goes wrong you will have a paper weight so don't do it unless you feel you really need to.
Richard

I think there are many more uses for a romless xda besides weighing on paper. you could also use it as a beercoaster. or it being a nice shine surface might invite you to deposit thin lines of certain powders on it.

xdarit being done writing way to quick is possibly not a good sign, maybe it is writing to the wrong disk?

I guess I'm going to get a chance to try them all whilst I wait for my old laptop to re-load XP (currently Red Hat) in the hope that its simplistic setup might allow the XDArit to function.
Happy sniffing
Richard

YEP 8)
That was the problem although it reported to be writing to the SD card it was actualy writing to my backup drive (No harm done) Once it was on my old laptop there is so little on it that I could quickly see what was going wrong. Anyway thanks for help.
Richard

Richjn said:
OCMAX
It is included in the zip file just follow the instructions above. Don't forget if this goes wrong you will have a paper weight so don't do it unless you feel you really need to.
Richard
Click to expand...
Click to collapse
Ge.. guys thks :lol: .

I just try it with XDA
Cooked ROM 4.00.05 from Jeff, Wallaby 5.17, xdarit 1.02, 256 MB SD Panasonic, time of bootloader -overwrite ROM less than 4 min.
It looks as work well
Thanks for hard working
Waiting for ROM 4.00.10 :roll:

Hi,
This sound like good news. :lol: This tools can re-build my bootloader ? because last time i errased my bootloader (its my fault), untill now i stuck on ROM : 3.04.00 ENG / PW10B1 and can't upgrade ROM for my device anymore. Please show me how to use this tools because i m not expert on computer programer. Sorry for this stupid question and i hope you can help me for this problem.
Many Thanks & nice work for XDA Develeper Team
Regards
Sandy[/quote]

for those who ran into a missing pput.exe.
the http://www.xs4all.nl/~itsme/download/bootloaderfix.zip is now updated,
and contains pput.exe.
pput.exe is also part of http://www.xs4all.nl/~itsme/download/itsutils.zip

Well it worked!!!
Thanks so much. My XDA is once again fully operational. I did run into the missing pput.exe error. But once i downloaded this file it worked like a charm.
Only thing is the result line did not show. So i waited quite some time before i just assumed it was done. And it was. :lol:
Thanks again XDA-developers.
Rico

My Bootloader Back
Hi XDA DEVELOPER Itsme,
I LOVE YOU MAN...hahahahahah i m so happy you help me to solve this problem....many many thanks..and great job. From now i can upgrade my device again...THANKS WILLEM....GOD BLESS YOU.
Regards
Sandy

XDA Developers you a Hero
Hi Guys,
Nice work....2 thumbs up for willem and another XDA Developer guys. You make me happy today.......btw good work. almost 1 month i waitting for help to solve this problem finally you did it...
Many thanks

Itsme
Thanks for help yesterday. As I live in Australia by the time you helped me figure out what was going wrong it was gone Midnight here so having recovered my XDA I went to bed. Got up first thing took a deep breath and ran your bootloaderfix tool and it worked flawlessly
I now have a SD card backup waiting for the next time I mess up
Only problem left is I seem to have one of the units that randomley hard resets itself when you enter the bootloader but thats a small price to pay.
Thanks again to all the Developers this is really great stuff.
Richard

Richjn,
u need turn the phone off before entering the bootloader. if u power it off and enter bootloader, it doesn't hard reset.
alex

mtty.exe & host11.exe ( flashing tools by HTC )

Hi All,
Maybe this is old hat, but is good to know.
I've seen these two programs on the internet made by HTC for the Ipaq:
1) mtty.exe = Multi-Port/USB TTY Version 1.10 2001 by HTC
2) host11.exe = Remote USB update 1.1
The first programme mtty.exe is a flashing utility made by HTC to flash the boot loader ( only *.bin files ) using the serial/USB cable for the Ipaq ( after a reboot using the Wallaby boot loader menu the Ipaq/XDA is connecting in the same way as using the Hyperterminal, spiting all the information about the hardware version and then looking for a *.bin file, containing the boot loader, if found it will start flashing the boot loader).
The second programme host11.exe is a flashing utility also made by HTC to flash the CE Rom only, via Usb, after a reboot using the Wallaby boot loader menu and pressing the “Volume button” on the left side of the XDA (sorry I don’t remember the button on the Ipaq ), will bring you the “Remote USB update 1.1” menu on the XDA as well on the Ipaq. If you have a file named “nk.nb0” located in the same directory with host11.exe, containing the CE Rom for the Ipaq ( probably it will do the same to the XDA) , it will start upgrading the CE Rom.
My question would be, if we can use these two programs to flash the XDA ( using the “wboot515.bin” file to flash the boot loader and “nk.nbf” – contained in Program A ver 3.17.03 CE Rom O2 UK, that we could edit with Ultraedit, cut the first two lines, save it and rename it “nk.nb0”, to flash the CE Rom ) as an alternative to the SD card flashing method ?
Please see down under a small procedure for the IPAQ.
I’ve got these info searching the Ipaq forums.
Mendo

Download the host11.exe file from here:
http://www.ultimatepocket.com/images/host11.exe
I have the mtty.exe program if you can't find it on the internet.
A very good explanation about the Ipaq upgrade using mtty.exe and host11.exe, english document:
http://www.wince.com.br/ftp/ipaq2002v214.doc
These are the links I've used for general info:
http://www.handhelds.org/z/wiki/HosT11
http://www.xonio.com/features/feature_unterseite_8750206.html
http://hardware.pchome.net/2002/07/13/3435.htm

I find this part of the upgrade procedure for the Ipaq very interesting:
-----------------------------------------------------------------------------------
Step 1- Check Pocket PC for Boot loader version number.
A) Establish a physical connection between your iPAQ and Desktop (Serial port). Use the "serial Auto-Sync Cable".
B) Open downloaded software folder. Execute the mtty.exe program on your desktop. Dialog box appears, select appropriate COM port settings. (i.e. COM1, COM2).
C) Press the speaker (game pad button) & reset button (Bottom right corner, you will need your stylus to get to the reset button.) at the same time.
D) Release the reset button, but ensure that you hold the speaker button until you see a parrot. On your desktop (Mtty.exe), you will see the following message being displayed:
******************************************************
InitDebugSerial using SERIAL PORT 3
******************************************************
Main=8C094D30
pTOC=FFFFFFFF
Init SCInitSerial
SCInitSerial-
HTC Integrated Re-Flash Utility for Strong ARM (Macaw) Version: 2.31
This version could be used for Parrot PPSH board to flash boot load
Built at: Mar 8 2001 13:40:39
Copyright (c) 1998-2000 High Tech Computer Corporation
CPU speed = 206 MHz
DRAM speed = 103 MHz
Main- no CF card
FW 0:4:38>
E) Note the Version Number. Since the Version number is 2.31 you will need to upgrade it to 2.43.
Step 2- Upgrade Boot loader Version.
A) Ensure that the mtty.exe & the file mboot241.bin are in the same folder or directory.
B) At the FW 0:4:38> prompt, type "l MBOOT241.bin" (Type as is, minding the case). A new boot loader will be flashed. This will enable one to flash the OS using the USB rather than serial. Since, flashing the OS by serial takes about 30 minutes to complete. The USB connection takes about 4 minutes. IMPORTANT!!!!! Don't remove the cables during this process. This process takes about 1min.
C) Due a cold reset of the device (Bottom right corner, you will need your stylus to get to the reset button).
D) You can check if the program was a success by repeating step 1 C and D. Note that the version number has changed.
-------------------------------------------------------------------------------------
It looks that is posible to use the USB cable to flash the boot loader, not only the serial cable.
Again I am interested if these things are good for the XDA as well, of course using the right boot loader and CE ROM files, as mentioned before.

Bootblaster utility for Ipaq ( very interesting, it would be good to have one for XDA):
http://www.hardce.com/htmlcn/CN/document/023/BACKUP_IPAQ_ROM.htm
Download from here:
ftp://ftp.handhelds.org/pub/linux/compaq/ipaq/v0.30/BootBlaster_1.18.exe

How to flash CE ROM image to the device via USB cable?
Initial condition: Windows 2000 or NT platform. The code being flashed and the flashing tool need to be put under the same directory.
1. Disable USB connection from the Connection Settings in Active Sync
(Uncheck the box for “ Allow USB connection with this desktop computer” )
2. Enter bootloader mode of the device by pressing down power button and soft reset at the same time.
3. Press Record button on the side of the device to enter USB Flash Mode
4. Plug in USB cable to the device, launch “mtty110 – USB” flashing tool and then choose USB port to start re-flashing.
5. Press Enter. Enter command to flash CE image when USB> is present. The command is l followed by the bin file name. For example,
USB> l wallaby233busa_2s.bin
6. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash CE ROM image to the device via serial cable?
Initial condition: The code being flashed and the flashing tool need to be put under the same directory.
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck the box for “allowing serial cable or infrared connection to this COM port” )
2. Launch MTTY flashing tool
3. Connect the device with a desktop vial serial cable and enter bootloader mode by pressing down power button and soft reset at the same time
4. Enter command to copy CE image when FW> is present. The command is l followed by the bin file name. For example, FW> l wallaby233busa_2s.bin
5. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash Bootloader to the device via serial cable?
Initial condition: The code being flashed and the flashing tool need to be put under the same directory.
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck the box for “allowing serial cable or infrared connection to this COM port” )
2. Launch MTTY flashing tool
3. Connect the device with a desktop vial serial cable and enter bootloader mode by pressing down power button and soft reset at the same time
4. Enter command to re-flash bootloader when FW> is present. The command is l followed by the bin file name. For example, FW> l wboot507.bin
5. After code-flashing process is finished, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash CE ROM image from the device to SD card?
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck box for allowing serial cable or infrared connection to this COM port)
2. Launch MTTY flashing tool
3. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button with soft reset at the same time
4. Unplug serial cable from the device, insert 64MB SD card and then plug in serial cable again.
5. Enter command “r2c” to copy CE image to SD card. For example, FW> r2c
6. The message “SD flashing is success” is displayed after the process is finished.
How to flash CE ROM image on SD card to the device?
1. Insert SD card to the device
2. Enter bootloader mode by pressing down power button and soft reset at the same time
3. Press Action button to start SD flashing
4. Message indicates SD flashing is finished. Again, the device needs to be hard reset to ensure the old version is being overwritten.
How to flash GSM code via serial cable?
1. Disable the serial COM port from the Connection Settings in Active Sync (Uncheck box for allowing serial cable or infrared connection to this COM port)
2. Connect the device with a desktop via serial cable and enter bootloader mode by pressing down power button with soft reset at the same time
3. Launch Monitor flashing tool
4. Click “Target” on the menu bar, and choose “Connect…”
5. Enter bootloader mode again when seeing a message to switch on the target
6. Click on “Flash”, Choose “Erase all applications+ bootloader” the last option in the dropdown list
7. Click YES to start flashing
8. Hard Reset the device to ensure the new code overwrites the old one.

and where can I find the BIN file for example ("wallaby233busa_2s.bin"). Upgrading by USB is my only chance (broken SD card slot in MDA)

i have mistakenly installed a T-Mobile ROM on my O2 XDA n i want to switch back to the XDA Developers Special Edition ROM. For some reason the T-Mobile ROM doesnt let me use the setup they have. The SD Card method does not work for me since i do not have an external SD Card writer. Can i use mtty and host11 to do this? Where do i get the bin files that you mentioned?
thanx for your help

Hi Countster,
It's been a while since I was playing with my XDA.
The files I was talking "mtty" and "host11", you can find them on the Internet or post a message on the forum (I use to have them on an old PC in the office but I've lost them together with the bin ROM file), but I also never had to use the USB flash application, back then I was only preparing for the worst case, but my XDA never failed durring the upgrade.
But the best metod as far as I know is the one using an SD card (buy an external SD card reader from Ebay, it's only 15Euro max.)
I found this post on the net and these guys are having problems using the USB tool:
http://www.pdastreet.com/forums/showthread.php?threadid=21433
http://goodhyun.com/archives/2004/08/how_to_dump_new.php
My advice is to use the XDA forum for info and the SD card metod, because as far as I can remember it was the best.
The cooked ROM file should be available somewhere, on the forum.
If you decide to use the host11.exe, you might have to delete (trim) the first two rows of the "rom.bin" file and rename it "nk.nb0" (you need to open the file with an "bin to hex editor" and then delete the two hex encoded rows).
In the case of the T-mobile/O2, the flash application they are using to flash the XDA it is checking, validating and then trim the rom.bin file, after this it will flash the XDA.
A very important thing to know is that it hasn't been confirmed that the "host11.exe" works with the XDA (it might work only with the IPaq).
Apparently it might work to download the file but it is also important at what address (hex address) in the XDA flash memory, the program starts to write the firmware (the bin file). The danger is to overwrite the bootloader or part of it ( the bootloader is like your PC Bios) and this will destroy your XDA , because it wont boot any more and it wont communicate on any port.
I hope that your XDA it is still booting and you haven't lost the boot loader ( it is the worst case ).
My final advice, don't use the host11.exe but instead use the SD metod.
Regards,
Mendo

hmmm seems dangerous.. either i have to RTFM or try to get the SD card writer. thanx for your help!

How to dump new rom image into ipaq using host11.exe
If your OS upgrade image came with UpgradeUT.exe, I mean if you tried to upgrade your ipaq and got the popup screen "HP ROM UPGRADE Utlity v3.15" then the .nbf files couldn't be inserted directly using host11.exe
Certainly, there is a situation you want to dump the rom image into iPaq in a straightforward manner, not guided by the fixed routine. in that case, you have to trim your file's unnecessary portion.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Delete these inversed part and rename it to nk.nb0,
then set your ipaq to the usb memory upgrade mode and run host11.exe.
don't forget to kill activesync when you do this.
goodhyun (2004年08月02日 23:31) Technology
TrackBack
TrackBack URL for this entry:
http://goodhyun.com/mt/mt-tb.cgi/240
*************************************************************
For the XDA, the nk.nbf file should look like this, in the Ultraedit viewer (use Ultraedit to open the file and edit/save it):
00000000h: 50 57 31 30 41 31 2D 45 4E 47 2D 33 2E 31 37 2D ; PW10A1-ENG-3.17-
00000010h: 30 30 31 2D 38 37 32 2D 2D 2D 2D 2D 2D 2D 2D 2D ; 001-872---------
00000020h: FE 03 00 EA 00 00 00 00 00 00 00 00 00 00 00 00 ; þ..ê............
00000030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000050h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000060h: 45 43 45 43 00 10 0A 8C 00 00 00 00 00 00 00 00 ; ECEC...Œ........
Remove this bit "PW10A1-ENG-3.17-001-872---------" (the two hex lines too)
Then save the file and rename it "nk.nb0", then set your XDA to the "USB memory upgrade mode" (using the bootloader menu shortcuts) and run host11.exe.
Don't forget to kill activesync when you do this.
*************************************************************
Be carefull, this procedure can make your XDA useless, I've not done this myself on my XDA, this is info from the net.
Use this metod only if Programme A metod fails and don't use it to upgrade the radio stack.
Regards,
M

http://en.pdamobiz.com/en/forum/PDAforum_posts.asp?TID=406&PN=1
Message << Prev Topic | Next Topic >>
Posted By mottile on 23-Dec-05 at 06:51 Quote
Hi,
I have ipaq 3870. I upgraded to wm2003 using host11.exe and a rom image found in emule. But i had problems with certain software on it, so i decided to go back to 2002. I erased the 32 bytes from the beggining of the rom file, and used host11.exe.
My problems:
No asset tag and SN
No model information when trying to run official rom upgrade.
I have original backup, but i cannot flash it with official upgradeut.exe
motti
Posted By basf on 24-Dec-05 at 16:31 Quote
um .... I seen the communicaiton for this problem in this site before.
edit the rom nk.nb0, offest 01ff000ah to be your asset number.

http://en.pdamobiz.com/en/forum/forum_posts.asp?TID=50
Now what you need is file to upgrade to WM2003 (I don't know where to get now because hp thailand did not support to upgade or sell the upgrade file/Chan).
Upgrade file are compose of 3 files.
1. host11.exe - This program is to flash rom
2. nk.nb0 - rom data or firmware file
3. readme.txt - the method to flash rom
Then you need Hex Editor such as UltraEdit-32 (if you don't have one, try search google.com) to Edit nk.nb0.
UltraEdit-32 will show 3 parts,
First "0xxxxxxxh:" (shown the line and address of data)
Second in the middle is data in hex (on top there is ruler from 0 to f but if you can not see just go to set at menu at view > display ruler), then you can see at first line or address at 01ff0000h: = 31, 01ff0001h: = 00, 01ff0002h: = 2E, 01ff0003h: = 00, 01ff0004h: = 31, ....
Third is "ASCII CODE"
Picture 1 show Mark at Address 01ff000ah
Picture 2 show Mark at Address : 01ff0e00h
At this point that we have to change data in file nk.nb0, start from 01ff000ah: to 01ff0020h:
The original file "nk.nb0" show "ASCII CODE" in that position are "4.G.2.3.D.W.3.4.M.1.N.0". These numbers are Asset Tag # and Serial # that you have to use from your ipaq, can be found at the back at S/N.
Then Click at "ASCII CODE" in the position of Address that you want to change, this case have to click at number 4. Then key input the first digit of your ipaq S/N, then click at G and key input your second S/N until finish all number.
You also have to do the same thing at address 01ff0e00h to 01ff0e14h.
If complete correction all numbers, just save the file.
Next is to disable active sync, there are two method:
1. At Microsoft ActiveSync at PC, Click at File > Connection Settings... > "Unmark" (Click to uncheck) at CheckBox "Allow USB connection with this desktop computer" > OK.
or
2. End Process "wcescomm.exe", call "Windows Task Manager" by press three botton Ctrl, Alt, Del then at Tab "Processes" Click at "wcescomm.exe" then click at "End Process" botton.
Now at ipaq 38xx have to set in Mode "Remote USB Update"
Press botton 2 (Default : Contacts Button) and botton 4 (Default : iTask Button) and Power on botton then use stylus press at Reset (small hole at bottom of ipaq) wait until on the screen has message " Remote USB Update"
Put ipaq to usb cradle, and connect battery charger ac adapter for safty purpose.
Then Run "host11.exe"
(If the message "USB Lost connection" come out continuous, that means the connection has a problem, just take out ppc from cradle, retart your pc and reset PPC, then make PPC Mode to "Remote USB Update" then try runing file "host11.exe" again)
Start to update, now at 7 %
Nearly finish.
If there is no problem flash rom process will be finish as the message "Flash Done." at PC.
At PPC screen.
Then take out PPC from cradle and soft reset it. Now the screen of PPC will be pink color and Version of OS in the right bottom will be 4.00. Then wait for a while, everything will be as we just hard reset.
(in cause the screen in pink color wait too long, just do hard reset, vai presss at botton 1 (Default : Calendar Button) and botton 4 (Default : iTask Button) then use stylus press at reset, then wait till pink screen come again.)
Finally, you are now using WM2003 with your ipaq 38xx.
====================
If you use method 1 to disable usb of microsoft active sysnc.
You have to enable USB at Microsoft ActiveSync to sync all data back from PC to PPC.
- Connect PPC to USB Cradle
- Call Microsoft ActiveSync at PC
- Click ??? File > Connection Settings... > Click at botton Get Connected...
- Microsoft ActiveSync, check at CheckBox "Allow USB connection with this desktop computer"
- Then the program will ask for Set Partnership (I used default name as "Pocket_PC")
If you use method 2 of disable usb.
- Call Microsoft ActiveSync at PC
- Connect PPC to USB Cradle
- Click ??? File > Connection Settings... > Click at botton Get Connected...
- Microsoft ActiveSync, check at CheckBox "Allow USB connection with this desktop computer"
- Then the program will ask for Set Partnership (I used default name as "Pocket_PC")
====================
# Finally, you have ...
iPAQ 38xx "Old one" but "new OS" that change from PPC2002 to WM2003 (or Windows Mobile 2003) and Asset Tag # ??? Serial # are still the same as before.
To Check Asset Tag # and Serial #, at PPC Tap Start > Settings > System > Asset Viewer > Identity.
What you will fine new thing from PPC2002.
- Beautiful Bluetooth Icon.
- New Connections at Setting... may make you a little confusing.
- New bar of set volume.
- One more game, Jawbreaker (from only Solitaire).
- Faster Add/Remove Program.
- Overall are faster
====================
# Thanks to K. ImHoTep so much to suggest me many thing untill I can solve all problem.
# and thanks to K. pat2545 that guide me at first.
# and thank to all members that test and exchange experience in the forum.
(I have to thanks to K.Shine so much for contributing the detail method/howto, that make thing much more easier/Chan)

mendo said:
Download the host11.exe file from here:
http://www.ultimatepocket.com/images/host11.exe
I have the mtty.exe program if you can't find it on the internet.
A very good explanation about the Ipaq upgrade using mtty.exe and host11.exe, english document:
http://www.wince.com.br/ftp/ipaq2002v214.doc
These are the links I've used for general info:
http://www.handhelds.org/z/wiki/HosT11
http://www.xonio.com/features/feature_unterseite_8750206.html
http://hardware.pchome.net/2002/07/13/3435.htm
Click to expand...
Click to collapse
I'll be very gratefull that you send mtty to [email protected]
I have problems with hp 5550

Here is a file IO monitoring tool for WM5

I've wrote a tool that hooks CreateFileW function and writes its parameters and a name of a caller process to "\Storage Card\fileio.txt" file. Here is a sample output:
Code:
Hooked CreateFileW...
17FB4002: CreateFileW("\Windows\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Windows\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 2 ("\Windows\nk.exe")
17FB4002: CreateFileW("\Release\CePerf.dll.dll",a0000000,1,0,3,0,0) -> FFFFFFFF, Err: 3 ("\Windows\nk.exe")
B6FA4402: CreateFileW("RIL1:",c0000000,0,0,3,0,0) -> F6769D16 ("\Windows\shell32.exe")
B6FA4402: CreateFileW("\windows\Default_stwater_240_320.gif",80000000,0,0,3,80,0) -> FFFFFFFF, Err: 2 ("\Windows\shell32.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> 165DD2AE ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\4TEF45QZ\SyncStat[1].dll",40000000,3,0,1,10000080,0) -> 7661E6E6 ("\Windows\repllog.exe")
16DD2DCA: CreateFileW("\Windows\ActiveSync\CtrlLog.txt",40000000,3,0,4,0,0) -> B65DD2F6 ("\Windows\repllog.exe")
575A36A6: CreateFileW("BAT2:",c0000000,0,0,3,0,0) -> 3660EBD2 ("\Windows\device.exe")
It would also create file "Log.txt" in the root directory with some diagnostics information.
The program works only under WM5, though it can be recompiled for older OSes. The idea is simple - hooking SystemAPISets table.
I can give the source code of the tool for someone who would finisth the project: add logging of CreateFileForMappingW, DeviceIOControl and registry functions.
Installation process:
copy TestApiSetHookDll.dll and TestApiSetHook.exe to \Windows directory on the device and run TestApiSetHook.exe. It would output a message "CreateFileW hooked" and logging would start. To stop logging reboot your device.
This program may conflict with the installed antivirus programs on PocketPC, so use it on your own risk.

mamaich - I'd be interested in looking at the code if you don't mind; I'm interested in hooking system functions, but I'd like to use this tool on WM200se as well.. Please PM if you don't mind sharing it..
V

Hi there,
I was looking for some ways to hook the DeviceIOControl function.
mamaich, would be great if you would like to share the source code.

Do you think it's possible to hook all RIL API using the same method?
Could you post the source code?
Thanks.
Bye
Sektor

Attached the source code
About hooking RIL. This method cannot be used, there are different ways to hook RIL functions.
Regarding DeviceIOControl. My other tool that hooks EnterCriticalSection function can be used to hook it, the trap address to hook is 0xF000E3D4

Thank's so much Mamaich. I've got nothing to use it for right now, but you've got my very sincerest thanks, as ever!
V

Hmm....
This + CeRegSpy == install logger = making proper uninstalls possible
/me crosses fingers

Thanks Mamaich.
Could you explain me the different ways to hook RIL functions, please?
Bye
Sektor

Sektor said:
Could you explain me the different ways to hook RIL functions, please?
Click to expand...
Click to collapse
You may try this - http://www.xs4all.nl/~itsme/projects/xda/rilhook.html
Or if you are hooking RIL for only one program, you can just patch its import table on the fly, or RIL.DLL export table. The process is almost identical for hooking DLL exports on a normal PC.

What changes are required in order to make it work under WM 2003SE for example?

this is obvious - internal WM structures in undoc.h should be changed

Mamaich - very interesting code, how would I go about hooking the file close events?
Have tried hooking method 0 of w32 API (20) but the handles look wrong.
Also tried mapping the File API, but the SysytemAPISet[7] doesn't seem to have any methods - but I know it must be loaded,
very confused...

I see this is using PerformCallback4. Apparently that function would be killed off in WM5, how come you can still use it ?

TheBlasphemer said:
I see this is using PerformCallback4. Apparently that function would be killed off in WM5, how come you can still use it ?
Click to expand...
Click to collapse
I think that this function fould be left forever, but it would be allowed to be called only from trusted apps. And even if it is removed - there are dozens of other methods that can inject your code into address space of other process or kernel.
2 mgargett
Regarding hooking CloseHandle. Maybe hooking 0xF0010000 would not be enough, but if you'll look into its disassembly:
Code:
CloseHandle
04 E0 2D E5 STR LR, [SP,#var_4]!
1C 30 9F E5 LDR R3, =unk_1FFFA54
00 30 93 E5 LDR R3, [R3]
00 00 53 E3 CMP R3, #0
0C 30 9F 05 LDREQ R3, =Int_CloseHandle
0F E0 A0 E1 MOV LR, PC
13 FF 2F E1 BX R3
04 E0 9D E4 LDR LR, [SP],#arg_4
1E FF 2F E1 BX LR
you'll see that unk_1FFFA54 may be set to an address of a function that would be called instead of CloseHandle. For example this method is used by LMemDebug.DLL.
Of cause unk_1FFFA54 would have different addresses on different devices, but this is not a problem.

Hi mamaich.
I've tried to change the code from testcritsect.rar to hook DeviceIoControl function.
However, because my wisdom in that area is not far away from 0, the program doesn't work as expected.
Code:
if(SystemAPISets[ApiSet]->cMethods<=Method)
{
puts("Invalid method number");
return 0;
}
The program ends in the if above. Don't know what I have wrong.
As you said above, I did that: #define FAULT_ADDR 0xF000E3D4 //DeviceIoControl
Are you sure this is the right number?
BTW, how did you get all this info?
I mean:
CreateFileW 0xF000AFDC
TakeCritSect 0xF000FF20
MessageBoxW 0xF000BB38

This is very interesting.
Would it be 'easy' to adapt it in order to catch registry modifications?
CERegSpy, doesn't work well for WM5.0. At least it doesn't work at all with my Qtek 9000.

Isn't there a WM5 update for CERegSpy available from the Author?
V

vijay555 said:
Isn't there a WM5 update for CERegSpy available from the Author?
V
Click to expand...
Click to collapse
At least not at its website http://www.forwardlab.com/ceregspy.htm
Still on release 1.0
Does someone knows about a newer version?

ZeBoxx does I think. But you have to write to the author for the new version.
V

Yep... I've got a WM5 version, but the evaluation download location doesn't work anymore - didn't keep a copy around, I'm afraid :/
So just write to the author, and you should be able to get the preliminary WM5 version. Alternatively, I think the app mentioned here *could* be coded about to keep an eye on the registry as well. But I'm no coder

[Q]Wrong IPL and SPL - will not come out of tri-color - Any help on command lines?

Hi
Other Affected Users with OEM P3450 Bricks:
Orange UK (x2) - Both Fixed by Olipro
Orange FR (x3) - One Fixed by Olipro
T-Mobile UK (x1) - Fixed by Olipro
T-Mobile Italy? (x1)
Vodafone Spain (x1)
Click to expand...
Click to collapse
I stupidly risked loading a new ROM without seeing anyone else's feedback first! (last time I will do that!)
This was the ROM:
http://forum.xda-developers.com/showthread.php?t=378704
I ran
http://forum.xda-developers.com/showthread.php?t=320155
then I loaded the ROM
It loaded to 1% then the device reset then continued to 2% and reset again then came up with error 297 "invalid vender id"
and reset again.
I now have
IPL 2.20.0002
SPL 2.28.0000
tri colour display which I have tried to fix using the MTTY program
http://forum.xda-developers.com/showthread.php?t=347700
and when I type "ResetDevice" I wind up back at the tricolour
When I plug in the USB it shows in the white/grey strip at the bottom of the screen but I now get errors like
"corrupted image" if I try to load my original ROM
or
"Invalid vender id" from other images
I dont recall the IPL being 2.20.0002 before!
I have tried the rename of the .nbh file on a freshly formatted (FAT32) memory card and boot and saw a "Checking SD" then "certificate not valid" message then back to the tri-colour screen TSoD (tri-color Screen Of Death).
Can anyone help me?
Yours
Leon

I've done some tinkering - I figured, the thing is dead, dead, dead. So... what the h.
Some interesting commands are available at the MTTY screen but I cannot find a reference anywhere to them and the onboard OS help is not helpful.
Cmd>password BsaD5SeoA
Pass.
<snip usual initialisation messages>
Interesting:
Cmd>set g_cKeyCardSecurityLevel = 0
Cmd>ResetDevice
This makes the RUU indicator turn on in the top right of the tri-color screen
And this
Cmd>password BsaD5SeoA
Pass.
<snip usual initialisation messages>
Cmd>set MTTYDownloadImage = 1
Makes the screen go dark like when the Penguin Boot Loader file is transferred
Does anyone have any info on the commands that can be issued to the firmware?
Yours
Leon

Cmd>ruurun 1
Cmd>ResetDevice
Will give RUU in top right corner of Tri-Color

g_cKeyCardSecurityLevel = FF ------- MEANS NOT CID UNLOCKED
g_cKeyCardSecurityLevel = 0 --------- MEANS CID UNLOCKED
Go here, may be u will find this thread useful.
Elf/Elfin Original Roms Model Id & Cid Id List
Have a nice day.

exactly the same thing happened to me. and i have IPL 1.14.0002 and SPL 2.28.0000. what the f...k

CyZeeK said:
g_cKeyCardSecurityLevel = FF ------- MEANS NOT CID UNLOCKED
g_cKeyCardSecurityLevel = 0 --------- MEANS CID UNLOCKED
Go here, may be u will find this thread useful.
Elf/Elfin Original Roms Model Id & Cid Id List
Have a nice day.
Click to expand...
Click to collapse
Hi CyZeeK
Sadly, I had already read this and tried each of the ROMs listed in turn.
Incidentally your link is how I determined the command:
"set g_cKeyCardSecurityLevel = 0" - kudos to you mate.
Thanks for responding though
Yours
Leon

dimushor said:
exactly the same thing happened to me. and i have IPL 1.14.0002 and SPL 2.28.0000. what the f...k
Click to expand...
Click to collapse
You'll be the 5th person I have heard of with the same problem which seems to be limited to OEM versions of the P3450, a false-positive from the CID unlocker and a "new" p3450 ROM.
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Yours
Leon

leondaphillips said:
You'll be the 5th person I have heard of with the same problem which seems to be limited to OEM versions of the P3450, a false-positive from the CID unlocker and a "new" p3450 ROM.
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Yours
Leon
Click to expand...
Click to collapse
My device was from Orange France

dimushor said:
My device was from Orange France
Click to expand...
Click to collapse
Which version of the CID unlocker did you use before trying to flash the ROM?

leondaphillips said:
Which version of the CID unlocker did you use before trying to flash the ROM?
Click to expand...
Click to collapse
I used USPL v 1.0

Okay that's two for two.
1. Which ROM file did you load?
2. Did it fail at 2% reset annd continue to 3% before failing giving a "Image corrupted" error some other error message?

i tried to load the same rom as you did. in general, i had exactly the same situation as you did. too bad that i did not read what you wrote before in the thread about thi rom

leondaphillips said:
Can you tell me what the branding of your mobile is?
The others have
Orange UK (x2)
T-Mobile UK (x1)
T-Mobile Italy? (x1)
Click to expand...
Click to collapse
Also I broke my device, it is from Orange France:
45 4C 46 30 31 30 30 30 30 00 00 00 00 00 00 00 ELF010000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
4F 52 41 4E 47 32 30 32 00 00 00 00 00 00 00 00 ORANG202........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............

Hi VoyajMD
I am really sorry to hear you are in the same boat. We'll work together to cash our paper-weights in to working phones again if at all possible.
I just need to locate an original code signed RUU ROM from Orange and I believe that will get us all back on line. (I say *just* but you know how hard that might be!)
Any chance you could locate your original signed ROM image or get one from Orange Support In France? Are Orange support in France as bad as they are in the UK? (i.e. forget it they wont be helpful)
Yours
Leon

I have also done the same mistake...
But some how recovered using my original rom Asia HK version..
( My actual rom is India Airtel locked version 1.11.720.**)
and my device got recoverd...
u too try friends....

Hi.
If you're CID locked and still up **** creek, I can sort you out.
Of course, time is money, I'm a busy bloke, PM me

I have the original Orange France ROM, but it does not help. my device is also from orange france

U can try with other roms tooo.. Hard Reset your device,, Then flash it from memory card...

Olipro said:
Hi.
If you're CID locked and still up **** creek, I can sort you out.
Of course, time is money, I'm a busy bloke, PM me
Click to expand...
Click to collapse
Will do - thanks for the offer

my device always gives me "searching for SDcard" when it enters the bootloader

Can't connect to internet after installing 5.3 ipaq 910c wm6.5 update

Before, with the original ROM, I had problems connecting to a secure network (WPA), but was able to connect to unsecured networks, after installing mon's 5.3, I can't connect to ANY wireless network at all
When I press connect, it says connecting, screen freezes for a sec, than the words go blank, after another sec, it goes back to the original screen (selection)
I been searching around, but can't find any answers, the "closest" I got was this link: which I apparently can't post yet lol
Problem
"I now know the problem why the both devices couldn't connect to any wifi accesspoint.
samsung settings -> system -> version -> device -> WIFI.
the MAC address was: FF FF FF FF FF FF
that's the broadcast address for ethernet ...
So If you check Erase NV PDA & Erase CSC you get this problem.
after downgrade to your old 6.1 ROM... we have BACK a normal MAC address.. BUT !!!!
now we have the SAME mac address and probabely the same mac as you: 00 00 00 FF FF 58
We upgrades again to 6.5. and stil the same mac 00 00 00 FF FF 58
( so we can't connect simultanious to the same access point )
Is there anyway to solve the MAC problem ?
thank you."
SOLUTION:
I try change register HKEY_LOCAL_MACHINE\Software\Samsung\WiFi "MACADDRESS" to 60D0A9........ but after soft reset is FF FF FF FF FF FF back :-(
tired via Admin menu?
1. type: *#1546792*#
2. choose "Internal"
3. Type as pwd: *#0807#
4. choose WiFi MAC address
5. type pwd: 1234
6. Set MacAdress
7. Execute
Of course you do it at your own risk!"
I don't think it applies to me though....
Does anyone have any advice?
(I tried a hard reset, still didn't help)
Thank you for your time and help!