Bootloader password needed to make a dump of the ROM - 8125, K-JAM, P4300, MDA Vario Software Upgrading

I decided to tinker in the Wizard's bootloader mode. I found that the "d2s" command that people have used on other devices' bootloader mode does not work on the Wizard. However, the "r2sd" command does allow you to write a specific portion of the ROM to a memory card... provided you can provide the right password to enable the feature. Right now, I'm getting this error message:
Code:
Cmd>r2sd all
***** user area size = 0x1E980000 Bytes
R2SDBackup() - Download type = 6
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
Cmd>
According to other people performing ROM dumps and accessing bootloader commands, you need to type "password [password]" and you'll be able to get the "proper security level." The only problem is, what do I put in for [password]? I've tried WIZARD and PRODIGY and TYPHOON, since those were the passwords of the previous devices, but none work so far. Apparently, if I get the right password, I'll be greeted with a different prompt.
By the way, if we get the right password, this is what the "r2sd" command can supposedly grab.
Code:
Cmd>r2sd
Usage:
r2sd (ipl/spl/splash/os/gsm/ffs/all/gsmdata/diag/extrom/htclogo)
Backup DOC image to SD card .
Cmd>
Hey, I see the words "splash" and "htclogo" in there! So, anyone got any bright ideas?

BeyondtheTech said:
Code:
Cmd>r2sd
Usage:
r2sd (ipl/spl/splash/os/gsm/ffs/all/gsmdata/diag/extrom/htclogo)
Backup DOC image to SD card .
Cmd>
Did you try "r2sd os" or "r2sd gsm"?
what is the result from these commands?

Is the Wizard bootloader locked? If so, is there any way to unlock it?

If you have it unlocked at imei-check.com (even with no simlock), you will get a new bootloader installed, and from there you can dump without a password.
Cmd>r2sd all
***** user area size = 0x1E3E0000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
Start address = 0x80000000 , Length = 0x800
Start address = 0x80000800 , Length = 0xC0000
Start address = 0x800C0800 , Length = 0x40000
Start address = 0x80100800 , Length = 0x280000
Start address = 0x4E3D4C0 , Length = 0x3900000
Start address = 0x743D4C0 , Length = 0xA00000
SD user size = 0x1E3E0000, Image total size = 0x4680800
1 Start=0x80000000, Length=0x800, Checksum=0xEC197E45
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x800
WriteDataToSDCard() ulTargetSDAddr=0x200 pusSourceAddr=0x8C100000 dwTotalBlock=0x4
-WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x800
2 Start=0x80000800, Length=0xC0000, Checksum=0xB73A3E59
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0xC0000
WriteDataToSDCard() ulTargetSDAddr=0xA00 pusSourceAddr=0x8C100000 dwTotalBlock=0x600
-WriteDataToSDCard() - pusSourceAddr = 0x8C180000 , ulSourceLength=0xC0000
3 Start=0x800C0800, Length=0x40000, Checksum=0xDE71BB6B
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x40000
WriteDataToSDCard() ulTargetSDAddr=0xC0A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x200
-WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x40000
4 Start=0x80100800, Length=0x280000, Checksum=0xCCF373AE
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x280000
WriteDataToSDCard() ulTargetSDAddr=0x100A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x1400
-WriteDataToSDCard() - pusSourceAddr = 0x8C380000 , ulSourceLength=0x280000
5 Start=0x4E3D4C0, Length=0x3900000, Checksum=0x7754CD01
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0x3900000
WriteDataToSDCard() ulTargetSDAddr=0x380A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x1C800
-WriteDataToSDCard() - pusSourceAddr = 0x8FA00000 , ulSourceLength=0x3900000
6 Start=0x743D4C0, Length=0xA00000, Checksum=0x91C3A10A
+WriteDataToSDCard() - pusSourceAddr = 0x8C100000 , ulSourceLength=0xA00000
WriteDataToSDCard() ulTargetSDAddr=0x3C80A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x5000
-WriteDataToSDCard() - pusSourceAddr = 0x8CB00000 , ulSourceLength=0xA00000
Double Check 0 Start=0x80000000, Length=0x800, Checksum=0xEC197E45
Double Check 1 Start=0x80000800, Length=0xC0000, Checksum=0xB73A3E59
Double Check 2 Start=0x800C0800, Length=0x40000, Checksum=0xDE71BB6B
Double Check 3 Start=0x80100800, Length=0x280000, Checksum=0xCCF373AE
Double Check 4 Start=0x4E3D4C0, Length=0x3900000, Checksum=0x7754CD01
Double Check 5 Start=0x743D4C0, Length=0xA00000, Checksum=0x91C3A10A
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
+WriteHTCSignature,download type = 5
Common Info Checksum=0xC8AFBD04
-WriteHTCSignature...
grtx , arnold
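
Added example (not part of the original posts): the `r2sd all` log above records where each flash region lands on the SD card, so the layout can be re-derived and sanity-checked on a PC before a dump is trusted. The code below parses that log, confirms the "Double Check" pass matches the first pass, and slices a region out of a raw card image. The function names are hypothetical, and the 512-byte signature table at the start of the card is an assumption taken from the first write landing at 0x200.

```python
import re

SECTOR = 512  # sizeof(SDCARD_SIGNATRUE_TABLE) in the log; assumed SD sector size

# Excerpt of the "r2sd all" log posted above (+/- trace lines dropped).
LOG = """\
SD user size = 0x1E3E0000, Image total size = 0x4680800
1 Start=0x80000000, Length=0x800, Checksum=0xEC197E45
WriteDataToSDCard() ulTargetSDAddr=0x200 pusSourceAddr=0x8C100000 dwTotalBlock=0x4
2 Start=0x80000800, Length=0xC0000, Checksum=0xB73A3E59
WriteDataToSDCard() ulTargetSDAddr=0xA00 pusSourceAddr=0x8C100000 dwTotalBlock=0x600
3 Start=0x800C0800, Length=0x40000, Checksum=0xDE71BB6B
WriteDataToSDCard() ulTargetSDAddr=0xC0A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x200
4 Start=0x80100800, Length=0x280000, Checksum=0xCCF373AE
WriteDataToSDCard() ulTargetSDAddr=0x100A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x1400
5 Start=0x4E3D4C0, Length=0x3900000, Checksum=0x7754CD01
WriteDataToSDCard() ulTargetSDAddr=0x380A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x1C800
6 Start=0x743D4C0, Length=0xA00000, Checksum=0x91C3A10A
WriteDataToSDCard() ulTargetSDAddr=0x3C80A00 pusSourceAddr=0x8C100000 dwTotalBlock=0x5000
Double Check 0 Start=0x80000000, Length=0x800, Checksum=0xEC197E45
Double Check 1 Start=0x80000800, Length=0xC0000, Checksum=0xB73A3E59
Double Check 2 Start=0x800C0800, Length=0x40000, Checksum=0xDE71BB6B
Double Check 3 Start=0x80100800, Length=0x280000, Checksum=0xCCF373AE
Double Check 4 Start=0x4E3D4C0, Length=0x3900000, Checksum=0x7754CD01
Double Check 5 Start=0x743D4C0, Length=0xA00000, Checksum=0x91C3A10A
"""

HEX = r"(0x[0-9A-Fa-f]+)"
REGION = re.compile(rf"^\d+ Start={HEX}, Length={HEX}, Checksum={HEX}", re.M)
WRITE = re.compile(rf"^WriteDataToSDCard\(\) ulTargetSDAddr={HEX} .*dwTotalBlock={HEX}", re.M)
CHECK = re.compile(rf"^Double Check \d+ Start={HEX}, Length={HEX}, Checksum={HEX}", re.M)
TOTAL = re.compile(rf"Image total size = {HEX}")

def parse_r2sd_log(text):
    """Return (regions, problems) for an R2SDBackup log; problems is empty if consistent."""
    h = lambda s: int(s, 16)
    first = [tuple(map(h, m)) for m in REGION.findall(text)]
    writes = [tuple(map(h, m)) for m in WRITE.findall(text)]
    second = [tuple(map(h, m)) for m in CHECK.findall(text)]
    total = TOTAL.search(text)
    problems = []
    if not first:
        problems.append("no regions found in log")
    if len(writes) != len(first):
        problems.append("region/write count mismatch")
    if second != first:  # also fires when the log was cut before the second pass
        problems.append("double-check pass differs from first pass")
    if total and h(total.group(1)) != sum(length for _, length, _ in first):
        problems.append("region lengths do not add up to image total size")
    regions, expected = [], SECTOR  # assumption: sector 0 holds the signature table
    for (start, length, csum), (sd_addr, blocks) in zip(first, writes):
        if sd_addr != expected:
            problems.append(f"region at {start:#x}: SD offset {sd_addr:#x}, expected {expected:#x}")
        if blocks * SECTOR != length:
            problems.append(f"region at {start:#x}: block count does not match length")
        regions.append({"start": start, "length": length,
                        "checksum": csum, "sd_offset": sd_addr})
        expected += length
    return regions, problems

def carve(image, region):
    """Slice one region out of a raw SD card image read back on a PC."""
    end = region["sd_offset"] + region["length"]
    if end > len(image):
        raise ValueError("image is shorter than the logged layout")
    return image[region["sd_offset"]:end]
```

The logged checksum algorithm is not stated in the thread, so the code only compares the two passes against each other and does not recompute the values.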

but the http://www.imei-check.co.uk/m3000unlock.php doesn't provide service for dopod 838.

Mhh, I think it's for all HTC Wizard based phones.
But not sure.
did you mail them already???

Money money
Hi,
28 € for what we used to do for free ??????
Not interested !

Re: Money money
eurorpeen said:
Hi,
28 € for what we used to do for free ??????
Not interested !
We??? ......If you want to unlock it now there are two options: Paying 28 Euro at i-mei check or paying 120 Euro at T-Mobile.
There is no free unlocking tool yet.

that's your own choice .
I'm convinced that between now and 1-2 months the tools are freely available.
Only i'm still in switching numbers , and would like to use my old orange card for the time being.
so it's worth the e28 to me.
(and got a passfree bootloader)
But i didn't say you have to do it...
grtx , arnold

Not for me
Hi,
By "we", I was saying "the users of the previous models"
And no, if I can, I will not pay 28 € to unlock a phone that will be obsolete before 6 months.
Do you see its successor (for 03/2006) ? A beauty with UMTS and everything else, even an Intel 416 MHz processor.
So for the moment, my S110 will continue to work flawlessly

Hi all,
I want to flash the Qtek rom onto my vario as it's giving me nothing but grief, could someone please tell me how do i backup my t-mobile rom so that i can restore it at a later date?
I see talk of this r2sd command, but how do i send that to the phone? how do i then restore this backup from the SD? is there an app i can run which will save the backup to a file so i can save it on my pc for restoration later?
Thanks in advance
P.S : I have unlocked the phone using the software at imei-check.co.uk

@belial
http://forum.xda-developers.com/viewtopic.php?t=32866

Thank you arnoldl, i'll go try flash with the qtek one now, can't do any harm anyway as in it's current state it's next to no use


How to backup ROM for the SPV M3000

I tried to use the 'tera term pro' and send the command : r2sd all
I got the message :
Cmd>r2sd all
***** user area size = 0xF140000 Bytes
R2SDBackup() - Download type = 6
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
I need the password for the command password [password] to be able to dump the rom
Any ideas ?
Thx a lot for help

How to pdocread Extended Rom ?

Hi All,
I used aWizard to read out my Wizard's ExtRom, but do not know how to write it back.
I want to read out the ExtRom in .nba format, I studied the aWizard , I believe since " pdocread.exe 0 0x3900000 ROM\OS.nba " can read out the os, then theoretically " pdocread.exe ??? 0xA00000 ROM\ExtRom.nba " should be able to read out ExtRom in .nba format.
I do not know about programming, can someone be kind enough to point out what the ??? in above should be.
Will the following info has some hints?
Cmd>r2sd all
***** user area size = 0x1E100000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
Start address = 0x80000000 , Length = 0x800 (IPL)
Start address = 0x80000800 , Length = 0xC0000 (SPL)
Start address = 0x800C0800 , Length = 0x40000 ( )
Start address = 0x80100800 , Length = 0x280000 (GSM)
Start address = 0x4E3D4C0 , Length = 0x3900000 (OS)
Start address = 0x743D4C0 , Length = 0xA00000 (EXTROM)
Thanks a lot!
Any idea about " pdocread.exe 0 0x3900000 ROM\OS.nba "?
Is 0 the starting offset address & 0x3900000 the size of the os rom part?
I have read the info in wiki.xda-developers.com, but my programming knowledge is too bad for me to understand it!
(just for reference), i posted a detailed explanation on http://www.spv-developers.com/forum/showthread.php?t=2888
willem

Anyone can help me?

I updated from WWE to 1.3.13.7CHT. I have the 2.18.13.2 CH ROM, but can't update again; the error code is 296.
I used MTTY to load 838 rom, but the trouble again.
r2sd all
***** user area size = 0x7820000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
Anyone can solve my problem!
THX

Trinity bootloader

i'm using the hermes/artemis reference to see what works and not
first: almost all other commands give the "Command Error"
the wdata exists and gives: Command is Locked!
The first thing will be to get into the radio bootloader - seems that the password is fixed. As far as the bootloader I hope that it can be downgraded.
---
info 2:
HTCSHTC__102Ã;¿HTCE
info 3:
HTCST
info 4:
IsAllBytesTheSame-: dwLength=8, bResult=0
HTCSHTC__102Ã;¿HTCE
info 6:
HTCST ÚÈÒHTCE
info 7:
HTC Integrated Re-Flash Utility, Common Base Version : 1.51b
Device Name: TRIN100, Bootloader Version : 1.06.0000
Built at: Oct 19 2006 20:31:29
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0xA
Main Board version=0x5
info 8:
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
-----
task 32 : Level FF
-----
checkimage
IPL CRC checksum = 0x96BE3C47
SPL CRC checksum = 0xBA45D40C
CE CRC checksum = 0xE86D6EC6
ExtROM CRC checksum = 0x3FBE8D13
Radio Image CRC checksum = 0xAB599ED8
-----
progress - shows bar
SD Upgrade
I tried the SD upgrade method.
I placed an nbh file on it called TRINIMG.nbh but after checking it gave me "NOT ALLOW" 00028002
Any idea?
As your seclevel is FF, the CID on the NBH should be the same as on your device. info 2 shows your CID = HTC__102 (HTC Germany), so you need to put an HTC German ROM in the TRINIMG.nbh file or CID unlock your device.
Nice work on the bootloader
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
getdevinfo
ResetDevice
progress
ruustart
rbmc
password
info
task
emapi
btrouter
wdata
lnbs
erase
checkimage
checksum
wdata
wdatah
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
excellent. i'm in office only with my trusted Universal (i'll fill up all the info tonight).
from artemis Wiki:
Artemis Bootloader Password
Seems that artemis bootloader password is static: BsaD5SeoA
If you enter this password in mtty terminal, you may not be able to boot device into Windows, only in bootloader. Be careful.
It's meaning that Artemis has the same bootloader (or similar) with trinity.
The question: why it cannot get out from the bootloader ??
decebal said:
It's meaning that Artemis has the same bootloader (or similar) with trinity.
No, if you compare SPL they are very different one from the other.
Trinity's SPL is more similar to Hermes SPL, but Artemis SPL is different.
decebal said:
The question: why it cannot get out from the bootloader ??
probably you just need to 'set 14 0' or hard reset to go back to OS, I don't know... the wiki edit was done by fdp24, he can probably explain
pof said:
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
Cmd>getdevinfo
GetDevInfo: Get CID OK
HTCSTRIN100HTCE
--
Reset Device - works
--
Progress - works
--
ruustart - blocked - hard reset needed
--
rbmc - not working
--
password works with the password BsaD5SeoA
--
info - works as in wiki
--
task - works as in wiki
--
emapi and btrouter - blocks the device
--
wdata - works with the password provided
--
lnbs - not working
--
erase - working
HTCST ÚÈÒHTCE
--
checkimage - working as in wiki
--
checksum - seems working
--
wdatah - not working
seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
thanks
Nice work on the wiki decebal
Answers to your comments:
rbmc and lnbs - probably only work on SuperCID devices.
emapi and btrouter - I think it switches to wlan or bluetooth and disables USB connection.
wdata and wdatah - In Hermes, wdatah is for flashing NBH and wdata for flashing NBF in preproduction devices. Have you captured a full ROM upgrade using USB monitor? Which one does the RUU use? Probably it has a dynamic password which enables wdatah for NBH files. Does 'info 3' work as in Hermes (you need to watch USB monitor output, can't see it in mtty generally)?
decebal said:
seems that the 1.06 is somehow limited as bootloader. how can we get the 1.04 or other upgrade solution ??
Generally by flashing a ROM matching your CID with bootloader 1.04.
rbmc is not in spl in Artemis device. On Trinity probably too.
These are some commands for Artemis:
Could be similarity for Trinity
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
*****************************************************************************************************
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
*****************************************************************************************************
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
*****************************************************************************************************
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
*****************************************************************************************************
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
*****************************************************************************************************
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
*****************************************************************************************************
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
*****************************************************************************************************
Cmd>emapiPwrDwn
*****************************************************************************************************
Cmd>emapiRead
Parameter Wrong!!
*****************************************************************************************************
Cmd>getdevinfo
Need password!
*****************************************************************************************************
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
*****************************************************************************************************
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
*****************************************************************************************************
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
*****************************************************************************************************
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
*****************************************************************************************************
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
*****************************************************************************************************
Cmd>ResetDevice
no comments
*****************************************************************************************************
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
*****************************************************************************************************
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
*****************************************************************************************************
Cmd>GPSRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
Dump code to mtty console.
*****************************************************************************************************
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
*****************************************************************************************************
password BsaD5SeoA - this is static password used during flashing device. (USB sniffer)
battery seems to be charging during bootloader.
If you get stuck at bootloader during manipulations with commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run rom flasher even on CID locked device. It will give you error message about Device ID or something, but your device will be back to normal and boot normally.

i need K-Jam sd.img

I didn't back up my K-Jam and it doesn't boot, white screen
Cmd>r2sd all
***** user area size = 0x3D680000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
You didn't get the proper security level to download a specific image
Cmd>
IPL 2.16
SPL 2.16
Where can I download sd.img to restore my K-Jam?
Please help me, thanks for everything.
