Since most of the retail HTC devices are bootloader locked, how do the flashing tools bypass this? In my experience if you go into bootloader flashing mode on a Himalaya or Blue Angel, if you try and use the mtty utility to flash a bin image using "l image.bin" you get an error of:
"Not allow operation" which means that the bootloader is locked to prevent flashing. Obviously the tools posted here don't hit this obstacle so I'm curious how that works. Also if you use the tools posted here to flash a different ROM, do any of these upgrades end up rewriting the bootloader as well to end up giving you an unlocked bootloader that would accept the load (l) commands to flash images?
I thought these devices required a special SDIO card only HTC has to unlock the bootloader.
Thanks for the info.
Bootloader
You can unlock some settings by using the PASSWORD BOOTLOADER command
worked for my HTC audiovox vx6600 Harrier (Verizon CDMA), but to load the .bin file with l it didn't seem to work, I got not allowed. A way around that was to interrupt the process when doing a real upgrade and it should put u in a DBG> mode, then u can do l file.bin (once u connect using mtty). I've been wondering how do u send a .bin file using mtty, I didn't see any options besides downloading from it, but not uploading to it... can u help me with that step? Where do I put the .bin file? Or will it open a "file open" window when I type that command?
That's interesting! What does the PASSWORD BOOTLOADER do and where do you enter that command?
Can you detail more about what upgrade you interrupted and how you interrupted it? Where do you see the debug mode? I would have thought that interrupting the ROM flash would not affect the ability to access the load (l) command.
OK, to use a bin file you need to do this. Simply put the bin file in the same PC directory as the mtty utility (ie mtty16.exe) and then once you bring up the app in USB flashing mode you press Enter to get the prompt and then just type: l flash.bin
Basically whatever the local file name is type that name. If you want to place the image somewhere else then it would be something like:
l c:\flash.bin
Just keep the filename short to make it foolproof to type.
Let me know if you get this to work. I'm curious if once this is done and you again boot up into USB flash mode and use mtty and then use the load command, do you now get it to work or do you again see the Not allow operation error.
What I am hoping is if doing a process of getting a new image on a Blue Angel (Harrier in your case) gets the bootloader in a state where it could be backed up and then restored onto a different device allowing its bootloader to be flash unlocked.
Have you seen any tools posted here to back up and restore the BlueAngel bootloader?
This is fun stuff!
Hey, thanks, awesome, have u tried the command "d2s" (disk to storage) and "s2d" (storage to disk)? Those commands were not enabled until I typed PASSWORD BOOTLOADER and it gave me a success notice... I'll post the info I have for them.
usage_cmd_d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
usage_cmd_s2d
Usage:
s2d
Restore memory from storage.
I currently have the 1.02 bootloader so it might be different for u.. also
h = help
and supposedly once u unblocked the bootloader u can do h full which should give u even more options, but that didn't work, which is weird. I think they took the h command out, even though they left all the info in the loader, cause u can always do a hexdump on any bootloader and u can figure the commands and their usage..
also here's how to unlock it.. this worked after I typed the password as well.. the only thing that didn't work was l I think (or at least that I've tried)
usage_cmd_task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot.
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Oh here's a little howto:
example how to flash the extended rom and radio Simultaneously
first copy the first 3 M of the radio to sd:
d2s 60000000 00300000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
****************
Store image to SD/MMC card successful.
and now append the extended rom to the sd card:
d2s 70080000 01000000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
****************************************************************
Store image to SD/MMC card successful.
then when you insert the sdcard, and then boot into bootloader mode, the following happens: on the display, you see a message 'sections=2', and 'press power to flash'. after pressing the power button, you see the following output on the serial port:
Flash ROM mapping total size = 2000000
Flash ID = 89,8802
Trumbull INTEL StrataFlash 128 Mbit MEMORY (K3/k18) found
dwROMTotalSize = 2000000
wTotalChip = 2
HTC Integrated Re-Flash Utility for bootloader Version:1.29 HIMALAYAS PVT version:1.02
MainBoardID = 4
Built at: Sep 24 2003 18:17:06
Copyright (c) 1998-2002 High Tech Computer Corporation
Turbo Mode Frequency = 398 MHz
Run Mode Frequency = 199 MHz
Memory Frequency = 100 MHz
SDRAM Frequency = 100 MHz
Main=0x90035EE4
LCD Power ON!
ATI Chip Id=0x56441002
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D30000ze=0
Radio flash Updating...
************
SD/MMC download to ROM is successful!
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
DOC flash Updating...
****************************************************************
SD/MMC download to ROM is successful!
now both the radio and extended rom are upgraded!
That's great info. You posted the syntax for the Task command but didn't say how you used it.
after the USB> prompt what did you type?
I'm assuming you use mtty and then do:
USB> PASSWORD BOOTLOADER
and then perhaps:
USB> task xx
but I don't know what values you used
and then:
USB> d2s step #1
USB> d2s step #2
so once you did that what ROM did you decide to load? I assume you went for some sort of CDMA flavor? What did you end up gaining from the upgrade since you were probably already on Windows Mobile 2003 SE
Thanks!
looks like PASSWORD BOOTLOADER does not work. I got:
USB>PASSWORD BOOTLOADER
Invalid command : PASSWORD
For a help screen, use command ? or h
is that how it works?
How did you do the method from your original post where you somehow interrupted a flash and then were able to use the l command?
Thanks.
No it should have said something similar to this:
USB>l
Not allow operation!
USB>help
Invalid command : help
For a help screen, use command ? or h
USB>password boot
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password bootloader
HTCSInvalid password.R¿ËPHTCEUSB>
USB>password BOOTLOADER
HTCSPass.<YHTCEUSB>BOOTLOADER
I did a couple typos so u can see what I get when it doesn't like the password.
I haven't decided on what to load. I was trying to load the latest bootloader, which is for the himalaya, and I did what u said, l c:\wall515.bin, and it said something like :F=c:\wall515.bin and then preparing to send, and nothing happened after that. The terminal locked; I did a couple ctrl + (a key) to try and get out, and it seems that I got out with ctrl + a (perhaps abort)?
I did realize though that I was in the CDMA DBG> section, not just the DBG> like before this might be because I interrupted a radio upgrade, and not a regular WCE upgrade / etc so I'm going to try and do it again, this is my main phone so I have to keep it working so I immediately just undid everything.
and as for the syntax for d2s:
d2s hex_start_location amount_to_copy
so for example say my RADIO starts at address 60000000 and I want to copy 5MB then the proper command would be
d2s 60000000 00500000
you should get something like
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SDetected one card
SD:ready for transfer OK
Total card size=1D50000ze=0
****************
Store image to SD/MMC card successful.
but u will have to be identified in order for any of the commands to work, what version do u have (what phone, model, etc.. ) GSM or CDMA? etc
I also have a program that can be used to dump the ROM from the command prompt.. u might have heard of it already, dumprom.exe and memdump.exe, and a new one called mtrw which seems promising but it doesn't seem to allow u to enter a password. I think it's programmed to do that automagically. I'm going to try and get the source code, and fix it so it does.. also get a closer look on what it's actually doing
p.s the syntax of the others are basically the same
for task u would do something like
task 7 0
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
also check out this site:
http://wiki.xda-developers.com/wiki/HimalayaBootloader
alrighty heading to bed
tty tomorrow
That password technique worked but didn't really have an effect. I was already able to do the d2s command.
I sure would like to get the (l) command working and get past the Not allow operation! error.
Did you say you had been trying a Himalaya bootloader on your Harrier?
I have never seen that DBG> mode you were referring to. how do you get into that mode?
Thanks for the great info.
I did it just by chance. Right as you start loading ur shipped rom using the himauptdate or what ever program u use.. it will first erase the rom/ram. What I did (risking my BA, but luckily it's still dummy proof at that point) was unplug the phone from the cradle right as it hit the 100% (erased completed), then I plugged it right back in, and I got the DBG> instead of the usual USB>. I decided to see what would be different and l was available. I didn't know how to use it at the time (now I know thanks to you). If u have a copy of the dumped bootloader u can use a hexeditor. I use xvi32, which can be found in the xda-dev's FTP. If u look around, u can see some readable data. I've looked at it thoroughly and that's how I figured the password.. here's the part that shows the different modes, so u can see there is DBG> mode
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002a00 4873 0390 0000 0000 0000 0000 0000 0000 Hs..............
00002a10 0000 0000 0100 0000 6c77 0000 7072 6f75 ........lw..prou
00002a20 7465 7200 6368 6563 6b73 756d 0000 0000 ter.checksum....
00002a30 7764 6174 6100 0000 6572 6173 6500 0000 wdata...erase...
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002a90 0a0a 2a2a 2a20 5365 7269 616c 2070 6f72 ..*** Serial por
00002aa0 7420 7761 7320 7265 2d69 6e69 7469 616c t was re-initial
00002ab0 697a 6564 2064 7565 2074 6f20 756e 6578 ized due to unex
00002ac0 7065 6374 6564 2070 726f 626c 656d 202a pected problem *
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
00002af0 3f00 0000 0d00 0000 0820 0800 546f 6f20 ?........ ..Too
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002b00 6d61 6e79 2061 7267 756d 656e 7473 0a00 many arguments..
00002b10 466f 7220 6120 6865 6c70 2073 6372 6565 For a help scree
00002b20 6e2c 2075 7365 2063 6f6d 6d61 6e64 203f n, use command ?
00002b30 206f 7220 680a 0000 4d61 7820 4379 6c69 or h...Max Cyli
00002b40 6e64 6572 203a 2025 752c 204d 6178 2048 nder : %u, Max H
00002b50 6561 6420 3a20 2575 2c20 4d61 7820 5365 ead : %u, Max Se
00002b60 6374 6f72 203a 2025 752c 2054 6f74 616c ctor : %u, Total
00002b70 2073 7061 6365 203a 2025 7520 4b42 0a0d space : %u KB..
00002b80 0000 0000 4669 7277 6172 6520 7265 7669 ....Firware revi
00002b90 7369 6f6e 203a 2025 730a 0000 4d6f 6465 sion : %s...Mode
00002ba0 6c20 6e75 6d62 6572 203a 2025 730a 0000 l number : %s...
00002bb0 2573 0a00 4346 5265 6164 5365 6374 6f72 %s..CFReadSector
00002bc0 572d 3a20 7743 796c 696e 6465 723d 2578 W-: wCylinder=%x
00002bd0 2c63 6248 6561 643d 2578 2c63 6253 6563 ,cbHead=%x,cbSec
00002be0 746f 723d 2578 2c62 5374 6174 7573 3d25 tor=%x,bStatus=%
00002bf0 780d 0a00 4346 5772 6974 6553 6563 746f x...CFWriteSecto
I'm about to try and see if I can get in the DBG> mode, hopefully it wasn't just a lucky shot and it's easy to duplicate again..
anyways i'll keep u posted
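Added example, not part of the thread: a short Python script that rebuilds the raw bytes from the dump rows quoted in the post above and lists every NUL-terminated string with its offset, which is how a firmware reviewer confirms that command names and prompts sit in the image in plain text even when the help command is disabled. The function names and the command/prompt/message classification are assumptions of this example.

```python
import re

# Rows 0x2a10-0x2ae0 copied from the dump quoted in the post above.
DUMP = """\
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 2 4 6 8 A C E
-------- ---- ---- ---- ---- ---- ---- ---- ---- ----------------
00002a10 0000 0000 0100 0000 6c77 0000 7072 6f75 ........lw..prou
00002a20 7465 7200 6368 6563 6b73 756d 0000 0000 ter.checksum....
00002a30 7764 6174 6100 0000 6572 6173 6500 0000 wdata...erase...
00002a40 7262 6d63 0000 0000 7461 736b 0000 0000 rbmc....task....
00002a50 7365 7400 7368 6d73 6700 0000 6432 7300 set.shmsg...d2s.
00002a60 6c6e 6200 6c00 0000 7061 7373 776f 7264 lnb.l...password
00002a70 0000 0000 696e 666f 0000 0000 7374 7269 ....info....stri
00002a80 6e67 0000 6d77 0000 6d68 0000 6d62 0000 ng..mw..mh..mb..
00002a90 0a0a 2a2a 2a20 5365 7269 616c 2070 6f72 ..*** Serial por
00002aa0 7420 7761 7320 7265 2d69 6e69 7469 616c t was re-initial
00002ab0 697a 6564 2064 7565 2074 6f20 756e 6578 ized due to unex
00002ac0 7065 6374 6564 2070 726f 626c 656d 202a pected problem *
00002ad0 2a2a 0a0a 0000 0000 4442 473e 0000 0000 **......DBG>....
00002ae0 5553 423e 0000 0000 5345 523e 0000 0000 USB>....SER>....
"""

# One row: 8-digit offset followed by exactly eight 4-digit hex groups.
# The trailing ASCII column is ignored; the bytes come from the hex only.
ROW = re.compile(r"^([0-9a-f]{8})((?: [0-9a-f]{4}){8})")


def dump_to_bytes(text):
    """Rebuild (base_offset, bytes) from the rows, rejecting gaps."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # column header, ruler or blank line
        offset = int(m.group(1), 16)
        if base is None:
            base = offset
        if offset != base + len(buf):
            raise ValueError(f"gap or repeat in dump at {offset:#x}")
        buf += bytes.fromhex(m.group(2))  # fromhex skips the spaces
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(buf)


def nul_strings(base, data):
    """Yield (offset, text) for each NUL-terminated printable ASCII run."""
    start = 0
    for pos, byte in enumerate(data):
        if byte != 0:
            continue
        chunk = data[start:pos]
        if chunk and all(0x20 <= b < 0x7F or b in (0x0A, 0x0D) for b in chunk):
            yield base + start, chunk.decode("ascii")
        start = pos + 1


def classify(text):
    """Heuristic of this example: 'XXX>' is a prompt, a lowercase token a command."""
    word = text.strip()
    if re.fullmatch(r"[A-Z ]*[A-Z]>", word):
        return "prompt"
    if re.fullmatch(r"[a-z0-9]+", word):
        return "command"
    return "message"


def audit(text):
    """Group the embedded strings of a dump by kind, keeping their offsets."""
    base, data = dump_to_bytes(text)
    table = {"command": [], "prompt": [], "message": []}
    for offset, s in nul_strings(base, data):
        table[classify(s)].append((offset, s))
    return table


if __name__ == "__main__":
    for kind, items in audit(DUMP).items():
        for offset, s in items:
            print(f"{kind:8} {offset:#010x} {s.strip()!r}")
```

The same functions work on a longer dump pasted in the same row format; a missing or repeated row raises an error instead of silently shifting the offsets.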
grabbing that bootloader
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier. Ideally if somebody came up with an unlocked bootloader then that tool could maybe be used to dump that unlocked bootloader and then push it to another device.
It sounds like your interrupt technique might be safest to try with an upgrade that only is doing the ROM and nothing else. If there is one thing I've seen hose HTC devices up badly it is a messed up radio flash.
Have you been interrupting an upgrade using BaUpgradeUt.exe or doing a boot and restoring from SD card?
Re: grabbing that bootloader
obelix said:
I saw you said that you dumped the bootloader. I have not seen a tool that does that for a BlueAngel & Harrier.
what? Any tool that dumps ROM can dump a bootloader. Or even more. You can extract bootloader from any ROM update.
I don't doubt it but without knowing how large and the location of a Blue Angel bootloader I wouldn't know where to begin. I wouldn't necessarily want a bootloader from a ROM update as it would be more useful to extract a bootloader from a bootloader unlocked device and then use that to unlock another. HTC has most of its retail Blue Angel & Hima devices bootloader locked so that if you prefer to go through the mtty utility and do a "l blueangel.bin" technique to flash the OS that's going to fail. So that leaves converting a .bin to a .nbf file or replacing the locked bootloader with one that's unlocked.
Are there places in the wiki that detail the positions of the bootloader within Blue Angel memory?
zxvf, did you say you were using the himaupdate program to do the flash? I thought that BaUpgradeUt.exe needed to be used. BaUpgradeUt.exe does not give any messages that say it is erasing ROM. Also since the BaUpgradeUt.exe depends on an ActiveSync connection, how can you start the upgrade and then disconnect at the right moment and then plug in the cable and get to mtty? I only know about getting to the command line interface via the mtty app.
Curious to hear more!
Seems that the guy above is having a leaked version of Magneto for BlueAngel and he is not willing to share it.
There is no .bin file out there from HTC. Only Microsoft released the Magneto update as a .bin file.
So before helping him he should clarify why he wants all the info from here and is not sharing his Magneto image.
John
nope no Magneto stuff. I am strictly trying to work out the innards of the mtty program and how to get past the locked bootloader. I could have been doing this on my Wallaby and Himalaya as well but am playing with the BA for now. From what I hear you'll never see Magneto on a Blue Angel, it's already end of life. If it ever shows up it will simply be some mobile operator's experiment. I don't trust those folks to release any upgrades, they only want to sell new devices.
Bootloader dumping and flashing
I seriously advise you not to try that...
I tried that on 2 different Blue Angels and they got trashed.
Back to scrap.
Although you can get the exact blocks to extract and the exact memory intervals they are allocated in, you have no way to determine if they are the same on the "destination" BA. Therefore, you take an enormous risk on doing this.
I tried to do that because on Portugal Operators sim-locked BA the lock information is actually on the bootloader.
Till now... No luck.
I even considered paying the £20 IMEI-CHECK ask for but I think that it is not as thrilling as trying to do it by yourself, with your own work and burnt lashes. Apart from that, £20 are always £20 :wink:
By the way, any development on the BA sim-unlocking ?
Cheers
sorry for not responding any sooner but I hadn't been able to get online. Anyways, there are MANY tools as mamiach (pardon if I typed it incorrectly) that you can use to extract the bootloader, and I'm actually quite confused on what program I've used. I thought they were just different versions, and a little bit different, never actually knew one was for upgrades and the other one was for full installs.. what I think I did was while it was trying to write to the bootloader I must have interrupted it and it might have immediately put itself in full access / dbg mode (this is just IMHO) in order to save itself.. because I do recall it even said it on the screen. I've tried and tried, and I'm kinda close to giving up, it's been twice that I almost didn't have a phone :/ If you need any programs u are sure to find them on the xda-dev FTP, and/or my website http://www.hexcode.net/xda-dev it's a mirror of XDA-DEV that the Admin's been using to restore the site.. I'm currently in the process of installing Windows Mobile 2005, but not having much luck, I'm going to keep on trying. Oh yea, when I unplugged it, I right away plugged it into the cradle again, and made activesync disabled, and started mtty and that's how I got the DBG> mode. Other than that I'm not sure what to say. There are also programs that are supposed to help u with installing new bootloaders like pnewbootloader.exe but they seem to be for the XDA2 so I'm not sure if they work. Also if this might be of any help another password I've found that they are using is AYaLaMiH (himalaya spelled backwards) hope that helps.. ciao
HOW TO ENTER CDMA DBG> mode (BOOTLOADER Full admin mode)
EUREKA I'VE GOT IT...
I should be making a wiki page instead of posting here but these are the steps that are needed to enter CDMA DBG> mode which allows the use of extended commands like l, rbmc, s2d, d2s etc.. full access it seems..
here's the commands I used.
hope they work, I was wrong about the password being BOOTLOADER, in fact that's a password that most sellers have to do a few fixes, but not give them full control to screw up our devices..
I don't really know much about the commands except the info that they return, so just bear with me and follow along if u really wanna get to this. As of getting to the CDMA DBG> isn't dangerous, u are not writing anything (YET) in order to get there, just modifying some switches etc.
ok so first the password: 40r0~0y~~5~0000
so type
USB>password |40r0~0y~~5~0000
u should get "HTCSPass1.CMˆËHTCEUSB>"
[DONT PRESS ENTER/RETURN JUST CONTINUE TO TYPE]
HTCSPass1.CMˆËHTCEUSB>set 1 0
This makes it so the Operation mode currently is set to "User" (maybe allows user interaction, not sure)
type set 5 7777 (not really sure if this is needed, all it does is set the background color value to 7777)
now the last command rtask a
here's what mine looks like
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
ÿ
HTC Integrated Re-Flash Utility for Harrier
This version is used for developig CDMA system
Copyright (c) 2003 High Tech Computer Corporatio
CDMA DBG>h
now if I type
l (DONT DO THIS UNLESS UR READY LOOK AT THE SYNTAX FIRST) I was stupid enough to just try it I got this
CDMA DBG>l
start cdma download
instead of the "not allowed or what ever that error was.."
now I hope this doesn't do something bad to my device, but I can't seem to get out.. *GULP*
Anyways that's all the info I have, hope it helps in any way. Cheers.
P.S you can look at the syntax of 'l' if u search in the wiki pages.. information brought to us by itsme here is a direct link to his page. I'll also paste the 'l''s section here..
http://www.xs4all.nl/~itsme/projects/xda/bl-ii-usage.html
syntax for 'l':
usage_cmd_l = sub_9004C74C(1)
sub_9004C74C
Usage:
l [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
The code is auto-launched once downloaded.
Auto-launched is disabled after downloading.
Nice job zxvf! That's some good digging. I didn't follow this section before getting to the Debug mode:
USB>shmsg 5 0 " Upgrade "
USB>shmsg 7 0 " Radio Stack "
USB>shmsg 9 0 "Please Wait..."
USB>rtask a
Radio image flash by external bootloader.
What is shmsg and rtask doing? Do the shmsg commands actually do some upgrades and if so from what image? I have never seen them and wonder what those steps do.
Please, if someone has MDA PRO with original ROM can use this indications to completely backup it (and upload it to
ftp://ftp.xda-developers.com/Uploads/Universal/
please!!!)
What you need:
MDA Pro ;-)
USB cable
PC
1 sd card or mmc card (at least 128MB)
MTTY.EXE (you can find it on the internet, but it must be the version that can use a USB connection and not only a COM connection)
NTRW.EXE (you can find it on the internet. This file must be copied on your PC to C:\, not to other folders)
If you have ActiveSync installed on your PC on ActiveSync connection settings uncheck USB connection
Before connecting your MDA you should bring it into the boot loader mode. This can be done by simultaneously pressing power + camera buttons and at the same time the soft reset button with the stylus.
The password to enter bootloader is UNIVERSAL
insert a BLANK sd-card
Link the usb cable
Run MTTY.EXE and select USB connection
After that a terminal window will popup in that window.
Type (if you want to backup operating system):
d2s 70100000 04000000
or type (if you want to backup extended rom):
d2s 74100000 00a00000
and press enter. Your MDA will start copying the ROM to the sd card. The screen of your MDA will be dark (no light), but you will see it counting up to 100%. When it reaches 100% it will say it is calculating the checksum. Give it some time till its done and it will say checksum ok.
Please note that there are other commands to type depending on what you want to obtain. They are:
d2s 60000000 00800000 8M radio rom
d2s 70000000 00100000 1M SPL
d2s 70100000 04000000 64.00 M OS TrueFFS
d2s 74100000 00a00000 10.00 M extrom DSK2ART00 fatfsd
d2s 74b00000 02c40000 44.25 M root filesystem TRUEFFS
After finishing the transfer of the German ROM from your MDA to the SD card, put your SD card into an SD card reader connected to your pc. Your pc might pop up a warning message that says your SD Card is not formatted would you like to format? Click No and open a Command prompt (DOS) window.
Change directory to your root directory (cd c:\) and run the command ntrw read German.nb1 x: where x is the drive letter of your sd card. That command will create the ROM Backup file of your German ROM into your C drive root directory by the name of German.nb1. Make sure you keep German.nb1 in a safe place and use a copy of that file for the rest of the procedure. Note that after finishing the copy from your SD card to German.nb1 file ntrw might give you an error, just don’t pay attention to it.
Luca
(excuse me for my bad english!)
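Added example, not part of the thread: a Python check of the d2s address table in the post above (each size label against its hex length, plus overlaps and gaps between regions), together with the default Len formula from the d2s usage text quoted earlier in the thread. Function names are this example's own, and pairing the usage text's default StartAddr 0xA0040000 with the "Flash ROM mapping total size = 2000000" log line is an illustrative assumption.

```python
import re
from collections import namedtuple

Region = namedtuple("Region", "start length mib name")

# The five d2s lines from the post above, copied verbatim.
MDA_PRO_MAP = """\
d2s 60000000 00800000 8M radio rom
d2s 70000000 00100000 1M SPL
d2s 70100000 04000000 64.00 M OS TrueFFS
d2s 74100000 00a00000 10.00 M extrom DSK2ART00 fatfsd
d2s 74b00000 02c40000 44.25 M root filesystem TRUEFFS
"""

LINE = re.compile(
    r"^d2s\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+([\d.]+)\s*M\s+(.+)$")


def parse_map(text):
    """Parse 'd2s START LEN <size>M <name>' lines into sorted Regions."""
    regions = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            regions.append(
                Region(int(m[1], 16), int(m[2], 16), float(m[3]), m[4]))
    return sorted(regions)


def check_map(regions):
    """Return (overlaps, gaps, bad_labels) for a sorted region list."""
    overlaps, gaps = [], []
    # A label is wrong if <size> MiB does not equal the hex length.
    bad_labels = [r.name for r in regions if r.mib * 2**20 != r.length]
    for a, b in zip(regions, regions[1:]):
        end = a.start + a.length
        if end > b.start:
            overlaps.append((a.name, b.name))
        elif end < b.start:
            gaps.append((end, b.start))
    return overlaps, gaps, bad_labels


def default_len(start, total_rom, rom_base=0):
    """Len used when d2s gets only StartAddr, per the quoted usage text:
    total ROM size - ((StartAddr & 0x0FFFFFFF) - (ROM base & 0x0FFFFFFF))."""
    length = total_rom - ((start & 0x0FFFFFFF) - (rom_base & 0x0FFFFFFF))
    if length <= 0:
        raise ValueError("start address lies beyond the end of ROM")
    return length


def classify_backup(regions, start, length):
    """Say whether a planned d2s range matches one region exactly."""
    end = start + length
    hits = [r for r in regions if start < r.start + r.length and r.start < end]
    if not hits:
        return "unmapped"
    if len(hits) > 1:
        return "spans " + ", ".join(r.name for r in hits)
    r = hits[0]
    if (start, length) == (r.start, r.length):
        return "exact " + r.name
    return "partial " + r.name


if __name__ == "__main__":
    regions = parse_map(MDA_PRO_MAP)
    overlaps, gaps, bad = check_map(regions)
    print("overlaps:", overlaps)
    print("gaps:", [(hex(a), hex(b)) for a, b in gaps])
    print("bad size labels:", bad)
    print(classify_backup(regions, 0x70100000, 0x04000000))
    print(hex(default_len(0xA0040000, 0x2000000)))
```

The one gap reported lies between the end of the radio ROM at 0x60800000 and the SPL at 0x70000000; the four regions from 0x70000000 up to 0x77740000 are contiguous.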
Error message
I have an MDA PRO on Netherlands original ROM. I am not able to use MTTY.exe to back up my ROM. I follow your procedure with the following exceptions:
1. "Before connecting your MDA you should bring it into the boot loader mode. This can be done by simultaneously pressing power + camera buttons and at the same time the soft reset button with the stylus."
NOTE: Bootloader mode is the dark screen that says "Serial" (unplugged) or "USB" (plugged). I can only access this by using POWER + LIGHT + SOFT RESET.
2. "Run MTTY.EXE and select USB connection. After that a terminal window will popup in that window."
NOTE: Is it necessary after this step to run the command "password UNIVERSAL"?
3. "Type d2s 70100000 04000000"
NOTE: I, as with others, receive the following error:
USB>d2s
Not allow operation!
USB>d2s 70100000 04000000
Not allow operation!
This final error is where I am stuck. Thanks in advance to anyone who can advise!
I have exactly the same issue as nedbsd.........
Using original Dutch T-Mobile rom:
version: 1.12.42
date: 08/23/05
radio: 1.00.02
protocol: 42.33.P8
ext. rom: 1.12.125 WWE
Hmm... this isn't working for me either. It looks like the MDA Pro is taking the password but not staying in the right mode.
The transcript from MTTY looks like this:
USB>password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
Which is a bit of a mess. It does seem that this is the right password, however, as if I type in a different password I get an error message:
USB>password BADPASS
HTCSInvalid password.R¿ËPHTCEUSB>
This is from a standard English MDA PRO. Any ideas?
MDA Pro Rom backup
So, no fresh ideas :?:
same problems as above:
first stage - password UNIVERSAL
HTCSPass.<YHTCEUSB>
looks like OK
then 2ds
Invalid command : 2ds
or by Topogigi advice
h full
Invalid command : h
MDA Pro Rom backup
really Invalid command-
password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
etc.
This sounds very strange to me. From the beginning of the pocketpc era the bootloader was provided with a comprehensive help feature that you could recall with the command "h full"....
Topogigi said:
This sounds very strange to me. From the beginning of the pocketpc era the bootloader was provided with a comprehensive help feature that you could recall with the command "h full"....
Well, you are not the only one that finds it strange, there is about a dozen threads already about people trying to figure out how to make a rom-image from the universal. No success so far!
The commands published here on the wiki page just don't work.....
Yup, I've already read all the threads forum-wide concerning the efforts people made to get a rom dump, but no one suggested to try with "h". So, I was curious to see what would happen, that's all! :wink:
BTW, you can notice yourself that there is something very strange in the result you reported in the other thread:
password UNIVERSAL
HTCSPass.< YHTCEUSB>h full
Invalid command : h
For a help screen, use command ? or h
USB>
:shock:
That drives me to think that our problems are password related. Perhaps "UNIVERSAL" is a valid password, but with all the commands disabled... :?:
Any success ?
password UNIVERSAL
HTCSPass.<YHTCEUSB>d2s 70100000 04000000
Not allow operation!
USB>
ROM-Verion: 1.13.156 GER
ROM-Date: 09/28/05
Radio-Version: 1.04.10
ExtROM-Version: 1.13.163
Provider: Vodafone
Any update or solution on the backup?
unfortunately not yet ...
@ciapal
what is your bootloader version please???
THANX
buzz
Mine is 0.60 :roll:
.60 here too
hmm, i have 1.00 and i always get "Not allow operation!"
buzz
ah..Anyone has find out how to get the rom....i want to know
kizo said:
I managed to restore my mda back. But now I am getting the simlock contact service provider error. I reverted back to the tmobile rom I got off the ftp server on xda-development ftp site.
I reran the lokwiz 2b and this is where it's getting stuck now, I have been on this stage for 3hrs
machinagod's HTC Wizard/Prophet/Charmer MSL Revealer v0.3
NOW WITHOUT CID Unlocking POWER!
ECHO is off.
Supports SPL 2.x!!
--------------------
WARNING: This tool is highly experimental!
I will NOT be held responsible for any problems caused by this tool.
--------------------
Thanks to xda-developers, spv-developers, and especially itsme by the work they
released. This solution would not be possible without them.
--------------------
Unlocking RAPI Please wait...
MachinaGod RapiUnlocker v1.0
Initializing.......................Done!
RAPI Unlocked.
Starting MSL work... DO NOT DISCONNECT UNTIL THIS SCRIPT ENDS
ECHO is off.
CopyTFFSToFile(0x0, 0x10000, lock_backup.bin)
any ideas.
activesync is now connecting but am having trouble with getting my setting synched, I think this could all be related. because I can explore to phone using windows explorer, however i can't explorer to the device's windows folder.
Guys I managed to get past this and got a unlock code, by using a different computer, I don't know why I was not able to using mine. I did disable, firewalls, anti virus etc.
However, when I put in a foreign sim, I'm not getting that prompt to enter a unlock code. I still get the white screen with the data crashes. I did do a hard reset, but still. I'm now using the stock tmobile rom 1.08 I still get that msg with my tmobile sim. Any help to fix this will be welcome. Thanx.
Kizo
1 - Unzip lokiwiz.zip to somewhere in your computer
2 - Copy EnableRapi.cab to your Wizard
3 - Execute the EnableRapi.cab in your phone. Wait for it to finish
4 - Guarantee that your phone is connected via activesync with the computer
5 - Execute lokiwiz.bat (on your computer! My inbox is filled with this kind of error) and follow the instructions on your screen...
I'm newbie about PPC so please everybody helps me!
I bought Cingular 8125 from US then brought to Viet Nam. I want to follow your instructions above to unlock but I can not run the EnableRapi.cab file from device because I turned on the phone just see:
IPL 1.08
SPL 1.08
GSM 01.09.11
OS 1.8.11.1
Then received "Network is locked. Please input unlock code" so I can not access the phone.
Could you please advise me how to unlock in this case.
Many thanks!
Qred
I have run the file EnableRapi.cab already then tried lokiwiz02 is received:
--------------------
Thanks to xda-developers, spv-developers, and especially itsme by the work they
released. This solution would not be possible without them.
--------------------
U. Unlock
L. Lock
C. CID Unlock (SuperCID)
Q. Quit
--------------------
Type the letter and press Enter: U
Unlocking mobile... DO NOT DISCONNECT UNTIL THE PHONE REBOOTS!
The system cannot find the path specified.
The system cannot find the path specified.
The system cannot find the path specified.
The system cannot find the path specified.
Your phone is now unlocked....
Store the generated 'lock_backup.bin' file in a safe place. It can help to resto
re your device if anything goes wrong.
ECHO is off.
"Standing on the shoulder of giants"
Ricardo Afonso, 2005
And here is tried lokiwiz03a:
C:\lokiwiz03a\Lokiwiz03\LokiwizMsl.bat
machinagod's HTC Wizard/Prophet/Charmer MSL Revealer v0.3
NOW WITHOUT CID Unlocking POWER!
ECHO is off.
Supports SPL 2.x!!
--------------------
WARNING: This tool is highly experimental!
I will NOT be held responsible for any problems caused by this tool.
--------------------
Thanks to xda-developers, spv-developers, and especially itsme by the work they
released. This solution would not be possible without them.
--------------------
Unlocking RAPI Please wait...
MachinaGod RapiUnlocker v1.0
InitializingThe system cannot find the path specified.
.The system cannot find the path specified.
.The system cannot find the path specified.
...........The system cannot find the path specified.
..........Done!
RAPI Unlocked.
Starting MSL work... DO NOT DISCONNECT UNTIL THIS SCRIPT ENDS
ECHO is off.
The system cannot find the path specified.
ECHO is off.
ECHO is off.
SIMLock Code is your code... Type it with another SIM in...
--------------------
The system cannot find the path specified.
--------------------
"Standing on the shoulder of giants"
Ricardo Afonso, 2005
Press Any key to Exit.
I don't know the reason why... Could you please help me to unlock... I insert the SIM and see only the screen "Network is locked. Please input unlock code"
Many thanks,
Qred
Okie. I have just unlocked successfully. Thanks for the great tool!
But I still have a question: "Where can I download the newest ROM for Cingular 8125?"
How did you finally get it working? Steps? I'll be getting a locked phone very soon.
for latest OS
The above procedure is not working for the following OS version in Cingular 8125.
IPL 2.25.0001
SPL 2.25.0001
GSM 2.25.11
OS 2.25.11.1
Software for unlocking cingular 8125
Hi, I got the loki tool, but when I got to run it, it was giving me an error and then my phone would restart. Did it four times and finally gave up! Help
Oh yeah, does anyone know how to unlock a BlackBerry 8800 Cingular?
I SIM unlocked my G4 Wizard with lokiwiz03a before bricking it. Got it back from repair and tried another SIM, but it's locked.
Tried to lokiwiz03a it again. I get the same code back. I enter it but it doesn't work.
Any ideas?
LOG
This is the log output:
machinagod's HTC Wizard/Prophet/Charmer MSL Revealer v0.3
NOW WITHOUT CID Unlocking POWER!
ECHO is off.
Supports SPL 2.x!!
--------------------
WARNING: This tool is highly experimental!
I will NOT be held responsible for any problems caused by this tool.
--------------------
Thanks to xda-developers, spv-developers, and especially itsme by the work they
released. This solution would not be possible without them.
--------------------
Unlocking RAPI Please wait...
MachinaGod RapiUnlocker v1.0
Initializing.......................Done!
RAPI Unlocked.
Starting MSL work... DO NOT DISCONNECT UNTIL THIS SCRIPT ENDS
ECHO is off.
Copying C:\Documents and Settings\cwnl-sbadle\Desktop\lokiwiz03a\Lokiwiz03\Utils\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
ECHO is off.
ECHO is off.
SIMLock Code is your code... Type it with another SIM in...
--------------------
Lock Status: 0100000000000000
SIMLock Code: 12345678
This exe file was created with the evaluation version of Perl2Exe.
For more information visit http://www.indigostar.com
(The full version does not display this message with a 2 second delay.)
...
--------------------
"Standing on the shoulder of giants"
Ricardo Afonso, 2005
------------------------------------------------------
TIA
solution
*Copy the cab's from the Utils folder in the Lokiwiz03a.zip file to your Prophet and execute them.
(There are two files : "Cert_SPCS.cab" and "EnableRapi.cab")
Did the above and now it works!
Hi all,
Can anyone help with unlocking an i-mate K-JAM?
I have a phone which was reported as stolen and got IMEI locked. I want either to unlock this (as I understand it, this involves changing the IMEI, which has some legal problems in some countries) or simply unlock the SIM lock and move to another company.
I spent the last two days reading this forum but I can't find a basic explanation of what changing the ROM means, whether it can harm the phone, whether it is reversible, whether it means replacing the operating system, and where I can get the right ROM for my phone...
I tried this lokiwiz03a but it didn't work. After manually copying the two cabs to the phone, this is the output that I got:
C:\>LokiwizMsl.bat
machinagod's HTC Wizard/Prophet/Charmer MSL Revealer v0.3
NOW WITHOUT CID Unlocking POWER!
ECHO is off.
Supports SPL 2.x!!
--------------------
WARNING: This tool is highly experimental!
I will NOT be held responsible for any problems caused by this tool.
--------------------
Thanks to xda-developers, spv-developers, and especially itsme by the work they
released. This solution would not be possible without them.
--------------------
Unlocking RAPI Please wait...
MachinaGod RapiUnlocker v1.0
Initializing.......................Done!
RAPI Unlocked.
Starting MSL work... DO NOT DISCONNECT UNTIL THIS SCRIPT ENDS
ECHO is off.
CopyTFFSToFile(0x0, 0x10000, lock_backup.bin)
ECHO is off.
ECHO is off.
SIMLock Code is your code... Type it with another SIM in...
--------------------
Lock Status: 0000000000000000
SIMLock Code: Qאm▒ך»BΘGφ2RW\↑►
This exe file was created with the evaluation version of Perl2Exe.
For more information visit http://www.indigostar.com
(The full version does not display this message with a 2 second delay.)
...
--------------------
"Standing on the shoulder of giants"
Ricardo Afonso, 2005
Press Any key to Exit.
What is this strange simlock code?
Thanks,
Roy.