[release] JumpSPL v1.0, or how-to CID unlock ANY device! - Windows Mobile Software Development

JumpSPL is a WinCE application that allows placing a custom file in the device's RAM and executing the arbitrary code it contains by jumping to its physical memory address.
This method is typically used to load a patched bootloader in RAM and execute it, so with JumpSPL you can potentially bypass any bootloader protections put by the manufacturer on a Windows Mobile based device, but you have to patch the bootloader yourself.
I'll be updating comment #2 with links to patched SPLs and future projects using JumpSPL, if you use JumpSPL in your project please post a comment or PM me.
JumpSPL should work on any WinCE device (not necessarily manufactured by HTC), although I have only tested it on HTC devices.
For more details and usage instructions please see the included README file.
DONATIONS:
Your donations are a strong incentive to continue research on new devices, so if you find JumpSPL useful please consider making a PayPal donation. Any donation amount is greatly appreciated.

Patched SPLs
Notes on patching & testing custom SPLs:
Disassemble the SPL using radare (free) or IDA Pro (commercial).
You need to press the bootloader buttons after loading your custom SPL with JumpSPL, otherwise the device will reboot. You can also patch the SPL to enter bootloader mode automatically, so you don't have to press the buttons.
Some devices require that you unplug and re-plug the USB cable after the SPL has been loaded.
On some devices (TI OMAP) you'll see a white screen instead of the usual tri-color screen, don't worry about that, you're in bootloader mode.
Use patched SPLs with caution, try to flash splash screens to do the initial tests and avoid bricking your device.
To know the jump address you can use itsutils 'pmemdump -p' and try to find a copy of the SPL in memory. You can find the virtual address with dumpromx.exe.
Projects using JumpSPL:
HTC Kaiser SSPL v1 and HardSPL v1
Attached SPL patches:
Kaiser Jump address is 0x00000000
Artemis & Herald Jump address is 0x10000000

Dude. If you can get this to work on the T-Mobile Wing, you will be my own personal hero.

@Mi|enko: Patched SPL for T-Mobile Wing (Herald) attached to comment #2

So... is it possible this way to CID unlock a Prophet G4? Can you make a version for the Prophet?

@kalavera: I don't own a Prophet, but yes, it should be possible to CID unlock it using this tool. Olipro and the-equinoxe have patched the Wizard's G4 SPL, which should be very close to the Prophet's; they will be able to help you with the SPL patches.

Which patch is compatible with the Wizard?

Finally I could convert my Dopod C800 into a fully working Atlas. Long live POF!

Good work Pof!! This could have saved me a bit of time custom compiling my own HaRET for the Titan Hard-SPL. I'm sure it will speed up the unlocking of many future devices!

thanks again my friend!!
you did it again

Good job!
What is the address for the HTC Oxygen? Thanks

How about the ATOM PURE, can I use this safely for CID unlock, so that I can then use sharkindark's pagepool changer?

generalriden said:
How about the ATOM PURE, can I use this safely for CID unlock, so that I can then use sharkindark's pagepool changer?
Which parts can I modify with JumpSPL on the Herald?
The OS is OK, but how about the others?
SPL
IPL
EXTEND_ROM
SPLASH
Also, modifying the SPL and IPL seems quite dangerous... since I bricked a Herald before.

Geo2000 said:
What is the address for the HTC Oxygen? Thanks
It's an OMAP device, so I guess the address will be also 0x10000000.
generalriden said:
How about the ATOM PURE, can I use this safely for CID unlock, so that I can then use sharkindark's pagepool changer?
You need to patch a bootloader first, and find the jump address.
yangchao8115 said:
Which parts can I modify with JumpSPL on the Herald?
You can modify any ROM part once you can flash unsigned code, but as you say, be careful with the IPL & SPL. Also try not to break the OS part if you don't have a ROM matching your CID, otherwise you'll be stuck in the bootloader.

Sir, I don't know how to patch the bootloader and find the jump address... how?

pof said:
You can modify any ROM part once you can flash unsigned code, but as you say, be careful with the IPL & SPL. Also try not to break the OS part if you don't have a ROM matching your CID, otherwise you'll be stuck in the bootloader.
Yes, but there is no tool for the Herald to edit the splash and extended ROM...
And one of my friends bricked his device with a radio upgrade.

Nice job, pof.
fluxist

Hi Pof,
We have a Quanta manufactured device, a.k.a. Atom / Atom Pure / Atom Exec / Atom Life. CID can easily be bypassed on our devices by simply upgrading in bootloader mode OR doing SD card flashing. Our problem really pertains more to RAPI tools than to upgrading our device with any ROM.
We really don't know if CID is the cause for the RAPI tools not working. The only working tool is PDOCREAD, to read the device and see its memory layout.
Hope you could shed some light on how we can patch the bootloader to CID unlock. My knowledge of ARM assembly is very limited...
Thanks,
Jiggs

Okay, I am willing to pay CASH for this if it is what I think it is...
My XDA Terra (Herald) is bricked because I tried to flash it from Touch-It 1.1 to Touch-It 2.0. Now I need the RUU of the XDA Terra, which is branded by the provider O2. O2 however does not provide any ROM yet, so I am stuck in the United States with a bricked German phone and I can't even send it in.
Can this JumpSPL help me somehow??
Please, I will be eternally thankful!!!!

yangchao8115 said:
Yes, but there is no tool for the Herald to edit the splash and extended ROM...
Use the same tools as for the Artemis or Elf; the splash format is exactly the same, and the ExtROM format too, you can edit it with WinImage.
fluxist said:
On a (somewhat) related note, would the admins protest if I released a (multi-device) IMEI changing util?
I don't think they will protest as long as HTC (or any operator) doesn't protest. But make it clear to the end user to consult local laws before attempting to use your tool, and make sure to put a disclaimer to exempt you from any responsibility for illegal use of the tool.
jiggs said:
CID can easily be bypassed on our devices by simply upgrading in bootloader mode OR doing SD card flashing. Our problem really pertains more to RAPI tools than to upgrading our device with any ROM.
We really don't know if CID is the cause for the RAPI tools not working. The only working tool is PDOCREAD, to read the device and see its memory layout.
Hope you could shed some light on how we can patch the bootloader to CID unlock. My knowledge of ARM assembly is very limited...
Sorry, but my knowledge of Atom and Quanta devices is very limited too.
If you want some help, please send me a Quanta bootloader and tell me the exact message you get from the bootloader (not from the RUU) when you try to flash an Atom ROM not intended for your device (i.e. not matching your CID, or language...).
exxi said:
Can this JumpSPL help me somehow??
JumpSPL is a WinCE application; it won't help if you can't boot the OS.

Related

Hard-SPL 1.30 MFG - Oli

The new and improved Hard-SPL for our Trinities. Thanks to a little glitch in Hard-SPL's protecting itself against the new SPL from HTC, we have this new addition Olipro finished for us today. This is based on 1.05 MFG, so we now have lnb capability and the rtasks. In addition, of course, this SPL really should protect itself against being reflashed...
Donations to Olipro, I am only posting it...
EDIT: Should be working now!
Great as always!
Thanks to both Shadowmite and Olipro for offering us such a nice piece.
It saves a lot of us from a heart attack over flash problems...
great!! thanks to Olipro!
Great so quick
Thank you so much.
great works
thanks
Thanks for posting shadowmite... I couldn't sleep anyway so I might as well have sorted it myself, but never mind.
tomorrow I'll relocate it to the empirical thread
I flashed Hard-SPL 1.30 and I can't upgrade to the official WM6 ROM, I get
ERROR[294]:INVALID VENDER ID
Upgrade from P3600
Hi,
Can I upgrade my P3600, with the original WM5 GPS-activated Dutch version, to WM6 with this tool?
Or do I need to take other steps?
And what's the best official WM6 ROM to use for a European P3600?
Thx,
Kopernikus
xtraart said:
I flashed Hard-SPL 1.30 and I can't upgrade to the official WM6 ROM, I get
ERROR[294]:INVALID VENDER ID
Enter the bootloader, run mtty on your computer and do "task 32" - tell me what that returns.
Also, tell me what version displays on the device.
Thanks for the hard work.
Olipro said:
Enter the bootloader, run mtty on your computer and do "task 32" - tell me what that returns.
Also, tell me what version displays on the device.
I ran mtty with "task 32" and it returned
task 32
Command error !!!
Cmd>task 32
Level = FF
Cmd>
and the version displayed on my device is
TRIN100
IPL-1.00
TRIN100 MFG
SPL-1.30.Olipro
Does this mean we don't have to worry about the SPL getting overwritten? Can we just flash whatever ROM without any precautions?
I am stuck in bootloader SPL 1.30 Oli. I am trying to install my original ROM and it gives me a device ID error; a modified ROM gives the same problem, and when I remove the battery it's still the same problem. What can I do?
HeartMan said:
I am stuck in bootloader SPL 1.30 Oli. I am trying to install my original ROM and it gives me a device ID error; a modified ROM gives the same problem, and when I remove the battery it's still the same problem. What can I do?
I had this problem and spent almost an hour trying. You will need to find an OS-only ROM (e.g. http://forum.xda-developers.com/showthread.php?t=312499) and it will flash successfully. Then boot the PDA OS up and flash any suitable ROM.
I've removed the link for now; this is a bug in his patch and he's looking at it now. In the meantime you need to flash via SSPL or reflash the older Hard-SPL...
New Hard-SPL from Oli
Hello
Could you give us any news about new Hard-SPL?
When can we expect it?
Robidog
banzro said:
Hello
When can we expect it?
Robidog
My guess is... when it's ready.
I'm still waiting.
thanks to Olipro
I am waiting...

Is Cingular 8525 == Hermes?

Hi,
I'm looking into buying a Cingular 8525 and unlocking it. I don't see the Cingular 8525 written in the description for this forum, so I'm not sure if it's the right place to ask questions.
Here are my questions:
1. If I unlock the phone and then download and install the official AT&T WM6 upgrade, will it relock the phone?
2. Is it OK to use an HTC WWE ROM on my phone, or might it not work because of the original branding?
Yes the Cingular/AT&T 8525 is the Hermes.
As for unlocking... good luck. I just got mine 3 weeks ago and discovered that it had already been upgraded to a bootloader that cannot be unlocked at this time.
I don't think upgrading the ROM to WM6 will relock the phone.
Not sure on the second part about the WWE ROM.
Yes it is. I have one.
1. No, it won't relock the phone. But read Mr. Vanx's guide and the wiki before you unlock and upgrade. It is also advised that you install HardSPL 2.10 or above.
2. An HTC WWE ROM will work; the only issue you might have is the keyboard layout, which can be fixed if you do a little searching.
artisticcheese said:
Hi,
I'm looking into buying a Cingular 8525 and unlocking it. I don't see the Cingular 8525 written in the description for this forum, so I'm not sure if it's the right place to ask questions.
Here are my questions:
1. If I unlock the phone and then download and install the official AT&T WM6 upgrade, will it relock the phone?
2. Is it OK to use an HTC WWE ROM on my phone, or might it not work because of the original branding?
8525 equals Hermes. Unlocking your device may void any warranty you have. You should only use ROMs made for the Hermes, which you will find in this forum.
keitht said:
8525 equals Hermes. Unlocking your device may void any warranty you have. You should only use ROMs made for the Hermes, which you will find in this forum.
Agree with all of the above comments, with the exception of this one... Loading a non-OEM ROM WILL void your warranty... However, many members have been able to successfully reflash with an OEM ROM before taking it back to the providers and having any warranty action performed... So, if you need to have your device repaired under the terms of your warranty, you would need to reflash to the OEM version, or they will send it back to you unrepaired...
The file needed for fixing the keyboard translation issue is called Cingular Keyboard Fix... a simple Google search on this forum should locate it for you... Or you can install another application called "Schap's Advanced Configuration Tool v1.1" (recommended)... In this tool, you can choose your keyboard layout as Cingular...
"Schap's Advanced Configuration Tool" would have been hard to find with a Typo...^^
but please READ MR VANX GUIDE!!! PLEASE!!!
This post will also lead you to all the info you'll need about locking/unlocking, flashing ROM's, etc.
Cheers,

Unlocking HTC TYTN 2

I just recently purchased an HTC TyTN from Rogers, and now I am having problems. How easy is it to unlock this phone by hardware? I was reading about unlocking steps etc. and how to do it with the software.
Or I bumped into a website, http://www.123Unlocking.net, unlocking by IMEI; I called them and they said they'd give me a code to enter.
What are the pluses and negatives, and which way should I go? I don't really want to break my phone, and I am not that much of a tech savvy guy, so please give me your input. Thanks!
Pof way is dead easy mate
what's even easier is calling your service provider, telling them you're going overseas, and asking for the code
Hello,
I would like to unlock my Vodafone 1615 and I saw your method to do it. But I read that I need the SPL 1.0 Olipof version. Now on my Kaiser I have SPL 3.28. I would like to know if I can unlock my Kaiser with this SPL version or whether I need to install the SPL 1.0 Olipof version first. Thank you in advance.
seridem said:
Hello,
I would like to unlock my Vodafone 1615 and I saw your method to do it. But I read that I need the SPL 1.0 Olipof version. Now on my Kaiser I have SPL 3.28. I would like to know if I can unlock my Kaiser with this SPL version or whether I need to install the SPL 1.0 Olipof version first. Thank you in advance.
SPL 1.0 Olipof is a version of Hard-SPL; you flash that to your device before doing the SIM unlock.
Use the unlocker in this thread; from memory it does the whole lot, Hard-SPL and SIM unlock.
http://forum.xda-developers.com/showthread.php?t=375583
Once you have done the unlock, I would then upgrade the radio ROM to one of the recent ones, then update Hard-SPL to a recent one, then update the ROM to a WM6.1 ROM. You both need to start reading through the Kaiser forum and wiki.
Use that link for the SIM unlock though, definitely the easiest; I did it the other day on my replacement phone.

Newbie - all you need to know about your device

OK, noobs. All this information you could get by using the search button or Google (which you never do). So, in order to keep the thread clean of every kind of question, I've compiled some answers for you.
HTC Cavalier comes in three variants: HTC S630 – Europe & USA model (English only), Dopod C730 – Asian model (bilingual, Chinese and English) and Softbank 02HT – Japanese model (bilingual, Japanese and English).
All Windows Mobile Smartphones are application locked by default, which means that you have to unlock your phone in order to install applications (in most cases free apps) from developers. The problem has to do with a certificate that costs a lot (more than $400). To do the application unlock go here: http://forum.xda-developers.com/showthread.php?t=398945
and please read all the instructions.
There’s no free SIM unlock, so if you want to SIM unlock your device check the web.
There is a CID unlock. With CID unlock you can use HTC Rom on Dopod or Softbank device and vice-versa; also you can use developer made Roms for your devices, in other words cooked Roms.
There are two kinds of CID unlock: the real CID unlock, which unlocks your device for real and is visible if you send your device for repair (it voids your warranty), and the second kind is HardSPL. HardSPL makes your device think that it is CID unlocked when in fact it is not (HardSPL also helps you when the issue of bad blocks appears), so in other words you don't void your warranty (if you have one left).
Now, for the Cavalier there's a HardSPL which you can get here: http://forum.xda-developers.com/showthread.php?t=398945
Please read all the instructions and especially the thread, as there are a lot of solutions for the problems that you might encounter.
Always, after the HardSPL, check your device through Mtty.
Mtty.exe is a kind of terminal emulation software, which is used to communicate with serial and/or USB enabled devices. On HTC devices it enables you to issue a selection of commands that allow you to read the status of some of the components, clear the bootloader flags, format the internal flash disk, remove bad blocks etc. (this program should of course be used with precautions, as you could mess up your bootloader).
Most of the information regarding mtty comes from the Hermes thread and wiki (most of the commands are the same for PPC and Smartphone); get it here: http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
Mtty is good against bad blocks, as you can see from cruzzmz's topic: http://forum.xda-developers.com/showthread.php?t=428589
Now there is an unofficial WM6.1 for the Cavalier, and credit goes to cruzzmz, here: http://forum.xda-developers.com/showthread.php?t=425272
There's also a WM6.5 ROM, thanks to ookba: http://forum.xda-developers.com/showthread.php?t=520756
There is a tutorial on how to unbrick your Cavalier, again thanks to ookba: http://forum.xda-developers.com/showthread.php?t=540478
There are a lot of applications and games that work with the Cavalier, and don't forget that you can find a lot of freeware which is very nice (keep in mind that most Excalibur apps also work on the Cavalier, so don't forget to check the Excalibur thread from time to time).
If you want to cook your own ROM, here: http://forum.xda-developers.com/showthread.php?t=425567
For all other questions, here: http://forum.xda-developers.com/forumdisplay.php?f=415&nojs=1#goto_forumsearch, http://wiki.xda-developers.com/index.php?pagename=HTC_Cavalier or http://forum.xda-developers.com/showthread.php?t=298893
Cheers
good job dude
well done
thank you man ,
very useful information
Thank you, very very useful...
smartman
Just for info on cost: you can unlock any HTC on any network for $20.
timepassman said:
Just for info on cost: you can unlock any HTC on any network for $20.
And can you tell me where? How?
Thanks, really good work!! Helping a lot!!!
Does anyone have news about a free SIM unlock for this phone??

How to remove region ID protection to a ROM

Hi guys, I have an HTC Diamond P3700 (DIAM110 64M) and I cannot install any of the HTC 2.03 official ROMs. I already ran the OLIPRO unlocker (dev Hard SPL, SIM Unlock, Security Unlock). I'm trying to run any of the official 2.03 ROMs (tried Europe, ME, Hong Kong) but nothing works. I CAN flash any cooked ROM (running AZTOR v10), but I would still like to know how to install any official 2.03 ROM.
I get the always handy error 244 invalid model ID, so it makes me think of an invalid region ID issue.
Any pointers greatly appreciated.
Your answers will most likely be found here...
http://forum.xda-developers.com/showthread.php?t=409425
Update stops at 5%/Invalid Model ID is displayed
Short answer: The model ID hardcoded in the ROM image doesn't match the ID of your device. Read on for a fix.
Long answer: Don't panic. Your device isn't broken.
Each Diamond model has its own ID. My German MDA Compact IV is a DIAM200. Other models are DIAM150/DIAM300/DIAM100...
Now, ROMs might be configured to be flashable to a specific Model ID only, even though technically they would work fine on any Model ID.
In that case the ROM needs to be "reconfigured" - this process works for full ROMs as well as Radios.
* If you are running a foreign Version of Windows or have Regional Settings other than English US configured, please set them to English U.S. temporarily. Otherwise NBHUtil will not function correctly.
* First you'll need OliPro's NBH Util (0.92 works for the Diamond).
* Fire it up, switch to "Extract NBH"
* Select the nbh of the ROM/Radio to be flashed and hit Go
* Extract the components you need. Radio/Splash/OS. If there's an SPL in there, you can safely discard/ignore it. You have HardSPL for that.
* Make note of the Target CID, Version, Language and Chunk Size. FYI the Model ID is the problematic setting here. If it says DIAM10000 and you have a DIAM300 you're screwed.
* Switch to the Build NBH tab and select the Diamond as target
* Note how the Model ID is preset to DIAM*****. The wildcard allows any device
* Change target CID, Version, Lang & Chunk size to the values you wrote down.
* Select each saved component under the NBH items
* Hit Build NBH and save the file as RUU_signed.nbh to a folder of your choice and flash it with the DiamondCustomRUU.exe or ROMUpdateUtility.exe
* Donate to OliPro because he just made your device useful
This is not the case.
The update process stops at 1%. I already read that forum, and usually you would think of Hard SPL issues, but no. I can flash cooked ROMs (I'm running AZTOR v10). That's why I'm thinking of region ID protection.
hmm....yes, yes, perhaps.
Ok, well I will see if there are any other post on this outside of this forum.
davidsle said:
Hi guys, I have an HTC Diamond P3700 (DIAM110 64M) and I cannot install any of the HTC 2.03 official ROMs. I already ran the OLIPRO unlocker (dev Hard SPL, SIM Unlock, Security Unlock). I'm trying to run any of the official 2.03 ROMs (tried Europe, ME, Hong Kong) but nothing works. I CAN flash any cooked ROM (running AZTOR v10), but I would still like to know how to install any official 2.03 ROM.
I get the always handy error 244 invalid model ID, so it makes me think of an invalid region ID issue.
Any pointers greatly appreciated.
That error has nothing to do with region ID.
However, if you flash a ROM with high region ID protection and your device is not from the matching region, you have to patch the ROM: for older ROMs in 1 place, for newer ones in 2 places. I can give more info if anyone requests it; I also made a patcher for nk.exe (the 1st patch is in nk.exe) that does it automatically.
PS: I noticed you mention mainly English ROMs. Well, English language ROMs usually never have it. Russian and Chinese language ROMs tend to have this.
davidsle said:
The update process stops at 1%. I already read that forum, and usually you would think of Hard SPL issues, but no. I can flash cooked ROMs (I'm running AZTOR v10). That's why I'm thinking of region ID protection.
Probably these ROMs are DIAM100**.
Your Diamond is DIAM110, so you want a ROM with a DIAM110** or DIAM***** model ID.
Cooked ROMs are usually DIAM***** and stock ROMs aren't.
So do what band27 said.
Is there a problem if my model ID is DIAM100 and when I extract the NBH I get DIAM10000?
I get this model ID from the NBH of the official ROM downloaded with my serial number.
cmonex said:
That error has nothing to do with region ID.
However, if you flash a ROM with high region ID protection and your device is not from the matching region, you have to patch the ROM: for older ROMs in 1 place, for newer ones in 2 places. I can give more info if anyone requests it; I also made a patcher for nk.exe (the 1st patch is in nk.exe) that does it automatically.
PS: I noticed you mention mainly English ROMs. Well, English language ROMs usually never have it. Russian and Chinese language ROMs tend to have this.
I am really interested in it. Can you tell me the details about how to patch nk.exe and rilphone.dll to remove the region ID protection? THX
