I've tried cooking a new WM2003 ROM several times with some software add-ons selected, but when I reflash it to my SX56, it's not there.
This is what I selected on http://lumpistefan.dyndns.org:
WM 2003 Final
A.30.09 ENG Siemens
No AutoConfig data
Add software and modify ROM
create 'System Tools' subfolder under 'Programs'
Notification Clear Fix
Frequency Tuner
Olive Tree BibleReader
Olivers ActionPack
Peters GameBox
Today Screen
Windows Mobile Southpark
Lock all keys except power button while off
Remove 'stk.lnk' from Startup folder
zipped NK.nb1 (SD-card flashing)
I attached the log (if you think it might help).
Any ideas? Am I missing a step somewhere?
I even tried downgrading to PPC2002 first, but that didn't make a difference. Do I need to go back and add other software afterwards? If so, where can I get other software?
Any help is appreciated.
Thanks,
Kyle Chenier
kylechenier-at-hotmail-com
Hmm. It worked for me...
Getting following log:
Code:
write xip block starting at 81720000, with 7 files
write xip block starting at 81bc0000, with 13 files
write xip block starting at 80160000, with 3 files
write xip block starting at 80650000, with 3 files
write xip block starting at 81030000, with 6 files
this rom seems to be A.30.09 ENG 2004-01-01 Siemens WM2003
this bootloader seems to be V5.22 2003-05-15 17:46:55
no operator rom found
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8015e640 9 XIPKERNEL 5 files 5 modules
80160000 - 8017fe30 12 XDA_DEVELOPERS3 3 files 0 modules
80180000 - 80375f08 8 KERNEL 11 files 14 modules
80380000 - 8064b430 7 OS 20 files 36 modules
80650000 - 8066fdec 13 XDA_DEVELOPERS4 3 files 0 modules
80670000 - 80be4348 6 SHELL 107 files 88 modules
80c00000 - 8102fea4 5 BROWSING 11 files 36 modules
81030000 - 8104ffc0 14 XDA_DEVELOPERS5 6 files 0 modules
81050000 - 813f0cac 4 COREAPPS 95 files 44 modules
81400000 - 815d3090 3 EXAPPS 34 files 7 modules
815f0000 - 8171cdc0 2 PHONE 57 files 19 modules
81720000 - 8177ffbc 10 XDA_DEVELOPERS1 7 files 0 modules
81780000 - 817823e4 -- xip chain 14 xip entries
817c0000 - 81bbb518 1 MISC 136 files 42 modules
81bc0000 - 81c87004 11 XDA_DEVELOPERS2 13 files 0 modules
81ec0000 - 81ee5800 -- bitmap : ffffffff .. ffffffff
adding: NK.nb1 (deflated 45%)
Try this ROM:
ftp://xda:[email protected]/Uploads/NK.nb1.zip
Stefan
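Added example, not part of the original thread: a small parser for the cooker log quoted above that cross-checks each "write xip block" line against the final ROM map and looks for overlapping regions, which is a quick way to confirm the add-on sections really ended up in the image. The function names `parse_log` and `check_layout` are made up for this sketch, and the line format is inferred from this one log only.

```python
import re

# Sample input: lines copied from the cooker log quoted in the post above.
LOG = """\
write xip block starting at 81720000, with 7 files
write xip block starting at 81bc0000, with 13 files
write xip block starting at 80160000, with 3 files
write xip block starting at 80650000, with 3 files
write xip block starting at 81030000, with 6 files
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8015e640 9 XIPKERNEL 5 files 5 modules
80160000 - 8017fe30 12 XDA_DEVELOPERS3 3 files 0 modules
80180000 - 80375f08 8 KERNEL 11 files 14 modules
80380000 - 8064b430 7 OS 20 files 36 modules
80650000 - 8066fdec 13 XDA_DEVELOPERS4 3 files 0 modules
80670000 - 80be4348 6 SHELL 107 files 88 modules
80c00000 - 8102fea4 5 BROWSING 11 files 36 modules
81030000 - 8104ffc0 14 XDA_DEVELOPERS5 6 files 0 modules
81050000 - 813f0cac 4 COREAPPS 95 files 44 modules
81400000 - 815d3090 3 EXAPPS 34 files 7 modules
815f0000 - 8171cdc0 2 PHONE 57 files 19 modules
81720000 - 8177ffbc 10 XDA_DEVELOPERS1 7 files 0 modules
81780000 - 817823e4 -- xip chain 14 xip entries
817c0000 - 81bbb518 1 MISC 136 files 42 modules
81bc0000 - 81c87004 11 XDA_DEVELOPERS2 13 files 0 modules
81ec0000 - 81ee5800 -- bitmap : ffffffff .. ffffffff
"""

WRITE_RE = re.compile(r"write xip block starting at ([0-9a-f]{8}), with (\d+) files")
REGION_RE = re.compile(r"([0-9a-f]{8}) - ([0-9a-f]{8}) \S+ (.+)")
FILES_RE = re.compile(r"(\S+) (\d+) files (\d+) modules")

def parse_log(text):
    """Return (written, regions): blocks the cooker wrote and the final ROM map."""
    written, regions = {}, []
    for line in map(str.strip, text.splitlines()):
        if m := WRITE_RE.fullmatch(line):
            written[int(m[1], 16)] = int(m[2])
        elif m := REGION_RE.fullmatch(line):
            f = FILES_RE.fullmatch(m[3])  # None for the xip chain / bitmap rows
            regions.append({"start": int(m[1], 16), "end": int(m[2], 16),
                            "name": f[1] if f else m[3], "files": int(f[2]) if f else None})
    return written, regions

def check_layout(written, regions):
    """List problems: overlapping regions, or written blocks that the map disagrees with."""
    problems = []
    ordered = sorted(regions, key=lambda r: r["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            problems.append(f"{a['name']} overlaps {b['name']}")
    by_start = {r["start"]: r for r in regions}
    for addr, nfiles in written.items():
        r = by_start.get(addr)
        if r is None or r["files"] != nfiles:
            problems.append(f"block {addr:08x} ({nfiles} files) does not match the ROM map")
    return problems

if __name__ == "__main__":
    print(check_layout(*parse_log(LOG)) or "layout consistent")
```

For this log the five written blocks (32 files in total) all line up with the XDA_DEVELOPERS1 to XDA_DEVELOPERS5 sections in the map.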
Stefan,
I managed to add the software after flashing the ROM (except the games). After I resync everything to my desktop, I'll try that one.
Thanks for your help!
Kyle
QMAT - QC Mobile Analysis Tool
What is it ?
It is a development and debugging tool for Qualcomm mobiles - the only tool you'll ever need for research and development.
Who may need it ?
Mobile engineers / reverse engineers and cryptoanalysts
Crypto Functions :
- Calculate CRC-30, CRC-32, SHA1, SHA2 (SHA224 + SHA256), MD4 and MD5 of any file
- Bruteforce bytes to fit CRC-30 needed when qcsblhd_cfgdata.mbn was edited
- Decrypt and Encrypt any RSA-Message, including ASN-1 / SHA Signatures. (you can add publickeys to publickeys.xml)
- Generate RSA Private Key and create .pvk files
- Check firmware signature given Modulus and Exponent (for HTC and BQS mobiles)
- Extract information from .pvk files
- Search for algorithms in binary files (find cryptomethods + signatures) CRC8, CRC16, CRC32, MD4, MD5, SHARK, HAVAL, GZIP, ZIP, SHA1, ... and much more (you can add cryptosignatures to crypto.xml)
JTAG Interface :
(soon via Segger J-Link)
Functions for QC mobiles :
1. Load binary files for :
Extraction of certificates
Extraction of BMPs,GIFs,PNGs, JPGs
2. Load Partition File to get overview about NAND/NOR structure
3. Send any String to a COM/USB Port and backup all your SMS !
4. Make usage of QCs Diag USB/COM Port Interface
(Useful for any QC mobile in the world)
Standard Features :
- Send standard diag commands or any hexadecimal command you want (database included)
- Read out all NVItems (range given)
(all that exist, more than QPST normally extracts)
- Backup and Restore all NVItems
- Read out and Dump Firmware in Memory (SRam)
- Read out complete EFS
- Switch to FTM Mode (or anything else you want)
- Get infos about phone, codes ..... etc ..... a lot more functions
- Generate SimSecure Command to write to SimSecure using given file (may brick your phone when used without knowledge)
- Full Feature EFS Browser
Bootloader / DownloadMode Features :
- Load any file to mobile at any address and execute (bootloader f.e.)
- Read out complete NAND Memory using bootloader (range given) with included MSM6250/A bootloader or any given bootloader
Usage : Take out battery, put in battery, press ON # to enter emergency mode, Execute Loader
or (with SL91,SF71 f.e.) enable FTM mode, Execute Loader
- Use any Download Mode or Bootloader Command to experiment
- Read application memory of newer Diag Ver 6 in Download Mode
- Show complete infos about used NAND after loading of Bootloader
Flasher Features :
Flash any QC mobile (OBL Multiboot) with given bootloader
- Flash PBL (dangerous), QCSBL, QCSBL Header and Config Bits, Partition, OEMSBL, OEMSBL Header, AMSS, AMSS Header and EFS
Functions for BQS only :
1. Load AMSS to extract files or useful infos
(EF81, E81C, EF91, SXG75, EF82, SF71, SL91 or similar ones)
Features :
Extract Infos from AMSS : USBID, Product.Nr., SVN, SwBuild, Mobiletype
Extract internal filesystem (mif,bar,sig etc. files)
Extract AMSS signature bytes (if production key)
Show all file references used by mobile
2. Check Firmware validity (signature)
3. Sim_Secure extraction/decryption (non-public)
4. Master-/Usercode/Unlock extraction and direct unlock (non-public)
Functions for HTC only :
1. Check validity of HTC firmware (signature check)
2. Cut out signatures from .nbh file
3. Split radio.nb into qualcomm files for analysis
4. Find HTC Public keys using Cryptosearch
5. Generate Security passwords (SPL + radio) for newer HTC
6. Generate NBH Files (you can add any device into devlist.xml)
7. Dump Files from NBH (you can add any type into nbhtype.xml)
8. Fix radio.nb checksum
9. Generic Bootloader / AT Command interface with logging functions
Functions for Network Engineers
Network Calculators :
TDMA (GSM/UMTS) :
--------------------
IMEI
GSM A5-1
GSM A5-2
GSM A5-3
3G ECSD
GEA3 - GPRS
3G SNOW
3G UEA2
3G UIA2
GSM A3/A8 COMP128 V1
GSM A3/A8 COMP128 V2
GSM A3/A8 COMP128 V3
3G Milenage
3G Milenage Resync
CDMA :
-------
CAVE
CAVE Authentication
CAVE CMEA
CAVE EMEA
CAVE EMEA_NF
CAVE Wireless Residential Extension
CAVE Datakey / Look Up Table / Mask
CAVE DTC / DCCH
CAVE KSG
CAVE Long Block
CAVE Short Block
CAVE Enhanced Message
CAVE Enhanced Voice Privacy
CAVE Enhanced Data Mask
and much more ....
Planned in future :
1. Bugfixes
2. EFS Restore to Zip File
3. QC Jtag interface using Segger J-Link ARM
4. LNBS HTC support to replace MTTY
5. Tooltips showing real addresses in graphical window
5. CDMA Write functions
6. Read out / Write back Addressbook
7. Restore backed-up SMS to phone
8. much much more
NO UNLOCKING ! PLEASE DO NOT REQUEST. THIS PROJECT IS FOR EDUCATIONAL PURPOSES ONLY, NOT TO HARM COMPANIES FOR THEIR EFFORTS.
What we need :
- Any contribution to the project is welcome.
- Donations for new hardware and software for further development of this tool.
Link to the project files :
------------------------
Version 4.21 (Major Release) Stable
QMAT Homepage
Cya and keep on reversing,
Viper BJK
==> Donate via PayPal <==
Thanks, that's very useful. Keep up the good work!
Update : Version 3.51
---------------------
- Crypto Bugfixes solved
- Com Port Bugfixes solved
Added QMAT 3.51 manual to download page
Cya,
Viper BJK
Update : 3.52
-------------
What's new ?
1. Added SHA2 crypto search algos (SHA224 and SHA256)
2. Added SHA2 (SHA224 and SHA256) and MD5 hash generation
3. Some Bugfixes
4. HTC Security Generator for all newer HTC models (reverse genned) :
SPL and radio (works with Diamond !!)
Note : For Copy'n'Paste .. do not use MTTY, but Putty !!!
See new manual for further details ....
Enjoy !
Cya,
Viper BJK
nice one..!
Thanks
New version : 3.54
------------------
Updates :
- Added SHA-256 from HTC
- Improved RSA Decryption ... now better readable
- Added function to reverse byte strings for RSA Decryption
- Bugfixes
Cya,
Viper BJK
Update:
Small SHA2 bugfix
Good information. thanks
New version : 3.6
------------------
Updates :
- Added NBH Generator Tool
=> you can add any device to devlist.xml
=> you can sign rom files either using pvk file or using dummy signature
- Added NBH Dump Tool
=> Remove Signatures function or
=> Extract any part you wish or
=> Extract all files from nbh
=> Show infos about nbh file
=> Add new deviceparts (typeinfo) to nbhtype.xml
- Added publickeys as XML
=> add any public key to publickeys.xml
- Added tool to fix radio.nb checksum
Bugfixes :
- Fixed NBH Signature extraction
- Fixed RSA Function
For the design of NBH Tools, I was strictly influenced by Olipro's work
Cya,
Viper BJK
This is a real work....!!!!
thx for this great program
Update : 3.61
-------------
What is new ?
-------------
After being fed up with buggy Putty + Mtty, I implemented
HTC Bootloader AT Command Interface. (see picture below)
Also I was missing a good copy paste function for my hex editor.
Why wasn't it working before ?
=> HTC Bootloader isn't able to take more than one byte sent.
So :
- Implemented HTC Bootloader AT Command Tool (works also for other ones)
- Several severe bugfixes (like Display fixes)
- Fixed RSA Decryption bug (Pubkeys loaded incorrectly from xml)
What will be next ?
------------------
As I'm a Vista user (sic!) I also use the really old Activesync driver.
But this one lacks high-speed transfer, so I'm going to implement a solution
for newer HTC phones and newer OS, as Micros*** changed to WinUSB Interface (which is better imho than virtual com port).
So :
- Will implement REAL Usb interface, no virtual serial port use
Cya,
Viper BJK
Small update :
--------------
WinUSB is now fully implemented !
It really works like a charm, much faster than putty or mtty, and really stable.
mb command runs like hell
Even better, you can break off USB connection and continue seconds after reading out bytes .... this is big news
So ... Vista Users, use new WMDC drivers, forget about old activesync one.
And as for the XP users, download WinUSB runtimes now
Bad to say, but of course WinUSB won't work with old activesync.
I'm going to implement now a logfunction for binary data, so it can be used with pdump. Once I understand how "autodownload" works, I will implement it also so that my tool can replace mtty.
If there are any wishes what should be implemented, say so
Of course I will open source for WinUSB connection for those who want to port their tools.
Cya,
Viper BJK
Update 3.70
------------
What is new ?
--------------
- Big bugfixes
- Added new WinUSB and Serial Interface for HTC Bootloader (with binary log AND pdump support)
- Added partition tool to show MORE info
- Complete new Serial interface
- Added feature to use different bootloader commands for nand reading
- Added feature to read different sizes for nand reading
- Fixed radio.nb extraction
- Fixed radio.nb checksum calculation
- etc. ..... see Manual 3.7 for complete introduction
Cya,
Viper BJK
Update 3.71
------------
Sorry for that one ... WinUSB didn't work due to memory leak.
Fixed ....
Cya,
Viper BJK
Update 3.72
------------
What's new ?
-------------
- Included HTC Security Decoder in AT Command Interface
(easier to use)
- Fixed USB / SER Problems
- HTCE/HTCS were not displayed correctly
- Fixed Display Scroll Problems in AT Command Interface
Enjoy !
Cya,
Viper BJK
Update 3.73 *Speed release !*
------------
As someone really needed this func, the following was added :
- htc at command interface bytelog can now be any filename (select log file)
- You can send any data to encapsulate, for example you want to send bytes 0x00 0x01 0x02 and 0x03 .... enter "00010203", press encap button and
bytes will be sent using correct HTC "HTCS....HTCE" encap
Cya,
Viper BJK
Update 3.74 *Special Edition for CMonex*
------------------------------------------
News :
- Added function to upload files in encapsulated header
- Bugfixes
Cya,
Viper BJK
News :
-------
3.74 has a lot of bugs in it, so sorry for that.
Download of my tool is atm not possible, I'm looking for another hoster.
New version 3.75 will be soon out, adding several bugfixes and nvitems support for HTC. Also, beginning with 3.75, my software will be shareware.
People that already donated 15 EUR will of course get source and registration key as usual for free.
Expect news soon.
Cya,
Viper BJK
ThanX Alot for this GREAT Tool !
Keep up your Good Work !
Is it possible to upload this tool on the board? I have forbidden access to the Google Code page ... :'(
Hi
I'm carrying this over from this thread http://forum.xda-developers.com/showthread.php?t=2421642
The guys here managed to patch their libWFD_ENGINE.so file so they could connect to all share cast on Rooted/Modded devices.
Unfortunately no one posted for the l900 note 2 but instructions were given to do this on any device.
1. download and install IDA Pro
2. download and install WinHex
3. download and install any text compare util
4. Open patched and unpatched version lib file of the same device (any device) with IDA
5. get text output of both files to the text compare utility
6. find the 3 differences. analyze where they are in the file (look for searchable text patterns)
7. open YOUR device's unpatched lib file with IDA pro
8. find the correspondences found on step 6 in your own file.
9. note the line number (hex address) of each of the 3 correspondences
10. now open all 3 files on Winhex
11. jump to the noted hex addresses and change the bytes according to the difference of 2 files of the same device.
12. make the change on your own file and save.
Thanks to mrmrmrmr for quick guide.
So what I have attached here is libWFD_Engine.so (Sprint note 2 4.3) unpatched, and I was hoping someone would be able to patch it with the above instructions. An example of the changes needed to be made, from the S4 libWFD_Engine.so, is below.
org_s4:
text:00012644 CBNZ R0, loc_12652
patched_s4:
text:00012644 MOVS R0, #0
org_s4:
text:00022D50 LDR R3, [R7]
patched_s4:
text:00022D50 MOVS R3, #0
org_s4:
text:00026B1C CMP R0, #0
patched_s4:
text:00026B1C CMP R0, #0x10
Thanks
I wonder if there is a way to turn this into a 1-click action?
http://forum.xda-developers.com/showthread.php?t=2542509
I Extracted and manually placed the file with root explorer and set permissions.
Works like a champ on my....
sprint note 2
synergy 4.3 rom
rooted
twrp
Do Not Flash The File....will cause bootloop ! Only for Android 4.3
What text comparing utility are you using, so that I can download it? Thanks.
Can you advise how to open and export the libWFD_ENGINE.so in IDA Pro?
The below is what I get from IDA Pro, which is quite different from yours.
I guess I made some mistakes during the process. I have never used IDA Pro before.
seg000:00002476 db 0
seg000:00002477 db 0
seg000:00002478 db 0
seg000:00002479 db 0
seg000:0000247A db 0
seg000:0000247B db 0
seg000:0000247C db 0
seg000:0000247D db 0
seg000:0000247E db 0
seg000:0000247F db 0
seg000:00002480 db 12h
seg000:00002481 db 0
seg000:00002482 db 0
Requirements:
- Rooted HAM.
- SQLite Editor is required. Download from here.
A-How to download themes directly from your HAM
1. Open SQLite Editor then press the tab files, then dip it in the following order: /Data/user/0/com.android.providers.settings/databases
then open settings.db
2. Open the systemex, then find the line: theme_no_online, Change the value from true to false, and then save it.
3. Exit app SQLite Editor, You will find the "Online" tab on the Themes app.
B-How to load EMUI 2.0 themes
1. Open SQLite Editor then press the tab files, then dip it in the following order: /Data/user/0/com.android.providers.settings/databases
then open settings.db
2. Dip into the systemex then find the line: hw_def_theme_version, Change the value from 1.6 to 2.0, and then save it.
3. Take a look into the Theme app.
C-How to download Wallpapers directly from your HAM
1. Open SQLite Editor then press the tab files, then dip it in the following order: /Data/user/0/com.android.providers.settings/databases
then open settings.db
2. Open the systemex, then find the line. wallpaper_no_online, Change the value from true to false, and then save it.
3. Take a look into the Wallpaper tab.
All credits go to Turbalov_dk @ Forum 4pda.ru and googgiggs @ droidsans.com
Is there anything else to do?
Doesn't work for me
and also can't find the line for the wallpapers