
Hacked ROM!


Guest GNU


Ok boys, this isn't really a big step, but it's a small step.

I disassembled my SPV tonight and identified the main ICs inside.

Attached are two images, of the front and back of the mainboard. I didn't take the pictures but I added the labels and the crappy lines identifying each chip.

I am trying to identify the JTAG interface.

I have tried contacting TI about the pinout for the OMAP710 chipset, but they wouldn't budge. My second thought was to find another IC that is connected to the JTAG chain and tap off of those points.

There is a row of 11 test points on the edge of the left side of the back of the board (see photo back.jpg).

There are also similar rows of test points on the front of the board.

I am 99% sure that the JTAG interface is connected to some of these pins. There has to be an easy way to load firmware as well as test these puppies as they come off the line.

This is why I requested for someone to send me a dead SPV (doesn't even have to have a screen) so I can try to figure out what points these are.

The 1880 part is just a 1880 MHz SAW split-band filter, which is no use to us.

The Toshiba part is basically the SD card controller. Toshiba calls it a "Secure Digital Host Controller (SDHC)".

The Maxim part is the line driver for the serial interface, capable of a maximum of 250 kbps.

I have no clue what the HTC chip does and cannot find any info about it.

Additionally, the SPV uses the same analog baseband chipset as the XDA.

http://xda-developers.com/research-gsm/

Also, above the OMAP chip (under the shiny sheet metal shielding) there is a Hyundai chip. My guess is that this is either RAM or additional EEPROM/flash memory containing such information as the IMEI numbers etc.

Can someone here with a little more knowledge in circuit design help in figuring this out?

front.jpg

back.jpg


Guest davidhorn

Can you not just follow the steps used for the XDA? It's possible to flash that through the USB link; the SPV must be the same, it's how updates are applied.


Yes you are correct, but this is only possible through the software included in the bootloader.

If the bootloader is corrupted then you will have no connectivity through the serial/USB port.

The jtag interface is an ISO standard for accessing and debugging chips on a motherboard. This jtag program is burned into processor memory and cannot be erased. Using the jtag can also allow you full access to any device on the jtag chain.

This is how the xda-developers.com people (as well as the ipaq clan) can restore an ipaq with a corrupted bootloader.

The steps would be something like this.

1. Turn on your SPV and find out it does nothing or locks up.

2. You try holding down voice record and cannot get into the bootloader menu.

3. You hook up the JTAG interface to the motherboard and to your computer.

4. You reprogram a working bootloader into the SPV.

5. You reboot the SPV and use the newly loaded bootloader to load the rest of the memory, from serial, SD card etc.

Also, using the bootloader cannot provide detailed information about the chips on the motherboard. Most manufacturing companies have a process to make sure all the parts are working as well as loading the initial firmware.

Hope this crappy explanation makes a little bit of sense.

The JTAG is basically a really slow, primitive way of accessing different chips on the motherboard. The bootloader makes a complicated process simple, and might also include other software such as backup options (like the earlier versions) or initialization functions. This software usually needs to be updated and is a lot larger in size (more code and functionality), so it is not beneficial and cost effective to include this stuff in ROM.

Mike
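The post above describes JTAG as a chain of chips reached through one debug port. The following is an added example, not code from this thread or from any vendor tool: a small model of the IEEE 1149.1 TAP controller (the 16-state machine driven by TMS) and of the IDCODE readout a debugger performs to learn which devices sit on the chain. It is the same enumeration a board-level security review does to find out whether a debug port was left enabled. The chain, the IDCODE values and the device without an IDCODE are all constructed; nothing here describes the SPV's real chain or pinout, which is exactly what the thread is trying to find.

```python
"""Simulation of an IEEE 1149.1 (JTAG) scan chain: the TAP controller and
the IDCODE readout used to enumerate devices. Constructed model for
illustration; no vendor code, no real board data."""

# TAP controller: state -> (next state on TMS=0, next state on TMS=1)
TAP_TRANSITIONS = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


class TapDevice:
    """One TAP on the chain. After Test-Logic-Reset a device with an IDCODE
    register selects it; a device without one selects BYPASS, a 1-bit
    register that captures 0. A valid IDCODE always has bit 0 set, which is
    how a scanner tells the two apart."""

    def __init__(self, idcode=None):
        self.idcode = idcode
        self.width = 32 if idcode is not None else 1
        self.reg = 0

    def capture(self):
        self.reg = self.idcode if self.idcode is not None else 0

    def shift(self, tdi):
        """Emit the register LSB on TDO and take TDI in at the MSB."""
        tdo = self.reg & 1
        self.reg = (self.reg >> 1) | (tdi << (self.width - 1))
        return tdo


class TapChain:
    """Devices listed from the host's TDI pin towards the host's TDO pin."""

    def __init__(self, devices):
        self.devices = list(devices)
        self.state = "Run-Test/Idle"   # arbitrary; reset() walks to a known state

    def clock(self, tms, tdi=0):
        """One TCK cycle: do the current state's action, return TDO, advance."""
        tdo = 0
        if self.state == "Capture-DR":
            for dev in self.devices:
                dev.capture()
        elif self.state == "Shift-DR":
            bit = tdi
            for dev in self.devices:        # each device's TDO feeds the next TDI
                bit = dev.shift(bit)
            tdo = bit
        self.state = TAP_TRANSITIONS[self.state][tms]
        return tdo

    def reset(self):
        """Five clocks with TMS high reach Test-Logic-Reset from any state."""
        for _ in range(5):
            self.clock(tms=1)
        assert self.state == "Test-Logic-Reset"


def scan_idcodes(chain, max_devices=16):
    """Enumerate the chain. Returns IDCODEs starting with the device nearest
    the host's TDO; None marks a device that came up in BYPASS."""
    chain.reset()
    for tms in (0, 1, 0, 0):   # TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR
        chain.clock(tms)
    found = []
    for _ in range(max_devices):
        first = chain.clock(tms=0, tdi=1)
        if first == 0:                  # BYPASS: a single 0 bit, nothing more
            found.append(None)
            continue
        value = 1
        for i in range(1, 32):
            value |= chain.clock(tms=0, tdi=1) << i
        if value == 0xFFFFFFFF:         # only our TDI=1 fill is left: end of chain
            break
        found.append(value)
    chain.clock(tms=1)                  # Exit1-DR
    chain.clock(tms=1)                  # Update-DR
    return found


def decode_idcode(code):
    """Split a 32-bit IDCODE into the fields the standard defines."""
    return {"version": code >> 28,
            "part": (code >> 12) & 0xFFFF,
            "manufacturer": (code >> 1) & 0x7FF}


if __name__ == "__main__":
    # Constructed chain: two made-up IDCODEs around a device that has none.
    chain = TapChain([TapDevice(0x0ABCD241), TapDevice(None), TapDevice(0x1F00F123)])
    for code in scan_idcodes(chain):
        print("BYPASS (no IDCODE)" if code is None
              else "%08x %s" % (code, decode_idcode(code)))
```

The readout order is reversed relative to the wiring: the device closest to the host's TDO pin answers first, and a device in BYPASS contributes exactly one zero bit before the next IDCODE begins, which is why the scanner checks bit 0 before reading a full 32-bit word.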


Yes and Yes :)

Firstly, I am actually waiting for florin_m to get back from his vacation so he can tell us how he made his custom ROM. That's why I haven't been working on this part too hard right now, because if someone has already done some of the steps it would be a waste to figure this out again.

But I also do think it is important to figure out how to get phones back alive again with damaged bootloaders. With flashing new ROMs to the phones it is quite possible to write over parts of memory we don't want to, and I think fewer people would help knowing that they could totally wreck their phones playing around with the ROMs.

But my ultimate goal is to create a custom rom with the best parts of the existing roms, that is slimmed down and inclusive of the best utility applications that we all require.

Maybe I should have made 2 threads on this, one for jtag and one for rom. But I guess I am also interested in identifying the jtag because I don't have orange care so if I mess up my phone I am screwed ;)


Guest Greywolf_Ghost

Keep up the great work all!!! I am learning from watching all this and I am hopeful I can apply this custom ROM hacking to the Casio BE300.

( now before you blow a brain seal read on)

I own both a Casio E-125 and Casio BE 300....will be buying a used BE again soon as well for mod.

Both your work here and the XDA crew have made me think I can dump the E-125 rom, slim it up greatly removing things like IrDA and voice recording features as the BE has neither, then apply it to the BE 300.

I would love to see PPC2000 UI on a BE.

Oh well GOOD LUCK on your project !!! May you solve all your unwanted issues and create a great ROM that you will enjoy for years !!!!


Hey greywolf:

I have owned a BE300, and I currently own a E-125.

You will not be able to hack the rom on the E-125. Most of the PocketPC2000 machines have a different architecture than the PPC2002 based devices.

The E-125 has Windows CE and bundled applications actually burned on a ROM chip that is installed in the device. ROM cannot be overwritten and therefore the operating system can never change on these devices unless you physically remove the old ROM chips and replace them with newer ones.

The filesystem on the PPC2000 and earlier PPCs/HPCs used battery-backed RAM (volatile) as storage. If you remember, you actually could specify how much of the onboard RAM was to be used for storage and how much of it was to be used as actual program running space (or how RAM is used on desktop machines).

You could only upgrade these machines by placing a file with the same filename into the volatile RAM. Upon bootup, if the OS found a copy of a file with the same filename in RAM it would use that over the one permanently burned in ROM. This is how updates are applied to PPC2000 machines. If you were to pull the main battery as well as the backup battery, the OS would still be there but all the user files, registry and updates would be erased.

With the BE300 and PPC2002 devices (like the HP Jornadas, iPAQ, XDA, smartphones) generally the ROM, as we incorrectly refer to it, is actually flash memory, similar to what is found in digital camera CompactFlash cards, etc. This ROM does not need a backup battery to keep its information and can be written and read from many times. The Windows CE operating system and bundled applications are stored in this flash memory (what we call ROM). Any leftover flash memory (ROM) that is not used by the operating system is used to store the user's registry as well as additional data etc. So when we perform ROM upgrades on these devices we are actually erasing and writing to the flash memory, and therefore any update you perform is semi-permanent (i.e. it'll be there until you erase it). This concept of using flash memory to store files is great because it is more reliable and easier to upgrade devices.

When you do a "hard reset/cold reset" of a smartphone device, you are only erasing the "user files" defined area of the flash memory and not the operating system part.

What we are trying to do here is to create our own custom version of the operating system part of the flash memory (the area we call rom) that has the best of the many versions out there right now as well as slimming it down to the applications we only require.

If anyone wants to try something, try putting a file in your ipsmwindows directory with the same name as some file in windows and you will probably find that the operating system will use the version in the ipsmwindows directory.

This might be an idea for people who have updates that don't contain the best t9english.dll that they want. Try adding a t9english from a different rom version to the ipsmwindows directory and you will probably find that next time you reboot the phone your t9 will be updated.

(I haven't tried this, but it should work)

So sorry to put a damper on your plans for upgrading the E-125. I own one too and wish it could have the PPC2002 operating system, but even if it had flash memory (which is required for the PPC2002 standard) it has a MIPS processor, and an ARM processor is required for PPC2002. Developers these days have stopped developing for PPC2000 because one of the problems is the wide variety of processor types that could be used, not to mention it's getting pretty outdated.

Updating the BE300 is worthwhile though; it does have an ARM processor and flash memory. From what I have seen it looks like it can basically conform to the PPC2002 requirements. But another issue is that the BE300 is a dying breed, now that the PPCs have come down so much in price, such as the Dell Axim X5 series and the new X3.

Hope this helps,

Mike
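The post above rests on one precedence rule: a file in the persistent-store Windows directory with the same name as a ROM file is used instead of the ROM copy. That is also why it is worth knowing which ROM files on a phone are currently shadowed, since a same-named DLL dropped into that directory silently replaces the operating system's copy. The script below is an added example, not code from the thread or from any phone's software: it audits a store directory against the ROM listing and classifies each shadowing file. The directory the post calls ipsmwindows is assumed here to be \IPSM\Windows, and every file name and content in it is constructed sample data.

```python
"""Audit which files in a persistent-store Windows directory shadow ROM
files of the same name. Constructed example; file lists and contents are
made up for the demonstration and the store path is an assumption."""
import hashlib

# Constructed ROM-resident \Windows listing: name -> bytes.
ROM_WINDOWS = {
    "t9english.dll": b"T9 dictionary, ROM version (constructed)",
    "example.dll":   b"some library (constructed)",
    "welcome.bmp":   b"bitmap bytes (constructed)",
}

# Constructed persistent-store directory (assumed path \IPSM\Windows).
IPSM_WINDOWS = {
    "T9English.dll": b"T9 dictionary from another ROM build (constructed)",
    "example.dll":   b"some library (constructed)",
    "readme.txt":    b"user notes (constructed)",
}


def _digest(data):
    # A ROM manifest usually ships hashes rather than file bodies, so the
    # comparison is done on digests to keep the same shape in both cases.
    return hashlib.sha256(data).hexdigest()


def shadow_report(rom, store):
    """Classify every file in the store directory:
    'modified'  - shadows a ROM file and differs from it (override takes effect)
    'identical' - shadows a ROM file byte for byte (uses space, changes nothing)
    'new'       - has no ROM counterpart, so nothing is overridden
    Names compare case-insensitively, as they do on the device's FAT-style store."""
    rom_by_name = {name.lower(): _digest(data) for name, data in rom.items()}
    report = {}
    for name, data in store.items():
        rom_hash = rom_by_name.get(name.lower())
        if rom_hash is None:
            report[name] = "new"
        elif rom_hash == _digest(data):
            report[name] = "identical"
        else:
            report[name] = "modified"
    return report


def effective_overrides(rom, store):
    """Sorted lower-case names whose ROM copy is actually replaced at boot."""
    return sorted(name.lower()
                  for name, kind in shadow_report(rom, store).items()
                  if kind == "modified")


if __name__ == "__main__":
    for name, kind in sorted(shadow_report(ROM_WINDOWS, IPSM_WINDOWS).items()):
        print("%-16s %s" % (name, kind))
    print("ROM files replaced at boot:", effective_overrides(ROM_WINDOWS, IPSM_WINDOWS))
```

On a real device the two dictionaries would be filled from a directory listing of the store and from the ROM image's file table; the classification logic stays the same. The 'identical' case matters in practice because such a copy looks like an override but changes nothing, while an unexpected 'modified' entry for a system DLL is the first thing to look at on a phone behaving oddly after an update.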


Guest Greywolf_Ghost

Spine

I guess I must have said my message incorrectly. I am not looking to upgrade the E-125. I am looking to dump the Rom from the E-125 and attempt to run it on the BE 300.

Also please do not take this with any bad intent. The BE 300 is a MIPS chip.

If you look at the specs it is an NEC VR4131, 166MHz, 280 MIPS (64 bit CPU)

Under the Casio GUI it is underclocked to 166. If you run a custom shell, say eXpod, the underclocking is removed and the chip is pushed to its 200 MHz.

I am quite happy with my E-125 as is, I do however wish to find a way to hack the PPC2000 for use on the BE 300.

So both are MIPS (same chip almost), both run Windows CE 3.0... E-125 PPC shell, the BE 300 a custom-made shell with little to no PPC support unless running eXpod.

Any way I got you guys off topic, for that I am sorry !!!! However there should be something I can do like the XDA crew with the E-125 I hope.

Your work is being watched with great joy on my part, as I do intend to get a smartphone when they come out in Canada. I was going to import one, but the cost is just to high for me right now.

So seeing you guys here do all the wonderful things is only adding to my excitement. :)


Hi Spine,

Great work you're doing here.

I just wonder if you really need to use the JTAG when you mess up your bootloader. I think that USBTerm with an SD card can easily fix a corrupted bootloader...

Right now, what I'm trying to find out is how to copy a qtek with a chinese dictionary (Hong Kong version) into another phone to make it have the chinese dictionary also.

would appreciate if you can give me info on how to do what I plan.

Thanks and keep up the good work!

BP


Guest Liam2000

I believe that we can flash the SPV (OS or bootloader) without JTAG. (i'm not sure about this, but from my experience, repairing phones...)

Almost any other phone is able to be flashed (even when the bootloader is damaged) just by its serial port. But they always need to be powered by the port too, so I believe that the phone can be flashed on the cradle.

I think that the problem is, that we don't know when to turn ON the phone when the update is running. Beside that, I don't know if the update really needs to identify the current update that is installed on the phone.

Also, I don't have any damaged SPV, so i can't test this theory.



Well, it is easy to extract files from a ROM image.

Right now I am trying to get the author of splitrom.pl to help me modify the code to split the ROM into the appropriate sections, like operator, OS, bootloader, splash image etc.

Then the next step would be to modify the sections, and then rebuild the rom. This will also require the program that re-assembles the .nbf file to be adapted for the smartphone roms.

I am also waiting for florin_m to let me know if he can tell us how he made his rom image, which would be a great help - but he hasn't replied to my PM's

I'll post any significant updates to this thread, you have my guarantee.

I think I might try to add the Qtek update to my smartphone tonight and then try to add the T9 DLLs from the Orange update so that I can get some reasonable T9 performance.

Oh, thanks to someone who PM'ed me (I forget your name). It is for certain now that the SPV does have a JTAG port, and it should be possible to repair dead phones, something that most likely will be needed when we are developing ROMs; we just have to find the right test points on the motherboard.

Mike


Guest vijay555

Spine how did you extract files?

I'm using the QTEK rom with T9, but i suspect that Imate had better battery life, but Imate has no T9, so this would be a boon.

BTW all, off topic, but has anyone played with Platform Builder for .net/2003?

There's C++ code for a number of standard SP apps (e.g. Explorer). I've compiled a ROM for ARM, but obviously it's not possible to upgrade onto our phones; the RUU won't accept it.

Must admit, i only played around with it for a few mins after getting back from holiday, but was wondering if it might be possible to shoehorn some ARM compiled SP2003 tools into our SP 2002. Don't know why i would, but hell, why not?

V


Guest vijay555

Liam2000, when you say easily dump, I mean files that can be dumped and put back on the phone.

So far i don't think spine has done that.

Spine: perhaps there's a CRC issue with the files that are dumped. I tried to hex-edit some ASCII in a normal .exe (not a ROM image, just a generic app), and I also got an error on trying to execute it. I suspect that there may be some CRC checking or similar.

Again, this might be completely irrelevant or incompatible, but Platform Builder also comes with a makerom program that will take a dir full of files and prepare an .nb0 file. Not an .nbf, but close! Spine, you might consider comparing the structure of the .nb0 to the known file structure to assemble an idea of ROM file placement. However, going the XDA route would be easier, in making generic apps that would work as theirs does but for the SPV...

V
