11.07.2003, 11:41   #1
Acidmrp
Handy Gott
Registered since: 17.11.2002
Posts: 2,723
## how to flash patch ## 2 ##

this time in English, because of too little participation:

(Part one only exists in German this time, but you can
read the "how to find entry point" by RizaPN.)
If you want to make a translation, you can find the first
part here:
http://www.gsm-multifund.de/board/sh...5&pagenumber=1

Author: ACiD [mrp]
Homepage: www.gsm-dev.com

here it is: the 2nd part of the Siemens flash patching tutorial!

I always use my ME45i v4 for the examples, but you can
easily modify this for other phones.

Let's recall what we learned in the first lesson:

- you have all the tools to start
- you have a modified language pack
- you know how to change text in the flash
- you know how to change jump addresses in the flash

today we go deeper into the firmware using IDA

first of all, make a new file (1.bin) of 8 MB containing only 0xFFs,
then copy the first 2 MB from the phone flash into a file (2.bin).
Now you have these two files and the fubu file (6 MB) (fubu.bin).

go to the DOS prompt and type:

copy 1.bin/b + 2.bin/b + fubu.bin/b MEBig.bin

now go to IDA and disassemble this MEBig.bin (16 MB):
select "Binary file" and processor type "Siemens C166: c166"

now you can use fmenu like you learned in the first lesson.
Use it to find the game entries. You will get these entries:

Goto_F6A8CC (StackAttack)
Goto_F6A8D0 (RaceAce)
Goto_F6A8D4 (Balloon)
Goto_F6A8DA (Setup)

so let's go to these points in IDA. Press 'g' (Goto) and type in
the address. Now press 'c' to disassemble; you can undo this
by pressing 'u'.

you will get this:

seg000:F6A8CC ; =============== S U B R O U T I N E =======================================
seg000:F6A8CC
seg000:F6A8CC
seg000:F6A8CC StackAttackEntry: ; this is called by menu StackAttack
seg000:F6A8CC jmps 0F3h, StackAttack ; Stack Attack
seg000:F6A8CC ; End of function StackAttackEntry
seg000:F6A8CC
seg000:F6A8D0
seg000:F6A8D0 ; =============== S U B R O U T I N E =======================================
seg000:F6A8D0
seg000:F6A8D0
seg000:F6A8D0 RaceAceEntry: ; this is called by menu RaceAce
seg000:F6A8D0 jmps 0F3h, RaceAceSplashEntry ; Race Ace
seg000:F6A8D0 ; End of function RaceAceEntry
seg000:F6A8D0
seg000:F6A8D4 ; ---------------------------------------------------------------------------
seg000:F6A8D4
seg000:F6A8D4 BalloonEntry: ; this is called by menu BallonShooter
seg000:F6A8D4 jmps 0F2h, BalloonShooter
seg000:F6A8D8
seg000:F6A8D8 ; =============== S U B R O U T I N E =======================================
seg000:F6A8D8
seg000:F6A8D8
seg000:F6A8D8 SpieleMenu: ; CODE XREF: sub_F5E160+242P
seg000:F6A8D8 ; seg000:F65D2CJ ...


make sure you always write many comments in this file!

Double-click on "RaceAceSplashEntry" in your file; this is named loc_F3C2E6.
You'll find this:

seg000:F3C2E6 RaceAceSplashEntry: ; CODE XREF: RaceAceEntryJ
seg000:F3C2E6 mov r12, #1
seg000:F3C2E8 jmps 0F3h, RaceAceSplash


so let's go to RaceAceSplash (loc_F3C28E)

seg000:F3C28E RaceAceSplash: ; CODE XREF: seg000:F3C288J
seg000:F3C28E ; seg000:F3C2E8J
seg000:F3C28E calls 0CBh, sub_CB0498
seg000:F3C292 mov r12, #35FCh ;Display INIT
seg000:F3C296 mov r13, #0F5h ;Display INIT
seg000:F3C29A mov r14, #3694h ;Display INIT
seg000:F3C29E mov r15, #0F5h ;Display INIT
seg000:F3C2A2 calls 0FAh, sub_FA7184
seg000:F3C2A6 calls 0CAh, InitDisplay
seg000:F3C2AA cmp r6, #0
seg000:F3C2AC jmpr cc_Z, loc_F3C2B8
seg000:F3C2AE mov r14, #3ECCh ; Siemens Logo
seg000:F3C2B2 mov r15, #214h
seg000:F3C2B6 jmpr cc_UC, loc_F3C2C0
seg000:F3C2B8 ; ---------------------------------------------------------------------------
seg000:F3C2B8
seg000:F3C2B8 loc_F3C2B8: ; CODE XREF: seg000:F3C2ACj
seg000:F3C2B8 mov r14, #3EA0h ; HandyGames Logo
seg000:F3C2BC mov r15, #214h
seg000:F3C2C0
seg000:F3C2C0 loc_F3C2C0: ; CODE XREF: seg000:F3C2B6j
seg000:F3C2C0 calls 0FAh, CallBoxItem



first of all you'll see some inits for the display. Then you'll see some box calls;
in the first one there is the Siemens logo:

seg000:F3C2AE mov r14, #3ECCh ; Siemens Logo
seg000:F3C2B2 mov r15, #214h
seg000:F3C2C0 calls 0FAh, CallBoxItem

and in the second one the HandyGames logo:

seg000:F3C2B8 mov r14, #3EA0h ; HandyGames Logo
seg000:F3C2BC mov r15, #214h
seg000:F3C2C0 calls 0FAh, CallBoxItem

try to play with them.

after both logos are shown, there is an indirect call by the menu to address loc_F3C276.
It's not important to find this now; this is only for you to get started and do
some playing.

seg000:F3C276 cmp r14, #3
seg000:F3C278 jmpr cc_NZ, loc_F3C28C
seg000:F3C27A calls 0FAh, sub_FA7764
seg000:F3C27E or r4, r5
seg000:F3C280 jmpr cc_NZ, loc_F3C286
seg000:F3C282 jmps 0F3h, RaceAce
seg000:F3C286 ; ---------------------------------------------------------------------------
seg000:F3C286
seg000:F3C286 loc_F3C286: ; CODE XREF: seg000:F3C280j
seg000:F3C286 mov r12, #0
seg000:F3C288 jmps 0F3h, RaceAceSplash
seg000:F3C28C ; ---------------------------------------------------------------------------
seg000:F3C28C
seg000:F3C28C loc_F3C28C: ; CODE XREF: seg000:F3C278j
seg000:F3C28C rets

here you find a call to the real RaceAce GameMenu: it's located at loc_F3B90C

now let's go back to the start, loc_F6A8D0. Go into your favorite hex editor and
jump to address 56A8D0 (F6A8D0 - offset (0xA00000)); you'll find these values:
FAF3E6C2

FA means a jmps (intersegment jump); F3E6C2 is the address: F3 the segment and
E6C2 the address. You always have to mirror these addresses --> C2E6,
and this is the same that IDA says: jmps loc_F3C2E6
But WE don't want to go to the RaceAce splash, no, we want to go to RaceAce.
So let's make a direct jump to RaceAce: jmps loc_F3B90C. In hex this is:
FAF30CB9

so write in v_klay:
56A8D0: FAF3E6C2 FAF30CB9

flash this patch, turn on the phone and you'll see: no more Race Ace splash screen

Now make a patch so that GPRS is always turned on by pressing menu-9-6-1 and I'll
give you the next lesson

thanks go out to RizaPN & SkyLord
greetings go out to

GSM-Dev Crew & Users,
GSM-Multifund Mods & Users,
Megamobil Mods & Users,
GSM-Forum Mods & Users,
and GSM-Free Mods & Users

thank you for reading this
have fun and stay relaxed.
ACiD [mrp]
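The offset arithmetic, the "mirrored" jmps bytes and the v_klay line from the post, worked through in Python. This is an added example, not ACiD's tooling and not v_klay; it assumes the C166 jmps encoding the post shows (FA, segment byte, then the 16-bit offset stored low byte first), the 0xA00000 base the post subtracts to get the hex-editor offset, and the 16 MB address space MEBig.bin is padded to. The flash image it patches is constructed for the demo, not a real dump. The patch step refuses to write unless the expected original bytes are really there, which is the check you want before flashing a patch made for one firmware version onto another.

```python
"""jmps encode/decode, hex-editor offsets and a checked v_klay patch apply.

Added example, not the tutorial author's code.  Assumptions (from the post):
jmps = FA, segment byte, offset low byte, offset high byte; file offset =
flash address - 0xA00000; MEBig.bin is the 16 MB C166 address space.
"""
import struct

JMPS_OPCODE = 0xFA          # C166 intersegment jump, 4-byte instruction
FLASH_BASE = 0xA00000       # file offset = flash address - FLASH_BASE (as in the post)
ADDRESS_SPACE = 0x1000000   # 16 MB, the size of MEBig.bin
PATCH_LINE = "56A8D0: FAF3E6C2 FAF30CB9"   # the v_klay line quoted in the post


def decode_jmps(code: bytes) -> int:
    """Return the 24-bit target (segment:offset) of a jmps instruction."""
    if len(code) < 4 or code[0] != JMPS_OPCODE:
        raise ValueError("not a jmps instruction: " + bytes(code[:4]).hex())
    segment = code[1]
    offset = struct.unpack_from("<H", code, 2)[0]   # little-endian, hence 'mirrored'
    return (segment << 16) | offset


def encode_jmps(target: int) -> bytes:
    """Encode 'jmps target' as the 4 bytes the post writes with the hex editor."""
    if not 0 <= target < ADDRESS_SPACE:
        raise ValueError("target outside the 16 MB address space")
    return bytes([JMPS_OPCODE, target >> 16]) + struct.pack("<H", target & 0xFFFF)


def flash_to_file_offset(addr: int) -> int:
    """F6A8D0 in IDA becomes 56A8D0 in the hex editor / v_klay."""
    return addr - FLASH_BASE


def parse_vklay_line(line: str):
    """Parse 'OFFSET: OLDHEX NEWHEX' into (offset, old_bytes, new_bytes)."""
    off, rest = line.split(":", 1)
    old_hex, new_hex = rest.split()
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    if len(old) != len(new):
        raise ValueError("old and new byte strings differ in length")
    return int(off, 16), old, new


def apply_patch(image: bytearray, line: str) -> bytearray:
    """Apply one v_klay line, refusing if the image does not hold the expected
    old bytes (a patch for another firmware version would corrupt the flash)."""
    off, old, new = parse_vklay_line(line)
    found = bytes(image[off:off + len(old)])
    if found != old:
        raise ValueError("bytes at %06X are %s, expected %s"
                         % (off, found.hex().upper(), old.hex().upper()))
    image[off:off + len(new)] = new
    return image


def build_ida_image(*parts: bytes) -> bytes:
    """Pad the flash parts with 0xFF so they end at the top of the 16 MB space,
    like 'copy 1.bin/b + 2.bin/b + fubu.bin/b MEBig.bin' with 1.bin all 0xFF.
    Works for any part sizes, e.g. 2 MB + 6 MB or a single 4 MB dump."""
    body = b"".join(parts)
    if len(body) > ADDRESS_SPACE:
        raise ValueError("parts exceed the address space")
    return b"\xFF" * (ADDRESS_SPACE - len(body)) + body


def make_sample_image() -> bytearray:
    """Constructed 6 MB image holding the original 'jmps RaceAceSplashEntry' at 56A8D0."""
    image = bytearray(b"\xFF" * (ADDRESS_SPACE - FLASH_BASE))
    off = flash_to_file_offset(0xF6A8D0)
    image[off:off + 4] = encode_jmps(0xF3C2E6)
    return image


if __name__ == "__main__":
    img = make_sample_image()
    print("before: jmps %06X" % decode_jmps(img[0x56A8D0:0x56A8D4]))
    apply_patch(img, PATCH_LINE)
    print("after:  jmps %06X" % decode_jmps(img[0x56A8D0:0x56A8D4]))
```

Running it prints the target changing from F3C2E6 to F3B90C; applying the same line a second time raises, because the old bytes are no longer present.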
01.10.2003, 13:25   #2
bragos
Guest
why do you build a file with 8 MB FF + 2 MB beginning of file + 6 MB fubu?

does it work with the Siemens M35?


bragos.
01.10.2003, 15:29   #3
Acidmrp
@bragos because the memory mapping is 16 MB. This will work with the C35, but use a 12 MB 0xFF file and 4 MB flash.
01.10.2003, 18:20   #4
bragos
Thanks for your help!


Fmenu seems not to work on M35 code; I tried with some menus (like games/quattropoli/mines ...) with no results! (I think that the code is different.) Do you know something about this?


Do you know where I can get a short description (summary) of the C166 asm (I think it looks like x86 or Microchip asm; I don't need the full explanations!)?
01.10.2003, 20:04   #5
Acidmrp
if you understand German, you can get the best command description here:
http://www.controllertechnik.de/download/h166.hlp

this is also a nice document (English):
http://www.infineon.com/cmc_upload/d....2_2001_07.pdf
02.10.2003, 13:23   #6
bragos
Fmenu seems not to work on the M35.

But the way it works on an M35 is easy to understand.

The dump of the "games" menu is shown below:


FFFF [ 0B02 ] 0C02 0300 B004 FFFF 3C02 3D02 ............<.=.
0300 2003 DEBB E700 E6BB E700 F2BB E700 .. .............
F6BB E700 [ FABB E700 ] 02BC E700 0000 0000 ................


0B 02 = string number 523 = 020Bh = "Games"
At address 00 E7 BB FA we can find a jump:



seg000:E7BBFA ; ---------------------------------------------------------------------------
seg000:E7BBFA mov r13, r15 ; Jeux
seg000:E7BBFA ;
seg000:E7BBFC mov r12, r14
seg000:E7BBFE jmps 0E7h, loc_E7FFA6
seg000:E7BC02 ; ---------------------------------------------------------------------------
seg000:E7BC02 mov r13, r15 ; mesure tps
seg000:E7BC02 ;
seg000:E7BC04 mov r12, r14
seg000:E7BC06 jmps 0E7h, loc_E7BC5A
seg000:E7BC06 ; ---------------------------------------------------------------------------
seg000:E7BC0A
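The menu dump above, decoded in Python. This is an added example, not bragos's code: it assumes the reading bragos gives of the dump (16-bit little-endian words, the second word being the string number 020Bh = 523, and a run of 32-bit little-endian code pointers into segment E7h), strips the bracket marks and the ASCII column, and lists the pointers so each can be checked against the stubs in the listing (E7BBFA and E7BC02 appear there). The heuristic of picking pointers by segment byte is an assumption made for the demo.

```python
"""Decode the M35 'games' menu table from the hex dump quoted in the post.

Added example, not from the thread.  Assumed layout (bragos's reading):
little-endian 16-bit words; word 1 is the string number; the entries are
32-bit little-endian pointers into the E7xxxx segment.
"""
import re
import struct

# The three dump lines as posted (brackets are bragos's marks, not data).
DUMP = """
FFFF [ 0B02 ] 0C02 0300 B004 FFFF 3C02 3D02 ............<.=.
0300 2003 DEBB E700 E6BB E700 F2BB E700 .. .............
F6BB E700 [ FABB E700 ] 02BC E700 0000 0000 ................
"""

HEX_WORD = re.compile(r"[0-9A-Fa-f]{4}")


def dump_to_bytes(text: str) -> bytes:
    """Keep the 4-hex-digit word groups of each line; the ASCII column is dropped
    at the first token that is not a hex word."""
    words = []
    for line in text.strip().splitlines():
        for tok in line.replace("[", " ").replace("]", " ").split():
            if HEX_WORD.fullmatch(tok):
                words.append(tok)
            else:
                break
    return bytes.fromhex("".join(words))


def words16(data: bytes):
    """The dump as little-endian 16-bit words (0B02 -> 0x020B)."""
    return struct.unpack("<%dH" % (len(data) // 2), data)


def string_number(data: bytes, index: int = 1) -> int:
    """bragos marks the second word as the menu's string number ('Games' = 523)."""
    return words16(data)[index]


def code_pointers(data: bytes, segment: int = 0xE7):
    """32-bit little-endian values on word boundaries whose segment byte matches.
    Heuristic for the demo: the table stores 'DEBB E700' for 0x00E7BBDE."""
    ptrs = []
    for i in range(0, len(data) - 3, 2):
        val = struct.unpack_from("<I", data, i)[0]
        if (val >> 16) == segment:
            ptrs.append(val)
    return ptrs


def bracketed_words(text: str):
    """The words bragos highlighted with [ ... ], as integers."""
    return [int("".join(reversed(re.findall(r"[0-9A-Fa-f]{4}", m))), 16)
            for m in re.findall(r"\[([^\]]*)\]", text)]


if __name__ == "__main__":
    data = dump_to_bytes(DUMP)
    print("string number: %d (%04Xh)" % (string_number(data), string_number(data)))
    for p in code_pointers(data):
        print("entry -> %06X" % p)
```

The bracketed-word helper reverses the word order before parsing so that "FABB E700" reads as 0x0000E700FABB only if the words were big-endian; here the words themselves are little-endian and the 32-bit value is assembled by code_pointers, so the two brackets decode to 0x020B and 0xE700FABB-ordered words respectively only as raw marks. Use code_pointers for the real addresses.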
02.10.2003, 13:35   #7
bragos
question:

how did you find out that this is the init of the display?


seg000:F3C292 mov r12, #35FCh ;Display INIT
seg000:F3C296 mov r13, #0F5h ;Display INIT
seg000:F3C29A mov r14, #3694h ;Display INIT
seg000:F3C29E mov r15, #0F5h ;Display INIT
seg000:F3C2A2 calls 0FAh, sub_FA7184
seg000:F3C2A6 calls 0CAh, InitDisplay
02.10.2003, 17:42   #8
Acidmrp
this calls a new menu item. You can't write to the display without doing these frame inits. Of course
this is not the only and not the real init done at startup
03.10.2003, 10:46   #9
bragos
Do you know a simple patching program like vklay that works with the M35?


thanks for the help
03.10.2003, 11:16   #10
Acidmrp
no, sorry. This is really bad