Page 5 of 19, results 81 to 100 of 363
  1. #81  
    Originally posted by atari
    do you have unlock code for your treo?
    Yes

    did you try to find it in ram?
    Not yet, but I'll try just in case...
  2. #82  
    Although Patrick is skiing today, I thought I would post the following lines I found in the DeviceCustomizer.prc. Please bear in mind I'm a total zero in Palm programming; the only thing I know is how to search in a hexadecimal file on SIM and GSM.


    HardReset....ProcessPrep.Processing the ROM updater or Test app.
    Processing the Token Writer: ParamClear.Saving the hwvr and hser.No serial number string on device.
    No hardware version string on the device.Saving the hardware version string.
    Saving the serial number.Processing the Token Writer.Writing the GM flag.
    Doing a full CDMA firmware update.Processing the CDMA Param Writer.
    Doing a CDMA PRL only firmware update.Processing the GSM Firmware Updater.
    FirmwareParam.GSM Param file found. Telling update to process the param file.No GSM param file found.Processing the GSM SIM Locking.Error Code: 0x%Lx.ProcessPrep: Error:

    And later on another set of strings:

    /PALM/DeviceCustomizer.
    /PALM/DeviceCustomizer/Scenarios.
    /PALM/DeviceCustomizer/HSTraceDatabase.pdb.
    /PALM/DeviceCustomizer/DCSavedState.bin.
    /PALM/DeviceCustomizer/SimLock.pdb.
    /PALM/DeviceCustomizer/MiniParam.pdb.
    /PALM/DeviceCustomizer/SA.DATó...

    So I think we're looking for a way to skip or tweak the "Processing the GSM SIM Locking" step, and/or patch the SimLock.pdb before it is restored.


    EDIT: changed the formatting so that the post doesn't go all the way off screen
    Last edited by Mol; 01/08/2004 at 03:50 PM.
  3. #83  
    Also, I noticed that if I create the PALM/DeviceCustomizer directory on my SD and then go into the Advanced Mode of the DeviceCustomizer and enter "savetrace", it does store a file HSTraceDatabase.pdb in this directory.

    Tried the same thing with "savesimlock" but still no simlock.pdb in that folder. Just imagine that this turns out to be a bug that causes the unlocked phones to go back into the locked state...
  4. #84  
    Some dude stated he had unlocked his Orange Treo! Does anyone here know what he's talking about?

    http://discussion.treocentral.com/tc...-t45664/s.html
    Phokhong is a state of mind!
  5. #85  
    Originally posted by euroclie

    Yes, I've used SyncWizard in the past to get ROM dumps, but not with the Treo 600 (tried again right now - program freezes before the transfer even begins. Bad luck...). And I've got 1.9.8 which is supposed to be the latest version, right?
    Actually SyncWizard 1.9.9.0 is the latest version and in fact is the only version compatible with the Treo600. I had similar problems as you did, trying to use 1.9.8, but now with 1.9.9 there is no problem at all.

    By the way in case you are using 'Pilot Install', all versions older than and including 4.5.0.0 do not work with the Treo600 and you need Pilot Install v4.7.0.0 for it to work.
    Last edited by Sanjay; 01/10/2004 at 03:07 AM.
  6. #86  
    Originally posted by atari
    >>WTF??? That's unbelievable! I've been trying to get a straight
    >>answer about the memory size of the Treo 600 ROM chip for
    >>weeks and that's the LAST thing I expected to hear. I had
    >>assumed the chip was 16 MB and the ROM was between 8 -
    >>10 MB

    check:
    http://discussion.treocentral.com/tc...ht=i+open.html

    ......treo flash is k4s56163lc-rg75 samsung

    http://www.samsung.com/Products/Semi...s_k4s56163lc-r(b)g_s_r14.pdf

    I can't find any good reason for such a small flash memory (battery waste only), even phones like Siemens a52, a55, c55, m55 have 8mb and new ones a60, c60, sl55 have 12mb....

    btw phones which were locked then unlocked (unlocked in ram), after firmware upgrade go back to locked (they are locked in rom).
    Apparently in the script file there is no command for checking if the phone is locked or not, or the command in DeviceCustomizer.prc is not working (SimLockSaveDBToSD)
    I don't believe that Samsung chip is 4 MB. Are you sure that's the chip you saw in your Treo 600?
  7. #87  
    Originally posted by atari
    >>To say the least, it will make it almost impossible to "play" with
    >>the PalmOS ROM. Now my hope is that the simlock status isn't
    >>in the compressed part...

    do you have unlock code for your treo? did you try to find it in ram? If it is hard encrypted we can use script for devicecustomizer patching only.....

    As posted above, "The fact that a legitimate unlock code survives hard resets suggests there is a simple backdoor to this update and that it leads either to protected RAM or to Handspring's Shrunken Head Of A ROM Chip ("SHOARC")."

    (i.e. entering the unlock code must write it to protected RAM, ROM, or another site/chip separate from the regular user-accessible RAM. The fact that flashing with the new firmware upgrade removes the "unlocked" status suggests the code resides in protected RAM and will therefore be hidden until someone comes up with a way to read those 8 MB of the phone's RAM. )
  8. #88  
    Originally posted by The Chupacabra
    (i.e. entering the unlock code must write it to protected RAM, ROM, or another site/chip separate from the regular user-accessible RAM. The fact that flashing with the new firmware upgrade removes the "unlocked" status suggests the code resides in protected RAM and will therefore be hidden until someone comes up with a way to read those 8 MB of the phone's RAM. )
    I agree with you. One interesting question is: does the protected RAM survive a hard reset? Since the content of the protected RAM is (normally) untouched because this is just an uncompressed ROM mirror, it is possible that this part of memory could survive a hard reset, and in this case the simlock status could indeed be located there.

    On the other hand, re-creating that uncompressed ROM mirror image is probably relatively fast to achieve, so maybe it gets erased too during the hard resets, and then re-created, and in this case this would mean that the simlock status is located somewhere else (FlashROM? EEPROM?) in order to survive the hard reset.

    One way to solve this question might be to completely empty the Treo battery and see if the simlock status survives the hard reset that will follow. If all the RAM content is lost due to physical lack of electricity, then I think we may safely assume that the protected part of RAM will disappear as well.

    I'm not going to perform that test yet on my device, first because emptying completely the battery isn't good for its health, and then I do need my Treo as phone and PDA throughout the day, but if anyone feels brave enough to try that on an unlocked Treo, I'd be curious to know the result!

    All in all, IMHO, we won't be able to solve this without some sort of reverse engineering (i.e. disassembling the appropriate PalmOS code to find at least the affected memory offsets)...
  9. #89  
    >>I'm not going to perform that test yet on my device, first
    >>because emptying completely the battery isn't good for its
    >>health, and then I do need my Treo as phone and PDA
    >>throughout the day, but if anyone feels brave enough to try
    >>that on an unlocked Treo, I'd be curious to know the result!

    I open my treo and remove battery, still locked.....
  10. #90  
    >>I don't believe that Samsung chip is 4 MB. Are you sure that's
    >>the chip you saw in your Treo 600?

    Yep, but it is ram not flash, my mistake, flash is in a chip called Batman
  11. #91  
    Originally posted by atari
    I open my treo and remove battery, still locked.....
    What do you mean exactly? Was your Treo 600 unlocked before removing the battery? If it was already locked (factory status), then it should indeed remain (or become again if manually unlocked by entering the unlock code) locked after removing the battery.*

    On the other hand, if your device is a generic GSM or factory-unlocked (Cingular) version, then it's surprising that it should become locked by removing the battery...

    Anyway, thanks for trying!
  12. #92  
    Originally posted by euroclie


    I agree with you. One interesting question is: does the protected RAM survive a hard reset? Since the content of the protected RAM is (normally) untouched because this is just an uncompressed ROM mirror, it is possible that this part of memory could survive a hard reset, and in this case the simlock status could indeed be located there.

    On the other hand, re-creating that uncompressed ROM mirror image is probably relatively fast to achieve, so maybe it gets erased too during the hard resets, and then re-created, and in this case this would mean that the simlock status is located somewhere else (FlashROM? EEPROM?) in order to survive the hard reset.

    One way to solve this question might be to completely empty the Treo battery and see if the simlock status survives the hard reset that will follow. If all the RAM content is lost due to physical lack of electricity, then I think we may safely assume that the protected part of RAM will disappear as well.

    I'm not going to perform that test yet on my device, first because emptying completely the battery isn't good for its health, and then I do need my Treo as phone and PDA throughout the day, but if anyone feels brave enough to try that on an unlocked Treo, I'd be curious to know the result!

    All in all, IMHO, we won't be able to solve this without some sort of reverse engineering (i.e. disassembling the appropriate PalmOS code to find at least the affected memory offsets)...
    Brayder's explanation to you would suggest that the PhoneOS-containing part of protected RAM is merely the expanded/decompressed version of ROM. If changes in that part of RAM are automatically backed up in the compressed ROM, it's somewhat academic where the unlock code/flag is written to - it would be reflected/mirrored in both sites. (This may be analogous to - but a lot more complicated than - the CLIE UX-50 automatically backing up data to Flash memory.) It wouldn't matter if the protected RAM was erased in a hard reset or battery drain scenario, since it would then be reconstituted from the non-volatile ROM.

    I would expect that protected RAM gets erased in hard resets, even though Handspring's claimed use of protected RAM (to hold the expanded PhoneOS) is unconventional - to say the least. I believe most other PalmOS devices use protected RAM for dynamic heap. Hard resets should free up all of the chunks in the heaps in RAM. While the PhoneOS existing in protected RAM isn't exactly a typical chunk, I would expect it is also governed by the same rules. Of course, this is pure speculation on my part and my understanding of the details of PalmOS memory management may be totally wrong. Somewhere a PalmOS engineer is probably cringing at my feeble attempts to explain this.

    As previously posted, I'm baffled as to why Handspring would have chosen such a complicated solution when they could have simply picked a bigger ROM chip. Unless this setup was designed primarily to restrict access to the ROM.
  13. #93  
    >>What do you mean exactly? Was your Treo 600 unlocked
    >>before removing the battery? If it was already locked (factory
    >>status), then it should indeed remain (or become again if
    >>manually unlocked by entering the unlock code) locked after
    >>removing the battery.*

    It was locked before removing battery and it is still locked.
    I try reset radio too.....
    Last edited by atari; 01/09/2004 at 04:51 AM.
  14. #94  
    Originally posted by The Chupacabra



    WTF??? That's unbelievable! I've been trying to get a straight answer about the memory size of the Treo 600 ROM chip for weeks and that's the LAST thing I expected to hear. I had assumed the chip was 16 MB and the ROM was between 8 - 10 MB (depending on localization). I had also assumed the 8 MB missing from RAM was reserved for dynamic heap. This makes no sense - what Brayder claims Handspring is doing with ROM compression/decompression sounds like a Rube Goldberg solution to a problem that doesn't exist. Something sounds fishy here. And would that mean there is no dynamic heap in the Treo 600? (Unless the compressed ROM is, say 3 MB -> decompresses to 6 MB -> and somehow Handspring releases the remaining "OS-reserved" 2 MB of RAM to programs as dynamic heap.) Did Brayder confirm something like the latter scenario, or did they just give you the vague explanation you quoted above? Why would Handspring do the Rube Goldberg solution when they could have just spent an extra $2 and sourced a ROM chip with more memory? Are they that geeky or are they really such cheap b@stards that they went the comp/decomp route? Or did they really do it to satisfy the demands of the carriers that Handspring prevent ROM hacking?

    Handspring's coders did a hell of a job hacking the ancient PalmOS into PhoneOS. And it appears they had even more clever tricks up their sleeves. Nice try, P.R., but I now REALLY doubt Handspring would have been dumb enough to expose the simlock to a software-only hack. If it's software-crackable, it will probably require insider info to achieve. (A new ROM Transfer Utility capable of doing a "pure" transfer of a non-decompressed ROM; the standalone version of the Handspring ROM Expander; the address of the "unlocked" flag.) More deviously, design a software solution to expose/read/write to the 8 MB of protected RAM -> change appropriate line to "Unlocked". The fact that a legitimate unlock code survives hard resets suggests there is a simple backdoor to this update and that it leads either to protected RAM or to Handspring's Shrunken Head Of A ROM Chip ("SHOARC").

    Can you get some more details from Monsieur B.? Merci bien.

    P.R. - Have you had a chance to speak with either Brayder or Kit (from HandEra) recently? If you do, please try to get some more details about the above.

    HandEra has been hacking the hell out of the PalmOS for the past five or six years and will be able to explain everything - if they want to. Tell Kit it's for "educational" purposes and let him know about your app. It's too bad Palm squeezed HandEra out of the market - they were always years ahead of their time. Had Palm just contracted out to HandEra's engineering services and concentrated on marketing and industrial design, Palm would be a lot better off than they are now...

    Brayder's explanation of how Handspring may have effectively hobbled the PhoneOS is a shocker and it would be great to hear more from them about it.
  15. #95  
    Originally posted by atari
    >>What do you mean exactly? Was your Treo 600 unlocked
    >>before removing the battery? If it was already locked (factory
    >>status), then it should indeed remain (or become again if
    >>manually unlocked by entering the unlock code) locked after
    >>removing the battery.*

    It was locked before removing battery and it is still locked.
    I try reset radio too.....
    He was just asking people with phones that were initially locked and then later manually unlocked to test if a no-battery reset would lock the phone again. Testing a phone that is now locked won't prove anything - nothing you do other than entering in an unlock code will unlock it.

    But I wouldn't be surprised to see there's soon a way to hack the firmware updater to reset the simlock status to UNLOCKED.
  16. #96  
    Made some additional tests to see what's written to the SD. I installed Dacovery and first checked that it indeed recovers deleted files from the SD (btw, very useful utility if you ever need to recover files).

    Then formatted the SD, put the 2.09 Siam on it, and flashed the firmware again. When I ran Dacovery afterwards, it didn't find any deleted files.

    I'm starting to think that the firmware upgrade doesn't write anything to the SD.
  17. #97  
    Originally posted by The Chupacabra
    Brayder's explanation to you would suggest that the PhoneOS-containing part of protected RAM is merely the expanded/decompressed version of ROM.
    What exactly do you call the PhoneOS? As far as I could tell, there's just the usual PalmOS with some additional or revamped applications (phone, various GSM/GPRS related libraries, etc...), and also a firmware for the radio part. Is it the firmware you call the PhoneOS?

    If changes in that part of RAM are automatically backed up in the compressed ROM, it's somewhat academic where the unlock code/flag is written to - it would be reflected/mirrored in both sites.
    I would be extremely surprised if this is the case (i.e. if the RAM version of the ROM is backed up to the (Flash)ROM). It is not supposed to be modified normally, so implementing compression functions would probably be useless. I've only seen decompression stuff in the updater ROM image (at least in its uncompressed part).

    Unless this setup was designed primarily to restrict access to the ROM.
    I guess you're getting closer to the truth... <knock, knock> Do I hear the men in black knocking at your door?
  18. #98  
    Originally posted by The Chupacabra
    P.R. - Have you had a chance to speak with either Brayder or Kit (from HandEra) recently? If you do, please try to get some more details about the above.
    Brad from Brayder gave me the information I quoted initially. But I'm afraid he hasn't got much to say about the Treo 600, since when given that information they decided not to support this device with their FlashROM-related products...
  19. #99  
    Originally posted by Mol
    I'm starting to think that the firmware upgrade doesn't write anything to the SD.
    The funny thing is that if you try to save the trace on the SD and you're missing the appropriate directory, the command fails with an error message, whereas if you try to save the simlock status, the command reports success but nothing seems written!

    Does anyone know if there are some SD cards with a built-in LED like some Lexar MemorySticks? That would let us know if an application is accessing the SD card... My Sony units had such a built-in LED to signal card access, but not the Treo 600...
  20. #100  
    Originally posted by Sanjay

    Actually SyncWizard 1.9.9.0 is the latest version and in fact is the only version compatible with the Treo600. I had similar problems as you did, trying to use 1.9.8, but now with 1.9.9 there is no problem at all.

    By the way, in case even Pilot Install 4.5 does not work with the Treo600, you need Pilot Install v4.7.0.0 for it to work.
    Not an easy find, but the 1.9.9.0 version can be obtained from this German site:

    SyncWizard 1.9.9.0