    Have sort of been following this thread then caught your thread on mytreo

    I come to the 700P from the 600 and did not get to play with the ROM updating on the 650

    Since it does look like Palm will ignore us Telus users in getting a patch, am hoping you might be willing to provide a 'newbie' step by step, hopefully minimizing the chances of my 'bricking' my 700

    Am fairly skilled in computer stuff - just have no experience in playing at the system level with Treos

    Whatever help you can provide would be most appreciated. At this point all that I have done is grabbed your rar of the 700p-ventura-ROM file


    For advanced users only: The complete howto to flash "All other 700p carriers" with Sprint v1.10 MR update/CDMA 187 Firmware update. Getting your MSL without calling Cellular provider.
    By Kocoman
    Version 1.0 (June 7 2007)

    I have done the update successfully on my phone. Except the EVDO settings. Please see the troubleshooting section to see problems you might/would encounter and how to fix it. If anyone has success, please post here. If failure, please post here and I will try to help you diagnose to the best of my ability.
    This is my first flash for a non Sprint 700p (Telus).. So my experience with other carriers is limited. Also I do not have any Sprint/etc ROMs, other people will have to make backup and share it. I only have ROM v1.40 for Telus and the Sprint v1.10 ROM from the palm updater. There should be a Verizon old version somewhere in this world but I have not found it. (Reference: user "drewdown") at
    This howto is written AS IS AND NOT OFFICIALLY SUPPORTED BY PALM. If you break your $600/3 year contract Treo 700p, or some functions not working after, I will not pay for your loss. You have been warned. Do not do it and wait for Palm's "No update needed for Alltel/Telus/Bell/Cingular South" to release the MR for your carrier.

    THERE IS CURRENTLY NO TESTED METHOD OF DOWNGRADING/REVERT ROM OR CDMA FIRMWARE. UPGRADING 700P CARRIER BRANDS OTHER THAN SPRINT WILL VOID YOUR WARRANTY. This is especially true for Bell/Telus because the phone is still under warranty. (released in Jan 2007)




    Ok. I will write the howto here and post in howardforums/wiki/TC/shadowmite etc. If any files link doesn't work you can try email me and see if I can upload it again.

    My English is not good, there is a lot of run on sentences. Maybe someone can fix it for me someday.

    This is an incomplete howto because I first did the CDMA upgrade (oops --- can't make backup of CDMA firmware. Will explain below)

    I don't know what picture to take to prove that I did the update. Please email me some suggestions.

    For details on how I converted the PDB (for the flashing rom step) of the SD patch from Sprint please email me.

    1) Your device still under warranty/$25 DATA plan contract for one year... so you have to make backup in case you need to revert back.../if you brick device you might be able to send to warranty if its less than 1 yr (Free) Don't tell them you update the phone because its not official, over 1 yr need to pay $125 (For Telus), or send to me to repair via bootloader maybe.

    With Telus phones, you will only get 1X, I am not able to connect EVDO (Keep getting: PPP Timeout) I have to manually edit the NVRAM to fix this. You will not be able to use Vbuzzer callback feature without EVDO, since all calls go to voicemail while the connection is Connected and Active (Green arrow on signal bar), as opposed to Connected and Inactive (gray arrow on signal bar)
    In the meantime, if you don't mind missing calls, you can use force 1X: go to ##EVDO, and select the (Force 1X). Sometimes the setting is lost after the reboot.?

    DO NOT USE THIS UPDATE IF YOU ARE ON 3 MONTHS FREE DATA OR NEED VBUZZER callback function. I will post a solution to fix the EVDO Login problem later. It's likely a WinHex Hack.

    Anyways this procedure is for power user, so its not for newbies. If you don't understand the steps/feel something is missing. please email me beforehand.
    The procedure is similar to 650 and 680. If you had some experience there that is great. There are NO pictures attached at this time. So study and make notes before attempting. Do NOT SKIP STEPS!!! Without backup its impossible to restore some things. Proofread my COMPLETE howto first!! do not get caught by some surprise because you didn't read the next part.

    If you don't use bluetooth and do not feel you need the update, then don't apply it!! This is a MR (Maintenance Release) and does not really add anything new. It's only used as a last resort/you feel the 700P is POS already and don't care what happens to it and it's not your Primary phone. If necessary, switch ESNs before trying the update to avoid disruption in service, and revert back ESN after if it's working. This is experimental, I have a TROUBLESHOOTING section at the end about the problems I had. Maybe it will help you

    Backup your RAM stuff on Palm. A hard reset will be done after the update. Also the Español/Spanish is GONE after the flash, there is English ONLY.

    Your Version, CC-CAP, Carrier DB version will not change. I don't know how to change these numbers at this time (Phone App, Options, Phone Info). But going to "App, Info, Version" at home screen will show all update to 3.1.2 and you get "Quick Tour with Sprint device picture", "Downloads", "GetGood", "On Demand", "software", "Sprint TV". (new icons) Once I find a safe method of flashing we can start removing/adding files to ROM with the ROMTool by Grack. (don't use the bootloader features with the Grack tool because it does not work with 700p)

    2) BACKUP NVRAM/GET MSL/SPL (write it down)


    Copy down your SID. (you might need it later for the Roaming issue)
    With phone on. Go to Phone App, the options, then phone info, the second page you will see the SID. Copy it.

    Download the CDMAUpdater for 700p PalmOS here.

    (Since Palm pulled the update, you have to download my version I think) Its from the SD Updater one.

    The CDMA radio is different than the Flash ROM. Please see if you need to update it? As I already updated mine accidentally (without an option to backup).

    To see radio version, run the "#*#RADIO#", or ##RADIO# (72346) at the Phone App.

    YOU MUST BACKUP YOUR NVRAM, DO NOT SKIP THIS STEP. I will not send you my NVRAM if you forget yours because my ESN is attached to the NVRAM, if you flash my NVRAM onto yours then I will have problem with my phone. (cloned my phone) Till I get a way to edit the ESN in NVRAM file, I can't help you. (I try the Bitpim method but I think it's "disabled" by a setting/byte somewhere in the NVRAM file. If someone can send me a NVRAM from a 700p phone that can use Bitpim/Passthrough/AT$QCDMG, it will help a lot)

    Sprint: 108

    Verizon: 105

    Telus/Bell: 140

    Alltel: ?

    Cellular South: ?

    755p: 169

    CDMAUpdater: 187
    What's new in the 187 I have no idea!!

    ATI0-6 will not show the radio version. It always gives the same dummy output regardless of what radio firmware is installed.

    Extract the RAR and Copy the "CDMA Updater" Application into RAM (via McFile/Filez etc)

    Do not do this if you are expecting someone calling you, because the calls will not go through while updating etc. The phone radio will be OFF after, turn it back on to receive calls.

    Run the app, it will WHITESCREEN for a bit.....loads., then there is a Pull Down menu, select "Options", "Debug"
    Uncheck ALL things, then check "Backup NV" then press OK
    Then Press the "Update Now" button. It will ask you to flash but doesn't actually flash.
    Exit the App.
    It will create a "CDMA NV BACKUP.pdb". Copy the file into SD Card, with Filez/McFile etc, then copy to HD, put it in a SAFE PLACE!!! This file should contain your ESN/MSL/SPC/Data settings/MSID etc.

    Homework 1: Load Winhex/Aptedit, then go to Offset "0000F370" (for Telus.. but should be in the same location). That 6 digit # is MSL. Copy it down on paper, then a bit below it at 0000F470 is the SPC, copy down also. DO NOT DELETE THE FILE!!! keep it somewhere safe, you will need it in case the NVRAM becomes corrupted for some reason.

    What is MSL, SPC?
    MSL code is Master Subsidy Lock, its used to change DATA/Provision etc. To test it, enter ##DATA# (or #*#DATA# for Telus), press the LOCKED RED icon/MODIFY button. It will ask for MSL. Put it in. If the lock becomes GREEN, Unlock then the MSL is good. The SPC code should not work here. MSL will always work. This is the most important number. (You can change it to 000000 later if you want)

    SPC is "ONE TIME USE" code. ie: for "##SPC" or "#*#SPC" in the phone app will bring you to the Provision screen. But after you exit... and type the same SPC code.. Won't work anymore (you have to do a RESET in the ##RTN Pulldown menu to get it working again, but this will HARD RESET your PALM.. SO BACKUP YOUR DATA!!!!!). The SPL should not work with ##DATA/##RTN etc.

    If you cannot find and test successfully the MSL, do NOT continue till you get it!!

    There is NO WAY to backup CDMA firmware as of this time. So unless something doesn't work its not necessary I think to update the Radio/CDMA firmware. I will put the how to update CDMA firmware in the troubleshooting section.


    * Copy down data settings. In Phone App, type ##DATA (#*#DATA# for Telus),
    Type the MSL to unlock the RED lock.

    Copy down to a piece of paper AND KEEP IN SAFE PLACE, photocopy/scan a copy for backup: (press down on the item if you can't see it completely)

    a) User Name -- Phone #@something
    b) Password -- Decimal of your ESN, it should be the same (maybe a extra 0) as the bottom of the phone battery. Copy what you see on the phone...
    c) HA Password -- Long digits... beware -- double check
    d) Primary HA
    e) Secondary HA
    (next page)
    f) IP Address (Auto/Manual)
    g) Tunneling
    h) MN-HA SPI
    i) MN-AAA SPI

    Each provider is different. This info is so rare even technical support will tell you to send back the phone rather than tell you the settings!!


    Layout of Flash: (Approx)

    1) IPL 4kb (Has different revisions, see below)
    2) SPL 256kb
    3) BL(TPL) 256kb
    4) Sprint ROM 13mb zipped (why) to 29mb uncompressed
    5) CC-Cap (Your Carrier's wallpaper, other(?) XML settings, Phone ON/OFF JPGs)


    1) IPL, has I think 4 different versions, as seen in the update in

    a) ventura-ipl-dvt.pdb (I convert/strip this from PDB to BINARY -- DO NOT JUST RENAME THE FILE, YOU NEED T3.JAR)

    b) ventura-ipl-evt2.pdb

    c) ventura-ipl-evt5.pdb

    d) ventura-ipl-evt5a.pdb

    There are also md5 files, but I don't think they are verified by the ROMTool for PalmOS. ? ?

    2) SPL - Stores tokens ???

    3) Bootloader - Telus original is v0.14 dated 2006-4-4
    New Sprint bootloader is v0.18 dated 2006-10-13
    Whats new between them I don't know yet.
    We will use the new v0.18 bootloader for our update

    4) The ROM - I used ROMTool by Grack to convert the PDB into ONE zip file. Do NOT use the T3.JAR because it only converts/combines a-d rom pdb (8mb) instead of the complete rom (a-g, 12mb). Run a WinZip/Winrar test to make sure the large "Ventura-Release-SPCS-Dev-enUS.rom" file is OK.

    5) The CC-CAP does not seem to get flashed by the ROM Updater, hence your Phone LOGO, Blazer Homepage, Phone ON sound, Phone Wallpaper is not changed. You have to extract it from a "r2sd" at Offset (for Telus) 3880800, "PK" (zipped header) see below.

    In phone App, Options, Phone info, The "Software", "CC-Cap", "Carrier DB", "Hardware", "HS SN" (Serial number for Hotsync---for Application register) still shows while the phone radio is OFF, hence suggest the CC-CAP is stored in ROM and not NV RAM

    700WX and 700P dump. For those people interested:

    Approx location of 1-5 on the r2sd TelusROMDump.

    (Winhex offset in HEX)

    0) 00000000-00000800

    HTC$NAPA-555 and 00's

    When you run the bootloader (hold hotsync button while press reset button) or
    ##UPST (for US phones), #*#UPST (for Canadian phones) in the phone app. Take out the battery and put back in to normal reset.

    With SD Card inserted, it will ask "Update ROM Image"

    This is where the HTC$NAPA-555 comes in, according to shadowmite, you can run a diagnostic mode if you change the 555 to another number then run "Update ROM Image" (UNTESTED BY ME, DO NOT TRY AT THIS TIME)

    1) 00000800-00000EA0 --- IPL (4 kinds possible), must have "VENT" (Hardware code name for 700p "Ventura") inside

    2) 00080800 to Approx 25% at 0008ABE0 -- SPL - zlib uncompress code (to decompress what??), romtokens? Only about 25% of 256k is used, the rest is 00's

    3) 00100800 to Approx 80% 0013C390 - BL (TPL) This is the Red Green Blue / RGB screen you see and version number. you can connect a USB hotsync cable and access the bootloader. You need to install the Bootloader driver (downloaded with Grack's romtool.. Its for 650 but 700p works too) and MTTY 1.42 (from xda-developers). This can be used to reset your CDMA NV If your phone doesn't boot properly. You can use serial cable too.

    4) 00200800 - (depend on ROM size) -- The Palmcard - ROM Store. UnZipped version. I think you can add/remove files from it with Grack's ROMTool. To do this (UNTESTED), extract the 00200800 to the END of ROM into new file, rename the file to "Ventura-Release-SPCS-Dev-enUS.rom", ZIP it, then open with Grack's tool???

    5) 3880800- (388c240 For Telus -- depend on carrier) ZIP version of CC-CAP. You can unzip it the same way, as in #4 above. But you can't make changes to it yet. Looking for a flasher for the CC-CAP. I think the Cellular carriers will have the flasher to customize the device.

    6) Blank FF or 00 after the CC-Cap -- Useless

    Partition scheme of ROM Updater for PalmOS:
    There is some discussion for the 650 about the different Partition size (max ROM free and RAM free) Feel free to add anything you know. All I know is it depends on the ROMUpdater used, and is not adjustable. So maybe downgrade is not possible even with a r2sd backup??

    What is r2sd?
    Its a command run in the bootloader. Its used to backup the 0-6 items to SD card.
    Put in a 256mb (or 128 work too? I don't know) regular SD card (not micro, mini etc, because the adapter might corrupt the data easily). ALL DATA WILL BE ERASED!! So use an empty one/freshly formatted, etc. Charge up the Palm. Put the card in then run the r2sd. It will have 2 progress bars. Sometimes it will be successful, sometimes not. I don't know why. Anyways take your time. After you have done one copy, use the "Tools, open disk" in the Winhex, then copy all things inside into a new file. DO NOT LET WINDOWS FORMAT THE SD CARD. Or with Linux or Mac I think the "dd if=/dev/SDCARD of=fileout bs=1M" (There are no partitions on the SD card anymore, only RAW mode access)

    Do another one just in case the first one is corrupted. Maybe compare them too with a hex comparison program. (maybe they have same md5 too I don't know)

    Homework 2: Figure out your IPL version. Need "version DVT"

    Download the ROM Updater for 700p v1.2.3 for PalmOS

    Extract the RAR then Copy the "ROM Updater" Application into RAM (via McFile/Filez etc)
    Run the ROM updater:

    Check on the middle to see if it says:

    "HW Rev: dvt"

    (I think Hardware: A is the same as Hardware version DVT??)

    If you see something else like :

    "HW Rev: evt2"
    "HW Rev: evt5"
    "HW Rev: evt5a"

    DO NOT CONTINUE TO FLASH, YOU WILL BRICK YOUR PHONE. you need a different IPL file. email me for it. Do not use the PDB one from the Sprint update, you have to STRIP the PALM PDB header with T3.jar

    The ROM Updater should show something like this (For my Sprint MR'ed ROM)
    Welcome to the Device Updater...
    ROM Build: 44
    Built: Feb 08 2007 09:41:18

    SD Card VolRefNum: 0x0002 (card inserted) OR 0xFFFF (no card inserted)
    Board ID : VENT
    "HW Rev: dvt"


    An alternative method to install (NOT TESTED BY ME) is to install from RAM via PDB (card ejected). But I will post this method later someday.

    Lets backup your ROM:

    See the r2sd part above... (you didn't skip that did you)?

    The best is to backup everything with the r2sd. While the "Rom Transfer Extension.prc" also backup the ROM, it will only backup #4....

    Download (DVT VERSION) Ask me to make another version if you have EVTxx

    Extract the files, then put it in the /ROM directory (Make the "ROM" name yourself)

    Put the SD card in, maybe turn off phone, plug into charger.

    Run Rom Updater, then type "list"
    It should show you the extracted files

    Then type "ventura" with SD card inserted.

    It will say like: (I forgot the exact output, this is from memory)
    Validating... /ROM/ventura-IPL-dvt..... OK!
    Validating... /ROM/ventura-SPL... OK!
    Validating... /ROM/ventura--BL... OK!

    Validating... /ROM/ (wait for a while)........................... OK!
    Then it scrolls off............

    from file: 36... (more hex numbers - I could not copy in time)

    From Flash: fe.. (more hex numbers - I could not copy in time)


    token: HRST

    DeleteToken Success!

    token: Nohr

    DeleteToken Success!

    The device will automatically reboot after flashing rom

    flasing section...

    THE DEVICE WILL FREEZE! (even if you plug in the charger, etc it doesn't charge)
    All you can do is wait, don't move the device/battery cover etc. I took a shower. (I did not time it) Then after I showered..

    .. It show the "Date and Time Screen"

    SUCCESS (for me anyways)

    You will most likely need to see the troubleshooting section below:

    1) You might need to restore NV or reprogram your phone. (use ##MSL)
    2) Your PRL needs to be updated. (*22803 for Telus, other US/Bell I don't know the code)
    3) Can't update PRL when Roaming
    4) Re-hotsync old stuff back if everything works fine (UNTESTED)



    If the phone doesn't work properly (This is something new, as I accidentally flashed CDMA Firmware first, then ROM Firmware).

    a) Load the "CDMA Updater" app. Make sure the battery charger is plugged in/charged.

    THERE IS NO METHOD TO BACKUP THE CDMA FIRMWARE. I do not know whats new in the 187 version. Flashing it may enable some security things (such as disable downgrading firmware) in the new CDMA firmware, I don't know.

    If you are the second person who uses this method, please tell me the result. (Since I am the first... I am not going to reflash anything/more testing at this time.)

    b) Select "debug", then uncheck all.
    Then check "Update FW"

    What is "Enable Debug", "switch carriers" ? ? I enable them and they don't seem to make a difference.

    Then push the big button.. then OK..


    1) Stuck/FREEZE at CARRIER LOGO (ie: Telus Logo) even after hard reset/When phone turns on automatically at startup.

    This happens if you (or for me anyway) updated the CDMA Firmware FIRST. To fix it, you need your NV Backup. Boot into bootloader with USB Hotsync cable (read somewhere above on MTTY). Then run

    "cdmar bl usb"
    press some enter...

    It will say like (from what I remember):
    * *
    * *
    Intel Flash detected....

    Erasing NV......
    your phone should boot, then see #2 below

    2) Phone Boots but stuck at "Network Search". I think this is similar to #1
    Flash the MR now, or maybe the CDMA Firmware Upgrade... (see above). Then Restore the NV.

    With Filez/McFile, copy your "CDMA NV BACKUP.PDB" file into RAM from SD CARD.

    In the CDMA Firmware App, unselect all, then select "NV Restore"
    Reboot phone or reboot Palm.

    3) Stuck at Roaming/Can't do PRL update.
    In phone app type ##DATA (no #*# anymore since you flashed with Sprint ROM)
    Pull down the menu, select ADVANCED.

    In the "Home SID" (for Telus), change the 16422 to 17500. (I don't know the USA ones, but you can check (unlock the lock with the MSL) This worked for me, then do a PRL update with *22803. Even though the number changes back to 16422 after a "##DATA, Restore" I don't get roaming anymore.

    The MNC/MCC is for GSM I think. I don't know why its in the 700p

    4) Phone resets when getting CDMAUpdaterApp?
    Make sure you are not using a 650 one. Maybe do a hard reset?? (backup of course)

    5) Lost data settings or data settings won't save. Slow to initialize data connection. Stuck at 1X, EVDO Connections say "PPP Timeout" had to force 1X with "##EVDO"

    Still investigating... Note at 1X all your calls will go to voicemail when your 1X connection is active!! Do not go online if you are expecting a call.

    Things still to do...

    1) Disable the Network Data settings lock permanently via NVRAM patch
    2) Enable Bitpim for Bitpim disabled phones via NVRAM patch
    3) Fix EVDO Settings for Telus
    4) Explain how to convert the PDB of the IPL/SPL/BL/ROM into BINARY via the T3.JAR by shadowmite.
    5) Backup the CDMA Firmware
    6) Wait for guys to make a quad-boot loader to run 700pMR, 755p ROM, Linux ROM and WM6 ROM.
    7) Flash the CC-CAP part
    8) Update Romtool by Grack to support 700p for "safe flash"
    9) Take out/put in ROM stuff like in the 650, Languages, more RAM space etc
    10) Edit Tokens, version strings.

    GFunks SD MR link (Palm Pulled the release shortly). I also still have it.

    How to find me? I am at the usual Treo places...

    The problem with the EVDO I think is from the Shared Secrets (AAA/HA) stuff being lost. Maybe it's related to the akey. I am not sure. I want to try disabling MobileIP and see if it will help.
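Added example, not part of the original posts: the howto's advice to take two r2sd dumps and compare them, written as a Python check that hashes both images, maps any differing bytes to the flash regions listed in the howto (Telus offsets), and looks for the HTC$NAPA-555 and VENT markers. The function names and the small constructed image are assumptions made for illustration; SHA-256 is used here where the post mentions md5.

```python
import hashlib
import os
import tempfile

# Region start offsets (hex) as listed in the howto for the Telus r2sd dump.
REGIONS = [
    (0x00000000, "header"),
    (0x00000800, "IPL"),
    (0x00080800, "SPL"),
    (0x00100800, "BL (TPL)"),
    (0x00200800, "ROM store"),
    (0x03880800, "CC-CAP"),
]


def region_of(offset):
    """Name of the last listed region that starts at or before offset."""
    name = REGIONS[0][1]
    for start, label in REGIONS:
        if offset >= start:
            name = label
    return name


def compare_dumps(path_a, path_b, chunk=1 << 16):
    """Hash both images and attribute every differing byte to a region."""
    hash_a, hash_b = hashlib.sha256(), hashlib.sha256()
    diffs = {}  # region name -> [first differing offset, differing byte count]
    base = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            hash_a.update(a)
            hash_b.update(b)
            if a != b:
                # A length mismatch counts as differences past the short end.
                for i in range(max(len(a), len(b))):
                    if a[i:i + 1] != b[i:i + 1]:
                        entry = diffs.setdefault(region_of(base + i), [base + i, 0])
                        entry[1] += 1
            base += max(len(a), len(b))
    return {"same": hash_a.digest() == hash_b.digest(),
            "sha256": (hash_a.hexdigest(), hash_b.hexdigest()),
            "diffs": diffs}


def check_markers(path):
    """Look for the two markers the howto says the dump carries."""
    with open(path, "rb") as f:
        header = f.read(0x800)          # 00000000-00000800
        ipl = f.read(0xEA0 - 0x800)     # 00000800-00000EA0
    return {"header_tag": b"HTC$NAPA-555" in header, "ipl_vent": b"VENT" in ipl}


def write_constructed_dump(path, flip_at=None):
    """Write a small CONSTRUCTED image (not a real dump) for the demo."""
    img = bytearray(0x200900)           # truncated just past the ROM store start
    img[0:12] = b"HTC$NAPA-555"
    img[0x810:0x814] = b"VENT"
    if flip_at is not None:
        img[flip_at] ^= 0xFF            # simulate one corrupted byte
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    first, second = os.path.join(tmp, "dump1.img"), os.path.join(tmp, "dump2.img")
    write_constructed_dump(first)
    write_constructed_dump(second, flip_at=0x100810)
    print(check_markers(first))
    result = compare_dumps(first, second)
    print("identical:", result["same"])
    for name, (offset, count) in result["diffs"].items():
        print(f"{name}: {count} byte(s) differ, first at 0x{offset:08X}")
```

A mismatch confined to one region tells you which part of the backup to distrust before relying on it for a restore; a failed marker check means the image was not read from the card as raw data.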
  5.    #5  
    To reset a PRL so your device doesn't roam on any other network, you have to do nverase in the CDMA Bootrom. The resulting PRL will be 65535. And when you Restore back your NV Backup, and change the "Home SID". It will get rid of roaming and you ALWAYS STAY on your network or it will go NO SERVICE Etc instead.

    Sometimes you will miss a lot of calls (not ringing at all) because of roaming. So I think if you never leave the country, it's best to have a 65535 PRL (blank) and never do an OTASP PRL Update. *22803. I don't think restoring a NV Backup will restore the PRL. The PRL version in the SPRINT MR is (If you check "update PRL") 2xxxx. For Canadians don't update the Sprint MR PRL it will screw up the PRL and cause you to always roam, even if you set Home SID correctly.

    Sometimes if you can't update the PRL while roaming. Try making a few short (1 second) 611 calls, and sometimes after disconnect it will catch back to your home network temporarily. When that happens do a *22803 to update the PRL

    As to the PRI. Its something related to the CC-CAP/EVDO Settings, the CRC is changed when you

    1) Flash back a NV Restore
    2) do a Restore in the DATA menu.

    A ##RTN reset doesn't change the PRI CRC

    Also the NV Backup does not seem to contain your ESN, AAA/HA shared secrets and AKEY (Prevents cloning) Maybe they can be extracted with BREW but I have not been able to enable it.
    I found the Sprint SPL at offset F674.
  7.    #7  
    It seems the NV Backup can range from 70-100k. But the PRL file is not inside I think.

    How to backup the PRL?
  8. #8  
    I haven't tried to figure out how to get it to back up so I can get my MSL on my 755p. I've got the 755p 1.07 sprint updater. Has anyone done the hexedit trick on a 755?
  9. #9  
    Okay so I am new to the Flashing process, Kocoman, if you are still out there can you guide me through the flash rom process of this phone? I want to clone a 755p using an esn from my w385. to get this going I need some help, shadowmite is down and I am trying to understand this clearly. Anyone around that can handle this with me?

