tips+tricks
- how to get rid of all the strange echoing
- set 0 0
- how to enter bootloader mode
- hold powerbutton + navigator button, and reset.
- how to cold boot
- hold powerbutton, and reset
- how to talk to gsm from bootloader
- type 'rtask 7'
- how to talk to the VSP to the gsm ( the multiplex protocol )
- type 'rtask 8'
now you have to type 'ctrl-v' AT 'ctrl-m' 'ctrl-b'
to send 'AT\r' to the gsm.
- how to save the rom from the bootloader
- type 'd2s'
- enable all kinds of interesting debug logs:
- in regpath "HKLM\SOFTWARE\HTC\ATDbgLog", set key Enable=1
this will write atcmds to be logged in \Storage\AtDbg*.log
- in regpath "HKLM\SOFTWARE\HTC\XPanel", set Enable=1
research projects
Todo: write a program, that using the msystems trueffs sdk,
extracts data from the disk-on-a-chip. ( there is about 1.5 Mbyte unaccounted for, so that would
be interesting to find out what is in it. )
links
See xda-developers/xda2 for a more indepth review.
xda-ii gsm memory map
| 00000000 | 2 identical 4M rom images |
| 00800000 | 16 identical 512k ram images |
| 01000000 | 16 identical 512k ram images |
| 01800000 | filled with bit23-16 of addr, 0x01 |
| 02000000 | filled with bit23-16 of addr |
| 03000000 | filled with 0xff |
| 03800000 | 512 identical 8k images |
| 03c00000 | 16k identical 256 byte images |
| ffd00000 | |
| ffe00000 | |
| fff00000 | ram |
xda-ii wince memory map
| physical | virtual | size | description |
|---|
| 00000000 | 80000000 | 02000000 | 32M ROM |
| 70000000 | | 02000000 | 32M disk-on-a-chip ROM |
|
| offset | size | description |
|---|
| 00000000 | 00008000 | 0xff |
| 00008000 | 00008000 | serial number info |
| 00010000 | 00008000 | 0xff |
| 00018000 | 00050000 | bootsplash image |
|
this is stored as follows: 2 times 5 groups of 8 times repeated 4k blocks, or
aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeaaaaaaaabbbbbbbbccccccccddddddddeeeeeeee
|
| 00068000 | 00018000 | 0xff |
| 00080000 | 01000000 | FAT16 filesystem 0x8000 sectors |
| 01080000 | 00e9e800 | FAT16 filesystem 0x74f4 sectors |
| 01f1e800 | 000e1800 | 0x00 |
|
| a0000000 | 90000000 | 08000000 | 128M RAM |
xda2dmp tool
to research the memory space I use commands like this:
xda2dmp.exe -r -s 0x10000 0x00000000 0x04000000
which steps through memory in large steps, dumping 16 bytes of each block.
you can find the source to xda2dmp here, and the crc code
here.
to use this tool, you must first boot your xda2 in bootloader mode.
it may occasionally crash your device, and after dumping the gsm rom ( '-r' )
you can no longer dump wince memory, without doing a reboot.
WARNING: you will lose all the data on your device when you do this!!
0.99b now also checks crc's of downloaded blocks
0.99c attempt to fix bufferhandling
current adds possibility to write to memory be very carefull when using this
here is a compiled version.
older versions:
| 0.99a |
here is a old compiled version. |
here is a old source version. |
| 0.99b |
here is a old compiled version. |
here is a old source version. |
| 0.99c |
here is a old compiled version. |
here is a old source version. |