GSM-Forum
Some RAM questions

Post #1, charlielao, 04-25-2005 01:36:


@Masters and other patchers:
I tried experimenting on ACID's Siemens Debugger and found this:
0dfa06 to 0dfa09 <- 4-digit batt voltage
0dfa0b to 0dfa0f <- 4 digits and the ":" sign of the current time
The batt voltage and current time are shown in the right column of the debugger. How come the RAM used by Master Riza for batt voltage is 000E:39E2?
And how do I use the RAM locations I found?

Post #2, lalo.lerry, 04-25-2005 13:26:
@Student Charlie:
RAM values can be found and understood:
- by fw routine studies, e.g. a RAM location is called/modified in a known routine (better way)
- by random RAM exploration

Anyway, going on with your RAM studies you will see the same RAM values are often repeated more than once in RAM, usually at close offsets (as you found out for Battery Voltage).
Usually they are identical in that moment but may not be the same in all situations, as they are controlled by different routines.
You can guess which to use only by deep understanding of the underlying routines or by a lot of testing.

How to use a RAM location?
I've already told you, just look here

Post #3, charlielao, 04-26-2005 03:22:
Hello Prof,
If the time is 12:12
0dfa0b shows 1
0dfa0c shows 2
0dfa0d shows :
0dfa0e shows 1
0dfa0f shows 2 in the right-hand portion of the debugger. When I use the Monitor button, it displays the current time (same as that shown on my phone).
If I use 37h:3A0B (0dfa0b <- correct?)
extp #37h, #1
mov r12, 3A0Bh
what will be the value of r12? Will it be 1? And some of the patches use this:
mov r12, 37h
mov r13, 3A0Bh
What will happen to the values of r12 and r13?

Post #4, lalo.lerry, 04-26-2005 03:51:
Hello Student,

Quote: If I use 37h:3A0B (0dfa0b <- correct?)
Yes.

Quote: extp #37h,#1 mov r12, 3A0Bh what will be the value of r12? Will it be 1?
Yes!

Quote: And some of the patches use this: mov r12,37h mov r13,3A0Bh What will happen to the values of r12 and r13?
If you have copied it right, r12 will contain the hex value 37 and r13 the value 3A0B.

But I think you have miscopied; a very commonly used piece of code is:

extp #37h, #2    ; op1=2 = extp for the next 2 instructions
mov r12, 3A0Bh   ; word value present at 37:3A0B stored in r12
mov r13, 3A0Dh   ; word value present at 37:3A0D stored in r13

NOTE: op1 can be a value between 1 and 4

Clear?

Post #5, charlielao, 04-26-2005 04:05:
Quote: extp #37h,#1 mov r12, 3A0Bh what will be the value of r12? Will it be 1? Yes!
Will the value be 1 (which is in the right column of the debugger) or will it be the hex value in the left-side column of the debugger?
From the Menu Button Text patch:
27E97A: E6 FC 06 3A : mov r12, #3A06h
27E97E: E6 FD 37 00 : mov r13, #37h
This is what I was asking about, Prof. Isn't 37h:3A06h a RAM location? So r12 and r13 were assigned their corresponding values above. What happens to their values?
Quote: op1 can be 1 to 4
So this means we can use extp #37h, #4, which corresponds to using it 4 times?

Post #6, lalo.lerry, 04-28-2005 02:23:
hello student,
here I am again!

Quote: extp #37h,#1 mov r12, 3A0Bh what will be the value of r12? Will it be 1? Yes!
Quote: Will the value be 1 (which is in the right column of the debugger) or will it be the hex value in the left-side column of the debugger?

Sorry, I answered you in too much of a hurry.
Of course the value is the one on the left side of the debugger, so it's 31h.
The right side is only the conversion of the left-side values into ASCII characters, where a corresponding character exists.
It's just a help, as in hex editors.

Quote: From the Menu Button Text patch:
27E97A: E6 FC 06 3A : mov r12, #3A06h
27E97E: E6 FD 37 00 : mov r13, #37h
This is what I was asking about, Prof. Isn't 37h:3A06h a RAM location? So r12 and r13 were assigned their corresponding values above. What happens to their values?

I've looked quickly into the MTB patch, so I can tell you that 37:3A06 is a RAM location chosen by Riza to store the MTB time buffer.
r12 and r13 are set before a call; see the called routine to understand how they are used.

Quote: op1 can be 1 to 4
So this means we can use extp #37h, #4, which corresponds to using it 4 times?

Yes, the following 4 instructions are in the extp page.
BTW, if you want to set an extp page for more than 4 instructions, or for instructions that are not in a row, you can set DPP0 (a special function register) to that page.
Bye

Lalo

Post #7, charlielao, 04-28-2005 05:32:
Hello Prof:
If I use 37:3A0F, which contains the minutes (ones) of the current time, can I use it as a jumper to execute a command after 5 minutes (for example), like this:
extp #37h, #1
mov r12, 3A0Fh
add r12, #5
jmpr cc_NC, go to command

Post #8, lalo.lerry, 04-28-2005 14:56:
hello Student,
no, the routine cannot be so simple to obtain what you want.
2 problems in your routine:

1. It checks a RAM location related to a patch (MTB), so it will not work if that patch is not installed.
In fw there are plenty of RAM time locations.
E.g. use the one used in Hourly Beep.

2. In r12 there is a variable number that is updated every few seconds (or each minute), depending on which routine you insert it in. So the conditional code will never be satisfied.
Use a different routine, e.g. the hourly beep one.

3. IMHO, to insert a delay it's better to use the original fw built-in delay() routines... they work perfectly and save a lot of bytes.


BTW, why do you always try to develop such difficult patches, even though you are still a young patching student?
I myself didn't start with these (medium) difficulty ones... they are for intermediate-level patching students!


Bye

prof

Last edited by lalo.lerry; 04-28-2005 at 15:17.

Post #9, charlielao, 04-29-2005 00:53:
Hi Prof:
So Hourly Beep has a better RAM loc?
Quote: 3. IMHO, to insert a delay it's better to use the original fw built-in delay() routines... they work perfectly and save a lot of bytes.
Do you know these routines?
Quote: BTW, why do you always try to develop such difficult patches, even though you are still a young patching student?
Hehehe, because the easier patches have already been done, Prof.

Post #10, lalo.lerry, 04-29-2005 01:30:
hello Stu:

Quote: So Hourly Beep has a better RAM loc?
Yes, this one, 0D:25DE, as the RAM hours location.
So, if RAM locations are used in a similar way as in my S45i (as is very often the case), there should also be these locations in that area:

0D:25DA = 365DA : seconds (only when inserted)
0D:25DC = 365DC : minutes
0D:25DE = 365DE : hours
0D:25E0 = 365E0 : day
0D:25E2 = 365E2 : month
0D:25E4 = 365E4 : year

Please check them, because I cannot, not having an SL45.

Quote: Do you know these routines?
I know them in the S45i, and searched for one of them in the SL45 for you.
It should be:

mov r13, #Off
mov r14, #Seg     ; where r14:r13 = Seg:Off is the call to be executed after the delay
mov [-r0], r14
mov [-r0], r13
mov r12, #Off
mov r13, #Page    ; where r13:r12 = Page:Off of the RAM timer location (just choose a free RAM area)
mov r14, #n       ; where n is the time in ms / 0.25
mov r15, #0
calls C1CA86      ; delay1 ()
add r0, #4


Enjoy it

prof

Post #11, charlielao, 04-29-2005 02:01:
Thanks for the quick answer, Prof. I'll be studying it first, then post many many more stupid questions for you hehehe. Now I'm redoing the Blank Screen when key locked by Master, because if there is an unread SMS, after some time the screen goes back to blank.

mov r13, #Off
mov r14, #Seg     ; where r14:r13 = Seg:Off is the call to be executed after the delay
mov [-r0], r14
mov [-r0], r13
<- why make r13 and r14 0 again?
mov r12, #Off
mov r13, #Page    ; where r13:r12 = Page:Off of the RAM timer location (just choose a free RAM area) <- I'll use the debugger and find a RAM loc with FFFFFFFF... ?
mov r14, #n       ; where n is the time in ms / 0.25
mov r15, #0 <- where did r15 come from and why move #0 into it?
calls C1CA86      ; delay1 ()
add r0, #4 <- what is r0 and why add #4?

Last edited by charlielao; 04-29-2005 at 04:51.

Post #12, lalo.lerry, 04-30-2005 01:37:
hello Student,
here are your answers:


Quote:
mov r13, #Off
mov r14, #Seg     ; where r14:r13 = Seg:Off is the call to be executed after the delay
mov [-r0], r14
mov [-r0], r13 <- why make r13 and r14 0 again?

To store Seg:Offset on the system stack.
I think it is due to how the fw-hw machine interaction works.
Anyway, this routine is used plenty of times in exactly this way.


Quote:
mov r12, #Off
mov r13, #Page    ; where r13:r12 = Page:Off of the RAM timer location (just choose a free RAM area) <- I'll use the debugger and find a RAM loc with FFFFFFFF... ?

Free RAM areas can be found by searching for FFFFF (usually related to EEPROM RAM areas) or 00000 (normal RAM areas).
Be careful, because some RAM areas may seem to be free, but only because they are not used at the specific moment you are looking at them.
I suggest you use a RAM location close to one used by other patchmasters; it should already be well tested and bug-free.
BTW, usually a patchmaster tends to always use the same RAM area for his patches, just as a patchmaster has his "own" area in fw to store patch routines.


Quote:
mov r14, #n       ; where n is the time in ms / 0.25
mov r15, #0 <- where did r15 come from and why move #0 into it?

r15 is just set that way before the delay call; search in the call to understand why.
Anyway, very often r15 is set to 0.
Sometimes r15 is used to store the time if the time value is greater than FFFF and cannot be saved in only one register, but I haven't checked if this is the case here.


Quote:
calls C1CA86      ; delay1 ()
add r0, #4 <- what is r0 and why add #4?

r0 is used for the system stack; you have to add 4 (= 2 words) because you have stored r13 and r14 without restoring them.
Many "function" subroutines add something to the system stack as their last command; just explore the original fw routines.

bye

Lalo

Post #13, charlielao, 04-30-2005 02:15:
Prof:
I got this from your Hourly Beep v1:
27DC72: D7 40 11 00 : extp #11h, #1
27DC76: F7 F8 40 38 : movb 47840h, rl4 ; (0011:3840)
What RAM loc is it pointing to?

Post #14, lalo.lerry, 04-30-2005 04:59:
Who remembers it, my friend.... who remembers?!
(I'll check it out ASAP)

Post #15, charlielao, 04-30-2005 08:31:
Hi Prof, here is another out-of-the-blue question:
Master Riza explained this from his CDR patch:
From CDR.asm (Call Detail Record) source:
mov r8, #200h+'R' <- R(eceived)
- put the "received SMS" flag in register R8
mov r12, #315h
- set R12 with the hex value 315
mov r5, #32h
- and R5 with 32h
R5:R12 is prepared to store the pointer to the incoming SMS sender number (32h:0315h).
extp r5, #1
- work in the page whose value is stored in register R5 (32h)
movb rl4, 2F0h
- get the byte value of RAM 32h:02F0h and store it in RL4. 32h:02F0 for an incoming SMS stores the SMS type, including normal or delivery-status SMS. I don't know the meaning of the other values...
andb rl4, #40h
jmpr cc_Z, sdr_001
- make a test: if (RL4 and 40h == 0) goto sdr_001
mov r8, #200h+'D'
add r12, #1
- if the result of the test is not zero (RL4 and 40h != 0), then set the flag to 'D' (delivery-status SMS), and change the incoming SMS sender number pointer to 32h:0316h...

I used the debugger and got these while there was a new incoming SMS:
09196262888: <- sender number
0C8300: 01 03 01 07 91 36 19 08 00 30 17 00 14 04 0C 00
0C8310: 00 00 01 14 04 0C 91 36 19 69 62 82 88 00 00 50
0C8320: 40 03 20 01 95 00 01 41 10 2E 07 C5 68 3A D8 4C
0C8330: 97 7D D7 E5 A0 71 5D 2E 2F BB E9 20 71 98 1D 76

The numbers are shown in red, but they are alternated in the RAM.
I tried using Master's CDR EP 44e6fc: E6FE2600 for incoming SMS, but if I receive an incoming SMS, my phone shuts down.
This is a simple test patch I made that causes it:
44e6fc: E6FE2600 DABA77BB ; original mov r14, #26h replaced by a calls into the patch below
1ABB77: FFFF 8880 ; mov [-r0], r8 (save r8)
1ABB79: FFFFFFFF D7403200 ; extp #32h, #1
1ABB7D: FFFFFFFF F2F81B03 ; mov r8, 31bh
1ABB81: FFFFFFFF 46F85200 ; cmp r8, #82
1ABB85: FFFF 3D04 ; jmpr cc_NZ, 11
1ABB87: FFFFFFFF E6FC3a00 ; mov r12, #3a
1ABB8B: FFFFFFFF DAC3B600 ; calls 0C3h, loc_C300B6 (play tone)
1ABB8F: FFFFFFFF D7403200 ; extp #32h, #1
1ABB93: FFFFFFFF F6F81B03 ; mov 31bh, r8
1ABB97: FFFFFFFF E6FE2600 ; mov r14, #26h (the original instruction from the EP)
1ABB9B: FFFF 9880 ; mov r8, [r0+] (restore r8)
1ABB9D: FFFF DB00 ; rets
What's wrong, Prof?
I also saw that the RAM loc (000C:326C) you used in Blacklist is the same loc used when there is an incoming SMS for the Postcode data. I tried using it in the above patch, but it doesn't play the tone, though my phone didn't shut off. How come we have to use the low byte of the RAM loc above to compare the Postcode data? Why can't we use the whole word?

Last edited by charlielao; 04-30-2005 at 09:35.
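As an added example (not code from the thread or from any of the patchmasters), the Python below models the page:offset addressing used throughout this thread (extp #page / DPPx windows: 37h:3A0B is 0DFA0B, 0D:25DE is 365DE) and decodes the sender number from the RAM dump in the post above. The dump bytes are transcribed from that post; the address layout (length byte, type-of-address byte, swapped-nibble BCD digits) is the standard GSM one and is an assumption here.

```python
# Added example, not code from the thread: models C166 page:offset addressing
# (extp #page / DPPx windows) and decodes the SMS sender number from the RAM
# dump posted above. Dump bytes are transcribed from the post; the address
# layout (len, type-of-address, swapped-nibble BCD) is the standard GSM one.
PAGE_SIZE = 0x4000  # one data page is 16 KiB: 10-bit page, 14-bit offset

def to_linear(page: int, offset: int) -> int:
    """37h:3A0B -> 0DFA0B, 0D:25DE -> 365DE, 11h:3840 -> 47840."""
    if not (0 <= page <= 0x3FF and 0 <= offset < PAGE_SIZE):
        raise ValueError("page must fit in 10 bits, offset in 14 bits")
    return page * PAGE_SIZE + offset

def from_linear(addr: int) -> tuple:
    """Inverse of to_linear: 0x365DE -> (0x0D, 0x25DE)."""
    return addr // PAGE_SIZE, addr % PAGE_SIZE

# RAM dump captured in post #15 above (four lines starting at 0C8300).
DUMP_BASE = 0xC8300
DUMP = bytes.fromhex(
    "01030107913619080030170014040C00"
    "00000114040C91361969628288000050"
    "4003200195000141102E07C5683AD84C"
    "977DD7E5A0715D2E2FBBE92071981D76"
)

def read_word(page: int, offset: int) -> int:
    """What 'extp #page,#1 / mov rX, offset' loads: a little-endian word."""
    i = to_linear(page, offset) - DUMP_BASE
    if not 0 <= i < len(DUMP) - 1:
        raise IndexError("address is outside the captured dump")
    return DUMP[i] | (DUMP[i + 1] << 8)

def decode_gsm_address(page: int, offset: int) -> str:
    """Decode length / type-of-address / BCD digits at page:offset.
    32h:0315 (Riza's sender-number pointer) lands on the length byte 0C (12
    digits), 91 marks an international number, and each BCD byte holds two
    digits low nibble first, which is why they look swapped in the dump."""
    i = to_linear(page, offset) - DUMP_BASE
    ndigits, toa = DUMP[i], DUMP[i + 1]
    bcd = DUMP[i + 2 : i + 2 + (ndigits + 1) // 2]
    digits = "".join(f"{b & 0x0F}{b >> 4}" for b in bcd)[:ndigits]
    return ("+" if toa == 0x91 else "") + digits

if __name__ == "__main__":
    print(hex(to_linear(0x37, 0x3A0B)))       # 0xdfa0b
    print(hex(read_word(0x32, 0x031B)))       # 0x8882, the word at 32h:031B read by the test patch above
    print(decode_gsm_address(0x32, 0x0315))   # +639196262888
```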