GSM-Forum > x4x, x5x Flashpatching > Patching: Technical Discussion ...

rizapn 07-11-2004 12:07

Patching: Technical Discussion ...
*) Knowledge is not something to be "cut and paste", but "copy and paste", so we can share it without any loss of our own.

Please, limit this thread to sharing about "Improving our skill to build C166 patches", not such discussions as: how to flash, how to patch, please create this patch, why this patch does not work in my phone, etc. ...

If it is useful, then probably it can be made a Sticky one ...


I'll start ...

I got a question from Lalo: How to put a dynamic text inside the MsgBox?

If you disassemble my SMS Counter Info patch, you can see a convertString2ID() function (0xE6599C in SL45v56, 0xF99172 in SME45iv04). Using this function, we can convert a dynamic string to a StringID. Then this StringID is free to use with our MsgBox or any other string-related function. Sometimes, before using that function, we also need to run the ResetStringID() function (SL45v56=0xE65B5E, SME45iv04=0xF992E8) ...


lalo.lerry 07-11-2004 17:04

It will help patchers to improve each other a lot! :)

Thank you very much, I'll make my little experiments, hoping I have understood it all right.
Maybe some other questions on this subject may follow.

Anyway, I was interested not only in showing a dynamic text as a new text ID but also in showing a mixed text with dynamic numbers and fixed text.
So using an existing text ID with variable numbers, like for example in the minute beep MsgBox.

rc-flitzer 07-11-2004 17:16

This thread is a bit "unfair", because in my opinion rizapn has discovered almost all knowledge about C166 and Siemens firmware, so that other people are hardly able to post their own new experiences. But because this is also a discussion thread, we might exchange some ideas on how to make this and that possible or find entry points in the firmware.

I have some questions about handling strings and menu structures. Of course I can disassemble some patches from rizapn, but they're not commented, and the only example, sl45.asm, has just a few patches with little documentation. The file is helpful, but unfortunately it is not described which registers are used (and with what content?) for what, and what the return values mean.
Maybe someone can tell me some of the values and I'll make a documentation file for all other C166 programmers?

On the string handling routines: I'd like to know how to manage routines like strCopy etc. I don't even know whether words or bytes are used for the strings.
I also ask whether it's possible (and discovered) to put a string at a specific position/line on the display. I have played around with the date/time string routines (beginning at 0xDB0082), but could only change the position left/center/right, not the line of it.

A third question is a bit tricky. I tried to get a routine called after several seconds when a phone call is running, e.g. after 10 seconds dictRecord() should be started. I compared the time string that is displayed, but there's a problem: I started playVMOFile() after the phone call started, and then no time from the call is displayed - therefore (that's my guess) I can't call dictRecord() anymore. So, is there maybe another routine that can tell me how many seconds have passed?

@lalo.lerry: Can you read out an existing text ID? If so, you can do this: add your variable numbers and then make it a new text ID. I think that's a solution (but I have no idea yet how to do this).

rizapn 07-12-2004 01:10

Dynamic Text:
(Yes, dynamic text means not only 'text' but also numbers (as text)). Then we can use: id2str, strcpy, word2str, etc., and then string2id ... before using the MsgBox.

Menu Structure:
This is only one example of creating a menu, using the CreateMenu02 function (0xE6EC90), which is used by the "New Application" menu and the "Format" SMS menu ... (why did I choose that function? Just because it needs less bytecode than the others). The code example is based on the sfe format (o, p, q, r built-in functions).


mov r14, #0
mov [-r0], r14  ; dunno, most samples set it to zero
mov [-r0], r14

mov [-r0], r13  ; r13:r12 is the input parameter from the caller
mov [-r0], r12  ; something like the caller's handle

mov [-r0], r14
mov [-r0], r14
mov [-r0], r14
mov [-r0], r14

mov r13, #q(MENUHEADER)  ; offset of MENUHEADER data
mov r14, #p(MENUHEADER)  ; page of MENUHEADER data
mov [-r0], r14
mov [-r0], r13
mov r13, #q(MENUSTRUCT)  ; offset of MENUSTRUCT data
mov r14, #p(MENUSTRUCT)  ; page of MENUSTRUCT data
mov [-r0], r14
mov [-r0], r13
mov r12, #0  ; menu_style, 0=full_screen, 1=options-like
mov r13, #0
mov r14, #0
calls createMenu02  ; 0xE6EC90
add r0, #18h  ; drop the 12 words pushed above (12 x 2 bytes = 18h)

; MENUHEADER data (referenced above via q/p):
dw 5,9,5fh,15h ; dunno ...
dw 0,0 ; pointer to MenuIcon ID
dw 885h ; menu header string ID
dw 7fffh ; end_of_data

; MENUSTRUCT data (referenced above via q/p):
dw 0,0,0,0,0,0,0,0 ; handler_info
dw 3c02h,2ebh,3bfch,2ebh,48h,0 ; pointer to some data, dunno...
dw o(itemHandler), s(itemHandler) ; itemHandler func address
dw q(MENUBUFF), p(MENUBUFF)  ; pointer to menu items data
dw q(MENUHANDLER), p(MENUHANDLER)  ; pointer to menuHandler (if selected)
dw MENUITEMNO  ; number of menu items

itemHandler is the OnChange() function for the menu item (executed each time the menu cursor changes). Set it to 0 if no such function is needed.

MENUBUFF is the detail data for the menu items (18 bytes each):
dw 0,0  ; dunno, pointer to some data?
dw stringID1,stringID2  ; stringID used as a menu item
dw 0,3c06h,2ebh ; dunno
dw 3  ; menu item type
dw 0d0h  ; menu item condition code

dw o(onSelectHandler), s(onSelectHandler) ...

onSelectHandler is the function which is executed when the menu item is selected.

Function parameters:
I have written a document called 'functions.txt', where you can find some functions and their parameters. I think I already zipped it into my sl45 document, but if it is not there I will put it here also ...

Modify string location on the screen:
For the date and time string, I also have no information. I am searching, but still no luck. I found something new yesterday (when I found the text style master data), but it still does not include that one ... Hope somebody will find it soon ...

Executing our function after some time:
- If we are in a loop, then we can put our own counter somewhere in RAM, increase/decrease it in that loop, and when the counter reaches some number, call our function.
- If we are not in a loop, I'm not sure, but there is a function called 'setTimer' or 'setDelay' or whatever, which has a timer and a function address as parameters. The function address is 0xD6026C, and the parameters are: r13:r12 milliseconds (double word), r15:r14 (function address). You can check the example in BLR or from address 0xDAFC46.


DeadManS 07-12-2004 15:24

2RizaPN: Please explain what this program does?

;#name ICT. Incoming_Call_Trap
;(from A3077C, add r9, #2E10h)

org 0c7d500h
        extp        #35h, #1            ; next instruction uses data page 35h
        mov        r12, 3F00h           ; r12 = write index stored at 35h:3F00h
        and        r12, #1Fh            ; keep it in 0..31 (32-entry ring)
        extp        #35h, #3            ; next three instructions use page 35h
        mov        [r12+#3900h], r9     ; store r9 at 35h:(3900h + index)
        add        r12, #1              ; advance the index
        mov        3F00h, r12           ; and write it back
        add        r9, #2E10h           ; the original instruction from A3077C

I am trying to find the procedure which takes a name from the Addressbook at an incoming call, or the procedure from which it is called.

rc-flitzer 07-12-2004 17:43

@rizapn: Thank you very much for the explanation. :) You're right about the file "functions.txt", it's already there, but I think we could add some more functions. How about the idea of a separate functions thread only for info (like flash patches)?
Also thanks for the setTimer() function. I will try it out soon. Hope it works when dictRecord is still running (in stop mode).

rizapn 07-13-2004 01:06

TRAP routines
I created some "TRAP" functions (which are written in my sl45.asm). The goal of those kinds of functions is to learn some register values by copying them to some "free" RAM location, so I can monitor them using the AT+CGSN command.
In that example, Incoming_Call_Trap, I would like to know what happens with r9 at the address 0xA3077C, which I think is related to the Incoming Call function.

My other useful (at least for me) TRAP function is: Dump All Registers. It is used to dump all register values and track the caller function. What I mean is: this function is called from funcA, funcA is called from funcB <- funcC <- funcD ...

TRAP routines are used by me to find some "difficult" entry points. Sometimes it still does not work (could not find the correct entry point). And finally, I found them "only" by luck ...

Name in Addressbook at Incoming Call
I think Chaos already found it. Have you tried the "Show mobile/home/fax icons at incoming calls" patch by him?

Yes, I'm sure we can also share the firmware functions/entry points covered by us in this topic. And how about making this topic a sticky?
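As an added illustration of the TRAP technique rizapn describes (not code from the thread or from sl45.asm), here is a Python model of the Incoming_Call_Trap ring buffer plus a decoder for the RAM region it fills, as one would read it back from a dump. The page and offsets are taken from the posted routine; the 2-byte slot stride, the 16 KiB page image and the sample r9 values are assumptions.

```python
import struct

# Constructed model of the Incoming_Call_Trap: the trap copies r9 into RAM
# page 35h so the values can later be read back (e.g. with AT+CGSN).
# Page/offsets come from the posted routine; the 2-byte slot stride is an
# assumption (the routine adds the raw index as a byte offset).
PAGE = 0x35          # extp #35h: 16 KiB data page used by the trap
IDX_OFF = 0x3F00     # word holding the running write index
RING_OFF = 0x3900    # base of the trap ring inside that page
RING_MASK = 0x1F     # and r12, #1Fh -> 32 slots, wrapping
SLOT = 2             # assumed: one 16-bit register value per slot
PAGE_SIZE = 0x4000

def linear(page, offset):
    """24-bit address of a C166 page:offset pair (page * 4000h + 14-bit offset)."""
    return (page << 14) | (offset & 0x3FFF)

def trap_write(page_ram, r9):
    """One pass through the trap on a 16 KiB image of page 35h; returns the slot used."""
    idx = struct.unpack_from("<H", page_ram, IDX_OFF)[0] & RING_MASK      # mov r12,3F00h ; and r12,#1Fh
    struct.pack_into("<H", page_ram, RING_OFF + idx * SLOT, r9 & 0xFFFF)  # mov [r12+#3900h], r9
    struct.pack_into("<H", page_ram, IDX_OFF, idx + 1)                    # add r12,#1 ; mov 3F00h,r12
    return idx

def decode_ring(page_ram):
    """Recorded r9 values newest-first, recovered from the dumped page.

    Slots never written still hold whatever was in RAM, so only the first
    min(number of trap hits, 32) entries are meaningful.
    """
    idx = struct.unpack_from("<H", page_ram, IDX_OFF)[0]
    values = []
    for k in range(1, RING_MASK + 2):
        slot = (idx - k) & RING_MASK
        values.append(struct.unpack_from("<H", page_ram, RING_OFF + slot * SLOT)[0])
    return values

if __name__ == "__main__":
    ram = bytearray(PAGE_SIZE)                 # constructed, zero-filled page 35h
    for sample in (0x1234, 0x5678, 0x9ABC):    # constructed r9 values
        trap_write(ram, sample)
    print("ring at %06X, index at %06X" % (linear(PAGE, RING_OFF), linear(PAGE, IDX_OFF)))
    print([hex(v) for v in decode_ring(ram)[:3]])   # newest first
```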


MacKam 07-13-2004 20:37

I think it's a technical problem for this topic: when we "Do Something else while Playing dictaphone" with the DSP patch we can fully use Java, I mean full MMC access! This is the situation when we use "DSR. Doing Something else while Recording" too. But when we use "Doing something else while playing MP3" the phone doesn't have full access. Why? What is the difference between using *.VMO and *.MP3 files?

rc-flitzer 07-13-2004 22:09

MP3 files need a special mode of the MMC, continuous data stream (or something like that). So there's no "time" for other apps to access the MMC - the MP3 processor (I think it's a special chip because the C166 is too slow for that) needs full access.
For VMO files the data rate is much lower (16 kbps; MP3: 128 kbps and upwards). So I think the C166
1. has full control over recording and playing,
2. doesn't need continuous reading/writing,
3. can compensate and manage MMC accesses by several processes, just like a multitasking system can manage CPU time.

DeadManS 07-14-2004 07:02

How can I add more pictures to the pic table? I found this way:
increase maxpics at B17AF6 by the number of pictures which need to be added, and add the pictures on the SPC2 in a new place, but the space under the PIT table is not empty :(
How can I add pictures without erasing the data under the PIT table?

rizapn 07-14-2004 07:50

Pictures (and the Extended Table)

Yes, the maximum number of pics is stored at 0xB17AF6 (word). After modifying that, you need to search for the free area after the standard picture table (0xEBBCE0 is free). If you look at my SOL3 patch, I use that address to put the new picture table. If you like to add yours, you can start from 0xEBBD7E.

I don't know how to handle the extended pictures using SPC2. But using ffmod you have to modify the last data in the standard Picture table (0xEBBB36) to become this: 1B FF EE FF ... 1B is the number of 0x10-byte blocks to be skipped (because some blocks after the PIT are not free) to get to the extended picture table (1B x 10 = 1B0), so the extended PIT starts from address 0xEBBB36+1B0=0xEBBCE6 ...

DeadManS 07-15-2004 11:24

And did you not try to transfer the whole PIT table to a new place? As far as I have understood, at seg2C5:3AF2 the address of the beginning of the PIT table is set, but when I change it and move the PIT table to the corresponding address, no picture is drawn.

rizapn 07-15-2004 12:06

@DeadManS: Sorry, I don't understand what you mean. But yes, I never moved all the PIT data to a new place. The firmware only uses a formula like 8 x ImgIdx to get the address of the picture data, after checking the MaxImgIdx limit. So, we just need to find the free area after the normal PIT by skipping some used blocks.

Hope it is clear (please check SOL3 for a more "detailed" experiment) ...


rc-flitzer 07-15-2004 12:11

About executing a function after some time: I tried the supposed routine 0xD6026C using the VWC patch. Instead of vibrating, the patch called setTimer() once, which should start dictRecord() after some seconds. But nothing happened. Maybe during calls there is a special mode which doesn't allow such routines?

DeadManS 07-15-2004 12:16

My English is very bad :(
I wanted to say this: is it possible to transfer the full PIT table to a new place? The address of the PIT table start is stored here: seg2C5:3AF2, but if I change it and move the PIT table to the new place, the phone doesn't draw any image.
