Patching: Technical Discussion ...
 

*) Knowledge is not something to be "cut and paste", but "copy and paste", so we can share it without any loose of ours.

Please, limit this thread to share about "Improving our skill to build C166 patches", not a such discussion about : how to flash, how to patch, please create this patch, why this patch is not work in my phone, etc-etc ...

If it is usefull, then probably, it can be putted as a Sticky ones ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll start ...

I got a question from Lalo : How to put a dynamic text inside the MsgBox ?

@Lalo:
if you disasm my SMS Counter Info patch, then you can see a convertString2ID() function (0xE6599C in SL45v56, 0xF99172 in SME45iv04). Using this function, we can convert a dynamic string to the StringID. And then, this StringID is free to use with our MsgBox or any other string related function. Sometimes, before using that function, we also need to run ResetStringID() function (SL45v56=0xE65B5E, SME45iv04=0xF992E8) ...

rizapn

GREAT THREAD IDEA Master Riza!
It will help patchers to improve each other a lot! :)

Thank you very much, I'll make my little experiments, hoping to have understood all right.
Maybe some other question on this argument may follow.

Anyway I was intresting not only in showing a dinamic text as new text ID but also in showing a mixed text with dinamic numbers and fixed text.
So using an existing text ID with variable numbers, like for example in minute beep MsgBox.

This thread is a bit "unfair", because in my opinion, rizapn has discovered mostly all knowledge about C166 and Siemens firmware, so that other people hardly are able to post their own new experiences. But because this is also a discussion thread, we might exchange some ideas how to get this and that possible or find entrypoints in the firmware.

I have some questions about handling with strings and with menu structures. Of course I can disassemble some patches from rizapn, but they're not commented, and the only example sl45.asm has just a few patches with few documentation. The sl45.inc file is helpful, but there's unfortunately not described what registers are used (and what content?) for and what return values involve.
Maybe someone call tell me some of the values and I make a documentation file for all other C166 programmers?

To the string handling routines: I'd like to know how to manage the routines like strCopy etc. I even don't know if words or bytes are used for the strings.
Also I ask, whether it's possible (and discovered) to put at string at a specific position/line on the display. I have played around with date/time string routines (beginning at 0xDB0082), but only could change the position left/center/right, not the line of it.

A third question is a bit tricky. I tried to get a routine called after several seconds when a phone call is running, e.g. after 10 seconds dictRecord() should be started. I compared the time string that is displayed, but there's a problem: I started playVMOFile() after started phone call, and then no time from the call is displayed - therefore (that's my suggestion) I can't call dictRecord() anymore. So, is there maybe another routine that can tell me how many seconds are passed?

@lalo.lerry: Can you read out an existing text ID? If so, you can do this, add your variable numbers and then make it as new text ID. I think that's a solution (but I have yet no idea how to do this).

Dynamic Text:
(Yes, dynamic text means not only 'text' but also number (as a text)). Then, we can use : id2str, strcpy, word2str, etc-etc, and then string2id ... before using the MsgBox.

Menu Structure:
This is only one example of creating menu, using CreateMenu02 function (0xE6EC90) which is used by "New Application menu" and "Format" SMS menu ... (why did I choose that function, just because its need less bytecode than the others). The code example is based on sfe format (o,p,q,r built-in function)

Function parameters:
I have write a document called 'functions.txt', where you can find some functions and their parameters. I think I already zipped into my sl45 document, but if it is not there I will put it here also ...

Modify string location in the screen:
For that date and time string, I also have no information. I am searching, but still no lucky. I found something new yesterday (when I found text style master data), but still not include that ones ... Hope somebody will found it soon ...

Executing our function after some times:
- If we are in the loop, then we can put our own counter somewhere in the RAM, and increase/decrease it based on that loop, and if the counter reach some number, it will call our function.
- If we are not in the loop, I'm not sure about that, but there is a function called 'setTimer' or 'setDelay' or I don't know, but it has a timer and function address as the parameter. The function address is 0xD6026C, and the parameter is : r13:r12 miliseconds (double_word), r15:r14 (function address). You can check the example in BLR or from address 0xDAFC46.

rizapn

2RizaPN:Explain please that this program does?
I try to find procedure which takes a name from Addressbook at an Incoming call, or procedure whence she is caused

@rizapn: Thank you very much for explanation. :) Your're right with the file "functions.txt", it's already there, but I think we could add some more functions. How's the idea of a seperate functions thread only for info (like flash patches)?
Also thanks for setTimer() function. I will try it out soon. Hope it works when dictRecord is still running (in stop mode).

TRAP routines
I did create some "TRAP" function (which is written in my sl45.asm). The goal of those kind of functions is knowing some registers value by copy them to some "free" RAM location, so I can monitor them using AT+CGSN command.
In that example, Incoming_Call_Trap, I like to know, what is happened with r9 in the address 0xA3077C, which I think it is related with Incoming Call function.

My other usefull (at least for me) TRAP function is : Dump All Registers. It uses to dump all register value and track the caller function. What I mean is : this function is called from funcA, funcA is called from funcB <- funcC <- funcD ...

TRAP routines is used by me to find some "difficult" entry-point. Sometimes, it is still not work (could not find the correct entry-point). And finally, I found them "only" by lucky ...

Name in Addressbook at Incoming Call
I think Chaos already find them. Have you try to check the "Show mobile/home/fax icons at incoming calls" patch by him?

@rc-flitzer:
Yes, I'm sure that we can share also the firmware functions/entry-point covered by us in this topics. And how about putting this topic as a sticky?

rizapn

I think it's technical problem for this topic: When we "Doing Something else while Playing dictaphone" by DSP patch we can full use java I mean full MMC access! this situation is when we use "DSR. Doing Someting else while Recording" too. But when we use "Doing something else while playing MP3" phone haven't full access. Why? How is differences between using *.VMO and *.MP3 files?

MP3 files need a special mode of MMC, continuous data stream (or something like that). So there's no "time" for other apps to access the MMC - the MP3 processor (I think it's a special chip because C166 is too slow for that) needs full access.
For VMO files the data rate is much lower (16 kbps, MP3: 128 kbps and upwards). So I think the C166 has
1. full control about recording and playing,
2. doesn't need continouus reading/writing,
3. can compensate and manage MMC accesses by several processes, just like a multitasking system can manage CPU time.

2RizaPN
How i can add more pictures to pic table ? i found this way:
increase the maxpics in B17AF6 on quantity of pictures which needs to be added, and add pictures on the SPC2 in new place, but space under the pit table not empty :(
How i can add pictures whith out erase data under the pit table ?

Pictures (and the Extended Table)

Yes, maximum pics is stored in 0xB17AF6 (word). After modifying that, you need to search the free area after the standard picture table (0xEBBCE0 is free). If you see my SOL3 patch, I use that address to put the new picture table. If you like to add yours, you can start from 0xEBBD7E).

I don't know how to handle the extended picture using SPC2. But, using ffmod you have to modify the last data in the standard Picture table (0xEBBB36) to become this : 1B FF EE FF ... 1B is the number of 0x10 bytes block to be skipped (because some block after the PIT is not free) to get the extended picture table (1B x 10 = 1B0), so the extended PIT is started from address 0xEBBB36+1B0=0xEBBCE6) ...

And you did not try entirely to transfer the PITtable on a new place? As far as I have understood seg2C5:3AF2 the address of the beginning of the PITtable is set but at his change and carry of the PITtable in corresponding address any picture is not drawing

@DeadManS: Sorry, I don't understand what you mean. But, yes, I never move all PIT data to the new place. Firmware is only use a formula like : 8 x ImgIdx to get the address and picture data, after checking the MaxImgIdx limit. So, we just need to find the free area after the normal PIT by skipping some used blocks.

Hope it is clear (please check SOL3 to get more "detail" experiment) ...

rizapn

About executing function after some time: I tried the supposed routine 0xD6026C by using VWC patch. Instead of vibrating, the patch called once setTimer(), which should start dictRecord() after some seconds. But nothing happened. Maybe in calls there is a special mode which doesn't allow such routines?

My English very bad :(
I wanted to tell here. Whether it is possible to transfer the full PITtable on a new place? address of the PITtable start stored here seg2C5:3AF2, but if i change it and replace PITtable in new place, phone not drawing any image

@rc-flitzer:
Sorry, but I really have no other information about that functions. Maybe you can find something about that from chaos or mamaich site (I'm not sure).

@DeadManS:
Yes, as far as I know (from drawImgIdx routines), the PIT value is stored in that address. But, I never try to change the value to move PIT to the new address. Anyway, why do you need to move the PIT to the area if there is another way to extend it? If you move them, then you need another "big" free area for the new PIT.

rizapn

Hello, Rizapn
can you tell me some info about T9?

@coollang:
Long time no "see". Aha... that's my wish too. I did discuss some about T9 with mamaich, but we did not found something really clear about T9. I only cover very-very preliminary info about T9 structure. You can download it from my z-soft, http://groups.yahoo.com/group/z-soft...s/t9_trial.txt ... If you find some other thing, please share it with us ...

@Riza
very thanks!
I have found some info about T9, but there is more different between lg8 and others. i would share all found!

Patch exists :D .....................

@ Sekith:
thanks :)

@ Master RIZA:
I've seen that in all you patches that have a request of confirmation you used to create a new MsgBox, but there isn't in SLIK fw a DisMsgBox? () function alread done (in S45i I found 3 - FA4D9C, FA4E18 and FA4E38)?

And can you teach me well (even if I've yet partly understood) how to create a new msgbox (icon,text,sks,headers, sk answers jump...)
Thanks :)

Message Box and Dialogs

Yes, SL45 also has some (many) display message box, such as : 0xE6F138, 0xE6EF0A, 0xE6F198, 0xE6EFE4, 0xD4E960, etc-etc. There are also some show Dialog routines, 0xE5DD76, 0xE5DE28, 0xE5ECD8, etc-etc.

Mostly, I use the one in 0xE5DDCE (why? because, in my current knowledge, this is the most compact ones) ... and here is my 'generic' syntax :

Actually x_text is separated from x_data, but I like to save some spaces, so I combine both, and x_text is become a part of x_data. The original format is :

x_text:
dw string_ID, string_ID, string_ID, ... ,7fffh

x_data:
dw 0,0,2,x,y,7fffh, ... 2e2h,4e26h,2

I dunno the meaning of each word in the x_data, but some of them (time-to-wait, handler, and button-definition). I use a 'generic' format to display the generic (but different text) dialog.

I saw that SME45iv04 has more 'powerfull' built-in displayYesNoDialog, such as : 0xFA4E18 (r12=style?,r13=text,r14=ofs(yes_handler),r15=seg( yes_handler)) ...

rizapn

Thank you MASTER! :)

Yes, I know S45i MsgBox? and already used it in some patches as "Add request of confirmation for unlocking keybord".
E.g.:

DisplayMessageBoxD(? icon) {
mov r12, flag ; #1=boxed, #2=unboxed
mov r13, #textID
mov r14, #segment offset(YESNOReturn)
mov r15, #segment (YESNOReturn)
call FA4E38 ; MsgBox ? icon with yes on left sk
answer in r12: sk right o arrow right=no=0, sk left=yes=1, red button rets


I think I'm going to use this if I'll adaptate you latest patches...
May I ask you another thing?
In these MsgBox? if mov r14 and r15 are setted to 0 where is return routine?
I alway go mad to find them!

After some bugging in the SMS counter patch I discovered that the values for received and sent messages are stored in RAM right after values for currency calculator. I presume that the values will be stored in EEPROM together with curreny calc. values?

Sometimes my SL crashes after sending an SMS (maybe from the modification with menu structures), so every change since last regular shutdown of the phone is lost. It's a pity that the SMS counts are only stored when shutting off the phone. Is it possible to write them directly into EEPROM, using the described eeprom routines? So the values will be stored immediately just like appointments. Or will this method be too time-critical?
(I announce that values have to be also read from EEPROM not from RAM.)

dear riza,
there is a very interesting function in your rsb patch. D6A20A draws a rectangle of white pixels. now my question: is there also a function that does the same thing by drawing black pixels? this will make the drawing of the signal bars in my supernet patch much easier!

thanks
arsh0r

SMS Counter
Thank's. I never try (use EEPROM func in that SMS Counter patch), but I think it is possible. If the result is same (not directly write into the EEPROM), then we have to check more in the Appointment routines. About reading the value, I think it will be no different (read it from RAM or read it from EEPROM) because the SMS Counter function will be executed after all phone initialization (including copy most EEPROM content/pointer to the RAM).

ClearRect and FillRect

:) ...
ClearRect is a sub-function of FillRect.
FillRect() in SL45v56 is 0xC0E5D0, and here is the usage:

There is also : drawImage() (not a drawImgIdx ones) and even drawString() in the firmware.

rizapn

What hear - is found tel in idle state/locking state or no?

How i can load the mid file into a individual 1-3 song memory ?
Patch idea:
song name = phone number into in address book
ringtone = individual3
before the play of ringtone when incomingcall we load a .mid file into a individual3 memory, and phone plays them

thx riza, now it works perfectly!
I also want to share my source with all of you:
supernetv0.4beta: http://www.2chaos.de/supernet/supernet0.4.txt
because i don't use mamaichs functions anymore, it can be easily ported to f.e. SME45 (but i only have sl45).

we need more functions in the app menu, too many patches are allready selctable, theres nothing left.
/edit: thx again riza, 48 patches ijn app menu will last for generations of patches...

cya
arsh0r

I know how to do some shortcuts to functions in the app-menu.

But only by changing some exiting patch code -> for example this:

0x18E388: 8B00 A904 ;string #8B -> #4A9
0x18E3BC: 8C00 A904 ;string #8B -> #4A9
0x18E4B8: 8B008B00 A904A904 ;same thing
0x3AE310: DAD70245 DAC7E0D3 ;call to patch

How can I find the marked things ? The change of the language strings is easy to do, but I can´t reproduce the other things.

The patch ist easy to do, too:
Or, even better, how can I add some more shortcuts (not changing existing ones)...

2RizaPN: If you want use this ram area for you patch C400h-C500h. this ram is not used by phone

@DeadManS: Thank's. Do you know other location with more than 0x100 free bytes which is not used anytime by the phone?

ram area i use c500h+320 for my patch translit SMS and rc-flitzers use this area for compress sms. thisram can be used for buffer like in compress sms. also see the other address from C640 with ATGSNDebugger in realtime

Hi,

@izapn: i got some questions about binary files:
1. are binarys loaded from mmc to RAM and then executed or are they directly executed from mmc (i suggest the first idea).
2. what RAM area is used for binarys? do you use the java memory?
3. how big can a binary be? (at DOS it was 640k)
4. is it possible to load images from b.s with the drawimg function (not the idx one)? if so, how?
5. can you explain some function witch draws strings on the screen and how to get data input...

maybe we can write binarys thar can customize the patches taht are in flash. or i can write a supernet binary version that refreshes more often than it doaes on the mainscreen *g* (just dreaming)

thx a lot for this patch.
arsh0r

i use ATGSNDebugger and find very intresting futures VideoRam a started at 960Ch and 1 byte = 8dots on screen try to load at this adress any byte :)

Binary File:
1. The file is loaded from MMC to RAM all bytes, and then executed from the RAM area.
2. I use RAM 0020:0000 until the end. It is not used by dictaphone, and MP3Player. But, I think yes, it is used by the java midlet.
3. I did check some pages, starting from 20 until 29 and all are filled by 00. There are something again in the page 2A. If 20-29 is really free, then binary file up to 10x16KB (160KB) will give no problem.

4. Yes, of course possible. The drawImage() function is 0xD6A45C. There are some clear example usage starting from address 0xD6B4B8, and some other location ...
5. Hehehe :) actually, this is the function which I really want from the beginning, but rather hard to cover, and finally. I use it in my unpublished : "Display both name + number" and "Show signal level + battery voltage" patches with the very small number font type. I will publish it soon ...

I still have no idea how to modify the firmware area byte by byte on the fly. And I think, binary file is not for fixed patching, but for additional function, just like a midlet, but in a low-level. I also mention about using language file as a patch file in another topic in this forum. Using language file, we can load bytecode in the firmware area, so it can be as a patch or a collection of add-on. I plan to use this method for building a big text reader (up to 2 x 64KB) which is possible to combine with MP3.

VideoRAM:
Hmmm, interesting information. Let's explore it ...

rizapn

also check this address AC0Ch is java screen videoram

drawimg test
 

i tried to test the drawimg function in a binary, but it showed nothing. just the waiting animation in endless loop (ahh, sweet endless loop). does someody know what i did wrong?

here is my code:
@rizapn: i'd be cool if you put some binary output mode to sfe

edit: i also tried some other stuff, but it didn't work, it was just loaded into ram and i can execute it with at+cgsn debug. also mmc access ****ed up, if i use my precious endlessloop...

cya
arsh0r

drawImage() function :

The usage is like this :
drawString() function:

I did publish the modified SNN: Show both Name and Number patch using drawString function. It can be used to eliminate the needed of changing (and more) images just to draw text and numbers in the screen (using well-known drawImgIdx) ... also it has a built-in centered function (so it is drawStringCentered, not drawString actually). I did not found the drawString() function yet ...

Here is the syntax:
rizapn

:confused:

NEW sfe v2.30
 

sfe

strange Error 'Bad recheck process' ...

Most of the time, if your code has no problem, it caused by ZERO offset used to compile the file.

So, add something like this :

base 0a00000h
org 0c7e000h

if you plan to put the code in the firmware address 0c7e000h.

BTW, it is a bug in my sfe, sorry ... I just forget to solve it because I never use the zero offset for all of my patches ... I will try to correct it in the next sfe version ...

;--------- EDITED --------

OK, that sfe bug had been corrected. Download the new sfe 2.30 from http://www.geocities.com/rizapn

rizapn

RizaPN please tech me how load file from MMC ? and do you know how load ringtone file to individual memory ?

Loading file from MMC

I don't know how to do it with the original firmware. There are fileOpen, fileRead, fileWrite, and fileClose built-in functions. But, it could turn the phone off if we call it directly.

That's why I modify some function to get access to the file function more savely.

If you already install FAM patch, the file access will be like this :
FACBuff is a temporary buffer used by FAM to distinguish between a normal fileOpen and our fileOpen (I use 36h:3FF8h in FAM, you can not modify this unless you modify the FAM patch also).

BFABuff is the buffer for fileRead content. You can select any "free" RAM, usually, I use 20:0 until 29:3FFF (used by Java midlet).

after_loading_func is the function which will be executed after the fileRead is finished, just after the original fileClose is executed. Put all your instruction which need to be executed after the file is loaded here ...

I know how to load any file (including midi ones) into the memory, but I need to search the convertMID2Tones() and playTonesMemory() function to be able to play the file after it is loaded.

Hope it is helpfull,

rizapn

Thanks is very helpfull :)
i think we try to make the one standart melody address change to address in ram, and put in this address melody from MMC and if ring melody set to this melody phone play tones loding from mmc like Calling Images patch from Chaos. for convert melody we write a function.

Can i on\off illumination?
I want use in java midlet.

Hello, Riza
about these function:
0xE49486 GBSS_po_open
0xE4952E GBSS_po_read
0xE49672 GBSS_po_write
0xE497E0 GBSS_po_close
I found system use these to r/w file on mmc, but if using these directely phone would turn off.
in fact these function oprate file throught sending message to MMC_FILE_SYSTEM_proc and waiting retvalue, i think there is some action for init, but i cann't find.
example this SysProcess:0xDC5DA2 LoadImageSystemOnAndWait
it is called by 0xDC652A STOREBITMAP_PROCESS.
i known mamaich has used these function to read filedata at his java patch. but i write a test and call it by at+cgsn, it would turn on system.

sorry my bad english, my national language is chinese!

2RizaPN: another question about fileread function,if file not found on mmc what i get? and how i know about this

Best thing to handle illumination in Java is to import Light class and use SetLightOn() and SetLightOff(). The difference between "Java light" and "firmware light" is that by firmware the light goes off after 15 seconds without keystroke, while Java light is on forever. But if you use some Canvas class in your midlet you can set a Timer that does making light off after 15 seconds like in MicroReader midlet.
The other way is to use System calls, you need Extension class from mamaich and the phone has to be patched to allow this. Then illumination is switched with firmware routine 0xDC4680 - but without notification whether illumination is on or off.

File Access

fileOpen (and also GBSS_po_Open) return r4 as a file Handle. If it is FFFF means something wrong with opening the file.

GBSS_po_xxx, yes I knew them. As I said, direct access to them (also) will turn the phone Off. I also think about the Init process. But, after made a long time search, I think, I prefer to patch the built-in fileAccess to do it. That's the reason why FAM patch is exist.

All existing file access patches (calling images by chaos and java access by mamaich), insert their code in the location where the (MMC) INIT function is already established. My FAM patch put a possibility for us, to read (and also write with some tricks) any file in any condition.

rizapn

Thanks, a have a question about bin melody format for my patch LRT, if i convert melody from mid file, melody play a once not in loop, but if i download standart melody from flash and store in bin file his play in loop :( i try to use for conver you FFMod and RingToneConverter but melody after conversion by this prog not play in loop :(