GSM Shop GSM Shop
GSM-Forum  

Welcome to the GSM-Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features.
Only registered members may post questions, contact other members or search our database of over 8 million posts.

Registration is fast, simple and absolutely free so please - Click to REGISTER!

If you have any problems with the registration process or your account login, please contact contact us .

Go Back   GSM-Forum > GSM & CDMA Phones / Tablets Software & Hardware Area > Various > Siemens-Benq > Siemens-Benq Flash Patching > x4x, x5x Flashpatching

Reply
 
LinkBack Thread Tools Display Modes
Old 07-11-2004, 12:07   #1 (permalink)
No Life Poster
 
Join Date: Mar 2002
Location: -[r0]-
Age: 48
Posts: 834
Member: 9891
Status: Offline
Thanks Meter: 2
Post Patching: Technical Discussion ...


*) Knowledge is not something to be "cut and paste", but "copy and paste", so we can share it without any loose of ours.

Please, limit this thread to share about "Improving our skill to build C166 patches", not a such discussion about : how to flash, how to patch, please create this patch, why this patch is not work in my phone, etc-etc ...

If it is usefull, then probably, it can be putted as a Sticky ones ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll start ...

I got a question from Lalo : How to put a dynamic text inside the MsgBox ?

@Lalo:
if you disasm my SMS Counter Info patch, then you can see a convertString2ID() function (0xE6599C in SL45v56, 0xF99172 in SME45iv04). Using this function, we can convert a dynamic string to the StringID. And then, this StringID is free to use with our MsgBox or any other string related function. Sometimes, before using that function, we also need to run ResetStringID() function (SL45v56=0xE65B5E, SME45iv04=0xF992E8) ...

rizapn

Last edited by rizapn; 07-11-2004 at 12:54.
  Reply With Quote
Old 07-11-2004, 17:04   #2 (permalink)
No Life Poster
 
lalo.lerry's Avatar
 
Join Date: Jan 2004
Location: Italy
Age: 45
Posts: 1,018
Member: 50673
Status: Offline
Thanks Meter: 2
GREAT THREAD IDEA Master Riza!
It will help patchers to improve each other a lot!

Thank you very much, I'll make my little experiments, hoping to have understood all right.
Maybe some other question on this argument may follow.

Anyway I was intresting not only in showing a dinamic text as new text ID but also in showing a mixed text with dinamic numbers and fixed text.
So using an existing text ID with variable numbers, like for example in minute beep MsgBox.
  Reply With Quote
Old 07-11-2004, 17:16   #3 (permalink)
No Life Poster
 
Join Date: Mar 2004
Posts: 593
Member: 60520
Status: Offline
Thanks Meter: 0
This thread is a bit "unfair", because in my opinion, rizapn has discovered mostly all knowledge about C166 and Siemens firmware, so that other people hardly are able to post their own new experiences. But because this is also a discussion thread, we might exchange some ideas how to get this and that possible or find entrypoints in the firmware.

I have some questions about handling with strings and with menu structures. Of course I can disassemble some patches from rizapn, but they're not commented, and the only example sl45.asm has just a few patches with few documentation. The sl45.inc file is helpful, but there's unfortunately not described what registers are used (and what content?) for and what return values involve.
Maybe someone call tell me some of the values and I make a documentation file for all other C166 programmers?

To the string handling routines: I'd like to know how to manage the routines like strCopy etc. I even don't know if words or bytes are used for the strings.
Also I ask, whether it's possible (and discovered) to put at string at a specific position/line on the display. I have played around with date/time string routines (beginning at 0xDB0082), but only could change the position left/center/right, not the line of it.

A third question is a bit tricky. I tried to get a routine called after several seconds when a phone call is running, e.g. after 10 seconds dictRecord() should be started. I compared the time string that is displayed, but there's a problem: I started playVMOFile() after started phone call, and then no time from the call is displayed - therefore (that's my suggestion) I can't call dictRecord() anymore. So, is there maybe another routine that can tell me how many seconds are passed?

@lalo.lerry: Can you read out an existing text ID? If so, you can do this, add your variable numbers and then make it as new text ID. I think that's a solution (but I have yet no idea how to do this).
  Reply With Quote
Old 07-12-2004, 01:10   #4 (permalink)
No Life Poster
 
Join Date: Mar 2002
Location: -[r0]-
Age: 48
Posts: 834
Member: 9891
Status: Offline
Thanks Meter: 2
Dynamic Text:
(Yes, dynamic text means not only 'text' but also number (as a text)). Then, we can use : id2str, strcpy, word2str, etc-etc, and then string2id ... before using the MsgBox.

Menu Structure:
This is only one example of creating menu, using CreateMenu02 function (0xE6EC90) which is used by "New Application menu" and "Format" SMS menu ... (why did I choose that function, just because its need less bytecode than the others). The code example is based on sfe format (o,p,q,r built-in function)

Code:
func_createMenu:
mov r14, #0
mov [-r0], r14  ; dunno, most samples is set to zero
mov [-r0], r14

mov [-r0], r13  ; r13:r12 is input parameter from the caller
mov [-r0], r12  ; something like the caller's handle

mov [-r0], r14
mov [-r0], r14
mov [-r0], r14
mov [-r0], r14

mov r13, #q(MENUHEADER)  ; offset of MENUHEADER data
mov r14, #p(MENUHEADER)  ; page of MENUHEADER data
mov [-r0], r14
mov [-r0], r13
mov r13, #q(MENUSTRUCT)  ; offset of MENUSTRUCT data
mov r14, #p(MENUSTRUCT)  ; page of MENUSTRUCT data
mov [-r0], r14
mov [-r0], r13
mov r12, #0  ; menu_style, 0=full_screen, 1=options-like
mov r13, #0
mov r14, #0
calls createMenu02  ; 0xE6EC90
add r0, #18h
rets

MENUHEADER:
dw 5,9,5fh,15h ; dunno ...
dw 0,0 ; pointer to MenuIcon ID
dw 885h ; menu header string ID
dw 7fffh ; end_of_data

MENUSTRUCT:
dw 0,0,0,0,0,0,0,0 ; handler_info
dw 3c02h,2ebh,3bfch,2ebh,48h,0 ; pointer to some data, dunno...
dw o(itemHandler), s(itemHandler) ; itemHandler func address
dw q(MENUBUFF), p(MENUBUFF)  ; pointer to menu items data
dw q(MENUHANDLER), p(MENUHANDLER)  ; pointer to menuHandler (if selected)
dw MENUITEMNO  ; number of menu item

itemHandler is the OnChange() function for menu item (executed each time, the menu cursor is change). Set to 0 if there is no such function needed.

MENUBUFF is the detail data for menu item (18 bytes each) :
MENUBUFF:
dw 0,0  ; dunno, pointer to some data?
dw stringID1,stringID2  ; stringID used as a menu item
dw 0,3c06h,2ebh ; dunno
dw 3  ; menu item type
dw 0d0h  ; menu item condition code
...

MENUHANDLER:
dw o(onSelectHandler), s(onSelectHandler) ...

onSelectHandler is the function which is executed when the menu item is selected.
Function parameters:
I have write a document called 'functions.txt', where you can find some functions and their parameters. I think I already zipped into my sl45 document, but if it is not there I will put it here also ...

Modify string location in the screen:
For that date and time string, I also have no information. I am searching, but still no lucky. I found something new yesterday (when I found text style master data), but still not include that ones ... Hope somebody will found it soon ...

Executing our function after some times:
- If we are in the loop, then we can put our own counter somewhere in the RAM, and increase/decrease it based on that loop, and if the counter reach some number, it will call our function.
- If we are not in the loop, I'm not sure about that, but there is a function called 'setTimer' or 'setDelay' or I don't know, but it has a timer and function address as the parameter. The function address is 0xD6026C, and the parameter is : r13:r12 miliseconds (double_word), r15:r14 (function address). You can check the example in BLR or from address 0xDAFC46.

rizapn

Last edited by rizapn; 07-12-2004 at 01:24.
  Reply With Quote
Old 07-12-2004, 15:24   #5 (permalink)
Freak Poster
 
Join Date: May 2003
Location: Russia, Ekaterinburg
Age: 40
Posts: 184
Member: 29316
Status: Offline
Thanks Meter: 0
2RizaPN:Explain please that this program does?
Code:
;-----------------------------
;#name ICT. Incoming_Call_Trap
;(from A3077C, add r9, #2E10h)
;-----------------------------

org 0c7d500h
	extp	#35h, #1
	mov	r12, 3F00h
	and	r12, #1Fh
	extp	#35h, #3
	mov	[r12+#3900h], r9
	add	r12, #1
	mov	3F00h, r12
	add	r9, #2E10h
	rets
I try to find procedure which takes a name from Addressbook at an Incoming call, or procedure whence she is caused
  Reply With Quote
Old 07-12-2004, 17:43   #6 (permalink)
No Life Poster
 
Join Date: Mar 2004
Posts: 593
Member: 60520
Status: Offline
Thanks Meter: 0
@rizapn: Thank you very much for explanation. Your're right with the file "functions.txt", it's already there, but I think we could add some more functions. How's the idea of a seperate functions thread only for info (like flash patches)?
Also thanks for setTimer() function. I will try it out soon. Hope it works when dictRecord is still running (in stop mode).
  Reply With Quote
Old 07-13-2004, 01:06   #7 (permalink)
No Life Poster
 
Join Date: Mar 2002
Location: -[r0]-
Age: 48
Posts: 834
Member: 9891
Status: Offline
Thanks Meter: 2
TRAP routines
I did create some "TRAP" function (which is written in my sl45.asm). The goal of those kind of functions is knowing some registers value by copy them to some "free" RAM location, so I can monitor them using AT+CGSN command.
In that example, Incoming_Call_Trap, I like to know, what is happened with r9 in the address 0xA3077C, which I think it is related with Incoming Call function.

My other usefull (at least for me) TRAP function is : Dump All Registers. It uses to dump all register value and track the caller function. What I mean is : this function is called from funcA, funcA is called from funcB <- funcC <- funcD ...

TRAP routines is used by me to find some "difficult" entry-point. Sometimes, it is still not work (could not find the correct entry-point). And finally, I found them "only" by lucky ...

Name in Addressbook at Incoming Call
I think Chaos already find them. Have you try to check the "Show mobile/home/fax icons at incoming calls" patch by him?

@rc-flitzer:
Yes, I'm sure that we can share also the firmware functions/entry-point covered by us in this topics. And how about putting this topic as a sticky?

rizapn
  Reply With Quote
Old 07-13-2004, 20:37   #8 (permalink)
Freak Poster
 
MacKam's Avatar
 
Join Date: Jun 2003
Posts: 354
Member: 30834
Status: Offline
Thanks Meter: 0
I think it's technical problem for this topic: When we "Doing Something else while Playing dictaphone" by DSP patch we can full use java I mean full MMC access! this situation is when we use "DSR. Doing Someting else while Recording" too. But when we use "Doing something else while playing MP3" phone haven't full access. Why? How is differences between using *.VMO and *.MP3 files?
  Reply With Quote
Old 07-13-2004, 22:09   #9 (permalink)
No Life Poster
 
Join Date: Mar 2004
Posts: 593
Member: 60520
Status: Offline
Thanks Meter: 0
MP3 files need a special mode of MMC, continuous data stream (or something like that). So there's no "time" for other apps to access the MMC - the MP3 processor (I think it's a special chip because C166 is too slow for that) needs full access.
For VMO files the data rate is much lower (16 kbps, MP3: 128 kbps and upwards). So I think the C166 has
1. full control about recording and playing,
2. doesn't need continouus reading/writing,
3. can compensate and manage MMC accesses by several processes, just like a multitasking system can manage CPU time.
  Reply With Quote
Old 07-14-2004, 07:02   #10 (permalink)
Freak Poster
 
Join Date: May 2003
Location: Russia, Ekaterinburg
Age: 40
Posts: 184
Member: 29316
Status: Offline
Thanks Meter: 0
2RizaPN
How i can add more pictures to pic table ? i found this way:
increase the maxpics in B17AF6 on quantity of pictures which needs to be added, and add pictures on the SPC2 in new place, but space under the pit table not empty
How i can add pictures whith out erase data under the pit table ?
  Reply With Quote
Old 07-14-2004, 07:50   #11 (permalink)
No Life Poster
 
Join Date: Mar 2002
Location: -[r0]-
Age: 48
Posts: 834
Member: 9891
Status: Offline
Thanks Meter: 2
Pictures (and the Extended Table)

Yes, maximum pics is stored in 0xB17AF6 (word). After modifying that, you need to search the free area after the standard picture table (0xEBBCE0 is free). If you see my SOL3 patch, I use that address to put the new picture table. If you like to add yours, you can start from 0xEBBD7E).

I don't know how to handle the extended picture using SPC2. But, using ffmod you have to modify the last data in the standard Picture table (0xEBBB36) to become this : 1B FF EE FF ... 1B is the number of 0x10 bytes block to be skipped (because some block after the PIT is not free) to get the extended picture table (1B x 10 = 1B0), so the extended PIT is started from address 0xEBBB36+1B0=0xEBBCE6) ...

Last edited by rizapn; 07-14-2004 at 08:02.
  Reply With Quote
Old 07-15-2004, 11:24   #12 (permalink)
Freak Poster
 
Join Date: May 2003
Location: Russia, Ekaterinburg
Age: 40
Posts: 184
Member: 29316
Status: Offline
Thanks Meter: 0
And you did not try entirely to transfer the PITtable on a new place? As far as I have understood seg2C5:3AF2 the address of the beginning of the PITtable is set but at his change and carry of the PITtable in corresponding address any picture is not drawing
  Reply With Quote
Old 07-15-2004, 12:06   #13 (permalink)
No Life Poster
 
Join Date: Mar 2002
Location: -[r0]-
Age: 48
Posts: 834
Member: 9891
Status: Offline
Thanks Meter: 2
@DeadManS: Sorry, I don't understand what you mean. But, yes, I never move all PIT data to the new place. Firmware is only use a formula like : 8 x ImgIdx to get the address and picture data, after checking the MaxImgIdx limit. So, we just need to find the free area after the normal PIT by skipping some used blocks.

Hope it is clear (please check SOL3 to get more "detail" experiment) ...

rizapn
  Reply With Quote
Old 07-15-2004, 12:11   #14 (permalink)
No Life Poster
 
Join Date: Mar 2004
Posts: 593
Member: 60520
Status: Offline
Thanks Meter: 0
About executing function after some time: I tried the supposed routine 0xD6026C by using VWC patch. Instead of vibrating, the patch called once setTimer(), which should start dictRecord() after some seconds. But nothing happened. Maybe in calls there is a special mode which doesn't allow such routines?
  Reply With Quote
Old 07-15-2004, 12:16   #15 (permalink)
Freak Poster
 
Join Date: May 2003
Location: Russia, Ekaterinburg
Age: 40
Posts: 184
Member: 29316
Status: Offline
Thanks Meter: 0
My English very bad
I wanted to tell here. Whether it is possible to transfer the full PITtable on a new place? address of the PITtable start stored here seg2C5:3AF2, but if i change it and replace PITtable in new place, phone not drawing any image
  Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
thread Thread Starter Forum Replies Last Post
BB5 - Technical Discussion adihack Nokia Base Band 5 ( BB-5 ) 220 10-14-2011 06:31
x65 patching technical discussion Acidmrp x6x and x7x Flashpatching 42 10-10-2009 08:06
Iphone 3G Technical Discussion and SP Unlocking theory GraveSlayer iPhone 2 / iPhone 3G / iPhone 3GS 8 11-15-2008 06:04
Technical discussion sharp705sh celluniversal Sharp 0 05-17-2007 18:26
Technical discussion BB5 unlocking twisterfan Nokia Base Band 5 ( BB-5 ) 0 05-16-2007 20:36

 



All times are GMT +1. The time now is 10:50.



Powered by Searchlight © 2019 Axivo Inc.
vBulletin Optimisation provided by vB Optimise (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
- GSM Hosting Ltd. - 1999-2017 -
Page generated in 0.46076 seconds with 9 queries

SEO by vBSEO