Profil Logo Patch selectable Help - Page 3 - GSM-Forum

charlielao · 02-11-2005, 04:04

@Professor Lalo:
Orig fw:
3B36C6: 46 FC FF FF : cmp r12, #0FFFFh
Patched w/ Auto Profile fw:
3B36C6: DA E0 00 C7 : calls 0E0h, loc_E0C700
In Orig fw, loc 3B36C6 is cmp command. Then Alex inserted his Auto Patch
but in the line before rets command, he re inserted the orig command.
40C72C: 46 FC FF FF : cmp r12, #0FFFFh ;original routine
40C730: DB 00 : rets
So if i do my patch also, i have to re insert the orig command too?
do the other insert points used by other Masters re insert the orig
command too?
I patched my phone with this:
3B36C6: DAE000C7 DAFF20FB ; reroute to call 2 patches
5FFB20: FFFFFFFF DAE000C7 ; Alex' patch
5FFB24: FFFFFFFF DAFF80FB ; My patch
5FFB28: FFFFFFFF CC00CC00 ; free for further use
5FFB2C: FFFF DB00
5FFB80: 88 C0 : mov [-r0], r12
5FFB82: 88 D0 : mov [-r0], r13
5FFB84: 88 90 : mov [-r0], r9
5FFB86: D7 40 36 00 : extp #36h, #1
5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C
5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8
5FFB92: D7 40 36 00 : extp #36h, #1
5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2
5FFB9A: 2E FC : bclr r12.2 <= always cleared first
5FFB9C: D7 40 0D 00 : extp #0Dh, #1
5FFBA0: F2 FD DE 25 : mov r13, mem_25DE ;0D:25DE= RAM time hours
5FFBA4: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00
5FFBA8: 8D 07 : jmpr cc_C, 15 ; if r13 < 17 then jump to 5FFBB8
5FFBAA: 48 D7 : cmp r13, #7h ; compare r13 with #7h
5FFBAC: 9D 05 : jmpr cc_NC,13 ; if r13 >= 7 then jump to 5FFBB8
5FFBAE: 2F FC : bset r12.2 <= to set flag of APP Profile2 Function 3
5FFBB0: D7 40 0D 00 : EXTP #36H, #1
5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12
5FFBB8: 98 90 : mov r9, [r0+]
5FFBBA: 98 D0 : mov r13, [r0+]
5FFBBC: 98 C0 : mov r12, [r0+]
5FFBBE: 46 FC FF FF : cmp r12, #0FFFFh ;original routine
5FFBC2: DB 00 : ret

Then my phone died. hehehe. What's wrong with the above sir? Is there a conflict if the 2 patches use the same Rw?

I also tried this:
40C722: BB 1C : callr loc_40C75C (previously CC00) in Alex's patch. This was used to call the Auto light function of his patch.
40C75C: D7 40 36 00 : extp #36h, #1
40C760: E6 FE 6C 09 : mov r14, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2
40C764: 2E FE : bclr r14.2 <= always cleared first
40C766: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00
40C76A: 8D 07 : jmpr cc_C, 17 ; if r13 < 17 then jump to 40C77A
40C76C: 48 D7 : cmp r13, #7h ; compare r13 with #7h
40C76E: 9D 05 : jmpr cc_NC,13 ; if r13 >= 7 then jump to 40C77A
40C770: 2F FE : bset r14.2 <= to set flag of APP Profile2 Function 3
40C772: D7 40 0D 00 : EXTP #36H, #1
40C776: F6 FE 6C 09 : mem_D896C, mov r14
40C77A: CB 00 : ret

VKP file: (the data changed were the ones used by Alex's patch to call Auto light, which i did not use)
40C722: CC00 BB1C
40C75C: E6003600 D7403600
40C760: CC00F3F8 E6FE6C09
40C764: F90A 2EFE
40C766: 46FD1100 46FD1100
40C76A: 8D06 8D07
40C76C: 66F4 48D7
40C76E: 0400 9D05
40C770: 3D02 2FFE
40C772: DADE2617 D7400D00
40C776: CB0046FD F6FE6C09
40C77A: 0800 CB00
40C77C: 8DF766F4 FFFFFFFF
40C780: 04002D02DADE3817 FFFFFFFFFFFFFFFF
40C788: CB00FFFFFFFFFFFF FFFFFFFFFFFFFFFF
My phone didnt die hehehe but ANM wasnt SET also

In a Show Icon/home/phone patch, 27EBE0: DAA3102C : calls 0A3h, loc_A32C10. If i disasm the loc_A32C10, this comes out:
A32C10: 00 00 : add r0, r0
what does it do? I'd like to know because lots of patches calls on loc like this.

About vkp disasm, how come if i try sfe d patchname.vkp,offset,bytes on the patches i saved for S45, it doesnt work? But if i try it on SL45 patches, it works.

lalo.lerry · 02-11-2005, 17:51

@Student Charlie:

Quote:

Orig fw:
3B36C6: 46 FC FF FF : cmp r12, #0FFFFh
Patched w/ Auto Profile fw:
3B36C6: DA E0 00 C7 : calls 0E0h, loc_E0C700
In Orig fw, loc 3B36C6 is cmp command. Then Alex inserted his Auto Patch
but in the line before rets command, he re inserted the orig command.
40C72C: 46 FC FF FF : cmp r12, #0FFFFh ;original routine
40C730: DB 00 : rets
So if i do my patch also, i have to re insert the orig command too?
do the other insert points used by other Masters re insert the orig
command too?

1.Yes
2.Yes, in 99% cases (=when there is a call to patch routine).

About phone crash:
eheheh... if my pour "prototype" S45i could speak...
Patch errors:

5FFB20: FFFFFFFF DAE000C7 ; Alex' patch ;did you remember to apply it?

5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8 ;why r9.1= profile 1, item 2?

5FFB9A: 2E FC : bclr r12.2 <= always cleared first ;ok, but you need to store it back to RAM NAM mem.

Then my phone died. hehehe. What's wrong with the above sir? Is there a conflict if the 2 patches use the same Rw? No, I think not this the reason.

Anyway, this is not the best way to use the same fw routine for as starting point for 2 patches, because you have that both patch have to be corrected or reapplyed.
The solution is to find in the same fw routine another starting point (best one are calls).

Quote:

In a Show Icon/home/phone patch, 27EBE0: DAA3102C : calls 0A3h, loc_A32C10. If i disasm the loc_A32C10, this comes out:
A32C10: 00 00 : add r0, r0
what does it do? I'd like to know because lots of patches calls on loc like this.

I don't have that result.
Have you remembered to subtract base address?
call to A32C10 = fw offset 32C10...

Quote:

About vkp disasm, how come if i try sfe d patchname.vkp,offset,bytes on the patches i saved for S45, it doesnt work? But if i try it on SL45 patches, it works.

I cannot believe in this SFE "SL45 preferences"

You make some minor errors, IMHO...

rizapn · 02-11-2005, 23:34

About sfe disasm directly from patch file :

- it may caused by the different patch file format, especially in address usage. sfe recognize *only* "0xZZZZZZ:" and "ZZZZZZ:", 6 digit address format. If some address is not written in 6 digits, it will NOT be disasm correctly.

ps:
- it is corrected in the sfe v2.40 ...

charlielao · 02-12-2005, 01:38

@Master Rizapn:
Thank you for your posts. And for the sfe v2.4

@Prof Lalo:

Quote:

5FFB20: FFFFFFFF DAE000C7 ; Alex' patch ;did you remember to apply it?

Yes it has been applied.

Quote:

5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8 ;why r9.1= profile 1, item 2?

Profile 2 Function 2 Prof

so that i can clear the auto ANM without clearing
the Auto Profile too. And yes i remembered to set it whn i tested the patch.

I found this call at Orig fw :
3B3648: DA C7 40 EE : calls 0C7h, loc_C7EE40
can i use it for my entry? hehehe

How does AT+CGSN work? How do i use it? My understanding of Master Rizapn's patch is to patch it on my phone, connect my phone with sync station, then i dont know next step hehehe.

charlielao · 02-12-2005, 03:08

@Prof Lalo:
Patched phone with this. Phone Dead hehehe

3B36F8: DAA2A2C6 DAFF80FB
5FFB80: 88 C0 : mov [-r0], r12
5FFB82: 88 D0 : mov [-r0], r13
5FFB84: 88 90 : mov [-r0], r9
5FFB86: D7 40 36 00 : extp #36h, #1
5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C
5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8
5FFB92: D7 40 36 00 : extp #36h, #1
5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2
5FFB9A: 2E FC : bclr r12.2 <= always cleared first
5FFB9C: D7 40 0D 00 : extp #0Dh, #1
5FFBA0: F2 FD DE 25 : mov r13, mem_25DE ;0D:25DE= RAM time hours
5FFBA4: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00
5FFBA8: 8D 03 : jmpr cc_C, 9 ; if r13 < 17 then jump to 5FFBB0
5FFBAA: 48 D7 : cmp r13, #7h ; compare r13 with #7h
5FFBAC: 9D 01 : jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0
5FFBAE: 2F FC : bset r12.2 <= to set flag of APP Profile2 Function 3
5FFBB0: D7 40 0D 00 : EXTP #36H, #1
5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12
5FFBB8: 98 90 : mov r9, [r0+]
5FFBBA: 98 D0 : mov r13, [r0+]
5FFBBC: 98 C0 : mov r12, [r0+]
5FFBBE: DA A2 A2 C6
5FFBC2: DB 00 : ret

lalo.lerry · 02-12-2005, 04:57

@Student Charlie:
Errors:

5FFB86: D7 40 36 00 : extp #36h, #1
5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C
...
5FFB92: D7 40 36 00 : extp #36h, #1
5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=st

why you take twice the same word?
Not fatal error but you can save bytes deleting second extp

5FFBB0: D7 40 0D 00 : EXTP #36H, #1
5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12

0D:6C09=3496C, NOT D896C
change 0D with 36

If still not working:
try another starting point
Is vkp file exactly the same?
There are patches conflicts whe applying it?
Phone work perfectly without this patch?
Can you try with orignal fubu?

Bye

charlielao · 02-12-2005, 05:40

Oooppss sorry about the double trouble hehehe. Ill recheck the patch.
No conlficts when applying the patch. But if i undo it, there are some words changed to 00, which, in my patch, is not 00.

In smelter, what's the use of Offset number in languages menu?
4E5198: Message Not sent!

charlielao · 02-12-2005, 09:32

@Prof Lalo:
I found the Error why my phone dies. This line:
46FD0700 ; cmp r13, #7h
using SFE, type sfe a "cmp r13, #7h" =
48 D7 : cmp r13, #7h <= this comes out intead of the one above.

This patch, when i set the P2F16, and i go to main screen, then i go back to APP menu, the P2F16 is not set anymore but P2F1 is set. weird.
3B36F8: DAA2A2C6 DAFF80FB
5FFB80: FFFF 88D0 ; mov [-r0], r13
5FFB82: FFFF 8890 ; mov [-r0], r9
5FFB84: FFFFFFFF D7403600 ; extp #36h, #1
5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C
5FFB8C: FFFFFFFF 9AF90FF0 ; jnb r9.15, 35 loc_5FFBB0
5FFB90: FFFFFFFF D7400D00 ; extp #0Dh, #1
5FFB94: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours
5FFB98: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00
5FFB9C: FFFF 8D04 ; jmpr cc_C, 9 ; if r13 < 17 then jump to 5FFBB0
5FFB9E: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h
5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0
5FFBA4: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3
5FFBA6: FFFFFFFF D7403600 ; EXTP #36H, #1
5FFBAA: FFFFFFFF F6F96C09 ; mem_D896C, mov r9
5FFBAE: FFFF 9890 ; mov r9, [r0+]
5FFBB0: FFFF 98D0 ; mov r13, [r0+]
5FFBB2: FFFFFFFF DAA2A2C6
5FFBB6: FFFF DB00

This 2nd patch, my phone is working normal. But when i set the P2F16, nothing happens to P2F3 at 17:00.
3B36F8: DAA2A2C6 DAFF80FB
5FFB80: FFFF 88D0 ; mov [-r0], r13
5FFB82: FFFF 8890 ; mov [-r0], r9
5FFB84: FFFFFFFF D7403600 ; extp #36h, #1
5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C
5FFB8C: FFFFFFFF 9AF90BF0 ; jnb r9.15, 27 loc_5FFBB0
5FFB90: FFFFFFFF D7400D00 ; extp #0Dh, #1
5FFB94: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours
5FFB98: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00
5FFB9C: FFFF 8D04 ; jmpr cc_C, 11 ; if r13 < 17 then jump to 5FFBB0
5FFB9E: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h
5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0
5FFBA4: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3
5FFBA6: FFFF 9890 ; mov r9, [r0+]
5FFBA8: FFFF 98D0 ; mov r13, [r0+]
5FFBB0: FFFFFFFF DAA2A2C6
5FFBB4: FFFF DB00

Do i have to call C7DE42 ;Application active handler EP? How do i insert it and where?

Also, i still cannot disasm your patches for s45 with sfe v2.4

lalo.lerry · 02-13-2005, 00:21

@Stud Charlie:

cmp r13, #7h
You can write in both ways, using a word command or a dw one.
So SFE isn't compiling it wrongly.
Very strange... maybe is related to the use of dw command in the line before. Perhaps MASTER could answer us something more.

Errors:
in both versions
2E FC : bclr r12.2 ;missing command

Do i have to call C7DE42 ;Application active handler EP?
ABSOLUTLY NO!
This call is ued to refresh menu item active hadler only if you are in it.
Just crash phone if you use it here.

Also, i still cannot disasm your patches for s45 with sfe v2.4
Wait for Riza, or use my good old method

rizapn · 02-13-2005, 01:00

Asm & Disasm:

Yes ... cmp r13, #7h could be assembled as : 46FD0700 and also : 48D7, and both are correct (refer to m166ism.pdf file page 15 & 54). Some other commands has also similar thing if the 2nd parameter is #data3 (3 bit data).

Using sfe, try this : sfe d "46FD070048D7" and you will get 2 lines with the same output, cmp r13,#7h ...

By default, sfe try to get the shortest bytecode when assembling a commands. To generate always 4 bytes command, use something like this : cmp r13, #007h (add 2 leading zero in the value).

@charlielao: could you attach yours Lalo's patch file which is not able to disasm by you using sfe 2.40 ?

charlielao · 02-14-2005, 00:51

@Prof Lalo:
If i dont put the bclr line, what happens? What's the effect if i dont put it?
Also, this is how i try to test a patch: After writing it, i patch it on my phone then turn it on. Most of the time my phone dies hehehe.
Is there a better method of testing a patch without patching to the phone first? I dont understand what asm file is.
@ Master Rizapn:
;*** UWS. Unsent SMS Waring Sound ***

;Firmware : S-ME45i v04
;Author : Lalo
;luki's Siemens Modding Forum <http://www.forumcommunity.net/?c=3784>
;Release : 11.02.05 - v1
;Updated : 12.02.05 - v2 - more situations included

;This patch changes "SMS not sent" MessageBox beep with a warning sound,
;if the SMS has not been (or only partly if multiSMS) sent.

4A3496: DACA4E9A DA8770F1
4A38A8: DAFAD84C DA8776F1
4A4070: DACC5C1A DA877CF1
4A437A: DACA5EA0 DA8782F1

7F170: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DACA4E9A0D08DAFAD84C0D05DACC5C1A
7F180: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0D02DACA5EA0DACAB89CE6FC6700DACD
7F190: FFFFFFFFFFFF 3EDBFACA629C

;CUSTOMIZATION:
;Change warning sound type (uncomment):
;7E18C: 67 xx
;where xx is a sound taken from word sounds list

;NOTE: If you find some other situations in which SMS in not sent but there is no waring sound,
;please report to me and I'll try to add them.

lalo.lerry · 02-14-2005, 01:28

@Stu Charlie:
1.if you don't put bclr command item of APP Profile2 Function 3 will alway be flagged, no auto-deflagging at wished time.

2.No, I don't know another method (except making better patches *g*)

3.An asm file is the source file which you write when making a patch, that is complied by a compiler (SFE in this case, or Keil, or Tasking,...), to have the object file (the patch, in this case).
So the asm file is a txt where you write down you asm command, using mnem
Bye

charlielao · 02-14-2005, 04:26

@Prof Lalo:
I saw this error in my previous patch:
5FFB9C: FFFF 8D04 ; jmpr cc_C, 11 ; if r13 < 17 then jump to 5FFBB0
5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0
because if time=5:00 then it will go directly to exit of patch instead of passing through the line 5FFBA2.
I made this version:
3B36F8: DAA2A2C6 DAFF80FB
5FFB80: FFFF 88D0 ; mov [-r0], r13
5FFB82: FFFF 8890 ; mov [-r0], r9
5FFB84: FFFFFFFF D7403600 ; extp #36h, #1
5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C
5FFB8C: FFFFFFFF 9AF90CF0 ; jnb r9.15, 29 loc_5FFBB0
5FFB90: FFFF 2EF9 ; bclr r9.2
5FFB92: FFFFFFFF D7400D00 ; extp #0Dh, #1
5FFB96: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours
5FFB9A: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00
5FFB9E: FFFF 9D03 ; jmpr cc_NC, 9 ;if r13 >= 17 then jump to 5FFBA6
5FFBA0: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h
5FFBA4: FFFF 9D01 ; jmpr cc_NC, 5 ; if r13 >= 7 then jump to 5FFBA8
5FFBA6: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3
5FFBA8: FFFF 9890 ; mov r9, [r0+]
5FFBAA: FFFF 98D0 ; mov r13, [r0+]
5FFBAC: FFFFFFFF DAA2A2C6
5FFBB0: FFFF DB00

But still wont SET the P2F3.

lalo.lerry · 02-14-2005, 05:27

@Stu Charlie:
the problem is still in CC option or that that patch is not called.
Please, tell me how do you want patch works (=which time on, which time off).
How is now, it P2F3 should be flagged between 17-6 and unflagged 7-16, is this what you want?
If still not working try another Starting Point (e.g. Alex one, just for try)

BTW, was P2F16 flagged?

charlielao · 02-14-2005, 06:18

@VERY PATIENT Prof Lalo

I want P2F3 to be flagged (turned ON) from 17:00 to 06:00. Then Tuned OFF at 07:00 to 16:00
Yes sir. P2F16 was flagged.
Ive tried using Alex Enrty too. Nothing happens

02-11-2005, 04:04	#31 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@Professor Lalo: Orig fw: 3B36C6: 46 FC FF FF : cmp r12, #0FFFFh Patched w/ Auto Profile fw: 3B36C6: DA E0 00 C7 : calls 0E0h, loc_E0C700 In Orig fw, loc 3B36C6 is cmp command. Then Alex inserted his Auto Patch but in the line before rets command, he re inserted the orig command. 40C72C: 46 FC FF FF : cmp r12, #0FFFFh ;original routine 40C730: DB 00 : rets So if i do my patch also, i have to re insert the orig command too? do the other insert points used by other Masters re insert the orig command too? I patched my phone with this: 3B36C6: DAE000C7 DAFF20FB ; reroute to call 2 patches 5FFB20: FFFFFFFF DAE000C7 ; Alex' patch 5FFB24: FFFFFFFF DAFF80FB ; My patch 5FFB28: FFFFFFFF CC00CC00 ; free for further use 5FFB2C: FFFF DB00 5FFB80: 88 C0 : mov [-r0], r12 5FFB82: 88 D0 : mov [-r0], r13 5FFB84: 88 90 : mov [-r0], r9 5FFB86: D7 40 36 00 : extp #36h, #1 5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C 5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8 5FFB92: D7 40 36 00 : extp #36h, #1 5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2 5FFB9A: 2E FC : bclr r12.2 <= always cleared first 5FFB9C: D7 40 0D 00 : extp #0Dh, #1 5FFBA0: F2 FD DE 25 : mov r13, mem_25DE ;0D:25DE= RAM time hours 5FFBA4: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00 5FFBA8: 8D 07 : jmpr cc_C, 15 ; if r13 < 17 then jump to 5FFBB8 5FFBAA: 48 D7 : cmp r13, #7h ; compare r13 with #7h 5FFBAC: 9D 05 : jmpr cc_NC,13 ; if r13 >= 7 then jump to 5FFBB8 5FFBAE: 2F FC : bset r12.2 <= to set flag of APP Profile2 Function 3 5FFBB0: D7 40 0D 00 : EXTP #36H, #1 5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12 5FFBB8: 98 90 : mov r9, [r0+] 5FFBBA: 98 D0 : mov r13, [r0+] 5FFBBC: 98 C0 : mov r12, [r0+] 5FFBBE: 46 FC FF FF : cmp r12, #0FFFFh ;original routine 5FFBC2: DB 00 : ret Then my phone died. hehehe. What's wrong with the above sir? Is there a conflict if the 2 patches use the same Rw? I also tried this: 40C722: BB 1C : callr loc_40C75C (previously CC00) in Alex's patch. This was used to call the Auto light function of his patch. 40C75C: D7 40 36 00 : extp #36h, #1 40C760: E6 FE 6C 09 : mov r14, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2 40C764: 2E FE : bclr r14.2 <= always cleared first 40C766: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00 40C76A: 8D 07 : jmpr cc_C, 17 ; if r13 < 17 then jump to 40C77A 40C76C: 48 D7 : cmp r13, #7h ; compare r13 with #7h 40C76E: 9D 05 : jmpr cc_NC,13 ; if r13 >= 7 then jump to 40C77A 40C770: 2F FE : bset r14.2 <= to set flag of APP Profile2 Function 3 40C772: D7 40 0D 00 : EXTP #36H, #1 40C776: F6 FE 6C 09 : mem_D896C, mov r14 40C77A: CB 00 : ret VKP file: (the data changed were the ones used by Alex's patch to call Auto light, which i did not use) 40C722: CC00 BB1C 40C75C: E6003600 D7403600 40C760: CC00F3F8 E6FE6C09 40C764: F90A 2EFE 40C766: 46FD1100 46FD1100 40C76A: 8D06 8D07 40C76C: 66F4 48D7 40C76E: 0400 9D05 40C770: 3D02 2FFE 40C772: DADE2617 D7400D00 40C776: CB0046FD F6FE6C09 40C77A: 0800 CB00 40C77C: 8DF766F4 FFFFFFFF 40C780: 04002D02DADE3817 FFFFFFFFFFFFFFFF 40C788: CB00FFFFFFFFFFFF FFFFFFFFFFFFFFFF My phone didnt die hehehe but ANM wasnt SET also In a Show Icon/home/phone patch, 27EBE0: DAA3102C : calls 0A3h, loc_A32C10. If i disasm the loc_A32C10, this comes out: A32C10: 00 00 : add r0, r0 what does it do? I'd like to know because lots of patches calls on loc like this. About vkp disasm, how come if i try sfe d patchname.vkp,offset,bytes on the patches i saved for S45, it doesnt work? But if i try it on SL45 patches, it works. Last edited by charlielao; 02-11-2005 at 09:36.

02-11-2005, 23:34	#33 (permalink)
rizapn No Life Poster Join Date: Mar 2002 Location: -[r0]- Age: 53 Posts: 834 Member: 9891 Status: Offline Thanks Meter: 2	About sfe disasm directly from patch file : - it may caused by the different patch file format, especially in address usage. sfe recognize only "0xZZZZZZ:" and "ZZZZZZ:", 6 digit address format. If some address is not written in 6 digits, it will NOT be disasm correctly. ps: - it is corrected in the sfe v2.40 ... Last edited by rizapn; 02-12-2005 at 00:28.

02-12-2005, 04:57	#36 (permalink)
lalo.lerry No Life Poster Join Date: Jan 2004 Location: Italy Age: 49 Posts: 1,018 Member: 50673 Status: Offline Thanks Meter: 2	@Student Charlie: Errors: 5FFB86: D7 40 36 00 : extp #36h, #1 5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C ... 5FFB92: D7 40 36 00 : extp #36h, #1 5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=st why you take twice the same word? Not fatal error but you can save bytes deleting second extp 5FFBB0: D7 40 0D 00 : EXTP #36H, #1 5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12 0D:6C09=3496C, NOT D896C change 0D with 36 If still not working: try another starting point Is vkp file exactly the same? There are patches conflicts whe applying it? Phone work perfectly without this patch? Can you try with orignal fubu? Bye Last edited by lalo.lerry; 02-12-2005 at 05:17.

02-12-2005, 09:32	#38 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@Prof Lalo: I found the Error why my phone dies. This line: 46FD0700 ; cmp r13, #7h using SFE, type sfe a "cmp r13, #7h" = 48 D7 : cmp r13, #7h <= this comes out intead of the one above. This patch, when i set the P2F16, and i go to main screen, then i go back to APP menu, the P2F16 is not set anymore but P2F1 is set. weird. 3B36F8: DAA2A2C6 DAFF80FB 5FFB80: FFFF 88D0 ; mov [-r0], r13 5FFB82: FFFF 8890 ; mov [-r0], r9 5FFB84: FFFFFFFF D7403600 ; extp #36h, #1 5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C 5FFB8C: FFFFFFFF 9AF90FF0 ; jnb r9.15, 35 loc_5FFBB0 5FFB90: FFFFFFFF D7400D00 ; extp #0Dh, #1 5FFB94: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours 5FFB98: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00 5FFB9C: FFFF 8D04 ; jmpr cc_C, 9 ; if r13 < 17 then jump to 5FFBB0 5FFB9E: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h 5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0 5FFBA4: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3 5FFBA6: FFFFFFFF D7403600 ; EXTP #36H, #1 5FFBAA: FFFFFFFF F6F96C09 ; mem_D896C, mov r9 5FFBAE: FFFF 9890 ; mov r9, [r0+] 5FFBB0: FFFF 98D0 ; mov r13, [r0+] 5FFBB2: FFFFFFFF DAA2A2C6 5FFBB6: FFFF DB00 This 2nd patch, my phone is working normal. But when i set the P2F16, nothing happens to P2F3 at 17:00. 3B36F8: DAA2A2C6 DAFF80FB 5FFB80: FFFF 88D0 ; mov [-r0], r13 5FFB82: FFFF 8890 ; mov [-r0], r9 5FFB84: FFFFFFFF D7403600 ; extp #36h, #1 5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C 5FFB8C: FFFFFFFF 9AF90BF0 ; jnb r9.15, 27 loc_5FFBB0 5FFB90: FFFFFFFF D7400D00 ; extp #0Dh, #1 5FFB94: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours 5FFB98: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00 5FFB9C: FFFF 8D04 ; jmpr cc_C, 11 ; if r13 < 17 then jump to 5FFBB0 5FFB9E: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h 5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0 5FFBA4: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3 5FFBA6: FFFF 9890 ; mov r9, [r0+] 5FFBA8: FFFF 98D0 ; mov r13, [r0+] 5FFBB0: FFFFFFFF DAA2A2C6 5FFBB4: FFFF DB00 Do i have to call C7DE42 ;Application active handler EP? How do i insert it and where? Also, i still cannot disasm your patches for s45 with sfe v2.4 Last edited by charlielao; 02-12-2005 at 10:02.

02-14-2005, 05:27	#44 (permalink)
lalo.lerry No Life Poster Join Date: Jan 2004 Location: Italy Age: 49 Posts: 1,018 Member: 50673 Status: Offline Thanks Meter: 2	@Stu Charlie: the problem is still in CC option or that that patch is not called. Please, tell me how do you want patch works (=which time on, which time off). How is now, it P2F3 should be flagged between 17-6 and unflagged 7-16, is this what you want? If still not working try another Starting Point (e.g. Alex one, just for try) BTW, was P2F16 flagged? Last edited by lalo.lerry; 02-14-2005 at 05:55.

02-12-2005, 03:08	#35 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@Prof Lalo: Patched phone with this. Phone Dead hehehe 3B36F8: DAA2A2C6 DAFF80FB 5FFB80: 88 C0 : mov [-r0], r12 5FFB82: 88 D0 : mov [-r0], r13 5FFB84: 88 90 : mov [-r0], r9 5FFB86: D7 40 36 00 : extp #36h, #1 5FFB8A: F2 F9 6C 09 : mov r9, mem_D896C 5FFB8E: 9A F9 13 10 : jnb r9.1, loc_5FFBB8 5FFB92: D7 40 36 00 : extp #36h, #1 5FFB96: F2 FC 6C 09 : mov r12, mem_D896C <=store word value of RAM loc 0036:096C; APP Profile 2 5FFB9A: 2E FC : bclr r12.2 <= always cleared first 5FFB9C: D7 40 0D 00 : extp #0Dh, #1 5FFBA0: F2 FD DE 25 : mov r13, mem_25DE ;0D:25DE= RAM time hours 5FFBA4: 46 FD 11 00 : cmp r13, #11h ; compare r13=hours, with #11h=17:00 5FFBA8: 8D 03 : jmpr cc_C, 9 ; if r13 < 17 then jump to 5FFBB0 5FFBAA: 48 D7 : cmp r13, #7h ; compare r13 with #7h 5FFBAC: 9D 01 : jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0 5FFBAE: 2F FC : bset r12.2 <= to set flag of APP Profile2 Function 3 5FFBB0: D7 40 0D 00 : EXTP #36H, #1 5FFBB4: F6 FC 6C 09 : mem_D896C, mov r12 5FFBB8: 98 90 : mov r9, [r0+] 5FFBBA: 98 D0 : mov r13, [r0+] 5FFBBC: 98 C0 : mov r12, [r0+] 5FFBBE: DA A2 A2 C6 5FFBC2: DB 00 : ret

02-12-2005, 05:40	#37 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	Oooppss sorry about the double trouble hehehe. Ill recheck the patch. No conlficts when applying the patch. But if i undo it, there are some words changed to 00, which, in my patch, is not 00. In smelter, what's the use of Offset number in languages menu? 4E5198: Message Not sent!

02-13-2005, 00:21	#39 (permalink)
lalo.lerry No Life Poster Join Date: Jan 2004 Location: Italy Age: 49 Posts: 1,018 Member: 50673 Status: Offline Thanks Meter: 2	@Stud Charlie: cmp r13, #7h You can write in both ways, using a word command or a dw one. So SFE isn't compiling it wrongly. Very strange... maybe is related to the use of dw command in the line before. Perhaps MASTER could answer us something more. Errors: in both versions 2E FC : bclr r12.2 ;missing command Do i have to call C7DE42 ;Application active handler EP? ABSOLUTLY NO! This call is ued to refresh menu item active hadler only if you are in it. Just crash phone if you use it here. Also, i still cannot disasm your patches for s45 with sfe v2.4 Wait for Riza, or use my good old method

02-13-2005, 01:00	#40 (permalink)
rizapn No Life Poster Join Date: Mar 2002 Location: -[r0]- Age: 53 Posts: 834 Member: 9891 Status: Offline Thanks Meter: 2	Asm & Disasm: Yes ... cmp r13, #7h could be assembled as : 46FD0700 and also : 48D7, and both are correct (refer to m166ism.pdf file page 15 & 54). Some other commands has also similar thing if the 2nd parameter is #data3 (3 bit data). Using sfe, try this : sfe d "46FD070048D7" and you will get 2 lines with the same output, cmp r13,#7h ... By default, sfe try to get the shortest bytecode when assembling a commands. To generate always 4 bytes command, use something like this : cmp r13, #007h (add 2 leading zero in the value). @charlielao: could you attach yours Lalo's patch file which is not able to disasm by you using sfe 2.40 ?

02-14-2005, 00:51	#41 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@Prof Lalo: If i dont put the bclr line, what happens? What's the effect if i dont put it? Also, this is how i try to test a patch: After writing it, i patch it on my phone then turn it on. Most of the time my phone dies hehehe. Is there a better method of testing a patch without patching to the phone first? I dont understand what asm file is. @ Master Rizapn: ;* UWS. Unsent SMS Waring Sound * ;Firmware : S-ME45i v04 ;Author : Lalo ;luki's Siemens Modding Forum <http://www.forumcommunity.net/?c=3784> ;Release : 11.02.05 - v1 ;Updated : 12.02.05 - v2 - more situations included ;This patch changes "SMS not sent" MessageBox beep with a warning sound, ;if the SMS has not been (or only partly if multiSMS) sent. 4A3496: DACA4E9A DA8770F1 4A38A8: DAFAD84C DA8776F1 4A4070: DACC5C1A DA877CF1 4A437A: DACA5EA0 DA8782F1 7F170: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF DACA4E9A0D08DAFAD84C0D05DACC5C1A 7F180: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 0D02DACA5EA0DACAB89CE6FC6700DACD 7F190: FFFFFFFFFFFF 3EDBFACA629C ;CUSTOMIZATION: ;Change warning sound type (uncomment): ;7E18C: 67 xx ;where xx is a sound taken from word sounds list ;NOTE: If you find some other situations in which SMS in not sent but there is no waring sound, ;please report to me and I'll try to add them.

02-14-2005, 01:28	#42 (permalink)
lalo.lerry No Life Poster Join Date: Jan 2004 Location: Italy Age: 49 Posts: 1,018 Member: 50673 Status: Offline Thanks Meter: 2	@Stu Charlie: 1.if you don't put bclr command item of APP Profile2 Function 3 will alway be flagged, no auto-deflagging at wished time. 2.No, I don't know another method (except making better patches g) 3.An asm file is the source file which you write when making a patch, that is complied by a compiler (SFE in this case, or Keil, or Tasking,...), to have the object file (the patch, in this case). So the asm file is a txt where you write down you asm command, using mnem Bye

02-14-2005, 04:26	#43 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@Prof Lalo: I saw this error in my previous patch: 5FFB9C: FFFF 8D04 ; jmpr cc_C, 11 ; if r13 < 17 then jump to 5FFBB0 5FFBA2: FFFF 9D01 ; jmpr cc_NC,5 ; if r13 >= 7 then jump to 5FFBB0 because if time=5:00 then it will go directly to exit of patch instead of passing through the line 5FFBA2. I made this version: 3B36F8: DAA2A2C6 DAFF80FB 5FFB80: FFFF 88D0 ; mov [-r0], r13 5FFB82: FFFF 8890 ; mov [-r0], r9 5FFB84: FFFFFFFF D7403600 ; extp #36h, #1 5FFB88: FFFFFFFF F2F96C09 ; mov r9, mem_D896C 5FFB8C: FFFFFFFF 9AF90CF0 ; jnb r9.15, 29 loc_5FFBB0 5FFB90: FFFF 2EF9 ; bclr r9.2 5FFB92: FFFFFFFF D7400D00 ; extp #0Dh, #1 5FFB96: FFFFFFFF F2FDDE25 ; mov r13, mem_25DE ;0D:25DE= RAM time hours 5FFB9A: FFFFFFFF 46FD1100 ; cmp r13, #11h ; compare r13=hours, with #11h=17:00 5FFB9E: FFFF 9D03 ; jmpr cc_NC, 9 ;if r13 >= 17 then jump to 5FFBA6 5FFBA0: FFFFFFFF 46FD0700 ; cmp r13, #7h ; compare r13 with #7h 5FFBA4: FFFF 9D01 ; jmpr cc_NC, 5 ; if r13 >= 7 then jump to 5FFBA8 5FFBA6: FFFF 2FF9 ; bset r9.2 <= to set flag of APP Profile2 Function 3 5FFBA8: FFFF 9890 ; mov r9, [r0+] 5FFBAA: FFFF 98D0 ; mov r13, [r0+] 5FFBAC: FFFFFFFF DAA2A2C6 5FFBB0: FFFF DB00 But still wont SET the P2F3.

02-14-2005, 06:18	#45 (permalink)
charlielao No Life Poster Join Date: May 2004 Posts: 501 Member: 66040 Status: Offline Thanks Meter: 14	@VERY PATIENT Prof Lalo I want P2F3 to be flagged (turned ON) from 17:00 to 06:00. Then Tuned OFF at 07:00 to 16:00 Yes sir. P2F16 was flagged. Ive tried using Alex Enrty too. Nothing happens Last edited by charlielao; 02-14-2005 at 06:33.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
how to Add profile logo font like this picture ?	blazefr	Siemens-Benq Flash Patching	12	06-05-2005 09:01
NEWEST profile logo patch - SME45iv04	genetic1	Siemens-Benq Flash Patching	0	11-01-2004 23:19
SOL Selectable Operator Logo Patch	Kromonos	Siemens-Benq Flash Patching	8	12-24-2003 11:30
selectable operator logo patch	Shibby86	Siemens-Benq Flash Patching	4	06-18-2003 16:06
Selectable Operator Logo patch problem	wong	Siemens-Benq Flash Patching	0	06-17-2003 16:57