S/ME45i-v04: Flash Patching ...

[lalo.lerry]

keil uVision, I know it.
Some patchers use it to make their patches (e.g. Acid).
Others (e.g.Mamaich) use Tasking C166 complier, or other compliers...
I don't use them, I (and the most ones) prefer to make them with Riza's SFE, or to work directly with opcodes.
Just a metter of taste and habbit.

[genetic1]

@Lalo:

Quote:

;Nobody notice this very little bug?

...now, that you approach about...

Could it be, that little bug was this => incomming flash SMS where not displayed in screensaver mode - only in idle?

I've applied new version, but not tested yet - but I think it's 100% okay!

BR

genetic1

[lalo.lerry]

@genetic:
quite right!
the bug was that if a info string type 3 (beetwen 8 types, 3=Immediate Flash Message) arrived, it was displayed but only the first 15 characters, didn't scroll.
Now is fixed.

[fcotrina]

; LKM 1.0 Loadable Kernel Modules
; Firmware : S45iv4
; Author: cotrinaf
; Created: 06.12.2004
; Based in LPF by DeadManS
; With some ideas taken from lalo.lerry and RizaPN
; This patch will load a file in RAM and can run it
; First: Apply this patch
; Second: Create a silly patch and generate the code (.bin file)
; Alternativelly, use vkp2bin
; Third: Name that file as PPPPOOOO.bin ,
; where PPPP is the page, OOOO is the offset
; Fourth: Copy PPPPOOOO.bin into FLEXmem with Data Exchange Software
; It must go to A:\ , not to A:\ Misc
; Five: On the phone, go to Menu->Surf&fun->Explorer->PPPPOOOO.bin
; and Options->Attributes->Select
; Six: Press key Dictaphone . This will load the loadable module
; Seven: Go to any menu, and press Dictaphone key to run the module
; example: use vkp2bin to convert this silly patch
; 0x000000: 88C088D088E088F08880E6FDAE00D740
; 0x000010: 3E00A8ED5C2ED7403E00B8EDE028DACD
; 0x000020: 7EDC98F098E098D098C0DB00
; and rename as 00400900.bin
; Then, start playing StackAttack. Press Dictaphone and your
; score will be multiplied by 2 , and a short beep will play.
; known bugs: -sometimes the module runs twice
; -once the module has been loaded, the file can not be deleted. Rename it.
; limitations:-there is no indication that the module has been loaded
; -only runs the last loaded module
; -files must be in the A:\ , not anywhere else
; -it will blindly write to the address, and fail if it is in ROM
; -modules must be smaller than 256 bytes
; -this version sends debug inforamtion to serial port
; -this version uses the same address as other patches
; -filename can be anything, as long as it ends with PPPPOOOO.bin
; -PPPPOOOO.bin will be loaded in PPPP:OOOO, that is, in
; memory PPPP*4000+OOOO%4000. For example, 00400900.bin will go to 100900h
; I plan to enhance it because I want to create many loadable patches.
; enjoy

base 0A00000h

#include C166.inc
base 0A00000h
org 0A7C6D0h ; some free area
load_file: ; result r5=#20h .run #01h .bin #00h nothing

mov [-r0], r15
mov [-r0], r14
mov [-r0], r13
mov [-r0], r12
mov [-r0], r7
mov [-r0], r6
mov [-r0], r4

mov r13, #012h ; segment for the filename
mov r5, #20h ; how manz times search for \0
mov r14, #1E1Ch ; filename should start in 0012:1E1C at+cgsn:12,1E1C
loop_letter:
extp r13, #1
movb rl4, [r14+]
cmpb rl4, #0h ; por fin: \0
jmpr cc_Z, si0
callr send_number
sub r5,#1h ;not found yet. increase and continue searching
jmpr cc_NZ, loop_letter
jmpr cc_UC, sal

si0:

sub r14,#02h ; 2 bytes before \0 .might be .bin or .run
extp r13, #1
movb rl4, [r14]
callr send_number
cmpb rl4, #'n' ; does not end with 'n'
jmpr cc_NZ, sal

mov r5, #1h ; start with 'i'
sub r14, #01h ; previous char. Might be .bIn or .rUn
extp r13, #1
movb rl4, [r14]
callr send_number
cmpb rl4, #'u'
jmpr cc_NZ, got_iu
mov r5,#20h ; flag that
got_iu:

sub r14, #0Ah ; 12345678.b ; filename start
mov r12, #1E1Ch ; file name

callr r13r14_2i ; get first 4 chars from name: 1234
mov r7, r3

callr r13r14_2i ; 4 next chars: 5678
mov r6, r3


;copy file name from r13:r12 to r7:r6
mov r15, #0
mov [-r0], r5
mov [-r0], r7
mov [-r0], r6

; need to copy the file name somewhere. Use the mem where the content will be stored
mov r14, #0Ch ; copy 0C*2=24 chars
loop_copy_ascii:
extp r13, #1
mov r5,[r12+]
extp r7, #1
mov [r6],r5
add r6, #2h
sub r14, #1
jmpr cc_NZ, loop_copy_ascii
mov r12, [r0+] ; quick way to retrieve r6
mov [-r0], r12
mov r13, r7

calls 0DA2C98h ; search file with name r13:r12
mov r6, [r0+] ; this seems to delete the first letter (in r13:r12)
mov r7, [r0+] ; use this to know if the file has already been loaded
mov r5, [r0+]
cmp r4, #0FFFFh
jmpr cc_Z, sal
mov r12, r4
encontrado:
mov r4,#'M' ; found
callr send_number

mov r4, r12
mov [-r0], r12
mov r14, r7
mov r13, r6
mov r15, #100h
mov [-r0], r5
calls 0DA30F2h ; load file in r14:r13, maximal r5 bytes
mov r12, [r0+]
calls 0DA4AB4h
mov r4,#'L'
callr send_number

;load in 010081Ah the addres where it should jump
mov r5, r7
shl r5, #0Eh
or r6, r5
mov r5, r7
shr r5, #2
movb rh5, rl5

movb rl5, #0FAh ; jmps
mov r4, r6
mov r3, #081Ah
extp #40h,#1
mov [r3], r5
add r3, #02h
extp #40h,#1
mov [r3], r4


mov r5, [r0+] ; exit flag

sal:
mov r4, [r0+]
mov r6, [r0+]
mov r7, [r0+]
mov r12, [r0+]
mov r13, [r0+]
mov r14, [r0+]
mov r15, [r0+]
rets

; debug: send to port
send_rl4:
and r4, #000Fh
add r4, #30h
cmp r4, #3Ah
jmpr cc_ULT, send_number
add r4, #07h
send_number:
movb S0TBUF, rl4
bclr S0TIR ; send to port
right_here:
;idle
;jnb S0TIR, right_here ; need to be connected to serial port
nop
ret

;translate ASCII to value
get_r14:
mov r4, #0
extp r13, #1
movb rl4, [r14+]
cmpb rl4, #3Ah
jmpr cc_ULT, number0
subb rl4, #07h
number0:
subb rl4, #30h
and r4, #000Fh
ret

;translate 4 ASCIIs to their value
r13r14_2i:
mov r15, #4
mov r3, #0
another_r15:
shl r3, #4h
callr get_r14
or r3, r4
callr send_rl4
sub r15, #1h
jmpr cc_NZ, another_r15
ret

; *************************************
; get key
org 0CCB2CCh ; from CCB510
calls key_handler
org 0A7C800h
key_handler:

mov [-r0], r5
mov r13, #0816h

mov r5, r12 ; pressed key
cmp r5, #000Bh ; is dictaphone?
jmpr cc_NZ, exit_no_dict

extp #40h,#1
mov r5, [r13]
cmp r5, #2224h ; just run it?
jmpr cc_Z, exit_no_dict
calls load_file
cmp r5, #20h ; is it an executable?
jmpr cc_NZ, no_run
calls 010081Ah
no_run:
mov r5, #2224h ; done: flag it
jmpr cc_UC, almost_exit:

exit_no_dict:
mov r5, #2222h
almost_exit:
extp #40h,#1
mov [r13], r5

mov r5, [r0+]

; original code from 0CCB2CCh
mov r13,#0
jmps 0CCB2ECh

end


07C6D0: 88F088E088D088C0887088608840E6FD
07C6E0: 1200E6F52000E6FE1C1EDC4D998E4980
07C6F0: 2D04BB6928513DF90D5628E2DC4DA98E
07C700: BB6247F86E003D4FE01528E1DC4DA98E
07C710: BB5A47F875003D02E6F5200026FE0A00
07C720: E6FC1C1EBB62F073BB60F063E00F8850
07C730: 88708860E0CEDC4D985CDC47B8560862
07C740: 28E13DF998C088C0F0D7DADA982C9860
07C750: 9870985046F4FFFF2D26F0C4E6F44D00
07C760: BB32F04C88C0F0E7F0D6E6FF00018850
07C770: DADAF23098C0DADAB44AE6F44C00BB23
07C780: F0575CE57065F0577C25F1BAE7FAFA00
07C790: F046E6F31A08D7404000B8530832D740
07C7A0: 4000B843985098409860987098C098D0
07C7B0: 98E098F0DB0066F40F0006F4300046F4
07C7C0: 3A008D010847F7F8B0FE7EB69AB6CC00
07C7D0: CB00E004DC4D998E47F83A008D012987
07C7E0: 27F8300066F40F00CB00E04FE0035C43
07C7F0: BBF07034BBE028F13DFACB00

2CB2CC: DAA700C8

07C800: 8850E6FD1608F05C46F50B003D10D740
07C810: 4000A85D46F524222D0ADAA7D0C646F5
07C820: 20003D02DA101A08E6F524220D02E6F5
07C830: 2222D7404000B85D9850E00DFACCECB2

[redkin]

Quote:

Originally Posted by fcotrina

; LKM 1.0 Loadable Kernel Modules
; known bugs: -sometimes the module runs twice
; -once the module has been loaded, the file can not be deleted. Rename it.

Hi! Great Work! FYI:
You use functions _open and _read. To close file, use _close in the end.

S45i__open EQU 00DA2C98h
S45i__read EQU 00DA30F2h
S45i__write EQU 00DA3642h
S45i__lseek EQU 00DA3DACh
S45i__close EQU 00DA4AB4h

[fcotrina]

That's exactly the information I was looking for ! Where did you get it from?
I would need the parameters, although probably I can figure them myself.
That might fix some bug in my code. Thanks

[redkin]

One of the main "methods" of discovering theese functions is comparing the code with famous IDA Pro 4.30 base by mamaich for SL45.
( http://mamaich.fu ckru.net )
Some others are discovered by ntcn and other patchers.
BTW, there are some useful functions in firmware:

S45i_strcpy EQU 0FF40A0h ; like C strcpy
S45i_SendComCharRL5 EQU 0CDE6EEh
S45i_ByteRL5ToHexChar EQU 0CDE6FAh

You may use it in your patch.

About parameters of file I/O functions: they should be much like it's C analogues (look for standard C functions documentation), but ntcn and RizaPN said that there are some tricks with it.
You'd better ask them about it.

[ntcn]

Problem (imho, nobody has solved this problem) that functions _open/_close/.. cannot be called from any place of firmware. It is possible to call only from 0DA8102 (S45i_FILE_SYSTEM_proc). But we can set any flag (write "1" to unused area of RAM) and install an additional patch which running from S45i_FILE_SYSTEM_proc and, if the flag ("1") is set, this patch call _open, etc..
how to call S45i_FILE_SYSTEM_proc manually ?
1) Call function for reading a file of the certain type (so does RizaPN) or
2) Use phone menu to perform work with files (I use this method in the CL patch)

[misko903]

patch bugs:
1. my phone dont send correct *.mid files through IrDA to other mobile phones and to PC - i dont know the name of patch, which makes this error
2. patch GPT. Just another GPRS toggle: when i have GPRS in favourites, phone falls.

with honour for best S45i patch creators Lalo, ntcn, Redkin, and others
Antoine [KNet]

[lalo.lerry]

2. GPT.
Apply this fix patch for correct working in favourites:

5D456: 6A 54


Thanks for compliments
Bye

Lalo

[lalo.lerry]

@Redkin:
I've was wondering why some patches I was working had strange behaviours, and finally found out: we are using the same RAM location to store patch state.
Your SSSS patch use RAM address 113800 and following, the same as my at least 5 patch already pubblished.
Morover, I'm developing 3 patch that uses that RAM area.
Not a big problem, but I or you have to move patches to another RAM address, and we have to decide a personal RAM area.
WBR

Lalo

[fcotrina]

@ntcn: Well, in my patch I open a file in the press key handler, not coming from S45i_FILE_SYSTEM_proc. Why does it work? Maybe I am already within S45i_FILE_SYSTEM_proc ?
I ask because I am having a strange problem: I created a patch (screenshot) that open-write-close a file. It works when I call it from a menu. But it fails when I load it with LKM.
Seems that it doesn't like to be called from an interrupt handler.
I will use your technique to flag a pending operation, and call from 0DA8102 .
Thanks for the advise.

@redkin : any alternative link for the SL45 base? the web http://mamaich.fu ckru.net is forbidden by my firewall :-(

Thanks to all.

[genetic1]

@Lalo:

Quote:

I've was wondering why some patches I was working had strange behaviours,

Which paches are affected?

Do you suggest, to undo SSSS and AL&DC for first time, untill "problems" are fixed???

I don't like strange behaviours and unpleasant surprises!!!

I am interested in your opinion.

BR

genetic1

[lalo.lerry]

No, don't worry.
You don't have to undo any of my released patches, even if some of them use the same Ram location of SSSS.
SSSS patch use to show item selected in its menu a state buffer in RAM address 113804 and following 50w
This buffer is used only if you enter the new SSSS menu.
Secondly, my released patches seem not to be affected even if you have entered SSSS menu, because use only a bit, bit 0, as state flag.

Problem arised with 3 patch I'm working, Read SMS while keylock v0.7, Improuved Blinking when Ringing and Missed Events String in idle/screensaver.
I can use another RAM location, there is a lot of normally unused space, but I want to avoid in the future such a not easy to find problem, so we have to decide a "standard".
In the same way, I use for my patch routines a specific fw area and not other, and others patchers let this area free...

[genetic1]

...okay - I think I got it.

It was only a question - thanks for detailed answer!

So I'll wish you, that redkin and yourself, will find your own "standards" in RAM area.

Next I want to wish you already yet a

MARRY CHRISTMAS AND A HAPPY NEW YEAR!!!

Thanks for all support and creating patch(es) during 2nd half of the year...

so here is my patch...

TYL. THANK YOU LALO!

That's it...

genetic1