x65 patching technical discussion

[arsh0r]

i tried SendCommChar, but AT+CGSN:bA8100000 still returns:
- AT Command: ---------------------------------------------------------------------
0A

and stange: when i change filename to: 4:\\%08X.bin\0 (4 is for mmc i think), AT returns the string i composed with sprintf, when i didnt use any sendanswer function at the end of the routine...

edit:
byte the way: you discovered GetSelectedProfile, did you also find some function to change profile? with that we could f.ex. change profile depending which CI:LAC the phone logs in...

[Acidmrp]

what when you call the SendCommString routine by AT+CGSN:c???????? A00063D8
does this works?

GetProfile

Code:

typedef unsigned int (*g_GetProfile)();
g_GetProfile GetProfile = 
(g_GetProfile)(0xA08C88F4 + 1); // S65 FW47

// Pattern: 10B5????????????0478????????201C10BDF8B5

SetProfile

Code:

typedef void (*g_SetProfile)(unsigned int iProfileNumber);
g_SetProfile SetProfile = 
(g_SetProfile)(0xA08C87C2 + 1); // S65 FW47

// Pattern: 10B5041C????????082C0CD2

[arsh0r]

SendCommChar('.'); works. returns something like this: "<<nextline>>."
thanks for the profile functions, i'll check them out...

[Acidmrp]

yes, it's possible that SendCommChar don't send only one char. It's not the low level routine for sending an char to COM Port (not found this yet), it's the high level routine
used by AT Commands for example.

[arsh0r]

with the help of acid i made some minigps patch. it reads files from 0:\Misc\gps\*.txt (create gps folder first!). it saves unknown CI/LAC as "CI-LAC.txt", the content of the file will be displayed as providername.
by the way: does anyone know a good j2me text editor for editiong the files?
i post only the source here. if anyone of you got any ideas/additions to the code, i'll be glad. i also want to change profile when phone logs into another cell, then the file format will be: "name%profilenumber". i didn't implement this yet...

edit: patch crashes phone sometimes, with well known Data_Abort! at Address 0xA128D51C...

[Acidmrp]

ok, maybe try this:

OpenReadCloseFile

Code:

typedef int (*g_OpenReadCloseFile)(char *cFilename, char **cFileData);
g_OpenReadCloseFile OpenReadCloseFile = 
(g_OpenReadCloseFile)(0xA0BDAB06 + 1); // S65 FW47

// Pattern: FEB5071C0C1C002500AB1D

this is an crazy routine, it opens an file, allocate needed memory, reads complete
file content and closes the file. If it returns -1 there was an error, else it returns
readed size.

But you need to free the buffer after use if it don't returns -1. If it returns -1 the
buffer is already free'd.

malloc_high

Code:

typedef char* (*g_malloc_high)(int iSize);
g_malloc_high malloc_high = 
(g_malloc_high)(0xA0BDE680 + 1); // S65 FW47

// Pattern: 10B5002800D110BD????????04

mfree_high

Code:

typedef void (*g_mfree_high)(char *cArray);
g_mfree_high mfree_high = 
(g_mfree_high)(0xA0BC6274 + 1); // S65 FW47

// Pattern: 80B5002801D0????????80BD10EB

try it

[Acidmrp]

ah and one more thing, if malloc_high an mfree_high don't work, try this ones:

maybe they are better:

malloc

Code:

typedef char* (*g_malloc)(unsigned int iSize);
g_malloc malloc = 
(g_malloc)(0xA0820F98); // S65 FW47

Patter: 0010A0E10200A0E3????????70402DE9

mfree

Code:

typedef void (*g_mfree)(char *cArray);
g_mfree mfree = 
(g_mfree)(0xA0821000); // S65 FW47

Pattern: 000050E3????????1EFF2FE104E02DE53CD04DE2

[arsh0r]

thx, seems to work, i'll test it this evening and see if its stable....

edit: it didn't crash... i used mfree_high to free the buffer. big thx for your help...

[Acidmrp]

@arsh0r can you please post your latest x65.h? I want to do some tests with
minigps patch but my NetData don't have the struct LAC

[arsh0r]

i old versions i named it LAI2 ('cause it was the second number after LAI)

[Acidmrp]

I've done some changes in minigps patch.

v0.3: modified by ACiD[mrp]

- added "change profile"
- changed file format into tmo. This format is directly editable
on the phone.

Use this String:

[profile number] [space] [text to be displayed]

profile number is between 1 and 8. If the profile should be not changed
use 0 as profile number.

Example:

"0 home" will display "home" on screen and not change the profile
"1 work" will display "work" on screen and change profile to normal
environment.

- now saving default text to files

I've used malloc and mfree. They work perfect.

[Acidmrp]

I continue the list of functions here:
http://www.gsm-multifund.de/board/sh...0510#post50510

because I get always an "The server is too busy at the moment. Please try again later." error message here.

[avkiev]

Quote:

Originally Posted by Acidmrp

I continue the list of functions here:
http://www.gsm-multifund.de/board/sh...0510#post50510

I'll collect functions in file "Functions.ini" from Smelter.
It can be easy converted to idc-file for exporting to IDA.
Use Smelter - StandardFunctions - List - Save_as_IDC

[amacri]

Hi,

miniGPS is really nice, but the current version 0.8 sometimes crashes.

Here below some questions after a rough look in the code in order to understand the reason of my crashes.

1. I think that it would be better to avoid any additional file operation when one (e.g., fwrite, lseek) returns errors (this apart from fclose). This consideration might not be really appropriate... just because I noticed that the phone crashes when the filesystem becomes close to full. Maybe this could be the solution...

3. I think that decodeTMOfile should be made more robust; if size is not correct, the phone might crash. The function should first control the xor at the end of the buffer, then copy it; if not correct, it should return an error. The function should also avoid to exceed "dest" lenght (e.g., with appropriate check against additional dest_length parameter). (I noticed that version 0.9 simply deletes decodeTMOfile. Does this simply fix all related issues?)

4. Is there a limit to the charset and size of tmo files? (e.g., in the number of characters of the operatorname) If there is, it should be checked.

5. I would add "sprintf(out, "MiniGPS Error\0");" just after "out = malloc(64);" at the beginning of te file; this is because I think that there might be a case where "out" is not correctly valued; e.g., when "size = OpenReadCloseFile(filename, &filebuffer);" fails and iCID == 0 and isNewNet(iCID) fails. Maybe this is the reason of possible crashes just after new cell selection....

6. Maybe "new cell selected" would be better than "new network found"

[arsh0r]

@amacri:
1.i heard that phone sometimes crashes from many people, it didn't crash for me on v43, didn't test it on v50. yes we must avoid file routines as much as possible, we could use ram to save some temporary values, f.ex. last cell/ last provider string.

3. the data in a tmo is in unicode, but the decodetmo routine copied the data to a char and this killed unicode support. we don't know the lenght of the provider string for sure, simply noone should create a tmo file that is bigger than one line of text. checking the xor will just cost more processor power, don't know if this is really needed.

4.we could simply define a maximum of about 32 characters

5. the file routines sometimes cause a data_abort!, don't know yet how to avoid it.

6. we also could use langpack for those strings...