GSM-Forum > GSM Programming & Reverse Engineering (GSM programming and reverse engineering tools and secrets)
Post #1, 01-27-2003 00:31

Siemens Entry Point (for Menu Items)

I want to share this with all of you who really like to read the Siemens full flash file. It is about checking the entry point for each menu item. Of course this is not the only or the best way; it is just based on my experience. I hope it is useful for others.

1) Create your own language pack with its own index at the beginning of each string. Refer to the SkyLord software output (lgp file) and modify all String xxx, "teks" to become String xxx, "xxx.teks". Use this as your menu language. Using this package, you will see each menu item with its string index. Most text-display functions inside the flash use the index as their parameter.

2) Take a look at a single menu. For example, the Organiser menu (I use SL45v56 as an example). The sequence of their item indexes is: 014.Addressbook, 23B.SIM Location, 159.Calendar, 29C.Appointments ... 128.Help. These indexes are saved in the flash file in this format:

w00 w01 wIdx02 wIdx03 w04 w05 w06 w07 w08
w10 w11 wIdx12 wIdx13 w14 w15 w16 w17 w18

w00..w08 is the data (word format, lo-byte, hi-byte) for the 1st menu item, w10..w18 for the 2nd item, ... wIdx02 is the string index of the menu item: 0014 (saved as 14 00 in the flash) for Addressbook, 023B for SIM Location, etc. wIdx03 is the string index of the menu item in Big Letter mode: 0013 for Addressbook, 080D for SIM Location, etc.

3) Search inside the flash file for the sequence of one wIdx02 and wIdx03 (index of the menu item in normal mode and Big Letter mode). For example, search for 14 00 13 00 to find the Addressbook menu item string index location.

4) The location of w00 of the 1st menu item (for example Addressbook in the Organiser menu) is saved in the flash together with the address of their function entry point and the number of menu items. For example, 14 00 13 00 for Addressbook is found at address 0x1A07E4 and the rest of the format matches (wIdx12 wIdx13 are the values 3B 02 0D 08 ...); this means the w00 address for the Organiser menu is 0x1A07E4 - 4 = 0x1A07E0. 0x1A07E0 in the file is equal to the address 0xBA07E0 in the flash (the base address for SL4x is 0xA00000), and is recognized in this format: 02E8:07E0 ... 2E8 is BA07E0 div 4000 and 07E0 is BA07E0 mod 4000. Search for that address (02E8:07E0 => E0 07 E8 02) in the location near the address of w00. The following 4 bytes (after those address bytes) are the subroutine/function address, and the word after that is the number of menu items. Let's assume that we found 94 08 E8 02 0A 00 as the bytes after those (E0 07 E8 02) bytes; then we know that 02E8:0894 is the location of each subroutine, and 000A is the number of menu items.

5) Check the subroutine location, and we should find this format:

B03 B02 B01 B00 B13 B12 B11 B10 ...

B03..B00 is the address of the 1st menu item function/subroutine. If it is 3C EF DB 00, then the entry point of that menu item is 00DBEF3C.

====================

6) Almost all strings are called by their index. Sometimes it is also useful to search for their location in the flash by this byte sequence: E6 F? ib2 ib1 ... => mov r?, ib1ib2. For example: E6 FC 14 00 for mov r12, 0014.

7) Some strings are called indirectly. Their index is saved in the flash, and the function uses that location as its parameter. Some of them use this format: ib2 ib1 FF 7F to save index ib1ib2 in the flash.

Allaaahu Akbar,
RizaPN
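The procedure from post #1 (steps 3 to 7), carried through in code as an added example that is not part of the original thread and not RizaPN's own tool. It assumes what the post states: a 9-word item record with wIdx02/wIdx03 at word 2 and 3, little-endian words, the SL4x flash base 0xA00000, and the seg:off form where "div 4000 / mod 4000" is taken as hexadecimal 0x4000 (only that reading reproduces 02E8:07E0 from 0xBA07E0). The flash image is constructed here: the post's example values are placed at the offsets the post gives, while the filler items, the entry points after the first, the descriptor position 0x1A0780 and the +/-0x1000 search window are made up for the example, since the post only says the descriptor is "near the address of w00".

```python
import struct

FLASH_BASE = 0xA00000   # flash base address for SL4x, as stated in the post
SEG_SIZE = 0x4000       # the post's "div 4000 / mod 4000", read as hex 0x4000
ITEM_BYTES = 9 * 2      # one menu item is nine 16-bit words (w00..w08)


def flash_to_seg(addr):
    """Linear flash address -> (seg, off) in the post's 02E8:07E0 notation."""
    return addr // SEG_SIZE, addr % SEG_SIZE


def seg_to_file_off(seg, off, base=FLASH_BASE):
    """seg:off -> file offset inside the full-flash dump."""
    return seg * SEG_SIZE + off - base


def seg_pattern(seg, off):
    """seg:off as stored in flash: off lo/hi, then seg lo/hi (02E8:07E0 -> E0 07 E8 02)."""
    return struct.pack("<HH", off, seg)


def find_all(buf, pat, start=0, end=None):
    """All offsets of pat inside buf[start:end]."""
    end = len(buf) if end is None else end
    hits, i = [], buf.find(pat, start, end)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1, end)
    return hits


def find_menu_item(buf, idx_normal, idx_big):
    """Step 3: offsets of the wIdx02 wIdx03 pair (normal and Big Letter string index)."""
    return find_all(buf, struct.pack("<HH", idx_normal, idx_big))


def locate_menu(buf, hit, base=FLASH_BASE, window=0x1000):
    """Step 4: from the first item's wIdx02 hit, find the descriptor holding seg:off of
    w00, seg:off of the subroutine table and the item count. The window is an assumption."""
    w00 = hit - 4
    seg, off = flash_to_seg(base + w00)
    lo, hi = max(0, w00 - window), min(len(buf), w00 + window)
    hits = find_all(buf, seg_pattern(seg, off), lo, hi)
    if not hits:
        return None
    pos = hits[0]
    tbl_off, tbl_seg, count = struct.unpack_from("<HHH", buf, pos + 4)
    return {"w00": w00, "descriptor": pos,
            "table": seg_to_file_off(tbl_seg, tbl_off, base), "count": count}


def read_string_indices(buf, w00, count):
    """(normal, Big Letter) string index of every item; items are 18 bytes apart."""
    return [struct.unpack_from("<HH", buf, w00 + n * ITEM_BYTES + 4) for n in range(count)]


def read_entry_points(buf, table, count):
    """Step 5: one little-endian dword per item (3C EF DB 00 -> 0x00DBEF3C)."""
    return list(struct.unpack_from("<%dI" % count, buf, table))


def find_string_refs(buf, idx):
    """Steps 6/7: direct `mov r?, #idx` (E6 F? lo hi) and indirect `lo hi FF 7F` references."""
    lo, hi = idx & 0xFF, idx >> 8
    direct = []
    for reg in range(16):   # the low nibble of the second byte selects r0..r15
        direct += [(o, reg) for o in find_all(buf, bytes([0xE6, 0xF0 | reg, lo, hi]))]
    return {"direct": sorted(direct), "indirect": find_all(buf, bytes([lo, hi, 0xFF, 0x7F]))}


def analyse(buf, idx_normal=0x0014, idx_big=0x0013):
    """The whole procedure, starting from the first item's string index pair."""
    hits = find_menu_item(buf, idx_normal, idx_big)
    menu = locate_menu(buf, hits[0]) if hits else None
    if menu is None:
        return None
    menu["items"] = read_string_indices(buf, menu["w00"], menu["count"])
    menu["entry_points"] = read_entry_points(buf, menu["table"], menu["count"])
    return menu


def build_sample_flash(size=0x200000):
    """Constructed 2 MiB image with the post's example values at the post's offsets.
    Items 3..10, entry points 2..10 and the descriptor offset are filler, not SL45v56 data."""
    buf = bytearray(size)
    w00 = 0x1A07E0
    items = [(0x0014, 0x0013), (0x023B, 0x080D)]
    items += [(0x0100 + n, 0x0200 + n) for n in range(8)]   # filler to reach 0x000A items
    for n, (normal, big) in enumerate(items):
        struct.pack_into("<HH", buf, w00 + n * ITEM_BYTES + 4, normal, big)
    # descriptor near w00: E0 07 E8 02 | 94 08 E8 02 | 0A 00
    struct.pack_into("<HHHHH", buf, 0x1A0780, 0x07E0, 0x02E8, 0x0894, 0x02E8, len(items))
    # subroutine table at 02E8:0894 (file offset 0x1A0894); first entry 00DBEF3C
    entries = [0x00DBEF3C] + [0x00DC0000 + 0x40 * n for n in range(1, len(items))]
    struct.pack_into("<%dI" % len(entries), buf, seg_to_file_off(0x02E8, 0x0894), *entries)
    # code referencing string 0x0014: mov r12, #0x0014 and the indirect FF 7F form
    buf[0x10000:0x10004] = bytes([0xE6, 0xFC, 0x14, 0x00])
    buf[0x20000:0x20004] = bytes([0x14, 0x00, 0xFF, 0x7F])
    return bytes(buf)


if __name__ == "__main__":
    m = analyse(build_sample_flash())
    seg, off = flash_to_seg(FLASH_BASE + m["w00"])
    print("w00 at file 0x%06X = flash %04X:%04X, %d items" % (m["w00"], seg, off, m["count"]))
    for (normal, big), ep in zip(m["items"], m["entry_points"]):
        print("  string %04X (Big Letter %04X) -> entry point %08X" % (normal, big, ep))
```

On a real dump, replace build_sample_flash() with the file contents and check every hit from find_menu_item() the way the post does: the next item's wIdx12/wIdx13 must also be string indexes that you recognise from your indexed language pack, otherwise the 4-byte match is a coincidence and locate_menu() will return a descriptor that is garbage or None.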
Post #4, 01-28-2003 00:12

Nice work, Rizapn! Thanks a lot! :-) I've planned to work on the menu system after my current work (some tricks about opened/closed BfB in ServiceMode) and I'm pleased to see your info! :-))) So, do you plan to write some soft dealing with menus on Siemens phones? I'm thinking about software which can modify menus anyway... What's your opinion?
Post #5, 01-28-2003 01:12

@All.. You're welcome... @Skylord: No, I don't have a plan to do that. I think organizing menu items is interesting, but I prefer to do some flash enhancement through patching. There are a lot of things that I would like to prove I can find, such as:
- where is the handle of every incoming call?
- where is the handle of outgoing SMS (I found it, but not all; I need the header part),
- etc., etc...

RizaPN