Patching: Technical Discussion ...

[lalo.lerry]

I'm my experiments i found that asm commands jbc and jnbs aren't implemented in S45i C166 chip.
I'm I right or not?

[rc-flitzer]

Hm, maybe, I don't have S45i. But if so, you have to use and / or commands for clearing / setting the bit after jumping.

[rizapn]

I did test both JBC and JNBS using my SL45, and it works as it should be. So, I think it is also work in the S45 platform (S45 is 'newer' than SL45) ...

rizapn

[lalo.lerry]

Thanks for reply, friends!

Also I could believe they weren't implemented but I was unable to use them.
Morover, I've looked in fw if they were used sometime and didn't find them anywhere.
SO, either I'm using them in a wrong way (dw optcode: AA(BA)QQrrq0 , where QQ=GPR, rr(jumpr of n word), q=bit number) or they aren't really implemented.
Can you tell mw if I'm wrong?

[rizapn]

They are not used (by Siemens firmware compiler, none of the firmware function is converted to that JBC/JNBS assembler), but they are supported by the chip/platform.

rizapn

[lalo.lerry]

Ok, I understand.
So where I'm wrong?
Can you post me an example (or a patch) where are you using them?
Thanks

[rizapn]

I use this source :

Code:

org 37h:3700h
	mov	r12, #1235h
	jbc	r12.0, loc_jbcok
	mov	r12, #0
loc_jbcok:
	extp	#37h, #1
	mov	3740h, r12
	rets

And then, using my AT+CGSN format :

Write to the RAM location 37h:3700h:
at+cgsn.w.37.3700.E6FC3512AAFC0100E00CD7403700F6FC 4037DB00

Run from RAM (000D:F700):
at+cgsn.r.d.f700

Dump memory from RAM:
at+cgsn.d.37.3700

;~~~~~~~~~~~~~~~

rizapn

[lalo.lerry]

DOH...
Ok, I used them in a wrong way (forget the second extp )
Many many thanks, MASTER!

[abomin]

@RizaPN

In patch *** SDS. SMS Delete Shortcut *** you wrote:

Quote:

Originally Posted by rizapn

;ps:
;- yes, it is possible to modify any other RightSoft function, just explore some bytes near that location

rizapn

Can you explain how to do this, `coz it not evident for me...

[viraptor]

@anybody_who_knows
What is the meaning of r13 passed to function at 0xE6F1C8 (info box display). For example calculator short help (LeftSoft key) shown at 0xA59628 passes #0E21h. Is it some kind of id, or offset (if so - what segment)? I can't find it in func.

[rizapn]

@viraptor:
r13 in that function (I call it msgBox2) is a firmware textID. 0xE21 is ID for calculator sign text. If you have sfe, you can try this command : sfe l sl45ff.bin e21

@abomin:
If you explore the fullflash starting from offset 0x18AE8E : you will see this hexa values :
6F 00 52 00 4B 4E
1E 00 52 00 59 00
1D 00 52 00 1D 02
29 00 52 00 7E 01
etc-etc ...

6F is button code, 4E4B is text code for button (image move to archive)
1E is button code, 0059 is text code for button (Reply)
1D is button code, 021D is text code for 'Send'
29 is button code, 017E is text code for 'Delete'
etc-etc ...

means : 6F -> move to archive, 1E -> Reply, 1D -> Send, 29 -> Delete ...
and you can modify them as you like. You can also check, the function written in the address : 0xD9E9C8, it is smsSoftKeyHandle() function.

rizapn

[H3ct0R]

Quote:

Originally Posted by rizapn

6F is button code, 4E4B is text code for button (image move to archive)
1E is button code, 0059 is text code for button (Reply)
1D is button code, 021D is text code for 'Send'
29 is button code, 017E is text code for 'Delete'
etc-etc ...

means : 6F -> move to archive, 1E -> Reply, 1D -> Send, 29 -> Delete ...
and you can modify them as you like. You can also check, the function written in the address : 0xD9E9C8, it is smsSoftKeyHandle() function.

@RizaPN: Great, thank you for that info, Riza! BTW, what is the address of "Reply" function? I would like to change it.

-EDITED-

OK, found it (0x18AE94), thanks again!

HeCToR

[amacri]

Can somebody please provide some example about how to read the EEPROM through assembler coding (e.g. in order to point to the content of EEPROM Block "5089=* WAP Profile 4b (CSD Dialup) *")?

Thanks.

amacri

[lalo.lerry]

For SLIK:

Read Data from EEPROM (method 1) :
mov r12, #0
mov [-r0], r12
mov [-r0], r12
mov [-r0], r12
mov r12, size
mov [-r0], r12
mov r12, EEPROM_Block
mov r13, dst_Offset
mov r14, dst_Page
mov r15, offset
calls 0C2h, 2F3Eh
add r0, #8

Read Data from EEPROM (method 2) :
mov r12, size
mov [-r0], r2
mov r12, EEPROM_Block
mov r13, dst_Offset
mov r14, dst_Page
mov r15, offset
calls 0C2h, 30BAh
add r0, #2

[viraptor]

@RizaPN
Thanks for dialogs explanation, Master

@all
Assembler question - can someone explain me how this works (from begining of item handler in SMS menu):

Code:

mnu_sms_itemhandler:
csegD9:0D30 F0 1E                   mov r1, r14
csegD9:0D32 F0 2F                   mov r2, r15
csegD9:0D34 28 12                   sub r1, #2
csegD9:0D36 38 20                   subc r2, #0
csegD9:0D38 2D 05                   jmpr cc_Z, loc_D90D44

So ok. r14 is the analized entry number. What is r15? And which "sub" sets/unsets Z flag? Is "cmp r1, #2 ; jmpr cc_Z, loc_D90D44" the same as 3 last instructions? What is the sense of "subc r2, #0"?
If I'm wrong, then what are exact meaings of r14 and r15?

edit: new question - i'm trying to make a dynamic message - looks like this:

Code:

my_text:
	db 95h,'My text',0
org	0EBBCE0h
my_patch:
	mov [-r0], r12
	mov [-r0], r13
	mov [-r0], r14
	mov [-r0], r15
	mov r12, #8B9h
	mov r13, #0h
	calls 0E65B5Eh ; resetStringID
	mov r12, #8B9h
	mov r13, q(my_text)
	mov r14, p(my_text)
	mov r15, #0h
	calls 0E6599Ch ; convert2ID
	mov r13, #8B9h
	mov r12, #1h
	calls 0E6F1C8h ; showCustomDialog
	mov r15, [r0+]
	mov r14, [r0+]
	mov r13, [r0+]
	mov r12, [r0+]
	rets

and know what? it doesn't work - I am missing something, but what is it? (tried an unexistant StringID too, it hangs)