## how to flash patch ## 2 ## - GSM-Forum

Acidmrp · 07-11-2003, 10:45

how to Siemens flash patch:
http://www.odblokovani.net/forum/viewtopic.php?t=660

(part one only exist in german this time but you can
read the "how to find entry point" by RizaPN)
If you want to make an translation you can find first
part here:
http://www.gsm-multifund.de/board/sh...5&pagenumber=1

GIROSAVO · 07-22-2003, 15:41

hello ACiD !

Excuse me for my questions on e-mail....

I've translate the first lesson in english, but not very well, german is very complicated for me

In the second lesson how I make the new file .bin with 8mb and only FF ? which is the software that i can use ?

tank in advanced ! very good job !

Acidmrp · 07-22-2003, 16:42

you can use Hexwork to make this 8MB 0xFF file for example.
If you have problems let me know.

dspmobile · 07-28-2003, 13:16

@ACID

I have seen in some patches for the S45i that you must subtract

0x800000 instead of 0xA00000 . ( like the one for GFX menu )

Is that because in these patches the addresses reside in the first 2Mb of the Fubu ?

Are you sure that the same method applies for other phones like the SL45i ?
I mean the method for making disassemply of some code ...

Acidmrp · 07-28-2003, 16:24

the S45i has two offsets.
You can disassemble the SL45 with the same method.

kxn · 07-30-2003, 14:18

Address mapping for SL45 is

0xA00000 - 0xBFFFFF ( first 2mb flash)
0xC00000 - 0xFFFFFF ( last 4 mb flash)

for S45i, it is

0x800000 - 0x9FFFFF ( first 2mb flash)
0xC00000 - 0xFFFFFF ( last 4 mb flash)

note there may be a 2Mb mapping from 0x800000 to 0xA00000
so 0xA00000 - 0xBFFFFF has the same content to 0x800000 -0x9FFFFF, but I'm not sure for that for I do not have S45, but a 6618 which has 8Mb flash

GIROSAVO · 08-21-2003, 09:07

@ ACiD
you have posted this

seg000:F6A8CC ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
seg000:F6A8CC
seg000:F6A8CC
seg000:F6A8CC StackAttackEntry: ; this is called by menu StackAttack
seg000:F6A8CC jmps 0F3h, StackAttack ; Stack Attack
seg000:F6A8CC ; End of function StackAttackEntry
seg000:F6A8CC

I 've not found "StackAttackEntry"...ecc. There isn't a text but only date

F6A8CC - A00000 = 56A8CC on 6mb flash it's right ??

seg000:56A8CC jmps 0F3h, 0E94Ch ; 0F3E94Ch

The same for Race Ace and Baloon
How to convert in text ?? How I undertand these strings ??

Please answer me.
Tank

Acidmrp · 08-21-2003, 10:42

the adresses are right. You can't convert this into strings, you
have to do this on your own. Name as many adresses as possible
to have an better understanding. If there is an interrest I can
post the functions I've found.

GIROSAVO · 08-21-2003, 11:23

OK I understood, it's very difficult for me, but I'll try and try and try !!!

For the interest look yor private message !

07-11-2003, 10:45	#1 (permalink)
Acidmrp No Life Poster Join Date: Sep 2002 Location: EEPROM damaged Age: 44 Posts: 578 Member: 15315 Status: Offline Thanks Meter: 1	## how to flash patch ## 2 ## how to Siemens flash patch: http://www.odblokovani.net/forum/viewtopic.php?t=660 (part one only exist in german this time but you can read the "how to find entry point" by RizaPN) If you want to make an translation you can find first part here: http://www.gsm-multifund.de/board/sh...5&pagenumber=1

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How to Flash Patch,if you dont have Folder.	S.L.F.	Multi-Box	3	02-27-2008 17:16
How To Flash Patch III	Acidmrp	GSM Programming & Reverse Engineering	0	04-01-2004 19:06

07-22-2003, 15:41	#2 (permalink)
GIROSAVO Freak Poster Join Date: Apr 2003 Location: Italy - Rome Age: 45 Posts: 142 Member: 26549 Status: Offline Thanks Meter: 1	hello ACiD ! Excuse me for my questions on e-mail.... I've translate the first lesson in english, but not very well, german is very complicated for me In the second lesson how I make the new file .bin with 8mb and only FF ? which is the software that i can use ? tank in advanced ! very good job !

07-22-2003, 16:42	#3 (permalink)
Acidmrp No Life Poster Join Date: Sep 2002 Location: EEPROM damaged Age: 44 Posts: 578 Member: 15315 Status: Offline Thanks Meter: 1	you can use Hexwork to make this 8MB 0xFF file for example. If you have problems let me know.

07-28-2003, 13:16	#4 (permalink)
dspmobile Freak Poster Join Date: May 2003 Location: Athens, Greece Posts: 173 Member: 29130 Status: Offline Thanks Meter: 5	@ACID I have seen in some patches for the S45i that you must subtract 0x800000 instead of 0xA00000 . ( like the one for GFX menu ) Is that because in these patches the addresses reside in the first 2Mb of the Fubu ? Are you sure that the same method applies for other phones like the SL45i ? I mean the method for making disassemply of some code ...

07-28-2003, 16:24	#5 (permalink)
Acidmrp No Life Poster Join Date: Sep 2002 Location: EEPROM damaged Age: 44 Posts: 578 Member: 15315 Status: Offline Thanks Meter: 1	the S45i has two offsets. You can disassemble the SL45 with the same method.

07-30-2003, 14:18	#6 (permalink)
kxn Junior Member Join Date: Jun 2003 Posts: 21 Member: 32935 Status: Offline Thanks Meter: 0	Address mapping for SL45 is 0xA00000 - 0xBFFFFF ( first 2mb flash) 0xC00000 - 0xFFFFFF ( last 4 mb flash) for S45i, it is 0x800000 - 0x9FFFFF ( first 2mb flash) 0xC00000 - 0xFFFFFF ( last 4 mb flash) note there may be a 2Mb mapping from 0x800000 to 0xA00000 so 0xA00000 - 0xBFFFFF has the same content to 0x800000 -0x9FFFFF, but I'm not sure for that for I do not have S45, but a 6618 which has 8Mb flash

08-21-2003, 09:07	#7 (permalink)
GIROSAVO Freak Poster Join Date: Apr 2003 Location: Italy - Rome Age: 45 Posts: 142 Member: 26549 Status: Offline Thanks Meter: 1	@ ACiD you have posted this seg000:F6A8CC ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ seg000:F6A8CC seg000:F6A8CC seg000:F6A8CC StackAttackEntry: ; this is called by menu StackAttack seg000:F6A8CC jmps 0F3h, StackAttack ; Stack Attack seg000:F6A8CC ; End of function StackAttackEntry seg000:F6A8CC I 've not found "StackAttackEntry"...ecc. There isn't a text but only date F6A8CC - A00000 = 56A8CC on 6mb flash it's right ?? seg000:56A8CC jmps 0F3h, 0E94Ch ; 0F3E94Ch The same for Race Ace and Baloon How to convert in text ?? How I undertand these strings ?? Please answer me. Tank

08-21-2003, 10:42	#8 (permalink)
Acidmrp No Life Poster Join Date: Sep 2002 Location: EEPROM damaged Age: 44 Posts: 578 Member: 15315 Status: Offline Thanks Meter: 1	the adresses are right. You can't convert this into strings, you have to do this on your own. Name as many adresses as possible to have an better understanding. If there is an interrest I can post the functions I've found.

08-21-2003, 11:23	#9 (permalink)
GIROSAVO Freak Poster Join Date: Apr 2003 Location: Italy - Rome Age: 45 Posts: 142 Member: 26549 Status: Offline Thanks Meter: 1	OK I understood, it's very difficult for me, but I'll try and try and try !!! For the interest look yor private message !