Upgrade to 1.60, but extended_ROM won't let me edit anything


King
17-12-2003, 07:27 AM
I'm new to this. Now what? I was trying to remove the TMDNL.Customizations.sa.CAB file like Akira did, but the thing won't let me cut or delete it. Neither will it allow me to edit config.txt, it just says make sure that the program isn't in use or write-protected - WTF?! It wasn't saying that before the update. Any suggestions? I'm using scarybears extended_ROM viewer btw. Is there any program that allows me to edit the registry? Thanks in advance.

akira
17-12-2003, 07:44 AM
get a reg editor like regedit.Mrln_ARM.cab

If you delete the value "MountFlags" (dword:00000001 == 'hidden filesystem') from the key [HKEY_LOCAL_MACHINE\System\StorageManager\Profiles\TRUEFFS_DOC], this 16MByte disk gets mounted as '\Extended_ROM'.

then when connected to active sync
you can delete the files

you can edit the config.txt and just remove the line in case you want the cab file not to be deleted

King
17-12-2003, 07:55 AM
Exactly where do I get that editor?

King
17-12-2003, 09:31 AM
I've done that, deleted mount flags and all, and it STILL won't let me edit!

stryker
17-12-2003, 01:58 PM
where is this protected rom area?

akira
17-12-2003, 03:09 PM
delete the files from your pc

not through your pda

link to active sync

and cut the files
and paste them in a folder on your pc

killercheung
17-12-2003, 03:25 PM
It's useless for me~
I think the extended rom lock is being applied like the sim lock.
Upgrade OS rom or extended rom will do nothing on the lock.

I only can mount the ms_.nbf in linux, modify the file, and flash it back to the xda2 :(

King
17-12-2003, 04:54 PM
delete the files from your pc

not through your pda

link to active sync

and cut the files
and paste them in a folder on your pc

Tried that too. Won't work as well mate.

King
17-12-2003, 05:01 PM
It's useless for me~
I think the extended rom lock is being applied like the sim lock.
Upgrade OS rom or extended rom will nothing on the lock.

For this case , we only can mount the ms_.nbf in linux, edit the file, and flash it back to the xda2 to modify it :(

How do you do this exactly? I read what you and the other guy talked about in the other thread, but it wasn't too clear for me (I'm not a programmer y'know)

Care to explain it to me more thoroughly? Such as what software do I need? and what steps to take? I'm new to this stuff. It seems like only you and I have this problem y'know...and it sucks.

othman
17-12-2003, 11:48 PM
Exactly where do I get that editor?

Hello

you can download it from this site http://www.phm.lu/Products/PocketPC/RegEdit/


http://www.phm.lu/Products/PocketPC/RegEdit/regedit_ss.gif



regards.


Othman :)

itsme
18-12-2003, 03:41 PM
my guess is that this is how it is protected:
( from http://www.m-sys.com/ )

3.3 FL_IOCTL_WRITE_PROTECT ( == 3002 )

This function enables key-controlled write protection (software protection) for
DiskOnChip. Once DiskOnChip is protected by the key, it remains in read-only
mode. Removing a key can be done by an authorized user who knows the current
key.

The key consists of 8 bytes (64 bits), each of which may be any 8-bit code
character (2^64 combinations). The key is stored on the flash disk in a manner
that is both scrambled and hidden. That is, the key is encrypted, and it is not
possible to read the flash disk to see the encrypted key. If the key is lost or
forgotten by the authorized user, the flash disk can be restored to read/write
mode by downloading all data from it, reformatting it, and uploading the saved
data. A new key can then be enforced.

The same procedure can also be performed by unauthorized users. In this case
however, the authorized user is able to determine that the key was removed or
changed.

A key-protected DiskOnChip is available to an unauthorized user in read-only
mode. All data may be read, but not written or modified. An authorized user can
write to the flash disk by temporarily disabling the write-protection (unlock)
or permanently removing it (unprotect), depending on the parameters involved.
If the protection is temporarily removed, dismounting DiskOnChip and/or
performing a system reset cause DiskOnChip to revert to read-only mode.

DiskOnChip units are not key-protected by default when shipped by M-Systems.

Note: This protection is not as reliable as the hardware protection supported
by DiskOnChip Millennium Plus and Mobile DiskOnChip.

Input Record

typedef struct {
    unsigned char type;  /* Type of operation: FL_PROTECT / FL_UNPROTECT / FL_UNLOCK */
    long password[2];    /* 8 bytes Key */
} flWriteProtectInput;

#define FL_PROTECT   0  /* Make the DiskOnChip write-protected. */
#define FL_UNPROTECT 1  /* Permanently remove the write-protection. */
#define FL_UNLOCK    2  /* Temporarily remove the write-protection. */

Output Record

typedef struct {
FLStatus status;
} flOutputStatusRecord;

itsme
18-12-2003, 04:15 PM
hmm, my 1.60 is not write protected.
can anyone with a writeprotected rom_extended dump the first 96k of
the extended rom, and mail with attachment to the forum?

instructions:
*download tool: xda2dmp (http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html)
* then boot the xda-ii in bootloader mode ( hold power + navigator button while resetting ) , you should see 'serial' on the display.
WARNING: you will lose all data on your device
* then put back the device in the cradle ( now you see 'usb' on the display )
* disable USB connections in the connection settings of activesync
* then run xda2dmp -u 0x70000000 0x18000 xtdrom.bin
* if you zip the xtdrom.bin it will be really small no problem to attach it to a posting to this forum

King
18-12-2003, 05:40 PM
hmm, my 1.60 is not write protected.
can anyone with a writeprotected rom_extended dump the first 96k of
the extended rom, and mail with attachment to the forum?

instructions:
*download tool: xda2dmp (http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html)
* then boot the xda-ii in bootloader mode ( hold power + navigator button while resetting ) , you should see 'serial' on the display.
WARNING: you will lose all data on your device
* then put back the device in the cradle ( now you see 'usb' on the display )
* disable USB connections in the connection settings of activesync
* then run xda2dmp -u 0x70000000 0x18000 xtdrom.bin
* if you zip the xtdrom.bin it will be really small no problem to attach it to a posting to this forum

Errr...what's this supposed to do?

itsme
18-12-2003, 05:44 PM
figure out where the protection is stored in the extended rom.
I suspect it to be somewhere in the memory range 0x70000000-0x70018000

King
18-12-2003, 05:53 PM
Damn...is that the only way? Can't I edit the upgraded ROM's executable file then upload it to my PDA again? I can't put it on bootloader mode without removing it from the cradle you see - I don't have the USB connection cable (without the cradle) thing. I'll still have to purchase one in order to put it on bootloader mode if that's the case.

itsme
18-12-2003, 06:47 PM
it does not matter if you remove it from the cradle in order to put it in bootloader mode, just put it back afterwards.

the xda2dmp tool can read roms through either usb, or serial port, but I only wrote the usb instructions since I expect more people to have a usb cradle, than a serial cable.

this is the only way I know of to read the hidden part of the chip that the extended rom is on.

King
18-12-2003, 06:57 PM
Alright. BTW, many thanks for taking the time to help out a newbie :)

Oh,and there are two dmp files I can download...the cpp one, and the compiled version...which one should I use?

kalex
18-12-2003, 07:50 PM
King

u need a compiled version of the file. cpp is source code which u will need to compile before running.

to answer ur other question. u can create a file on ur linux box and flash it to the phone. what xda developers are trying to do is to crack the key to be able to write to the card and skip the flashing step.


alex

thariman
19-12-2003, 12:13 PM
hmm, my 1.60 is not write protected.
can anyone with a writeprotected rom_extended dump the first 96k of
the extended rom, and mail with attachment to the forum?

instructions:
*download tool: xda2dmp (http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html)
* then boot the xda-ii in bootloader mode ( hold power + navigator button while resetting ) , you should see 'serial' on the display.
WARNING: you will lose all data on your device
* then put back the device in the cradle ( now you see 'usb' on the display )
* disable USB connections in the connection settings of activesync
* then run xda2dmp -u 0x70000000 0x18000 xtdrom.bin
* if you zip the xtdrom.bin it will be really small no problem to attach it to a posting to this forum

itsme
19-12-2003, 01:12 PM
thanks.

hmmm, that looks almost like it is in my rom.
and on my xda the extended rom is not write protected.

are you sure your rom is write protected?

if you unhide the extended rom, can you modify /add/remove files from
the folder \Extended_ROM ?

----------------------
my rom:
00008000 "17A3339203052"
00008020 "OK"
00008400 "HT339D326916"
00008420 " Himalayas DIAG V1.01s "
00008440 "OK "
00008460 c2 70 00 00
000084a0 80 70 00 00

your rom:
00008000 "17A4345100264"
00008020 "OK"
00008400 "HT345D312949"
00008420 " Himalayas DIAG V1.03sb3"
00008440 "OK "
00008460 70 38 00 00
000084a0 40 38 00 00
---------------------

I expect to find the hash of the password somewhere, none of these values look like one.
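
[Added example, not part of the original thread or of the xda2dmp tool.] The side-by-side listing in the post above can be produced mechanically by diffing two dumps in fixed-size records. The sample images below are constructed from the values in the listing; the 0x20 record size and the 0xFF fill for unused flash are assumptions, and `render`, `diff_records` and `build` are hypothetical helper names.

```python
# Added illustration: compare two flash dumps record by record.
RECORD = 0x20    # record size assumed from the offsets in the listing
FILL = b"\xff"   # assumption: unused flash reads back as 0xFF


def render(chunk: bytes) -> str:
    """Quoted string if the record is printable ASCII, otherwise hex bytes."""
    body = chunk.rstrip(FILL)
    if not body:
        return "(empty)"
    if all(0x20 <= b < 0x7F for b in body):
        return '"%s"' % body.decode("ascii")
    return body.hex(" ")


def diff_records(a: bytes, b: bytes, base: int = 0):
    """Return (offset, rendering_a, rendering_b) for every record that differs."""
    rows = []
    for off in range(0, min(len(a), len(b)), RECORD):
        ra, rb = a[off:off + RECORD], b[off:off + RECORD]
        if ra != rb:
            rows.append((base + off, render(ra), render(rb)))
    return rows


def build(records: dict, size: int = 0x500) -> bytes:
    """Constructed sample: place the listed values into an otherwise blank image."""
    img = bytearray(FILL * size)
    for off, val in records.items():
        img[off:off + len(val)] = val
    return bytes(img)


# Values copied from the listing; offsets here are relative to 0x8000.
MINE = build({0x000: b"17A3339203052", 0x020: b"OK", 0x400: b"HT339D326916",
              0x420: b" Himalayas DIAG V1.01s ", 0x440: b"OK ",
              0x460: bytes.fromhex("c2700000"), 0x4A0: bytes.fromhex("80700000")})
YOURS = build({0x000: b"17A4345100264", 0x020: b"OK", 0x400: b"HT345D312949",
               0x420: b" Himalayas DIAG V1.03sb3", 0x440: b"OK ",
               0x460: bytes.fromhex("70380000"), 0x4A0: bytes.fromhex("40380000")})

if __name__ == "__main__":
    for off, mine, yours in diff_records(MINE, YOURS, base=0x8000):
        print("%08x  %-28s %s" % (off, mine, yours))
```

Records that are identical in both images (the two "OK" markers here) are dropped, so only fields that vary per device or per ROM version remain to be inspected.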

thariman
19-12-2003, 01:30 PM
thanks.

hmmm, that looks almost like it is in my rom.
and on my xda the extended rom is not write protected.

are you sure your rom is write protected?

if you unhide the extended rom, can you modify /add/remove files from
the folder \Extended_ROM ?




I unhid it using ArneHess tools ( http://www.ppcw.net/downloads/download_extended_ROM_viewer.html ). Using RESCO explorer, trying to copy a file to Extended_ROM gives a "The media is write protected" error. Trying to rename a file gives the same error.

AnotherOne
19-12-2003, 01:49 PM
Finally (!) somebody of the XDA Developer Team acknowledges what I have been writing on this forum for 20 days...

I have a Qtek 2020 with 1.03 ROM and Extended_ROM is write-protected out of the box.

Now that the issue has arrived in the hands of the fabulous Team I am sure we will see results in a few days.

Byez,

King
19-12-2003, 07:33 PM
hmm, my 1.60 is not write protected.
can anyone with a writeprotected rom_extended dump the first 96k of
the extended rom, and mail with attachment to the forum?

instructions:
*download tool: xda2dmp (http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html)
* then boot the xda-ii in bootloader mode ( hold power + navigator button while resetting ) , you should see 'serial' on the display.
WARNING: you will lose all data on your device
* then put back the device in the cradle ( now you see 'usb' on the display )
* disable USB connections in the connection settings of activesync
* then run xda2dmp -u 0x70000000 0x18000 xtdrom.bin
* if you zip the xtdrom.bin it will be really small no problem to attach it to a posting to this forum

What exactly is in your attachment? Should I download it? Or is it for the xdaDev team to crack?

thariman
20-12-2003, 12:18 AM
What exactly is in your attachment? Should I download it? Or is it for the xdaDev team to crack?

Don't download it. It's for xdaDev team to crack.

thariman
20-12-2003, 01:58 PM
thanks.

I expect to find the hash of the password somewhere, none of these values look like one.

Do you want me to dump other memory region ?

mr.smile1
27-12-2003, 02:40 PM
thanks.

hmmm, that looks almost like it is in my rom.
and on my xda the extended rom is not write protected.

are you sure your rom is write protected?

if you unhide the extended rom, can you modify /add/remove files from
the folder \Extended_ROM ?


I expect to find the hash of the password somewhere, none of these values look like one.

Wouldn't it be more promising to check on the update.exe from the ROM upgrade kits ? This tool can temporarily unlock the Ext.ROM, so I guess the "switch" or passwords should be somewhere inside this EXE-file ?? :lol:

killercheung
28-12-2003, 08:50 PM
Here is my version.
I am running 1.52 CHT Rom , 1.60 Extended ROm and 1.60 Radio rom.
The extended rom is locked.

goodman
29-12-2003, 01:11 PM
:lol:
there is an OFFICIAL UPGRADE ready and existing, but not yet PUBLIC,
it is one nice 40 MB RUU file which will upgrade your unit to english language:

Microsoft Pocket PC version 4.20.0 (Build 13252)
ROM version: 1.60.00WWE
ROM date: 12/03/03
Radio version: 1.06.01
Protocol version: 1337.16
ExtROM version: 1.60.06
Address http://xda-developers.com/incoming/rom160wwe/RUU16006WWE_T-mobile_NL.exe

IT'S FANTASTIC AND EASY WITH THE USB CRADLE

W4XY
29-12-2003, 11:57 PM
Hi,

In an attempt to unravel this further I need some more snapshots of locked ROMs. For some reason my upgrade didn't lock my ROM. Similar to the previous request I need a small dump, but this time from a different region:

instructions:
*download tool: xda2dmp (http://www.xs4all.nl/~itsme/projects/xda/xda-ii.html)
* then boot the xda-ii in bootloader mode ( hold power + navigator button while resetting ) , you should see 'serial' on the display.
WARNING: you will lose all data on your device
* then put back the device in the cradle ( now you see 'usb' on the display )
* disable USB connections in the connection settings of activesync
* then run xda2dmp -u 0x70080000 0x400 xtdrom.bin
* it will be really small no problem to attach it to a posting to this forum

thariman
30-12-2003, 02:04 AM
Here is the dump from my Locked extended_ROM O2 XDA II asia version. Running the 1.60 NL ROM. I modified my MS_.NBF removing the T-Mobile stuff ( mount under linux method ), if you need original MS_.NBF I will reflash my XDA before the dump.

killercheung
30-12-2003, 05:49 AM
Here is my "0x70080000 0x400" extended rom dump.
Dump from a O2 XDAII Asian version with a Linux modified 1.60 T-mobile Extended rom.

Thanks for XDA Developers!!!

motken
20-01-2004, 02:41 AM
I have same problem with "King"
I can write any thing with extended rom because "Read Only!!"

How I can fix these problem PlEaSe HlEp :(

motken
21-01-2004, 01:50 AM
Heloooooo
anybody here ?!

we wait the crack from XDA Developers!!!

:roll: thank you ,,