Trinity bootloader
decebal
19th December 2006, 10:56 PM
I'm using the Hermes/Artemis reference to see what works and what does not.
First: almost every other command gives the "Command Error".
wdata exists and gives: Command is Locked!
The first thing will be to get into the radio bootloader - it seems that the password is fixed. As for the bootloader, I hope that it can be downgraded.
---
info 2:
HTCSHTC__102Ã;¿HTCE
info 3:
HTCST
info 4:
IsAllBytesTheSame-: dwLength=8, bResult=0
HTCSHTC__102Ã;¿HTCE
info 6:
HTCST ÚÈÒHTCE
info 7:
HTC Integrated Re-Flash Utility, Common Base Version : 1.51b
Device Name: TRIN100, Bootloader Version : 1.06.0000
Built at: Oct 19 2006 20:31:29
Copyright (c) 1998-2006 High Tech Computer Corporation
CPU ID=0x41129200
Main CPLD version=0xA
Main Board version=0x5
info 8:
Block 0x0(0) is Reversed block
Block 0x1(1) is Reversed block
Block 0x2(2) is Reversed block
Block 0x3(3) is Reversed block
Block 0x4(4) is Reversed block
Block 0x5(5) is Reversed block
Block 0x6(6) is Reversed block
Block 0x7(7) is Reversed block
Block 0x8(8) is Reversed block
Block 0x9(9) is Reversed block
Block 0xA(10) is Reversed block
Block 0xB(11) is Reversed block
Block 0xC(12) is Reversed block
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
-----
task 32 : Level FF
-----
checkimage
IPL CRC checksum = 0x96BE3C47
SPL CRC checksum = 0xBA45D40C
CE CRC checksum = 0xE86D6EC6
ExtROM CRC checksum = 0x3FBE8D13
Radio Image CRC checksum = 0xAB599ED8
-----
progress - shows bar
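A consistency check on the info 8 output in the post above, as an added example that is not part of the original thread: it parses the partition lines, confirms the four partitions are contiguous, and relates the two CE lengths to the table. The 512-byte sector size is an assumption (the output does not state the unit); under it the CE image spans 0x1B700 sectors, which is exactly where Partition[3] starts, with 8 bytes of sector info per sector.

```python
import re

# Lines copied from the "info 8" output in the post above.
INFO8 = """\
Partition[0], type=0x20, start=0x2, total=0x18FE
Partition[1], type=0x23, start=0x1900, total=0x1700
Partition[2], type=0x25, start=0x3000, total=0x18700
Partition[3], type=0x4, start=0x1B700, total=0x1F100
CE Total Length(with sector info) = 0x37BB800
CE CheckSum Length(without sector info) = 0x36E0000
"""

PART_RE = re.compile(
    r"Partition\[(\d+)\], type=0x([0-9A-Fa-f]+), "
    r"start=0x([0-9A-Fa-f]+), total=0x([0-9A-Fa-f]+)")
LEN_RE = re.compile(r"CE (Total|CheckSum) Length\([^)]*\) = 0x([0-9A-Fa-f]+)")
SECTOR_BYTES = 512  # assumption: the output does not state the unit


def parse_info8(text):
    """Return (partitions, ce_lengths) parsed from 'info 8' output."""
    parts = [dict(index=int(i), type=int(t, 16), start=int(s, 16), total=int(n, 16))
             for i, t, s, n in PART_RE.findall(text)]
    lengths = {name: int(value, 16) for name, value in LEN_RE.findall(text)}
    return parts, lengths


def layout_problems(parts):
    """List gaps and overlaps between consecutive partitions (empty = contiguous)."""
    problems = []
    ordered = sorted(parts, key=lambda p: p["start"])
    for prev, cur in zip(ordered, ordered[1:]):
        end = prev["start"] + prev["total"]
        if cur["start"] != end:
            kind = "gap" if cur["start"] > end else "overlap"
            problems.append((kind, prev["index"], cur["index"], end, cur["start"]))
    return problems


def ce_geometry(lengths, sector_bytes=SECTOR_BYTES):
    """Return (sector_count, info_bytes_per_sector) implied by the two CE lengths."""
    data, total = lengths["CheckSum"], lengths["Total"]
    sectors, rem = divmod(data, sector_bytes)
    extra = total - data
    if rem or sectors == 0 or extra < 0 or extra % sectors:
        raise ValueError("CE lengths do not fit whole sectors of this size")
    return sectors, extra // sectors


if __name__ == "__main__":
    parts, lengths = parse_info8(INFO8)
    print("layout problems:", layout_problems(parts))
    sectors, info = ce_geometry(lengths)
    print(f"CE image: {sectors:#x} sectors, {info} info bytes per sector")
```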
decebal
20th December 2006, 12:29 AM
I tried the SD upgrade method.
I placed an NBH file on it called TRINIMG.nbh, but after checking it gave me "NOT ALLOW" 00028002.
Any idea?
pof
20th December 2006, 01:10 AM
As your seclevel is FF, the CID on the NBH should be the same as on your device. info 2 shows your CID = HTC__102 (HTC Germany), so you need to put an HTC German ROM in the TRINIMG.nbh file or CID unlock your device.
Nice work on the bootloader :)
pof
20th December 2006, 03:23 AM
I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
getdevinfo
ResetDevice
progress
ruustart
rbmc
password
info
task
emapi
btrouter
wdata
lnbs
erase
checkimage
checksum
wdata
wdatah
There's also the static password: BsaD5SeoA
Can you add all this info to the wiki?
decebal
20th December 2006, 08:53 AM
> I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
> Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
> There's also the static password: BsaD5SeoA
> Can you add all this info to the wiki?
Excellent. I'm in the office with only my trusted Universal (I'll fill in all the info tonight).
decebal
20th December 2006, 12:20 PM
from artemis Wiki:
Artemis Bootloader Password
Seems that artemis bootloader password is static: BsaD5SeoA
If you enter this password in mtty terminal, you may not be able to boot device into Windows, only in bootloader. Be careful.
It means that Artemis has the same bootloader (or a similar one) as Trinity.
The question: why can it not get out of the bootloader?
pof
20th December 2006, 02:33 PM
> It means that Artemis has the same bootloader (or a similar one) as Trinity.
No, if you compare SPL they are very different one from the other.
Trinity's SPL is more similar to Hermes SPL, but Artemis SPL is different.
> The question: why can it not get out of the bootloader?
Probably you just need to 'set 14 0' or hard reset to go back to the OS, I don't know... The wiki edit was done by fdp24, he can probably explain :)
decebal
20th December 2006, 09:41 PM
> I've just decoded Trinity radio, it is very very similar to Hermes radio (Same Qualcomm JNAND Identification block), so radio bootloader commands should be the same in Trinity as on Hermes (and radio patch for SIM/CID unlock too!).
> Normal bootloader commands should be quite similar too, but not necessarily the same, this is what I found on Trinity's SPL:
> There's also the static password: BsaD5SeoA
> Can you add all this info to the wiki?
Cmd>getdevinfo
GetDevInfo: Get CID OK
HTCSTRIN100HTCE
--
Reset Device - works
--
Progress - works
--
ruustart - blocked - hard reset needed
--
rbmc - not working
--
password works with the password BsaD5SeoA
--
info - works as in wiki
--
task - works as in wiki
--
emapi and btrouter - blocks the device
--
wdata - works with the password provided
--
lnbs - not working
--
erase - working
HTCST ÚÈÒHTCE
--
checkimage - working as in wiki
--
checksum - seems working
--
wdatah - not working
decebal
20th December 2006, 09:43 PM
It seems that the 1.06 is somehow limited as a bootloader. How can we get the 1.04 or another upgrade solution?
Thanks
pof
21st December 2006, 01:08 AM
Nice work on the wiki decebal :)
Answers to your comments:
rbmc and lnbs - probably only work on SuperCID devices.
emapi and btrouter - I think it switches to wlan or bluetooth and disables USB connection.
wdata and wdatah - In Hermes, wdatah is for flashing NBH and wdata for flashing NBF in preproduction devices. Have you captured a full ROM upgrade using USB monitor? Which one does the RUU use? Probably it has a dynamic password which enables wdatah for NBH files. Does 'info 3' work as in Hermes? (You need to watch the USB monitor output, you generally can't see it in mtty.)
> It seems that the 1.06 is somehow limited as a bootloader. How can we get the 1.04 or another upgrade solution?
Generally by flashing a ROM matching your CID with bootloader 1.04.
fdp24
6th January 2007, 09:15 PM
rbmc is not in the SPL on the Artemis device. Probably not on Trinity either.
These are some commands for Artemis.
They could be similar for Trinity.
CASE SENSITIVE!
Cmd>fm
Wrong parameters of FM Command!!
Usage:
fm [command] [frequency]
where:
if[command] = i Initialize FM.
if[command] = o Power on FM.
if[command] = f Power off FM.
if[command] = t Tune FM channel to [frequency].
if[command] = a FM auto seek test.
if[command] = m Mono(1) or Stereo(0).
if[command] = v Volume (0x00 - 0x0F).
if[command] = u Mute(0)
if[command] = g AGC(1)
if[command] = h Set seek threshold (0x00 - 0xFF).
if[command] = s Seek Up(1) or Down(0).
if[command] = r Get RSSI (0x00 - 0xFF).
if[command] = c Get current channel [frequency].
if[command] = d Get RDS data (1 - 10 groups of data).
************************************************** ************************************************** *
Cmd>cpldver
xsvfExecute - CpldType=1
SUCCESS - Completed XSVF execution.
CPLD Ver[0]=1
CPLD Ver[1]=FC
CPLD Ver[2]=26
CPLD Ver[3]=5
SetDsbDBGMSGT
Unknown yet.
************************************************** ************************************************** *
Cmd>ReadExtROM
Dump Ext ROM to MTTY terminal
************************************************** ************************************************** *
Cmd>WLANReset
Usage:
WLANReset 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>WLANReset 0
WLANReset(FALSE)
Cmd>WLANReset 1
WLANReset(TRUE)
************************************************** ************************************************** *
Cmd>SDSelect
Usage:
SDSelect 1(or0)
set SDIO: 0-WLAN ;1-SDMC.
Cmd>SDSelect 1
Select SD Card
************************************************** ************************************************** *
Cmd>emapiWlanMac
Notice: This MAC address takes effect only when your platform is EEPRON-less configuration. Please use (emapiTest) to verify it !
Copying GSM DATA image to SDRAM:00004000
Wlan data header ++++++++++++++++++++
Signature : 0xEE1250
UpdateStatus : 0x2
UpdateCount : 0xA
BodyLength : 0x1A1
BodyCRC : 0x4349311B
Wlan data header --------------------------
0x00000000
0x00000009
0x0000002D
0x000000D2
0x000000D5
0x000000FB
************************************************** ************************************************** *
Cmd>emapiTest
+emapiTest
1. Power on WLAN
2. Reset WLAN
3. Switch MUX to WLAN
4. Enable WLAN clock
5. Init WLAN SDIO interface
6. DeviceID Test
DeviceID = 4030xxx
EEPROMless configuration!
-emapiTest
************************************************** ************************************************** *
Cmd>emapiPwrDwn
************************************************** ************************************************** *
Cmd>emapiRead
Parameter Wrong!!
************************************************** ************************************************** *
Cmd>getdevinfo
Need password!
************************************************** ************************************************** *
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
************************************************** ************************************************** *
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
************************************************** ************************************************** *
Cmd>set
Usage:
set [Type Value]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Current flag settings:
Type 1(Operation mode flag): g_cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x0).
Type 4(Front color): g_dwFColor24bit=(0x0).
Type 5(Background color): g_dwBColor24bit=(0xFFFFFF).
Type 6(Set color of screen): None.
Type 32: Unlock Flash Command
Set control flags.
************************************************** ************************************************** *
Cmd>SetDebugMethod
Copying GSM DATA image to SDRAM:00004000
Default DebugTransport Value =00000000
Current Usage:
0 No Debug
A UART MTTY Output Debug Message
B USB MTTY Output Debug Message
************************************************** ************************************************** *
Cmd>checksum
Usage:
checksum addr len
Return CRC checksum of memory.
In user mode: Show 4 bytes of CRC checksum value on display of terminal.
In auto mode: Send 4 bytes of CRC checksum value to terminal with data format.
************************************************** ************************************************** *
Cmd>ResetDevice
no comments :)
************************************************** ************************************************** *
**When CID is locked.
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
Not allow operation!
Error : DownloadImage return error (code = 0xFFFFFFFF)
**When CID is locked.
************************************************** ************************************************** *
**When CID unlocked
Cmd>ls
clean up the image temp buffer at 0x8C100000 Length 0x03A00000
BOOTLOAD_PAGE_TABLE_BASE_C_VIRTUAL= 0x8C080000
Clear image temp buffer done .
MTTYDownloadImage
start download
==CreateFile err==
**When CID unlocked
************************************************** ************************************************** *
Cmd>GPSRouting
Dump code to mtty console.
************************************************** ************************************************** *
Cmd>BTRouting
Dump code to mtty console.
************************************************** ************************************************** *
Cmd>BTRouting
+GSM_Modem_Init : include DAGON
Copying GSM DATA image to SDRAM:00004000
GSM - dwSize = 3479D
GSM Page0
GSM - dwSize = 45457
GSM Page1
GSM - dwSize = 4B768
GSM Page2
GSM - dwSize = 4E0A9
GSM Page3
GSM - dwSize = 4B4C4
GSM Page4
GSM - dwSize = 4C71F
GSM Page5
GSM - dwSize = 2958E
GSM Page6
GSM - dwSize = E8D8
GSM Page7
Copying GSM CODE image to SDRAM:00000000
ARMBOOT = 1 --> boot from CS3
Reset ARM 7 -- ok
Please close MTTY USB connection and open BT Testing program...
************************************************** ************************************************** *
password BsaD5SeoA - this is the static password used when flashing the device. (USB sniffer)
The battery seems to be charging while in the bootloader.
If you get stuck in the bootloader while experimenting with commands, try this:
password BsaD5SeoA
ruurun 0
Alternatively, you can run the ROM flasher even on a CID-locked device. It will give you an error message about Device ID or something, but your device will be back to normal and boot normally.