Request for preproduction hermes owners


pof
4th January 2007, 01:43 PM
If you have a preproduction Hermes (http://wiki.xda-developers.com/index.php?pagename=Hermes_PreproductionVersions) device (300MHz) and still have a preproduction ROM running on it, I need your help! :)

I want to extract the bootloader from your device, if the SPL version is lower than 1.04.

To do this, you have to follow these instructions:

1) First try to dump it from bootloader itself, using usb monitor (http://www.hhdsoftware.com/Products/home/usb-monitor.html) and mtty (http://wiki.xda-developers.com/uploads/mtty.exe):


USB> task 32
USB> set 1e 1
USB> rbmc spl 50020000 40000


2) If this doesn't work, try to dump it using gnuharet (http://handhelds.org/~koconnor/haret/), connect to your device port 9999 and type:


HaRET(1)# pwf splfile 0x30000000 0x40000


I can provide a more detailed explanation if you have the preproduction bootloader and these instructions are not enough for you; do not hesitate to ask.

I am also interested in collecting preproduction or test ROMs for the Hermes in any language, please PM me if you have one of these.

Thanks in advance!

300logic
16th January 2007, 07:30 PM
Is This What You Want?

vijay555
16th January 2007, 07:35 PM
Hmm 300logic. That's an interesting file. Will come in handy for some stuff I've been thinking about. I had another version, but that's really useful.

Many thanks!

V

Asukal
16th January 2007, 07:46 PM
Is This What You Want?

To: 300logic

So nice. So dark! :)

Can I talk with you in PM?
I have something to ask you.

Anyway, thanks for this great file!

pof
16th January 2007, 07:54 PM
Is This What You Want?

It looks good, yes... 256K (0x4000) SPL + signature... have any of you flashed it yet? I'm going to try now... I hope the address in the wiki for SPL is OK :rolleyes:

pray for my hermes :)

EDIT: Flashed OK with 'lnbs spl-1.01.nbs 50020000' bootloader shows:


HERM100
IPL-1.01

HERM100 MFG
SPL-1.01


Interesting, it has 'wdata' and 'lnb' commands... does it mean we can flash unsigned code??

vijay555
16th January 2007, 08:27 PM
I think we can try - I was looking at your rom decompiling stuff Pof. It should be possible I think, but someone has to risk their Hermes :eek: But this could be very useful... Not really my area, I'll leave this to you guys with the Brains :)

V

shogunmark
16th January 2007, 08:29 PM
It looks good, yes... 256K (0x4000) SPL + signature... have any of you flashed it yet? I'm going to try now... I hope the address in the wiki for SPL is OK :rolleyes:

pray for my hermes :)

EDIT: Flashed OK with 'lnbs spl-1.01.nbs 50020000' bootloader shows:


HERM100
IPL-1.01

HERM100 MFG
SPL-1.01


Interesting, it has 'wdata' and 'lnb' commands... does it mean we can flash unsigned code??

Hmmmmm... I bet we can flash unsigned code now ;) Custom cooked ROMs, here we come!!!!!

pof
16th January 2007, 08:36 PM
Looks very cool, I've just flashed both splash screens using the 'lnb' command without any signature on them!!! My Hermes now has custom splash screens, ROM cooking is on the way!!! :D

Will make a wiki page later tonight :):)

shogunmark
16th January 2007, 08:46 PM
I can confirm that I was also able to flash custom splash screens in the same manner on my Cingular 8525!!! This is fabulous... no more sh!tty Cingular 3G splashes

nmonger
16th January 2007, 08:52 PM
Guys, I have a very good contact in my local vodafone store and would easily be able to get a replacement Hermes should anything "bad" happen to this one.

If you need me to test anything, please let me know.

I have Rom version 1.20.162.3

Vodafone German rom.
Radio 1.03.07.00
IPL-1.00
SPL-1.09

vijay555
16th January 2007, 08:54 PM
I can confirm that I was able to flash some girls on the street! No more sh!tty freedom for me, I'm going to prison. Cool!

V

PS This is great work guys.

Warning to those who don't know what you're doing: don't be tempted to attempt this for now. Soon, we'll have tools to automate this stuff. Right now, it's research for people that really need to get out more.

shogunmark
16th January 2007, 08:59 PM
Warning to those who don't know what you're doing: don't be tempted to attempt this for now. Soon, we'll have tools to automate this stuff. Right now, it's research for people that really need to get out more.

I just want to put this out there again....

mousey_
16th January 2007, 09:09 PM
Well Pof, this discovery seems to cut your unsigned code estimate down a fair few months :)

Now let's hope we can prove your estimate for cooked ROMs wrong as well.

Thanks 300Logic

Cheers
Mousey

VivaErBetis
16th January 2007, 09:12 PM
Cool!!! You make my day!!!

Midget_1990
16th January 2007, 09:15 PM
I've cooked what could be a VERY buggy AKU 3.5 ROM for Hermes. I can't even guarantee it will boot because I don't have one I can flash, only for reference.

ATM all I need is the hex start and finish of the XIP section and I can compile it

(and a willing tester)

scorpio16v
16th January 2007, 09:27 PM
Hi all
Is this bootloader only a joke, or not? :confused:
Or is this the thing we have been waiting for?
The dump looks different from the other bootloaders, I believe. :confused:

shogunmark
16th January 2007, 09:32 PM
Hi all
Is this bootloader only a joke, or not? :confused:
Or is this the thing we have been waiting for?
The dump looks different from the other bootloaders, I believe. :confused:

Not a joke... this is exactly the kind of thing we needed!!! This bootloader will allow you to flash unsigned *.nb's, whereas the others will not let you flash anything that isn't signed.
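An added illustration, not code posted by anyone in this thread: one way to parse the bootloader screen text quoted above and flag a device that shows the MFG bootloader, or an SPL below the 1.04 threshold named in the first post. The function names and the retail sample screen (built from IPL/SPL values listed in the thread) are assumptions.

```python
import re

# Constructed sample screens. MFG_SCREEN copies the layout quoted in the thread;
# RETAIL_SCREEN is an assumed layout built from IPL/SPL values a poster listed.
MFG_SCREEN = "HERM100\nIPL-1.01\n\nHERM100 MFG\nSPL-1.01\n"
RETAIL_SCREEN = "HERM100\nIPL-1.00\n\nHERM100\nSPL-1.09\n"

VERSION_RE = re.compile(r"^(IPL|SPL)-(\d+)\.(\d+)", re.MULTILINE)
MFG_RE = re.compile(r"^\S+[ \t]+MFG[ \t]*$", re.MULTILINE)


def parse_screen(text):
    """Return {'IPL': (major, minor) or None, 'SPL': (major, minor), 'MFG': bool}."""
    text = text.replace("\r", "")  # terminal captures often use CRLF line ends
    found = {m.group(1): (int(m.group(2)), int(m.group(3)))
             for m in VERSION_RE.finditer(text)}
    if "SPL" not in found:
        raise ValueError("no SPL-x.yy line found; cannot classify this screen")
    return {"IPL": found.get("IPL"), "SPL": found["SPL"],
            "MFG": bool(MFG_RE.search(text))}


def audit_screen(text, spl_floor=(1, 4)):
    """List reasons a device should not be assumed to enforce image signatures.

    spl_floor defaults to 1.04, the threshold named in the first post.
    """
    info = parse_screen(text)
    findings = []
    if info["MFG"]:
        findings.append("MFG bootloader: posters flashed unsigned images with 'lnb'")
    # Compare integer tuples so that 1.10 sorts above 1.09 (string compare would not).
    if info["SPL"] < spl_floor:
        findings.append("SPL %d.%02d is older than %d.%02d" % (info["SPL"] + spl_floor))
    return findings


if __name__ == "__main__":
    for name, screen in (("mfg", MFG_SCREEN), ("retail", RETAIL_SCREEN)):
        print(name, parse_screen(screen), audit_screen(screen))
```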

sergiopi
16th January 2007, 09:34 PM
Looks very cool, I've just flashed both splash screens using the 'lnb' command without any signature on them!!! My Hermes now has custom splash screens, ROM cooking is on the way!!! :D

Will make a wiki page later tonight :):)

Pof, ..... thanks.

scorpio16v
16th January 2007, 09:36 PM
Then please make a howto for noobs to update to this bootloader in the wiki, or I think I can't sleep tonight. :D

pof
16th January 2007, 09:48 PM
WAIT UNTIL INSTRUCTIONS ARE POSTED IN THE WIKI

I'm writing a wiki page, please be patient or you could brick your device if you don't know what you're doing :)

slimsaturn
16th January 2007, 10:05 PM
Could we try to flash this bootloader to try and revive a bricked device?

vijay555
16th January 2007, 10:08 PM
Slim, depends on how dead it is. If you can't access the bootloader, not much you can do other than jtag or goldcard I think.
Otherwise, it appears to be a normal bootloader, with a few special features...

V

slimsaturn
16th January 2007, 10:13 PM
V,
Not trying to hijack this post. My second device I can get to bootloader but get a vendor id when trying to flash. It was bricked when it failed during a ROM upgrade. I am not sure of the specifics but thought that this way may allow me to try something else. What is this jtag and goldcard you speak of?

pof
16th January 2007, 10:33 PM
This bootloader requires 'lnbs' command to be flashed, and this only works on SuperCID devices, so if you have a bricked device which can read the CID, yes it might help fixing it, but if the CID is corrupted it will not help.

AFAIK jtag pins for hermes are unknown, and goldcard... this is a dream for us yet :)

Zgembo
17th January 2007, 03:06 AM
Is there any way we could automate 'bootloader downgrade' in the fashion of imeicheck bootloader downgrader... Just for the sake of these poor x01ht users like me? :p

pof
17th January 2007, 03:32 AM
As promised, here is the wiki page with instructions:

ROM cooking and Bootloader 1.01 MFG (http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG)

Feel free to edit it if you find anything wrong or find something new about it that I still haven't found :)

Enjoy! :D

shogunmark
17th January 2007, 03:46 AM
Is there any way we could automate 'bootloader downgrade' in the fashion of imeicheck bootloader downgrader... Just for the sake of these poor x01ht users like me? :p

well so far your phone still has to be super cid before being able to flash the lower bootloader...

pof
17th January 2007, 10:01 AM
Please read sticky post Here (http://forum.xda-developers.com/showthread.php?t=290206).

Kilihari
17th January 2007, 10:44 AM
WOW! This is amazing! Simply put, your idea pof is simple and brilliant at the same time, and it is one of those ideas that you think to yourself... GEE.. why didn't I think of that sooner.. but no worries. EHEHEHE.. this is great.. gonna put some porn on my splash screen.. maybe two hot babes.... WOO..

Just kidding.. my girlfriend would be mad... but I am definitely going to put that custom softbank logo that some dood made on this forum on there.. it is awesome.. wow.. I am so happy.... I feel happiness inside.

-Joe.

Ya, I am a lil crazy.. but that is why I am so cool. And no, I am not 12 ... ehehehe.

jyavenard
17th January 2007, 11:23 AM
For a command like this: "lnbs SPL-1.01.nbs 50020000"

For it to work, where do you copy the file SPL-1.01.nbs?

Do you have it on your PC, or do you copy it to the device?

JY

pof
17th January 2007, 11:49 AM
@jyavenard: On your PC, in the same folder as mtty.exe

Applestar
17th January 2007, 02:16 PM
Everything worked out beautifully: Downgraded to 1.01, removed the ugly T-Mobile splash screens and upgraded Bootloader to 1.04 again :)

Now I would like to ask for a few nice 320*240 bootscreens (..maybe within a new thread?) - Anyone?