Hi,

I seem to have lost the ability to activate wifi. Neither the "Comm Manager" nor the 'Wireless LAN" applications are able to turn wifi on. Also, the wifi details are not shown under the "Wireless" Today panel.

The device has been flashed quite a lot recently. I have tried reflashing the original phones roms, the v3 unlock radio rom, and the 2.05 & 2.11 HTC roms; none of these seem to have solved the problem.

Also, possibly the cause, I ran an 'erase 80000000 d80000' & 'erase 0x80100000 0x20000' (radio(?) & radio bootloader(?) from wiki.

Would reflashing the data that was deleted by the above two erases help? (in case a normal re-flash doesn't touch these areas).

I have searched through the forums and the wiki but I'm unable to find a similar problem, so if anyone has any ideas that would be appreciated.

thanks

rob-ix


WHOOPS just saw http://forum.xda-developers.com/showthread.php?t=295211 so this post my not have been required. But, I gotta read it first, so put this on hold for a few mins

Booting using Platform Builder gives the following possible answer for the problem:

20161 PID:239ceb52 TID:23862ede CertVerify: TIACXWLN.dll trust = 2
20179 PID:2375059e TID:23862ede no EEPROM no WLAN!!

I've tried, changing via HTweakC, to allow non-trusted apps to be used but this hasn't changed things.

If anyone can answer these questions or point me in the right direction to answer/fix them it would be appreciated:

1, Is the 'no EEPROM no WLAN' error being caused by 'trust = 2' on the above dll or is in fact caused by having no wlan EEPROM?
2, Is this EEPROM a real one or one simulated via the flash/NAND?
3, Can this data be re-written/flashed?

thanks

Rob-ix

1, Is the 'no EEPROM no WLAN' are being caused by 'trust = 2' on the above dll or is in fact caused by having no wlan eeprom?
By having EEPROM erased or corrupted.

2, Is this EEPROM a real one or one simulated via the flash/NAND?
I think it is inside the MSM6275 chip.

3, Can this data be re-written/flashed?
No that i know of.

By having EEPROM erased or corrupted.

I ran these commands via the BL at one point to try to clear the radio, could these have been responsibile?

erase 80000000 d80000
erase 80100000 20000

thanks

rob-ix

not sure, let me check if i can get a dump of that...

did you actually use 'erase' from bootloader, or 'rerase' from radio bootloader?
where you successfully authenticated to the bootloader/radio bootloader when you did that?

Pof,

not sure, let me check if i can get a dump of that...

Great. Then I should be able to compare the two dumps.

did you actually use 'erase' from bootloader, or 'rerase' from radio bootloader? where you successfully authenticated to the bootloader/radio bootloader when you did that?

I used 'erase' from the bootloader, and I believe I was authenticated at the time.

thanks

Rob

Then I should be able to compare the two dumps.

bootloader command 'rbmc' dumps nothing on that addreses :(

go into bootloader, type these commands:


task 32
task 37 ff


tell me the output of the second :)

go into bootloader, type these commands:


task 32
task 37 ff


tell me the output of the second :)

Please see attached.

thanks

Rob

Seems that you have erased the EEPROM: :rolleyes:


03/24/2007 23:53:25 [K :: KERNEL] HTC Nand Read!
03/24/2007 23:53:25 [K :: KERNEL] Kernel: EEPROM signature=FF FF FF FF FF
03/24/2007 23:53:25 [K :: KERNEL] HTC Nand Read!
03/24/2007 23:53:25 [K :: KERNEL] Kernel: EEPROM signature Old=FF FF FF FF FF
[...]
CertVerify: TIACXWLN.dll trust = 2
no EEPROM no WLAN!!


On a normal hermes this looks like this:


05/01/2006 00:00:00 [K :: KERNEL] HTC Nand Read!
05/01/2006 00:00:00 [K :: KERNEL] Kernel: EEPROM signature=50 12 EE 0 2
05/01/2006 00:00:00 [K :: KERNEL] Kernel: EEPROM1 Checksum=0xbd4ccc54
05/01/2006 00:00:00 [K :: KERNEL] HTC Nand Read!
05/01/2006 00:00:00 [K :: KERNEL] Kernel: EEPROM signature Old=50 12 EE 0 2
05/01/2006 00:00:00 [K :: KERNEL] Kernel: EEPROM2 Checksum=0xbd4ccc54


If I find anything for you to try I'll let you know.

Pof,

Seems that you have erased the EEPROM: :rolleyes:



That makes sense. Do you know if it's a real EEPROM or just some flash pretending to be EEPROM? Would GNU Haret be able to dump/reload the information?

thanks

Rob

would HTC have to replace the entire mainboard for this to be fixed, or do they have a tool that could reflash the EEPROM with a new mac adress and such

In theory, should be possible to reflash via bootloader EMAPI commands, but we don't know how to use them, sure HTC knows... but in service centre they most probably will replace the mainboard for that.

In theory, should be possible to reflash via bootloader EMAPI commands, but we don't know how to use them, sure HTC knows... but in service centre they most probably will replace the mainboard for that.

... thats not good, how much do you think that would cost? over $300?

is there anyway to emulate the EEPROM or put the MAC address in the registry?

Output of task 37 ff scrolls way too much overflowing the screen buffer. I don't see a log option in the mtty I downloaded from wiki pages. What's the method to capture large output like that?

TIA

@cjchriscj: no

@aarman: type "task 37 ff" and pull out the USB cable before the buffer grows too big.

Is it possible that people having this problem have flashed _too big_ a OS.nb file using MFG bootloader before having the problem?

I have the feeling that WLAN EEPROM is read from NAND flash, if we manage to find the right offset we can probably rbmc to read it and reflash it with lnb.

I have the same problem :(

05/23/2006 23:57:46 [K :: KERNEL] HTC Nand Read!
05/23/2006 23:57:46 [K :: KERNEL] Kernel: EEPROM signature=FF FF FF FF FF
05/23/2006 23:57:46 [K :: KERNEL] HTC Nand Read!
05/23/2006 23:57:46 [K :: KERNEL] Kernel: EEPROM signature Old=FF FF FF FF FF
05/23/2006 23:57:46 [K :: KERNEL]

If i understand that pof say for resolve my probleme i need the lnb wifi ?

The offset is not 0xb6d00000 0x20000000 ?

ok, good news for those who have fucked up wlan EEPROM...

I was able to rbmc the right place where the WLAN eeprom is stored, as a proof of concept:


This is my MAC address: 00:09:2d:f1:f2:d3

This is the EEPROM signature reported by "task 32 ff": 50 12 EE 0 2



50 12 EE 00 02 00 00 00 06 00 00 00 A1 01 00 00 P.î.........¡...
43 50 AA 80 00 00 00 00 00 00 00 00 00 00 00 00 CPª?............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02 11 56 05 1B 06 00 11 31 01 00 01 09 56 12 00 ..V.....1....V..
00 00 01 0D 56 71 00 00 00 02 6D 54 D3 F2 F1 2D ....Vq..........
09 00 00 00 01 05 5A 64 00 00 00 01 09 5A 00 00 ......Zd.....Z..
00 00 01 0D 5A 00 00 00 00 01 01 0C 03 00 00 00 ....Z...........
01 01 5A 00 00 00 00 01 55 09 01 00 00 00 01 E5 ..Z.....U......å
58 02 00 00 00 01 F1 58 08 00 00 00 01 D5 58 10 X.....ñX.....ÕX.
00 00 00 01 B1 58 04 00 00 00 00 00 00 00 00 00 ....±X..........
00 0C 00 8B 00 C6 00 D0 00 DC 00 EE 00 0C 01 15 ...?.Æ.Ð.Ü.î....
01 17 01 2D 01 67 01 77 01 7F 01 01 39 00 00 11 ...-.g.w...9...
00 04 01 01 01 00 05 01 06 00 02 01 02 01 02 1E ................
00 0A 00 02 05 02 04 11 22 44 03 06 41 20 30 31 ........"D..A 01
32 40 04 09 54 49 20 41 43 58 31 30 30 05 07 54 2@..TI ACX100..T
49 20 54 65 73 74 01 08 00 00 00 00 00 00 00 00 I Test..........
05 02 00 00 3B 00 81 00 C5 00 1F 01 04 04 44 10 ....;..Å.....D.
00 00 45 10 00 00 18 5A 40 00 14 5A 20 00 02 0E ..E....Z@..Z ...
A0 01 F7 00 08 01 7E 02 78 00 B2 01 8A 09 80 00 .÷...~.x.².?.?.
F7 00 08 01 79 02 78 00 A4 01 8A 09 01 07 00 01 ÷...y.x.¤.?.....
40 00 00 00 01 00 00 05 04 00 01 01 00 00 00 00 @...............
FF FF FF FF FD FD FD FD FB FB FB FB FB 0E 04 09 ÿÿÿÿýýýýûûûûû...
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 ................
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 ................
09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 ................
09 09 09 09 09 09 09 0E 01 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 03 02 D4 08 D4 08 07 00 01 .........Ô.Ô....


This is on NAND, around offset 0x500CD800 (after SPL and before MainSplash).

Probably this can be overwriten with 'lnb' command on MFG bootloader, i'm investigating this with Olipro right now.

If anyone wants to serve as a guinea pig, let us know :)

ok, good news for those who have fucked up wlan EEPROM...

I was able to rbmc the right place where the WLAN eeprom is stored, as a proof of concept:

[LIST]
This is my MAC address: 00:09:2d:f1:f2:d3



This is on NAND, around offset 0x500CD800 (after SPL and before MainSplash).

Probably this can be overwriten with 'lnb' command on MFG bootloader, i'm investigating this with Olipro right now.

If anyone wants to serve as a guinea pig, let us know :)


I don't mind being a guinea pig, i think rodents are cool!

just a quick question, mac addresses are supposed to be unique to each wireless device right? If it was truly erased? how would you get another one? make it up?

just a quick question, mac addresses are supposed to be unique to each wireless device right? If it was truly erased? how would you get another one? make it up?

basically, yes.

well... the first 3 numbers (hex) are the OUI, so those can just be cloned, then the last 3 can be invented.

ok, we have fond the exact place where wlan eeprom is on NAND.

I've made a backup of mine and overwrite it with one dumped from Olipro's hermes, and my MAC address changed to olipro's one. Then i restored from my backup and got my original MAC.

We're working to provide a tool which will allow you to do it on a semi-automated way, so wait a few days until we have it ready :)

Olipro will publish it here (http://forum.xda-developers.com/showthread.php?t=304004) when it's ready.

Pof and Oli, you guys are truly amazing, I don't have a problem with my wifi but if I did it is nice to know that you guys are nice enough to find the problems and fix them. Keep up the great work, everybody here appreciates it!!!:)

ok, we have fond the exact place where wlan eeprom is on NAND.

I've made a backup of mine and overwrite it with one dumped from Olipro's hermes, and my MAC address changed to olipro's one. Then i restored from my backup and got my original MAC.

We're working to provide a tool which will allow you to do it on a semi-automated way, so wait a few days until we have it ready :)

Olipro will publish it here (http://forum.xda-developers.com/showthread.php?t=304004) when it's ready.great work yet again!!! do you think it is possible to do the same for the wizard? as i have a dead wifi on it. it happen after i flashed my wizard with a custom scrip in windows vista.

great work yet again!!! do you think it is possible to do the same for the wizard? as i have a dead wifi on it. it happen after i flashed my wizard with a custom scrip in windows vista.

I know very few about wizard internals, this is the approach we took on hermes, probably you can do something similar on wizard:

1) see which is the EEPROM signature on a working device (task 37 ff)
2) patch the bootloader to allow rbmc at any address
3) rbmc full NAND until you find the EEPROM signature
4) patch the bootloader to allow lnb at any address
5) dump wlan EEPROM from a working device using rbmc
6) flash it on a wifi-dead deivce using lnb

This way you will clone the MAC address, there's a checksum in the EEPROM code, we still have to figure out how to calculate the checksum if you want to change the MAC address to your liking.

Using this method u can change also other stuff non accessible without patching the bootloader, like the Backup CID, Model ID, Serial Number, etc...

I know very few about wizard internals, this is the approach we took on hermes, probably you can do something similar on wizard:

1) see which is the EEPROM signature on a working device (task 37 ff)
2) patch the bootloader to allow rbmc at any address
3) rbmc full NAND until you find the EEPROM signature
4) patch the bootloader to allow lnb at any address
5) dump wlan EEPROM from a working device using rbmc
6) flash it on a wifi-dead deivce using lnb

This way you will clone the MAC address, there's a checksum in the EEPROM code, we still have to figure out how to calculate the checksum if you want to change the MAC address to your liking.

Using this method u can change also other stuff non accessible without patching the bootloader, like the Backup CID, Model ID, Serial Number, etc...
yes thats was what i was thinking it may work!

good job i got the wife wizard fully working....i will try now thanks!

Pof and Olipro,

You guys amaze me with your talents! Great job helping people out with their Hermes problems.

Thank you guys so much. Was about to flash back to the original rom and send back my phone. :-s

But now I dont have to. P.S. The new bootloader is totally off the hook!

Looks to me like something gets corrupted after a wifi connection, changing the MAC address.

On my device (Cin 8525, Black 2.5, 1.40) after a soft reset I have one MAC address, and then can connect, disconnect and try to reconnect, no go, and I see my MAC address has changed. Soft reset and back to the original and again I can connect.

Hope that helps in the debugging process guys - i.e. something is corrupting memory!

and, for the users, a soft-reset may fix it temporarily.

After unbricking my Hermes with KITL+PB and reflash it with the new official french ROM, I can't activate my wifi anymore. How can I know the origin of the problem and if the EEPROM has been erased or not ?

All info are here : http://forum.xda-developers.com/showthread.php?t=304004

is there a method to fix this bug yet??????
seems everyone forgot about it already....

we wait for a fix.

we wait for a fix.

Still no fix ?

Would we be able to get back the same MAC adress? It isnt illegal to change it right?

I know very few about wizard internals, this is the approach we took on hermes, probably you can do something similar on wizard:

1) see which is the EEPROM signature on a working device (task 37 ff)
2) patch the bootloader to allow rbmc at any address
3) rbmc full NAND until you find the EEPROM signature
4) patch the bootloader to allow lnb at any address
5) dump wlan EEPROM from a working device using rbmc
6) flash it on a wifi-dead deivce using lnb

This way you will clone the MAC address, there's a checksum in the EEPROM code, we still have to figure out how to calculate the checksum if you want to change the MAC address to your liking.

Using this method u can change also other stuff non accessible without patching the bootloader, like the Backup CID, Model ID, Serial Number, etc...

Just want to know if it's possibile to dump EEPROM with this tool http://forum.xda-developers.com/showthread.php?t=293651 ?? or an other tool without install anythink on the device ?

I unbricked my X01HT now i have this:

07/26/2007 18:49:55 [K :: KERNEL] HTC Nand Read!
07/26/2007 18:49:55 [K :: KERNEL] Kernel: EEPROM signature=FF FF FF FF FF
07/26/2007 18:49:55 [K :: KERNEL] HTC Nand Read!
07/26/2007 18:49:55 [K :: KERNEL] Kernel: EEPROM signature Old=FF FF FF FF FF
07/26/2007 18:49:55 [K :: KERNEL]
OEMInit: The CRC Checksum of 2M is 0xa53450a3

My WiFi is Dead....

I hope a solution very soon please... Pof and Olipro help!!!

I have the same problem, Plz Help us !!!

Does this problem occur if we modify the bootloader to enable flashing ROM of a particular Hermes brand onto another. What I mean is for example for enabling an imate Jasjam to accept ROM released for the Doopod.

I am asking this question since I have a TyTn still on its original WM5.. Now that HTC has released the ROM for the TyTn I will not need to play around with the Bootloader and all. Do you suspect that even such straightforward upgrade of ROM from WM5 to WM6 may cause the WiFi failure phenomenon.

Shall be obliged for your help and Regards

So far, no one is sure of what exactly causes this. Some users have had the problem from flashing radio only. Some from full rom upgrade, some when trying to unbrick. I can verify that the technique posted on page 3 of this thread will fix your problem.

Read this post:

http://forum.xda-developers.com/showthread.php?t=322225

closing this one ;)