
[release] JumpSPL v1.0, or how-to CID unlock ANY device!

6th October 2007, 01:34 AM | #1
pof (OP, Retired Moderator, Barcelona)
JumpSPL is a WinCE application that allows you to place a custom file in the device's RAM and execute the arbitrary code contained in it by jumping to its physical memory address.

This method is typically used to load a patched bootloader into RAM and execute it, so with JumpSPL you can potentially bypass any bootloader protections put in place by the manufacturer on a Windows Mobile based device, but you have to patch the bootloader yourself.

I'll be updating comment #2 with links to patched SPLs and future projects using JumpSPL, if you use JumpSPL in your project please post a comment or PM me.

JumpSPL should work on any WinCE device (not necessarily manufactured by HTC), although I have only tested it on HTC devices.

For more details and usage instructions please see the included README file.

DONATIONS:

Your donations are a strong incentive to continue research on new devices; if you find JumpSPL useful, please consider making a PayPal donation. Any donation amount is greatly appreciated.
Attached Files
JumpSPLv1.zip (8.7 KB)
Last edited by pof; 6th October 2007 at 02:41 AM.
6th October 2007, 01:36 AM | #2
pof (OP, Retired Moderator, Barcelona)
Patched SPLs
Notes on patching & testing custom SPLs:
  • Disassemble the SPL using radare (free) or IDA Pro (commercial).
  • You need to press the bootloader buttons after loading your custom SPL with JumpSPL, otherwise the device will reboot. You can also patch the SPL to enter bootloader mode automatically, so you don't have to press the buttons.
  • Some devices require that you unplug and re-plug the USB cable after the SPL has been loaded.
  • On some devices (TI OMAP) you'll see a white screen instead of the usual tri-color screen, don't worry about that, you're in bootloader mode.
  • Use patched SPLs with caution, try to flash splash screens to do the initial tests and avoid bricking your device.
  • To know the jump address you can use itsutils 'pmemdump -p' and try to find a copy of the SPL in memory. You can find the virtual address with dumpromx.exe.

Projects using JumpSPL:
Attached SPL patches:
  • Kaiser: jump address is 0x00000000
  • Artemis & Herald: jump address is 0x10000000
Attached Files
herald_JumpSPL_pof_v1.zip (222.5 KB)
artemis_jumpSPL_pof_v1.zip (213.8 KB)
kaiser_JumpSPL_pof_v1.zip (101.1 KB)
Last edited by pof; 6th October 2007 at 05:07 AM.
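The last note in the post above says to dump physical memory with itsutils' `pmemdump -p` and look for a copy of the SPL to learn the jump address. The following is an added example, not code from JumpSPL, itsutils or the original post, showing one way to do that search offline on a saved dump: take a search key from just past the ARM vector table (the first 0x20 bytes look alike across bootloaders), find every hit, and reject hits where only the key matched (a truncated or stale copy) or the candidate is not page-aligned. The dump, the SPL image and the base address 0x0FFF0000 are all constructed for the demonstration; the base is chosen so that the complete copy lands on 0x10000000, the Artemis/Herald jump address quoted in the post.

```python
"""Locate copies of an SPL image inside a physical-memory dump.

Added example, not part of JumpSPL, itsutils or the original post. `dump` is
assumed to be the raw bytes of a physical-memory dump beginning at physical
address `dump_base` (for example what `pmemdump -p` writes out), and `spl`
the bootloader image you intend to patch and load with JumpSPL.
"""
import hashlib
import struct
from typing import List, Optional, Tuple

# ARM bootloaders start with the exception-vector table: eight branch
# instructions, 0x20 bytes. Those words look alike across images, so the
# search key is taken from just past them.
VECTOR_TABLE_SIZE = 0x20


def spl_signature(spl: bytes, skip: int = VECTOR_TABLE_SIZE,
                  length: int = 64) -> bytes:
    """Return the slice of the image used as the search key."""
    if len(spl) < skip + length:
        raise ValueError("SPL image too small for the requested signature")
    return spl[skip:skip + length]


def find_spl_copies(dump: bytes, dump_base: int, spl: bytes,
                    skip: int = VECTOR_TABLE_SIZE,
                    length: int = 64) -> List[Tuple[int, bool]]:
    """Return (physical_address, full_match) for every signature hit.

    physical_address is where the *start* of the image would sit in physical
    memory, i.e. the candidate jump address. full_match is False when only
    the signature matched (a truncated or stale copy); such a hit must not
    be used as a jump target.
    """
    sig = spl_signature(spl, skip, length)
    hits: List[Tuple[int, bool]] = []
    pos = dump.find(sig)
    while pos != -1:
        start = pos - skip
        if start >= 0:
            full = dump[start:start + len(spl)] == spl
            hits.append((dump_base + start, full))
        pos = dump.find(sig, pos + 1)
    return hits


def choose_jump_address(hits: List[Tuple[int, bool]],
                        align: int = 0x1000) -> Optional[int]:
    """Pick the first complete, page-aligned copy; None if there is none.

    A loader can only jump to a copy that is whole, and the SPL copies seen
    on the devices in this thread sit on page boundaries (0x00000000,
    0x10000000), so an unaligned hit is treated as a false positive.
    """
    for addr, full in hits:
        if full and addr % align == 0:
            return addr
    return None


# ---- constructed sample data (not a real device dump) ----------------------
def make_fake_spl() -> bytes:
    """A 1056-byte stand-in: 8 branch-like vector words plus a non-repeating body."""
    vectors = struct.pack("<8I", *(0xEA000000 | i for i in range(8)))
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                    for i in range(32))
    return vectors + body


def make_fake_dump(spl: bytes) -> bytes:
    """256 KiB of 0xFF with one complete copy and one truncated copy of the SPL."""
    dump = bytearray(b"\xff" * 0x40000)
    dump[0x10000:0x10000 + len(spl)] = spl      # complete copy
    dump[0x30000:0x30000 + 128] = spl[:128]     # only the first 128 bytes
    return bytes(dump)


if __name__ == "__main__":
    spl = make_fake_spl()
    dump = make_fake_dump(spl)
    # Constructed base, chosen so the complete copy lands on 0x10000000, the
    # Artemis/Herald jump address quoted in the post above.
    hits = find_spl_copies(dump, 0x0FFF0000, spl)
    for addr, full in hits:
        print(f"copy at 0x{addr:08x}  complete={full}")
    print("jump address:", hex(choose_jump_address(hits)))
```

On a real device you would read the dump file produced by `pmemdump -p`, pass the physical address you dumped from as `dump_base`, and use the SPL image you already extracted (for instance from a ROM) as `spl`; the address returned is the physical address to give to JumpSPL. The truncated copy in the sample is there on purpose: a hit that matches only the search key is exactly the kind of false positive that would send the jump into garbage and reboot the device.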
6th October 2007, 01:48 AM | #3
Mi|enko (Senior Member)
Dude. If you can get this to work on the T-Mobile Wing, you will be my own personal hero. :)
6th October 2007, 02:02 AM | #4
pof (OP, Retired Moderator, Barcelona)
@Mi|enko: Patched SPL for T-Mobile Wing (Herald) attached to comment #2
6th October 2007, 02:36 AM | #5
Member
So... is it possible this way to CID unlock a Prophet G4? Can you make a version for the Prophet?
6th October 2007, 03:18 AM | #6
pof (OP, Retired Moderator, Barcelona)
@kalavera: I don't own a Prophet, but yes, it should be possible to CID unlock it using this tool. Olipro and the-equinoxe have patched the Wizard's G4 SPL, which should be very close to the Prophet's; they will be able to help you with the SPL patches.
6th October 2007, 03:24 AM | #7
chev (Senior Member)
Which patch is compatible with the Wizard?
6th October 2007, 03:54 AM | #8
Senior Member
Finally I could convert a Dopod C800 into a fully working Atlas. Long live POF!
6th October 2007, 05:19 AM | #9
Member
Good work Pof!! This could have saved me a bit of time custom compiling my own HaRET for the Titan Hard-SPL. I'm sure it will speed up the unlocking of many future devices!
6th October 2007, 09:36 AM | #10
zaharakis (Senior Member, khalkis/Greece)
Thanks again my friend!!

You did it again.
