Recent content by Bph&co

Hi, Thanks for the fast response! No rush really. I only need the Compass app and fitness features. All else is off to save battery. BR

Hi guys, Does anyone have a copy of the actual rooting guide ? First post links to some 'under construction' image. Thanks!

Oh i see, that is why will not show as disk,but a folder in Temp directory

Great job! Thanks for sharing. But how do you unmount ? Just closing the folder ?

Hi, You need to make sure the phone is in Normal Mode and detected by NSS, so product type/imei etc could be read and checked before rebooting to OSBL mode and doing the restore process. BR

Hi, I stopped work on this as there was no interest apparently, while i had time to do it. Maybe in few months time i will have a look. To dump you need JTAG i believe. BR

Hi, The 800 will also require very precise and somehow risky cut on the shielding to get good access to the TP locations. Maybe there is a better way via IR station and full removal of the shield, but i have no idea how to do that. Also i don't offer such service, maybe for a bottle of Jack...

Hi, In theory the ELF file contains all needed info. In case not - use ARM little endian. BR

Hi, If the 900 baseband soft is anything like the 710/800, then you need to dump the image somehow, drag to IDA and look for the AT processor task. There is a huge handler table with at command string + ptr to C handler for each entry. The main problem is that IDA will not automatically parse...

Hi, I guess 1-bit MMC = SDIO, sorry my bad. The phone for sure switches to wider bus after initial boot sequence, i haven't reversed this part, not sure where it is, probably the bootrom. But during this initial chip inquiry is the golden opportunity to take control and off course hats off to...

Hi, I am still yet to see somebody implement off power read/write of the eMMC chip. ATF manages with so many wires by the fact that the chip is still wired to the CPU and all control signals are handled correct. If you watch the protocol on screen you will see that ATF FGPA asserts low's and...

My trial finished, so i had to sent back the phone. Anyway, it more or less clear now. A friend promised to send me full dump, so will do some IDA work to see if anything is possible. BR

Another update, after last nights fiasco, it seems the 920 employs the good old BB5 SL3 simlock, probably with 20 digits codes only. The lame Qcom NV file system with 8 digit codes is just left there unused. So the codes read via simple json call are not working, do not enter them, it will...

Ok, the valid WinUsb class to talk to the json handler in the NSC app is: // WP8 driver class DEFINE_GUID(GUID_CLASS_NOKIA_WIN_DRIVER_WP8, 0x7EAFF726,0x34CC,0x4204,0xB0, 0x9D, 0xF9, 0x54, 0x71, 0xB8, 0x73, 0xCF); Pipe 7 seems to be the output, pipe 6 the input, but JSON protocol seems to be...

So seems Nokia coders had some time and decided to return to old FBUS protocol format for the test mode application: 1B 00 10 35 00 0E 00 00 7F A0 00 01 00 08 01 00 88 00 00 00 1B 10 00 35 00 4E 00 00 7F A1 00 01 00 07 00 48 00 88 00 04 02 00 00 00 08 34 01 2E 4E 54 43 20 72 65 73 69...