• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[release] JumpSPL v1.0, or how-to CID unlock ANY device!

Search This thread

pof

Retired Moderator
Mar 18, 2005
3,571
72
40
Barcelona
pof.eslack.org
JumpSPL is a WinCE application that allows to place a custom file on device's RAM memory and execute the arbitrary code contained on it by jumping into its physical memory address.

This method is tipically used to load a patched bootloader in RAM and execute it, so with JumpSPL you can potentially bypass any bootloader protections put by the manufacturer on a Windows Mobile based device, but you have to patch the bootloader yourself.

I'll be updating comment #2 with links to patched SPLs and future projects using JumpSPL, if you use JumpSPL in your project please post a comment or PM me.

JumpSPL should work on any WinCE device (not necessarily manufactured by HTC), although I have only tested it on HTC devices.

For more details and usage instructions please see the included README file.

DONATIONS:


Your donations are a strong incentive to continue research on new devices, if you find JumpSPL useful please cosider making a PayPal donation. Any donation amount is greatly appreciated :)
 

Attachments

  • JumpSPLv1.zip
    8.7 KB · Views: 20,704
Last edited:

pof

Retired Moderator
Mar 18, 2005
3,571
72
40
Barcelona
pof.eslack.org
Patched SPLs

Notes on patching & testing custom SPLs:
  • Disassemble the SPL using radare (free) or IDA Pro (commercial).
  • You need to press the bootloader buttons after loading your custom SPL with JumpSPL, otherwise device will reboot. You can also patch the SPL to enter bootloader mode automatically, so you don't have to press the buttons.
  • Some devices require that you unplug and re-plug the USB cable after the SPL has been loaded.
  • On some devices (TI OMAP) you'll see a white screen instead of the usual tri-color screen, don't worry about that, you're in bootloader mode.
  • Use patched SPLs with caution, try to flash splash screens to do the initial tests and avoid bricking your device.
  • To know the jump address you can use itsutils 'pmemdump -p' and try to find a copy of the SPL in memory. You can find the virtual address with dumpromx.exe.

Projects using JumpSPL:

Attached SPL patches:
  • Kaiser Jump address is 0x00000000
  • Artemis & Herald Jump address is 0x10000000
 

Attachments

  • herald_JumpSPL_pof_v1.zip
    222.5 KB · Views: 2,660
  • artemis_jumpSPL_pof_v1.zip
    213.8 KB · Views: 2,263
  • kaiser_JumpSPL_pof_v1.zip
    101.1 KB · Views: 5,077
Last edited:
  • Like
Reactions: mg102670

pof

Retired Moderator
Mar 18, 2005
3,571
72
40
Barcelona
pof.eslack.org
@kalavera: I don't own a Prophet, but yes should be possible to CID unlock it using this tool. Olipro and the-equinoxe have patched the Wizard's G4 SPL, which should be very close to prophet's, they will be able to help you with the SPL patches.
 

ImCoKeMaN

Senior Member
Jan 8, 2007
213
54
Good work Pof!! This could have saved me a bit of time custom compiling my own HaRET for the Titan Hard-SPL. I'm sure it will speed up the unlocking of many future devices!
 

pof

Retired Moderator
Mar 18, 2005
3,571
72
40
Barcelona
pof.eslack.org
What its adress to Htc Oxygen? Thanx
It's an OMAP device, so I guess the address will be also 0x10000000.

How about ATOM PURE, can i use this safely for CID unlock then i can use now sharkindark pagepool changer?
You need to patch a bootloader first, and find the jump address.

which I can modify with jumpspl in herald?
You can modify any rom part once you can flash unsigned code, but as you say be careful with IPL & SPL. Also try to not screw the OS part if you don't have a ROM matching your CID, otherwise you'll be stuck in bootloader.
 

yangchao8115

Member
Aug 10, 2007
27
0
You can modify any rom part once you can flash unsigned code, but as you say be careful with IPL & SPL. Also try to not screw the OS part if you don't have a ROM matching your CID, otherwise you'll be stuck in bootloader.

yes,but there no tool for herald to edit splash and extend rom.....

and one of my friend bricked with a radio upgraded
 

jiggs

Senior Member
Jan 27, 2006
953
4
Hi Pof,

We have a Quanta manufactured device. a.k.a. Atom / Atom Pure / Atom Exec / Atom Life. CID can easily be bypassed in our devices by simply upgrading it in bootloader mode OR do SD CARD flashing. Our problem really pertains to RAPI tools than to upgrade our device with any ROM.

We really don't know if CID is the cause for RAPI tools not to work. The only working tool is to PDOCREAD the device and see its memory layout.

Hope you could shed some light as to how we can patch the bootloader to CID unlock. My knowledge for ARM assembly is very limited...

Thanks,
Jiggs
 
Last edited:

exxi

Senior Member
Apr 26, 2006
639
86
Okay, I am willing to pay CASH for this if it is what i think it is..

my XDA Terra (Herald) is bricked because I tried to flash it from Touch-It 1.1 to Touch it 2.0. Now, I need the RUU of the XDA Terra which is branded by the provider O2. O2 however does not provide any ROM yet so I am stuck in the united states with a bricked GErman phone I cant even send it in.

Can this jump SPL help me somehow??

please, I will be eternally thankful !!!!
 

pof

Retired Moderator
Mar 18, 2005
3,571
72
40
Barcelona
pof.eslack.org
yes,but there no tool for herald to edit splash and extend rom.....
Use the same tools as in Artemis or Elf, splash format is exactly the same, and ExtROM format too, you can edit it with winimage.

On a (somewhat) related note, would the admins protest if I released a (multi-device) IMEI changing util?
I don't think they will protest as long as HTC (or any operator) protests. But make it clear to the end-user to consult local laws before attempting to use your tool, and make sure to put a disclaimer to exempt you of any responsibilities for illegal use of the tool.

CID can easily be bypassed in our devices by simply upgrading it in bootloader mode OR do SD CARD flashing. Our problem really pertains to RAPI tools than to upgrade our device with any ROM.

We really don't know if CID is the cause for RAPI tools not to work. The only working tool is to PDOCREAD the device and see its memory layout.

Hope you could shed some light as to how we can patch the bootloader to CID unlock. My knowledge for ARM assembly is very limited...
Sorry but my knowledge of Atom and Quanta devices is very limited too.
If you want some help, please send me a quanta bootloader and tell me the exact message you get from bootloader (not from RUU) when you try to flash an Atom ROM not intended for your device (ie: not matching your CID, or language...).

Can this jump SPL help me somehow??
JumpSPL is a WinCE application, it won't help if you can't boot OS.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Patched SPLs

    Notes on patching & testing custom SPLs:
    • Disassemble the SPL using radare (free) or IDA Pro (commercial).
    • You need to press the bootloader buttons after loading your custom SPL with JumpSPL, otherwise device will reboot. You can also patch the SPL to enter bootloader mode automatically, so you don't have to press the buttons.
    • Some devices require that you unplug and re-plug the USB cable after the SPL has been loaded.
    • On some devices (TI OMAP) you'll see a white screen instead of the usual tri-color screen, don't worry about that, you're in bootloader mode.
    • Use patched SPLs with caution, try to flash splash screens to do the initial tests and avoid bricking your device.
    • To know the jump address you can use itsutils 'pmemdump -p' and try to find a copy of the SPL in memory. You can find the virtual address with dumpromx.exe.

    Projects using JumpSPL:

    Attached SPL patches:
    • Kaiser Jump address is 0x00000000
    • Artemis & Herald Jump address is 0x10000000