Modifying firmware



Mircea Vasiliu
07-01-2002, 11:46 AM
Hi!

Is it possible to change the firmware of a 5110? Not to upgrade, but say change a byte in MCU or PPM, calculate the checksums and then write it back. Will the phone still work (presuming the byte changed didn't trash the MCU or PPM, just changed a letter for example)?

Mircea

Leandros
08-01-2002, 01:08 AM
hi

did this (modified menu texts - with an eye on length) and my mobile had no coverage afterwards :)

regards

Leandros

Leandros
08-01-2002, 01:08 AM
hi

did this (modified menu texts - with an eye on length) and my mobile had no coverage afterwards :)

regards

Leandros

Leandros
08-01-2002, 01:08 AM
twice is better than once ;)

sorry for that

Iccang
08-01-2002, 07:32 AM
I think, we can do that..

But, we must recalculate all (Eeprom, MCU, PPM, PMM --> Use NFree 1.2) and then write it back, and then we must recalculate the Flash Authority ID of that phone..

Actually, I have never done that, but I think it's not impossible to do that..

Regards,

Iccang
======

||Joe
08-01-2002, 05:10 PM
Hello!
It is possible to modify some parts of PPM (texts etc.).
I modified lots of texts and phone works fine!

You just have to check that the Flash-checksum will not be affected.
If the Flash-checksum changes, the phone can't find the network and FAID must be recalculated.

(Flash-checksum is NOT calculated from the full flash.
Only every 32. & 33. byte is used in the Flash-checksum.)

After modifying PPM area, PPM checksums must be recalculated.

Mircea Vasiliu
09-01-2002, 06:01 PM
Where can I find the exact algorithms for checksum calculation (MCU, PPM, ...)?

This 32-33 byte applies only on PPM or also for MCU? Because my main interest is the MCU.

Can you write more about your experience modifying the PPM?

||Joe
10-01-2002, 04:14 AM
Hi!
No algorithms are needed for MCU/PPM checksums, they are just normal
8-/16-/32-bit checksums. They can be calculated with a good HEX-editor.
But there is no need to calculate checksums manually, use 'NFREE 1.3 Alabaster ß-3' for calculations.

Yes, the "32.&33. byte thing" is also for MCU

Bytes used in Flash-checksum can be located like this:
-----------------------------------------------------------------------------------
[Offset 0x00] = Beginning of file (FULL-flash file)

[Offset 0x32] = First 32nd byte, for some reason this byte is not used for FLS-crc
[Offset 0x33] = First 33rd byte, for some reason this byte is not used for FLS-crc
.
[Offset 0x64] = This byte is used in flash-checksum, do not change
[Offset 0x65] = This byte is used in flash-checksum, do not change
.
[Offset 0x96] = This byte is used in flash-checksum, do not change
[Offset 0x97] = This byte is used in flash-checksum, do not change
.
.
.
And so on, until end of file...
-----------------------------------------------------------------------------------

Things I have found/modified from PPM section of flash:
- Menu texts, and all other texts used in UI
- Lengths of text-strings
- Menu graphics
- Original ringtones
- Fonts
- Original names of phone-operators (for example: Vodafone, Mobitel, D1-telecom)

Here's something I found at the end of MCU section:
- Emergency-center number [ Modifying this could be interesting ;) ]

This is the only thing I know about the MCU section.
Can you share your knowledge about MCU?
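
Added example, not part of the thread and not NFREE's code: a Python sketch of why a checksum that reads only the offsets listed in the post above (0x64, 0x65, 0x96, 0x97, ...) gives very little integrity coverage compared with a hash over the whole image. The 16-bit additive sum, the function names and the sample image are assumptions; the thread does not give the real flash-checksum algorithm.

```python
import hashlib

STRIDE = 0x32      # spacing between sampled byte pairs in the listing above
FIRST_USED = 0x64  # the pair at 0x32/0x33 is listed as not used

def sampled_offsets(size):
    """Offsets the post lists as checksum inputs: 0x64, 0x65, 0x96, 0x97, ..."""
    offsets = []
    for base in range(FIRST_USED, size, STRIDE):
        offsets.extend(o for o in (base, base + 1) if o < size)
    return offsets

def sparse_checksum(image):
    """ASSUMPTION: 16-bit additive sum; the thread does not give the algorithm."""
    return sum(image[o] for o in sampled_offsets(len(image))) & 0xFFFF

def audit(original, modified):
    """Compare two equal-length images and report what each check notices."""
    if len(original) != len(modified):
        raise ValueError("images differ in length")
    sampled = set(sampled_offsets(len(original)))
    changed = [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    return {
        "changed": changed,
        "changed_in_sampled": [o for o in changed if o in sampled],
        "sparse_detects": sparse_checksum(original) != sparse_checksum(modified),
        "sha256_detects": hashlib.sha256(original).digest()
                          != hashlib.sha256(modified).digest(),
        "coverage": len(sampled) / len(original),
    }

def flip(image, offset):
    """Return a copy of image with one bit changed at offset."""
    out = bytearray(image)
    out[offset] ^= 0x20
    return bytes(out)

# Constructed 1 KiB sample image (not real firmware).
ORIGINAL = bytes((i * 7 + 3) & 0xFF for i in range(0x400))
OUTSIDE = flip(ORIGINAL, 0x120)  # offset not in the sampled set
INSIDE = flip(ORIGINAL, 0x96)    # offset listed as checksum input

if __name__ == "__main__":
    for name, img in (("outside", OUTSIDE), ("inside", INSIDE)):
        print(name, audit(ORIGINAL, img))
```

On the constructed image the sampled set covers under 4% of the bytes, so only the whole-image hash notices the change at 0x120.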

Mircea Vasiliu
10-01-2002, 10:45 AM
Hi!
I will gladly share my knowledge of MCU, but it's very small at the present moment.
I started studying the 5110 v5.24 flash, with a disassembler and it's progressing very slowly (mainly due to the lack of time and because I couldn't find people with same interest to share this task).
I started from the Netmonitor codes as this allows me to find some memory locations, but I'm totally clueless about how the phone interacts with the buttons and the LCD. Finding the way MCU displays the messages would be a major breakthrough, but I feel I'm a long way from there. Any info on this would help. If people with similar interests read this posting maybe we can join forces and share our knowledge gained.

||Joe
13-01-2002, 06:26 PM
Hi.
I believe the LCD routines are embedded in MAD2; why waste valuable FLASH space for a routine that is similar (almost similar) in every NK phone?

Mircea Vasiliu
14-01-2002, 10:34 AM
Hi.

Then what would be the way of displaying the info? Does the phone use an address where it puts bytes and each bit is a pixel?

I guess there must be an in/out region for this. Does anyone know where it is and how it works?

And the same for button reading?