how to find functions?



hellhound
07-08-2004, 06:38 PM
Can somebody help me?
I want to know how to find functions (enable_irq, disable_irq for example) in a flash file. I am using winarm 1.63 but don't know which is which.

hellhound
07-08-2004, 06:41 PM
Forgot to tell you that I want to find functions in a 3410 flash.

NokDoc
07-08-2004, 07:48 PM
Hi,

3410-530:

Disable: 1C.B462
Enable: 1C.B47C

Found by comparing some hex combinations to what I know from 8210.

NokDoc

hellhound
08-08-2004, 12:40 PM
NokDoc, what I meant was to find all functions, not only those two. I tried to compare them with the ones in 3310 or 8210 but they are not the same.

NokDoc
08-08-2004, 01:46 PM
Hi,

Then I think I can't help.

All depends on the certain feeling U train Urself while looking at flashfiles.

Good luck.

NokDoc

hellhound
08-08-2004, 04:00 PM
Ok. Thanks.

mestrini
10-08-2004, 02:15 AM
The problem with 3410 and 2100 is that the firmware is a lot different from the other DCT3.

When looking for a known function/routine, all you had to do was look for a pattern (with the help of a mask ;) ) and it would be easy to find given the similarity of the firmwares. That doesn't happen with those two :evil:

@nokdoc
I've managed to find some functions/routines for those two models (comparing with known patterns) but got stuck with the "GET_STRING" routine :sad:

This is what I have:
patt=(B5001C0A2800D01A78012904D1173001780129FFD1011C40BD00020904090C0930017800430804000C01292EDA012233E002392E04080C011C10F7FFFF88BD00)
mask=(FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FFFFFF00FFFFFF00FFFFFFFFFFFFF000F000FFFF) (taken from nokix's locate.rx file)

All the other DCT3 have this pattern with a slight difference, but no matter what sort of combinations I try with it I can't find the routine :sad:

Can you do something, since you're very experienced in pattern finding?

Thanks

NokDoc
11-08-2004, 12:08 PM
Hi,

8210-531 = E.31A4
3410-530 = 12.2E50
2100-564 = C.004C

I got this from the function that calls this one.

3.96B2 in 8210 uses the string ':', after that it calls for the E.31A4.

I traced that in 3410, and found out that 6.4BCC uses that ':' too, and had this call to 12.2E50 as alternative.

The reason the 2100 and 3410 look different is that they use Half Dwords and the older ones use 1-byte strings (ldrH, ldrB).

Sorry, I don't have time to argue more...

Good Luck

NokDoc

mestrini
11-08-2004, 01:41 PM
Thanks for your help m8 :D

I did the same for GET_MENU_CONFIG. :lol:
Since I couldn't find the routine, I looked for another one that it jumped to in 8210. Once I got that pattern I looked for it in 3410 and BINGO, there it was (with an extra 2 bytes in the middle of the routine :evil: )

Let's hope I can get all the others needed for Nokix to work with all DCT3 :smile:


Cheers

NokDoc
11-08-2004, 03:58 PM
Hi,

But U already have that certain 'feeling' since U do a lot Urself.

Anyway, in case U might get stuck don't be scared to ask me.

But please use byte demos since I hardly know those names. ;)

Good Luck

NokDoc

mestrini
12-08-2004, 05:07 AM
Hi,

Been studying those addresses all day and still can't figure out what string ':' you talk about :-?
How do you know for sure that the chosen address is the right one, since the pattern for the routine is so different and there are other addresses that jump to E31A4? I'm not doubting, I just wanna know how to compare, because I have found other routines that look different from the old DCT3 and wish to know if I'm choosing them right.
Yeah, I know, I should study a bit of ARM to get the bigger picture :lol:

Please analyse the following routines to tell me if I did it right:
Function - GET_FONT
8210 V5.31 - 27FD48
patt=(B5F04643464C4655465EB478469346894682260148CE46804CCC69202800)
mask=(ffffffffffffffffffffffffffffffffffffffffff00ffffff00ffffffff)
To find it in 3410 I had to look for the string 'large' and then analyse the nearby patterns, so I got

3410 v530 - 28368A

Function - STRLEN
8210 V5.31 - 30CA3C
patt=(1E413101780A2A00D1FB1A084770)
mask=(FFFFFFFFFFFFFFFFFFFFFFFFFFFF)
In this case, the solution I found was to look forward two routines and then search for them in the 3410 flash :D
This is what I got...
3410 V530 - 3FA004

Thanks in advance for your guidance

NokDoc
14-08-2004, 09:05 AM
Hi,

I tried noting the steps I did.

All values are 8210, besides the ones in [].

- To start, 1. FONT:

We want 7.FD48, it's called from 3.DB8E, so we try from there.

The string 'large' is there in that area, but it's not wise to use it alone, since we have this one 25 times in a 3410.

So I looked some lines down and saw some values '02' and '42' at 3.DBA2.

42h = 66, not a very typical or logical value like FF or 01.

The possibility of the combination '34022042' together with that string 'large' is not that big anymore.

Open 3410 in winarm, press Control^F, hex search 34022042, and voila.

That will lead Us finally to the Get_Font_3410 at the BL address [8368A]

- Next, (2) STRLEN:

0000.2DD4 calls this one.

I went to the start of this function, and found 78022A0BDA01....

Along with that string '123456789*#p' and a LDR value 70 at 0000.2CF6 that hex seemed to be sufficient.

Which finally led to the 3410 BL address [1F.A004], but U already found that out.

- Last, the ':' string I told about:

8210 > 3.96C4 (32.E5A4) > 04.02F0 > ppm text id = 02F0 = ':'

3410 > 6.4BD6 [49.2275] > 04.04B7 > ppm text id = 04B7 = ':'

8210 has 1 call for the hex '0032.E5A4'

3410 has 2 calls for the hex ['0049.2275'], so U have 50% chance.

NokDoc

mestrini
15-08-2004, 04:41 AM
Thanks for the thorough explanation m8.

Took me a while, but I managed to take the steps you took and reach the same result. :-o
Never in my wildest dreams could I have got there by myself, since I didn't know we could find the ppm strings at those addresses. I browsed it once, but using hexworkshop, and the appearance was completely different, so no connection between the two times :-P

The way i see it: another day another learning :D

Thanks, until next doubt :lol:

mestrini
16-08-2004, 03:09 AM
Well, next doubt is here :lol:

I'm trying to find the 3410/2100 routine called 'MEMSET'.

8210 - 5.31
patt=x2c(1C032A00D00606090E09701933013A012A00D1FA4770)
mask=x2c(FFFFFFFFFFFFFFFFF8FFFFFFFFFFFFFFFFFFFFFFFFFF)

found at: 30C9A0

This is called from a million addresses but what most of them have in common is this hex pattern just before: 21FF220D

Looking for that in the 3410 5.30 flash I always get the same BL jump address: 3F8A1A, but I don't know if it's right.
My doubt is because the routine found at that address is so much different from the 8210 one :-?

Please confirm if i'm doing it right (even if you take another path ;) )

Thanks once again m8
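
A masked byte-pattern search of the kind the patt=/mask= pairs in this thread describe (the GET_STRING post above and the MEMSET post here), as an added example that is not code from the thread or from Nokix. It uses the STRLEN and MEMSET patterns quoted above over a constructed byte buffer standing in for a flash file, and treats a partial mask byte such as the F8 in the MEMSET mask as a bit-level compare, which is an assumption about how those masks are meant.

```python
# Masked byte-pattern search as used by the patt=/mask= pairs in this thread.
# Mask byte FF: the whole pattern byte must match; 00: any byte; a partial
# mask such as F8 or 0F compares only the bits that are set in the mask
# (assumption: that is how the F8 in the page's MEMSET mask is meant).

def parse_hex(text: str) -> bytes:
    """Accept the page's 'patt=(...)' / 'mask=x2c(...)' spellings or bare hex."""
    start = text.find("(")
    if start != -1:
        text = text[start + 1:text.rfind(")")]
    return bytes.fromhex(text.strip())

def find_masked(image: bytes, patt: bytes, mask: bytes) -> list:
    """Return every offset in image where patt matches under mask."""
    if len(patt) != len(mask):
        raise ValueError("pattern and mask lengths differ")
    n = len(patt)
    hits = []
    for off in range(len(image) - n + 1):
        window = image[off:off + n]
        if all((w & m) == (p & m) for w, p, m in zip(window, patt, mask)):
            hits.append(off)
    return hits

# Patterns quoted in the thread for 8210 5.31: STRLEN (full mask) and MEMSET
# (one partially masked byte, index 8, mask F8).
STRLEN_PATT = parse_hex("patt=(1E413101780A2A00D1FB1A084770)")
STRLEN_MASK = parse_hex("mask=(FFFFFFFFFFFFFFFFFFFFFFFFFFFF)")
MEMSET_PATT = parse_hex("patt=x2c(1C032A00D00606090E09701933013A012A00D1FA4770)")
MEMSET_MASK = parse_hex("mask=x2c(FFFFFFFFFFFFFFFFF8FFFFFFFFFFFFFFFFFFFFFFFFFF)")

def build_sample_image() -> bytes:
    """Constructed stand-in for a flash file (not a real firmware dump):
    padding, the STRLEN bytes, padding, then a MEMSET variant whose masked
    byte differs from the pattern only in the low 3 bits (0x0E -> 0x0D)."""
    variant = bytearray(MEMSET_PATT)
    variant[8] = (variant[8] & 0xF8) | 0x05   # still matches under mask F8
    return b"\x00" * 16 + STRLEN_PATT + b"\xff" * 8 + bytes(variant) + b"\x00" * 4

def locate_all(image: bytes) -> dict:
    """Run both searches and report the offsets found, by routine name."""
    return {
        "STRLEN": find_masked(image, STRLEN_PATT, STRLEN_MASK),
        "MEMSET": find_masked(image, MEMSET_PATT, MEMSET_MASK),
    }

if __name__ == "__main__":
    for name, offs in locate_all(build_sample_image()).items():
        print(name, [f"{o:06X}" for o in offs])
```

With a full FF mask the MEMSET variant would not be found at all, which is exactly why the mask byte is F8 in the thread's pattern.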

NokDoc
18-08-2004, 05:56 PM
Hi,

Sorry I'm late, but due to these server problems I missed it.

I just did a quick check on the places that call that memset function.

For 90% I agree [1F8A1A] is the most logical, since some known calls lead to there.

But a visual check at the function itself confuses me just as much as U.

Maybe if I make more time to study what the function does exactly, I can be sure.

U have a 3410, maybe U can make a test patch and just assume we both are right on that [1F8A1A].

If this test patching doesn't work, we will have to redo this one then.

Ok?

NokDoc

mestrini
19-08-2004, 02:07 AM
:sad: I do not have a 3410.

All this is being done just with some flash files and winarm :lol:

Maybe I'll get a faulty one so that I can try the test patches...

Thanks, and stick around 'cause I have one or two more doubts on the way.

mestrini
25-08-2004, 02:48 AM
@Nokdoc

Ok m8,

I have some new routines for you to advise :)

First is MEMCPY with the following patt/mask:
patt=(B5101C03430B4313085C)
mask=(FFFFFFFFFFFFFFFFFFFF)

8210 5.31 -> 30BC58

20222C calls that function and some lines above we see the string #00006f60. Traced that in 3410 v5.30 and got 2194F8 that jumps to 3F7412.

Did I hit the target?

Another routine that got me puzzled is the DRAW_BITMAP with the following patt/mask:
patt=(B5F04641464A4653465CB41EB08946802800D100E0B248E9)
mask=(FFFFFFFFFFFFFFFFFFFFFFFFFFF0FF0FFFFFFFFFFF004800)

8210 v5.31 -> 27F3B6

27F75E calls this routine (16) and some lines below I found the string #00006d37. Traced it in 3410 v5.30 and got 282FE6. Looking some lines up I see the BL jumping to 2823CC (routine 17). I know the routines look a bit different, but after that BL there's an LDR and in both firmwares they end in the same LSL :confused:

What do you say?

Thanks in advance :-D

cheers

NokDoc
25-08-2004, 03:38 PM
Hi,

The 1st is correct:
30BC58 => CopyBytes 8210
3F7412 => CopyBytes 3410

The other I will do later, while I now see I was looking at the wrong one. :)

But in case U like this one too:

27FA70 => DrawLine 8210
28341C => DrawLine 3410

NokDoc

mestrini
26-08-2004, 12:23 AM
...

But in case U like this one too:

27FA70 => DrawLine 8210
28341C => DrawLine 3410

NokDoc


Yep :),

Got those values also.
In fact I've found over 40 routines for 3410/2100. In one case I've even used NokDoc's search-for-text-strings trick ;). But I will be back whenever a doubt comes up.

thanks for the help once again m8

cheers

NokDoc
26-08-2004, 07:08 PM
Mr. Mestrini,

Draw Bitmap is at 82D02 in 3410.

I used the battery/ network bars logos structure, U can even find them visually in winarm.

I used the addresses 00323cc0 for 8210 and [004668fc] in 3410 from which I know a DrawBitMap function is being called after loading.

In 8210 that led me to the area [7f6de...7f714]

In 3410 to 83920...83958

Looking at these areas it was not quite hard to find this 7f3b6 equivalent.

NokDoc

mestrini
26-08-2004, 10:04 PM
I ask you to be a bit clearer or to check the addresses you posted, because I couldn't follow your ways.

Are we talking about 8210 v5.31 and 3410 v5.30?

Kontact
28-08-2004, 02:04 AM
Hi,

Reading NokDoc's posts also gives me some headaches... especially when he starts posting about hex...

Just re-read his post and eventually u will understand it more ;-)

regards

joci2000
05-09-2004, 03:47 PM
Hi,
could somebody tell me where I could find the function W_GET_STRING on 3330 4.50?

mestrini
05-09-2004, 05:05 PM
Hi m8,

See the .txt attached, which is a dump of a 3330 v450 flash from a script written by me to find most of the functions needed by Nokix or genolite (I said most because I haven't finished tracing the nokix scripts).

enjoy :grin:

joci2000
07-09-2004, 06:48 PM
Thanks for your answer :wink:


And could you tell me the same function for 3350 5.30?

mestrini
07-09-2004, 07:57 PM
Get the file attached, but note that, since it's a flash that I usually do not work with, some functions were not found. I have to check it... some day :razz:

enjoy

joci2000
09-09-2004, 10:09 AM
thank you very much :-)

hellhound
09-09-2004, 06:15 PM
I have modified the call duration gsc and nrx to work with 3410, but the call duration doesn't appear on the phone's screen. Can someone tell me what I did wrong? The script is only for the 3410 5.30 version.

mestrini
10-09-2004, 12:22 AM
hey m8,

Haven't seen your nrx yet, but can you edit your post and attach the file in my other thread "3410 tester needed" so that we don't mix subjects here?

thanks

joci2000
11-09-2004, 06:33 PM
Hi all,

I modified the w_get_string function a little:

(B5301C042C00D00F78202804D00E2A00D00A4DA31C20F0ACFA990400)
(FFFFFFF00FF000F0000000000F00000F00F0000000000000F0000000)

and now it is working for 3330 & 3350 also.

hellhound
24-09-2004, 01:25 PM
Hi,
can someone help me find the refresh zones in a 3410 flash? I tried to use "nokz0ne" and "flsedit 0.5" but these programs only show the zones and not the refresh zones like in a 3310 flash.

NokDoc
24-09-2004, 05:18 PM
Hi,

I couldn't find that in 3410.

Possibly it doesn't exist there, and it uses values from the other for refresh.

NokDoc