"Hello,

It is easy to change SMS Alert tones on some DCT3 phones like
5110s, 6150... but almost impossible for other DCT3 phones like
8850-5.30, 8210-5.30, etc...

Why? Because of MCU security. The SMS Alert tones are stored
in the MCU for some DCT3 phones unlike the Rongtones which
are stored in the PPM for ALL nokia.

For 51xx, 61xx it is still in the MCU, but you can change it
easily provided that you must make sure that the checksum
remains the same!

For example:
6130-5.61

Use HEX Editor and search for string "8005020A01"
(Thanks to ICEDRAGON for initial findings )

Now you see Message Alert to for "Special" below:

1 - 5A0C 400C
2 - 5A0C 400C 0AFE
3 - 5A0C 4025 0A01
4 - 5A25 400C
5 - 5A25 4025 0AFE
6 - 5A0C 400C
7 - 5A0C 400C
8 - 5A0C 0A7F

407D 060B C000 02FD 0A

The actual Alert Tones are the first 8 lines above... the last line
is not included in the tone generation... I think it is only used for
how the tone will sound and whether or not is will repeat itself.

5A0C ---> 5A is the Tone, 0C is the Length....
400C ---> 40 is a pause, 0C is the Length....
0AFE ---> I think this is a VIBRA call, although I am not sure
0A01 ---> Another Vibra call?
0A7F ---> Yet still another Vibra call?



But I guess you are not really interested to know what they really
mean, but CAN WE CHANGE THEM??? Off course here are a
few sample below:


Who Let the Dogs Out?
1 - 5A2A 400C
2 - 5A0C 400C 0AFE
3 - 5A0C 400C 0A01
4 - 5A2A 400C
5 - 5A2A 4025 0AFE
6 - 0A4D 400C
7 - 0A5C 400C
8 - 0A5C 0A7F


Notice that I managed to keep the checksum the same by adding
the same number of bytes subtracted to another byte.

A good IDEA would be to manipulate the code above to generate
other MORSE CODE letters (Because all nokia tones are Morse
codes if you haven't noticed that

Standard Tone --> Morse Code "M M"
Special Tone --> Morse Code "S M S"
Ascending Tone --> Morse Code "Connecting People"
Beep Once --> Morse Code "I Love GSMCITY Forum"


Ok, for lesson number two, try to create morse code letters like
the example below:

Morse Code 'F'
5A0C 400C
5A0C 400C 0AFE
5A25 400C 0A01
5A0C 400C
0A5C 4075 0AFE
0A25 405C
0A25 400C
0A5C 0A7F

By the way, you do not need to recalculte FAID when updating
ALert tones on supported phones. Just think of it as if you are
unlocking your phone via partial Flashing method.

Here is an example on how to keep the Checksums the same...

If you want a longer tone duration, you must make 5A length
longer... for example 5A0C ----> 5A5C! This is a longer tone,
but notice that we added 50 to 0C to make it 5C... Now you have
to remove 50 from somewhere so you will not alter the
checksums! For exmample, remove 50 from 405C, you will
result to 400C! Now checksum is not altered.

I guess in newer MCUs, they implement better CRC because you
can not change alert tones even if you do not change checksums!
That is why, single PARTIAL unlocking also does not work!

Good Luck!

Please dont ask me If you can make Ringtones into alert tones
because I did not try this yet

Best Regards,
X-Shadow"

This topic is posted by X-shadow in gsmcity forum......
So please x-shadow,if u read this ,dont be angry.......maybe MEHDI can make usefull soft with your info.......
REgards to all....especially mehdi with his usefull soft.......

One thing you dont know that mcu can be edited and chksum can be calculed

How?
Let flashanalyser calc new chmsum for mcu.

On 00022 and FFFsomething(with ff and 00 around) address have mcu chksums And flashanalyser doesnt know that fff address has also mcu chksum stored.
So if you change only first chksum.last one still remains wrong.
So replace on both addresses with new mcu chmsum.

Brought to you by nokiaguru.gsmsearch.com

1cffa is another mcu address location.

Here some locations:
136355 keyboard locked/general warning
1363e9 normal beep
1363b5 long tone
136405 short beep(may be same with accenting)
1364e1 power off/on tone..

Tone start allmost same ways as ringtones(02fc) and
message/alert tones 02fd. Dont know yet what is difference between them.

0bc0 maybe end of tone.

Have phun.

Hi Nokiaguru!

Let us know which SW you use for analyzing.
Which reassemler do you use?
I'm curious how did u find these locations /n/images/smiles/icon_smile.gif

Doc

Hi Ringers.

I tried to do conversion to rttl long time ago.
I remeber to get stuck somewhere but since U have interrest here's what I got.
I myself don't think it's nessecary to do conversion anymore, built a Direct player/editor in this format, it's very simple language.

Further:
Vibra has nothing to do with Vibrato, Appreggio and other Frequency Modulated tone generation aspects.
Find info on FM synthese if serious willing to create player/editor.

Faid calc can be needed sometimes!
Calc also uses MCU area data, 2 bytes per each 32.
It's a 1/16 change it won't succeed then.

Good Luck.

NokDoc

I did that on 8210 5.30.
I noticed that nokiaflash tool fixes mcu chksums and only faid is needed to calc if mcu is changed.

I stutied ringtones and they guite same based.

As i said before 02fc or +02fd is start of tone.
Ringtone or smsalert or general tones.

By the way, simple testing trick:

Use logomanager to insert a rttl ringtone inside the outbox, ready for sending.

Reread the sms out box with gNokii/ PDU AT+ command or sms manager proggy.

The bytes you'll obtain are the converted RTTL's and exact the same format as in the PPM.

So logomanager does do conversion for U.

Good Luck

NokDoc

I dont have disassembler.
All i do is old fashion cutn-paste operations.

I have tested for that week ago.

I belive even if i store message on phones memory its still nbs format.

That what i have done is i used logomanager to put mid files to phone as ringtones and then extracted from memory and put them on ppm file.
As you can see phonetone file at my page.