Posts Tagged ‘hack’

CatEye TL-LD130 to TL-LD150

February 24, 2009 1 comment

Whilst replacing some dead batteries in my bicycle light, I noticed that the circuit board was slightly under populated, it had three LEDs rather than the five you might expect judging by the two interstitial gaps.

I placed a quick order to RS for what I hoped would be some similar LEDs to solder in place. I picked some 5mm clear ones with luminous intensity of  5500mcd and a view angle of 30degrees.

The next morning I received a quantity of five :

RS Stock No. 4966156 – HLMP-ED31-SV000 Red 30deg LED

Disassembling the CatEye TL-LD130 is childs play, and the soldering is also simple and easy (be quick as too much heat will damage the LED reducing it’s brightness). Seen below is the first LED having been soldered in place.

Note there’s nothing for C2, R2, or Q1. I can only guess what they’re for as I didn’t choose to experiment with attaching SMD caps or resistors to them.

And here’s the not-very-exciting final product (effectively a CatEye TL-LD150), which works beautifully!

If you’re thinking of doing the same (the LEDs cost exactly £2 delivered), then you may choose to use LEDs with a smaller view angle than 30 degrees, I think the originals probably have a 15 degree view angle.

Of course this modification also reduces the hours of runtime for the light, from about 150hours to about 90hours depending on the output mode you use.

Also a warning that you’ll need to be as brief as possible whilst soldering them as too much heat will dramatically and permanently reduce the light output of the LEDs.

Tags: ,

Sony DCM-F717 repair

January 26, 2009 1 comment

One SMT fuse (F404) blown on the BT-015 board.

Though bridging the fuse corrected the problem, the CCD has failed in line with the known issue of which Sony have offered free repair :

Sony repair reference #232633144.

I have the following, please comment if they’re helpful to you :

Service Manual – Sony DSC-F717 Adjustments

Service Manual – Sony DSC-F717 L2

Service Manual – Sony DSC-F717 L3

Tags: ,

IR Upgrade on Treo 680

November 26, 2008 Leave a comment

Exchanged two SMD resistors near IR module (the 33Ω and the 10Ω) for smaller values increasing current from 77mA to 150mA.

I’ve yet to perform conclusive tests to see if IR range has increased much, but the initial feeling is that it hasn’t.

There is scope to further increase the current, but until I’ve tested this first modifications effects I won’t know whether that would be worth it.

Tags: , ,

Treo SMS receipts (solved)

March 16, 2008 Leave a comment

Treo SMS receipts are a missing option from the 2.12 ROW ROM when using T-Mobile.
I’d like the option of having them but here’s why we don’t get to :

a) nexter.prc calls CarrierCustomisation.lib to get the options list.
(PmCarrierCustomisation.prc) CarrierCustomisation.prc lives in ROM, on a even a soft-reset it extracts and overwrites any existing CarrierProfiles2 (CarrierDB ver 561 in the case of the 2.12ROW) and NetworkProfiles2 from itself. These two files then live in RAM.
CarrierProfiles2 stores settings keyed on MNC,MCC pairs :
234,10 = O2
234,15 = Vodafone
234,30 = T-Mobile
234,31 = T-Mobile (also)
234,33 = Orange
The options follow as a comma separated list. For CarrierDB ver 561, T-Mobiles entries are as follows :

234,30,1,,>j,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,?bgl,?bgl,,0,:gkg,:gkg,,0,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_
234,31,1,,8c,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,8bde,8bde,,0,,,,,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,9$%(@DC4tplw<3t?E$,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_

d) One of the comma separated options above is spoiling our fun. But which one ?
Based on the fact we know field 19 is very probably ““, we’re looking at an encrypted string. It’s not an XOR, and though I know it’s a substitution cipher it’s not a straightforward one as different characters are being encoded to the same crypt-character.
This may not matter though as we could just take the CarrierProfiles2 file from a CarrierDB where SMS-Receipts are enabled for T-Mobile and compare and replace the values.
There are 72 values, though many are empty, a comparison of working CarrierDBs should reveal what field contains our grail.
Comparison of CarrierDB 292 and 561 shows fields 21, 64 and 72 are different.
Comparison of CarrierDB 292 and 549 shows fields 21, 64 and 72 are different.
234,30 and 234,31 are resource indexes 41 and 42 in CarrierProfiles2.
Modifying values in CarrierProfiles2.pdb makes no difference, perhaps they are cached on boot somewhere ?
Solution : Copy working CarrierCustomisation.prc version 549 into RAM, it survives resets and will extract a good CarrierProfiles2 into RAM. Use Resco Explorer or similar to copy from SD Card to RAM, Filez will not work properly.
Now that the RAM copy will extract a version of CarrierProfiles2 after each reset, we can edit the MNC/MCC keyed lists in it and see if there are other useful things we can enable.

Interesting links :
CarrierCustomization.prc containing CarrierProfiles2 version 549.

Tags: , ,

Treo 680 ROM hacking 3

December 16, 2007 Leave a comment

The new 2.11 AT&T ROM release has prompted me to take a look behind the scenes of the romupdater.prc and I’ve discovered a few interesting new things beyond the commands we knew already :

? / help (lists the very few commands we knew before)
low <directory> (Flash LowRider IPL,SPL,TPL and OS. From RAM or SD directory)
list (lists the ROM images)
lt (list ROM tokens)
->prnm – Product name (TREO680)
->hser – HotSync/Handspring serial number (PMGG0BCxxxxx)
->hwvr – H/W version (A)
->Gime – IMEI *beware the Mobile Phones (Reprogramming) Act 2002*
->BTid – Bluetooth ID
->crnm – Carrier name (ROW)
->revn – ROM revision (2.11)
->gmfl – GM flag (GM)
->CleS – Cameraless ID
->Skip – Skip camera ID
->KBlo – Keyboard localization
->TScb – Screen calibration
->GoUc – Network Unlock PIN
->GpUc – Operator Unlock PIN
->Gvlt – GSM voice life timer (240)
->???? – GSM data life timer
->???? – Warranty date code
->HTCM – ?no idea? (FC6B07E…)
->HRST – ?no idea?
->Nohr – ?no idea?
dt <token> (delete ROM token)
wt <token> <value> (write ROM token)
su (superuser mode)
superuser mode enabled
duinit (Device Updater modifies carrier settings?)
DuLibInitialize returned: 0x0000
rev [list] (Show hardware revision or list all IPL files)
Board ID: LOW
HW Rev: cvt
reset (Soft reset)
listcards (Lists the SD cards available)
Vol: 0x0002  Attr: 0x00000001
updatebinfs (Requires superuser mode)
updateipl <low-ipl-cvt.pdb> (Requires superuser mode)
Using low-ipl-cvt.pdb
Updating the IPL…
Updating from SD card… Comparing image with flash…
Diff at offset 0x00000000
From File:
18, F0, 9F, E5, 18, F0, 9F, E5
From Flash:
6C, 6F, 77, 2D, 69, 70, 6C, 2D
Flashing section…Done!
Verifying section…Done!
updatespl (Requires superuser mode)
updatetpl <dir index> <filename> (Requires superuser mode)
format [ace|angus|low] <force> (?)
lowsize (?)
Low MaxOS Size: 0x2100000
Low BinFS Size: 0x02400000
Checking os file size (/ROM/ …
OS size on SD: 0x00849D91
MaxOS >= 0x00849E00
>> You can flash your device
pmhreset (?)
hreset (*Hard reset*, requires superuser mode)
fboot (?)
Fastboot mode enabled…
check [ace|angus|brahma] (No LOW option)
cleartokens (Clear ROM tokens)
verifyp (ERROR!)
verifyb (?)
low-ipl- (?)
aceroff (?)
angusroff (?)
hdread (?, brahma-only)
hdfill (?, brahma-only)
norread (?, resets device)
norfill (?)
smallrom <filename> (?)
No file specified. Assuming /ROM/Brahma_Release_EVT1_efgs.smallrom
Smallrom updated unsuccessfully.

What do dvt,evt,p1,p2 refer to?
M-Systems EVT3 = ?
M-Systems Ace/Camino = EVT2 = Treo650 / Treo680?
M-Systems Angus = T5?

lt and wt are useful for avoiding the official ROM update version checks as we can modify both carrier name (ROW/CNG,ROG,etc) and revision number (1.09/2.11,etc)

Tags: , ,

Palm to add A2DP support ?

December 15, 2007 Leave a comment

The hidden preferences page is already present in the latest updated ROM images for AT&T.

Tags: , ,

Holux GPSlim236 boot mode

June 18, 2007 Leave a comment

Should the urge grab you to play with firmware on these SiRFStarIII handheld GPS units, you will undoubtedly discover there is a boot mode one must enable before the 4Mbit flash chip can be read from or written to using SiRFflash.

Whilst we can send message 148 (0x94) to it from SiRFdemo to enable this mode, it’s handy to know one can also short the highlighted pads above (two gold pads enclosed in the white square border just above the label ‘C48’) whilst turning the unit on to achieve the same thing.

“PSRF100,0,38400,8,1,0” is the NMEA sentence to enable SiRF mode.
“94” is the SiRF binary code to enable boot mode.

As long as we always communicate at 38400 baud, it is perfectly possible to flash the firmware over bluetooth, and as you now know the location of the boot mode enabling pads, you can easily recover from a bad flash (eg. trying to push updated SiRF firmwares from other products onto it to enable proper SBAS support).

To put the GPSlim236 into boot mode, you’ll need : (thanks Antineutrino!)

Then to read or write the firmware to the GPSlim236, you’ll need : (thanks Antineutrino!)

Here is a backup of my old Holux V5 firmware (binary, not Motorola format):
GSW3.1.1_3.1.00.07-C23B1.00.bin (From SiRFflash, 0x00 to 0x79999)

And here is the Holux V6 firmware (binary, not Motorola format):
GSW3.2.2_3.1.00.12-SDK003P1.bin (kindly extracted by ‘brio2001’ from

And here is the Holux V7 ? firmware (binary, not Motorola format):
GSW3.2.4_3.1.00.12-SDK003P1.00a.bin (kindly extracted by ‘tsp’ from

Note the V6 firmware supposedly has better support for SBAS based DGPS, which is EGNOS for those of us in Europe. Just have to wait until September when the three birds begin transmitting non-test correction data.

Note the V7 firmware is extracted from a rev.C board and may cause problems if you flash it to a rev.B board, though at least one user has successfully done so.

Tags: , ,