Posts Tagged ‘treo680’

IR Upgrade on Treo 680

November 26, 2008

Exchanged two SMD resistors near the IR module (the 33Ω and the 10Ω) for smaller values, increasing the current from 77mA to 150mA.

I’ve yet to perform conclusive tests to see if IR range has increased much, but the initial feeling is that it hasn’t.

There is scope to further increase the current, but until I’ve tested this first modification’s effects I won’t know whether that would be worth it.


Treo SMS receipts (solved)

March 16, 2008

Treo SMS receipts are a missing option from the 2.12 ROW ROM when using T-Mobile.
I’d like the option of having them but here’s why we don’t get to :

a) nexter.prc calls CarrierCustomisation.lib to get the options list.
(PmCarrierCustomisation.prc) CarrierCustomisation.prc lives in ROM; on even a soft-reset it extracts and overwrites any existing CarrierProfiles2 (CarrierDB ver 561 in the case of the 2.12ROW) and NetworkProfiles2 from itself. These two files then live in RAM.
CarrierProfiles2 stores settings keyed on MNC,MCC pairs :
234,10 = O2
234,15 = Vodafone
234,30 = T-Mobile
234,31 = T-Mobile (also)
234,33 = Orange
The options follow as a comma-separated list. For CarrierDB ver 561, T-Mobile’s entries are as follows :

234,30,1,,>j,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,?bgl,?bgl,,0,:gkg,:gkg,,0,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_
234,31,1,,8c,,,,,,,,,,,,,,,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,8bde,8bde,,0,,,,,,,,,,,,,,,,,,,,,0,0,0,=ke,=hj,0,,,3a`,5b,9$%(@DC4tplw<3t?E$,,8#z^smws'uB,1,0,4emg`gib`cb_^aa,l ~(Li^>|$x3DC< smws53t?E$Grh`b,<kba,3a`,,,3a`,5b,1,0,O_

d) One of the comma separated options above is spoiling our fun. But which one ?
Based on the fact we know field 19 is very probably ““, we’re looking at an encrypted string. It’s not an XOR, and though I know it’s a substitution cipher it’s not a straightforward one as different characters are being encoded to the same crypt-character.
This may not matter though as we could just take the CarrierProfiles2 file from a CarrierDB where SMS-Receipts are enabled for T-Mobile and compare and replace the values.
There are 72 values, though many are empty; a comparison of working CarrierDBs should reveal which field contains our grail.
Comparison of CarrierDB 292 and 561 shows fields 21, 64 and 72 are different.
Comparison of CarrierDB 292 and 549 shows fields 21, 64 and 72 are different.
234,30 and 234,31 are resource indexes 41 and 42 in CarrierProfiles2.
Modifying values in CarrierProfiles2.pdb makes no difference, perhaps they are cached on boot somewhere ?
Solution : Copy a working CarrierCustomisation.prc (version 549) into RAM; it survives resets and will extract a good CarrierProfiles2 into RAM. Use Resco Explorer or similar to copy from SD card to RAM; Filez will not work properly.
Now that the RAM copy will extract a version of CarrierProfiles2 after each reset, we can edit the MNC/MCC keyed lists in it and see if there are other useful things we can enable.
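
The field comparison described above, as an added example (not code from the original post): it parses two CarrierProfiles2 dumps as comma-separated records and reports which field numbers differ for each key. The sample records are constructed, field numbers are assumed to count from 1 starting at the first value, and no value is assumed to contain a literal comma.

```python
def parse_profiles(text):
    """Map (value 1, value 2) -> list of every comma-separated value."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")  # assumes no value holds a literal comma
        if len(values) < 3:
            raise ValueError(f"not a carrier record: {line!r}")
        profiles[(values[0], values[1])] = values
    return profiles


def diff_record(old, new):
    """Return [(field_no, old_value, new_value)], field numbers 1-based."""
    # Pad the shorter record so extra trailing fields are reported, not dropped.
    width = max(len(old), len(new))
    old = old + [None] * (width - len(old))
    new = new + [None] * (width - len(new))
    return [(n, a, b) for n, (a, b) in enumerate(zip(old, new), 1) if a != b]


def diff_profiles(old_text, new_text):
    """Diff every key present in both dumps; keys with no changes are omitted."""
    old, new = parse_profiles(old_text), parse_profiles(new_text)
    report = {}
    for key in sorted(old.keys() & new.keys()):
        changes = diff_record(old[key], new[key])
        if changes:
            report[key] = changes
    return report


def _sample(key, overrides):
    """Build a constructed 72-value record; these are not real CarrierDB values."""
    record = list(key) + ["1"] + [""] * 69
    for field_no, value in overrides.items():
        record[field_no - 1] = value
    return ",".join(record)


# Constructed stand-ins for the same carrier entries in two CarrierDB versions.
SAMPLE_OLD = "\n".join([_sample(("234", "30"), {21: "aa", 64: "0", 72: "O_"}),
                        _sample(("234", "33"), {21: "cc"})])
SAMPLE_NEW = "\n".join([_sample(("234", "30"), {21: "bb", 64: "1", 72: "P_"}),
                        _sample(("234", "33"), {21: "cc"})])

if __name__ == "__main__":
    for key, changes in diff_profiles(SAMPLE_OLD, SAMPLE_NEW).items():
        print(key, changes)
```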

Interesting links :
CarrierCustomization.prc containing CarrierProfiles2 version 549.


Treo 680 ROM hacking 3

December 16, 2007

The new 2.11 AT&T ROM release has prompted me to take a look behind the scenes of the romupdater.prc and I’ve discovered a few interesting new things beyond the commands we knew already :

? / help (lists the very few commands we knew before)
low <directory> (Flash LowRider IPL,SPL,TPL and OS. From RAM or SD directory)
list (lists the ROM images)
lt (list ROM tokens)
->prnm – Product name (TREO680)
->hser – HotSync/Handspring serial number (PMGG0BCxxxxx)
->hwvr – H/W version (A)
->Gime – IMEI *beware the Mobile Phones (Reprogramming) Act 2002*
->BTid – Bluetooth ID
->crnm – Carrier name (ROW)
->revn – ROM revision (2.11)
->gmfl – GM flag (GM)
->CleS – Cameraless ID
->Skip – Skip camera ID
->KBlo – Keyboard localization
->TScb – Screen calibration
->GoUc – Network Unlock PIN
->GpUc – Operator Unlock PIN
->Gvlt – GSM voice life timer (240)
->???? – GSM data life timer
->???? – Warranty date code
->HTCM – ?no idea? (FC6B07E…)
->HRST – ?no idea?
->Nohr – ?no idea?
dt <token> (delete ROM token)
wt <token> <value> (write ROM token)
su (superuser mode)
superuser mode enabled
duinit (Device Updater modifies carrier settings?)
DuLibInitialize returned: 0x0000
rev [list] (Show hardware revision or list all IPL files)
Board ID: LOW
HW Rev: cvt
reset (Soft reset)
listcards (Lists the SD cards available)
Vol: 0x0002  Attr: 0x00000001
updatebinfs (Requires superuser mode)
updateipl <low-ipl-cvt.pdb> (Requires superuser mode)
Using low-ipl-cvt.pdb
Updating the IPL…
Updating from SD card… Comparing image with flash…
Diff at offset 0x00000000
From File:
18, F0, 9F, E5, 18, F0, 9F, E5
From Flash:
6C, 6F, 77, 2D, 69, 70, 6C, 2D
Flashing section…Done!
Verifying section…Done!
updatespl (Requires superuser mode)
updatetpl <dir index> <filename> (Requires superuser mode)
format [ace|angus|low] <force> (?)
lowsize (?)
Low MaxOS Size: 0x2100000
Low BinFS Size: 0x02400000
Checking os file size (/ROM/ …
OS size on SD: 0x00849D91
MaxOS >= 0x00849E00
>> You can flash your device
pmhreset (?)
hreset (*Hard reset*, requires superuser mode)
fboot (?)
Fastboot mode enabled…
check [ace|angus|brahma] (No LOW option)
cleartokens (Clear ROM tokens)
verifyp (ERROR!)
verifyb (?)
low-ipl- (?)
aceroff (?)
angusroff (?)
hdread (?, brahma-only)
hdfill (?, brahma-only)
norread (?, resets device)
norfill (?)
smallrom <filename> (?)
No file specified. Assuming /ROM/Brahma_Release_EVT1_efgs.smallrom
Smallrom updated unsuccessfully.

What do dvt,evt,p1,p2 refer to?
M-Systems EVT3 = ?
M-Systems Ace/Camino = EVT2 = Treo650 / Treo680?
M-Systems Angus = T5?

lt and wt are useful for avoiding the official ROM update version checks, as we can modify both the carrier name (ROW/CNG, ROG, etc.) and the revision number (1.09/2.11, etc.).


Palm to add A2DP support ?

December 15, 2007

The hidden preferences page is already present in the latest updated ROM images for AT&T.


Treo680 sounds

A quick note of where the power-on and power-off sounds are kept within the 680 ROM.

I had expected them to be WAV resources, but no, they’re MIDI.

HsSysResource.prc has them at resource IDs 25002 and 25003.

Both are 152 bytes each; the longest MIDI resource in there is 289 bytes.


Treo 680 Varnish

To allow Palm to cater to carriers wanting to change the branding, Palm seem to have come up with the following.

Varnishator.prc – gets the ROM token (ROW|ATT|etc) and calls CapLib.prc

CapLib.prc – Unpacks and parses CapData.xml

Varnishator.prc is probably called after a reset; depending on the comparison of the ROM token and the CapData.xml, the splashscreens are then extracted or not. If they aren’t extracted (because the ROM token is different), then the splashscreens in TelephonyUI_CNGW_enUS.lprc are used as default.

In terms of using this behaviour to create our own custom ‘varnish’, we are probably looking at modifying the XML to match whatever our ROM token is, and changing the JPEGs included in

Rebuilding of will be awkward though, as the JPEG images will need to be split into record-sized (4k) chunks and padded accordingly with the original. So instead, we ensure the filenames contained in don’t match what the XML will look for; by doing that, Varnishator is somewhat defeated and we fall back on the Telephony_UI prc, which is much easier to edit with custom splash screens using the same process as for the 650.

We thereby go from custom ROMs with branding like the original Cingular and the rebranded AT&T splashscreens, both unsuitable for an unbranded ROM, to the Treo650 splashscreen (because it was the only stock image I could find). All without having to muck about with copying splashscreen files to RAM, which I think is a rather unclean approach until such point as a ROM update arrives for the unlocked GSM 680s.

Treo680 ROM recovery

I thought I’d figure out how to use the debug tools to flash the Treo. But before that, I thought I’d document a few Palm codenames I’ve seen floating around in some of their official ROM flashing tools.

Codenames :

Palm T5 : Angus (Platform), TnT5(DeviceID)
Palm TX : Devon (Platform), D050(DeviceID)
Lifedrive : Brahma (Platform), TunX(DeviceID)
Treo 650 : Ace (Platform), H102(DeviceID)
Treo 680 : Lowrider (Platform), Camino(Hardware), Nitro, D053(DeviceID)
Treo 700p : Ventura (Platform), D052(DeviceID)
Treo 755p : Torino (Platform), Sherlock, D060(DeviceID)

Essential reading:

Programming Development Tools Guide.
Alvin Mok’s Palm codename list


Down and reset > SmallROM debugger (bootstrap code to initialise the hardware), starts communicating at 57600 baud.

Interesting commands :

bootstrap <“hwInitFileName”> <“romFileName”> [\slow]
dump <“filename”> <addr> <numBytes>
save <“fileName”> <addr> <numBytes>
g <addr>
storeinfo <cardNum>
t and s (step)

===== Welcome to the Palm OS SmallROM Debugger!! =====
+$00EC  10000448  *PEA       $FFFFFFFF                   ; FFFFFFFF    | 4878 FFFF

Booting ROM...

Interior of the Treo 680

Just the interesting side of the main board in the 680.

M-Systems MD8832-d1G-V3-X-P – 128MB DiskOnChip
Spansion S71PL064JB0BFW – 32Mbit pSRAM, 64Mbit Flash
Broadcom BCM2133KFBG – Baseband EDGE/GPRS/GSM chip
Intel 8270C5C312 CPU
SEC 634 BF75 ?

I suspected the sixteen pads (two rows of eight, though the upper row is occluded by the RF shielding) to the upper left of the PXA in the photo contain the JTAG points. This has been confirmed by Alex and Chris at Hack&Dev.

1 3.3 VDC   ; 16 TDO
2 NC        ; 15 NC
3 NC        ; 14 TCK
4 NC        ; 13 NTRST
5 NC        ; 12 NRESET
6 TDI       ; 11 TMS
7 GPIO 118  ; 10 GND
8 GPIO 39   ; 9 GND

Treo 680 ROM hacking 2

Palm’s ROM updates :

Palm have released several different methods of updating flash ROMs and firmware and recently they seem to have settled on using a method of splitting the large PalmOS ROM into small 2MB chunks to allow easy hotsyncing. These ‘hacksplit’ chunks are then combined during the flashing of the ROM image.

Fortunately for us, Matt at and a few others created RomTool for the Treo650. This was aware of hacksplit and could perform the somewhat trivial concatenation to allow us to extract and then edit the whole ROM image. It can also talk to the 650’s bootloader, which the 680 doesn’t have.

The only way so far to flash a custom ROM to the 680 is to use the release for updating AT&T branded phones, which included the ROM image in hacksplit format. We therefore need a method of converting our large monolithic ROM into hacksplit format and producing a valid MD5 checksum for it.

There is existing code to perform at least part of this work for the Tungsten TX, and I have modified it to work for the somewhat larger 680 ROM. [TXupdate original] [TXupdate_modified_for_680].

How to build a custom ROM :

1) Take apart the AT&T Rom with Romtool.

Extract it to a directory and replace the files you want. I listed files suitable for removing here.

2) Compress that same directory with Romtool to create and accompanying .md5 checksum.

3) Use the TXupdate REXX code I updated to split the large file into the HACKSPLIT sections that the ROM Updater expects (,, etc). i.e.

Put the large, and rexx32.exe and zip2pdb.rex into c:\scratch.

    cd c:\scratch
    c:\scratch\rexx32.exe zip2pdb.rex
    Write file
    Write file
    Write file
    Write file
    Write file
    Write file

4) Place those newly created ROM sections into the Rom Updater directory.

5) Recreate the MD5 checksum to match.

Do this with a hex editor: open the md5 checksum file you got from RomTool, copy the 32-character string and use it to replace the one in in the Rom Updater directory.

6) You can now copy the RomUpdater.prc and all the ROM files to the launcher directory on your SD card and run from there.
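
The split-and-checksum steps above, as an added example that is not the TXupdate REXX code or part of the original post: it cuts an image into fixed-size chunks and checks that the chunks, joined in order, reproduce the 32-character MD5. It works on raw chunks only and does not produce the PDB wrapping the ROM Updater expects; the 2 MiB chunk size, the function names and the sample image are assumptions.

```python
import hashlib

CHUNK_SIZE = 2 * 1024 * 1024  # the post says "2MB"; exact byte count is assumed


def split_image(image, chunk_size=CHUNK_SIZE):
    """Cut a monolithic image into fixed-size chunks; the last may be shorter."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]


def verify_chunks(chunks, expected_md5, chunk_size=CHUNK_SIZE):
    """Check chunk sizes and the MD5 of the concatenation; return (ok, reason)."""
    expected = expected_md5.strip().lower()
    if len(expected) != 32 or set(expected) - set("0123456789abcdef"):
        return False, "checksum is not a 32-character hex string"
    if not chunks:
        return False, "no chunks supplied"
    # Every chunk except the last must be full-sized, or the join is misaligned.
    for index, chunk in enumerate(chunks[:-1]):
        if len(chunk) != chunk_size:
            return False, f"chunk {index} is {len(chunk)} bytes, not {chunk_size}"
    if not 0 < len(chunks[-1]) <= chunk_size:
        return False, "last chunk has an invalid size"
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    if digest.hexdigest() != expected:
        return False, "MD5 of the joined chunks does not match"
    return True, "ok"


# Constructed stand-in for a ROM image: 10240 bytes, split at 4096 for the demo.
SAMPLE_IMAGE = b"".join(n.to_bytes(4, "big") for n in range(2560))
SAMPLE_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    parts = split_image(SAMPLE_IMAGE, 4096)
    print(len(parts), verify_chunks(parts, SAMPLE_MD5, 4096))
    # Chunks copied in the wrong order are caught by the checksum.
    print(verify_chunks([parts[1], parts[0], parts[2]], SAMPLE_MD5, 4096))
```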

If you are after custom ROMs and don’t want to make one yourself, there’s a thread on TreoCentral.


Treo 680 ROM hacking

May 29, 2007

Tuesday, 29 May 2007

Palm released the AT&T update ROM under pressure to clean up Cingular branding.

Here is a content listing of the unpacked ROM :

Tools you need :


ROM Updater
Welcome to the device updater...
ROM Build: 3406
Built Jun 22 2006  15:51:12
SD Card VolRefNum: 0x0002
Board ID: LOW
HS Rev: cvt
list - List the ROM images.
ace [filename] - Update Ace. (Ace is the Treo650)
angus [force] [filename] - Update Angus. (Angus is the T5)
Low MaxOS Size: 0x2100000
Low BinFS Size: 0x2400000
Checking os file size (/ROM/ ...
OS size on SD: 0x00BC5652
MaxOS >= 0x00BC5800
>> You can flash your device
Preparing to update Low.
Verifying the image files...
Validating /ROM/low-ipl-cvt ...OK!
Validating /ROM/low-spl ...OK!
Validating /ROM/ ...OK!
Validating /ROM/ ...OK!
Validating /ROM/ ...OK!
Updating the Low Part...
Turning off Phone...DONE!
Turning off Bluetooth...DONE!
Turning off IR...DONE!
Updating the IPL...
Updating from device... Comparing image with flash...OK.
Skipping section.
Updating the SPL...
Updating from device... Comparing image with flash...OK.
Skipping section.
Updating the TPL...
Updating from device... Comparing image with flash...OK.
Skipping section.
Updating the TPL...
Updating from device... Comparing image with flash...OK.
Skipping section.
Updating the OS...
Updating from device... Comparing image with flash...
File size different:
file: 0x00F43F07
flash: 0x00BC5652
Flashing section...Done!
Verifying section...Done!
Token: HRST
DeleteToken Success!
Token: Nohr
DeleteToken Success!
Language token is set to enUS!

If you proceed this way, your CarrierDB will be 292, not 355 as per the ATT update.


I’ve tooled around with some REXX code to recreate the files from a custom ROM I created to remove PocketTunes, Addit and some other junk, and I’ve manually edited the MD5 checksum to match the new custom ROM. I just need to finish copying them to RAM and I’ll try what I believe to be the first custom ROM created for an unlocked GSM Treo 680 !

Yes, I have a custom ROM working, next on the list is recovery methods should anything go wrong.
