
Creating Fullflash for E1

1. Use FlashBackup to create a custom range backup of this address range: 10040000-12000000. The
custom range excludes the bootloader and pds, which is required to get around the rokr bootloader protection.

Choose 'Additional loader for 32 MB' from the dropdown list at the bottom. This allows you to create
the backup at normal speed, which takes about 5 minutes to complete (thanks to cdtrix for the info). You
can also untick the checkbox to make a backup, but the process will take around 2.5 hours to finish.

Check "Disable backup compression and support of compressed backups" on the Backups page to get
the backup in .bin format directly. Without that option checked, FlashBackup by default creates a compressed
backup file with the .fbp extension. You can get the uncompressed binary backup by renaming the .fbp file
to .cab, then extracting it with a compression utility such as winzip or winrar.

Since the backup is not a full 32 MB in size, FB will refuse to make a fullflash out of it. You need a hex editor to add
256 KB of empty bytes at the beginning of the file to expand its size to 32 MB.

2. Open the bin backup in xvi32. Make sure the cursor is at the beginning of the file. In Edit > Insert, set:
  - Insert: Hex string
  - Value: 00
  - Insert times: hexadecimal, value: 40000

3. Save it, e.g. "32 MB full backup.bin".

Both the bootloader and pds (which are located in the area before 10040000) are not needed when creating
a fullflash, as flashbackup skips that part and converts the binary to Motorola S format (shx) starting
from cg3 (dsp) at 0x40000 up to 0x2000000 (32 MB). So it does not matter what you fill that part
with; in the case above it is zero bytes.

4. Use the file to generate the E790/E1 ROKR fullflash from flashbackup. Save the flash on a cd/dvd and keep
it in a safe place. You will need it later if your modding goes wrong, or if you need to come clean
before claiming the warranty because of hardware problems etc.

Patching E1 fullflash for E398

I won't write a detailed step-by-step here, as this is intended for people who are familiar with modding.

1. Split the 32 MB E1 fullflash above with shxcodec.

2. Edit the CG1 and CG18 smg files with a hex editor.

Replace the original values at these offsets with these values:

At the beginning part (this is CG0):

Offsets: hexadec.
0: 11
2: 00
3: 00
C4: 11
C6: 00
C7: 00

The middle part:

• Locate these hex values: 396BE59FC000. You should find them in the middle part of CG1
• Right above it you should see quite a few occurrences of this hex pattern: 47 78 46 C0
• Replace the fifth of those patterns (counting bottom up from the current location) with 20 01 47
• Save it as a different file with the .smg extension.

Replace the first 16 bytes with these values:
Offsets: hexadec.
0: E5
1: 9F
2: 10
3: 04
4: E5
5: 91
6: 10
7: 00
8: E1
9: 2F
B: 11
C: 10
D: 04
E: 00
F: 00

Save it.

Replace the original cg1 and 18 with the patched ones in shxcodec, compile it to a new shx, and there
is your patched firmware.

Things to consider before flashing:

Some versions of shxcodec (can't remember which ones) write the wrong codegroup addresses
into the ramdownloader. Split your patched MP and compare its ramdownloader with another
ramdownloader that has a similar cg structure, and make sure there are no differences in the codegroup
addresses. To check them manually:

codegroup, memory address, offsets in file:

3, 10040000-1007FFFF, 110-117
1, 10080000-10CFFFFF, 100-107
15, 10D00000-10F3FFFF, 170-177
4, 10F40000-110FFFFF, 118-11F
2, 11100000-11F5FFFF, 108-10F
7, 11F80000-11F90000, 130-137
18, 11FE0000-11FE07FF, 188-18F
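
The manual check above can be scripted. The following is an added example, not part of the original guide or of shxcodec: it compares the 8-byte address slots listed in the table between a patched ramdownloader and a reference one. The sample images are constructed, and storing each slot as two big-endian 32-bit words (start, end) is an assumption used only to build them; the comparison itself works on raw bytes.

```python
# Added example: compare codegroup address slots of two ramdownloader images.
# Slot offsets and address ranges come from the table on this page.
import struct

# codegroup -> (start address, end address, slot offset in the ramdownloader)
CG_TABLE = {
    3: (0x10040000, 0x1007FFFF, 0x110),
    1: (0x10080000, 0x10CFFFFF, 0x100),
    15: (0x10D00000, 0x10F3FFFF, 0x170),
    4: (0x10F40000, 0x110FFFFF, 0x118),
    2: (0x11100000, 0x11F5FFFF, 0x108),
    7: (0x11F80000, 0x11F90000, 0x130),
    18: (0x11FE0000, 0x11FE07FF, 0x188),
}
SLOT_LEN = 8  # each table entry spans 8 bytes (e.g. 100-107)


def diff_slots(patched: bytes, reference: bytes) -> list[int]:
    """Return the codegroups whose 8-byte address slot differs between the images."""
    bad = []
    for cg, (_, _, off) in sorted(CG_TABLE.items()):
        a, b = patched[off:off + SLOT_LEN], reference[off:off + SLOT_LEN]
        if len(a) < SLOT_LEN or len(b) < SLOT_LEN:
            raise ValueError(f"image too short for CG{cg} slot at {off:#x}")
        if a != b:
            bad.append(cg)
    return bad


def build_sample(overrides=None) -> bytes:
    """Constructed test image; big-endian start/end words are an assumption."""
    img = bytearray(0x190)
    for cg, (start, end, off) in CG_TABLE.items():
        start, end = (overrides or {}).get(cg, (start, end))
        struct.pack_into(">II", img, off, start, end)
    return bytes(img)


if __name__ == "__main__":
    good = build_sample()
    # Simulate the shxcodec fault described above: a wrong CG18 address.
    broken = build_sample({18: (0x11FC0000, 0x11FC07FF)})
    for cg in diff_slots(broken, good):
        start, end, off = CG_TABLE[cg]
        print(f"CG{cg}: slot {off:#x} differs; table expects {start:08X}-{end:08X}")
```

With real files, read both ramdownloaders with open(path, "rb").read() and pass them to diff_slots; an empty list means the address slots match.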

Hope that helps.