[milad_a]

hi

i can port small patch like this :

; [hw]W580[/hw] R8BE001 
; Remove "Emergency calls" 
; Ubirayutsya 911 and 112, with zalochennoy keylock 
; Remove "Emergency calls" 911 and 112 when keyboard is locked. 
; © Joker XT
; (p) MILAD

+44140000
106A1A8: 3131320039313100 0000000000000000

but when i try to patch progressive patch that use new free section of memory and make new function i'll confuse!

see below:

Quote

;W580 SW-R8BA024
;Vibra when connecting call
; © IronMaster
+44140000
c737ec: 4A22A35C 994A9047
c73a54: 9A110000 F12BBF45
1ab2bf0: 00000000000000000000000000000000 4422A35CFFB5002081B00090A2B06846
1ab2c00: 00000000000000000000000000000000 06498847FA21890032220B1C0668FF24
1ab2c10: 00000000000000000000000000000000 69343659B04723B0FFBDFFFF99052E45

i konw that 1ab2bf0=reverse(F12BBF45)-44140000-1 and it jump to section of memory and put new funcion there

so i konw that BOLDed is address for return but i dont know how i can calculate it ?

see this one too:

Quote

;W850 SW-R1KG001
;Отображение имени абонента, назначенного на быстрый вызов, при наборе номера
;v. 1
;© IronMaster
+44140000
129ccfa: 818061884180E188C180 014EB04701E001A2CF45
1bba200: 00000000000000000000000000000000 818061804180E180C180009EFFB5301C
1bba210: 00000000000000000000000000000000 00F07AF8012859D1301C00F079F8011C
1bba220: 00000000000000000000000000000000 68460122012300F077F868460478312C
1bba230: 00000000000000000000000000000000 4CDB392C4ADC303C9021D43105230122
1bba240: 00000000000000000000000000000000 002000F049F8071C848002203875391C
1bba250: 00000000000000000000000000000000 1FA000F049F8002838D13878002835D0
1bba260: 00000000000000000000000000000000 3889B880F868B8600220B8750020B874
1bba270: 00000000000000000000000000000000 2B20852149007854391C15A000F038F8
1bba280: 00000000000000000000000000000000 002823D13878002820D0381C18300021
1bba290: 00000000000000000000000000000000 104A00F031F8061C391C002000F020F8
1bba2a0: 00000000000000000000000000000000 362000F03DF8FF200006011C03B4EB20
1bba2b0: 00000000000000000000000000000000 6E21162204230FB4301C022102223C23
1bba2c0: 00000000000000000000000000000000 00F032F806B0301C00F01AF8FFBDFFFF
1bba2d0: 00000000000000000000000000000000 00000000FFFF0000004D28472516F244
1bba2e0: 00000000000000000000000000000000 004D28475116F244004D284775FCE844
1bba2f0: 00000000000000000000000000000000 004D284779D9E844004D284705794645
1bba300: 00000000000000000000000000000000 004D2847CD7A4645004D28477DD53D45
1bba310: 00000000000000000000000000000000 004D284795D53D45004D2847BD623545
1bba320: 00000000000000000000000000000000 004D28474DEB4745004D2847F1E04745

this is ported patch :

Quote

;W580 SW-R8BE001
;Отображение имени абонента, назначенного на быстрый вызов, при наборе номера
;v. 1
;© IronMaster
;(p) -=Tanusha_SE=-
+44140000
117be9a: 818061884180E188C180 014EB04701E0C1E1BF45
1abe1c0: 00000000000000000000000000000000 818061804180E180C180009EFFB5301C
1abe1d0: 00000000000000000000000000000000 00F07AF8012859D1301C00F079F8011C
1abe1e0: 00000000000000000000000000000000 68460122012300F077F868460478312C
1abe1f0: 00000000000000000000000000000000 4CDB392C4ADC303C9021D43105230122
1abe200: 00000000000000000000000000000000 002000F049F8071C848002203875391C
1abe210: 00000000000000000000000000000000 1FA000F049F8002838D13878002835D0
1abe220: 00000000000000000000000000000000 3889B880F868B8600220B8750020B874
1abe230: 00000000000000000000000000000000 2B20852149007854391C15A000F038F8
1abe240: 00000000000000000000000000000000 002823D13878002820D0381C18300021
1abe250: 00000000000000000000000000000000 104A00F031F8061C391C002000F020F8
1abe260: 00000000000000000000000000000000 362000F03DF8FF200006011C03B4EB20
1abe270: 00000000000000000000000000000000 6E21162204230FB4301C022102223C23
1abe280: 00000000000000000000000000000000 00F032F806B0301C00F01AF8FFBDFFFF
1abe290: 00000000000000000000000000000000 00000000FFFF0000004D28474599DF44
1abe2a0: 00000000000000000000000000000000 004D28477199DF44004D2847617FD644
1abe2b0: 00000000000000000000000000000000 004D28471D5CD644004D284735743445
1abe2c0: 00000000000000000000000000000000 004D2847FD753445004D284729C72B45
1abe2d0: 00000000000000000000000000000000 004D284741C72B45004D2847A1402345
1abe2e0: 00000000000000000000000000000000 004D28475DE73545004D284701DD3545

i know that C1E1BF45 indicate jump place and it's diffrent in 2 patches because destination is diffrent but BOLDed section in patches is permanent and the red section is variable that i think is return addresss

can anybody help me?

i know that in this forum we have many people that port such patch share your knowlagment with us

how you port DB2020 patch


thx in advance

This post has been edited by milad_a: 29 August 2008 - 07:43 PM

[mousex]

Modifying/creating Advanced Patches - SE-NSE Forums

[milad_a]

@mousex

thx man i read all post of this topic before but it's for DB2010 i need DB2020

[jamesbond22]

milad_a
you need to port all marked in red addresses also.

[milad_a]

how?

i know that i must use IDA and smelter , i try many time but no success

can you guide me ?

or navigate me to a page that contain some tutorial about that ?

thx buddy

[ThilinaC]

anyway do u have an idea to port ironmasters 5th elf tab patch to w580??

i was wondering

[mousex]

milad_a, on 2008-08-30 07:34, said:

@mousex

thx man i read all post of this topic before but it's for DB2010 i need DB2020

It's the same for DB2020 you only have to use the right Firmwares and +44140000 as starting address.

[milad_a]

i read all post of that topic and i understand all of them but this section :

Quote

Now we need to find addresses for K750 SW-R1CA021.
Open Smelter, go to Fullflash -> Open and choose our file K750_R1CA021.raw (since Smelter doesn't see '.raw' files, choose 'all files' below).
After opening, go to Fullflash -> Load base and set it to 44020000.


Porting address1:
CODE
address1 equ 0x4512B220


Go to 0x4512B220 and move a little bit lower (because making pattern from middle of the function is better IMHO) in the W800 flashfile and create a pattern:
CODE
ROM:4512B24C loc_4512B24C ; CODE XREF: sub_4512B220+20j
ROM:4512B24C 2A 7C LDRB R2, [R5,#0x10]
ROM:4512B24E 10 1C ADD R0, R2, #0
ROM:4512B250 12 30 ADD R0, #0x12
ROM:4512B252 14 21 MOV R1, #0x14
ROM:4512B254 3B F0 5E FC BL sub_45166B14
ROM:4512B258 03 1C ADD R3, R0, #0
ROM:4512B25A 00 2A CMP R2, #0
ROM:4512B25C 0F D1 BNE loc_4512B27E
ROM:4512B25E 13 23 MOV R3, #0x13
ROM:4512B260 0D E0 B loc_4512B27E

2A7C101C12301421????????031C002A0FD1 – this is a pattern in our case.

Press a big "B" button in the Smelter's panel, copy the pattern here and press OK.
We found an address, click the line with address and F3 to copy it.
Go to the same address in K750_R1CA021.
Press "Alt+B", in String fill b5 then Search Up...
Ready? Got an address. Go to this address-1 and press "C".
Compare functions, they are equal aren't they? Yes!

i can't found pattern nor in source MAIN neither in destination MAIN !

can any one help me?

this is IDA ASM code of the patch :

ROM:45CFA200			;
ROM:45CFA200			; +-------------------------------------------------------------------------+
ROM:45CFA200			; |	 This file is generated by The Interactive Disassembler (IDA)		|
ROM:45CFA200			; |	 Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com>		|
ROM:45CFA200			; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007  |
ROM:45CFA200			; +-------------------------------------------------------------------------+
ROM:45CFA200			;
ROM:45CFA200			; Input MD5   : 249F5250525D55A5081F10696854088F
ROM:45CFA200
ROM:45CFA200			; ---------------------------------------------------------------------------
ROM:45CFA200			; File Name   : G:\New Folder\API.raw
ROM:45CFA200			; Format	  : Binary file
ROM:45CFA200			; Base Address: 0000h Range: 45CFA200h - 45CFA330h Loaded length: 0130h
ROM:45CFA200
ROM:45CFA200			; Processor	   : ARM710a
ROM:45CFA200			; Target assembler: Generic assembler for ARM
ROM:45CFA200			; Byte sex		: Little endian
ROM:45CFA200
ROM:45CFA200			; ===========================================================================
ROM:45CFA200
ROM:45CFA200			; Segment type: Pure code
ROM:45CFA200							 AREA ROM, CODE, READWRITE, ALIGN=0
ROM:45CFA200							; ORG 0x45CFA200
ROM:45CFA200							 CODE16
ROM:45CFA200 81 80					   STRH	R1, [R0,#4]
ROM:45CFA202 61 80					   STRH	R1, [R4,#2]
ROM:45CFA204 41 80					   STRH	R1, [R0,#2]
ROM:45CFA206 E1 80					   STRH	R1, [R4,#6]
ROM:45CFA208 C1 80					   STRH	R1, [R0,#6]
ROM:45CFA20A 00 9E					   LDR	 R6, [SP]
ROM:45CFA20C FF B5					   PUSH	{R0-R7,LR}
ROM:45CFA20E 30 1C					   ADDS	R0, R6, #0
ROM:45CFA210 00 F0 7A F8				 BL	  sub_45CFA308
ROM:45CFA214 01 28					   CMP	 R0, #1
ROM:45CFA216 59 D1					   BNE	 locret_45CFA2CC
ROM:45CFA218 30 1C					   ADDS	R0, R6, #0
ROM:45CFA21A 00 F0 79 F8				 BL	  sub_45CFA310
ROM:45CFA21E 01 1C					   ADDS	R1, R0, #0
ROM:45CFA220 68 46					   MOV	 R0, SP
ROM:45CFA222 01 22					   MOVS	R2, #1
ROM:45CFA224 01 23					   MOVS	R3, #1
ROM:45CFA226 00 F0 77 F8				 BL	  sub_45CFA318
ROM:45CFA22A 68 46					   MOV	 R0, SP
ROM:45CFA22C 04 78					   LDRB	R4, [R0]
ROM:45CFA22E 31 2C					   CMP	 R4, #0x31
ROM:45CFA230 4C DB					   BLT	 locret_45CFA2CC
ROM:45CFA232 39 2C					   CMP	 R4, #0x39
ROM:45CFA234 4A DC					   BGT	 locret_45CFA2CC
ROM:45CFA236 30 3C					   SUBS	R4, #0x30
ROM:45CFA238 90 21 D4 31				 MOVLS   R1, 0x164
ROM:45CFA23C 05 23					   MOVS	R3, #5
ROM:45CFA23E 01 22					   MOVS	R2, #1
ROM:45CFA240 00 20					   MOVS	R0, #0
ROM:45CFA242 00 F0 49 F8				 BL	  sub_45CFA2D8
ROM:45CFA246 07 1C					   ADDS	R7, R0, #0
ROM:45CFA248 84 80					   STRH	R4, [R0,#4]
ROM:45CFA24A 02 20					   MOVS	R0, #2
ROM:45CFA24C 38 75					   STRB	R0, [R7,#0x14]
ROM:45CFA24E 39 1C					   ADDS	R1, R7, #0
ROM:45CFA250 1F A0					   ADR	 R0, unk_45CFA2D0
ROM:45CFA252 00 F0 49 F8				 BL	  sub_45CFA2E8
ROM:45CFA256 00 28					   CMP	 R0, #0
ROM:45CFA258 38 D1					   BNE	 locret_45CFA2CC
ROM:45CFA25A 38 78					   LDRB	R0, [R7]
ROM:45CFA25C 00 28					   CMP	 R0, #0
ROM:45CFA25E 35 D0					   BEQ	 locret_45CFA2CC
ROM:45CFA260 38 89					   LDRH	R0, [R7,#8]
ROM:45CFA262 B8 80					   STRH	R0, [R7,#4]
ROM:45CFA264 F8 68					   LDR	 R0, [R7,#0xC]
ROM:45CFA266 B8 60					   STR	 R0, [R7,#8]
ROM:45CFA268 02 20					   MOVS	R0, #2
ROM:45CFA26A B8 75					   STRB	R0, [R7,#0x16]
ROM:45CFA26C 00 20					   MOVS	R0, #0
ROM:45CFA26E B8 74					   STRB	R0, [R7,#0x12]
ROM:45CFA270 2B 20					   MOVS	R0, #0x2B
ROM:45CFA272 85 21 49 00				 MOVLS   R1, 0x10A
ROM:45CFA276 78 54					   STRB	R0, [R7,R1]
ROM:45CFA278 39 1C					   ADDS	R1, R7, #0
ROM:45CFA27A 15 A0					   ADR	 R0, unk_45CFA2D0
ROM:45CFA27C 00 F0 38 F8				 BL	  sub_45CFA2F0
ROM:45CFA280 00 28					   CMP	 R0, #0
ROM:45CFA282 23 D1					   BNE	 locret_45CFA2CC
ROM:45CFA284 38 78					   LDRB	R0, [R7]
ROM:45CFA286 00 28					   CMP	 R0, #0
ROM:45CFA288 20 D0					   BEQ	 locret_45CFA2CC
ROM:45CFA28A 38 1C					   ADDS	R0, R7, #0
ROM:45CFA28C 18 30					   ADDS	R0, #0x18
ROM:45CFA28E 00 21					   MOVS	R1, #0
ROM:45CFA290 10 4A					   LDR	 R2, dword_45CFA2D4
ROM:45CFA292 00 F0 31 F8				 BL	  sub_45CFA2F8
ROM:45CFA296 06 1C					   ADDS	R6, R0, #0
ROM:45CFA298 39 1C					   ADDS	R1, R7, #0
ROM:45CFA29A 00 20					   MOVS	R0, #0
ROM:45CFA29C 00 F0 20 F8				 BL	  sub_45CFA2E0
ROM:45CFA2A0 36 20					   MOVS	R0, #0x36
ROM:45CFA2A2 00 F0 3D F8				 BL	  sub_45CFA320
ROM:45CFA2A6 FF 20 00 06				 MOVLS   R0, 0xFF000000
ROM:45CFA2AA 01 1C					   ADDS	R1, R0, #0
ROM:45CFA2AC 03 B4					   PUSH	{R0,R1}
ROM:45CFA2AE EB 20					   MOVS	R0, #0xEB
ROM:45CFA2B0 6E 21					   MOVS	R1, #0x6E
ROM:45CFA2B2 16 22					   MOVS	R2, #0x16
ROM:45CFA2B4 04 23					   MOVS	R3, #4
ROM:45CFA2B6 0F B4					   PUSH	{R0-R3}
ROM:45CFA2B8 30 1C					   ADDS	R0, R6, #0
ROM:45CFA2BA 02 21					   MOVS	R1, #2
ROM:45CFA2BC 02 22					   MOVS	R2, #2
ROM:45CFA2BE 3C 23					   MOVS	R3, #0x3C
ROM:45CFA2C0 00 F0 32 F8				 BL	  sub_45CFA328
ROM:45CFA2C4 06 B0					   ADD	 SP, SP, #0x18
ROM:45CFA2C6 30 1C					   ADDS	R0, R6, #0
ROM:45CFA2C8 00 F0 1A F8				 BL	  sub_45CFA300
ROM:45CFA2CC
ROM:45CFA2CC			 locret_45CFA2CC						; CODE XREF: ROM:45CFA216j
ROM:45CFA2CC													; ROM:45CFA230j ...
ROM:45CFA2CC FF BD					   POP	 {R0-R7,PC}
ROM:45CFA2CC			; ---------------------------------------------------------------------------
ROM:45CFA2CE FF						  DCB 0xFF
ROM:45CFA2CF FF						  DCB 0xFF
ROM:45CFA2D0 00		  unk_45CFA2D0	DCB	0			   ; DATA XREF: ROM:45CFA250o
ROM:45CFA2D0													; ROM:45CFA27Ao
ROM:45CFA2D1 00						  DCB	0
ROM:45CFA2D2 00						  DCB	0
ROM:45CFA2D3 00						  DCB	0
ROM:45CFA2D4 FF FF 00 00 dword_45CFA2D4  DCD 0xFFFF			 ; DATA XREF: ROM:45CFA290r
ROM:45CFA2D8
ROM:45CFA2D8			; =============== S U B R O U T I N E =======================================
ROM:45CFA2D8
ROM:45CFA2D8
ROM:45CFA2D8			 sub_45CFA2D8						   ; CODE XREF: ROM:45CFA242p
ROM:45CFA2D8 00 4D					   LDR	 R5, dword_45CFA2DC
ROM:45CFA2DA 28 47					   BX	  R5
ROM:45CFA2DA			; End of function sub_45CFA2D8
ROM:45CFA2DA
ROM:45CFA2DA			; ---------------------------------------------------------------------------
ROM:45CFA2DC 25 16 F2 44 dword_45CFA2DC  DCD 0x44F21625		 ; DATA XREF: sub_45CFA2D8r
ROM:45CFA2E0
ROM:45CFA2E0			; =============== S U B R O U T I N E =======================================
ROM:45CFA2E0
ROM:45CFA2E0
ROM:45CFA2E0			 sub_45CFA2E0						   ; CODE XREF: ROM:45CFA29Cp
ROM:45CFA2E0 00 4D					   LDR	 R5, dword_45CFA2E4
ROM:45CFA2E2 28 47					   BX	  R5
ROM:45CFA2E2			; End of function sub_45CFA2E0
ROM:45CFA2E2
ROM:45CFA2E2			; ---------------------------------------------------------------------------
ROM:45CFA2E4 51 16 F2 44 dword_45CFA2E4  DCD 0x44F21651		 ; DATA XREF: sub_45CFA2E0r
ROM:45CFA2E8
ROM:45CFA2E8			; =============== S U B R O U T I N E =======================================
ROM:45CFA2E8
ROM:45CFA2E8
ROM:45CFA2E8			 sub_45CFA2E8						   ; CODE XREF: ROM:45CFA252p
ROM:45CFA2E8 00 4D					   LDR	 R5, dword_45CFA2EC
ROM:45CFA2EA 28 47					   BX	  R5
ROM:45CFA2EA			; End of function sub_45CFA2E8
ROM:45CFA2EA
ROM:45CFA2EA			; ---------------------------------------------------------------------------
ROM:45CFA2EC 75 FC E8 44 dword_45CFA2EC  DCD 0x44E8FC75		 ; DATA XREF: sub_45CFA2E8r
ROM:45CFA2F0
ROM:45CFA2F0			; =============== S U B R O U T I N E =======================================
ROM:45CFA2F0
ROM:45CFA2F0
ROM:45CFA2F0			 sub_45CFA2F0						   ; CODE XREF: ROM:45CFA27Cp
ROM:45CFA2F0 00 4D					   LDR	 R5, dword_45CFA2F4
ROM:45CFA2F2 28 47					   BX	  R5
ROM:45CFA2F2			; End of function sub_45CFA2F0
ROM:45CFA2F2
ROM:45CFA2F2			; ---------------------------------------------------------------------------
ROM:45CFA2F4 79 D9 E8 44 dword_45CFA2F4  DCD 0x44E8D979		 ; DATA XREF: sub_45CFA2F0r
ROM:45CFA2F8
ROM:45CFA2F8			; =============== S U B R O U T I N E =======================================
ROM:45CFA2F8
ROM:45CFA2F8
ROM:45CFA2F8			 sub_45CFA2F8						   ; CODE XREF: ROM:45CFA292p
ROM:45CFA2F8 00 4D					   LDR	 R5, dword_45CFA2FC
ROM:45CFA2FA 28 47					   BX	  R5
ROM:45CFA2FA			; End of function sub_45CFA2F8
ROM:45CFA2FA
ROM:45CFA2FA			; ---------------------------------------------------------------------------
ROM:45CFA2FC 05 79 46 45 dword_45CFA2FC  DCD 0x45467905		 ; DATA XREF: sub_45CFA2F8r
ROM:45CFA300
ROM:45CFA300			; =============== S U B R O U T I N E =======================================
ROM:45CFA300
ROM:45CFA300
ROM:45CFA300			 sub_45CFA300						   ; CODE XREF: ROM:45CFA2C8p
ROM:45CFA300 00 4D					   LDR	 R5, dword_45CFA304
ROM:45CFA302 28 47					   BX	  R5
ROM:45CFA302			; End of function sub_45CFA300
ROM:45CFA302
ROM:45CFA302			; ---------------------------------------------------------------------------
ROM:45CFA304 CD 7A 46 45 dword_45CFA304  DCD 0x45467ACD		 ; DATA XREF: sub_45CFA300r
ROM:45CFA308
ROM:45CFA308			; =============== S U B R O U T I N E =======================================
ROM:45CFA308
ROM:45CFA308
ROM:45CFA308			 sub_45CFA308						   ; CODE XREF: ROM:45CFA210p
ROM:45CFA308 00 4D					   LDR	 R5, dword_45CFA30C
ROM:45CFA30A 28 47					   BX	  R5
ROM:45CFA30A			; End of function sub_45CFA308
ROM:45CFA30A
ROM:45CFA30A			; ---------------------------------------------------------------------------
ROM:45CFA30C 7D D5 3D 45 dword_45CFA30C  DCD 0x453DD57D		 ; DATA XREF: sub_45CFA308r
ROM:45CFA310
ROM:45CFA310			; =============== S U B R O U T I N E =======================================
ROM:45CFA310
ROM:45CFA310
ROM:45CFA310			 sub_45CFA310						   ; CODE XREF: ROM:45CFA21Ap
ROM:45CFA310 00 4D					   LDR	 R5, dword_45CFA314
ROM:45CFA312 28 47					   BX	  R5
ROM:45CFA312			; End of function sub_45CFA310
ROM:45CFA312
ROM:45CFA312			; ---------------------------------------------------------------------------
ROM:45CFA314 95 D5 3D 45 dword_45CFA314  DCD 0x453DD595		 ; DATA XREF: sub_45CFA310r
ROM:45CFA318
ROM:45CFA318			; =============== S U B R O U T I N E =======================================
ROM:45CFA318
ROM:45CFA318
ROM:45CFA318			 sub_45CFA318						   ; CODE XREF: ROM:45CFA226p
ROM:45CFA318 00 4D					   LDR	 R5, dword_45CFA31C
ROM:45CFA31A 28 47					   BX	  R5
ROM:45CFA31A			; End of function sub_45CFA318
ROM:45CFA31A
ROM:45CFA31A			; ---------------------------------------------------------------------------
ROM:45CFA31C BD 62 35 45 dword_45CFA31C  DCD 0x453562BD		 ; DATA XREF: sub_45CFA318r
ROM:45CFA320
ROM:45CFA320			; =============== S U B R O U T I N E =======================================
ROM:45CFA320
ROM:45CFA320
ROM:45CFA320			 sub_45CFA320						   ; CODE XREF: ROM:45CFA2A2p
ROM:45CFA320 00 4D					   LDR	 R5, dword_45CFA324
ROM:45CFA322 28 47					   BX	  R5
ROM:45CFA322			; End of function sub_45CFA320
ROM:45CFA322
ROM:45CFA322			; ---------------------------------------------------------------------------
ROM:45CFA324 4D EB 47 45 dword_45CFA324  DCD 0x4547EB4D		 ; DATA XREF: sub_45CFA320r
ROM:45CFA328
ROM:45CFA328			; =============== S U B R O U T I N E =======================================
ROM:45CFA328
ROM:45CFA328
ROM:45CFA328			 sub_45CFA328						   ; CODE XREF: ROM:45CFA2C0p
ROM:45CFA328 00 4D					   LDR	 R5, dword_45CFA32C
ROM:45CFA32A 28 47					   BX	  R5
ROM:45CFA32A			; End of function sub_45CFA328
ROM:45CFA32A
ROM:45CFA32A			; ---------------------------------------------------------------------------
ROM:45CFA32C F1 E0 47 45 dword_45CFA32C  DCD 0x4547E0F1		 ; DATA XREF: sub_45CFA328r
ROM:45CFA32C			; ROM		   ends
ROM:45CFA32C
ROM:45CFA32C							 END

i make this ASM file :

include "MILAD.inc"
include "x.inc"
; ---------------------------------------------------------------------------

; Processor	   : ARM710a
; Target assembler: Generic assembler for ARM
; Byte sex		: Little endian

; ===========================================================================

; Segment type: Pure code
				AREA ROM, CODE, READWRITE, ALIGN=0
			   ; ORG 0x45CFA200
				CODE16
				STRH	R1, [R0,4]
				STRH	R1, [R4,2]
				STRH	R1, [R0,2]
				STRH	R1, [R4,6]
				STRH	R1, [R0,6]
				LDR	 R6, [SP]
				PUSH	{R0-R7,LR}
				ADDS	R0, R6, 0
				BL	  addr1
				CMP	 R0, 1
				BNE	 locret_45CFA2CC
				ADDS	R0, R6, 0
				BL	  addr2
				ADDS	R1, R0, 0
				MOV	 R0, SP
				MOVS	R2, 1
				MOVS	R3, 1
				BL	  addr3
				MOV	 R0, SP
				LDRB	R4, [R0]
				CMP	 R4, 0x31
				BLT	 locret_45CFA2CC
				CMP	 R4, 0x39
				BGT	 locret_45CFA2CC
				SUBS	R4, 0x30
				MOVLS   R1, 0x164
				MOVS	R3, 5
				MOVS	R2, 1
				MOVS	R0, 0
				BL	  addr4
				ADDS	R7, R0, 0
				STRH	R4, [R0,4]
				MOVS	R0, 2
				STRB	R0, [R7,0x14]
				ADDS	R1, R7, 0
				adr	 R0, unk_45CFA2D0
				BL	  addr5
				CMP	 R0, 0
				BNE	 locret_45CFA2CC
				LDRB	R0, [R7]
				CMP	 R0, 0
				BEQ	 locret_45CFA2CC
				LDRH	R0, [R7,8]
				STRH	R0, [R7,4]
				LDR	 R0, [R7,0xC]
				STR	 R0, [R7,8]
				MOVS	R0, 2
				STRB	R0, [R7,0x16]
				MOVS	R0, 0
				STRB	R0, [R7,0x12]
				MOVS	R0, 0x2B
				MOVLS   R1, 0x10A
				STRB	R0, [R7,R1]
				ADDS	R1, R7, 0
				adr	 R0, unk_45CFA2D0
				BL	  addr6
				CMP	 R0, 0
				BNE	 locret_45CFA2CC
				LDRB	R0, [R7]
				CMP	 R0, 0
				BEQ	 locret_45CFA2CC
				ADDS	R0, R7, 0
				ADDS	R0, 0x18
				MOVS	R1, 0
				LDR	 R2, dword_45CFA2D4
				BL	  addr7
				ADDS	R6, R0, 0
				ADDS	R1, R7, 0
				MOVS	R0, 0
				BL	  addr8
				MOVS	R0, 0x36
				BL	  addr9
				MOVLS   R0, 0xFF000000
				ADDS	R1, R0, 0
				PUSH	{R0,R1}
				MOVS	R0, 0xEB
				MOVS	R1, 0x6E
				MOVS	R2, 0x16
				MOVS	R3, 4
				PUSH	{R0-R3}
				ADDS	R0, R6, 0
				MOVS	R1, 2
				MOVS	R2, 2
				MOVS	R3, 0x3C
				BL	  addr10
				ADD	 SP, SP, 0x18
				ADDS	R0, R6, 0
				BL	  addr11

locret_45CFA2CC						; CODE XREF: ROM:45CFA216j
									   ; ROM:45CFA230j ...
				POP	 {R0-R7,PC}
; ---------------------------------------------------------------------------
				
align 4
DCB 0xFF
				DCB 0xFF
unk_45CFA2D0	DCB	0			   ; DATA XREF: ROM:45CFA250o
									   ; ROM:45CFA27Ao
				DCB	0
				DCB	0
				DCB	0
dword_45CFA2D4  DCD 0xFFFF			 ; DATA XREF: ROM:45CFA290r

; =============== S U B R O U T I N E =======================================


sub_45CFA2D8						   ; CODE XREF: ROM:45CFA242p
				LDR	 R5, dword_45CFA2DC
				BX	  R5
; End of function sub_45CFA2D8

; ---------------------------------------------------------------------------
align 4
dword_45CFA2DC  DCD 0x44F21625		 ; DATA XREF: sub_45CFA2D8r

; =============== S U B R O U T I N E =======================================


sub_45CFA2E0						   ; CODE XREF: ROM:45CFA29Cp
				LDR	 R5, dword_45CFA2E4
				BX	  R5
; End of function sub_45CFA2E0

; ---------------------------------------------------------------------------
align 4
dword_45CFA2E4  DCD 0x44F21651		 ; DATA XREF: sub_45CFA2E0r

; =============== S U B R O U T I N E =======================================


sub_45CFA2E8						   ; CODE XREF: ROM:45CFA252p
				LDR	 R5, dword_45CFA2EC
				BX	  R5
; End of function sub_45CFA2E8

; ---------------------------------------------------------------------------
align 4
dword_45CFA2EC  DCD 0x44E8FC75		 ; DATA XREF: sub_45CFA2E8r

; =============== S U B R O U T I N E =======================================


sub_45CFA2F0						   ; CODE XREF: ROM:45CFA27Cp
				LDR	 R5, dword_45CFA2F4
				BX	  R5
; End of function sub_45CFA2F0

; ---------------------------------------------------------------------------

align 4
dword_45CFA2F4  DCD 0x44E8D979		 ; DATA XREF: sub_45CFA2F0r

; =============== S U B R O U T I N E =======================================


sub_45CFA2F8						   ; CODE XREF: ROM:45CFA292p
				LDR	 R5, dword_45CFA2FC
				BX	  R5
; End of function sub_45CFA2F8

; ---------------------------------------------------------------------------
align 4

dword_45CFA2FC  DCD 0x45467905		 ; DATA XREF: sub_45CFA2F8r

; =============== S U B R O U T I N E =======================================


sub_45CFA300						   ; CODE XREF: ROM:45CFA2C8p
				LDR	 R5, dword_45CFA304
				BX	  R5
; End of function sub_45CFA300

; ---------------------------------------------------------------------------
align 4

dword_45CFA304  DCD 0x45467ACD		 ; DATA XREF: sub_45CFA300r

; =============== S U B R O U T I N E =======================================


sub_45CFA308						   ; CODE XREF: ROM:45CFA210p
				LDR	 R5, dword_45CFA30C
				BX	  R5
; End of function sub_45CFA308

; ---------------------------------------------------------------------------
align 4

dword_45CFA30C  DCD 0x453DD57D		 ; DATA XREF: sub_45CFA308r

; =============== S U B R O U T I N E =======================================


sub_45CFA310						   ; CODE XREF: ROM:45CFA21Ap
				LDR	 R5, dword_45CFA314
				BX	  R5
; End of function sub_45CFA310

; ---------------------------------------------------------------------------
align 4

dword_45CFA314  DCD 0x453DD595		 ; DATA XREF: sub_45CFA310r

; =============== S U B R O U T I N E =======================================


sub_45CFA318						   ; CODE XREF: ROM:45CFA226p
				LDR	 R5, dword_45CFA31C
				BX	  R5
; End of function sub_45CFA318

; ---------------------------------------------------------------------------
align 4

dword_45CFA31C  DCD 0x453562BD		 ; DATA XREF: sub_45CFA318r

; =============== S U B R O U T I N E =======================================


sub_45CFA320						   ; CODE XREF: ROM:45CFA2A2p
				LDR	 R5, dword_45CFA324
				BX	  R5
; End of function sub_45CFA320

; ---------------------------------------------------------------------------
align 4

dword_45CFA324  DCD 0x4547EB4D		 ; DATA XREF: sub_45CFA320r

; =============== S U B R O U T I N E =======================================


sub_45CFA328						   ; CODE XREF: ROM:45CFA2C0p
				LDR	 R5, dword_45CFA32C
				BX	  R5
; End of function sub_45CFA328

; ---------------------------------------------------------------------------
align 4

dword_45CFA32C  DCD 0x4547E0F1		 ; DATA XREF: sub_45CFA328r
; ROM		   ends

				END

and i make MILAD.INC file with address reference but when i want to convert it to my firmware i 'll confuse!

i know that my pattern is something like this:

00 4D 28 47 ???????? 00 4D 28 47

can anyone help me?

jamesbond22 please guide me

thx

[milad_a]

up!

nobody knows?

[mousex]

Be patient. The people who can help you wont help you faster if you bump your thread every few hours.

[markross]

Quote

i konw that 1ab2bf0=reverse(F12BBF45)-44140000-1 and it jump to section of memory and put new funcion there

so i konw that BOLDed is address for return but i dont know how i can calculate it ?

I gues You using WinHex to port, is there easy way to calucalte it,

simple example:

Quote

;K810 SW-R8BA024
; Upon clicking on swings - resets the brightness of the display and keyboard illumination
; Without patch "Advanced range adjustment of brightness" resets on the value of 50% if the patch is 10%
;© Joker777
;(p) Xamid
45c60c3c: 29CE3C45 4509DA45
45da0944: 00000000000000000000000000000000 FFB5024DA847014DA847FFBD0D883E45

You know the basic so i skip most obviously things.
Jumps are ending with 44/45
29CE3C45 - in this case jump when You press "-"
4509DA45 - jump to offset 45da0944 = when you press "-" phone execute code
0D883E45 - jump to phone function (i guess something connected with brightness)

calculating where point hook:
1. Reverse 29CE3C45 -> 453CCE29
2. Open calculator, turn to hex and paste 453CCE29 - 44140000 = 128CE29
Go to this ofset in FW and just copy some values and search same in desired FW, for me from R8BA024 to R8BF003 offset is 128EA35
3. 128EA35 + 44140000 = 453CEA35, turned = 35EA3C45
4. Search for 35EA3C45 in desired FW - for me in offset 1B23864 (1B23864 + 44140000 = 45C63864)
Now we have:

Quote

45C63864: 35EA3C45

If there's more jumps repeat steps from 1-4

4509DA45 - jump to free space in main which will be owerwrite by additional code, soemtimes no need to be ported but if there is missmatch witch other advanced patch or QA just change it (You probably know how ) I changed it to 45CEB240 = so in patch write 41B2CE45

To port 0D883E45 - repeat steps from 1 - 4. For me = 19A43E45

Ready patch:

Quote

; K810 SW-R8BF003
; Upon clicking on swings - resets the brightness of the display and keyboard illumination
; Without patch "Advanced range adjustment of brightness" resets on the value of 50% if the patch is 10%
; © Joker777
; (p) markross
45C63864: 35EA3C45 41B2CE45
45CEB240: 00000000000000000000000000000000 FFB5024DA847014DA847FFBD19A43E45

Hope You understand

This post has been edited by markross: 30 August 2008 - 11:05 PM

[milad_a]

thx man you survive me

i get it now i'll try if i get any error comment here again buddy

thx again

[milad_a]

thx man it works like a dream

it's my first big patch :(edited now without mismatch error)

;W580 SW-R8BE001
;Vibra when connecting call
; (c) IronMaster
; (p) MILAD
+44140000
C74038: 4A22A35C 994A9047 
C742A0: 9A110000 0119C245 
1AE1900: 00000000000000000000000000000000 4A22A35CFFB5002081B00090A2B06846 
1AE1910: 00000000000000000000000000000000 064988477D21C90032220B1C0668FF24 
1AE1920: 00000000000000000000000000000000 69343659B04723B0FFBDFFFFD51C2E45

This post has been edited by milad_a: 31 August 2008 - 12:25 PM

[photographer]

niiice! that's great! A w580i owner who owns the secret of porting advanced patches yay ^^

[xerxeer]

Quote

hx man it works like a dream

it's my first big patch :(edited now without mismatch error)

gr8 job

be sabrane montazere amozech farsy hastam damet garm

[milad_a]

salam

ta chand rooz dige ye amoozesh farsi toye site topsony.ir mizaram

[mousex]

http://forums.se-nse...n...mp;f=3&id=6

Quote

Language

The language used on SE-NSE is English and we would ask
that you keep to this please.

[KrX]

Congrats milad_a!

Good job on those patches!

[kroco_bodo]

Quote

4509DA45 - jump to free space in main which will be owerwrite by additional code, soemtimes no need to be ported but if there is missmatch witch other advanced patch or QA just change it (You probably know how ) I changed it to 45CEB240 = so in patch write 41B2CE45

how to find 45CEB240 from 4509DA45? i didn't know how, please tell me

[datacrime]

milad_a, on 2008-08-29 13:45, said:

hi

i can port small patch like this :

; [url="/products/W580"]W580[/url] R8BE001 
; Remove "Emergency calls" 
; Ubirayutsya 911 and 112, with zalochennoy keylock 
; Remove "Emergency calls" 911 and 112 when keyboard is locked. 
; © Joker XT
; (p) MILAD

+44140000
106A1A8: 3131320039313100 0000000000000000

but when i try to patch progressive patch that use new free section of memory and make new function i'll confuse!

see below:



i konw that 1ab2bf0=reverse(F12BBF45)-44140000-1 and it jump to section of memory and put new funcion there

so i konw that BOLDed is address for return but i dont know how i can calculate it ?

see this one too:




this is ported patch :



i know that C1E1BF45 indicate jump place and it's diffrent in 2 patches because destination is diffrent but BOLDed section in patches is permanent and the red section is variable that i think is return addresss

can anybody help me?

i know that in this forum we have many people that port such patch share your knowlagment with us

how you port DB2020 patch


thx in advance

please download this patch this patch work fine!:

http://se-zone.ru/pa...oad.php?id=1555