• Welcome, Guest. Please login.
 

[Tutorial] Manual creating of some patches

Started by Bipolar, January 14, 2011, 03:04:47 pm

previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Bipolar

January 14, 2011, 03:04:47 pm Last Edit: January 16, 2011, 12:35:41 am by Bipolar
Contents:
1.Keypad lock/unlock (+ patch generator at the end)
2.
Change the enter to opcode menu
3.Disable the midlet verification
4.
Java over Bluetooth (+ patch generator at the end)
5.
Guide to create patch
6.
Phone buttons and their hex values
7.
ASCII Table

You wil need:

XVI32
and
FlashBackup 2.62

1.Keypad lock/unlock
Open with some Hex editor CG1 of the Firmware that you are using. Then search for hex string:

For Locking keys: 14 00 0A 00 26 00 14 00 0B 00 26


For Unlocking keys: 14 D1 00 24 01 1C 20 BC 10 BC 08

(Screenshots are from CG1 48R)

14    -    menu  /first button
and
0A   -     *       /second button

You can change them directly in CG1 by changing the values:

Look at "Phone buttons and their hex values"

For creating patch you need to click with the cursor on 14,0A and write somewhere the offsets: look here
Now create new text document with notepad and if you want lock menu+menu and unlock right soft+menu write in:
[Patch_code]
here the offset(hexadecimal)of lock b. 1: 14
offset lock b. 2: 14
unlock b. 1: 0F
unlock b. 2: 14

Example(48R):
[Patch_Code]
319ead: 14
319eaf:  14
459db7: 0f
459e0b: 14

Now save and change extension of the file from .txt to .fpa and the patch is ready.

Here are the patch codes for some firmwares:

Firmware                    48R               45R           42R             70R           6FR                6BR
Lock button 1           319ead         319de5     319aa9        31CD75       31cced          31BD15
Lock button 2           319eaf          319de7     319aab        31CD77       31ccef           31BD17
Unlock button 1        459db7         459CDF     45998B        45C52D       45C1A5         45AE09
Unlock button 2        459e0b         459D33     4599DF        45C581        45C1F9         45AE5D

And a good program that does all this for you A~LUPG_v1.1.3b by ~Absolut buG~

(You have to know that not all combination of keys is supported by the firmware)

2.Change the enter to opcode menu(from menu+ 048263* to menu+ one key)
Search string: 00 00 04 00 08 00 02 00 06 00 03 00 0A


You need to change only

00 - to value of the button that you want to use
and
04 - that has to be changed to 26

(if you change only 04 to 26 its going to be menu +0)
00 can be changed to 0A,11,12,0F,0E,17,18(1,2,..9 are used for shortcuts)
Recommend: 0A,11,12(*,End call,Answer)

Then to create patch write the offsets of 00,04 and the patch should look like that:
[Patch_Code]
31a095: 0A
31a097: 26
(this is menu + *)

Firmware                45R                48R              70R           6fr         42r
offset of 00         319FCD          31a095           31cf5d     31ced5    319c91
offset of 04         319FCF           31a097           31cf5f      31ced7    319c93


3.Disable the midlet verification(you have to change 9005 to E00F)
Search for string: 90 05 90 04 1C 0F 26 0F 22 0C
If you cant find it try this: E0 0F 90 04 1C 0F 26 0F 22 0C(that means your firmware is allready patched)

Firmware : offset
70R : 1DA96A
6FR : 1DA952
42R : 1D8C16
45R : 1D8E7E
48R : 1D8E7E

Patch should look like that:
[Patch_Code]
1D8E7E: E00F

4.Java over Bluetooth(This patch is for transfering files through bluetooth, you need phoneman or iphone explorer to copy the files to audio,video or pictures)
Open with hex editor CG1 of your firmware,search for these hex strings:

1.00 00 00 00 00 21 12 00 00 D0 12                    (write down the offset for first 00 only)
2.D0 12 00 01 B7 12 00 02 20                       -here you have to write the offset for the last one(20)
3.05 00 00 00 00 00 00 07 03                              (offset of 05)
4.77 00 62 00 6D FF FE                                         (of 77)
When you got the offsets you are ready to create the patch.
(offsets: patch code)
1.(00): 3E4F
2.(20): 21
3.(05): 04                                 (04 is for files to be in video folder/audio=03/pictures=05/audio and video=10)
4.(77): 6A00610072                 (6A is j; 06 is a; 72 is r = jar ,if you want to send other file just change this hex values > see ASCII Table)

Example(48R for .jar file stored in video):
[Patch_Code]     
2FCB7E: 3E4F
2FCB87: 21   
2FCC34: 04   
2FD5A5: 6A00610072

And a good program that does all this for you "motobluetooth 1.2.0 beta" by
vassio

5.Guide to create patch
Create new text document with notepad and write in:
[Patch_code]
offset: hex value

Example(48R changing keypad lock/unlock):
[Patch_Code]
319ead: 14
319eaf:  14
459db7: 0f
459e0b: 14

Other Example(48R Disable the midlet verification):
[Patch_Code]
1D8E7E: E00F
Save it and change extension of the file from .txt to .fpa and the patch is ready.

6.Phone buttons and their hex values
(Key  > Hex Value)
KP1   >   01          Answer > 12          Joy Left > 2E   
KP2   >   02        End Call > 11          Joy Click > 3D                 
KP3   >   03      Right Soft > 0F         T-Mobile > 42
KP4   >   04        Left Soft > 0E
KP5   >   05           Joy up > 2C
KP6   >   06             Menu > 14
KP7   >   07       Joy down > 2D
KP8   >   08          Vol. Up > 17
KP9   >   09      Vol.Down > 18
KP*   >   0A        Smart b. > 15
KP0   >   00      Camera b. > 3F
KP#   >   0B      Joy Right > 2F

7.ASCII Table

Dec = Decimal
Hx = Hexadecimal (Use this)
Oct = Octal
Html = HyperText Markup Language
Char = Character