Nokia S60 ROM Modding, Dev. Cert. Zone

  • Thread starter: Necrophilia
Hacking & Signing Simplified - Now includes Leftup & BiNPDA certs

Big THANKS to FCA00000, Leftup & Zorn for making this possible...you guys rock

PREREQUISITES:
Install the SignSis v1.03 Repacked.sisx attached to this post on your phone.
Install X-plore if you don't already have it installed.
Press 0 in X-plore to bring up the settings dialog and ensure that Show Hidden files & Show system files/folders are enabled.

Also ensure that in Application Manager, Software Installation is set to All and Online certif. check is set to Off


STEP 1: LET'S HACK YOUR PHONE FIRST
Install ROMPatcher from HERE
Open ROMPatcher and select Disable caps from Options menu. Then exit from it.

STEP 2: FINAL STEP TO SETUP YOUR PHONE TO SIGN APPLICATIONS
Copy the 00000001.rar file to your phone. In X-plore, browse to the file and open it.
Then press 4 to extract and select C: as destination.

Now browse to the file C:\resource\swicertstore\dat\00000001. Press 6 & enable the Read-only attribute for it.


All done! Now you can sign any unsigned app and install it.


TO SIGN ANY UNSIGNED APP USING SIGNSIS:
- Open SignSIS and select unsigned SIS file by pressing middle joystick button.
- Select Selfsign from Options menu.
- The signed file will be placed in the same folder with a SISX extension.



To sign your apps on a PC, you should use the cert & key from Leftup_CertKey.rar with your favorite signing tool.
 


Silent Hack

1) download files and extract those that apply to you: preFP1 or FP1
2) apply the hack using the script (or Profiler application)
3) copy CProfDriver_SISX.ldd from RAR into C:\sys\bin
4) install CapsOn.sisx
5) install CapsOff.sisx

To hack the phone, run CapsOff. To revert to normal, run CapsOn
Program runs and exits immediately.
To test it, run any unprivileged application and see if it gets permissions.
For example, unpatched X-plorer should be able to access c:\sys\bin\

Remember: CapsOn is normal. CapsOff means hacked.

If you want to uninstall Profile afterwards, you need to copy CProfDriver_SISX.ldd into c:\sys\bin\ again.
I have been told that a tool called PowerBoot allows programs to be started when the phone starts.
I suggest you NOT to do that. Disable security only when needed, not all the time.
 


Signsis v1.03 by leftup@OPDA
changes:
support signing with RSA key & cert
Optimistically speaking, we can use any valid key & cert pair now.
Enjoy it

Best Regards
 


Sign & Install any app - Bye Bye Symbiansigned/OpenSigned

The following method is old & complicated. A much easier method is now available in the Hacking and Simfield thread.
Click http://forum.gsmmkd.com/showthread.php?t=1442 to follow it.
Do not update your Nokia PC Suite or Nokia Software Updater to latest versions. Please make sure you have Nokia PC Suite v6.85 or below.
If you have already upgraded then you need to uninstall both the products and re-install old Nokia PC Suite again. You can upgrade to the new versions once you have completed the following procedure and hacked your phone.

Step 1. One time procedure
First you need to apply FCA00000's hack as described in the following thread
http://forum.gsmmkd.com/showthread.php?t=765
Step 2.
Now you should have access to C:\sys\bin. Simply follow the instructions and install the utilities available at
http://forum.gsmmkd.com/showthread.php?t=1443
Step 3. This is the final step to setup your phone to accept your signed apps
If you had installed http://forum.gsmmkd.com/showthread.php?t=1444 earlier then extract the contents of keycert.rar to c:\private\EC696702 overwriting the previous files. (If you installed SignSis to memory card then replace C: with E:)

Create the following folder & subfolders:
c:\resource\swicertstore\dat\

Extract and copy the 00000001 file to the above folder. Once you have copied the file, enable the read-only attribute for it. (In X-plore press 6 to do it)

All Done


Now you can sign any of the unsigned apps and install them.

To sign using SignSIS:
- Open SignSIS and select unsigned sis file.
- Select Options -> Selfsign

To sign using any of the PC based signing apps, just extract and use the key & cert from keycert.rar
 


ROMPatcher - The ultimate hack by Zorn & FCA00000 [Detailed Procedure by swankyleo]

PLEASE USE THE ATTACHMENTS PROVIDED IN THIS POST [Updated 14-MAY-08]

Dear iPmartians! What we were all waiting for is finally here, thanks to mighty FCA00000 and discoveries made after his platform hack, Zorn has managed to make a ROMPatcher. Big THANKS to FCA00000 and to ZoRn for all their effort in empowering us with the ultimate freedom to customize & improve the functionality of our phones. We will never find the right words to thank them and will be always grateful to them!

Quote:
What is ROMPatcher?
ROMPatcher is an amazing piece of code, application allowing you to patch the ROM in a very easy and secure way. We are only limited by our imagination when it comes to the number of uses for it. There is no real danger in using it because it maps the ROM into RAM and then modifies it, so the patch is not permanent and a phone restart will clean all changes made by the patcher. After restart, you have to manually enable the patches again.

What is the difference between the FCA's hack & Zorn's hack?
FIRST STEP
The first step involves hacking the phone from PC to gain access to the system folders. For FCA's hack you have to install Metro TRK and a dummy application called HelloCarbide on the phone. Only Metro TRK is required for Zorn's hack.
For FCA's method you are required to install python & related libraries on PC.
Based on the work of FCA, Zorn simplified this process by using Windows API. In short no need to install python & extra stuff.

SECOND STEP
For FCA's hack you have to install CapsOn/CapsOff to toggle the phone security. This is done by manually installing the SIS files.
Zorn simplified this process too by giving us an option in the first step itself to install the ROMPatcher. In ROMPatcher options you get the same functionality to enable/disable phone capabilities.
LET US BEGIN
PLEASE NOTE THERE IS NO HACK AVAILABLE FOR N93/N93i YET

If you have already applied Leftup's root certificate as mentioned http://forum.gsmmkd.com/showthread.php?t=1445, then you can directly install the ROMPatcher from attachment and then skip to the Patches section below, otherwise proceed through the tutorial.

Those who have already installed ROMPatcher (any version) can install it again from the SIS file. This will give you the option to uninstall ROMPatcher from App. manager.
First restart your phone. Then try installing the SIS file 2-3 times. The first few tries will fail with the error "Update failed!" but the last try will always succeed.


Download the applicable RAR file for your phone and extract the contents to a folder. You can check out your phone model:
Quote:
Pre-FP1 devices:
-------------------
Nokia N77
Nokia E61i
Nokia E65
Nokia N93i
Nokia N91 8GB
Nokia E62
Nokia E50
Nokia 5500
Nokia N93
Nokia N73
Nokia N80
Nokia N71
Nokia N92
Nokia E70
Nokia E60
Nokia E61
Nokia 3250

FP1 devices:
---------------
Nokia 6124 classic
Nokia N82
Nokia N95-3 NAM
Nokia E51
Nokia N95 8GB
Nokia N81
Nokia N81 8GB
Nokia 6121 classic
Nokia 6120 classic
Nokia 5700 XpressMusic
Nokia 6110 Navigator
Nokia E90 Communicator
Nokia N76
Nokia 6290
Nokia N95

FP2 devices
-------------
Nokia 5320 XpressMusic
Nokia N78
Nokia N96
Nokia 6210 Navigator
Nokia 6220 classic
Transfer the TRK SIS file to your phone and install it to phone memory. Make sure Nokia PC Suite is not running. Now connect your phone to PC using the USB cable in PC Suite mode.


By default TRK starts in Bluetooth mode, cancel it. Then go to Options->Settings and set them as shown below. When done TRK will show connected.
[screenshots]


Now find out the port number of your phone USB connection from the device manager. (Tip: Start Menu->Run->devmgmt.msc). In the following image it is COM4 for my N73.
[screenshot]


On the PC now run RPInstaller.exe and enter the COM port number. Now click on Install Button (do not tick the box). If successful, you will see something like this:
[screenshot]


If no errors occurred, you will find a new application ROMPatcher in your phone's Applications folder (Do not start it yet). Now close the RPinstaller application on your PC. Exit from the TRK on your phone and then disconnect the cable and reboot your phone.

HOW TO APPLY PATCHES

Make the folder E:\Patches on your phone. All the supplied/future patches should be copied into this folder. Patch files are simple text files you can open in any text editor.


The application lists all the patches available in E:\Patches. You can simply enable or disable a patch as shown below:
[screenshots]


You can download the available patches from the next post below. After downloading, just copy them to E:\Patches on your phone.

Quote:
Zorn has also released a tool to create a ROM dump for debugging. It is not useful for the noobs, but if you are interested you can download it from HERE. Just install DumpROM to phone memory and run it (Note: The process takes a lot of time).
Using this ROMPatcher:
To disable caps (same as CapsOff): Select Options->Disable caps
To enable caps (same as CapsOn) : Select Options->Enable caps
 


ROMPatcher for S60 3rd Edition Devices!
By ZoRn and patches by FCA00000

Detailed tutorials by swankyleo http://forum.gsmmkd.com/showthread.php?t=1446

ROMPatcher by -=ZoRn=-

Installation:
1. First you need to install MetroTRK on your mobile and launch it.
2. Change address (and/or checkVal) in RPInstaller.ini to yours.
For Symbian 9.1 the address is 60000148; for 9.2 it is C0000148
3. Launch RPInstaller.exe, select MetroTRK COM port and press Install
4. If no errors occur then you have ROMPatcher installed on your mobile


Patches:
Patches should be in the E:\Patches directory on the mobile and have the rmp extension.
The symbol count for addresses and patch data must be divisible by 2. 12345 - WRONG, 012345 - RIGHT.

Example patch:
This line (first 256 symbols, I think it enough) will be shown while you choose "Patch info" submenu.\nThis patch just for test. Replace Z:\resource\versions\sw.txt

Lines that dont start with one of patch method (like this one ) just ignored.
abs:F93C70A6:34002E0030003600330032002E0030002E00330038:35002E0038003800380038002E0037002E00360035

;This line also ignored. Next line show relative patch method. Doing the same as line above, but not only for N80 FW 4.0632.0.38
rel:resource\versions\sw.txt:06:34002E0030003600330032002E0030002E00330038:35002E0038003800380038002E0037002E00360035

//Another method of patches above - Search'n'Replace
SnR:resource\versions\sw.txt:34002E0030003600330032002E0030002E00330038:35002E0038003800380038002E0037002E00360035




From FCA00000

patch:
EnableHiddenMenus.rar

Save this as
e:\Patches\EnableHiddenMenus.rmp
and activate it.

Quote:
; *** EnableHiddenMenus 1.0 ***
; *** Enable Hidden Menus ***
; Author: fca00000 , fca00000-at-yahoo-dot-es
; Date: 2008.04.18
; Firmware: tested on N80 v 5.0719.02 . Might work on preFP1+FP1
;
; In the main applications menu some options disappear if you select a program or a folder.
; This patch shows all of them, allowing to rename applications and creating sub-folders inside folders.
; Seems to work on preFP1, although on FP1 it doesn't show the menu to rename apps.
;
; For the curious people: I changed eikcoctl.dll in
; method CEikMenuPane::DeleteMenuItem
; so that it simply returns
;F8F29D56 PUSH {R0,R1,R4-R7,LR} ; patch to BX LR
;F8F29D58 SUB SP, SP, #4
;F8F29D5A LSLS R6, R0, #0
;F8F29D5C LDR R0, [R0,#0x70]
;F8F29D5E MOVS R7, #0
;F8F29D60 CMP R0, #0
;F8F29D62 BEQ loc_F8F29D66
;F8F29D64 LDR R7, [R0,#4]
;
; As far as I know, nothing is broken. But I decline all responsibility, of course.
; Anyway, here it is. Enjoy
; end of EnableHiddenMenus
SnR:sys\bin\eikcoctl.dll:F3B581B00600006F0027:704781B00600006F0027

patch: ChangeSwipolicyPath (allows installing unsigned apps)

Save as e:\patches\ChangeSwipolicyPath.rmp
Quote:
*** ChangeSwipolicyPath 1.0 ***
; *** Change swipolicy path ***
; Author: phrig
; Released by: fca00000 , fca00000-at-yahoo-dot-es
; Date: 2008.04.24
; Thanks to -=ZoRn=- for his wonderful ROMPatcher and phrig for making these changes. I am just publishing and polishing it.
; Credits also go to Symbaali for his initial great discovery about that, back in 2007
; Firmware: tested on N80 v 5.0719.02 . Might work on preFP1+FP1
;
; Change path to swipolicy.ini in securitymanager.dll to e:\system\data\swipolicy.ini
; You also need to copy the file from Z: into E:
; then, you can modify it.
; I suggest:
; AllowUnsigned = true
; UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment Location SurroundingsDD UserEnvironment NetworkControl SwEvent AllFiles NetworkControl DiskAdmin ProtServ TrustedUI DRM WriteDeviceData ReadDeviceData MultimediaDD PowerMgmt CommDD TCB
; with these changes, you might run some programs that are unsigned.
; Warning: not all unsigned programs can be installed. For example, if supplier is untrusted or certificate has expired.
; Warning: installing a program from untrusted sources is dangerous and might destroy your phone.
;
; For the curious people: the change is done in securitymanager.dll
;
; As far as I know, nothing is broken. But I decline all responsibility, of course.
; Anyway, here it is. Enjoy
; end of ChangeSwipolicyPath
SnR:sys\bin\securitymanager.dll:1C0000007A003A005C00730079007300740065006D005C0064006100740061005C0073007700690070006F006C006900630079002E0069006E006900:1C00000065003A005C00730079007300740065006D005C0064006100740061005C0073007700690070006F006C006900630079002E0069006E006900
[14-MAY-08]
Updated ROMPatcher with new icons is now available. Download from Post#2 below.

Attachment in 1st post removed to avoid confusion - Phoezies
RECENTLY ADDED PATCHES WILL APPEAR ON THE TOP
INDEX UPDATED ON 03-MAY-2008


ChangeKeyCombinations by CODeRUS
This patch will change the key combinations used for various purposes like *#0000#, *#06#, *#7780#, *#7370#, etc. More info available in post.

ChangePhoneModel&Firmware by MORF
This patch is only meant for fun & to make your phone unique. Using this patch you can customize all the info(firmware & phone model) shown when you type *#0000#.

DisableCameraSounds for N95-8gb v20.0.16 by Microx256
These patches will disable the camera capture, focus, recording & stop sounds.
Note: Dmoe has confirmed it working on Euro-I N95 v21.0.016 also.

Camcorder patch for muting the capturing sound on 6120c by wook

No camera sound for E51 by wook

EnableHiddenMenus by FCA00000 for pre-FP1
In the main applications menu some options disappear if you select a program or a folder. This patch shows all of them, allowing you to rename applications and create sub-folders inside folders. When this patch is activated it is applicable to all menus on the phone. Also note that all the hidden items get shown but the owning application hasn't activated them and will not respond to them. So please stop complaining about this.
Quote:
ChangeSwipolicyPath by FCA00000
This patch will give all the capabilities to the installed applications. Also it will allow you to install some unsigned applications. Not all unsigned programs can be installed e.g. if supplier is untrusted.
Warning: Installing a program from untrusted sources is dangerous.

To make this patch work, some steps need to be followed first on your phone:
Copy z:\system\data\swipolicy.ini to e:\system\data\swipolicy.ini and modify the following settings in it:
AllowUnsigned = true
UserCapabilities = NetworkServices LocalServices ReadUserData WriteUserData UserEnvironment Location SurroundingsDD UserEnvironment NetworkControl SwEvent AllFiles NetworkControl DiskAdmin ProtServ TrustedUI DRM WriteDeviceData ReadDeviceData MultimediaDD PowerMgmt CommDD TCB

Here is a sample modified ChangeSwipolicyPath.rar from my phone. (do not use it)
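
An added example (not part of the original thread, and not ROMPatcher's own code): a small Python auditor for the abs / rel / SnR line formats shown in the example patch above. It rejects hex fields with an odd symbol count and decodes UTF-16LE data so a reviewer can see what a patch rewrites before enabling it. The field layout is inferred from the example lines on this page; the case-insensitive method match and the audit flags are assumptions of this example.

```python
import re
from dataclasses import dataclass

FIELDS = {"abs": 4, "rel": 5, "snr": 4}     # ':'-separated fields per patch method
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")    # whole bytes only: "12345" fails, "012345" passes

@dataclass
class Patch:
    line_no: int
    method: str      # "abs", "rel" or "snr"
    target: str      # ROM address (abs) or path below Z:\ (rel, SnR)
    offset: int      # byte offset inside the file for rel, otherwise -1
    orig: bytes
    new: bytes

def parse_rmp(text):
    """Return (patches, problems) for the text of one .rmp file."""
    patches, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        method = parts[0].lower()    # assumption: method names compared case-insensitively
        if method not in FIELDS:
            continue                 # description or comment line, ignored by the format
        if len(parts) != FIELDS[method]:
            problems.append((no, "wrong number of fields"))
            continue
        hex_fields = parts[1:] if method == "abs" else parts[2:]
        if not all(HEX.fullmatch(h) for h in hex_fields):
            problems.append((no, "hex field is not a whole number of bytes"))
            continue
        offset = int(parts[2], 16) if method == "rel" else -1
        patches.append(Patch(no, method, parts[1], offset, *map(bytes.fromhex, parts[-2:])))
    return patches, problems

def utf16_preview(data):
    """Printable ASCII held in UTF-16LE code units; every other unit becomes '.'."""
    data += b"\x00" * (len(data) % 2)    # the sw.txt strings end on a lone low byte
    return "".join(chr(lo) if hi == 0 and 0x20 <= lo < 0x7F else "."
                   for lo, hi in zip(data[0::2], data[1::2]))

def changed_offsets(p):
    """Offsets inside the matched bytes that the replacement actually alters."""
    short, long_ = sorted((len(p.orig), len(p.new)))
    return [i for i in range(short) if p.orig[i] != p.new[i]] + list(range(short, long_))

def audit(p):
    """Reviewer flags: this example's own heuristics, not ROMPatcher behaviour."""
    flags = ["length-change"] if len(p.orig) != len(p.new) else []
    if p.method != "abs" and p.target.lower().startswith("sys\\bin\\"):
        flags.append("system-binary")
    return flags

# Patch lines taken from this page (hex re-joined); the last line is constructed.
OLD = "34002E0030003600330032002E0030002E00330038"
NEW = "35002E0038003800380038002E0037002E00360035"
INI = "3A005C00730079007300740065006D005C0064006100740061005C0073007700690070006F006C006900630079002E0069006E006900"
SAMPLE = "\n".join([
    "Patch info text shown in the menu (no method prefix, so ignored)",
    f"abs:F93C70A6:{OLD}:{NEW}",
    rf"rel:resource\versions\sw.txt:06:{OLD}:{NEW}",
    rf"SnR:sys\bin\securitymanager.dll:1C0000007A00{INI}:1C0000006500{INI}",
    "abs:F93C70A6:12345:012345",    # constructed: odd symbol count, the WRONG case above
])

if __name__ == "__main__":
    patches, problems = parse_rmp(SAMPLE)
    for p in patches:
        print(p.method, p.target, utf16_preview(p.orig), "->", utf16_preview(p.new), audit(p))
    print("rejected:", problems)
```

Run on the ChangeSwipolicyPath line, it shows that the only byte altered is the drive letter of the swipolicy.ini path (z: to e:), which is the whole effect of that patch.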
 


c2z Patch Creator by FCA00000 [Updated 11-MAY-08]

This program makes a patch to be used with ROMPatcher. The purpose of this patch is to force the phone to use files in C: before the same file in Z:



For example, if you have c:\resource\apps\About.r01
then it will take precedence over z:\resource\apps\About.r01

This is useful to fake Symbian so that it takes your own file, before the original one. As files in C: are read+write, you can modify them.

Instructions:
  • From your phone copy the file z:\sys\bin\EFSrv.dll to the PC in the same folder where you have c2z.exe and then run c2z.exe
  • It will generate the file c2z.rmp
  • Now copy the generated rmp file to your mobile in E:\Patches
  • Start ROMPatcher and enable the patch
Which files can be overridden?
At least *.RSC , *.MBM, *.INI, *.R??, *.TXT

Changelog 11.05.08:
Now it can replace z:\resource\versions\sw.txt & z:\system\data\swipolicy.ini and many others. Therefore some of the previous patches are no longer needed.
Still can not load some DLLs and EXEs but I am working on it.

On some FP1 phone models, by default the files in C: are used before the same file in Z: If your phone exhibits this behaviour then you don't need this patch. But this might not be true for all files.

DOWNLOAD (This is a direct link, so you'll always get the latest one)

Kindly ensure that you are using the latest ROMPatcher released on 30-APR-08 from http://forum.gsmmkd.com/showthread.php?t=1446
 
Camera Sound OFF--c2z patch--For ALL HACKED PHONES--SIMPLIFIED
This method works for all hacked phones. It doesn't matter if it's pre-FP1 or FP1 models.

For this, you need c2z patch...You can learn how to apply this patch from http://forum.gsmmkd.com/showthread.php?t=1449


Now the Real Part:

1:Copy the included "Camcorder.r01" to C:\resources\apps\ (if the language is not English, i.e. not *.r01, then go to Z:\resources\apps\, copy Camcorder.r* of your language to C:\resources\apps\, and edit it to direct it to those sound files)


2:Copy all the included sound files to c:\data\sounds\digital\ [Create this folder if not present]

3:Just goto ROMpatcher and apply c2z patch.


That's It


Note:
Whenever you restart the phone, the patch is removed, so you need to apply the patch again from ROMPatcher.

EDIT:::::
In case this doesn't work for you, it means you have CamMojave rather than CamCord, so for CamMojave followers, visit: http://forum.gsmmkd.com/showthread.php?t=1450

This trick will work for all the other hacked cells which follow the Camcord.01 file

Confirmed working on: E61i , E65, 5500, 3250, 5700XM, 6110Navigator, 6120c


This thread is for English models, and if your model is different then you need to edit your camcorder.r*
 


Camera sound off (Patch) Tested on N95, may not work on all other phones.

This is a patch for ROMPatcher, only for S60v3

1. Unpack camera patch.zip and copy all .wav files to e:\system\sounds\digital
2. Copy all .rmp files to e:\patches\
3. Apply patch and enjoy.
Each patch is for a different thing; allin1.rmp is the patch that shuts all camera sounds off.
capture1-4 - turning off capture1-4 sounds
focus - turning off focus sound
start/stopcapture - turning off start/stop capture video sound
allin1 - turning off ALL camera sounds

Of course you can replace the .wav files with your own .wav files, for example an explosion sound for capture1, etc.

CamMojaveCapture1-4.wav - Capture 1-4 sound
CamMojaveFocusSucc.wav - Focus sound
CamMojaveStart/Stop - Video capture start/stop sound

@edit:
If you don't have e:\system\sounds\digital folder, just make it yourself.
 


Your own text for your phone model (Patch)

1. Create a model.txt file in e:\resource\versions\
2. Write a text in this file and save it in UNICODE format (I think max text length is 20).
3. Activate the patch and have fun.

Patch in attachment.


Edit:
Put model.rmp in E:\Patches\ and you must have ROMPatcher installed to activate the patch.
 


How to install ANY applications using platform hack!


Apparently, this wasn't good enough for some people so today I bring you another method to get the applications that you want on your phone without the need of Stupid Symbian Signed!


READ THE GUIDE CAREFULLY AND DO EXACTLY AS IT SAYS!


First of all, you will need to have the Symbian Platform hack RUNNING this means you must be able to write to the C drive on your phone. Check out the guide if you haven't done it already.
http://forum.gsmmkd.com/showthread.php?t=765

1) Download and install MobileSigner to your PHONE MEMORY, not memory card (A great app by leftup, a member of OPDA and Symbian Freak forums) from here.


2) Download this file. Open up Y Browser and create a folder in resource called swicertstore and then make another folder in there called dat so it should be c:\RESOURCE\SWICERTSTORE\DAT once you've done that, paste the file that you just downloaded in the dat folder that you created.


3) Go back to Resource and from there, make swicertstore into a read-only folder (Options>file>attributes) once you've done that, make dat into a read-only folder as well and then, finally, make the 0000001 file into read-only.


NOTE: you may get an error like 'invalid name' while trying to make the files read only this is because the C:\ part of the path isn't visible in the scrolling text at the top in Y Browser. These screenshots should make everything clear:

correctsave.jpg

When you can see the C:\ part at the top like it's highlighted in the screenshot above press save

badsave.jpg

When you can't see C:\ above, wait for it to scroll along until it's like the first screenshot before you press save otherwise you'll get an error.


4) Go to the private folder on C: and then scroll down to the folder named EC696702 and paste these 2 files into that folder, say yes when Y Browser asks you to replace them.


5) Copy your unsigned file to your memory card, in any place you want as long as you'll remember it.



6) Open up MobileSigner and select the application that you'll be signing. Now go to Options>SelfSign.



You'll get a message confirming your success. Now navigate to where you saved your application and there'll be a new copy of the app with a .SISx extension. Install it and enjoy!


Now all you'll ever have to do to install unsigned apps again is just repeat step 5! Easy, isn't it!?
 
