
Using Far Manager to hack/flash/patch/customize Sony Ericsson K750i CID49 mobile phones

This tutorial just describes the method I used to hack my phone. By hack, I mean accessing the phone's internal filesystem and applying patches to the firmware. This should be a very simple tutorial for people with little experience.

The method here works for me. I offer no warranty that it will work for you. If you try to reproduce these steps, you are entirely responsible for your phone. If you kill your phone, it is not my problem. Also, I'm not very experienced with phone hacking, so don't even try to ask anything by e-mail, because I probably won't know. If you have a different phone, then the method for hacking it may be similar, or may be completely different. I really don't know, because I have only a K750i CID49 and can't (and won't) test with other phones.

Please read the entire tutorial before trying to hack your phone.

Originally written on 2007-02-17. Last changed on 2007-06-28. Written by Denilson F. de Sá.

Glossary

Before continuing, I must explain some terms that will be used in this tutorial (and probably in any other tutorial).

CID
CID36
CID49
The CID number is the generation of Sony Ericsson protection. Old K750i phones usually have CID36, while newer phones have CID49. All W800i phones have CID36. Why is this important? Because while CID36 protection was broken a long time ago, CID49 was not. That means the nice old methods of hacking CID36 did not work. But nowadays some workarounds are possible and we can hack K750i (and W810i, and W300i, and others) CID49 phones too.
Red
Brown
The color of a phone is some type of phone version, and is not related to external case color. Most end-user phones are red. This tutorial talks only about red K750i (because that is the version I have). If you have a brown phone, search somewhere else for instructions. Read a more detailed description at one SE-NSE forum post.
Firmware
Firmware can be thought of as the phone's operating system.
Patch
Firmware Patch
A patch is something that modifies the firmware, but is not a full firmware. Each patch is written for only one firmware version, and will not work on different versions (in fact, it may be possible to adjust one patch to work on another firmware, but this is far beyond the scope of this tutorial).
MAIN
FS
CSFS
When hacking the phone, you can access either the MAIN firmware code or the phone's internal file system (FS or CSFS).
GDFS
It is an internal part of MAIN, containing important things, including IMEI and calibration data. GDFS is unique for each phone, and shouldn't be messed with.
DCU-60
DCU-60 is the standard USB cable that comes with most Sony Ericsson phones. It is different from the service cable (AKA Cruiser 4 in 1). For this tutorial, we need a DCU-60.
to flash
A verb meaning "update the firmware", or "write something to the phone's flash memory".
IMEI
IMEI is some type of phone serial number that uniquely identifies your phone. Never publish this number on the Internet, but you can safely tell the first 8 digits. I believe it is written to some OTP, in addition to GDFS.

Requirements

Preparing everything

  1. Install Far Manager. Just execute the installer and follow the instructions.

  2. Extract the SEFP010044.zip file inside C:\Program Files\Far\Plugins\. The directory SEFP should be created inside that path.

  3. Extract the sefp010051.rar file to the same path. Confirm the overwriting of any file or directory. The reason is that the SEFP 0.10.0.51 archive does not contain the full SEFP, and is intended to be extracted on top of SEFP 0.10.0.44.

  4. Optionally rename db2010cid49_4_alpha.rar.zip file to db2010cid49_4_alpha.rar, because that file is actually a RAR archive.

  5. Open db2010cid49_4_alpha.rar file and extract the SEFP folder at Far Manager plugins path. Confirm overwriting of any file or directory. This contains a patch and some files needed to make SEFP work with CID49 phones.

  6. Run sefp0.10.0.51patch.exe file, available at C:\Program Files\Far\Plugins\SEFP\ and click do it!. Message patched! will be displayed.

    Screenshot of sefp0.10.0.51patch.exe

  7. Open db2010cid49_4_alpha.rar file and extract k750w800_r2e_dcu.49r.ssw. Go to REST directory inside that archive and extract the rest_K750_xxxx.bin file where xxxx is your firmware version. If you are in doubt, extract the entire REST directory.

  8. Extract the XS++.rar file somewhere.

  9. Either install SEUS or keep EPIUSB drivers nearby. You will need these drivers when you plug your phone in Flash mode for the first time.

Overview of the entire process

Supposing the software above is correctly installed, then the entire process is made of the following steps:

  1. Discover what firmware version you have.
  2. Use XS++ to apply a patch to your phone firmware. This patch will allow SEFP to work with your phone. Notice, however, that you won't be able to turn on your phone after this step. Don't worry, we will fix that later.
  3. Use SEFP to access the phone's internal FS and/or use SEFP to apply MAIN firmware patches.
  4. Use SEFP to apply a "restore" patch, to allow the phone to be turned on again. OR, instead of applying this patch, we can flash the entire MAIN firmware.
  5. Depending on the changes made, you will need to go to Menu > Settings > Master reset > Reset settings after the phone has been turned on again. This will reset most settings done in all Settings panels, but will keep all your contacts, games, applications, sounds, images...

Getting phone's software info

On your phone, press: * * *. This will display a Service menu, where you can test some features of your phone and also read the software versions. Go to Service info and then Software info.

The first line will be the firmware version. It will be R1AA008, R1BC002, R1CA021 or R1DB001. If you have one of the first two versions, consider updating the full firmware (either by this method or by using SEUS), because these firmwares are quite old. Please take note of your firmware version.

Also on that screen you can read the Camera driver version. The camera driver and the display driver (as well as some other files) can be replaced easily, once you get access to the phone's FS. Some people use modified third-party drivers. The latest official Sony Ericsson camera driver version is 5.3.

On that screen you can also read the phone CDA. Even though we don't need it for this tutorial, it might be required for other customizations.

Using XS++ to patch the breakin-loader

  1. Run XS++.exe.

    XS++ first screen.

  2. Turn off your phone, remove the battery, remove the Memory Stick, remove the SIM card. (Note: in fact you do not need to remove the Memory Stick or SIM card.) Wait a few seconds. Don't rush. Then put the battery back in, but do not turn on your phone. Plug the DCU-60 cable into the computer, but do not plug it into the phone yet.

  3. Press Start at XS++ software.

    XS++ waiting for the user to connect the phone.

  4. Hold C button on phone, then connect the DCU-60 cable to phone. Keep C pressed until you notice the program recognized your phone.

    XS++ recognizing the phone.

    If a "New hardware found" Windows message shows up, then install the EPIUSB drivers and restart the process.

    If the phone turns on (screen goes white and it starts to boot), then something went wrong. Try restarting the process and do not miss any step.

  5. XS++ will print some useful information, including the phone color and CID, as well as firmware version. From now on, instructions are for my phone: K750i CID49 Red. There are no guarantees this method will work on other phones, and also no guarantee this will work on your phone.

  6. Mark the Flash Main Firmware checkbox. Find the k750w800_r2e_dcu.49r.ssw file. Do not change anything else and click Flash.

    XS++ with k750w800_r2e_dcu.49r.ssw file selected to be flashed at main firmware.

  7. After some seconds, it will display Finishing flash. Then click on Stop and confirm the operation.

    XS++ finished flashing of breakin loader, but the user must manually press Stop.

    XS++ will say Error: Flashing failed, but don't worry, it really worked. Now unplug the phone, remove the battery, and close XS++. Your phone won't turn on anymore, but SEFP will be able to access it.

    XS++ after the user pressed Stop.

Using SEFP to gain access to your phone

  1. Open Far Manager. Press F11 to open the plugins menu. Select SEFP 0.10.0.51.

    List of available Far plugins, with SEFP 0.10.0.51 selected.

  2. Select DCU-60 as Device, 921600 (the maximum available) as Speed, and k750_w800_CID49 as Boot script. Press Enter The Matrix.

    SE Flash Plugin startup dialog, where you choose the connection type (any COM port or the USB DCU-60 cable), the connection speed (usually 921600 is selected) and the boot script (each boot script works only for one or a few phones).

  3. Put the battery back, hold C button and plug your phone.

    SEFP waiting for the user to connect the phone.

  4. Congratulations! Now you can use SEFP with your phone! You have two choices: FLASH, to flash main firmware and apply patches; and FS, to have access to phone's internal filesystem. Select one of them, according to what you want to do. Remember that, after choosing one of them, you need to unplug the phone and activate SEFP plugin again before you can access the other one.

    SEFP after the phone has been recognized. It shows FLASH (to flash the main firmware) and FS (to access phone's internal file system).

Using SEFP to disable the camera shutter sound

Let's suppose you want to disable that annoying camera sound. There are two ways of doing that. Both of them involve editing the FS portion of your phone. So, select the FS item after you connect your phone in SEFP.

  1. The first way to remove camera sounds is to delete the sound files at /tpa/preset/system/sound/. To do it, just navigate until you reach that directory, then press F8 to delete files.

    Of course, you might want to make a backup of any edited or deleted file. To do it, just copy it from phone to your computer.

  2. The second way to remove camera sounds is to edit the customize.xml file inside the /tpa/preset/custom/ directory. Just navigate until you reach it, select the file and press F4. Find the following line and change it from false to true.

    <suppress-camera-sound>true</suppress-camera-sound>

    Save the file and quit the editor.

You can copy files from/to phone using F5. You can (de)select a file by pressing Ins (selected files are yellow). You can view file contents using F3. You can delete files using F8. You can move the cursor to left/right panel by pressing Tab. You can see more shortcuts at bottom of screen. You can read help using F1.

Important! Once you have changed everything you want, you must shut down the CSFSloader, or things can badly break.

To shut down the CSFSloader, navigate through .. directories until the root. When you try to follow the last .. directory, SEFP will ask if you really want to shut it down. Confirm by choosing YES, and only after the shutdown is complete can you safely remove the DCU-60 cable. Quit Far Manager before using SEFP again.

Warning: Do you wish to SHUTDOW CSFSloader? NO YES

Remember that all changes to the customize.xml file and most changes to other portions of the filesystem require a Master reset after you turn the phone on.

I've read that you can create a customize_upgrade.xml file, which will apply the changes when the phone boots, without the need for a Master reset. I've never tried customize_upgrade.xml; search the web for it if you want more info.

Using SEFP to patch MAIN firmware

Let's suppose you will apply some VKP patches to your phone. These patches are available at many sites; look at the Links section for a small list.

  1. Select the FLASH item after you connect your phone in SEFP.

    SEFP after the phone has been recognized. It shows FLASH (to flash the main firmware) and FS (to access phone's internal file system).

  2. Inside FLASH mode, you don't have access to filesystem. Press Tab and navigate on your computer directories to find the patches you want.

    SEFP under FLASH mode. Only one big file called 'memory' is displayed.

  3. Select the VKP file and press F3 to view its contents. These patches usually have a short text description at the top (ignored by the flash process), followed by hexadecimal code of both the original data and the modified data. Sometimes the text description has important information you must know. Press F10 to quit the viewer.

  4. Press F5 to copy the VKP file to SEFP: virtual drive. Don't modify anything, just press Enter.

    Far Manager Copy dialog, asking you to confirm the copy operation.

  5. Since the FLASH is not a filesystem, instead of just copying the file, SEFP will ask you to confirm the Flash operation. Since this is a VKP file and SEFP automatically detected that, we can just press Enter to confirm the operation. Note that you can also remove any VKP patch you've applied before, by just marking the Remove patch checkbox.

    SEFP Flash dialog. You can select the file type and can also remove VKP patches you've applied before.

  6. That's it. You can apply more patches now, if you want. Notice that, unlike the FS, there is no need to shut down anything.
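Because each VKP carries both the original and the modified bytes, a patch can be checked against a firmware dump on the computer before anything is flashed. The following is an added example, not part of the original tutorial or of SEFP; the VKP syntax it parses (`;` comments, `+HEX`/`-HEX` base offset, `ADDR: OLD NEW` data lines), the function names and the sample data are assumptions made for illustration.

```python
import re

# Assumed VKP syntax (not spelled out in the tutorial): ';' starts a comment,
# '+HEX' / '-HEX' sets a base offset, data lines read 'ADDR: OLDHEX NEWHEX'.
DATA = re.compile(r'^([0-9A-Fa-f]{1,8}):\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)$')
BASE = re.compile(r'^([+-])([0-9A-Fa-f]+)$')

def parse_vkp(text):
    """Return [(offset, old_bytes, new_bytes)]; description lines are skipped."""
    base, records = 0, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(';', 1)[0].strip()
        if m := BASE.match(line):
            base = int(m.group(1) + m.group(2), 16)
        elif m := DATA.match(line):
            old, new = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
            if len(old) != len(new):
                raise ValueError(f"line {lineno}: old/new lengths differ")
            records.append((base + int(m.group(1), 16), old, new))
    return records

def check_patch(image, records):
    """Label each record 'applicable', 'applied' or 'mismatch' for this image."""
    report = []
    for off, old, new in records:
        found = image[off:off + len(old)] if off >= 0 else b''
        state = 'applicable' if found == old else 'applied' if found == new else 'mismatch'
        report.append((off, state))
    return report

def apply_patch(image, records, remove=False):
    """Return a patched copy (or undo with remove=True); refuse on unexpected bytes."""
    out = bytearray(image)
    for off, old, new in records:
        expect, write = (new, old) if remove else (old, new)
        if off < 0 or bytes(out[off:off + len(expect)]) != expect:
            raise ValueError(f"0x{off:X}: unexpected bytes, wrong firmware version?")
        out[off:off + len(write)] = write
    return bytes(out)

# Constructed sample patch and stand-in image, not real K750i data.
SAMPLE_VKP = """\
;Constructed example patch
+10
0004: 1415 C046
0008: 18 00
"""
SAMPLE_IMAGE = bytes(range(32))
print(check_patch(SAMPLE_IMAGE, parse_vkp(SAMPLE_VKP)))
```

A `mismatch` on any record means the patch was written for a different firmware version than the dump, which is the situation the glossary entry on patches describes.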

Using SEFP to restore phone firmware

If you try to turn on your phone, it won't. Now we must fix that!

  1. Select the FLASH item after you connect your phone in SEFP. If you've already selected that because you applied other patches, then go on to next step.

  2. Find the rest_K750_xxxx.bin, according to your firmware version.

  3. Press F5 to copy the file to phone's memory. Confirm the first dialog (Far Manager dialog).

  4. The option Flash BABE ssw image will be selected. Leave it selected and confirm.

    SEFP Flash dialog. Use 'Flash BABE ssw image' option to flash the REST file.

  5. That's it. Your phone is restored. Now it will turn on, but won't be recognized anymore by SEFP (after you unplug it). Whenever you want to hack your phone again, follow all these instructions again.

    SEFP Flash report dialog. It just shows some information about the process, with only one button: Close.

  6. Unplug the phone, remove the battery, put the SIM card back, put the Memory Stick back (optional). The first time you turn your phone on after hacking it will require you to keep the power button pressed for a few more seconds than normal. Then it will boot up normally. Enjoy! :)

  7. Depending on the changes you've made, you need to go to Menu > Settings > Master reset > Reset settings. Usually this is required after you change the filesystem. Be warned this will clear most settings available in all those Settings panels, but will keep contacts, images, sounds, games, applications and some other things intact. The default phone unlock code is 0000 (four zeros).

FAQ

Can I use bluetooth to flash/hack my phone?
No, you must use the USB cable.
My phone is not recognized anymore by any program!
Don't worry... Unplug it, remove the battery and leave it without battery for a few minutes. Then try again. If it still does not work... Then start to worry. :)
How similar are K750i and W800i models?
They have the same hardware, but different cases (I personally prefer the K750i case, much prettier, much more elegant, and also has camera lens cover). Many people flash a W800i firmware into K750i phone.
How can I flash a W800i firmware into K750i phone?
Don't ask me. Search for a tutorial somewhere else.

Note that some of the following posts are old, and may contain outdated information.