Wednesday, December 31, 2008

Bootloader - how (unsolved yet)

Being used to the community with my HTC devices - it seems that we are currently at a loss to have low-level access without the operating system running. The only things that run well are the itsutils tools from XDA developer "itsme" - look there:
Other tools that operate on the extracted filesystem images (e.g. "ROM Kitchen" or also WM5editrom) are also working as expected - but I have not yet dared to flash anything back via pdocwrite :-)

Some low-level access should be possible, however I do not yet know how. What I found out so far is:
  • Pressing power-on and holding the message-key will send a USB signal to a connected PC. The Windows-XP PC then searches for a "Neptune" USB device - for which the web hardly offers anything useful, except:
  • The Motorola Flash tools (yes another deja vu with Motorola) require dedicated drivers to install. After this is done successfully - well nothing more happens.
It seems that in the very short time (3 seconds) that this temporary state of USB exists some communication has to be established to keep it alive. Any hints are welcome.

I had also hoped that tools available for the BenQ P51 may help here, but it just seems that they are not doing more than itsutils can do already. And since we do not yet know the addresses of the various parts of the ROM, nothing gained here either :-(

Tuesday, December 30, 2008

Remove UMAClient.exe

You can remove UMAClient.exe from \HKLM\init\Launch.. but still keep WiFi switched off after reboot. UMAClient cares for the settings in Settings->Connections->WiFi transmission. If not loaded also the WiFi mode to disable WiFi if not connected after

Interesting Programs in \windows

Interesting Programs (not linked via .lnk files) in \windows:
  • DevHealth.exe will also be called by LogMaster and creates a very elaborate memory and process report. It is named "mem_1.txt" and is either located in the Storage Card root or the main memory root, sized ~ 292kB. Subsequent calls will generate files named mem_.txt where relates to the called number. This file includes the DLL relationship of all active loaded modules, so it is easy for ROM cleaners to sort out the debug ROM remains.
    -> This is the key application to investigate further any modifications of Startup options or ROM modifications.
  • LogMaster.exe sets various trace and log points, can call netlogctl.exe, swmodemtrace.exe, celogflush.exe, DevHealth.exe, WinsockLogApp.exe, links to LogUtil.dll which relates to logfiles: OSImageVersion.txt, sqpco.log, sqmodem.log, sqdriver.log, sqatcmd.log
    My version is 2.4 (I have seen already 2.5 in another ROM).
  • QDW.exe (internally referenced: "QDW.exe is launched by AppExceptionMonitor.exe", but this .exe is missing, only a dll is remaining). This would read (or write) to files in \Windows\System\ExceptionExtraLogs\. It calls copylog.exe to do the job.
    If directly called it asks for a memory card and generates a directory \yyyymmdd_hhmmss\ExceptionExtraLogs\, generating (copying) the files ELog.txt, KITL.txt, qatcmd.log, qdriver.log, qmodem.log, qpco.log and verinfo.txt. The call finishes with "copy failed".
  • PreForWSA.exe is called via HKLM\init\Launch.. and may prepare WinSockLogging (may call \Windows\WinsockLogApp.exe)
  • prtscrn.exe generates a screendump of the current state, it is also called via long press of the Vol-Up key and generates a file called scncap.jpg in the "\My Documents" folder ( is a sequence number starting at 1).

Power Drain

The E72 battery driver functions do not deliver drain and temperature, but the backup battery voltage is reported. The drain measured with an ammeter is (rough values):
  • 60 mA display visible - no keyboard lights
  • 90 mA lowest Light - with keyboard lights
  • 110 mA more
  • 120 mA normal
  • 130 mA high
  • 150 mA highest
  • BT creates peaks ~ 10 mA on top roughly once per second
  • WiFi creates peaks ~60 mA similar rate as above
  • power off still drains the battery to charge the backup battery but only a few µA (micro Ampere)

Retrieve hidden settings/options

Retrieve hidden settings/options in the setup menus by removing the commenting in the relevant XML files:
  • callforwarding.cpl.xml get CFU settings for Data and Fax (Phone->Call Forwarding)
  • clckalrm.cpl.xml get Automatic Timezone setting from Network (Clock&Alarm->TimeZone->AutoTimeZone)
  • telephonygsm.cpl.xml get Frequencyband selection (Phone->Band Selection = usually "automatic")
  • connectgsm.cpl.xml get SMS delivery options (Connections->SMS Service = usually "circuit only")
You will need to copy these files to your PC from the device's \windows directory, edit them with a Unicode capable editor (notepad.exe) and copy them back to the device's \windows directory. A reboot is not required. Changes persist until you have to do a factory reset (so hopefully forever).
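The edit described above can also be scripted on the PC instead of being done by hand. This is an added example, not code from the original post: it assumes the hidden entries are well-formed elements wrapped in `<!-- -->` and that the files are UTF-16 with a byte order mark; the element names in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
BOMS = {b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be"}

def is_markup(body):
    """True when a comment body is itself well-formed element markup."""
    body = body.strip()
    if not body.startswith("<"):
        return False          # ordinary descriptive comment, keep it
    try:
        ET.fromstring("<wrap>" + body + "</wrap>")
        return True
    except ET.ParseError:
        return False

def uncomment(text):
    """Unwrap commented-out elements; return (new_text, number_unwrapped)."""
    count = 0
    def repl(match):
        nonlocal count
        if not is_markup(match.group(1)):
            return match.group(0)
        count += 1
        return match.group(1).strip()
    return COMMENT.sub(repl, text), count

def patch_bytes(raw):
    """Patch file content as bytes, keeping the original BOM and encoding."""
    bom = raw[:2] if raw[:2] in BOMS else b""
    enc = BOMS.get(bom, "utf-8")
    new, count = uncomment(raw[len(bom):].decode(enc))
    ET.fromstring(new)        # refuse to return a file that no longer parses
    return bom + new.encode(enc), count

# Constructed sample; element and attribute names are hypothetical.
SAMPLE = (
    '<cpl>\r\n'
    '  <!-- band selection page -->\r\n'
    '  <item name="Automatic"/>\r\n'
    '  <!--\r\n  <item name="BandSelection"/>\r\n  -->\r\n'
    '</cpl>\r\n'
)

if __name__ == "__main__":
    raw = b"\xff\xfe" + SAMPLE.encode("utf-16-le")
    patched, n = patch_bytes(raw)
    print(n, "block(s) uncommented")
    print(patched[2:].decode("utf-16-le"))
```

Keep an untouched copy of each original file before copying the patched version back to the device.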

Install more than one T9 language

  • get packages from
  • download also the package that you already have + the ones you want (so all have the same version) - if you fail to download ALL packages it will spoil your T9 completely
  • install them all, ignore device reboot requests in the meantime
  • edit HKEY_LOCAL_MACHINE\T9 Input Method\MUI\Languages string "Available" to contain concatenated (separated by comma) all language numbers
  • reboot device

Cleaning up the \windows directory

Although the device has much more free memory (around 25 MB) to install programs on than my old Tornado (around 10 MB), I still want to have the device cleaned up from things I do not need. As I (still) have a BT-Fusion branded device, some tips may not be applicable for yours.

  • Remove locales not needed for MunduIM (fr, it, br, ...directories)
  • \Data folder is for beetzRSS -> move to SD card in options menu
  • \Java folder for JBED -> move to SD card, change keys in registry at (HKEY_CURRENT_USER\Software\JBlend)
  • \Profiles folder for PIE -> move to SD card by changing paths at: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (may not be persistent if card is not ready at boot time or is removed)
  • \Rings folder for ringtones -> also in \windows but are not referenced from there, so they stay here
  • \skins folder is for HipCam (HKEY_LOCAL_MACHINE\Software\Emuzed Inc\HipCam)
  • \sounds folder is for Camera sounds (HKEY_LOCAL_MACHINE\System\Pictures\Camera\OEM)
  • \themes folder is for HipCam (HKEY_LOCAL_MACHINE\Software\Emuzed Inc\HipCam)
  • \traveller folder for FIZZ Traveler (move to SDCard, change items in HKEY_CURRENT_USER\Software\FizzSoftware\MicroClient\TRS)
General tip: When the device is first booted (or after a factory reset - pushing left+right softkey when turning on) several actions are taken to copy files from the \windows directory (as a repository) to various places on the device. Some things are necessary for the functions to work right, some are not.

Hacking the USB Headset connector

[Updated 20090105 - see below]
Well - much to my disappointment, my device (claimed as - nearly new, factory refurbished) was delivered with a set of non-original parts. I received a Blackberry charger which has the option to exchange the plug for the mains-socket, so it also works in my continental sockets in Germany - no problem here, especially as all my other chargers (from my older HTC devices) also work.

BUT: the delivered headset was a cheap Motorola S200 replacement - which has the same plug, but different connectors inside. No way to get it working :-(
I knew that I would not use the original headset, but I need a blueprint to understand what is going on to build a USB-3.5mm adaptor. As I do not have that (yet - hopefully), I have checked other options to debug the duplicate purpose of the standard mini-USB (5 pin) plug.

The good part is that you have a big variety of Motorola headsets or adaptors that you can start working with - just look for the RAZR V3, it has the same physical connector.
The bad part is that the multiple use of the same socket for different purposes creates the need to have the device switch between these modes. Also here it is advised to have a look at related Motorola resources, e.g. here:
Unfortunately the described options do NOT work for the E72 - but they give a clue on what to investigate...

The USB socket has 5 pins + shield, sometimes the numbering is 1,2,3,x,4, but I prefer to number the pins in sequence, i.e. 1,2,3,4,5 - just like the EMU wiki above does.

  1. Connecting a resistor in the range of 50 to 200 kOhm between (5+Shield) and (1) will raise the level at (1) from 0,3V to the full power of the battery (you can drive a light with this!) for exactly 10 seconds.
  2. Pin (3) (the middle one) will generate a stepping voltage output (1 Hz) as long as (1) is up - here I suspect an action is required to confirm the operation mode.
  3. nothing more - I had to give up here...
  • The temporary presence of (a fully powered) supply voltage at pin (1) and the activity at pin (3) may indicate an active wired headset (just like the Motorola). It is however impossible to tell without a real E72 headset at hand...
[Updated 20090105:]
Thanks to the community in Taiwan, see this post, the connection strategy is now settled :-)
Continuing my discussion above, the "protocol" on pin(3) is very simple - just connect a resistor (below about 250 ohm) to ground - that's all - the device will go into headset mode (can also be seen at HKLM\System\State\Hardware - the value of the "Headset" property changes to "1").
After the device is in headset mode, pin(3) can be released again (which I did to identify the other speaker channel and microphone connection). So the final result is then for the numbered pins of the USB connector (1-5):

  1. Must be connected with a resistor less than 200 kOhms (but more than 10k - not to drain the battery) to ground. The voltage will rise briefly to battery level (so if you short-circuit this to ground it may kill it) but then drop back to 0,16 V to stay there. I suspect that accepting calls with the headset button will introduce new functionality here...
  2. Speaker channel (l,r not checked, source indicates right here) - must be connected to a speaker or a pulldown resistor at device-headset connection time.
  3. Speaker channel (l,r not checked, source indicates left here)
  4. Microphone channel (checked to work with Audionotes)
  5. Ground
So luckily no complicated electronics - get your soldering irons ready!

Mind that the drawing in the Taiwanese post labels the "V+" and "GND" incorrectly - they have to be reversed. The "NC" (microphone) pin is close to the - (GND) pin.

The crappy Battery levels on the BenQ E72

Did you notice that some report a bad battery life for this device? I did as well and there are several reasons possible for that - the most important one imho is the crappy battery level indication on the device (at least on mine - the BT-Fusion branded Version):

If you watch the Battery-Level in Windows, it reaches 100% already with a battery voltage of only 39xx mV - far less than a fully charged battery. Always watch for the green LED to indicate a full charge - this comes at 42xx mV as it should be.

This problem applies as well for the discharge: Any battery voltage above 3906 mV is reported as 100%. So you think the battery lasts forever - just to give you a bad surprise below that voltage. The Tornado is way below 80% here...

I still hope that this is due to a crappy battery.dll which may be a special version for the BT-Fusion device. In its intended use, it will eat more power than a normal device as it will scan for WIFI to connect a VOIP call via Internet if possible.

If you want to contribute your observations for a non BT-Fusion device - you can get the Voltage and Charge Percentage from the registry anytime at: HKLM\System\State\ or simply use the well known CeleTask option "Power Status".

If you know of a working(!) battery monitor that logs data to a file please tell me. My current idea is to create a MortScript that polls the registry and writes data to a file - yet no time to do that actually.

Edit 20090104:
In the meantime I have seen that the charge level may not depend on the battery voltage alone - see especially this link. When scanning the extracted files from the ROM dump, I have also found a huge bunch of possible registry entries in the battery.dll module. I will not try to debug their influence, so my only hope is that some other ROM contains a better charge-level calculation.

Why I bought the BenQ E72

Well - this phone caught my eye already a long time ago, i.e. when it was announced early 2007. At that time I had just bought my Tornado (O2 XDA Phone) and the E72 did not offer much more - especially with the price tag it had at that time.
Then, September 2008, the phone hit Expansys.UK for just 100GBP - and I was really tempted to buy one. As I found an even cheaper option on ebay then (69GBP) I could no longer resist and bought one. Still some days after I bought it - the promised wired headset is not there, although the vendor has promised to deliver one (as announced in the advertisement) - sigh... if that does not come finally I will have to return the device and buy one from Expansys.

OK - what does it offer more than the Tornado?
  • thinner, lighter (not really smaller)
  • less energy consumption in wireless modes (Bluetooth and WIFI)
  • can read micro-SDHC cards (after installation of a small CAB)
  • micro-SD cards are hot-pluggable
  • much better sound from the speaker
  • better camera (2 instead of 1,3 MP + better options: Emuzed HipCam)
  • better JAVA (JBlend)
  • Nice MMS Client (from Jataayu)
  • Active Sync via Bluetooth is a snap now :-)
What is worse (yes there is!) than the Tornado?
  • Battery level indication is crap (dedicated post will follow)
  • no 3rd-party wired headsets or adapters available (dedicated post will follow)
  • only English language installed in my BT-Fusion branded device
  • smaller LCD (2" vs 2,2") and Battery (900 vs 1150 mAh)
  • no big support community (yet)
Specialties I do not care much about:
  • "Redial" option when calls are busy
  • automatic Key-Lock (on Home Screen Settings)
  • Facade HomeScreens (limited)
  • MunduIM
  • BeetzStream RSS
What still works with this device:
  • WM5storage (check the LED options - you can choose any, including vibrate)
  • TomTom 5 - just like any other application after application unlock
...and what does not any longer:
  • omapclock, special Tornado related tools

Starting the log...

Hey - despite many resources on the web about Windows Mobile - I have made up my mind to have a kind of log related to my BenQ E72 efforts. Unfortunately BenQ is not a vendor with a long history in Windows Mobile - and not very popular in Germany since the failed Benq-Siemens deal.
This makes dedicated resources for this phone or re-usable tools and methods hard to find and even harder to have a common place to discuss about.

I have had Windows Mobile Smartphones since 2004 (SDA Music) when I moved away from my 2-device (mobile + organizer) handling to just one. Then came an O2 XDA phone with TomTom mobile 5 (receiving a new heart from a Vodafone VDA 1240 with WiFi finally). This O2 XDA phone is still my device of choice as it is not fully replaced yet by my last phone, the BenQ E72.