Running unsigned code on BREW devices/Casio

From Legacy Portable Computing Wiki

This method of BREW sideloading patches parts of the firmware to remove the signature checks entirely, so apps carrying test signatures with mismatched ESNs and differing dates run without problems. As with the LG guide, this is the best of the BREW sideloading solutions so far, as no ESN changing is required (so there is no risk of old BREW apps being deleted if the end-user has not backed them up beforehand).

This is intended to be a step-by-step guide on how to patch a Casio CDMA phone to run unsigned BREW programs.

Disclaimer

As with any modification of any kind, there is a small chance your phone will be bricked if something goes wrong. Do this at your own risk!

Currently compatible phones

These phones have the necessary requirements in order to work correctly for this guide:

  • Casio C781 Ravine 2 - Fully working with no issues.
    Please be aware that Casio released four revisions of this device: C781, C781H, C781NC, and C781NCH. This guide has been tested to work with the C781, C781H, and C781NC only.

Prerequisites

Setting everything up

Make sure that the battery is fully charged. Do not continue otherwise - you will brick your device if it runs out of charge while flashing!

Once the phone is fully charged, power it on. Go to MENU → Settings & Tools → 12. USB Mode and change the setting to Modem Mode. In newer firmware versions, this option is named Charge Only.

At this point, the phone should be detected correctly by your PC or laptop once plugged in. Make sure the computer you're using is running either Windows XP or Windows 7.

Installing Flasher Programs

Note: Be sure Modem Mode is set as instructed!

Connect the phone to your computer. After a few seconds, Windows should detect it, and at this point you can install the drivers from C781_Drivers.

When the drivers are finished installing, open Device Manager and go to Ports (COM & LPT). You should see the following entries:

Once you have confirmed the drivers were installed correctly, install the following programs:

PT_PST_Framework_Store_NCMC_v3.9_70111.msi (install this one first!)

PT_PST_C781_Store_v1.4.5.1_B0322.msi

Important steps for newer firmware versions

Before opening any of the PST tools, check the firmware version of your phone by going to MENU → Settings & Tools → Phone Info → SW/HW Version → Software Version.

If your firmware version is WC781VWB885F.252, then no additional steps are required.

If your firmware version is not the version above (e.g., WC781VWF211F.252), you will need to use a patched version of Download_PST.dll in order to flash the modified firmware.

To do this, download the above file and copy it to C:\Program Files\NCMC\PST\Store\C781 (this assumes you did not change the installer path).

It's important to note that the patched DLL will alter the flashing procedure in a way that the EFS2 partition will be re-formatted. All of your personal data will be wiped!

It is strongly recommended that you back up your EFS2 partition. The partition may become corrupted after flashing and some applications will not work afterwards.

Backing up Activation data

Activation data can be backed up to a file using the PT PST Store application installed earlier. When first opened, the app will ask which interface to use to connect to the phone. You'll want to select CASIO C781(UDP), and once detected, the PST should display the model and currently installed firmware version. If the PST does not detect your device, try another port.

Once connected, press the Phone Setting button in the top-left. From there, check off every option on the Settings checklist, and then press Read from Phone. At that point, your screen should look something like this:

If everything looks as it should, press File Save. Keep this file somewhere important as it will be needed later.

You're now ready to flash the modified firmware!

Flashing the firmware

Open PT PST Store and set your phone port as instructed if you haven't done so already.

Click the S/W Upgrade button in the top-left, and then press the [...] button and browse to where your modified firmware is. Be sure to extract the ZIP first!

The screenshot below shows the CEFS box checked; this will only happen if you have to use the patched Download_PST DLL.

Flashing will take around 5 minutes. Do not disconnect the device while this takes place.

Your phone will automatically reboot once it's finished flashing. If the patched Download_PST DLL was used, you will see the following extra step:

Please wait until this finishes before continuing further.

Restoring the Activation backup

If your EFS2 partition was wiped, be sure to restore your backup! You will need to reconfigure the USB Mode as instructed in the "Setting everything up" section.

Open PT PST Store if it isn't already, go to Phone Setting, and press the File Open button. Select your previously saved backup, and then press Write to Phone.

Your phone will automatically reboot once the backup has been written.

Checking if the firmware was flashed correctly

This isn't strictly required, but can save a lot of time if certain applications are not starting.

Go to MENU → Apps and open Mobile IM.

If the app opens normally, then you can proceed to the next step. If nothing opens or the phone reboots, then your EFS2 partition is corrupted. You will need to re-flash the firmware using the patched Download_PST DLL, as described in the "Important steps for newer firmware versions" section.

Installing AppManager

As is normal practice with any BREW device, there is no installation wizard for loading your own apps. Every app needs to be copied to the proper directories, or the phone will not know they are there.

This is not a particularly safe method, as the phone detects new apps on each reboot. If an application is unstable or incompatible, then it will lead to a boot-loop. There is no simple recovery method for this rare scenario, so unless you have access to JTAG equipment, it will never boot again.

Due to this, there is a need to "install" the AppManager so that BREW apps can be opened directly from the SD card. With this method, if you ever encounter a boot-loop, you can simply remove the SD card and delete the offending app.

The AppManager you want to install can be found here.

You can sideload this to the phone using IoE Development Tools. (RevSkills and Bitpim should also work, but this has not been tested!)

Once the tools are installed, open the Loader application. In the selection window, choose BREW MP Targets [COM/BTIL] and CASIO C781 Diagnostic Serial Port(UDP). Your COM number may be different than what is shown below.

At this point, a file structure tree should be shown. You'll want to copy the entire appmgr folder to fs:/mod including all of its files: appmgr.mod, appmgrln.bar, and appmgrls.bar.

Once you've done that, navigate to fs:/mif and copy appmgr.mif to the folder.

At this point, you can restart your device. While you could sideload other apps/games in the same way, this is not a recommended method for reasons explained in the beginning of this section. SD card sideloading is explained in the next section.

Installing Apps via SD card

In order to install BREW apps from an SD card, a certain folder structure is necessary. On the root directory of the SD card, create a brew folder (just like that - it's case sensitive!). Inside of the brew folder, create another folder named usermods (also case sensitive).

For each app you wish to install, you'll need to make a separate folder inside of usermods. You'll need to put all of the application files, MIF included, in said subfolder(s). Below is an example of how you would load FManager:

In general, the directory structure should look like this:

[Root directory]
|
+---[brew]
         |
         +---[usermods]
                      |
                      +-------[app_name1]
                                        +--------app_name1.mif 
                                        +--------app_name1.bar 
                                        +--------app_name1.mod 
                                        +--------app_name1.sig
                      +-------[app_name2]
                                        +--------app_name2.mif 
                                        +--------app_name2.bar 
                                        +--------app_name2.mod 
                                        +--------app_name2.sig

Be sure not to modify the names of files inside of /mod/ folders. If a BREW game backup you download has the files named in a certain way, keep them like that.
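
The layout above can be checked on the PC before the card goes back into the phone. The following is an added example, not part of the original guide or its tools: it compares folder names with exact case (Windows will treat "BREW" and "brew" as the same folder) and assumes, from the tree above, that every app folder needs at least a .mif and a .mod file. The function names are hypothetical and the sample card is constructed.

```python
import os
import tempfile

# Assumption drawn from the tree above: every app folder holds a .mif and a .mod.
# Extension case is not checked, since file names are kept as shipped.
REQUIRED_EXTS = (".mif", ".mod")


def exact_child(parent, name):
    # os.path.exists() would accept "BREW" for "brew" on Windows/FAT, so compare
    # against the directory listing, which preserves the stored case.
    return os.path.join(parent, name) if name in os.listdir(parent) else None


def check_sd_layout(sd_root):
    """Return a list of problems in the brew/usermods layout (empty list = OK)."""
    problems, parent = [], sd_root
    for part in ("brew", "usermods"):
        found = exact_child(parent, part)
        if found is None or not os.path.isdir(found):
            near = [n for n in os.listdir(parent) if n.lower() == part and n != part]
            hint = f" (found {near[0]!r}: wrong case)" if near else ""
            problems.append(f"missing folder {part!r} in {parent}{hint}")
            return problems
        parent = found
    for entry in sorted(os.listdir(parent)):
        path = os.path.join(parent, entry)
        if not os.path.isdir(path):
            problems.append(f"{entry}: loose file in usermods, needs its own folder")
            continue
        exts = {os.path.splitext(f)[1].lower() for f in os.listdir(path)}
        problems += [f"{entry}: no {ext} file in app folder"
                     for ext in REQUIRED_EXTS if ext not in exts]
    return problems


def build_sample(root, brew="brew"):
    """Constructed sample card: one complete app, one without a MIF, one loose file."""
    base = os.path.join(root, brew, "usermods")
    os.makedirs(os.path.join(base, "app_name1"))
    os.makedirs(os.path.join(base, "app_name2"))
    for f in ("app_name1/app_name1.mif", "app_name1/app_name1.mod",
              "app_name2/app_name2.mod", "stray.mod"):
        open(os.path.join(base, f), "w").close()
    return root


if __name__ == "__main__":
    for problem in check_sd_layout(build_sample(tempfile.mkdtemp())):
        print(problem)
```

To check a real card, pass its drive root (for example the SD card's drive letter) to check_sd_layout instead of the constructed sample.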

You can use the built-in Mass Storage USB option on the phone to copy files to the SD card without removing it. Keep in mind that new apps will be detected upon reboot. If you decide to copy BREW apps to the SD card while it is outside of the phone, the apps will be detected once the phone is restarted and the SD card is reinserted.

Running BREW apps

Once AppManager is installed, it will take the place of the stock Verizon Apps menu, opened by going to MENU → Apps.

Use the d-pad to select the app you want to run, and then press the center button to open said app.

If you've made it this far, congrats! You're now able to load BREW apps and games to your phone with just an SD card alone.

References

This guide was based off of a previous PDF Casio C781 BREW guide. Said PDF and the resources that go along with it can be found here: Original PDF guide and files