Omnius has signed loader access via SEUS mode. It authenticates to the bootloader (thanks to a valid signature) and thereby gains access to flash/GDFS operations, which lets it change the CID53 certificate colour to developer brown (now for free with the kaijousuru server). Unfortunately, the source code was lost over time (2elw stated the sources were sold along with the initial sale of the dev). //Please help if you have contact with former owners of Omnius to free CID53 browning completely.// \\
[[https://gsmserver.com/en/updates/omnius-software-update-v0-22-for-sony-ericsson-released/?utm_source=chatgpt.com|v0.22 (10-2011) protocol of early version]] \\
gsmcure is/was the forum part of Omnius. \\
Apparently the Omnius source got leaked fairly early into development (can somebody confirm and share?) \\
Also Aerix, Omnius, Cruiser and a couple more were all made by the same people - they do look similar, as the wxWidgets GUI library is used in all of them. \\
Omnius was sold several times - at least: 2018 for a symbolic price of 500€ (to whom?), [[https://www.topsony.com/forum/showthread.php/33085-Greetings-from-the-new-owner-of-Omnius-Server|2020 to RMSMajestic]] and [[https://www.reddit.com/r/vintagemobilephones/comments/1e36wbe/new_owner_of_omnius_free_firmware_archives/|2024 to vi0let / estrog3n / lucy]]. Feel free to give tracking down mizar (and the shell company he set up) a shot. \\
The community is in search of former Omnius owners/maintainers to retrieve the source code or the SEUS signing process. \\
@vi0let/lucy: Please release a non-functional Omnius server-side program w/o database for reverse engineering. Should have bought it in 2018... \\

====== Basics ======
I do not intend to create tutorials here. This has been done elsewhere already, also beginner-friendly. \\
Look in the [[sony_ericsson:links|links section]] yourself. Also see the [[sony_ericsson:forum_threads|se-nse archive]] for beginner-friendly tutorials. \\
There is a collection of tutorials here: [[https://www.akshayy.com/sonyericsson/index/]] \\
How to use Setool2-lite for A1 phones: [[https://sony.yt/topic/3199-setool2-lite-v111-user-guide-identify-gdfs-backup-flashing-patching-unlocking/]] \\
How to use A2 Uploader: [[https://sony.yt/topic/942-a2-uploader-a2-tool-tutorial/]] \\
How to patch A2 phones with FAR: [[https://sony.yt/topic/944-far-how-to-patch-permanently-a2-based-phones/]] \\
See which [[https://www.topsony.com/forum/cmps_index.php?page=cid_es|platform and CID your phone can be, e.g. on topsony]]. \\
For doing anything fun, the phone needs to be on the BROWN certificate. Changing from RED is possible for CID<=53. Use Omnius (now for free =)) or setool2 for CID53. \\
CID81 was introduced in early 2010 - some phones like the W995 were initially shipped with CID53 and changed to CID81 later. \\
CID81/CID80/RED only has runtime patching via the [[https://github.com/farid1991/jjpatcher|jjpatcher jar]] with [[https://github.com/farid1991/bpatch|bpatch]] and [[https://github.com/farid1991/elfpack-se/tree/master/runtime_vkp|runtime_vkp]] - it is possible to load elfpack now! Autoboot too. \\
**jjpatcher -> load ELFloader -> ELF (runtime_vkp) -> apply patches** \\
The DCU-60 USB cable is used for FastPort phones. \\
A [[sony_ericsson:links#modifications|modified DSS-20]]/25 can be used as a serial adapter for phones with the T28 connector. \\
> Use the service cable to read (boot) logs from the phone! \\
__Firmware file structure of A2__: \\
After flashing A2 firmware (.fbn), flash the custpack and 'finalize' the phone. \\
Resetting the phone from the menu will not remove patches, but it does remove files and (even some preinstalled) content. \\
The firmware is split into three parts: \\
1) MBN: main firmware that contains all code for running. The MBN contains CXC files which can be extracted. VKP patches are applied to the CXC. \\
2) FBN: image of the internal filesystem (FS); contains all files that are used by the main firmware (GUI, drivers, languages, sounds, pre-installed Java apps, etc.). \\
3) Custpack or customization files: files stored in the FS which are modified by phone carriers to customize the operating system. Unpack to modify yourself - clean the custpack from ad-links, or do it afterwards in the FS. \\

====== Glossary ======
backup - if you ask yourself what it is, learn how to back up the GDFS / REST file NOW! \\

📘 Glossary

CID (Content Identifier)
> A security level marking for firmware and loader signing (e.g., CID49, CID52, CID53); higher CIDs have stricter checks and restrictions.
> SUPERCID / AnyCID refers to an EROM with a disabled security check, allowing patching without converting the certificate colour to BROWN.
> (AFAIK) CID110 phones were never released; it mainly exists to allow flashing firmware to phones with any CID / CID110 is a dummy/pseudo CID applied to patched A2 Sony Ericsson phones to bypass CID restrictions.

A1 / A2 Platforms
> A1 = early SE platform (e.g., DB2010, DB2020); A2 = newer architecture (e.g., DB3150, DB3210, DB3310) with stricter security and a different file structure. A2 is interchangeably called A200.

DB (= Digital Baseband - AFAIK)
> Internal hardware code name for SE baseband platforms (e.g., DB2010, DB2020, DB3150), tied to CPU, RAM, and bootloader layout. It was //Locosto// before the DB platform.

CDA = Customer Delivery Assembly
> The customization package that defines branding, language, and region.

Certificate Colour / Domain
> Phones have a certificate "colour" (also called domain): Red (retail), Brown (developer), Blue (factory test). Brown allows reading file contents and write access to the FS.
> "Browning" refers to changing the certificate colour to "brown". It is currently not possible for CID80+.
> SCRC (Security Certificate) is in OTP and therefore cannot be changed (hence called OTP cert colour).
> Instead, the cert colour used for patching is emulated in the loader (to skip certificate enforcement), or it is a patch-based certificate conversion, like the QA patch for DB2020.

GDFS (Global Data File System) / TA (Trim Area)
> A region of phone memory storing unique configuration. It contains the IMEI, SIM/network lock info, RF calibration data, Bluetooth/WiFi addresses and call timers, and is also used to store the flags enabling patch access.
> BACKUP GDFS! It is unique and device-specific! If lost/damaged, the phone is screwed.
> Note: If you repair GDFS, the 'total call timer' is reset.

REST file
> The 'restore file' preserves FS-based customization on A1 phones and is required when flashing. A2 phones keep the critical data in TA. \\

VKP Patch
> A plaintext format (.vkp) for firmware patches; used to modify ROM functions or bypass checks by patching mainly the MAIN flash (MBN).
> VKP means V_Klay Patch, a name taken from a patcher tool for Siemens known as V_Klay Patcher.
> There are simple and advanced VKP patches: either they just replace/modify code (simple), or an advanced patch uses free blocks to add functions (mostly converted by elf2vkp).

ELF / ELFpack / ELFloader / ELFlib
> ELF (Executable and Linkable Format): small native apps written in C. ELFloader is the launcher; ELFpack combines it with ELFlib.

DynLib (Dynamic Library)
> Shared binary used by ELF files (like a DLL); loaded at runtime by ELFloader to provide reusable functions (e.g., file I/O).

QA (QuickAccess) Patch (DB2020)
> Firmware patch to disable signature checks on DB2020 phones, allowing FS/GDFS access and .vkp patching without a service box.

Heap Shift
> Patches the offset of the heap area to gain space for advanced VKP patches.

T28 11-pin Connector
> The legacy serial connector from the Ericsson T28 era; used for flashing, service mode, and accessories before the FastPort standard.

FastPort
> A proprietary all-in-one connector used in most SE phones (A1 and A2) after the T610; supports charging, data, audio, and accessory control.
Firmware structure
> phone_acc.cxc is the modem firmware, AFAIU. ACC stands for the ACCess processor.
> /tpa/ stands for "Third Party Applications" and contains themes, menus, fonts, branding. It is writable by default.
> /ifs/ stands for "Internal File System".
> /system/ contains the core operating system files (A2 only).

====== Basis ======
Following is some crap that reminds me to rewrite this section. It may be untrue too. \\
#########################\\
#TODO\\
> SEMCBOOT is the bootloader in OTP. It waits for either a normal boot from flash or a service connection via USB. SEMCBOOT enforces CID/SCRC checks. Methods to make SEMCBOOT see a different cert colour:
  * CSCA Method (obsolete)
  * Patch-Based Unlock (Quick Access Patch)
  * Bypass loaders
> CSCA = Certificate Signed Certificate Authority (formerly sometimes just called "Central Sony Certificate Authority") = Sony Ericsson's official signing server used to validate and authorize service operations; the phone's SEMCBOOT verified this signature.
> How does the loader bypass work? \\
> [Phone powered on] \\
> ↓ \\
> [SEMCBOOT in OTP] \\
> ↓ (USB) \\
> [Tool uploads signed SE loader into RAM] \\
> ↓ \\
> [Loader runs in RAM → certificate checks bypassed] \\
> ↓ \\
> [Tool can patch FS / MAIN / GDFS] \\
> ↓ (reboot) \\
> [Phone back to RED, RAM cleared] \\
> SEMCBOOT sees RED in OTP, but a signed SE loader is loaded in service mode. The loader hooks its certificate-check routines in RAM. While the loader is active, you can patch FS, MAIN (CXC), GDFS, etc. After reboot, the loader disappears and the phone reports RED again.
A patched phone
################################ \\

===== Development =====
[[https://web.archive.org/web/20101002014412/http://www.esato.com/board/viewtopic.php?topic=112828]] \\
[[https://web.archive.org/web/20090313052216/http://forums.se-nse.net/index.php?showtopic=3423]] \\
[[https://web.archive.org/web/20080331211211/http://forums.se-nse.net/index.php?showtopic=6571]] \\
Also read [[https://web.archive.org/web/20080404205659/http://forums.se-nse.net/index.php?showforum=76]] \\
Play around with the dates in the Wayback Machine: [[https://web.archive.org/web/20120114145554/http://forums.se-nse.net/forum/76-research-development/]] or [[https://web.archive.org/web/20130829125929/http://forums.se-nse.net/forum/76-research-development/]] \\
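The glossary describes VKP as a plaintext list of byte replacements and the firmware section notes that VKP patches are applied to the CXC inside the MBN. What makes such a patch safe to apply is that it records the original bytes: a tool can verify every "old" byte string against the dump before writing a single byte, which is the check that catches a patch meant for a different firmware version, and swapping old and new yields the undo patch. The Python below is an added example written for this page; it is not code from Omnius, setool, V_Klay or any other tool. It assumes a simplified subset of the VKP grammar ('';'' comments, ''+offset'' base lines and ''addr: old new'' hex lines) and runs against a constructed 1 KiB pseudo-image rather than a real MBN/CXC dump.

```python
"""Dry-run checker and applier for simple .vkp firmware patches.

Added example for the wiki page, not code from any SE patching tool.
Assumed subset of the VKP grammar:
  ;comment                    comment to end of line
  +0xNNNN                     base offset added to every following address
  0xADDR: OLDBYTES NEWBYTES   replace OLD with NEW at ADDR (hex, equal length)
"""
import re

_OFFSET_RE = re.compile(r"^\+\s*(?:0x)?([0-9A-Fa-f]+)$")
_PATCH_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)\s*:\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)$")


def parse_vkp(text):
    """Return a list of (absolute_offset, old_bytes, new_bytes) entries."""
    entries = []
    base = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _OFFSET_RE.match(line)
        if m:
            base = int(m.group(1), 16)  # later addresses are relative to this
            continue
        m = _PATCH_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised syntax: {raw!r}")
        addr, old_hex, new_hex = m.groups()
        if len(old_hex) != len(new_hex) or len(old_hex) % 2:
            raise ValueError(f"line {lineno}: old/new must be whole bytes of equal length")
        entries.append((base + int(addr, 16), bytes.fromhex(old_hex), bytes.fromhex(new_hex)))
    return entries


def check_patch(image, entries):
    """Dry run: list every reason the patch must NOT be written to this image."""
    problems = []
    touched = {}  # image offset -> index of the entry that already writes it
    for idx, (off, old, new) in enumerate(entries):
        if off + len(old) > len(image):
            problems.append(f"entry {idx}: 0x{off:X}+{len(old)} is outside the image (size 0x{len(image):X})")
            continue
        actual = image[off:off + len(old)]
        if actual != old:
            problems.append(f"entry {idx}: expected {old.hex()} at 0x{off:X}, image has {actual.hex()} (wrong firmware version?)")
        for b in range(off, off + len(old)):
            if b in touched:
                problems.append(f"entry {idx}: overlaps entry {touched[b]} at 0x{b:X}")
                break
            touched[b] = idx
    return problems


def apply_patch(image, entries):
    """Apply only when the dry run is clean; never write a half-matching patch."""
    problems = check_patch(image, entries)
    if problems:
        raise ValueError("refusing to apply:\n" + "\n".join(problems))
    out = bytearray(image)
    for off, old, new in entries:
        out[off:off + len(new)] = new
    return bytes(out)


def revert_entries(entries):
    """A VKP records the original bytes, so swapping old/new is the undo patch."""
    return [(off, new, old) for off, old, new in entries]


# Constructed sample data: a 1 KiB pseudo-image, not a real MBN/CXC dump.
SAMPLE_IMAGE = bytes(range(256)) * 4

GOOD_PATCH = """
; constructed demo patch for SAMPLE_IMAGE
+0x100                       ; base offset
0x10: 10111213 00BF00BF      ; 4 bytes at image offset 0x110
0x20: 2021 FFFF
"""

BAD_PATCH = """
0x110: DEADBEEF 00000000     ; original bytes do not match the image
0xFFFF0: 0011 2233           ; beyond the end of the image
"""

if __name__ == "__main__":
    good = parse_vkp(GOOD_PATCH)
    print("dry run (good):", check_patch(SAMPLE_IMAGE, good) or "clean")
    patched = apply_patch(SAMPLE_IMAGE, good)
    print("revert restores original:", apply_patch(patched, revert_entries(good)) == SAMPLE_IMAGE)
    for p in check_patch(SAMPLE_IMAGE, parse_vkp(BAD_PATCH)):
        print("dry run (bad):", p)
```

The dry run refuses a patch whose recorded original bytes differ from the dump, which is exactly what happens when a patch written for another firmware version is applied to the wrong CXC; a tool that writes the matching entries anyway and skips the rest leaves the flash in a state no patch file describes. Overlap detection guards against two entries fighting over the same bytes, and the revert path only works because the original bytes are kept in the patch, the same reason a GDFS/REST backup is the first thing to make.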