I've got some more news. As you know, with Sonics you can read out the entire flash content. For a 750i/800i the start address is $44000000 and the length is $2000000 (32MB). The problem is that there ain't much you can do with such a readout. For example, you may want to flash it or part of it. Unfortunately you can't flash it with DVT as it does not have the right header data. I have spent some hours to reverse engineer this file format and coded a little proggy to convert a full 32MB readout to a flashable file.

Here is a short explanation of the flashable SE binary file format. The file has a header which contains at least 0x380 bytes. Multiple blocks of data are flashed. Each block has a short header indicating the address to flash to and the number of bytes to flash in the block.

The file has a header which contains general info:

offset:
0x0000-0003: 0xBABE
0x0010-0010: CID value (e.g. 29 or 36)
0x02E8-02EB: number of blocks to flash (#blocks) (little endian)
0x02EC-02EF: block length of the 1st block (little endian)
0x0300-037F: 128 bytes of dynamic hash data
0x0380-......: one additional checksum byte (hash) per block, so there are #blocks bytes
0x0380+(#blocks): start of first block

*Each* block header is 8 bytes long:

0x0000-0003: flash address (e.g. 0x44000000) (little endian)
0x0004-0007: number of bytes to flash (little endian)

It was easy to generate a file with the right format except for the proper hash data. I tested with a good flash file: as soon as you modify a single byte in the payload, the flash address or any of the check bytes, DVT returns an error. Usually "block not accepted 0x5556" or "there was a flash error in the previous block" or something like that.

By accident I solved the problem. At offset 0x10 there is the file CID. If I set it to 0x25 (CID37), DVT skips the hash checks and I can flash what I want to where I want. Finally full control over the 32MB flash! I can read it and write it at will.
In the process I learned that the so-called EROM is a small block of data at 0x44000000 which determines if your phone is RED or BROWN, the EEPROM is a 1MB area from 0x45F00000-46000000, the MAIN part is max 20MB from 0x44000000-45400000, and the FS part is max 12MB from 0x45400000-45F00000.

However, there is still something weird. I have a full 32MB readout from a friend with the same phone. We made the readout before we actually switched on the phone (though it was on the charger for some time). When I flash that readout on my phone it doesn't work. Can someone explain?

-------------
EDIT: The author of SE Tool has an explanation here: http://www.mobile-files.com/f[....]owpost.php?p=70942&postcount=2
-------------

Here is the link to the "raw2bin" tool: http://rapidshare.de/files/9283818/raw2main.rar.html

Unrar it and put your 32MB Sonics readout called "raw.bin" in the same directory. Run raw2main.exe and wait a few seconds. Then you will find a little over 32MB file called "main.bin" which you can flash with DVT (I tried with 13.8 and it works fine, takes appr. 15 min). The source code is included so you can improve and customize it. Do whatever you like with it.

Now about the DVT14.6 problem. Yes, DVT have changed the scheme. But it is very likely that Fallout, the author of the DVT file decrypter tool, will produce another crack. Either be patient or do as leprechaun did: just buy a credit and flash your phone with 14.6, then complete with Sonics and use your credit for another phone or whatever.
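Added example, not part of the original post and not the raw2main source: a Python inspector for the file layout described above that lists each block, maps its flash address to the MAIN/FS/EEPROM ranges from the post, and flags the CID value the post says makes DVT skip hash checks. Function and field names are hypothetical; it assumes each payload directly follows its 8-byte block header, and it does not validate the 0xBABE magic because the post does not give its byte layout.

```python
import struct

HEADER_MIN = 0x380  # fixed header size given in the post
# Flash map from the post (end exclusive); the EROM sits at the start of MAIN.
REGIONS = [("MAIN", 0x44000000, 0x45400000), ("FS", 0x45400000, 0x45F00000),
           ("EEPROM", 0x45F00000, 0x46000000)]

def region_of(addr):
    for name, lo, hi in REGIONS:
        if lo <= addr < hi:
            return name
    return "outside 32MB flash"

def parse_flash_file(data):
    """Return header fields and the block list; raise ValueError on truncation."""
    if len(data) < HEADER_MIN:
        raise ValueError("file shorter than the 0x380-byte header")
    cid = data[0x10]
    nblocks, first_len = struct.unpack_from("<II", data, 0x2E8)
    pos = HEADER_MIN + nblocks  # one check byte per block follows the header
    if pos > len(data):
        raise ValueError("block count exceeds file size")
    check_bytes = data[HEADER_MIN:pos]
    blocks = []
    for i in range(nblocks):
        if pos + 8 > len(data):
            raise ValueError(f"block {i}: header truncated")
        addr, length = struct.unpack_from("<II", data, pos)
        pos += 8
        if pos + length > len(data):
            raise ValueError(f"block {i}: payload truncated")
        blocks.append({"addr": addr, "len": length, "check": check_bytes[i],
                       "region": region_of(addr)})
        pos += length  # assumption: payload follows its header directly
    # Per the post, DVT skips its hash checks when the file CID is 0x25.
    return {"magic": data[0:4], "cid": cid, "nblocks": nblocks,
            "first_len": first_len, "hash_checks_skipped": cid == 0x25,
            "blocks": blocks, "trailing": len(data) - pos}

def build_sample():
    """Constructed sample: two small blocks, CID 0x24 (36), zeroed magic/hash."""
    payloads = [(0x44000000, b"\xAA" * 16), (0x45F00000, b"\xBB" * 8)]
    hdr = bytearray(HEADER_MIN)
    hdr[0x10] = 0x24
    struct.pack_into("<II", hdr, 0x2E8, len(payloads), len(payloads[0][1]))
    body = bytes(len(payloads))  # placeholder check bytes (algorithm not on the page)
    for addr, p in payloads:
        body += struct.pack("<II", addr, len(p)) + p
    return bytes(hdr) + body
```

Run `parse_flash_file(open("main.bin", "rb").read())` on a real file to see which flash regions it would write and whether its CID field disables verification.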