How to calculate free space size? - MDA, XDA, 1010 Software Upgrading

Hi,
In order to put my commercial programs into the ROM, I ran the following command to calculate the free space size on 4.00.11 and 4.00.16.
perl splitrom.pl rom.nb1 -ob 0x81ec0000 | perl calcgaps.pl 0x3ffff
I got the following result. Can someone tell me how to convert the result into actual byte size? Thanks a lot.
ROM 4.00.11:
start0=81040000
size0=0010000
start1=81740000
size1=00040000
start2=81b00000
size2=003c0000
ROM 4.00.16:
start0=81040000
size0=0010000
start1=81740000
size1=00040000
start2=81cc0000
size2=00200000
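The `startN`/`sizeN` values in this output are hexadecimal, so each size converts to bytes by reading it as base 16. The following Python sketch is an added example, not part of the original post or of the mkrom tools; the function names are hypothetical, and it assumes the output consists of exactly the `startN=`/`sizeN=` lines quoted above. It also flags values that do not have the usual 8 hex digits, such as `size0` here.

```python
import re

# Sample input: the calcgaps.pl output quoted in the post, copied as-is.
SAMPLE_4_00_11 = """\
start0=81040000
size0=0010000
start1=81740000
size1=00040000
start2=81b00000
size2=003c0000
"""

SAMPLE_4_00_16 = """\
start0=81040000
size0=0010000
start1=81740000
size1=00040000
start2=81cc0000
size2=00200000
"""

# One "startN=<hex>" or "sizeN=<hex>" field per line.
FIELD = re.compile(r"^(start|size)(\d+)=([0-9a-fA-F]+)$")


def parse_gaps(text):
    """Pair up startN/sizeN lines and return one dict per gap, in index order."""
    fields = {}
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a start/size line
        kind, idx, digits = m.group(1), int(m.group(2)), m.group(3)
        entry = fields.setdefault(idx, {"warnings": []})
        entry[kind] = int(digits, 16)  # the values are hexadecimal
        if len(digits) != 8:
            # A dropped or extra digit changes the size by a factor of 16,
            # so surface it instead of silently trusting the number.
            entry["warnings"].append(
                f"{kind}{idx} has {len(digits)} hex digits, expected 8"
            )
    gaps = []
    for idx in sorted(fields):
        e = fields[idx]
        if "start" not in e or "size" not in e:
            continue  # incomplete pair, cannot compute a range
        gaps.append({
            "index": idx,
            "start": e["start"],
            "size": e["size"],               # size in bytes
            "end": e["start"] + e["size"],   # first address after the gap
            "warnings": e["warnings"],
        })
    return gaps


def total_free(gaps):
    """Total free space in bytes across all gaps."""
    return sum(g["size"] for g in gaps)


if __name__ == "__main__":
    for name, text in (("4.00.11", SAMPLE_4_00_11), ("4.00.16", SAMPLE_4_00_16)):
        gaps = parse_gaps(text)
        print(f"ROM {name}:")
        for g in gaps:
            print(f"  gap{g['index']}: {g['start']:08x}-{g['end']:08x} "
                  f"{g['size']} bytes ({g['size'] // 1024} KiB)")
            for w in g["warnings"]:
                print(f"    warning: {w}")
        print(f"  total: {total_free(gaps)} bytes")
```

In both listings the last gap ends at 0x81ec0000, the same value passed to `-ob` in the command above.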

Related

How to install BIN ROM?

I got a XDA new ROM which is 4.00.01. It's a BIN file. 32 MB. I don't know how to flash it. Anyone has ideas?
What's the exact size in bytes?
I have seen .bin files which start with the string 'B000FF'
you can use
Code:
perl splitrom.pl yourfile.bin -wo outfile.nb1 -t nb1
to convert it to nb1.
you can find splitrom.pl in the mkrom distribution archive.
splitrom understands several types of romimages.
Can I convert to NBF file? So that I can use PROGRAM A to install. Size is 33,555,995 bytes. It start with B000FF.
you must make sure there is either a bootloader in your .bin file,
or you get a bootloader from another source.
you can extract a bootloader from another nbf file using
Code:
perl splitrom.pl yournbf.nbf -wl bootloader.nb0
you must make very sure that your nbf really contains a bootloader. if it doesn't and programme a overwrites it with junk, you will have yourself a brand new high-tech paperweight.
a safer way to burn unknown images, is via an sd card + xdarit + bootloader mode.
What is the command to convert to NBF once I got the bootloader? When I try to extract the bootloader, I got the following message: "80000000 - 80040000 -- bootloader 0 files 1 modules". Does that mean no bootload information inside the NBF file?
that means you are looking at a file containing just a bootloader, no OS.
Code:
perl splitrom.pl yourfile.bin -rl bootloader.nb0 -wo outfile.nbf -t nbf -n PW10A1-ENG-3.17-001
to convert .bin + bootloader to .nbf
you can check the result again using
Code:
perl splitrom.pl outfile.nbf
Sorry about having so many questions. How can I make sure that the nbf really contains a bootloader? I use the NBF file from O2 UK RUU 3.17.03 to extract bootloader which under PROGRAM A folder. Can I use "perl splitrom.pl yourbin.bin -wl bootloader.nb0" to extract the bootloader from my BIN file? I use UltraEdit to view the BIN file, I notice some information about bootloader 5.22 (not 5.17). The person give me this ROM said it's the PPC 2003 final. Actually I was given a HTC tool to flash the BIN file. But when I load the bin file, it checks my SD card and tells me invalid card. So I cannot flash directly.
well, that is a difficult question. in an ideal world we would have ready a list of bootloaders, and md5sums of these, for easy identification. but not done that yet. so currently I look at the binary, and see if I see this line in the hexdump:
0000060: 4543 4543 0010 0a8c 0000 0000 0000 0000 ECEC............
and at about 0001580 there should be some lines with '*' and 'init debugserial...'
then it at least resembles something that looks like a bootloader, and not accidentally an os image. ( yes, that is a mistake we made before you, leading us to another interesting development : jtag flashing )
5.22 is the latest I saw too.
so does your .bin file start with 'b000ff' ? can you maybe upload this file to
ftp://xda-developers.com ?
actually we noticed that somehow for recent roms the bootloader was not flashed by programme A. even though we managed to overwrite it with crap with one of our own experiments. possibly a different version of programme A. we have not researched this yet.
I would be interested in that htc program too.
you can only extract a bootloader from your .bin file if it contains one. .bin files may contain any memory region. so I don't know if yours does.
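The manual check described in the post above (the `ECEC` bytes on hexdump line 0000060, the 'init debugserial' string at about 0001580, and an md5sum for identification) can be scripted as a pre-flash sanity check. This is an added example, not code from the thread or from splitrom.pl; the function names, the search window around 0x1580 and the `known_md5` table are assumptions, and the sample image is constructed. It does not look for the '*' lines the post also mentions.

```python
import hashlib

ECEC_OFFSET = 0x60             # hexdump line "0000060:" quoted in the post
ECEC_MAGIC = b"ECEC"           # bytes 45 43 45 43
MARKER = b"init debugserial"   # string the post expects "at about 0001580"
MARKER_WINDOW = (0x1000, 0x2000)  # assumption: how wide "about" is taken to be


def check_bootloader(data, known_md5=None):
    """Apply the post's heuristics to a raw image and report what was found.

    known_md5 is an optional {md5_hex: label} dict of images the caller has
    already identified; the thread says no such list existed at the time.
    """
    lo, hi = MARKER_WINDOW
    pos = data.find(MARKER, lo, hi + len(MARKER))
    ecec = data[ECEC_OFFSET:ECEC_OFFSET + len(ECEC_MAGIC)] == ECEC_MAGIC
    digest = hashlib.md5(data).hexdigest()
    return {
        "size": len(data),
        "md5": digest,
        "ecec_at_0x60": ecec,
        "marker_offset": pos if pos >= 0 else None,
        "known_as": (known_md5 or {}).get(digest),
        # Both heuristics must hold. As the post says, this only means the
        # file resembles a bootloader, not that it is a good one.
        "resembles_bootloader": ecec and pos >= 0,
    }


def constructed_image(with_magic=True, with_marker=True):
    """Build a constructed 0x40000-byte test image (not a real bootloader)."""
    buf = bytearray(0x40000)  # same length as the 80000000-80040000 region
    if with_magic:
        buf[ECEC_OFFSET:ECEC_OFFSET + len(ECEC_MAGIC)] = ECEC_MAGIC
    if with_marker:
        buf[0x1580:0x1580 + len(MARKER)] = MARKER
    return bytes(buf)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. an extracted bootloader.nb0
            image = fh.read()
    else:
        image = constructed_image()
    for key, value in check_bootloader(image).items():
        print(f"{key}: {value}")
```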
I saw the following information. So I believe it has bootloader.
0000060: 4543 4543 0010 0a8c 0000 0000 0000 0000 ECEC............
about 0001580 there should be some lines with '*' and 'init debugserial...'
I've done the following. I don't know if I'm right.
1. I run "perl splitrom.pl yourfile.bin -wl bootloader.nb0 -t nb0" to extracted the bootloader.
2. Run "perl splitrom.pl yourfile.bin -wo outfile.nb1 -t nb1" to extract OS.
3. Run "perl splitrom.pl yourfile.bin -rl bootloader.nb0 -wo outfile.nbf -t nbf -n PW10A1-ENG-4.00-001" to get NBF file. I got an error message saying romimage already has bootloader. So I run "perl splitrom.pl yourfile.bin -wo outfile.nbf -t nbf -n PW10A1-ENG-4.00-001" to convert to NBF file directly. I don't know if this is the right command to convert BIN to NBF file, but I didn't see any error.
4. I run "perl splitrom.pl outfile.nbf" to check and below is the result.
rommap: 80000000-81f00000
no xipchian found
no operator rim found
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8015c5c8 -- kernel 5 files 5 modules
80180000 - 80376bd0 -- kernel 10 files 14 modules
80380000 - 8064306c -- kernel 20 files 36 modules
80670000 - 80be66a8 -- kernel 107 files 88 modules
80c80000 - 8102ce98 -- kernel 11 files 36 modules
81050000 - 813ef114 -- kernel 95 files 44 modules
81400000 - 815d2238 -- kernel 34 files 7 modules
815f0000 - 8171bc7c -- kernel 56 files 19 modules
817c0000 - 81adf390 -- kernel 109 files 40 modules
81980000 - 81925800 -- bitmap :30000be5 .. 010000ea
I tried to upload the file to your FTP. But no permission. Please PM your MSN Messenger ID, so that we can discuss more about this ROM.
Thanks
I don't have msn, but you can find me on irc in #xda-developers on ircnet
( if you don't know a server: irc.nl.uu.net )
3: yes, that should work.
if you want to replace the existing bootloader, you can type "perl splitrom.pl outfile.nb1 -rl bootloader.nb0 -wo outfile.nbf -t nbf -n PW10A1-ENG-4.00-001"
4: ah, ppc2003 roms have a different structure, splitrom cannot yet find the xipchain in its new location. that is why it says 'kernel' on all lines.
also the bitmap it mentions is not the bitmap.
another issue may be that the nbf it creates has the wrong size, since the xipchain in ppc2003 roms is in a location which was not originally present in nbf files, I am not sure if programme a can write it correctly.
forgot to tell you the password: user=xdaftp pass=xdaftp
Replacing a corrupted bootloader via ActiveSync
I have a T-Mobile PPC Phone on which I have installed the AT&T radio stack and the XDA-Developers 1.1 ROM. All works well except for the fact that I appear to have corrupted the bootloader. The device now jumps directly into Windows CE and ignores any keys which I press when performing a soft reset.
From reading the rest of this thread it seems that I may be able to replace my corrupted bootloader via ActiveSync if I prepare an image file correctly. Is this true, or am I misunderstanding the ActiveSync upgrade process? As I can't reload from SD card, I'd be grateful for some expert advice before I go ahead - I can't afford to get it wrong!
Thanks,
Malcolm
Hi,
I've already upload the PPC2003 for XDA to your FTP. Please check your private message for the password for the ZIP file.
Thanks

Hi from Romania !

After one week with a T-Mobile US version (32Mb) i want to thank you all for your job.
I mean that first thing when I got it I've installed SE 1.2 and unlocked it. Afterwards I was toying with TMO 4.00.16 ENG and also upgraded radio to 6.24.
Everything is smooth but ... I want to build my own ROM. I've set up the makerom on a linux box and i think i will follow these steps:
1. perl setup.sh nk.nbf (this one taken from the original TMO distribution in the RUU directory) - on the linux box
2. dumprom -4 -d files -q nk.nbf - on the linux machine to get all files
3. perl fdf2reg.pl files/default.fdf cfg/default.reg - linux
4. tr -d "\0" <files/initobj.dat >cfg/initobj.txt - linux box
5. cp files/initdb.ini cfg/initdb.ini - linux box
6. delete all files & add all the files I want to add (all kind of software)
7. bash mkrom.sh out/out.nbf - to generate the file for the SD
Questions:
a) is it possible to remove some files from the original ROM and how (any additional steps required)
b) using ssnap for the additional software installed ... where shall i make the additions (in files and for registry) ?
Thanks for all your support.
Decebal
PS. Any XDA owner from Romania ?

Goldcard for Herald

I don't take the responsibility for any damage caused by the information included.
This is not my intention to reveal any secrets of HTC Company. All this information was known earlier. I've just collected it in one place and used it for repairing my broken HTC device.
Although it was successfully tested on Herald from Dopod, it should work on any Herald and as far as I know this is the only hope, especially for Heralds with low SPL number, broken by flashing with HardSPL
If you find this tutorial useful, do it on your risk.
I've spent a lot of time in searching of a solution for my bricked Dopod C858. It has been bricked after Hard-SPL by Olipro. When this Hard-SPL was first introduced, there wasn't any warnings about minimum SPL and GSM versions requirements. That's why there is a lot of people with their Heralds stuck in the bootloader mode without a possibility of successful flashing in any way.
One of the symptoms was Invalid Update Tool 300 Error when I was trying to flash even with the official RUU. The other symptom was "GetDeviceCID: Error - InitDecoder" when getdevinfo command was typed at MTTY console.
Finally I was able to recover from this state. I successfully created the goldcard - a micro SD card with the special header, which gives us a temporary SuperCID status (security level 0). In this way we are able to flash the new ROM via SD card, instead of using the official RUU (ROM Update Utility). If it is not enough to flash successfully, we can use a wonderful service tool included in Herald's diagnostic image (heradiag.nbh).
All the credits goes to "itsme" and his hard work. It wouldn't be possible without his knowledge, his help and his great software. Willem agreed to make this tutorial and share this knowledge on the forum.
Thank you Willem!
I would also like to thank "pof" for his effort and although he couldn't find a solution, he tried to help me, so thank you Pau!
The other person I would like to thank is "canonyang_China". I know he is accused of stealing Olipro's ideas of Hard-SPL. I only want to thank him for posting heradiag.nbh file. This is the great tool which together with the goldcard can do a lot.
I would also like to mention one person. It's "jockyw". He has almost identical solution but he has found it by himself. If you find this tutorial too hard to deal with I recommend to contact "jockyw" and he will help you for a small paypal donation.
TUTORIAL:
***********************************************************
Requirements (not tested on other configurations):
1) Windows XP with SP3
2) ActiveSync 4.5
3) ActivePerl 5.8.8.822
4) Crypt-DES and XdaDevelopers-NbfUtils PERL packages
5) typhoonnbfdecode.pl PERL program
6) itsutils tools
7) working mobile device with any Windows mobile OS (2003, 5.0, 6.0)
8) any .nbh ROM file from the official Herald's RUU
9) heradiag.nbh file
10) micro SD card (tested on 512MB and 1GB)
Ad.2) download your language version of ActiveSync and install it:
Ad.3) download and install MSI installer of ActivePerl 5.8.8.822 from http://www.activestate.com
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a6-4563-8199-e1483f751c4f
Ad.4) run Perl Package Manager from Windows Start Menu
change PPM Preferences (run Preferences from the Perl Package Manager menu and switch to the repository tab):
- Add repositories:
Name: itsme
Location: http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository:
Name: theoryx
Location: http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (at the main window of Perl Package manager find those packages, mark them for install (the icon with green plus, next to the search bar) and run marked action(green arrow icon)):
-Crypt-DES
-XdaDevelopers-NbfUtils
If you can't find those packages on your list, please make sure you have selected "All packages" from "View" menu in Perl Package Manager main window.
Ad.5) download typhoonnbfdecode.pl from http://www.nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/
Save it to "C:\itsutilsbin"
Ad.6) download itsutilsbin package from http://www.xs4all.nl/~itsme/projects/xda/tools.html. Unpack it to "C:\itsutilsbin"
http://nah6.com/~itsme/itsutilsbin-20080602.zip
Ad.7) Find a working Windows mobile device and use it to format your micro SD card as FAT32. It's important to do this on a working mobile device with any Windows mobile OS (2003, 5.0, 6.0) because PC USB card readers cause trouble when making a goldcard because of a different MBR interpretation.
- Activesync your working Windows mobile device with SD card inside
- On your PC enter windows command mode (Start->Run... cmd)
- Choose your itsutilsbin directory (cd C:\itsutilsbin),
- Run this command (l means a letter 'el' - not a digit 'one'):
psdread -l
If you have problems with running psdread -l you probably have problems with the security configuration of your mobile device. There are many options to change it. In my case I was using Device Security Manager PowerToy for Windows Mobile 5.0
It is recommended to save your security configuration, then change it to the Security Off level and after the whole goldcard preparation process, load saved configuration preset if you don't want to leave your Windows mobile device Security Off. You should have your mobile device ActiveSync with your PC when you are using this tool.
- If everything went OK, look at the result at the cmd window after psdread -l and find something like that:
remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte
SerialNr: 75 63 00 49 8a f2 00 80 47 31 30 55 53 44 53 03
- in the next step you will have to replace the first byte ( in this case '75' ) with '00' and write this ID without spaces between numbers - this will be your modified cardid
In this example your modified cardid will be 006300498af200804731305553445303
(Thank you "hookcard" for reporting troubles in this step)
Run this command, where <cardid> is your modified cardid:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
- Your goldcard image will be saved in your current directory (C:\itsutilsbin)
- If you have error message connected with msvcr71.dll file, please download this file or try to find it somewhere on your system partition and then copy it to the directory containing typhoonnbfdecode.pl (C:\itsutilsbin)
Then repeat the previous step with running typhoonnbfdecode.pl
If everything went OK, run this command, where <number> is a number under which you have your SD card during psdread -l command, for example, "remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte" means that your <number> is 1:
psdwrite -<number> goldcard.img 0 0x120
Now you have a card which gives you SuperCID - you can test it with MTTY and see that g_cKeyCardSecurityLevel = 0
Ad.8) Remember to have more than a half of the battery capacity available before you start this step!
- download any official Herald's RUU and extract it to the directory, where you should find RUU_signed.nbh ROM file. (It was tested with Dopod's ROM). Copy this .nbh file to your goldcard changing its name to heraimg.nbh
- Enter the bootloader mode. When you will see on your Herald's screen the question: "Update SD image?" you will have 10 seconds to press Volume Down button and this way to start flashing
Unfortunately, if something goes wrong and, i.e., you see SD update failed, you will have to use the heradiag.nbh file to enter a special menu during the start of the bootloader mode. If you have problems with flashing, please read the step below:
Ad.9) download and unpack heradiag.zip file from this thread:
http://forum.xda-developers.com/showthread.php?t=332413&highlight=heradiag.nbh&page=6
Remember to have more than a half of the battery capacity available before you start!
- Copy heradiag.nbh on your goldcard together with any official .nbh ROM from ROM Update Utility from the previous step.
- boot your Herald in bootloader mode and you will see the diagnostic menu where you will have Reflash Image option. Choose Reflash Image and after the flashing process (about 5 minutes) please softreset your device.
That's all! You should see your Herald properly booting Windows OS.
Good luck!
Anyone had any luck with this?
I tried.
Everything is O.K.
ok first of all thank you very much for as a hope gain to bring our herald to live again.
but there is some point at this thread i didnt get it so plz if u could help me
1-
run Perl Package Manager from Windows Start Menu
change PPM Preferences:
- Add repository: itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository: theoryx http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (mark them for install and run marked action):
-Crypt-DES
-XdaDevelopers-NbfUtils
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
I've updated this tutorial and now it should be more clear.
According to your question about the ROMs - if you successfully create the Goldcard you will be able to flash any ROM, not only those matching your original CID.
halder said:
...............
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
maybe someone can post the perl folder, with the required modules installed?
Do you have "All Packages" chosen through View Menu?
klikman said:
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail address.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
alencarfr said:
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail address.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
Go to this thread, it will explain how to fix your phone....
http://forum.xda-developers.com/showthread.php?t=345411
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
No Signal. With MTTY I gave the command set 32 1 and get the message:
================================================
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
PL_SDSetSlotNumber() - MPUIO_SDIF_SEL1=0, MPUIO_SD_IF_SEL=0
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDInit - SD ver1.0
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SD clock to 24MHz
***** user area size = 0x79280000 Bytes
SDInit---
SDInit OK
Unlimited time!
GetDeviceCID: Error - InitDecoder
g_cKeyCardSecurityLevel = 0
HTCE
=======================================================
So, please could you help me ? Thanks! Alencar
Hi,
Where did you format your SD card before preparing Goldcard? In Windows Mobile device or in laptop or PC card reader?
alencarfr said:
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
g_cKeyCardSecurityLevel = 0
So, please could you help me ? Thanks! Alencar
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
please SIR how can i change cardid ?
and which tool i use ?
Hi,
I've sent you my private message but you haven't answered so I have to ask you in this thread:
- What is the size of your SD card? I successfully tested it with 512MB and 1GB cards.
alencarfr said:
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
Successfully tested with 2gb card
BTW, HardSPL'd devices don't want to load heradiag!
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
same here
already try restarting my windows still no luck
I guess you are doing something wrong because there are people who were successful with this tutorial. Maybe you don't have "All packages" chosen from the menu.
I have updated point 4 of my tutorial so please take a look.
I've also posted in this thread my answer to someone who had the same problem like you and he didn't answered anymore so I guess as a result he created Goldcard successfully.
If it will help you, please let us know.
TINDUNG10 said:
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
please help me delete 1 post

[HSPL/SSPL][DISCUSSION] Hacking SPL [SSPL works - now flashing HSPL/closed testing]

Well this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded sparely? We're just waiting until olipro, cmonex (bless their work!!! ) or some other mod finishes the Hard-SPL.
If this is an illegal talk or something then just delete my thread..
I find this is an interesting topic.. So why not collaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I ever liked hacking embedded devices, but my knowledge in these things is not so good. Would like to dig more into this and solve this kind of mystery
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone and pmemdump, a tool to dump memory areas of the phone to disk.
This raises the question of how to find out the address, where the SPL lies in our LEOs and then how to dump it?
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But i have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking i am giving an update of my research now (of course cmonex will finish that work, and she will do it good, but as you probably know, i want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as i understood the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere and as our SPL would execute, it would crash, because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard coded references to data (such as strings etc.) in code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL i obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which i just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and lets you step through the instructions. Really nice, if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talking. Thanks
Thanks for sharing this information with the community.
Feel free to investigate and have a go for it.
The itsme utils are extremely useful,
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you got your SPL, you can read Jockyw2001's posts regarding bootloaders disassembling in IDA pro.
The actual patching of the SPL isn't the hardest part, Cmonex once told that the development of the Soft SPL was trickiest part.
Regards, and good luck.
EqX
Thank you.. I will have a go for it, when i have more time. It's over for today..
Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them but there must be also people around who can give a hand to accelerate the process. No ?
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Did you install activeperl ?
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
mr.vandalay said:
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you cant use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that pl file you see that there is no entry for LEO. We need the LEO key.
I replied to your PM about dumping SPL 0x95000000
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
sorry this will never work on Leo. I can make the goldcard for you though (for a small donation)
Thanks a lot cmonex, for your PM, hope to flash my Holland device onto a WWE device to better understand.
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Tung_meister said:
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Yes, it should be
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Can someone help?
kholk said:
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Can someone help?
You're not the only one. Currently working it out with cmonex.
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
mr.vandalay said:
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
Welcome to the club of dutch rom refugees
cmonex helped me and i just finished flashing my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
cidriver said:
cmonex helped me and i just finished flashing my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
She.. She's female!

[Q] How to use osnbtool

Hi all, I have problems using osnbtool: when I open it it closes immediately...
Can somebody tell me how to use it? I'm using Windows 7
Never used it but try right click and run as administrator.
It is a console tool. You need to run it from the Command Prompt with admin privileges.
Ok I managed to run it, the problem now is that the program crashes after some time... what should I do now?
Please somebody answer
Didn't you get this if you just type "osnbtool" on the command prompt? The built-in help is good enough. What exactly do you want to use it for?
$ ./tools/osnbtool.exe
OS ROM Partition Tool V1.59 By Weisun :> PDAclan.com
A powerful tool for de-pack partitions from OS.NB!(RAW-OS-IMAGE)
*** Decompress & compress SRPX partitions,unpack & pack partitions.
*** Support to re-structure OS.NB when insert a resized partition.
====Command for decompress,compress,unpack & pack partitions:
-d <OS.NB> <Num> <OUT.BIN> Decompress Num of part from OS image to OUT.BIN
-c <OS.NB> <Num> <IN .BIN> Compress or insert IN.BIN to OS image
====Command for split to a RAW-OS-IMAGE form srcFile & repack:
-sp <fName.ext> Split source file to fName.ext.PRE & fName.ext.OS.NB
----'fName.ext.OS.NB' means that RAW-OS-IMAGE.
----it can remove extra-data(SECTOR_ENTRYs) or B000FF struc.
-extra <fName.ext> [0x"intBlocksToFill" | 0x"dwBlockSize"] Insert extra fields (SECTOR_ENTRYs) & get fName.ext.EXA
-2bin <fName.ext> [0x"StartADDR"|-CutHeader] Pack fName.ext to BIN(B000FF)
-FixBinHeader <fName.ext> [0x'intRecordsToAdd'] Fix 'B000FF' header-entry.
====Command for unmask src file :
-x <fName.ext> <0x"dwKeyWord"> [outFile] Unmask source file to outFile
====Command for PagePool value changing in XIP.BIN:
-pp <XIP.BIN> <0x"dwOFFSET"> <decVal"MB"> [-y] Change PagePool Value at OFFSET in source XIP file
-ap <XIP.BIN> <decVal"MB"> [-y] Auto search & change PagePool Value in source XIP file.
