Hi there,
I'm new here; in fact, this is my first post!
I'm a mobility engineer and have been given the task of creating an SOE for our company's PDA units. We use the i-mate (as is stated in my profile).
I have no trouble adding what I need to my extended ROM (ms_.nbf). What I need to do is gain access to the main ROM (NK.nbf). I have "WM2003 ROM Image Editor" and a password list supplied, but none of them work. I have scoured Google looking for ways to access my ROM, but all the hits refer to older versions.
As stated above, my ROM version is 1.72.00. I need access to this so I can tailor the complete operating system to my requirements.
If anyone can help me with this, I'll be eternally grateful.
Also, is there an easy way to gain access to the ROM on other devices?
As, I'm sure that once I have cracked the ROM, created my SOE, that the device itself will become obsolete, and I will have to start again on other hardware.
I did use the search function in the forum; unfortunately, I couldn't find what I needed. So I apologise if something along this topic has been posted before.
Thanks in advance!!!
You may use xda2nbftool.exe to calculate the password of your ROM; as far as I remember it is the "-t" switch. Then you can dump the ROM contents with dumprom.exe. You cannot modify the ROM with ROM kitchen because it is for XDA1, but you can modify its source code. And in general you should not modify the ROM. Everything you need can be done by modifying the extended ROM.
Also, is there an easy way to gain access to the ROM on other devices?
On most devices ROM is located in the first 32 MB of physical memory. You should use VirtualCopy function to access them and dump to storage card or anywhere you like.
Thanks for your reply, mamaich.
When I use xda2nbftool.exe, it seems to only reveal passwords for ms_.nbf and radio_.nbf.
When I use NK.nbf as the input file, it doesn't even check it.
Would you know what syntax I would use to reveal the password of NK.nbf?
I tried -t as you suggested, but it didn't seem to help. I ran xda2nbftool.exe to bring up a list of switches, but alas, I am new to this, and it didn't seem to work for me no matter what I tried.
The reason I would like to get into the ROM is so I can have a look at how the OS works, starts, etc.
The SOE I need to make is for several of our clients, some of whom are government and financial institutions, and they have many requirements. I have been able to add a lot to my SOE via the extended ROM, as you just suggested, but I want to have more control over what goes onto the unit.
The password for ROM is 0x20040304:
C:\PocketPC\Tools\xda2nbftool.exe -x NK.nbf NK.nba 0x20040304
You may calculate it yourself. Just look into NK.NBF with any hex editor. Starting from offset 0x50 you'll see bytes:
0000000050: 04 03 04 20 04 03 04 20 ...
in "normal" ROM these bytes are zeroes. So the XOR password would be: 0x20040304 (just reverse the byte order).
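The key derivation described in this post, as an added example (not code from the thread or from xda2nbftool). It shows why a fixed 32-bit XOR over an image that contains a known all-zero field protects nothing. It assumes the whole buffer is XORed with the repeating little-endian key starting at offset 0; the sample image and the names `recover_xor_key`, `xor32` and `build_xor_sample` are constructed for illustration.

```python
import struct

KEY_OFFSET = 0x50   # offset the post points at in NK.nbf
PROBE_WORDS = 4     # how many 32-bit words must agree (assumption, not from the post)


def xor32(data: bytes, key: int) -> bytes:
    """XOR a buffer with a repeating 32-bit little-endian key (self-inverse)."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i & 3] for i, b in enumerate(data))


def recover_xor_key(image: bytes, offset: int = KEY_OFFSET,
                    words: int = PROBE_WORDS):
    """Return the 32-bit key leaked by a field that is zero in the plain image.

    XORing zeros with the key yields the key itself, so the field must be the
    same word repeated. Returns None when the region is too short or does not
    repeat (the field is not zero-filled in this file, or the scheme differs).
    A result of 0 means the field is plain zeros, i.e. no XOR was applied.
    """
    region = image[offset:offset + 4 * words]
    if len(region) < 4 * words:
        return None
    values = struct.unpack("<%dI" % words, region)
    if len(set(values)) != 1:
        return None
    return values[0]


def build_xor_sample(key: int):
    """Constructed sample: 0x50 header bytes, a 16-byte zero field, a payload."""
    plain = b"CONSTRUCTED-HEADER".ljust(KEY_OFFSET, b"\x11")
    plain += bytes(16)
    plain += b"payload after the zero field"
    return plain, xor32(plain, key)


if __name__ == "__main__":
    plain, obfuscated = build_xor_sample(0x20040304)
    print("bytes at 0x50:", obfuscated[0x50:0x58].hex(" "))
    key = recover_xor_key(obfuscated)
    print("recovered key: 0x%08x" % key)
    print("round trip ok:", xor32(obfuscated, key) == plain)
```
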
mamaich, thank you.
I now have a NK.nba file.
Get prepared for a stupid question.
How do I get to the contents of the .nba file, to the level where I can modify the operating system?
twinair said:
How do I get to the contents of the .nba file, to the level where I can modify the operating system?
There is no tool that can modify the XDA2 ROM. It is possible to modify ROM kitchen to support XDA2, but no one has done that.
Currently you can dump nk.nba with command:
dumprom.exe -4 -d c:\1 nk.nba
(this would dump all files to c:\1 directory)
and later you can modify nk.nba with any hex editor if you need to patch the existing program. I've successfully patched it when I was playing with BT drivers.
mamaich, you've been a great help.
I have managed to extract all the files. Now I can see what I can modify.
thanks again.
Hopefully I can provide some input to these forums.
I have been doing some things to our PDAs that no one else is doing. We are totally customising our devices.
While I am at it, we could do with someone who is a serious developer who knows his ****!
I have only been a member for a couple of days, but I can already see you know what you are on about. Are you interested in some work at all?
If you are, let me know, I can tell you what we need. I think you would fit the description
twinair said:
Are you interested in some work at all?
If you are, let me know, I can tell you what we need. I think you would fit the description
Sounds interesting. Can you contact me by ICQ 70241285 or send more information by PM?
mamaich said:
The password for ROM is 0x20040304:
C:\PocketPC\Tools\xda2nbftool.exe -x NK.nbf NK.nba 0x20040304
You may calculate it yourself. Just look into NK.NBF with any hex editor. Starting from offset 0x50 you'll see bytes:
0000000050: 04 03 04 20 04 03 04 20 ...
in "normal" ROM these bytes are zeroes. So the XOR password would be: 0x20040304 (just reverse the byte order).
Sir,
I have a question. I followed what you said to do for this Radio_.nbf, but at offset 0x50 there seems to be something different. Can you help me to try?
The radio is attached... thx
Announcing: ROMkitchen
Special Edition ROMs are soooo yesterday.... We're proud to unveil our largest project yet: ROMkitchen. Now you too can modify your ROM to contain precisely what you need. Create your personal ROM, based on the ROM you like.
Wanna see: Have a look at our showroom kitchen to see what we mean. As you can see the showroom kitchen shows the PPC2002 based 3.17.03 ROM released by O2, as well as the 4.00.05 Microsoft WM2003 test ROM. Neither of these ROMs is really present though: you need to download the scripts, include your own ROM images, and run the scripts on your own unix machine. But once you do, you and your friends can create ROMs to your heart's content.
Why didn't we just include these files and make it all work? Because we're not licensed to distribute these ROMs, that's why.
So now what?
Play around to see if you like it.
Download all the files visible when logging in using FTP to xda-developers.com username 'kitchen', password 'kitchen'.
Put them on your own unix machine, which should be capable of executing php scripts, and which should have a 'little' memory, disk and processing power left over. (We're afraid ROMkitchen wasn't built with resource-efficiency in mind.)
Add your own ROM files, see the readme files in the "data/00[...]/_/cfg" directories for details.
Notes:
If you set up your ROMkitchen, make sure you only use it for yourself, and with ROMs you legally own. We're not responsible for abuses.
If you use an ftp-client which can ignore files which are newer on your side, you can regularly check for updates and always have the newest kitchen.
ROMkitchen does not yet support outputting self-extracting binaries a-la Jeff's exe. We're working on that.
ROMkitchen currently supports English language ROMs only. We're working on this too.
The welcome exe is back in ROMs made with it: a little too much hassle to make our own. So you'll have to go through the silly tutorial every cold-boot.
XDAunlock is missing still. (It will be incorporated, but most people will be making 4.00.05 ROMs, and it doesn't work on that anyway...)
How does it work?
The ROMkitchen consists of a number of php scripts that present the form with all the options to choose from, and which copy files ready for our 'mkrom' utility to process. If you take a look you can see the raw structure of the data that is presented and inserted into the ROM. We'll find some time soon to explain, but you can already learn quite a bit if you look at the files and directories carefully.
xda-developers u are AWESOME
I'm going to try it as soon as I get home tonight. So all that is needed at first is a 2003 or 2002 image file?
thanks
alex
This looks awesome
Is it possible to run this program on Cygwin? I have configured the Cygwin download to include Bash and Perl but can't find a reference to dd. I confess that although I have a reasonable amount of programming experience I have never used Unix before, so I don't even know how to invoke the scripts. Any help would be much appreciated.
Richard
Just uploaded everything to my unix box and tried to run setup.sh from the 4.00.05 directory. I also uploaded the bootloader.nb0 and rom.nb1 files to the cfg directory. When I run ./setup.sh this is what I get:
[[email protected] _]# ./setup.sh
Usage: splitrom <romimage(s)> [options]
-wx xipchain where to write xipchain
-wo osrom where to write output image
-wb bitmap where to write bitmap
-wl bootloader where to write bootloader
-rl bootloader which bootloader to use for NBF
-n nbfinfotext what NBF header to use [ex: PW10A1-ENG-3.16-007]
-ri nbfinfofile or where to read NBF header info from
-wi nbfinfofile where to save NBF header info
-rx xipchain where to get xipchain from
-rb bitmap where to get bitmap from
-rm [email protected] insert new romsection.
-ob offset where to find the bootup image
-oe offset the end of the desired os image ( default: 0x81f00000 )
-t NBF | B000FF | NB? | IMG type of result image (default is NB1)
Also, when I tried to convert the default.fdf file to default.reg I get an error saying "unknown fdf file signature" and it creates a 0 byte default.reg file.
Any help is appreciated. I know I'm asking too many questions, but the same happened with your mkrom tools, and once I got answers from you I was able to build ROMs without any problems.
thanks
alex
Hold on a tick, if you guys added one more feature it would go nova, however. Some features I would like to see is the ability to mix drinks, roll joints, cook dinner, and cure premature baldness/cancer.
It would also be nice if you could arrange for the program to be delivered to my house by the drunken, naked Chinese twins, Fok u and Fok me.
You guys are the bomb. Keep up the great work!
-
# Put them on your own unix machine, which should be capable of executing php scripts, ...
This implies that you should also have set up a webserver, for running the php scripts.
You will have to change the 'splitrom' command line in setup.sh depending on what source file you have.
It is not a configure-everything-automatically script, just a guide to what sort of thing is supposed to happen for setup.
Holy Cow, you guys are amazing....
This is just a short message to say I'm fighting with it as we speak. My friend's box does have PHP, this is good. I've already found that it needs two subdirs under its root ('download' and 'workspace') to be world-writeable. Took me a while to figure that one out. Haven't got it running yet though, this ROM setup.sh thing is far less than intuitive. But I have the two ROMs which have all the other mumbo-jumbo done: 3.17.03 and 4.00.05, and I will get this to run, if it's the last thing I do.
Jeff (Just back from the U.S., up since 4 am, severe jetlag)
Jeff Summers said:
I've already found that it needs two subdirs under its root ('download' and 'workspace') to be world-writeable.
Whoops... I guess you're right, that should have been documented. The things you take for granted sometimes...
Thanks, and good luck...
Thanks
hey, you are doing a great job guys, keep it up.
welcome back Jeff Summers.
Othman
OK, here's the status:
I'm close, really close. It wouldn't detect my OS, the bash on the system I'm on is in /usr/local/bin instead of /bin and now it's complaining about a missing perl file. I'm working on it though...
Probably you are missing http://search.cpan.org/author/GBARR/Scalar-List-Utils-1.11/
which is included with perl 5.8, but not with perl 5.6.*
If you don't have root access to your box, you can also install list-utils in your home directory (see the README for build instructions), by editing the generated Makefile, and changing 'PREFIX=$(HOME)', and then adding
Code:
export PERL5LIB=$HOME/lib/perl5/site_perl/5.6.*
to your environment. ( with '*' your perl version )
It's working
It's working!!!
With a little help, I got it to work !!!
Have a look at http://cuba.calyx.nl/~jsummers/ROMkitchen
I just created my first ROM!
Hi, I tried creating a 4.00-based ROM on Jeff's web and it works... thanks.
I discovered only a small problem: links to the extra included programs are not installed in Programs. But I can do it manually for now.
I tried to start my version of romkitchen on my notebook, but I was stopped at integrating PHP into IIS. I tried a recent installer, php-4.3.2-installer.exe for Windows, but I got a CGI error when I tried to access index.php. I'll work on it.
I hope that it will run too, like mkrom on Cygwin.
aleho said:
Hi, I tried create 4.00 based Rom on Jeff web and I works... thanks.
I discovered only small problem, that there are not installed links in Programs to extra included programs. But I can do it manually for now.
Ah, you haven't noticed that we put these in subfolders maybe. Go to Programs, and you should see subfolders. If you unchecked the option to put in these subfolders, then you have also unchecked everything 'below' that, meaning you haven't installed these programs.
I tried to start my version of romkitchen on my notebook but I was stopped on integration PHP to IIS. I tried some last installer php-4.3.2-installer.exe for Windows but I got CGI error when I tried to access index.php. I'll work on it.
I hope that I will run too, like mkrom on Cygwin.
Go for it...
Ah, you haven't noticed that we put these in subfolders maybe. Go to Programs, and you should see subfolders. If you unchecked the option to put in these subfolders, then you have also unchecked everything 'below' that, meaning you haven't installed these programs.
I had unchecked only few of programs to fit in ROM 4.00 free memory.
But folders in Programs like Phone, System tools,... were not in this case created, but they were checked.
Jeff: great work...
One bug I found: when I disable the modify rom and add programs options I get an error: Warning: Invalid argument supplied for foreach() in /home/jsummers/public_html/ROMkitchen/processor.php on line 480
I wanted to get the original 4.00.05 ROM without modifications.
Jabba
REQUEST: zipped Kitchen
Hi !
Thanks all developers! Great work
One request though: please put a zipped version of your ROMKitchen at your ftp -> downloading hundreds of files is a mess *g*
Thanks... Jabba
This is so frustrating: I had it working perfectly, and now all of a sudden it stopped working. I'm working on it...
It's working now. Not really sure what was up, but it seems to have fixed itself.
Nice!!! These new ROMs are sooo cool. All the programs are stored in neat subfolders with icons....
I did find that D9 and PocketCHAT (The EVB apps) do not yet work on WM2003. It complains some EVB shared files are still missing.
Hi Jeff, just to say I've successfully used your ROM builder principally it has to be said to get hold of 4.00.05 so I only choose the Hot Fix item.
Checked in startup (which I've not looked in before) to see the hotfix and its there, there is also aFlashman, cFlashman Handsfree poutlook, SMSReciever, stk & Ussd. Are these part of the normal ROM? Just want to check that the thing is running as lean and clean as it can.
Many Thanks
Can anybody please help me to build a ROM? Especially the XDA-developers; thanks a million in advance.
My questions are:
1. Do I need a base ROM (no programs included) in cfg/ (rom.nb1)? Is it necessary?
2. What is the maximum amount of files I can put in the files/ directory that will be split by mkrom? I know it depends on the version, since for 3.17 the maximum for all files is 5 M. How about other versions: 4.01, 4.05, 4.10 and 4.16?
3. When I run bash setup.sh nk.nb1 (4.05), using the parameters for 4.05, I get the message "!!! your rom is not known to me: md5:fb9e70c5786f08e4db6db7c184c59704". Is this normal, or is it not defined in splitrom.pl?
4. What kind of editor did you use for building a 16-bit BMP file? I tried to use Adobe Photoshop 6.0, but I cannot seem to save it as 151 k; the only options are 24 bit and 8 bit. If you can give me a site where I can download it, I will really appreciate it.
Thanks for the Help..
More power to the XDA team
and
Welcome TMO 4.16!!! (which i think no diff with 4.10)
1. yes you do need some kind of rom to start with
2. you can check using
Code:
perl splitrom.pl yourrom.nb1 -ob <your bmp offset> | perl calcgaps.pl 0x3ffff
and add the sizes of the holes.
you have to figure out where the bootsplash is for your rom. ( for new roms this is most likely 0x81ec0000 )
3) there is a list of 27 roms I know about in splitrom, if I never saw your rom, the signature will also not be there.
btw, what rom do you have?
4) I think we used photoshop for that. ( Peter Poelman knows more about that )
Thanks for the reply, XDA developer Itsme,
but how can I build a base ROM with the ROM I have? I have a ROM 4.05 which I created in Jeff's kitchen. Or is there any site where I can download the base ROM 4.05?
I have ROM 4.05 and 4.10, which I got from Jeff's kitchen, and also the original 4.10 TMO. Regarding the signature of the ROM, I read your splitrom.pl and I found your list of 27 ROMs, but I didn't find the signature "md5:fb9e70c5786f08e4db6db7c184c59704". Is it because my ROM is not a base ROM?
My params are:
wincever=4
start1=21740000
size1=0040000
start2=003c0000
startbmp=81ec0000
startop=81b00000
I'll still try to use Photoshop; maybe I missed something there.
Please correct me if I have done something wrong with my commands.
I have Perl 5.8 and Cygwin installed on Windows 2003,
then I set the path for perl/bin and cygwin/bin,
then I copy all the things I need to build a ROM into one directory, including nk.nbf (with Jeff's 4.05) and the mkrom tools (which I got from the demokitchen).
I run "perl setup.sh nk.nbf" to extract bootimage.bmp and rom.nb1 to the cfg/ directory,
then I dump with "dumprom -4 -d files -q nk.nbf" to extract all files into the files directory,
then I convert with "perl fdf2reg.pl files/default.fdf cfg/default.reg"
"tr -d "\0" <files/initobj.dat >cfg/initobj.txt"
"cp files/initdb.ini cfg/initdb.ini"
then in the files/ directory I delete all the Windows files and leave only the programs with the DLLs I wanted to add to the ROM, like Total Commander, File Commander, etc.
(I compared it with the original files of WM2003.)
Then I run "bash mkrom.sh out/out.nbf",
but I got an OVERLAP message on the screen
and also the same message I told you about before, "Your rom is not know to me".
Please help me with this because I want to build my own ROM according to the programs I need. Many thanks.
Splitrom does not recognize romkitchen ROMs, since they vary too much.
You should use an original ROM, not one from the romkitchen.
The overlap means that somehow the params file was not correct,
or maybe you just tried to add too many files.
XDA developer Itsme said:
Splitrom does not recognize romkitchen ROMs, since they vary too much.
You should use an original ROM, not one from the romkitchen.
The overlap means that somehow the params file was not correct,
or maybe you just tried to add too many files.
Thanks Itsme, that's why splitrom cannot recognize the ROM I have. I'll try to search for the base ROM in the forum, or can you give me a site where I can download the base ROM? I think that's why I am having an OVERLAP, because there is an added program on my ROM; XDA-Developers File1 and File2 are duplicated.
It answers my question regarding the ROM I have. Thanks a lot man, you are really a good help.
Now my only problem is to find all the base ROMs so I can start cooking some ROMs.
hi.
How can I extract files from an mpx200 ROM? I tried to use tools from the forum but with no success. The mpx200's ROM is a file with the .img extension. As far as I have seen in the forum, the ROM file extension for PDAs is .nbf. Is there any way to convert the .img file into .nbf so I can use the er2003edit program? Any other idea or guide that could help to extract the ROM from my mpx200 (WM 2003) would be very welcome. I couldn't find any resources on the web about extracting the mpx200 ROM and that's why I posted in this forum. I hope that I'm not totally off topic.
Thank you.
Nikos
I had a play with this a while back, to try to get MPX300 compatibility with VJCandela.
I believe the ROM files have a "B000FF header" (open it with a hex editor). Apparently splitrom can reassemble them into a ROM we can play with, but it became more urgent to finish VJCandela than continue with this, so I put it aside. If you get anywhere on this, please PM or post so that I can see if I can make VJCandela cross compatible.
Many thanks!
V
I can upload a dumped mpx200 WM5 ROM to xda-developers FTP if needed.
These IMG files are somehow non-standard B000FF, I was unable to use splitrom to convert them to normal file.
You should dump the ROM from a device, then remove a hole in the middle (probably the MPx200 has 2 ROM chips at different addresses), then edit it manually because some idiot incorrectly edited that ROM to remove DevAuth.exe and broke its internal structure. After that you'll get a complete dump with broken ril.dll and gx.dll.
I wonder how that incorrectly patched ROM can even boot.
That would be interesting Mamaich. I'd appreciate it if you can.
Can we dump a live rom normally then? I'll try to speak to a guy with an MPX300 to get it dumped if possible, and try to upload it if he's successful.
V
hi.
I found so far that it's possible to convert the .img file, which is used to update the mpx200, into a .bin file. I opened the .bin file with a hex editor and it starts with B000FF as you said. I don't know where I can use this information or what it means. As you said, it's the header. When I try to dump the ROM with dumprom.exe I get an error message saying "unable to determine loading offset for out.bin". Looks like I have to find this offset myself and give it to dumprom. Could you help me somehow on this?
Also, where can I read a few things about the ROM structure, XIP and stuff to understand what's going on?
Thanks!
EDIT1
Also tried with splitrom.pl.
With command splitrom.pl out.bin it gives me the following
B000FF entrypoint: 00000000
!!! your rom is not known to me: md5:68847f4d859a242753798d9d0e205144
!!! your bootloader is not known to me: md5:ea25e7468c09bf09a384a94cb4dcc67c
no operator rom found
no bitmap found
xip regions not found: 82d80000=LANG, 82040000=SMARTFON, 82d00000=OPERATOR, 82f20000=OE
And a lazy question. If I finally do it, will I get a folder on my disk with all Windows components unlocked and ready for modification?
EDIT2
Reading a few things about splitrom, it says that it can handle bin files with a B000FF header. In our case (mpx200) we have a bin with a B000FF header. Right? So we can use splitrom to make the nk.nbf file.
An example of how to use splitrom.pl is the following.
perl splitrom.pl cfg/rom.nb1 \
-rm tmp/xda1.bin:0x81740000 \
-rm tmp/xda2.bin:0x81b00000 \
-rx tmp/xipchain \
-rb cfg/bootimage.bmp -ob 0x81ec0000 \
-rl cfg/bootloader.nb0 \
-wo nk.nbf -t nbf -n PW10A1-ENG-4.01-007
In the above, he opens rom.nb1, which is his ROM file. Probably the plain ROM image format; I don't know the type. Then he refers to another 2 files, xda1.bin and xda2.bin. In my case I have only one file, out.bin. He also uses bootloader.nb0; I don't have it or something similar. Finally he writes the nk.nbf file and gives it a header. In my case I will give a B000FF header.
End.
nicktgr15, to extract files from 2002 and 2003 firmware you can use the tools from http://onk.nm.ru/mpx200
Great site my friend onk. Great site. I hope i'll find something. Thank you.
Hi nicktgr15!
Any luck with the ROM extraction for MPx200?
Anyone here on this board can comment too.
I went to the link http://onk.nm.ru/mpx200 but can't really get things going with the WM2003 for MPx200.
I have the ROM, but using dumprom.exe I got something like 'can't determine the memory offset'.
So... where do I start?
I really need the SIMManager & Resource Manager for my WM5 MPx200.
Also, would like to have the SIM Tool Kit working on my phone since there's no way to interact with the SIM features.
Thanks anyone!
Please upload the dumped WM5 MPx200 ROM you are talking about! It will be a huge step!!! We can edit it, fix some bugs, even make it work without the need of the SD card...!!!
I've uploaded ROM dump to uploads/mpx200_dump directory on xda-developers FTP.
The buildimgfs tool is useless on this ROM, because 2 files in it are broken. Maybe addfile/delfile would work (but they would break data in imgfs_removed_data.bin). And of course you have to manually remove the hole inside the ROM before working, and inject the removed data back before flashing. And figure out the format of imgfs_removed_data.bin and recreate it yourself.
To dump WM5 files you can use the tool http://buzzdev.net/index.php?option=com_remository&Itemid=100&func=fileinfo&id=83
You must create the directory "\Storage Card\" on the SD card and run this program on the smartphone.
I think this program works on many other devices with WM5.
PS. You can read http://www.wce.by/forum/viewtopic.php?t=1517 (Russian language) about tools for firmware.
Onk, nice site, but I can understand a thing!!!
Have you made a fixed version of WM5 for the MPx200? If yes, where can I download it?
My goal is to make a cut-down WM5 version that can fit in the 32MB ROM of the MPx200... can that be possible?
I downloaded WM 2005 for the MPX200 smartphone, Build 14343, from sendmefile, but the link is dead ;(
After extracting the files from the archive, I converted part2.bin and part3.bin to CMCS IMGAGE (using BINtoIMG) and flashed the images to the mpx200 (using Motorola Upgrade Wizard 1.8.x).
WM5 for the mpx200 uses the SD card like /Storage on wm2003 and wm2002 (to save config, data files, programs, etc.).
Internal flash is used only for firmware.
To replace some files from the firmware you can place them in /Windows on the SD card.
BUT! This build of WM5 works on 80-90% of mpx200 devices ;(
Some devices can't run WM5.
And the speed of operation of WM5 strongly depends on the speed of the SD card used (x80..x132 recommended).
Your file mpx200_wm5_bin_B00FF.7z (17460816 Bytes) is now online.
Your Download-Link: http://rapidshare.de/files/14495499/mpx200_wm5_bin_B00FF.7z.html
To extract the files you must use the 7zip archiver, www.7zip.org
What? Is this a fixed WM5 version?
Does it work without the need of the SD?
NO
This version NEEDS SD
Is there ANY chance to remove some files (images, sounds, maybe some programs) from the WM5 ROM and make it work without the need of the SD?
I believe then the OS would be STABLE and work faster.
Let's give it a try!!!
What do you think?
part1.bin contains Magneto that uses the built-in flash memory (WM5 build 14122).
It is necessary to correct it a little. Find in the firmware
Code:
0BFC440: 65 6D 72 65 67 69 73 74 │ 72 79 2E 64 6C 6C 00 44 emregistry.dll D
0BFC450: 65 76 41 75 74 68 2E 65 │ 78 65 00 62 74 68 61 74 evAuth.exe bthat
and change DevAuth.exe to AuthDev.exe to disable the Device ID check.
But this firmware contains one more "protection": it works before some date.
If before flashing you set the date to 2004, it works normally. With the current date, it shows a modal system window with the message that it is the version for developers.
How to disable this "protection" is not known yet.
And nothing is known about locking the registry in this firmware.
PS: In the firmware, a ROM structure similar to 2002/2003 is used. Use dumprom to extract the files.
PPS: My page is updated. Added a simple manual about firmware and tools.
mamaich said:
I've uploaded ROM dump to uploads/mpx200_dump directory on xda-developers FTP.
Can you please upload this dump somewhere once again? as it seems /mpx200_dump is already deleted from FTP.
Hello!
Thanks to people from this forum I've managed to assemble from various sources the files required to dump, build and flash back to the device a WM6 English ROM. It is not a "plug & play" style kitchen yet, so I call it "ROM Kitchen essentials".
Most of the files are made by other people. My part was the converter and flasher hacking. As for now, you have to edit the dumped ROM absolutely manually. There is no support for initflashes.dat automation. You may want to use rgucomp to make changes to default.hv and user.hv.
Thanks go to (not in any order):
trinca
mamaich
bepe
itsme
faria
double_ofour
yhauwang
and many others...
Actual version is 0.1 and RAR archive is about 50Mb.
All required files (including WM6 Eng ROM distribution and flasher) can be downloaded from:
h**p://www.r*pidshare.com/files/47189318/Juggler_Samsung_WM6_Eng_ROM_Kitchen_0.1.rar.html
You also may want to download original WM6 English ROM from here:
h**p://r*pidshare.com/files/45439904/Juggler_WM6_i718ZMGF4_PDA_Eng.rar.html
And radio firmware (required for some i71x to work with WM6):
h**p://r*pidshare.com/files/45950071/Juggler_WM6_i718ZMGF4_Phone_Eng.rar.html
In case somebody doesn't know how to flash Samsung i71x devices:
Make a backup!
Have your firmware at hand so in case of trouble you can flash your original firmware back!
Turn off the device.
Disable all ActiveSync connectivity (usb, comm, etc).
Run the flasher and click start.
Hold the "down" button on the device and turn it on while holding "down".
The flasher recognizes it and starts to flash.
After flashing, make a hard reset.
If GPRS/EDGE does not work, your radio firmware is not compatible with the new WM6. You have to go back to your original firmware or flash a new radio!
To flash new radio firmware you should have a SPECIAL FLASHING CABLE for Samsung phones! It is not the one that comes with the device!
Now you have the options to buy such a cable, build one yourself, flash your original firmware back or continue using WM6 without GPRS/EDGE - it is your choice.
So - to flash WM6 you need the usual usb cable. The new WM6 will probably work with your radio. If not - you should flash the radio!
Special flashing cable is the cable with USB-Serial adapter or plain serial cable:
h**p://www.fonefunshop.co.uk/datacables/samsung.htm
Search for UNLOCK / FLASH CABLES and you'll see
"Samsung D800 - T809 - E900 - D900 USB Cable
This cable is needed to unlock / flash the Samsung D800 - T809 - E900 - D900 etc."
Notice the difference with the usual USB cable supplied with device!
Have you read my thread on the Samsung i60x?
Hello, there,
Please refer to this thread:
http://forum.xda-developers.com/showthread.php?t=316647
It seems very familiar to the i600. I will download your image just for the sake of taking a look... The ROM with header B000FF is prepared with the Romimage tool from the MS WCE IDE and is named the Run-time image; the nb0 ROM (that works with the WM5 kitchen) is prepared by Romimage by splitting the nb0 ROM into 128 KB records, and a header is added containing start address, record length and Checksum 32. Then all these chunks are added together and compressed with another tool named compbin; the "encryption" you are seeing is no other than the aftermath of this compbin tool.
If you read my thread you will find I was able to extract the flat image using cvrtbin (also another MS tool that comes with Visual Studio). You may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) and so on.
Making the ROM back to the B000FF format is going to be the trouble. Again, read the thread.
There is also an excellent article on Mobilepro BIN ROMs made by cmonex; you can get a copy of that tutorial inside his Romtool package, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca
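The record layout described in this post (signature, then records carrying a start address, a length and a 32-bit checksum), as an added example that is not code from the thread or from splitrom. It assumes the standard uncompressed Windows CE .bin layout: a 7-byte `B000FF\n` signature, image start and length, records of address/length/checksum plus data, and a terminating record with address 0 whose length field is the entry point. It does not handle compbin-compressed images; the sample image and all function names are constructed for illustration.

```python
import struct

MAGIC = b"B000FF\n"   # 7-byte signature of an uncompressed .bin image


class BinFormatError(ValueError):
    """The blob does not follow the assumed record layout."""


def parse_b000ff(blob: bytes) -> dict:
    """Split a .bin image into header fields and checksum-verified records."""
    if blob[:7] != MAGIC:
        raise BinFormatError("missing B000FF signature")
    if len(blob) < 15:
        raise BinFormatError("truncated image header")
    start, length = struct.unpack_from("<II", blob, 7)
    pos, records, entry = 15, [], None
    while pos + 12 <= len(blob):
        addr, size, csum = struct.unpack_from("<III", blob, pos)
        pos += 12
        if addr == 0 and csum == 0:      # terminator: length field = entry point
            entry = size
            break
        data = blob[pos:pos + size]
        if len(data) != size:
            raise BinFormatError("record at 0x%08x is truncated" % addr)
        records.append({
            "addr": addr,
            "data": data,
            # Checksum is the plain byte sum, truncated to 32 bits.
            "checksum_ok": (sum(data) & 0xFFFFFFFF) == csum,
        })
        pos += size
    if entry is None:
        raise BinFormatError("no terminating record")
    return {"start": start, "length": length, "entry": entry, "records": records}


def flatten(image: dict, fill: int = 0x00) -> bytes:
    """Rebuild the flat memory image; refuse bad checksums and stray records."""
    flat = bytearray([fill]) * image["length"]
    for rec in image["records"]:
        if not rec["checksum_ok"]:
            raise BinFormatError("bad checksum at 0x%08x" % rec["addr"])
        off = rec["addr"] - image["start"]
        if off < 0 or off + len(rec["data"]) > image["length"]:
            raise BinFormatError("record at 0x%08x is outside the image" % rec["addr"])
        flat[off:off + len(rec["data"])] = rec["data"]
    return bytes(flat)


def gaps(image: dict) -> list:
    """Return (address, size) ranges of the image that no record covers."""
    holes, cursor = [], image["start"]
    for rec in sorted(image["records"], key=lambda r: r["addr"]):
        if rec["addr"] > cursor:
            holes.append((cursor, rec["addr"] - cursor))
        cursor = max(cursor, rec["addr"] + len(rec["data"]))
    end = image["start"] + image["length"]
    if cursor < end:
        holes.append((cursor, end - cursor))
    return holes


def build_bin_sample(start: int, chunks: list, entry: int) -> bytes:
    """Constructed sample image built from (address, data) pairs."""
    end = max(addr + len(data) for addr, data in chunks)
    out = bytearray(MAGIC + struct.pack("<II", start, end - start))
    for addr, data in chunks:
        out += struct.pack("<III", addr, len(data), sum(data) & 0xFFFFFFFF) + data
    out += struct.pack("<III", 0, entry, 0)
    return bytes(out)


# Constructed addresses and contents, not taken from any real ROM.
SAMPLE = build_bin_sample(
    0x80040000,
    [(0x80040000, b"first-record-16b"), (0x80040020, b"constructed XIP data")],
    0x80041000,
)

if __name__ == "__main__":
    img = parse_b000ff(SAMPLE)
    print("start 0x%08x length 0x%x entry 0x%08x" % (img["start"], img["length"], img["entry"]))
    print("gaps:", [(hex(a), n) for a, n in gaps(img)])
    print("flat image bytes:", len(flatten(img)))
```
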
Thanks trinca, at least I have something to read to start with. But the first thing a can't figure out how correctly RIP rom image from EXE file and then after modifing it PUT it back to flasher. There s.b. some proprietary tools for samsung phones or pdas.
Extracting the i718 ROM image: a suggestion
JugglerLKR said:
Thanks trinca, at least I have something to read ...
My friend, we are all navigating uncharted waters..., this requires some research, and the courage to flash the phone with the outcome of your research.
Please read my post:
http://forum.xda-developers.com/showthread.php?p=1371344#post1371344
It will give you a hint on how I found out how to extract the O/S payloads for the i60x; I am pretty sure it may work for your model as well. A quick look at your executable shows the arrangement may be similar. I would say for the i718 the O/S ROM is located last, as it is on the i60x, starting at address 0x01620000 now, just by looking for the end indicator (following the string B000F, 0x0A, 0x00000000 which is the ROM start address, 0x00CA5F03 which should be the offset -little endian-, actually would be 035FCA00). However, note that the runtime image is compressed using compbin during preparation, therefore I would guess it is a little beyond that. You may have to do some research here.
Start by cutting the area surrounding such an offset and use viewbin to determine the offset length and cvrtbin to find if your cut was successful.
BTW it would be nice to find a tool to just decompress B000FF Runtime ROMs (unlike cvrtbin, which converts and decompresses Runtime images).
One other thing you may do is to use xdautils, you may find those here:
http://wiki.xda-developers.com/index.php?pagename=XdaUtils.
This collection of utilities has pdocread allowing you to extract the contents of raw partitions in the pda. Make sure to use the handle to extract each raw partition.
Regards,
Trinca
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
JugglerLKR said:
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
To decompress the image:
Get a tool named viewbin, also part of the MS PE, run it on your file and it will tell you the start address and the offset of the img files. Then use this information with cvrtbin. If viewbin reports the start address is 0, then use 1 in cvrtbin, otherwise the extraction will fail.
To use PDOCREAD, you run it from your computer; it will install itsutils.dll in your phone and you must accept this on the smartphone. Your phone must be unlocked to do that and the policies set to allow unsigned applications to be installed in your phone. To accomplish the above you need to modify the registry on the phone. See how it is done here:
http://www.modaco.com/index.php?showtopic=244205
To dump the ROM with PDOCREAD, see a detailed procedure here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom
Be informed some phones like the i607 require the disk kernel handle, reported with pdocread -l, if you follow the procedure in the above link with no results, then add the disk handle.
Wish you good luck....
Can Anybody help PLEASE????
I have a i718 but it was bought in China and the OS is in Chinese. The blur me can only read English. Is the ROM in English? If I were to download it (still struggling now with the Russian words), how can I change it? All I need is the phone to be in English. I do not need to improve anything as WM5 is good enough. I know I am a newbie and I might not be in the right thread. Can anybody please help? Any links to show "how-to-change the ROM" would be most appreciated. Thank you in advance
Your phone is also known as i710
Your phone Samsung i718 is the Chinese version of the Samsung i710; all you have to do is to install the phone serial/modem drivers from the companion CD and place the phone in bootloader mode. If you get the ROM package cited above in the first post of this thread by JugglerLKR you will find complete instructions on how to download the ROM into your phone.
Good Luck!
Thank you
Thank you very much for the quick response sir! Really appreciate it. I finally managed to download the ROM and will give it a go this weekend. Wish me luck. I will be reading more to make sure I am doing the right thing as I am definitely a nOObie. First time flashing a phone.
I looked at the CD that came with my phone and the only thing I see is the ActiveSync 4.2. Worst of all, everything seems to be in Chinese. Guess I have to do more research to see where I can get the drivers you mentioned. There are also a lot of things I do not understand like bootloader, how to do a hard reset, etc. I will continue searching and reading and will post the development of my virgin "flash" as I move along.
Thank you once again.
Trinca - so I dumped my ROM from device to .raw files. What can I do with them now? viewbin shows only zeros on b000f .bin image extracted using winhex from .exe
Use Mamaich's ROM Kitchen
You can find instructions to do some cooking and tools here:
http://forum.xda-developers.com/showthread.php?t=249836
This is self-explanatory, tell me if this is enough or you need some extra info. Once finished, the trouble would be to put that back in B000FF format for flashing, as there is no tool to do that yet, and you can't just download a raw image back into the phone. The Runtime image is formed as follows:
Byte      1--2--3--4   5--6--7--8   9-10-11-12   <---------- 128 KB ---------->
Record 0  42-30-30-30-46-46-06  <Start add>  <length of ROM>
          (42-30-30-30-46-46 = B000FF in ASCII; 06 = end of header B000FF)
Record 1  <Address>    <length>     <CHKSUM32>   <--- Chunk of raw image --->
Record 2  <Address>    <length>     <CHKSUM32>   <--- Chunk of raw image --->
   ...
Last Rec  00-00-00-00  00-00-00-00  00-00-00-00
I am doing some crazy splitting and Hex scripts to achieve that, but it is a pain in the neck. So I have decided to make a proggie to help me out with that. Please see the thread
http://forum.xda-developers.com/showthread.php?t=316647
on the 2nd post you will see what I am talking about.
Regards,
trinca
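The record layout trinca describes above, as an added Python example that is not part of the original thread or of any tool it mentions: it wraps a flat image in uncompressed B000FF records and parses them back, checking every record. Assumptions: the signature ends in 0x0A as given earlier in the thread, all fields are little-endian 32-bit, CHKSUM32 is the byte-wise sum of the record data, the terminating record carries the entry address in its length field, and compbin compression is not handled.

```python
import struct

SIGNATURE = b"B000FF\n"      # 42 30 30 30 46 46 0A (0x0A as quoted earlier in the thread)
RECORD_SIZE = 128 * 1024     # chunk size named in the post


def checksum32(data: bytes) -> int:
    """Byte-wise arithmetic sum truncated to 32 bits (assumed CHKSUM32 algorithm)."""
    return sum(data) & 0xFFFFFFFF


def build_b000ff(raw: bytes, start: int, entry: int = 0) -> bytes:
    """Wrap a flat image in uncompressed B000FF records of at most 128 KB."""
    out = bytearray(SIGNATURE)
    out += struct.pack("<II", start, len(raw))           # record 0: start, ROM length
    for off in range(0, len(raw), RECORD_SIZE):
        chunk = raw[off:off + RECORD_SIZE]
        out += struct.pack("<III", start + off, len(chunk), checksum32(chunk))
        out += chunk
    out += struct.pack("<III", 0, entry, 0)              # terminating record
    return bytes(out)


def parse_b000ff(blob: bytes):
    """Return (start, length, entry, flat_image); raise ValueError on any inconsistency."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("missing B000FF signature")
    pos = len(SIGNATURE)
    if len(blob) < pos + 8:
        raise ValueError("truncated header")
    start, length = struct.unpack_from("<II", blob, pos)
    pos += 8
    flat = bytearray(length)
    while True:
        if pos + 12 > len(blob):
            raise ValueError("no terminating record")
        addr, rlen, csum = struct.unpack_from("<III", blob, pos)
        pos += 12
        # Terminator: address 0, checksum 0, nothing after it. Requiring end of
        # file keeps an all-zero data record at address 0 from being misread.
        if addr == 0 and csum == 0 and pos == len(blob):
            return start, length, rlen, bytes(flat)
        data = blob[pos:pos + rlen]
        if len(data) != rlen:
            raise ValueError(f"record at 0x{addr:08X} is truncated")
        if addr < start or addr + rlen > start + length:
            raise ValueError(f"record at 0x{addr:08X} lies outside the image")
        if checksum32(data) != csum:
            raise ValueError(f"checksum mismatch at 0x{addr:08X}")
        flat[addr - start:addr - start + rlen] = data
        pos += rlen


if __name__ == "__main__":
    # Constructed sample: 300 KB of patterned bytes at a made-up start address.
    sample = bytes((i * 7) & 0xFF for i in range(300 * 1024))
    image = build_b000ff(sample, 0x80040000, entry=0x80041000)
    start, length, entry, flat = parse_b000ff(image)
    print(f"start=0x{start:08X} length=0x{length:X} entry=0x{entry:08X}")
    print("round trip ok:", flat == sample)
```

An image that has been through compbin will fail the checksum or bounds checks here, which is a quick way to tell a compressed Runtime image from a plain one.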
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working, as it cannot accept 0x00000 as start address
JugglerLKR said:
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working, as it cannot accept 0x00000 as start address
Start address = 0001ffe0
So, How to convert dumped LZX packed rom to B000F format for flashing to device?
How to convert dumped LZX packed rom to B000F format
Please refer to my thread:
http://forum.xda-developers.com/showthread.php?p=1392761#post1392761
I am unable to download your file (can you post it on rapidshare or megaupload?). I am in the same situation as well but I applied the English patch from asukal and Buzzlightyear and it worked .. I now have a device in English ... I am waiting for the firmware in English.. I have wm6 roms in Chinese that I have not tested ...
I also have a i710 rom but it's also a .bin file dumped from a i710 device ...
Hope this helps,
-Hau
I have uploaded several files... Can you tell me which one you have trouble with?
trinca
Oops ... My message was intended for Juggler uploading his ROM ...
Thanks,
-Hau
Thanks to trinca and bepe, mamaich and many others I've managed rom kitchen essentials - look at first page.
i downloaded your flasher but why when i run i718ZMGF4_PDA_Eng, i click detect but nothing detected....
phone is on and connected via active sync
Hi,
I need help with my Ipaq 6955......I got a French version and I need an English rom to flash, I have tried the thread that talks about the 6915 but it does not work...
Please help, need an English rom for it and if someone has a wm6 rom for this model please let me know
Welcome to the club!
http://forum.xda-developers.com/showthread.php?t=325051
Might help.
Anyways you (and I) need a ROM or ROM upgrade that is in English (F*ckin HP doesn't provide it!!). Anyways PM me; I can give you the dumps of an English ROM (I dumped it with pdocread, see link above), but I haven't tried to pdocwrite it, so more or less it's a shot in the dark (dawn?). If you want more info about my dilemma see my last post in the above discussion. http://forum.xda-developers.com/showthread.php?t=325051&page=3
Anyways PM if you want those dumps
I guess there is another option available, e.g. modify the registry and add some MUI files (haven't researched that option yet)
To convert nb to nbf there is a solution, but some questions stay unanswered...
During an upgrade, RUU uses wdatas which seem to use signature (source: hermes forum...). We don't have information about wdata command availability in bootloader mode.
In fact, the English dump you made is a CEOS file with header and some imgfs_removed_data.bin information.
I tried to use a dump to create a CEOS file which could be disassembled as any other ipaq69xx ROM, but RUU hangs and the upgrade fails.
If we could know why the upgrade fails (checksum test, signature...), we could try to find a way to bypass it.
After this step, it will be easy to cook some ROM.
One more problem is G3 and G4.... Is it supposed to be the same G3/G4 difference than for wizard?
to b0ris747
In another thread earlier you gave this link http://forum.xda-developers.com/showthread.php?p=1480853
Just went through the whole thing - relevant but not helpful. For short:
1) Extracting the osrom.nb using pdocwrite. To be frank I didn't like the usage of the -d flag (device name) and -p (windows assigned) partition name. It makes things very confusing (if you try to actually follow the procedures, not only re-type) because there are duplicates of device names TrueFFS and duplicates of partition names Part00 Part01 etc. If someone wants to understand the pdocread.exe flags and usage please read the following thread where itsme explains it all: http://www.spv-developers.com/forum/showthread.php?t=2888
2) That thread describes a method to extract the directories of an OSrom image (using these tools http://forum.xda-developers.com/showthread.php?t=249836)
So this action helps to cook (modify the OSrom's files) and then put them back into .nb (.raw format that is not a flashable .nbf/nba)
3) Also describes how to extract various roms (Osrom, Extrom, RadioRom) from a different type of flashable rom .nbh Basically (not getting into depths, just to better describe it) .nbh is a .nbf/nba rom container used in flashable updates onto other HTC devices. This procedure is completely irrelevant to Sable/hw6915, but we can skip that.
4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that its header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new cooked rom is legit. This might come in handy someday.
5) The next step is to make a .nbh file container using HTC ROM Tool by Dark Simpson. This is completely irrelevant because sable does not use .nbh
Anyways that is as far as I go with my backup which cannot be restored.
pdocwrite
Right now I'm researching the possibility to just simply restore the osrom using the pdocwrite utility from the itsutils package. It seems the only simple, clear (and possible) option w/o cooking.
But I have some questions regarding that:
1) If my partitions are as follows :
63.94M (0x3ff0000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
51.22M (0x3337e00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
STRG handles:
handle f3f54ee2 51.22M (0x3337e00)
handle 93f54212 56.75M (0x38c0000)
handle 13f54026 3.19M (0x330000)
handle 33f54002 3.06M (0x30fc00)
What to dump - just the 56.75 megs from the 93f54212 handle or all 64 megs I can access using this handle? As I understand it, the little partitions (first little) are also part of osrom containing xip and spl, but I don't want to change the SPL nor other things, just flash the Spanish rom with a copy of an English hw6915 rom which also happens to have additional software like tomtom for example.
2) And the second is about CID. Like b0ris, I'm also bothered about the G3/G4 thing. My bootscreen shows
English iPAQ 1.00.00
1.21UK
Spanish iPAQ 1.00.00
1.50
So I guess that I have G3 CID lock, but which tool should I use to unlock?
3) Can I even pdocwrite the OsRom when it is used by windows mobile? Though the guys developing aWizard say yes (I studied their bat file which executes the same pdocwrite and pdocread utils) http://forum.xda-developers.com/showthread.php?t=252957&highlight=awizard
rx-8 said:
4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that its header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new cooked rom is legit. This might come in handy someday.
I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format. The problem is in the upgrade. Some checksum/certificate verification made the upgrade fail. I don't know if this comes from the RUU or from the device.
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
The question I would like to answer is: Does the RUU tool send the checksum data to be verified on the device (hard to fix) or check it on the PC, then send to the device (simple crack!)...
A simple way to answer it would be to upgrade the device using an official ROM, tell me what ROM you used (Orange, Bouygues, German, Spanish) and we'll see if the additional data is sent or not.
If you got the solution about this, I have some ROMs... ROM headers are OK, ROM can be decompiled as any official ipaq ROM (except the Orange one), but ROM cannot be upgraded...
Of course pdocwrite should write, but we have to find where the CID lock is
CID in hw6915
I think one developer may have the answer to our questions about the CID
wikidorg said:
Well, I took the French Orange sable_ruu, and it works every time when flashing my 6915... The only rom for that update utility is in French.. i looked on internet and i've found sp's from HP, downloaded all, but none in English... Just for fun, i've hexedited every one of these sp's CEOS.nbf with that working French header from original Orange sable update...Then i flashed using sable_ruu from Orange package and i changed 3 or 4 different languages... it worked every time, all was ok... but still no English CEOS.nbf in order to change language to English using the same method... So now i am looking for HP 6915 original softpack from HP, and that should also work in the same manner... If someone has it, i can give it a try... Meanwhile, that's no problem for German, Spanish, Italian and Dutch (i think) languages... These are the only softpacks i've found till now...
He explains some of his techniques in this thread http://forum.xda-developers.com/showthread.php?t=325051&page=3
b0ris747 said:
Of course pdocwrite should write, but we have to find where the CID lock is
It's a pity though he didn't mention what he'd done with the CID lock thing.
I already PMed him this morning but no response yet. Let's just give him a little bit of time and hope for the best
b0ris747 said:
I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g. extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successful. Anyways please post here what changes you have made to mamaich tools.
b0ris747 said:
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
BTW my devices are original HP (one English and one Spanish) with no operator's contract bugging me. So please upload your English rom to this forum, rapidshare or my FTP server.
You may want to open the below link in IE or some FTP client app.
ftp://xda:[email protected]:82
I would very much appreciate it because I only have my dumped .nb rom
rx-8 said:
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
if (argv[argc][1] == 'i')
{ rate=0x10089; step=0x10000; skip=0x89; }
it's in the last page of the mamaich thread, and I created a specific thread on the hw69xx forum
rx-8 said:
And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g. extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successful. Anyways please post here what changes you have made to mamaich tools.
Yes, the ROM stored in DOC is un-encapsulated, unlike current upgradable ROMs. That's one of the points that makes official ROMs upgradable. The other point is "What's contained in the unknown data zones, is it sent to the device for checksum verification or can we bust this verification by cracking RUU?"
rx-8 said:
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
try to find some information... I didn't find any and used the same software as he used...
rx-8 said:
I would very much appreciate it because I only have my dumped .nb rom
There is another ROM dump available here on the forums
I can dump my 6965 ROM for you if you like. This is the Australian (English) model.
http://h10010.www1.hp.com/wwpc/au/en/sm/WF05a/1090709-1113753-1113753-1113753-1117925-12573438.html
Please dump bootloader too if possible.
If you can dump the bootloader part, it would be great to have it.
I'm asking this because in sable_RUU I'm seeing weird things
-The updater seem to be made to all hw6xxx series
-Very easy to track!
-Seem to be made for wdata command and wdatas command.
So my new question (last one was: "are the extra data of the NBF sent to the device, or checked by sable_RUU?") is:
"In bootloader mode, do you have wdata command or wdatas command?"
And:
"Is it just for hw65xx devices (if confirmed to work) or is it because of some preproduction devices who have a special bootloader (like the HERMES)?"
And that's why having a backup of an unmodified bootloader would be great! Just in case we need it later!
dump using what?
Hi!
I know that it is impossible to dump IPL using pdocread, so I can dump only the SPL (to be frank I don't know the offset and size of the SPL) so if you can link me to a SPL dump manual that would be very nice. If not I can give you my whole Osrom partition dump (including the xip and other stuff - the 6.25 megs before real Osrom) (see my ftp rx-8_en_dump folder)
If you want me to dump bootloader using bootloader mode I must say that I wasn't able to access it (pressing action button+power+soft reset), any suggestions?
Similar post on Sable flashing!
http://forum.xda-developers.com/showthread.php?p=2577170#post2577170