Please help with extracting files from non-xda ROM CE 4.0 - Windows Mobile Development and Hacking General

I did a dump of a non-xda device running CE 4.0 .NET and am trying to extract the individual files. Here are the first bytes (0x00-0x3F):
00000000 4230 3030 4646 0A00 0022 0068 F5F5 0100 B000FF...".h....
00000010 0022 0010 0000 0057 0700 0090 9090 90E9 .".....W........
00000020 0F2F 0000 9090 9090 9090 9040 0022 0008 ./.........@."..
00000030 0000 0087 0200 0045 4345 432C B217 8200 .......ECEC,....
I have tried to use splitrom.pl to convert it to a format that dumprom.exe would accept.
"splitrom.pl dtr.bin -wo out.bin" creates an empty binary file
and..
Webpad_CE4>splitrom.pl dtr.bin
B000FF image: 00220000-0217f568, entrypoint: 00222f18
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
Microsoft's viewbin.exe yields plenty of good results, but I am not sure how to apply them to splitrom.pl and dumprom.exe. Knowing the starting offsets and lengths of the individual files in ROM, can I manually extract/decompress files from the ROM? Do I need the XIP chain to do this?
Thanks!

Success using dumprom on B000FF file type (non-xda)
Had to convert the nk.bin to a file that dumprom recognized using the Platform Builder tool "cvrtbin.exe". This created an nk.nb0 file that was dumped with dumprom.
The image start and length parameters for cvrtbin were obtained using viewbin.exe:
cvrtbin.exe -r -a 00220000 -l 01F5F568 -w 32 nk.bin
Then I could dump the files using dumprom:
dumprom -3 nk.nb0 -d c:\dump
Had to use the -3 decompression option even though this is a Win CE 4.0 .NET ROM.

Related

HOW TO:replace a module in wm5 rom

Two ROMs, which I dumped using the imgfs tools:
dump_MemoryMap_1.txt -- rom1
01130000 - 01133FFF ( 16383 bytes): HTCcamera.dll
dump_MemoryMap_2.txt -- rom2
011A0000 - 011A3FFF ( 16383 bytes): HTCcamera.dll
I want to replace HTCcamera.dll in rom1, so I copied the HTCcamera.dll directory from
rom2\dump to rom1\dump, and then changed e32_vbase and o32[?].o32_realaddr to 01130000 in imageinfo.txt and imageinfo.bin.
Then I built the ROM and flashed it to the device, but it doesn't work.
What's wrong with my procedure?

HTC Artemis ExtROM working again

This message is intended for all of you who tried to unlock the ExtROM of the HTC Artemis and ended up with a non-working ExtROM.
I am not sure I can document 100% how I achieved it, but I will try to do my best.
You will need:
-collection of tools attached to this post
-WinRAR http://www.winrar.com/
-Winimage http://www.winimage.com/
First you will need an ExtROM image file; it's part of the .nbh image, which you can unpack from the original update using WinRAR.
To extract the extended ROM image use the tool NBHextract.
command: NBHextract image.nbh
It will extract about 6 .nb files, one of which will be xx_ExtROM.nb.
You can check the content of the image with WinImage; you can also customize the image by removing or adding other cab, xml or exe files.
Remember, only signed files will be executed.
Connect the phone to the PC; you don't need to configure ActiveSync for synchronization.
From a command prompt run the following commands to enable RAPI:
cecopy EnableRapi.cab dev:\
cecopy Cert_SPCS.cab dev:\
cerun.exe -b CE:\Windows\wceload.exe \Cert_SPCS.cab /noui
cerun.exe -b CE:\Windows\wceload.exe \EnableRapi.cab /noui
pdocread -l
The STRG handles section of the output is what we need for the next commands.
STRG handles:
handle cdfc4c7e 1.89G (0x79120e00)
handle 8e9e43d2 14.99M (0xefc400)
handle aea981c6 38.24M (0x263e000)
handle eeae71ae 50.95M (0x32f4000)
handle cfb25ef6 2.94M (0x2f0000)
handle 2fb25ea2 3.06M (0x30fc00)
Insert the handle "code" of the ExtROM partition (the one about 15 MB big) into the following commands:
one for reading the current ExtROM from the phone
pdocread -h 0x8e9e43d2 0 0xf00000 extrom.ima
and the other for writing the prepared image to the phone
pdocwrite -h 0x8e9e43d2 -v extrom.nb 0x000000 0xf00000
Remember, the handle code changes on every restart.
After you write the image to the phone, do a hard reset.
Press both soft keys and use the stylus to press the soft-reset button; keep holding the soft keys until a message appears, then press the green answer/call button to format the phone (hard reset).
After the hard reset and completing the touch-screen alignment wizard, the ExtROM automatic setup should load like before.
Remember, after a hard reset you need to re-enable RAPI if you want to read or write the phone again.
Your device doesn't have to be CID unlocked to be able to write the images to the phone using this procedure.
Although this procedure seems pretty easy, be careful. Be sure you have at least one working shipped update from your provider in case things go wrong.
I have also successfully written the OS.nb from the original HTC shipped update and from PDAmobiz releases with the same procedure.
Good luck!
Finally... using this method I've managed to repair my ExtROM. A few weeks ago I deleted all files in the extended ROM (using Total Commander) and was never able to restore it again (copying files gave error message 29, access denied). Now it's all restored again... jaaaaiiii
Instead of a hard reset I did a soft reset, because I didn't want to install all the apps again.
This is great! I'm now using my own customized Ext_ROM. Thank you very much.
Does this method allow one to unhide and unlock the ext_rom? Up to now I have not been able to really unlock the ext_rom.
thanks,
apap said:
Does this method allow one to unhide and unlock the ext_rom? Up to now I have not been able to really unlock the ext_rom.
No, this is not for unlocking or unhiding the ext_rom. With this method you can just customize (add or delete files in) your ext_rom image file on your PC. Then you can write your customized ext_rom back to your Artemis.
size of ext rom
I need to change the size of the ExtROM on the Artemis.
regards.
Not working properly(((
Hi
I used the method described above to rewrite my ExtROM with new items in it. It went OK, BUT the issue is that now the ExtROM doesn't start automatically after a hard reset... it just sits silently in memory, that's it. Can anyone help to activate it?
Thanks
Hi, I have one problem: I'm stuck on the handle step. What is a handle? How can I see the right handle code? And how can I rebuild the custom ROM and install it on my phone?
bye.
STRG handles
Hi PiGeonCZ
thanks for your method
Please explain which STRG handles/volumes are associated with Windows.nb, Radio.nb, IPL.nb etc., as for example I wanted to upgrade my radio.nb or os.nb but don't know which handle to work with.
And how do I activate the ExtROM, as it now doesn't load itself after a hard reset.
thanks
PiGeonCZ said:
(quoting the ExtROM procedure above)
If I want to read OS.nb, which is the correct command?
pdocread -h 0x8e9e43d2 0 0xf00000 extrom.ima is your example; 0 (zero) is the disk partition of the ExtROM, so can I put 3 (three), the partition of my OS (58 MB) ROM, and 0xf000000? Is that right?
e.g. pdocread -h 0x???????? 0 0xf000000 OS.ima (? = my handle), is that right???
Work Great
For PiGeonCZ, I need your help with two questions:
I've done all your steps, and I can read the whole ext-rom from another P3300 and write the new one to my O2 phone, but when I do the hard reset the ExtROM still loops when it tries to install ttn.cab. Why? I've tried deleting ttn and the corresponding line in config.txt, but the ROM still loops when it tries to install the next file (default page...).
My second question is about the OS dump. My friend has the original Italian version of the P3300, and he dumped his whole OS.nb with this parameter:
e.g. pdocread -h 0x???????? 0 0xf000000 OS.ima (? = his handle), is that right???
0f000000 (one zero more than the ExtROM example, right?)
But at the end of the process he got an error about being unable to read the right sector. Why? Is there a way to back up the OS.nb, and how can I check whether it was dumped correctly? (Do you know any program to read .nb files?) Do you know any program to recompile the .nba ROM?
best regards.
@thefamous
Try putting the lines with the ttn setup at the end of config.txt, before the "LOCK: Disabled" line. It worked for me.
This thread is about the ExtROM; please keep it clean of other things.
Anyway, you don't need to use handles when reading the whole OS image. Try the following command: pdocread 0 0x3900000 OS.nba
PiGeonCZ said:
@thefamous
Try putting the lines with the ttn setup at the end of config.txt, before the "LOCK: Disabled" line. It worked for me.
This thread is about the ExtROM; please keep it clean of other things.
Anyway, you don't need to use handles when reading the whole OS image. Try the following command: pdocread 0 0x3900000 OS.nba
Thanks, I tried changing the line of the ttn setup in config.sys, but now it still loops on PP_DefaultPage_WWE.CAB. I tried modifying this line (cut and paste it below the LOCK: line), but it still loops on the other file... do you have any solution? I'll try to reinstall the original ExtROM, which works fine.
This is my original config.sys:
LOCK:Enabled
EXEC:\Windows\cusTSK.exe \Windows\HTC_Default.tsk
CAB: \Extended_ROM\MP_CVSDcpl_20060718.cab
XML: \Windows\MP_MMS3.5_HTC_Generic_Artemis_060818.xml
CAB: \Extended_ROM\PP_DefaultPage_WWE.CAB
XML: \Extended_ROM\PP_ExtVer.xml
CAB: \Extended_ROM\MP_ttn.cab
CAB: \Extended_ROM\MP_TT6_Voice13_ITA.cab
CAB: \Extended_ROM\PP_RemoveBTlnk.cab
CAB: \Extended_ROM\ST_PatchPeripheral.cab
CAB: \Windows\PP_CommManager_Patch_060808.CAB
EXEC:\Extended_ROM\ChgScutAttri.exe
LOCK:Disabled
RST: Reset
P.S. Which is the write command for OS.nba? Is this the right command: pdocwrite OS.nba 0 0x3900000? Thanks
@thefamous
I am sorry, but I don't know what could be wrong; for me it worked putting the freezing cabs just above the LOCK: DISABLED line.
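The troubleshooting in the last few posts (the install loop, the garbled LOCK line, and the advice to move the offending cab to just before LOCK:Disabled) all comes down to the order and presence of the directives in the ExtROM's config.txt. The following is an added example, not code from the thread or from HTC: it parses a config.txt, checks that it starts with LOCK:Enabled, has exactly one LOCK:Disabled followed only by RST, and that every CAB/XML/EXEC target actually exists in the image, and implements the "move it before LOCK:Disabled" fix. The directive format it assumes (DIRECTIVE:argument, one per line) is taken only from the single listing posted above, so it is an assumption, and the sample is that listing with the garbled LOCK line restored.

```python
import re

# config.txt as posted above, with the garbled "LOCK" line restored to LOCK:Disabled.
SAMPLE_CONFIG = r"""LOCK:Enabled
EXEC:\Windows\cusTSK.exe \Windows\HTC_Default.tsk
CAB: \Extended_ROM\MP_CVSDcpl_20060718.cab
XML: \Windows\MP_MMS3.5_HTC_Generic_Artemis_060818.xml
CAB: \Extended_ROM\PP_DefaultPage_WWE.CAB
XML: \Extended_ROM\PP_ExtVer.xml
CAB: \Extended_ROM\MP_ttn.cab
CAB: \Extended_ROM\MP_TT6_Voice13_ITA.cab
CAB: \Extended_ROM\PP_RemoveBTlnk.cab
CAB: \Extended_ROM\ST_PatchPeripheral.cab
CAB: \Windows\PP_CommManager_Patch_060808.CAB
EXEC:\Extended_ROM\ChgScutAttri.exe
LOCK:Disabled
RST: Reset
"""

# DIRECTIVE:argument (assumed format, from the listing above); a line such as
# "LOCKisabled" with the colon eaten by the forum software does not match.
LINE_RE = re.compile(r"^\s*([A-Z]+)\s*:\s*(.*?)\s*$")
LOCK_ON, LOCK_OFF = ("LOCK", "Enabled"), ("LOCK", "Disabled")


def parse_config(text):
    """Return [(directive, argument), ...]; blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {n}: not a DIRECTIVE:argument line: {raw!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def render(entries):
    return "".join(f"{d}:{a}\n" for d, a in entries)


def validate(entries, available_files):
    """Return a list of problems. available_files: paths present in the image
    (compared case-insensitively, as the FAT image is)."""
    problems = []
    if not entries or entries[0] != LOCK_ON:
        problems.append("config does not start with LOCK:Enabled")
    offs = [i for i, e in enumerate(entries) if e == LOCK_OFF]
    if len(offs) != 1:
        problems.append("expected exactly one LOCK:Disabled line")
    else:
        for d, a in entries[offs[0] + 1:]:
            if d != "RST":
                problems.append(f"{d}:{a} comes after LOCK:Disabled (installs belong before it)")
    if entries and entries[-1][0] != "RST":
        problems.append("config does not end with RST")
    known = {p.lower() for p in available_files}
    for d, a in entries:
        if d in ("CAB", "XML"):
            if a.lower() not in known:
                problems.append(f"{d} target missing from image: {a}")
        elif d == "EXEC":
            exe = a.split()[0] if a.split() else ""
            if exe.lower() not in known:
                problems.append(f"EXEC target missing from image: {exe}")
        elif d not in ("LOCK", "RST"):
            problems.append(f"unknown directive {d}")
    return problems


def move_before_unlock(entries, filename):
    """PiGeonCZ's fix: relocate the entry whose argument ends with filename to
    just before LOCK:Disabled. Returns a new list."""
    idx = [i for i, (_, a) in enumerate(entries) if a.lower().endswith(filename.lower())]
    if not idx:
        raise ValueError(f"{filename} is not referenced in the config")
    entry = entries[idx[0]]
    rest = entries[:idx[0]] + entries[idx[0] + 1:]
    if LOCK_OFF not in rest:
        raise ValueError("no LOCK:Disabled line to anchor on")
    unlock = rest.index(LOCK_OFF)
    return rest[:unlock] + [entry] + rest[unlock:]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    files = {a for d, a in cfg if d in ("CAB", "XML")} | {a.split()[0] for d, a in cfg if d == "EXEC"}
    print("problems:", validate(cfg, files))
    print(render(move_before_unlock(cfg, "MP_ttn.cab")))
```

Run it against the file listing of the .nb image (WinImage shows it) before writing the image back with pdocwrite: a cab that the config names but the image does not contain, or a LOCK line damaged in transit, is exactly the kind of defect that only shows up as a loop after the hard reset.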
Hi,
does it work for PDAmobiz ROMs too?
thefamous said:
(quoting the config listing above)
Try putting Cert_SPCS.cab first in the config list.
Hi, can you tell me where I have to do the first step with nbhextract.exe?
Or can someone send me an image of an XDA Orbit?
The command "pdocread -l" returns the following:
STRG handles:
handle 2e9d5306 2.00M (0x1ff800)
handle 4ea971d2 51.99M (0x33fcc00)
handle 8eae81ae 49.95M (0x31f2000)
handle 6fb26ef6 2.94M (0x2f0000)
handle 4fb26ea2 3.06M (0x30fc00)
so I don't see a 15M partition. Which handle should I use?
XDA Orbit extrom damaged
Hi to all..
Can someone tell me which address I must use from the info below to read/write
the ExtROM on the XDA Orbit?
Thanks
D:\ArtExtROMtools>pdocread -l
52.99M (0x34fe000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
54.96M (0x36f6000) TrueFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
2.00M (0x1ff800) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
2.00M (0x1ff800) TRUEFFS
| 3.06M (0x30fc00) Part00
| 2.94M (0x2f0000) Part01
| 46.99M (0x2efe000) Part02
1.87G (0x77a80000) DSK1:
| 1.87G (0x77a60200) Part00
STRG handles:
handle ee3083e6 1.87G (0x77a60200)
handle 8e9ae6de 2.00M (0x1ff800)
handle 4e9e03be 2.00M (0x1ff800)
handle aea9e1c6 54.96M (0x36f6000)
handle 0eaeb1ae 46.99M (0x2efe000)
handle afb29ef2 2.94M (0x2f0000)
handle 4fb29e9e 3.06M (0x30fc00)
disk ee3083e6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 8e9ae6de
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4e9e03be
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk aea9e1c6
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0eaeb1ae
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
disk afb29ef2
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
disk 4fb29e9e
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 33 3d 02 04 0b 0b 16 d8 0c 09 06 62
D:\ArtExtROMtools>

Bug in viewimgfs.exe with Trinity P3600 ROM

I'm trying to extract the tnetw1251.dll from the Trinity P3600.
The ROM Version is 1.23.405.2 dated 03/11/07.
I followed the instructions in extracting the ROM from the device from the following webpage :
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom
First I got the imgfs partition (Part02) info via:
> pdocread -w -d FLASHDR -p Part02 -t
real nr of sectors: 98816 - 48.25Mbyte (0x3040000)
I then extracted Part02:
> pdocread -w -d FLASHDR -p Part02 0 0x3040000 Part02.raw
CopyTFFSToFile(0x0, 0x3040000, Part02.raw)
Next, I extracted the files:
> viewimgfs Part02.raw
Then I looked at the dump\TNETW1251\TNETW1251.dll file and found that it is about 10K larger than the same file listed in the ROM on the device:
08/27/2007 11:21 AM 512,000 TNETW1251.dll
On the ROM:
03/11/2007 16:47 501,296 TNETW1251.dll
I then looked at the dump\TNETW1251 directory and saw 4 segment files:
08/27/2007 11:21 AM 463,244 S000
08/27/2007 11:21 AM 16,896 S001
08/27/2007 11:21 AM 18,720 S002
08/27/2007 11:21 AM 2,228 S003
With a hex editor and a comparison utility, I saw the layout of the extracted TNETW1251.dll file:
Addr Size Description
00000000 000000D0 (208) MZ Header
000000D0 00000330 (816) PE Header
00000400 0007118C (463,244) S000 with many relocations
0007158C 00000074 (116) Padding
00071600 00004200 (16,896) S001 with some relocations
00075800 00004920 (18,720) S002 all relocations
0007A120 00002EE0 (12,000) Looks like garbage data
-----------------------------------------------------------------------
0007D000 (512,000) Total Size of file
It appears that the ~2K S003 segment is missing and in its place is a 12K garbage segment.
Can anyone assist with this problem?
Thanks,
((&->
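The check the poster did by hand (comparing the rebuilt DLL against the S000..S003 segment files) can be automated from the PE section table, since each IMGFS segment becomes one section's raw data. The following is an added example, not code from the thread or from the imgfs tools: it parses the IMAGE_SECTION_HEADER array of a PE file and compares every section's SizeOfRawData with the corresponding segment size, rounded to the file alignment, reporting size mismatches, sections that run past the end of the file, and segments with no section. Because the real TNETW1251.dll is not on the page, the test fixture is a constructed stub whose section table reproduces the offsets and sizes from the layout table above; the section names, virtual addresses and the 0x200 file alignment are assumptions.

```python
import struct

FILE_ALIGN = 0x200   # assumed FileAlignment; matches the 0x200-rounded offsets above
PE_SIG = b"PE\0\0"


def align_up(n, a=FILE_ALIGN):
    return (n + a - 1) // a * a


def parse_section_table(pe):
    """Return [(name, virtual_address, pointer_to_raw_data, size_of_raw_data)]
    from the IMAGE_SECTION_HEADER array of a PE file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rptr, rsize))
    return sections


def check_sections_against_segments(pe, segment_sizes):
    """Compare section i with dump segment S00i. Returns [(name, verdict), ...]
    with one entry per section plus one per segment that has no section."""
    report = []
    sections = parse_section_table(pe)
    for i, (name, _vaddr, rptr, rsize) in enumerate(sections):
        if rptr + rsize > len(pe):
            report.append((name, "raw data runs past end of file"))
        elif i >= len(segment_sizes):
            report.append((name, "no dump segment for this section"))
        elif align_up(rsize) != align_up(segment_sizes[i]):
            report.append((name, f"size mismatch: header says {rsize} bytes, "
                                 f"segment S{i:03d} is {segment_sizes[i]}"))
        else:
            report.append((name, "ok"))
    for i in range(len(sections), len(segment_sizes)):
        report.append((f"S{i:03d}", "segment has no section in the rebuilt file"))
    return report


def build_stub_pe(sections, headers_size=0x400, total_size=None):
    """CONSTRUCTED fixture: MZ stub, PE file header, PE32 optional-header area and
    section table, with the raw-data area filled with a marker. Not loadable."""
    e_lfanew, opt_size = 0xD0, 0xE0
    hdr = bytearray(headers_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x01C0, len(sections), 0, 0, 0, opt_size, 0x2102)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)        # PE32 magic
    table = e_lfanew + 24 + opt_size
    for i, (name, vaddr, rptr, rsize) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", hdr, table + i * 40, name.encode(),
                         rsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    end = max(rptr + rsize for _, _, rptr, rsize in sections)
    return bytes(hdr) + b"\x90" * ((total_size or end) - headers_size)


# Layout of the rebuilt DLL from the post (raw pointers and sizes); names and
# virtual addresses are made up for the fixture.
SAMPLE_SECTIONS = [("seg0", 0x1000, 0x400, 0x7118C), ("seg1", 0x73000, 0x71600, 0x4200),
                   ("seg2", 0x78000, 0x75800, 0x4920), ("seg3", 0x7D000, 0x7A120, 0x2EE0)]
SEGMENT_SIZES = [463244, 16896, 18720, 2228]   # S000..S003 from the post

if __name__ == "__main__":
    pe = build_stub_pe(SAMPLE_SECTIONS, total_size=512000)
    for name, verdict in check_sections_against_segments(pe, SEGMENT_SIZES):
        print(f"{name:8} {verdict}")
```

On the posted layout the first three sections check out and the fourth is flagged: the header accounts for 12,000 bytes where S003 holds 2,228, which is the garbage run the poster found. Run against a real extracted module, the same function tells you whether a viewimgfs output can be trusted before you go looking for strings or exports in it.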

[TUT] SRPX compressed XIP section workout (like Asus, HP or Etens)

As I've heard, some people have problems working with the XIP sections of some ROMs, for example the Asus P525 or other devices, so here's a little tutorial about this issue. What's the problem with them? Their XIP sections are compressed with the SRPX algorithm.
In some Asus kitchens, in the ROM directory you have a ROM.TPL file. How do you use it?
1. Get OSNBTool from the attachment (it's a fantastic tool from Weisun of PDAclan.com).
2. Do:
Code:
>osnbtool -d rom.tpl 1 xip.bin
OS ROM Partition Tool V1.48 By Weisun :> PDAclan.com
Sector size : 0x00000200
OS IMAGE found.
Partitions infomation:
**************************************
Part-0 type: BOOT SECTION image
Part-1 type: XIP RAM Image
Part-2 type: IMGFS file system
**************************************
Signature: SRPX
CompressVersion: 5
Uncompressed size: 2E0000
Deompress processing...
Successfully decompressed to xip.bin
3. Run XIPPort and click "dump xip.bin".
4. Do your work on the XIP section.
5. After you're finished, issue "realloc P" and "build xip_out.bin" in XIPPort.
6. Do:
Code:
>osnbtool -c rom.tpl 1 xip_out.bin
OS ROM Partition Tool V1.48 By Weisun :> PDAclan.com
Sector size : 0x00000200
OS IMAGE found.
Partitions infomation:
**************************************
Part-0 type: BOOT SECTION image
Part-1 type: XIP RAM Image
Part-2 type: IMGFS file system
**************************************
Source OS image:
Signature: SRPX
CompressVersion: 5
Uncompressed size: 2E0000
Source Part-1 Size: 1AC400
--------------------------------------
Compress processing...
NEW Uncompressed size: 2D5000
NEW Compressed size: 1A6BF6
New Part Size: 1A71E6
Successfully compressed xip_out.bin into rom.tpl.NEW
7. You're done!
It turns out that the dumprom.exe and buildxip.exe tools handle those XIPs really well too, and even better, as they do a better relocation of modules.
So it can go like this:
Code:
>dumprom rom.tpl
IMGFS guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 0000001E
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: 2F5314CE
dwNextHeaderBlock: 00000000 (size: FFFFFE00)
Header type: FFFFFFFF, Addr: 00000208
Empty header
Header type: FFFFFFFF, Addr: 0000023C
Empty header
Header type: FFFFFFFF, Addr: 00000270
Empty header
Header type: FFFFFFFF, Addr: 000002A4
Empty header
Header type: FFFFFFFF, Addr: 000002D8
Empty header
Header type: FFFFFFFF, Addr: 0000030C
Empty header
Header type: FFFFFFFF, Addr: 00000340
Empty header
Header type: FFFFFFFF, Addr: 00000374
Empty header
Header type: FFFFFFFF, Addr: 000003A8
Empty header
Now you have new files, boot.bin, msflsh.bin and romhdr.bin, and a new folder, XIP. Edit your XIP folder as you want.
Now, in the ..\temp\dump folder put your .VM and .ROM folders and issue:
Code:
>buildxip
BUILDXIP 0.54 Copyright (c) 2007-2008 bepe 30 Jan 2008
Slot 0 Boundary: 0x01fa0000
Slot 1 Boundary: 0x03e18000
RAMStart: 0x88868000
RAMFree: 0x888c6000 - 0x8c000000 L0373a000
KernelFlags: 0x00000000
FSRamPercent: 0x00000004
Done!
In the end, put your newly created out.bin file into your .tpl file:
Code:
>osnbtool -c rom.tpl 1 out.bin
OS ROM Partition Tool V1.48 By Weisun :> PDAclan.com
Sector size : 0x00000200
Extra data bytes : 0x00000000
OS IMAGE found.
Partitions infomation:
**************************************
Part-0 type: BOOT SECTION image
Part-1 type: XIP RAM Image
Part-2 type: IMGFS file system
**************************************
Source OS image:
Signature: SRPX
CompressVersion: 5
Uncompressed size: 2E0000
Source Part-1 Size: 1AC400
--------------------------------------
Compress processing...
New part size larger than old part in source OS image!
Rebuilding partition structure...
NEW Uncompressed size: 2E7000
NEW Compressed size: 1B1664
New Part Size: 1B1C78
Successfully compressed out.bin into rom.tpl.NEW
and you're done!
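The dumprom output in the step above is a straight read of the IMGFS partition header (the field names are printed in on-disk order) followed by a walk of the header-block chain. As an added example, not code from the tutorial or from dumprom, here is a parser for exactly those structures: it checks the boot-signature GUID, unpacks the header fields, walks the chain of header blocks from dwFirstHeaderBlockOffset (dwNextHeaderBlock == 0 ends it, and a seen-set stops a corrupted image from looping), and counts empty (0xFFFFFFFF) versus in-use header slots. Assumptions: a 0x200-byte sector (what osnbtool printed for this device), and that the chain pointer is an absolute partition offset, which is how dumprom computed the "(size: FFFFFE00)" above. The sample image is constructed to reproduce the printed values; the meaning of non-empty header types is not on the page and is not interpreted here.

```python
import struct

IMGFS_GUID = bytes.fromhex("F8AC2C9DE3D42B4DBD30916ED84F31DC")  # guidBootSignature above
HEADER_BLOCK_SIG = 0x2F5314CE                                     # dwBlockSignature above
EMPTY_HEADER = 0xFFFFFFFF
FS_HEADER = struct.Struct("<16s7I4s3I")                           # 60 bytes, on-disk order
FIELD_NAMES = ("guidBootSignature", "dwFSVersion", "dwSectorsPerHeaderBlock",
               "dwRunsPerFileHeader", "dwBytesPerHeader", "dwChunksPerSector",
               "dwFirstHeaderBlockOffset", "dwDataBlockSize", "szCompressionType",
               "dwFreeSectorCount", "dwHiddenSectorCount", "dwUpdateModeFlag")


def parse_fs_header(img):
    """Unpack the IMGFS header at offset 0; raises ValueError if the GUID is wrong."""
    if len(img) < FS_HEADER.size:
        raise ValueError("image too short for an IMGFS header")
    hdr = dict(zip(FIELD_NAMES, FS_HEADER.unpack_from(img, 0)))
    if hdr["guidBootSignature"] != IMGFS_GUID:
        raise ValueError("not an IMGFS partition (boot signature mismatch)")
    hdr["szCompressionType"] = hdr["szCompressionType"].rstrip(b"\0").decode("ascii")
    return hdr


def walk_header_blocks(img, hdr, sector_size=0x200, max_blocks=4096):
    """Yield (block_offset, [header_type, ...]) along the header-block chain.
    Each block is dwBlockSignature, dwNextHeaderBlock, then fixed-size headers;
    the first dword of a header is its type, 0xFFFFFFFF meaning empty."""
    block_size = hdr["dwSectorsPerHeaderBlock"] * sector_size
    per_block = (block_size - 8) // hdr["dwBytesPerHeader"]
    off, seen = hdr["dwFirstHeaderBlockOffset"], set()
    while off and off not in seen and len(seen) < max_blocks:   # cycle / runaway guard
        if off + block_size > len(img):
            raise ValueError(f"header block at 0x{off:X} lies outside the image")
        seen.add(off)
        sig, nxt = struct.unpack_from("<II", img, off)
        if sig != HEADER_BLOCK_SIG:
            raise ValueError(f"bad header block signature at 0x{off:X}: {sig:08X}")
        types = [struct.unpack_from("<I", img, off + 8 + i * hdr["dwBytesPerHeader"])[0]
                 for i in range(per_block)]
        yield off, types
        off = nxt


def summarize(img, sector_size=0x200):
    """Return (header_dict, block_count, headers_in_use, headers_empty)."""
    hdr = parse_fs_header(img)
    blocks = list(walk_header_blocks(img, hdr, sector_size))
    types = [t for _, ts in blocks for t in ts]
    used = sum(1 for t in types if t != EMPTY_HEADER)
    return hdr, len(blocks), used, len(types) - used


def build_sample(sector=0x200, second_block=False):
    """CONSTRUCTED stub reproducing the dumprom header values above: one header
    block at 0x200 holding nine empty headers. With second_block=True a second
    block (not in the page output) with one in-use header is chained after it."""
    fs = FS_HEADER.pack(IMGFS_GUID, 1, 1, 1, 0x34, 8, 0x200, 0x1000, b"LZX\0", 0x1E, 0x100, 0)
    img = bytearray(fs.ljust(sector, b"\0"))
    empty = EMPTY_HEADER.to_bytes(4, "little") + bytes(0x30)
    inuse = (1).to_bytes(4, "little") + bytes(0x30)   # any type != 0xFFFFFFFF counts as in use
    block1 = struct.pack("<II", HEADER_BLOCK_SIG, 0x400 if second_block else 0) + empty * 9
    img += block1.ljust(sector, b"\0")
    if second_block:
        img += (struct.pack("<II", HEADER_BLOCK_SIG, 0) + inuse + empty * 8).ljust(sector, b"\0")
    return bytes(img)


if __name__ == "__main__":
    hdr, nblocks, used, empty = summarize(build_sample())
    for k, v in hdr.items():
        print(f"{k}: {v.hex().upper() if isinstance(v, bytes) else v}")
    print(f"{nblocks} header block(s), {used} in use, {empty} empty")
```

Nine headers per 0x200-byte block is what falls out of (0x200 - 8) // 0x34, which is why dumprom printed exactly nine "Empty header" lines at 0x208, 0x23C, ... 0x3A8 above. The seen-set and bounds check matter when the input is a partition you just pulled off a device or out of a vendor .tpl: a bad dwNextHeaderBlock should produce an error, not an infinite loop or an out-of-range read.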
Hello utak3r.
This info is really important for me, as I have an Eten device. However, I've tried several times to build a XIP using "buildxip" (with or without the -b flag; I don't know exactly what it does), but my ROM doesn't boot.
I didn't even try to change anything in the XIP folder. I only dumped the XIP using "dumprom" and then built it again to test. Was I supposed to do something in between? Any idea?
bgcngm said:
with or without the -b flag; I don't know exactly what it does
This flag tells it whether to take another, external boot.rgu file or the included one. So you should do it without this flag.
bgcngm said:
but my ROM doesn't boot.
The problem may not be in the building, but in inserting it back. Some devices don't like the partition's size changing, for instance...
Check what the original xip.bin size was and try padding your new one with 0xFFs to that size; maybe it will help...
Another thing: post the full output from all the steps here.
utak3r said:
The problem may not be in the building, but in inserting it back. Some devices don't like the partition's size changing, for instance...
I already thought that the problem was the XIP insertion, but then I found XIPKitchen.
With a XIP created by XIPKitchen I can successfully create a bootable ROM, even with a different XIP partition size. I'm happy because those XIPs are working; however, XIPKitchen doesn't integrate nicely into a ROM kitchen. The user has to manually input the files and select some options in the program, and I wanted to build the new XIP silently, which is what buildxip does.
Do you know what the problem could be? I might be missing something... like relocating the modules... But as I said before, I tried to build the XIP without touching it, simply by dumping and then rebuilding it. In that case there was no need to relocate the modules, right?
utak3r, do you know what the problem could be?
Hi bro
In some Asus kitchens, in the ROM directory you have a ROM.TPL file
Use the NB0 KITCHEN tool by mrtoto, which extracts and inserts the XIP partition from the out.bin file into NewROM.tpl.
Extract out.bin using XipKitchen or bepe's buildrom, rename xip_out_new.bin to out.bin, move it to the Rom.tpl directory and push the "Build Template" button in mrtoto's NB0 KITCHEN.
THANKS A LOT!!
Awesome tool; I'd had trouble extracting one of the XIP files for a LONG time, and this just did the trick. Its nifty features like putting the romhdr, o32 and e32 headers in place nicely were also helpful.

[TUT] How to make a custom ROM for Samsung ATIV S

This tutorial is about making a custom ROM for the ATIV S or any other Samsung WP8 phone.
Samsung ROM files:
.wp8 - main file with OS and boot
.csc - file with regional info
.smd - ROM for WP7 devices
All those files have (almost) the same format; I call it SMD. Old .smd files can be unpacked using this instruction; back then smd-tool was made for it, but the format has changed slightly. This process was only tested on the ATIV S.
CSC
.csc files aren't flashed to the device; they are just containers for MBN files. The MBN files are copied to DPP during the flashing process.
AS ALWAYS, YOU ARE DOING THIS AT YOUR OWN RISK! AND GOOD LUCK
Tutorial contents
Basic:
Making custom CSC (.mbn)
Extracting SMD
How to work with "packed" partitions
What to edit in ROM
Packing SMD
Advanced:
Making CSC from MBN
Making developer ROM
Making custom CSC (.mbn)
Software
sam-tools
Any tool for mounting drive images (OSFMount)
MBN Creator
MBN Creator is a kitchen in itself. It has some limitations, but creating MBNs with MBN Creator is very easy. This method is described at the end.
Unpacking CSC files
Official CSCs come in .csc files. Use smd-tool to unpack file.csc to the csc_dump folder:
Code:
smd-tool /u file.csc /d csc_dump
Now mount DPP.bin and copy the CSC.mbn file from it. Then unmount DPP.
Code:
\Samsung\CSC\CSC.mbn
Now use mbn-tool to extract the files from csc.mbn to the mbn_dump folder:
Code:
mbn-tool /u csc.mbn /d mbn_dump
Every folder in mbn_dump is for one CSC code. There are 4 files inside every folder (AUT, for example):
SS_AUT.ini - initial values for the welcome screen (first boot): language, region, timezone and carrier.
SS_AUT.reg - registry file.
SS_AUT_AppInstall.provxml - PROVXML file with (and only with) app install instructions.
SS_AUT_CSC.xml - PROVXML file.
Warning! There is a size limit of ~50KB for any file. The MBN itself is limited by the DPP free space.
Packing MBN
Code:
mbn-tool /p mbn_dump /f my.mbn /ver I8750OXXCMK2 /subver OXX
The CSC version (I8750OXXCMK2) should be greater than or equal to your ROM version, otherwise it will be ignored. A DOC2 CSC will work on a CMK2 ROM, but not vice versa!
Warning! Official DNI and DOC ROMs don't support custom MBNs.
Using MBN Creator
You can apply predefined tweaks from the 1st tab or add your own directly into the files. The last tab contains the MBN file properties. MBN Creator is limited to only one CSC code.
You can check your work in the "MBN Creator temp" folder. The output file is CSC.mbn.
Flashing MBN with MBN Creator
Reboot the phone into Download Mode
Connect it to the PC and install the drivers
Copy or create the CSC.mbn file
Press Flash, Scan
Choose the CSC code and press Flash
All done. Reset the phone. Perform a hard reset if the MBN didn't apply.
Warning! MBN Creator can't flash files larger than 64KB.
Flashing MBN with stock Downloader
Open the .wp8 and .mbn files
Check "Select" and uncheck everything but "CSC"
If the flasher asks you about something, click NO
Extracting SMD
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Unpack file.wp8 to the dump folder
Code:
smd-tool /u file.wp8 /d dump
Output example:
Code:
Partition name NAND off N size ROM off R size Part. ID Type Status
GPT 00000000 00000800 00200C00 0000FC00 00000000 00000000 [ OK ]
SECURE 00000800 00000800 00210800 00000400 00000001 00000000 [ OK ]
DPP 00001000 00004000 00210C00 00800000 00000002 00000000 [ OK ]
SBL1 00008000 00000BB7 00A10C00 0016A400 00000003 00000000 [ OK ]
SBL2 P 00009000 00000BB7 00B7B000 0016A400 00000004 00000000 [ OK ]
SBL3 0000A000 00000FFF 00CE5400 001F8000 00000005 00000000 [ OK ]
UEFI S 0000B000 00001387 00EDD400 00207C00 00000006 00000000 [ OK ]
RPM 0000D000 000003E7 010E5000 0006E400 00000007 00000000 [ OK ]
TZ 0000E000 000003E7 01153400 0006E400 00000008 00000000 [ OK ]
WINSECAPP 0000F000 000003FF 011C1800 0007E000 00000009 00000000 [ OK ]
PLAT 0001A000 00003FFF 0123F800 00742800 0000000A 00000000 [ OK ]
EFIESP 00020000 0001FFFF 01982000 0094A400 0000000B 00000000 [ OK ]
MMOS 00046000 0002403F 022CC400 0440B800 0000000C 00000000 [ OK ]
MainOS 0006C000 004B295F 066D7C00 61F20000 0000000D EACCE221 [ OK ]
Data 00520000 01838FFF 685F7C00 02920000 0000000E EACCE221 [ OK ]
Output files:
header - header of the SMD
GPT - partition table
PLAT, EFIESP, MMOS - partitions with a FAT file system
MainOS and Data - NTFS partitions
other files - bootloader and other low-level stuff
The DPP partition isn't flashed to the phone. In the .wp8 file it's empty.
EACCE221 means that the partition is packed.
How to work with "packed" partitions
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Large zero areas are cut out of those partitions. image-rebase can restore such files.
Code:
image-rebase /u MainOS.bin /o MainOS.img
You can now mount and edit MainOS.img.
Warning! The Data partition is very large and almost empty.
Pack
First of all, slice the image file:
Code:
image-rebase /s MainOS.img /z 2048
This command will cut off zero areas larger than 2048 sectors (1 MB).
MainOS.img.xml is a template file.
Now you can glue the files together using the template:
Code:
image-rebase /p MainOS.bin /t MainOS.img.xml
What to edit in ROM
CSCMgr
This service applies the MBN file. The idea is to downgrade it to the CMK2 (GDR3) version. To do so, replace these files:
system32\CSCMgr.dll
system32\CSCMgrSvc.dll
system32\drivers\CSCMgrSvc.dll (yes, it's a copy)
FCRouter
This service is used by Samsung system tools to perform actions with high privileges. Files:
system32\FCRouter.dll
system32\FCRouterProxy.dll
system32\drivers\FCRouter.dll
system32\drivers\FCDriver.dll
Registry hives
Code:
system32\config
You can edit those hives as you want, but a hard reset will destroy all your work.
OSRepack
It's a simple tool for working with packages on mounted partitions. Available here.
SDelete
There is a tool called SDelete which can fill all the free space on a drive with zeros.
Code:
sdelete -z X:
Very useful for non-developer ROMs.
Packing SMD
Software
sam-tools
Hex editor (HxD)
Pack MainOS image
Code:
image-rebase /s MainOS.img /z 2048
image-rebase /p MainOS.bin /t MainOS.img.xml
Prepare SMD header
It's not really a header but the first part of the file. This file can be used as a template for your later work. It contains all partitions except MainOS.
Code:
smd-tool /info file.wp8
This command will give you some info about the SMD file structure. Open the file in a hex editor and copy all data up to the MainOS ROM offset into a new file. Append Data.bin to this new file.
There are some structures at the start of the file. For example:
4D 61 69 6E 4F 53 00 00 00 00 00 00 00 00 00 00
00 C0 06 00 5F 29 4B 00 00 7C FF 08 00 0E AD 61
1F 1F 1F 1F 00 00 00 00 21 E2 CC EA 00 00 00 00
2B C2 5E C9 6A 2F 0B E1 6F 1C 95 FC 49 FF E9 FD
Start and length are the ROM offset and ROM size fields: following the column order of the smd-tool listing above (name, NAND offset, NAND size, ROM offset, ROM size), they are the third and fourth dwords after the 16-byte partition name.
Warning! Those numbers are little endian (12345678 = 78 56 34 12)
Replace the Data Start with the MainOS Start. You can use Ctrl+C & Ctrl+B (copy and paste with replace).
Replace the MainOS Start with the length of this (template) file.
Save file.
Adding MainOS
Append MainOS.img to your template.
Replace the MainOS Length with the length (in bytes) of the MainOS.bin file.
Replace the 16 bytes at offset 0x50 with zeros.
Compute the MD5 hash of the file (HxD can do it) and write it at 0x50 (^C & ^B).
Save this file as .wp8
You can check the numbers you entered with the following command:
Code:
smd-tool /info custom.wp8
Warning! This .wp8 file can only be flashed with Downloader v3.54
Making CSC from MBN
Software
Hex editor (HxD)
Pack
Open the CSC file in HxD.
At 0x00A00C00 it has the MBN file contents.
Replace it with your MBN and fill the rest of the CSC with zeros.
Warning! This file can't be unpacked with this instruction because the FAT is broken. You can unpack it manually.
Correct the MD5 as you did for the .wp8 file.
Warning! This CSC can fool the Downloader but not the phone. The new CSCMgr will still ignore a custom MBN.
Making developer ROM
Such ROMs can be directly mounted with OSFMount.
This command will pseudo-slice MainOS.img:
Code:
image-rebase /s MainOS.img /z 4000000
The entire partition will be in one piece.
If you pack the SMD with this file, you can mount it and edit it without repacking the SMD.
In OSFMount enter an offset equal to the MainOS ROM offset + 0x1000.
Don't forget to recalculate the MD5 after editing.
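Two steps of the tutorial are worth seeing in working code: the "packed partition" trick (zero runs longer than a threshold are dropped and a template records where the kept chunks go, so a 2 GB Data partition shrinks to almost nothing, and a threshold larger than the image leaves it in one piece, the "developer ROM" case) and the file-level MD5 that has to be recomputed over the file with the 16 bytes at 0x50 zeroed. The following is an added example, not code from the tutorial, from sam-tools or from Samsung: the slicing and the template are my own simplified equivalent of image-rebase /s and /p (the template is a Python dict, not image-rebase's XML), and the MD5 placement follows only what the tutorial states. The sample image is constructed.

```python
import hashlib

SECTOR = 512
ZERO_SECTOR = bytes(SECTOR)
SMD_MD5_OFFSET = 0x50        # 16-byte file hash lives here, per the tutorial


def long_zero_runs(img, min_zero_sectors):
    """Return [(start, end), ...] byte ranges of all-zero sector runs longer
    than min_zero_sectors sectors."""
    n, runs, i = len(img) // SECTOR, [], 0
    while i < n:
        if img[i * SECTOR:(i + 1) * SECTOR] != ZERO_SECTOR:
            i += 1
            continue
        j = i
        while j < n and img[j * SECTOR:(j + 1) * SECTOR] == ZERO_SECTOR:
            j += 1
        if j - i > min_zero_sectors:
            runs.append((i * SECTOR, j * SECTOR))
        i = j
    return runs


def slice_image(img, min_zero_sectors=2048):
    """Equivalent of 'image-rebase /s img /z N': returns (packed, template) where
    packed is the kept data and template = {"size", "chunks": [(offset, length)]}."""
    if len(img) % SECTOR:
        raise ValueError("image is not a whole number of sectors")
    chunks, pos = [], 0
    for start, end in long_zero_runs(img, min_zero_sectors):
        if start > pos:
            chunks.append((pos, start - pos))
        pos = end
    if pos < len(img):
        chunks.append((pos, len(img) - pos))
    packed = b"".join(img[o:o + l] for o, l in chunks)
    return packed, {"size": len(img), "chunks": chunks}


def restore_image(packed, template):
    """Equivalent of 'image-rebase /u': put every chunk back at its offset,
    zero-filling the gaps, and refuse templates that do not fit the data."""
    out, p = bytearray(template["size"]), 0
    for o, l in template["chunks"]:
        if o + l > len(out) or p + l > len(packed):
            raise ValueError("template does not match the packed data")
        out[o:o + l] = packed[p:p + l]
        p += l
    if p != len(packed):
        raise ValueError("packed data has bytes the template does not place")
    return bytes(out)


def smd_digest(smd):
    """MD5 of the whole file with the 16 hash bytes at 0x50 treated as zeros."""
    h = hashlib.md5()
    h.update(smd[:SMD_MD5_OFFSET])
    h.update(bytes(16))
    h.update(smd[SMD_MD5_OFFSET + 16:])
    return h.digest()


def smd_write_md5(smd):
    """Return smd with the hash field at 0x50 filled in (the tutorial's last step)."""
    return smd[:SMD_MD5_OFFSET] + smd_digest(smd) + smd[SMD_MD5_OFFSET + 16:]


def smd_md5_ok(smd):
    return len(smd) >= SMD_MD5_OFFSET + 16 and smd[SMD_MD5_OFFSET:SMD_MD5_OFFSET + 16] == smd_digest(smd)


# CONSTRUCTED sample: 1 MiB of data, 3 MiB of zeros (cut), 64 KiB data,
# 512 KiB zeros (kept: 1024 sectors is under the threshold), 32 KiB data,
# 2 MiB of trailing zeros (cut).
SAMPLE_IMG = (bytes(range(256)) * 4096 + bytes(3 << 20) + b"\xAB" * 65536
              + bytes(512 << 10) + b"\xCD" * 32768 + bytes(2 << 20))

if __name__ == "__main__":
    packed, template = slice_image(SAMPLE_IMG)
    print(f"{len(SAMPLE_IMG)} -> {len(packed)} bytes, chunks {template['chunks']}")
    assert restore_image(packed, template) == SAMPLE_IMG
    print("md5 ok after fix-up:", smd_md5_ok(smd_write_md5(bytes(range(256)))))
```

The restore function deliberately rejects a template whose chunks do not cover exactly the packed data; when you are reassembling a flash image that a bootloader will later accept on the strength of a header hash alone, a silent off-by-one in the chunk offsets is far worse than a loud failure on the PC.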
OMG, WOLF! People tell me that my tutorials are too long. But you are a true match for me!!
Congrats on this great achievement!
Wow! Huge thanks for rewriting these tutorials in English; I wasn't expecting you to do it so soon! Can't wait to play around and to see what others come up with.
I played around with replacing the FCRouter + WP8 Diag files on my GT-I8750 (from the SM-W750V, SPH-I800, SGH-I187, SGH-T899M); in the end everything works.
Smart Download mode enabled.
So it could be possible to use the ATIV S version of CSCMgr on the SE. And the SE would then have custom MBN support.
Yeah, that's what I gathered from the info as well. Unfortunately I won't have time to try this out for another 4-7 days, but I'll let you know if I do. And if you (or anyone else) feel like whipping it up and need someone to try it, shoot me a PM.
Added info about SDelete and OSRepack to "What to edit in ROM".
I have an idea to record the full process of ROM making and upload it to YouTube. Would it be useful?
Added poll.
