[Universal] How to d2s (dump) the ROM - Windows Mobile Development and Hacking General

All right... GOOD NEWS story for today!!!
There is no doubt, that our gods are helping us...
Here's what happened to me yesterday.
Yesterday I was dreaming about editing the ROM of Universal/Exec but as you may know, 'd2s' command doesn't work. It just quits with "Not allow operation".
But suddenly, my china god of wisdom whispered to me:
GOD: "hey buzz, you wanna dump the thing? why do you use that old fashioned 'd2s' command to dump it?"
me: "well, that always worked... so what else should i use?"
GOD: "OK, here's a little present for you ) just try 'task 32' )) "
Code:
USB>task 32
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
d.total_lba=1DC00
d.block_size=200
d.RCA=EC7E
d.drv_type=40000000
d.busWidth=1
Total card size=3B80000
So here it is !!!!
... and LET THE FUN BEGIN!!!
The above story is 100% true, i've made up maybe two words myself...
BTW, this might also work on other "password protected" devices.
THANX
buzz

Buzz, that's great, where the heck did you find that command?
But now that bal666 has that decrypt/encrypt utility of the original NBK files, what would be the benefit of dumping the ROM to the SD card?
Can you restore back to the device from the SD card?
Going by the way of the SD card to dump, extract, modify, write back, then flash may be safer than the Upgrade Utility that keeps my device stuck in Bootloader mode until I go through the whole NK/MS, then Radio upgrade.
So, what's the opposite of 'task 32?'
Thanks!

i'm dumping at the moment, but i would say, that it would be enough to insert the SD card back into the slot and reboot into bootloader mode.
Then you have to wait a few seconds till "press power to flash" message appears.
But so far i didn't test it, yet...
Testing right now...
))
buzz

buzz_lightyear said:
i'm dumping at the moment, but i would say, that it would be enough to insert the SD card back into the slot and reboot into bootloader mode.
Then you have to wait a few seconds till "press power to flash" message appears.
But so far i didn't test it, yet...
Testing right now...
))
buzz
Buzz, it is really good news. At this moment some of Universal (e.g. T-mobile) providers have not released an update yet. So if people can dump their roms on an SD, we at least have a fall back. In case of repairs the Universal will need to be updated again with a rom from the provider.

That is really fantastic news!
If the restore test is successful, please just let all of us know.
Oh, and look forward to a complete dump backup/restore guide. :wink:

BeyondtheTech said:
But now that bal666 has that decrypt/encrypt utility of the original NBK files, what would be the benefit of dumping the ROM to the SD card?
From what I've seen his tool incorrectly decrypts NBF, some blocks are mixed.

hmmm.....
i think that the "task 32" command needs a little bit more tweaking...
Till now it was just saying OK... ready.. etc., but actually did not do the dump... (
Code:
USB>task 32
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
d.total_lba=F1F00
d.block_size=200
d.RCA=80CA
d.drv_type=40000000
d.busWidth=1
Total card size=1E3E0000
Level = FF
USB>
Well, "Level = FF" sounds like an error to me....
hmmm....
buzz

Another very interesting command and its output:
Code:
USB>info 2
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
d.total_lba=F1F00
d.block_size=200
d.RCA=80CA
d.drv_type=40000000
d.busWidth=1
Total card size=1E3E0000
HTCSDOPOD601 «Jú½HTCE
USB>
Code:
USB>info 7
HTC Integrated Re-Flash Utility for bootloader Version : 1.40h, UNIVERSAL HW Version : 1.00
Built at: Sep 2 2005 15:14:29
Copyright (c) 1998-2005 High Tech Computer Corporation
Turbo=312, Run=208
Memory Frequency = 208 MHz
SDRAM Frequency = 104 MHz
Board ID is: 5
USB>
buzz

buzz_lightyear said:
Code:
Board ID is: 5
Hi Buzz,
is it possible to make memory dumps
in the bootloader without entering a password ?

cr2 said:
buzz_lightyear said:
Code:
Board ID is: 5
Hi Buzz,
is it possible to make memory dumps
in the bootloader without entering a password ?
not in bootloader...
but i'm able to dump DOC and memory using RapiEnabler and itsutils.
buzz

buzz_lightyear said:
but i'm able to dump DOC and memory using RapiEnabler and itsutils.
Hmm. What part of the DoC ? All 128 MB ?
There is also OTP and other stuff.
As you can guess, i'd like to dump the whole 64MB RAM (or as much as possible) while the bootloader is running, not
in wince.

Maybe you should try 'r2sd' ?

mamaich said:
BeyondtheTech said:
But now that bal666 has that decrypt/encrypt utility of the original NBK files, what would be the benefit of dumping the ROM to the SD card?
From what I've seen his tool incorrectly decrypts NBF, some blocks are mixed.
He stated that as long as you don't change the header information, it will encrypt and decrypt properly.
As a precaution, I took the NK.NBF, decrypted it to NK.FAT, then reencrypted it and did a successful byte-comparison.
I did the same with my modified NK.FAT file with my injected custom splash image and it encrypted and decrypted properly.
The biggest test was flashing it, and man, I was sweating buckets during the process. But, the flash came through successful for me and now I have the first custom splash screen on the Universal.
It's fun to break news or be the first guinea pig to try it out, just as long as it comes out successful! :lol:

The password doesn't seem to do anything.
The level of access is determined by your CID.
If your CID is 11111111 you have a SuperCID, which enables all the operations. I'm trying to track down where the CID is stored.
Bye,
Ricardo

go BeyondtheTech !!!!
now only if you could post a step by step for all us goofs out here...
also I'm wondering with your genius if you could use the recently posted tools here to make a custom universal rom (minus the ie explorer, file explorer etc) and teach us how to do that as well!!!!

buzz_lightyear said:
i'm dumping at the moment, but i would say, that it would be enough to insert the SD card back into the slot and reboot into bootloader mode.
Then you have to wait a few seconds till "press power to flash" message appears.
But so far i didn't test it, yet...
Testing right now...
))
buzz
My 9000 has a SuperCID. I managed to dump and flash the rom using these techniques.
Bye,
Ricardo

BeyondtheTech said:
He stated that as long as you don't change the header information, it will encrypt and decrypt properly.
As a precaution, I took the NK.NBF, decrypted it to NK.FAT, then reencrypted it and did a successful byte-comparison.
I did the same with my modified NK.FAT file with my injected custom splash image and it encrypted and decrypted properly.
I decrypted nk.nbf to nba with his tool, and decrypted the same file with alpinenbfdecode.pl script. Files are different after some offset. So there should be a bug in his util, because alpinenbfdecode.pl is known to produce working files. I had no time for more tests.

buzz_lightyear said:
Another very interesting command and its output:
Hi buzz,
i can run "rbmc", but don't get where this c:\test\mem.nb is located.
Is it used by the mtty download protocol ?
I can't test it because mtty is not working
for me in windowz

cr2 said:
buzz_lightyear said:
Another very interesting command and its output:
Hi buzz,
i can run "rbmc", but don't get where this c:\test\mem.nb is located.
Is it used by the mtty download protocol ?
I can't test it because mtty is not working
for me in windowz
looks like rbmc is running up to the point, where it should start saving the dump (
same as task 32
(
buzz

OK, so here is how it should be:
Dump Bootloader:
Code:
USB>task 32
USB>d2s 70000000 80000
OS ROM + splash:
Code:
USB>d2s 70100000 3FA0000
XtendedROM:
Code:
USB>d2s 74100000 A00000
Radio ROM:
Code:
USB>d2s 60000000 a24200
If you want to have them all on single SD card, you must add "sd a" at the end of each command except the first one.
Example to dump/backup OS + XtendedROM + Radio:
Code:
USB>d2s 70100000 3FA0000
USB>d2s 74100000 A00000 sd a
USB>d2s 60000000 a24200 sd a
buzz
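Before chaining several d2s dumps onto one card it is worth checking that the card is large enough. The following is an added example (mine, not code from the thread or from HTC's bootloader): it parses the SD geometry the bootloader prints (both the "d.total_lba=" form shown above and the "pc->drive.total_lba=" form seen later in the page), cross-checks the computed size against the printed "Total card size", and reports which of the four regions from the post fit individually and when chained with "sd a". It assumes chained images are packed back to back with no per-image header on the card, which the thread does not state.

```python
import re

# Region names, addresses and lengths exactly as given in the post above.
D2S_REGIONS = [
    ("bootloader", 0x70000000, 0x80000),
    ("os+splash",  0x70100000, 0x3FA0000),
    ("xtendedrom", 0x74100000, 0xA00000),
    ("radio",      0x60000000, 0xA24200),
]

_LBA_RE = re.compile(r"total_lba=([0-9A-Fa-f]+)")
_BLK_RE = re.compile(r"block_size=([0-9A-Fa-f]+)")
_SIZE_RE = re.compile(r"Total card size=([0-9A-Fa-f]+)")


def parse_sd_info(output: str) -> dict:
    """Extract card geometry from the bootloader's SD detection chatter.

    Matches both 'd.total_lba=' (Universal) and 'pc->drive.total_lba=' (Blue Angel)
    because the regex only keys on the trailing field name. Values are hex, as the
    bootloader prints them.
    """
    lba = _LBA_RE.search(output)
    blk = _BLK_RE.search(output)
    if not lba or not blk:
        raise ValueError("no total_lba/block_size in output")
    total_lba = int(lba.group(1), 16)
    block_size = int(blk.group(1), 16)
    card_bytes = total_lba * block_size
    printed = _SIZE_RE.search(output)
    # Cross-check our arithmetic against the size line the bootloader itself printed.
    consistent = printed is None or int(printed.group(1), 16) == card_bytes
    return {"total_lba": total_lba, "block_size": block_size,
            "card_bytes": card_bytes, "matches_printed_size": consistent}


def plan_dump(card_bytes: int, regions=D2S_REGIONS, block_size: int = 0x200) -> dict:
    """Report which planned d2s regions fit alone and whether all fit chained with 'sd a'.

    Assumption (mine, not from the thread): chained images are written back to back
    with no per-image header, so the card only needs the sum of the sector-rounded
    lengths.
    """
    fits_alone = {}
    chained_total = 0
    for name, _addr, length in regions:
        # d2s writes whole sectors, so round each length up to the block size.
        blocks = -(-length // block_size)
        needed = blocks * block_size
        fits_alone[name] = needed <= card_bytes
        chained_total += needed
    return {"fits_alone": fits_alone,
            "chained_bytes": chained_total,
            "all_chained_fit": chained_total <= card_bytes}


def d2s_commands(regions=D2S_REGIONS) -> list:
    """Render the chained sequence the post describes: 'sd a' on every command but the first."""
    cmds = []
    for i, (_name, addr, length) in enumerate(regions):
        cmd = f"d2s {addr:X} {length:X}"
        if i > 0:
            cmd += " sd a"
        cmds.append(cmd)
    return cmds


# Constructed samples: the geometry lines copied from two SD detections quoted in this page.
SMALL_CARD = """SD:Detected one card
d.total_lba=1DC00
d.block_size=200
Total card size=3B80000"""

BIG_CARD = """SD:Detected one card
pc->drive.total_lba=1E8000
pc->drive.block_size=200
Total card size=3D000000"""

if __name__ == "__main__":
    for txt in (SMALL_CARD, BIG_CARD):
        info = parse_sd_info(txt)
        print(hex(info["card_bytes"]), plan_dump(info["card_bytes"]))
    print("\n".join(d2s_commands()))
```

On the ~60 MB card from the first post the OS+splash region alone (0x3FA0000 bytes) does not fit, which is consistent with that dump attempt going nowhere.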

Related

write the nb1 file to SD card directly from the PPC device !

hello..
is there a chance to do it ?
writing the nb1 file to SD card directly from the PPC device itself without need to buy a card writer/reader ?
why not ? our PPC can write & read the card, so any chance to do it ?
best regards
Yes, this possibility exists. Nobody has written code to do it though.
We're toying with the idea of a whole new tool which allows many more operations directly to the device. If only we could find either a lot of time, or some sharp volunteer coders with too little on their hands...
yes, it is possible. just didn't have the time to write a program to do it yet.
I did write some test code, to see how it works
source + exe here
btw, warning - the write function will erase whatever was on your sdcard.
hello again..
well thank u all XDA developers, i wanna know is it just a raw writing of nb0 & nb1 on SD card starting from block 0 to the end of nb1 ?
best regards
for 5.14, 5.15, 5.22 the first sector contains a string specifying the cardtype:
"HTC$WALLABY00" - bootloader ( nb0 )
"HTC$WALLABY11" - wince image (nb1)
"HTC$WALLABY22" - bootloader(nb0) + wince image(nb1)
"HTC$WALLABY33" - diagnostics card(nb2)
"HTC$WALLABY44" - gsm
"HTC$WALLABY55" - gsm + wince image
starting at the 2nd sector, the data is written.
these last 2 we have not experimented with yet.
for 5.17 the layout is a bit different, the first sector contains the string 'HTC FLASH KEY', the 2nd sector starts with the md5sum of the cardid, the 3rd sector has a 4 byte counter value, the 4th the md5sum of this counter, the 5th contains 'N'
starting at the 6th the above HTC$WALLABY string + bootloader/wince images are written.
a bootloader is always 512 512-byte blocks or 256k
an os image is always 65024 blocks, or 31.75M
see xdarit source for more details
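An added example (mine, not code from the thread or from the xdarit source) that identifies a Wallaby flash card image from its marker sector and works out where the images should sit, using the card-type strings and the fixed sizes quoted above (512 blocks for a bootloader, 65024 for an OS image). It assumes combined cards place nb0 before nb1 and, for the 5.17 layout, that the HTC$WALLABY marker occupies the 6th sector with the images starting in the 7th; sizes for nb2 and gsm images are not given in the thread, so those layouts stop at the first unknown-size image.

```python
SECTOR = 512
BOOTLOADER_BLOCKS = 512   # "a bootloader is always 512 512-byte blocks or 256k"
OS_IMAGE_BLOCKS = 65024   # "an os image is always 65024 blocks, or 31.75M"

# Card-type marker strings from the post (5.14 / 5.15 / 5.22 layout).
CARD_TYPES = {
    b"HTC$WALLABY00": ("bootloader", ["nb0"]),
    b"HTC$WALLABY11": ("wince image", ["nb1"]),
    b"HTC$WALLABY22": ("bootloader + wince image", ["nb0", "nb1"]),
    b"HTC$WALLABY33": ("diagnostics card", ["nb2"]),
    b"HTC$WALLABY44": ("gsm", ["gsm"]),
    b"HTC$WALLABY55": ("gsm + wince image", ["gsm", "nb1"]),
}
# Sizes the thread states; nb2 and gsm sizes are not given, so they stay unknown.
IMAGE_BLOCKS = {"nb0": BOOTLOADER_BLOCKS, "nb1": OS_IMAGE_BLOCKS}
MARKER_LEN = 13           # len(b"HTC$WALLABY00") == len(b"HTC FLASH KEY")


def identify_card(image: bytes) -> dict:
    """Describe a Wallaby flash card from its leading sectors.

    Returns the card type, the sector holding the HTC$WALLABY marker (0 for the
    older layout, 5 for the 5.17 'HTC FLASH KEY' layout, my reading of the post),
    the expected start sector of each image, the total sectors the card needs and
    whether the supplied image is long enough to hold them all.
    """
    if len(image) < SECTOR:
        raise ValueError("need at least one sector")
    marker_sector = 0
    if image.startswith(b"HTC FLASH KEY"):
        # 5.17 layout: key material occupies sectors 0-4, marker sits in sector 5.
        marker_sector = 5
    start = marker_sector * SECTOR
    marker = image[start:start + MARKER_LEN]
    if marker not in CARD_TYPES:
        raise ValueError("no HTC$WALLABY marker at sector %d" % marker_sector)
    description, images = CARD_TYPES[marker]
    layout = []
    block = marker_sector + 1          # data begins in the sector after the marker
    unknown = False
    for name in images:
        size = IMAGE_BLOCKS.get(name)  # None when the thread gives no size
        layout.append({"image": name, "start_sector": block, "sectors": size})
        if size is None:
            unknown = True
            break                      # nothing can be placed after an unknown-size image
        block += size
    needed = None if unknown else block
    return {"type": description, "marker_sector": marker_sector, "layout": layout,
            "sectors_needed": needed,
            "complete": None if needed is None else len(image) >= needed * SECTOR}


def make_test_card(marker: bytes, fill_sectors: int, flash_key: bool = False) -> bytes:
    """Constructed sample image: optional 5.17 header, marker sector, then dummy data.

    The 5.17 header here is only the 'HTC FLASH KEY' string plus zeroed sectors; it
    does not reproduce the md5 fields the post mentions.
    """
    header = b""
    if flash_key:
        header = b"HTC FLASH KEY".ljust(SECTOR, b"\0") + b"\0" * SECTOR * 4
    return header + marker.ljust(SECTOR, b"\0") + b"\xff" * SECTOR * fill_sectors


if __name__ == "__main__":
    print(identify_card(make_test_card(b"HTC$WALLABY00", BOOTLOADER_BLOCKS)))
    print(identify_card(make_test_card(b"HTC$WALLABY22", BOOTLOADER_BLOCKS)))
    print(identify_card(make_test_card(b"HTC$WALLABY11", 0, flash_key=True)))
```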
thanx a lot XDA developer
my WALLABY boot loader is v5.15
I'm on my way to write xdirt for PPC, many thanx for ur information.
best regards
Hi...
Can't wait to get my hands on your code...hoping it works with 5.17.
Is the idea behind your program to prepare the SD card with the .NB0 / .NB1 files so we can upgrade our PPC's to 2003 through an ActiveSync connection?...yes, I'm a complete novice at this...sorry
G

universal bootloader 1.0 decrypted

After banging my head with the update utility and a bootsplash stuck universal for like hours, I did decrypt the bootloader 1.0... Will do some reverse engineering and post what I find... :lol:
Update: decrypted Bootloader 1.0 is attached...
ady,
if this is true... congratulations!!!
you may want to share your knowledge with buzz and the other specialists ;-)
have a good success
peter
hi ady,
GREAT!
could you please tell me how you did it?
thanx
buzz
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
ady said:
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
very interesting approach... )))
buzz
Thanx buzz.
something which I observed earlier while looking at the string table:
It has multilevel password protection and the password for each level i.e. update, erase, dump, debug is calculated at runtime.
Moreover the access level resets to lowest after a certain time which makes it almost unhackable
There are strings related to CID meaning there might be a method to change CID
updated first post to attach the decrypted bootloader 1.0 for those who are interested.
Also I successfully flashed the 1.0 bootloader on a device which was previously updated with 1.01...
Of course it was after hacking the RUU.dll. By default it doesn't let you update to an older bootloader
ady I have been looking at the bootloader of the prophet and the interaction between the romupdate utility and the phone with a software logic analyzer which has revealed a lot of information including the commands that romupdate runs while upgrading the rom.
I am in the process of compiling a list of bootloader commands which may be useful.
Did you dump the commands while downgrading the bootloader?
Pete
you can find a list of commands very easily. just look at the string table. however not all commands are allowed and that is the challenge
Some commands do not appear to be secured correctly.
For example the rbmc command.
If I run it without a password it says no permission, enter any password and then it will run fine.
The password issued by the romupdate tool seems to be based partly upon the results of the info 2 command as far as I can tell.
The main command I am struggling to figure out is the r2sd command which reads a key/password from the SD Card.
Rymez2K said:
The main command I am struggling to figure out is the r2sd command which reads a key/password from the SD Card.
hi,
did you mean d2s command?
buzz
r2sd command runs well when u hv CID unlocked..works for Prophet,wizard and charmer..typhoon
hdubli said:
r2sd command runs well when u hv CID unlocked..works for Prophet,wizard and charmer..typhoon
;o))) I thought, this is about Universal 1.00 bootloader...
buzz
According to some source of information there are 2 types of Universal. One with G3 and another with G4 chips. G3 bootroms have string "HW Version : 1.40h" in bootloader and its version is 1.xx, G4: "1.40j" and version numbers are 2.xx. Your ROM is for G3.
And bootrom can be decoded from nk.nbf with alpinenbfdecode.pl script
ady said:
By hacking the ruu.dll and running the upgradeut. I'm away at the moment. Will post it later
If this is correct, i hope, ...the nk.nbf of JASJAR bootloader can be decoded with the bal66 tool and one can get a .nba file. But I was not able to decode further with imgfs tools...it simply fails to do that....
@hdubli
bootloader image - nk.nba - is not an imgfs. you cannot use mamaich's imgfs_tools on it.
bal66's tool cannot decode bootloader nk.nbf to nk.nba either.
buzz
Attached is the file...pls check
hdubli said:
Attached is the file...pls check
yes, that file looks to be OK...
buzz
another thing:
lnb command doesn't work on 1.0 or 1.01. Another command wdata is used instead to update.
the difference between the two commands is that lnb needs to have an nb image i.e. lnb lnbtemp.nb whereas wdata transfers the image directly from host computer memory (more hack safe)

BA Disconnects as Update Starts

Hi,
Apologies in advance if I'm covering old ground.
I'm trying to re-flash a WM6 rom after my previous attempt just left me with the 4 colour screen permanently and as the links to mtty1.42.rar seem to be broken at the moment I decided to re-flash with a different rom.
the problem is that even though I can get the unit into boot-loader mode and the update software appears to see the BA when it checks versions etc. as soon as I hit the upgrade button the BA screen blanks and I get Error 112: CE ROM UPDATE ERROR.
I've tried different roms, different usb ports and different versions of activesync all with the same result.
Any help on this would be great and hopefully I haven't 'bricked' the unit.
Cheers
Duncan
Do you have PH20A2 or PH20B device?
mtty utility can be found using search button
It's a PH20B.
I've now found mtty after a fair bit of searching on other forums..now to see if I can make some sense of its commands.
A further update: it seems that I've managed to corrupt just the OS part of the ROM. I managed a radio update successfully which means all the USB connection is fine for updating. It just can't access the OS part of the ROM.
Is there any way to manually format that area of ROM so I can in effect install over a clean unit? Unfortunately I can't make sense of the mtty commands and don't know what memory address and for how long I should perform the format.
Cheers Duncan
try reflashing
You should know how to use search - however here is the link
http://forum.xda-developers.com/showthread.php?t=348030&highlight=mtty
(Is that hard to put "mtty" in the search field and set BA section only? )
Further update:
Now I don't even get the 4 colour screen. After soft and hard reset I get a dead device. I can put the device into bootloader mode (serial/usb) but as soon as the update software attempts to copy the rom across the screen blanks and I get the ROM Update Error.
Now my thought is to try and flash with the original rom for the device as I have another unit available but using the link from the BA wiki for dumping the ROM doesn't work. I have also tried searching for 'ROM Dump' within the BA section of the forum but there don't seem to be any definitive instructions for this, everyone just keeps asking why not use the wiki or search function....
I have used the wiki and the search function and I seem to be the first with this situation.
Soft Reset - Nothing
Hard Reset - Nothing
Bootloader - Able to flash the radio rom but as soon as i try to flash the OS rom the screen blanks and I get Error 112: CE ROM Update Error. When I take the device out of the cradle the screen comes back on with the Serial 2.xx screen and I'm back to square one.
I've tried to use the wiki to dump an existing working rom but the link on the wiki is broken. I have also searched the BA forum for these instructions but they're not covered as they're already in the wiki..... or not as the case is.
I appreciate you regular users get fed up with noobs coming on and expecting you to do all the work for them but so far I've spent 3 days searching both this site and others to try and resurrect my device. I'm not dumb or lazy and would love to be able to do all this myself but without instructions I'm flying somewhat blind.
Any help would be great..... please??
[off topic]
no need for apologies...
we started once like you... some are far worse...
knowing one part and boasting with air on their heads...
since you managed to explain yourself on your first post.
knowing what to search (E.G. MTTY 1.42.rar)
you definitely searched the forum before you posted AND
you stated that the links are not working... that proves it.
we are the one who is sorry because some others think
that they are high and mighty, it sometimes blurs the opinion making.
i dont like opinionated people because i admit that am one too... sometimes...
but that doesnt mean i hate them...
[on-topic]
you never told us what happened when you tried the mtty procedure.
is your last post the result of your mtty experience?
please elaborate how you ended up with that... what did you do before you soft-reset and hard-reset?
SilverSamurai,
Thanks for the quick response.
After my last 'apparently' successful re-flash with Helmi's latest WM6 rom when I hard reset the device I had nothing but a blank black screen, no power LED or anything. Soft-reset was the same. I can reset into bootloader and the PC detects the device when I place it in the cradle. The first part of the update seems to work although it never detects the current OS installed, it always says upgrade from ' ' to 'ver 6.0.0' which is weird because it always used to say the previous OS version. When I then hit next the progress bar shows on the PC but the BA screen immediately blanks and eventually the PC gives the ROM update error.
I have managed to re-flash the radio rom in this state which proved that I still have access to the device from the PC.
Using mtty I can run through all the commands to recover from the 4 colour lines screen (even though I'm beyond that point).
USB>set 14 0
HTCST ÚÈÒHTCEUSB>task 28
DOC_format_HW+
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
USB>task 0
USB>
It's almost as if the last flash didn't complete and has left the area for the OS 'dirty' with whatever it did manage to flash. What I was hoping to try was to re-format the entire OS section of memory and then try to re-flash again. Using mtty it says you can format sections of memory by stating a start address and the length you want to format but I don't have a clue what these should be.
I've tried flashing with WM6, WM5 and a compatible version of 2003 with the same result every time. I would like to dump a rom from another BA I have and try with that but as mentioned earlier the link for that is down at the moment.
I think that's about it. If you need any more info let me know.
Many thanks
Duncan.
let's relist the things you did.
USB>set 14 0
1. start OS after a reset
result:
HTCST ÚÈÒHTCE
USB>task 28
2. format doc (Disc-On-Chip)
result:
DOC_format_HW+
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
USB>task 0
3. do hardware clear boot.
since i dont want to experiment with my sole BA...
i tried to search for solution...
and with some of my computer instincts i came up with this suggestion...
try this command before "task 28"
"task 7 0" <-- this is the "Do flash ROM lock/unlock" command
"task 2a" <-- fix bad blocks on MFG bootloader and Storage
then try to reflash your BA.
my sources one | two
although it's not BA but i think mtty commands are generic.
it's worth a try.
SS,
Still no joy, it's exactly as it was before.
Just reading through some more posts for bootloader and it seems at least one other person has the same problem - http://forum.xda-developers.com/showthread.php?t=345181&highlight=bootloader and no resolution posted for that either.
I think I may have got it beyond the point of return.
I've just tried to flash from the blank screen I end up with from the initial attempt and it still detects the device but fails in exactly the same way.
awww... im sorry to hear that.
but dont lose hope.
i'll try to read some more and search for solutions.
and i hope someone with the same problem as
yours that had their BA fixed comes to the foreground.
[off topic]
hmm... come to think of it... we're both Marvel SuperVillains
SilverSamurai said:
awww... im sorry to hear that.
but dont lose hope.
i'll try to read some more and search for solutions.
and i hope someone with the same problem as
yours that had their BA fixed comes to the foreground.
[off topic]
hmm... come to think of it... we're both Marvel SuperVillains
These steps are from my notes. Follow these steps. It worked for me last time i tried (3 months back)
2. Stop ActiveSync, by Task Manager (press Ctrl + Alt + Delete)
kill two processes rapimgr.exe and wcescomm.exe
3. put your device into Bootloader Mode by pressing Power + Record Button and Soft Reset.
4. Run mtty (from downloaded) Choose WCEUSBSH001
5. type "set 14 0" without the quotes to tell bootloader to boot the OS after reset.
6. type "task 28" to get your device formatted
7. type "task 0" to ask your device reboot
8. take the device out of the cradle, and manually reset it if it does not do that already.
i think he did all of those already,
that's why i posted this in response to his mtty experience.
wouldnt hurt to try it again though.
A bit more info:
I tried the mtty solution again but still the same result.
I finally managed to find the instructions for dumping an existing rom to SD card and pulled one from a working unit. I put the card into the faulty BA and booted into bootloader. Pressed 'Power Button' to flash from card and it appeared it was going to work........ until it got to 12% then it failed with the message 'Download Fail'. So still no better off.
What I'm going to try now as it seems anything is worth a try is use the address ranges used to dump the rom to try and format all 3 sections. See if that will give me a clean base to try and re-flash from the sd card. My only worry is if it will format the section of ROM used to store the bootloader info.
I'll post my results shortly.
Now I need to know how to get the bootloader password to enable me to use the 'erase' command through mtty.
The hunt continues....
Yet more developments.
As the update from SD failed I thought I'd see if it was possible to dump the current contents of the rom to SD using the following
“d2s 80000000 02000000“
“d2s 60000000 00300000 sd a“
“d2s 70000000 01080000 sd a“
The first 2 commands completed fine and checksum was OK. On the 3rd command 'd2s 70000000 01080000 sd a' it errored with the following result
USB>d2s 70000000 01080000 sd a
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
pc->drive.total_lba=1E8000
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=3D000000
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=2BA0000
All:dwSize=3C20000
DOC_ReadBinary is fail: dwStartAddress=0,dwReadSize=40000.
DOC_ReadBinary is fail: dwStartAddress=0,dwTempReadLength=40000.
*DOC_ReadBinary is fail: dwStartAddress=40000,dwTempReadLength=40000.
*****************************************************************dwCheckSum of Storage=95609D16
cSectionNum=2
psImageSectionInfo[cSectionNum].dwCheckSum=0
psImageSectionInfo[cSectionNum].dwLength=1080000
Stored image of SD/MMC card checksum error!
Now my guess is the Doc_Read_Fail bits are the corrupt part of the rom. If I can find a way to repair these I could then try re-flashing the rom.
what was "task 2a"'s result?
i think that's the chkdsk option of mtty.
we're dissecting the innards of the bootloader.
little by little as we go along the way...
im learning something, i hope you can find the fix for your problem.
SilverSamurai,
Thanks for the help you gave but the unit has finally had enough and totally locked. No power or anything no matter how I try to reset it. I've tried charging for hours, discharging for hours, left the battery out for hours but to no avail. It seemed to take exception to me dumping the rom contents to the SD card. Maybe there was a hardware problem ?? Not sure.
I'll have to see if I can wangle another unit from the company I work for as we're currently selling a bunch that were purchased for a failed IT project on ebay.
it was sad to hear/read that.
anyways. at least we tried to revive it. but dont throw it away.
maybe someday there will be ways to resurrect your BA.
Happy Computing! err... Mobile Computing!

Rooting German G1 CRB43

I have spent the past several weeks trying to root my G1 originally from Germany. My goal is to root and load a stock U.S. T-Mobile ROM onto the phone. Here is some info on the phone:
Model: T-Mobile G1
Firmware: 1.5
Baseband Version: 62.50S.20.17U_2.22.19.26I
Kernel Version: 2.6.27-00393-g6607056
Build Number: CRB43
Now, I've been through the forums and pretty much all of the tutorials. I've attempted the goldcard method using several different micro SD cards. I've been trying to load it with DREAIMG.NBH, (RC7) version. I've been using both dd commands in Ubuntu and also via PC using HXD. Where I run into a wall is the phone upon booting it up (Camera Button + Power Button) it says "No Image File".
Here's how I've been trying thus far. I've formatted the SD cards using Windows XP command (format F: /FS:FAT32 /A:4096). I've checked the CID from the SD cards using both the G1 via Terminal and also using a WMD (HTC Touch) in qmat and reversed in qmat crypto toolbox, replaced the first byte with "00", and generated a gold card via the online goldcard generator. I've tried writing the goldcard.img via HXD and via dd command, to see if either would work, and have written the DREAIMG.NBH to root as instructed. The results have always been the same, "No Image File" when I boot the phone.
If there is anyone that could help, I would greatly appreciate it as I am at a loss with what to do next.
Uhm.. CRB43 is the same build number as the Rogers Dream. Perhaps the Rogers rooting method works? That's all I can tell sorry
hellfenix said:
Uhm.. CRB43 is the same build number as the Rogers Dream. Perhaps the Rogers rooting method works? That's all I can tell sorry
Just tried the Rogers method. Unfortunately, I get stuck at the first reboot point. After I've loaded the update.zip file and I reboot (Camera button + Power button), I get the "No image file" error.
Any other suggestions.
If the no image file is a green text going really fast then it is normal, you have to press the Send key (talk key) from there to get to Fastboot mode.
hellfenix said:
If the no image file is a green text going really fast then it is normal, you have to press the Send key (talk key) from there to get to Fastboot mode.
I attempted it again, this time I pressed the send key and it does nothing. It goes back to the red, green, blue, and white screen.
To root a german G1 you will need to make a goldcard. I don't have an english link to a tutorial, so please google on it. Search for "Goldcard G1".
djvw said:
To root a german G1 you will need to make a goldcard. I don't have an english link to a tutorial, so please google on it. Search for "Goldcard G1".
I appreciate the response, but if you look at my original post, I've been trying the Goldcard method but have had problems with "No image file" appearing.
i have been having the same problem with my official 1.5 (CRB43) USA while i was trying to root today :/
IIxShockwavexII said:
i have been having the same problem with my official 1.5 (CRB43) USA while i was trying to root today :/
Hopefully someone has figured out a solution and will let us know.
johnnysacco said:
Hopefully someone has figured out a solution and will let us know.
did you root your crb43? I have the same problem on my g1
Hi guys. Did someone figure it out already? I have CRB43 and faced exactly the same issue. Any ideas?
ringieringie said:
Yo peoples,
after weeks of trying to downgrade my rc9 to rc7. i finally figured a way to easily write to the raw sectors in xp without using unmount, cygwin and things like that. use at own risk!!!!
- download terminal on your g1.
- type: cat /sys/class/mmc_host/mmc1/mmc1:*/cid
- reverse in qmat
- change the first 2 numbers or letters to 00
- create goldcard from Viper BJK website (thanks man)
- format sd card to fat32
- download HxD Hex Editor and install
- open program and go to "extra" and then "open disk"
- choose physical disk and then the removable disk. that is the same as your memory card. If you don't know which one it is, just remove the card and restart the program and you will see which one has disappeared.
- uncheck open as readonly !!!!!!!
- go to "extra" again and the open disk image.
- open the goldcard.img which you have created from Viper BJK website.
- press ok (512 is fine) and then "select all" and "copy"
- go to the removable disk tab and select offset 00000000 till offset 00000170 go to "edit" and then "paste write".
- save it
- now copy dreaming.nbh to the root off your memorycard.
- turn of your phone and restart by holding the camera and the power button.
Hope this will help you.....
grtz C.C.
This worked for me on my German G1 T-Mobile crb43.
rgs.
tsk
johnnysacco said:
...and reversed in qmat crypto toolbox, replaced the first byte with "00", and generated a gold card via the online goldcard generator. I've tried writing the goldcard.img via HXD and via dd command
Hi m8, I had exactly the same problems as you, but this finally worked for me and now I got root.
If you get the CID via adb you don't need to reverse it (when you use Linux you use the reverse function); only replace the first bytes, generate the goldcard and write the img with HxD.
/tsk
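The byte-level steps of the quoted goldcard procedure (reverse the sysfs CID, zero its first byte, then paste the image over the start of the raw card) and tsk's note that the adb route skips the reverse, as an added Python illustration that is not code from this thread, QMAT or HxD. The CID and the card contents are constructed sample bytes, and the image length stands in for the 0x00000000..0x00000170 range the post selects.

```python
import re

# Constructed sample CID (16 bytes as 32 hex chars); not taken from a real card
SAMPLE_CID_SYSFS = "0102030405060708090a0b0c0d0e0f10\n"
GOLDCARD_REGION = 0x170  # the post pastes into offsets 0x00000000..0x00000170


def parse_cid(sysfs_text):
    """Take the 32 hex characters printed by `cat /sys/class/mmc_host/mmc1/mmc1:*/cid`."""
    m = re.fullmatch(r"\s*([0-9a-fA-F]{32})\s*", sysfs_text)
    if not m:
        raise ValueError("CID must be exactly 16 bytes of hex")
    return m.group(1).lower()


def reverse_cid(cid_hex):
    """Byte-wise reversal, the 'reverse in QMAT' step of the post."""
    return bytes.fromhex(cid_hex)[::-1].hex()


def goldcard_cid(cid_hex, reverse=True):
    """Reverse (skipped when the CID came via adb, per tsk) and set the first byte to 00."""
    b = bytearray(bytes.fromhex(cid_hex))
    if reverse:
        b.reverse()
    b[0] = 0x00
    return b.hex()


def patch_card_image(card, goldcard_img):
    """Copy of the card's raw bytes with goldcard_img written at offset 0 (HxD 'paste write')."""
    if len(goldcard_img) > len(card):
        raise ValueError("image is larger than the target")
    return goldcard_img + card[len(goldcard_img):]


def verify_patch(original, patched, goldcard_img):
    """What a correct save should leave: the image at offset 0 and nothing else changed."""
    n = len(goldcard_img)
    return (len(patched) == len(original)
            and patched[:n] == goldcard_img
            and patched[n:] == original[n:])


if __name__ == "__main__":
    cid = parse_cid(SAMPLE_CID_SYSFS)
    print("reversed CID :", reverse_cid(cid))
    print("goldcard CID :", goldcard_cid(cid))
    card = bytes(range(256)) * 4          # constructed stand-in for the card's first KiB
    img = b"\xaa" * GOLDCARD_REGION       # constructed stand-in for goldcard.img
    patched = patch_card_image(card, img)
    print("patch ok     :", verify_patch(card, patched, img))
```

Re-reading the raw device after saving and running the same comparison is the quickest way to confirm HxD wrote the selected range and nothing beyond it.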
Mine Updated Today
I just got a repaired phone yesterday here in the US and the shop had put in a new German mainboard which had CRB43 build on it. This morning my phone received a network update and changed my build to CRC1. Now I can downgrade the phone and try running the normal rooting procedures found here http://forum.xda-developers.com/showthread.php?t=533731.

[Q]I need help please

Hi all, new here, I'll get straight to the point because it's quite urgent. I flashed my HTC Elfin with the Onyx 6.5 ROM and after flashing it kept crashing on the Orange splash screen, but I did an even more stupid move because I tried flashing the phone with a shipped ROM, and at the time I did it I didn't know it was incorrect, so now all my phone can do is display pretty red, green and blue gradients with the following written on the red gradient.
IPL 2.27.0002
SPL 2.28.0000
I can't remember anything like CID or anything like that but I do have the following...
SN :HT837Gxxxxxx
IMEI :35678601xxxxxxx
Part Number :99HEH137-00
Part Description :SKU,ORANGE,English-WWE,GBR,white,GSM 900/1800/1900,HTC_P3452,ELFIN-A2,w/ SIM Lock
Customer Name :Orange P.C.S Limited
Customer Model :
HTC Model :ELFIN-A2
Error Message :
Please help me as I can't do anything with it.
By the way I got two other devices, one being my gizmondo and the other being my old IPAQ h1910.
I've also got this info...
Cmd>password BsaD5SeoA
Pass.
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDInit - SD ver2.00
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd55 Card status error in response. MMC_STAT = 4000
SD Ver2.00: Low Capacity
SD clock to 24MHz
***** user area size = 0x3AF000 Secters
SDInit---
SDInit OK
g_cKeyCardSecurityLevel = FF
HTCEType (0x1)(Operation mode flag): cOpModeFlag=(0x0).
Type (0x2)(Back color flag): cBackColorShowFlag=(0x1).
Type (0x5)(Background color value): g_wBColor=(0xC618) (0xC0C0C0).
HTCST
Thanks Leighton
Leightonw87 said:
g_cKeyCardSecurityLevel = FF
That little line is telling you that the phone is CID-locked, and as it doesn't go beyond the bootloader, it is bricked too.
So the easiest thing to do is to try flashing the unbricker ROM from SD; if that doesn't work, go with the goldcard method, which will work for sure if done properly.
I tried the unbricker ROM through the RUU utility but it says invalid vendor, and when I do it through SD it says Checking SD and then nothing. I'm currently trying the goldcard method but it doesn't seem to want to work on my 2GB MicroSD. The SD SN starts with 00 so I'm not sure what's wrong.
I now regret doing the flash in the first place. Also some of the utilities are recognising it as around 900 MB, not 2GB, so that's making me think that I should get a 512MB or 1GB memory card...
Try making a smaller partition on the SD card and the unbricker ROM again.
read this:
http://wiki.xda-developers.com/index.php?pagename=Elf_SD_Card_Flashing
The problem is not flashing ROMs; the problem is with all the people that try to flash original ROMs/backups and end up with a dead phone.
That is probably what I did lol.
Edit, How do I resize the SD card, I've done it in past for my IPAQ but that was a good while ago and it was for putting opie on it.
Start > Control Panel > Administrative Tools > Computer Management, then on the left select Disk Management under Storage. Delete all partitions from your SD card and make a new one with 800MB for example, and make sure to format it.
I've got Windows 2000 and under Disk Management, Delete Partition is greyed out on the SD card.
EDIT:
I just tried disk management on my windows xp laptop and I cannot Delete Partition, same as the above which makes me think it maybe my card reader because this is with a 1gb microsd, not my 2gb one.
I know I shouldn't do this but I'll say sorry in advance.
I can't get the gold card method to work nor will it flash from sd, should I be using a wm device with a MicroSD slot or should I be able to use the adaptors in a standard sd slot device as I only got the latter. I'm in desperation and I really can afford to send it off, please help me.
AFAIK, the SD adaptor is just a mechanical device, so it should work OK.
However it is strange that you can't flash from SD; make sure that the filename is correct and that you wait long enough.
I will suggest a simple way: switch off your device (take the battery out), reinsert the battery and flash your carrier-provided ROM from our forum, see the sticky ROM thread, and try flashing the original one. It will work flawlessly, and then use the 3.10 CMON USPL and your CID is unlocked and you are free to flash any ROM.
Happy flashing
I've tried looking for the Orange UK shipped ROM and they are all dumped ROMs on the wiki, and there aren't any Orange UK shipped ROMs on the sticky.
I wish they made this sort of thing a lot easier; my Sony Ericsson didn't even give me this much hassle.
Leightonw87 said:
I've tried looking for the Orange uk shipped rom and they are all dumped roms on the wiki and there isn't any orange uk shipped roms on the stickie.
I wish they made this sort of thing alot easier, My sony ericsson didn't even give me this much hassle.
Your Sony Ericsson probably didn't allow you to flash cooked ROMs either.
You don't need an Orange shipped ROM, you just need a shipped ROM with same device ID (eg. ELF010150 or whatever your device is). Gold card should work if done right.
I think I'll have to see if I can get a Virgin Lobster phone, because our local pawn shop gets them quite often and very cheap, to try the goldcard then. Until I find one I'll wait a bit, because my Gizmondo refuses to do anything with QMAT even though it says written to SD card.
By any chance is it possible to change Cardid by hex editing?
Leightonw87 said:
I think I'll have to see if I can get a Virgin Lobster phone because out local pawn shop gets them quite often and very cheap, to try the goldcard then, until I find one I'll wait abit because my gizmondo refuses to do anything with QMAT even though it says written to sd card.
By any chance is it possible to change Cardid by hex editing?
I don't know because all the knowledge I have about the Gold Card is shared in the Wiki. As I already stated there, I don't know of any other way to get the Card ID. I'm no hacker.
OK no probs, thanks for all the help you've given me. Once I find another WM device I'll try again, because I've spent too much time on trying to do the goldcard and my partner is getting annoyed. lol
Leightonw87 said:
I tried the unbricker rom through the ruu utility but it says invalid vendor and when I do it through SD it says Checking SD and then nothing. I'm currently trying the goldcard method but it doesn't seem to want to work on my 2gb MicroSD. The SD SN starts with 00 so I not sure whats wrong.
What do you mean by it "doesn't seem to want to work"? What error are you getting? And why do you want to hex edit the card ID?
No matter how many times I try, it just doesn't want to make the goldcard, on XP and 2000, but like I mentioned before it must be something to do with my Gizmondo. My PDA is pre PPC 2003 so no luck there; it doesn't find the serial number at all.
Leightonw87 said:
No matter how many times I try I just doesn't want make the goldcard. on xp and 2000 but like I mentioned before it must be something to do with my gizmondo. My pda is pre ppc 2003 so no luck there. doesn't find the serial number at all.
Just buy a WM device from the electronics shop and then use the Gold Card method on it.. then return the device when you are successful
hahaha, that's a great idea but these days they are pretty fussy when it comes to returns.
Hi, I just thought I'd add this as I don't know what the CID number is.
Cmd>getdevinfo
HTCSELF010051¡o³fHTCE
As far as I can work out it's ELF010051, but it looks like something went wrong with the CID number.
I know it's orange uk as shown in the first post. I was also wondering could I create a goldcard by just using my pc/laptop or could someone create a goldcard for me???
SD SN:E06E030000000000F0FFFFFF30000306
