Analyze Artemis Radio for simlock ? - P3300, MDA Compact III upgrading etc.

Hi,
It seems that the artemis Radio is compressed using BCL.
The Radio image is composed of several blocks all starting with "BCL1".
When splitting the file, it is possible to uncompress each block and reassemble the blocks.
There seems to be more information in the file, like :
/gsm/MELOCK/SIMLock
/gsm/MELOCK/Service
/gsm/com/ALSlock
/gsm/com/rfcap
/gsm/cops/operimsi
/gsm/sms
Copyright (c) 1993 ATI - Nucleus PLUS - Version 1.0.G1.1
If anybody knows how to go further with this...
Attached is :
- bcl.exe : basic compression library utility
- radio_dec.zip : example of decompressed file
- strings.zip : extracted strings

I also tried this, without success on my M650:
http://www.spv-developers.com/forum/archive/index.php?t-180.html
Anybody tried it?

Related

Actual size of file (extracted using dumprom) is not OK

Hi, I am trying to extract a file (actually, cplmain.cpl) from a ROM image. It all seems to work fine, but the size of the extracted file is lesser than the right one.
File seems to be truncated.
I did:
1) get the "B000FF" file (.bin), 24,856,907 bytes
2) Since dumprom seems not to "like" this format, I converted it using splitrom:
perl splitrom.pl file.bin -wo file.rom
3) I don't know which format it generates to file to, but now dumprom works:
dumprom -d result file.rom > res.txt
4) A few snapshots of the file res.txt, regarding the file cplmain.cpl:
NOTE: section at fee73000 iso 00044000 for cplmain.cpl
806f5fe4 - 806f5ff0 L0000000c modname cplmain.cpl
8072d000 - 8076fe1c L00042e1c o32 region_0 rva=00001000 vsize=00042e1c real=02e61000 psize=00043000 f=60000020 for cplmain.cpl
80770000 - 8079e600 L0002e600 o32 region_3 rva=00048000 vsize=0002f000 real=02ea8000 psize=0002e600 f=40000040 for cplmain.cpl
808c7650 - 808c76bc L0000006c e32 struct 4 objs, img=212e entrypt=0000b408 base=02e60000 v4.20 tp9 cplmain.cpl
808c76bc - 808c771c L00000060 o32 struct cplmain.cpl
80a36870 - 80a36ff6 L00000786 o32 region_1 rva=00044000 vsize=00001800 real=01cd3000 psize=00000786 f=c0002040 for cplmain.cpl
80a4d0d8 - 80a4dffd L00000f25 o32 region_2 rva=00046000 vsize=00001ca8 real=02ea6000 psize=00000f25 f=40002040 for cplmain.cpl
80be2ed8 - 80be2ef8 L00000020 modent 20 00000005 01c3f9e1932529f0 486400 8119a000 cplmain.cpl
...............
5) Last line's "486400" is actually the *right* size of the file, but the real size of the extracted file (in directory "result") is 477,184.
I have not checked other files, since this is the one I am interested in.
Any idea?
Thanks in advance
XIP files would report incorrect size. Because they are XIP
If XIP files report wrong size (I guess you mean inside the very NB1 file), how can one fix this?
Thanks!
I guess I am not using the same alignment of blocks in the reconstructed .exe file as was used for constructing the ROM.
It is not a really important issue that the file is not exactly the same size.
There are also sections missing in the ROM that were in the original file, like the relocation information.
the main use of dumprom extracted modules, is that you can reverse engineer them with something like IDA. .. not that they are useful as real executables.
willem
Hi Willem,
Well the thing is that I need this file to be the right size. I agree that size is not important (that's what I actually say to my girlfriend ;-) ) as long as the extracted file's size is greater, not lesser (which implies truncation), than the original's. The problem is that the file I got is smaller, so there is some missing data in it.
Actually, I copy cplmain.cpl to the ppc as cplmain2.cpl, I do:
ctlpnl cplmain2.cpl,2 (for instance)
and it simply does not do anything.
Excuse my ignorance, but, what is IDA?
Thank you
IDA: http://www.datarescue.com/idabase/
you can't use a file extracted with dumprom on another device.
Most executables and DLLs (and CPLs) are fixed to work at a specific location in memory in one specific ROM. You can't use it on another device; it will most likely have a different memory layout.
willem
If you have two versions of the same DLL that differ only in code and data base addresses, you can restore the .reloc section and get a working DLL. I've written a simple program that, when used with any relocation rebuilder tool, would produce a working DLL. And even if the DLL is not working, it is much easier to decompile it with IDA because it uses relocation information internally during analysis.
The DLLs should be exactly the same; for example they can be taken from the same ROM builds that differ only in language (of course in this case the DLLs should not be localized).

Extracting mpx200's ROM?

hi.
How can I extract files from an mpx200 ROM? I tried to use tools from the forum but with no success. The mpx200's ROM is a file with .img extension. As I see so far in the forum, the ROM file extension for PDAs is .nbf. Is there any way to convert the .img file into .nbf so I can use the er2003edit program? Any other idea or guide that could help to extract the ROM from my mpx200 (WM 2003) would be very welcome. I couldn't find any resources on the web about extracting the mpx200 ROM and that's why I posted in this forum. I hope that I'm not totally off topic.
Thank you.
Nikos
I had a play with this a while back, to try to get MPX300 compatibility with VJCandela.
I believe the ROM files have a "B000FF header" (open it with a hex editor). Apparently splitrom can reassemble them into a ROM we can play with, but it became more urgent to finish VJCandela than to continue with this, so I put it aside. If you get anywhere on this, please PM or post so that I can see if I can make VJCandela cross compatible.
Many thanks!
V
I can upload a dumped mpx200 WM5 ROM to xda-developers FTP if needed.
These IMG files are somehow non-standard B000FF, I was unable to use splitrom to convert them to normal file.
You should dump the ROM from a device, then remove a hole in the middle (probably the MPx200 has 2 ROM chips at different addresses), then edit it manually because some idiot incorrectly edited that ROM to remove DevAuth.exe and broke its internal structure. After that you'll get a complete dump with broken ril.dll and gx.dll.
I wonder how that incorrectly patched ROM can even boot.
That would be interesting Mamaich. I'd appreciate it if you can.
Can we dump a live rom normally then? I'll try to speak to a guy with an MPX300 to get it dumped if possible, and try to upload it if he's successful.
V
hi.
I found so far that it's possible to convert the .img file, which is used to update the mpx200, into a .bin file. I opened the .bin file with a hex editor and it starts with B000FF as you said. I don't know where I can use this information or what it means. As you said, it's the header. When I try to dump the ROM with dumprom.exe I get an error message saying "unable to determine loading offset for out.bin". Looks like I have to find this offset myself and give it to dumprom. Could you help me somehow on this?
Also, where can I read a few things about the ROM structure, XIP and stuff to understand what's going on?
Thanks!
EDIT1
Also tried with splitrom.pl.
With the command splitrom.pl out.bin it gives me the following:
B000FF entrypoint: 00000000
!!! your rom is not known to me: md5:
68847f4d859a242753798d9d0e205144
!!! your bootloader is not known to me: md5:
ea25e7468c09bf09a384a94cb4dcc67c
no operator rom found
no bitmap found
xip regions not found: 82d80000=LANG, 82040000=SMARTFON, 82d00000=OPERATOR, 82f20000=OE
And a lazy question. If I finally do it, will I get a folder on my disk with all Windows components unlocked and ready for modification?
EDIT2
Reading a few things about splitrom, it says that it can handle bin files with a B000FF header. In our case (mpx200) we have a bin with a B000FF header. Right? So we can use splitrom to make the nk.nbf file.
An example of how to use splitrom.pl is the following:
perl splitrom.pl cfg/rom.nb1 \
-rm tmp/xda1.bin:0x81740000 \
-rm tmp/xda2.bin:0x81b00000 \
-rx tmp/xipchain \
-rb cfg/bootimage.bmp -ob 0x81ec0000 \
-rl cfg/bootloader.nb0 \
-wo nk.nbf -t nbf -n PW10A1-ENG-4.01-007
In the above, he opens rom.nb1 which is his ROM file. Probably the plain ROM image format, I don't know the type. Then he refers to another 2 files, xda1.bin and xda2.bin. In my case I have only one file, out.bin. He also uses bootloader.nb0; I don't have it or something similar. Finally he writes the nk.nbf file and gives it a header. In my case I will give a B000FF header.
End.
nicktgr15, to extract files from 2002 and 2003 firmware you can use tools from http://onk.nm.ru/mpx200
Great site my friend onk. Great site. I hope I'll find something. Thank you.
Hi nicktgr15!
Any luck with the ROM extraction for MPx200?
Anyone here on this board can comment too.
I went to the link http://onk.nm.ru/mpx200 but can't really get things going with the WM2003 for MPx200.
I've got the ROM, but using dumprom.exe I got something like 'can't determine the memory offset'.
So... where do I start?
I really need the SIMManager & Resource Manager for my WM5 MPx200.
Also, would like to have the SIM Tool Kit working on my phone since there's no way to interact with the SIM features.
Thanks anyone!
Please upload the dumped WM5 MPx200 ROM you are talking about! It will be a huge step!!! We can edit it, fix some bugs, even make it work without the need of the SD card...!!!
I've uploaded ROM dump to uploads/mpx200_dump directory on xda-developers FTP.
The Buildimgfs tool is useless on this ROM, because 2 files in it are broken. Maybe addfile/delfile would work (but they would break data in imgfs_removed_data.bin). And of course you have to manually remove the hole inside the ROM before working, and inject the removed data back before flashing. And figure out the format of imgfs_removed_data.bin and recreate it yourself.
To dump WM5 files you can use the tool http://buzzdev.net/index.php?option=com_remository&Itemid=100&func=fileinfo&id=83
You must create the directory "\Storage Card\" on the SD and run this program on the smartphone.
I think this program works on many other devices with WM5.
PS. you can read http://www.wce.by/forum/viewtopic.php?t=1517 (Russian language) about tools for firmware
Onk, nice site, but I can understand a thing!!!
Have you made a fixed version of WM5 for the MPx200? If yes, where can I download it?
My goal is to make a cut-down WM5 version that can fit on the 32MB ROM of the MPx200... can that be possible?
I'm downloading WM 2005 for the MPX200 smartphone, Build 14343, from sendmefile, but the link is dead ;(
After extracting files from the archive, I convert part2.bin and part3.bin to CMCS IMAGE (using BINtoIMG) and flash the images to the mpx200 (using Motorola Upgrade Wizard 1.8.x).
WM5 for the mpx200 uses the SD card like /Storage on WM2003 and WM2002 (to save config, data files, programs etc.).
Internal flash used only for firmware
To replace some files from the firmware you can place them in /Windows on the SD card.
BUT! This build of WM5 works on 80-90% of mpx200 devices ;(
Some devices can't run WM5.
And the speed of operation of WM5 strongly depends on the speed of the SD card used (x80..x132 recommended).
Your file mpx200_wm5_bin_B00FF.7z (17460816 Bytes) is now online.
Your Download-Link: http://rapidshare.de/files/14495499/mpx200_wm5_bin_B00FF.7z.html
To extract the files you must use the 7zip archiver, www.7zip.org
what?is this a fixed wm5 version?
does it works without the need of the SD?
NO
this version NEED SD
Is there ANY chance to remove some files (images, sounds, maybe some programs) from the WM5 ROM and make it work without the need of the SD?
I believe then,the OS would be STABLE and work Faster.
Let's make a Try!!!
What do you think?
part1.bin contains Magneto using the built-in flash memory (WM5 build 14122).
It is necessary to correct a little. Find in the firmware
Code:
0BFC440: 65 6D 72 65 67 69 73 74 │ 72 79 2E 64 6C 6C 00 44 emregistry.dll D
0BFC450: 65 76 41 75 74 68 2E 65 │ 78 65 00 62 74 68 61 74 evAuth.exe bthat
and change DevAuth.exe to AuthDev.exe to disable the Device ID check.
But this firmware contains one more "protection": it works before some date.
If before flashing you set the date to 2004, it works normally. With the current date, it shows a modal system window with the message that this is the version for developers.
How to disable this "protection" is not known yet.
And it is not known about locking the registry in this firmware.
PS: In the firmware, a ROM structure similar to 2002/2003 is used. Use dumprom to extract files.
PPS: my page is updated. Added simple manual about firmware and tools
mamaich said:
I've uploaded ROM dump to uploads/mpx200_dump directory on xda-developers FTP.
Can you please upload this dump somewhere once again? as it seems /mpx200_dump is already deleted from FTP.

Samsung i607 Blackjack ROM cooking (Applies to i600 and other Samsung phones)

I was trying to cook a modded ROM for the i607. I was able to extract the nb0 from the bin file using cvrtbin & viewbin > then Mamaich's prepare_imgfs > viewimgfs > dump > modify/add/delete files > buildimgfs > makeimgfs, and I know this is basically what you do with the Hermes ROM; however making it back into a BIN file has proven to be a "no go". I have tried splitrom.pl, rommaster, xipbin, etc., but I am afraid without the right utility this will not happen.
Does anybody know if there is a tool to convert the cooked nb0 back into a WMx B000FF bin file? There is an old tool for the Mobilepro, xipbin.exe, however the block size and length of ROM do not match. Doing the splitting in sectors and retrieving the checksum manually is going to take a lifetime...
Just an idea: Could it be possible to use a blank CE.BIB with only the start and offset of the ROM and romimage from MS PB builder together with the nb0 file above?
Any good ideas are welcome.
I tried using romimage with no results
I tried to use Romimage from MS platform builder, and after many attempts I gave up. I basically used a minimal CE.BIB and the patched ROM (nb0) file as the source to be inserted. It creates the Run-time BIN file with 4K blocks where it should be making it 128Kb ones.
TO Do:
Try an HEX editor with macro or script capabilities, to perform the following process
1.- Strip the HEADER+RECORD section from the original FLASH file
2.- Strip all zeroes preceding the patched ROM (NB0) before the start point
3.- Cut the patched ROM in 128K chunks (about 500 pieces) called blocks or records
4.- Calculate the Checksum 32 of every one of these chunks and annotate it
5.- Make the HEADER of the RECORD annotating (in little endian): Start Address - Length (Block Size) - Checksum 32 for every record
6.- Join the HEADER to the respective record. Iterate this process until finished (some 500 times)
7.- Insert the above joined (HEADER+RECORD) section into the stripped flash file in step 1
8.- Here comes the scary part : flash the phone with this MOD (just the PDA section)
9.- If successful, make a program to automate steps 1 to 7
Wish me good luck...
One other comment: according to Texas Instruments, in the Code Composer Studio for OMAP processors, it can be connected to the phone via a COM port using HyperTerminal. Alternatively I think we could flash the phone using this method and a ROM of type NB0.... Perhaps not, as the flash program just connects to the phone using the serial port when in Flash mode. This program also accepts img files; I tried to rename the nb0 file to img and it didn't work. Does anybody know what these Samsung img files are?
Is anybody interested in this matter? Please don't just read the post, start replying... If we really want to MOD this phone, be it the BlackJack i607 or the European i600, we need to start doing some reverse engineering... the people at xda-developers started this way to master the HTC and similar devices.
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
cmonex said:
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
Thank-you, however I haven't received your reply yet. I'll send you the link to the ROMS via private message .
Regards,
trinca
The modded ROM
Cmonex:
I have uploaded the modded ROM and is located at:
http://rapi*****/files/42779528/XXGD1_pda.nb0.html
******************W A R N I N G *********************
For everybody else following the thread, please be advised
this above file is a plain binary, it must be converted to a
MS WMx BIN format with a B000FF header before flashing any BJ.
Please do not attempt to flash your phone with it!
**************************************************
I haven't received your e-mail
cmonex said:
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
Hi, Cmonex:
Can you please resubmit?
TKS
trinca
For those of you who would like to start cooking this ROM
I was able to extract the plain image using cvrtbin (MS tool that comes with visual studio) you may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) from the WM5 kitchen made by itsme (first sticky in this forum) and so on.
Making the ROM back to the B000FF format is going to be the trouble... So far there is not an easy come back... yet!
There is also an excellent article on Mobilepro BIN roms made by cmonex, you can get a copy of that tutorial inside his Romtool package, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however the tutorial is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca
Samsung i60x ROM: Extracting the OS payload from the Upgrader exe single file
The Upgrader program contains 3 payloads: Eboot, Phone and O/S. To extract the O/S payload follow this procedure:
1. Open the exe upgrader file using the Hex editor of your choice.
2. Locate the ASCII string B000FF followed by 0x0A. The complete sequence you should look for is 0x4230303046460A. You should find 3 occurrences of the above string. Concentrate on the last one.
3. Copy from this start address all the way up to the string 0x060000EA3B, which is the start of the phone ROM.
4. Make sure your cut includes the 12 trailing zeroes 0x000000000000, as they indicate to the loader the end of the Runtime of the PDA image.
5. Name your file with a bin extension (i.e. XXGD1_pda.bin).
6. Proceed with cvrtbin to extract the absolute (or plain) ROM image (ending in nb0).
7. You are ready to start cooking.
I was able to successfully extract in this way the ROMs for i600 releases XXGC6 and XXGD1 and for i607 UCGB4 and UCGD2.
How did I find out? I got the chance of getting the XXGC6 upgrade package, which included the eboot, phone and pda sections separated. Further reading in the forums indicated the B000FF is followed by 0x0A, the start address of the ROM (00000000) and the end address. From there it was easy to locate the payloads in the Upgrader single exe file.
Good luck extracting your ROMS.
Samsung i607 Service Manual
Below is the link for the SGH-i600 service manual URL. Does anybody have the service manual and/or schematics for the SGH-i607?
BIN B000FF runtime image file format
Does anybody have a detailed description of the arrangement of headers and records in this file format? The best reference I have found is this page:
http://www.devpia.com/MAEUL/Contents/Detail.aspx?BoardID=60&MAEULNO=23&no=242&page=1
Unfortunately I do not understand Korean...
hey, i again sent you an email. i'll quote it in PM too just to be sure.
btw, the rom tutorial that i wrote and that you linked to, fully details B000FF format. what is not clear about it?
The tutorial is right
There is nothing wrong with your tutorial, I had to use the HEX editor several times until I got that right.
cmonex said:
hey, i again sent you an email. i'll quote it in PM too just to be sure.
Do you know if isotherm may share the source code for xipbin? Do you have a way to contact him? I tried to contact him at hpcfactor with no results.
Trinca - ok, let's imagine you got all the needed files into B000FF format. How do you plan to flash it back to your i607?
Creating the B000FF Runtime image
After cooking the ROM...how to re-create the B000FF Runtime image back? That is the $1M.. question, I am still navigating uncharted waters...
Producing the Flashable runtime image back is what I am now concentrating on, as I see it there may be 4 possible ways:
1) Manually
-a) Splitting the nb0 file in [n] 128KB chunks (for a ~64MB image, there are over 500 x 128KB chunks)
-b) adding the chksum32 at the beginning of each chunk
-c) adding the address and offset to the beginning of the above.
-d) merging it all together
-e) adding B000FF, start address and offset at the beginning of the merged files
You can use a hex editor with scripting capabilities such as 010Editor and write a script to handle a) through e):
http://www.sweetscape.com/010editor/
Still a pain in the neck, and the scripting language is similar to C; if you know this language it will be easy for you to automate the above. Still experimenting with it.
2) Using XIPBIN, made by somebody AKA isotherm. This utility will make a B000FF runtime file good for an HP/NEC Mobilepro; the record length is made 0x40000 bytes long, different from the 0x1FFE0 record length of the original ROM. According to cmonex, this should not be a problem provided the record is made of a different length and has the right checksum per record, but I have already made several attempts and it does not work for me: when flashing the phone it gets stuck at the very beginning. You may research further here.
3) Modify xipbin and make it produce records 0x0001FFE0 bytes long. As the source code for this utility is not available (cmonex says isotherm has disappeared), I am still hacking into this utility...
4) Create our own program using VC or VB. I may probably work on this one as well, as I get some time available.
I am attaching a copy of xipbin.exe; however if you have followed my instructions you may probably have it already. Please let me know of any success (or failure, we all learn from those too).
usage:
xipbin [myrom.nb0] [start address for myrom.nb0] [myrom.bin] [start address for myrom.bin]
For Samsung's B000FF ROMs the command will look like:
xipbin myrom.nb0 0 myrom.bin 0
myrom.bin is then recreated from scratch.
Also according to cmonex, you may do the following:
a) Get an original B000FF ROM
b) use cvrtbin.exe and obtain a nb0 ROM
c) use xipbin with this nb0 and re-create a runtime bin file.
d) apply again this cvrtbin utility to the re-created runtime bin file
e) compare the result with above b) step
f) If they match you may have a candidate procedure, if they don't do not attempt to flash the phone with the procedure above.
I will include the new viewbin and cvrtbin, which now work with start address 0 on this type of ROM.
Usage:
cvrtbin -r -a [start address] -l [length of ROM] -w [8, 16 or 32] [romfile.bin]
cvrtbin -r -a 0 -l [the length of your ROM] -W 32 [myrom.bin]
Good luck!
The format of MS BIN B000FF runtime image file
According to several sources I have consulted, including MS documentation and insights given by cmonex, plus heavy hex editing sessions, this is my impression of how the B000FF Runtime image format looks:
Byte------>--1--2--3--4--5--6--7--8--9--A--B--C--D--E--F
Record 0 -> 42-30-30-30-46-46-0A--<Strt add>--<ROM lgth> * * * * * * * * * * * (42-30-30-30-46-46 = B000FF in ASCII ; 0x0A = end of header B000FF)
Byte------>--1--2--3--4--5--6--7--8--9--A--B--C--<-----128KB of nb0 image------>
Record 1 ->--<Strt Add>--<Rec lgth>--<CHKSUM32>--<--Chunk Nbr 1 of nb0 image--->
Record 2 ->--<Strt Add>--<Rec lgth>--<CHKSUM32>--<--Chunk Nbr 2 of nb0 image--->
v - v
v - v
v - v
Record n-1>--<Strt Add>--<Rec lgth>--<CHKSUM32>--<---Last chunk of nb0 image--->
Last Rec-->-00-00-00-00-00-00-00-00-00-00-00-00 .* * * * * * * * * * * * * * * (The last record always ends with 12 bytes set to 0x0)
**************************************
Please note:
Record 0 and the last one are different
All data are encoded Little Endian!
**************************************
Using the command:
viewbin -r [myrom.bin]
will give you the record content of your runtime image file.
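As an added example (my own Python sketch, not a tool from this thread or from Platform Builder) of the record layout above, it also covers steps a) through e) of the manual rebuild and the "cut at the last B000FF occurrence" extraction from the upgrader exe: it builds a runtime image from a flat nb0, walks one back record by record verifying every Checksum 32, flattens it to nb0 again, and carves a complete image out of a larger file by walking to the terminating record instead of searching for the next payload by hand. It assumes Checksum 32 is the unsigned 32-bit byte sum of the record data (as in Platform Builder .bin records) and that the last record is the 12 zero bytes described above.

```python
import struct

MAGIC = b"B000FF\x0a"          # the signature: ASCII "B000FF" followed by 0x0A
HEADER_LEN = len(MAGIC) + 8    # signature + start address (u32 LE) + image length (u32 LE)
CHUNK = 0x20000                # 128 KB of nb0 image per record, as described for the i60x


def checksum32(data: bytes) -> int:
    # Assumption: "Checksum 32" is the plain byte sum truncated to 32 bits,
    # which is what Platform Builder's .bin records carry.
    return sum(data) & 0xFFFFFFFF


def build_b000ff(nb0: bytes, start_addr: int = 0, chunk: int = CHUNK) -> bytes:
    """Steps a) to e): split the flat nb0 into chunks, prefix every chunk with
    <start addr><record length><checksum32> (all little endian), then put the
    B000FF header in front and the 12 zero bytes of the last record at the end."""
    out = bytearray(MAGIC + struct.pack("<II", start_addr, len(nb0)))
    for off in range(0, len(nb0), chunk):
        piece = nb0[off:off + chunk]
        out += struct.pack("<III", start_addr + off, len(piece), checksum32(piece))
        out += piece
    out += b"\x00" * 12
    return bytes(out)


def parse_b000ff(img: bytes):
    """Walk the records of a runtime image that starts at img[0].
    Returns (start_addr, image_len, [(record addr, record data), ...], bytes consumed).
    Raises ValueError on a missing header, a truncated record or a checksum mismatch."""
    if not img.startswith(MAGIC):
        raise ValueError("no B000FF signature at offset 0")
    start_addr, image_len = struct.unpack_from("<II", img, len(MAGIC))
    pos, records = HEADER_LEN, []
    while True:
        if pos + 12 > len(img):
            raise ValueError("image ends before the terminating record")
        addr, rlen, chk = struct.unpack_from("<III", img, pos)
        pos += 12
        if addr == 0 and rlen == 0 and chk == 0:     # the all-zero last record
            return start_addr, image_len, records, pos
        data = img[pos:pos + rlen]
        if len(data) != rlen:
            raise ValueError(f"record at 0x{addr:08x} is truncated")
        if checksum32(data) != chk:
            raise ValueError(f"checksum mismatch in record at 0x{addr:08x}")
        records.append((addr, data))
        pos += rlen


def is_intact(img: bytes) -> bool:
    """True only if the header is present and every record's checksum matches:
    the check worth running on a rebuilt image before it goes anywhere near a flasher."""
    try:
        parse_b000ff(img)
        return True
    except ValueError:
        return False


def flatten_to_nb0(img: bytes) -> bytes:
    """What cvrtbin does: place each record at its address relative to the image start."""
    start_addr, image_len, records, _ = parse_b000ff(img)
    flat = bytearray(image_len)
    for addr, data in records:
        rel = addr - start_addr
        if rel < 0 or rel + len(data) > image_len:
            raise ValueError(f"record at 0x{addr:08x} lies outside the image")
        flat[rel:rel + len(data)] = data
    return bytes(flat)


def carve_last_image(container: bytes) -> bytes:
    """Take the last B000FF occurrence in an upgrader file and cut exactly one
    complete image, ending it at the terminating record rather than by eye."""
    idx = container.rfind(MAGIC)
    if idx < 0:
        raise ValueError("no B000FF signature in container")
    _, _, _, consumed = parse_b000ff(container[idx:])
    return container[idx:idx + consumed]


if __name__ == "__main__":
    # Constructed sample: a 300 KB flat image rebuilt and verified end to end.
    sample_nb0 = bytes(range(256)) * 1200
    image = build_b000ff(sample_nb0)
    print(len(parse_b000ff(image)[2]), "records, intact:", is_intact(image))
    print("round trip ok:", flatten_to_nb0(image) == sample_nb0)
```

A record length other than 128 KB (the 0x1FFE0 records mentioned for the original ROM, or xipbin's 0x40000) only changes the `chunk` argument; the parser does not assume any particular size.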
Trinca - just ran viewbin on a Samsung i750 image. Chunk sizes are not 128kb each. Looks like chunks are actually files from the ROM in XIP format (execute in place, i.e. usual PE files but missing the reloc table and something else). I bet we should use a file deleting/adding/injecting utility like the romtools one for ROM image manipulation, which keeps the B000FF header intact! I see no other way to recreate B000FF.
Well, I guess your runtime differs from that on the i60x. In any case I know of a tool made by bepe the name of xipport, you can look at this thread and download it here:
http://forum.xda-developers.com/showthread.php?t=315030
The best thing I can recommend you to do, is to try to get the appropriate format of your runtime image.
trinca
Unfortunately all versions of xipport just crash with errors on my ROM dump.
ROM Dump
JugglerLKR:
Let's get acquainted with your procedure, and do not pretend to modify something, just to find out if the tools work:
a) Have you dumped the ROM from the phone or you just extracted it from the updater executable?
b) If you have just cut the ROM out of the executable, use the new cvrtbin posted before (which runs fine at start address 0)
c) Run Mamaich's prepare_imgfs, there are 3 possible options:
prepare_imgfs [yourROM.bin] will produce imgfs_raw_data.bin and imgfs_removed_data.bin
prepare_imgfs [yourROM.bin] -nosplit will produce imgfs_raw_data.bin and an empty imgfs_removed_data.bin
prepare_imgfs [yourROM.bin] -acer will produce imgfs_raw_data.bin and an empty imgfs_removed_data.bin, but this one is the only which has worked for the i60x
d) Now if you use viewimgfs then the dump directory will be created and the files will be extracted. It is only after this confirmation you may be assured the ROM extracted has the correct structure for manipulation. I got so much trouble using the old version of cvrtbin, that I am telling you to run these extra steps.
Now try to run the xipport tool on the above *.nb0 file. and tell us if you were successful. At this point if you are not able to run the xipport tool, then you may not have something usable. RomMaster and dumprom/dumpromx are also alternatives for working with xip modules, please remember all these tools are highly experimental and not bug-free!
trinca

Samsung i718 (i710, i718+) ROM Kitchen

Hello!
Thanks to people from this forum I've managed to assemble, from various sources, the files required to dump, build and flash a WM6 English ROM back to the device. It is not a "plug & play" style kitchen yet, so I call it "ROM Kitchen essentials".
Most of the files are made by other people. My part was the converter and flasher hacking. As of now, you have to edit the dumped ROM absolutely manually. There is no support for initflashes.dat automation. You may want to use rgucomp to make changes to default.hv and user.hv.
Thanks goes to (not in any order )
trinca
mamaich
bepe
itsme
faria
double_ofour
yhauwang
and many others...
Actual version is 0.1 and RAR archive is about 50Mb.
All required files (including WM6 Eng ROM distribution and flasher) can be downloaded from:
h**p://www.r*pidshare.com/files/47189318/Juggler_Samsung_WM6_Eng_ROM_Kitchen_0.1.rar.html
You also may want to download original WM6 English ROM from here:
h**p://r*pidshare.com/files/45439904/Juggler_WM6_i718ZMGF4_PDA_Eng.rar.html
And radio firmware (required for some i71x to work with WM6):
h**p://r*pidshare.com/files/45950071/Juggler_WM6_i718ZMGF4_Phone_Eng.rar.html
In case somebody doesn't know how to flash Samsung i71x:
Make a backup!
Have your firmware at hand so in case of trouble you can flash your original firmware back!
Turn off device.
Disable all ActiveSync connectivity (usb, comm, etc).
Run flasher and click start.
Hold "down" button on device and turn it on while holding "down".
The flasher recognizes it and starts to flash.
After flashing make a hard reset.
If GPRS/EDGE do not work your radio firmware is not compatible with new WM6. You have to go back to your original firmware or flash new radio!
To flash new radio firmware you should have SPECIAL FLASHING CABLE for samsung phones! It is not the one that comes with device!
Now you have the options to buy such a cable, build one yourself, flash your original firmware back, or continue using WM6 without GPRS/EDGE - it is your choice.
So - to flash WM6 you need the usual USB cable. The new WM6 will probably work with your radio. If not - you should flash the radio!
Special flashing cable is the cable with USB-Serial adapter or plain serial cable:
h**p://www.fonefunshop.co.uk/datacables/samsung.htm
Search for UNLOCK / FLASH CABLES and you'll see
"Samsung D800 - T809 - E900 - D900 USB Cable
This cable is needed to unlock / flash the Samsung D800 - T809 - E900 - D900 etc."
Notice the difference with the usual USB cable supplied with device!
Have you read my thread on the Samsung i60x?
Hello, there,
Please refer to this thread:
http://forum.xda-developers.com/showthread.php?t=316647
It seems very familiar to the i600. I will download your image just for the sake of taking a look... The ROM with header B000FF is prepared with the Romimage tool from the MS WCE IDE and is named the Run-time image; the nb0 ROM (that works with the WM5 kitchen) is prepared by Romimage by splitting the nb0 ROM into 128 KB records, and a header is added containing start address, record length and Checksum 32. Then all these chunks are added together and compressed with another tool named compbin; the "encryption" you are seeing is no other than the aftermath of this compbin tool.
If you read my thread you will find I was able to extract the flat image using cvrtbin (also another MS tool that comes with Visual Studio); you may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) and so on.
Making the ROM back to the B000FF format is going to be the trouble. Again, read the thread.
There is also an excellent article on Mobilepro BIN ROMs made by cmonex; you can get a copy of that tutorial inside his Romtool package, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however it is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca
Thanks trinca, at least I have something to read to start with. But the first thing I can't figure out is how to correctly rip the ROM image from the EXE file and then, after modifying it, put it back into the flasher. There should be some proprietary tools for Samsung phones or PDAs.
Extracting the i718 ROM image: a suggestion
JugglerLKR said:
Thanks trinca, at least I have something to read ...
My friend, we are all navigating uncharted waters..., this requires some research, and the courage to flash the phone with the outcome of your research.
Please read my post:
http://forum.xda-developers.com/showthread.php?p=1371344#post1371344
It will give you a hint on how I found out how to extract the O/S payloads for the i60x; pretty sure it may work for your model as well. A quick look at your executable shows the arrangement may be similar. I would say for the i718 the O/S ROM is located last, as it is on the i60x, starting at address 0x01620000 now, just by looking for the end indicator (following the string B000FF, 0x0A, 0x00000000 which is the ROM start address, 0x00CA5F03 which should be the offset -little endian-, actually it would be 035FCA00). However be aware the runtime image is compressed using compbin during preparation, therefore I would guess it is a little further beyond. You may have to do some research here.
Start by cutting the area surrounding such an offset and use viewbin to determine the offset length and cvrtbin to find out if your cut was successful.
BTW it would be nice to find a tool to just decompress B000FF Runtime ROMs (unlike cvrtbin, which converts and decompresses Runtime images).
One other thing you may do is to use xdautils, you may find those here:
http://wiki.xda-developers.com/index.php?pagename=XdaUtils.
This collection of utilities has pdocread allowing you to extract the contents of raw partitions in the pda. Make sure to use the handle to extract each raw partition.
Regards,
Trinca
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
JugglerLKR said:
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
To decompress the image:
Get a tool named viewbin, also part of the MS PE; run it on your file and it will tell you the start address and the offset of the img files. Then use this information with cvrtbin. If viewbin reports the start address is 0, then use 1 in cvrtbin, otherwise the extraction will fail.
To use PDOCREAD, you run it from your computer; it will install itsutils.dll on your phone and you must accept this on the smartphone. Your phone must be unlocked to do that and the policies set to allow unsigned applications to be installed on your phone. To accomplish the above you need to modify the registry on the phone. See how it is done here:
http://www.modaco.com/index.php?showtopic=244205
To dump the ROM with PDOCREAD, see a detailed procedure here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom
Be informed some phones like the i607 require the disk kernel handle, reported with pdocread -l, if you follow the procedure in the above link with no results, then add the disk handle.
Wish you good luck....
Can anybody help please?
I have a i718 but was bought in China and the OS is in Chinese. The blur me can only read English. Is the ROM in English? If I were to download it (still struggling now with the russian words), how can I change it? All I need is the phone to be in English. I do not need to improve anything as WM5 is good enough. I know I am a newbie and I might not be in the right thread. Can anybody please help? Any links to show "how-to-change the ROM" would be most appreciated. Thank you in advance
Your phone is also known as i710
Your phone Samsung i718 is the chinese version of the Samsung i710, all you have to do is to install the phone serial/modem drivers from the companion CD and place the phone in bootloader mode. If you get the ROM package cited above in the first post of this thread by JugglerLKR you will find complete instructions on how to download the ROM into your phone.
Good Luck!
Thank you
Thank you very much for the quick response sir! Really appreciate it. I finally managed to download the ROM and will give it a go this weekend. Wish me luck. I will be reading more to make sure I am doing the right thing as I am definitely a nOObie. First time flashing a phone .
I looked at the CD that came with my phone and the only thing I see is ActiveSync 4.2. Worst of all, everything seems to be in Chinese. Guess I have to do more research to see where I can get the drivers you mentioned. There are also a lot of things I do not understand, like bootloader, how to do a hard reset, etc. I will continue searching and reading and will post the development of my virgin "flash" as I move along.
Thank you once again.
Trinca - so I dumped my ROM from device to .raw files. What can I do with them now? viewbin shows only zeros on b000f .bin image extracted using winhex from .exe
Use Mamaich's ROM Kitchen
You can find instructions to do some cooking and tools here:
http://forum.xda-developers.com/showthread.php?t=249836
This is self-explanatory, tell me if this is enough or you need some extra info. Once finished, the trouble would be to put that back in B000FF format for flashing, as there is no tool to do that yet, and you can't just download a raw image back into the phone. The Runtime image is formed as follows:
Byte     >  1  2  3  4   5  6  7  8   9 10 11 12   <-------- 128 KB -------->
Record 0 >  42 30 30 30 46 46 06  <start address>  <length of ROM>        (42 30 30 30 46 46 = "B000FF" in ASCII; 06 = end of the B000FF header)
Record 1 >  <address>   <length>   <CHKSUM32>   <---- chunk of raw image ---->
Record 2 >  <address>   <length>   <CHKSUM32>   <---- chunk of raw image ---->
   ...
Last rec >  00 00 00 00  00 00 00 00  00 00 00 00
I am doing some crazy splitting and Hex scripts to achieve that, but it is a pain in the neck. So I have decided to make a proggie to help me out with that. Please see the thread
http://forum.xda-developers.com/showthread.php?t=316647
on the 2nd post you will see what I am talking about.
Regards,
trinca
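The record layout sketched in the post above is simple enough to pack and unpack with a few lines of code. What follows is an added example, not code from this thread or from viewbin/cvrtbin/Mamaich's kitchen: it wraps a raw runtime image into B000FF records and parses such a file back, verifying every record's checksum the way a viewbin-style tool would, and refusing truncated input (the symptom reported earlier in this thread). Two assumptions are not confirmed by the thread and are labelled in the code: the seventh header byte is taken as 0x0A (as in the earlier post, where the sketch shows 06), and CHKSUM32 is taken as the 32-bit sum of the record's data bytes. The terminator is recognised by a zero address only, so a final record whose other fields are non-zero is still accepted. The sample image is constructed in memory; nothing is written to disk.

```python
"""B000FF record-format packer/parser (added example; assumptions noted inline)."""
import struct

# Assumed: header is "B000FF" followed by 0x0A (the sketch above shows 0x06).
MAGIC = b"B000FF\x0A"
CHUNK = 128 * 1024  # 128 KB payload per record, as drawn in the layout above


def chksum32(data: bytes) -> int:
    """Assumed CHKSUM32: sum of the record's data bytes, truncated to 32 bits."""
    return sum(data) & 0xFFFFFFFF


def pack_b000ff(raw: bytes, start_addr: int, chunk: int = CHUNK) -> bytes:
    """Wrap a raw runtime image into B000FF records starting at start_addr."""
    out = bytearray(MAGIC)
    out += struct.pack("<II", start_addr, len(raw))          # record 0: image start, image length
    for off in range(0, len(raw), chunk):
        block = raw[off:off + chunk]
        out += struct.pack("<III", start_addr + off, len(block), chksum32(block))
        out += block
    out += struct.pack("<III", 0, 0, 0)                      # terminator record, all zeros as sketched
    return bytes(out)


def parse_b000ff(buf: bytes):
    """Return (image_start, image_len, [(address, data), ...]).

    Raises ValueError on a missing signature, a bad checksum, or a file that
    ends before the terminator record (i.e. a truncated dump).
    """
    if not buf.startswith(MAGIC):
        raise ValueError("missing B000FF signature")
    pos = len(MAGIC)
    image_start, image_len = struct.unpack_from("<II", buf, pos)
    pos += 8
    records = []
    while True:
        if pos + 12 > len(buf):
            raise ValueError("truncated: no terminator record found")
        addr, length, chk = struct.unpack_from("<III", buf, pos)
        pos += 12
        if addr == 0:                                        # terminator (address field zero)
            break
        data = buf[pos:pos + length]
        if len(data) != length:
            raise ValueError(f"truncated record at 0x{addr:08x}")
        if chksum32(data) != chk:
            raise ValueError(f"checksum mismatch in record at 0x{addr:08x}")
        records.append((addr, data))
        pos += length
    return image_start, image_len, records


def rebuild_raw(buf: bytes) -> bytes:
    """Reassemble the raw image from a B000FF file using each record's address."""
    start, length, records = parse_b000ff(buf)
    raw = bytearray(length)
    for addr, data in records:
        raw[addr - start:addr - start + len(data)] = data
    return bytes(raw)


if __name__ == "__main__":
    # Constructed sample: a 384000-byte pattern placed at the address quoted above.
    sample_raw = bytes(range(256)) * 1500
    image = pack_b000ff(sample_raw, 0x01620000)
    start, length, records = parse_b000ff(image)
    print(f"Image Start = 0x{start:08X}, length = 0x{length:08X}, records = {len(records)}")
    print("round trip ok:", rebuild_raw(image) == sample_raw)
```

Run it as-is and it reports the image start and length in the same form viewbin prints them. The `addr == 0` check is also why a dump whose first record really does live at address 0 would be mistaken for an empty image by a parser like this; that is consistent with the advice above to feed cvrtbin a non-zero start when viewbin reports 0.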
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. cvrtbin is not working either, as it cannot accept 0x00000 as start address.
JugglerLKR said:
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000 ...
Start address = 0001ffe0
So, How to convert dumped LZX packed rom to B000F format for flashing to device?
How to convert dumped LZX packed rom to B000F format
Please refer to my thread:
http://forum.xda-developers.com/showthread.php?p=1392761#post1392761
I am unable to download your file (can you post it on rapidshare or megaupload?). I am in the same situation as well, but I applied the English patch from asukal and Buzzlightyear and it worked. I now have a device in English. I am waiting for the firmware in English. I have WM6 ROMs in Chinese that I have not tested.
I also have a i710 rom but it's also a .bin file dumped from a i710 device ...
Hope this helps,
-Hau
I have uploaded several files... Can you tell me which one you have trouble with?
trinca
Oops ... My message was intended for Juggler uploading his ROM ...
Thanks,
-Hau
Thanks to trinca and bepe, Mamaich and many others, I've managed the ROM kitchen essentials - look at the first page.
I downloaded your flasher, but why, when I run i718ZMGF4_PDA_Eng and click detect, is nothing detected?
The phone is on and connected via ActiveSync.

HTC Extended ROM image editor

TFAT Image Editor 1.2.0.14
==================================================
A utility for editing Extended_ROM.NB files.
May be especially useful for use with (T)FAT filesystem image files.
==================================================
Operating systems supported:
- Windows 2000/XP/Vista
Features:
- Create an Extended_ROM image file. Support: Artemis, Athena, Elf, Gene, Herald, Hermes, Titan, Trinity.
- Extract file(s) from the image.
- Write file(s) into an existing image file.
- AutoConfig function.
- Support TFAT 12, TFAT 16 filesystems. 512 - 4096 sector size.
Fantastic tool. The first which combines opening, modifying and saving the ExtRom.nb files,
and the only one which is an auto-config maker.
Many, many congratulations and applause!
Wow! Thank you for making this, I was about to give up on hoping for extrom tools now that new devices aren't using it at all. This did open up the extrom for my Titan though, so good work!
I may be missing something simple: How do you get it to open the ext rom on/for your Titan?
AnDim said:
TFAT Image Editor 1.2.0.14
(c) 2007-2008 AnDim
...
Is the ElfIN also supported?
AnDim said:
TFAT Image Editor 1.2.0.14 ...
Great proggy!! I truly appreciate it.
And if I have a ROM with 2 files, how can I use this tool to add some cabs? The files are: RUU_signed.nbh and RUUWrapper.exe
ady_uaic said:
And if I have a ROM with 2 files ...
Right, me too.
One of a few tools out there to extract the extended rom .nb file from .nbh
http://forum.xda-developers.com/showthread.php?t=289830
There's a gui one around too, just search.
OK, I saw that tool, but I was wondering, with this one, what can we do exactly?
I've been looking for this for a very long time. Now I found it. Thank you.
You're so handsome!
How about having the ability to create the image in the size that you want while keeping to its TFAT16 format? I tried using Winimage to do that, but while resizing, it changes the format.
ivanmmj said:
...keeping to its TFAT16 format?
For what?
AnDim
AnDim said:
For what?
AnDim
The Herald requires a TFAT16. The only software that I have that can change the size of the ExtROM is Winimage and that reformats the image to TFAT12 or FAT16 (not TFAT16) if I change the image size. I'm trying to do something that Artemis users can already do, gained unused space from the extrom and putting it into the main storage. I don't know if it's possible, but I'd love to try.
ivanmmj said:
The Herald requires a TFAT16.
Is that exact?
My Trinity reads any format (TFAT16, TFAT12).
Theoretically, the minimal size of the TFAT16 for Herald is 2 MB.
If it needs to be smaller, only TFAT12.
Well, I've tried with TFAT12 but it always fails with a corrupt image error. I figured that it's probably an issue with it reading TFAT12. Could be that the device maybe requires TFAT16, or maybe it just requires a 10 MB file...
So how could I build a 2 MB TFAT16 extROM?
Great tool! AnDim, can you update it to recognize the TFAT32 format? Thank you. The ext ROM of the Samsung Omnia 2, I8000, is TFAT32, so I'll need it.