Related
I am trying to understand how the ROM is layed out in PPC2003 verses PPC2002. I am finally starting to understand XIP Chains so I am trying to figure out how it ties in to the directory structure of the finished rom.
For example, if there is a service pack that updates a single XIP Chain, how will that impact the SER or my own version for that matter? Is each XIP Chain layed out differently for every version of the ROM????
In some cases, I know you are "replacing" files in the original ROM like welcome.exe for example. Are you actually "replacing" the file or does yours take priority?
You are also removing the "Action Engine" Framework as well? Or are you simply removing the link from the Startup?
Too many questions!!! :?
Wade
in ppc2002 the files in higher numbered xip sections take priority over lower numbered.
in ppc2003 this does not seem to work anymore, so I had to redirect the actual filedata pointer in the first fileentry records in order to be able to substitute another file.
yes, roms of different languages tend to have different xip sizes.
wit the chinese version being even more different, in that the bootsplash is in a different location.
if you run an xip update, for something other than the last 2 xip regions, you will most likely be ok. the last two regions you may run into trouble due to the xdadev sections overlapping with the updated xip's.
we removed the action engine because of the scary promises it makes, such as 'over the air updates without the user noticing this'
see this document
I'd like to toss this out for discussion. This might already exist, it might not.
Microsoft had system builders use a Disk Differencing technique to extract what exactly had changed after installing applications and customizations.
First, we'd install the OS and create a base image.
Second, we'd install the apps & customizations we wanted for our customers.
Third, we'd create another image. An app would then compare these two images and determine what files were added/changed and what registry additions, deletions, alterations were performed.
I'm hoping we can do the same for ROM upgrades.
1. OLD ROM - Base image.
2. Install apps and customizations - Image "Apps". This will give us our customizations.
3. Install new ROM - NEW base image created. Compare to OLD ROM base image to see what has changed (that we need to look out for that our APPs image might adversly change).
4. Apply Apps image to restore all customizations & applications.
Ideas anyone?
The theory sounds good.
Maybe buzz can comment?
The theory is very feasable, ive used similar building Win PE rescue disks, you have a app that gives you the base bootable image made from a Win XP install CD. then you add home made "modules" ie, your installed apps or networking capabilities etc. then it makes an image for you to use,
that cant really be that difficult to do the same for Win CE,
Ive also seen a M$ webcast thing where the guy took 45 mins to build an entire image for a win ce device,
so yer, it is very feasible that such dev apps exist, after all, they were made and then sold to the hardware vendors before ever being a rom image.
check in msdn for win ce 5 stuff, its a very intresting read, :shock:
it is a good idea, but only for linear ROMs, where each file has always it's own and same place in the rom and such rom is not compressed.
hmm...
but you can do partial rom upgrades with wm5 roms...
...and it would be possible to make registry diff + DOC Storage partition backup, where you actually install programs (so called \Device) and userdata.
buzz
buzz_lightyear said:
it is a good idea, but only for linear ROMs, where each file has always it's own and same place in the rom and such rom is not compressed.
hmm...
but you can do partial rom upgrades with wm5 roms...
...and it would be possible to make registry diff + DOC Storage partition backup, where you actually install programs (so called \Device) and userdata.
buzz
Click to expand...
Click to collapse
Ok...Since I'm not a programmer and somewhat of a noob with respect to WinCE, I am NOT constrained by what might be a logical limitation to a programmer or someone in the "know". So, below is my thinking ... outside of the box (er, PDA) style.
But first, I need to grasp further Buzz's post above about the locations of things in ROM. Does this mean that there isn't, for lack of a better example, a FAT for the ROM? That every individual thing is expected to be at some specific, static location that can't change? If so, I see your point. But that tells the system that this location is static? Also, doesn't that make bug fixes difficult as the fix might exceed the designated space in ROM? Or do bug fixes always get re-applied after each reset? Patching in memory is how I'm looking at this. (Remember, I'm a non-programmer...deal with me, please.) LOL
Ok..out of the box time.
1. Can a shim be used to capture calls to a certain location in the ROM and redirect to another location (within the ROM or even the storage card. Linux builds anyone?). Like what HD disk managers did to get around LBA limitations or even boot sector viruses did.
2. Can an emulator be used to simulate/backup/build/test the ROMs on a PC before wiping the PDA? Don't laugh, but if not, could something be done with Virtual PC? Oh..Ok, laugh.
(Should I go hide somewhere?)
Hi Universal cracks,
i got a Qtek device which seems totally bricked.
The history of the device is unknown, so my investigation is getting deeper and deeper.
On gathering all information together it seems that the IPL and maybe also the SPL is damaged and cannot be easily revovered, because the bootmenu is not reachable in any way (believe me, i read everything about recovering intensely ).
That's why i'm looking for a general way to recover bricked devices using JTAG.
The idea is the following:
1. Access the device via jtag
2. Setup ram according to the setting used in wince or linux kernel
3. Rewrite IPL (it is yet unknown how to do it!)
4. Load SPL as executable binary into RAM using JTAG
5. Start the SPL from RAM
6. With SPL running from RAM Re-format the DOC reinstall SPL into DOC
Restart
That's it!
To resume my efforts so far i may report:
1. JTAG connection established (using OpenOCD or OCD Commander)
2. Init SDRAM (using intel PXA270 development kit setup)
3. Write a file to SDRAM and start it
4. Made a dump of IPL and SPL (using haret)
What did not work???
1. Access mDOC G3 in normal mode via JTAG (seems to stick in reset mode)...
2. Rewrite IPL using JTAG...
3. Start the SPL successful from SDRAM base address....
What do you think specialists!
Anyone willing to help?
Cheers,
scholbert
Hello Scholbert,
Sorry I couldn't help you out on this matter. But When I read your post I thought that you gone deeper than me in this technically.
So can Please go though my problem http://forum.xda-developers.com/showthread.php?t=353063 & help me out to solve WHITE SCREEN Problem?
Thanks in Advance.
bootloader
Hi scholbert, it couldn't be enough to simply rewrite the bootloader?
Please could you post the patched version of openwince jtag?
Hi roglio,
roglio said:
Hi scholbert, it couldn't be enough to simply rewrite the bootloader?
Click to expand...
Click to collapse
Maybe you're right , restoring the uni via JTAG could be mission impossible (at least the way described in my starting post).
As far as i got to know from various postings, the bootloader itself does some security checks during runtime (password checking, CRC checking ...).
It could require some real awful hacks, to start the SPL from RAM with an external debugger.
Please could you post the patched version of openwince jtag?
Click to expand...
Click to collapse
I made a lot experiments on other platforms using the openwince jtag.
In this case i used the famous OpenOCD:
http://openfacts.berlios.de/index-en.phtml?title=Building_OpenOCD
There's PXA270 support out of the box!
You have to download the sources from their SVN-repository .
Anyway i'll have a look on my workstation in a few days, what could be of interest for the geeks out there.
Regards,
scholbert
Geek inside
Hi scholbert, all bricked universal are broken because the bootloader was wrongly updated or overwritten with a bad update. If we look for a fresh bootloader, the right starting address and wrote it back we've fixed the major problem. Recover a universal starting from this point is already well documented...
Tomorrow I'll download OpenOCD and try to compile it on cygwin to start doing some experiments.
I lack of some informations anyway: the most important is the address where to put the correct bootloader...
I'll post any further step ahead.
Thanks.
roglio
Hi again,
roglio said:
Hi scholbert, all bricked universal are broken because the bootloader was wrongly updated or overwritten with a bad update.
Click to expand...
Click to collapse
this seemed to be happened to my device too. With single stepping starting at address 0x0 there's an error after some instructions. So it seems there's wrong assembler code in the IPL section already.
If we look for a fresh bootloader, the right starting address and wrote it back we've fixed the major problem. Recover a universal starting from this point is already well documented...
Click to expand...
Click to collapse
That's the theory .
Tomorrow I'll download OpenOCD and try to compile it on cygwin to start doing some experiments.
Click to expand...
Click to collapse
Good luck for this action! I did compile it on a debian linux system.
I lack of some informations anyway: the most important is the address where to put the correct bootloader...
Click to expand...
Click to collapse
Let's assume we got a working device .
As far as i know, this is what happens after coldboot (comments welcome):
1. DOC is in reset mode, processor jumps to address 0x0 and excutes IPL
2. IPL initializes RAM, switches DOC to normal mode and copies SPL to RAM
3. further details of IPL functions unknown
4. leaving IPL, jump to physical address 0xa0000000
5. execute SPL ....
The problem is, that at this point various system checks are following.
If something goes wrong before we good USB serial connection or bootloader screen. The processor simply could stop at any instruction and we won't know why .
I'll post any further step ahead.
Thanks.
roglio
Click to expand...
Click to collapse
Good luck for your next steps!!!
Maybe, we may draw some attention with this little discussion. It would be nice to get things rollin' and someday there'll be hope for all those bricked devices around .
P.S.:
I already made bootloader dumps. See attachments!
IPL and IPL2 got the same content but they were dumped on different physical addresses. SPL was dumped from RAM. Of course these files were taken from a working device.
scholbert
Hi, after your description of the boot process I'm not so optimist anymore...
Anyway, I've just finished to compile OpenOCD under cygwin, without any major problem.
Just a doubt: which configuration file are you using?
Does you have already configured also the flash banks?
I share your doubts about what's happen after SPL execution... IMHO anyway we should give a chance to a complete reflash: fully dump a working device and after wrote it back to a bricked uni just to see what happen.
Some time ago, I've accidentally overwritten the bootloader of a Toshiba e740 PDA (very nice device indeed). After using a proprietary jtag sw/hw I've resurrected it simply writing the bootloader back in place.
This give me at least a hope...
Hi roglio,
Anyway, I've just finished to compile OpenOCD under cygwin, without any major problem.
Click to expand...
Click to collapse
Great!!!
Just a doubt: which configuration file are you using?
Click to expand...
Click to collapse
I will post the configuration file as soon as possible (it's on my linux machine at work ).
Does you have already configured also the flash banks?
Click to expand...
Click to collapse
No, only the PXA270 chip select for the DOC device was set up. These NAND flashes need special initialisation to switch form reset mode to normal mode to be programmed or to read the filesystem.
This process was not yet successful using JTAG .
I share your doubts about what's happen after SPL execution... IMHO anyway we should give a chance to a complete reflash: fully dump a working device and after wrote it back to a bricked uni just to see what happen.
Click to expand...
Click to collapse
If we are able to access the DOC device in a proper way, this may work.
At least there are professionel programmers on the market, that are able to reprogram these devices using the JTAG interface. But these are very, very expensive .
Some time ago, I've accidentally overwritten the bootloader of a Toshiba e740 PDA (very nice device indeed). After using a proprietary jtag sw/hw I've resurrected it simply writing the bootloader back in place.
Click to expand...
Click to collapse
Yes basically this also possible for the uni, but this damn#?=% DOC device is very hard to handle. There's also no linux device driver for these devices yet.
Great work anyway!!!
This give me at least a hope...
Click to expand...
Click to collapse
Our hope should never die .
Best regards,
scholbert
Googling
Hi, scholbert! Today I was googling around and I've found some interesting informations about mDOCs... These special flashrom are internally handled as NAND flash but with the cpu (when used to eXecute In Place XIP) are handled as NOR flash chips. I haven't still found useful information to understand how this could be useful for our goal.
Another interesting information about mDOCs is that exists some pc software that permit to flash them via jtag but are part of very expensive development packages!
Anyway mDOCs are handled by linux! Basically it is possible to patch the linux kernel to handle them via trueffs. I'll be more detailed tomorrow, but my first impression is that these information about linux drivers for mDOC family aren't useful for our project...
Does you have retrieved the conf file for openocd?
Hi roglio,
that's nice information. I also gathered together anything about the mDOC series i could find, all over the planet. If you need more details
Unfortunately, there's no source code of the low level routines to access this device. If someone would share m-systems BDK for the G3, you're welcome!
Does you have retrieved the conf file for openocd?
Click to expand...
Click to collapse
Yes, but i realized that i used a slightly modified one of the standard package (no SDRAM init, nothing but access PXA270).
You will find it attached!
My efforts with the uni using OpenOCD get stuck at a point, because i only got a very simple JTAG hardware. To use it as a debugger you also need to have influence on the systems reset.
That's why i decided to used some Macraigor stuff to get nice hardware debugger for accessing the universal hardware with OCD Commander.
Obviously both systems are very similar.
OpenOCD is completely GPL, so this should be first choice in the end!!!
You will also find the OCD Commander config file (htc-uni.zip) attached.
This could be the base for an OpenOCD script (very similar stuff).
Just an additional information:
I successfully disassembled the IPL . At the moment i'm in the process of clearing up, how the basic init process is working!
I nearly forgot to mention, that you'll need to update the description for the stepping of PXA270 in the OpenOCD source code. If i remember correctly, the C5 is missing. Without it the PXA is not recognized correctly. I will post the updated file tomorrow.
Stay tuned!!!
scholbert
scholbert said:
I also gathered together anything about the mDOC series i could find, all over the planet. If you need more details
Click to expand...
Click to collapse
Yes! Post it! Thank you! (or send them to rapidshare or similar).
scholbert said:
Just an additional information:
I successfully disassembled the IPL . At the moment i'm in the process of clearing up, how the basic init process is working!
Click to expand...
Click to collapse
A weird idea... What do you think about relocate and then recompile IPL and run it from SDRAM?
You should remove and/or modify IPL routines related to SDRAM init anyway!
Which tools are you using to decompile IPL?
Hi,
Yes! Post it! Thank you! (or send them to rapidshare or similar).
Click to expand...
Click to collapse
I will somehow. Maybe i'll put on my website or post it here!
Very busy at the moment .
A weird idea... What do you think about relocate and then recompile IPL and run it from SDRAM?
You should remove and/or modify IPL routines related to SDRAM init anyway!
Click to expand...
Click to collapse
The first attempt will be to enhance the JTAG config file with all that stuff i already found out, e.g. setup all GPIO, alternate functions .....
Relocate and compile would be nice too, but more work .
Which tools are you using to decompile IPL?
Click to expand...
Click to collapse
Someone in the forum pointed out to use radare. This was the starting point for further investigation.
At least radare uses objdump for disassembly.
So i decided to use the tools itself.
Here's a short howto:
How to convert raw arm binaries to elf and disassemble the code:
Although not every ARM code is compiled with the famous GCC (e.g. wince binaries) you may use some tools
of the GCC to convert raw binary code that is executable on ARM platforms.
Make sure that you made a real memdump or read out pure flash files from a known offset (reset entry points, direct jumps into code, etc).
In other words use pure binaries!!!
Otherwise this method won't work. It is nice to disassemble bootloader code for example.
Image files with filesystem information won't work, either!!
You'll need a working ARM cross compiler in this example the arm-none-eabi gcc version 4.2 from codesourcery was used.
1. first you have to build an elf-binary for ARM without offset (assumed 0x0) from the raw binary.
arm-none-eabi-objcopy -I binary -B arm -O elf32-littlearm ipl_0x0-0x800.bin ipl_0x0-0x800.elf
2. second simply disassemble the elf-binary!
arm-none-eabi-objdump -D ipl_0x0-0x800.elf > ipl_0x0-0x800.asm
That's it!
scholbert
Click to expand...
Click to collapse
Of course you need some skills to point out how assembler code is organized and you'll have to find out where ASCII strings are stored. If you don't check this everything looks like instruction code!
Regards,
scholbert
scholbert said:
Hi,
I will somehow. Maybe i'll put on my website or post it here!
Very busy at the moment .
Click to expand...
Click to collapse
Ok... I'll look forward for these documents! Thanks!
scholbert said:
The first attempt will be to enhance the JTAG config file with all that stuff i already found out, e.g. setup all GPIO, alternate functions .....
Click to expand...
Click to collapse
Great!
After my jtag will be fully functional, I'll try to do some experiments running IPL from memory...
scholbert said:
Of course you need some skills to point out how assembler code is organized and you'll have to find out where ASCII strings are stored. If you don't check this everything looks like instruction code!
Click to expand...
Click to collapse
I'm a little rusty... but I'll try!
Anyway I found a very great tool for disassembling arm code: IDA Pro v5.2
It is awesome.
Cheers,
roglio
Anyway I found a very great tool for disassembling arm code: IDA Pro v5.2
It is awesome.
Click to expand...
Click to collapse
Yeah i know. I once worked with the eval version.
Very nice piece of software, but no freeware.
Good luck for your experiments!!!
scholbert
IPL disassembled
Hi scholbert!
Attached you will find the IPL asm I've disassembled with IDA.
I hope it could be of some usefulness!
Cheers,
roglio
Hi,
roglio said:
Hi scholbert!
Attached you will find the IPL asm I've disassembled with IDA.
I hope it could be of some usefulness!
Cheers,
roglio
Click to expand...
Click to collapse
Great work!
Here's mine. As you will see it's very equal (at least it should be ).
I made some comments already, but it's not finished yet.
The structure can be seen already. It is soon possible to reconstruct the whole asm code and compile it .
scholbert
is it all necessary ?? more easy way in desoldering flash ... and program it or change to flash from dead device
@scholbert: wow you're always at least a step ahead!!!
Great!
@mo3ulla: hi! yes it is worth the effort because the chance to have skills to build a jtag connector is greater than have skills (and tools) to reball a bga chip (and program it!).
With jtag interface and a relocated IPL we can resurrect bricked uni simply loading it in ram and running. Then reflash the pda with a simple usb cable
Hi,
roglio thanks for the credits .
But at least this no competition, it's really great that someone took a look at this posting and started to discuss.
This goes out to you roglio .
mo3ulla said:
is it all necessary ?? more easy way in desoldering flash ... and program it or change to flash from dead device
Click to expand...
Click to collapse
When i started this topic, i thought about a way to de-brick some uni's without touching the hardware. So roglio is absolutely right!
Once tried reballing at home???
At least the major point is:
Why touch the hardware, when it's a software problem?
Obviously no one got a programmer for mDOC devices!
If the universal would have NOR flash all things would be less complicated.
So what we are doing here, is to replace a 10.000$ programmer.
These professional devices do the same in the end, they use software algorithm to programm these NAND flashes.
The SPL uses the same software parts to reprogram G3 NAND flashes, but to start SPL (get into bootloader menu), IPL is needed. On a heavily bricked device these parts are damaged.
If we setup the device like IPL does or recompile IPL to run from RAM using JTAG, it could be possible to start SPL and get into bootloader menu.
The rest is already described here ....
Regards,
scholbert
O.K., here's dump from the bricked uni.
The screenshot shows the IPL section. It seems to be IPL version 2.36 which is for devices with a G4 NAND.
Mine is a G3, so this is the reason why it got bricked.
Someone updated the bootloader with a wrong version .
I enhanced the config file for the JTAG debugger with the settings i found out by disassembling IPL version 0.36 (G3 devices).
But unfortunately no success. The SDRAM is not accessible .
Without SDRAM initialised, i am not able do download SPL to the platform.
grumbl....
I'll have to check all settings again.
Especially the SDRAM setup...........
No time for that at the moment.
Anyone who'd like to join our experiments????
Cheers,
scholbert
Hi!
So what it's all about?
There are so many projects dedicated to porting linux to WM devices.
Mostly the only way to boot into linux and kick windows mobile out of RAM is the haret tool.
For thoose who never heard of it is a linux bootloader (it is even more), that is started from within windows mobile.
This is the result of the fact that the native bootcode of the device could not easily be replaced.
Apart from that, there are to many things to consider to rewrite own bootcode for a closed device.
So what if the native bootcode "thinks" it boots in windows mobile again, but it in fact jumps into linux kernel code?
Whaaat, you might think and i thought a lot of it in the last few weeks:
The idea is, to embed a linux kernel in a XIP container and boot it with the native bootloader
So that's crazy stuff and it's even more crazy, that some insane hackers already did some successful attempts.
The project aims to port Android to a device called Meizu M8.
Step into this thread and start reading:
http://www.meizume.com/modding-development/9014-project-port-android-meizu-m8-18.html
One of the developers already has started to push some GIT-repos of the toolset here:
http://gitorious.com/~banxian
Of course there's a lot to investigate and other things to consider:
1. The injected code must be in good shape (kernel needs excellent hardware support)
2. The device will need to be hard-SPLed (no security check)
3. The files must match the Flash layout of the bootcode
4. JTAG support for the device would be mandatory for testing
5. Lots of information about internal Flash structure is required
....
Please tell me what you think about it!
Cheers,
scholbert
That's an excellent idea!
Multiboot would seem to be a better (albeit more complicated) alternative to me though... In their current stage, Linux ports to WM devices tend to be unstable and rather limited in functionality. Replacing a fully functional WM with a semi-functional Android on one's primary device is not as tempting as having both at the same time.
I'd say the first step in this direction is bootstrapping custom XIP from RAM with a patched SPL. Flashing XIP nbX every time custom XIP is patched is slow and tedious. Once a working XIP with booting Linux kernel is available, it should be relatively easy to switch SPL back to normal booting from NAND. Also ULDR XIP can be used as a container for the custom XIP rather than the WM kernel XIP. This way one can boot WM by default and then reboot to ULDR/Linux if required (not quite multiboot, but something close).
The caveat here is that when HaRet is used to boot Linux kernel from under WM, some hardware init could have been carried out by WM kernel at boot time. When WM kernel/XIP was never ran, there's a good chance some of the hardware that works when booting Linux via HaRet won't work anymore Completely bypassing WM kernel initialization means more initialization may have to be done in Linux kernel/custom XIP.
The progress that Meizu people made is certainly impressive, but there's a long way from a 100-byte piece of code that fills the framebuffer to a fully working Linux kernel. I'm not being sceptical here, on contrary I'm pretty sure this is possible, but it will take a lot of time and dedication to make this happen. At any rate, good luck and I'm sure you'll find plenty of support here.
This project, is cool, i am waiting any progress, i want put the android in the MS20(Brazillian KS20 without wifi and 3G)
Hi again,
thanks for the feedback so far
@ stepw:
I really share your thoughts concerning long and dusty road of development.
So perhaps i was in kind of euphoria when i decided to post it yesterday.
Anyway, let's see what the future will bring us
Maybe we should start with some kind of ramloader and place it in XIP area.
BTW, could you be more specific about this ULDR XIP thing?
Sounds interesting and to be honest, never heard of it...
Please consider the thread as a starting point for an open discussion.
Anyway, i will need help, because i'm a horrible hacker.
So maybe i should have written IDEA not PRJ
Have a nice day!
scholbert
As per http://channel9.msdn.com/wiki/CEDeveloper/BSP/
ULDR and IPL
For BSPs that are for Windows Mobile products, the ULDR and IPL are required parts of the BSP.
“ULDR” stands for “Update Loader”, and is part of the Image Update system. This system allows deployed devices to be updated with new software after they ship. The Update Loader reads a configuration stored in persistent memory and downloads and installs new versions of operating system or OEM files.
“IPL” stands for “Initial Program Loader”. This piece of code is launched by the bootloader or executed directly at startup if a bootloader has been removed from a board. The sole job of this program is to choose whether to execute the ULDR software, or load and execute the operating system that is currently on the device. If a user has downloaded new versions of operating system or OEM files, the IPL will be configured to launch the ULDR. Otherwise, it will load and launch the OS.
===
Da_G's thread http://forum.xda-developers.com/showthread.php?t=520009 has plenty of information about ULDR, although it's more about keeping it rather than about using it for something else.
Replacing ULDR is a valid way to inject another item into NAND partition table. Unfortunately with WM all 4 primary partitions are used in the MBR by default, so taking ULDR out allows for reuse of one of the parition slots for other purposes. IPL already has a way to bootstrap either ULDR or OEM XIP (WM kernel), it should be possible to control boot partition selection from each of the OSes. Manipulating partition type and flags should make it possible to choose the default OS too.
ULDR partition is typically fairly small, but it can be expanded to store Linux ramfs image or even the filesystem. Alternatively, FATFS partition in NAND could be mounted at boot and filesystem image could be located there. Yet another location for it is IMGFS partition, but that calls for a file system driver (read-only at least) that I don't think exists for Linux. Anyway, if at least FATFS can be mounted, access to all user files accessible from WM should also be possible from Linux/Android once it's booted.
Sorry for deviating from the original topic
Hey stepw!
Sorry for deviating from the original topic
Click to expand...
Click to collapse
Hey we got an open discussion here...
Thanks for all this useful information so far!!
I knew about starting up WM platform and i also looked deeper into IPL and stuff. What i am missing a little is just these information about XIP and WM image in general.
So i think i'll first step through Da_G'S thread, it looks very promising. Great stuff!
Again leave your technical comments here, because i think it's the only way to get best solution
Best regards,
scholbert
Hi,
I've been working on this for a few days now and have a simple bootloader that loads and runs a kernel on my vogue. Unfortunately the kernel doesn't boot properly because it can't initialise all the hardware correctly but it definitely runs. Attached is my code and a script to insert it into an xip payload with a kernel.
Woooow.....
Hey dzo,
this is a real breakthrough or whatever you may call it.
Really great stuff!
Maybe this won't reach peoples interest right now,
but let me forecast, that someday this will give us the opportunity
to wipe out windows mobile completely if we like to
Anyway i think it would be nice to get some stuff pointed out more clearly.
So let me sum up:
1. Let's assume we got excellent kernel zImage to support the hardware of our device.
We will need to initialize even parts of hardware in this kernel,
that we did not even know about, while testing with haret.
2. We need some hard-SPL bootcode on our device, because we need to avoid security check of the image.
3. We got WM ROM for our device and we got some kitchen to extract it and work with it.
The starting point will be the file OS.nb.payload, because this is pure binary.
(the image like it is stored in NAND flash memory).
The image (OS.nb.payload) itself is organized in different parts and partitions.
At the moment we don't care much about it, because we leave it mainly untouched.
We need to find the entry point from the WM kernel, which is pure XIP code (XIP.bin).
4. We inject a tiny loader for elf binaries at this point, which is also compiled as XIP code (tinboot).
5. We step a bit further and place the kernel zImage (which is an elf file) at a certain offset.
At least this should be the address the tiny loader points at (e.g. offset + 0x8000).
6. We use some kitchen tools to reconstruct a flashable image.
7. We flash this image to our platform, using the same tools we use to flash a cooked ROM.
8. We boot into linux!
Please correct me if i forgot something or made a wrong assumption here.
Would be really nice to get some more hackers and ROM cookers over here to benefit the discussion.
Thanks again dzo!
Best regards,
scholbert
Hi again!
A little research at the forum gives some more details about OS.nb.payload:
http://forum.xda-developers.com/showthread.php?t=446506
This maybe all well known, but should help to point at it again for a better understanding.
So if we use mtty and type the info 8 command on HTC loaders this prints out these partitions (should be all the same on HTC devices):
Partition[0], type=0x20, start=..., total=... BOOT (ULDR)
Partition[1], type=0x23, start=..., total=... RAWFS (XIP)
Partition[2], type=0x25, start=..., total=... IMGFS (SYSTEM)
Partition[2], type=0x04, start=..., total=... FATFS
TBC
scholbert
dzo said:
Hi,
I've been working on this for a few days now and have a simple bootloader that loads and runs a kernel on my vogue. Unfortunately the kernel doesn't boot properly because it can't initialise all the hardware correctly but it definitely runs. Attached is my code and a script to insert it into an xip payload with a kernel.
Click to expand...
Click to collapse
That's some excellent progress! Did you build your kernel yourself too? Is it mission critical hardware that fails initalization or some minor stuff?
SuperJustKitchen v0.9 Released.
Go to my site: http://justkitchen.info to get the updates and the info. It takes to long to update every device's forum that is supported, and I plan to support all devices, eventually.
Word of warning:
Not all EXT's have been tested or modified for the every device. Please test test and test and then let me know which packages don't work and what YOU've done to fix them. (I don't have time to fix ALL of them by myself.) Some packages will only be compatible with some devices.
(I'm no longer updating each thread separately for each device but just updating my site and posting the release info here. I will only update each thread to say that a new version is out.)
**Warning**
Before using this kitchen, you MUST read the whole thread. Any questions that have been answered will be ignored. This is your only warning.
**Disclaimer**
I am not responsible for any damage that may be done to your phone with a ROM created in this kitchen.
I am not responsible for any damage done to your computer.
I am not responsible for anything... at all.
Introducing SuperJustKitchen!
SuperJustKitchen is based on [http://forum.xda-developers.com/member.php?u=843218"]airxtreme[/URL]'s osKitchen Zero. All credit on for the kitchen backend goes to him.
Features
A completely stripped ROM. (Work in progress for some devices.)
LZX and XPR compression (Also option for No compression.)
Auto clean files that are language specific or DPI specific that your ROM does not need
Auto port missing language MUI files
Automatic rec'loc'ing for devices without native 6.5 nk's
6.1 and 6.5 support
Auto XIP and SYS porting
Auto NBH packing
Tool to convert OEM packages to EXT packages
Auto file conflict fix (don't have to removing older file that conflict (not that there are any. )
Save custom ROM settings (for cooks for multiple ROMs)
Cook multiple languages at the same time with the same ROM settings (Have to add language support yourself. I removed the required MUI's a while back because they made updating the kitchen and adding devices a nightmare.)
MUCH better organization of EXT packages
Active development instead of a program that is no longer being developed
Cleaner and easier to use interface
A built-in and customizable Tutorial section
And more!
Builds included
21056 - WM6.1
23658 - WM6.5 with new redesigned GUI
At the moment, this is an ENGLISH (WWE) only kitchen. This might change...
NOTE: In order for me to keep track of whether my time was well spent or wasted, if you use this kitchen to make a ROM, please either include SJK in the name or just mention that it was SJK cooked in your ROM's thread.
NOTE: This kitchen assumes that you know how to flash through SD, recover from a bad flash and are able to backtrack your steps to figure out how you broke your own ROM. If you do not understand these, please learn them first. Do not PM me asking me. I have written numerous walkthroughs on all these except on how to backtrack your steps. For that, just remember what you're doing as you do it and keep backups.
If you find any issues, PLEASE report them to the bug tracker in my website. It will help me make this kitchen better!
ENJOY!!!
thanks i will try....
oh!!!!! it takes a long time as Compaed to earvius kitchen.....also i am not able to flash .nbh file it stops at 1% in ruu and then device restarts.......
Not working
indresh88 said:
oh!!!!! it takes a long time as Compaed to earvius kitchen.....also i am not able to flash .nbh file it stops at 1% in ruu and then device restarts.......
Click to expand...
Click to collapse
same here...the final ROM when flashed says image corrupt
Same here all the rom file made by sjkv0.8 gives unflashable rom.
Something might be broken then. I changed the executable last minute. What size is the NBH you are all producing?
ivan the output nbh size is ok it seems for a lite rom it produces about 56mb and remember the one nbh u provided for testing is also having prob it says its corrupt.
help me...SJK won't cook
i cannot make it work...
i get an error while cooking about some files (ringtones) not able to be copied and then hangs.
i tried it on Windows7 and it says that the some payload.nb file is not found in temp folder.
gui-wise/appearance wise...this is the best kitchen ever!!
can someone please tell me where i went wrong? i download four files from the SJK website: ext package, sys package, opal package and the SJK package and extracted to the same folder.
Update:
v0.8.1 - Fixed unflashable ROM bug
Thanks ivan now finally i can use sjk v0.8 (now 0.8.1) after using sjk 7 for so long time.
v0.8.2
Fixed LZX
still gives an error...
ivanmmj said:
v0.8.2
Fixed LZX
Click to expand...
Click to collapse
last night, i cooked 3-4 times using different settings, compression, rom version but it still gives a flash write error for me
cooking works fine except for some errors regarding some *.wma ringtone files inside SYS/PhoneRedist folder not being able to be copied (i overcame them by deleting)
flashing goes upto 100% (i used RUU via the usb cable) but the device reboots and goes to tri-color screen and says Rom Code Error.
btw...do i have to re-download every thing (SYS, EXT, *device_specific*) and the SJK_0.*.* or just the single SJK_0.*.* file?????
+1 Exactly same result since v8 and above
freelancer81 said:
last night, i cooked 3-4 times using different settings, compression, rom version but it still gives a flash write error for me
cooking works fine except for some errors regarding some *.wma ringtone files inside SYS/PhoneRedist folder not being able to be copied (i overcame them by deleting)
flashing goes upto 100% (i used RUU via the usb cable) but the device reboots and goes to tri-color screen and says Rom Code Error.
btw...do i have to re-download every thing (SYS, EXT, *device_specific*) and the SJK_0.*.* or just the single SJK_0.*.* file?????
Click to expand...
Click to collapse
No, if you already had the *_0.8 for all the files, just download the SJK_0.8.3. If you didn't have anything, download EVERY file that's not device specific and your device's file.
You're getting a flash write error?
Still error
what might be the problem????
flashing goes upto 100%, device reboots and goes to tri-color screen
and displays a "ROM CODE ERROR".
i tried all compression methods including UPX on EXT packages but same problem.
freelancer81 said:
what might be the problem????
flashing goes upto 100%, device reboots and goes to tri-color screen
and displays a "ROM CODE ERROR".
i tried all compression methods including UPX on EXT packages but same problem.
Click to expand...
Click to collapse
I think I know what happened. Please hold while I work with airxtreme to fix it.
gooooddddyyyy....i am looking forward to it!!!
Try this:
http://justkitchen.info/main/rokdownloads/SJK_0.8.5.7z
Please let me know ASAP if it works.
thank you for your promptness...i will surely try and let you know.
freelancer81 said:
thank you for your promptness...i will surely try and let you know.
Click to expand...
Click to collapse
Did you ever get a chance to try it out?