Hi !!
I'm sorry if I write about talking before but I search for 2 dayes internet (Most link coming from xda ) without success.
I'm pretty sure that is not possible to do on Trinity due to bootloader limitation but I want a last confirm before to flash my device.
My boot loader is a Des' Crash-Proof SPL:
TRIN100
IPL-0.50
TRIN100
SPL-9.99 CP
After I play with the WM6 registry it don't load th OS after reset.
I wondering if is it possible to dump the ROM (The mass storage part) to mount in a linux box from the boot loader.
I read that the Trinity lack of the s2d command and also the rbmc didn't work.
There is any other way to do it
Off course I can't use pdocread.exe due to the OS is not loaded on the Trinity.
Thanks in advance and sorry for my english.
Carlo.
Hi again.
I was able to read ROM whit the rbmc command using the follow command:
password BsaD5SeoA
set 1e 1
task32
rbmc >/tmp/dump.bin 0x3100 0x17900
The problem is that the output is show on the screen and not writed in the file.
I tried on linux using HTCFlasher and mtty on WIndows whit the > and without.
Any Idea ?
Carlo
Try QMAT too, although it's not meant to be used with Trinity, it supports rbmc dumping.
Thanks, I'll try it tonight.
Here's an rbmc partition dumper I've created for dumping os, storage and ext rom. Storage partition doesn't seem to be readable this way...
You need to have a security unlocked device or HSPL that allows rbmc when device is not security unlocked.
Hope this helps...
Thanks for the command, I tried and it don't work.
I have the Des' Crash-Proof SPL on my Trinity and the rbmc command work but I have to give the follow commands before use it.
password BsaD5SeoA
set 1e 1
task32
is your command supplied it before to dump or there is any command line option to pass it to the command ?
Works on my trinity allright... task 32 is not required, btw.
Did you manage to get QMAT working/dumping?
I tried more times but I have allways this message:
C:\Temp2>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:01s.953ms
HTCSBye!>.L.HTCE
I switch the Trinity to the bootloader screen and then I plug the usb and ru the command with no args.
Where I wrong ? I tried without ActiveSync open and with it opne with the usb connection disbled.
No, I was unable to use QMAT, the manuals is little different from the version and don't explain the very first operation to recognise the PDA to the program.
Instend I was able to capture the rmbc output on my linux box and minicom on usb but I get error after a while the program is dumping (The same I got on the screen using mtty) and then I'm little confusing about partition dimension showed by the "info 8" command
Bye.
What happens when you manually issue "rbmc c:\temp\os.bin OS" in mtty or minicom?
I start minicom with the capture option active then I use the command
Cmd>rbmc a 0x3100 0x17900
Then the dump start
Cmd>rbmc a 0x3100 0x17900
GetExtRomData+(): *pszPathName=a, dwStartAddress=57600000, dwLength=8C08DAA0
:F=a :A=57600000 :L=8C08DAA0 :rbmc= HTCS¼Ñÿÿùÿ0ÖÿÿùÿRPQQ"RTP¤QP>Öÿÿùÿ¤ìÿÿùÿÔÿÿùÿ9Öÿÿùÿ<Öÿÿùÿ=Öÿÿùÿina
condominiale
[.....]
,(*"(B+&*0ùÿNANDFlashReadSectorWithSectorInfo: dwBlockIndex=0x400
NANDFlashReadSectorWithSectorInfo: Address over boundary!!!
rbmc: read data error at 0x8000000
In the [...] I got about 1 MByte of data.
My I was to dump th user partition to recover same data, not the OS.
This syntax is not valid:
rbmc a 0x3100 0x17900
1. Do not use 0x prefix for offset and length
2. Use actual flash offsets (starting at 50000000 (hex))
Can you try this exact command?
rbmc c:\temp\os.bin OS
This is the command rbmc.exe executes and it seems to be failing on your Trinity.
I tried and that is what I had:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
cybor said:
I tried and that is what I had:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
Click to expand...
Click to collapse
Can you do it in mtty?
Ok, sorry, I missunderstand.
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCEPassWord: BsaD5SeoA
Cmd>set 1e 1
Cmd>rbmc c:\temp\os.bin OS
Command error !!!
Ok, it looks like your SPL doesn't support rbmc command, but if you do "rbmc 50000000 1" in mtty that works?
Yes, it work.
Cmd>rbmc 50000000 1
GetExtRomData+(): *pszPathName=50000000, dwStartAddress=1, dwLength=8C08DAA0
rbmc=8DAA0
Cmd>
But it work only if I supply the "task 32" command after the "password .. " and "set 1e 1"
Colud you modify your command to supply the "task 32" command, maybe by a switch ?
Finally it work !!
I mean your command.. after the message before I tried this way.
I connect to the bootloader with the patched version of TeraTerm (To have the copy and paste function ), then I supply the three commands like the message above and finally I close the Teraterm and lunched your command with no parameters and here what I get:
C:\Temp0\rbmc>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
0x4d50800 bytes read
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0x55628D8 bytes in 0d:00h:02m:02s.125ms
HTCSBye!>.L.HTCE
How you can watch it don't read the Storage.nb and the ExtROM.nb, but now I can get OS.
So I think that the "task 32" is mandatory in with the HardSPL I got in my Trinity.
Witch HardSPL do you use for test your command ?
cybor said:
So I think that the "task 32" is mandatory in with the HardSPL I got in my Trinity.
Witch HardSPL do you use for test your command ?
Click to expand...
Click to collapse
Yeah, well, this seems to be the way HardSPL works, you only get access to locked commands after faking security lock status with "task 32". I've added this command to rbmc.exe, however I want to make it more generic before I post the updated version, because dumping storage doesn't work so far.
I'm using MFG SPL 1.05 patched to allow rbmc, this shouldn't be relevant though.
Ok, so attached is an updated version of rbmc.exe.
It will work just like the old version without any parameters, but you can specify the same parameters as you would feed to rbmc command too now.
E.g. to dump storage you can do
C:\>rbmc.exe storage.bin Storage
However due to a bug in SPL this won't work, it will produce an error message showing the starting offset of storage partition though.
Grab that offset, substract it from 0x60000000 to get the correct storage size and rub rbmc.exe again with parameters:
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
You should have a dump of storage partition (albeit not excatly 0xACAC0000 bytes) in storage.bin file as a result. Note that resulting dump has NAND flash block status data (0x10 bytes every 0x200 bytes) that you may need to strip to get an image of storage partition you can work on.
Good luck!
Thanks for this new realese, it work fine.
I have a problem to understand how to calculate the offset.
When I run
rbmc.exe storage.bin Storage
I get:
Dumping rbmc storage.bin Storage to storage.bin...
ERROR: rbmc storage.bin Storage command failed; last message:
"Storage address error.(0x54DC0000, 0xB301000) "
What I must subtract from 0x60000000 to get the offset and which is the other value in the last example you write.
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
I'm sorry to waste your time, but I tried to understand but I fail, but I want to reach the end because in future a tool like this will be very usefull to recover data froma crashed Trinity.
Related
When I first tried writing a bigstorage ROM to SD using "ntrw write", like many other people here I got the "incorrect parameter" message and was quite nervous about attempting to flash my magician having seen this message.
So, I've come up with the following method to verify that the ROM has written correctly to the SD card, despite the error above.
To perform this procedure, in addition to the usual tools, you will need to install GNU32 diff tools from here:
http://prdownloads.sourceforge.net/gnuwin32/diffutils-2.8.7-1.exe?download
1. Let's presume that the image you want to write is called hackedimage.nb1.
2. In Windows explorer, right click on the file hackedimage.nb1 and choose Properties, from this window you will be able to read the size of this file in bytes (it will be something like 66847136) write this down somewhere. This is the magic number. [NOTE, write down the "Size" NOT "Size on disk"].
3. Now write the file to your SD card with the command "ntrw write hackedimage.nb1 X:"
4. Next, we'll read the image straight back to another file that we'll call "readimage.nb1". The command is "ntrw read readimage.nb1"
5. You now have two files, which we'll compare to make sure the content is identical (ignoring the fact that they are completely different sizes).
6. In the directory \Program Files\GnuWin32\bin\ you will find a file called "cmp.exe".
7. Run the command "cmp -b -n XXXXX hackedimage1.nb1 readimage.nb1" replacing XXXXX with the magic number you wrote down earlier. This command will do whats known as a "binary diff" to compare the contents of the files.
8. If the command gives no output whatsoever, then you should have a good image, great! Go flash it! (If the command does give output, then the images don't match, time to try again).
Hope that helps, it certainly worked for me.
While in bootloader, need to save existing ROM, but don't know how to dump it.
r2sd seems to be removed. Any other commands or substitutions?
regards,
fdp24
please,
do post exactly howto remove CID lock, as i urgently need to reflash my device.
regarding your howto dump your rom , sorry i havent heard of a complete way!
regards
Use aWizard
I think It's very dangerous to restore rom with awizard. Hight risk to crash!!!
Does the artemis bootloader has rbmc command? if yes you can use it to dump the rom from bootloader.
artemis bootloader has not rbmc command,can't use rbmc command backup it's ROM !!
commands
I posted commands, which I found.
http://forum.xda-developers.com/showthread.php?t=285112
When you execute password XXXXXXXX
it says:
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
But I could not get rbmc working
Hi All. I dumped OS and Radio from my Artemis used aWizard programm. Now i have 2 files: OS.nba and Radio.nba . Can i upload this versions on the same Artemis and how can i do it? maybe ather programm no aWizard?
Have u done swomething with ROM ???
I don't take the responsibility for any damage caused by the information included.
This is not my intention to reveal any secrets of HTC Company. All this information was known earlier. I've just collected it in one place and used it for repairing my broken HTC device.
Although it was successfully tested on Herald from Dopod, it should work on any Herald and as far as I know this is the only hope, especially for Heralds with low SPL number, broken by flashing with HardSPL
If you find this tutorial useful, do it on your risk.
I've spent a lot of time in searching of a solution for my bricked Dopod C858. It has been bricked after Hard-SPL by Olipro. When this Hard-SPL was first introduced, there wasn't any warnings about minimum SPL and GSM versions requirements. That's why there is a lot of people with their Heralds stuck in the bootloader mode without a possibility of successful flashing in any way.
One of the symptoms was Invalid Update Tool 300 Error when I was trying to flash even with the official RUU. The other symptom was "GetDeviceCID: Error - InitDecoder" when getdevinfo command was typed at MTTY console.
Finally I was able to recover from this state. I successfully created the goldcard - a micro SD card with the special header, which gives us a temporary SuperCID status (security level 0). In this way we are able to flash the new ROM via SD card, instead of using the official RUU (ROM Update Utility). If it is not enough to flash successfully, we can use a wonderful service tool included in Herald's diagnostic image (heradiag.nbh).
All the credits goes to "itsme" and his hard work. It wouldn't be possible without his knowledge, his help and his great software. Willem agreed to make this tutorial and share this knowledge on the forum.
Thank you Willem!
I would also like to thank "pof" for his effort and although he couldn't find a solution, he tried to help me, so thank you Pau!
The other person I would like to thank is "canonyang_China". I know he is accused of stealing Olipro's ideas of Hard-SPL. I only want to thank him for posting heradiag.nbh file. This is the great tool which together with the goldcard can do a lot.
I would also like to mention one person. It's "jockyw". He has almost identical solution but he has found it by himself. If you find this tutorial too hard to deal with I recommend to contact "jockyw" and he will help you for a small paypal donation.
TUTORIAL:
***********************************************************
Requirements (not tested on other configurations):
1) Windows XP with SP3
2) ActiveSync 4.5
3) ActivePerl 5.8.8.822
4) Crypt-DES and XdaDevelopers-NbfUtils PERL packages
5) typhoonnbfdecode.pl PERL program
6) itsutils tools
7) working mobile device with any Windows mobile OS (2003, 5.0, 6.0)
8) any .nbh ROM file from the official Herald's RUU
9) heradiag.nbh file
10) micro SD card (tested on 512MB and 1GB)
Ad.2) download your language verion of ActiveSync and install it:
Ad.3) download and install MSI installer of ActivePerl 5.8.8.822 from http://www.activestate.com
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a6-4563-8199-e1483f751c4f
Ad.4) run Perl Package Manager from Windows Start Menu
change PPM Preferences (run Preferences from the Perl Package Manager menu and switch to the repository tab):
- Add repositories:
Name: itsme
Location: http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository:
Name: theoryx
Location: http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (at the main window of Perl Package manager find those packages, mark them for install (the icon with green plus, next to the search bar) and run marked action(green arrow icon)):
-Crypt-DES
-XdaDevelopers-NbfUtils
If you can't find those packages on your list, please make sure you have selected "All packages" from "View" menu in Perl Package Manager main window.
Ad.5) download typhoonnbfdecode.pl from http://www.nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/
Save it to "C:\itsutilsbin"
Ad.6) download itsutilsbin package from http://www.xs4all.nl/~itsme/projects/xda/tools.html. Unpack it to "C:\itsutilsbin"
http://nah6.com/~itsme/itsutilsbin-20080602.zip
Ad.7) Find a working Windows mobile device and use it to format your micro SD card as FAT32. It's important to do this on working mobile device with any Windows mobile OS (2003, 5.0, 6.0) because PC USB card readers causing troubles with making a goldcard because of a different MBR interpretation.
- Activesync your working Windows mobile device with SD card inside
- On your PC enter windows command mode (Start->Run... cmd)
- Choose your itsutilsbin directory (cd C:\itsutilsbin),
- Run this command (l means a letter 'el' - not a digit 'one'):
psdread -l
If you have problems with running psdread -l you probably have problems with the security configuration of your mobile device. There are many options to change it. In my case I was using Device Security Manager PowerToy for Windows Mobile 5.0
It is recommended to save your security configuration, then change it to the Security Off level and after the whole goldcard preparation process, load saved configuration preset if you don't want to leave your Windows mobile device Security Off. You should have your mobile device ActiveSync with your PC when you are using this tool.
- If everything went OK, look at the result at the cmd window after psdread -l and find something like that:
remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte
SerialNr: 75 63 00 49 8a f2 00 80 47 31 30 55 53 44 53 03
- in the next step you will have to replace the first byte ( in this case '75' ) with '00' and write this ID without spaces between numbers - this will be your modified cardid
In this example your modified cardid will be 006300498af200804731305553445303
(Thank you "hookcard" for reporting troubles in this step)
Run this command, where <cardid> is your modified cardid:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
- Your goldcard image will be saved in your current directory (C:\itsutilsbin)
- If you have error message connected with msvcr71.dll file, please download this file or try to find it somewhere on your system partition and then copy it to the directory containing typhoonnbfdecode.pl (C:\itsutilsbin)
Then repeat the previous step with running typhoonnbfdecode.pl
If everything went OK, run this command, where <number> is a number under which you have your SD card during psdread -l command, for example, "remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte" means that your <number> is 1:
psdwrite -<number> goldcard.img 0 0x120
Now you have a card which gives you SuperCID - you can test it with MTTY and see that g_cKeyCardSecurityLevel = 0
Ad.8) Remember to have more than a half of the battery capacity available before you start this step!
- download any official Herald's RUU and extract it to the directory, where you should find RUU_signed.nbh ROM file. (It was tested with Dopod's ROM). Copy this .nbh file to your goldcard changing its name to heraimg.nbh
- Enter the bootloader mode. When you will see on your Herald's screen the question: "Update SD image?" you will have 10 seconds to press Volume Down button and this way to start flashing
Unfortunatelly, if something will go wrong and i.e. you will see SD update failed you will have to use heradiag.nbh file to enter special menu during the start of the bootloader mode. If you have problems with flashing, please read the step below:
Ad.9) download and unpack heradiag.zip file from this thread:
http://forum.xda-developers.com/showthread.php?t=332413&highlight=heradiag.nbh&page=6
Remember to have more than a half of the battery capacity available before you start!
- Copy heradiag.nbh on your goldcard together with any official .nbh ROM from ROM Update Utility from the previous step.
- boot your Herald in bootloader mode and you will see the diagnostic menu where you will have Reflash Image option. Choose Reflash Image and after the flashing process (about 5 minutes) please softreset your device.
That's all! You should see your Herald properly booting Windows OS.
Good luck!
Anyone had any luck with this?
I tried.
Everything is O.K.
ok first of all thank you very much for as a hope gain to bring our herald to live again.
but there is some point at this thread i didnt get it so plz if u could help me
1-
run Perl Package Manager from Windows Start Menu
change PPM Preferences:
- Add repository: itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository: theoryx http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (mark them for install and run marked action):
-Crypt-DES
-XdaDevelopers-NbfUtils
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
I've updated this tutorial and now it should be more clear.
According to your question about the ROMs - if you successfully create the Goldcard you will be able to flash any ROM, not only those matching your original CID.
halder said:
...............
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
Click to expand...
Click to collapse
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
maybe someone can post the perl folder, with the required modules installed?
Do you have "All Packages" chosen through View Menu?
klikman said:
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
Click to expand...
Click to collapse
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail adress.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
alencarfr said:
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail adress.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
Click to expand...
Click to collapse
Go to this thread, it will explain how to fix your phone....
http://forum.xda-developers.com/showthread.php?t=345411
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
No Signal. With MTTTy I gave the command set 32 1 and get the message:
================================================
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
PL_SDSetSlotNumber() - MPUIO_SDIF_SEL1=0, MPUIO_SD_IF_SEL=0
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDInit - SD ver1.0
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SD clock to 24MHz
***** user area size = 0x79280000 Bytes
SDInit---
SDInit OK
Unlimited time!
GetDeviceCID: Error - InitDecoder
g_cKeyCardSecurityLevel = 0
HTCE
=======================================================
So, please could you help me ? Thanks! Alencar
Hi,
Where did you format your SD card before preparing Goldcard? In Windows Mobile device or in laptop or PC card reader?
alencarfr said:
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
g_cKeyCardSecurityLevel = 0
So, please could you help me ? Thanks! Alencar
Click to expand...
Click to collapse
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
please SIR how can i change cardid ?
and witch tool i use ?
Hi,
I've sent you my private message but you haven't answered so I have to ask you in this thread:
- What is the size of your SD card? I successfully tested it with 512MB and 1GB cards.
alencarfr said:
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
Click to expand...
Click to collapse
Sucessfully tested with 2gb card
BTW, HardSPL'd devices doesn't want to load heradiag!
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
same here
already try restarting my windows still no luck
I guess you are doing something wrong because there are people who were successful with this tutorial. Maybe you don't have "All packages" chosen from the menu.
I have updated point 4 of my tutorial so please take a look.
I've also posted in this thread my answer to someone who had the same problem like you and he didn't answered anymore so I guess as a result he created Goldcard successfully.
If it will help you, please let us know.
TINDUNG10 said:
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
Click to expand...
Click to collapse
please help me delete 1 post
Well this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded sparely? We're just waiting until olipro, cmonex (bless their work!!! ) or some other mod finishes the Hard-SPL.
If this is an illegal talk or something then just delete my thread..
I find this is an interesting topic.. So why not colaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I ever liked hacking embedded devices, but my knowledge in these things is not so good. Would like to dig more into this and solve this kind of mystery
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone and pmemdump, a tool to dump memory areas of the phone to disk.
This rises the question of how to find out the address, where the SPL lies in our LEOs and then how to dump it?
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But i have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking i am giving an update of my research now (of course cmonex will finish that work, and she will do it good, but as you probably know, i want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as i understood the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere and as our SPL would execute, it would crash, because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard coded references to data (such as strings etc.) in code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL i obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which i just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and let's you step through the instructions. Really nice, if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talking. Thanks
Thanks to share this information with the comunity.
Feel free to investigate and and have a go for it.
The itsme utils are extremely useful,
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you got your SPL, you can read Jockyw2001's posts regarding bootloaders dissembling in IDA pro.
The actual patching of the SPL isn't the hardest part, Cmonex once told that the development of the Soft SPL was trickiest part.
Regards, and good luck.
EqX
Thank you.. I will have a go for it, when i have more time. It's over for today..
Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them but there must be also people around who can give a hand to accelerate the process. No ?
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
Did you install activeperl ?
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
mr.vandalay said:
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
Click to expand...
Click to collapse
You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you cant use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that pl file you see that there is no entry for LEO. We need the LEO key.
I replied to your PM about dumping SPL 0x95000000
mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
sorry this will never work on Leo. I can make the goldcard for you though (for a small donation)
Thanks a lot cmonex, for your PM, hope to flash my Holand device onto a WWE device to better understud.
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Tung_meister said:
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Click to expand...
Click to collapse
Yes, it should be
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Someone can help?
kholk said:
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Someone can help?
Click to expand...
Click to collapse
You're not the only one. Currently working it out with cmonex.
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
mr.vandalay said:
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
Click to expand...
Click to collapse
Welcome to the club of dutch rom refugees
cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
cidriver said:
cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
Click to expand...
Click to collapse
She.. She's female!
Hi everybody! I bought some weeks ago a Shift and my first priority is to change the language from Italian to English. But before going ahead in flashing a new rom I thought it is wise to make a back-up of the original rom.
So in my attempt to dump the original italian rom of my Shift I've come to an error status I don't know how to overcome, therefore any help would be very much appreciated:
Following pof's How to dump HTC Shift ROM at
http://forum.xda-developers.com/showthread.php?t=382609
I downloaded itsutils, unzipped on the pc and placed all the itsutils files in the c:\users\HTC User folder, (as I just did not know how to change the path in cmd to go to the c root with the itsutil folder).
Further on, with the WinMob connected to Vista with USB Tool, I introduced the first command line for pdocread
pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
and I got the answer
Copying c:\users\HTC User\itsutils.dll to WCE:\Windows\itsutils.dll (which I think it's OK) and then
rapi reinitializing (is it normal?)
and then
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005
– Access is denied
I have no idea on what the cause of the error could be, probably I must have done something wrong and I am stuck at this first dump step.
Can somebody please help me further to get unstuck?
Thank you very much!
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
thaihugo said:
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
Click to expand...
Click to collapse
THANK YOU THAIHUGO for taking the glove of answering me on this dead forum, I really need help! I find it fantastic that you are still so active, maybe in time some other senior members will take again the challenge to support the newcomers.
Yes, WM was connected to Vista side using the USB Tool and the Windows Mobile Device Center.
Looking back, I think I opened cmd as user and not as admin (now I know how to do it), this might have been the mistake, I will try again this afternoon.
1. So far I understood that the main reading process is running under Vista using the command lines and the itsutils, which is ok.
Does it matter where the unzipped folder <itsutilsbin-20100324> is placed? I mean should it be placed obligatory in the root of the c:\ drive?
If YES, how do I do that in the cmd line, I mean change the directory? Normally the cmd screen opens to the folder c:\users\HTC User when starting as user and to c:\Windows\system32 when doing it as administrator. Is it wise to copy all the itsutils files to system 32?
Of all those itsutils files, which are the absolutely necessary files to do the dump? Are these pdocread.exe and itsutils.dll only? This is because I'd like to handle as less files as possible to the system 32 folder.
2. If I got this right, the link that you pointed to shows for the Raphael ROM how to do the dump entirely on the WM side and should be applicable to the Shift WM as well if not managing it from Vista side, is that what you were trying to say?
3. Is this way of dumping the rom covering also the radio part and the bootloader, I mean all the 4 raw files contain the whole initial memory of the WM?
Sorry to raise such beginners question, but I did not find these things explained in any of the Shift threads and without answers I cannot progress with this dump job and furtehr proceed with flashing a custom rom in English. I did search in the Shift forums and googles for answers, but maybe I did not use the right keywords.
Looking forward to receive the enlighting answers, thanks in advance!
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
2) do not use raphael numbers. I linked to the post for the general procedure. Proper numbers are in the POF post.
3) you will not have the radio, nor the bootloader. But you have to jump if you want to use custom roms. Bootloader is available somwhere, and radio also I think.
Still getting errors
thaihugo said:
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
Click to expand...
Click to collapse
Thank you again Thaihugo!
I gave it another try to pof's commands as you recommended this time first with pdocread -l and it doens't work, BUT I'm getting the similar error messages. While accessing cmd as administrator and running the cmd line from c:\itsutils:
pdocread.exe -l
rapi reinitializing
and then after about 35 sec
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005 – Access is denied
At different runs I got different addresses for r and ce, but the same for le and hr (no idea what those mean).
It doesn't change if launching as administrator or user.
I even downloaded a previous version of itsutils directly on the Vista computer and unzipped it with Total Commander and the result is the same.
Have also tried another command from pof with the same error result:
pmemdump.exe 0x8c000000 262144 SPL.nb
Of course the WM side was connected to Vista via USB Tool and I also checked if from the Vista side the WM folders were accessible.
I'm completely stuck, don't know what to do further, please help!!!
Thank you!
P.S. Have copied the itsutils.dll to the Windows folder in WM via e-mail, just like in the liberalization process in order to avoid copying it via Active sync (as recommended for Raphael). This time at the first run of the pdocread.exe I was asked to accept installing itsutils.dll on the WM side, which I did.
But I'm still getting the error messages when launching pdocread.exe -l, this time running very fast in a few seconds and after 4 turns it stops with the final message
ERROR loading itsutil.dll - probably denied by policy restrictions
Does it ring any bell to you?
My guess is that I have to relax the security policy on the WM side, but I don't know how.
I am amaized that nobody raised all these before.
I've finally done it! HowTo......
OK, I finally managed to dump the ROM thanks to the support of Thaihugo and the info in various threads on this forum (with credit to the authors), I have now the ROM and bootloader dump files, but not the radio rom.
There were several detailed steps important for beginners that were not included in POF's thread "How to dump HTC Shift ROM" at http://forum.xda-developers.com/showthread.php?t=382609 that prevented me to do the dump from the first go.
In order to spare other newcomers time, here they are:
-On the WinMob side change the Security Policies setting by installing a registry editor like PHM Registry Editor, TotalCommander, etc. (I used the cab files downloaded in Vista and moved to WinMob via the Windows Mobile Device Center);
Go to HKLM\Security\Policies\Policies and change the valuename '00001001' from dword:2 to dword:1. Save the change and soft reset your WM device.
If in doubt check this: http://forum.xda-developers.com/showthread.php?t=427507
Note: After finishing the dump operation do not forget to revert back to the initial dword:2 value
-Download itsutils from POF's site to Vista and unzip the package to a new folder "c:\itsutils".
-To be on the safe side disconnect all network connections (3G modem, wifi, BT, LAN) and all USB external devices.
-Connect the WinMob side of the liberated Shift to Vista using the USB Tool and check in the Windows Mobile Device Center that the folders and files of WinMob are indeed accessible from Vista
-Open the command line screen and go to the folder where you unzipped the itsutils tool by typing "cd c:\itsutils" (without the quotes).
-From within the folder itutils type the command "pdocread -l" (without the quotes).
At this point, with pdocread.exe started, go to the WinMob side and
you will find a message asking you to accept installing the itsutils.dll on the WM side, say Yes to it and wait until it is instelled.
Then go back to Vista side and carry on as described in POF's thread mentioned above by:
- using "pdocread.exe -l" to list the NAND PARTITIONS (which have to do also with the radio side as I understood from one of cmonex posts)
- using "pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw" and the other 3 commnads to generate the 4 raw files in the same folder c:\itsutils; keep them for reconstructing the original ROM
- using "pmemdump.exe 0x8c000000 262144 SPL.nb" to dump the bootloader file to the same folder c:\itsutils; keep that too.
That's it for now.
I have to deal further with dumping the radio rom, but I don't know how to do it, I must search the forums.
A big THANK YOU to all who helped me!
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
thaihugo said:
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
Click to expand...
Click to collapse
Thank you again Thaihugo, it seems that you are the only senior left on duty on this dead forum....yet the counter shows 238 views of this thread. Hm, strange....Anyway, thank you for all the good hints given one way or another during the past days, I wouldn't have made it without it.
I got the message, I will not bother with dumping the Radio. I know that a particular Rom is matched with a certain radio. I will flash one of your roms, most probably Age of Reasons and the associated radio. I am not looking for tens of programs on the WM side, it is enough to have the basic things in English and instant-on. I will let you know!