I'm proud to present a new version of tgtool with repack support.
I want to tank cotulla (DES) and viperbjk (PSAS), without their work this would not be possible.
WARNING: THIS TOOL IS UNTESTED. NOBODY KNOWS WHAT WILL HAPPEN
WARNING: FLASHING A ROM CREATED WITH THIS TOOL CAN BRICK YOUR PHONE
WARNING: FLASHING A ROM CREATED WITH THIS TOOL MAY VOID WARRANTY
WARNING: YOU ARE ASSUMING FULL RESPONSIBILITY FROM USING THIS TOOL
WARNING: WARNING WARNING WARNING
if you use this tool you use it on your own risk, i am not responsible if anything bad happens but strongly hope YOU ARE responsible and know what you are doing
Da Mafia has flashed a rebuild but unmodified rom and phone works.
Da Mafia has did it again and again, because of him we know we are now close of having a custom ROM so a big THANK YOU for risking your phone for us.
Novembre5 has flashed a 6.5.5 ROM that didn't booted, he has successfully recovered the phone using pin method.
Changes:
1.3.20
- added -tg01
- added -t01a
1.3.19
- fixed bad unk0 in WMB3
- extra checks for -chk (partition signatures, length of rom, lenght of payload)
- repack/merge now automatically checks resulting rom
- added -dci to display catalog informations
1.3.18
- added repack support
Example to check a rom file:
Code:
tgtool -chk TG01WP_5005000176.tsw
Example decrypt a rom file:
Code:
tgtool -dec TG01WP_5005000176.tsw tg01.bin
Example to extract payload from rom file:
Code:
tgtool -sp tg01.bin tg01.os.payload
Example to insert a payload in a rom file:
Code:
tgtool -mp tg01.os.payload tg01.bin tg01-new.bin
OR
Code:
tgtool -mp tg01.os.payload tg01.bin tg01-new.tsw
Copy note:
It is required for whomever uses this software and releases a ROM created with it to distribute a copy of the software and this copy note with released rom so rom integrity can be checked.
It is required for whomever uses this software and releases a ROM created with it to state that this software is a key part in building that ROM and that the ROM could not have been created without it.
It is required for whomever uses this software and releases a ROM created with it to test the ROM and make sure it is working.
It is required to inform potential users that ROM created with this software can permanently and irremediably damage the phone.
This software is provided as it is without any warranty of any kind, express or implied, not even that it does anything useful.
best wishes
cedesmith
FLASHING AND RECOVERY
Don't use sddl+, use short pin method, as stepw(autor of sddl+) stated here "Now that entering SD download mode via shorting pins became public, SDDL+ is obsolete.". shorting pins is toshiba intended and tested mode to enter downloader mode and seams a little safer then sddl+.
There is info that short pin method accepts .bin files.
To skip language check (SD Downloading failed. varient is invalid!!) rename .tsw to .enc
To enter downloader mode bridge pin 1 and 3 and press reset. release reset and keep bridge for few seconds. DO NOT PRESS RESET AGAIN. check screen and see what happens.
Secure your battery with duct tape it can drop very easy. If you use short pin method it can drop while you turn phone with screen up. Since you will turn phone just after you reset it will be flashing bootloader and and phone will be bricked for ever.
read more and make sure you know what are you doing
picture is from 1st thread i found about short pin unfortunately i can remember where that is. if you can point me to it i would link it here.
during split of payload you will nice
Code:
Part 00 OS 00000273-0000078E (050F4000-0F98FFFF)
NOOPBlock 0017CA90-0018C210
NOOPBlock 004CD610-0056A210
NOOPBlock 0928E8D0-0A584210
NOOPBlock 0A6A5650-0A6AD000
this is because these blocks are filled with 0xFF, they have all data 0xFF, ecc 0xFF, sector number 0xFF and partition flag 0xFF.
i think that these blocks are to be ignored by download tool. the fact that SIM_SECURE catalog entry is all filled with 0xFF strengthens that belief.
if you follow my examples and you compare tg01.bin with tg01-new.bin you will notice that the files are almost identical.
they are not perfect equal because once dumped extra data like sector number and partition flag is lost and is no way to know if block is full of 0xFF or not to be flashed (NOOP).
i think that NOOP blocks are there because partitions start at flash block boundaries limit so there is some extra space in partition that is not used and does not mater what is in it so is not overwritten by flash process.
THIS IS ALL SUPPOSITION.
on merge content of original rom is preserved till WMB1 EXCEPT file header witch i assume is not flashed. in this header only catalog table entries for WMB1 WMB2 and WMB3 are modified.
i think that if rom will not boot short pin method may be able to flash original rom as part till OS is preserved.
-dec on new .tsw file and file compare with original to make sure they match till OS start 0x050F4000 in the example above
don't take chances unless you know what are you doing and you triple checked. this is untested stuff and may contain bugs
***reserved***
congratulations cedemish, we are very pround of you. I hope we all can start to develop ROM's properly. Thank you for all your effort!
Just one question, is there any way for testing the rom package like you tried to do in your first release?
yeaaahhhhhhhhhhh!!!.........
Do you think we can flash now costum roms??????
did someone try it??
arag0n85 said:
Just one question, is there any way for testing the rom package like you tried to do in your first release?
Click to expand...
Click to collapse
sure
Code:
tgtool -chk tg01-new.bin
TGTool v1.3.18 copyright(c) 2010 cedesmith
Checking tg01-new.bin has completed without warnings
but keep in mind that it checks only for things i know and i observed in official roms.
is no guarantee that will not brick the phone but if it fails it raises big question marks
Hamido123 said:
yeaaahhhhhhhhhhh!!!.........
Do you think we can flash now costum roms??????
did someone try it??
Click to expand...
Click to collapse
i hope we will have custom roms. i didn't have the guts to try it. i hope you don't either.
have patience and don't do something stupid
WOW, good work!
Yihaaa, soon we'll have cooked room, thanks to you!
suberb work done, hopefully donations will follow
Thanks cedesmith!
This is a milestone in the Rom development for our TG01.
We're now able to create custom Roms. And I'm sure, that someone will try this very soon and will tell us, that he flashed a WM6.5.3 without problems
I'll wait until hdubli creates a Rom. I trust him and he said, that he is sure, that he's able to boot WM6.5.3.
Hope you get more donations. I donated directly on the first day you placed the link in your signature. (ID: 7M1172384A419273S)
Best regards,
Manuel
I got one question cedesmith.
I can remind me that hdubli said, that we need to change the XIP also and not only the payload in order to get WM6.5.3 working.
But for me it seems, that it's only possible to customize the payload and then create a new .bin or .tsw file with your tool at the moment.
So don't we need to customize the XIP or is that the next step of your development?
Here's hdublis post: http://forum.xda-developers.com/showpost.php?p=5886393&postcount=111
Best regards!
Congratulations cdsmith!
Thank you very much cdsmith. I was missing a bit today but tomorrow I will try to make a ROM.
Some questions: The new payload length need to be identical with the original one or the packing process take care of it? If needed to be I can fill manually the rest with FF to be sure. Any way on the and of original payload there is a spare space with FF.
....the xip.bin is included in payload. Need first to be extracted, than ported and than injected in the final new payload (after SYS and OEM files was modified/excluded)...but it can hapen that the new ROM will boot also with old XIP, just then the version shown will be a mixture between the old and new one. And maybe some mallfunctions...but not necesary (I allready made in the begining of my cooking, ROMs for ASUS P552 in such a way......but after that I learn more)
...AND A BIG THANKS TO hdubli , I learned a lot from his ROMs
cedesmith said:
a word about short pins:
yesterday i updated to official uk rom and tried short pins method for it. it didn't work. sddl+ worked.
short pin checks the file as TG01_SDDL.exe from toshiba does so if OS does not boot and SD Downloader works you may bot be able to restore original rom.
i think is better not to use sddl+ to flash cooked roms as it seams it skips some checks. instead flash original IT debranded with sddl+ then flash unbranded cocked room with TG01_SDD or pins ( file should be named correctly ?)
All this info is for chefs/developers who are willing to test (and sacrifice phone) not for users. I strongly suggest that users don't use it.
i cannot stress enough how dangerous this is.
Click to expand...
Click to collapse
when shortcutting pins as far as I remember you need to rename the .tsw file in .enc in order to skip the language check.
payload contains WM partition table, boot partition, xip partition, imgfs partition, fat partition (user storage).
for me ImgfsToNb cut off fat partition from payload so roms will probably not boot as noware to save configuration files?
osnbtool seamed to put everything back together nicer.
my hopes are with hdubli right now as he previously announced he is willing to make a rom and to try it.
packing should take care of everything as is relays on info from partition table. there is no need to do anything manually. i was just explaining why a unmodified rebuilded rom is different from original a little.
main idea is that orriginal rom knew that extra FF are filling and no need to waste energy on write them to flash while tgtool does not.
at least is what i suppose.
@ABM30 and others: plz do not make and release a rom till someone test on a phone and we are sure it does not brick anything. ppl will download and flash without reading warning and we might end up with a lot of angry peoples.
cedesmith
congratuations for your work and the perfect result.
i think you deserve all the respect of us all, you are the real hero for us,becasuse you do so much for us and for this forum.
in compare I want to say I am disappointed for someone other,some people do much and say little,but some people do little and say so much.
cedesmith:Can you make a tgtool version for japanese rom .it has a tsd (toshiba docomo) file not tsw(toshiba worldwide) file? http://update.toshibamobile.com/update/t01a/wm65/T01A_to_SP50_wm65.exe or tell us what are the differences between them?The T01A users really want to flash English Rom but they can't do that....
this is great news,i may get a tg01 now and sell my x1.Do you think you can port a HTC leo Rom now
mr.mike said:
cedesmith:Can you make a tgtool version for japanese rom .it has a tsd (toshiba docomo) file not tsw(toshiba worldwide) file? http://update.toshibamobile.com/update/t01a/wm65/T01A_to_SP50_wm65.exe or tell us what are the differences between them?The T01A users really want to flash English Rom but they can't do that....
Click to expand...
Click to collapse
Hoping cedesmith can think about this, because many people use japanese tg01
hi cedesmith
thanks for tool, i cooked the rom..but when flash, the sd updater says "invalid file"
the cooked rom size is 234564kb and the original latest tg01 uk rom size is 253572kb
I checked with hex editor as well and the -chk oprion..cannot see anything differrent.
I just cooked the exisitng rom first, as it is to see it it boots or not.may be we miising header? because of size differrence ?
hdubli said:
hi cedesmith
thanks for tool, i cooked the rom..but when flash, the sd updater says "invalid file"
the cooked rom size is 234564kb and the original latest tg01 uk rom size is 253572kb
I checked with hex editor as well and the -chk oprion..cannot see anything differrent.
I just cooked the exisitng rom first, as it is to see it it boots or not.may be we miising header? because of size differrence ?
Click to expand...
Click to collapse
VOW, hdubli can my japanese tg01 can use your rom too? maybe I can test it in my device...
Related
I am trying to extend the bepe's kitchen in order to include support for Mio A701 and Mio A700 (Scoter platform). Some of you are already aware of it.
Our DOC architecture is quite simple:
- DOC's static RAM: G3/G4 Initial Program Loader
- DOC BDK0 Binary partition that keeps the Bootloader
- DOC BDK1 Binary partition that keeps the Microsoft Initial Program Loader (also called SPL over these forums, isn't it)
- DOC BDTL0 TrueFFS partition that keeps the WM5. This partition is exactly 50MB (0x3200000 bytes). It is a MSFLSH50 image containing a 0x400 bytes header followed by 4 subpartitions.
- DOC BDTL1 TrueFFS partition that keeps the user data in a FAT32 filesystem.
BDTL0 has 4 subpartitions:
- Part00 Starts at offset 0x400 inside the MSFLSH50 image. Unknown format, it has 'SRPX' signature at offset 0x40.
- Part01 Unknown format, it has 'SRPX' signature at offset 0x40.
- Part02 IMGFS segment.
- Part03 segment with an empty FAT16 filesystem used for padding the size of 50MB required for the BDTL0_MSFLSH50 partition.
I can extract everything but those files stored in Part00 and Part01. IMGFS can be easily extracted and built with the IMGFS_tools by Mamaich.
In HTC devices the kernel and critical drivers are stored in 2 XIP chains, but these files do not seem to be XIP chains since they are compressed or encrypted. Thew SRPX signature is not very common, Buzz Lightyear talked about it here:
buzz_lightyear said:
hi willem,
hmm... I know, it's a problem...
wm5 compression signature is 'SRPX' (as far as I remember coz i'm 1 month away from it). it's XPRS other way around. XPRS is some standard compression. I guess it is also included in cecompress.dll from CEPB5.
...just a thought... maybe a bit of help...
is it also used in smartphones with wm5?
thanx
buzz
Click to expand...
Click to collapse
After that no one else has talked about this kind of segments or SRPX signature.
If you want to take a look at the unknown segments/subpartitions of the MSFLSH50 WM5 image then you can download a dump of Part00 and Part01 from here.
I need to extract and insert files into this segments, can you help me with any related information about it please?
Thanks a lot,
Oki
Hi Oki,
where did yo dig that post about SRPX out, please )))
Anyway, i still have no info about that, but i'm wondering, what would you like to put inside...
Oki said:
Microsoft Initial Program Loader (also called SPL over these forums, isn't it)
Click to expand...
Click to collapse
))) it actually is SPL
buzz
It is nice receiving a quick answer here. I have already posted this in your site.
It seems that Microsoft calls the SPL as MS IPL. It does not matter, in the MiTAC world bootloader is known as UBoot and has a nice menu for selecting the part that you want to flash so we only need to create a customized MSFLSH50 image and that's all, the OS is upgraded.
I want to create a customized image for my device so I need to apply the certmod.dll patch described by mamaich. Any other solution?
The kernel file, some critical DLLs and boot.rgu among other important files are in those two segments, so in order to create a customized OS I will need to access these files and replace them.
Let me ask you where did you found the SRPX signature? Is there any other device with this image format?
Thanks,
Oki
Oki said:
It is nice receiving a quick answer here. I have already posted this in your site.
Click to expand...
Click to collapse
)))) maybe because i was on this site, when i've got notification...
But i first answered at buzzdev.net ))))) LOL
"Hi Oki,
so SRPX... )) i saw that very long time ago in some Himalaya WM5 ROM. i really can't remember, where exactly.
all i know is, that XPRS is a kind of compression, so i thought that time, that XPRS is actually SRPX other way around.
Then, as other things poped up, i somehow forgot about that totally ))
CU
buzz"
For Oki: SRPX signature found on ATOM LIFE
Hello Oki,
The XDA Atom Life has MSFLASH50 format as well as SRPX signature for the kernel part. I was wondering what is the start of the segment for the MSFLASH50...? I couldn't seem to get msflshtool.exe to work with this ROM. It keeps on saying not a MSFLASH50 format.
BTW, your Scoter Kitchen tools worked on XDA ATOM, we are trying to port the files from XDA ATOM LIFE into our ROM... Fortunately you have covered this format so we can extract its contents...
Jiggs
request for other srpx-tool
Hello, and sorry for digging in this old thread.
I have a XDA Comet aka Atom Life and the XIP is SRPX compressed like Jiggs described.
I'm trying to update the Kernel.
I use the SRPX tools from Scoter kitchen. With MSFLSHTOOL i get 2 XIP and 1 imgfs part.
I use SRPX2XIP for the second part and the XIP is 1728 KB.
If I change back with XIP2SRPX the new part is only 1442 KB.
So I write back this part to my ROM image and the image doesn't boot.
Is this an error from SPRX tools or did I miss something ?
I can't find an other tool for that job. Google gives only a hint to "sushi-repeat-containing protein" but i guess that's not the information i realy need.
May be someone can enlighten me.
Attached a link to Atom Life XIP (If someone is interested)
http://rapidshare.com/files/79622471/LifeXIP.rar.html
scorpio16v said:
Hello, and sorry for digging in this old thread.
I have a XDA Comet aka Atom Life and the XIP is SRPX compressed like Jiggs described.
I'm trying to update the Kernel.
I use the SRPX tools from Scoter kitchen. With MSFLSHTOOL i get 2 XIP and 1 imgfs part.
I use SRPX2XIP for the second part and the XIP is 1728 KB.
If I change back with XIP2SRPX the new part is only 1442 KB.
So I write back this part to my ROM image and the image doesn't boot.
Is this an error from SPRX tools or did I miss something ?
I can't find an other tool for that job. Google gives only a hint to "sushi-repeat-containing protein" but i guess that's not the information i realy need.
May be someone can enlighten me.
Attached a link to Atom Life XIP (If someone is interested)
http://rapidshare.com/files/79622471/LifeXIP.rar.html
Click to expand...
Click to collapse
Did you do a hex comparison between old and new XIP? you could try dumping and rebuilding first without modifications, and see the difference. vivi was able to sort this thing with his asus p525.
tjlabais said:
vivi was able to sort this thing with his asus p525.
Click to expand...
Click to collapse
Thank you for the hint.
After comparing the Comet-, the Atom Life- and the rebuilded file, I'll try to hexedit the beginning and fill the end of the rebuilded file to match the right filesize.
Will report later.
edit:
after simply cosmetical changes with a hexeditor the files are identical.
Hello!
Thanks to ppl from this forum I've managed to assemble from various sources files required to dump, build and flash back to device WM6 English ROM. It is not a "plug & play" style kitchen yet, so I call it "ROM Kitchen essentials"
Most of files are made by other people. Mine part was converter and flasher hacking. As for now, you have to edit dumped ROM absolutely manually. There are no support for initflashes.dat automatisation. You may want to use rgucomp to make changes to default.hv and user.hv.
Thanks goes to (not in any order )
trinca
mamaich
bepe
itsme
faria
double_ofour
yhauwang
and many others...
Actual version is 0.1 and RAR archive is about 50Mb.
All required files (including WM6 Eng ROM distribution and flasher) can be downloaded from:
h**p://www.r*pidshare.com/files/47189318/Juggler_Samsung_WM6_Eng_ROM_Kitchen_0.1.rar.html
You also may want to download original WM6 English ROM from here:
h**p://r*pidshare.com/files/45439904/Juggler_WM6_i718ZMGF4_PDA_Eng.rar.html
And radio firmware (required for some i71x to work with WM6):
h**p://r*pidshare.com/files/45950071/Juggler_WM6_i718ZMGF4_Phone_Eng.rar.html
In case somebody don't know how to flash Samsungs i71x:
Make backup!
Have your your firmware at hand so in case of troubles you can flash your original firmware back!
Turn off device.
Disable all ActiveSync connectivity (usb, comm, etc).
Run flasher and click start.
Hold "down" button on device and turn it on while holding "down".
Flasher recongnize it and start to flash.
After flashing make a hard reset.
If GPRS/EDGE do not work your radio firmware is not compatible with new WM6. You have to go back to your original firmware or flash new radio!
To flash new radio firmware you should have SPECIAL FLASHING CABLE for samsung phones! It is not the one that comes with device!
Now you have options to buy such cable, build one yourself, flash your original fimware back or continue using WM6 without GPRS/EDGE - it is your choice.
So - to flash WM6 you need usual usb cable. New WM6 probably work with your radio. If not - you should flash radio!
Special flashing cable is the cable with USB-Serial adapter or plain serial cable:
h**p://www.fonefunshop.co.uk/datacables/samsung.htm
Search for UNLOCK / FLASH CABLES and you'll see
"Samsung D800 - T809 - E900 - D900 USB Cable
This cable is needed to unlock / flash the Samsung D800 - T809 - E900 - D900 etc."
Notice the difference with the usual USB cable supplied with device!
Have you read my thread on the Samsung i60x?
Hello, there,
Please refer to this thread:
http://forum.xda-developers.com/showthread.php?t=316647
It seems very familiar to the i600. I will download your image just for the sake of taking a look... The ROM with header B000FF is prepared with the Romimage tool from the MS WCE IDE and is named the Run-time image, the nb0 ROM (that works with the WM5 kitchen) is prepared by Romimage by splitting the nb0 ROM in 128 KB records, a header is added containing start address, record length and Checksum 32. Then all this chunks are added together and compressed with another tool named compbin, the "encryption" you are seeing is no other than the aftermath of this compbin tool.
If you read myu thread you will find I was able to extract the flat image using cvrtbin (also another MS tool that comes with visual studio) you may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) and so on.
Making the ROM back to the B000FF format is going to be the trouble. Again, read the thread.
There is also an excellent article on Mobilepro BIN roms made by cmonex, you can get a copy of that tutorial inside his Romtool packege, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca
Thanks trinca, at least I have something to read to start with. But the first thing a can't figure out how correctly RIP rom image from EXE file and then after modifing it PUT it back to flasher. There s.b. some proprietary tools for samsung phones or pdas.
Extracting the i718 ROM image: a suggestion
JugglerLKR said:
Thanks trinca, at least I have something to read ...
Click to expand...
Click to collapse
My friend, we are all navigating uncharted waters..., this requires some research, and the courage to flash the phone with the outcome of your research.
Please read my post:
http://forum.xda-developers.com/showthread.php?p=1371344#post1371344
It will give you a hint on how I found out how to extract the O/S payloads for the i60x, pretty sure it may work for your model as well. A quick look to your executable shows the arrangement may be similar, I would say for the i718, the O/S ROM is located last as it is on the i60x, starting at address 0x01620000 now, just by looking for the end indicator (following the string B000F, 0x0A, 0x00000000 which is the ROM start address, 0x00CA5F03 which should be the offset -little endian-, actually would be 035FCA00), however be noticed the runtime image is compressed using compbin during preparation, therefore I would guess is a little more beyond. You may have to do some research here.
Start by cutting the area surrounding such an offset and use viewbin to determine the offset length and cvrtbin to find if your cut was successful.
BTW it would be nice to find a tool to just decompress B000FF Runtime ROMS. (differently of what it does cvrtbin converting and decompressing Runtime images)
One other thing you may do is to use xdautils, you may find those here:
http://wiki.xda-developers.com/index.php?pagename=XdaUtils.
This collection of utilities has pdocread allowing you to extract the contents of raw partitions in the pda. Make sure to use the handle to extract each raw partition.
Regards,
Trinca
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
JugglerLKR said:
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
Click to expand...
Click to collapse
To decompress the image:
Get a tool named viewbin, also part of the MS PE, run it on your file and will tell you the start address and the offset of the img files. THen use this information with cvrtbin. If viewbin reports the start address is 0, then use 1 in cvrtbin, otherwise the extraction will fail.
To use PDOCREAD, you run it from your computer, it will install itsutils.dll in your phone and you must accept this in the smartphone. Your phone must be unlocked to do that and the policies set to allow unsigned applications to be installed in your phone. TO accomplish the above you need to modify the registry on the phone. See how it is done here:
http://www.modaco.com/index.php?showtopic=244205
TO dump the ROM with PDOCREAD, see a detailed procedure here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom
Be informed some phones like the i607 require the disk kernel handle, reported with pdocread -l, if you follow the procedure in the above link with no results, then add the disk handle.
Wish you good luck....
CAn Anybody help PLEASE????
I have a i718 but was bought in China and the OS is in Chinese. The blur me can only read English. Is the ROM in English? If I were to download it (still struggling now with the russian words), how can I change it? All I need is the phone to be in English. I do not need to improve anything as WM5 is good enough. I know I am a newbie and I might not be in the right thread. Can anybody please help? Any links to show "how-to-change the ROM" would be most appreciated. Thank you in advance
Your phone is also known as i710
Your phone Samsung i718 is the chinese version of the Samsung i710, all you have to do is to install the phone serial/modem drivers from the companion CD and place the phone in bootloader mode. If you get the ROM package cited above in the first post of this thread by JugglerLKR you will find complete instructions on how to download the ROM into your phone.
Good Luck!
Thank you
Thank you very much for the quick response sir! Really appreciate it. I finally managed to download the ROM and will give it a go this weekend. Wish me luck. I will be reading more to make sure I am doing the right thing as I am definitely a nOObie. First time flashing a phone .
I looked at the CD that came with my phone and the only thing I see is the ActiveSync 4.2. Worse of all, everthing seems to be in Chinese. Guess I have to do more research to see where I can get the drivers you mentioned. There are also alot of things I do not understand like bootloader, how to do a hard reset, etc. I will continue searching and reading and will post the development of my virgin "flash" as I move along.
Thank you once again.
Trinca - so I dumped my ROM from device to .raw files. What can I do with them now? viewbin shows only zeros on b000f .bin image extracted using winhex from .exe
Use Mamaich's ROM Kitchen
You can find instructions to do some cooking and tools here:
http://forum.xda-developers.com/showthread.php?t=249836
This is self-explanatory, tell me if this is enough or you need some extra info. Once finished, the trouble would be to put that back in B000FF format for flashing, as there is no tool to do that yet, and you can't just download a raw image back into the phone. The Runtime image is formed as follows:
Byte---->--1--2--3--4---5--6--7--8---9--10--11--12--<----------- 128KB------------>
Record 0> 42-30-30-30-46-46-06 <Start add> <lenght of ROM> -----------------(42-30-30-30-46-46 = B000FF in ASCII ; 06 = end of header B000FF)
Record 1>--<Address> < length > < CHKSUM32 > <----Chunk of Raw image-->
Record 2>--<Address> < length > < CHKSUM32 > <----Chunk of Raw image-->
" "
" "
V V
Last Rec>-00-00-00-00--00-00-00-00--00-00-00-00
I am doing some crazy splitting and Hex scripts to achieve that, but it is a pain in the neck. So I have decided to make a proggie to help me out with that. Please see the thread
http://forum.xda-developers.com/showthread.php?t=316647
on the 2nd post you will see what I am talking about.
Regards,
trinca
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working also, as it cannot accept 0x00000 as start adress
JugglerLKR said:
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working also, as it cannot accept 0x00000 as start adress
Click to expand...
Click to collapse
Start address = 0001ffe0
So, How to convert dumped LZX packed rom to B000F format for flashing to device?
How to convert dumped LZX packed rom to B000F format
Please refer to my thread:
http://forum.xda-developers.com/showthread.php?p=1392761#post1392761
I am unable to download your file (can you post it on rapidshare ou megaupload?). I am in the same situation as well but I appiled the english patch from asukal and Buzzlightyear and it worked .. I now have a device in english ... I am waiting for the firmware in english.. I have wm6 roms in chinese that I have not tested it ...
I also have a i710 rom but it's also a .bin file dumped from a i710 device ...
Hope this helps,
-Hau
I have uploaded several files... Can you tell me which one you have trouble with?
trinca
Oops ... My message was intended for Juggler uploading his ROM ...
Thanks,
-Hau
Thanks to trinca and bepe, mamich and many others i've managed rom kitchen essentials - look at first page.
i downloaded your flasher but why when i run i718ZMGF4_PDA_Eng, i click detect but nothing detected....
phone is on and connected via active sync
Hi,
I need help with my Ipaq 6955......i got a french verison and i need a english rom to flash, i have tried the tread that talks about the 6915 but does not work...
Please help need a english rom for it and if some has a wm6 rom for this model please let me know
Welcome to the club!
http://forum.xda-developers.com/showthread.php?t=325051
Might help.
Anyways you (and I) need a Rom or rom upgrade that is in English (F*ckin HP doesn't provide it!!) Anyways P.M. I can give you the dumps of an English rom (I dumped it with pdocread (see link above) but I haven't tried to pdocwrite it so more or less its a shoot in the dark (dawn?) If you want more info about my dilemma see my last post in the above discussion. http://forum.xda-developers.com/showthread.php?t=325051&page=3
Anyways PM if you want those dumps
I guess there is another option available e.g. modify the registry and add some MUI files (Havent researched that option yet)
To convert nb to nbf there is a solution, but some questions stays unanswered...
During an upgrade, RUU uses wdatas which seem to use signature (source: hermes forum...). We don't have information about wdata command availability in bootloader mode.
In fact, the english dump you made is a CEOS file with header and some imgfs_removed_data.bin informations.
I tried to use a dump to create a CEOS file which could be disassembled as any other ipaq69xx ROM, but RUU hangs and the upgrade fails.
If we could know why the upgrade fails (checksum test, signature...), we could try to find a way to bypass it.
After this step, it will be easy to cook some ROM.
One more problem is G3 and G4.... Is it supposed to be the same G3/G4 difference than for wizard?
to b0ris747
In another thread earlier you gave this link http://forum.xda-developers.com/showthread.php?p=1480853
Just went through the whole thing - relevant but not helpful. For short:
1) Extracting the osrom.nb using pdocwrite. To be frank I didnt like the usage of -d flag (device name) and -p (windows assigned) partition name. It makes things very confusing (If you try to actually follow the procedures not only re-type) because there are duplicates of device names TrueFFS and duplicates of partition names Part00 Part01 etc. If someone wants to understand the pdocread.exe flags and usage please read the following thread where itsme explains it all http://www.spv-developers.com/forum/showthread.php?t=2888
2) That thread describes a method to extract the directories of an OSrom image (using these tools http://forum.xda-developers.com/showthread.php?t=249836)
So this action helps to cook (modify the OSrom's files) and then put them back into .nb (.raw format that is not a flashable .nbf/nba)
3) Also describes how to extract various roms (Osrom, Extrom, RadioRom) from a different type of flashable rom .nbh Basically (not getting into depths, just to better describe it) .nbh is a .nbf/nba rom container used in flashable updates onto other HTC devices. This procedure is completely irrelevant to Sable/hw6915, but we can skip that.
4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that it's header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new coocked rom is legit This might come in handy someday.
5) The next step is to make a .nbh file container using HTC ROM Tool by Dark Simpson. This is completely irrelevant because sable does not use .nbh
Anyways that is as far as I go with my backup which cannot be restored.
pdocwrite
Right now Im researching the possibility to just simply restore the osrom using pdocwrite utility form itsutils package. It seems the only simple, clear (and possible) option w/o cooking.
But I have some questions regarding that:
1) If my partitions are as follows :
63.94M (0x3ff0000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
51.22M (0x3337e00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
STRG handles:
handle f3f54ee2 51.22M (0x3337e00)
handle 93f54212 56.75M (0x38c0000)
handle 13f54026 3.19M (0x330000)
handle 33f54002 3.06M (0x30fc00)
What to dump - just the 56.75megs form 93f54212 handle or all 64 megs I can access using this handle? As I understand that the little partitons (first little) are also part of osrom containing xip and spl, but I dont want to change the SPL nor other things, just flash the Spanish rom with a copy of an English hw6915 rom which also happens to have additional software like tomtom for example.
2) And the second is about CID. As b0ris also I'm botherd about the G3/G4 thing. My bootscreen shows
English iPAQ 1.00.00
1.21UK
Spanish iPAQ 1.00.00
1.50
So I guess that I have G3 CID lock, but which tool should I use to unlock?
3) Can I even pdocwrite the OsRom when it is used by windows mobile? Thou guys developing aWizard say yes (I studied their bat file which executes the same pdocwrite and pdocread utils)http://forum.xda-developers.com/showthread.php?t=252957&highlight=awizard
rx-8 said:
4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that it's header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new coocked rom is legit This might come in handy someday.
Click to expand...
Click to collapse
I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format. The problem in the upgrade. Some checksum/certificate verification made the upgrade fail. I don't know if this comes from the RUU or from the device.
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
The question I would like to answer is: Does the RUU tool send the checksum data to be verified on the device (hard to fix) or checks it on the PC, then send to the device (simple crack!)...
A simple way to answer it would be to upgrade the device using an official ROM, tell me what ROM you used (Orange, Bouygues, German, Spanish) and we'll see if the additional datas are sent or not.
If you got the solution about this, I have some ROMs... ROM headers are OK, ROM can be decompiled as any official ipaq ROM (except the Orange one), but ROM cannot be upgraded...
Of course pdocwrite should write, but we have to find where the CID lock is
CID in hw6915
I think one developer may have the answer to our questions about he cid
wikidorg said:
Well, I tooked the french Orange sable_ruu, and works everytime when flashing my 6915... The only rom for that update utility is in french.. i looked on internet and i've found sp's from HP, downloaded all, but none in English... Just for fun, i've hexedit every one of these sp's CEOS.nbf with that working french header from original Orange sable update...Then i flashed using sable_ruu from Orange package and i changed 3 or 4 different languages... it worked everytime, all was ok... but still no English CEOS.nbf in order to change language to English using the same method... So now i am looking for HP 6915 original softpack from HP, and that should also work in the same manner... If someone have it, i can give a try... Meanwhile, that's no problem for German, Spanish, Italian and Dutch (i think) languages... These are the only softpacks i've found till now...
Click to expand...
Click to collapse
He explains some of his techniques in this thread http://forum.xda-developers.com/showthread.php?t=325051&page=3
b0ris747 said:
Of course pdocwrite should write, but we have to find where the CID lock is
Click to expand...
Click to collapse
It's a pitty though he didn't mention what he'd done with the CID lock thing.
I already PM him this morning but no response yet. Lets just give him a little bit of time and hope for the best
b0ris747 said:
I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format
Click to expand...
Click to collapse
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successfull. Anyways please post here what changes have you made to mamaich tools.
b0ris747 said:
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
Click to expand...
Click to collapse
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
BTW my devices are original HP (One English and one Spanish) with no operator's contract bugging me So please upload your English rom to this forum, rapidshare or my FTP server.
You may want to open the below link in IE or some FTP client app.
ftp://xda:[email protected]:82
I would very much appreciate it because I only have my dumped .nb rom
rx-8 said:
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
Click to expand...
Click to collapse
if (argv[argc][1] == 'i')
{ rate=0x10089; step=0x10000; skip=0x89; }
it's in the last page of the mamaich thread, and I created a specific thread on the hw69xx forum
rx-8 said:
And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successfull. Anyways please post here what changes have you made to mamaich tools.
Click to expand...
Click to collapse
Yes, the ROM stored in DOC is un-encapsulated, unlike current upgradable ROMs. That's one of the points that makes official ROMs upgradable. The other point is "What's contained in the unknown data zones, is it sent to the device for checksum verification or can we bust this verification by cracking RUU?"
rx-8 said:
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
Click to expand...
Click to collapse
try to find some informations... I didn't find any and used the same software as he used...
rx-8 said:
I would very much appreciate it because I only have my dumped .nb rom
Click to expand...
Click to collapse
There is another ROM dump available here on the forums
I can dump my 6965 ROM for you if you like. This is the Australian (English) model.
http://h10010.www1.hp.com/wwpc/au/en/sm/WF05a/1090709-1113753-1113753-1113753-1117925-12573438.html
Please dump bootloader too if possible.
If you can dump the bootloader part, it would be great to have it.
I'm asking this because in sable_RUU I'm seeing weird things
-The updater seem to be made to all hw6xxx series
-Very easy to track!
-Seem to be made for wdata command and wdatas command.
So my new question (last one was: "are the extra data of the NBF sent to the device, or checked by sable_RUU?") is:
"In bootloader mode, do your have wdata command or wdatas command?"
And:
"Is it just for hw65xx devices (if confirmed to work) or is it because of some preproduction devices who have a special bootloader (like the HERMES)?"
And that's why having a backup of an unmodified bootloader would be great! Just in case we need it later!
domp using what?
Hi!
I know that it is impossible to dump IPl using pdocread, so I can dump only the SPL (To be frank I dont know the offset and size of the SPL) so if you can link me to a SPL dump manual that would be very nice. If not I can give you my whole Osrom partition dump (Including the xip and other stuff - the 6.25megs before real Osrom) (see my ftp rx-8_en_dump folder)
If you want me to dump bootloader using bootloder mode I must say that I wasnt able to access it (pressing action button+power+soft reset) any suggestions?
Similar post on Sable flasing!
http://forum.xda-developers.com/showthread.php?p=2577170#post2577170
Hello community,
I would like to thank cedesmith, thats provided me very useful information about the next steps that are needed to get WM6.5.3 on the TG01.
Ok here is the actual development status:
Progress of the Project WM6.5.3:
- With SDDL+ made by stepw we can flash any Rom on the TG01
- With cedesmith's tool TGTool v.1.2.14 we can decrypt the .tsw file that Toshiba provides us, we than get an unencrypted .bin file out of the .tsw file
- We also can dump this .bin file by also using cedesmith's TGTool v.1.2.14
TGTool.exe extracts out of the .bin the following parts:
-TG01.AMSS.nbin
-TG01.APPS.nbin
-TG01.APPSBL.nbin
-TG01.DSP1.nbin
-TG01.EFS2.nbin
-TG01.FOTA.nbin
-TG01.FSBL.nbin
-TG01.MIBI.nbin
-TG01.OSBL.nbin
-TG01.SIM_.nbin
-TG01.WMB0.nbin
-TG01.WMB1.nbin -> is boot+xip partition (information by cedesmith)
-TG01.WMB2.nbin -> is imgfs (information by cedesmith)
-TG01.WMB3.nbin -> is dos partition (information by cedesmith)
- With viewimgfs.exe it's possible to dump the imgfs partition (TG01.WMB2.nbin)
- With bepe's package Tool it's possible to analyze the Rom. Through this you get a OEM and a SYS folder, that contains some important files
- With TGTool v1.2.14 it's also possible to dump the OS that's included in the decrypted .bin file (you get a file called TG01.OS.nb)
- With TGTool v1.2.14 it's also possible to dump the payload that's included in the decrypted .bin file (you get a file called TG01WP.OS.payload)
- After Rom is cooked, it's possible to check the Rom with cedesmith's TGTool v1.2.14
Next steps of the development (To-Do-List):
- Rom needs to be cooked
- Tool needs to be made that rebuilds a .bin or .tsw file out of the modified files
We should already thank hdubli that is currently working on a Rom.
And we should thank cedesmith. Without him there would be no development for the TG01. There would be nothing...So big thanks to cedesmith who made this project possible.
Will update this post as soon as we got more information!
Best regards,
DunkDream
Wrong...See first post for right information.
DunkDream said:
Okay I gained some informations.
Well a Hard-SPL is needed when we want to flash custom roms that are not official on out TG01.
So I think this must be the first step in the development.
One question remains. If the phone got the Hard-SPL, what is needed to get a working WM6.5.3 Rom onto the phone?
And what is needed to cook this Rom?
For example, if we get a Hard-SPL for the Toshiba TG01, will the people of WMPoweruser be able to cook a Wm6.5.3 Rom for the phone or do they need some files out of the TG01 that they can't get at the moment?
People, you need to realize that more informations are needed!
Nobody will help us, if we don't know what is needed to be done!
Does nobody know the exact Rom Development Process for Windows Mobile phones here?
I count on you guys! It's our only chance to get a working WM6.5.3 for our phone.
So please answer me! I can than provide the Cracker all the information.
Best regards,
DunkDream
Click to expand...
Click to collapse
Hard spl how I say we dont need. May be I am not sure. I have a simple kitchen for other Toshiba 900 but I think is working for TG01. What we need all files from TG01 dll , cab etc....
That is from one beginner if I can help with something more tell me.
about the need
I am so glad to see that someone finally care the TG01 progress.
I come to the forum from the time TG01 to be opened,waiting the cooked rom for a long time, many IDs come and many IDs go, at last the news about TG01 become few more and more, the people that use TG01 become lack more and more,many thread not to be updated for a long time.
OK, then I talk about the need that I most wanted:
I have a japanese version TG01, it only can flash the japanese rom, and can not flash the ENGLISH or ITALY rom, and as I know ,many people like me have the same question.
Hope DunkDream can help to solve this question.
Well for me it seems that nobody in this Forum knows 100% sure what is needed to be done, to get a cooked Rom for the TG01.
If we don't have more information about the TG01, nobody will help us.
Or what should I tell the person I talked to, now?
Should I tell, that we want a hard-spl but are not sure if it's needed?
I guess, this development is not very easy.
I'll try to get more information about the TG01 and want to find a person thats knows the Rom Development process for WM-Phones very good.
We need a real expert in Rom Development.
Maybe Wen knows one, I could talk to.
I'll ask him.
Before we don't have all information, we won't get a new Rom for our phone.
Sorry bojan, but we need to be 100% sure Otherwise we may cause some people work that is at the end worthless.
Best regards,
DunkDream
I started a new thread in the General Hacking and Development section of xda-developers.
Maybe I can gain some informations there.
Can somebody explain me what we exactly can do with the tool that cotulla made and with the sddl+?
Thanks in advance!
Here is the thread I started:
http://forum.xda-developers.com/showthread.php?t=639783
Hope that sums everything in a good way up.
You are welcome to post in that thread, if you gain new information!
about sdd+
there are two threads about the sdd+ download method and short pin download method.
hope these threads have some useful:
about how short pin to download:
http://forum.xda-developers.com/showpost.php?p=5405267&postcount=325
about how SDDL+ to download:
http://www.modaco.com/content/toshi...7/tg01-sddl-plus-install-rom-in-any-language/
sorry I dont know
sorry I dont know who know the most question about TG01,but I think you can contact Wen\bojan, I hope you will get much info.
and I am very happy that you care about TG01,hope the good news,but I think it is a hard work.
So you want a know the truth?We need hard spl if we want a full ROM who work in all TG01.
And other think we need is a decompress the bin file. Cotula program is just decrypt the tsw file now is unpack this file and you can cook.
What info do you need more? We have kitchen we have files decrypted and we need just unpacker and hard spl.
Couldn't you just wait for the TG02 to come out and then flash that rom on?
All the TG01 2 is different chassis and a different screen.
Just sent a PM to Cotulla regarding what exactly is needed. Hope he'll help us.
TG01
mikiril said:
Just sent a PM to Cotulla regarding what exactly is needed. Hope he'll help us.
Click to expand...
Click to collapse
cedarsmith main tg01 forum is a programmer but needs main toshiba tg01 bin file decrypted which is totally different to htc variants.
bin files sticking point
Progress of the Project WM6.5.3:
- With SDDL+ made by stepw we can flash any Rom on the TG01
- With Cotullas Tool we can decode/encode .tsw files
What we need:
- A person that understands the format of .bin (unencrypted .tsw)
Now we need to search that person. I'll ask around if someone is able to help us and wants to help us.
Special Thanks to cedesmith due he knows we is needed to get WM6.5.3 for the TG01!
Best regards,
DunkDream
And here is reply from Cotulla:
"Seems you need decrypt TSW image to BIN and then encrypt it back to TSW.
BIN image have complex format with header and many parts.
Obviously we need exclude all stuffs except OS.
The main problem to test this - I am not sure if we put wrong image, it won't brick device...
-Cotulla"
crazy thought no.1: can we just use pdocwrite to write a new imgfs to Part02 ?
does anyone know if pdocwrite works ?
the good part would be that it would reduce the chances to brick the phone as would only write OS portion of the flash thus leaving SD Downloader intact and short pins would work to restore original rom.
could anyone use pdocread to dump a UK version rom ? i have dumped RO rom but could use UK version.
one could download rapi tools and use:
pdocread.exe -l
pdocread.exe -w -b 0x800 -d DSK1: -p Part00 0 0x17f000 Part00
pdocread.exe -w -b 0x800 -d DSK1: -p Part01 0 0x380000 Part01
pdocread.exe -w -b 0x800 -d DSK1: -p Part02 0 0x9940000 Part02
addresses and sizes may vary on UK ROM but u can see that with pdocread -l
do not post Part03 as it contains you contacts and pictures and etc
You are finish decompress or (unpack ...) bin file.When we do it we can start dump.
We don't need dump ROM we need unpacked original to see witch file it use.
I have dumped 6.1 PL rom(rare) 6.5 UK leaked 6.5 O2 leaked using these tools... then unpacked them in Touch Pro kitchen but I only get access to protected files dumped rom gives You nothing more... Trying to write something using these tools can brick TG01...
i could relay use dump of official UK 6.5 ROM for comparing with update file.
nico you could also use bepe's tools to dump Part02.
xidump.exe -I -b Part02
result is ready to be put in a kitchen.
one could make now a custom rom using WM 6.5.3 but the problem would be writing it back to phone.
this could be done by writing directly on flash with pdocwrite ( but i think it will not work ) or by replacing OS (IMGFS) on original toshiba rom with cooked one.
the problem now is that i cannot figure the algorithm Tosh uses to calculate 112bits hash.
to explain a little:
imgfs starts on .bin file at 0x565E000 and is Part02 in dump with pdocread
every 464 bytes 0xFFFF is inserted
every 512 bytes a 112 bits (14 bytes) hash is inserted.
i could not figure out the hash algorithm. when i do i could reintegrate coocked OS into update file and have a cooked room.
nico101 said:
Trying to write something using these tools can brick TG01...
Click to expand...
Click to collapse
i know, almost any mod can.
does O2 rom have SPB Mobile shell ? do hardware buttons work ?
TG01
mAIN STICKING POINT IS STILL DECRYPTION OF ROM BIN DUMP AND THE RADIO STACK THO
OK, so I was asked by kevinpwhite to write up a guide on how I made a ROM with with Orange logo, so here it is.
Also, i'm sure some of this isn't needed, but I tried to be thorough. I'm not much of a guide writer so if you find this hard to follow or think its missing something, please let me know and i'll try my best to fix it.
Now before I begin, I should warn everybody that flashing unofficial software is unsafe, I followed this guide myself before posting but I can hardly guarantee safety by just using it myself.
Files Needed:
TGTool 1.3.19 - http://forum.xda-developers.com/showthread.php?t=650075
tg01_sddl+ - http://www.4shared.com/dir/18687254/7d532a3f/Windows_Phone_65.htmla
TG01WP_6.5_Orange_UK_Update - TG01WP_5005000176.tsw
TG01WP_6.5_IT_Update - TG01WP_5005030076.tsw
For ease of use, I renamed my ROM's ITA and UK respectivly, and I will be refering to them as ITA.tsw and UK.tsw in this guide.
So for starters, put your UK.tsw and ITA.tsw in the same folder with TGTool. Run 'Command Prompt', navigate to your chosen folder and then we can begin.
Step 1 - Take the English software out of the UK ROM.
Code:
tgtool -sp UK.tsw UK.nb0
Step 2- Insert that into the Italian ROM.
Code:
tgtool -mp UK.nb0 ITA.tsw TG01WP_00.tsw
Step 3 - Copy TG01_SDDL+ to your 'Storage Card' if you haven't already done so, and copy TG01WP_00.tsw into a folder named 'prg'.
Step 4 - Run TG01_SDDL+ and let it flash.
Now as far a I can tell, this only removes the Orange logo from bootup, it still has an Orange logo on shutdown and still contains all Orange apps and settings. So you will still also need to follow kevinpwhite's "Soft De-Brand Procedure" to remove the majority.
Da Mafia - thank you very much - practically an instant response !
I can follow the logic now and think I understand this process better. The next will be to try doing it....carefully
Do you think any more steps can be taken beyond wrapping elements of one ROM within the shell of another or does that then immediately get into the realms of 'proper' cooking such as the experts are currently grappling with ?
I don't know of any easy way to make further modifications, so anything more than this will need a 'proper' cook. I've tried to look into this myself but the TG01 is my first Windows Mobile phone so I have no experience and don't know how much of the guides for other phones transfer to the TG01.
Hmm.. I've just tried the process and am getting an error message
" Upgrade image not found, copy an image to 'prg' folder of the storage card."
The TG01WP.tsw file generated OK (apparently) and I have copied to the prg folder (file size is identical to original).
View attachment 300061
To be repeated tomorrow
TG01WP_00.tsw
Thats what was wrong. Will update the first post.
thank you da mafia that's brilliant
i got this far
but i'm going to wait till tomorrow, as it's a bit late to start a new adventure
TGTool v1.3.19 copyright(c) 2010 cedesmith
Checking ITA.tsw complete
Creating TG01WP.tsw complete
Checking TG01WP.tsw has completed without warnings
Da Mafia said:
TG01WP_00.tsw
Thats what was wrong. Will update the first post.
Click to expand...
Click to collapse
Many thanks for the amendment. I am pleased to report that I have now succeeded with the re-flash.
One additional point to mention - changing the filename of the output .tsw file did NOT work. It was necessary to re-generate with the correct filename structure - evidently cedesmith's TGTool does something internally with that information.
View attachment 300191
Initial Toshiba splash screen, then few seconds dark period and then the normal Windows orange-coloured screen cal screen. Following the full 'soft-debrand procedure', apart from the residual .cab and other files dormant in the ROM \windows, etc. the device is now as 'clean' as I suspect is possible.
Brilliant stuff Da Mafia - thank you for taking the first 'great leap' !
Brilliant stuff cedesmith - thank you for providing the TGTool. I am sure that it will lead to much greater things, but even this apparently modest step needs to be seen as really significant
Next question is how can the UK OS Payload .nb0 file be filleted to remove the unwanted .cabs, etc.....
On a second tack, I have made a Registry archive post-debrand using CeRegEditor, but at present cannot figure how to be able to write that back to the device on top of the original Registry. Does anyone reading this have any expertise with that side of things they can share please ?
morning guys,
YES
this method worked great
to confirm what Da Mafia & Kevin have said...
this mod will basically re-create your standard oragnge phone - but with no orange boot up screen
sensational - can't thank you both enough
cheers
Adam
I guess I have a method to avoid orange cab's to install at all. But here is nothing sure at all... I'm flashing a working ROM now because i have to leave. I failed so many times flashing a 6.5.5 non bootable (im starting to get used to the pin method lol). By the way, I would work faster if you can tell me if that procedure works properly once I come back to house:
Code:
tgtool -sp tg01uk.tsw tg01.os.nb.payload
osnbtool -d tg01.os.nb.payload 2 imgfs.bin
imgfstodump imgfs.bin
imgfsfromdump imgfs.bin imgfs-new.bin
osnbtool -c tg01.os.nb.payload 2 imgfs-new.bin
tgtool -mp tg01.os.nb.payload.new tg01uk.tsw tg01uk-new.tsw
If it works I'm 90% sure I can build a debranded 6.5.0 ROM.
adzman808 said:
morning guys,
YES
this method worked great
to confirm what Da Mafia & Kevin have said...
this mod will basically re-create your standard oragnge phone - but with no orange boot up screen
sensational - can't thank you both enough
cheers
Adam
Click to expand...
Click to collapse
Hi Adam,
Glad you have been successful too ! I've now pasted in the Welcomehead and Shutdown screens and just soft reset a few times in the course of installing various basic software ... whole effect is just what was needed !
arag0n85 said:
I guess I have a method to avoid orange cab's to install at all.
Click to expand...
Click to collapse
I've not had time to absorb the detail of each step you've suggested....but could you please clarify which action will prevent the .cabs installing ? And is it simply to stop the auto-installer (same as editing the Registry pre-boot) or is it actually removing the .cabs from the payload completely ?
Sorry if a dim question, but feeling my way here !
kevinpwhite said:
I've not had time to absorb the detail of each step you've suggested....but could you please clarify which action will prevent the .cabs installing ? And is it simply to stop the auto-installer (same as editing the Registry pre-boot) or is it actually removing the .cabs from the payload completely ?
Sorry if a dim question, but feeling my way here !
Click to expand...
Click to collapse
Well, none of the steps I posted avoids the installation of cab's. It just unpacks and repacks the payload. If this simple steps works, I have located the cab files and registry pre-boot places that I need to edit.
So, I just need someone to test if the simple unpack-repack procedure builds a bootable rom. I will be out of house until tomorrow morning I guess and it's going to be faster to have someone testing it before I come back.
Also, If someone wants to try, just use the attached initflashfiles.dat and see what happens. It won't remove the cabs but I think it will avoid most of the Orange installations.
Originally Posted by arag0n85
... just use the attached initflashfiles.dat and see what happens.
Click to expand...
Click to collapse
Again sorry to be dim... how does one run the .dat you posted ? Does this need to be inserted pre-boot or is it run post-boot ?
nail varnish remover, some cotton buds, a small flat blade screwdriver & patience...
...and you can kiss goodbye to the orange logo on the back too !!
Cheers
kevinpwhite said:
Again sorry to be dim... how does one run the .dat you posted ? Does this need to be inserted pre-boot or is it run post-boot ?
Click to expand...
Click to collapse
you need to replace the .dat file on the dump directory after the instruction:
imgfstodump imgfs.bin
arag0n85 said:
I guess I have a method to avoid orange cab's to install at all. But here is nothing sure at all... I'm flashing a working ROM now because i have to leave. I failed so many times flashing a 6.5.5 non bootable (im starting to get used to the pin method lol). By the way, I would work faster if you can tell me if that procedure works properly once I come back to house:
Code:
tgtool -sp tg01uk.tsw tg01.os.nb.payload
osnbtool -d tg01.os.nb.payload 2 imgfs.bin
imgfstodump imgfs.bin
imgfsfromdump imgfs.bin imgfs-new.bin
osnbtool -c tg01.os.nb.payload 2 imgfs-new.bin
tgtool -mp tg01.os.nb.payload.new tg01uk.tsw tg01uk-new.tsw
If it works I'm 90% sure I can build a debranded 6.5.0 ROM.
Click to expand...
Click to collapse
I've just done this and flashed fine.
It looks like imgfstodump doesn't dump everything, my rebuilt imgfs is nearly 20MB smaller, also I cannot see initflashfiles.dat to replace, but still the phone flashed OK and is working.
Da Mafia said:
I've just done this and flashed fine.
It looks like imgfstodump doesn't dump everything, my rebuilt imgfs is nearly 20MB smaller, also I cannot see initflashfiles.dat to replace, but still the phone flashed OK and is working.
Click to expand...
Click to collapse
It may be also because the compresion of the payload it's diferent,I don't think it's because rubish in the payload, but well, if that's the case it's also welcome.
The initflashfiles.dat that i posted should be placed into the dump directory after the imgfstodump process. It should avoid the installation of orange maps, video player and other orange stuff. If it works then I just need to delete the files from the dump directory before rebuilding and voila, a debranded 6.5 payload.
Right, it turns out initflashfiles.dat was actually there, i'd just overlooked it. So i've flashed again using yours and again, working fine.
Da Mafia said:
Right, it turns out initflashfiles.dat was actually there, i'd just overlooked it. So i've flashed again using yours and again, working fine.
Click to expand...
Click to collapse
did you find any diferences?
I can't say for sure, but it looks like there is a tab missing from the Orange Homescreen, I don't normally use it so could be wrong, and I think the Orange Maps shortcut from the menu has gone too.