How to totally remove XDAtools from Windows XP ? - MDA, XDA, 1010 Software Upgrading

AS title..... thanks ! :wink:

- Remove the XDAtools subdir under 'Program Files'
- Remove the registry keys:
HKEY_CLASSES_ROOT\XDA OS Image
HKEY_CLASSES_ROOT\.nb1
HKEY_CLASSES_ROOT\.nbf
Unhappy?

No really..... may be is my XDA problem because when I run Fix broken bootloader from Windows XP with O2 xda in USB Cradle & I saw the below error message from DOS command prompt:
=============================================
C:\Program Files\XDAtools\binaries>pnewbootloader.exe bootloader_v5_15.nb0
Unable to find flash info offset, cannot disable bootloader writeprotect
=============================================
Can you / anyone success use the Fix broken bootloader from Windows XP to downgrade bootloader from v5.17 to v5.15 ? Please teach me if you can downgrade to 5.15, thanks !
THANKS A LOTS !

Related

Dump ROM (HTC P3300)

While in bootloader, need to save existing ROM, but don't know how to dump it.
r2sd seems to be removed. Any other commands or substitutions?
regards,
fdp24
please,
do post exactly howto remove CID lock, as i urgently need to reflash my device.
regarding your howto dump your rom , sorry i havent heard of a complete way!
regards
Use aWizard
I think It's very dangerous to restore rom with awizard. Hight risk to crash!!!
Does the artemis bootloader has rbmc command? if yes you can use it to dump the rom from bootloader.
artemis bootloader has not rbmc command,can't use rbmc command backup it's ROM !!
commands
I posted commands, which I found.
http://forum.xda-developers.com/showthread.php?t=285112
When you execute password XXXXXXXX
it says:
Cmd>password
Usage:
password [String]
Enter the password string to enable wdata, erase and rbmc functions.
But I could not get rbmc working
Hi All. I dumped OS and Radio from my Artemis used aWizard programm. Now i have 2 files: OS.nba and Radio.nba . Can i upload this versions on the same Artemis and how can i do it? maybe ather programm no aWizard?
Have u done swomething with ROM ???

Goldcard for Herald

I don't take the responsibility for any damage caused by the information included.
This is not my intention to reveal any secrets of HTC Company. All this information was known earlier. I've just collected it in one place and used it for repairing my broken HTC device.
Although it was successfully tested on Herald from Dopod, it should work on any Herald and as far as I know this is the only hope, especially for Heralds with low SPL number, broken by flashing with HardSPL
If you find this tutorial useful, do it on your risk.
I've spent a lot of time in searching of a solution for my bricked Dopod C858. It has been bricked after Hard-SPL by Olipro. When this Hard-SPL was first introduced, there wasn't any warnings about minimum SPL and GSM versions requirements. That's why there is a lot of people with their Heralds stuck in the bootloader mode without a possibility of successful flashing in any way.
One of the symptoms was Invalid Update Tool 300 Error when I was trying to flash even with the official RUU. The other symptom was "GetDeviceCID: Error - InitDecoder" when getdevinfo command was typed at MTTY console.
Finally I was able to recover from this state. I successfully created the goldcard - a micro SD card with the special header, which gives us a temporary SuperCID status (security level 0). In this way we are able to flash the new ROM via SD card, instead of using the official RUU (ROM Update Utility). If it is not enough to flash successfully, we can use a wonderful service tool included in Herald's diagnostic image (heradiag.nbh).
All the credits goes to "itsme" and his hard work. It wouldn't be possible without his knowledge, his help and his great software. Willem agreed to make this tutorial and share this knowledge on the forum.
Thank you Willem!
I would also like to thank "pof" for his effort and although he couldn't find a solution, he tried to help me, so thank you Pau!
The other person I would like to thank is "canonyang_China". I know he is accused of stealing Olipro's ideas of Hard-SPL. I only want to thank him for posting heradiag.nbh file. This is the great tool which together with the goldcard can do a lot.
I would also like to mention one person. It's "jockyw". He has almost identical solution but he has found it by himself. If you find this tutorial too hard to deal with I recommend to contact "jockyw" and he will help you for a small paypal donation.
TUTORIAL:
***********************************************************
Requirements (not tested on other configurations):
1) Windows XP with SP3
2) ActiveSync 4.5
3) ActivePerl 5.8.8.822
4) Crypt-DES and XdaDevelopers-NbfUtils PERL packages
5) typhoonnbfdecode.pl PERL program
6) itsutils tools
7) working mobile device with any Windows mobile OS (2003, 5.0, 6.0)
8) any .nbh ROM file from the official Herald's RUU
9) heradiag.nbh file
10) micro SD card (tested on 512MB and 1GB)
Ad.2) download your language verion of ActiveSync and install it:
Ad.3) download and install MSI installer of ActivePerl 5.8.8.822 from http://www.activestate.com
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a6-4563-8199-e1483f751c4f
Ad.4) run Perl Package Manager from Windows Start Menu
change PPM Preferences (run Preferences from the Perl Package Manager menu and switch to the repository tab):
- Add repositories:
Name: itsme
Location: http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository:
Name: theoryx
Location: http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (at the main window of Perl Package manager find those packages, mark them for install (the icon with green plus, next to the search bar) and run marked action(green arrow icon)):
-Crypt-DES
-XdaDevelopers-NbfUtils
If you can't find those packages on your list, please make sure you have selected "All packages" from "View" menu in Perl Package Manager main window.
Ad.5) download typhoonnbfdecode.pl from http://www.nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/
Save it to "C:\itsutilsbin"
Ad.6) download itsutilsbin package from http://www.xs4all.nl/~itsme/projects/xda/tools.html. Unpack it to "C:\itsutilsbin"
http://nah6.com/~itsme/itsutilsbin-20080602.zip
Ad.7) Find a working Windows mobile device and use it to format your micro SD card as FAT32. It's important to do this on working mobile device with any Windows mobile OS (2003, 5.0, 6.0) because PC USB card readers causing troubles with making a goldcard because of a different MBR interpretation.
- Activesync your working Windows mobile device with SD card inside
- On your PC enter windows command mode (Start->Run... cmd)
- Choose your itsutilsbin directory (cd C:\itsutilsbin),
- Run this command (l means a letter 'el' - not a digit 'one'):
psdread -l
If you have problems with running psdread -l you probably have problems with the security configuration of your mobile device. There are many options to change it. In my case I was using Device Security Manager PowerToy for Windows Mobile 5.0
It is recommended to save your security configuration, then change it to the Security Off level and after the whole goldcard preparation process, load saved configuration preset if you don't want to leave your Windows mobile device Security Off. You should have your mobile device ActiveSync with your PC when you are using this tool.
- If everything went OK, look at the result at the cmd window after psdread -l and find something like that:
remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte
SerialNr: 75 63 00 49 8a f2 00 80 47 31 30 55 53 44 53 03
- in the next step you will have to replace the first byte ( in this case '75' ) with '00' and write this ID without spaces between numbers - this will be your modified cardid
In this example your modified cardid will be 006300498af200804731305553445303
(Thank you "hookcard" for reporting troubles in this step)
Run this command, where <cardid> is your modified cardid:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
- Your goldcard image will be saved in your current directory (C:\itsutilsbin)
- If you have error message connected with msvcr71.dll file, please download this file or try to find it somewhere on your system partition and then copy it to the directory containing typhoonnbfdecode.pl (C:\itsutilsbin)
Then repeat the previous step with running typhoonnbfdecode.pl
If everything went OK, run this command, where <number> is a number under which you have your SD card during psdread -l command, for example, "remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte" means that your <number> is 1:
psdwrite -<number> goldcard.img 0 0x120
Now you have a card which gives you SuperCID - you can test it with MTTY and see that g_cKeyCardSecurityLevel = 0
Ad.8) Remember to have more than a half of the battery capacity available before you start this step!
- download any official Herald's RUU and extract it to the directory, where you should find RUU_signed.nbh ROM file. (It was tested with Dopod's ROM). Copy this .nbh file to your goldcard changing its name to heraimg.nbh
- Enter the bootloader mode. When you will see on your Herald's screen the question: "Update SD image?" you will have 10 seconds to press Volume Down button and this way to start flashing
Unfortunatelly, if something will go wrong and i.e. you will see SD update failed you will have to use heradiag.nbh file to enter special menu during the start of the bootloader mode. If you have problems with flashing, please read the step below:
Ad.9) download and unpack heradiag.zip file from this thread:
http://forum.xda-developers.com/showthread.php?t=332413&highlight=heradiag.nbh&page=6
Remember to have more than a half of the battery capacity available before you start!
- Copy heradiag.nbh on your goldcard together with any official .nbh ROM from ROM Update Utility from the previous step.
- boot your Herald in bootloader mode and you will see the diagnostic menu where you will have Reflash Image option. Choose Reflash Image and after the flashing process (about 5 minutes) please softreset your device.
That's all! You should see your Herald properly booting Windows OS.
Good luck!
Anyone had any luck with this?
I tried.
Everything is O.K.
ok first of all thank you very much for as a hope gain to bring our herald to live again.
but there is some point at this thread i didnt get it so plz if u could help me
1-
run Perl Package Manager from Windows Start Menu
change PPM Preferences:
- Add repository: itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository: theoryx http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (mark them for install and run marked action):
-Crypt-DES
-XdaDevelopers-NbfUtils
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
I've updated this tutorial and now it should be more clear.
According to your question about the ROMs - if you successfully create the Goldcard you will be able to flash any ROM, not only those matching your original CID.
halder said:
...............
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
Click to expand...
Click to collapse
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
maybe someone can post the perl folder, with the required modules installed?
Do you have "All Packages" chosen through View Menu?
klikman said:
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
Click to expand...
Click to collapse
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail adress.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
alencarfr said:
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail adress.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
Click to expand...
Click to collapse
Go to this thread, it will explain how to fix your phone....
http://forum.xda-developers.com/showthread.php?t=345411
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
No Signal. With MTTTy I gave the command set 32 1 and get the message:
================================================
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
PL_SDSetSlotNumber() - MPUIO_SDIF_SEL1=0, MPUIO_SD_IF_SEL=0
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDInit - SD ver1.0
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SD clock to 24MHz
***** user area size = 0x79280000 Bytes
SDInit---
SDInit OK
Unlimited time!
GetDeviceCID: Error - InitDecoder
g_cKeyCardSecurityLevel = 0
HTCE
=======================================================
So, please could you help me ? Thanks! Alencar
Hi,
Where did you format your SD card before preparing Goldcard? In Windows Mobile device or in laptop or PC card reader?
alencarfr said:
Hi Mkoz,
Tried your procedure but when start bootloader it do not read the SDcard. I copied Heradiag to the card but it do not run. The bootloader remains the same as before.
g_cKeyCardSecurityLevel = 0
So, please could you help me ? Thanks! Alencar
Click to expand...
Click to collapse
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
please SIR how can i change cardid ?
and witch tool i use ?
Hi,
I've sent you my private message but you haven't answered so I have to ask you in this thread:
- What is the size of your SD card? I successfully tested it with 512MB and 1GB cards.
alencarfr said:
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
Click to expand...
Click to collapse
Sucessfully tested with 2gb card
BTW, HardSPL'd devices doesn't want to load heradiag!
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
same here
already try restarting my windows still no luck
I guess you are doing something wrong because there are people who were successful with this tutorial. Maybe you don't have "All packages" chosen from the menu.
I have updated point 4 of my tutorial so please take a look.
I've also posted in this thread my answer to someone who had the same problem like you and he didn't answered anymore so I guess as a result he created Goldcard successfully.
If it will help you, please let us know.
TINDUNG10 said:
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
Click to expand...
Click to collapse
please help me delete 1 post

Is it possble to dump ROM from bootloader ?

Hi !!
I'm sorry if I write about talking before but I search for 2 dayes internet (Most link coming from xda ) without success.
I'm pretty sure that is not possible to do on Trinity due to bootloader limitation but I want a last confirm before to flash my device.
My boot loader is a Des' Crash-Proof SPL:
TRIN100
IPL-0.50
TRIN100
SPL-9.99 CP
After I play with the WM6 registry it don't load th OS after reset.
I wondering if is it possible to dump the ROM (The mass storage part) to mount in a linux box from the boot loader.
I read that the Trinity lack of the s2d command and also the rbmc didn't work.
There is any other way to do it
Off course I can't use pdocread.exe due to the OS is not loaded on the Trinity.
Thanks in advance and sorry for my english.
Carlo.
Hi again.
I was able to read ROM whit the rbmc command using the follow command:
password BsaD5SeoA
set 1e 1
task32
rbmc >/tmp/dump.bin 0x3100 0x17900
The problem is that the output is show on the screen and not writed in the file.
I tried on linux using HTCFlasher and mtty on WIndows whit the > and without.
Any Idea ?
Carlo
Try QMAT too, although it's not meant to be used with Trinity, it supports rbmc dumping.
Thanks, I'll try it tonight.
Here's an rbmc partition dumper I've created for dumping os, storage and ext rom. Storage partition doesn't seem to be readable this way...
You need to have a security unlocked device or HSPL that allows rbmc when device is not security unlocked.
Hope this helps...
Thanks for the command, I tried and it don't work.
I have the Des' Crash-Proof SPL on my Trinity and the rbmc command work but I have to give the follow commands before use it.
password BsaD5SeoA
set 1e 1
task32
is your command supplied it before to dump or there is any command line option to pass it to the command ?
Works on my trinity allright... task 32 is not required, btw.
Did you manage to get QMAT working/dumping?
I tried more times but I have allways this message:
C:\Temp2>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:01s.953ms
HTCSBye!>.L.HTCE
I switch the Trinity to the bootloader screen and then I plug the usb and ru the command with no args.
Where I wrong ? I tried without ActiveSync open and with it opne with the usb connection disbled.
No, I was unable to use QMAT, the manuals is little different from the version and don't explain the very first operation to recognise the PDA to the program.
Instend I was able to capture the rmbc output on my linux box and minicom on usb but I get error after a while the program is dumping (The same I got on the screen using mtty) and then I'm little confusing about partition dimension showed by the "info 8" command
Bye.
What happens when you manually issue "rbmc c:\temp\os.bin OS" in mtty or minicom?
I start minicom with the capture option active then I use the command
Cmd>rbmc a 0x3100 0x17900
Then the dump start
Cmd>rbmc a 0x3100 0x17900
GetExtRomData+(): *pszPathName=a, dwStartAddress=57600000, dwLength=8C08DAA0
:F=a :A=57600000 :L=8C08DAA0 :rbmc= HTCS¼Ñÿÿùÿ0ÖÿÿùÿRPQQ"RTP¤QP>Öÿÿùÿ¤ìÿÿùÿÔÿÿùÿ9Öÿÿùÿ<Öÿÿùÿ=Öÿÿùÿina
condominiale
[.....]
,(*"(B+&*0ùÿNANDFlashReadSectorWithSectorInfo: dwBlockIndex=0x400
NANDFlashReadSectorWithSectorInfo: Address over boundary!!!
rbmc: read data error at 0x8000000
In the [...] I got about 1 MByte of data.
My I was to dump th user partition to recover same data, not the OS.
This syntax is not valid:
rbmc a 0x3100 0x17900
1. Do not use 0x prefix for offset and length
2. Use actual flash offsets (starting at 50000000 (hex))
Can you try this exact command?
rbmc c:\temp\os.bin OS
This is the command rbmc.exe executes and it seems to be failing on your Trinity.
I tried and that is what I had:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
cybor said:
I tried and that is what I had:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
Click to expand...
Click to collapse
Can you do it in mtty?
Ok, sorry, I missunderstand.
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCEPassWord: BsaD5SeoA
Cmd>set 1e 1
Cmd>rbmc c:\temp\os.bin OS
Command error !!!
Ok, it looks like your SPL doesn't support rbmc command, but if you do "rbmc 50000000 1" in mtty that works?
Yes, it work.
Cmd>rbmc 50000000 1
GetExtRomData+(): *pszPathName=50000000, dwStartAddress=1, dwLength=8C08DAA0
rbmc=8DAA0
Cmd>
But it work only if I supply the "task 32" command after the "password .. " and "set 1e 1"
Colud you modify your command to supply the "task 32" command, maybe by a switch ?
Finally it work !!
I mean your command.. after the message before I tried this way.
I connect to the bootloader with the patched version of TeraTerm (To have the copy and paste function ), then I supply the three commands like the message above and finally I close the Teraterm and lunched your command with no parameters and here what I get:
C:\Temp0\rbmc>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
0x4d50800 bytes read
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0x55628D8 bytes in 0d:00h:02m:02s.125ms
HTCSBye!>.L.HTCE
How you can watch it don't read the Storage.nb and the ExtROM.nb, but now I can get OS.
So I think that the "task 32" is mandatory in with the HardSPL I got in my Trinity.
Witch HardSPL do you use for test your command ?
cybor said:
So I think that the "task 32" is mandatory in with the HardSPL I got in my Trinity.
Witch HardSPL do you use for test your command ?
Click to expand...
Click to collapse
Yeah, well, this seems to be the way HardSPL works, you only get access to locked commands after faking security lock status with "task 32". I've added this command to rbmc.exe, however I want to make it more generic before I post the updated version, because dumping storage doesn't work so far.
I'm using MFG SPL 1.05 patched to allow rbmc, this shouldn't be relevant though.
Ok, so attached is an updated version of rbmc.exe.
It will work just like the old version without any parameters, but you can specify the same parameters as you would feed to rbmc command too now.
E.g. to dump storage you can do
C:\>rbmc.exe storage.bin Storage
However due to a bug in SPL this won't work, it will produce an error message showing the starting offset of storage partition though.
Grab that offset, substract it from 0x60000000 to get the correct storage size and rub rbmc.exe again with parameters:
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
You should have a dump of storage partition (albeit not excatly 0xACAC0000 bytes) in storage.bin file as a result. Note that resulting dump has NAND flash block status data (0x10 bytes every 0x200 bytes) that you may need to strip to get an image of storage partition you can work on.
Good luck!
Thanks for this new realese, it work fine.
I have a problem to understand how to calculate the offset.
When I run
rbmc.exe storage.bin Storage
I get:
Dumping rbmc storage.bin Storage to storage.bin...
ERROR: rbmc storage.bin Storage command failed; last message:
"Storage address error.(0x54DC0000, 0xB301000) "
What I must subtract from 0x60000000 to get the offset and which is the other value in the last example you write.
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
I'm sorry to waste your time, but I tried to understand but I fail, but I want to reach the end because in future a tool like this will be very usefull to recover data froma crashed Trinity.

[Q] Help needed to dump the original rom

Hi everybody! I bought some weeks ago a Shift and my first priority is to change the language from Italian to English. But before going ahead in flashing a new rom I thought it is wise to make a back-up of the original rom.
So in my attempt to dump the original italian rom of my Shift I've come to an error status I don't know how to overcome, therefore any help would be very much appreciated:
Following pof's How to dump HTC Shift ROM at
http://forum.xda-developers.com/showthread.php?t=382609
I downloaded itsutils, unzipped on the pc and placed all the itsutils files in the c:\users\HTC User folder, (as I just did not know how to change the path in cmd to go to the c root with the itsutil folder).
Further on, with the WinMob connected to Vista with USB Tool, I introduced the first command line for pdocread
pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
and I got the answer
Copying c:\users\HTC User\itsutils.dll to WCE:\Windows\itsutils.dll (which I think it's OK) and then
rapi reinitializing (is it normal?)
and then
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005
– Access is denied
I have no idea on what the cause of the error could be, probably I must have done something wrong and I am stuck at this first dump step.
Can somebody please help me further to get unstuck?
Thank you very much!
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
thaihugo said:
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
Click to expand...
Click to collapse
THANK YOU THAIHUGO for taking the glove of answering me on this dead forum, I really need help! I find it fantastic that you are still so active, maybe in time some other senior members will take again the challenge to support the newcomers.
Yes, WM was connected to Vista side using the USB Tool and the Windows Mobile Device Center.
Looking back, I think I opened cmd as user and not as admin (now I know how to do it), this might have been the mistake, I will try again this afternoon.
1. So far I understood that the main reading process is running under Vista using the command lines and the itsutils, which is ok.
Does it matter where the unzipped folder <itsutilsbin-20100324> is placed? I mean should it be placed obligatory in the root of the c:\ drive?
If YES, how do I do that in the cmd line, I mean change the directory? Normally the cmd screen opens to the folder c:\users\HTC User when starting as user and to c:\Windows\system32 when doing it as administrator. Is it wise to copy all the itsutils files to system 32?
Of all those itsutils files, which are the absolutely necessary files to do the dump? Are these pdocread.exe and itsutils.dll only? This is because I'd like to handle as less files as possible to the system 32 folder.
2. If I got this right, the link that you pointed to shows for the Raphael ROM how to do the dump entirely on the WM side and should be applicable to the Shift WM as well if not managing it from Vista side, is that what you were trying to say?
3. Is this way of dumping the rom covering also the radio part and the bootloader, I mean all the 4 raw files contain the whole initial memory of the WM?
Sorry to raise such beginners question, but I did not find these things explained in any of the Shift threads and without answers I cannot progress with this dump job and furtehr proceed with flashing a custom rom in English. I did search in the Shift forums and googles for answers, but maybe I did not use the right keywords.
Looking forward to receive the enlighting answers, thanks in advance!
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
2) do not use raphael numbers. I linked to the post for the general procedure. Proper numbers are in the POF post.
3) you will not have the radio, nor the bootloader. But you have to jump if you want to use custom roms. Bootloader is available somwhere, and radio also I think.
Still getting errors
thaihugo said:
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
Click to expand...
Click to collapse
Thank you again Thaihugo!
I gave it another try to pof's commands as you recommended this time first with pdocread -l and it doens't work, BUT I'm getting the similar error messages. While accessing cmd as administrator and running the cmd line from c:\itsutils:
pdocread.exe -l
rapi reinitializing
and then after about 35 sec
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005 – Access is denied
At different runs I got different addresses for r and ce, but the same for le and hr (no idea what those mean).
It doesn't change if launching as administrator or user.
I even downloaded a previous version of itsutils directly on the Vista computer and unzipped it with Total Commander and the result is the same.
Have also tried another command from pof with the same error result:
pmemdump.exe 0x8c000000 262144 SPL.nb
Of course the WM side was connected to Vista via USB Tool and I also checked if from the Vista side the WM folders were accessible.
I'm completely stuck, don't know what to do further, please help!!!
Thank you!
P.S. Have copied the itsutils.dll to the Windows folder in WM via e-mail, just like in the liberalization process in order to avoid copying it via Active sync (as recommended for Raphael). This time at the first run of the pdocread.exe I was asked to accept installing itsutils.dll on the WM side, which I did.
But I'm still getting the error messages when launching pdocread.exe -l, this time running very fast in a few seconds and after 4 turns it stops with the final message
ERROR loading itsutil.dll - probably denied by policy restrictions
Does it ring any bell to you?
My guess is that I have to relax the security policy on the WM side, but I don't know how.
I am amaized that nobody raised all these before.
I've finally done it! HowTo......
OK, I finally managed to dump the ROM thanks to the support of Thaihugo and the info in various threads on this forum (with credit to the authors), I have now the ROM and bootloader dump files, but not the radio rom.
There were several detailed steps important for beginners that were not included in POF's thread "How to dump HTC Shift ROM" at http://forum.xda-developers.com/showthread.php?t=382609 that prevented me to do the dump from the first go.
In order to spare other newcomers time, here they are:
-On the WinMob side change the Security Policies setting by installing a registry editor like PHM Registry Editor, TotalCommander, etc. (I used the cab files downloaded in Vista and moved to WinMob via the Windows Mobile Device Center);
Go to HKLM\Security\Policies\Policies and change the valuename '00001001' from dword:2 to dword:1. Save the change and soft reset your WM device.
If in doubt check this: http://forum.xda-developers.com/showthread.php?t=427507
Note: After finishing the dump operation do not forget to revert back to the initial dword:2 value
-Download itsutils from POF's site to Vista and unzip the package to a new folder "c:\itsutils".
-To be on the safe side disconnect all network connections (3G modem, wifi, BT, LAN) and all USB external devices.
-Connect the WinMob side of the liberated Shift to Vista using the USB Tool and check in the Windows Mobile Device Center that the folders and files of WinMob are indeed accessible from Vista
-Open the command line screen and go to the folder where you unzipped the itsutils tool by typing "cd c:\itsutils" (without the quotes).
-From within the folder itutils type the command "pdocread -l" (without the quotes).
At this point, with pdocread.exe started, go to the WinMob side and
you will find a message asking you to accept installing the itsutils.dll on the WM side, say Yes to it and wait until it is instelled.
Then go back to Vista side and carry on as described in POF's thread mentioned above by:
- using "pdocread.exe -l" to list the NAND PARTITIONS (which have to do also with the radio side as I understood from one of cmonex posts)
- using "pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw" and the other 3 commnads to generate the 4 raw files in the same folder c:\itsutils; keep them for reconstructing the original ROM
- using "pmemdump.exe 0x8c000000 262144 SPL.nb" to dump the bootloader file to the same folder c:\itsutils; keep that too.
That's it for now.
I have to deal further with dumping the radio rom, but I don't know how to do it, I must search the forums.
A big THANK YOU to all who helped me!
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
thaihugo said:
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
Click to expand...
Click to collapse
Thank you again Thaihugo, it seems that you are the only senior left on duty on this dead forum....yet the counter shows 238 views of this thread. Hm, strange....Anyway, thank you for all the good hints given one way or another during the past days, I wouldn't have made it without it.
I got the message, I will not bother with dumping the Radio. I know that a particular Rom is matched with a certain radio. I will flash one of your roms, most probably Age of Reasons and the associated radio. I am not looking for tens of programs on the WM side, it is enough to have the basic things in English and instant-on. I will let you know!

[TEST MODE] Windows Phone 8/8.1 for Retail Device

Hello Folks,
We are introducing a way to apply @Myrianchan's WindowsRT "Test Mode" hack to Windows Phone 8/8.1 and Windows 10 Mobile Preview builds before 10572.
Yeah,Actually this not my complete hack but @Myriachan discovered wonderful hack I've ever seen. So the FULL credits goes to her of course.
Probably to Enable test Mode for Phone you have to Full Registry Access to configure the BCD objects "Boot Configuration Data".
Yeah, we have vcReg editor base upon this for Lumia Devices.
This is NOT specific about the LUMIA device but for now we have only lumia device with FULL Registry Access.
**********
CAUTIONS.
please, DON'T BE STUPID. IT'S UEFI Hacking. Bricking chances is maximum and potentially too Dangerous.
It can be a permanent damage to the Device and no one will recover your device. like[Nokia/Microsoft Care. ATF Box]
So the, I'm/Any other XDA Member not responsible for any damage to your device. Use it on your own risk.
**********
Introduction to Test-Signing.
Test-signing refers to using a test certificate to sign a pre-release version of a driver package for use on test computers. In particular, this allows developers to sign kernel-mode binaries by using self-signed certificates, such as those the MakeCert tool generates. Starting with Windows Vista, this capability allows developers to test kernel-mode binaries on Windows with driver signature verification enabled.
More details are here.
Introduction to Test-Signing Hack for Windows Phone.
Specifically, the "Trusted Boot Security Feature Bypass Vulnerability – CVE-2015-2552" is Myriachan's jailbreak exploit.
The exploit itself is simple. Run an administrator PowerShell (can't be cmd), and execute the following command, then reboot:
bcdedit /set '{current}' loadoptions '/TŅSTSIGNING'
(The Ņ character is Unicode character U+0145, which you can find in Character Map if you need it.)
Your system will come up in "test signing" mode, along with a watermark on the desktop indicating this. While in test-signing mode, applications still have to be signed, but they can be signed by anyone, including your own self-signed certificates.
How to sign executables for this is mostly beyond the scope of what I'm posting. Use makecert and signtool. Your certificate must be at least 2048-bit RSA. When using signtool, be sure to timestamp your executable (/t option), use page hashing mode (/ph) and SHA-256 (/fd SHA256).
More Details of why this works:
http://pastebin.com/w5U2qTR0
Source
How to Enable Test-Sign on Windows Phone.
Yeah, It is also Simple.
Not Got much time to write simple tool for it. (I'll attached xap here later)
You have to write this Registry Key and Value.
1. Deploy and RUN VcReg Editor.
2. Select "HKEY_LOCAL_MACHINE"
3. Select "String"
Enter Without Quote.
Path:
Code:
"BCD00000001\objects\{7619dcc9-fafe-11d9-b411-000476eba25f}\Elements\12000030"
(your guid may vary)
Key:
Code:
"Element"
Value:
Code:
"/TŅSTSIGNING"
*** NOTE THAT, "Ņ" character is Unicode character U+0145. So don't mess with it. Probably Copy and Paste it. ***
4. HIT WRITE BUTTON !!!
5. REBOOT DEVICE.
That's It.
To verify Test Mode is Actually Enabled or Not
Read the below registry key and value.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
"SystemStartOptions"
It should have Included a value of "TESTSIGNING"(theres other strings too,forget them) . If not that mean it didn't work.
*** This is permanent TEST-SING mode. After the Hard reset it will stay "ENABLED". if you want to disable simply flash the Stock ROM***
Thanks,
Credits.
Special thanks to @vcfan, Without his RPC Code really unreachable registry access.
@Myriachan For this wonderful discovery.
Reserved Post for Official Test packages.
Microsoft.MS_TSHELL.MSN.MainOS.spkg
(Remove ".zip" extension)
Reserved for Custom Packages.
Also You can post your custom package in this thread, I'll attach here to this post.
How are we supposed to find our GUID in case it's different?
I got code execution as SYSTEM through this.
See http://forum.xda-developers.com/windows-phone-8/general/code-execution-test-mode-t3239066
Do not works on my lumia 1020 with this GUID how can i find GUID?
titi66200 said:
Do not works on my lumia 1020 with this GUID how can i find GUID?
Click to expand...
Click to collapse
I think the easiest way would be to grab the BCD from one of your phone's FFUs (convert it to VHD, open it with winimage, go to the first partition (FAT32), it'll be in \efi\microsoft\boot), then run the exploit in PowerShell in the directory you extracted the BCD to like:
bcdedit /store BCD /set '{default}' loadoptions '/TŅSTSIGNING'
then load the BCD as a registry hive in regedit and search it for "STSIGNING", find the GUID as the result.
Works on Lumia 830 Windows Phone 8.1 Version 8.10.15148.160 but not on Lumia 1020 Windows Mobile 10 Version 10.0.10581.0.
titi66200 said:
Works on Lumia 830 Windows Phone 8.1 Version 8.10.15148.160 but not on Lumia 1020 Windows Mobile 10 Version 10.0.10581.0.
Click to expand...
Click to collapse
This patched on 10581 do the thing I did .
flash back your 1020 to 8.1 and get Insider Slow ring update (it's build 10166)
do Interop Unlock using VCReg v2.2 . in build 10166 this bug is still presents .
??? 520, 640xl
Get 10166 before they close the entrance!!
⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙⚙
need help on iball I701
djamol said:
Reserved Post for Official Test packages.
Microsoft.MS_TSHELL.MSN.MainOS.spkg
(Remove ".zip" extension)
Click to expand...
Click to collapse
Hello sir i have Iball I701 windows * tablet n i want to make it android can it be possible n can u plz guide me how i can make this possible plz thank you
madycoot said:
Hello sir i have Iball I701 windows * tablet n i want to make it android can it be possible n can u plz guide me how i can make this possible plz thank you
Click to expand...
Click to collapse
Though my vision isn't possible if then thumbs up ?
Is there any way to do this on Win10 10.0.586.29?
titi66200 said:
Is there any way to do this on Win10 10.0.586.29?
Click to expand...
Click to collapse
No. Not Possible.
It has been patch in build 572.
So it will not work on later builds untill secured boot if OFF.
My bootloader is unlocked with Windows Phone Internals.
I can deploy testsigning packages?
titi66200 said:
Is there any way to do this on Win10 10.0.586.29?
Click to expand...
Click to collapse
titi66200 said:
My bootloader is unlocked with Windows Phone Internals.
I can deploy testsigning packages?
Click to expand...
Click to collapse
Yes.
Put device into MassStorage Mode.
Bcdedit.exe /store D:\xyz -set TESTSIGNING ON
Or through reg edit.
Refers official msdn page.
bcdedit /store H:\EFIESP\efi\Microsoft\Boot\BCD -set TESTSIGNING ON
But error
An error occurred while trying referencing the specified entry.
The specified file can not be found.
titi66200 said:
bcdedit /store H:\EFIESP\efi\Microsoft\Boot\BCD -set TESTSIGNING ON
But error
An error occurred while trying referencing the specified entry.
The specified file can not be found.
Click to expand...
Click to collapse
Hmm, then edit BCD entries through vcRegEditor.
Grab BCD (Its hive file) from FFU or your device.
"C:\EFIESP\efi\Microsoft\Boot\BCD"
run whatever commands. (like dual boot)
Observe objects and elements.
Write same Object Elements using vcreg Editor.
while writing to the BCD use this "BCD00000001" instead of "BCD".
Cheers...
Here is some test entries from Engineering Device.
GlobalSettings
Code:
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
Boot Manager.
Code:
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:01
Found "Microsoft.BaseOS.EnableTestSigning_BCDStore_0.reg" in EFIESP.bin from RM825_1232.2101.1239.3001_PROD_developer_265_01_86530.ffu
Code:
[HKEY_LOCAL_MACHINE\BCD]
[HKEY_LOCAL_MACHINE\BCD\Objects]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:00
titi66200 said:
Found "Microsoft.BaseOS.EnableTestSigning_BCDStore_0.reg" in EFIESP.bin from RM825_1232.2101.1239.3001_PROD_developer_265_01_86530.ffu
Code:
[HKEY_LOCAL_MACHINE\BCD]
[HKEY_LOCAL_MACHINE\BCD\Objects]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\16000049]
"Element"=hex:01
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements]
[HKEY_LOCAL_MACHINE\BCD\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\16000049]
"Element"=hex:00
Click to expand...
Click to collapse
Yes. Exactly.

Categories

Resources