extract from raw rom image? - Windows Mobile Development and Hacking General

I was attempting to use dumprom on a PDA phone other than XDA... I extracted the memory address from 0x80000000 to 0x81FFFFFF using pmemdump, and ran it through dumprom. As it turns out only the bootloader and a small part of the kernel got extracted. Nothing of the OS or the application files came out. As it turns out, looking at the dumped file, the 'good part' is missing and seems to be located elsewhere in the memory.
But then I have a rom image that can be used to flash the device, so I tried to use the image with dumprom, but that gave me an error, obviously, as the image is not laid out like how it's mapped out in the memory.
So how should I go about extracting the files? For example, what do I have to do to modify the ROM image to work with dumprom? I'll upload the ROM image in question or the memory dump if need be.

To dump the ROM of any PocketPC, you should extract the first 32 MB of physical memory starting from address 0. They contain the bootloader and ROM image, at least on PXA25x, 26x and 27x CPUs. For example you may use my program: http://mamaich.kasone.com/imate/ROMDump.rar
It comes with source code and dumps 64 MB of ROM to any directory on the SD card. Later you can extract files from this dump with "dumprom.exe dump.bin -4 -d C:\dump"
I've tested this method on several devices and it worked. If the device contains 32 MB of ROM, the second half of the dump would be identical to the first 32 MB.
The BIN/NBF files used to flash are sometimes stored in a format with unnecessary parts removed. Such files normally start with the "B000FF" signature and their format is explained in the Platform Builder documentation. You may try to write a program that would convert them to a "normal" dump that dumprom understands.
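The converter mamaich suggests, as an added example that is not part of the thread or of ROMDump/dumprom: a Windows CE .bin (B000FF) image is the 7-byte signature, a 32-bit image start address and length, then records of (address, length, checksum, data) where the checksum is the plain sum of the data bytes, terminated by a record with address 0 whose length field carries the jump address. Laying each record out at `address - image_start` in a buffer of `image_length` bytes gives the flat dump that dumprom expects. The sample image below is constructed inside the script so it runs offline; vendor NBF files may wrap extra headers around the B000FF payload, which this parser does not handle.

```python
import struct

B000FF_MAGIC = b"B000FF\n"   # 7-byte signature that opens a Windows CE .bin image


def build_b000ff(image_start, image_length, records, entry):
    """Encode (address, payload) records as a B000FF image.

    Constructed encoder, present only so the example can run offline on an
    image of its own; real images come from Platform Builder or a vendor tool.
    """
    out = bytearray(B000FF_MAGIC)
    out += struct.pack("<II", image_start, image_length)
    for addr, payload in records:
        # record header: address, length, checksum (sum of the payload bytes)
        out += struct.pack("<III", addr, len(payload), sum(payload) & 0xFFFFFFFF)
        out += payload
    out += struct.pack("<III", 0, entry, 0)   # terminator: address 0, 'length' = jump address
    return bytes(out)


def parse_b000ff(data):
    """Return (image_start, image_length, [(address, payload), ...], entry)."""
    if not data.startswith(B000FF_MAGIC):
        raise ValueError("missing B000FF signature")
    pos = len(B000FF_MAGIC)
    image_start, image_length = struct.unpack_from("<II", data, pos)
    pos += 8
    records, entry = [], None
    while pos + 12 <= len(data):
        addr, length, checksum = struct.unpack_from("<III", data, pos)
        pos += 12
        if addr == 0:                     # terminating record
            entry = length
            break
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated record at 0x%08X" % addr)
        if sum(payload) & 0xFFFFFFFF != checksum:
            raise ValueError("checksum mismatch in record at 0x%08X" % addr)
        pos += length
        records.append((addr, payload))
    if entry is None:
        raise ValueError("no terminating record; image is truncated")
    return image_start, image_length, records, entry


def flatten_b000ff(data, fill=0xFF):
    """Lay the records out at their load addresses so the result looks like a
    raw memory dump starting at image_start. Erased flash reads as 0xFF, hence
    the default fill for the gaps between records."""
    image_start, image_length, records, entry = parse_b000ff(data)
    flat = bytearray([fill]) * image_length
    for addr, payload in records:
        off = addr - image_start
        if off < 0 or off + len(payload) > image_length:
            raise ValueError("record 0x%08X lies outside the image" % addr)
        flat[off:off + len(payload)] = payload
    return image_start, bytes(flat), entry


def is_valid_b000ff(data):
    """True when the image parses and every record checksum matches."""
    try:
        parse_b000ff(data)
        return True
    except ValueError:
        return False


# Constructed sample: a tiny image at 0x80000000 whose first record carries the
# branch word and "ECEC" marker that mamaich describes further down the thread.
SAMPLE_START = 0x80000000
SAMPLE_IMAGE = build_b000ff(SAMPLE_START, 0x2000, [
    (SAMPLE_START, bytes.fromhex("FE0300EA") + bytes(0x3C) + b"ECECLK"),
    (SAMPLE_START + 0x1000, b"pretend nk.exe payload"),
], SAMPLE_START + 0x1000)

if __name__ == "__main__":
    start, flat, entry = flatten_b000ff(SAMPLE_IMAGE)
    print("image 0x%08X, %d bytes, entry 0x%08X" % (start, len(flat), entry))
    with open("dump.bin", "wb") as f:    # then: dumprom.exe dump.bin -4 -d C:\dump
        f.write(flat)
```

Replace `SAMPLE_IMAGE` with the bytes of a real .bin file to produce `dump.bin`; a checksum mismatch or a missing terminator is reported instead of silently producing a dump with holes in it.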

Unfortunately, that didn't go well. The CPU is a PXA255 and the OS is WM2003, but whatever ROMDump pulled out, it wasn't of any relevance. The attached file is what it put out. It's 64 MB, but as you can see from the size of the compressed result, there's not much useful information in it. It's just repetitive garbage data that goes on for the whole 64 MB. Maybe the program was accessing the wrong area? To be sure, I ran the file through dumprom, and the program hung. This isn't even as good as pmemdump, sadly. What seems to be the problem?

Probably the problem is in the wrong addresses being dumped. You should modify my RomDump code so that it checks all 4 GB of address space in 32 MB blocks to find a block that looks like a ROM start. The ROM starts with something like:
Code:
0000000000: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ъ
0000000010: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ъ
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000040: 45 43 45 43 4C 4B 12 84 │ 00 00 00 00 00 00 00 00 ECECLKД
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
I.e. XX XX XX EA bytes (it is a BL command opcode) followed by garbage (may be 00, may be FFs, may be other XX XX XX EA bytes), and the "ECEC" string at offset 0x40 from the ROM start. "ECEC" is present at this offset in my device and several others. But this may not be in yours.
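The block scan mamaich describes, written as an added example against a dump file rather than live physical memory (it is not ROMDump's code): every block-sized chunk is tested for a branch word at offset 0 (top byte 0xEA is an always-executed ARM B; 0xEB is the BL form, and both are accepted) and, optionally, for "ECEC" at offset 0x40. The four-block sample dump is constructed in the script with 256-byte blocks so it runs instantly; on a real dump use the 32 MB block size.

```python
DEFAULT_BLOCK = 32 * 1024 * 1024   # mamaich's suggestion: probe in 32 MB steps


def looks_like_rom_start(block, require_ecec=True):
    """Heuristic from the post: an ARM branch word at offset 0 (top byte 0xEA
    for B, 0xEB for BL) and the string "ECEC" at offset 0x40. The "ECEC"
    marker is device specific, so it can be waived."""
    if len(block) < 0x44:
        return False
    if block[3] not in (0xEA, 0xEB):
        return False
    if require_ecec and block[0x40:0x44] != b"ECEC":
        return False
    return True


def scan_dump(data, block_size=DEFAULT_BLOCK, require_ecec=True):
    """Return the offsets of every block_size-aligned block that looks like a ROM start."""
    if block_size <= 0:
        raise ValueError("block_size must be positive")
    return [off for off in range(0, len(data), block_size)
            if looks_like_rom_start(data[off:off + block_size], require_ecec)]


def fake_block(size, head=b"", marker=b"", fill=0x00):
    """Constructed block of the given size with optional head bytes and an offset-0x40 marker."""
    block = bytearray([fill]) * size
    block[:len(head)] = head
    block[0x40:0x40 + len(marker)] = marker
    return bytes(block)


# Constructed 4-block dump, 256 bytes per block instead of 32 MB:
#   block 0: erased flash (all 0xFF)
#   block 1: branch word + "ECECLK" at 0x40, like the hex dump in the post
#   block 2: branch word but no "ECEC" marker (a device that lacks the string)
#   block 3: zeros
BLOCK = 256
SAMPLE_DUMP = (fake_block(BLOCK, fill=0xFF)
               + fake_block(BLOCK, bytes.fromhex("FE0300EA"), b"ECECLK")
               + fake_block(BLOCK, bytes.fromhex("FE0300EA"))
               + fake_block(BLOCK))

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DUMP
    size = DEFAULT_BLOCK if path else BLOCK
    for off in scan_dump(data, size, require_ecec=False):
        tag = "" if looks_like_rom_start(data[off:off + size]) else " (branch word only, no ECEC)"
        print("candidate ROM start at 0x%08X%s" % (off, tag))
```

Run it as `python scan.py dump.bin` to list candidates in a 64 MB ROMDump output; a dump that yields no candidate at all (like the repetitive 64 MB file described above) points at the wrong physical address range rather than at dumprom.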

mamaich said:
Probably the problem is in the wrong addresses being dumped. You should modify my RomDump code so that it checks all 4 GB of address space in 32 MB blocks to find a block that looks like a ROM start. The ROM starts with something like:
Code:
0000000000: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ъ
0000000010: FE 03 00 EA 00 00 00 00 │ 00 00 00 00 00 00 00 00  ъ
0000000020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0000000040: 45 43 45 43 4C 4B 12 84 │ 00 00 00 00 00 00 00 00 ECECLKД
0000000050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
I.e. XX XX XX EA bytes (it is a BL command opcode) followed by garbage (may be 00, may be FFs, may be other XX XX XX EA bytes), and the "ECEC" string at offset 0x40 from the ROM start. "ECEC" is present at this offset in my device and several others. But this may not be in yours.
I ran into this problem too. In my case, the BIN code of the ROM file that I ROMDumped from my device looks like this
and the result of "dumprom.exe dump.bin -4 -d d:\111" is shown as follows.
How can I solve this problem?
Thanks a lot.

Related

Latest on getting CellID?

I am trying to make an application which retrieves an estimate of my XDAII's position based on its Cell ID. I realise getting hold of cellid vs location databases is almost impossible, but I only need something simple for the time being - such as detecting if I am at "home", "uni", "city" (or other locations I can hardcode).
I've searched the forums and found various possible methods, but each seem to have their problems. I've read about RIL_GetCellTowerInfo but apparently it always returns 0x80004001. Opening COM2 and sending AT+CREG? seems to be a messy solution since it conflicts with call setup/cleanup. Is there any more information known at this time? Any sample code?
look at tstril2.cpp and RilClass.cpp in http://viewcvs.xda-developers.com/cgi-bin/viewcvs.cgi/xdautils/rilhook/
Thanks for the info itsme. I've tried running tstril2.exe, but get this:
starting new tstril2 instance
ERROR: RIL_GetAudioDevices - UNKNOWNERROR: 0x80004001
2004-04-18 13:17:02.000 RIL_Notification: RADIOSTATE::RADIOPRESENCECHANGED 4 bytes
ril-RadioPresence: RIL_RADIOPRESENCE_PRESENT
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=0000013d 520 bytes
raw: 08 02 00 00 0f 00 00 00 48 54 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 49 4d 41 4c 41 59 41 53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 2e 33 2e 33 2e 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 35 31 39 33 38 30 30 31 31 33 36 35 39 33 30 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ril-HandleEquipmentInfoAnswer: EQUIPMENTINFO: manufacturer=HTC model=HIMALAYAS revision=1.3.3.7 serial=35193800113659301
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=0000013e 20 bytes
raw: 14 00 00 00 07 00 00 00 02 00 00 00 02 00 00 00 0f 00 00 00
ril-HandleEquipmentStateAnswer: EQUIPMENTSTATE: RIL_RADIOSUPPORT_ON RIL_EQSTATE_FULL RIL_READYSTATE_INITIALIZED RIL_READYSTATE_SIM RIL_READYSTATE_SMS RIL_READYSTATE_UNLOCKED
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=0000013f 4 bytes
raw: 00 00 00 00
ril audio muting: 0
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000140 4 bytes
raw: 01 00 00 00
ril lockedstate : RIL_LOCKEDSTATE_READY
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000141 0 bytes
raw:
ril-req CBS reply
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000142 0 bytes
raw:
ril-req CellId reply
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000143 32 bytes
raw: 20 00 00 00 3f 00 00 00 93 ff ff ff 8f ff ff ff cd ff ff ff ff ff ff ff 92 ff ff ff c4 ff ff ff
ril-HandleSignalQualityAnswer sig=-109 min=-113 max=-51 low=-110 high=-60
2004-04-18 13:17:26.000 RIL_Result: FUNCRESULT::OK id=00000174 32 bytes
raw: 20 00 00 00 3f 00 00 00 93 ff ff ff 8f ff ff ff cd ff ff ff c5 01 00 00 92 ff ff ff c4 ff ff ff
ril-HandleSignalQualityAnswer sig=-109 min=-113 max=-51 low=-110 high=-60
...
There seems to be no data returned with the CellID reply. What could be the cause of this?
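One way to check that observation mechanically, as an added example that is not part of tstril2 or the rilhook sources: pair each `RIL_Result` header in the log with the `raw:` line under it, verify the hex matches the declared byte count, and decode the answers whose layout is known. The CellId result (id=00000142) then shows up as an OK status with an empty payload, while the 32-byte answer decodes to the same dBm values tstril2 printed. The field names follow the RILSIGNALQUALITY and RILEQUIPMENTSTATE structures and the RIL_READYSTATE_* bits as I recall them from the Windows CE ril.h header; that mapping is an assumption, the page only shows tstril2's printed labels. The log excerpt is a constructed subset of the output quoted above.

```python
import re
import struct

# Excerpt copied from the tstril2 output quoted above (a constructed subset,
# three results out of the full run).
LOG = """\
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=0000013e 20 bytes
raw: 14 00 00 00 07 00 00 00 02 00 00 00 02 00 00 00 0f 00 00 00
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000142 0 bytes
raw:
ril-req CellId reply
2004-04-18 13:17:02.000 RIL_Result: FUNCRESULT::OK id=00000143 32 bytes
raw: 20 00 00 00 3f 00 00 00 93 ff ff ff 8f ff ff ff cd ff ff ff ff ff ff ff 92 ff ff ff c4 ff ff ff
"""

RESULT_RE = re.compile(r"RIL_Result: (\S+) id=([0-9a-fA-F]{8}) (\d+) bytes")


def parse_results(log):
    """Pair every RIL_Result header with the 'raw:' line that follows it and
    verify that the hex payload really has the declared length."""
    results, lines = [], log.splitlines()
    for i, line in enumerate(lines):
        m = RESULT_RE.search(line)
        if not m:
            continue
        status, rid, declared = m.group(1), int(m.group(2), 16), int(m.group(3))
        raw_line = lines[i + 1] if i + 1 < len(lines) else ""
        if not raw_line.startswith("raw:"):
            raise ValueError("result %08x has no raw line" % rid)
        payload = bytes.fromhex(raw_line[4:].replace(" ", ""))
        if len(payload) != declared:
            raise ValueError("result %08x: %d bytes declared, %d in raw line"
                             % (rid, declared, len(payload)))
        results.append({"id": rid, "status": status, "payload": payload})
    return results


# Assumed layouts (from memory of the Windows CE ril.h header): every answer
# starts with cbSize and a dwParams mask telling which later fields are valid;
# signal strengths are signed 32-bit dBm values.
SIGQ_FIELDS = ("cbSize", "dwParams", "nSignalStrength", "nMinSignalStrength",
               "nMaxSignalStrength", "dwBitErrorRate", "nLowSignalStrength",
               "nHighSignalStrength")
READY_BITS = {0x1: "INITIALIZED", 0x2: "SIM", 0x4: "SMS", 0x8: "UNLOCKED"}  # assumed RIL_READYSTATE_*


def parse_signal_quality(payload):
    if len(payload) < 32:
        raise ValueError("signal quality answer needs 32 bytes, got %d" % len(payload))
    fields = dict(zip(SIGQ_FIELDS, struct.unpack_from("<IIiiiIii", payload)))
    if fields["cbSize"] != 32:
        raise ValueError("unexpected cbSize %d" % fields["cbSize"])
    return fields


def parse_equipment_state(payload):
    if len(payload) < 20:
        raise ValueError("equipment state answer needs 20 bytes, got %d" % len(payload))
    cb, params, radio, eq, ready = struct.unpack_from("<IIIII", payload)
    if cb != 20:
        raise ValueError("unexpected cbSize %d" % cb)
    return {"radio_support": radio, "eq_state": eq,
            "ready": [name for bit, name in sorted(READY_BITS.items()) if ready & bit]}


if __name__ == "__main__":
    # On a full log you would map each id back to the request that produced it;
    # here the payload length is enough to tell the three answers apart.
    for r in parse_results(LOG):
        if len(r["payload"]) == 0:
            print("id=%08x returned %s but carried no payload" % (r["id"], r["status"]))
        elif len(r["payload"]) == 32:
            print("id=%08x signal quality: %s" % (r["id"], parse_signal_quality(r["payload"])))
        elif len(r["payload"]) == 20:
            print("id=%08x equipment state: %s" % (r["id"], parse_equipment_state(r["payload"])))
```

The length check matters on a real log: a wrapped or truncated `raw:` line would otherwise decode into plausible-looking but wrong numbers instead of failing loudly.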

T-Mobile MDA Compact III OS CRASH!

Hi! I need help! While upgrading my Artemis I crashed my device!
Info USB SNIFF on getdevinfo
Code:
41 52 54 45 31 31 30 30 30 00 00 00 00 00 00 00 ARTE11000.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
54 2D 4D 4F 42 30 30 34 00 00 00 00 00 00 00 00 T-MOB004........
00 00 00 00 0 ....
Do I need the original ROM, or can I flash only the OS in mtty?
What firmware do I need? I searched but I cannot find a T-MOB004 CID ROM..
Help me please..

Error Itsutils.dll

Hi. Itsutils.dll gives an error writing to the disk on the device. Using the pdocread.exe options also gives an error writing to the disk. How do I use itsutils.dll to write to the disk successfully? Thanks.
STOREINFO dev='DSK1:' store='OneNAND Drive OS' nsect=12948 bpsect=200 free=0 maxpartsize=0
STOREINFO dev='DSK2:' store='OneNAND FAT' nsect=9990 bpsect=200 free=202 maxpartsize=202
STOREINFO dev='DSK3:' store='SD Memory Card' nsect=1e8400 bpsect=200 free=0 maxpartsize=0
PARTINFO name='Part00' filesys='BOOT' volname='' end=10ba type=20
PARTINFO name='Part01' filesys='RAWFS' volname='' end=16a4 type=23
PARTINFO name='Part02' filesys='imgfs.dll' volname='' end=101e8 type=25
listing diskinfo for 0ebf58a6:eeb4bf82 DSK1:/Part00
get_info - out: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ERROR: DeviceIoControl(FL_IOCTL_GET_INFO) - UNKNOWNERROR: 0x00000000
ERROR: DeviceIoControl(FL_IOCTL_NUMBER_OF_PARTITIONS) - UNKNOWNERROR: 0x00000057
Help. How do I write to my device without errors in itsutils.dll? Please.
pdocread/write is intended for DOC (DiskOnChip) memory devices; your device has OneNAND memory, which is not compatible.
What program works on my device? Compatibility?
Flashing the OneNAND disk chip
Hi. Does flashing work on my device's OneNAND disk? Thanks.
Geo2000 said:
Hi. Does flashing work on my device's OneNAND disk? Thanks.
I do not know what your device is (Herald, Artemis, Oxygen, etc.). I have not seen a program to flash OneNAND, only to read it.
My device is an HTC S310 Oxygen; the tool does not work for writing to my disk chip. Flashing my disk fails.
OneNAND Flasher V1.18
Hi. OneNAND Downloader v1.18 can flash from a Samsung SGH-i800 to the OneNAND DiskOnChip. Is there no tool prepared for flashing the HTC S310 disk?
Nembadi. Help. Thanks.

WM6 pagepool address

Does anyone know what is the address for changing BA pagepool size on WM6?
Thanks in advance.
address: 0x2565D3
00 00 00 00 =0M
00 00 80 00 =8M
00 00 C0 00 =12M
00 00 00 01 =16M
00 00 80 01 =24M
00 00 00 02 =32M
00 00 00 03 =48M
adotan said:
address: 0x2565D3
00 00 00 00 =0M
00 00 80 00 =8M
00 00 C0 00 =12M
00 00 00 01 =16M
00 00 80 01 =24M
00 00 00 02 =32M
00 00 00 03 =48M
Thanks for the answer. But I don't think this is the correct address. Look at the attached image. The address pattern is nowhere close to what you have mentioned in your reply.
what does the pagepool do exactly? Increasing the pagepool would do what?
Try 2555d2
That's indeed the correct one... I've done so, changed this one from 16 to 32 MB, but must honestly say that I don't find it to be that much different...

HTC Camera Counter

Good evening again peoples,
The last thing I'm sorting out on the phone after the ROM upgrade is the camera. I just spent the last two hours sorting out all the file names and the order of my images and put them on the phone again.
However, the camera's counter is set to 1. I found a tweak on the Polaris forum:
schaggo said:
Ok guys, I got a tricky one: how to set the camera image counter to a custom value?
Every time I hard reset my Polaris the damn application starts counting up from IMG0001.JPG again... HTF can I manually set that to the latest picture taken?
Edit: Was a tricky one but I solved it myself. Under [HKEY_CURRENT_USER\Software\HTC\Camera\5.04\Preferences] you'll find an entry VALUES. Change bit 0068 to the desired value in hex. Example: Mine was 06 and resulted in IMG0006.JPG, I now changed to 74 which equals 116 in hex, my next pic will be named IMG0116.JPG
Got it?
But there isn't a 5.04 folder on my Nike. Is there anyone that could tell me what to do?!
I've managed to sort out the registry so that the phone saves to Storagecard/mydoc~/mypictures. And also has a prefix of Image_ I just need help with this one last thing!
Thanks in advance!
nowimboard said:
But there isn't a 5.04 folder on my Nike.
The key will match the camera version in your ROM - for example, I've got a key 5.06. Just look inside whatever key you have.
Thanks!
I can't believe how dim I was! I know that I'm just starting out with flashing ROMs and editing registries.. but I had a "blonde" moment
"HKEY_CURRENT_USER" isn't listed on my phone, but HKCU is...
Thanks!!!!!
EDIT: Anyone know what the correct HEX for 402 is? Online calculators are telling me 192, however the phone is telling me that "192" isn't a valid string! Isn't it supposed to have letters in it?
nowimboard said:
Thanks!
I can't believe how dim I was! I know that I'm just starting out with flashing ROMs and editing registries.. but I had a "blonde" moment
"HKEY_CURRENT_USER" isn't listed on my phone, but HKCU is...
Thanks!!!!!
EDIT: Anyone know what the correct HEX for 402 is? Online calculators are telling me 192, however the phone is telling me that "192" isn't a valid string! Isn't it supposed to have letters in it?
I haven't looked at it but I would guess that the reg key is divided up into 2 character bits each of which will go up to a maximum of FF (255 in decimal).
So, yes 192 is hex for 402 but you can't set one bit that high.
Just what I expect to be the case.
randomelements said:
I haven't looked at it but I would guess that the reg key is divided up into 2 character bits each of which will go up to a maximum of FF (255 in decimal).
So, yes 192 is hex for 402 but you can't set one bit that high.
Just what I expect to be the case.
Thank you for your help RandomE,
I'll think I'll PM schaggo to see if he can offer any suggestions.
So do you think that you would split up the 192 Hex code to "FF" & "93"?
whoa guys, somebody actually called for my help, yay!
ok, I reflashed my Polaris with the Syrius ROM and didn't look at this issue any longer. I never got over pic 200 or so, so it never really was an issue to me. But good question, what about numbers higher than 255...?
I'll recheck the registry values and see what I find out. It could very well be that it'll turn FF00, ff01, ff02 and so on...
Ok, found out how it works:
Bit 68 is the pic number in hex. Once it reaches 255, e.g. FF, bit 69 goes up by one. So bit 68 is the running number while bit 69 is the index for bit 68. Example:
Code:
Pic 68 69
220 DC 00
221 DD 00
223 DE 00
...
254 FE 00
255 FF 00
256 00 01 <--!
257 01 01
258 02 01
...
510 FF 01 (510 = 255+255 = FF+FF)
511 00 02
...
schaggo said:
Ok, found out how it works:
Bit 68 is the pic number in hex. Once it reaches 255, e.g. FF, bit 69 goes up by one. So bit 68 is the running number while bit 69 is the index for bit 68. Example:
Code:
Pic 68 69
220 DC 00
221 DD 00
223 DE 00
...
254 FE 00
255 FF 00
256 00 01 <--!
257 01 01
258 02 01
...
510 FF 01 (510 = 255+255 = FF+FF)
511 00 02
...
You Genius!
So my reg value was:
00 00 00 00 05 00 00 00
05 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 00 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 00 00 00 00
90 01 00 00 40 1F 00 00
02 10 00 5A 01 02 01 01
11 00 00 00 01 00 00 00
01 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00
00 02 00 02 09 11 20 00
45 46 00 00 28 00 00 00
05 20 00 00 01 00 00 00
00 00 00 00 C0 27 09 00
01 00 00 00 00 00 00 00
And for the image value to be 415, to get the hex values I did 415-225=190, which is BE in hex, so I did this:
00 00 00 00 05 00 00 00
05 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 00 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 00 00 00 00
90 01 00 00 40 1F 00 00
02 10 00 5A 01 02 01 01
BE 01 00 00 01 00 00 00
01 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00
00 02 00 02 09 11 20 00
45 46 00 00 28 00 00 00
05 20 00 00 01 00 00 00
00 00 00 00 C0 27 09 00
01 00 00 00 00 00 00 00
!!! YAY !!!
EDIT: I set the value to BD as when the value was BE the picture came out as 416.
Thank you so much!!!
Dammit, judging by the time of the posts, it took me half an hour to find something that simple out AAAARRRGH...!
Have fun guys
Hope it helps some others as well...!
schaggo said:
Dammit, judging by the time of the posts, it took me half an hour to find something that simple out AAAARRRGH...!
Have fun guys
Hope it helps some others as well...!
Thank you again!
Help Please!
I have very little knowledge of hex. I was hoping someone here could give me a hand with changing my counter to 92.
Here is my hex for [HKEY_CURRENT_USER\Software\HTC\Camera\5.04\Preferences\Values] as I see it in phm regedit.
00 00 00 00 05 00 00 00 05 00 00
00 05 00 00 00 03 00 00 00 03 00
00 00 03 00 00 00 01 00 00 00 03
00 00 00 05 00 00 00 03 00 00 00
03 00 00 00 03 00 00 00 01 00 00
00 03 00 00 00 00 00 00 00 03 00
00 00 03 00 00 00 03 00 00 00 00
00 00 00 03 00 00 00 90 01 00 00
90 01 00 00 40 1F 00 00 02 10 00
55 04 02 01 01 3C 00 00 00 01 00
00 00 01 00 00 00 01 00 00 00 01
00 00 00 00 00 00 00 00 02 00 02
49 11 20 00 05 46 00 00 28 00 00
00 07 00 00 00 01 00 00 00 01 00
00 00 C0 27 09 00 01 00 00 00 00
00 00 00 01 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00
00 00 00 00 00
Thanks in advance
With my Touch Pro2 I found out that bytes 109 and 110 are the right ones for this solution.
Thanks for this tip!
