Samsung i718 (i710, i718+) ROM Kitchen - Windows Mobile Development and Hacking General

Hello!
Thanks to ppl from this forum I've managed to assemble from various sources files required to dump, build and flash back to device WM6 English ROM. It is not a "plug & play" style kitchen yet, so I call it "ROM Kitchen essentials"
Most of the files are made by other people. My part was converter and flasher hacking. For now, you have to edit the dumped ROM absolutely manually. There is no support for initflashes.dat automation. You may want to use rgucomp to make changes to default.hv and user.hv.
Thanks goes to (not in any order )
trinca
mamaich
bepe
itsme
faria
double_ofour
yhauwang
and many others...
Actual version is 0.1 and RAR archive is about 50Mb.
All required files (including WM6 Eng ROM distribution and flasher) can be downloaded from:
h**p://www.r*pidshare.com/files/47189318/Juggler_Samsung_WM6_Eng_ROM_Kitchen_0.1.rar.html
You also may want to download original WM6 English ROM from here:
h**p://r*pidshare.com/files/45439904/Juggler_WM6_i718ZMGF4_PDA_Eng.rar.html
And radio firmware (required for some i71x to work with WM6):
h**p://r*pidshare.com/files/45950071/Juggler_WM6_i718ZMGF4_Phone_Eng.rar.html
In case somebody doesn't know how to flash Samsung i71x:
Make backup!
Have your firmware at hand so in case of trouble you can flash your original firmware back!
Turn off device.
Disable all ActiveSync connectivity (usb, comm, etc).
Run flasher and click start.
Hold "down" button on device and turn it on while holding "down".
Flasher recognizes it and starts to flash.
After flashing make a hard reset.
If GPRS/EDGE do not work your radio firmware is not compatible with new WM6. You have to go back to your original firmware or flash new radio!
To flash new radio firmware you should have SPECIAL FLASHING CABLE for samsung phones! It is not the one that comes with device!
Now you have options to buy such cable, build one yourself, flash your original firmware back or continue using WM6 without GPRS/EDGE - it is your choice.
So - to flash WM6 you need usual usb cable. New WM6 probably work with your radio. If not - you should flash radio!
Special flashing cable is the cable with USB-Serial adapter or plain serial cable:
h**p://www.fonefunshop.co.uk/datacables/samsung.htm
Search for UNLOCK / FLASH CABLES and you'll see
"Samsung D800 - T809 - E900 - D900 USB Cable
This cable is needed to unlock / flash the Samsung D800 - T809 - E900 - D900 etc."
Notice the difference with the usual USB cable supplied with device!

Have you read my thread on the Samsung i60x?
Hello, there,
Please refer to this thread:
http://forum.xda-developers.com/showthread.php?t=316647
It seems very familiar to the i600. I will download your image just for the sake of taking a look... The ROM with header B000FF is prepared with the Romimage tool from the MS WCE IDE and is named the Run-time image, the nb0 ROM (that works with the WM5 kitchen) is prepared by Romimage by splitting the nb0 ROM in 128 KB records, a header is added containing start address, record length and Checksum 32. Then all these chunks are added together and compressed with another tool named compbin, the "encryption" you are seeing is no other than the aftermath of this compbin tool.
If you read my thread you will find I was able to extract the flat image using cvrtbin (also another MS tool that comes with visual studio) you may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) and so on.
Making the ROM back to the B000FF format is going to be the trouble. Again, read the thread.
There is also an excellent article on Mobilepro BIN roms made by cmonex, you can get a copy of that tutorial inside his Romtool package, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca

Thanks trinca, at least I have something to read to start with. But the first thing I can't figure out is how to correctly RIP the rom image from the EXE file and then, after modifying it, PUT it back to the flasher. There s.b. some proprietary tools for samsung phones or pdas.

Extracting the i718 ROM image: a suggestion
JugglerLKR said:
Thanks trinca, at least I have something to read ...
My friend, we are all navigating uncharted waters..., this requires some research, and the courage to flash the phone with the outcome of your research.
Please read my post:
http://forum.xda-developers.com/showthread.php?p=1371344#post1371344
It will give you a hint on how I found out how to extract the O/S payloads for the i60x, pretty sure it may work for your model as well. A quick look to your executable shows the arrangement may be similar, I would say for the i718, the O/S ROM is located last as it is on the i60x, starting at address 0x01620000 now, just by looking for the end indicator (following the string B000F, 0x0A, 0x00000000 which is the ROM start address, 0x00CA5F03 which should be the offset -little endian-, actually would be 035FCA00), however be noticed the runtime image is compressed using compbin during preparation, therefore I would guess is a little more beyond. You may have to do some research here.
Start by cutting the area surrounding such an offset and use viewbin to determine the offset length and cvrtbin to find if your cut was successful.
BTW it would be nice to find a tool to just decompress B000FF Runtime ROMS. (differently of what it does cvrtbin converting and decompressing Runtime images)
One other thing you may do is to use xdautils, you may find those here:
http://wiki.xda-developers.com/index.php?pagename=XdaUtils.
This collection of utilities has pdocread allowing you to extract the contents of raw partitions in the pda. Make sure to use the handle to extract each raw partition.
Regards,
Trinca

I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?

JugglerLKR said:
I had no success with cvrtbin. How to decompress image after compbin? I've found pdocread and put it to phone, but it won't work :-( Are there any tools to dump ROM to flash card or something like that?
To decompress the image:
Get a tool named viewbin, also part of the MS PE, run it on your file and it will tell you the start address and the offset of the img files. Then use this information with cvrtbin. If viewbin reports the start address is 0, then use 1 in cvrtbin, otherwise the extraction will fail.
To use PDOCREAD, you run it from your computer, it will install itsutils.dll in your phone and you must accept this in the smartphone. Your phone must be unlocked to do that and the policies set to allow unsigned applications to be installed in your phone. To accomplish the above you need to modify the registry on the phone. See how it is done here:
http://www.modaco.com/index.php?showtopic=244205
To dump the ROM with PDOCREAD, see a detailed procedure here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom
Be informed some phones like the i607 require the disk kernel handle, reported with pdocread -l, if you follow the procedure in the above link with no results, then add the disk handle.
Wish you good luck....

Can anybody help PLEASE????
I have a i718 but was bought in China and the OS is in Chinese. The blur me can only read English. Is the ROM in English? If I were to download it (still struggling now with the russian words), how can I change it? All I need is the phone to be in English. I do not need to improve anything as WM5 is good enough. I know I am a newbie and I might not be in the right thread. Can anybody please help? Any links to show "how-to-change the ROM" would be most appreciated. Thank you in advance

Your phone is also known as i710
Your phone Samsung i718 is the chinese version of the Samsung i710, all you have to do is to install the phone serial/modem drivers from the companion CD and place the phone in bootloader mode. If you get the ROM package cited above in the first post of this thread by JugglerLKR you will find complete instructions on how to download the ROM into your phone.
Good Luck!

Thank you
Thank you very much for the quick response sir! Really appreciate it. I finally managed to download the ROM and will give it a go this weekend. Wish me luck. I will be reading more to make sure I am doing the right thing as I am definitely a nOObie. First time flashing a phone .
I looked at the CD that came with my phone and the only thing I see is the ActiveSync 4.2. Worst of all, everything seems to be in Chinese. Guess I have to do more research to see where I can get the drivers you mentioned. There are also a lot of things I do not understand like bootloader, how to do a hard reset, etc. I will continue searching and reading and will post the development of my virgin "flash" as I move along.
Thank you once again.

Trinca - so I dumped my ROM from device to .raw files. What can I do with them now? viewbin shows only zeros on b000f .bin image extracted using winhex from .exe

Use Mamaich's ROM Kitchen
You can find instructions to do some cooking and tools here:
http://forum.xda-developers.com/showthread.php?t=249836
This is self-explanatory, tell me if this is enough or you need some extra info. Once finished, the trouble would be to put that back in B000FF format for flashing, as there is no tool to do that yet, and you can't just download a raw image back into the phone. The Runtime image is formed as follows:
Byte---->--1--2--3--4---5--6--7--8---9--10--11--12--<----------- 128KB------------>
Record 0> 42-30-30-30-46-46-06 <Start add> <length of ROM> -----------------(42-30-30-30-46-46 = B000FF in ASCII ; 06 = end of header B000FF)
Record 1>--<Address> < length > < CHKSUM32 > <----Chunk of Raw image-->
Record 2>--<Address> < length > < CHKSUM32 > <----Chunk of Raw image-->
" "
" "
V V
Last Rec>-00-00-00-00--00-00-00-00--00-00-00-00
I am doing some crazy splitting and Hex scripts to achieve that, but it is a pain in the neck. So I have decided to make a proggie to help me out with that. Please see the thread
http://forum.xda-developers.com/showthread.php?t=316647
on the 2nd post you will see what I am talking about.
Regards,
trinca

Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working, as it cannot accept 0x00000 as start address

JugglerLKR said:
Tried viewbin on my extracted from .exe bin file - Image Start = 0x00000000, length = 0x02C1D3E0
Start address = 0x00000000
Done.
Looks like something is missing. Also cvrtbin is not working, as it cannot accept 0x00000 as start address
Start address = 0001ffe0

So, How to convert dumped LZX packed rom to B000F format for flashing to device?

How to convert dumped LZX packed rom to B000F format
Please refer to my thread:
http://forum.xda-developers.com/showthread.php?p=1392761#post1392761

I am unable to download your file (can you post it on rapidshare or megaupload?). I am in the same situation as well but I applied the english patch from asukal and Buzzlightyear and it worked .. I now have a device in english ... I am waiting for the firmware in english.. I have wm6 roms in chinese that I have not tested ...
I also have a i710 rom but it's also a .bin file dumped from a i710 device ...
Hope this helps,
-Hau

I have uploaded several files... Can you tell me which one you have trouble with?
trinca

Oops ... My message was intended for Juggler uploading his ROM ...
Thanks,
-Hau

Thanks to trinca and bepe, mamaich and many others I've managed rom kitchen essentials - look at first page.

i downloaded your flasher but why when i run i718ZMGF4_PDA_Eng, i click detect but nothing detected....
phone is on and connected via active sync

Related

Building Rom using MKROM

Can anybody please help me to build a rom? specially to the XDA-developers, thanks in a million...in advance.
My question is:
1. Do i need a base rom(no program included) on the cfg/(rom.nb1)? is it necessary ?
2. what is the maximum files i can put in the files/ directory? that will be split by mkrom, i know it is depending on the version since 3.17 the maximum for all files is 5 M. how about other version. 4.01,4.05, 4.10 and 4.16
3. when i run the bash setup.sh nk.nb1(4.05), using parameter for 4.05 i get a message "!!! your rom is not known to me: md5:fb9e70c5786f08e4db6db7c184c59704" is this normal or it is not define on the splitrom.pl ?
4. what kind of editor did you use for building a BMP file with 16 bit, I tried to use adobe photoshop 6.0, but i can not seem to save it as 151 k, the option is only 24 bit and 8 bit, if you can give me a site where i can download it , i will really appreciate it.
Thanks for the Help..
More power to the XDA team
and
Welcome TMO 4.16!!! (which i think no diff with 4.10)
1. yes you do need some kind of rom to start with
2. you can check using
Code:
perl splitrom.pl yourrom.nb1 -ob <your bmp offset> | perl calcgaps.pl 0x3ffff
and add the sizes of the holes.
you have to figure out where the bootsplash is for your rom. ( for new roms this is most likely 0x81ec0000 )
3) there is a list of 27 roms I know about in splitrom, if I never saw your rom, the signature will also not be there.
btw, what rom do you have?
4) I think we used photoshop for that. ( Peter Poelman knows more about that )
thanks for the reply XDA developer Itsme,
but how can i build a baserom with the rom i have, I have a ROM 4.05 which i created in jeff's kitchen? or any site where i can download the base rom 4.05?
I have a ROM 4.05, 4.10 which i get from jeff's kitchen and also the original 4.10 TMO. regarding the signature of the ROM, i read your splitrom.pl and i found out you 27 list of roms, but i didn't find that signature "md5:fb9e70c5786f08e4db6db7c184c59704" is it because my ROM is not base ROM?
my param is ;
wincever=4
start1=21740000
size1=0040000
start2=003c0000
startbmp=81ec0000
startop=81b00000
I'll still try to use the photoshop, maybe i miss something there.
Please correct me if i done something wrong with my commands.
I have Perl 5.8 and cygwin, installed in windows 2003
then make the path for perl/bin and cygwin/bin
then i copy all the things i need to build a rom in one directory including nk.nbf(with jeff's 4.05) and mkrom tools(which i got from the demokitchen)
i run "perl setup.sh nk.nbf" to extract the bootimage.bmp and rom.nb1 to cfg/ directory
then i dump "dumprom -4 -d files -q nk.nbf" to extract all files in files directory
then i convert "perl fdf2reg.pl files/default.fdf cfg/default.reg"
"tr -d "\0" <files/initobj.dat >cfg/initobj.txt"
"cp files/initdb.ini cfg/initdb.ini"
then in files/ directory i delete all the windows files i leave only the program with the dll i wanted to add in the rom like total commander, file commander.. etc...
(I compare it with the original files of WM2003)
then i run "bash mkrom.sh out/out.nbf"
but i got an OVERLAP message on the screen
and also the same message like i told you before "Your rom is not know to me"
Please Help me with this because i want to build my own rom according to the program i need.. and many thanks.
split rom does not recognize romkitchen roms, since they vary too much.
you should use an original rom, not one from the romkitchen.
the overlap means that somehow the params file was not correct.
or maybe you just tried to add too much files.
XDA developer Itsme said:
split rom does not recognize romkitchen roms, since they vary too much.
you should use an original rom, not one from the romkitchen.
the overlap means that somehow the params file was not correct.
or maybe you just tried to add too much files.
Thanks Itsme, that's why split rom can not recognize the ROM I have, I'll try to search for the base ROM in the forum, or can you give me a site where i can download the baseROM, I think that's why I am having a OVERLAP because there is a added program on my ROM, XDA-Developers File1 and File2 is duplicated.
It answer my question regarding the ROM i have, thanks a lot man you really a good help.
Now my only problem is to find all the base rom so i can start cooking some ROM.

Samsung i607 Blackjack ROM cooking (Applies to i600 and other Samsung phones)

I was trying to cook a modded ROM for the i607, I was able to extract the nb0 from the bin file using cvrtbin & viewbin > then Mamaich's prepare_imgfs > viewimgfs > dump > modify/add/delete files > buildimgfs > makeimgfs and I know this is basically what you do with the Hermes ROM, however making it back to a BIN file has proven to be a "no go". I have tried splitrom.pl, rommaster, xipbin, etc, but I am afraid without the right utility this will not happen.
Does anybody know if there is a Tool to convert the cooked nb0 back into WMx B000F bin file? There is an old tool for Mobilpro xipbin.exe, however the block size and length of ROM does not match. Doing the splitting in sectors and retrieving the checksum manually is going to take a lifetime...
Just an idea: Could it be possible to use a blank CE.BIB with only the start and offset of the ROM and romimage from MS PB builder together with the nb0 file above?
Any good ideas are welcome.
I tried using romimage with no results
I tried to use Romimage from MS platform builder, and after many attempts I gave up. I basically used a minimal CE.BIB and the patched ROM (nb0) file as the source to be inserted. It creates the Run-time BIN file with 4K blocks where it should be making it 128Kb ones.
TO Do:
Try an HEX editor with macro or script capabilities, to perform the following process
1.- Strip the HEADER+RECORD section from the original FLASH file
2.- Strip all zeroes preceding the patched ROM (NB0) before the start point
3.- Cut the patched ROM in 128K chunks (about 500 pieces) called blocks or records
4.- Calculate the Checksum 32 of everyone of these chunks and annotate it
5.- Make the HEADER of the RECORD annotating (in little endian) : Start Address - Length (Block Size) - Checksum 32 for every record
6.- Join the HEADER to the respective record. Iterate this process until finished (some 500 times)
7.- Insert the above joined (HEADER+RECORD) section into the stripped flash file in step 1
8.- Here comes the scary part : flash the phone with this MOD (just the PDA section)
9.- If successful, make a program to automate steps 1 to 7
Wish me good luck...
On other comment: according to Texas Instruments, in the Code Composer Studio for OMAP processors, it can be connected to the phone via a COM port using HyperTerminal. Alternatively I think if we can flash the phone using this method and a ROM type NB0.... Perhaps no, as the flash program just connects to the phone using the Serial port when in Flash mode. This program also accepts img files, I tried to rename the nb0 file to img and didn't work. Does anybody know what these Samsung's img files are?
Is anybody interested on this matter? Please don't just read the post, start replying... If we really want to MOD this phone, being it the BlackJack i607 or the European i600, we need to start doing some Reverse Engineering..., the people at xda-developers had started this way to master the HTC and similars.
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
cmonex said:
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
Thank-you, however I haven't received your reply yet. I'll send you the link to the ROMS via private message .
Regards,
trinca
The modded ROM
Cmonex:
I have uploaded the modded ROM and is located at:
http://rapi*****/files/42779528/XXGD1_pda.nb0.html
******************W A R N I N G *********************
For everybody else following the thread, please be advised
this above file is a plain binary, it must be converted to a
MS WMx BIN format with a B000FF header before flashing any BJ.
Please do not attempt to flash your phone with it!
**************************************************
I haven't received your e-mail
cmonex said:
hey, i replied to your email. hope it will be helpful. especially if you give me a link to the image
Hi, Cmonex:
Can you please resubmit?
TKS
trinca
For those of you who would like to start cooking this ROM
I was able to extract the plain image using cvrtbin (MS tool that comes with visual studio) you may grab a copy from here:
http://www.toradex.com/colibri_downloads/Linux/linux_to_wince/?D=D
Then you will be able to use the common tools from xda-developers such as prepare_imgfs (with the switch -acer) from the WM5 kitchen made by itsme (first sticky in this forum) and so on.
Making the ROM back to the B000FF format is going to be the trouble... So far there is not an easy come back... yet!
There is also an excellent article on Mobilepro BIN roms made by cmonex, you can get a copy of that tutorial inside his Romtool package, get it from here:
http://hpcmonex.net/nec900/files/releases/romtoolpack.zip
Be informed the Mobilepro ROM is very different in the way the Runtime file is organized, however the tutorial is the best resource I have seen so far.
Besides, there are some really good tools inside that package
Best regards and start cooking!
trinca
Samsung i60x ROM: Extracting the OS payload from the Upgrader exe single file
The Upgrader program contains 3 payloads: Eboot, Phone and O/S. To extract the O/S payload follow this procedure:
1. Open the exe upgrader file using the Hex editor of your choice.
2. Locate the ASCII string B000F followed by 0x0A. The complete sequence you should look for is 0x4230303046460A. You should find 3 occurrences of the above string. Concentrate on the last one.
3. Copy from this start address all the way up to the string 0x060000EA3B, which is the start of the phone ROM.
4. Make sure your cut includes 12 trailing zeroes 0x000000000000 as they indicate the loader the end of the Runtime of the pda image.
5. Name your file ending with a bin extension. (i.e XXGD1_pda.bin)
6. Proceed with cvrtbin to extract the absolute (or plain) ROM image (ending in nb0).
7. You are ready to start cooking.
I was able to successfully extract in this way the ROMS for i600 releases: XXGC6 and XXGD1 and for i607: UCGB4 and UCGD2.
How did I find out? I got the chance of getting the XXGC6 upgrade package, which included the eboot, phone and pda sections separated. Further reading in the forums indicated the B000FF is followed by 0x0A, the start address of the ROM (00000000) and the end address. From there it was easy to locate the payloads in the Upgrader single exe file.
Good luck extracting your ROMS.
Samsung i607 Service Manual
Below is the link for the SGH-i600 service manual URL. Does anybody have the service manual and/or schematics for the SGH-i607?
BIN B000FF runtime image file format
Does anybody have a detailed description of the arrangement of headers and records in this file format? The best reference I have found is this page:
http://www.devpia.com/MAEUL/Contents/Detail.aspx?BoardID=60&MAEULNO=23&no=242&page=1
Unfortunately I do not understand Korean...
hey, i again sent you an email. i'll quote it in PM too just to be sure.
btw, the rom tutorial that i wrote and that you linked to, fully details B000FF format. what is not clear about it?
The tutorial is right
There is nothing wrong with your tutorial, I had to use the HEX editor several times until I got that right.
cmonex said:
hey, i again sent you an email. i'll quote it in PM too just to be sure.
Do you know if isotherm may share the source code for xipbin? Do you have a way to contact him? I tried to contact him at hpcfactor with no results.
Trinca - ok, let's imagine you got all the needed files to B000F format. How do you plan flash it back to your i607?
Creating the B000FF Runtime image
After cooking the ROM...how to re-create the B000FF Runtime image back? That is the $1M.. question, I am still navigating uncharted waters...
Producing the Flashable runtime image back is what I am now concentrating on, as I see it there may be 4 possible ways:
1) Manually
-a) Splitting the nb0 file in [n] 128KB chunks (for a ~64MB image, there are over 500 x 128KB chunks)
-b) adding the chksum32 at the beginning of each chunk
-c) adding the address and offset to the beginning of the above.
-d) merging it all together
-e) adding B000FF, start address and offset at the beginning of the merged files
You can use an Hex editor with scripting properties such as 010Editor and write a script to accommodate a) thru e)
http://www.sweetscape.com/010editor/
Still a pain in the neck and the scripting language is similar to C, if you know this language it will be easy for you to automate the above. Still experimenting with it.
2) Using XIPBIN, made by somebody AKA isotherm, this utility will make a B000FF runtime file good for a HP/NEC mobilepro, the record length is made 0x40000 bytes long, different from 0x1FFE0 record length of the original ROM, according to cmonex, this should not be a problem provided the record is made of different length and has the right checksum per record, but I already have made several attempts and it does not work for me, when flashing the phone it gets stuck at the very beginning. You may research further here.
3) Modify xipbin and make it produce records 0x0001FFE0 bytes long, as the source code for this utility is not available, cmonex says isotherm has disappeared. I am still hacking into this utility...
4) Create our own program using VC or VB, I may probably work on this one as well, as I get some time available.
I am attaching a copy of xipbin.exe, however if you have followed my instructions, you may probably have it already, please let me know of any success (or failure, we all learn from these ones too).
usage:
xipbin [myrom.nb0] [start address for myrom.nb0] [myrom.bin] [start address for myrom.bin]
For Samsung's B000FF ROMs the command will look like:
xipbin myrom.nb0 0 myrom.bin 0
myrom.bin is then recreated from scratch.
Also according to cmonex, you may do the following:
a) Get an original B000FF ROM
b) use cvrtbin.exe and obtain a nb0 ROM
c) use xipbin with this nb0 and re-create a runtime bin file.
d) apply again this cvrtbin utility to the re-created runtime bin file
e) compare the result with above b) step
f) If they match you may have a candidate procedure, if they don't do not attempt to flash the phone with the procedure above.
I will include the new viewbin and cvrtbin, which now works with start address 0 on this type of ROMs
Usage:
cvrtbin -r -a [start address] -l [length of ROM] -w [8, 16 or 32] [romfile.bin]
cvrtbin -r -a 0 -l [the length of your ROM] -W 32 [myrom.bin]
Good luck!
The format of MS BIN B000FF runtime image file
According to several sources I have consulted, including MS documentation and insights given by cmonex, plus heavy HEX editing sessions, this is my impression on how the B000FF Runtime image format looks like:
Byte------>--1--2--3--4--5--6--7--8--9--A--B--C--D--E--F
Record 0 -> 42-30-30-30-46-46-0A--<Strt add>--<ROM lgth> * * * * * * * * * * * (42-30-30-30-46-46 = B000FF in ASCII ; 0x0A = end of header B000FF)
Byte------>--1--2--3--4--5--6--7--8--9--A--B--C--<-----128KB of nb0 image------>
Record 1 ->--<Strt Add>--<Rec lgth>--<CHKSUM32>--<--Chunk Nbr 1 of nb0 image--->
Record 2 ->--<Strt Add>--<Rec lgth>--<CHKSUM32>--<--Chunk Nbr 2 of nb0 image--->
v - v
v - v
v - v
Record n-1>--<Strt Add>--<Rec lgth>--<CHKSUM32>--<---Last chunk of nb0 image--->
Last Rec-->-00-00-00-00-00-00-00-00-00-00-00-00 .* * * * * * * * * * * * * * * (The last record always ends with 12 bytes set to 0x0)
**************************************
Please note:
Record 0 and the last one are different
All data are encoded Little Endian!
**************************************
Using the command:
viewbin -r [myrom.bin]
Will give you the record content of your runtime image file.
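The record layout above, together with the split / checksum / join steps and the "find the last B000FF header in the upgrader exe" procedure from the earlier posts, as an added Python example that is not part of the original posts or of any tool named in the thread. It builds a runtime image from a flat nb0, locates images inside a container, and walks the records back while verifying each checksum, which is the same round-trip comparison suggested before flashing anything. Assumptions: CHKSUM32 is the unsigned 32-bit sum of a record's data bytes, records are not compbin-compressed, and the record length defaults to the 0x1FFE0 reported in the thread; all function names are hypothetical and the sample ROM is constructed.

```python
import struct

SIGNATURE = b"B000FF\n"      # 42 30 30 30 46 46 0A, as in the thread's Record 0
RECORD_LEN = 0x1FFE0         # record length the thread reports for the original ROM
END_RECORD = b"\x00" * 12    # last record: address, length and checksum all zero


def checksum32(data: bytes) -> int:
    """Assumption: CHKSUM32 is the unsigned 32-bit sum of the record's data bytes."""
    return sum(data) & 0xFFFFFFFF


def build_bin(nb0: bytes, start: int = 0, record_len: int = RECORD_LEN) -> bytes:
    """Wrap a flat nb0 image in B000FF records (every field little endian)."""
    out = bytearray(SIGNATURE + struct.pack("<II", start, len(nb0)))
    for off in range(0, len(nb0), record_len):
        chunk = nb0[off:off + record_len]
        out += struct.pack("<III", start + off, len(chunk), checksum32(chunk))
        out += chunk
    return bytes(out + END_RECORD)


def find_signatures(blob: bytes) -> list:
    """Offsets of every B000FF header inside a container such as an upgrader exe."""
    hits, pos = [], blob.find(SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(SIGNATURE, pos + 1)
    return hits


def parse_bin(blob: bytes, offset: int = 0, max_image: int = 256 << 20):
    """Walk the records starting at `offset`; return (start, nb0, end_offset).

    Raises ValueError on a bad signature, an implausible image length, a record
    that falls outside the declared image, a checksum mismatch, or a missing
    terminating record, so a bad cut is caught here and not on the device.
    """
    if blob[offset:offset + len(SIGNATURE)] != SIGNATURE:
        raise ValueError("no B000FF signature at offset %#x" % offset)
    pos = offset + len(SIGNATURE)
    if pos + 8 > len(blob):
        raise ValueError("truncated image header")
    start, length = struct.unpack_from("<II", blob, pos)
    pos += 8
    if length > max_image:
        raise ValueError("declared image length %#x is implausible" % length)
    image = bytearray(length)            # gaps between records stay zero
    while True:
        if pos + 12 > len(blob):
            raise ValueError("truncated: no terminating record")
        addr, rlen, csum = struct.unpack_from("<III", blob, pos)
        pos += 12
        if addr == 0 and rlen == 0 and csum == 0:
            return start, bytes(image), pos
        rel = addr - start
        if rel < 0 or rel + rlen > length:
            raise ValueError("record at %#x lies outside the image" % addr)
        data = blob[pos:pos + rlen]
        if len(data) != rlen:
            raise ValueError("truncated record at %#x" % addr)
        if checksum32(data) != csum:
            raise ValueError("checksum mismatch in record at %#x" % addr)
        image[rel:rel + rlen] = data
        pos += rlen


if __name__ == "__main__":
    # Constructed sample: a fake flat image, three full records plus a short one.
    nb0 = bytes((i * 7 + 3) & 0xFF for i in range(3 * RECORD_LEN + 100))
    runtime = build_bin(nb0)
    start, back, end = parse_bin(runtime)
    print("records round-trip:", back == nb0, "bytes consumed:", end)
```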
Trinca - just ran viewbin on samsung i750 image. chunks sizes are not 128kb each. looks like chunks are actually files from ROM in XIP format (executable in place, it is usual PE files but missing reloc table and something else). I bet we should use file deleting/adding/injecting utility like romtools one for ROM image manipulation which remains intact B000F header! I see no other way to recreate B000F.
Well, I guess your runtime differs from that on the i60x. In any case I know of a tool made by bepe the name of xipport, you can look at this thread and download it here:
http://forum.xda-developers.com/showthread.php?t=315030
The best thing I can recommend you to do, is to try to get the appropriate format of your runtime image.
trinca
unfortunately all version of xipport just crash with errors on my ROM dump.
ROM Dump
JugglerLKR:
Let's get acquainted with your procedure, and do not pretend to modify something, just to find out if the tools work:
a) Have you dumped the ROM from the phone or you just extracted it from the updater executable?
b) If you have just cut the ROM out of the executable, use the new cvrtbin posted before (which runs fine at start address 0)
c) Run Mamaich's prepare_imgfs, there are 3 possible options:
prepare_imgfs [yourROM.bin] will produce imgfs_raw_data.bin and imgfs_removed_data.bin
prepare_imgfs [yourROM.bin] -nosplit will produce imgfs_raw_data.bin and an empty imgfs_removed_data.bin
prepare_imgfs [yourROM.bin] -acer will produce imgfs_raw_data.bin and an empty imgfs_removed_data.bin, but this one is the only which has worked for the i60x
d) Now if you use viewimgfs then the dump directory will be created and the files will be extracted. It is only after this confirmation you may be assured the ROM extracted has the correct structure for manipulation. I got so much trouble using the old version of cvrtbin, that I am telling you to run these extra steps.
Now try to run the xipport tool on the above *.nb0 file. and tell us if you were successful. At this point if you are not able to run the xipport tool, then you may not have something usable. RomMaster and dumprom/dumpromx are also alternatives for working with xip modules, please remember all these tools are highly experimental and not bug-free!
trinca

HP Ipaq 6955....need Help

Hi,
I need help with my Ipaq 6955......i got a french version and i need a english rom to flash, i have tried the thread that talks about the 6915 but does not work...
Please help need a english rom for it and if some has a wm6 rom for this model please let me know
Welcome to the club!
http://forum.xda-developers.com/showthread.php?t=325051
Might help.
Anyways you (and I) need a Rom or rom upgrade that is in English (F*ckin HP doesn't provide it!!) Anyways P.M. I can give you the dumps of an English rom (I dumped it with pdocread (see link above) but I haven't tried to pdocwrite it so more or less its a shoot in the dark (dawn?) If you want more info about my dilemma see my last post in the above discussion. http://forum.xda-developers.com/showthread.php?t=325051&page=3
Anyways PM if you want those dumps
I guess there is another option available e.g. modify the registry and add some MUI files (Haven't researched that option yet)
To convert nb to nbf there is a solution, but some questions stay unanswered...
During an upgrade, RUU uses wdatas, which seems to use a signature (source: hermes forum...). We don't have information about wdata command availability in bootloader mode.
In fact, the English dump you made is a CEOS file with a header and some imgfs_removed_data.bin information.
I tried to use a dump to create a CEOS file which could be disassembled as any other ipaq69xx ROM, but RUU hangs and the upgrade fails.
If we could know why the upgrade fails (checksum test, signature...), we could try to find a way to bypass it.
After this step, it will be easy to cook some ROM.
One more problem is G3 and G4.... Is it supposed to be the same G3/G4 difference as for Wizard?
to b0ris747
In another thread earlier you gave this link http://forum.xda-developers.com/showthread.php?p=1480853
Just went through the whole thing - relevant but not helpful. For short:
1) Extracting the osrom.nb using pdocwrite. To be frank, I didn't like the usage of the -d flag (device name) and -p (Windows assigned) partition name. It makes things very confusing (if you try to actually follow the procedures, not only re-type them) because there are duplicates of device names (TrueFFS) and duplicates of partition names (Part00, Part01, etc.). If someone wants to understand the pdocread.exe flags and usage, please read the following thread where itsme explains it all: http://www.spv-developers.com/forum/showthread.php?t=2888
2) That thread describes a method to extract the directories of an OSrom image (using these tools http://forum.xda-developers.com/showthread.php?t=249836)
So this action helps to cook (modify the OSrom's files) and then put them back into .nb (.raw format that is not a flashable .nbf/nba)
3) Also describes how to extract various ROMs (Osrom, Extrom, RadioRom) from a different type of flashable ROM, .nbh. Basically (not getting into depths, just to better describe it) .nbh is a .nbf/nba ROM container used in flashable updates for other HTC devices. This procedure is completely irrelevant to Sable/hw6915, but we can skip that.
4) This next thing is quite interesting: hexediting your .nb non-flashable ROM file (in other words .raw) so that its header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/PDA device into thinking that the new cooked ROM is legit. This might come in handy someday.
5) The next step is to make a .nbh file container using HTC ROM Tool by Dark Simpson. This is completely irrelevant because sable does not use .nbh
Anyways that is as far as I go with my backup which cannot be restored.
pdocwrite
Right now I'm researching the possibility to just simply restore the osrom using the pdocwrite utility from the itsutils package. It seems the only simple, clear (and possible) option w/o cooking.
But I have some questions regarding that:
1) If my partitions are as follows :
63.94M (0x3ff0000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
51.22M (0x3337e00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
STRG handles:
handle f3f54ee2 51.22M (0x3337e00)
handle 93f54212 56.75M (0x38c0000)
handle 13f54026 3.19M (0x330000)
handle 33f54002 3.06M (0x30fc00)
What to dump: just the 56.75 megs from the 93f54212 handle, or all 64 megs I can access using this handle? As I understand it, the little partitions (the first little ones) are also part of the osrom, containing xip and spl, but I don't want to change the SPL or other things, just flash the Spanish ROM with a copy of an English hw6915 ROM, which also happens to have additional software like TomTom, for example.
2) And the second is about CID. Like b0ris, I'm also bothered about the G3/G4 thing. My bootscreen shows
English iPAQ 1.00.00
1.21UK
Spanish iPAQ 1.00.00
1.50
So I guess that I have G3 CID lock, but which tool should I use to unlock?
3) Can I even pdocwrite the OsRom when it is used by Windows Mobile? Though the guys developing aWizard say yes (I studied their bat file, which executes the same pdocwrite and pdocread utils) http://forum.xda-developers.com/showthread.php?t=252957&highlight=awizard
rx-8 said:
4) This next thing is quite interesting: hexediting your .nb non-flashable ROM file (in other words .raw) so that its header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/PDA device into thinking that the new cooked ROM is legit. This might come in handy someday.
I adapted tadzio tools and mamaich tools to fit the ipaq hw69xx ROM format. The problem is in the upgrade. Some checksum/certificate verification made the upgrade fail. I don't know if this comes from the RUU or from the device.
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
The question I would like to answer is: does the RUU tool send the checksum data to be verified on the device (hard to fix), or check it on the PC and then send it to the device (simple crack!)...
A simple way to answer it would be to upgrade the device using an official ROM, tell me what ROM you used (Orange, Bouygues, German, Spanish) and we'll see if the additional data is sent or not.
If you got the solution about this, I have some ROMs... ROM headers are OK, ROM can be decompiled as any official ipaq ROM (except the Orange one), but ROM cannot be upgraded...
Of course pdocwrite should write, but we have to find where the CID lock is
CID in hw6915
I think one developer may have the answer to our questions about the CID
wikidorg said:
Well, I took the French Orange sable_ruu, and it works every time when flashing my 6915... The only ROM for that update utility is in French.. I looked on the internet and I've found SPs from HP, downloaded all, but none in English... Just for fun, I've hexedited every one of these SPs' CEOS.nbf with that working French header from the original Orange sable update... Then I flashed using sable_ruu from the Orange package and I changed 3 or 4 different languages... it worked every time, all was OK... but still no English CEOS.nbf in order to change language to English using the same method... So now I am looking for the HP 6915 original softpack from HP, and that should also work in the same manner... If someone has it, I can give it a try... Meanwhile, that's no problem for German, Spanish, Italian and Dutch (I think) languages... These are the only softpacks I've found till now...
He explains some of his techniques in this thread http://forum.xda-developers.com/showthread.php?t=325051&page=3
b0ris747 said:
Of course pdocwrite should write, but we have to find where the CID lock is
It's a pity though he didn't mention what he'd done with the CID lock thing.
I already PM'd him this morning but no response yet. Let's just give him a little bit of time and hope for the best
b0ris747 said:
I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
And using the -nosplit flag my ROM was successfully prepared and after that viewed (e.g. extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed OK (many files, and the command line output in the txt file reached 3MB. I checked it too and there were no errors).
The making of the initial .nb file also seemed successful. Anyways, please post here what changes you have made to mamaich tools.
b0ris747 said:
Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
BTW my devices are original HP (one English and one Spanish) with no operator's contract bugging me. So please upload your English ROM to this forum, rapidshare or my FTP server.
You may want to open the below link in IE or some FTP client app.
ftp://xda:[email protected]:82
I would very much appreciate it because I only have my dumped .nb rom
rx-8 said:
What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836
if (argv[argc][1] == 'i')
{ rate=0x10089; step=0x10000; skip=0x89; }
it's in the last page of the mamaich thread, and I created a specific thread on the hw69xx forum
rx-8 said:
And using the -nosplit flag my ROM was successfully prepared and after that viewed (e.g. extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed OK (many files, and the command line output in the txt file reached 3MB. I checked it too and there were no errors).
The making of the initial .nb file also seemed successful. Anyways, please post here what changes you have made to mamaich tools.
Yes, the ROM stored in DOC is un-encapsulated, unlike current upgradable ROMs. That's one of the points that makes official ROMs upgradable. The other point is "What's contained in the unknown data zones, is it sent to the device for checksum verification or can we bust this verification by cracking RUU?"
rx-8 said:
Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file
Try to find some information... I didn't find any and used the same software as he used...
rx-8 said:
I would very much appreciate it because I only have my dumped .nb rom
There is another ROM dump available here on the forums
I can dump my 6965 ROM for you if you like. This is the Australian (English) model.
http://h10010.www1.hp.com/wwpc/au/en/sm/WF05a/1090709-1113753-1113753-1113753-1117925-12573438.html
Please dump bootloader too if possible.
If you can dump the bootloader part, it would be great to have it.
I'm asking this because in sable_RUU I'm seeing weird things
-The updater seems to be made for all hw6xxx series
-Very easy to track!
-Seems to be made for wdata command and wdatas command.
So my new question (the last one was: "are the extra data of the NBF sent to the device, or checked by sable_RUU?") is:
"In bootloader mode, do you have wdata command or wdatas command?"
And:
"Is it just for hw65xx devices (if confirmed to work) or is it because of some preproduction devices that have a special bootloader (like the HERMES)?"
And that's why having a backup of an unmodified bootloader would be great! Just in case we need it later!
dump using what?
Hi!
I know that it is impossible to dump the IPL using pdocread, so I can dump only the SPL (to be frank, I don't know the offset and size of the SPL), so if you can link me to an SPL dump manual that would be very nice. If not, I can give you my whole Osrom partition dump (including the xip and other stuff, the 6.25 megs before the real Osrom) (see my ftp rx-8_en_dump folder)
If you want me to dump the bootloader using bootloader mode, I must say that I wasn't able to access it (pressing action button+power+soft reset). Any suggestions?
Similar post on Sable flashing!
http://forum.xda-developers.com/showthread.php?p=2577170#post2577170

how to edit nk.nbf Files ?

i would like to edit nk.nbf files (of course just for personal use).
have searched hours for an editor, but I can't find anything useful.
plz help me !
AFAIR you should only generate nbf file using "kitchen", not edit them.
jakubd said:
AFAIR you should only generate nbf file using "kitchen", not edit them.
are you sure ?
I found this app that allows you to edit WM 2003 nbf files (sadly it doesn't work for 6.1 ROM nbf):
http://wiki.xda-developers.com/index.php?pagename=ER2003Edit
is there an other way to edit WM 6.1 images ?
(maybe i can drop them from the device in a format that can be open)
editing nbf files
Try this, it works a treat and will help you understand things a little more. Then you could read up on how to port it up a bit higher once you've learnt how it works. Hope this helps. Be careful when you CreatROM: read the text in the DOS window, the "free sectors"!!!! 0??? to 0001 is good, 0001 being full to the brim! (ffff????) is bad! If bad, do NOT flash to your device; start buildOS again and uncheck something else. Read the readme or guide file carefully. Also, explode has a kitchen out that's good; search for kitchen on this site, there's an assortment out there. Have fun. REMEMBER, be CAREFUL or you could brick your device, however you edit a ROM. Most times if you screw up you can flash a 2003 shipped ROM and all's well again, but if you flash a ROM that's far too big you will overwrite your boot sector and that's NOT GOOD
http://forum.xda-developers.com/showthread.php?t=331636
how can i dump a ROM ?
have read xplode's kitchen how-to, but I still have some questions:
which tool do I have to use to dump a ROM?
must the device be in boot loader mode?
must I perform a hard reset before putting the device in boot loader mode?
thank you for your help
dump rom
wmvfan said:
how can i dump a ROM ?
have read xplode's kitchen how-to, but I still have some questions:
which tool do I have to use to dump a ROM?
must the device be in boot loader mode?
must I perform a hard reset before putting the device in boot loader mode?
thank you for your help
I think I read something about dumping from the device! But it's very complicated to do, and if you get it wrong then it could damage your device. Buzz-dev has a program called grabit (see his site); it copies the ROM from the device to the SD card as a *.bin file, then you dump that; instructions are there. I have attached a zip I found on this site, modded a bit for my own use; it will dump BA or Hima. Put it in C:\ and right click it, select "extract here". PS (you need WinRAR, it's free, just search the xda site for it). My decompiler's not complete but should give you some idea of how it works. You say you've got explode's kitchen: follow his instructions and build his ROM. When it says put your device in boot loader, DON'T. Wait until the build is finished, press Ctrl + C, then look in the upgrade folder and you should find an nk.nbf. Copy this to the Swamp395Decompiler folder so you see it with PKGTool, then double click BA_Disasemble.bat. When that's finished, double click PKGTool.exe, then "File", "Open" from the menu, navigate to swampy395decompiler\dump, click OK, read the screen. Then when that's finished, menu "Tools", "Build packages"; you should have some missing files. If you look at the one called sys it should look similar to explode's kitchen!! Then spend some time reading the xda site. Good luck. Remember the risk is all yours, bla bla, no responsibility, etc.
I'm learning myself! But if I can help I will. I've been building my own kitchen. It's getting close but I've not got a booting ROM yet, but soon I HOPE
PPS pda viet rom Don't bump so well
swampy395
It works !
i easily put the nk.nbf file in C:\Swampy395Decompiler\ and start BA Disassemble.bat
a dos window opened and dump the rom in C:\Swampy395Decompiler\dump
all files of the rom are now in this folder and i can edit them.
but i have still some questions:
-how can i make a rom out of the files in \dump ?
-how can i edit registry files ?
-is there a way to change the rom language ?
greetings from germany
editing rom
wmvfan said:
It works !
i easily put the nk.nbf file in C:\Swampy395Decompiler\ and start BA Disassemble.bat
a dos window opened and dump the rom in C:\Swampy395Decompiler\dump
all files of the rom are now in this folder and i can edit them.
but i have still some questions:
-how can i make a rom out of the files in \dump ?
-how can i edit registry files ?
-is there a way to change the rom language ?
greetings from germany
Read these links and you'll find things. You'll have to do a lot of searches. *.reg files: open in Notepad, then save as Unicode, turn word wrap off. There's a lot to read, too much for me to explain here; these links should get you in the right area.
PS: if you find any good tutorials please send me a link, and as I find them I'll send them to you. Good luck. I've been reading some 4 weeks now; it's not so easy building a ROM, so I've found.
PPS: the tools I sent you copy and convert the default/user.HV files and initflashfiles.dat to the swampy395decompiler folder. I also posted a tool to edit initflashfiles, see
http://forum.xda-developers.com/showthread.php?t=394680
Search for kitchen, building ROMs, etc.; you'll find things like these
http://www.anichillus.net/index.php?topic=29.0
http://wiki.xda-developers.com/index.php?pagename=OEM Package Tutorial
Good luck, let me know how you get on
swampy395
swampy395 said:
Read these links and you'll find things. You'll have to do a lot of searches. *.reg files: open in Notepad, then save as Unicode, turn word wrap off. There's a lot to read, too much for me to explain here; these links should get you in the right area.
PS: if you find any good tutorials please send me a link, and as I find them I'll send them to you. Good luck. I've been reading some 4 weeks now; it's not so easy building a ROM, so I've found.
PPS: the tools I sent you copy and convert the default/user.HV files and initflashfiles.dat to the swampy395decompiler folder. I also posted a tool to edit initflashfiles, see
http://forum.xda-developers.com/showthread.php?t=394680
Search for kitchen, building ROMs, etc.; you'll find things like these
http://www.anichillus.net/index.php?topic=29.0
http://wiki.xda-developers.com/index.php?pagename=OEM Package Tutorial
Good luck, let me know how you get on
swampy395
Just a quick thought: you've got a kitchen and a ROM built in that kitchen. Put the ROM back together as it is in the kitchen, i.e. copy the layout. You'll find some *.rug files missing. Download other Himalaya kitchens and read the help and guide files on how to build a kitchen, and use explode's kitchen as a reference. See if you can put it back together without copying files out of explode's kitchen. If you manage that, then you should be able to make a higher build kitchen of your own. Good luck

[UTIL][UPG] TGTool 1.3

I'm proud to present a new version of tgtool with repack support.
I want to thank cotulla (DES) and viperbjk (PSAS); without their work this would not be possible.
WARNING: THIS TOOL IS UNTESTED. NOBODY KNOWS WHAT WILL HAPPEN
WARNING: FLASHING A ROM CREATED WITH THIS TOOL CAN BRICK YOUR PHONE
WARNING: FLASHING A ROM CREATED WITH THIS TOOL MAY VOID WARRANTY
WARNING: YOU ARE ASSUMING FULL RESPONSIBILITY FROM USING THIS TOOL
WARNING: WARNING WARNING WARNING
if you use this tool you use it on your own risk, i am not responsible if anything bad happens but strongly hope YOU ARE responsible and know what you are doing
Da Mafia has flashed a rebuilt but unmodified ROM and the phone works.
Da Mafia has done it again and again; because of him we know we are now close to having a custom ROM, so a big THANK YOU for risking your phone for us.
Novembre5 has flashed a 6.5.5 ROM that didn't boot; he has successfully recovered the phone using the pin method.
Changes:
1.3.20
- added -tg01
- added -t01a
1.3.19
- fixed bad unk0 in WMB3
- extra checks for -chk (partition signatures, length of rom, length of payload)
- repack/merge now automatically checks resulting rom
- added -dci to display catalog information
1.3.18
- added repack support
Example to check a rom file:
Code:
tgtool -chk TG01WP_5005000176.tsw
Example decrypt a rom file:
Code:
tgtool -dec TG01WP_5005000176.tsw tg01.bin
Example to extract payload from rom file:
Code:
tgtool -sp tg01.bin tg01.os.payload
Example to insert a payload in a rom file:
Code:
tgtool -mp tg01.os.payload tg01.bin tg01-new.bin
OR
Code:
tgtool -mp tg01.os.payload tg01.bin tg01-new.tsw
Copy note:
It is required for whomever uses this software and releases a ROM created with it to distribute a copy of the software and this copy note with released rom so rom integrity can be checked.
It is required for whomever uses this software and releases a ROM created with it to state that this software is a key part in building that ROM and that the ROM could not have been created without it.
It is required for whomever uses this software and releases a ROM created with it to test the ROM and make sure it is working.
It is required to inform potential users that ROM created with this software can permanently and irremediably damage the phone.
This software is provided as it is without any warranty of any kind, express or implied, not even that it does anything useful.
best wishes
cedesmith
FLASHING AND RECOVERY
Don't use sddl+, use the short pin method, as stepw (author of sddl+) stated here: "Now that entering SD download mode via shorting pins became public, SDDL+ is obsolete." Shorting pins is the Toshiba intended and tested mode to enter downloader mode and seems a little safer than sddl+.
There is info that the short pin method accepts .bin files.
To skip language check (SD Downloading failed. varient is invalid!!) rename .tsw to .enc
To enter downloader mode, bridge pin 1 and 3 and press reset. Release reset and keep the bridge for a few seconds. DO NOT PRESS RESET AGAIN. Check the screen and see what happens.
Secure your battery with duct tape; it can drop out very easily. If you use the short pin method it can drop while you turn the phone screen up. Since you will turn the phone just after you reset, it will be flashing the bootloader and the phone will be bricked forever.
Read more and make sure you know what you are doing.
The picture is from the 1st thread I found about short pin; unfortunately I can't remember where that is. If you can point me to it I would link it here.
During split of payload you will notice
Code:
Part 00 OS 00000273-0000078E (050F4000-0F98FFFF)
NOOPBlock 0017CA90-0018C210
NOOPBlock 004CD610-0056A210
NOOPBlock 0928E8D0-0A584210
NOOPBlock 0A6A5650-0A6AD000
this is because these blocks are filled with 0xFF, they have all data 0xFF, ecc 0xFF, sector number 0xFF and partition flag 0xFF.
i think that these blocks are to be ignored by download tool. the fact that SIM_SECURE catalog entry is all filled with 0xFF strengthens that belief.
if you follow my examples and you compare tg01.bin with tg01-new.bin you will notice that the files are almost identical.
They are not perfectly equal because once dumped, extra data like sector number and partition flag is lost, and there is no way to know if a block is full of 0xFF or not to be flashed (NOOP).
I think that NOOP blocks are there because partitions start at flash block boundaries, so there is some extra space in the partition that is not used, and it does not matter what is in it, so it is not overwritten by the flash process.
THIS IS ALL SUPPOSITION.
On merge, the content of the original ROM is preserved till WMB1 EXCEPT the file header, which I assume is not flashed. In this header only the catalog table entries for WMB1, WMB2 and WMB3 are modified.
I think that if the ROM will not boot, the short pin method may be able to flash the original ROM, as the part till OS is preserved.
Run -dec on the new .tsw file and file compare with the original to make sure they match till OS start, 0x050F4000 in the example above.
Don't take chances unless you know what you are doing and you have triple checked. This is untested stuff and may contain bugs.
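The pre-flash comparison described above (decrypt the new .tsw, then confirm it matches the original up to the OS start), as an added example that is not part of the original post or of tgtool. The sample files, `header_len` and the 0x400 offset are constructed assumptions; on a real image `os_start` would be the OS start printed by the split step (0x050F4000 in the example above), and the all-0xFF flag is only a heuristic for the NOOP blocks.

```python
import os
from typing import List, Tuple

CHUNK = 1 << 16            # read size only, not a flash geometry value
Range = Tuple[int, int]    # half-open [start, end) byte offsets


def diff_ranges(path_a: str, path_b: str, merge_gap: int = 16) -> List[Range]:
    """Byte ranges where two files differ; ranges closer than merge_gap merge."""
    ranges: List[Range] = []

    def add(start: int, end: int) -> None:
        if ranges and start - ranges[-1][1] <= merge_gap:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))

    size_a, size_b = os.path.getsize(path_a), os.path.getsize(path_b)
    common = min(size_a, size_b)
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        offset = 0
        while offset < common:
            n = min(CHUNK, common - offset)
            a, b = fa.read(n), fb.read(n)
            if a != b:                       # scan only chunks that differ
                i = 0
                while i < n:
                    j = i
                    while j < n and a[j] != b[j]:
                        j += 1
                    if j > i:
                        add(offset + i, offset + j)
                    i = j + 1
            offset += n
    if size_a != size_b:                     # tail present in one file only
        add(common, max(size_a, size_b))
    return ranges


def clip(ranges: List[Range], lo: int, hi: int) -> List[Range]:
    """Restrict ranges to the window [lo, hi)."""
    return [(max(s, lo), min(e, hi)) for s, e in ranges if s < hi and e > lo]


def is_all_ff(path: str, start: int, end: int) -> bool:
    """True if every byte of [start, end) is 0xFF (erased-flash fill)."""
    with open(path, "rb") as f:
        f.seek(start)
        remaining = end - start
        while remaining > 0:
            buf = f.read(min(CHUNK, remaining))
            if not buf or buf.count(0xFF) != len(buf):
                return False                 # short read or a non-0xFF byte
            remaining -= len(buf)
    return True


def check_repack(original: str, rebuilt: str, os_start: int, header_len: int):
    """Sort differences into header, protected (must be empty) and OS regions.

    header_len is a caller-supplied assumption; the post gives no header size.
    Each OS entry is (range, flag); flag is True when the original bytes there
    are all 0xFF, which fits the NOOP-block explanation in the post.
    """
    diffs = diff_ranges(original, rebuilt)
    end = max(os.path.getsize(original), os.path.getsize(rebuilt), os_start)
    return {
        "header": clip(diffs, 0, header_len),
        "protected": clip(diffs, header_len, os_start),
        "os": [(r, is_all_ff(original, *r)) for r in clip(diffs, os_start, end)],
    }


def build_samples(directory: str):
    """Write small constructed stand-ins for tg01.bin and tg01-new.bin."""
    os_start, header_len = 0x400, 0x20       # constructed, not real offsets
    header = bytes(range(header_len))
    boot = bytes((i * 7 + 3) & 0xFF for i in range(os_start - header_len))
    os_part = bytearray((i * 5 + 1) & 0xFF for i in range(0x400))
    os_part[0x100:0x140] = b"\xFF" * 0x40    # erased block in the original
    original = header + boot + bytes(os_part)
    rebuilt = bytearray(original)
    rebuilt[8:12] = b"\xAA" * 4              # rewritten catalog entry
    rebuilt[0x530:0x540] = b"\x00" * 16      # regenerated bookkeeping bytes
    tampered = bytearray(rebuilt)
    tampered[0x200] ^= 0x01                  # one bit changed before OS start
    paths = []
    for name, data in (("orig.bin", original), ("new.bin", rebuilt),
                       ("bad.bin", tampered)):
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(data)
        paths.append(path)
    return paths[0], paths[1], paths[2], os_start, header_len


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        orig, new, bad, os_start, header_len = build_samples(d)
        for candidate in (new, bad):
            print(candidate, check_repack(orig, candidate, os_start, header_len))
```

A non-empty "protected" list means the rebuilt image changed bytes between the header and the OS start, which is the region the post relies on for recovery.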
***reserved***
Congratulations cedesmith, we are very proud of you. I hope we all can start to develop ROMs properly. Thank you for all your effort!
Just one question, is there any way for testing the rom package like you tried to do in your first release?
yeaaahhhhhhhhhhh!!!.........
Do you think we can flash custom ROMs now??????
did someone try it??
arag0n85 said:
Just one question, is there any way for testing the rom package like you tried to do in your first release?
sure
Code:
tgtool -chk tg01-new.bin
TGTool v1.3.18 copyright(c) 2010 cedesmith
Checking tg01-new.bin has completed without warnings
but keep in mind that it checks only for things i know and i observed in official roms.
There is no guarantee that it will not brick the phone, but if it fails it raises big question marks
Hamido123 said:
yeaaahhhhhhhhhhh!!!.........
Do you think we can flash custom ROMs now??????
did someone try it??
i hope we will have custom roms. i didn't have the guts to try it. i hope you don't either.
have patience and don't do something stupid
WOW, good work!
Yihaaa, soon we'll have a cooked ROM, thanks to you!
Superb work done, hopefully donations will follow
Thanks cedesmith!
This is a milestone in the Rom development for our TG01.
We're now able to create custom Roms. And I'm sure, that someone will try this very soon and will tell us, that he flashed a WM6.5.3 without problems
I'll wait until hdubli creates a Rom. I trust him and he said, that he is sure, that he's able to boot WM6.5.3.
Hope you get more donations. I donated directly on the first day you placed the link in your signature. (ID: 7M1172384A419273S)
Best regards,
Manuel
I got one question cedesmith.
I remember that hdubli said that we need to change the XIP also, and not only the payload, in order to get WM6.5.3 working.
But for me it seems, that it's only possible to customize the payload and then create a new .bin or .tsw file with your tool at the moment.
So don't we need to customize the XIP or is that the next step of your development?
Here's hdublis post: http://forum.xda-developers.com/showpost.php?p=5886393&postcount=111
Best regards!
Congratulations cedesmith!
Thank you very much cedesmith. I was missing a bit today but tomorrow I will try to make a ROM.
Some questions: does the new payload length need to be identical to the original one, or does the packing process take care of it? If it needs to be, I can manually fill the rest with FF to be sure. Anyway, at the end of the original payload there is spare space with FF.
....the xip.bin is included in the payload. It first needs to be extracted, then ported and then injected into the final new payload (after SYS and OEM files were modified/excluded)... but it can happen that the new ROM will also boot with the old XIP, just then the version shown will be a mixture between the old and new one. And maybe some malfunctions... but not necessarily (I already made ROMs for the ASUS P552 in such a way at the beginning of my cooking... but after that I learned more)
...AND A BIG THANKS TO hdubli , I learned a lot from his ROMs
cedesmith said:
a word about short pins:
Yesterday I updated to the official UK ROM and tried the short pins method for it. It didn't work. sddl+ worked.
Short pin checks the file as TG01_SDDL.exe from Toshiba does, so if the OS does not boot and SD Downloader works you may not be able to restore the original ROM.
I think it is better not to use sddl+ to flash cooked ROMs as it seems it skips some checks. Instead flash original IT debranded with sddl+, then flash the unbranded cooked ROM with TG01_SDD or pins (file should be named correctly?)
All this info is for chefs/developers who are willing to test (and sacrifice phone) not for users. I strongly suggest that users don't use it.
i cannot stress enough how dangerous this is.
when shortcutting pins as far as I remember you need to rename the .tsw file in .enc in order to skip the language check.
payload contains WM partition table, boot partition, xip partition, imgfs partition, fat partition (user storage).
For me ImgfsToNb cut off the FAT partition from the payload, so ROMs will probably not boot as there is nowhere to save configuration files?
osnbtool seemed to put everything back together nicer.
My hopes are with hdubli right now, as he previously announced he is willing to make a ROM and to try it.
Packing should take care of everything as it relies on info from the partition table. There is no need to do anything manually. I was just explaining why an unmodified rebuilt ROM is a little different from the original.
The main idea is that the original ROM knew that the extra FF are filler and there is no need to waste energy writing them to flash, while tgtool does not.
At least that is what I suppose.
@ABM30 and others: please do not make and release a ROM till someone tests it on a phone and we are sure it does not brick anything. People will download and flash without reading the warning and we might end up with a lot of angry people.
cedesmith
congratuations for your work and the perfect result.
i think you deserve all the respect of us all, you are the real hero for us,becasuse you do so much for us and for this forum.
in compare I want to say I am disappointed for someone other,some people do much and say little,but some people do little and say so much.
cedesmith:Can you make a tgtool version for japanese rom .it has a tsd (toshiba docomo) file not tsw(toshiba worldwide) file? http://update.toshibamobile.com/update/t01a/wm65/T01A_to_SP50_wm65.exe or tell us what are the differences between them?The T01A users really want to flash English Rom but they can't do that....
this is great news,i may get a tg01 now and sell my x1.Do you think you can port a HTC leo Rom now
mr.mike said:
cedesmith:Can you make a tgtool version for japanese rom .it has a tsd (toshiba docomo) file not tsw(toshiba worldwide) file? http://update.toshibamobile.com/update/t01a/wm65/T01A_to_SP50_wm65.exe or tell us what are the differences between them?The T01A users really want to flash English Rom but they can't do that....
Hoping cedesmith can think about this, because many people use japanese tg01
hi cedesmith
thanks for the tool, I cooked the ROM.. but when flashing, the SD updater says "invalid file"
the cooked ROM size is 234564kb and the original latest TG01 UK ROM size is 253572kb
I checked with a hex editor as well and the -chk option.. cannot see anything different.
I just cooked the existing ROM first, as it is, to see if it boots or not. Maybe we are missing a header? Because of the size difference?
hdubli said:
hi cedesmith
thanks for the tool, I cooked the ROM.. but when flashing, the SD updater says "invalid file"
the cooked ROM size is 234564kb and the original latest TG01 UK ROM size is 253572kb
I checked with a hex editor as well and the -chk option.. cannot see anything different.
I just cooked the existing ROM first, as it is, to see if it boots or not. Maybe we are missing a header? Because of the size difference?
VOW, hdubli can my japanese tg01 can use your rom too? maybe I can test it in my device...
