I did a dump of non-xda device running CE 4.0 .net and am trying to extract the individual files. Here is the first 3F bytes:
00000000 4230 3030 4646 0A00 0022 0068 F5F5 0100 B000FF...".h....
00000010 0022 0010 0000 0057 0700 0090 9090 90E9 .".....W........
00000020 0F2F 0000 9090 9090 9090 9040 0022 0008 ./[email protected]"..
00000030 0000 0087 0200 0045 4345 432C B217 8200 .......ECEC,....
I have tried to used splitrom.pl to put convert to a format that dumprom.exe would like.
"splitrom.pl dtr.bin -wo out.bin" creates empty binary file
and..
Webpad_CE4>splitrom.pl dtr.bin
B000FF image: 00220000-0217f568, entrypoint: 00222f18
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
Microsoft's viewbin.exe yields plenty of good results, but I am not sure how to apply them to splitrom.pl and dumprom.exe. Knowing starting starting offsets and lengths of individual files in ROM, can I manually extract/decompress files from ROM. Do I need the XIP chain to do this?
Thanks!
Success using dumprom on B000FF file type (non-xda)
Had to convert the nk.bin to a file that dumprom recognized using the platform builder tool "cvrtbin.exe" This created a nk.nb0 file that was dumped with dumprom.
Image start and length parameters for cvrtbin was obtained using viewbin.exe
cvrtbin.exe -r -a 00220000 -l 01F5F568 -w 32 nk.bin
Then I could dump the files using dumprom:
dumprom -3 nk.nb0 -d c:\dump
Had to use -3 decompression option even though this is a win ce 4.0 .net rom.
I have a Rom
http://www.dopodasia.com/download/RUU_1.32.707.0_DOPODWWE_Ship.exe
I use WinRAR open the RUU_1.32.707.0_DOPODWWE_Ship.exe,I find the nksigned.nbh. Rename to nk.nbh.
1. cmd
D:\tt2>NBHextract.exe nk.nbh -v
=== NBHextract v1.0
=== Extract contents from HTC NBH files
=== (c)2007 xda-developers.com
=== by: pof & TheBlasphemer based on itsme perl scripts
Device: StarTrek
CID: DOPOD001
Version: 1.32.707.0
Language: WWE
Extracting: 00_G3IPL.nb
Extracting: 01_G4IPL.nb
Extracting: 02_SPL.nb
Extracting: 03_GSM.nb
Extracting: 04_ExtROM.nb
Extracting: 05_MainSplash.nb
Encoding: 05_MainSplash.bmp
Extracting: 06_OS.nb
rename 06_OS.nb to OS.nb
2.
D:\tt2>NBSplit -hermes OS.nb
NBSplit 2.0 RC 2
Done.
3.
D:\tt2>ImgfsFromNb OS.nb.payload imgfs.bin
ImgfsFromNb 2.0 RC 2
Searching for IMGFS start...
Found IMGFS at 0045e860.
Dumping IMGFS at offset 0045e860 (size 02217a08)
Done!
4.
D:\tt2>ImgfsToDump imgfs.bin
ImgfsToDump 2.0 RC 2
guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: LZX
dwFreeSectorCount: 00002B22
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000
Address: 00000200, dwBlockSignature: FFFFFEFE
dwNextHeaderBlock: 00000000 (size: FFFFFE00)
Header type: 00000270, Addr: 00000208
Unknown header type, FS_DATA_TABLE??
Header type: 00760070, Addr: 0000023C
Unknown header type, FS_DATA_TABLE??
Header type: 000002A4, Addr: 00000270
Unknown header type, FS_DATA_TABLE??
Header type: 000002D8, Addr: 000002A4
Unknown header type, FS_DATA_TABLE??
Header type: 0000030C, Addr: 000002D8
Unknown header type, FS_DATA_TABLE??
Header type: 00000000, Addr: 0000030C
Unknown header type, FS_DATA_TABLE??
Header type: 000003A8, Addr: 00000340
Unknown header type, FS_DATA_TABLE??
Header type: 0072006F, Addr: 00000374
Unknown header type, FS_DATA_TABLE??
Header type: 00300053, Addr: 000003A8
Unknown header type, FS_DATA_TABLE??
It's defeated .What can I do??Please Help me! Thanks!!!
no one can help me?
Introduction:
The SPro uses DA80 images along with the DA80 Download tool to factory fix/flash SPros.
It's the analog of using QDLtool for the S5/V and the equvilent of NVflash payloads for the S7/S10.
Unlike qdltool or nvflash payloads, DA80 images are not their consitutant files.
In file archiving teminology it's a solid archive with no compression.
File layout:
Code:
DA80 image layout
0x0 - 0x39 empty space
0x40 - 0x7f header
0x80 - 0xbf entry1
0x192 - 0xff entry2
...
0x40+64n - 0x7f+64n entryn
...
0x7f+64n+1 - <file 1 offset>-1 file1
<file 1 offset> - <file 2 offset>-1 file2
...
<file n offset> - <file n offset>-1 filen
entry layout
0x0 - 0x31 filename
0x32 - 0x63 size of file (offset) [in bytes (little-endian)]
(My math in the explanation might be wrong, but it's explaination below is definitely correct)
Explaniation:
20 bytes of empty space at beginning of file
header
Filename equvilent: DA80_android
Filesize equvilent: 0x13 bytes
file entries
File name
Size of file (ie it's offset), in bytes, in little-endian
Actual files
There's no padding at all, each file immediately ends and the next one begins.
There's no absolute addresses for any of the files, it's merely
file1+offset = file2
file2+offset = file3
until the end.
Conclusion:
Overall it's a simple file format with no error checking, encryption, or obfuscation.
As a note: the ext4 files inside DA80 images are actual ext4 sparse files.
They must be run though a tool such as sgs2toext4.jar to be read by some ext4 file readers (such as ext2explore)
Before:
XIP.BIN Target Size: 00435B00 AdjSize: 0043FFFF
ULRD in Payload Start:00000400 Size:0001F3FF End:0001F7FF
XIP in Payload Start:0001F800 Size:0046DFFF End:0048D7FF
IMG in Payload Start:0048D800 Size:04D267FF End:051B3FFF
FAT in Payload Start:00000000 Size:00000000 End:00000000
After:
XIP.BIN Target Size: 00435B00 AdjSize: 0046DFFF
ULRD in Payload Start:00000400 Size:0001F3FF End:0001F7FF
XIP in Payload Start:0001F800 Size:0046DFFF End:0048D7FF
IMG in Payload Start:0048D800 Size:04D267FF End:051B3FFF
FAT in Payload Start:00000000 Size:00000000 End:00000000
XIP PagePool Sign not Found!
XIP PagePool from: 16 Mb, to: 20 Mb
Payload resized and XIP Inserted into: OS-new.nb.payload
ERROR! (errorlevel: -1073741819)
ERROR executing: kitchen_build_rom.bat
ERROR!!!
Wait some seconds...
No ''SVN'' folders present...
Restored Original config.txt...
Temp config.txt Deleted!!!
...?
This tutorial is about making a custom ROM for ATIV S or any other Samsung WP8 phone.
Samsung ROM files:
.wp8 - main file with OS and boot
.csc - file with regional info
.smd - ROM for WP7 devices
All those files have (almost) the same format. I call it SMD. Old .smd file can be unpacked using this instruction, back in time smd-tool was made for it, but format changed slightly. This process was only tested on ATIV S.
CSC
.csc files aren't flashed to device, those are just containers for MBN files. And MBN files are copied to DPP during flashing process.
AS ALWAYS YOU ARE MAKING THIS ON YOUR OWN RISK! AND GOOD LUCK
Tutorial contents
Basic:
Making custom CSC (.mbn)
Extracting SMD
How to work with "packed" partitions
What to edit in ROM
Packing SMD
Advanced:
Making CSC from MBN
Making developer ROM
Making custom CSC (.mbn)
Software
sam-tools
Any tool for mounting drive images (OSFMount)
MBN Creator
MBN Creator is a kitchen itself. It has some limitations, but creating MBNs with MBN Creator is very easy. This method is described in the end.
Unpacking CSC files
Official CSCs come in .csc files. Use smd-tool to unpack file.csc to csc_dump folder:
Code:
smd-tool /u file.csc /d csc_dump
Now mount DPP.bin and copy CSC.mbn file from it. Unmount DPP then.
Code:
\Samsung\CSC\CSC.mbn
Now use mbn-tool to extract files from csc.mbn to mbn_dump folder:
Code:
mbn-tool /u csc.mbn /d mbn_dump
Every folder in mbn_dump is for one CSC code. There are 4 files inside every folder (AUT for ex.):
SS_AUT.ini - init values for welcome screen (first boot). Language, region, timezone and carrier.
SS_AUT.reg - registry file.
SS_AUT_AppInstall.provxml - PROVXML file with (and only) install app instructions.
SS_AUT_CSC.xml - PROVXML file.
Warning! There is a size limit for any file ~50KB. MBN itself is limited to DPP free space.
Packing MBN
Code:
mbn-tool /p mbn_dump /f my.mbn /ver I8750OXXCMK2 /subver OXX
CSC version (I8750OXXCMK2) should be greater or equal to your ROM version. Otherwise it will be ignored. DOC2 CSC will work on CMK2 ROM, but not vice versa!
Warning! Official DNI and DOC ROMs don't support custom MBNs.
Using MBN Creator
You can apply predefined tweaks from 1st tab or add your own directly into files. Last tab contains MBN file properties. MBN Creator is limited to only one CSC code.
You can check your work in
Code:
MBN Creator temp
folder. Output file is CSC.mbn.
Flashing MBN with MBN Creator
Reboot phone into Download Mode
Connect to PC and install drivers
Copy or create CSC.mbn file
Press Flash, Scan
Choose CSC code and press Flash
All done. Reset phone. Perform HR if MBN didn't apply.
Warning! MBN Creator can't flash files larger than 64KB.
Flashing MBN with stock Downloader
Open .wp8 and .mbn files
Check "Select" and uncheck everything but "CSC"
If flasher asks you about something click NO
Extracting SMD
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Unpack file.wp8 to dump folder
Code:
smd-tool /u file.wp8 /d dump
Output example:
Code:
Partition name NAND off N size ROM off R size Part. ID Type Status
GPT 00000000 00000800 00200C00 0000FC00 00000000 00000000 [ OK ]
SECURE 00000800 00000800 00210800 00000400 00000001 00000000 [ OK ]
DPP 00001000 00004000 00210C00 00800000 00000002 00000000 [ OK ]
SBL1 00008000 00000BB7 00A10C00 0016A400 00000003 00000000 [ OK ]
SBL2 P 00009000 00000BB7 00B7B000 0016A400 00000004 00000000 [ OK ]
SBL3 0000A000 00000FFF 00CE5400 001F8000 00000005 00000000 [ OK ]
UEFI S 0000B000 00001387 00EDD400 00207C00 00000006 00000000 [ OK ]
RPM 0000D000 000003E7 010E5000 0006E400 00000007 00000000 [ OK ]
TZ 0000E000 000003E7 01153400 0006E400 00000008 00000000 [ OK ]
WINSECAPP 0000F000 000003FF 011C1800 0007E000 00000009 00000000 [ OK ]
PLAT 0001A000 00003FFF 0123F800 00742800 0000000A 00000000 [ OK ]
EFIESP 00020000 0001FFFF 01982000 0094A400 0000000B 00000000 [ OK ]
MMOS 00046000 0002403F 022CC400 0440B800 0000000C 00000000 [ OK ]
MainOS 0006C000 004B295F 066D7C00 61F20000 0000000D EACCE221 [ OK ]
Data 00520000 01838FFF 685F7C00 02920000 0000000E EACCE221 [ OK ]
Output files:
header - header of SMD
GPT - partition table
PLAT, EFIESP, MMOS - partitions with FAT file system
MainOS and Data - NTFS partitions
other files - bootloader and other low level stuff
DPP partition isn't flashed to phone. In wp8 file it's empty.
EACCE221 means that partition is packed.
How to work with "packed" partitions
Software
sam-tools
Any tool for mounting drive images (OSFMount)
Unpack
Large zero areas are cut off from those partitions. image-rebase can restore such files.
Code:
image-rebase /u MainOS.bin /o MainOS.img
You can now mount and edit MainOS.img.
Warning! Data partition is very large and almost empty.
Pack
First of all slice image file:
Code:
image-rebase /s MainOS.img /z 2048
This command will cut off zero areas larger than 2048 sectors (1MB).
MainOS.img.xml is a template file.
Now you can glue files together using template:
Code:
image-rebase /p MainOS.bin /t MainOS.img.xml
What to edit in ROM
CSCMgr
This service applies MBN file. The idea is to downgrade it to CMK2 (GDR3) version. To do so replace those files:
system32\CSCMgr.dll
system32\CSCMgrSvc.dll
system32\drivers\CSCMgrSvc.dll (yes, it's a copy)
FCRouter
This service is used by Samsung system tools to perform actions with high privileges. Files:
system32\FCRouter.dll
system32\FCRouterProxy.dll
system32\drivers\FCRouter.dll
system32\drivers\FCDriver.dll
Registry hives
Code:
system32\config
You can edit those hive as you want. But HR will destroy all you work.
OSRepack
It a simple tool to work with packages on mounted partitions. Available here.
SDelete
There is a tool called SDelete which can fill all free space on a drive with zeros.
Code:
sdelete -z X:
Very useful for non-developer ROMs.
Packing SMD
Software
sam-tools
Hex editor (HxD)
Pack MainOS image
Code:
image-rebase /s MainOS.img /z 2048
image-rebase /p MainOS.bin /t MainOS.img.xml
Prepare SMD header
It's not really a header but a first part of file. This file can be used as template for your later work. It contains all partitions except MainOS.
Code:
smd-tool /info file.wp8
This command will give you some info about SMD file structure. Open it in hex editor and copy all data up to MainOS ROM offset to a new file. Add Data.bin to this new file.
There are some structures at the start of file. For example:
4D 61 69 6E 4F 53 00 00 00 00 00 00 00 00 00 00
00 C0 06 00 5F 29 4B 00 00 7C FF 08 00 0E AD 61
1F 1F 1F 1F 00 00 00 00 21 E2 CC EA 00 00 00 00
2B C2 5E C9 6A 2F 0B E1 6F 1C 95 FC 49 FF E9 FD
Start and length are colored.
Warning! Those numbers are little endian (12345678 = 78 56 34 12)
Replace Data Start with MainOS Start. You can use Ctrl+C & Ctrl+B (copy and paste with replace).
Replace MainOS Start with length of this (template) file.
Save file.
Adding MainOS
Add MainOS.img to your template.
Replace MainOS Length with length (in bytes) of MainOS.bin file.
Replace 16 bytes at offset 0x50 with zeros.
Count MD5 hash of the file (HxD can do it) and write it at 0x50 (^C & ^B).
Save this file as .wp8
You can check numbers you entered with following command:
Code:
smd-tool /info custom.wp8
Warning! This .wp8 file can only be flashed with Downloader v3.54
Making CSC from MBN
Software
Hex editor (HxD)
Pack
Open CSC file in HxD.
At 0x00A00C00 it has MBN file contents.
Replace it with your MBN and fill rest of the CSC with zeros.
Warning! This file can't be unpacked with this instruction because FAT is broken. You can unpack it manually.
Correct MD5 as you did for WP8 file.
Warning! This CSC can fool Downloader but not phone. New CSCMgr will still ignore custom MBN.
Making developer ROM
Such ROMs can be directly mounted with OSFMount.
This command will pseudo slice MainOS.img:
Code:
image-rebase /s MainOS.img /z 4000000
Entire partition will be in one piece.
If you pack SMD with this file you can mount it and edit without repacking SMD.
In OSFMount enter offset equal to MainOS ROM offset + 0x1000.
Don't forget to recalculate MD5 after edit.
OMG, WOLF! People tell me that my tutorials are too long. But you are a true match for me!! :highfive:
Congrats on this great achievement! :victory:
Wow! Huge thanks for rewriting these tutorials in English; I wasn't expecting you to do it so soon! Can't wait to play around and to see what others come up with.
I play around with the replacement of files FC Router + WP8 Diag on my GT-I8750 (from the SM-W750V, SPH-I800, SGH-I187, SGH-T899M), in the end everything works.
Powered mode Smart Download.
so I could be possible to use ATIV S version of CSCMgr on SE. And SE then will have custom MBN
Yea, that's what I gathered from the info as well. Unfortunately I won't have time to try this out for another 4-7 days but I'll let you know if I do. And if you (or anyone else) feels like whipping it up and you need someone to try it, shoot me a PM.
Added info about sdelete and OSRepack to "What to edit in ROM"
I have an idea to record full process of ROM making and upload it on Youtube. Will it be useful?
Added poll.