Database Users

[HSPL/SSPL][DISCUSSION] Hacking SPL [SSPL works - now flashing HSPL/closed testing]

Well this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded sparely? We're just waiting until olipro, cmonex (bless their work!!! ) or some other mod finishes the Hard-SPL.
If this is an illegal talk or something then just delete my thread..
I find this is an interesting topic.. So why not colaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I ever liked hacking embedded devices, but my knowledge in these things is not so good. Would like to dig more into this and solve this kind of mystery
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone and pmemdump, a tool to dump memory areas of the phone to disk.
This rises the question of how to find out the address, where the SPL lies in our LEOs and then how to dump it?
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But i have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking i am giving an update of my research now (of course cmonex will finish that work, and she will do it good, but as you probably know, i want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as i understood the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere and as our SPL would execute, it would crash, because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard coded references to data (such as strings etc.) in code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL i obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which i just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and let's you step through the instructions. Really nice, if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talking. Thanks

Thanks to share this information with the comunity.

Feel free to investigate and and have a go for it.
The itsme utils are extremely useful,
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you got your SPL, you can read Jockyw2001's posts regarding bootloaders dissembling in IDA pro.
The actual patching of the SPL isn't the hardest part, Cmonex once told that the development of the Soft SPL was trickiest part.
Regards, and good luck.
EqX

Thank you.. I will have a go for it, when i have more time. It's over for today..

Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them but there must be also people around who can give a hand to accelerate the process. No ?

on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.

mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
Did you install activeperl ?

yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?

mr.vandalay said:
yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?
Click to expand...
Click to collapse
You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you cant use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that pl file you see that there is no entry for LEO. We need the LEO key.

I replied to your PM about dumping SPL 0x95000000

mr.vandalay said:
on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.
Click to expand...
Click to collapse
sorry this will never work on Leo. I can make the goldcard for you though (for a small donation)

Thanks a lot cmonex, for your PM, hope to flash my Holand device onto a WWE device to better understud.

just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?

Tung_meister said:
just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?
Click to expand...
Click to collapse
Yes, it should be

umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Someone can help?

kholk said:
umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Someone can help?
Click to expand...
Click to collapse
You're not the only one. Currently working it out with cmonex.

just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2

mr.vandalay said:
just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2
Click to expand...
Click to collapse
Welcome to the club of dutch rom refugees

cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.

cidriver said:
cmonex helped me and i just finish to flash my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.
Click to expand...
Click to collapse
She.. She's female!

[SOLVED] problem compiling rom in ervius kitchen

hello everyone, im using ervius kitchen 1.8.2
and getting error while compiling rom after picking all packages on executing
kitchen_build_rom.bat
ERROR: errorlevel:1
im running xpsp2, net3.5
can anyone help me with that?
rom is official, of course
this error appears on every compilation, even right after dumping official rom

aZzz.bZzz said:
hello everyone, im using ervius kitchen 1.8.2
and getting error while compiling rom after picking all packages on executing
kitchen_build_rom.bat
ERROR: errorlevel:1
im running xpsp2, net3.5
can anyone help me with that?
rom is official, of course
this error appears on every compilation, even right after dumping official rom
Click to expand...
Click to collapse
oh have u added new sources and new build...
if yes then check netcf and wince_nls must be in sys>shared>common
then still persist let us know....

yes, im trying to update build 21887 to 23549 and yes, both packages exist and included
NetCF and WinCENLS_WWE

aZzz.bZzz said:
hello everyone, im using ervius kitchen 1.8.2
and getting error while compiling rom after picking all packages on executing
kitchen_build_rom.bat
ERROR: errorlevel:1
im running xpsp2, net3.5
can anyone help me with that?
rom is official, of course
this error appears on every compilation, even right after dumping official rom
Click to expand...
Click to collapse
Open kitchen_build_rom.bat in the 'tools' folder of your kitchen with a text editor:
Search for this lines:
Code:
set DSM_TEMPLATE=%dsm%
set DSM_INCLUDES=*
REM **************** TOOLS\platformrebuilder.exe
if not "%errorlevel%"=="0" goto error
And change it to be like this:
Code:
set DSM_TEMPLATE=%dsm%
set DSM_INCLUDES=*
REM **************** TOOLS\platformrebuilder.exe
REM **************** if not "%errorlevel%"=="0" goto error
take care

YES, it works, thank you, dotcompt

I'm with this error on x1 kitchen:
Processing "AudioFilterTable.csv" as file
Processing "AudioPara.csv" as file
Processing "AudioPara3.csv" as file
Processing "AudioPara3_Boot.csv" as file
Processing "AudioPa
ERROR! (errorlevel: -1073741819)
ERROR executing: kitchen_build_rom.bat
ERROR!!!
Wait some seconds...
No ''SVN'' folders present...
Restored Original config.txt...
Temp config.txt Deleted!!!
Somebody know why?

Please help HOW TO COOK MY OWN WM6.5 ROM

Hello ewerybody,
I need help. Can you tell me what all is needed
to make wm6.5 ROM?
I have WM 6.5 standard SDK, bud no lasdscape mode is supported

you will need a to port a wm 6.5 ROM from the S730 i don`t realy know it haves one but you will need a kitchen from there if it is and modify to adjust to the S740 for more information about how to do this please say it and i will give you all the informations i have

...i cannot found Wings ROM Kitchen, but i found kitchen for VOX. Is possible modifi this vox kitchen to use for Rose ?
Frauhottelmann Vox Kitchen 1.2:
http://forum.xda-developers.com/showthread.php?t=551366

Sorry for the late here you have the links to some tutorials hope that helps i wanted to cook a rom to but ain`t got time right now..good luck and keep us with the news how does the job goes
http://forum.xda-developers.com/showthread.php?t=406721#4
PS:this is for the elf but the basic things are the same

Okay, i found wings kitchen.
I edit it, flash to my Rose cooked 6.5 ROM with no problems, BUT :
RUU.nbh has only 67MB
Phone starting and make restart and restart and restart
here is my log:
======================================================
= S740 Rose kitchen v1.0test =
======================================================
Creating 'dump' folder...
Folder created...
Launching BuildOS:
Select packages and run...
when done Exit BuildOS
!!!DO NOT CLOSE THIS WINDOW!!!
BuildOS has finished
Continuing...
Processing data, please wait...
Processing...
Dump completed successfully - ready to compile image
Launching CreateROM.bat
File not found - temp\dump\*.brn.
File not found - temp\dump\*.kbd.
*********************************************************
* CreateROM.bat *
* Compiled from Bepe's Heremes 6.1 Kitchen CreateROM.bat*
* and Aichillus' Core Kitchen Build_ROM.bat *
* by Cornholio GSM *
* 12.4.2010 *
*********************************************************
Copying OS.nb.payload...
System cannot found this file.
Completed copying - continuing
Initial processing...
Processing complete - continuing
Creating image, please wait...
ImgfsFromNb 2.1rc2
Could not open input file 'OS.nb.payload'. Aborting.
ImgfsFromDump 2.1rc2
Input file imgfs.bin cannot be opened. Exiting.
ImgfsToNb 2.1rc2
Using bigstorage mode
Input file imgfs-new.bin cannot be opened. Exiting.
NBMerge 2.1rc2
Could not open input file 00_OS-new.nb.payload
Cannot found C:\Kitchen_WINGS_21234-21234-131dpi\Kitchen_WINGS_21234-21234-131dpi
\temp\imgfs-new.bin.
Cannot found C:\Kitchen_WINGS_21234-21234-131dpi\Kitchen_WINGS_21234-21234-131dpi
\temp\imgfs.bin.
Cannot found C:\Kitchen_WINGS_21234-21234-131dpi\Kitchen_WINGS_21234-21234-131dpi
\temp\OS.nb.payload.
Cannot found C:\Kitchen_WINGS_21234-21234-131dpi\Kitchen_WINGS_21234-21234-131dpi
\temp\OS-new.nb.payload.
Processing complete.
Moving os-new.nb to \tools\htools directory
System cannot found this file.
The file "os-new.nb" has been created and is in the dump folder
Now we need to generate the file that is written to your phone
Follow these directions when the NBH Tool opens:
* Select "NB to NBH"
* Click the browse button for OS
* Select the "os-new.nb" (Tools\HTools)
* Save it on your Desktop
* After adding extra (if any) components, click "Generate NBH File"
* Close NBHTool once complete
NBH Generator ver0.1 by bot
OS-New.nb
Completed.
The rom is in \RUU folder
Press any key to continue...
And here is my CreateROM.bat
echo.*********************************************************
echo.* CreateROM.bat *
echo.* Compiled from Bepe's Heremes 6.1 Kitchen CreateROM.bat*
echo.* and Aichillus' Core Kitchen Build_ROM.bat *
echo.* by Cornholio GSM *
echo.* 12.4.2010 *
echo.*********************************************************
echo.
echo.
echo Copying OS.nb.payload...
echo.
echo.
copy ROM\OS.nb.payload temp\OS.nb.payload
echo.
echo.
echo.Completed copying - continuing
echo.
cd temp
echo.
echo.
echo.
echo.Initial processing...
echo.
echo.
echo.Processing complete - continuing
echo.
echo.
echo.Creating image, please wait...
echo.
echo.
echo.
..\TOOLS\ImgfsFromNb OS.nb.payload imgfs.bin
..\TOOLS\ImgfsFromDump imgfs.bin imgfs-new.bin
..\TOOLS\ImgfsToNb imgfs-new.bin OS.nb.payload OS-new.nb.payload -bigstoragemove
..\TOOLS\NBMerge -data 2048 -extra 8 00_OS-new.nb
attrib boot.rgu -r -s -h -a
del boot.hv
del boot.rgu
del imgfs-new.bin
del imgfs.bin
del OS.nb.payload
del OS-new.nb.payload
echo.
echo.
echo.
echo.Processing complete.
echo.
echo. Moving os-new.nb to \tools\htools directory
echo.
move ..\temp\os-new.nb ..\Tools\HTools
echo. The file "os-new.nb" has been created and is in the dump folder
echo. Now we need to generate the file that is written to your phone
echo.
echo. Follow these directions when the NBH Tool opens:
echo.
echo. * Select "NB to NBH"
echo. * Click the browse button for OS
echo. * Select the "os-new.nb" (Tools\HTools)
echo. * Save it on your Desktop
echo. * After adding extra (if any) components, click "Generate NBH File"
echo. * Close NBHTool once complete
echo.
cd ..\tools\htools\
nbhgen.exe nbhgen.txt
move RUU_signed.nbh "..\..\RUU"
SET status2=* The RUU_signed.nbh has been moved to RUU ) ELSE (
SET status2=* The RUU_signed.nbh is missing from Desktop
GOTO NO )
echo.
echo. Do you want to run RUU Flash utility now ? (Make sure the device is USB connected)
echo.
:Choice
echo.
Set /P Choice=Type Y (Yes) or N (No) and press [Enter]:
IF NOT '%Choice%'=='' SET Choice=%Choice:~0,1%
IF /I '%Choice%'=='y' GOTO YES
IF /I '%Choice%'=='n' GOTO NO
IF /I '%Choice%'=='' GOTO Quit
GOTO Choice
:Quit
echo.
echo.Flash aborted - compiled image is in the /tools/RUU folder
echo.
pause
GOTO :EOF
:YES
echo.
cd ..\Tools\RUU
RUUWrapper.exe
echo.
echo.
echperation complete
echo.
pause
:NO
echo.
if NOT "%ALL%"=="1" pause
goto :EOF
:error
echo.
echo ERROR! (errorlevel: %errorlevel%)
pause

You have to use G'Reloc and change the values to the original Rose values, since my kitchen uses the Vox' values, where the ROM is only so small...

okay, i test this :
I extract with dutty's NBH Tool original Orange_UK_1.17.61.2 ROM to .nb files.
Then i compile back .nb file to .nbh. I select only OS (windows.nb) and set:
Device:ROSE100
CID Type: SuperCID
Version : 2.00.0
Language: WWE
Signature Size 128
Generated .nbh file has approx 102MB.
I make upgrade to my rose. Upgrading was with no problems.
Bud when rose boots show only Orange splash screen, then version and then restart and restart and restart !!!
I'm really unhappy

i think you should another kitchen like HTC Snap that got a 256 mb ROM and modify it so it should adjust to the rose i don`t know how to do those things but you should realy modify the screen to be portrait and landscape
PS:with the rom from wings i think it will never work so try modify a snap rom

how do we obtain the values to use on g.reloc?

okay, restart problem is fixed...
I use another tool to compile nbh and set the values to
ModelId=ROSE10000
Signature Size=64
Version : 2.00.0
Language: 0409
...and it works
...i continue with cooking rom

CornholioGSM said:
okay, restart problem is fixed...
I use another tool to compile nbh and set the values to
ModelId=ROSE10000
Signature Size=64
Device:ROSE100
Version : 2.00.0
Language: 0409
...and it works
Click to expand...
Click to collapse
so now you have a working wm6.5 rom?

no, no...i test this on original shipped rom.

You get the G'Reloc values by unpacking a original ROM and putting the SYS and OEM files in the respective folder and open G'Reloc. I can do that for you.
Here are the values:
Slot 0: 01FA0000
Slot 1: 03E40000
Size of ROM: 83400000
Unknown: 00000000

Hi CornholioGSM,
Don't give up! We all are waiting for the first 6.5 ROM...
What kitchen do you use? And why from Wing? Is a tutorial available? Could you please tell us more details? Maybe we can help you cooking a ROM.
Sorry fo lots of questions I'm a newbie.
CU
Semmelknoedel
P.S. How can I backup my existing ROM? It is a original Swisscom ROM without any restrictions. I want upload it in S740 ROM-Thread.

You get the G'Reloc values by unpacking a original ROM and putting the SYS and OEM files in the respective folder and open G'Reloc. I can do that for you.
Here are the values:
Slot 0: 01FA0000
Slot 1: 03E40000
Size of ROM: 83400000
Unknown: 00000000
thanks frauhottelmann

When I am back home, I can make a WM 6.5 test ROM for you guys and upload it for you to try. Sometime next week. I can't promise anything though without an actual device.
BTW: You also have to port the XIP to get 6.5 working.

I flash my S740 device with RUU_Rose_HTC_WWE-Brightpoint_1.64.422.1_Radio_sign_12.29a.30.12_0.29.30.33_Ship and try to cook here is the pics what is extracted hrom rom how can now put new 6.5 insted 03_OS_0x400.nb

You have to extract the 03_OS.nb and replace it's SYS folder with a WM 6.5 SYS folder. And then recook everything together

komunistvb said:
I flash my S740 device with RUU_Rose_HTC_WWE-Brightpoint_1.64.422.1_Radio_sign_12.29a.30.12_0.29.30.33_Ship and try to cook here is the pics what is extracted hrom rom how can now put new 6.5 insted 03_OS_0x400.nb
Click to expand...
Click to collapse
keep in mind that this is for s743...

I am cooking right now (without a device), but I can't promise anything and I can't upload until tomorrow evening (European time).

[Q] Help needed to dump the original rom

Hi everybody! I bought some weeks ago a Shift and my first priority is to change the language from Italian to English. But before going ahead in flashing a new rom I thought it is wise to make a back-up of the original rom.
So in my attempt to dump the original italian rom of my Shift I've come to an error status I don't know how to overcome, therefore any help would be very much appreciated:
Following pof's How to dump HTC Shift ROM at
http://forum.xda-developers.com/showthread.php?t=382609
I downloaded itsutils, unzipped on the pc and placed all the itsutils files in the c:\users\HTC User folder, (as I just did not know how to change the path in cmd to go to the c root with the itsutil folder).
Further on, with the WinMob connected to Vista with USB Tool, I introduced the first command line for pdocread
pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
and I got the answer
Copying c:\users\HTC User\itsutils.dll to WCE:\Windows\itsutils.dll (which I think it's OK) and then
rapi reinitializing (is it normal?)
and then
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005
– Access is denied
I have no idea on what the cause of the error could be, probably I must have done something wrong and I am stuck at this first dump step.
Can somebody please help me further to get unstuck?
Thank you very much!

Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.

thaihugo said:
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
Click to expand...
Click to collapse
THANK YOU THAIHUGO for taking the glove of answering me on this dead forum, I really need help! I find it fantastic that you are still so active, maybe in time some other senior members will take again the challenge to support the newcomers.
Yes, WM was connected to Vista side using the USB Tool and the Windows Mobile Device Center.
Looking back, I think I opened cmd as user and not as admin (now I know how to do it), this might have been the mistake, I will try again this afternoon.
1. So far I understood that the main reading process is running under Vista using the command lines and the itsutils, which is ok.
Does it matter where the unzipped folder <itsutilsbin-20100324> is placed? I mean should it be placed obligatory in the root of the c:\ drive?
If YES, how do I do that in the cmd line, I mean change the directory? Normally the cmd screen opens to the folder c:\users\HTC User when starting as user and to c:\Windows\system32 when doing it as administrator. Is it wise to copy all the itsutils files to system 32?
Of all those itsutils files, which are the absolutely necessary files to do the dump? Are these pdocread.exe and itsutils.dll only? This is because I'd like to handle as less files as possible to the system 32 folder.
2. If I got this right, the link that you pointed to shows for the Raphael ROM how to do the dump entirely on the WM side and should be applicable to the Shift WM as well if not managing it from Vista side, is that what you were trying to say?
3. Is this way of dumping the rom covering also the radio part and the bootloader, I mean all the 4 raw files contain the whole initial memory of the WM?
Sorry to raise such beginners question, but I did not find these things explained in any of the Shift threads and without answers I cannot progress with this dump job and furtehr proceed with flashing a custom rom in English. I did search in the Shift forums and googles for answers, but maybe I did not use the right keywords.
Looking forward to receive the enlighting answers, thanks in advance!

Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
2) do not use raphael numbers. I linked to the post for the general procedure. Proper numbers are in the POF post.
3) you will not have the radio, nor the bootloader. But you have to jump if you want to use custom roms. Bootloader is available somwhere, and radio also I think.

Still getting errors
thaihugo said:
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open you command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
Click to expand...
Click to collapse
Thank you again Thaihugo!
I gave it another try to pof's commands as you recommended this time first with pdocread -l and it doens't work, BUT I'm getting the similar error messages. While accessing cmd as administrator and running the cmd line from c:\itsutils:
pdocread.exe -l
rapi reinitializing
and then after about 35 sec
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005 – Access is denied
At different runs I got different addresses for r and ce, but the same for le and hr (no idea what those mean).
It doesn't change if launching as administrator or user.
I even downloaded a previous version of itsutils directly on the Vista computer and unzipped it with Total Commander and the result is the same.
Have also tried another command from pof with the same error result:
pmemdump.exe 0x8c000000 262144 SPL.nb
Of course the WM side was connected to Vista via USB Tool and I also checked if from the Vista side the WM folders were accessible.
I'm completely stuck, don't know what to do further, please help!!!
Thank you!
P.S. Have copied the itsutils.dll to the Windows folder in WM via e-mail, just like in the liberalization process in order to avoid copying it via Active sync (as recommended for Raphael). This time at the first run of the pdocread.exe I was asked to accept installing itsutils.dll on the WM side, which I did.
But I'm still getting the error messages when launching pdocread.exe -l, this time running very fast in a few seconds and after 4 turns it stops with the final message
ERROR loading itsutil.dll - probably denied by policy restrictions
Does it ring any bell to you?
My guess is that I have to relax the security policy on the WM side, but I don't know how.
I am amaized that nobody raised all these before.

I've finally done it! HowTo......
OK, I finally managed to dump the ROM thanks to the support of Thaihugo and the info in various threads on this forum (with credit to the authors), I have now the ROM and bootloader dump files, but not the radio rom.
There were several detailed steps important for beginners that were not included in POF's thread "How to dump HTC Shift ROM" at http://forum.xda-developers.com/showthread.php?t=382609 that prevented me to do the dump from the first go.
In order to spare other newcomers time, here they are:
-On the WinMob side change the Security Policies setting by installing a registry editor like PHM Registry Editor, TotalCommander, etc. (I used the cab files downloaded in Vista and moved to WinMob via the Windows Mobile Device Center);
Go to HKLM\Security\Policies\Policies and change the valuename '00001001' from dword:2 to dword:1. Save the change and soft reset your WM device.
If in doubt check this: http://forum.xda-developers.com/showthread.php?t=427507
Note: After finishing the dump operation do not forget to revert back to the initial dword:2 value
-Download itsutils from POF's site to Vista and unzip the package to a new folder "c:\itsutils".
-To be on the safe side disconnect all network connections (3G modem, wifi, BT, LAN) and all USB external devices.
-Connect the WinMob side of the liberated Shift to Vista using the USB Tool and check in the Windows Mobile Device Center that the folders and files of WinMob are indeed accessible from Vista
-Open the command line screen and go to the folder where you unzipped the itsutils tool by typing "cd c:\itsutils" (without the quotes).
-From within the folder itutils type the command "pdocread -l" (without the quotes).
At this point, with pdocread.exe started, go to the WinMob side and
you will find a message asking you to accept installing the itsutils.dll on the WM side, say Yes to it and wait until it is instelled.
Then go back to Vista side and carry on as described in POF's thread mentioned above by:
- using "pdocread.exe -l" to list the NAND PARTITIONS (which have to do also with the radio side as I understood from one of cmonex posts)
- using "pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw" and the other 3 commnads to generate the 4 raw files in the same folder c:\itsutils; keep them for reconstructing the original ROM
- using "pmemdump.exe 0x8c000000 262144 SPL.nb" to dump the bootloader file to the same folder c:\itsutils; keep that too.
That's it for now.
I have to deal further with dumping the radio rom, but I don't know how to do it, I must search the forums.
A big THANK YOU to all who helped me!

I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.

thaihugo said:
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. Isuggest you have a look at your radio version and try and fin the same radioin the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works wth your radio. No phone call though if you don't use the right one.
Click to expand...
Click to collapse
Thank you again Thaihugo, it seems that you are the only senior left on duty on this dead forum....yet the counter shows 238 views of this thread. Hm, strange....Anyway, thank you for all the good hints given one way or another during the past days, I wouldn't have made it without it.
I got the message, I will not bother with dumping the Radio. I know that a particular Rom is matched with a certain radio. I will flash one of your roms, most probably Age of Reasons and the associated radio. I am not looking for tens of programs on the WM side, it is enough to have the basic things in English and instant-on. I will let you know!

[Q] How to use osnbtool

Hi all, I have problems using osnbtool: when I open it it closes immediatly...
Can somebody tell me how to use it? I'm using Windows 7

Never used it but try right click and run as administrator.

It is a console tool. You need to run it from the Command Prompt in admin priviledge.

Ok I managed to run It, the problem now is that the program crashes after some time... what should I do now?

Please somebody answer

Didn't you get this if you just type "osnbtool" on the command prompt? The built-in help is good enough. What exactly do you want to use it for?
$ ./tools/osnbtool.exe
OS ROM Partition Tool V1.59 By Weisun :> PDAclan.com
A powerful tool for de-pack partitions from OS.NB!(RAW-OS-IMAGE)
*** Decompress & compress SRPX partitions,unpack & pack partitions.
*** Support to re-structure OS.NB when insert a resized partition.
====Command for decompress,compress,unpack & pack partitions:
-d <OS.NB> <Num> <OUT.BIN> Decompress Num of part from OS image to OUT.BIN
-c <OS.NB> <Num> <IN .BIN> Compress or insert IN.BIN to OS image
====Command for split to a RAW-OS-IMAGE form srcFile & repack:
-sp <fName.ext> Split source file to fName.ext.PRE & fName.ext.OS.NB
----'fName.ext.OS.NB' means that RAW-OS-IMAGE.
----it can remove extra-data(SECTOR_ENTRYs) or B000FF struc.
-extra <fName.ext> [0x"intBlocksToFill" | 0x"dwBlockSize"] Insert extra fields (SECTOR_ENTRYs) & get fName.ext.EXA
-2bin <fName.ext> [0x"StartADDR"|-CutHeader] Pack fName.ext to BIN(B000FF)
-FixBinHeader <fName.ext> [0x'intRecordsToAdd'] Fix 'B000FF' header-entry.
====Command for unmask src file :
-x <fName.ext> <0x"dwKeyWord"> [outFile] Unmask source file to outFile
====Command for PagePool value changing in XIP.BIN:
-pp <XIP.BIN> <0x"dwOFFSET"> <decVal"MB"> [-y] Change PagePool Value at OFFSET in source XIP file
-ap <XIP.BIN> <decVal"MB"> [-y] Auto search & change PagePool Value in source XIP file.