[HSPL/SSPL][DISCUSSION] Hacking SPL [SSPL works - now flashing HSPL/closed testing] - HD2 Windows Mobile 6.5 ROM Development

Well this is just my second HTC device.. But has anybody ever wondered why information on creating HardSPL and stuff is seeded sparsely? We're just waiting until olipro, cmonex (bless their work!!!) or some other mod finishes the Hard-SPL.
If this is an illegal talk or something then just delete my thread..
I find this an interesting topic.. So why not collaborate with each other and report status on this, so that we eventually could hack something together..? At least for the sake of interest.. I have always liked hacking embedded devices, but my knowledge in these things is not so good. Would like to dig more into this and solve this kind of mystery.
I have found interesting bits of information at the following places:
http://wiki.xda-developers.com/index.php?pagename=Wizard_ROM_Layout
http://forum.xda-developers.com/showthread.php?t=334667
http://www.xs4all.nl/~itsme/projects/xda/tools.html
http://wiki.xda-developers.com/index.php?pagename=SPL%20Questions%3F
http://forum.xda-developers.com/showthread.php?t=501871
The first step seems to be extracting the stock SPL.. I read something about pmemmap, a tool to show the memory map of the phone and pmemdump, a tool to dump memory areas of the phone to disk.
This raises the question of how to find out the address, where the SPL lies in our LEOs and then how to dump it?
If there are any constructive comments on this, everybody is invited to add his thoughts here, or point out the right way
Update:
SPL seems to be dumped, credits go to cmonex. - Now it's time to investigate further steps. Currently looking into it.
Okay.. You can read the SPL from your LEOs with the following command:
pmemdump 0x8ff00000 0x80000 dump.bin
But i have attached it here for your convenience.
Update 2:
For all those people that are curious about the technical background behind SPL hacking i am giving an update of my research now (of course cmonex will finish that work, and she will do it good, but as you probably know, i want to get into that kind of stuff):
I managed to get an MFG SPL (the SPL that isn't shipped with stock ROMs and that is used by HTC to debug) now. This type of SPL is needed to do any further steps regarding flashing Hard-SPL.
This may not be complete or even correct, so if you have any information to add, please share it with us.
As far as i understood the rough procedure now would be to relocate the SPL and its .data section in RAM (that means all the data referenced by code) to a new address. This is needed because the address where the SPL and its data section lie now is protected by the MPU (Memory Protection Unit?), which is set up by the radio bootloader, which is running on another CPU (the ARM9). Every write there will lead to nowhere and as our SPL would execute, it would crash, because of missing data. This is why we need to relocate our SPL to a new address by changing all the hard coded references to data (such as strings etc.) in code.
I need someone to comment on the process of changing all the hard coded addresses to another one. I don't know how to do it yet.
If this is done and all code runs well (there could be further glitches, such as the NAND write/read issue - please comment on that) we would use JumpSPL to load our SPL in RAM into an unused address and execute it. This would give us all the tools needed for flashing HSPL.
I have attached a copy of the MFG SPL i obtained (if this is against any rules, please remove it) together with an analysis in IDA32, which i just made (for the lazy ones).
It would be nice, if we could get some further info here.
Btw.: I found this funky stuff on the PSAS forum. It is a tool that actually simulates an ARM processor and lets you step through the instructions. Really nice, if you want to understand what's going on.
If you want to flash another language ROM to your HTC device you can go here. Please don't use this thread for such requests. Let's keep it about SPL talking. Thanks

Thanks for sharing this information with the community.

Feel free to investigate and have a go for it.
The itsme utils are extremely useful,
You could also read the posts from Pof, Des, jockeyw2001 regarding this subject.
After you got your SPL, you can read Jockyw2001's posts regarding disassembling bootloaders in IDA Pro.
The actual patching of the SPL isn't the hardest part, Cmonex once said that the development of the Soft SPL was the trickiest part.
Regards, and good luck.
EqX

Thank you.. I will have a go for it, when i have more time. It's over for today..

Very interesting thread. I would like to know how they are trying to hack the SPL. With due respect to Olinex, we rely on them but there must be also people around who can give a hand to accelerate the process. No ?

on a related note i tried to make my hd2 supercid without using QMAT so that i could flash wwe official rom...
i followed these steps and i got to Ad.7) part where i needed to run this command:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
when i hit enter i get this message:
C:\itsutilsbin>perl typhoonnbfdecode.pl -p cardid=0085007b9394eb0000000000000000
00 -p keys=tornado -p seclevel=0 -d goldcard.img
Can't locate XdaDevelopers/NbfUtils.pm in @INC (@INC contains: C:/Perl/site/lib
C:/Perl/lib .) at typhoonnbfdecode.pl line 81.
BEGIN failed--compilation aborted at typhoonnbfdecode.pl line 81
if anybody can point me to the right direction or tell me what am i doing wrong i would be very grateful.

Did you install activeperl ?

yes , however now i see that packages Crypt-DES and XdaDevelopers-NbfUtils are not installed and i can't find them...
i select "all packages" but i can't find those two, and i tried by adding repositories but it doesn't download anything.
can i somehow add them manually?

You need to use the exact version of ActivePerl as stated on that page and you must use Windows.
You should also know that you can't use this goldcard image for your LEO with the typhoon option. This is for another HTC device.. If you look into that pl file you see that there is no entry for LEO. We need the LEO key.

I replied to your PM about dumping SPL 0x95000000

sorry this will never work on Leo. I can make the goldcard for you though (for a small donation)

Thanks a lot cmonex, for your PM, hope to flash my Holland device onto a WWE device to better understand.

just wondering, based on this, is it possible for me to flash my o2 branded device with the stock wwe rom?

Yes, it should be

umh... I can't dump... I'm wondering ...why?
If I enter "pmemdump 0x95000000 0x80000 spl.nb" I get a 0bytes file, but if I don't enter the file name I'm seeing the errors that it gets.
Anyway, this is what I'm getting:
Code:
G:\itsutilsbin>pmemdump.exe 0x95000000 0x80000
ERROR: ITReadProcessMemory - Invalid access to memory location.
95000000: * * * * *
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
ERROR: ITReadProcessMemory - Invalid access to memory location.
Someone can help?

You're not the only one. Currently working it out with cmonex.

just wanna say that cmonex helped me and i just flashed wwe rom on my german hd2

Welcome to the club of dutch rom refugees

cmonex helped me and I just finished flashing my NEW WWE ROM.
Thank you mate.
To all who want to flash now, be in touch with this guy, he is going to help you really fast.

She.. She's female!

Related

Goldcard for Herald

I don't take the responsibility for any damage caused by the information included.
This is not my intention to reveal any secrets of HTC Company. All this information was known earlier. I've just collected it in one place and used it for repairing my broken HTC device.
Although it was successfully tested on Herald from Dopod, it should work on any Herald and as far as I know this is the only hope, especially for Heralds with low SPL number, broken by flashing with HardSPL
If you find this tutorial useful, use it at your own risk.
I've spent a lot of time searching for a solution for my bricked Dopod C858. It has been bricked after Hard-SPL by Olipro. When this Hard-SPL was first introduced, there weren't any warnings about minimum SPL and GSM version requirements. That's why there are a lot of people with their Heralds stuck in the bootloader mode without a possibility of successful flashing in any way.
One of the symptoms was Invalid Update Tool 300 Error when I was trying to flash even with the official RUU. The other symptom was "GetDeviceCID: Error - InitDecoder" when getdevinfo command was typed at MTTY console.
Finally I was able to recover from this state. I successfully created the goldcard - a micro SD card with the special header, which gives us a temporary SuperCID status (security level 0). In this way we are able to flash the new ROM via SD card, instead of using the official RUU (ROM Update Utility). If it is not enough to flash successfully, we can use a wonderful service tool included in Herald's diagnostic image (heradiag.nbh).
All the credit goes to "itsme" and his hard work. It wouldn't be possible without his knowledge, his help and his great software. Willem agreed to make this tutorial and share this knowledge on the forum.
Thank you Willem!
I would also like to thank "pof" for his effort and although he couldn't find a solution, he tried to help me, so thank you Pau!
The other person I would like to thank is "canonyang_China". I know he is accused of stealing Olipro's ideas of Hard-SPL. I only want to thank him for posting heradiag.nbh file. This is the great tool which together with the goldcard can do a lot.
I would also like to mention one person. It's "jockyw". He has almost identical solution but he has found it by himself. If you find this tutorial too hard to deal with I recommend to contact "jockyw" and he will help you for a small paypal donation.
TUTORIAL:
***********************************************************
Requirements (not tested on other configurations):
1) Windows XP with SP3
2) ActiveSync 4.5
3) ActivePerl 5.8.8.822
4) Crypt-DES and XdaDevelopers-NbfUtils PERL packages
5) typhoonnbfdecode.pl PERL program
6) itsutils tools
7) working mobile device with any Windows mobile OS (2003, 5.0, 6.0)
8) any .nbh ROM file from the official Herald's RUU
9) heradiag.nbh file
10) micro SD card (tested on 512MB and 1GB)
Ad.2) download your language version of ActiveSync and install it:
Ad.3) download and install MSI installer of ActivePerl 5.8.8.822 from http://www.activestate.com
http://www.activestate.com/store/download_file.aspx?binGUID=e5c71329-b7a6-4563-8199-e1483f751c4f
Ad.4) run Perl Package Manager from Windows Start Menu
change PPM Preferences (run Preferences from the Perl Package Manager menu and switch to the repository tab):
- Add repositories:
Name: itsme
Location: http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository:
Name: theoryx
Location: http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (at the main window of Perl Package manager find those packages, mark them for install (the icon with green plus, next to the search bar) and run marked action(green arrow icon)):
-Crypt-DES
-XdaDevelopers-NbfUtils
If you can't find those packages on your list, please make sure you have selected "All packages" from "View" menu in Perl Package Manager main window.
Ad.5) download typhoonnbfdecode.pl from http://www.nah6.com/~itsme/cvs-xdadevtools/xda2nbftool/
Save it to "C:\itsutilsbin"
Ad.6) download itsutilsbin package from http://www.xs4all.nl/~itsme/projects/xda/tools.html. Unpack it to "C:\itsutilsbin"
http://nah6.com/~itsme/itsutilsbin-20080602.zip
Ad.7) Find a working Windows mobile device and use it to format your micro SD card as FAT32. It's important to do this on a working mobile device with any Windows mobile OS (2003, 5.0, 6.0) because PC USB card readers cause trouble when making a goldcard, due to a different MBR interpretation.
- Activesync your working Windows mobile device with SD card inside
- On your PC enter windows command mode (Start->Run... cmd)
- Choose your itsutilsbin directory (cd C:\itsutilsbin),
- Run this command (l means a letter 'el' - not a digit 'one'):
psdread -l
If you have problems with running psdread -l you probably have problems with the security configuration of your mobile device. There are many options to change it. In my case I was using Device Security Manager PowerToy for Windows Mobile 5.0
It is recommended to save your security configuration, then change it to the Security Off level and after the whole goldcard preparation process, load saved configuration preset if you don't want to leave your Windows mobile device Security Off. You should have your mobile device ActiveSync with your PC when you are using this tool.
- If everything went OK, look at the result at the cmd window after psdread -l and find something like that:
remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte
SerialNr: 75 63 00 49 8a f2 00 80 47 31 30 55 53 44 53 03
- in the next step you will have to replace the first byte ( in this case '75' ) with '00' and write this ID without spaces between numbers - this will be your modified cardid
In this example your modified cardid will be 006300498af200804731305553445303
(Thank you "hookcard" for reporting troubles in this step)
Run this command, where <cardid> is your modified cardid:
perl typhoonnbfdecode.pl -p cardid=<cardid> -p keys=tornado -p seclevel=0 -d goldcard.img
- Your goldcard image will be saved in your current directory (C:\itsutilsbin)
- If you have error message connected with msvcr71.dll file, please download this file or try to find it somewhere on your system partition and then copy it to the directory containing typhoonnbfdecode.pl (C:\itsutilsbin)
Then repeat the previous step with running typhoonnbfdecode.pl
If everything went OK, run this command, where <number> is a number under which you have your SD card during psdread -l command, for example, "remote disk 1 has 1984000 sectors of 512 bytes - 968.75Mbyte" means that your <number> is 1:
psdwrite -<number> goldcard.img 0 0x120
Now you have a card which gives you SuperCID - you can test it with MTTY and see that g_cKeyCardSecurityLevel = 0
Ad.8) Remember to have more than a half of the battery capacity available before you start this step!
- download any official Herald's RUU and extract it to the directory, where you should find RUU_signed.nbh ROM file. (It was tested with Dopod's ROM). Copy this .nbh file to your goldcard changing its name to heraimg.nbh
- Enter the bootloader mode. When you will see on your Herald's screen the question: "Update SD image?" you will have 10 seconds to press Volume Down button and this way to start flashing
Unfortunately, if something goes wrong and, for example, you see SD update failed, you will have to use the heradiag.nbh file to enter a special menu during the start of the bootloader mode. If you have problems with flashing, please read the step below:
Ad.9) download and unpack heradiag.zip file from this thread:
http://forum.xda-developers.com/showthread.php?t=332413&highlight=heradiag.nbh&page=6
Remember to have more than a half of the battery capacity available before you start!
- Copy heradiag.nbh on your goldcard together with any official .nbh ROM from ROM Update Utility from the previous step.
- boot your Herald in bootloader mode and you will see the diagnostic menu where you will have Reflash Image option. Choose Reflash Image and after the flashing process (about 5 minutes) please softreset your device.
That's all! You should see your Herald properly booting Windows OS.
Good luck!
Anyone had any luck with this?
I tried.
Everything is O.K.
ok first of all thank you very much for as a hope gain to bring our herald to live again.
but there is some point at this thread i didnt get it so plz if u could help me
1-
run Perl Package Manager from Windows Start Menu
change PPM Preferences:
- Add repository: itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
- Add repository: theoryx http://theoryx5.uwinnipeg.ca/ppms/package.xml
After database synchronization install those packages (mark them for install and run marked action):
-Crypt-DES
-XdaDevelopers-NbfUtils
what is crypt -des
and when i open the link (add rep.by itsme )
there is too many files to download.
which one is that files u mean
i download them all but it seems they work on linux not in windows
so plz if u make that point more clear or at least post some pictures..
2-
does any official room will work .or it must be the exact cid room.
I've updated this tutorial and now it should be more clear.
According to your question about the ROMs - if you successfully create the Goldcard you will be able to flash any ROM, not only those matching your original CID.
how come i cant find XdaDevelelopers-NbfUtils package?
i have added the repository correctly.
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
Downloading theoryx packlist ... not modified
but i just can find the module (ie. XdaDevelopers-NbfUtils)
i have also tried the command line installation but no luck..
anyone??
maybe someone can post the perl folder, with the required modules installed?
Do you have "All Packages" chosen through View Menu?
Hi there! I also have a bricked Herald. I'm in Brazil and a store wants around 200 US dollars to fix the phone and it's too high.
I saw that the file itsme XdaDevelopers-NbfUtils PPD has just a text indicating an e-mail address.
I saw in another site that this file has another content.
May be this is why we cannot find the package to install.
If i find a way to fix my Herald here i will do a very good donate!!
Thanks,
Alencar
Go to this thread, it will explain how to fix your phone....
http://forum.xda-developers.com/showthread.php?t=345411
Hi Mkoz,
Tried your procedure but when I start the bootloader it does not read the SD card. I copied Heradiag to the card but it does not run. The bootloader remains the same as before.
No Signal. With MTTY I gave the command set 32 1 and got the message:
================================================
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
PL_SDSetSlotNumber() - MPUIO_SDIF_SEL1=0, MPUIO_SD_IF_SEL=0
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDCmd8 Command response time-out. MMC_STAT = 80
SDInit - SD ver1.0
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SD clock to 24MHz
***** user area size = 0x79280000 Bytes
SDInit---
SDInit OK
Unlimited time!
GetDeviceCID: Error - InitDecoder
g_cKeyCardSecurityLevel = 0
HTCE
=======================================================
So, please could you help me ? Thanks! Alencar
Hi,
Where did you format your SD card before preparing Goldcard? In Windows Mobile device or in laptop or PC card reader?
Hi Mkoz,
I formatted using Pocketmechanics in my HTC universal in mode FAT32.
I'm really looking forward to see the mobile working.
Thanks!! Alencar
please SIR how can I change cardid?
and which tool do I use?
Hi,
I've sent you my private message but you haven't answered so I have to ask you in this thread:
- What is the size of your SD card? I successfully tested it with 512MB and 1GB cards.
Successfully tested with 2GB card
BTW, HardSPL'd devices don't want to load heradiag!
i can see from the status screen:
Synchronizing Database ...
Downloading ActiveState Package Repository packlist ... done
Updating ActiveState Package Repository database ... done
Downloading itsme packlist ... redirect
Downloading itsme packlist ... done
Downloading itsme Win32-API-0.41WJ PPD ... done
Downloading itsme XdaDevelopers-CompressUtils PPD ... done
Downloading itsme XdaDevelopers-NbfUtils PPD ... done
I found -Crypt-DES but not found -XdaDevelopers-NbfUtils
Please help me! Thanks
same here
already try restarting my windows still no luck
I guess you are doing something wrong because there are people who were successful with this tutorial. Maybe you don't have "All packages" chosen from the menu.
I have updated point 4 of my tutorial so please take a look.
I've also posted in this thread my answer to someone who had the same problem as you and he didn't answer anymore so I guess as a result he created Goldcard successfully.
If it will help you, please let us know.
please help me delete 1 post

Is it possible to dump ROM from bootloader ?

Hi !!
I'm sorry if this has been talked about before, but I searched the internet for 2 days (most links coming from xda) without success.
I'm pretty sure that it is not possible to do on Trinity due to bootloader limitations but I want a last confirmation before flashing my device.
My boot loader is a Des' Crash-Proof SPL:
TRIN100
IPL-0.50
TRIN100
SPL-9.99 CP
After I played with the WM6 registry it doesn't load the OS after reset.
I'm wondering if it is possible to dump the ROM (the mass storage part) from the boot loader, to mount it on a Linux box.
I read that the Trinity lacks the s2d command and also that rbmc didn't work.
Is there any other way to do it?
Of course I can't use pdocread.exe because the OS is not loaded on the Trinity.
Thanks in advance and sorry for my english.
Carlo.
Hi again.
I was able to read the ROM with the rbmc command using the following commands:
password BsaD5SeoA
set 1e 1
task32
rbmc >/tmp/dump.bin 0x3100 0x17900
The problem is that the output is shown on the screen and not written to the file.
I tried on Linux using HTCFlasher and mtty on Windows, with the > and without.
Any idea?
Carlo
Try QMAT too, although it's not meant to be used with Trinity, it supports rbmc dumping.
Thanks, I'll try it tonight.
Here's an rbmc partition dumper I've created for dumping os, storage and ext rom. Storage partition doesn't seem to be readable this way...
You need to have a security unlocked device or HSPL that allows rbmc when device is not security unlocked.
Hope this helps...
Thanks for the command, I tried and it doesn't work.
I have the Des' Crash-Proof SPL on my Trinity and the rbmc command works but I have to give the following commands before using it.
password BsaD5SeoA
set 1e 1
task32
Does your command supply them before dumping, or is there any command line option to pass them to the command?
Works on my trinity allright... task 32 is not required, btw.
Did you manage to get QMAT working/dumping?
I tried more times but I always get this message:
C:\Temp2>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:01s.953ms
HTCSBye!>.L.HTCE
I switch the Trinity to the bootloader screen and then I plug in the USB and run the command with no args.
Where am I wrong? I tried without ActiveSync open and with it open with the USB connection disabled.
No, I was unable to use QMAT, the manual is a little different from the version and doesn't explain the very first operation to make the program recognise the PDA.
Instead I was able to capture the rbmc output on my Linux box with minicom over USB, but I get an error after the program has been dumping for a while (the same I got on the screen using mtty), and I'm a little confused about the partition dimensions shown by the "info 8" command.
Bye.
What happens when you manually issue "rbmc c:\temp\os.bin OS" in mtty or minicom?
I start minicom with the capture option active then I use the command
Cmd>rbmc a 0x3100 0x17900
Then the dump start
Cmd>rbmc a 0x3100 0x17900
GetExtRomData+(): *pszPathName=a, dwStartAddress=57600000, dwLength=8C08DAA0
:F=a :A=57600000 :L=8C08DAA0 :rbmc= HTCS¼Ñÿÿùÿ0ÖÿÿùÿRPQQ"RTP¤QP>Öÿÿùÿ¤ìÿÿùÿÔÿÿùÿ9Öÿÿùÿ<Öÿÿùÿ=Öÿÿùÿina
condominiale
[.....]
,(*"(B+&*0ùÿNANDFlashReadSectorWithSectorInfo: dwBlockIndex=0x400
NANDFlashReadSectorWithSectorInfo: Address over boundary!!!
rbmc: read data error at 0x8000000
In the [...] I got about 1 MByte of data.
My I was to dump the user partition to recover same data, not the OS.
This syntax is not valid:
rbmc a 0x3100 0x17900
1. Do not use 0x prefix for offset and length
2. Use actual flash offsets (starting at 50000000 (hex))
Can you try this exact command?
rbmc c:\temp\os.bin OS
This is the command rbmc.exe executes and it seems to be failing on your Trinity.
I tried and that is what I had:
C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
WARNING: rbmc OS.nb command failed!
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
HTCSBye!>.L.HTCE
C:\temp>
Can you do it in mtty?
Ok, sorry, I misunderstood.
Cmd>password BsaD5SeoA
Pass.
HTCST ÚÈÒHTCEPassWord: BsaD5SeoA
Cmd>set 1e 1
Cmd>rbmc c:\temp\os.bin OS
Command error !!!
Ok, it looks like your SPL doesn't support rbmc command, but if you do "rbmc 50000000 1" in mtty that works?
Yes, it work.
Cmd>rbmc 50000000 1
GetExtRomData+(): *pszPathName=50000000, dwStartAddress=1, dwLength=8C08DAA0
rbmc=8DAA0
Cmd>
But it works only if I supply the "task 32" command after the "password .. " and "set 1e 1"
Could you modify your command to supply the "task 32" command, maybe by a switch ?
Finally it works !!
I mean your command.. after the message before I tried this way.
I connect to the bootloader with the patched version of TeraTerm (to have the copy and paste function), then I supply the three commands like the message above and finally I close the TeraTerm and launched your command with no parameters and here is what I get:
C:\Temp0\rbmc>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008
Reading OS.nb...
0x4d50800 bytes read
Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!
Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!
Read 0x55628D8 bytes in 0d:00h:02m:02s.125ms
HTCSBye!>.L.HTCE
As you can see, it doesn't read the Storage.nb and the ExtROM.nb, but now I can get the OS.
So I think that the "task 32" is mandatory with the HardSPL I got in my Trinity.
Which HardSPL do you use to test your command?
cybor said:
> So I think that the "task 32" is mandatory with the HardSPL I got in my Trinity.
> Which HardSPL do you use to test your command?
Yeah, well, this seems to be the way HardSPL works, you only get access to locked commands after faking security lock status with "task 32". I've added this command to rbmc.exe, however I want to make it more generic before I post the updated version, because dumping storage doesn't work so far.
I'm using MFG SPL 1.05 patched to allow rbmc, this shouldn't be relevant though.
Ok, so attached is an updated version of rbmc.exe.
It will work just like the old version without any parameters, but you can specify the same parameters as you would feed to rbmc command too now.
E.g. to dump storage you can do
C:\>rbmc.exe storage.bin Storage
However due to a bug in SPL this won't work, it will produce an error message showing the starting offset of storage partition though.
Grab that offset, subtract it from 0x60000000 to get the correct storage size and run rbmc.exe again with parameters:
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
You should have a dump of storage partition (albeit not exactly 0xACAC0000 bytes) in storage.bin file as a result. Note that resulting dump has NAND flash block status data (0x10 bytes every 0x200 bytes) that you may need to strip to get an image of storage partition you can work on.
Good luck!
Thanks for this new release, it works fine.
I have a problem to understand how to calculate the offset.
When I run
rbmc.exe storage.bin Storage
I get:
Dumping rbmc storage.bin Storage to storage.bin...
ERROR: rbmc storage.bin Storage command failed; last message:
"Storage address error.(0x54DC0000, 0xB301000) "
What must I subtract from 0x60000000 to get the offset, and what is the other value in the last example you wrote?
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
I'm sorry to waste your time, I tried to understand but I failed, and I want to reach the end because in future a tool like this will be very useful to recover data from a crashed Trinity.
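The size calculation and status-byte stripping described in the rbmc.exe posts above, as an added example (not part of the thread and not the rbmc.exe author's code). It assumes the first value in the SPL's "Storage address error" message is the partition start and that each 0x200 data bytes are followed by their 0x10 status bytes; the function names and the sample dump are constructed for illustration.

```python
import re

FLASH_BASE = 0x50000000   # flash offsets start here (stated in the thread)
FLASH_END = 0x60000000    # value the thread says to subtract the start from
DATA_BYTES = 0x200        # payload bytes per NAND sector
STATUS_BYTES = 0x10       # block status bytes the thread says are in the dump

ERROR_RE = re.compile(
    r"Storage address error\.\(0x([0-9A-Fa-f]+),\s*0x([0-9A-Fa-f]+)\)")


def storage_start_from_error(message):
    """Return the first value of the SPL's 'Storage address error' message.

    Assumption: that first value is the storage partition's start offset.
    """
    match = ERROR_RE.search(message)
    if match is None:
        raise ValueError("no 'Storage address error' in message")
    start = int(match.group(1), 16)
    if not FLASH_BASE <= start < FLASH_END:
        raise ValueError("start 0x%X is outside the flash window" % start)
    return start


def rbmc_storage_command(message, outfile="storage.bin"):
    """Build the second rbmc.exe invocation: start, then FLASH_END - start."""
    start = storage_start_from_error(message)
    length = FLASH_END - start
    return "rbmc.exe %s 0x%08X 0x%08X" % (outfile, start, length)


def strip_status_bytes(raw):
    """Drop the status bytes that follow every DATA_BYTES of payload.

    Assumption: the layout is 0x200 data bytes then 0x10 status bytes.
    A short final sector (the dump may be shorter than requested) keeps
    whatever payload bytes it has.
    """
    stride = DATA_BYTES + STATUS_BYTES
    out = bytearray()
    for pos in range(0, len(raw), stride):
        out += raw[pos:pos + DATA_BYTES]
    return bytes(out)


def constructed_dump(sectors=3, tail=0x80):
    """Constructed sample: numbered data sectors, 0xFF status, short tail."""
    raw = bytearray()
    for n in range(sectors):
        raw += bytes([n + 1]) * DATA_BYTES + b"\xFF" * STATUS_BYTES
    raw += b"\x09" * tail
    return bytes(raw)


if __name__ == "__main__":
    # Error text as quoted in the thread.
    err = '"Storage address error.(0x54DC0000, 0xB301000) "'
    print(rbmc_storage_command(err))
    image = strip_status_bytes(constructed_dump())
    print("stripped image: 0x%X bytes" % len(image))
```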

ROSE S740 S743 Official Radios

Hello all,
Since jockyw2001 was so nice to release Rose hardspl I spent the time finding official ROM's to test them out. In the process I extracted the radios from each & did a rebuild with pof's yang 1.1 using the following process:
Code:
1. Grabbed yang 1.1 from XDA
2. Extracted yang to a folder
3. Extracted RUU_signed.nbh from an official ROM exe file into yang folder using winrar
4. Opened CMD & went to yang folder
5. Ran yang -X RUU_signed.nbh (To extract all files)
6. Ran yang -F REBUILT_RUU_signed.nbh -t 0x301,0x200,0x600,0x400 -f 00_GSM_0x301.nb,01_SPL_0x200.nb,02_MainSplash_0x600.nb,03_OS_0x400.nb -s 64 -d ROSE***** -c 11111111 -v 1.00.000.0 -l WWE (To test SignMaxChunkSize. If rebuilt NBH is same size as original then we're golden otherwise I would have tried 1024 per the instructions)
7. Renamed 00_GSM_0x301.nb to GSM.nb (This step may not be necessary but I wanted to be safe & was pretty sure the original filename was GSM.nb)
8. Ran yang -F RADIO_RUU_signed.nbh -t 0x301 -f GSM.nb -s 64 -d ROSE***** -c 11111111 -v 1.00.000.0 -l WWE
9. Copied RADIO_RUU_signed.nbh to folder with CustomRUU.exe, renaming it to RUU_signed.nbh
10. Ran CustomRUU.exe to flash to phone & test, confirming it went on OK, had signal & radio version matched
NOTES: I set version to 1.00.000.0 to hopefully make it obvious this wasn't a full ROM but the fact it's 22MB should be pretty good indicator. I set Device ID/model to ROSE***** so it should go on any Rose. CID was set to 11111111 as shown per examples in yang instructions. Language was set to WWE although not sure that matters.
These radios are all from official shipped rom's that I found on XDA without anything changed other than using the procedure above. I tested them all on my S740 (installed & made sure I had a signal with TMobile SIM but no further testing was done) but USE AT YOUR OWN RISK. I can't be held responsible if you bork your phone or lose your data. The included CustomRUU.exe shouldn't require a hard reset but I'd highly recommend you backup just in case.
Here are the radio files:
S740RoseRadioAsia_12.23.30.06H_0.24.30.24 7.92MB
S740RoseRadioEurope12.23.30.06H_0.24.30.24 7.92MB
S740RoseRadioOrange_12.29.30.09H_0.29.30.22 8MB
S740RoseRadioRus_12.23.30.06H_0.24.30.24 7.92MB
S743RoseRadioBrightPoint_12.29a.30.12H_0.29.30.33 7.95MB
Hope these prove useful to someone.
Bill
** Super big thanks to jockyw2001 for hardspl, pof for yang & to everyone else who posted up official roms to make this possible! **
good job!
2 roms came from me
With a little help of jockyw2001 I'm soon uploading non-brand us rom and hopefully u can extract it's radio and add it to your list
Soz, shout out to sasiskas for posting up 2 of the roms I used.
Yeah that would be cool but I've not been able to do radio from dump yet.. I did a rebuild of a Touch Dual NEON rom from a dump awhile back and it wasn't too fun but once you get the process down it's not so bad I suppose but it was rom only, no radio.
Hi Bill, thanks for your continued efforts.
One thing, and this is going to make me sound very thick, but I can't get the installer to run.
It reports that it fails to initialise. Should this be run on the phone or on a PC.
lol, told you i'd sound stupid, lol
Hey Jerry-S,
You plug the phone into USB & run the flasher on the computer which uses active sync to update the phone, just like flashing any ROM.
Btw, in case you are not caught up I am pretty sure your phone needs jocky's hardspl installed 1st. I say that because that gets installed the same way as these radios & if you're lost doing the radio odds are you didn't do the hardspl yet.
Bill
mods please sticky the thread
I don't know why, but the file CustomRUU.exe is not working on my computer. It says "initialization error" when I start it.
why should i install this rom to a perfectly working phone?
gives it advantages, or stability?
wuwa said:
> why should i install this rom to a perfectly working phone?
> gives it advantages, or stability?
yes it is definitely to boost device performance....
On which of RadioROM, you can select the COM port to work with GPS?
Newbie doubt
Hello
I'm new in these things, so I would like to help.
Will soon acquire an HTC S743, but has two problems. One is that language is not in Portuguese, the other is the FM radio does not work, the icon does not even appear to turn it on.
Did any of the roms posted here I solved the problem? and even now, like flashing my HTC S740?
I await response
João Serra

Create custom splash screen ?

im running on
HTC HD2 (us)
rom version: CELL SERIES WWE
Radio: 2.08.50
OS version: 5.2.2
i wanted to create a custom splash screen, with my pictures to have a unique bootup but i don't know how to start it off, where to get the program ETC... ive searched on google and here but its for the Htc touch pro what i found... im still new to this, but if anyone can help me out, THANKS!
in brief...
create your image, 480 x 800 as a 24 bit bmp.
(EDIT - since writing this i have made a few and i CAN confirm it fails if the bmp isn't 24bit.
In photoshop, choose save as BMP, and if it only gives you the option of 8 bit colour, then cancel out of the save, click Image - Mode - RGB Colour. (index colour gives 8 bit BMP) )
get nbimg-1.1win32.zip from this thread
put nbimg.exe and your bmp in the same folder, open up a command prompt** in that folder, and issue the command
nbimg -p 18400 -w 480 -h 800 -F nameofphoto.bmp -T 0x600 -S 64 -D PB8110000
(change nameofphoto to whatever your image is called)
[EDIT - Warning, see *** at end of post for update. It turns out there are two memory positions where you can flash splash screens: the first at 0x600, which is the first five or six seconds, then the second at 0x601, which is the screen with the R G D info screen for five or six seconds, then it goes into the animated part, which is part of the rom.
If you don't make a second splashscreen, the first is shown for 14 seconds, then the rom animation.
To make the second splash, simply use the command as above, but use 0x601 instead
nbimg -p 18400 -w 480 -h 800 -F nameofphoto.bmp -T 0x601 -S 64 -D PB8110000
(change nameofphoto to whatever your image is called)
I ASSUME that flashing a stock rom will remove the secondary splashscreen, and not just replace the first one, but i haven't tried it.......]
it will create nameofphoto.bmp.nbh which you flash using customruu.exe, just like flashing a rom or radio.
**To open a command prompt in the currently viewed explorer folder in vista/7, you can press shift and right click in the folder window, which will give you the option to 'open command window here', which is handy.
***EDIT - 24 Jun 10 - Turns out flashing a stock rom DOES NOT remove the second boot screen (the one with the RGD info)
On the plus side, my second splash screen contains 'reward if found' and contact info, so even if the thief flashes a stock rom will still show. Winner!
(I only tested with the tmous 2.13 rom, and the UK O2 rom 1.43, one using customruu and the other using the stock exe, neither removed the 2nd splashscreen)
Not sure how one would go about it. A blank .nbh I assume. I don't mind, cos i don't want to remove it, so i'm not going to investigate, but anyone any ideas, please post to this thread. Thanks.
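A pre-flight check for the BMP requirements given in the post above (480 x 800, 24-bit), as an added example that is not part of the thread and not nbimg's own code. It reads only the standard BMP headers; the function names and the sample images are constructed for illustration.

```python
import struct


def check_splash_bmp(data, width=480, height=800):
    """Return a list of problems that would make the BMP unsuitable.

    An empty list means the file matches what the thread asks for:
    an uncompressed 24-bit BMP of width x height pixels.
    """
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file (no 'BM' signature or header too short)"]
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    hdr_size, w, h, _planes, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, 14)
    if hdr_size < 40:
        return ["unsupported BMP header (size %d)" % hdr_size]
    problems = []
    if bpp != 24:
        problems.append(
            "%d-bit BMP; the thread reports nbimg fails unless it is 24-bit"
            % bpp)
    if compression != 0:
        problems.append("compressed BMP (compression=%d)" % compression)
    # A negative height only means the rows are stored top-down.
    if (w, abs(h)) != (width, height):
        problems.append("image is %dx%d, expected %dx%d"
                        % (w, abs(h), width, height))
    # Rows are padded to a multiple of 4 bytes.
    stride = ((w * bpp + 31) // 32) * 4
    if len(data) - pixel_offset < stride * abs(h):
        problems.append("pixel data is truncated")
    return problems


def make_constructed_bmp(width, height, bpp):
    """Constructed sample: an all-black BMP with valid headers."""
    palette = b"\x00" * (4 * 256) if bpp == 8 else b""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = b"\x00" * (stride * height)
    offset = 14 + 40 + len(palette)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                       len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + info + palette + pixels


if __name__ == "__main__":
    samples = {
        "24-bit 480x800": make_constructed_bmp(480, 800, 24),
        "8-bit 480x800 (indexed colour)": make_constructed_bmp(480, 800, 8),
        "24-bit 800x480 (landscape)": make_constructed_bmp(800, 480, 24),
    }
    for name, bmp in samples.items():
        issues = check_splash_bmp(bmp)
        print("%-32s %7d bytes  %s"
              % (name, len(bmp), "OK" if not issues else "; ".join(issues)))
```

A correct 24-bit 480 x 800 file comes out at 1,152,054 bytes, which matches the roughly 1.1 MB size mentioned later in the thread.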
samsamuel said:
> in brief...
thank you Sam!! I had been thinking about doing one for myself, but hadn't bothered to look for the instructions yet.
Guess what just got added to my "HD2ToDo" folder for this weekend
hehe this thread being posted earlier made me decide it was time to find out how.
You could also edit the registry manually:
Use a couple of personalized 480x800.gif and drop it into the windows directory (unhide everything to get to it).
Go to:
HKLM\HTC\HTC Animation and change the startup480x800.gif and the shutdown480x800.gif to point to your own gifs.
For the Microsoft welcome you need two .png files and they need to be identical and named as such:
xxx.192.png and xxx.png
Drop those into your windows directory with whatever name you have chosen and go to:
HKLM\Software\Microsoft\Splash Screen (I think that is the path).
In there change the values of Carrier Bitmap to xxx.192.png and MSBitmap to xxx.png
I put my contact info on that screen embedded into a picture just in case I lose the puppy and a good samaritan happens to pick it up.
Hope this helps!
custom splash screen help
im having all kinds of problems doin a custom splash screen. i think its because of vista. if i provide the image can someone convert it for me so that i might flash it on my tmo hd2. any help with this would be greatly appreciated.
Camusa said:
> You could also edit the registry manually:
> Use a couple of personalized 480x800.gif and drop it into the windows directory (unhide everything to get to it).
> Go to:
> HKLM\HTC\HTC Animation and change the startup480x800.gif and the shutdown480x800.gif to point to your own gifs.
> For the Microsoft welcome you need two .png files and they need to be identical and named as such:
> xxx.192.png and xxx.png
> Drop those into your windows directory with whatever name you have chosen and go to:
> HKLM\Software\Microsoft\Splash Screen (I think that is the path).
> In there change the values of Carrier Bitmap to xxx.192.png and MSBitmap to xxx.png
> I put my contact info on that screen embedded into a picture just in case I lose the puppy and a good samaritan happens to pick it up.
> Hope this helps!
that's not the initial splash screen. the animation and the splash screen that are mentioned in the registry are step 3 and 4 in the boot process. they are part of the rom, step 1 exists in its own rom space and it survives a new rom flash.
still useful info for skinning the whole process though.
tsalate said:
> im having all kinds of problems doin a custom splash screen. i think its because of vista. if i provide the image can someone convert it for me so that i might flash it on my tmo hd2. any help with this would be greatly appreciated.
look up opening a command prompt as administrator on vista.(ill do it for you tomorrow if you have no luck. )
thanks I shall try that and if no luck i will let you know. again thanks for the help.
Super super lost!
ok so i changed my jpg to a bmp through REAConverter and made pic size 480 x 800 like you said SAM
then i was in command prompt..... and entered this.....
c:\USER\Robo\desktop\nbimg> nbimg -p 18400 -w 480 -h 800 -F Kurbaan.bmp -T 0x600 -S 64 -D PB8110000
after i clicked entered it went
[]file Kurbaan.bmp
[] No padding found. Check file size
WHAT DO I DO PLEASSSE HELP! AND IM SUPER NEW TO THIS
samsamuel said:
> that's not the initial splash screen. the animation and the splash screen that are mentioned in the registry are step 2 and 3 in the boot process. they are part of the rom, step 1 exists in its own rom space and it survives a new rom flash.
> still useful info for skinning the whole process though.
> look up opening a command prompt as administrator on vista.(ill do it for you tomorrow if you have no luck. )
AH...sorry that.
Yeah, I am not a "Custom flash the ROM" guy and that one is indeed embedded.
My bad.
I found out a way to make them super easy super fast, it doesn't take me more than 5 min. Here is my favorite one I made
http://youtube.com/watch?&gl=US&warned=True&client=mv-google&hl=en&v=QcIf9e_Zb_s&nomobile=1
pakistaniprince said:
> ok so i changed my jpg to a bmp through REAConverter and made pic size 480 x 800 like you said SAM
> then i was in command prompt..... and entered this.....
> c:\USER\Robo\desktop\nbimg> nbimg -p 18400 -w 480 -h 800 -F Kurbaan.bmp -T 0x600 -S 64 -D PB8110000
> after i clicked entered it went
> []file Kurbaan.bmp
> [] No padding found. Check file size
> WHAT DO I DO PLEASSSE HELP! AND IM SUPER NEW TO THIS
so far so good... look on your desktop for two files, one called yourfilename.bmp.nb and another called yourfilename.bmp.nbh
It's yourfilename.bmp.nbh that you flash.
Or perhaps your file is too big (mine was 1.1 meg, what's yours?)
Update for anyone playing with splashscreens.
It seems it's a four stage process, not three. There are two .nbh files, not just one, though if you don't flash the second one the first shows in its place.
When building the nbh file, with the command
nbimg -p 18400 -w 480 -h 800 -F nameofphoto.bmp -T 0x600 -S 64 -D PB8110000
This .nbh will be the very first thing that comes on screen, and will persist until the animation stage (stage 3)
however, if you also build another .nbh using the command
nbimg -p 18400 -w 480 -h 800 -F nameofphoto.bmp -T 0x601 -S 64 -D PB8110000
and flash this second .nbh, then when you boot you will get the first image first (of course) but then when the system info comes up (small writing bottom left) it switches to this second bootscreen, and then thirdly the animation, and finally the windows welcome.
Little Lost now lol
samsamuel said:
> so far so good... look on your desktop for two files, one called yourfilename.bmp.nb and another called yourfilename.bmp.nbh
> It's yourfilename.bmp.nbh that you flash.
> Or perhaps your file is too big (mine was 1.1 meg, what's yours?)
THANKS A LOT SAM I GOT IT TO WORK! APPRECIATE IT MAN!! =)
Just a couple of questions if you can help me out again SAM
1---on like the cell evo boot up screen he made a sick one how can i do that?
2---i did two images for bootup splash screen but i wanted something like spider man swinging across my screen or sumthan like that..... possible? and how to..PLEASE
3---when i turn off my phone how can i make a custom splash screen for that? "plus IM still super new to this Rom stuff"
4--- i want like a movable animation for a splash screen..... i guess this goes with question 2 lol
the only part that can be animated is part three, which is an animated .gif in the windows folder called leo_animated.gif
the rest of your questions are down to your own skill with creating graphics.
samsamuel said:
> the only part that can be animated is part three, which is an animated .gif in the windows folder called leo_animated.gif
> the rest of your questions are down to your own skill with creating graphics.
> I'll put some notes down on the whole boot splash process later this evening when I get home.
ok so i just find a .gif off of google, hook up my phone via active sync find that folder leo_animated.gif and delete the old gif and add my new one?
Thanks again bro for the help
pakistaniprince said:
> ok so i just find a .gif off of google, hook up my phone via active sync find that folder leo_animated.gif and delete the old gif and add my new one?
> Thanks again bro for the help
yea, (so long as it's 480x800) and you don't need to delete the old one, just copy over it. LEO_Animated.gif is a file, not a folder, it's in the windows folder.
oops, wrong info, see next page, post 26
I cannot get any of the tools I've tried to use to run on XP SP3, and I don't know why. I click the .exe, but nothing happens.
Any suggestions would be appreciated.
I've prepared a BMP to the proper dimensions for a boot splash, but I cannot get anywhere from there.
donalgodon said:
> I cannot get any of the tools I've tried to use to run on XP SP3, and I don't know why. I click the .exe, but nothing happens.
> Any suggestions would be appreciated.
> I've prepared a BMP to the proper dimensions for a boot splash, but I cannot get anywhere from there.
Are you trying to use Nbimg? you gotta run that in command prompt.... go to the first page of this topic, it might help you out more...
samsamuel said:
> yea, (so long as it's 480x800) and you don't need to delete the old one, just copy over it. LEO_Animated.gif is a file, not a folder, it's in the windows folder.
ok so i found the file on my computer through activesync, so then i tried to drag and drop my file HTC_animated.gif to HTChD2/windows and it said "i dont have permission" the file that i want to copy over is also called HTC_animated.gif but i cant change it, so i went on my phone to "Total Commander" to see if i can delete it, but when i tried it said i cant delete file....WHAT DO I DOOOO!!! =[

[Q] Help needed to dump the original rom

Hi everybody! I bought some weeks ago a Shift and my first priority is to change the language from Italian to English. But before going ahead in flashing a new rom I thought it is wise to make a back-up of the original rom.
So in my attempt to dump the original italian rom of my Shift I've come to an error status I don't know how to overcome, therefore any help would be very much appreciated:
Following pof's How to dump HTC Shift ROM at
http://forum.xda-developers.com/showthread.php?t=382609
I downloaded itsutils, unzipped on the pc and placed all the itsutils files in the c:\users\HTC User folder, (as I just did not know how to change the path in cmd to go to the c root with the itsutil folder).
Further on, with the WinMob connected to Vista with USB Tool, I introduced the first command line for pdocread
pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
and I got the answer
Copying c:\users\HTC User\itsutils.dll to WCE:\Windows\itsutils.dll (which I think it's OK) and then
rapi reinitializing (is it normal?)
and then
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005
– Access is denied
I have no idea on what the cause of the error could be, probably I must have done something wrong and I am stuck at this first dump step.
Can somebody please help me further to get unstuck?
Thank you very much!
Are you connected using activesync?
Also, try this guide:
http://forum.xda-developers.com/showthread.php?t=427507
and use pdocread -l first.
thaihugo said:
> Are you connected using activesync?
> Also, try this guide:
> http://forum.xda-developers.com/showthread.php?t=427507
> and use pdocread -l first.
THANK YOU THAIHUGO for taking the glove of answering me on this dead forum, I really need help! I find it fantastic that you are still so active, maybe in time some other senior members will take again the challenge to support the newcomers.
Yes, WM was connected to Vista side using the USB Tool and the Windows Mobile Device Center.
Looking back, I think I opened cmd as user and not as admin (now I know how to do it), this might have been the mistake, I will try again this afternoon.
1. So far I understood that the main reading process is running under Vista using the command lines and the itsutils, which is ok.
Does it matter where the unzipped folder <itsutilsbin-20100324> is placed? I mean should it be placed obligatory in the root of the c:\ drive?
If YES, how do I do that in the cmd line, I mean change the directory? Normally the cmd screen opens to the folder c:\users\HTC User when starting as user and to c:\Windows\system32 when doing it as administrator. Is it wise to copy all the itsutils files to system 32?
Of all those itsutils files, which are the absolutely necessary files to do the dump? Are these pdocread.exe and itsutils.dll only? This is because I'd like to copy as few files as possible to the system 32 folder.
2. If I got this right, the link that you pointed to shows for the Raphael ROM how to do the dump entirely on the WM side and should be applicable to the Shift WM as well if not managing it from Vista side, is that what you were trying to say?
3. Is this way of dumping the rom covering also the radio part and the bootloader, I mean all the 4 raw files contain the whole initial memory of the WM?
Sorry to raise such beginner's questions, but I did not find these things explained in any of the Shift threads and without answers I cannot progress with this dump job and further proceed with flashing a custom rom in English. I did search the Shift forums and Google for answers, but maybe I did not use the right keywords.
Looking forward to receiving the enlightening answers, thanks in advance!
Admin cmd mode should help yes.
1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open your command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
2) do not use raphael numbers. I linked to the post for the general procedure. Proper numbers are in the POF post.
3) you will not have the radio, nor the bootloader. But you have to jump if you want to use custom roms. Bootloader is available somewhere, and radio also I think.
Still getting errors
thaihugo said:
> Admin cmd mode should help yes.
> 1) it doesn't matter where your zip is. Just uncompress the files somewhere in a folder (c:\itsutils if you want), open your command line in admin mode, navigate from system32 folder to the itsutils folder and try again with the pdocread -l then the command from POF post.
Thank you again Thaihugo!
I gave it another try to pof's commands as you recommended this time first with pdocread -l and it doesn't work, BUT I'm getting the similar error messages. While accessing cmd as administrator and running the cmd line from c:\itsutils:
pdocread.exe -l
rapi reinitializing
and then after about 35 sec
ERROR: CeProcessConfig – r=002349d0 ce=00000002 le=00000000 hr=80070005 – Access is denied
At different runs I got different addresses for r and ce, but the same for le and hr (no idea what those mean).
It doesn't change if launching as administrator or user.
I even downloaded a previous version of itsutils directly on the Vista computer and unzipped it with Total Commander and the result is the same.
Have also tried another command from pof with the same error result:
pmemdump.exe 0x8c000000 262144 SPL.nb
Of course the WM side was connected to Vista via USB Tool and I also checked if from the Vista side the WM folders were accessible.
I'm completely stuck, don't know what to do further, please help!!!
Thank you!
P.S. Have copied the itsutils.dll to the Windows folder in WM via e-mail, just like in the liberalization process in order to avoid copying it via Active sync (as recommended for Raphael). This time at the first run of the pdocread.exe I was asked to accept installing itsutils.dll on the WM side, which I did.
But I'm still getting the error messages when launching pdocread.exe -l, this time running very fast in a few seconds and after 4 turns it stops with the final message
ERROR loading itsutil.dll - probably denied by policy restrictions
Does it ring any bell to you?
My guess is that I have to relax the security policy on the WM side, but I don't know how.
I am amazed that nobody raised all these before.
I've finally done it! HowTo......
OK, I finally managed to dump the ROM thanks to the support of Thaihugo and the info in various threads on this forum (with credit to the authors), I have now the ROM and bootloader dump files, but not the radio rom.
There were several detailed steps important for beginners that were not included in POF's thread "How to dump HTC Shift ROM" at http://forum.xda-developers.com/showthread.php?t=382609 that prevented me to do the dump from the first go.
In order to spare other newcomers time, here they are:
-On the WinMob side change the Security Policies setting by installing a registry editor like PHM Registry Editor, TotalCommander, etc. (I used the cab files downloaded in Vista and moved to WinMob via the Windows Mobile Device Center);
Go to HKLM\Security\Policies\Policies and change the valuename '00001001' from dword:2 to dword:1. Save the change and soft reset your WM device.
If in doubt check this: http://forum.xda-developers.com/showthread.php?t=427507
Note: After finishing the dump operation do not forget to revert back to the initial dword:2 value
-Download itsutils from POF's site to Vista and unzip the package to a new folder "c:\itsutils".
-To be on the safe side disconnect all network connections (3G modem, wifi, BT, LAN) and all USB external devices.
-Connect the WinMob side of the liberated Shift to Vista using the USB Tool and check in the Windows Mobile Device Center that the folders and files of WinMob are indeed accessible from Vista
-Open the command line screen and go to the folder where you unzipped the itsutils tool by typing "cd c:\itsutils" (without the quotes).
-From within the folder itsutils type the command "pdocread -l" (without the quotes).
At this point, with pdocread.exe started, go to the WinMob side and
you will find a message asking you to accept installing the itsutils.dll on the WM side, say Yes to it and wait until it is installed.
Then go back to Vista side and carry on as described in POF's thread mentioned above by:
- using "pdocread.exe -l" to list the NAND PARTITIONS (which have to do also with the radio side as I understood from one of cmonex posts)
- using "pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw" and the other 3 commands to generate the 4 raw files in the same folder c:\itsutils; keep them for reconstructing the original ROM
- using "pmemdump.exe 0x8c000000 262144 SPL.nb" to dump the bootloader file to the same folder c:\itsutils; keep that too.
That's it for now.
I have to deal further with dumping the radio rom, but I don't know how to do it, I must search the forums.
A big THANK YOU to all who helped me!
I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. I suggest you have a look at your radio version and try and find the same radio in the forum already dumped.
Otherwise, there are roms for each radio, so you could just simply apply the one that works with your radio. No phone call though if you don't use the right one.
thaihugo said:
> I never dumped a Radio. I think the experts keep this as secret because it's quite dangerous. I suggest you have a look at your radio version and try and find the same radio in the forum already dumped.
> Otherwise, there are roms for each radio, so you could just simply apply the one that works with your radio. No phone call though if you don't use the right one.
Thank you again Thaihugo, it seems that you are the only senior left on duty on this dead forum....yet the counter shows 238 views of this thread. Hm, strange....Anyway, thank you for all the good hints given one way or another during the past days, I wouldn't have made it without it.
I got the message, I will not bother with dumping the Radio. I know that a particular Rom is matched with a certain radio. I will flash one of your roms, most probably Age of Reasons and the associated radio. I am not looking for tens of programs on the WM side, it is enough to have the basic things in English and instant-on. I will let you know!
