Database Users

mkrom with 2003 "mkrom.sh" code

Hi All
I am trying to setup mkrom to handle PPC2003. I have extracted / converted all of the files from a "bare" 4.00.05 rom from Jef's Kitchen and amended the operator files etc and am able to generate new roms. I now need to change the code in the mkrom.sh file to change the xda1.bin and xda2.bin, and so on, addresses to match the 2003 rom layout. I have the relevant details but my question is can I simply substitute the new adresses into the .sh file or is there more to it ?
Thanks for any help
Richard

the latest version of mkrom has all its rom dependent parameters in 'cfg/params' and instead of all the 'dd' stuff, I now changed splitrom to handle all the manipulating of image files.
the offsets you see in mkrom are defaults for 3.17.
the latest mkrom you can find in http://xda-developers.com/DemoKitchen/data/00_Base ROM/4.00.05 ENG ppc2003/_/mkrom.sh

Itsme
Thanks again
Great site, Great team
Richard

Itsme
I have downloaded the 4.00.05 directory of Rom Kitchen and placed the required files in the correct folders and ran mkrom. On the first attempt the program reported "can't find dumprom" so I copied in the entire toolset and ran mkrom again this time I'm getting an overlap error as below:
write xip block starting at 81740000, with 2 files
write xip block starting at 81b00000, with 0 files
!!! your rom is not known to me: md5: dad2e3cad6095282bf1d58ccf12171e8
this bootloader seems to be V5.22 2003-05-15 17:46:55
no operator rom found
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8015df78 9 XIPKERNEL 5 files 5 modules
80180000 - 80376f10 8 KERNEL 10 files 14 modules
80380000 - 8064306c 7 OS 20 files 36 modules
80670000 - 80be66a8 6 SHELL 107 files 88 modules
80c00000 - 8102ce98 5 BROWSING 11 files 36 modules
81050000 - 813ef114 4 COREAPPS 95 files 44 modules
81400000 - 815d2238 3 EXAPPS 34 files 7 modules
815f0000 - 8171bc7c 2 PHONE 56 files 19 modules
81740000 - 81766e90 10 XDA_DEVELOPERS1 2 files 0 modules
81780000 - 81781c34 -- xip chain 11 xip entries
817c0000 - 81ca1b44 1 MISC 225 files 42 modules
81b00000 - 81b01054 11 XDA_DEVELOPERS2 0 files 0 modules
81ec0000 - 81ee5800 -- bitmap : f9fff9ff .. f9fff9ff
Error creating new rom
Overlap detected
1 MISC 225 files 42 modules
11 XDA_DEVELOPERS2 0 files 0 modules
This output comes from a run with a Tmobile "bare" rom but I get the same with a 4.00.05 rom from Jeffs kitchen.
I had not wanted to install the whole kitchen if I could help it and from the code it doesn't look as if I would need to but something is wrong somewhere. I would be verry grateful if you could offer any thoughts.
Thanks
Richard

All sorted now
Richard

http://cuba.calyx.nl/~jsummers/ROMkitchen/ Not working

Attn : Jeff summer
First thks for your effort for creating the cook rom page.
Just lock in the page and found out you have the Tmobile 4.00.10 rom cooking rom included in your web page http://cuba.calyx.nl/~jsummers/ROMkitchen/, But after downloaded and flash, the additional software is not included in the files in the selected windows.
thks again :wink:

OCMAX said:
Just lock in the page and found out you have the Tmobile 4.00.10 rom cooking rom included in your web page http://cuba.calyx.nl/~jsummers/ROMkitchen/, But after downloaded and flash, the additional software is not included in the files in the selected windows.quote]
Ohoh. Small mistake on my part. Fixed...
Click to expand...
Click to collapse

Hi Jeff,
Thanks for providing a wonderful site, but I would like to find from you is that, the T-Mobile v4.00.10 ROM does it come clean in terms of no customization like the today plug-in just like the 4.00.05?
In the Asia 02 XDA, it seems to have some problem with the T-Mobile v4.00.10 probably due to the customization of the setup.
I have tried the one located here, just thinking that if yours would be the PLAIN v4.00.10?
Thanks again for the wonderful setup and site.

I just tried to cook a rom and I got this error:
Warning: fopen(../../download/jaqpailv/log.html): failed to open stream: Not a directory in /home/jsummers/public_html/ROMkitchen/processor.php on line 104
Warning: fputs(): supplied argument is not a valid stream resource in /home/jsummers/public_html/ROMkitchen/processor.php on line 105
Warning: fclose(): supplied argument is not a valid stream resource in /home/jsummers/public_html/ROMkitchen/processor.php on line 106
Warning: rename(rom.exe,../../download/jaqpailv/rom.exe): Not a directory in /home/jsummers/public_html/ROMkitchen/processor.php on line 110
Thanks!

No working at all

Just tested: works for me... Maybe a glitch...

Worked for me yesterday evening too!
Many thanks Jeff!
Geoff

Wasn't working for me this morning, but seems to work fine right now...

Jeff-Kitchen is OK now :lol:
Thanks

Not working again?
Not for 3.17?
Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81800000, with 24 fileswrite xip block starting at 81940000, with 0 filesheader : No such file or directoryError creating new rom.
Hope somebody will fix this. :wink:

Re: Not working again?
OCMAX said:
Not for 3.17?
Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81800000, with 24 fileswrite xip block starting at 81940000, with 0 filesheader : No such file or directoryError creating new rom.
Hope somebody will fix this. :wink:
Click to expand...
Click to collapse
Works fine for me...:
Code:
Warning: OS type not detected, you may need to set tounicode variable manually
no files for configid 26220739
write xip block starting at 81800000, with 3 files
write xip block starting at 81980000, with 190 files
this rom seems to be 3.17.03 ENG 2003-05-15 o2euro
this bootloader seems to be V5.22 2003-05-15 17:46:55
80000000 - 80040000 -- bootloader 0 files 1 modules
80040000 - 8026a804 -- kernel 13 files 11 modules
802c2000 - 8057d330 9 OS 15 files 32 modules
80580000 - 8075a69c 8 SHELL 79 files 27 modules
80780000 - 80a13b04 7 BROWSING 9 files 14 modules
80a40000 - 80d8a33c 6 COREAPPS 46 files 30 modules
80dc0000 - 80ebd150 5 SYNC 12 files 22 modules
80ec0000 - 810388e0 4 24MAPPS 13 files 13 modules
81080000 - 81348248 3 24MCONSUMER 69 files 1 modules
81400000 - 814019a4 -- xip chain 10 xip entries
81440000 -817f6f14 1 MISC 209 files 40 modules
81800000 - 818ffff0 10 XDA_DEVELOPERS1 3 files 0 modules
81900000 - 81925800 -- bitmap : f9fff9ff .. f9fff9ff
81940000 - 81960278 -- operator rom 10 files81980000 -
81e205c8 11 XDA_DEVELOPERS2 190 files 0 modules
../rom.exe: found a preamble of 31232 bytes adding: English/NK.nbf (deflated 51%)

The kitchen is back up !!!

My friend's box is back up !
There was a problem which caused workspace directories not to be deleted under some circumstances, which caused the 'all workspaces are busy' problem. If all is well this problem is now also fixed.
--
Jeff

First of all without yor kitchen we will not eat, thank you.
I suggest if you can put a version or last update date so the visitor check if there is a changes and highlite the new lines.
Thanks.

Sigh,
And back down again...
Guess we'll have to wait for it to come back up.

http://cuba.calyx.nl/~jsummers/ROMkitchen/
Hi! Jeff
Thks for your time, effort you spent to create the web page.
I'm being using 3.17 cook rom it for a few weeks. and is wonderful.
Any chances that U fit in the 3.20 rom to your page?
thks in advance. :wink:

FYI:
Jeff's kitchen seems fine now...

Jeff, your kitchen is fantastic!! Thanks for all the great work!

@ Jeff. Thanks for the great work. Decided to try out the new anti-theft feature and received this when cooking:
echo Warning: OS type not detected, you may need to set tounicode variable manuallywrite xip block starting at 81740000, with 3 fileswrite xip block starting at 81b00000, with 144 files!!! your rom is not known to me: md5: 1cd007bbffa268b12b7968cabb7cc75fthis bootloader seems to be V5.22 2003-05-15 17:46:55no operator rom found80000000 - 80040000 -- bootloader 0 files 1 modules80040000 - 8015d5cc 9 XIPKERNEL 5 files 5 modules80180000 - 80375bdc 8 KERNEL 10 files 14 modules80380000 - 8064306c 7 OS 20 files 36 modules80670000 - 80be66a8 6 SHELL 107 files 88 modules80c00000 - 8102ce98 5 BROWSING 11 files 36 modules81050000 - 813ef114 4 COREAPPS 95 files 44 modules81400000 - 815d2238 3 EXAPPS 34 files 7 modules815f0000 - 8171bc7c 2 PHONE 56 files 19 modules81740000 - 8177ffec 10 XDA_DEVELOPERS1 3 files 0 modules81780000 - 81781c34 -- xip chain 11 xip entries817c0000 - 81ae4338 1 MISC 109 files 42 modules81b00000 - 81eadc2c 11 XDA_DEVELOPERS2 144 files 0 modules81ec0000 - 81ee5800 -- bitmap : f9fff9ff .. f9fff9ff adding: NK.nb1zip I/O error: No space left on devicezip error: Output file write failure (write error on zip file)

Did anyone try running haret on a smartphone?

I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I've got an error message :
EXCEPTION reading coprocessor 15 register 0
twice.
And the detected cpu type is unknown
Anyway i could start the application and open a tcp port
Here is the result of dump cp(0) :
c00: ffffffd2 | c08: ffffffd2
c01: ffffffd2 | c09: ffffffd2
c02: ffffffd2 | c10: ffffffd2
c03: ffffffd2 | c11: ffffffd2
c04: ffffffd2 | c12: ffffffd2
c05: ffffffd2 | c13: ffffffd2
c06: ffffffd2 | c14: ffffffd2
c07: ffffffd2 | c15: ffffffd2
And here is the result of dump mmu:
----- Virtual address map -----
Descriptor flags legend:
C: Cacheable
B: Bufferable
0..3: Access Permissions (for up to 4 slices):
0: Supervisor mode Read
1: Supervisor mode Read/Write
2: User mode Read
3: User mode Read/Write
Error: EXCEPTION reading coprocessor 15 register 2
MMU 1st level descriptor table is at FFFFC000
Virtual | Physical | Descr | Description
address | address | flags |
----------+----------+---------+-----------------------------
Error: EXCEPTION CAUGHT AT MEGABYTE 0!
ffffffff | | | End of virtual address space
It seems that haret is having problem trying to read the CPU registeries,
what could be the problem?
So it means that I have to patch the source of haret before I can use it on a smartphone?
Or is it because of smartphone security policies? something about user-mode, kernel-mode in
wince?
I'm quite a nub but I think I have to know what to read first before I start reading books. Any info or help is appreciated.

aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
When I started haret I've got an error message :
EXCEPTION reading coprocessor 15 register 0
...
Any info or help is appreciated.
Click to expand...
Click to collapse
You can try to add this code the the assembler file
and call the functions directly. Worked for
me with wince2.11, where i also had problems:
export |cp15_0|
|cp15_0| proc
mrc p15, 0, r0, c0, c0, 0
mov pc, lr
endp
export |cp15_2|
|cp15_2| proc
mrc p15, 0, r0, c2, c0, 0
mov pc, lr
endp
export |cp15_13|
|cp15_13| proc
mrc p15, 0, r0, c13, c0, 0
mov pc, lr
endp

aybabtu said:
I ran the latest version 0.36 on my Mio8390 which is using a PXA262 processor
running smartphone 2003.
Click to expand...
Click to collapse
Don't forget to post at least the 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4' here when
haret works

cr2 said:
... 'dump gpio', FB address,
'dump mmu' and 'pd 0x41300004 4'
Click to expand...
Click to collapse
Thank you for your help.
I signed the code with a privileged certification, then dump gpio and
physical address worked.
Code:
#dump gpio :
GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER | GPIO# D S A INTER
------------------+-------------------+-------------------+------------------
0 I 0 0 FE | 21 I 0 0 | 42 I 1 1 | 63 I 1 0 FE
1 I 0 0 RE FE | 22 O 1 0 | 43 O 1 2 | 64 O 1 0
2 I 0 0 RE | 23 O 0 0 | 44 I 1 1 | 65 O 1 0
3 I 0 0 RE FE | 24 O 0 0 | 45 O 1 2 | 66 O 1 0
4 I 0 0 RE | 25 O 0 0 | 46 I 1 2 | 67 I 1 0 FE
5 I 1 0 FE | 26 I 1 0 | 47 O 1 1 | 68 I 1 0
6 O 0 1 | 27 I 1 0 | 48 I 1 0 | 69 I 0 0
7 I 1 0 | 28 I 1 1 | 49 O 1 2 | 70 I 1 0
8 O 1 1 | 29 I 0 1 | 50 O 1 0 | 71 I 1 0
9 I 1 0 | 30 O 0 2 | 51 O 0 0 | 72 I 1 0 FE
10 I 1 0 FE | 31 O 0 2 | 52 I 1 0 | 73 O 1 0
11 I 1 0 | 32 I 1 0 | 53 I 1 0 | 74 O 0 0
12 I 1 0 RE FE | 33 O 1 2 | 54 O 0 0 | 75 O 1 0
13 I 0 0 RE FE | 34 I 1 1 | 55 O 1 0 | 76 O 0 0
14 I 0 0 RE FE | 35 I 0 1 | 56 O 0 0 | 77 O 0 0
15 O 1 2 | 36 I 0 0 | 57 I 1 0 | 78 O 1 2
16 I 1 0 | 37 I 0 1 | 58 O 0 0 | 79 I 1 2
17 O 1 2 | 38 I 0 0 | 59 O 0 0 | 80 O 1 2
18 I 1 1 | 39 O 1 2 | 60 O 1 0 | 81 I 1 1
19 O 1 0 | 40 O 0 0 | 61 O 1 0 | 82 O 1 1
20 O 1 0 | 41 O 0 0 | 62 O 1 0 | 83 I 1 2
#pd 0x41300004 4 :
41300004 | 00017bef | .{..
(What is so special about these four bytes?)
Then I tried to apply your code, but i don't know where should I call those fumctions, I tried calling them right before cpuDetect() or put it inside cpu-pxa.cpp and call them before cpuGetCP(), same effect.
The error message box doesn't show up but there is no message in the wince side console (detected cpu type),
then the same exception show up when I telnet it and when I dump any cp other then cp0.
phrack #63 - Hacking Windows CE said:
...
; SetProcessorMode.s
AREA |.text|, CODE, ARM
EXPORT |SetProcessorMode|
|SetProcessorMode| PROC
mov r1, lr ; different modes use different lr - save it
msr cpsr_c, r0 ; assign control bits of CPSR
mov pc, r1 ; return
END
...
Most of Pocket PC ROMs were builded with Enable Full Kernel Mode option, so all applications appear to run in kernel mode. The first 5 bits of the Psr register is 0x1F when debugging, that means the ARM processor runs in system mode. This value defined in nkarm.h:
// ARM processor modes
#define USER_MODE 0x10 // 0b10000
#define FIQ_MODE 0x11 // 0b10001
#define IRQ_MODE 0x12 // 0b10010
#define SVC_MODE 0x13 // 0b10011
#define ABORT_MODE 0x17 // 0b10111
#define UNDEF_MODE 0x1b // 0b11011
#define SYSTEM_MODE 0x1f // 0b11111
...
Click to expand...
Click to collapse
I guess smartphone is a little bit different from pocketpc?
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
I'd better start reading the ARM reference manual.

aybabtu said:
(What is so special about these four bytes?)
Click to expand...
Click to collapse
This is a ClocKENable (CKEN) register, so you have:
LCD,I2C,ICP,MMC,USB,NSSP,I2S,BTUART,FFUART,STUART,
SSP,AC97,PWM1,PWM0
enabled.
Then I tried to apply your code, but i don't know where should I call those fumctions
Click to expand...
Click to collapse
Add them to the wince/asmstuff.asm file,
and modify the cpuGetCP function in
wince/s-cpu.cpp to
Code:
uint32 cpuGetCP (uint cp, uint regno)
{
uint32 result=0xffffffff;
int ok=0;
if (cp > 15)
return 0xffffffff;
if (cp==15)
{
ok=1;
SetKMode (TRUE);
cli ();
switch (regno)
{
case 0:
result=cp15_0();
break;
case 2:
result=cp15_2();
break;
case 13:
result=cp15_13();
break;
default:
ok=0;
break;
}
sti ();
SetKMode (FALSE);
}
if (!ok) Output (L"Invalid register read cp=%d regno=%d\n",cp,regno);
return result;
uint32 value;
selfmod [0] = 0xee100010 | (cp << 8) | (regno << 16);
if (!FlushSelfMod ("read"))
return 0xffffffff;
__try
{
value = ((uint32 (*) ())&selfmod) ();
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Complain (C_ERROR ("EXCEPTION reading coprocessor %d register %d"), cp, regno);
value = 0xffffffff;
}
return value;
Oh, btw I have to specify the address 0x81a00000 when I dumped the
rom using itsme's pmemdump, so it means that 0x81a00000 is mapped to 0x0?
Click to expand...
Click to collapse
Maybe, but how did you come to using this address ?

The 'dump gpio' shows that the phone is not using the
builtin LCD pins. Then there must be a
video chipset in the phone. Interesting,
because even HTC is saving money on that.

I tried adding SetKMode to the original function, it worked without
calling your functions.
would there be any possible problem?
Maybe, but how did you come to using this address ?
Click to expand...
Click to collapse
Well I got a leaked dump out rom and tried to extract it with itsme's tool.
and i got something similar to these:
Code:
img 00000000 : hdr=81d5352c base=81a00000 commandlineoffset=81a00000
img 00640000 : hdr=82c40878 base=81a00000 commandlineoffset=81a00000
img 01300000 : hdr=82d02dd8 base=81a00000 commandlineoffset=81a00000
img 01380000 : hdr=8356d204 base=81a00000 commandlineoffset=81a00000
there must be a video chipset in the phone
Click to expand...
Click to collapse
There is a MediaQ MQ2100-JBE chipset inside, i'll look for info for this chipset later. And yes this phone is interesting, low price for it's high specification compared to other same generation phones but crappy customer service .
I'll post the result of dump mmu to the point it crash a little bit later.

aybabtu said:
I tried adding SetKMode to the original function, it worked without
calling your functions.
would there be any possible problem?
Click to expand...
Click to collapse
Unlikely.
Well I got a leaked dump
Click to expand...
Click to collapse
Then you can just lookup the static remapping
table.
There is a MediaQ MQ2100-JBE chipset inside, i'll look for info for this chipset later.
Click to expand...
Click to collapse
The datasheet is available here
www.handhelds.org/platforms/hp/ipaq-h22xx/mq-lcd-interface-appnote.pdf

And the mapping table dumped out using itsme's pmemmap:
Code:
v81a00000-83a00000 -> p00000000-02000000
v86000000-86100000 -> pe0000000-e0100000
v86100000-86200000 -> p48000000-48100000
v86200000-88200000 -> p40000000-42000000
v8c000000-8e000000 -> pa0000000-a2000000
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
Dumped it out and i can only tell that the first 32MB is my rom data.
And many info you gave me which I don't fully understand, guess I have to
read much more before I can thtink about running linux on this phone,
at least I know what to read now.

On a side note, it jumps to 1000h at the beginning of the rom likes the others
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
And at the end of the rom, there are 2 copies of 256K code, in which I found
strings of the bootloader in it, and the second copy is 1 byte different from
the first one, 1:0x00 2:0x01, in the middle of the code.
I'm not sure these are Mitac only layout, just put it here in case anyone
knows.

Oh and there is a Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.

aybabtu said:
And the mapping table dumped out using itsme's pmemmap:
Click to expand...
Click to collapse
v81a00000-83a00000 -> p00000000-02000000
32MB ROM
v86000000-86100000 -> pe0000000-e0100000
Weird.
v86100000-86200000 -> p48000000-48100000
PXA26x Memory Controller
v86200000-88200000 -> p40000000-42000000
PXA26x Peripherals
v8c000000-8e000000 -> pa0000000-a2000000
32MB SDRAM
v9a300000-9a400000 -> p04000000-04100000
v9c300000-9c400000 -> p08000000-08100000
v9f600000-9f700000 -> p0c000000-0c100000
v9f800000-9f900000 -> p14000000-14100000
mmaped devices.
And many info you gave me which I don't fully understand, guess I have to
read much more before I can thtink about running linux on this phone
Click to expand...
Click to collapse
You can also dump/decode the registry and identify the
use of the serial ports.
Your GPIO table suggests that the PXA MMC
controller is used.
Looks good

aybabtu said:
Oh and there is a Atmel MEGA16L-8MI Microcontroller inside,
don't know what it exactly does but I found strings related to this
in the 'bootloader portion'.
Click to expand...
Click to collapse
Battery monitoring or something like that,
maybe keyboard controller.

aybabtu said:
On a side note, it jumps to 1000h at the beginning of the rom likes the others
wince devices, but starting from 1000h, the content matches the dumped out
NK.exe kernel without the PE header(?).
Wasn't there supposed to be a 256K bootloader?
Click to expand...
Click to collapse
Not all wince devices have a bootloader,
wince2.11 and wince2005 un universal for example.
You can also look with 'strings -el' for
other useful strings.

v86000000-86100000 -> pe0000000-e0100000
Weird.
Click to expand...
Click to collapse
Seems to be that 16MB PXA26X NAND Flash ROM

aybabtu said:
v86000000-86100000 -> pe0000000-e0100000
Weird.
Click to expand...
Click to collapse
Seems to be that 16MB PXA26X NAND Flash ROM
Click to expand...
Click to collapse
Built-in ? BTW, does this device support SD cards or only MMC ?

Built-in ? BTW, does this device support SD cards or only MMC ?
Click to expand...
Click to collapse
Built-in, It should be the M-System DiskOnChip MD3831-D16-V3Q18-T inside.
Support both.
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:

aybabtu said:
And this phone does not support bluetooth, but the clock to BTUART is
enabled :?:
Click to expand...
Click to collapse
It is a normal UART, not blue at all , Himalaya
uses it for the serial cable.

That's not exactly the datasheet of
mq2100...
archive.org show that this was available
for downloads.. oh well

Put the list of all components and the known
information to wiki. That can help other people.

Is it possbale to unlock EXTROM space?

It seems that there is about 100 MB Missing... I just guess is EXTROM
It could very easy to test that - different EXTROM but same Flash.bin.
The total free ROM space unchanged, even your EXTROM just used a few MB
If the EXTROM could be used, then it could be great help for cooking
The files may relate to FLASH.Header and partition.mbn. could anyone have a good try?
But...
pdocread.exe -l
411.25M (0x19b40000) DSK1:
| 1.87M (0x1df000) Part00 BOOT SECTION image
| 5.00M (0x500000) Part01 XIP RAM Image
| 84.25M (0x5440000) Part02 IMGFS file system
| 320.13M (0x14020000) Part03 legit DOS partition
handle#1 ef638fc6 320.13M (0x14020000)
handle#2 ef6adea6 84.25M (0x5440000)
handle#3 2f6ade82 5.00M (0x500000)
handle#4 4f6ade3a 1.87M (0x1df000)
Total is just 411.25, about 100MB (0x064C0000) seems missing....
For Part02, I could know is imgfs, and Part00 seems EXTROM, but where is disappear 100M?
partition table:
Code:
Partition-Info :
------------------
MIBIB
---------------------------------------------------------
Page: 0x6
Size: 0x4
Address: 0x000C0000 - 0x00140000
Block: 0x00000180 - 0x00000280
Flash: 0xFEFFFFFF
SIM_SECURE
---------------------------------------------------------
Page: 0x4
Size: 0x2
Address: 0x00080000 - 0x000C0000
Block: 0x00000100 - 0x00000180
Flash: 0xFEFFFFFF
FSBL
---------------------------------------------------------
Page: 0x180
Size: 0x1E
Address: 0x03000000 - 0x033C0000
Block: 0x00006000 - 0x00006780
Flash: 0xFFFFFFFF
OSBL
---------------------------------------------------------
Page: 0x180
Size: 0x1E
Address: 0x03000000 - 0x033C0000
Block: 0x00006000 - 0x00006780
Flash: 0xFFFFFFFF
AMSS
---------------------------------------------------------
Page: 0x4650
Size: 0x708
Address: 0x8CA00000 - 0x9AB00000
Block: 0x00119400 - 0x00135600
Flash: 0xFFFFFFFF
EFS2
---------------------------------------------------------
Page: 0x1F40
Size: 0xC8
Address: 0x3E800000 - 0x40100000
Block: 0x0007D000 - 0x00080200
Flash: 0xFFFFFF01
DSP1
---------------------------------------------------------
Page: 0x3E80
Size: 0x258
Address: 0x7D000000 - 0x81B00000
Block: 0x000FA000 - 0x00103600
Flash: 0xFFFFFFFF
FOTA
---------------------------------------------------------
Page: 0x80
Size: 0x64
Address: 0x01000000 - 0x01C80000
Block: 0x00002000 - 0x00003900
Flash: 0xFFFFFFFF
EXTROM
---------------------------------------------------------
Page: 0xC350
Size: 0x7D0
Address: 0x86A00000 - 0x96400000
Block: 0x0010D400 - 0x0012C800
Flash: 0xFFFFFFFF
APPSBL
---------------------------------------------------------
Page: 0x300
Size: 0x32
Address: 0x06000000 - 0x06640000
Block: 0x0000C000 - 0x0000CC80
Flash: 0xFFFFFFFF
APPS
---------------------------------------------------------
Page: 0x80
Size: 0xC
Address: 0x01000000 - 0x01180000
Block: 0x00002000 - 0x00002300
Flash: 0xFFFFFFFF
EFS2APPS
---------------------------------------------------------
Page: 0xFFFFFFFF
Size: 0xFFFF
Address: 0xFFFE0000 - 0xFFFC0000
Block: 0x001FFFC0 - 0x001FFF80
Flash: 0xFFFF02FF

good investigation ! I hope you can find a Way to reduce the allocated space, sadly I can't help you with this...keep the research !

Arto said:
good investigation ! I hope you can find a Way to reduce the allocated space, sadly I can't help you with this...keep the research !
Click to expand...
Click to collapse
Thank you also
The difficult problem is that, I'm not much understanding NAND Flash...
But, it seems that, after flashing ROM with new partition.mbn, the size of ExtRom could be changed.
At this moment, I'm not sure that the Hex files should be also changed or not ...
Code:
EXTROM
---------------------------------------------------------
[COLOR="Red"] Page: 0xC350
Size: 0x7D0[/COLOR]
Address: 0x86A00000 - 0x96400000
Block: 0x0010D400 - 0x0012C800
[COLOR="Red"] Flash: 0xFFFFFFFF[/COLOR]
Form Page (seems like format pagepool), the maximum ExtROM could be 50MB, that's the limit for a cook to modify ExtROM.
Of cause, if we could modify ExtROM size, then we could include more module in to Image
Moreover, including ExtROM, the boot system could used up to 93.674MB

my extrom take 7mb...so if the extrom allocated space can be changed it would be reallocated to application space? Qazer found a way to change page pool size, maybe it can help you on this !
edit, what is NAND flash?

Arto said:
my extrom take 7mb...so if the extrom allocated space can be changed it would be reallocated to application space? Qazer found a way to change page pool size, maybe it can help you on this !
edit, what is NAND flash?
Click to expand...
Click to collapse
After rearranged the partition table, it could be like this:
Code:
offset size
SIM_SECURE 0x4 0x2
MIBIB 0x6 0x4
FOTA 0x80 0x64
APPS 0x80 0xC
FSBL 0x180 0x1E
OSBL 0x180 0x1E
APPSBL 0x300 0x32
EFS2 0x1F40 0xC8
DSP1 0x3E80 0x258
AMSS 0x4650 0x708
EXTROM 0xC350 0x7D0
EFS2APPS 0xFFFFFFFF 0xFFFF
It could be much strange that some 'partitions' are overlapping!
Emmm, I forgot the order flashing these programs (.mbn), however, the ExtROM could be the last one to flash in the phone...
If somebody could tell me the order, then it could be much clear the process
Seems changed size could be OK, but I just wonder that what about ImageFS...
BTW, for term 'NAND flash', just wikipedia it

the best thing we can do is to reallocate this space in a virtual ram driver, and dont use the extrom space anymore. I noticed that the extrom files (cabs,tsk..) are in the windows folder of the device when you explore the windows folder.
So Is there a virtual ram driver or is there a way to do that, we don't need space, we need ram alternative.
anyway, don't know if it is possible to do such a thing on winmo devices...
( a kind of swap space....)

ocman said:
the best thing we can do is to reallocate this space in a virtual ram driver, and dont use the extrom space anymore. I noticed that the extrom files (cabs,tsk..) are in the windows folder of the device when you explore the windows folder.
So Is there a virtual ram driver or is there a way to do that, we don't need space, we need ram alternative.
anyway, don't know if it is possible to do such a thing on winmo devices...
( a kind of swap space....)
Click to expand...
Click to collapse
I think we should hardmod to add more RAM instead of using NAND flash, to avoid damaging it faster
Emmm, at this time I could not be sooooooo brave to flash my only phone
I just only change 0x7D0 (D0 07 00 00) to 0x3E8 (E8 03 00 00)....
If I try to flash with new partition.mbn,the phone turn into FTM Mode
But I just put partition.mbn, extrom.bin and two hex files only to the flash tool...
It sounds like I should put all files in that...
Then, finally these two hex files ENPRG8650.hex and NPRG8650.hex should be also modified.