mmc for big storage rom upgrade - JAM, MDA Compact, S100 Software Upgrading

can i use mmc for big storage rom upgrade

You can try, but many people are reporting problems with it.
You can obtain BS with a USB upgrade as well via this:
All steps:
-get nbfdec from the thread 'upg to 1.13 wwe rom (with 1.13 radio)in 10 easy steps' post from hlt on first page
- get maupgradeut_noid.exe from the ftp
- Download the shipped rom from:
http://www.t-mobile.nl/zakelijk/htdocs/page/service/mda_compact_upgrade.asp
- Download the Hexeditor from:
http://www.hhdsoftware.com/hexeditor.html
1. Unzip NL_11300_131_11200.exe (or any other shipped rom)
2. Put NBFDEC in the same directory as the unzipped shipped rom files
3. Copy the getdevicedata.exe to your Magician and execute to write DeviceData.txt
to \Windows and view with notepad
5. Decode nk.nbf -> nk.nb1:
nbfdec -d nk.nbf nk.nb1
6. Hexedit header to correct ID from DeviceData.txt
(probably only if using a rom from other provider)
7. Replace pattern for bigstorage in hexeditor:
locate the 02 00 00 80 00 20 and change 80 00 to b8 01 in the nk.nb1
(use binary search for this!!)
7. Encode nk.nb1->nk.nbf
nbfdec -e nk.nb1 nk.nbf
8. run maupgradeut_noid.exe to upgrade CE image
Also, this way you will save the contents of increased \Storage folder if previous rom was bigstorage one
Usage sample (must be run from the same folder as nbf files or specify full path):
nbfdec -d nk.nbf nk.nb1
nbfdec -e nk.nb1 nk.nbf

how to decode step 5?? how to do step 6?? i have DeviceData.txt but what to do next... using arabic rom imate and i can't locate binary search in hexeditor... how to find 02 00 00 80 00 20???? plz someone help me, i'm a noob because i want bs for real??? plz anybody, thx in advance

Hi max414,
I changed step 5 & later, hope you understand them now. I think you've succeeded in unzipping the shipped-rom, so you have all the .nbf, getdevicedata.exe, enterbl.exe etc. files in the same directory. It will be very handy in step 5 if you put all these files together with NBFDEC.exe & MAUPGRADEUT_NOID.EXE in a directory like c:\BIGStorage\
5. Decode nk.nbf -> nk.nb1:
NBFDEC must be executed from the command line. Press the 'Start button' & select 'Run…' & type CMD in the window you get. Now a command window opens; go to the directory where you've put all your files. Then type on the command line:
nbfdec -d nk.nbf nk.nb1
6. Skip this step; you're going to use maupgradeut_noid twice in step 8:
Hexedit header to correct ID from DeviceData.txt
(probably only if using a rom from other provider)
7. Replace pattern for bigstorage in hexeditor. Open the nk.nb1 in hexedit and locate twice the byte pattern 02 00 00 80 00 20. Don't use the text search!!
Change the 80 00 to b8 01
7. Encode nk.nb1->nk.nbf again with nbfdec on the command line.
nbfdec -e nk.nb1 nk.nbf
8. Connect your magician with usb to your PC & run maupgradeut_noid.exe twice to upgrade CE image. The first run will give you error 120 (country id), just exit and start maupgradeut_noid.exe again now it will proceed.
Succes, M
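The hex edit from step 7 above, written as a script that refuses to write anything unless the pattern is found exactly twice, as the reply says it should be. This is an added example, not part of the original posts or of nbfdec; the function names and the constructed sample image are assumptions made for illustration.

```python
from __future__ import annotations
from pathlib import Path

# Byte pattern and replacement exactly as quoted in the posts above.
PATTERN = bytes.fromhex("02 00 00 80 00 20")
PATCHED = bytes.fromhex("02 00 00 b8 01 20")   # only "80 00" -> "b8 01" changes
EXPECTED_HITS = 2                               # "locate twice the byte pattern"


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs (binary search, not text search)."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return offsets


def patch_image(data: bytes, expected_hits: int = EXPECTED_HITS) -> tuple[bytes, list[int]]:
    """Patch a decoded nk.nb1 image held in memory.

    Raises ValueError when the number of matches differs from what the
    procedure expects, so a wrong or already-patched image is never modified.
    """
    offsets = find_all(data, PATTERN)
    if len(offsets) != expected_hits:
        raise ValueError(
            f"expected {expected_hits} occurrences of {PATTERN.hex(' ')}, "
            f"found {len(offsets)}; image left untouched"
        )
    patched = bytearray(data)
    for off in offsets:
        patched[off:off + len(PATTERN)] = PATCHED
    # An in-place edit must never shift the bytes that follow it.
    if len(patched) != len(data):
        raise RuntimeError("patch changed the image length")
    return bytes(patched), offsets


def patch_file(src: str, dst: str) -> list[int]:
    """Read src, write the patched copy to dst, keep src as the backup."""
    src_path, dst_path = Path(src), Path(dst)
    if dst_path.exists():
        raise FileExistsError(f"{dst} already exists, refusing to overwrite")
    patched, offsets = patch_image(src_path.read_bytes())
    dst_path.write_bytes(patched)
    return offsets


def constructed_sample() -> bytes:
    """Constructed stand-in for nk.nb1: filler bytes around two pattern hits."""
    return b"\xff" * 16 + PATTERN + b"\x00" * 8 + PATTERN + b"\xaa" * 4


if __name__ == "__main__":
    image = constructed_sample()
    patched, hits = patch_image(image)
    for off in hits:
        print(f"0x{off:08x}: {image[off:off + 6].hex(' ')} -> {patched[off:off + 6].hex(' ')}")
```

On a real image, `patch_file("nk.nb1", "nk_bs.nb1")` writes a patched copy and leaves the decoded original in place for comparison.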

fi9 works
i have 1.13 big storage :twisted:

nice to see

Related

ROM 1.06 - broke that code???

hey,
it is: 5E 4D 31 30 41
just had an idea how to get that xor-passkey...
every *.nbf file begins (when decrypted) with the string 'PM10A' which is, converted into hexadecimal, '50 4D 31 30 41' (you can verify that with a hex editor examining a decrypted file (*.nba)). As i read in some article from the internet, an xor-key is symmetrical (ok, not such a big deal ;-) ). That means that you can xor-compare the encrypted part with the decrypted one and get the passkey!
how to do:
(i'll take the imate.zip after executing the change.bat for that since it contains both encrypted and decrypted files when you delete the "del *.nba" line at the end of the batch file)
write down the first 8 bytes of the encrypted file
=> 71 48 35 10 (from nk.nbf)
write down the first 8 bytes of the decrypted file
=> 50 4D 31 30 (from nk.nba)
now take the windows calculator, activate scientific mode and switch to hex, also choose 'word' on the right side
a) enter 7148, press XOR, now enter 504D
b) the result should be 2105
remember, we're looking for an 8 digits key! the result shows the last 4 digits in *inverse* order. so we have (after changing) XX XX 05 21
(XX XX stands for the missing first 4 digits)
c) do steps a) and b) again with the comparison of 3510 with 3130
you'll get 420 as result which is (after adding a leading '0') 04 20
change the digits and get: 20 04 05 21 which is, when you look into the change.bat, exactly the given key for decrypting!!!
======== NOW FOR THE WANTED QTEK/DANGAARD-ROM ========
in the dangaard-contribution the nk-nbf begins with:
"4B 37 43 6E" which you must compare again with
"50 4D 31 30"
do the steps mentioned above and get: 5E 72 7A 1B
=========NEW CHANGE.BAT===================
xda3nbftool -x ms_.nbf ms_.nba 0x5e727a1b
xda3nbftool -x nk.nbf nk.nba 0x5e727a1b
xda3nbftool -x radio_.nbf radio_.nba 0x5e727a1b
xda3nbftool -so T-MOB101 -sl WWE ms_.nba
xda3nbftool -so T-MOB101 -sl WWE nk.nba
xda3nbftool -so T-MOB101 -sl WWE radio_.nba
xda3nbftool -c -u NK.nba
xda3nbftool -c -u ms_.nba
xda3nbftool -c -u Radio_.nba
xda3nbftool -x ms_.nba ms_.nbf 0x5e727a1b
xda3nbftool -x nk.nba nk.nbf 0x5e727a1b
xda3nbftool -x radio_.nba radio_.nbf 0x5e727a1b
============================================
unfortunately the calculation/correction of the checksum in the xda3nbftool doesn't work correctly. We'll need to calculate the new checksum by hand. As it is much too late for me now, i'd like to invite some other folks to support me! Refer to wiki to get the offsets for the checksum.
regards,
André
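The calculator steps from the post above, written out as code: XOR-ing the first four ciphertext bytes with the known "PM10" magic yields the 32-bit key, which is why a repeating XOR over a file with a fixed header gives no confidentiality. This is an added example, not the poster's code or xda3nbftool's; it assumes a plain repeating 4-byte XOR with the key stored little-endian, and the longer sample headers are constructed.

```python
import struct

KNOWN_MAGIC = b"PM10"   # first plaintext bytes of a decrypted .nbf, per the post


def recover_key(cipher_prefix: bytes, known_plain: bytes = KNOWN_MAGIC) -> int:
    """Known-plaintext recovery of a repeating 32-bit XOR key.

    key_byte[i] = cipher[i] XOR plain[i]; the four bytes are then read as a
    little-endian integer, which is the "inverse order" step in the post.
    """
    if len(cipher_prefix) < 4 or len(known_plain) < 4:
        raise ValueError("need at least 4 ciphertext and 4 known plaintext bytes")
    key_bytes = bytes(c ^ p for c, p in zip(cipher_prefix[:4], known_plain[:4]))
    return struct.unpack("<I", key_bytes)[0]


def xor_crypt(data: bytes, key: int) -> bytes:
    """Apply the repeating 4-byte XOR (the same call encrypts and decrypts)."""
    kb = struct.pack("<I", key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def key_is_consistent(cipher: bytes, key: int, expected_plain: bytes) -> bool:
    """Check a recovered key against MORE known plaintext than was used to
    derive it. Four bytes always produce *some* key; only bytes beyond the
    first four can show whether the repeating-XOR assumption holds."""
    if len(cipher) < len(expected_plain):
        return False
    return xor_crypt(cipher[:len(expected_plain)], key) == expected_plain


# Ciphertext prefixes quoted in the post.
IMATE_PREFIX = bytes.fromhex("71 48 35 10")
DANGAARD_PREFIX = bytes.fromhex("4B 37 43 6E")

# Constructed sample: a header really encrypted with a repeating XOR.
CONSTRUCTED_OK = xor_crypt(b"PM10A constructed header", 0x20040521)
# Constructed sample: first four bytes line up, but the rest was produced
# some other way (stands in for a changed header or algorithm).
CONSTRUCTED_CHANGED = xor_crypt(b"PM10", 0x5E727A1B) + bytes([ord("A") ^ 0x99])

if __name__ == "__main__":
    print(f"imate key:    0x{recover_key(IMATE_PREFIX):08x}")
    print(f"dangaard key: 0x{recover_key(DANGAARD_PREFIX):08x}")
    for name, blob in (("ok", CONSTRUCTED_OK), ("changed", CONSTRUCTED_CHANGED)):
        key = recover_key(blob)
        print(name, f"0x{key:08x}", key_is_consistent(blob, key, b"PM10A"))
```

The consistency check matters here because a key derived from four bytes always decrypts those four bytes correctly, whatever the real scheme is.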
Good job Andre!!!
Are you sure, that it is simple XOR coded ? Did you check how it works with previous rom (any other)?
I can write small prog for checksum calculating but I have to know how this checksum is calculated.
Regards,
Darek
I do believe they changed the algorithm. Since in the old ROM (IMATE) you could read the password using a hex editor at offset 50.
This is the result using xdatool with -t switch on the qtek ROM.
xda3nbftool -x NK.nbf NK.nba 0x4156cc35
xda3nbftool -x ms_.nbf ms_.nba 0x8e86c6cc
I believe we're not too far away from a solution.
dkot said:
Good job Andre!!!
Are you sure, that it is simple XOR coded ? Did you check how it works with previous rom (any other)?
I can write small prog for checksum calculating but I have to know how this checksum is calculated.
Regards,
Darek
yes, it is true
It seems that header is not exactly in same format as it was previous nbf so PM10 might not give accurate key for extracting, nor you can't get any other hint for decoding, like Magician or WWE...
Or the file is encrypted twice....
the thing that astonishes me is the fact that after xor-comparison the provider string of the "decrypted" dangaard-rom is "t-mob101"???
kha said:
It seems that header is not exactly in same format as it was previous nbf so PM10 might not give accurate key for extracting, nor you can't get any other hint for decoding, like Magician or WWE...
Or the file is encrypted twice....
where do you see that the header is different? and why wouldn't you take the matching strings like pm10 to get an xor-key?
Hey, good work guys !
Go on
Val.
It is impossible to use old xda3nbftool to decrypt the ROM. Header and encryption methods have changed a bit.
Long time ago I've explained new algos in this post:
http://forum.xda-developers.com/viewtopic.php?t=14877
using this code you can easily decrypt ROM, change operator settings and reflash to a different device.
P.S. you don't need to "get a xor-passkey". It is contained in header in plaintext.
Yep, that's true, with your code it shows correct:
PM10A DANGA001 WWE 1.05.00 Magician 0 0 0 e896d943
Hope we got someday updated xda3nbftool...

can i flash my t mobile magician with i mate jam rom

can i flash my t mobile magician with i mate jam rom directly ?
NO not directly & YES with a little tweaking.
But why would you? The newest rom is the TMO 1.13WWE. The 'how to's' are posted so many times I refuse to post it again & suggest you read the sticky on rom upgrading & search for some other threads on that topic. They're not hard to find.
Got a question on a specific step? No problem or give me a PM & I'll send you my standard story on upgrading.
Cheers, M
sorry but im searching like a fool for a couple of days
cant find the correct link to the topic.
im going to get crazy.....
can someone please help me,
tnx in advance!
Tha relaxxxx,
Here's my standard manual for this issue:
All steps:
Included in package:
nbfdec
maupgradeut_noid
Download the shipped rom from:
http://www.t-mobile.nl/zakelijk/htdocs/page/service/mda_compact_upgrade.asp
Download the Hexeditor from:
http://www.hhdsoftware.com/hexeditor.html
1. Unzip NL_11300_131_11200.exe (or any other shipped rom)
2. Put NBFDEC in the same directory as the unzipped shipped rom files
3. Copy the getdevicedata.exe to your Magician and execute to write DeviceData.txt
to \Windows and view with notepad
5. Decode nk.nbf -> nk.nb1:
nbfdec -d nk.nbf nk.nb1
6. Hexedit header to correct ID from DeviceData.txt
(probably only if using a rom from other provider)
7. Replace pattern for bigstorage in hexeditor:
locate the 02 00 00 80 00 20 and change 80 00 to b8 01 in the nk.nb1
(use binary search for this!!)
7. Encode nk.nb1->nk.nbf
nbfdec -e nk.nb1 nk.nbf
8. run maupgradeut_noid.exe to upgrade CE image
Also, this way you will save the contents of increased \Storage folder if previous rom was bigstorage one
Usage sample (must be run from the same folder as nbf files or specify full path):
nbfdec -d nk.nbf nk.nb1
nbfdec -e nk.nb1 nk.nbf
You'll have to download the tools nbfdec &
maupgradeut_noid yourself
Cheers, M
Ps. package also available in Dutch ;-)
I am trying to flash my tmo rom to an asian rom but i have an error message;
"error 120: country id error 38-38-N-25-N"
will your steps below get rid of this? Thanks.
oltp said:
Tha relaxxxx,
Here's my standard manual for this issue:
All steps:
Included in package:
nbfdec
maupgradeut_noid
Download the shipped rom from:
http://www.t-mobile.nl/zakelijk/htdocs/page/service/mda_compact_upgrade.asp
Download the Hexeditor from:
http://www.hhdsoftware.com/hexeditor.html
1. Unzip NL_11300_131_11200.exe (or any other shipped rom)
2. Put NBFDEC in the same directory as the unzipped shipped rom files
3. Copy the getdevicedata.exe to your Magician and execute to write DeviceData.txt
to \Windows and view with notepad
5. Decode nk.nbf -> nk.nb1:
nbfdec -d nk.nbf nk.nb1
6. Hexedit header to correct ID from DeviceData.txt
(probably only if using a rom from other provider)
7. Replace pattern for bigstorage in hexeditor:
locate the 02 00 00 80 00 20 and change 80 00 to b8 01 in the nk.nb1
(use binary search for this!!)
7. Encode nk.nb1->nk.nbf
nbfdec -e nk.nb1 nk.nbf
8. run maupgradeut_noid.exe to upgrade CE image
Also, this way you will save the contents of increased \Storage folder if previous rom was bigstorage one
Usage sample (must be run from the same folder as nbf files or specify full path):
nbfdec -d nk.nbf nk.nb1
nbfdec -e nk.nb1 nk.nbf
You'll have to download the tools nbfdec &
maupgradeut_noid yourself
Cheers, M
Ps. package also available in Dutch ;-)
Yes & you got two choices:
1. To bypass the country_id error you need to flash with the maupgradeut_noid.exe twice.
So:
-unzip the shipped-rom
- put maupgradeut_noid.exe in the same folder as the unzipped files
- execute maupgradeut_noid.exe twice (first run still gives the country error)
2. If you go for BS then apply all my steps from the previous post on your Asian shipped-rom instead of the TMO rom.
Clear enough?
Regards, M

How For Extracting Files From Cooked Rom

hi!!
i downloaded llbasha-WM5-AKU35pp16c3 rom
i want extract os.nb file from nk.nbf with typho5 utility (typhoonbftool_v5),i got this error:
unknow header format, and it abort work.
other way:
i want extract os.nb file from nk.nba with prepare_imgfs, and i got this error:
searching for IMGFS start.......Not found!!!
anybody know if it can extract some file from a rom already cooked ???
thank in advance
use xda2nbftool
open command prompt -> xda2nbftool.exe -c nk.nbf nk.nba 0x20040304 press enter.

How to Reconstruct a Dumped ROM & Reconstructed ROMs

This is the procedure to convert the dumped ROM into NBH "flashable" file. I take no responsibility for any damage to your device. If you're not sure what you're doing, take time to learn some basics from wiki.
Well, I managed to reconstruct the Spanish dumped ROM from my Kaiser. This thread is about how to reconstruct a dumped Kaiser ROM, to have the original ROM that comes with your Kaiser, so you can revert to origin.
1. First of all is to Dump the ROM from your device. For this you only need to go to Pof post here and follow the instructions. After dumping the ROM you'll have 4 RAW files. Take apart in one folder the Part01.raw that contains the XIP and Part02.RAW that contains the IMGFS, both needed for the reconstruction process.
2. Download the WWE BaseROM to use in the reconstruction process here http://rapidshare.com/files/5781641...dio_sign_22.45.88.07_1.27.12.11_Ship.rar.html or http://rapidshare.com/files/1205992....5_radio_sign_22.45.88.07_1.27.12.11_Ship.exe
3. Download the modified version by Alex of Kaiser Kitchen here, that allows to reconstruct the ROM from the dump. The Kaiser Kitchen allows to cook a ROM from a dumped one and from base NBH shipped one. You need to put the NBH file from the step before in the BaseROM folder, and put the RAW files too. Then execute the KAISERKITCHEN.CMD and choose the next options from the menu in this order:
e, b (for dumped ROM), c, b, choose BuildOS tab, Load ROM option, Choose the KaiserKitchen folder, Go > Option, Close BuildOS, in the HRT choose ROM Builder, Choose Kaiser in device list, in the System button choose the os-new.NB file from the Kaiser Kitchen folder, press the BuildROM button and save as RUU_signed.NBH
Thanks to JugglerLKR for help me and the knowledge to solve the issues into reconstructed ROMs, and Alex to make a better script...
Thanks to all the testers who make this work for me
Cheers.
List of Reconstructed ROMs (all BigStorage and only OS)
Spanish HTC 1.56.412.4
Polish HTC 1.56.118.4
Sweden HTC 1.56.413.2
Russian HTC 1.56.411.5
German TMobile 1.56.111.4
UK TMobile 1.56.110.4
Italian HTC 1.56.408.5 or Mirror thanks to udK
German HTC 1.56.407.3
Norwegian HTC 1.56.409.4
Chinese HTC 1.56.708.3
German Vodafone 1.56.162.5
German SwissCOM 1.56.166.2
Netherlands TMobile 1.56.114.4
French Orange 1.81.73.1
Italian Vodafone 1.56.165.5
UK Vodafone 1.56.161.4
UK Orange 1.81.61.2
Danish HTC 1.56.403.3
FIN HTC 1.56.414.2
PTG HTC 1.56.410.2
Croatian TMobile 1.82.119.1 (WWE)
Spanish Vodafone 1.56.164.3
Czech TMobile 1.56.113.4
Slovakia Orange WWE 1.81.68.3 (thanks to Leon.nr)
Czech O2 1.56.405.5 (other version thanks to Leon.nr)
Croatian VIPNet 1.56.405.5
Dutch Vodafone 1.56.172.3
Czech HTC 1.56.405.5
German T-Mobile Austrian Rom 1.62.112.4 with shipped radio 1.27.12.32 (Thanks to GSLEON3)
Portuguese Brazilian HTC 1.88.514.1 (thanks to Denis Costa)
Dutch HTC 1.56.404.6 (thanks to Imperium)
Spain Orange 1.85.75.1
Thanx
That was a wonderful guide. Now I gonna dump and reconstruct my Swedish rom so I can test the new cooked roms and have my Swedish as backup
batch file for steps 4 to 7: mind the filenames!
Waiting for this explanation I kind of figured out this myself...
Great move to make a tutorial!!!
If it helps, I made two batch files (reconstruct conservative ROM from dump.bat) from step 4 to 7.
All you need is to have an 'original' OS.nb (named Windows.nb in your tutorial) and the Part02.raw in the same directory as this batch file, along with all the programs described in step 1 to 3.
usage:
bigstorage 03_OS.nb Part02.raw
or
conservative 03_OS.nb Part02.raw
It performs the described steps and deletes the files you don't need for the ROM reconstruction.
Note:
I don't take any responsibility for any outcome and consequences. Make sure you know what you are doing!
All credits go to the makers of the programs needed...
EDIT:
REMOVED THE ATTACHMENT...
NO USE FOR IT WHEN WE CAN USE THE KITCHEN!
By the way...
This should definitely be a sticky!
rvdgeer said:
Waiting for this explanation I kind of figured out this myself...
Great move to make a tutorial!!!
If it helps, I made a batch file (reconstruct conservative ROM from dump.bat) from step 4 to 7.
All you need is to have the 'original' 03_OS.nb (named Windows.nb in your tutorial) and the Part02.raw in the same directory as this batch file, along with all the programs described in step 1 to 3.
Thanks for your contribution
I noticed something...
When I flash back my reconstructed ROM I'm missing some icons in settings, for example 'device information'...
Did you notice this too?
Anyone with the dutch T-mobile Dump?
http://forum.xda-developers.com/showpost.php?p=1582642&postcount=29
Works Fine
Hello,
I am a newbie here. First I flashed my German TMobile vario III with original HTC rom and found that original HTC rom is somewhat sluggish in performance as compared to the HTC rom.
I checked this step by step way of building the rom and it works just fine. Great learning experience. Thanks to Pof, Tadzio and yourself for the explanation.
Regards
Glad to hear helps you...
I add a link to this thread in the Wiki for quick finding...
EDIT: If you guys want, you can upload your reconstructed ROMs to rapidshare or any other site, and I maintain a list of reconstructed ROMs in the first page. This can be useful for ppl looking for different language ROMs.
Send me a PM if you don't know how to upload or any other issue.
I have the following error when working with CHT part02.raw (imgfs.bin here)
Any hint?
C:\wm6\ppc\test2>imgfstonb imgfs.bin 03_OS.org.nb.payload 03_OS.new.nb.payload -conservative
ImgfsToNb 2.1RC1
Using conservative mode
Sector size is 0x800 bytes
Writing imgfs to offset byte 0x6e0000, sector 0xdc0
Padding ImgFs from 0x4690000 bytes (0x8d20 sectors)
to 0x46a0000 bytes (0x8d40 sectors)
Conservative/move mode: imgfs partition overflow! Aborting!
available sectors: 0x8c00, needed sectors: 0x8d40
No problem in -bigstorage mode
C:\wm6\ppc\test2>imgfstonb imgfs.bin 03_OS.org.nb.payload 03_OS.new.nb.payload -bigstorage
ImgfsToNb 2.1RC1
Using bigstorage mode
Sector size is 0x800 bytes
Writing imgfs to offset byte 0x6e0000, sector 0xdc0
Padding ImgFs from 0x4690000 bytes (0x8d20 sectors)
to 0x46a0000 bytes (0x8d40 sectors)
Not conservative/move mode. Changing imgfsEnd from 0x4ce0000 to 0x4d80000
...
...
ImgFs Flash Region log blocks was 0x232, now is 0x237
Storage Flash Region log block was 0xffffffff, now is 0xffffffff,
Done!
For me sounds like a bad dumping making imgfstonb bad calculating the length of imgfs.... can you repeat the dump process and attach the output to see how it goes?
And don't try to flash the result of -bigstorage cause it doesn't work. To work you need to use -bigstoragemove instead of -bigstorage to get the result working.
Thanks for advice. Try to dump the raw ROM now. Post result later.
btw, I don't find -bigstoragemove in imgfs 2 rc1 readme.txt.
Hidden parameter?
ROM re-construction still fails. I post what I did for the ROM re-construction here. btw, my ROM is CHT unlock from HTC.
=================================
C:\wm6\ppc\org_rom>pdocread.exe -l
210.63M (0xd2a0000) FLASHDR
| 3.12M (0x31f000) Part00
| 4.38M (0x460000) Part01
| 73.38M (0x4960000) Part02
| 129.75M (0x81c0000) Part03
3.80G (0xf2e80000) DSK1:
| 3.79G (0xf2a80000) Part00
STRG handles:
handle 85a97436 3.79G (0xf2a80000)
handle 47476c3e129.75M (0x81c0000)
handle 0748310a 73.38M (0x4960000)
handle 474830e6 4.38M (0x460000)
handle a74b1f0e 3.12M (0x31f000)
disk 85a97436
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 47476c3e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 0748310a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 474830e6
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk a74b1f0e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=====================================================
pdocread -w -d FLASHDR -b 0x800 -p Part00 0 0x31f000 Part00.raw
pdocread -w -d FLASHDR -b 0x800 -p Part01 0 0x460000 Part01.raw
pdocread -w -d FLASHDR -b 0x800 -p Part02 0 0x4960000 Part02.raw
pdocread -w -d FLASHDR -b 0x800 -p Part03 0 0x81c0000 Part03.raw
=====================================================
copy part02.raw C:\wm6\ppc\org_rom_test1
=====================================================
C:\wm6\ppc\org_rom_test1>dir
Volume in drive C is OS
Volume Serial Number is 34EC-33D3
Directory of C:\wm6\ppc\org_rom_test1
17/10/2007 22:23 <DIR> .
17/10/2007 22:23 <DIR> ..
17/10/2007 22:14 76,939,264 Part02.raw
28/08/2007 21:11 99,219,775 RUU_signed.nbh
=====================================================
C:\wm6\ppc\org_rom_test1>nbhextract RUU_signed.nbh
=== NBHextract v1.0
=== Extract contents from HTC NBH files
=== (c)2007 xda-developers.com
=== by: pof & TheBlasphemer based on itsme perl scripts
Device: KAIS13000
CID: HTC__001
Version: 1.56.405.5
Language: USA
Extracting: 00_Unknown.nb
Extracting: 01_SPL.nb
Extracting: 02_MainSplash.nb
Encoding: 02_MainSplash.bmp
Extracting: 03_OS.nb
=====================================================
C:\wm6\ppc\org_rom_test1>nbsplit -kaiser 03_OS.nb
NBSplit 2.1RC1
Using data chunk size = 0x800 and extra chunk size = 0x8
on file 03_OS.nb
Done.
=====================================================
C:\wm6\ppc\org_rom_test1>ren Part02.raw imgfs.bin
=====================================================
C:\wm6\ppc\org_rom_test1>imgfstonb imgfs.bin 03_OS.nb.payload 03_OS-new.nb.payload -conservative
ImgfsToNb 2.1RC1
Using conservative mode
Sector size is 0x800 bytes
Writing imgfs to offset byte 0x6e0000, sector 0xdc0
Padding ImgFs from 0x4960000 bytes (0x92c0 sectors)
to 0x4960000 bytes (0x92c0 sectors)
Conservative/move mode: imgfs partition overflow! Aborting!
available sectors: 0x8c00, needed sectors: 0x92c0
=====================================================
kfluk said:
Thanks for advise. Try to dump the raw ROM now. Post result later.
btw, I don't find -bigstoragemove in imgfs 2 rc1 readme.txt.
Hidden parameter?
Glad to help...
Really tadzio tools are in Release Candidate, means not finished yet, so this parameters are part of the "testing" phase to get the tools working for Kaiser.
Tadzio makes a great effort and work on the new version.
kfluk said:
ROM re-construction still fail. I post what I did for the ROM re-construction here. btw, my ROM is CHT unlock from HTC.
Sector size is 0x800 bytes
Writing imgfs to offset byte 0x6e0000, sector 0xdc0
Padding ImgFs from 0x4960000 bytes (0x92c0 sectors)
to 0x4960000 bytes (0x92c0 sectors)
Conservative/move mode: imgfs partition overflow! Aborting!
available sectors: 0x8c00, needed sectors: 0x92c0
=====================================================
Well, seems the part02.raw has a problem. Have you tried to dump the part02.raw? Do it by executing imgfstodump imgfs.bin
Take a look at the output of the command and look for an error. If the dump process goes well, then try to dump back the dump folder with imgfsfromdump imgfs-in.bin imgfs-new.bin (the imgfs-in.bin is extracted from origin Windows.nb.payload with imgfsfromnb windows.nb.payload).
The result of this process is a new imgfs-new.bin to use with imgfstonb.exe command.
Tell me if this helps you...
I dump again the Part02.raw from kaiser.
After rename Part02.raw to imgfs.bin
I run imgfstodump imgfs.bin
Dump goes well. At least the command complete without problem.
imgfsfromdump fail if do it immediately after dump.
C:\wm6\ppc\org_rom_test1>imgfsfromdump 03_OS.nb.payload imgfs-new.bin
ImgfsFromDump 2.1RC1
Compression DLL does not support compression type ''!
The only difference is I extract OS.nb from "RUU_Kaiser_HTC_WWE_1.56.405.5_radio_sign_22.45.88.07_1.27.12.11_Ship".
i.e. full procedure.
1. Get part02.raw from device and rename to imgfs.bin
2. NBHextract RUU_signed.nbh
3. NBSplit -kaiser 03_OS.nb (result two file 03_OS.nb.payload and 03_OS.nb.extra)
4. imgfstodump imgfs.bin (no error)
5. imgfsfromdump 03_OS.nb.payload imgfs-new.bin (error)
This is not valid command "C:\wm6\ppc\org_rom_test1>imgfsfromdump 03_OS.nb.payload imgfs-new.bin"... cause you need to extract the imgfs.bin from the 03_OS.nb, and then use like imgfs-in.bin. Note that the imgfs.bin is inside the 03_os.nb.payload.
The imgfsfromdump command takes the dump folder and makes a new imgfs named imgfs-new.bin using imgfs-in.bin to take info about headers...
The correct command is imgfsfromdump imgfs-in.bin imgfs-new.bin.
If you want, upload the part02.raw and send me the link. I'll try to repack for you.
Cheers.
Hi jcespi2005,
How could I extract the imgfs.bin from the 03_OS.nb?
I am uploading part02.raw to rapidshare, speed is very slow. Will post you the link.
thanks for your patience.
kfluk

How to dump TP2 ROM from Phone

I have successfully dumped the ROM from my Brand New VZW Touch Pro 2 ... Here is how I did it. You will need itsutils to dump the ROM, and imgfstools to extract it.
Dump:
1) List partitions - Should show Part00 to Part03 - pdocread -l
2) Get Part00 address - pdocread -w -d FLASHDR -p Part00 -t -b 0x800 - Find the partition address (displayed as 0x######)
3) Dump Part00 - Use address from step 2 - pdocread -w -d FLASHDR -p Part00 -b 0x800 0 0x###### Part00.raw
4) Repeat steps 2 & 3 for Part01, Part02 and Part03 ... MAKE SURE YOU USE THE CORRECT ADDRESSES
Partitions:
Part00 - Core XIP? (May have something to do with AutoUpdate)
Part01 - XIP
Part02 - OS IMGFS
Part03 - User Storage (TFAT)
Extract XIP (Part00 and Part01 ... You will need bepe's dumpxip.exe from ervius visual kitchen):
1) Make sure there is not an XIP folder (if so, rename it) and run dumpxip Part00.raw
2) Rename XIP folder to XIP_00 (ren XIP XIP_00)
3) Make sure there is not an XIP folder (if so, rename it) and run dumpxip Part01.raw
4) Rename XIP folder to XIP_01 (ren XIP XIP_01)
Extract IMGFS (Part02):
1) imgfstodump Part02.raw - This will create a folder called dump, and extract the contents to it.
View User Storage (Part03):
1) Mount Image using DaemonTools Lite
To rebuild flashable ROM from DUMP (Currently OS Only, No radio or SPL):
1) You need a base_os.nb.payload for your device ... See below for details
2) Convert OS IMGFS (Part02.raw) to nb.payload (new-os.nb.payload): imgfstonb Part02.raw base_os.nb.payload new-os.nb.payload
3) Insert XIP (Part01.raw) into new-os.nb.payload: implantxip Part01.raw new-os.nb.payload
4) Merge os-new.nb.payload into os-new.nb: nbmerge -kaiser new-os.nb
5) Create os-new.nbh: nbhutil, Select "Touch_Pro2" under "Target Device", change RHOD*** to RHOD500, click the ... box next to OS, and select new-os.nb, click Build NBH and select where to save NBH file.
How to get a base os.nb.payload:
1) Download a stock ROM and extract RUU_Signed.nbh
2) Extract RUU_Signed.nbh: nbhextract RUU_Signed.nbh - This will list the files extracted ... The one you need is ##_OS.nb ... Copy as os.nb: copy ##_OS.nb OS.nb
3) Split OS.nb to OS.nb.payload: nbsplit -kaiser OS.nb
4) Create OS.imgfs.bin: imgfsfromnb OS.nb.payload OS.imgfs.bin
5) Create empty directory called 'DUMP' (If a DUMP folder exists, rename it): mkdir DUMP
6) Create a blank IMGFS file: imgfsfromdump OS.imgfs.bin blank_imgfs.bin
7) Create base_os.nb.payload: imgfstonb blank_imgfs.bin OS.nb.payload base_os.nb.payload
Dump SPL and Radio
Does anyone know how to do this?
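An added example (not part of the original post, and not itsutils code): a Python check to run over the dumps before extracting them, since a wrong value in step 3 silently produces a short or duplicated file. It assumes each PartNN.raw should be exactly as long as the 0x###### value passed to pdocread in step 3; the function names and the sample lengths are illustrative.

```python
import hashlib
import os
import tempfile

BLOCK = 0x800  # the -b value used with pdocread in the post

def verify_dump(path, expected_len):
    """Check one PartNN.raw against the length used in step 3, and hash it."""
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    blank = True
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            if chunk.strip(b"\x00\xff"):
                blank = False
    problems = []
    if size != expected_len:
        problems.append(f"size 0x{size:x} != expected 0x{expected_len:x}")
    if size % BLOCK:
        problems.append("size is not a multiple of the 0x800 block size")
    if blank:
        problems.append("only 0x00/0xFF bytes (wrong partition or failed read?)")
    return {"file": path, "sha256": digest.hexdigest(), "problems": problems}

def verify_all(expected):
    """expected maps dump path -> length; also flags two dumps with the same hash."""
    reports = [verify_dump(path, length) for path, length in expected.items()]
    first_seen = {}
    for rep in reports:
        first = first_seen.setdefault(rep["sha256"], rep["file"])
        if first != rep["file"]:
            rep["problems"].append(f"identical to {first} (same partition dumped twice?)")
    return reports

if __name__ == "__main__":
    # Constructed sample data standing in for real dumps; lengths are made up.
    work = tempfile.mkdtemp()
    sample = {"Part00.raw": b"\x01" * 0x1000, "Part01.raw": b"\x01" * 0x1000,
              "Part02.raw": b"\xff" * 0x800}
    expected = {}
    for name, data in sample.items():
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(data)
        expected[path] = len(data)
    for rep in verify_all(expected):
        print(os.path.basename(rep["file"]), rep["sha256"][:16], rep["problems"] or "ok")
```

Keeping the SHA-256 values alongside the raw files also gives a reference to compare against if the same device is dumped again later.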
Oh my god I found the answer on "how to dump a rom from the TP2"!
Could someone rename the topic to something like "official guide" or stick it?
I think it could be useful for a lot of people..
dj13241 said:
How to get a base os.nb.payload:
1) Download a stock ROM and extract RUU_Signed.nbh
2) Extract RUU_Signed.nbh: nbhextract RUU_Signed.nbh - This will list the files extracted ... The one you need is ##_OS.nb ... Copy as os.nb: copy ##_OS.nb OS.nb
3) Split OS.nb to OS.nb.payload: nbsplit -kaiser OS.nb
4) Create OS.imgfs.bin: imgfsfromnb OS.nb.payload OS.imgfs.bin
5) Create empty directory called 'DUMP' (If a DUMP folder exists, rename it): mkdir DUMP
6) Create a blank IMGFS file: imgfsfromdump OS.imgfs.bin blank_imgfs.bin
7) Create base_os.nb.payload: imgfstonb blank_imgfs.bin ##_OS.nb.payload base_os.nb.payload
Aloha Man,
- I'm trying to use your tutorial to Dump and Rebuild an HTC ROSE (S740) ROM
- I'm at the point where I've downloaded the RUU_Signed, and followed the above procedure until step 7
- in step 2, I've replaced ## in ##_OS.nb with 03, which is the number of the file after nbhextract
- I can't find 03_OS.nb.payload and at step 7, the command spits out an error:
" ImgfsTools 2.1rc2>imgfstonb blank_imgfs.bin 03_OS.nb.payload base_os.nb.payload
ImgfsToNb 2.1rc2
Using bigstorage mode
Input file 03_OS.nb.payload cannot be opened. Exiting "
Should I rename
OS.nb.payload to 03_OS.nb.payload or change the syntax on the command input file accordingly?
tks again a lot for your help!
UrbanWarrior said:
Aloha Man,
- I'm trying to use your tutorial to Dump and Rebuild an HTC ROSE (S740) ROM
- I'm at the point where I've downloaded the RUU_Signed, and followed the above procedure until step 7
- in step 2, I've replaced ## in ##_OS.nb with 03, which is the number of the file after nbhextract
- I can't find 03_OS.nb.payload and at step 7, the command spits out an error:
" ImgfsTools 2.1rc2>imgfstonb blank_imgfs.bin 03_OS.nb.payload base_os.nb.payload
ImgfsToNb 2.1rc2
Using bigstorage mode
Input file 03_OS.nb.payload cannot be opened. Exiting "
Should I rename
OS.nb.payload to 03_OS.nb.payload or change the syntax on the command input file accordingly?
tks again a lot for your help!
You are correct ... Step 7 should not have the ##_ ... I have corrected the instructions above in my previous post. The command should be:
Code:
imgfstonb blank_imgfs.bin OS.nb.payload base_os.nb.payload
dj13241 said:
To rebuild flashable ROM from DUMP (Currently OS Only, No radio or SPL):
1) You need a base os.nb.payload for your device ... See below for details
2) Convert OS IMGFS (Part02.raw) to nb.payload (new-os.nb.payload): imgfstonb Part02.raw os.nb.payload new-os.nb.payload
3) Insert XIP (Part01.raw) into new-os.nb.payload: implantxip Part01.raw new-os.nb.payload
4) Merge os-new.nb.payload into os-new.nb: nbmerge -kaiser os-new.nb
5) Create os-new.nbh: nbhutil, Select "Touch_Pro2" under "Target Device", change RHOD*** to RHOD500, click the ... box next to OS, and select new-os.nb, click Build NBH and select where to save NBH file.
How to get a base os.nb.payload:
1) Download a stock ROM and extract RUU_Signed.nbh
2) Extract RUU_Signed.nbh: nbhextract RUU_Signed.nbh - This will list the files extracted ... The one you need is ##_OS.nb ... Copy as os.nb: copy ##_OS.nb OS.nb
3) Split OS.nb to OS.nb.payload: nbsplit -kaiser OS.nb
4) Create OS.imgfs.bin: imgfsfromnb OS.nb.payload OS.imgfs.bin
5) Create empty directory called 'DUMP' (If a DUMP folder exists, rename it): mkdir DUMP
6) Create a blank IMGFS file: imgfsfromdump OS.imgfs.bin blank_imgfs.bin
7) Create base_os.nb.payload: imgfstonb blank_imgfs.bin OS.nb.payload base_os.nb.payload
Aloha again,
I need some further clarifications if u are so kind:
- I've properly finished the "How to get a base os.nb.payload" section, so now I have a "base_os.nb.payload" file
- going back to point 2 of the section "To rebuild flashable ROM from DUMP (Currently OS Only, No radio or SPL)", I've successfully executed points 2 and 3, but when I go to try point 4 nbmerge spits out the following error:
"NBMerge 2.1rc2
Could not open input file os-new.nb.payload"
My Questions:
- where do u use the "base_os.nb.payload" file that's created at the "How to get a base os.nb.payload" step? Since the file is called "base_os.nb.payload" and in the command syntax description u call it: "base os.nb.payload"
- until point 4 of the "To rebuild flashable ROM from DUMP (Currently OS Only, No radio or SPL)" section in the syntax u use the name "new-os.nb.payload" for the file,
- from point 4 on u use the term "Merge os-new.nb.payload into os-new.nb" -> so os-new.nb.payload, and NBmerge is expecting "Could not open input file os-new.nb.payload" but until point 4 we've created a file called "new-os.nb.payload"
- shouldn't the syntax for the commands from point 2 thru 4 be what NBMerge is expecting? Meaning "os-new.nb.payload"
Thanks again for your help!
When I get home from work today, I will run through the steps and eliminate any errors I find.
UrbanWarrior, I have updated the 'Build a Flashable ROM' section step 2 ... I changed the reference to 'os.nb.payload' to 'base_os.nb.payload' ... Let me know if you run into any other issues.
I was trying the steps for my HTCJade to dump my stock ROM. Things were going smoothly; however, the step
"Insert XIP (Part01.raw) into new-os.nb.payload: implantxip Part01.raw new-os.nb.payload"
fails with an error "XIP File not Specified!"
I noticed that the mentioned step is not following the syntax of the command:
Usage: implantxip -XIP <xip.bin> -PAYLOAD <.nb.payload> [-ImgStart <hexvalue>] [
-uldr [tryremove] ] [-PP <MbValue>] [-NoCert]
The command expects "xip.bin" but I am giving the argument as Part01.raw as per the step.
What to do? Can anybody help?
svaym said:
I was trying the steps for my HTCJade to dump my stock ROM. Things were going smoothly; however, the step
"Insert XIP (Part01.raw) into new-os.nb.payload: implantxip Part01.raw new-os.nb.payload"
fails with an error "XIP File not Specified!"
I noticed that the mentioned step is not following the syntax of the command:
Usage: implantxip -XIP <xip.bin> -PAYLOAD <.nb.payload> [-ImgStart <hexvalue>] [
-uldr [tryremove] ] [-PP <MbValue>] [-NoCert]
The command expects "xip.bin" but I am giving the argument as Part01.raw as per the step.
What to do? Can anybody help?
I had the same problem. I just did "implantxip -XIP Part01.raw -PAYLOAD new-os.nb.payload"
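An added example, not from any poster in the thread: a small Python dry run that reproduces the three failures reported above (the wrong base payload name, the missing -XIP/-PAYLOAD switches, and the os-new/new-os mix-up) by tracking which file each rebuild step reads and writes. The input/output model of each tool is an assumption taken from the commands and error messages quoted in the thread; io_of and check_pipeline are illustrative names.

```python
def io_of(cmd):
    """Return (inputs, outputs) for one command, in the forms used in this thread."""
    tool, *args = cmd.split()
    tool = tool.lower()
    if not args:
        raise ValueError(f"{tool} was given no file names")
    if tool == "imgfstonb":            # imgfstonb <imgfs> <base payload> <new payload>
        if len(args) != 3:
            raise ValueError("imgfstonb takes three file names")
        return args[:2], args[2:]
    if tool == "implantxip":           # implantxip -XIP <xip> -PAYLOAD <payload>
        opts = {k.lower(): v for k, v in zip(args[::2], args[1::2])}
        if "-xip" not in opts or "-payload" not in opts:
            raise ValueError("implantxip needs -XIP <file> -PAYLOAD <file>")
        return [opts["-xip"], opts["-payload"]], [opts["-payload"]]
    if tool == "nbmerge":              # reads <name>.payload, writes <name>
        return [args[-1] + ".payload"], [args[-1]]
    if tool == "nbsplit":              # reads <name>, writes <name>.payload
        return [args[-1]], [args[-1] + ".payload"]
    raise ValueError(f"unknown tool {tool}")

def check_pipeline(commands, present):
    """List every step whose input file neither exists nor was produced earlier."""
    have = {name.lower() for name in present}   # Windows file names ignore case
    problems = []
    for n, cmd in enumerate(commands, 1):
        try:
            inputs, outputs = io_of(cmd)
        except ValueError as exc:
            problems.append(f"step {n}: {exc}")
            continue
        for name in inputs:
            if name.lower() not in have:
                problems.append(f"step {n}: input {name} is not available")
        have.update(name.lower() for name in outputs)
    return problems

START = ["Part01.raw", "Part02.raw", "base_os.nb.payload"]   # files on disk beforehand
AS_QUOTED = ["imgfstonb Part02.raw os.nb.payload new-os.nb.payload",
             "implantxip Part01.raw new-os.nb.payload",
             "nbmerge -kaiser os-new.nb"]
CORRECTED = ["imgfstonb Part02.raw base_os.nb.payload new-os.nb.payload",
             "implantxip -XIP Part01.raw -PAYLOAD new-os.nb.payload",
             "nbmerge -kaiser new-os.nb"]

if __name__ == "__main__":
    for label, cmds in (("as quoted", AS_QUOTED), ("corrected", CORRECTED)):
        print(label, check_pipeline(cmds, START) or "ok")
```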
