Inspired by some threads in the Hermes and Trinity forums I started to explore the VOX bootloader. You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version. In connection settings of activesync uncheck "allow USB connections" and connect PC and Vox with a USB cable. The PC will recognize the Vox and install an interface driver.
You need the MTTY to talk with the bootloader and send it commands. The Hermes wiki provides some good information and also has a link to MTTY:
http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader
Unfortunately the Vox bootloader (v1.16.0000) doesn't display help information. The first command you should enter is password. I found a password for Trinity and Hermes which also works for Vox:
password BsaD5SeoA
Here are a couple of other commands which work: emapiWlanEERW, emapiInit, emapiWlanMac, emapiPwrDwn, emapiRead, emapiTest, emapi, cpldver, DumpReservoir, CheckImage, calcrccheck, getdevinfo, ruustart, ruurun, progress, wdata, password, mbr, set, atcmd, ResetDevice, BTRouting, BTTestMode, SetDebugMethod, IMEI, ls, lnbs
I would like to find a way to dump the SPL and ROM to SD-card or to PC. I tried a couple of things (r2sd, d2s) to no avail.
Anyone else some ideas?
Update1
I got stuck in the bootloader and luckily found how to boot into the OS again:
http://forum.xda-developers.com/showpost.php?p=1094479&postcount=11
password BsaD5SeoA
ruurun 0
ResetDevice
Update2
I discovered the 'ls' command. AFAIK it allows dumping the ROM parts like SPL, IPL, splashscreen when the device is CID unlocked. My unbranded S710 is SIM unlocked, but unfortunately not CID unlocked. When I issue 'ls' there's a "not allowed" error.
Update3
I found a 'good' VOX ROM upgrade (the ones on the XDA FTP are all corrupt): RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship
Another upgrade ROM is the Dopod:
RUU_Vox_DOPODASIA_WWE_1.19.707.3_4.1.13.37_02.83.90_Ship
I used NBHextract.exe to extract both ROMs. The SPL bootloaders are attached.
NBHextract shows following info for the 1.15 Vox ROM upgrade:
Code:
Device: VOX010100
CID: HTC__001
Version: 1.15.405.2
Language: UK
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_GSM.nb
Extracting: 03_MainSplash.nb
Encoding: 03_MainSplash.bmp
Extracting: 04_OS.nb
and this for the Dopod upgrade:
Code:
Device: VOX010100
CID: DOPOD001
Version: 1.19.707.3
Language: USA
Extracting: 00_IPL.nb
Extracting: 01_SPL.nb
Extracting: 02_MainSplash.nb
Encoding: 02_MainSplash.bmp
Extracting: 03_GSM.nb
Extracting: 04_OS.nb
Update4
I managed to back up my S710 using itsme's "bkondisk" tool and "prun" from his itsutils suite here and here. Copy bkondisk.exe to /Windows on your device.
After running this on your PC
Code:
prun bkondisk.exe "\Storage Card"
following files are created in \Storage Card and a log file "bkondisk.log" in \
Code:
bk_00_0000.img - IPL : ONBL1 + ONBL2
bk_02_0005.img - GSM + splash + gsmdata + simlock + serialnrs
bk_03_0025.img - OS
bk_06_0001.img - SPL
bk_08_0205.img - userfilesystem
I compared a couple of these .img files with the .nb files extracted by NBHextract from an official RUU. The IPL and SPL look quite okay, but the OS is mapped totally different. So don't think you can just rename for example bk_03_0025.img to OS.nb in order to have a flashable file !! I have attached my dumped SPL which is version 1.16
Next mission is to find a 'good' (not corrupted) version of the RUU_Vox_HTC_WWE_1.15.405.2_4.1.13.37_02.83.90_Test.exe ROM upgrade. See this Excalibur thread. I think the same applies to S710
Update5
With Dark Simpson's htc rom tool here it is possible to create a flashable image file from separate .nb files. There is also Dutty's good NBHtool 1.1 yet, but so far I haven't tried it.
What we still need to have for flashing unsigned ROM images is a SSPL. See here and here.
Alternatively we need a so-called Update SPL (USPL) which unlocks CID and then allows flashing any rom to your device. The version for the ELF created by the brilliant moderator pof can be found here. Since the ELF is very similar to VOX, I will study it and see if I can use it to implement a SSPL (software SPL) which allows us to also flash any ROM, but does not require flashing a USPL. I think flashing IPL and SPL is a bit too tricky atm.
Take the Elf USPL, remove the RUU folder (to be sure you don't flash anything by mistake), in the LOADER folder change the .nb file for a Vox bootloader (different version than the one on your device) and use the same name for the .nb file, then run elf-uspl.exe on your PC.
If elf & vox are so similar, this should jump to the bootloader you've placed in the LOADER folder, to check it disable activesync usb connections and go into bootloader with mtty. Do an "info" command or whatever identifies that the bootloader you're seeing is the one you've placed on the LOADER folder and not the one actually on your device.
If you succeed in loading a custom bootloader I can help you with the don't check cid / don't check signatures... patches
Good luck!
Thanks for replying pof. I did as you said and tried it with spl 1.15 (whereas 1.16 is flashed on my S710). First I went through step1 and then went in to step2 where at 75% the screen got blank and it rebooted the phone in my native bootloader 1.16 RUU mode. I suppose that's not what we wanted to see?
Where did you find RUU_Vox_HTC_WWE_1.15.405.2R4_4.1.13.37_02.83.90_Ship? Do you have a link?
Thanks
I found it here:
http://www.leaf.co.za/Members/Member Services/Manage My Profile/
Can't Find The Bootloader For The Life of Me
Tried:
"You can enter the bootloader by pressing the camera and power button at the same time. You see the tri-color (red/green/blue) bootscreen which shows the bootloader and CPLD version."
No luck. I must be thick. It's gotta be just that easy... but...
The S710 simply boots into my home screen.
Can someone PLEASE post a (little) more detail about how to boot into the bootloader on the s710/vox?
THANKS.
Cheers.
** EDIT **
OK- Better bootloader entry instructions for SP noobs (like myself):
1) Turn device off
2) Unplug power/usb cable from handset
3) Press and hold camera button
4) Plug power/usb cable into handset
5) Be amazed by Blue-Green-Red Bootloader screen.
Yeah, it won't boot in bootloader mode if the usb cable is connected. Well, it's sometimes better to find out things all by yourself
Besides, I don't think anyone other than myself is researching this stuff on Vox. Too many ordinary users and nearly no one into h*cking.
You don't have 1.04 on your phone by any chance?
RE: older bootloader
No joy.
Sorry.
It's 1.15
My SP has vanilla mods.
It's just out of the box the last 4 days in NYC!
The phone's not even available AFAIK in the US yet-- except special order.
Got mine in London last week.
Still working out the kinks.
BTW:
I'm looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? I'm beginning to think it may be a cpu issue. Thanks.
850mph said:
BTW:
I'm looking for info/docs/someone who has forced GSM codec through WM6 to this handset through Asterisk LOCALLY-- Asterisk SIP logs show successful codec negotiation and initial start of audio delivery-- but the stream pukes out on my handset immediately-- ideas? I'm beginning to think it may be a cpu issue. Thanks.
Yeah saw that. I don't think it's a CPU issue, could run GSM codec just fine on a stone old iPaq. Try running omap overclocker and set it to 240MHz and see if it makes a difference. Keep using the SIP thread for any replies on this.
POF's O2/Nova Solution
jockyw2001-
I suppose you've seen Pof's post #89 (dated 4-8) in the "ELF Update SPL (USPL)" thread which calls for running enable-rapi.cab (on O2 Nova) BEFORE elf-uspl.exe?
I'd try it myself but want a few days of joy with my handset BEFORE creating a potential brick.
From my reading if the elf-uspl.exe makes it to 75% in stage 2 before white-screening-- you're close (well, 75% anyway.. wink!). Seems like Pof could have a couple of suggestions at that point. Maybe he'll be kind enough to comment?
You're on it.. but I thought I'd ask.
Cheers.
Here's something I am trying to work out-- even after many hours of reading:
I understand that there is an exploit in the 1.04 bootloader which can potentially bypass CID and Certs when flashing a new ROM image on both SPs and PPCs..
I also understand that bootloaders 1.09+ can't be downgraded.
So am I right in assuming that potential VOX ROM-chefs have at least ** TWO ** potential paths to solving the bootloader issue:
1) Find a 1.04 bootloader **AND** a tool which will load it successfully
-- Then use the exploit (which I read about-- but can't find) to flash the ROM
-or-
2) Find a way to Flash **ANY** bootloader onto the vox with elf-uspl.exe
-- Then (keeping our fingers crossed) elf-uspl.exe can be patched to defeat the CID&CERT issues with the vox
Now here's the question:
Am I right in assuming that we **DON'T** need to find a way to flash **SPECIFICALLY** the 1.04 bootloader onto the ROM **BEFORE** we can take advantage of a patched elf-uspl.exe?
Is that correct?
Cheers.
Oh yeah.. Am I right in assuming that the WM5/6 bootloaders are EXACTLY the same code (except for dated revs) across all WM SP and PPC devices-- sort of like the ability to install grub or lilo on **ANY VENDORS PC** no matter what OS or eventual Software Packages end up on the box?
Looked at another way:
When they talk about the 1.15 bootloader in the Blue Angel Board they are talking about the EXACT SAME 1.15 bootloader in the VOX board?
I mean, I know this is gotta be the case but I need a little reassurance here-- As I'm still a bit confused on why PPC software should run on SP devices-- even understanding that they use (generally) the same subset (WM5/6) of the CE5/6 API-- But have different CPUs.
850mph: cool to see there actually are brothers in arms
I've tested pof's USPL extensively, but haven't got it to work (yet).
Actually you need to run enable-rapi.cab only if your phone isn't yet application unlocked, i.e. if it doesn't allow running unsigned apps. Mine is application unlocked so I can skip that step.
The next step is to load a modded SPL in RAM at physical address 0x10000000 and to run it. Once this modded SPL is running another modded SPL can be flashed.
I've tried to load an unmodified SPL in RAM (e.g. SPL 1.15) and to run it. This can be done with following 2 steps:
1) psetmem.exe -f -p 0x10000000 spl.nb
2) run haret.exe on device (can use cecopy & cerun); cerun -b CE:\haret.exe
Note: haret.exe is a linux kernel loader which was modified by pof to run a USPL from 0x10000000
What happens is that my phone reboots into the stock bootloader (SPL 1.16) in RUU mode. I have to use MTTY in order to boot the phone in WM again (see post #1 and #2 in this thread).
Actually I think haret.exe does run the SPL 1.15 which is loaded in RAM, but that at some point the code resets the device.
I'm quite sure we can run a specially prepared USPL or SSPL which allows flashing another specially prepared SPL such that the device is effectively CID unlocked which again means that any vendor's firmware can be flashed. I also think we don't absolutely need the SPL 1.04 for that purpose.
This is good info.
I see what you are trying to do now.
I'm gonna take some time to get up to speed on Dumping/Reading/Flashing from the Trinity Hermes and Elf pages. Until then I'm afraid I'll be of little use.
Until now I've strictly been a Linux/GCC-guy. I'm tempted (but not convinced) that I want to take the time to learn Microsoft's WM5/6 IDE. It's a time issue (obviously).
But I will spend some time on the whole S710 ROM-cooking (and bootloader) issue this week. It looks manageable.
I see you have basically been mixing and matching the various ROM cooking tools-- including using Msoft's CE powerToys. Is there no single suite (besides the ImagefsTools) which you can recommend I look at first (With the understanding we need to solve the bootloader issue specifically for the vox first)-- I see various kitchens for various devices. Do any of them seem plausible as a starting point for an HTC/Vox kitchen suite?
GOOD LUCK.
Cheers.
** EDIT **
I REALLY think the S710/S730spec are GREAT devices-- couple of minor issues-- but just fantastic form-factors.
new in the sandbox
Hi guys,
I just got my XPA 1415 some days ago (for info, it's just the same as the others (HTC S710, SPV E650 and Vodafone V1415, VOX, ...) but from Swisscom (Swiss provider)).
I've been reading around and found this thread that was the most related. I actually tried to use the techniques provided by jockyw2001 with no luck.
Doing a prun bkondisk does not work, neither any of the itsutil tools. I do think that my device is somehow protected, but I've no clues how to proceed next. I'm going to continue searching, but if any of you has an idea, it's more than welcome.
If I manage to dump that *damned* ROM, I'll make it available...
I'm currently on bootloader ONBL 1.23.0000, SPL 1.23.0000, CPLD 04.
Cheers,
Nick
Nevermind...
I think I've been able to proceed with the backup (I've used the Microsoft Security Configuration Manager) when I realized that on my system (Windows 2003 x64) the tool was not working.
Which made me think that maybe the procread and the other prun bkondisk might also have been blocked by the x64.
I've tested on my laptop (regular XP) and it works fine... just FYI !
** EDIT **
I've also tested the ELF haret with a downloaded SPL and I got the same result as jockyw2001...
BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?
nwaelti said:
BTW, jocky, did you find a way to re-create a proper nh from the bkondisk end result (bk_##_####.img) ?
The IPL and SPL are useable. The radio dump called bk_02_0005.img is from offset 0xA0000 identical to the radio rom. The first 0xA0000 bytes are other parts, probably splash + gsmdata + simlock + serialnrs. The OS file seems not directly useable and must be reordered somehow. More interesting is the ROM reconstruction method described here. Of course first we need to be able to flash unlock the Vox. I think the SSPL is most suitable for this purpose, this may need some reversing of the SPL with IDA Pro.
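The two outcomes described in this thread (a dump that matches the reference image from a fixed offset, and a dump whose contents are laid out differently) can be told apart with a block-level comparison. This is an added example, not part of the original posts or of any tool named in them; the 2 KiB block size, the function names and the sample data are assumptions constructed for illustration.

```python
"""Block-level comparison of a flash dump against a reference image."""
import hashlib
from collections import Counter, defaultdict

BLOCK = 0x800  # assumed 2 KiB granularity; the thread does not state a block size


def _blocks(data, block):
    """Yield (index, digest) for each whole block; a trailing partial block is skipped."""
    for i in range(len(data) // block):
        yield i, hashlib.sha256(data[i * block:(i + 1) * block]).digest()


def compare_images(dump, reference, block=BLOCK):
    """Classify how `reference` appears inside `dump` (block-aligned placement assumed).

    contiguous: every reference block sits at one fixed offset in the dump
    reordered:  every reference block exists in the dump, but not at one offset
    partial:    only some reference blocks exist in the dump
    unrelated:  no reference block exists in the dump
    """
    where = defaultdict(list)              # digest -> dump block indexes holding it
    for i, digest in _blocks(dump, block):
        where[digest].append(i)

    total = present = 0
    votes = Counter()                      # shift in blocks -> reference blocks matching there
    for r, digest in _blocks(reference, block):
        hits = where.get(digest, [])
        total += 1
        present += bool(hits)
        votes.update(d - r for d in hits)  # repeated fill blocks vote for several shifts

    result = {"layout": "unrelated", "offset": None,
              "aligned": 0, "present": present, "blocks": total}
    if not votes:
        return result
    shift, aligned = votes.most_common(1)[0]
    result.update(offset=shift * block, aligned=aligned)  # best single alignment found
    if aligned == total:
        result["layout"] = "contiguous"
    elif present == total:
        result["layout"] = "reordered"
    else:
        result["layout"] = "partial"
    return result


def make_sample(tag, nblocks, block=BLOCK):
    """Constructed test data: `nblocks` distinct, repeatable blocks (not real firmware)."""
    out = bytearray()
    for i in range(nblocks):
        seed = hashlib.sha256(tag + i.to_bytes(4, "big")).digest()
        out += seed * (block // len(seed))
    return bytes(out)


def demo():
    radio = make_sample(b"radio", 16)
    # Dump laid out like the bk_02_0005.img described above: other data first,
    # then the radio image starting at 0xA0000.
    radio_dump = make_sample(b"other", 0xA0000 // BLOCK) + radio
    os_image = make_sample(b"os", 16)
    # Same blocks in a different order, standing in for the remapped OS dump.
    os_dump = b"".join(os_image[i:i + BLOCK]
                       for i in reversed(range(0, len(os_image), BLOCK)))
    return {
        "radio": compare_images(radio_dump, radio),
        "os": compare_images(os_dump, os_image),
        "mismatch": compare_images(radio_dump, os_image),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

On real files, read both images with `open(path, "rb").read()` and pass them to `compare_images`; a "reordered" or "partial" result is the case where renaming the dump to a flashable name would not give a valid image.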
Thanks for that info, I'll try to go in that direction. Would be nice to find which one is splash, which one is gsm and the others below 0xA000.
I know we need to rev. SSPL. Don't exactly know where to start though I can't flash mine with any original ROM as Swisscom is not providing any.
BTW. viewimgfs gives me back a "packing DLL not found" (or some similar). Anyone had that also?
I'll try to download IDA Pro...
It's below 0xA0000
I will do some testing again with the Vox today. I will see if I can paint the screen with a few instructions @0x10000000
I think I can not just run the SPL on VOX in the same way as you can on the ELF. The IPL on the VOX is 128kB, whereas on ELF it is only 2kB. So I think I will have to patch the IPL and run that first. I'm afraid that it will take a bit more time. Basically it will then be a SSPL (search forum for SSPL and user 'des') with both IPL and SPL patched and running in RAM.
But maybe it is also possible to patch just the SPL, because it could be that the default action initiated by IPL is to reset the device in RUU bootloader mode.
Given some time it can all be done I'm sure
[REF] Easiest way to SIM unlock your Elf/Elfin even if it's "MCC+MNC = None"
First of all, sorry for my bad english...
Here goes the best way I found to unlock all Elf/Elfin, even those with the deadly "MCC+MNC=None" (which is my elfin).
I saw some people say that when flashed with "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" the phone is not SIM locked anymore, but after reflashing with another rom it got locked again.
I tried that myself and it was true, I flashed "Elf_Elfin_2.11.0.0_MFG_ModuleBuild", then flashed other rom (with only the OS part) over it and bam, was locked again.
So the locking part should be in the OS. After looking over the system files, I found two files (SIMLock.exe and SIMLock.exe.0416.MUI [my OS was BR Portuguese]) and thought "here is the locking problem" (because "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" doesn't have those files in the system folder!). Then I deleted those files and it wasn't SIM locked anymore... but it didn't find any networks.
So I searched a little more (google is your best friend in times like this) and discovered that the file rilgsm.dll is responsible for the network... It starts and calls SIMLock.exe, if SIMLock.exe returns a valid SIMcard, then rilgsm.dll starts the network service.
So that's the difference between "Elf_Elfin_2.11.0.0_MFG_ModuleBuild" and the other roms, its rilgsm.dll doesn't have the part that calls to SIMLock.exe, it just starts the network service based on the SIM card you have inserted.
So I just took that dll from that test rom and copied over another rom and it worked like a charm!
Enough talking, here's what you gotta do to SIM unlock your Elf/Elfin (no matter what rom you have):
You will need this file (unlocked "rilgsm.dll")
- Extract the file you just downloaded to a temporary folder.
- Turn on your mobile WITHOUT the SIM Card.
- Connect your Elf to your PC (activesync).
- Find the files "rilgsm.dll", "SIMLock.exe" and "SIMLock.exe.0***.MUI" (the *** depends on the language of your OS) on the windows folder of your mobile and make a backup of them (in case you want to SIM lock it again).
- Copy the extracted "rilgsm.dll" over the one on the windows folder (say yes when it asks to replace the file).
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
- Turn off your mobile.
- Insert any SIM Card (that didn't work before) and turn your mobile on again and enjoy your newly unlocked ELFin!
If you intend to flash some other rom, just copy the dll again and it's ready to go.
Hope this helps.
Great find!!!
For Rogers users who are using the regular stock ROM, it is probably a good idea for them to use the regular free unlocking method because rilgsm.dll is responsible for Rogers Name Display. Other than that, I hope it works well for everyone else!!!
Anyone else tried this?
yes, I have, did not work. phone does not have simlock.exe or simlock.exe.xxxx.mui on windows folder, and just replacing rilgsm.dll does not affect carrier lock. when inserting sim card from other operators, it still asks for subsidy code.
Tested phone is:
ELF010050
BSTAR502
IPL: 2.24.0002
SPL: 2.26.0000pof
99HEH077-00
Operator Tim Brazil
ps.: I tried as well when phone was with stock rom, and was the same thing.
br
Good idea!!
I haven't tried your procedure but I also know that OS contained in "unbricker rom" (test only rom) does SIM unlocking, so I believe this will work. I will try it soon in my free time. Thanks!!!
I'll try to reflash my elfin tomorrow and do some other tests with it, to see if there are any problems with some specific roms.
My elfin:
ELF010050
BSTAR502
IPL 2.24.0002
SPL 2.24.0000
99HEH077-00
Claro Brazil
I'll post something more tomorrow.
Sorry for the lack of testing before posting (newbie yet).
i would feel better by patching or replacing the simlock.exe file instead of changing the dll.
zerostuff, why don't you add a poll to this thread to see if it works for most people?
Thank you for the idea dsixda.
I sent the .exes and .dlls to a friend of mine and asked him if he can find the locking part in those files (because I'm just a normal user and don't know anything about hex editing and stuff).
And I'm still testing some roms on my elfin to see if I can find a working and a non-working way to unlock it (so far, all the roms are working).
thinking of buying a htc elf
hi all im thinking of buying a htc elf but its locked to orange is it easy to unlock and get rid of the orange start up logo .
would you give me step by step guide on how to do it ?
thanks in advance
As you can see, some is easy to unlock others no solution yet...
@ zerostuff
elfin ELF010050 BSTAR502 from Vivo Brazil, had the simlock.exe and simlock0416.exe.mui. I replaced those files with a small clock app, and replaced rilgsm.dll, and it did not work (error 'unavailable file', and then hang). So, I deleted the simlock.*, and phone got into menu, but no signal.
indeed, this is a way to go, but still need improvements.
@ chester-lad-2009
search board, there are many topics regarding that. this topic is not for that discussion.
br
zerostuff said:
- Delete both "SIMLock.exe" and "SIMLock.exe.0***.MUI".
hi, i use onyx 4.43 rom and when i try to delete, a message tells me "could not delete". i tried in windows and in my elfin too using total commander and sktools. how can i delete these files?
I've tried on my HTC Touch 3450 (PT) to substitute the file and I can't! And I can't find these 2 files...
Using Total Commander
First we move the rilgsm.dll to windows folder, then delete the two files SIMLock.exe & SIMLock.exe.0***.mui, and ignore the Warning! Could not delete 1 file(s)...
Then reboot the ELFin and it's done....loooooool... No need to put codes...
Just doing those steps, it's done the SIM_Unlock
Strange??? i don't know, but works
Note: Tested with One PT ELF and One ELFin BRS, worked fine!!!
Great post works like a charm!
i needed to use another explorer since my original rom doesn't let me move or copy windows folder file!
i used WinFileCE.exe to do the trick , but it worked !
1 more thing , is it possible to cook a rom with this files inside!? because if i hard reset the phone it relocks it self by this method!!
These two files, are they really removed???
I can't remove these two files because the cellphone is using them, how can I stop processes on Windows Mobile?
Using TC I was able to copy rilgsm.dll to \Windows. But simlock.* are a different story and I wasn't able to delete them.
Anyway, using this version of rilgsm causes the phone connection to die: it cannot be set on from Comm Manager. And then after some time, Comm Manager throws two or three errors.
It's an HTC Touch from Claro, Argentina. The ROM is http://forum.xda-developers.com/showthread.php?t=442391
Code:
Touch version : Elfin
Device ID : ELF010150
CID : BSTAR301
IPL : 2.24.0002
SPL : 3.07.cmonex
ROM Version : 3.07.720.03
ExtROM Version : None
Operator Version: None
AKU Version : 1.2.7
Page Pool : 12 MB
RAM Size : 128 MB
ROM Size : 256 MB
Model No. : ELF0100
Part Number : 99HEH129-00
MCC+MNC : Not found
Any information you guys want or some tests that could be run in the device, just tell me.
Cheers.
Not worked Elf 3450 (64/128)
The idea was great, but not worked with Elf 3450 (64/128)...
My device was patched (IPL 2.27/SPL 2.28 cmonex) and Rom ELVES ROM V5.0 - CE OS 5.2.2021.
No files found in windows dir "SIMLock.exe" and "SIMLock.exe.0***.MUI", so i just copy this file (unlocked "rilgsm.dll") to windows dir and i did a soft reset.
Result: device hanged.. new soft reset: boot ok, but no radio (even trying to turn it on manually), just wi-fi working.. (nice to make calls from skype)
I don't have any clues about how to bypass simlock..
Any help will be appreciated.
Cheers
RILGSM.dll is not locked/unlocked
The thing is, that file controls GSM<-->PDA radio functions. As you took RILGSM from a "test" rom (is unlocked one)
When u sim unlock a device, it doesnt overwrite RILGSM with "unlocked" properties
The solution will be rewrite a RILGSM.dll file, and write a SIMLOCK.exe file with spoof properties to make think device is unlocked
Hi All,
Just wondering if any of you knew how one would dump a Touch Pro ROM, intact from the bootloader (its been hardSPLd & we have level=0 superCID)
pdocread is not an option as we are not allowed to use activesync in the environment in which we are working to recover the data from this phone (we aren't allowed to actually *change* or potentially change data on the phone).
I have tried with mtty using task 32 / d2s in an attempt to dump the ROM to an SD card, task 32 initialised the SD fine.
I also tried rbmc (using set 1e 1 prior to running) but this, even when left overnight, just sits at a line of text saying HTC after the lines of default parameters it prints.
Do any of you learned people know how one would extract the ROM from the Touch Pro (it is for analysis in Encase which will copy with the raw FS) through the bootloader?
TIA
*bump*
Nobody??
123 views & not 1 reply.
How useless is this place?!
You'll catch more flies with honey than with vinegar.
It's possible that no one has any idea on how to accomplish this for you.
I finally got a working recook of the Telus 6.1 dump for the HTC Snap (S510).
Update July 30: first attempt(s) using blank ervius v1.8 kitchen resulted in errors crashing platformrebuilder.exe, so rather than starting with a blank kitchen, I started with JMZ Snap Kitchen
(from h t t p://forum.xda-developers.com/showthread.php?t=670401)
1. using the kitchen, I dumped the "8-27-2009 Verizon Wireless Ozone ROM 1.12.605.30" recooked rom to borrow the payload
(from h t t p://forum.xda-developers.com/showthread.php?t=550863)
2. then I processed the Telus dump
(from h t t p://forum.xda-developers.com/showthread.php?t=712931)
>tools\IMGFS\ImgfsToDump.exe Part02.raw
>tools\IMGFS\ImgfsFromDump.exe Part02.raw imgfs.new.bin
>tools\IMGFS\ImgfsToNB.exe imgfs.new.bin 0_OS.nb.payload telus.payload
(this copies all data except the IMGFS partition from os.nb.old.payload to os.nb.payload, then adds the IMGFS partition from imgfs.new.bin)
3. back to the kitchen, dump the telus payload which created a new kitchen directory under /dump
4. started up the new kitchen from /dump, selected the appropriate device, fill in Device ID with "CEDA****" and chunk with "64", then save and create!
the resulting nbh built with the new kitchen didn't include a splash screen, so I then flashed HTC_SNAP_Splash_CEDA.bmp.nbh
(from h t t p://forum.xda-developers.com/showthread.php?t=550863)
links to rom and kitchen in next two posts below...
link to recooked rom:
h t t p : / / www . mediafire . com/file/5i6p50osa24gpkz/FLASH_TELUS.rar
link to kitchen:
h t t p : / / www . mediafire . com/file/zmlpv0ptq4q9tw2/Telus_Chief_Kitchen.rar
Note of course that you'll need to have previously flashed the HardSPL to your telus phone before you can flash cooked roms.
I had success flashing the Snap S511 HardSPL by JockyW to my S510.
Thanks man, it flashed just fine.
Glad to be back to stock ROM. That VZW 6.5 ROM was starting to annoy me.
[EDIT]
It seems I spoke a bit too soon:
1. I can't install some apps, and SDA unlocker says the phone is not unlockable. Things like MyPhone and MarketPlace complain about insufficient system privileges.
2. 3G Data connection doesn't work. Wifi only. At least I can still send/recv calls.
3. If I try to go to Settings->Phone, I get "The settings could not be opened."
4. CDMA1X connection has a GUID under "connects to", as opposed to a drop-down menu.
Looks like something got corrupted along the way.
thanks for testing.
I'm not at all familiar (yet, becoming more so) with cooking, will attempt to address the platformrebuilder.exe error I got to see what that affects.
Update July 30: issues addressed, rom built without errors
I've successfully recooked the rom without errors crashing platformrebuilder.exe. It flashed fine and no errors as far as I can tell.
I can't check 3G data connection however since the phone I'm using isn't activated - someone please tell me if it works.
I've updated the links to the newly recooked rom and rebuilt kitchen
good rom!!!!
The new ROM works just fine. Whatever you did, it worked.
Cheers!
hello
i have telus snap s510
what is problems in this rom
my phone is unlocked
hello
i try Snap S511 HardSPL by JockyW 3 times
but not work
The link to the updated kitchen is not currently working... anyone have another link or able to re-up this?
Thanks in advance
Confirmed link is dead.
I'm sorry if this has been asked before, I've done a search and can't find anything.
I know there's a few dumps of WP7 roms on the forum. But my understanding is that these have been from the rom files rather than from a phone. My question is is there a way to get a copy of EVERYTHING in the rom/nand from a working WP7 phone onto a computer/drive? I know there's tools on this forum for editing WP7 roms, but again, my understanding is that those roms weren't ripped from a working phone, rather from the rom file.
I know someone has used a HTC TyTn and has terminaled into the bootloader to send commands to dump the rom. Is this possible with a WP7 device? Say the HD7?
Any advice would be appreciated.
Thanks
yes i believe ppl flash new roms to unbrand their devices, you should check the devices forum, bet ull find roms there..
puunda said:
I'm sorry if this has been asked before, I've done a search and can't find anything.
I know there's a few dumps of WP7 roms on the forum. But my understanding is that these have been from the rom files rather than from a phone. My question is is there a way to get a copy of EVERYTHING in the rom/nand from a working WP7 phone onto a computer/drive? I know there's tools on this forum for editing WP7 roms, but again, my understanding is that those roms weren't ripped from a working phone, rather from the rom file.
I know someone has used a HTC TyTn and has terminaled into the bootloader to send commands to dump the rom. Is this possible with a WP7 device? Say the HD7?
Any advice would be appreciated.
Thanks
the rom's here on the forum(except the one's for the hd2) are original stock rom's for wp7 phones that can be flashed on real wp7 phones (with the same vendor ID)
you can't dump the actual rom from your phone right now (maybe later,but it will def take some time)
ceesheim said:
the rom's here on the forum(except the one's for the hd2) are original stock rom's for wp7 phones that can be flashed on real wp7 phones (with the same vendor ID)
you can't dump the actual rom from your phone right now (maybe later,but it will def take some time)
What phone(s) can you actually do a dump of the actual rom from the phone right now?
I understand some phones have things like clockwork recovery or magldr installed and use that to write new roms to the phone. Can the same programs not read (or backup) the current rom?
puunda said:
What phone(s) can you actually do a dump of the actual rom from the phone right now?
I understand some phones have things like clockwork recovery or magldr installed and use that to write new roms to the phone. Can the same programs not read (or backup) the current rom?
I can only talk for wm/wp and only from wm (6.*) you can dump the rom using a tool that is installed on the phone .
if you had a jtag or something like that you could dump (read the ROM/NAND and copy it) almost any phone.
but a jtag is hardware and it cost money (lots of it) and you need to know exactly how to work with it and you would need to open your phone (till the last screw)
I don't know clockwork .
magldr is something like a second bios (not right , but for you to understand) that help to start the os (normally the spl/hspl will do that )
magldr is used only for playing tetris and to load android/wp7 to a phone that isn't built to run that kind of os
it can only load something , it can't dump a rom.
ceesheim said:
I can only talk for wm/wp, and only from wm (6.*) you can dump the rom using a tool that is installed on the phone.
If you had a jtag or something like that you could dump (read the ROM/NAND and copy it) almost any phone.
But a jtag is hardware and it costs money (lots of it), and you need to know exactly how to work with it, and you would need to open your phone (till the last screw).
I don't know clockwork.
magldr is something like a second bios (not right, but for you to understand) that helps to start the os (normally the spl/hspl will do that).
magldr is used only for playing tetris and to load android/wp7 to a phone that isn't built to run that kind of os.
It can only load something, it can't dump a rom.
What tools can you use in WM6.* to dump the rom? I've read an article where someone used terminal commands and did a dump through the bootloader. Is there another way to do it?
I know about JTags, and am not touching them!
My point with clockwork and magldr is that if you can write (load) android/wp7 to the rom/nand, surely you should be able to get it to read from it?
It seems like either there's no way to do it with wp7 yet, or at least I've not found a way. But I was thinking if you can't do it with a real wp7 device since there's no clockwork/magldr, then can you take a dump of an HD2 with wp7 loaded into the rom/nand?
I have searched for a Samsung Focus stock rom in the past but I couldn't find it anywhere. Have you seen any one?
ceesheim said:
I can only talk for wm/wp, and only from wm (6.*) you can dump the rom using a tool that is installed on the phone.
If you had a jtag or something like that you could dump (read the ROM/NAND and copy it) almost any phone.
But a jtag is hardware and it costs money (lots of it), and you need to know exactly how to work with it, and you would need to open your phone (till the last screw).
I don't know clockwork.
magldr is something like a second bios (not right, but for you to understand) that helps to start the os (normally the spl/hspl will do that).
magldr is used only for playing tetris and to load android/wp7 to a phone that isn't built to run that kind of os.
It can only load something, it can't dump a rom.
Excuse my newbieness, but if I'm getting you correctly, you're saying that it is possible for me to extract the ROM from a working Samsung Focus and then write it to my bricked Samsung Focus using a JTag?
Totally possible, theoretically.
The WM/WP OS image is only a piece of data saved in a flash partition. The bootloader can read the content out of the flash partition and transfer the bytes to a PC (no need to care about the file system, just perform a flash-chip-level read), but the question is that you must know how to communicate with the bootloader and send the proper commands to it. And as far as I know, in shipped devices this ability is usually removed from the bootloader for security reasons (e.g. eboot is useful in the development phase, but it must be removed from shipped devices).
Yes, you could also use JTAG to read the content out, but for the same reason the debug port on the SoC is usually also disabled in shipped devices (like Tegra, which has internal fuses to enable or permanently disable JTAG).
UzEE said:
Excuse my newbieness, but if I'm getting you correctly, you're saying that it is possible for me to extract the ROM from a working Samsung Focus and then write it to my bricked Samsung Focus using a JTag?
I think reading the OS partition while the OS is running is impossible (frankly, I never verified it). Two reasons: first, the OS partition should be locked by the last-phase bootloader or some early boot-up code in the OS (just set the NAND controller in the SoC), and second, since the OS is running, many system files are in memory, so the corresponding files should also be locked by the OS.
It is safe to dump the whole OS image in the bootloader, or so-called recovery mode.
So someone basically has to install a custom bootloader on the device. Then again, if the NAND is locked, that won't be possible.
QPST and Memory Debug allow you to download a raw NAND and radio copy. I've successfully done it (even found private info like passwords and contacts), but I don't know how to split it into partitions. Maybe anyone will help?
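On the question of splitting a raw NAND image into partitions, here is an added example (not part of the post above, and not code from any tool named in this thread) that strips the per-page spare area and carves partitions from an MBR-style table. It assumes the dump interleaves spare (OOB) bytes after each page, carries an MBR somewhere on a 512-byte boundary, and counts LBAs from the MBR sector; the sample image is constructed.

```python
import struct

SECTOR = 512  # assumed logical sector size

def strip_spare(raw, page=2048, spare=64):
    """Drop the per-page spare (OOB) bytes from a raw NAND read."""
    stride = page + spare
    if len(raw) % stride:
        raise ValueError("dump is not a whole number of page+spare units")
    return b"".join(raw[i:i + page] for i in range(0, len(raw), stride))

def find_mbr(data):
    """Offset of the first sector that looks like an MBR, or -1."""
    for off in range(0, len(data) - SECTOR + 1, SECTOR):
        sec = data[off:off + SECTOR]
        if sec[510:512] != b"\x55\xaa":
            continue
        entries = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
        # Boot flag must be 0x00/0x80 and at least one entry must have a type.
        if all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries):
            return off
    return -1

def partitions(data, mbr_off):
    """Return [(index, type, byte_offset, byte_length)] for used entries."""
    found = []
    for i in range(4):
        entry = data[mbr_off + 446 + 16 * i:mbr_off + 462 + 16 * i]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:
            continue
        start = mbr_off + lba * SECTOR  # assumption: LBAs count from the MBR sector
        if start + count * SECTOR > len(data):
            raise ValueError(f"entry {i} runs past the end of the dump")
        found.append((i, ptype, start, count * SECTOR))
    return found

def build_sample(page=512, spare=16):
    """Constructed image: one erased sector, an MBR, two partitions, with OOB."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate([(0x04, 1, 2), (0x0B, 3, 1)]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0, b"\0" * 3, ptype, b"\0" * 3, lba, count)
    mbr[510:512] = b"\x55\xaa"
    data = b"\xff" * SECTOR + bytes(mbr) + b"A" * 1024 + b"B" * 512
    return b"".join(data[i:i + page] + b"\xff" * spare for i in range(0, len(data), page))

if __name__ == "__main__":
    data = strip_spare(build_sample(), page=512, spare=16)
    for idx, ptype, start, size in partitions(data, find_mbr(data)):
        print(f"partition {idx}: type 0x{ptype:02x} offset {start} size {size}")
```

If `find_mbr` returns -1 on a real dump, the page and spare sizes passed to `strip_spare` are the first thing to re-check, since a wrong geometry shifts every sector boundary.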
Maybe starting a new topic about it here would help. Might attract the attention of some other devs.
Useless guy said:
QPST and Memory Debug allow you to download a raw NAND and radio copy. I've successfully done it (even found private info like passwords and contacts), but I don't know how to split it into partitions. Maybe anyone will help?
Could you describe how you do that?!
How to do this?..