Still nobody knows how to unlock the ext-rom? I tried everywhere here, but still no one can do it?
I've been wondering that myself since I moved over from a PDA2k and saw how easy it was to do it there with the Unlocker tools.
Apparently, since it's so comparatively new and the architecture is allegedly different from some of the other models, the only individual who went far enough to hack it is no longer active or no longer a willing participant in the community. His much-appreciated hack simply cleared out the Extended ROM area and moved it into the usable Storage memory area.
Until we get more people who are acclimated and bold enough to risk tinkering with their Magician models, it's either an all-or-nothing scenario when it comes to the Extended ROM. For me, I decided to hold out from installing the "BigStorage" hack until I know we can easily go back and forth without jeopardizing our devices with SD card-flashing techniques. There seem to be too many variables (read: ROM variations) to make me feel comfortable about possibly flashing some other carrier's version or rendition of the ROM onto my i-mate NA-850MHz JAM.
Ext rom
Ok BeyondtheTech, I understand - it's not too easy to load applications to the ext rom (like MDA2). We want to personalize our devices after loading the system (after a Hard reset). Applications like eWallet, CallManager, etc. The method is not relevant. We only want to automatically install other programs (not included on the rom). Or what's the method to enrich the original rom? But I prefer to upload the ext rom. Tools like Unhide and Unlock do not work (Error: FL_IOCTL_HW_PROTECTION - The parameter is incorrect). When I try to write something I see "Cannot copy: error code 19 The media is write protected" (after using loadvdisk.exe). Thanks for all replies. Sorry for my English.
As I understand it, the memory configuration and layout is different between the Blue Angel and the Magician devices, so the Unlock tools won't work.
I decided to remove my Extended ROM portion altogether and use Anansky's BigStorage hack. I now have 27MB of Storage area instead. I copied out the Extended ROM's CAB files and incorporated them into my normal "build" when redoing all my applications on a new device.
How to make your own ExtROM for the Magician
I recently managed to make my own ExtROM for my Magician.
A short howto:
1. First dump your rom to a SD-card, using the well-known method.
2. Next get the rom to your pc, using ntrw.
3. Using a Hex-editor, copy 2BC019C (HEX) till 3EC019C (HEX) to a file.
4. Mount that file as a virtual Harddisk (I use the virtualdisk-plugin for total commander).
5. Modify your ExtROM on that Virtualdisk.
6. Unmount the Virtualdisk.
7. Paste the contents of the (modified) file back into the rom-file, at precisely the same position, and save it under a different name.
8. Put the modified rom back onto your SD-card, using ntrw.
9. Flash your Magician with the new rom.
Have fun with your modified ExtRom
Re: How to make your own ExtROM for the Magician
DrChair said:
I recently managed to make my own ExtROM for my Magician.
A short howto:
1. First dump your rom to a SD-card, using the well-known method.
2. Next get the rom to your pc, using ntrw.
3. Using a Hex-editor, copy 2BC019C (HEX) till 3EC019C (HEX) to a file.
4. Mount that file as a virtual Harddisk (I use the virtualdisk-plugin for total commander).
5. Modify your ExtROM on that Virtualdisk.
6. Unmount the Virtualdisk.
7. Paste the contents of the (modified) file back into the rom-file, at precisely the same position, and save it under a different name.
8. Put the modified rom back onto your SD-card, using ntrw.
9. Flash your Magician with the new rom.
Have fun with your modified ExtRom
Does that remove the simlock?
Re: How to make your own ExtROM for the Magician
Oesie said:
Does that remove the simlock?
Nope, it's only a way to customize which things are installed after a hard-reset.
Hi DrChair,
I have a question for you. How did you find out that the location 2BC019C (HEX) till 3EC019C (HEX) is the ExtROM?
Thanks
Hi!
I cannot find this section in my file. I use HDD Hex Editor. See the attachment. Thanks
Pamela said:
Hi!
I cannot find this section in my file. I use HDD Hex Editor. See the attachment. Thanks
You misunderstand. 2BC019C (HEX) is a location, not content.
Oops...
Sorry... :wink:
Thanks
Pamela, he is referring to the exact position in the file, not a hex string to search for.
The idea is that you're ripping a chunk out of the ROM dump and turning that into a mountable volume, whose contents you can modify, then injecting the modified chunk back into the ROM dump, then SD-flashing your device.
3EC019C hex = 65,798,556 decimal
2BC019C hex = 45,875,612 decimal
65,798,556 - 45,875,612 = 19,922,944 bytes
So, from the ROM dump you make, you'll be ripping out nearly 19 MB into a file that you'll use as a "virtual hard disk" to make changes as necessary.
WinHex and UltraEdit are two good hex editors, and WinHex is good for ripping chunks out and injecting them back in (you don't want to "insert" the code, but replace the 19,922,944 bytes with your modifications - inserting will make the ROM dump file larger and corrupt it).
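The carve-edit-splice procedure in DrChair's howto and BeyondtheTech's offset arithmetic above, as an added example (not code from either poster): it copies the byte range out of a dump, refuses to put back a region of a different length (the "replace, not insert" mistake that grows and corrupts the dump), and includes the FAT boot-sector plausibility check DrChair describes for locating the region in the first place. The offsets are the ones quoted in the thread; the 8 KiB "dump" in demo() is constructed for the example, and the real dump is tens of megabytes.

```python
"""Carve the Extended ROM region out of a raw ROM dump and splice an edited copy
back in without changing the dump's length. Added example; assumes only the
offsets quoted in this thread, and builds its own constructed sample dump."""
import struct
from typing import List, Tuple

# Offsets DrChair gave for the Extended ROM inside the Magician's full ROM dump.
EXTROM_START = 0x2BC019C
EXTROM_END = 0x3EC019C        # exclusive; the region is 0x1300000 bytes long


def region_length(start: int, end: int) -> int:
    """Bytes in [start, end): what you copy out, and what must come back in."""
    if end <= start:
        raise ValueError("end must lie after start")
    return end - start


def carve(rom: bytes, start: int, end: int) -> bytes:
    """The hex-editor 'copy this range to a file' step."""
    if not 0 <= start < end <= len(rom):
        raise ValueError("region lies outside the dump")
    return rom[start:end]


def splice(rom: bytes, start: int, end: int, edited: bytes) -> bytes:
    """Overwrite [start, end) with 'edited'. A length mismatch is refused: that is
    exactly the 'insert instead of replace' mistake that grows and corrupts the dump."""
    expected = region_length(start, end)
    if len(edited) != expected:
        raise ValueError(f"edited region is {len(edited)} bytes, expected {expected}")
    out = rom[:start] + edited + rom[end:]
    assert len(out) == len(rom)   # the dump must never change size
    return out


def is_fat_boot_sector(sector: bytes) -> bool:
    """Plausibility test for a FAT12/16 boot sector (what DrChair spotted):
    x86 jump opcode at 0, 512 bytes per sector at offset 11, 0x55AA at 510."""
    if len(sector) < 512:
        return False
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    return (sector[0] in (0xEB, 0xE9)
            and bytes_per_sector == 512
            and sector[510:512] == b"\x55\xAA")


def find_boot_sectors(rom: bytes) -> List[int]:
    """Offsets of every plausible boot sector. Searching for the 0x55AA signature
    first keeps this usable on a dump of tens of megabytes."""
    hits, pos = [], 0
    while True:
        pos = rom.find(b"\x55\xAA", pos)
        if pos < 0:
            return hits
        start = pos - 510
        if start >= 0 and is_fat_boot_sector(rom[start:start + 512]):
            hits.append(start)
        pos += 1


def make_fat16_boot_sector() -> bytes:
    """Constructed sample boot sector carrying just the fields checked above."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                 # jmp short + nop
    s[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<H", s, 11, 512)       # bytes per sector
    s[54:62] = b"FAT16   "                   # file-system type string
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def demo(region_start: int = 0x19C, region_len: int = 0x800,
         rom_size: int = 0x2000) -> Tuple[List[int], bytes, bytes]:
    """Constructed 8 KiB 'dump': 0xFF filler with a FAT16 boot sector at region_start.
    Returns (detected boot-sector offsets, spliced dump, original dump)."""
    rom = bytearray(b"\xFF" * rom_size)
    rom[region_start:region_start + 512] = make_fat16_boot_sector()
    rom = bytes(rom)
    region_end = region_start + region_len
    hits = find_boot_sectors(rom)
    edited = bytearray(carve(rom, region_start, region_end))
    edited[3:11] = b"EDITED  "      # stand-in for changing files on the mounted volume
    patched = splice(rom, region_start, region_end, bytes(edited))
    return hits, patched, rom


if __name__ == "__main__":
    print("Extended ROM region is %d bytes" % region_length(EXTROM_START, EXTROM_END))
    found, new_rom, old_rom = demo()
    print("boot sector candidates at", [hex(h) for h in found], "size unchanged:", len(new_rom) == len(old_rom))
```

On a real dump you would read the file with open(path, "rb").read(), pass EXTROM_START and EXTROM_END to carve() and splice(), and write the result under a new name as the howto says; the length check in splice() is the safeguard against the oversized-file corruption BeyondtheTech warns about.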
little_frog said:
Hi DrChair,
I have a question for you. How did you find out that the location 2BC019C (HEX) till 3EC019C (HEX) is the ExtROM?
Thanks
I was trying to understand Anansky's bigstorage rom, by comparing it with my own rom, when I stumbled over something that looked very much like a FAT16 bootsector. So I had the start-address. Knowing that the size of the ext-rom was 1300000 (hex), it's simple math to find the end-address.
DrChair said:
little_frog said:
Hi DrChair,
I have a question for you. How did you find out that the location 2BC019C (HEX) till 3EC019C (HEX) is the ExtROM?
Thanks
I was trying to understand Anansky's bigstorage rom, by comparing it with my own rom, when I stumbled over something that looked very much like a FAT16 bootsector. So I had the start-address. Knowing that the size of the ext-rom was 1300000 (hex), it's simple math to find the end-address.
Thanks.. DrChair
BeyondtheTech said:
Pamela, he is referring to the exact position in the file, not a hex string to search for.
The idea is that you're ripping a chunk out of the ROM dump and turning that into a mountable volume, whose contents you can modify, then injecting the modified chunk back into the ROM dump, then SD-flashing your device.
3EC019C hex = 65,798,556 decimal
2BC019C hex = 45,875,612 decimal
65,798,556 - 45,875,612 = 19,922,944 bytes
So, from the ROM dump you make, you'll be ripping out nearly 19 MB into a file that you'll use as a "virtual hard disk" to make changes as necessary.
WinHex and UltraEdit are two good hex editors, and WinHex is good for ripping chunks out and injecting them back in (you don't want to "insert" the code, but replace the 19,922,944 bytes with your modifications - inserting will make the ROM dump file larger and corrupt it).
Wow! Is it possible for anyone to make an app that will do this automatically, similar to the bytecopy app provided by someone in this forum (great work btw!)? Or go the distance and upload a cooked ROM with the most useful apps that will go in after a Hard Reset (based on the experience of the gurus and nice peeps in the house)?
Use at own risk.
Sorry if it sounds too technical, but theoretically, one can go into the bootloader mode of the Magician and just dump the Extended ROM area to the SD card (i.e. d2s 82BC019C 83EC019C [untested!]), then 'ntrw read' it, mount it, edit it, unmount it, 'ntrw write' it, then 's2d 82BC019C 83EC019C' to write it back to the Magician.
I haven't found any documentation on 's2d' so that might be the reason he's dumping the entire ROM, then extracting the Extended ROM portion.
There are some good threads on how d2s/s2d is used on an iPAQ and an XDA II, but I'm sure it can be applied to most Pocket PCs:
http://discuss.pocketnow.com/showthread.php?s=&postid=46855
http://en.pdamobiz.com/en/forum/PDAforum_posts.asp?TID=62&PN=1
And these are possible commands and their arguments for use in the bootloader mode:
http://www.handhelds.org/hypermail/h2200-port/1/0146.html
Hi!
I have problems mounting the file to a disk. What ending should the file have? *.iso *.nrg ???!!!
I also have problems with total commander. The plugin does not work...
Plz HELP!
Pam
Hi!
Now I fixed my problems... thanks
But an other question:
Is it possible to create a small ext. ROM only for IIWPO so that the rest of the Storage is usable to install programs in?
What about a NEW self-cooked ROM with IIWPO? There are many threads about this with the other HTC devices. Is it possible with the Magician without losing the Big Storage??
Thanks. Bye, Pam
BeyondtheTech said:
theoretically, one can go into the bootloader mode of the Magician and just dump the Extended ROM area to the SD card (i.e. d2s 82BC019C 83EC019C [untested!])
That would be d2s 82c00000 83f00000
BeyondtheTech said:
I haven't found any documentation on 's2d' so that might be the reason he's dumping the entire ROM, then extracting the Extended ROM portion.
I didn't know that command existed. I thought I tried that once (s2d, without any arguments) to flash back an entire rom when I'd put back the sd-card when I was already in BL-mode, but iirc that gave me an "Invalid Command" message...
Anyway, I'll give it another try this weekend.
And thanks for the URLs, already googled for bootloader commands but found none.
Pamela said:
Is it possible to create a small ext. Rom only for IIWPO so that the rest of the Storage is useable to install Programms in?
I'm still trying to figure that out as well, but up till now without any success...
It would be nice to have approx 10 MB ext-rom and the rest added to storage.
Hi,
I want to delete a bitmap file present in my original device XIP.
(I know how to port a XIP from a new donor XIP for my device, so I know how to extract and rebuild it.)
When my device boots, I can see a MS splash screen. This image is in nk.exe I think, in the XIP, but I don't know where the data block is to remove it (I'm a noob in hex coding).
Could someone help me with this step?
Thanks a lot in advance.
Attached files: nk.exe (already dumped from device xip.bin), xip.bin (if you want to dump it with xipport) and an image which resembles that of the boot of my device.
Any idea please ?
isn't that the welcomehead96.png ??
That one isn't in the nk.exe..
the-equinoxe said:
isn't that the welcomehead96.png ??
That one isn't in the nk.exe..
No, it's not welcomehead96.png, this file doesn't exist on my smartphone device (Vox).
I tried to replace nk.exe (650 Ko) with another nk.exe (320 Ko) from a Chinese Vox rom, and on boot, the MS splash screen doesn't exist with this file.
So, I think a data block has been removed from nk.exe, and I want to know how (maybe hex).
Any idea?
afaik, the splash screens aren't in the xips, they are in the SYS
but hey, this is smartphone, never played with them ;/
ather90 said:
afaik, the splash screens aren't in the xips, they are in the SYS
but hey, this is smartphone, never played with them ;/
So why, when I use nk.exe from a Chinese rom in my xip, does the MS splash screen disappear?
On ATOM PPC, we can see a splash screen in nk.exe, see here:
http://forum.xda-developers.com/showthread.php?t=370023
But it doesn't work for me, I can't find the BM6 value.
Any idea?
Have you tried Axe hex editor?
It has a mode in which you can view binaries as a graphic file (you have to play with zoom and width though to recognize the pictures).
(Only works if the images are raw bitmaps, but this mode has revealed a lot to me.)
Thanks for this answer, I'll try and tell you.
OK, I installed Axe Hex Editor, and tried to open nk.exe (s000 and s002 files).
But I don't know how I can see a bmp block. Could you help me with this step?
Thanks.
Uploaded a screen capture of how I can see the BMP:
S002 contains the bitmap (I was very surprised to see a bitmap in the XIP, but then again, it is the smartphone version of WM).
Load the S002 file.
Switch to graphical mode (blue G button).
Set Width to 480 (this is trial and error, but you will learn to see structures and estimate the proper width when seeing code if you use it a lot)
(and zoom out a couple of times)..
BTW colours aren't the real colours but just colours given to hex values.
This method is also good for seeing other structures in code.
Guess you can make an exe from the module, edit it with a PE editor and then chunk it into modules again.
Thanks a lot, I can see the bitmap now.
I tried to rec nk.exe to a file, but recmod.exe can't, I obtain an error and a little nk.exe file (less than 1Ko).
Do you know another tool to register a module to a file?
Thanks again !
After some tests, I can replace the bitmap with another (with a hex editor), so I know the data block to remove in nk.exe.
But if I delete the bitmap data block, my device doesn't boot.
Maybe because the nk.exe size is different and I must edit something in the tables?
Could someone help me with this step?
Thanks.
Any idea please, I can't find a solution.
Thanks.
Always blocked, any idea please ?
Tried with all tools available, but couldn't rebuild this nk.exe.
Normally you can re-assemble modules to a pe-file and vice versa, but the nk.exe seems to be an exception.
Deleting the whole bitmap would shift the whole module, that is why the device won't boot.
Maybe someone who does more with relocation tables etc (eg. the creator of g'reloc) could help you better.
This is out of my league.
Regards,
EquinoXe
the-equinoxe said:
Maybe someone who does more with relocation tables etc (eg. the creator of g'reloc) could help you better.
This is out of my league.
Regards,
EquinoXe
Ok, thank you.
Bye.
Does anyone know what type of file a .nbh is and how to make it viewable/modifiable? If there was a way that we could mod the NBH file, that I believe would be the successful way of rooting the MyTouch 3G. I will be getting one of the production devices in a week or so; anyone who wants to have anything dumped, let me know.
The nbh is a ROM and you can't flash it without a modified SPL. I'm not even sure the SPL used for android even supports the file type, but any kitchen from winmo can decompile it.
Not really so much an android thing, but a hardware thing of HTC. The Dream and Sapphire support these files. There is a NBH file which will take you all the way back to RC29 and also flashes back the original SPL as well. So it is my belief that if we can make a compatible NBH for the Sapphire it will accomplish the end result.
Of course it will... That's what NBH files are made for. I don't think you can make one since it's signed (or something) with a key we don't have.
Ehh, I have an idea:
Someone has to decompile the .nbh and modify it to work on the mytouch 3g.
Then you have to create a goldcard.. not sure if viperbjk is putting sapphire into qmat..
Yeh, I have tried to decode it with a hex editor and have not had any real luck with it at all. Looks coded. Just wondering if anyone knows how to decode it; would be greatly appreciated. I have tried to use some of the old Windows Mobile kitchen tools.
There are lots of tools to extract NBH files; they should work if HTC hasn't changed anything... look for other devices' kitchens and you'll find the tools.
Also there's a project which tries to achieve the same result under linux http://code.google.com/p/htc-flasher/.
Where did you guys get an android nbh? This is odd because android is updated by placing an update.zip on the root of the sd card (among other ways), which is handled by the SPL. Why wouldn't HTC just stick with nbh then?
sammypwns said:
Where did you guys get an android nbh? This is odd because android is updated by placing an update.zip on the root of the sd card (among other ways), which is handled by the SPL. Why wouldn't HTC just stick with nbh then?
android is updated by .zip but NBH is an all-in-one image type file that flashes htc phones to factory defaults. It's usually used by the support techs to restore phones.
android/google=zip
htc =nbh
tripledes said:
There are lots of tools to extract NBH files; they should work if HTC hasn't changed anything... look for other devices' kitchens and you'll find the tools.
Also there's a project which tries to achieve the same result under linux http://code.google.com/p/htc-flasher/.
This looks promising... I wonder if we can figure out how to resign it....
Hi,
I have just tested the HTC-Flasher and unfortunately it does not work with the DREAIMG.nbh.
So if someone knows how to extract and re-flash the dream NBH, please help.
Bye
Herc. 8)
Hi,
Apologies if this is in the wrong forum location.
I am looking for some help or guidance on decoding a BIN file that has been extracted from a very ropey phone.
It's a BMW X6 Key Fob
http://www.kakatech.com/mini-key-handset-phone-bmw-x6/
http://www.ebay.co.uk/itm/worlds-sm...b-mobile-uk-stock-fast-despatch-/251117679362
I have the full 8MB BIN file. The baseband is MTK6252.
I can see some bits of data, but not much else; it's all gibberish (for a better word). I cannot find simple data, i.e. the IMEI.
If anybody has seen anything like this, or knows of any tools etc., it's much appreciated.
Rgds,
DG
Hi,
MTK usually encrypts the sim data, that's why you can't see it in plaintext.
Former MTK chipsets used wear leveling in combination with FAT.
Cheers
I was always kinda annoyed by the not matching boot logo. After the loader I could change the logo to the car manufacturer, but the first seconds still showed "On vehicle navigation system". After installing the Malasyk 8.0 ROM I recognized a different boot logo. So a change was possible. After some playing around with various ROM tools I was able to change the logo (sorry, I don't remember the exact steps). After switching to the HAL9k ROM, the changed logo was gone. The old method didn't work with HAL, as the boot loader with the logo was part of the signed update.zip and changing the logo of course breaks the signature.
So I played around with dumping various partitions and checking for the logo. There is a way to change it:
NOTE: The slightest mistake in one of the steps WILL brick your device!!!
1. Dump the bootloader partition
2. Find the logo in the dump
3. Replace the logo in the dump
4. Write the new bootloader parition
In general it is a good idea to connect to the device using adb on your PC, as typing on the on-screen keyboard is error-prone. dd commands have to be executed as root.
1a. dd if=/dev/block/mmcblk2p4 of=/storage/ext_sd/mmcblk2p4.bin
Note: Depending on your ROM or device the partition might be different. So if you don't find the logo there, try other partitions. Also adapt the of argument. I wrote the file to the "Music" SD card.
1b. Write down the file size. In my case it was exactly 16MB.
2a. Search the dump file for the string "BM6". I used HxD and found it at offset F800.
2b. Dump everything starting at this offset to a new file and name it with the extension BMP.
2c. Open it with your favorite viewer (I use IrfanView) and check if it is the correct logo.
2d. Check the resolution. In case of the HAL9k 3.1 ROM it should be 800x480x24, for Malasky it was 1024x600x24
2e. Save the file there to a different name.
2f. Check the new file size. In case of the HAL9k 3.1 ROM it should be 1152054 bytes
3a. Create a logo of your choice with exactly the same resolution.
3b. Check the file size. It must be identical to the one of the dumped BMP.
3c. Replace the data in the complete dump. Make sure you use the correct offset and use replace, not insert.
3d. Save the new dump and compare the file size. It must not have changed!
4a. Copy the file back on the SD card
4b. Write it back: dd of=/dev/block/mmcblk2p4 if=/storage/ext_sd/mmcblk2p4.bin
Note: if and of are now switched!
4c. Reboot
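The checks in steps 2 and 3 above, and the same-size bitmap replacement that worked in the earlier nk.exe discussion (deleting the bitmap shifted the module and the device would not boot; overwriting it in place did work), as an added example that is not the poster's procedure: it parses the BMP headers to recover size, resolution and colour depth, locates plausible bitmaps in a dump, and refuses any replacement whose length or resolution differs so the bytes after the logo never move. The "BM6" search string in step 2a is explained by the header layout: "BM" is followed by the little-endian file size, and for an 800x480x24 image that size is 1152054 = 0x119436, whose low byte 0x36 is the character "6". The 64 KiB dump in demo() is constructed; the real partition dump was 16MB and the logo offset F800 is the one the poster found.

```python
"""Locate a BMP logo inside a raw partition dump and replace it in place with a
same-size image. Added example for this thread, not the original poster's tooling;
the dump it works on in demo() is constructed."""
import struct
from typing import Dict, List, Tuple

FILE_HEADER = 14          # BITMAPFILEHEADER: 'BM', size, 2 reserved, pixel offset
DIB_HEADER = 40           # BITMAPINFOHEADER


def bmp_info(data: bytes, offset: int = 0) -> Dict[str, int]:
    """Parse the BMP headers at 'offset'. Raises ValueError if 'BM' is not there."""
    if data[offset:offset + 2] != b"BM":
        raise ValueError("no BM signature at offset 0x%X" % offset)
    size, _res1, _res2, pixel_offset = struct.unpack_from("<IHHI", data, offset + 2)
    _dib, width, height, planes, bpp = struct.unpack_from("<IiiHH", data, offset + FILE_HEADER)
    return {"size": size, "width": width, "height": abs(height),   # negative height = top-down
            "planes": planes, "bpp": bpp, "pixel_offset": pixel_offset}


def expected_size(width: int, height: int, bpp: int = 24) -> int:
    """Uncompressed BMP size: 54 header bytes plus rows padded to 4-byte boundaries."""
    row = ((width * bpp + 31) // 32) * 4
    return FILE_HEADER + DIB_HEADER + row * height


def find_logos(dump: bytes) -> List[int]:
    """Offsets of plausible BMPs: 'BM' followed by headers with sane values whose
    declared size fits inside the remaining dump. Replaces the manual 'BM6' search."""
    hits, pos = [], 0
    while True:
        pos = dump.find(b"BM", pos)
        if pos < 0:
            return hits
        try:
            info = bmp_info(dump, pos)
            if (info["planes"] == 1 and info["bpp"] in (1, 4, 8, 16, 24, 32)
                    and 0 < info["width"] <= 8192 and 0 < info["height"] <= 8192
                    and FILE_HEADER + DIB_HEADER <= info["size"] <= len(dump) - pos):
                hits.append(pos)
        except (ValueError, struct.error):
            pass
        pos += 1


def replace_logo(dump: bytes, offset: int, new_bmp: bytes) -> bytes:
    """Overwrite the BMP at 'offset' with new_bmp. Any size or resolution mismatch is
    refused: the data after the logo must stay exactly where it was."""
    old, new = bmp_info(dump, offset), bmp_info(new_bmp)
    if new["size"] != len(new_bmp):
        raise ValueError("new BMP header size disagrees with its file length")
    if len(new_bmp) != old["size"]:
        raise ValueError("new logo is %d bytes, dump has %d" % (len(new_bmp), old["size"]))
    if (new["width"], new["height"], new["bpp"]) != (old["width"], old["height"], old["bpp"]):
        raise ValueError("resolution or colour depth differs from the original logo")
    out = dump[:offset] + new_bmp + dump[offset + old["size"]:]
    assert len(out) == len(dump)           # step 3d: the dump size must not change
    return out


def make_bmp(width: int, height: int, bgr: Tuple[int, int, int]) -> bytes:
    """Constructed solid-colour 24-bit BMP (bottom-up, uncompressed)."""
    row = ((width * 24 + 31) // 32) * 4
    pixels = (bytes(bgr) * width + b"\x00" * (row - width * 3)) * height
    size = FILE_HEADER + DIB_HEADER + len(pixels)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, FILE_HEADER + DIB_HEADER)
    dib = struct.pack("<IiiHHIIiiII", DIB_HEADER, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels


def demo(logo_offset: int = 0xF800) -> Tuple[bytes, int, bytes]:
    """Constructed 64 KiB 'partition dump' with a 16x8 logo at logo_offset.
    Returns (original dump, offset, patched dump)."""
    old_logo = make_bmp(16, 8, (0, 0, 0))
    dump = bytearray(0x10000)
    dump[logo_offset:logo_offset + len(old_logo)] = old_logo
    dump = bytes(dump)
    patched = replace_logo(dump, logo_offset, make_bmp(16, 8, (0, 0, 255)))
    return dump, logo_offset, patched


if __name__ == "__main__":
    print("800x480x24 BMP is %d bytes" % expected_size(800, 480))
    original, off, new_dump = demo()
    print("logos found at", [hex(h) for h in find_logos(original)],
          "size unchanged:", len(new_dump) == len(original))
```

To use this on a real mmcblk dump, read the file you pulled with dd, run find_logos() over it, confirm with bmp_info() that the resolution matches what the ROM expects (800x480x24 or 1024x600x24 in the posts above), and only write back the output of replace_logo(), which has already verified that the file length is unchanged.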
Just did mine in Hal9k rom. Thank you
Sent from my iPad using Tapatalk
NOTE: The slightest mistake in one of the steps WILL brick your device!!!
Hi,
Just a thought on safety..
Is it not better that you change that -boot- logo for all cars so that "everybody" can choose his car logo, to prevent someone making a mistake which would brick his head unit?
https://www.google.com/search?q=and...KHQHTDu8QsAR6BAgEEAE&biw=1280&bih=726&dpr=1.5
Thanks for this!
In my case, it was mmcblk2p7.
At first, I had a black screen, but the file size and resolution were correct.
Somehow, I managed to boot the device again and then I tried another picture and it worked.
I don't know the difference between my first and second try...but I'm lucky that my device isn't bricked.
Maybe we find a safer way for this...
rezi09 said:
Thanks for this!
In my case, it was mmcblk2p7.
At first, I had a black screen, but the file size and resolution were correct.
Somehow, I managed to boot the device again and then I tried another picture and it worked.
I don't know the difference between my first and second try...but I'm lucky that my device isn't bricked.
Maybe we find a safer way for this...
Great example of a new member joining, reading articles, giving it a go and reporting back.
Wonderful but rare.
marchnz said:
Great example of a new member joining, reading articles, giving it a go and reporting back.
Wonderful but rare.
Well, I'm new since 2009
Thx... it's a great forum with great people!
Pls support