Extended ROM customization


megalore
25th October 2005, 10:13 AM
Hi,

I'm trying to customize my extended rom before applying it to my Magician. I've downloaded latest WWE rom from FTP site, and extracted all files to a temp folder. I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file. After that, i used a HEX editor to cut the first 128 bytes and generate a "main" part to try and open it in Winimage, but so far without success (I'm using ITSME procedure).
Can someone help me trying to find out what i'm doing wrong?

Many thanks.

iDG
25th October 2005, 02:32 PM
Hi,
I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file.
Can someone help me trying to find out what i'm doing wrong?


The most recent versions of the updates are in a different format:
check here (http://wiki.xda-developers.com/index.php?pagename=MagicianUpgradeFiles)...

megalore
25th October 2005, 04:49 PM
Ok, thanks.

I've tried with the perl script you mentioned, but i can't seem to get a readable file on winimage. I used the following command line:
decode.pl ms_.nbf -f 0xEBFE904D

However, the header (.hdr) is perfectly readable in hexedit, so i assume the "encryption" key is correct.

Am i doing something wrong? :roll:

iDG
26th October 2005, 04:05 PM
Ok, thanks.
However, the header (.hdr) is perfectly readable in hexedit, so i assume the "encryption" key is correct.

That's because the header is not XOR "encrypted".
Try with: decode.pl ms_.nbf -f 0x4D90FEEB

talie11
26th October 2005, 05:58 PM
hi, i am not a developer and i got to the point where i have the decode.pl from the link in wiki.xda-developers.com... i dont know if that is correct so far, but i dont know how to get this a) from my computer onto the phone and b) if i can then change the windows language from german to english!?

megalore
27th October 2005, 12:49 PM
Hi iDG,

Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage.
Where do you get those keys? Are they extracted from the encoded file, and from what position?

Thanks.

iDG
27th October 2005, 08:47 PM
Hi iDG,
Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage. Where do you get those keys? Are they extracted from the encoded file, and from what position?


The "key" is the first dword of the unencrypted file. It can be obtained from a SD dump. The value seems to be constant (I've tried several versions).

Can you tell me what version are you trying to decode, so I can do the same here to see what happens?

megalore
27th October 2005, 11:25 PM
I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.

iDG
28th October 2005, 01:15 PM
I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.

Works fine here. That's the hexdump of the beginning of the DECODED file:
00000000 eb fe 90 4d 53 57 49 4e 34 2e 31 00 02 04 01 00 |...MSWIN4.1.....|
00000010 01 00 02 00 98 f8 26 00 26 00 01 00 00 00 00 00 |......&.&.......|
00000020 00 00 00 00 80 00 29 2d 00 f1 07 20 20 20 20 20 |......)-...     |
00000030 20 20 20 20 20 20 46 41 54 31 36 20 20 20 00 00 |      FAT16   ..|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f8 ff ff ff 03 00 04 00 05 00 06 00 07 00 08 00 |................|
00000210 ff ff 0a 00 0b 00 ff ff 0d 00 0e 00 ff ff ff ff |................|
00000220 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 |................|
00000230 19 00 1a 00 1b 00 1c 00 1d 00 1e 00 1f 00 20 00 |.............. .|
00000240 21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00 |!.".#.$.%.&.'.(.|
00000250 29 00 2a 00 2b 00 2c 00 2d 00 2e 00 2f 00 30 00 |).*.+.,.-.../.0.|
00000260 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 |1.2.3.4.5.6.7.8.|
00000270 39 00 3a 00 3b 00 3c 00 3d 00 3e 00 3f 00 40 00 |9.:.;.<.=.>.?.@.|
00000280 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 |A.B.C.D.E.F.G.H.|
00000290 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 4f 00 50 00 |I.J.K.L.M.N.O.P.|


Check with the results on your side, to see if there's something wrong with the perl script...

megalore
28th October 2005, 03:23 PM
Yes, that's what i get too. But WinImage shows no files inside it. I don't think it's WinImage problem, because if i use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, i get a similar decoded file which opens right on WinImage. If only the encoding part worked fine...

iDG
28th October 2005, 03:58 PM
Yes, that's what i get too. But WinImage shows no files inside it. I don't think it's WinImage problem, because if i use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, i get a similar decoded file which opens right on WinImage. If only the encoding part worked fine...

I've checked all the fields in the boot sector and everything matches correctly. The decoded file is a perfectly valid FAT16 volume. The only quirk I can find is that the boot sector declares the disk to be 0x9800 blocks long whereas the file is actually 0xa000 blocks long.
The space for the Ext_ROM in the flash is really 0x9800 blocks long.

You could try to cut the file to be 0x1300000 bytes long to see if winimage likes it.

bal666
28th October 2005, 05:40 PM
megalore,

if you know the checksum generation for the magician ext_roms then I'd be quite happy to generate a tool similar to the alpine tool - most of the code will be the same.

Although I thought the magician ext roms could be decoded/encoded using itsme's tool?

Bal

bal666
28th October 2005, 06:09 PM
Guys,

if it's anything like the alpine ext roms, then the last part consists of two splash screens (nb format).

hope that helps

iDG
28th October 2005, 07:03 PM
The Ext_ROM image on the magician only contains the actual FAT16 filesystem. The boot splash image is in a separate space in the flash.

The only tool I know of is the xda3nbf which does not work with the newer (base64-like) rom headers.

The checksum algorithm is, as far as I can tell, unknown.

bal666
28th October 2005, 07:39 PM
HI IDG,

hmmmm, that's interesting - maybe I'm confused .... but

If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and fat16 image (well what I think is the fat16 part).

Then I end up with a fat16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....

The first is a blank white image and the second is a "Qtek Keep the world in one" cityscape ....

Perhaps the tool you guys use to extract the fat16 image drops this part?

iDG
28th October 2005, 08:50 PM
hmmmm, that's interesting - maybe I'm confused .... but
If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and fat16 image (well what I think is the fat16 part).

Then I end up with a fat16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....


Yep You're right!
I've never noticed that but the same thing happens for every ms_.nba I have. When I first examined the fat16 part, I did notice the extra data, but being 0xff the content of an erased flash memory, I didn't bother to check further. This makes sense, because the bootsplash image is in fact right after the Ext_ROM, inside the flash.

I've never removed the "excess" data from the ms_.nba because MacOSX does not seem to care. Maybe WinImage does.

bal666
28th October 2005, 09:02 PM
Hi iDG,

yeah weird isn't it? I've just recently noticed it myself - so will start extracting it out separately.

Anyway, Megalore ...

I've attached a tool for the magician similar to the alpine version which allows you to decode and encode extended roms.

It's a bit of a hack at the moment - you'll find some of the messages still talk about the alpine, but the mechanics should be fine (I should have a disclaimer about how it could destroy your machine here ... but I'm sure you've already considered that!!!).

For instructions on usage, see the alpine post http://forum.xda-developers.com/viewtopic.php?t=31106&sid=e011e42bce14ded5bf594c1c0484b1bc

Have fun!

PS This retains the splash screens, but "Extra Drive Creator Pro" ignores them ... not sure about winimage - but I'll add that functionality if you have problems.

megalore
29th October 2005, 04:15 PM
Thanks bal666!!

Don't worry about the disclaimer, i think we all know the risks, otherwise we wouldn't be here in this forum...

I'll give it a try as soon as i can, and let you know how it turns out.

megalore
31st October 2005, 11:33 AM
Thanks guys!

It worked flawlessly. I can now customize my Magician ExtROM without any hassles.


Great Work!!!

bal666
31st October 2005, 11:11 PM
Hi Megalore,

that's good news! I'm glad it worked - I'll try to fix the "alpine" messages when I have a chance.

Have fun
Bal

dark_ente
2nd November 2005, 09:09 AM
Thanks man

I'll give it a try.

the day to restore my Magician to glory...

apdauser
14th December 2005, 12:17 AM
I've tried using winimage and extradrivepro but .fat contains nothing. Does it mean that decryptor didn't work?

bal666
14th December 2005, 01:12 AM
apdauser,

could be. Try this updated tool http://forum.xda-developers.com/viewtopic.php?p=191164#191164

If that gives the same result - then you can try to run it on another magician ms_.nbf file from an update (at least this way you'll know that it should contain files).

Bal

slvrbllt
14th December 2005, 10:03 AM
Are there any similar tools that allow one to 'customize' the OS rom ?

Thanks.

apdauser
14th December 2005, 04:01 PM
Hello bal666. Yes, actually I used your program first and really like your simple interface. It says ROM for unknown device but still decodes ROM properties fine. Did visual inspection against alpinedecoder and seems to match first 1000 bytes fine. Didn't check whole ROM.

Question is when ROM is decoded it becomes binary format. Is that the same as your FAT file?

bal666
14th December 2005, 04:10 PM
Apdauser,

Thank you - I was going to do a MDI interface but it would have gotten so complicated (and I would have had to learn how too!).

yep - for Extended ROMs this is a FAT image file, and depending on the device the rom is meant for it can also contain splash screens and padding. This is the reason for having the options to extract splash screen and "remove extraneous data" - which are greyed out if the program can't work out the device type.

You can confirm if it's a FAT output by having a look at the file in a hex editor. In all the roms I've seen so far the format is FAT16 - so look for this "FAT16" at offset 0x36 ... quick and simple check!

If the ROM is for OS or Radio, then the data is extracted but I don't know the format - there are some good experts here who can tell you the format of these decoded files.

Hope that helps some
Bal

apdauser
14th December 2005, 05:23 PM
Bal666 you're exactly correct 0x36 says FAT16. OS is FAT16. Radio is FAT12. So, now I've tried again to mount those files using Winimage and ExtraDrivePro but to no avail.

Actually, FAT12 and MS-DOS 5.0 came out using alpinedecoder. Using your decoder on radio file QCOML comes out with no FAT header.

On Extended and OS ROM alpinedecoder gives device type info. With your decoder both show MS-DOS 5.0 FAT16.

So, I'm not sure which method I should be using.

BTW, I do see that unsupported devices have the splash screen and extraneous data greyed out. Very good program to use.

bal666
14th December 2005, 05:31 PM
Hmmmm, could you tell me which rom update file you're using? This would be complete update, containing all rom images and programs to update the pda.

Easiest thing would be for me to try it too - if you can pm me the file location (if it's on the ftp site here) and I'll download it and give it a whirl too.

Bal

bal666
15th December 2005, 11:03 AM
Hi apdauser,

I've had a look at the file you're trying to decode and discovered that it's for a Harrier device ... which you already know!

Neither the alpine decoder nor the HTC64 decoder will work with Harrier roms; the format is a bit different.

But .... The Blue Angel decoder will work - except I've put in a check that stops the program running if it's for any other device than Blue Angel.... Damn.

I'll change the Blue Angel decoder to allow it to continue and post in a few days.

But, if you still want to try it quickly - then this is what I recommend with the GUI HTC64 decoder:
1. Decode the ms_.nbf rom (using default filenames)
2. make two copies of the ms_.fat file, one called ms_.img and other ms_.dat
3. In a hex editor, remove the first 0x70000 bytes from file ms_.img and save.
4. Mount the ms_.img file as another drive using Extra Drive Creator Pro.

You should now see the contents and be able to modify them.

When you want to create a new nbf file from this fat image - do this:
1. copy the first 0x70000 bytes from file ms_.dat to start of ms_.img
2. Encode using the .prj file created on decoding, but make sure FAT filename is that of the ms_.img file

Finished!

Give it a go and let me know how it works out - hopefully I'll have the Blue Angel tool sorted out to work with Harrier roms as well by then.

Bal
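Added example, not part of the thread and not code from any of the tools mentioned in it: a script for the checks discussed above, namely bal666's "FAT16" at offset 0x36 test, iDG's comparison of the size declared in the boot sector with the file length, and the prefix removal in the Harrier procedure. It assumes a standard FAT16 BIOS parameter block and generalizes the fixed 0x70000 offset to a sector-aligned scan; the function names and the padded sample sector are constructed for illustration.

```python
import struct

SECTOR = 512
# First 0x40 bytes of the decoded file, copied from iDG's hexdump in the thread.
HEAD = bytes.fromhex(
    "ebfe904d5357494e342e310002040100"
    "0100020098f826002600010000000000"
    "000000008000292d00f1072020202020"
    "20202020202046415431362020200000"
)
# Constructed: rest of the sector rebuilt as zeros plus the 55 aa signature.
BOOT = HEAD + bytes(SECTOR - 2 - len(HEAD)) + b"\x55\xaa"

def is_fat16_boot_sector(sec: bytes) -> bool:
    """'FAT16' at offset 0x36 and the 55 aa signature at 0x1fe."""
    return (len(sec) >= SECTOR and sec[0x36:0x3B] == b"FAT16"
            and sec[0x1FE:0x200] == b"\x55\xaa")

def find_volume(data: bytes) -> int:
    """Offset of the first sector-aligned FAT16 boot sector in a decoded file."""
    for off in range(0, len(data) - SECTOR + 1, SECTOR):
        if is_fat16_boot_sector(data[off:off + SECTOR]):
            return off
    raise ValueError("no FAT16 boot sector found")

def declared_size(sec: bytes) -> int:
    """Volume size in bytes according to the BIOS parameter block."""
    bytes_per_sector, = struct.unpack_from("<H", sec, 0x0B)
    total16, = struct.unpack_from("<H", sec, 0x13)   # 16-bit sector count
    total32, = struct.unpack_from("<I", sec, 0x20)   # used when total16 == 0
    return bytes_per_sector * (total16 or total32)

def split_image(data: bytes):
    """Split a decoded file into (prefix, FAT16 volume, trailing data)."""
    off = find_volume(data)
    size = declared_size(data[off:off + SECTOR])
    end = min(off + size, len(data))  # tolerate a truncated file
    return data[:off], data[off:end], data[end:]

def join_image(prefix: bytes, volume: bytes, trailer: bytes) -> bytes:
    """Reassemble the file in its original layout before re-encoding."""
    return prefix + volume + trailer

if __name__ == "__main__":
    # Constructed sample: 0x9800-sector volume followed by 0x100000 bytes of 0xff.
    sample = BOOT + bytes(0x1300000 - SECTOR) + b"\xff" * 0x100000
    prefix, volume, trailer = split_image(sample)
    print(hex(len(prefix)), hex(len(volume)), hex(len(trailer)))
```

Only the middle part returned by `split_image` is the FAT16 volume to hand to an image tool; the prefix and trailing data have to be put back with `join_image` before encoding.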

apdauser
15th December 2005, 06:44 PM
Hello to you Bal666.

Using your instructions Winimage and Extradrive Pro sees ExtROM files.

Re-pasted 70000 bytes and I have a new, working ms.nbf file.

Thank you again from apdauser.

apdauser
17th December 2005, 03:45 AM
:D