don't unlock CID and read only extended rom........
anyone know how to read and write rom on TyTn
I have Italian TyTn
thanks

I uploaded your ExtROM to FTP, and updated the information on the wiki:

http://wiki.xda-developers.com/index.php?pagename=Hermes_ExtendedRoms

Can you please edit the page and provide information on which extended rom version is it?

Also it would be useful if you edit the Available Hermes Versions (http://wiki.xda-developers.com/index.php?pagename=Hermes_Versions) page and add the details on your device under a new ITA row.

Thanks!

i wrote i little piece about how to dump some of the roms of the hermes.

http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom

i wrote i little piece about how to dump some of the roms of the hermes.


Many thanks!! I will try and post my results when I get back home.

I am always getting this error:


C:\itsutils>pdocread.exe -l
Copying C:\itsutils\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync


I have tried restarting device and activesync several times, I've searched the forum and RTFM, tried to delete the dll using resco explorer, it gets uploaded again, but then I get the error... I'm stuck and can't find a solution, anyone can help?

I am runing a default WinXP SP2 installation on a VMWare virtual machine under Linux, could this be the problem? I've been using activesync without problems to install soft, browse and sync the device.

i got same error with awizard..........

probably your device is application locked (http://wiki.xda-developers.com/index.php?pagename=ApplicationUnlocking), see the wiki article.

probably your device is application locked (http://wiki.xda-developers.com/index.php?pagename=ApplicationUnlocking), see the wiki article.

Thanks!! That was it, I just changed the registry key and did a softreset, and now I can use itstools. I am having some problems, this is what I've done so far:


C:\itsutils>pdocread.exe -l
114.88M FLASHDR
| 3.12M Part00
| 2.88M Part01
| 50.88M Part02
| 58.00M Part03
968.75M DSK1:
| 968.50M Part00
STRG handles: 834d5e62
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(968.50M) 03958bce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 58.00M) 239584da
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 50.88M) 039582ce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 2.88M) 2395828a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 3.12M)

C:\itsutils>pdocread -w -n 0 -t
ERROR: ITTFFSGetInfo: outbuf==NULL
WARNING: using default 512 bytes for sectorsize
real nr of sectors: 1 - 512.00byte (0x200)

C:\itsutils>pdocread -w -n 1 -t
ERROR: ITTFFSGetInfo: outbuf==NULL
WARNING: using default 512 bytes for sectorsize
real nr of sectors: 1 - 512.00byte (0x200)

C:\itsutils>pdocread -w -t

0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 6398 - 3.12Mbyte (0x31fc00)

C:\itsutils>pdocread -w 0 0x31fc00 test.raw

0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x31fc00, test.raw)

C:\itsutils>pdocread -w 0 0x2e0000 test2.raw

0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x2e0000, test2.raw)

C:\itsutils>pdocread -w 0 0x32e0000 test3.raw

0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x32e0000, test3.raw)
ERROR: ITReadDisk - Internal error.

C:\itsutils>dir test*

10/08/2006 10:53 3.275.776 test.raw
10/08/2006 10:58 3.014.656 test2.raw
10/08/2006 11:02 3.211.264 test3.raw
3 archivos 9.501.696 bytes

C:\itsutils>


So, I have been able to dump BOOT (coldboot kernel?), and RAWFS (base kernel) but I get this internal error in IMGFS... file test3 should be 58Mb ideally... :(

Anything else I can try? Thanks again!

I attach my itsutils.log file, just in case it can help the troubleshooting...

On the wiki:

note, that with my phone there was a read error in the imgfs, where i had to read one specific 0x800 byte section separately and patch the diskimage to make it work.


I guess it is the same error I am getting... so, let's see if it works that way:


C:\itsutils>pdocread -w 0 0x32e0000 test3_0.raw
CopyTFFSToFile(0x0, 0x32e0000, test3_0.raw)
ERROR: ITReadDisk - An internal error occurred.
C:\itsutils>dir test3_0.raw
10/08/2006 22:22 3.211.264 test3_0.raw

ok, it stops here... i know i have 3211264 bytes which is 0x310000 so I specify this as "start" parameter of pdocread, and as you suggested in the wiki, i read only 0x800 byte:

C:\itsutils>pdocread -w 0x310000 0x800 test3_1.raw
CopyTFFSToFile(0x310000, 0x800, test3_1.raw)

It worked! Now I should continue reading the rest of the imgfs, I already have 0x310800 byte, so I need to read until 0x2fcf800, right? that is:


C:\itsutils>pdocread -w 0x310800 0x2fcf800 test3_2.raw
CopyTFFSToFile(0x310800, 0x2fcf800, test3_2.raw)
ERROR: ITReadDisk - An internal error occurred.

And here we are... the same error again!?!?!

I tried with bigger values than 0x800 byte but I do not success on extracting the whole imgfs. Can you please post the commands you used?? Thanks, thanks, thanks :)

OK, I am stupid, forget my other two previous comments... i think i got the point right now!

I was missing the handle, but for me it's easier to use -d and -p than -h so I did like this to check the sizes:


C:\itsutils>pdocread -w -d FLASHDR -p Part00 -t
real nr of sectors: 6398 - 3.12Mbyte (0x31fc00)
C:\itsutils>pdocread -w -d FLASHDR -p Part01 -t
real nr of sectors: 5888 - 2.88Mbyte (0x2e0000)
C:\itsutils>pdocread -w -d FLASHDR -p Part02 -t
real nr of sectors: 104192 - 50.88Mbyte (0x32e0000)
C:\itsutils>pdocread -w -d FLASHDR -p Part03 -t
real nr of sectors: 118784 - 58.00Mbyte (0x3a00000)


Now let's dump every partition:


C:\itsutils>pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw
CopyTFFSToFile(0x0, 0x31fc00, Part00.raw)
C:\itsutils>pdocread -w -d FLASHDR -p Part01 0 0x2e0000 Part01.raw
CopyTFFSToFile(0x0, 0x2e0000, Part01.raw)
C:\itsutils>pdocread -w -d FLASHDR -p Part02 0 0x32e0000 Part02_0.raw
CopyTFFSToFile(0x0, 0x32e0000, Part02_0.raw)
ERROR: ITReadDisk - Not enough storage is available to complete this operation.
C:\itsutils>dir Part*.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
10/08/2006 23:00 39.911.424 Part02_0.raw
C:\itsutils>

So I guess this is the error pointed in the wiki... I will try to do the 0x800 byte trick to complete dumping the rest of imgfs.

The file size is 39.911.424 (0x2610000 in hex), so I specify this value as start, and 0x800 byte length:


C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610000 0x800 Part02_1.raw
CopyTFFSToFile(0x2610000, 0x800, Part02_1.raw)


It worked, now I have to start at 0x2610000 + 0x800 and read the rest of the partition which is 0x32e0000 (total size) - 0x2610800 (what I have already read), so the result is 0xccf800 bytes Iength I need to read:


C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610800 0xccf800 Part02_2.raw
CopyTFFSToFile(0x2610800, 0xccf800, Part02_2.raw)


And that's it! All dumped successfully ;)


C:\itsutils>dir Part*.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
10/08/2006 23:00 39.911.424 Part02_0.raw
11/08/2006 00:02 2.048 Part02_1.raw
11/08/2006 00:06 13.432.832 Part02_2.raw


Now I concatenate the three Part_?.raw files using cat under linux, like this:


$ cat Part02_0.raw Part02_1.raw Part02_2.raw > Part02.raw


And now I can check the filesize is correct, and I have successfully dumped all 3 partitions:


C:\itsutils>dir Part0?.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
11/08/2006 00:10 53.346.304 Part02.raw


Cool :lol:

I will post the dumped rom on FTP and update the wiki with this information :D

There it is:

1. My dumped rom (ftp://xda:xda@ftp.xda-developers.com/Uploads/Hermes/Hermes_Dumped_ROMs/HTC_TyTN_1.18.255.3_WWE_Dumped_ROM.zip)

2. Wiki page updated (http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom)

itsme: can you explain the process of flashing a device using the dumped rom on the wiki? Thanks! :D

in my case the read error caused a file corruption when trying to decode the imgfs with rdmsflsh.pl (http://wiki.xda-developers.com/index.php?pagename=RomTools/rdmsflsh.pl), where the rdmsflsh.pl script ended prematurely.

there was no error printed by pdocread, but the resulting file was still corrupt.


if you run rdmsflsh.pl with the '-v' parameter, and in the output look for the last / highest offset decoded, then check if the rom image contains anything after that offset. there should only be NULs.

the rdmsflsh output should look something like this:

02aca3c0-02aca400 l=00000040 indexblock filedata for b69277c2-5bd7-41da-9399-4f096341b62c.dsm
02aca680-02acaf14 l=00000894 datablock 0 for indexblock filedata for b69277c2-5bd7-41da-9399-4f096341b62c.dsm
2196 0047 2006-06-12 17:22:12 b69277c2-5bd7-41da-9399-4f096341b62c.dsm
statistics:
16843 [ 0x000041cb ] compressed
23766 [ 0x00005cd6 ] datablocks
1521 [ 0x000005f1 ] ent_fffff6fd
1034 [ 0x0000040a ] ent_fffff6fe
1246 [ 0x000004de ] ent_fffffefb
403 [ 0x00000193 ] ent_fffffefe
1 [ 0x00000001 ] ent_ffffffff
1040 [ 0x00000410 ] files
397 [ 0x0000018d ] modules
1521 [ 0x000005f1 ] sections
2598 [ 0x00000a26 ] uncompressed

02acaf14 is the end of data offset here.


willem

in my case the read error caused a file corruption when trying to decode the imgfs with rdmsflsh.pl (http://wiki.xda-developers.com/index.php?pagename=RomTools/rdmsflsh.pl), where the rdmsflsh.pl script ended prematurely.

there was no error printed by pdocread, but the resulting file was still corrupt.


if you run rdmsflsh.pl with the '-v' parameter, and in the output look for the last / highest offset decoded, then check if the rom image contains anything after that offset. there should only be NULs.

the rdmsflsh output should look something like this:

02aca3c0-02aca400 l=00000040 indexblock filedata for b69277c2-5bd7-41da-9399-4f096341b62c.dsm
02aca680-02acaf14 l=00000894 datablock 0 for indexblock filedata for b69277c2-5bd7-41da-9399-4f096341b62c.dsm
2196 0047 2006-06-12 17:22:12 b69277c2-5bd7-41da-9399-4f096341b62c.dsm
statistics:
16843 [ 0x000041cb ] compressed
23766 [ 0x00005cd6 ] datablocks
1521 [ 0x000005f1 ] ent_fffff6fd
1034 [ 0x0000040a ] ent_fffff6fe
1246 [ 0x000004de ] ent_fffffefb
403 [ 0x00000193 ] ent_fffffefe
1 [ 0x00000001 ] ent_ffffffff
1040 [ 0x00000410 ] files
397 [ 0x0000018d ] modules
1521 [ 0x000005f1 ] sections
2598 [ 0x00000a26 ] uncompressed

02acaf14 is the end of data offset here.


willem

Hi,
how would it work out to dump files from the ROM, such as e.g. ril.dll etc. ?

There is a little software at buzzdev.net called wm5filedump (or so, cannot recall it right now).
If I have it run as is with my German HTC TyTN it runs but doesn't dump anything to the storage card.

As the reason for that I found out - looking at the code using a hex editor - that it obviously tries to save to a directory it creates on "Storage Card".

However on a German localized OS this is "Speicherkarte"...

Managed to rewrite this to "Speicherkarte" for the links shown in the code and actually got lots of files dumped to /dump or /dmp folder on my card.

However some really interesting files were missing, like all those radio library dll's.

Also an other folder the program created, called "modules" stayed empty.

Can anyone prove with the original English OS if something gets dumped there ?

@itsme:
Probably you are very gifted in ROM manipulation. I think I am not as bold as you are, but I'd only like to have the ROM files (the one's you can also see with a good explorer but cannot manipilate because the're ROM; or e.g. the ril.dll which just shows zeros if you view it in a HexEditor etc.) dumped for editing and analysis and maybe a safe way for uploading Splash Screens or so.
Maybe it's possible to look for hidden registry keys that way.
Any ideas ?

Sorry for the delay in answering.. i run rdmsflsh.pl with my Part02.raw file, it reads the whole file without any errors.




c:\xda>mkdir files
c:\xda>rdmsflsh.pl -d files Part02.raw

[...]

1334 0047 2006-01-24 11:37:24 direct16.2bp
1334 0045 2006-01-24 11:29:32 alerts.bmp
1334 0047 2006-01-24 11:38:28 PNotes.2bp
1263 0047 2006-01-24 11:29:44 seekthumb96S.gif
1256 0047 2006-01-24 11:38:28 question.bmp
1248 0045 2006-05-30 09:59:42 ding.amr
statistics:
16595 [ 0x000040d3 ] compressed
22868 [ 0x00005954 ] datablocks
1521 [ 0x000005f1 ] ent_fffff6fd
767 [ 0x000002ff ] ent_fffff6fe
1013 [ 0x000003f5 ] ent_fffffefb
398 [ 0x0000018e ] ent_fffffefe
768 [ 0x00000300 ] files
397 [ 0x0000018d ] modules
1521 [ 0x000005f1 ] sections
2490 [ 0x000009ba ] uncompressed



Now I have extracted all the files contained in the imgfs. (will put them in ftp later, so anyone can have a look....)

What I want is to create a .NBH file and replace the HERMIMG_Dopod_1.23.707.1_SHIP.nbh contained in CHT9000_ENG.exe, so we can use the RUU (Rom Upgrade Utility) with our extracted rom files. I have been playing with romtools, but I can't figure out how to "join" all rom files into a valid .nbh file.

itsme: can you point me to the right directon? Thanks for your help :)

how would it work out to dump files from the ROM, such as e.g. ril.dll etc. ?

[...]

I'd only like to have the ROM files (the one's you can also see with a good explorer but cannot manipilate because the're ROM; or e.g. the ril.dll which just shows zeros if you view it in a HexEditor etc.) dumped for editing and analysis.


1) Download ActiveState perl from here:
http://www.activestate.com/Products/Download/Download.plex?id=ActivePerl

2) Open perl package manager and run 3 commands:


ppm> repository add itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
ppm> install XdaDevelopers-NbfUtils
ppm> install XdaDevelopers-CompressUtils


You should see something like this:

PPM - Programmer's Package Manager version 3.4.
Copyright (c) 2001 ActiveState Software Inc. All Rights Reserved.

Entering interactive shell. Using Term::ReadLine::Perl as readline library.

Type 'help' to get started.

Setting 'target' set to 'ActivePerl 5.8.8.817'.
ppm> repository add itsme http://www.xs4all.nl/~itsme/projects/perl/ppm
Repositories:
[1] ActiveState Package Repository
[2] itsme
ppm> install XdaDevelopers-NbfUtils
====================
Install 'XdaDevelopers-NbfUtils' version 0.20 in ActivePerl 5.8.8.817.
====================
Downloaded 36872 bytes.
Extracting 20/20: blib/lib/XdaDevelopers/NbfUtils.pm
Installing C:\Perl\site\lib\auto\XdaDevelopers\NbfUtils\NbfUt ils.bs
Installing C:\Perl\site\lib\auto\XdaDevelopers\NbfUtils\NbfUt ils.dll
Installing C:\Perl\site\lib\auto\XdaDevelopers\NbfUtils\NbfUt ils.exp
Installing C:\Perl\site\lib\auto\XdaDevelopers\NbfUtils\NbfUt ils.lib
Installing C:\Perl\site\lib\auto\XdaDevelopers\NbfUtils\NbfUt ils.pdb
Files found in blib\arch: installing files in blib\lib into architecture depende
nt library tree
Installing C:\Perl\site\lib\XdaDevelopers\NbfUtils-perlonly.pl
Installing C:\Perl\site\lib\XdaDevelopers\NbfUtils.pm
Successfully installed XdaDevelopers-NbfUtils version 0.20 in ActivePerl 5.8.8.8
17.
ppm> install XdaDevelopers-CompressUtils
====================
Install 'XdaDevelopers-CompressUtils' version 0.30 in ActivePerl 5.8.8.817.
====================
Downloaded 103843 bytes.
Extracting 24/24: blib/script/cecompr_nt.dll
Installing C:\Perl\site\lib\auto\XdaDevelopers\CompressUtils\ CompressUtils.bs
Installing C:\Perl\site\lib\auto\XdaDevelopers\CompressUtils\ CompressUtils.dll
Installing C:\Perl\site\lib\auto\XdaDevelopers\CompressUtils\ CompressUtils.exp
Installing C:\Perl\site\lib\auto\XdaDevelopers\CompressUtils\ CompressUtils.lib
Installing C:\Perl\site\lib\auto\XdaDevelopers\CompressUtils\ CompressUtils.pdb
Files found in blib\arch: installing files in blib\lib into architecture depende
nt library tree
Installing C:\Perl\site\lib\XdaDevelopers\CompressUtils.pm
Installing C:\Perl\bin\CECompressv3.dll
Installing C:\Perl\bin\CECompressv4.dll
Installing C:\Perl\bin\cecompr_nt.dll
Successfully installed XdaDevelopers-CompressUtils version 0.30 in ActivePerl 5.
8.8.817.
ppm>


3) Then download the dumped roms from TyTN or Dopod 838 from here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_DumpedRoms

4) Download rdmsflsh.pl script, here:
http://nah6.com/~itsme/cvs-xdadevtools/dumprom/rdmsflsh.pl

5) The contents of imgfs are on Part02.raw, to extract them just run these commands in the same dir you have Part02.raw:


mkdir files
rdmsflsh.pl -d files Part02.raw


Hope that helps :)

This is the last output part of rdmsflsh.pl -v Part02.rom, using my TyTN extracted imgfs:


[...]
02a87340-02a87374 l=00000034 name entry fileent 191672
fileent 191672: direct16.2bp
02a871c0-02a87200 l=00000040 indexblock filedata for direct16.2bp
02a87b80-02a87c09 l=00000089 datablock 0 for indexblock filedata for direct16.2bp
1334 0047 2006-01-24 11:37:24 direct16.2bp
02a873a8-02a873dc l=00000034 name entry fileent 191776
fileent 191776: alerts.bmp
02a87c40-02a87c80 l=00000040 indexblock filedata for alerts.bmp
02a87c80-02a87fc2 l=00000342 datablock 0 for indexblock filedata for alerts.bmp
1334 0045 2006-01-24 11:29:32 alerts.bmp
02a8803c-02a88070 l=00000034 name entry fileent 191880
fileent 191880: PNotes.2bp
02a88200-02a88240 l=00000040 indexblock filedata for PNotes.2bp
02a88240-02a885fc l=000003bc datablock 0 for indexblock filedata for PNotes.2bp
1334 0047 2006-01-24 11:38:28 PNotes.2bp
02a880d8-02a8810c l=00000034 name entry fileent 192036
fileent 192036: seekthumb96S.gif
02a88b00-02a88b40 l=00000040 indexblock filedata for seekthumb96S.gif
1263 0047 2006-01-24 11:29:44 seekthumb96S.gif
02a88140-02a88174 l=00000034 name entry fileent 192140
fileent 192140: question.bmp
02a89000-02a89040 l=00000040 indexblock filedata for question.bmp
1256 0047 2006-01-24 11:38:28 question.bmp
02a881a8-02a881dc l=00000034 name entry fileent 192244
fileent 192244: ding.amr
02a891c0-02a89200 l=00000040 indexblock filedata for ding.amr
1248 0045 2006-05-30 09:59:42 ding.amr
statistics:
16595 [ 0x000040d3 ] compressed
22868 [ 0x00005954 ] datablocks
1521 [ 0x000005f1 ] ent_fffff6fd
767 [ 0x000002ff ] ent_fffff6fe
1013 [ 0x000003f5 ] ent_fffffefb
398 [ 0x0000018e ] ent_fffffefe
768 [ 0x00000300 ] files
397 [ 0x0000018d ] modules
1521 [ 0x000005f1 ] sections
2490 [ 0x000009ba ] uncompressed


So, I guess 2a89200 is my end of data offset here. I used hexdump to see if I have only NULs (0x00) after this or not, and this is what I get (first column is the offset):


2a891b0 9003 043f bf90 0e00 00b8 303c 0458 5800
2a891c0 2004 e59b 10d1 e1d3 7848 0000 8222 04e0
2a891d0 9330 049b 0419 2411 2054 9302 02e5 9931
2a891e0 3fe7 0804 e35e 3d22 3004 e083 30b2 3ad3
2a891f0 1d04 0439 7827 3008 e082 98f2 8a02 3820
2a89200 3000 59d2 5355 9888 5103 16e1 089c 2085
2a89210 e083 0199 98f2 f201 d920 df00 d108 08d8
2a89220 d804 d308 08df 0c95 08df 9fd1 4104 9801
2a89230 5a04 5004 98a0 f100 01b5 8555 047e be18
2a89240 8508 07f8 f8d3 9507 02e1 5300 12e1 08be
2a89250 00bf b90c fc00 d10c 08d8 d804 5f08 2208


So, I guess my resulting file is also corrupted, there is data until the end of the file:


32dff50 ff7d babd ffbd 0007 f7f4 f7f7 ebde cede
32dff60 cedf d3bd adbd adc7 b694 0094 38ff 8c12
32dff70 8cae 0010 9631 0179 555a b76b 0202 0017
32dff80 05ff 053f 5a11 846d 0508 002f 32ff 035f
32dff90 3f02 ff05 3fa7 1111 0028 0329 1318 ff7d
32dffa0 928c bd8c bdb6 11ff 1004 b6b5 10b5 ad00
32dffb0 adb2 b6ad a5ad a5b2 0010 b294 949c 8cb2
32dffc0 840f 84ae 0028 1480 0178 149f 17ff 1a3f
32dffd0 2f1d ff00 3f65 9505 0040 0017 11ff 181f
32dffe0 87f1 1f7c ff96 7d31 0e69 0013 005f 7f06
32dfff0 ff1f 1752 6500 053f 95ff 116f 5214 846d
32e0000

probably the corruption is a block of NULs.

you should look for an error message stating an invalid magic number found.

can you attach the entire output of "perl rdmsflsh.pl -v romimg.nb"

willem

probably the corruption is a block of NULs.

you should look for an error message stating an invalid magic number found.

can you attach the entire output of "perl rdmsflsh.pl -v romimg.nb"

willem


Here it is! sorry for the delay :)

I don't see the "invalid magic number", only this:

$ cat RDMoutput.txt |egrep -i "(invalid|magic)" |head -n 3
00000200-00000204 l=00000004 dirblock magic
0002c200-0002c204 l=00000004 dirblock magic
0002f800-0002f804 l=00000004 dirblock magic

All,

Followed the instructions, no problems.
Well one small one - i don't get any errors dumping the ROM! all three files dump with straight commands - no funny 0x800 fix required. I'm wondering if i've done something wrong - any comments?

Andrew.

The 0x800 "fix" was a confusion I had... I think the info in the wiki is wrong, maybe itsme can confirm it.

If everything dumped fine, that's ok :)

If you get an error dumping imgfs you just have to dump from the position you got the error until the end and join the two files.

One more question !

From " http://wiki.xda-developers.com/index.php?pagename=Hermes_DumpedRoms " ...

NOTE: It is NOT POSSIBLE to flash or replace the ROM on your device with one of these.

This means i can't go back if things screw up?
(and why dump rom at all?)

Andrew.

This means i can't go back if things screw up?

Yes, that's what it means :P

(and why dump rom at all?)

Basically you can extract the full files from IMGFs which sometimes is not possible to extract from the running device.

It is possible to create a new/modified imgfs out of a dumped one, but as the Hermes uses a "new" NBH format for updates, and rom upgrades must be signed by HTC, it is not possible yet to reflash the Hermes with a NBH file made by yourself (the Hermes gives an error about invalid / wrong cert). We still have to figure out how to do this... itsme and TheBlasphemer have done a great work and I've been testing some of their apps, but we still don't have a solution for signing NBH files or flash them without signing, although thanks to itsme it is now possible to extract all the rom parts from them.

Hi guys,

since I previously had an Universal which I updated without having the patience of dumping the ROMs before (and then I had no way to go back, as voda is not giving out any ROM), this time the first thing I did once I got the Hermes, was to dump it IMMEDIATELY !!!

Here is my experience...


D:\build>pdocread.exe -l
114.88M FLASHDR
| 3.12M Part00
| 2.88M Part01
| 51.50M Part02
| 57.38M Part03
10.00M EXT_FLA
| 10.00M PART00
241.25M DSK1:
| 241.20M Part00
STRG handles: a39d0f92
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(241.20M) c3854046
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 10.00M) 23958bae
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 57.38M) 239584ba
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 51.50M) 639582ae
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 2.88M) 6395828a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 3.12M)


then I applied the "check" commands...


D:\build>pdocread -w -d FLASHDR -p Part00 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 6398 - 3.12Mbyte (0x31fc00)

D:\build>pdocread -w -d FLASHDR -p Part01 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 5888 - 2.88Mbyte (0x2e0000)

D:\build>pdocread -w -d FLASHDR -p Part02 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 105472 - 51.50Mbyte (0x3380000)

D:\build>pdocread -w -d FLASHDR -p Part03 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 117504 - 57.38Mbyte (0x3960000)


but I noticed the sizes of the partitions being a little bit different and hence the location I guess I had to use...

For this reason I the used the following commands:


D:\build>pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00
.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x31fc00, Part00.raw)

D:\build>pdocread -w -d FLASHDR -p Part01 0 0x2e0000 Part01
.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x2e0000, Part01.raw)

D:\build>pdocread -w -d FLASHDR -p Part02 0 0x3380000 Part0
2_0.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x3380000, Part02_0.raw)


I just named the third file as reported on the wiki page, and waiting for the error as Murphy's law is always present, but I guess I got it right as I did not encountered any error and finally I had the following files:


Part00.raw 3.275.776 bytes
Part01.raw 3.014.656 bytes
Part02_0.raw 54.001.664 bytes


What I'm not sure of is if the above values used for dumping were correct or not (after having seen my device infos) and if the above dumps can be considered "reliable" or not...

Is anyone wishing to give me a comment on this, before I update the archive to the FTP directory ?

Thank you very much.

Best regards.

What I'm not sure of is if the above values used for dumping were correct or not (after having seen my device infos) and if the above dumps can be considered "reliable" or not...

According to the output of pdocread -l, the values you used to dump the partitions are correct and the resulting file should be fine.

However, be sure to read questions 8 and 9 in the hermes upgrading FAQs to make sure you understand that you cannot "go back" even after dumping the rom this way:
http://wiki.xda-developers.com/index.php?pagename=Hermes_UpgradeFAQ

The files you've extracted are only useful for things like this:
http://forum.xda-developers.com/showthread.php?t=279256

According to the output of pdocread -l, the values you used to dump the partitions are correct and the resulting file should be fine.

Hi pof,

thank you for the confirmation. I'm not so fond of memory locations since 32 bits are in use (it was simpler on Commodore64 years ago...)

Hence I needed a "supervisor"...

However, be sure to read questions 8 and 9 in the hermes upgrading FAQs to make sure you understand that you cannot "go back" even after dumping the rom this way:
...


Yes, I already got the FAQ and read it. This is good enough at the moment.

When I had the Universal reverse flashing was not known yet, but I could have done a dump, for future use...

This is what I'm looking now: the chance to take a "picture", store it safe and then to move around.

Thank you anyway for your explanation.

EDIT: the RAW dump files are being uploaded right now... ;-)

Best regards.

This is what I'm looking now: the chance to take a "picture", store it safe and then to move around.

I am also looking into this, but I think we have some technical dificulties here:

1) NBH files are signed and bootloader refuses to flash any unsigned code, even if you could extract the whole contents of a ROM from a device you will not be able to flash it back because you would not know the right keys to sign the updates. This is the main problem.

2) Other than that, gnuharet and pmemdump tools can help you dump some parts you cannot extract using the method described in the wiki to dump the ROM with pdocread.exe. The hermes RAM is at 0x30000000, the first 256K contain the SPL but if you dump them ('pwf splfile 0x30000000 0x40000' in gnuharet.exe) you'll see that the contents are not equal to what you get out of extracting the SPL from a NBH image using nbh2dbh and dbhdecode. Most part is equal but there are some small differences and I think it is because it gets damaged by WM5. So, I don't really know a safe method to do it yet... i'm sure there are a lot of ROM gurus out there who can help with that and I am just a newbie in that area, so any help will be appreciated, and I will gladly help anyone who wants to get involved and has no knowledge, so just post your questions and share your findings :)

Hello,

First of all I want to give my thanks to all people that has contributed to help us, the poor Hermes users, in order to made our daily work easier.

En particular quiero dar las gracias a POF por su magnífico liberador del CID y por habernos dado instrucciones detalladas sobre como trabajar con el firmware de esta máquina, gracias a lo cual tengo la última versión de la ROM de radio instalada, la máquina SuperCID y conozco el Bootloader (que hace una semana no sabía ni que era). También quiero animarte a que sigas buscando la manera de que podamos volcar estas ROM's volcadas en nuestras máquinas. Muchas gracias POF.


I've made a DUMP from an Spanish HTC-TyTN. These are the results:

C:\itsutils\build>pdocread.exe -l
114.88M FLASHDR
| 3.12M Part00
| 2.88M Part01
| 51.13M Part02
| 57.75M Part03
9.63M EXT_FLA
| 9.63M PART00
1.89G DSK1:
| 1.89G Part00
STRG handles: 439a585e
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 1.89G) 239b5f4a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 9.63M) 43958bce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 57.75M) 839584da
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 51.13M) e39582ce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 2.88M) 6395828a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 3.12M)


C:\itsutils\build>pdocread -w -d FLASHDR -p Part00 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 6398 - 3.12Mbyte (0x31fc00)

C:\itsutils\build>pdocread -w -d FLASHDR -p Part01 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 5888 - 2.88Mbyte (0x2e0000)

C:\itsutils\build>pdocread -w -d FLASHDR -p Part02 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 104704 - 51.13Mbyte (0x3320000)

C:\itsutils\build>pdocread -w -d FLASHDR -p Part03 -t
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
real nr of sectors: 118272 - 57.75Mbyte (0x39c0000)


C:\itsutils\build>pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x31fc00, Part00.raw)

C:\itsutils\build>pdocread -w -d FLASHDR -p Part01 0 0x2e0000 Part01.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x2e0000, Part01.raw)

C:\itsutils\build>pdocread -w -d FLASHDR -p Part02 0 0x3320000 Part02.raw
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x0, 0x3320000, Part02.raw)



The final result:

3.275.776 Part00.raw
3.014.656 Part01.raw
53.608.448 Part02.raw


I ve Zipped these files into the file "HTC_TyTN_1.18.262.2_ES Dumped_ROM.zip" and I've uploaded it to the FTP server.

This is the information of my machine:

http://rt002nf0.eresmas.net/Varios/TyTN001.jpg


Also, I've included the link to the ROM and the version info in the "Available Dumped or Modified ROM Versions" wiki page.


That's all... Best regards!

Thanks VivaErBetis, your dumped rom has been moved to safe heaven :)

Hello,

I've also extracted the imgfs content using the activeperl method and all seems to be correct.


Best regards.

Hola, me he bajado esa ROM y al extraerla me salen tres cachos *.raw. Ahora como tengo que instalarlos para actualizar la ROM de la v1605 que lleva la original de vodafone.

Hay alguna otra ROM en español?

Gracias y un saludo

Please, use English, otherwise I'll use Italian and all this will only be a big mess...

PLEASE !!!

Thanks a lot.

I am sorry, I have read this thread and there are a lot of spanish people. I should written in english.

I have a friend that have a v1605 (tynt) with a vodafone rom and it do not works well. I think that this ROM is in spanish and I have download it to upgrade the pda of my friend.
When I extract it I have three *.raw and I can not upgrade. What I have to do to update??

Thank you and sorry if I have mistakes writting in english

@patxi_80: this is a dumped rom, not valid to flash on the device. You need a shipped rom (http://wiki.xda-developers.com/index.php?pagename=Hermes_Upgrades), and there are no spanish shipped roms available for the hermes yet.

Thank you very much pof

bye

C:\itsutils>dir Part*.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
10/08/2006 23:00 39.911.424 Part02_0.raw
11/08/2006 00:02 2.048 Part02_1.raw
11/08/2006 00:06 13.432.832 Part02_2.raw


Now I concatenate the three Part_?.raw files using cat under linux, like this:


$ cat Part02_0.raw Part02_1.raw Part02_2.raw > Part02.raw


And now I can check the filesize is correct, and I have successfully dumped all 3 partitions:


C:\itsutils>dir Part0?.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
11/08/2006 00:10 53.346.304 Part02.raw


is anyone can confirm that we can concatenate under windows please ????

is anyone can confirm that we can concatenate under windows please ????

Copy /b

Check the wiki, was updated long ago.

Copy /b

Check the wiki, was updated long ago.

thank , but i see alway this sentence : In a Windows operating system (UNTESTED - please check if works correctly, because insertion of EOF can create problems)

i forget/don't see something ?

you confirm that concatenate under windows is safe ?

you confirm that concatenate under windows is safe ?
yes, and i've updated the wiki not to confuse you agian.

yes, and i've updated the wiki not to confuse you agian.

ok thank you very much but i have a problem , i am a trinity user and the 0x800 trick seems not to work

here is the result : 0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
CopyTFFSToFile(0x2140000, 0x800, Part02_1.raw)

i have always a error when dumping the part02.raw (active sync shutdown when the size of part02.raw is nearly 30 or 32 Mo) so i need to use the 0x800 trick but :(

any idea ?

EDIT : i said nothing !! this result is normal , i have not read after the wiki article, it's for that i believe the result was wrong

I've dumped the ROM from my UK Orange SPV M700 but when it comes to the rest it looks like it's way above my head.

Can someone finish doing the rest for me so I have something to backup to if my flashing goes awry or I need to send it back?

Can someone finish doing the rest for me so I have something to backup to if my flashing goes awry or I need to send it back?
The way these guys are describing it, restoring a dumped ROM doesn't seem possible. I wanna WM6 my M3100 but I'm very hesitant without a Get Out Of Jail Free Card :) I think I read on the Wiki that you can cannibalise an existing ROM with the stuff you dumped but don't take my word for it.

What we need is a "next next next" wizard that backs the old ROM up, sticks the best (?) WM6 ROM on, complete with all my favourite apps and my favourite ringtone. And an Angelina Jolie today screen. That would be sweet. Come on guys get cracking :D

My original aim (however unrealistic) was to have an SD card with my original ROM / radio / ExtROM (everything to put it back to how it was originally) that I can just stick in to put me back to square one.

Don't get me wrong I'm comfortable with a hex editor but there's a bit too much to take in with SPLs and IPLs and AKUs and god knows what ... And I really don't like the possibility of being forced to go back to my RAZR V3i should I brick it hehe

Think I'll go back to just reading for a bit ... Great thread btw :)

Joining the last thread :-)
Any smart develper who can make a.. next next next application to backup the original ROM in our Hermes, without all that complex things..

Waiting to hear from that genius developer ;-)

Hi guys,to start off with,i am a total beginner with guts to change my HTC TyTn from windows mobile 5 to windows mobile 6,however, my problem is that i cant edit and save my value changes in my registry just to enable my phone to run my own programs in order to backup my ROM so in case i dont like windows mobile 6, i can revert to my original current windows mobile 5. I require step by step instructions because after reading so many posts,i get confused what to do so i need a whole lot of guidance and spoon-feeding for the whole process from beginning to end! thank you guys

Hi, I'm trying to dump my ROM but I got an error dumping Part2_0.raw. I've tried with the trick of 0x800 but I think this is not the problem, I could read almost all the file without problems, but an error occurs next to the end of file.
I got the following output

pdocread -w -d FLASHDR -p Part02 0 0x32e0000 Part02.raw
CopyTFFSToFile(0x0, 0x32e0000, Part02.raw)
ERROR: ITReadDisk : read 00000000 bytes - Dirección de bloque de control de almacenamiento no vßlida.


Resulting file size is 53215232 bytes (0x32c0000). I've tried the 0x800 trick starting in this address and then read the remaining bytes to 0x32e0000 but I've got always the same error.
Error message is in spanish, english translation (more or less) is Address of storage block control not valid.

Any suggestion?

Thank yoy!

Regards

Maybe a stupid question..but what do I need to do with the .RAW files? Can I convert them to .nb some how?

-

SRRRRRRRRRY!!

the answer is here (http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoReconstruct):D

It seems like I am one of the "I am a newbie and sorry for asking" people... but here it goes...

If I use the Hermes_Howto Reconstruct directions does this now mean that one of the dumped ROMS from the wiki CAN be flashed back to a device?

I am in the same boat as many that use Rogers in Canada and don't have a ROM from them anywhere to use.

Hi ,
I am unablt to get the coredll.dll. The files are dumped as described in the section ,but coredll.dll is missing


regards
Moinuddin

How can i dump the radio (gsm part) from htc trinity?

Thanks

What does pdocread dump?
Does it dump all current installed programs and userdata (like sms and phonnumbers) or does it dump the installation-files and -setting that are used when hard-resetting the phone?

Hi,

now I got the Part?.raw. How can I reload them on my HTC.
Thanks, bye

hello, i try to dump the 3 files */raw from my sam i780 but i have some error
can someone send me the right parameter?
pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw, dont' work for me.

thanks

hello, i try to dump the 3 files */raw from my sam i780 but i have some error
can someone send me the right parameter?
pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw, dont' work for me.

thanks

Hi All,

i have the latest Singapore ROM (i780DXHC1). But I used the wiki guide but encountered similar errors like sacha06.

Can someone give some pointers?

Hello, can you reply me?
Now I have .raw files, how can I create a self
extracting image executable?
Thanks for you answers.
Bye.

Ok.. i tried the whole procedure...

I had this error

E:\>pdocread -l
Copying E:\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.

Then i had to tweak the registry setting...

To keep it short for others:

HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, changed it to dword:1

After that, soft reset and then it worked.

Now, here's what i get with the read command

E:\>pdocread -l
215.50M (0xd780000) FLASHDR
| 3.12M (0x31f000) Part00
| 4.00M (0x400000) Part01
| 105.50M (0x6980000) Part02
| 102.88M (0x66e0000) Part03
3.75G (0xf0000000) DSK8:
| 3.75G (0xf0000000) PART00
STRG handles:
handle#0 8e6e6762 3.75G (0xf0000000)
handle#1 2fed9756 102.88M (0x66e0000)
handle#2 4ff90baa 105.50M (0x6980000)
handle#3 4ff90b86 4.00M (0x400000)
handle#4 4ff908d2 3.12M (0x31f000)
disk 8e6e6762
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 2fed9756
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4ff90baa
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4ff90b86
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
disk 4ff908d2
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
So i guess so far so good... where it doesn't work is when i try this command:

E:\>pdocread -w -d FLASHDR -p Part00 0 0x31f000 Part00.raw
CopyTFFSToFile(0x0, 0x31f000, Part00.raw)
ERROR: ITReadDisk : read 00000000 bytes - The parameter is incorrect.

What am i doing wrong?