View Full Version : NBH format used in Hermes (TyTN) roms


pof
17-08-2006, 09:36 AM
NOTE: I've already posted this into the Development & Hacking forum, but got no reply yet. As it is an Hermes specific topic it is probably better to place it here, sorry for reposting if you've already read this.


The available original shipped ROMs for the HTC Hermes have .nbh files with the RUU, instead of the usual .nbf files found in other HTC rom updates.

By now, there are two shipped ROMs available, containing:

HERMIMG_Dopod_1.23.707.1_SHIP.nbh
hermimg_QtekNOR_1.18.255.3_Ship.nbh

So, it seems that the usual nk.nbf file is no longer used by the Hermes RUU :(

I cannot extract the various rom components (ExtROM, OS, IPL/SPL, SplashScreen, GSM radio, etc...) out of these files using the usual TyphoonNbfTool, however mamaich's prepare_imgfs finds the imgfs and dumps it apparently ok, but it cannot be read using viewimgfs or itsme's rdmsflsh.pl, so I guess the dumped file is invalid.

Does anybody know about this new format?
Is it possible to convert it to nk.nbf so we can cook our own roms?
Would it be possible for example to extract the radio rom from Dopod and replace it on QtekNOR rom?

efjay
17-08-2006, 12:30 PM
I think we will have to wait for the ROM gurus to advise on this. I hope this would be possible so we can get the best rom possible.

pof
21-08-2006, 12:56 PM
I've tried to decode .nbh files with alpinenbfdecode.pl, himalayanbfdecode.pl and typhoonnbfdecode.pl. None of them works, so this must be a completely new format.

Opening nbh files in a hex editor shows interesting strings, but I don't know how to proceed to identify each part and decompress or decrypt it... :(

jerrry
21-08-2006, 11:31 PM
Is it possible to decrypt Extended_ROM of HTC TyTN? I've found a great extRom, but I can't upgrade my ExtRom because I have only borrowed the TyTN from my friend and I am looking for one special application which is included in this. Any solutions? Thanks

pof
22-08-2006, 02:21 AM
Jerry, you can unlock & unhide the ExtRom just with a registry tweak, look here:

http://wiki.xda-developers.com/index.php?pagename=Hermes_Unhide_Extrom

TheBlasphemer
30-08-2006, 06:12 PM
Downloading a ROM now to experiment ;)
If I crack it, you guys better donate something to my get-theblasphemer-a-hermes-too-fund :P (yet to set up that fund though ;))

bydandie
30-08-2006, 07:48 PM
Mate if you crack it I'll be donating to your fund! :)

TheBlasphemer
30-08-2006, 09:36 PM
Hmmm, a very weird file format indeed :S
All files start with "R000FF\r", next 16 bytes of what appears to be random data.
After that it consists of several blocks.
Each block starts with a header:
4-bytes block-length
4-bytes footer-length
1-byte always 1
After that follows the actual data (block-length bytes) + a footer, which appears to be random data but which I suspect to be some kind of checksum
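
Added example, not part of TheBlasphemer's post or of any xda-developers tool: a bounds-checked Python parser for the container layout described in the post above. Little-endian length fields and the sample bytes are assumptions; the post does not state the byte order, and the footer is kept as opaque bytes because its meaning was still unknown at this point in the thread.

```python
import struct

MAGIC = b"R000FF"                  # followed by one terminator byte
PREAMBLE_LEN = 16                  # the 16 unexplained bytes after the magic
BLOCK_HDR = struct.Struct("<IIB")  # block-length, footer-length, flag (little-endian assumed)


class NBHFormatError(ValueError):
    """Raised when the container does not match the described layout."""


def parse_nbh(buf):
    """Split an NBH image into (preamble, [block dicts]) with strict bounds checks."""
    start = len(MAGIC) + 1
    if buf[:len(MAGIC)] != MAGIC or len(buf) < start + PREAMBLE_LEN:
        raise NBHFormatError("bad magic or truncated file header")
    preamble = buf[start:start + PREAMBLE_LEN]
    pos = start + PREAMBLE_LEN
    blocks = []
    while pos < len(buf):
        if len(buf) - pos < BLOCK_HDR.size:
            raise NBHFormatError(f"truncated block header at {pos:#x}")
        data_len, footer_len, flag = BLOCK_HDR.unpack_from(buf, pos)
        pos += BLOCK_HDR.size
        # Both lengths come from the untrusted file. Python slicing would
        # silently return short data, so reject sizes that overrun the buffer.
        if data_len + footer_len > len(buf) - pos:
            raise NBHFormatError(f"block at {pos:#x} overruns the file")
        data = buf[pos:pos + data_len]
        footer = buf[pos + data_len:pos + data_len + footer_len]
        pos += data_len + footer_len
        blocks.append({"flag": flag, "data": data, "footer": footer})
    return preamble, blocks


def payload(blocks):
    """Concatenate block data, dropping headers and footers."""
    return b"".join(b["data"] for b in blocks)


def build_sample():
    """Constructed test image; not bytes from any real ROM."""
    out = MAGIC + b"\r" + bytes(range(16))
    for chunk in (b"constructed-", b"payload"):
        out += BLOCK_HDR.pack(len(chunk), 4, 1) + chunk + b"\xAA" * 4
    return out


if __name__ == "__main__":
    pre, blks = parse_nbh(build_sample())
    print(pre.hex(), [(b["flag"], len(b["data"]), len(b["footer"])) for b in blks])
    print(payload(blks))
```

The parser only checks the first six magic bytes and skips the seventh, since the thread shows the terminator both as "\r" and as "\n".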

pof
30-08-2006, 11:25 PM
I'm uploading a full USB log of a complete ROM-flash here:

ftp://xda:xda@ftp.xda-developers.com/Hermes/Technical/

Watch for the file Dopod2-FullRomUpgrade.txt.gz, when it is fully uploaded it will be around 102Mb.

This is from this ROM file:

HER_DopodAsia_1237074_1060010_WWE_SHIP.exe

______
EDIT: Upload finished.

pof
31-08-2006, 11:17 AM
I created a wiki page with all the info we have about NBH format:

http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH

itsme
31-08-2006, 11:53 AM
I added my scripts to extract nbh files to the wiki page

willem

pof
31-08-2006, 12:22 PM
I added my scripts to extract nbh files to the wiki page

Cool :shock:

you always come with splendid work, so pleasant to see... thanks a lot! :D

TheBlasphemer
31-08-2006, 02:58 PM
Hmmm... just took a peek at the USB-dump of a ROM upgrade.
It appears that the whole file is just sent to the device.
The flashing utility doesn't even look at the CID or even the device type, it was happy to start flashing my Universal (however it didn't get very far, as the bootloader doesn't understand all commands :P).
This makes it incredibly difficult to make a RomUpgradeUtility that doesn't look at the CID, or to figure out how the signatures in the .nbh files are generated :(

pof
31-08-2006, 05:11 PM
willem,

I've been trying to extract the roms using your commands, everything runs fine until I have to run the gsmsplit batch file, as in this line you call "bcl" and I don't know what bcl is:

for %%i in (_bcl*) do bcl d %%i _x%%i.nb

I am running it on WinXP SP2 + cygwin 1.5.21-1, this is the error I get:


pof@winpof /cygdrive/c/nbh/files
$ gsmsplit.bat GSM.nb gsm.nbx
'bcl' is not recognized as an internal or external command,
operable program or batch file.
'bcl' is not recognized as an internal or external command,
operable program or batch file.
[...]
'bcl' is not recognized as an internal or external command,
operable program or batch file.
'bcl' is not recognized as an internal or external command,
operable program or batch file.
_x_bcl*.nb
The system cannot find the file specified.
0 file(s) copied.
Could Not Find c:\nbh\files\cing\_x_bcl*

pof@winpof /cygdrive/c/nbh/files
$ dir
GSM.nb MainSplash.nb SPL.nb nksigned.dbh signatures.txt
IPL.nb OS.nb SubSplash.nb nksigned.nbh unknown_601.nb


Is the line correct? If yes, what is bcl and where can I get it?

Thanks! :D

pof
31-08-2006, 08:32 PM
Ok, almost everything went fine... I don't know yet about the bcl command I asked before, and I cannot extract the contents of imgfs from OS.nb using rdmsflsh:


$ rdmsflsh.pl -d files OS.nb > rd.txt
could not find imgfs header


I've also tried prepare_imgfs.exe with OS.nb, it found IMGFS there and dumped it to imgfs_raw_data.bin, but then I cannot use viewimgfs.exe with this file, it complains about "unknown header type", and the file seems corrupt as it is only 6Mb...

BTW... SubSplash.nb seems to be the ExtROM, not the SubSplash.

pof
01-09-2006, 03:03 AM
I get a "Check cert error!" from the bootloader when I try to flash a modified NBH file (thanks TheBlasphemer for your help).

From spv-developers (http://www.spv-developers.com/forum/showthread.php?t=610):

"getting a developer CID (SuperCID) will allow you to flash your system with a ROM that is not digitally signed (i.e. a ROM that you have modified). If you do not modify it, you'll not be able to install a modified ROM on the device."

Is it possible that we can flash NBH files without signing in the Hermes if we get a SuperCID?

I tried using SPV-Services (http://www.spv-developers.com/content/spv-services.zip) to change the Hermes CID, but when I execute the CID tool (Alpha) I get the error: INVALID Storage Manager Handle (SAFE)

The NBH format is also used by HTC STARTrek, more info here (http://www.spv-developers.com/forum/showthread.php?t=3966).

itsme
01-09-2006, 03:03 PM
bcl is from bcl.sourceforge.net, and in the latest release called 'bfc'.

willem

fgro
18-09-2006, 09:10 PM
Ok, almost everything went fine... I don't know yet about the bcl command I asked before ...

Hey pof, you need to rename the bfc.exe to bcl.exe ...! Then you don't get the error but a lot of other zero-length values ...

vmirage
12-10-2006, 01:01 PM
So did anyone manage to get the extraction of the OS.nb done correctly?

YRLS
30-11-2006, 09:50 AM
Hi! Do you think it is possible to manage that NBH file and change the HTC logo splashscreen in some way?
I'd like to create a ROM file upgrade with a different splashscreen for my TyTN.

sn00x
30-11-2006, 10:54 AM
Hi! Do you think it is possible to manage that NBH file and change the HTC logo splashscreen in some way?
I'd like to create a ROM file upgrade with a different splashscreen for my TyTN.

I believe there is no tested solution out until now.
I for one think it's possible, but will take some time until someone with necessary skills will do some work:

- Create your own ROM or edit an existing one
- Sign it using your own self signed cert
- Find out how to create a "fake bootloader" that uses your own cert (as imei-check does to downgrade the SPL-Version)
- Load the fake bootloader from WinCE by jumping to the memory address
- Upgrade your cooked ROM using the normal way
- Bet there is no cert check before the device boots (and the check before the flashing procedure is the only one).
- Bet you did not make a failure and your TyTN is not broken :)

I may be wrong - but this is how I think it should be

kavana
13-12-2006, 02:15 AM
To use UNIX commands like "split -b" and "mv", you need to install Windows Services For Unix...
And there is no bcl.exe available, only the source can be downloaded, so you need to install software to build this app to use it...

And the most important thing is that "rdmsflsh.pl" on the NBH Wiki page is not for OS.nb dump from NBH!!!

How to really dump files from NBH, help me please...

pof
13-12-2006, 11:19 AM
How to really dump files from NBH, help me please...

See here:
http://www.youterm.com/?video=xda/nbh-extract

5n0rk
13-12-2006, 12:05 PM
See here:
http://www.youterm.com/?video=xda/nbh-extract

:D NICE!!!:D

Is it only for Linux?

pof
13-12-2006, 12:17 PM
Works on windows too... replace cabextract with winrar or 7zip, and use activestate perl.

kavana
17-12-2006, 01:33 AM
Works on windows too... replace cabextract with winrar or 7zip, and use activestate perl.

What is this?? xda.nbh-extract.ytscript ??
not pl/app, How to use it??:confused:

pof
17-12-2006, 03:37 AM
What is this?? xda.nbh-extract.ytscript ??
not pl/app, How to use it??:confused:

It is a video I made to show the process... if you want to extract imgfs files from OS.nb you can use mamaich imgfs tools (http://forum.xda-developers.com/showthread.php?t=249836).

sn00x
17-12-2006, 03:26 PM
It is a video I made to show the process... if you want to extract imgfs files from OS.nb you can use mamaich imgfs tools (http://forum.xda-developers.com/showthread.php?t=249836).

This doesn't work for me :(
I extracted OS.nb and used prepare_imgfs, which gave me:

Searching for IMGFS start... Found at 031F3BC0
Dumping IMGFS ...
Done!

After that I wanted to dump the files, but when I use viewimgfs.exe I only get:

guidBootSignature: F8 AC 2C 9D E3 D4 2B 4D BD 30 91 6E D8 4F 31 DC
dwFSVersion: 00000001
dwSectorsPerHeaderBlock: 00000001
dwRunsPerFileHeader: 00000001
dwBytesPerHeader: 00000034
dwChunksPerSector: 00000008
dwFirstHeaderBlockOffset: 00000200
dwDataBlockSize: 00001000
szCompressionType: XPR
dwFreeSectorCount: 00003F40
dwHiddenSectorCount: 00000100
dwUpdateModeFlag: 00000000

Address: 00000200, dwBlockSignature: 00003000
dwNextHeaderBlock: FFF9FFFF (size: FFF9FDFF)

Header type: 2F5314CE, Addr: 00000208
Unknown header type, FS_DATA_TABLE??

Header type: 02A3A880, Addr: 0000023C
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: 00000270
Unknown header type, FS_DATA_TABLE??

Header type: 02A2EF40, Addr: 000002A4
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: 000002D8
Unknown header type, FS_DATA_TABLE??

Header type: 02A3A900, Addr: 0000030C
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: 00000340
Unknown header type, FS_DATA_TABLE??

Header type: 02A3A940, Addr: 00000374
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: 000003A8
Unknown header type, FS_DATA_TABLE??

Address: FFF9FFFF, dwBlockSignature: 00000000
dwNextHeaderBlock: 00000000 (size: 00060001)

Header type: 00000000, Addr: FFFA0007
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA003B
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA006F
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA00A3
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA00D7
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA010B
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA013F
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA0173
Unknown header type, FS_DATA_TABLE??

Header type: 00000000, Addr: FFFA01A7
Unknown header type, FS_DATA_TABLE??

I extracted OS.nb from the newest o2 Germany ROM (ftp://xda:xda@ftp.xda-developers.com/Hermes/Shipped_Complete_Updates/o2_1.25.207.2_1.07.03.10_HSDPA_GER.exe)

Everything went fine, except viewimgfs.exe:

# cabextract o2_1.25.207.2_1.07.03.10_HSDPA_GER.exe
Extracting cabinet: o2_1.25.207.2_1.07.03.10_HSDPA_GER.exe
extracting EnterBL.exe
extracting GetDeviceData.exe
extracting HERMIMG_O2_1.25.207.2_SHIP.nbh
extracting README.doc
extracting ROMUpgradeUt.exe
extracting RUU.dll
extracting RUUUI.dll

All done, no errors.
# mv HERMIMG_O2_1.25.207.2_SHIP.nbh hermimg.nbh
# perl nbh2dbh.pl hermimg.nbh hermimg.dbh
magic1='R000FF\n'
magic2= 1d949092bdf752d4ae75389210a986d7
# perl dbhdecode.pl hermimg.dbh
magic: HTCIMAGE
devname: HERM100
cid: O2___102
version: 1.25.207.2
language: GER
00000200: 00000200 00020000 7d0000ea0d0000eafcffffeafbffffea IPL
00020200: 00020200 00040000 fe0300ea000000000000000000000000 SPL
00060200: 00060200 00040000 ef01ef01ef01ef01ef01ef01ef01ef01 MainSplash
000a0200: 000a0200 00040000 ef01ef01ef01ef01ef01ef01ef01ef01 unknown_601
000e0200: 000e0200 00aaa000 ffffffffffffffffffffffffffffffff SubSplash
00b8a200: 00b8a200 00d80000 ca1313de351313de591313deeb1313de GSM
0190a200: 0190a200 03962000 e9fdff00000000000000000000000000 OS
# ls -l *.nb
-rw-r--r-- 1 root root 14155776 2006-12-17 16:07 GSM.nb
-rw-r--r-- 1 root root 131072 2006-12-17 16:06 IPL.nb
-rw-r--r-- 1 root root 262144 2006-12-17 16:06 MainSplash.nb
-rw-r--r-- 1 root root 60170240 2006-12-17 16:07 OS.nb
-rw-r--r-- 1 root root 262144 2006-12-17 16:06 SPL.nb
-rw-r--r-- 1 root root 11182080 2006-12-17 16:07 SubSplash.nb
-rw-r--r-- 1 root root 262144 2006-12-17 16:06 unknown_601.nb

Then I downloaded OS.nb and tried imgs-tools.

Am I missing something?

pof
17-12-2006, 03:49 PM
I did it some time ago, can't remember the process I followed and have no time to test now... tools I used are mamaich imgfs tools, itsme rdmsflsh.pl script and probably bal666 HTC64 Extended ROM Tool.

vijovame
05-01-2007, 08:00 PM
Any news?

pof, congratulations to your great hard work!

It will be cool to cook Hermes ROMs and/or finish the Linux kernel..

vijovame
13-02-2007, 08:06 PM
Bump!!!!!!!!!!!!!!!!!!!!!!!!!

chrisb1
27-03-2007, 04:45 PM
I have the same problem as sn00x with viewimgfs not working. I also get errors with rdmsflsh

found hdr at 00659000
00000200: magic =00003000 != 2f5314ce
at rdmsflsh.pl line 258

I'm trying to access the files contained in the rom.

Thanks for any help.

chrisb1
27-03-2007, 05:01 PM
Actually the first error is running the gsmsplit batch file

D:\wlic-s>gsmsplit gsm.nb gsm.nbx
decompress _bclaa to _x_bclaa.nb...
Input file: 327668 bytes
Output file: 1494422494 bytes
Not enough memory
decompress _bclab to _x_bclab.nb...
Input file: 327668 bytes
Output file: -1 bytes
Not enough memory
decompress _bclac to _x_bclac.nb...
Input file: 327668 bytes
Output file: -1 bytes
Not enough memory
decompress _bclad to _x_bclad.nb...
Input file: 327668 bytes
Output file: -1 bytes
Not enough memory
decompress _bclae to _x_bclae.nb...
Input file: 327668 bytes
Output file: -196668450 bytes
Not enough memory
decompress _bclaf to _x_bclaf.nb...
Input file: 327668 bytes
Output file: -687577077 bytes
Not enough memory
decompress _bclag to _x_bclag.nb...
Input file: 327668 bytes
Output file: 379355411 bytes
Unknown compression algorithm: 19
decompress _bclah to _x_bclah.nb...
Input file: 327668 bytes
Output file: -1914372540 bytes

and so on

chrisb1
27-03-2007, 06:38 PM
The ahlok_hk aChef ROM Utils at http://forum.xda-developers.com/showthread.php?t=294364 resolved this issue by creating an imgfs_raw_data.bin file that viewimgfs could use.

naoki66
02-05-2007, 03:50 AM
Thanks, but how to make the .nbh files into usual .nbf files?


D:\tt2>NBHextract.exe nksigned
=== NBHextract v1.0
=== Extract contents from HTC
=== (c)2007 xda-developers.com
=== by: pof & TheBlasphemer ba

Device: StarTrek
CID: DOPOD001
Version: 1.32.707.0
Language: WWE
Extracting: 00_G3IPL.nb
Extracting: 01_G4IPL.nb
Extracting: 02_SPL.nb
Extracting: 03_GSM.nb
Extracting: 04_ExtROM.nb
Extracting: 05_MainSplash.nb
Encoding: 05_MainSplash.bmp
Extracting: 06_OS.nb

pof
02-05-2007, 03:57 AM
Thanks, but how to make the .nbh files into usual .nbf files?

StarTrek uses NBH, you must use NBH to flash it, you can't make a NBF.... btw you're posting on a very old thread :-)

joef
16-05-2007, 07:29 AM
Thanks! But how to extract the contents of 06_OS.nb?

Sylpheed
08-01-2008, 02:23 PM
Sorry for posting in this old thread, but does anyone know how to extract nb files??

Mikeapollo
08-01-2008, 06:49 PM
Sorry for posting in this old thread, but does anyone know how to extract nb files??

If you mean to separate a signed NBH to its component .NBs then use Dutties nb to NBH tool (real good)... (Search the forums for it - or see the FTP as I'm sure it's on there)

That can build you an NBH from VALID NBs and vice versa dead easily.

If you mean taking a dump of your ROM (in raw format) and turning that into an NB file - then see the wiki under Rom Kitchen
(http://wiki.xda-developers.com/index.php?pagename=Hermes_ROM_kitchen) it is quite a bit more involved tho ;)

indiekiduk
04-05-2008, 06:07 PM
I've had no luck extracting an NBH. I'm trying with this Trinity ROM because I am after the Fieldtest.exe from any Trinity ROM.
http://forum.xda-developers.com/showthread.php?t=309959
The RUU_signed.nbh is from the downloaded and extracted exe.

NBHextract.exe (http://forum.xda-developers.com/showthread.php?t=289830) RUU_signed.nbh
java -jar aChef (http://forum.xda-developers.com/showthread.php?t=294364).jar -1 02_OS.nb
viewimgfs.exe (http://forum.xda-developers.com/showthread.php?t=249836) imgfs_raw_data.bin

Unable to load compression DLL!

Any ideas?

btw "Dutties nb to NBH tool" meant nothing to me, I am using pof's NBHextract utility. Please post links!

EDIT: Ok so ignore the above stuff as it seems I have been using some out of date steps. Everything needed to dump a ROM is in this newer thread:
http://forum.xda-developers.com/showthread.php?t=298327
I successfully dumped a Trinity ROM and I just used the -hermes switch in the step