A new bootloader version for HTC Hermes devices is available on XDA-Developers (thanks 300logic (http://forum.xda-developers.com/showthread.php?t=288611)!). This is a very special bootloader version 1.01 MFG which allows to flash unsigned code, meaning that ROM cooking should now be possible on the Hermes :eek:

Warning to those who don't know what you're doing. Don't to be tempted to attempt this for now.

To flash BootLoader 1.01 MFG your DEVICE MUST BE SuperCID first: If you don't have a SuperCID device, this is not useful to you.

* It makes possible flashing custom splash screens
* It makes possible flashing separate ROM parts (only OS, only ExtROM, etc...)
* It makes possible radio upgrade only
* It makes possible flashing roms in NBF format (not tested yet.. research needed)
* It makes possible flashing cooked OS.nb: RESEARCH TO BE DONE IN THIS, AND FULL CAUTION ADVISED

Instructions on how to use this bootloader version have been posted in the wiki:
ROM cooking and Bootloader 1.01 MFG (http://wiki.xda-developers.com/index.php?pagename=Hermes_BootloaderMFG)
Please read everything before asking questions!

Noob FAQs:

Q: Will this VOID my warranty or brick my device?
A: YES if you don't know what you are doing.
--
Q: How to downgrade to bootloader 1.04?
A: Reading this (http://wiki.xda-developers.com/index.php?pagename=Hermes_Howto_Bootloader104).
--
Q: How to make a device superCID?
A: Reading: this (http://forum.xda-developers.com/showthread.php?t=282073).
--
Q: How to check my bootloader version?
A: Put your device in bootloade mode (http://wiki.xda-developers.com/index.php?pagename=Hermes_Resets), when you are on the tri-color screen check the number after SPL-X.XX. This is your bootloader version.
--
Q: Will this help softbank X01HT with 1.14 radio users in any way?
A: No, you can't SuperCID your devices because it is not known how to replace the radio on your device.
--
Q: Will this fix my bricked device?
A: No, unless it is SuperCID after bricking.
--
Q: What is the CID? How do I check my CID? blah, blah...
A: READ THE WIKI (http://wiki.xda-developers.com/index.php?pagename=HTC_Hermes) before asking questions please!


Please don't ask questions on this post if you don't have a SuperCID device yet, your question will probably be answered in any other post, and this is not the place to ask it.

Real FAQs:

Q: What is a NBH file?
A: Read here (http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH).
--
Q: How can I extract the ROM parts from a NBH file?
A: Read here (http://forum.xda-developers.com/showthread.php?t=289830).
--
Q: What is the difference between 'lnb' and 'lnbs' bootloader commands?
A: lnbs is to flash signed code and is available in all bootloader versions, lnb is to flash unsigned code and is only available in 1.01MFG
--
Q: What is the diference between 'wdata' and 'wdatah' bootloader commands?
A: wdatah is to flash signed NBH files and is available in all bootloader versions, wdata is to flash NBF files and is only available in 1.01MFG
--
Q: Why can't I use 'lnbs' in bootloader >= 1.04?
A: You need to issue 'task 32' first to check your SecLevel, it must be Level=0
--
Q: What are the addresses for each ROM part?
A: See NAND Flash distribution (http://wiki.xda-developers.com/index.php?pagename=HermesMemoryMap) here.
--
Q: Has someone successfully cooked OS.nb?
A: Not yet, the format seems to be different from previous NK.NBA, but we're working on it and you are welcome to join us for development/research purposes in this thread (http://forum.xda-developers.com/showthread.php?t=289377).


Do I miss anything? :)

Enjoy! ;)

I think that covers it!

Could we 'upgrade' this preproduction bootloader to version 1.10 for example?!?

Thanks Pof for the Wiki and thanks 300logic for provide the bootloader:)

Please, I some questions;

- is now possible to flash a dumped ROM? If yes, How?

- Is possible to get a backup copy of the actual splash screens before changing it?



Thank you.

Can I really downgrade from BL 1.09 to 1.04 with the Bootloader 1.01 MFG-Tool!:)

Can I really downgrade from BL 1.09 to 1.04 with the Bootloader 1.01 MFG-Tool!:)
POF answers this one later.....

Excellent POF and all of the others; let the cooking begin!

Could we 'upgrade' this preproduction bootloader to version 1.10 for example?!?
You can go from 1.01MFG to 1.09 with 'lnb', and you would to any version too...

is now possible to flash a dumped ROM? If yes, How?
First you have to convert the dumped ROM to OS.nb format of the Hermes... something which will require quite some time until someone can figure out. See here (http://forum.xda-developers.com/showthread.php?t=289377) if you are interested.

Is possible to get a backup copy of the actual splash screens before changing it?
Take a shipped ROM from your vendor, and extract the splash screen with NBHextract (http://forum.xda-developers.com/showthread.php?t=289830).

Can I really downgrade from BL 1.09 to 1.04 with the Bootloader 1.01 MFG-Tool!:)
Yes if your device is SuperCID (Security Level=0).

Hi :)
I'm interrested on informations about rom cooking form hermes trinity :)
Can you tell me if it's possible, with the current imgfs tools , to extract valid dll files and to use this files on other devices...
I currently have problems for loading a dll driver and i'm looking for help for analyzing why...
Anybody know how to use kitl.... ?
Thanx

So... is it possible now to flash a dumped ROM somehow?

Great news.

This mean in future cooked wm6 roms :D :D

bravo, i'am waiting for this days for a long time.

mtty has been sitting at

USB>task 32
Level = 0
USB>lnbs SPL-1.01.nbs 50020000
:F=SPL-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF

start NB image download

for about 10 minutes now. anything wrong?

never mind, I was using the wrong mtty. when I used the one included, it worked great. thanks!

bravo, i'am waiting for this days for a long time.
+1 thks for all

Can you tell me if it's possible, with the current imgfs tools , to extract valid dll files and to use this files on other devices...
Yes, it should be possible... see this thread (http://forum.xda-developers.com/showthread.php?t=289377) for info on how to split the file to extract correct imgfs_raw_data.bin.

Anybody know how to use kitl.... ?
Put hermes in KITL mode (comm manager + power + softreset) and connect to it with Platform Builder. I can't help you more, because I don't have PB.

Thank you very much, bootloader downgrade from 1.09 to 1.01 MFG now.

you are very cool

pof (maybe we should call u prof.)

as u have mentioned, after flash to bootloader 1.01 can revert to SPL 1.04.
is it possible to re-flash SPL 1.06 which i've extracted from Dopod newer ROM?
[just need advise from an expert before my hermes die :) ]

Why would you want 1.06 over 1.04?

@hang.tuah: yes, it is possible... but I have the same question as ionide... why 1.06?? it does not offer any good over 1.04, just has downsides and annoyances :P

thanx pof. just curious. thought just can revert to SPL 1.04 as provided only.

:)

So, any updates on the ROM cooking front? and success had? or failures?

@mxlaser: one success, several failures :P See the thread on rom cooking (http://forum.xda-developers.com/showthread.php?t=289377).

@mxlaser: one success, several failures :P See the thread on rom cooking (http://forum.xda-developers.com/showthread.php?t=289377).

DelFile - OK!
AddFile - not working :((((((((((((((

I love this bootloader. I was able to put the following on my X01HT.

Radio: 1.27.00.00
OS ROM: 1.33.761.4 (Softbank)
Bootdr: 1.01MFG

After that I used Asukal's English MUI's and it is running like a champ.

Thanks fellas.

I even had to fix the "stuck at bootloader" brick.

Will change of Bootloader to 1.01 MFG require the cold reset (removing of all the content and installed programs) or the content of the machine will stay unchanged ?

@baudy2: it does not require hardreset, nothing will be erased.

pof, how correct add file to the ROM?

When I use addfile.exe, my ROM not loading! But when I use delfile.exe, my ROM loading OK!

pof, how correct add file to the ROM?

When I use addfile.exe, my ROM not loading! But when I use delfile.exe, my ROM loading OK!

I had planned to look into this over the weekend, but didn't find the time. But aren't the Universal folks using AddFIle all the time? Maybe they know about some pitfalls that must be avoided which we haven't found yet?

Cheers
Daniel

pof, how correct add file to the ROM?

When I use addfile.exe, my ROM not loading! But when I use delfile.exe, my ROM loading OK!

@lvsw: did you flashed the cooked ROM after using addfile.exe? If yes, was there any bad block error that your have encountered afterward? Thanks.

@lvsw: did you flashed the cooked ROM after using addfile.exe? If yes, was there any bad block error that your have encountered afterward? Thanks.

After using of addfile exe i have sucsessful flashed my device. while flashing there was no errors or any problems. But the device is booting until the second splash with a label TEST ONLY.
If use only delfile.exe - everything`s ok!

tadzio, In the Universal`s NAND flash and Samsung CPU?

from my days of cooking custom roms for my Universal.. i never used the add file command with maimachs tools.. rather i copied and pasted files directly to dump folder and complied a rom thereafter..
has anyone tried this approach???

When I use addfile.exe, my ROM not loading! But when I use delfile.exe, my ROM loading OK!
I did a quick test and wasn't able to use addfile, delfile worked fine and I haven't had time to look at it more deeply.

But the device is booting until the second splash with a label TEST ONLY.
Second splash has nothing to do with OS.nb.

In the Universal`s NAND flash and Samsung CPU?
No, universal has M-Systems DOC and Intel PXA270 CPU.

from my days of cooking custom roms for my Universal.. i never used the add file command with maimachs tools.. rather i copied and pasted files directly to dump folder and complied a rom thereafter..
has anyone tried this approach???

Yes, and everyone who tried bricked the device. We have to go "step by step" first.

I had planned to look into this over the weekend, but didn't find the time. But aren't the Universal folks using AddFIle all the time? Maybe they know about some pitfalls that must be avoided which we haven't found yet?

I didn't had time too :( Universal rom cooks dump the full rom and work with a rom kitchen that facilitates the rom editing work... add|del file is way too primitive for them :p but it's our starting point, as we risk the device every time we flash something modified. Universal has DOC (Disc-on-Chip) as non-volatile memory storage but Hermes has NAND flash. Most NAND flash devices contain a initial manufacturer marked bad-block table, and I think that the problem we are facing when flashing modified OS.nb is that we flash (overwrite) these factory-marked bad blocks and we loose the marking on the bad-block table inside the memory array. After using those initially marked bad blocks as if they were good, we produce other good blocks to fail.

Today I got a hermes device from a friend who flashed cooked OS.nb and it was not booting OS, it was a SuperCID device with 1.01 MFG on it. Bootloader output for "info 8" showed a lot of bad blocks on it, not enough buffer in mtty to see them all:

...
Block 0x2B7(695) is BAD block !!!
Block 0x2B8(696) is BAD block !!!
Block 0x2B9(697) is BAD block !!!
...
Block 0x3EC(1004) is BAD block !!!
Block 0x3ED(1005) is BAD block !!!
Block 0x3EE(1006) is BAD block !!!
Block 0x3FB(1019) is Reversed block


My first test has been flashing a 64Mb file filled with zeros, after that I got this message when formating NAND:


USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 1007
Can't find OS in flash!!!
Storage format success


But the bad blocks where still there when issuing a "info 8" again, then I tried to flash a 64Mb file filled with FF's and this has been the result while flashing:


USB>lnb osFF.nb
:F=osFF.nb
:A=501A0000
:O=00000000
:L=FFFFFFFF

start NB image download
Load ADDR: 501A0000 Length: 3F000AC
*********************NANDFlashWriteBlockWithSector Info: dwBlockIndex=0x400
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!
NANDFlashWriteBlockWithSectorInfo: dwBlockIndex=0x401
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!
NANDFlashWriteBlockWithSectorInfo: dwBlockIndex=0x402
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!
NANDFlashWriteBlockWithSectorInfo: dwBlockIndex=0x403
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!
...
NANDFlashWriteBlockWithSectorInfo: dwBlockIndex=0x7FE
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!
NANDFlashWriteBlockWithSectorInfo: dwBlockIndex=0x7FF
NANDFlashWriteBlockWithSectorInfo: Address Error2!!!


Device got stuck here... we left it for a while, but USB monitor showed there was no traffic, so we finally soft resetted it and it didn't wake up anymore not even the bootloader, so I guess NAND flash god corrupted in the IPL/SPL part.

I wished I had tried to debug it with KITL+PB to see if I coudl find any useful info there, but it was too late :(

auch Pof! that's ugly and sad!
maybe we sould try to trace the jtag connector on the Samsung Cpu

http://www.samsung.com/Products/Semiconductor/MobileSoC/ApplicationProcessor/ARM9Series/SC32442/JtagFlash_Prog_Code.zip

on this page is everything for samsung cpu jtag. you can read and write anything on 4 wires (trough a jtag interface) they supply the program and also the source code on how to write in NAND, Flash Strata, etc. Interface schematic included. In C you can see that you where right about the array of bad-blocks in NAND

Thanks invictus, already looked at almost everything in the samsung cpu page :) however I don't think I am able to connect the jtag to hermes hardware, jtag pins are unknown and I'm not an electronics junkie :rolleyes:

Info about NAND -flash!!!
http://msdn2.microsoft.com/en-us/library/ms836792.aspx#systemmemorymgmtwince_topic1#systemm emorymgmtwince_topic1

...
My first test has been flashing a 64Mb file filled with zeros, after that I got this message when formating NAND:

USB>task 28
Storage format start
Write Nand Success
dwBlockToWrite = 1007
Can't find OS in flash!!!
Storage format success
But the bad blocks where still there when issuing a "info 8" again, then I tried to flash a 64Mb file filled with FF's and this has been the result while flashing:
...
Device got stuck here... we left it for a while, but USB monitor showed there was no traffic, so we finally soft resetted it and it didn't wake up anymore not even the bootloader, so I guess NAND flash god corrupted in the IPL/SPL part.

I wished I had tried to debug it with KITL+PB to see if I coudl find any useful info there, but it was too late :(

Hi pof, I got curious about what you tried here, the infamous bad-block issue. If I'm right, task 28 command formats flash. But what area, and how does it deal with hardware bad-blocks?!? Also I have seen other task x commands on this forum, but can't find any reference for this commands... I simply want to know what different task commands do, is there any known list or something?!?

I simply want to know what different task commands do, is there any known list or something?!?

http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader

Can it has sense use old utilities with the key “- acer” (instead of the renovated version with the key “- hermes”)

...
I didn't had time too Universal rom cooks dump the full rom and work with a rom kitchen that facilitates the rom editing work... add|del file is way too primitive for them but it's our starting point, as we risk the device every time we flash something modified. Universal has DOC (Disc-on-Chip) as non-volatile memory storage but Hermes has NAND flash. Most NAND flash devices contain a initial manufacturer marked bad-block table, and I think that the problem we are facing when flashing modified OS.nb is that we flash (overwrite) these factory-marked bad blocks and we loose the marking on the bad-block table inside the memory array. After using those initially marked bad blocks as if they were good, we produce other good blocks to fail.
...

@pof: Do u mean that even we flash the original extracted 06_OS.nb, there is still some risk of bricking the device because of the NAND flash?

I am asking because for me it doesn't make sense if flashing original .nb won't overwrite factory-marked bad blocks but flashing cooked .nb will have them overwritten. I always think that it's the format of the .nb that matters....

I flashed an original ROM extracted from the NBH without bricking it. Is it possible to extract a file from an original ROM (1) then re-inject the same file into a new ROM (2) and compare the Original to the New one? Maybe the bad blocks will be more identifiable that way.

Most NAND flash devices contain a initial manufacturer marked bad-block table, and I think that the problem we are facing when flashing modified OS.nb is that we flash (overwrite) these factory-marked bad blocks.

Unless I misunderstood something in this thread, I thought the problem is only when something is added to the OS image file. So If I use "DelFile" to remove operator themes, ringers and start-up files that image flashes fine, is this correct?

I don't claim to understand squat about NAND Flash Memory but all storage contains a bad-block table. The command we use should not be able to modify this info as it is managed by the bootloader read/write processes (and used exclusively by them) all we can do is send the data in. With the OS image we don't even get to tell it where to start writing.

I'm sure you guys have already looked at the possiblity that when adding a file the image becomes too large to fit so I doubt overwriting past the end of the OS Space is the issue (besides the bootloader should protect against that).

So now I wonder when files are added to the image are they simply appended to the end? I mean is there some kind of sync-bit or something that tell the bootloader "at this point in the image you should be at address XXXX" which would put it at the end of the OS space and now we are adding data after that so it gets written where is should not be?

I hope this isn't just so stupid that I lose credibility, please remember that I understand jack squat about NAND, just trying to think outloud here.

http://wiki.xda-developers.com/index.php?pagename=Hermes_BootLoader

task 28 - format DoC !?!

Format Disk on Chip ??? This is strange, Hermes is NAND not DoC... What exactly this command 'formats'? What ROM range? I guess it does not touch bootloader, right? How does it treat bad blocks? I don't understand...

@pof: Do u mean that even we flash the original extracted 06_OS.nb, there is still some risk of bricking the device because of the NAND flash?

Original extracted OS.nb does not produce bad blocks at all, but cooked/modified OS.nb does. I did several test with delfile.exe and flashed cooked image without problems, I checked before flashing that all the IMGFS_GUID occurrences where kept at the same place in the original OS.nb and my modified OS.nb, this seems to be safe. I wasn't able to use addfile.exe with my dumped imgfs_raw_data, through I haven't looked at the issue deeply.

So If I use "DelFile" to remove operator themes, ringers and start-up files that image flashes fine, is this correct?
Correct.

Please don't start throwing theories and try for yourself, don't flash, just use tadzio tools and play with several OS.nb and [add|del]file.exe and use a good hex editor to compare the results of your cooked file and the original file. Also try to play with other devices nk.nba and compare the results you get with the ones you get cooking hermes OS. Only through this path we will be able to conclude something.

@Zgembo: On hermes it formats NAND, but the help was taken from other device bootloader which has the same command. Hermes bootloader doesn't have help. We don't know how does it treat bad blocks... so get a disassembler (I'd suggest IDA pro) and find yourself if you are curious about it, otherwise nobody will answer your questions because there is no documentation about it and nobody knows (well,.... sure HTC programmers do, but they won't come here and tell us! :P)

@Zgembo: On hermes it formats NAND, but the help was taken from other device bootloader which has the same command. Hermes bootloader doesn't have help. We don't know how does it treat bad blocks... so get a disassembler (I'd suggest IDA pro) and find yourself if you are curious about it, otherwise nobody will answer your questions because there is no documentation about it and nobody knows (well,.... sure HTC programmers do, but they won't come here and tell us! :P)I was afraid you would say that! ;) Do we know, at least, what ROM range it formats? I'm bit afraid of trying to 'format' my working device.

Please don't start throwing theories and try for yourself, don't flash, just use tadzio tools and play with several OS.nb and [add|del]file.exe and use a good hex editor to compare the results of your cooked file and the original file. Also try to play with other devices nk.nba and compare the results you get with the ones you get cooking hermes OS. Only through this path we will be able to conclude something.

pof, I may be crazy but I ain't stupid! I paid $500 US for my 8525 and I don't plan on frying it two weeks in.

I've never editing a Rom image before so I'll probably sh#t myself the first time I get brave enough to flash one I've changed (even simple delete) because it seems with the Hermes you can fry it with just an OS Image unlike the Wizard & BlueAngel.

I think I'll probably flash back an original Shipped Cingular Rom (and wait until they release the PTT AKU 3.3 update) before taking that step because they will warranty replace my phone if the Operator Upgrade makes it toast.

In the meantime, I'm reading everything posted here and will be downloading the tools mentioned so be ready for some Newbie Rom Cooking questions from me!

I was afraid you would say that! ;) Do we know, at least, what ROM range it formats? I'm bit afraid of trying to 'format' my working device.

I have successfully used MTTY to do an OS only flash of my 8525.

Given that you format, flash the os.nb then format again my guess would be that the format command is equal to "Clear Storage" in settings or the "Hard Reset" where it simply removes personal changes to the device and resets the status to "New OS, requires configuration".

@Zgembo: It's just like doing a hard reset. I've done that hundreds of times... it's safe.

@kyphur: I don't like to fry my hermes either, that's why I only try dangerous stuff after examining everything is under my control, but sometimes you just have to risk a device if you want to do some progress :)

@kyphur: I don't like to fry my hermes either, that's why I only try dangerous stuff after examining everything is under my control, but sometimes you just have to risk a device if you want to do some progress :)

I completely agree pof! Keep up the good work!

Original extracted OS.nb does not produce bad blocks at all, but cooked/modified OS.nb does. I did several test with delfile.exe and flashed cooked image without problems, I checked before flashing that all the IMGFS_GUID occurrences where kept at the same place in the original OS.nb and my modified OS.nb, this seems to be safe. I wasn't able to use addfile.exe with my dumped imgfs_raw_data, through I haven't looked at the issue deeply.

Are you saying that when you used Addfile.exe you got an error or that the IMGFC_GUID occurrences were changed?

@kyphur: I got an error, see here (http://forum.xda-developers.com/showthread.php?t=289377&p=1112008).

I haven't tried with other OS.nb after that... not enough time for everything, I got a new device ;)

Have a look.
Just find something, may be it could be usefull to know.
First column-original bin; 2nd-modified
I tryed to del wceload.exe then compared bin files
i saw these at header

69D580: B8 FF
69D581: 00 FF
69D582: B8 FF
69D583: 00 FF
....
then i made new bin file and deleted welcome.exe

1151680: B8 FF
1151681: 00 FF
1151682: B8 FF
1151683: 00 FF

non-module files has this on header (tried to delete camera.exe etc)

33B05A8: FE FF
33B05A9: F6 FF
33B05AC: 00 FF
33B05AD: 00 FF
33B05AE: 00 FF
33B05AF: 00 FF
33B05B0: 00 FF

So, next i tryed to use addfile.exe and compared bin files.
i saw that.
1st-modified, 2nd-original.

347CE05: D2 00
347CE06: 47 00
347CE07: 03 00
347D1C0: 2F FF
347D1C1: 0E FF
347D1C2: 2F FF
347D1C3: 0E FF
347D1C4: 00 FF
347D1C5: D4 FF
347D1C6: 47 FF

Every time addfile writes new files to the same adress. And owerwrites zero values.

Also I compared wizard's bins before and after adding a file. So :) file was written in FF (clear) area only!
I think that we should try to write new file to rom only in FF area. Probably, when we overwrite zero values we get bad block with incorrect values. also i think that addfile get free space of rom incorrectly...and area for searching free space should be fixed

btw, old prepare imgfs with acer key give the same bin file as new prepare imgfs tool with hermes key.

... I wasn't able to use addfile.exe with my dumped imgfs_raw_data, through I haven't looked at the issue deeply.
...


I have tried using addfile.exe to several extracted 06_OS.nb. Except 1.35 ROM, which I found no more free space (I guess FF) left at the end of the 06_OS.nb,
all other ROM can use addfile.exe without error.

But one thing make me hesitate to flash the cooked ROM is that: the original .nb and the cooked .nb have so many differents when using VBinDiff.exe to compare their binary content.

For example, when I just use delfile.exe, the cooked .nb only contains 2 parts of different compare with the original .nb. But the using addfile.exe there are more than 100 parts of different compare with the original.nb.

Every time addfile writes new files to the same adress. And owerwrites zero values.

Also I compared wizard's bins before and after adding a file. So :) file was written in FF (clear) area only!
I think that we should try to write new file to rom only in FF area. Probably, when we overwrite zero values we get bad block with incorrect values. also i think that addfile get free space of rom incorrectly...and area for searching free space should be fixed

Yes, that makes sense :)

I have tried using addfile.exe to several extracted 06_OS.nb. Except 1.35 ROM, which I found no more free space (I guess FF) left at the end of the 06_OS.nb,
all other ROM can use addfile.exe without error.
Thanks for pointing that out, I only tried with 1.35, so I guess this the problem I was having.


But one thing make me hesitate to flash the cooked ROM is that: the original .nb and the cooked .nb have so many differents when using VBinDiff.exe to compare their binary content.

For example, when I just use delfile.exe, the cooked .nb only contains 2 parts of different compare with the original .nb. But the using addfile.exe there are more than 100 parts of different compare with the original.nb.

I've never used VBinDiff, but that's weird. After reading mun_rus explanation I think it should only modify the header depending on if it's a file or a module, and add the content of the file I guess at the same block and not fragmented or splitted over imgfs_raw_data.bin, so you should see only 2 changes also when adding.

I will try to repeat the steps again tonight using OS.nb from a rom other than 1.35 and compare the produced output using radare (http://radare.nopcode.org). Ideally, the bin raw data after deleting and adding a file into it should be exactly the same.

@pof
i tryed to add and delete the same file.
When i deleted file i got different bins files(
Have a look:
After add mun1.jpg

347CE05: D2 00
347CE06: 47 00
347CE07: 03 00
347D1C0: 2F FF
347D1C1: 0E FF
347D1C2: 2F FF
347D1C3: 0E FF
347D1C4: 00 FF
347D1C5: D4 FF
347D1C6: 47 FF
...etc

And after del this file i got only 11 difference in bins!

347CE05: D2 00
347CE06: 47 00
347CE07: 03 00
347D200: CE FF
347D201: 14 FF
347D202: 53 FF
347D203: 2F FF
347D204: 00 FF
347D205: 00 FF
347D206: 00 FF
347D207: 00 FF
Any ideas?
I also told with mamaich he said that in some ways it was nessesary to edit imgfs_removed_data.bin to get correct nb file in output..

In the day when I cooked Wizard ROM, some files are not able to extracted by imgfs_tools. Those file are located at WM5 boot XIP partition. And I used a program called RomMaster.exe ( http://forum.xda-developers.com/showthread.php?t=249015 ) to add or delete files in XIP.

BTW, I think right now we are very close to the point of rom cooking. We need better make_imgfs.exe and then better addfiles.exe only...

IMHO, the critically important stage 1 cooking process will be complete: you will be able to flash cooked os.nb with 1.01MFG bootloader and mtty.

Also: thanks for your info on XIP... I'm off to investigate dumprom now... :)

@pof: what are your thoughts about merging the thread you closed with this one? I'm ambivalent about it. On one hand I don't want to be like HoFo and create gargantuan threads but OTOH its a bit difficult to maintain conversation continuity (as evidenced here)....

I think 1 thread is better, but to keep if from getting too long to manage, people should post less off-topic stuff (like i'm doing now :( )

Everyone, please keep down on the "I'm eagerly waiting, keep up the good work, you people are great" posts. Maybe we should start a seperate thread for praise , compliments and worshipping? :)

Ahhh... XIP = eXecute In Place. I didn't know WM even supported this.... Explains why I've never seen a coredll.dll in imgfs dump...

Still, I may be missing more files. I'm verifying with the universal folks now...

@pof: what are your thoughts about merging the thread you closed with this one? I'm ambivalent about it. On one hand I don't want to be like HoFo and create gargantuan threads but OTOH its a bit difficult to maintain conversation continuity (as evidenced here)....

No because the other one was started before, and we'll loose the 1st main post on this one if we do so.

Ahhh... XIP = eXecute In Place. I didn't know WM even supported this.... Explains why I've never seen a coredll.dll in imgfs dump...

Still, I may be missing more files. I'm verifying with the universal folks now...

These info from msdn
NAND flash memory is a block-accessed storage device, very much like a conventional electro-mechanical disk drive with a serial interface. For this reason, NAND flash memory is not suitable for execute in place (XIP) solutions because the CPU requires program memory to be linear. Instead, NAND flash memory images are typically moved to DRAM during execution either at boot time or by OS paging.
The storage capacity of NOR flash memory devices is typically smaller than that of NAND flash memory, but their simpler SRAM-like hardware interface and their lack of manufactured bad blocks make NOR a suitable choice for certain designs.
NOR flash memory is a random-access storage device with a hardware interface similar to SRAM. Because of this, NOR flash memory is suitable for XIP designs where the CPU is allowed to fetch instructions directly from flash memory. While flash memory read access times are slower than that of DRAM, the performance penalty can be lessened through good design, for example, by optimizing code for cache usage and running select high-impact code from RAM.
NOR flash memory capacities are typically smaller than NAND due to the basic gate design and to yield concerns—NOR flash memory is sold without manufactured bad blocks. This tends to limit capacities while elevating the cost-per-byte ratio. However, for a given design, NOR flash memory can be advantageous because it does not require additional DRAM or bad block management logic.

Everyone, please keep down on the "I'm eagerly waiting, keep up the good work, you people are great" posts. Maybe we should start a seperate thread for praise , compliments and worshipping? :)

Please, noobs (like me) & hangers on, post here :Praise to the Gurus (http://forum.xda-developers.com/showthread.php?t=292241)

@mun_rus: That is what I understood. Is the XIP area of a ROM image an artifact then or is this loaded at boot time? Once I used dumprom on the XIP area, I retrieved coredll.dll.

I have changed my bootloader to 1.01 successfully, but for some reason now I cannot do any ROM updates (specifically the 1.35 ROM). My device is super-CID, etc etc and I have previously changed my ROM to the 1.31 Cing ROM w/aku 2.6. I ran all unlock utilities and I tried to update my radio. Both were successful, but for some reason when I try and load the 1.35 ROM its now telling me "wrong device for this upgrade."

I've done this all before, and in the wiki it says if you get this error, just run the wizard again. I then get comm error, and when I reset into BL mode I keep getting the same "device" error. I have come to conclude that the only reason I cannot update is because of this 1.01 bootloader. ANyone try and install the 1.35 SA ROM AFTER downgrading to 1.01 before?

I may have to re-install 1.04 just for this upgrade.

@patmannyc: 1.01MFG doesn't allow upgrades in NBH format. You have to extract the NBH and upgrade the rom parts using 'lnb' command, or upgrade to 1.04 if you want to flash a full NBH. Read the wiki.

@mun_rus: That is what I understood. Is the XIP area of a ROM image an artifact then or is this loaded at boot time? Once I used dumprom on the XIP area, I retrieved coredll.dll.

Couldn't that be what the different IMGFS_GUID parts are for? To distinguish which parts of the rom have to go in NAND an which parts in NOR for XiP?

I may have to re-install 1.04 just for this upgrade.

You said it yourself ;) Install 1.04 and it will work fine :)

As pof said in the readme that came with the bootloader :)

Oops sorry, somehow it didn't show the new messages before posting this.

Thank you guys.

I figured it was the BL, that's why I asked here instead of wasting another thread. I looked everywhere I thought the info would be, and didn't see it. Thanks for the clarification.

kyphur,are you try to solve NAND Flash Memory in Hermes?
I think NAND Flash Memory in my Hermes is something in Flash Memory, but can not remove.
I am almost mad................

kyphur,are you try to solve NAND Flash Memory in Hermes?
I think NAND Flash Memory in my Hermes is something in Flash Memory, but can not remove.
I am almost mad................


I goofed my NAND Flash also But was able to get my 8525 to look Stock again with a memory error on boot so I simply took it back to the store for replacement (as they are non the wiser). If your device is under warranty I would recommend flashing the latest stock Rom from your carrier and getting it repaired/replaced under warranty.

I'm not have warranty!~~~~~~~~~~~~~~~~~~~~~~~~~~~~

pof
have you had a look at the artemis forum, they seem to have a customized rom for it, more details

http://forum.xda-developers.com/showthread.php?t=292867
and
http://www.pdamobiz.com/show_news.asp?NewsID=77719

if they have customized nbh roms then they must know how to add files to it!!! may be you should have a look at it.

hi pof,

i have an unlocked post dec x01ht that is supercid but has radio bl 0108. as such, i can't change the radio unless i'm in bl 1.09 and of course i can't use radio-only upgrades, even when bl is in 1.04. this is actually quite a pain because every time i want to upgrade a radio i have to "upgrade" to bl 1.09 which involves an entire nbh rom upgrade, which of course wipes out all my data.

what i'm wondering is, do you have a "spl-1.09.nb" file so i can use it with mtty.exe while in 1.01mfg so that i can easily upgrade to 1.09 when i need to. alternatively, can you suggest a better way to do radio upgrades given my device?

Hi, I have a problem. When I run the task 32 command, I get an FF return when it's supposed to be 0.
Now I know that this is because of SuperCID, but I HAVE superCID. I installed it 2 weeks ago, and just now again. It says super CID succesfull, but I still get the FF return when using mtty.

What am I doing wrong?

The program always says "Success" when it finishes. The only way to really see if you are SuperCID or not is in mtty. Do the following command and it will display your device CID:

USB>Info 2

sleuth have you had a look at my post above, i don't understand this stuff but i thought may be you could.

Ok thanks sleuth. The return I get is: HTCSQTEK_001ÖUSB>
Does that mean I need to downgrade to the old radio ROM (1.16 if remember correctly), rerun hermunlock v2a, and THEN try to load bootloader 1.01MFG ?

anyone? is that a valid response to get from info 2 on mtty?

Uh... VIBE... I think you're device ain't SuperCID, cause that's the CID string and your device seems to be locked to QTEK.

I got this HTCSSuperCIDHTCE when I did a info 2. It should be that, or something equivalent like 0000000 if i'm not wrong...

Check the output of task 32 to see if your device is really SuperCID

ok, so how does that happen ? qtek is a U.S. branding, right? could it have happened when I did one one of the radio stack upgrades?

anyway, how do I get superCID to work now? I have allready downgraded to bootloader 1.04, an while the program runs, it won't change my cid security setting to 0.

Downgrade to bootloader 1.04, then do pof's CIDUnlocker.

yes, i've done that. But I still have the same problem.

Did you make sure to flash the ROM included in the unlocker package AND run the unlocker app?

no, I only did the radio stack downgade the first time I loaded superCID, i'll do it again, then superCID again, then bootloader 1.01mfg, then ROM & OS AKU3.3, then bootloader 1.4, then radio 1.27 again. that'l keep me busy all day. thx echo.

no problems. enjoy :)

USB>USB>
USB>task 32
Level = 0
USB>lnbs SPL-1.01.nbs 50020000
:F=SPL-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF

start NB image download

now it just sits here forever... No status on the phone showing that it is upgrading, and no status in mtty.

I am currently SuperCID on SPL-1.06 (Cingular's latest ROM).

Any ideas?

Thanks,
Jesse

[EDIT - PROBLEM SOLVED]
It appears that i was running a different version of mtty then the one provided. I switched to this new one and connected to the \\WCEUSBSH001 port instead of "USB" (in the other version) and the flash completed as expected.

also note the nb extract tools does not work with the new cingular rom... i tried to manually do things the hard way and i am getting an error at block 187...


Error in block 187 (00BB0000 - 00BC0000)

also note the nb extract tools does not work with the new cingular rom... i tried to manually do things the hard way and i am getting an error at block 187...


Error in block 187 (00BB0000 - 00BC0000)


i think it has something to do with the animated splash screen... actually i bet it does since the tool tries to convert the splash images into bmp's

also note the nb extract tools does not work with the new cingular rom... i tried to manually do things the hard way and i am getting an error at block 187...


Error in block 187 (00BB0000 - 00BC0000)


I was able to extract and flash just the OS and Extended ROM just fine. I had trouble trying to flash the splash screens, though. I do have the new splash screens now, though. I'm currently at bootloader 1.01 and radio 1.27.

also note the nb extract tools does not work with the new cingular rom... i tried to manually do things the hard way and i am getting an error at block 187...
I was able to extract it without problems with NBHExtract, try downloading the rom again.

I was able to extract it without problems with NBHExtract, try downloading the rom again.

Same problem for me i cant extract the new cingular rom...

I have download the rom for two times. Rar file when i extract the rom dont give me error.
CRC is 02B188B6...

NBHextract start and create a new file tempfile.dbh but after the program go in hang on

http://img62.imageshack.us/img62/7703/bloccozu4.jpg

What are you exactly doing? :confused:

Hi pof i have edit the post #91...
Like you see i give right comand but program dont go on...

Do you have enough free space in F:\ ??

Do you have enough free space in F:\ ??

In F i have 3.46 Gb free.
It a pen drive usb 2

I dont have close the program...
Now i see that tempfile.dbh it is increasing very slowly the its dimension

In F i have 3.46 Gb free.
It a pen drive usb 2

Try doing it in a hard drive (ie: c:\).

Chalk me up for being another one to have NO problems extracting the new ROM.

Hi pof.
Thx in C works fine
Sorry for disturb .....

i was also trying it on a usb pen drive... however when i try doing it on a regular hard drive it works just fine...

With The Release Of The SSPL Tool. Does This Advance The ROM Cooking Situation? What Is Left To Be Done To Cook A ROM?Are There Any Tools Still Required Before We Can Cook A ROM?

Cheers

We can delete files then re-package with make_imgfs, but we can't add files yet. It creates corrupted blocks when the resulting image is re-flashed.

The SSPL solution will allow us to create custom RUU installers that make it easy to flash cooked roms. This was fully 50% of the issue IMO, since hermes owners need a way to easily flash cooked roms.

Did Tadzio Ever Find The Reason For The addFile Causing A Corrupted ROM?

I don't think so.

Did Tadzio Ever Find The Reason For The addFile Causing A Corrupted ROM?

Sorry, that didn't make it to the top of my priorities list in the last weeks - too many other things going on. I hope I'll find the time to have another look in the next few days.

Cheers
Daniel

No Worries Tadzio. I Was Just Curious As To Wether Any Development Has Happened. Thankyou For Your Great Contributions So Far And I Hope They Continue To Come.

Cheers

I Supercid my device using the previous v2a tool, I have updated my bootloader to version 1.01 MFG with mtty.exe according to the instructions. and I managed to flash only the os_nb file and the extented rom of the aku 3.3 rom using the NBHextract tool.
After upgrading my radio to version 1.27.00 my device was stuck in bootloader mode but i managed to get out using mtty. exe again with the command usb>set 14 0.
My device now is working ok but i want to go back to my previous bootloader 1.04 but i cannot.
I use mtty. exe again and wiki instructions and I get the following message when i wright task 32
level FF and command error. How can I go back to my previous bootloader 1.04 please advice?
Should I use in my case the newest cid tool?

You've somehow lost SuperCID. It also sounds like you used the RUU updater to do the 1.27 upgrade. That will generally crash leaving your BL set to re-boot in bootloader mode.

Traditionally, you'd need the bootleg 1.04BL solution or flash the 1.04 bl equipped Cingular 1.30 rom in nbh if your device is an 8525

sspl may change this though. I'm not sure of the variations however or if it works correctly with an initial upgrade when bl 1.01MFG is present.

I thought so that I lost my supercid and I did the following:
I went back to the patched radio 1.16 used previously with v2a unlocker and then I tried again to go back to BL 1.04 using mtty.exe and it worked. After I flashed again radio 1.27.00 with BL 1.04 succesfully.
It is obvious that we should not use BL 1.01 MFG for radios updates.

If you want to cook rom, you may try using aChef ( http://forum.xda-developers.com/showthread.php?t=294364 ) to replace prepare_imgfs.exe and make_imgfs.exe. :)

If you want to cook rom, you may try using aChef ( http://forum.xda-developers.com/showthread.php?t=294364 ) to replace prepare_imgfs.exe and make_imgfs.exe. :)

THANX!

It seems to work okay, now just need some quick course in how to cook a rom.

I guess it won't work when I just extract this rom and a wizard Crossbow rom and then start replacing the TYTN OS with the WM6 one from the Wizard?

I think i'm thinking to simple about it, but i guess it won't take long now before the first cooked roms wil show up.

And again, thanx a lot!

If you want to cook rom, you may try using aChef ( http://forum.xda-developers.com/showthread.php?t=294364 ) to replace prepare_imgfs.exe and make_imgfs.exe. :)

THANX!

It seems to work okay, now just need some quick course in how to cook a rom.

I guess it won't work when I just extract this rom and a wizard Crossbow rom and then start replacing the TYTN OS with the WM6 one from the Wizard?

I think i'm thinking to simple about it, but i guess it won't take long now before the first cooked roms wil show up.

And again, thanx a lot!

any new developments, I have not seen a post in several days?

I menaged to upgrade OS but cannot ExtROM. What could be a problem?

KR

Will this brick my Trinity if I install it? I want to downgrade my bootloader so I can run the 'rtask' commands.

@prsnow: This will kill your trinity, this bootloader is only for Hermes.

Sorry if it is not the proper place to post this problem.:(

Want to install SPL-1.01MFG_Pack.
Started mtty, connected, press enter(once), get Cmd> ????
After typing lnbs spl-1.01.nbs 50020000
Get:

:F=spl-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF

start NB image downloadS
H
Load ADDR: 50020000 Length: 402C4
***
SPL flag is incorrect, please check your SPL is correct.
Write NAND error, addr=0x50020000
Error !! The image must be in ROM area.

What's wrong with it.

Sorry if it is not the proper place to post this problem.:(

Want to install SPL-1.01MFG_Pack.
Started mtty, connected, press enter(once), get Cmd> ????
After typing lnbs spl-1.01.nbs 50020000
Get:

:F=spl-1.01.nbs
:A=50020000
:O=00000000
:L=FFFFFFFF

start NB image downloadS
H
Load ADDR: 50020000 Length: 402C4
***
SPL flag is incorrect, please check your SPL is correct.
Write NAND error, addr=0x50020000
Error !! The image must be in ROM area.

What's wrong with it.

Ah! I have SPL 2.10.olipro. It's hardspl.
So i think i have to get ride of this.
How to do so?

Ah! I have SPL 2.10.olipro. It's hardspl.
So i think i have to get ride of this.
How to do so?

you boot your phone into windows.... Run SSPL on your device... connect to your device through mtty and follow the 1.01MFG flashing procedure...

Quote:
Originally Posted by Cedricguo
Ah! I have SPL 2.10.olipro. It's hardspl.
So i think i have to get ride of this.
How to do so?

you boot your phone into windows.... Run SSPL on your device... connect to your device through mtty and follow the 1.01MFG flashing procedure...


sir, same thing here, but stucked on tricolor bootloader,

help