Hi,
I need help with my Ipaq 6955......i got a french verison and i need a english rom to flash, i have tried the tread that talks about the 6915 but does not work...

Please help need a english rom for it and if some has a wm6 rom for this model please let me know

http://forum.xda-developers.com/showthread.php?t=325051
Might help.
Anyways you (and I) need a Rom or rom upgrade that is in English (F*ckin HP doesn't provide it!!) Anyways P.M. I can give you the dumps of an English rom (I dumped it with pdocread (see link above) but I haven't tried to pdocwrite it so more or less its a shoot in the dark (dawn?) If you want more info about my dilemma see my last post in the above discussion. http://forum.xda-developers.com/showthread.php?t=325051&page=3
Anyways PM if you want those dumps

I guess there is another option available e.g. modify the registry and add some MUI files (Havent researched that option yet)

To convert nb to nbf there is a solution, but some questions stays unanswered...

During an upgrade, RUU uses wdatas which seem to use signature (source: hermes forum...). We don't have information about wdata command availability in bootloader mode.

In fact, the english dump you made is a CEOS file with header and some imgfs_removed_data.bin informations.

I tried to use a dump to create a CEOS file which could be disassembled as any other ipaq69xx ROM, but RUU hangs and the upgrade fails.

If we could know why the upgrade fails (checksum test, signature...), we could try to find a way to bypass it.

After this step, it will be easy to cook some ROM.

One more problem is G3 and G4.... Is it supposed to be the same G3/G4 difference than for wizard?

In another thread earlier you gave this link http://forum.xda-developers.com/showthread.php?p=1480853
Just went through the whole thing - relevant but not helpful. For short:

1) Extracting the osrom.nb using pdocwrite. To be frank I didnt like the usage of -d flag (device name) and -p (windows assigned) partition name. It makes things very confusing (If you try to actually follow the procedures not only re-type) because there are duplicates of device names TrueFFS and duplicates of partition names Part00 Part01 etc. If someone wants to understand the pdocread.exe flags and usage please read the following thread where itsme explains it all :) http://www.spv-developers.com/forum/showthread.php?t=2888

2) That thread describes a method to extract the directories of an OSrom image (using these tools http://forum.xda-developers.com/showthread.php?t=249836)
So this action helps to cook (modify the OSrom's files) and then put them back into .nb (.raw format that is not a flashable .nbf/nba)

3) Also describes how to extract various roms (Osrom, Extrom, RadioRom) from a different type of flashable rom .nbh Basically (not getting into depths, just to better describe it) .nbh is a .nbf/nba rom container used in flashable updates onto other HTC devices. This procedure is completely irrelevant to Sable/hw6915, but we can skip that.

4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that it's header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new coocked rom is legit :D This might come in handy someday.

5) The next step is to make a .nbh file container using HTC ROM Tool by Dark Simpson. This is completely irrelevant because sable does not use .nbh


Anyways that is as far as I go with my backup which cannot be restored. :@

Right now Im researching the possibility to just simply restore the osrom using pdocwrite utility form itsutils package. It seems the only simple, clear (and possible) option w/o cooking.

But I have some questions regarding that:
1) If my partitions are as follows :
63.94M (0x3ff0000) TrueFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
51.22M (0x3337e00) TRUEFFS
| 3.06M (0x30fc00) Part00
| 3.19M (0x330000) Part01
| 56.75M (0x38c0000) Part02
STRG handles:
handle f3f54ee2 51.22M (0x3337e00)
handle 93f54212 56.75M (0x38c0000)
handle 13f54026 3.19M (0x330000)
handle 33f54002 3.06M (0x30fc00)

What to dump - just the 56.75megs form 93f54212 handle or all 64 megs I can access using this handle? As I understand that the little partitons (first little) are also part of osrom containing xip and spl, but I dont want to change the SPL nor other things, just flash the Spanish rom with a copy of an English hw6915 rom which also happens to have additional software like tomtom for example.
2) And the second is about CID. As b0ris also I'm botherd about the G3/G4 thing. My bootscreen shows

English iPAQ 1.00.00
1.21UK

Spanish iPAQ 1.00.00
1.50
So I guess that I have G3 CID lock, but which tool should I use to unlock?

3) Can I even pdocwrite the OsRom when it is used by windows mobile? Thou guys developing aWizard say yes (I studied their bat file which executes the same pdocwrite and pdocread utils)http://forum.xda-developers.com/showthread.php?t=252957&highlight=awizard

4) This next thing is quite interesting - hexediting your .nb non-flashable rom file (in other words .raw) so that it's header would match the header of a manufacturer supplied .nb file (which is extracted from .nbh). This is done in order to trick the flashing utility/pda device into thinking that the new coocked rom is legit :D This might come in handy someday.


I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format. The problem in the upgrade. Some checksum/certificate verification made the upgrade fail. I don't know if this comes from the RUU or from the device.

Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!

The question I would like to answer is: Does the RUU tool send the checksum data to be verified on the device (hard to fix) or checks it on the PC, then send to the device (simple crack!)...

A simple way to answer it would be to upgrade the device using an official ROM, tell me what ROM you used (Orange, Bouygues, German, Spanish) and we'll see if the additional datas are sent or not.

If you got the solution about this, I have some ROMs... ROM headers are OK, ROM can be decompiled as any official ipaq ROM (except the Orange one), but ROM cannot be upgraded...

Of course pdocwrite should write, but we have to find where the CID lock is :)

I think one developer may have the answer to our questions about he cid
Well, I tooked the french Orange sable_ruu, and works everytime when flashing my 6915... The only rom for that update utility is in french.. i looked on internet and i've found sp's from HP, downloaded all, but none in English... Just for fun, i've hexedit every one of these sp's CEOS.nbf with that working french header from original Orange sable update...Then i flashed using sable_ruu from Orange package and i changed 3 or 4 different languages... it worked everytime, all was ok... but still no English CEOS.nbf in order to change language to English using the same method... So now i am looking for HP 6915 original softpack from HP, and that should also work in the same manner... If someone have it, i can give a try... Meanwhile, that's no problem for German, Spanish, Italian and Dutch (i think) languages... These are the only softpacks i've found till now...

He explains some of his techniques in this thread http://forum.xda-developers.com/showthread.php?t=325051&page=3

Of course pdocwrite should write, but we have to find where the CID lock is

It's a pitty though he didn't mention what he'd done with the CID lock thing.

I already PM him this morning but no response yet. Lets just give him a little bit of time and hope for the best :)


I adapted tadzio tools and mamaich tools to fit ipaq hw69xx rom format
What did you change exactly? I used the latest mamaich tools from

http://forum.xda-developers.com/showthread.php?t=249836

And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successfull. Anyways please post here what changes have you made to mamaich tools.

Someone sent me a USB Monitor log, but I wasn't able to read it... It was a .dmslog... If you know more about this file format, tell me!

Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file :)


BTW my devices are original HP (One English and one Spanish) with no operator's contract bugging me :) So please upload your English rom to this forum, rapidshare or my FTP server.

You may want to open the below link in IE or some FTP client app.
ftp://xda:xda-dev@85.254.216.226:82

I would very much appreciate it because I only have my dumped .nb rom :(

What did you change exactly? I used the latest mamaich tools from
http://forum.xda-developers.com/showthread.php?t=249836

if (argv[argc][1] == 'i')
{ rate=0x10089; step=0x10000; skip=0x89; }

it's in the last page of the mamaich thread, and I created a specific thread on the hw69xx forum


And using the -nosplit flag my rom was successfully prepared and after that viewed (e.g extracted from the prepared.bin file) w/o any hassles. I checked the directory tree and it seemed ok (many files and the commandline output in txt file reached 3MB. I checked it too and there were no errors)
The making of the initial .nb file also seemed successfull. Anyways please post here what changes have you made to mamaich tools.

Yes, the ROM stored in DOC is un-encapsulated, unlike current upgradable ROMs. That's one of the points that makes official ROMs upgradable. The other point is "What's contained in the unknown data zones, is it sent to the device for checksum verification or can we bust this verification by cracking RUU?"


Well if I ever have a file w/o extension or with unknown extension or purpose I simply try viewing it with far manager. Usually there is some readable text like the program name and version number with which the file was made. So just download that program/util and try opening/editing/viewing the file :)

try to find some informations... I didn't find any and used the same software as he used...


I would very much appreciate it because I only have my dumped .nb rom :(

There is another ROM dump available here on the forums

I can dump my 6965 ROM for you if you like. This is the Australian (English) model.

http://h10010.www1.hp.com/wwpc/au/en/sm/WF05a/1090709-1113753-1113753-1113753-1117925-12573438.html

If you can dump the bootloader part, it would be great to have it.

I'm asking this because in sable_RUU I'm seeing weird things
-The updater seem to be made to all hw6xxx series
-Very easy to track!
-Seem to be made for wdata command and wdatas command.

So my new question (last one was: "are the extra data of the NBF sent to the device, or checked by sable_RUU?") is:
"In bootloader mode, do your have wdata command or wdatas command?"
And:
"Is it just for hw65xx devices (if confirmed to work) or is it because of some preproduction devices who have a special bootloader (like the HERMES)?"

And that's why having a backup of an unmodified bootloader would be great! Just in case we need it later!

Hi!
I know that it is impossible to dump IPl using pdocread, so I can dump only the SPL (To be frank I dont know the offset and size of the SPL) so if you can link me to a SPL dump manual that would be very nice. If not I can give you my whole Osrom partition dump (Including the xip and other stuff - the 6.25megs before real Osrom) (see my ftp rx-8_en_dump folder)

If you want me to dump bootloader using bootloder mode I must say that I wasnt able to access it (pressing action button+power+soft reset) any suggestions?

http://forum.xda-developers.com/showthread.php?p=2577170#post2577170