boggsie
2nd December 2008, 09:05 PM
Starting with ababrekar's brilliant exposé on how to manually port an XIP from one device to another, there has been a great deal of attention paid to the process of getting the XIP.BIN isolated from the rest of the ROM.
I thought that I could try to contribute with the information others have shared with me. Ultimately, it may prove to be beneficial if there were a development thread dedicated to extracting the XIP.BIN.
Credit to dcd, vetvito, ababrekar, gguruusa, lennysh, noonski and, of course, all those who develop and update the various tools!
First off, you're best off if you start with a RUU/WWE from HTC/Sprint/Bell, etc.
1) The very first step in this process is to extract the NBH file that includes the OS. Do this by using WinRAR or WinZip to open the executable and look for the largest file with the extension NBH. In the case of our example, that file is VOGUIMG.nbh.
2) The next step is to break VOGUIMG.nbh into its various pieces by executing the following:
nbhextract.exe VOGUIMG.nbh
The result is the following screen output:
=== NBHextract v1.0
=== Extract contents from HTC NBH files
=== (c)2007 xda-developers.com
=== by: pof & TheBlasphemer based on itsme perl scripts
Device: VOGU10000
CID: VZW__001
Version: 3.14.605.1
Language: USA
Extracting: 00_SPL.nb
Extracting: 01_MainSplash.nb
Encoding: 01_MainSplash.bmp
Extracting: 02_SubSplash.nb
Encoding: 02_SubSplash.bmp
Extracting: 03_Unknown.nb
Extracting: 04_OS.nb
We are after the XIP, which is contained within the file 04_OS.nb
3) The next step is to break 04_OS.nb into its various pieces by executing the following:
nbsplit.exe -titan 04_OS.nb
The result is the following files:
04_OS.nb.extra
04_OS.nb.payload
We're still not there yet, as the XIP is contained inside 04_OS.nb.payload.
The address where the XIP.BIN ends can be found with imgfsfromnb:
rename 04_OS.nb.payload to OS.nb.payload
imgfsfromnb OS.nb.payload imgfs.bin
output:
Sector size is 0x800 bytes
ImgFs partition starts at 0x00680000 and ends at 0x05680000
Dumping IMGFS at offset 0x006c0000 (size 0x04fc0000)
In the next step, we use RomMaster and we feed it the start address and end address of the XIP.
Remember, these start and end addresses will vary from device to device and in the case of the same device but a custom rom, the address can vary from one custom rom to the other.
Ababrekar has suggested "the best way to find out the start address for each partition would be from the LBA in MBR region"
In the case of the Vogue, when dealing with non-custom ROMs, the XIP usually begins at 0x00320000.
So, the start address is 0x00320000 and you use imgfsfromnb.exe to get the end address 0x006c0000 and feed these two parameters as part of the input to RomMaster:
RomMaster.exe -x -w 5 -s 0x00320000 -e 0x006c0000 OS.nb.payload -o xip.bin
What this does is output a file (XIP.BIN) comprised of all the data between the two (-s START -e END) addresses (-s 0x00320000 -e 0x006c0000) fed into RomMaster.
XIP.BIN
None of this have I discovered myself. It is a compilation of instructions that I received from members credited above. What we could do with this thread is use it as a discussion point for others who have or are having problems getting the XIP out of the os.nb.payload.
Best regards,
-boggsie
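Added example (not part of boggsie's post and not code from any of the tools named in it): a Python sketch of the two ideas above, reading each partition's start offset from the LBA fields of the MBR as ababrekar suggests, and carving the bytes between a start and an end offset with bounds checks. It assumes the payload begins with a standard MBR and uses the 0x800 sector size from the imgfsfromnb output; the sample image, its type bytes and the exclusive end offset in carve() are constructed assumptions, not statements about the Vogue ROM or RomMaster.

```python
import struct

SECTOR_SIZE = 0x800  # sector size reported by imgfsfromnb in the post


def mbr_partitions(image: bytes, sector_size: int = SECTOR_SIZE):
    """Return (type, start_offset, end_offset) for each used MBR entry."""
    if len(image) < 512 or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        ptype = entry[4]
        # Bytes 8-11: starting LBA, bytes 12-15: sector count (little endian).
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        start = lba_start * sector_size
        parts.append((ptype, start, start + sectors * sector_size))
    return parts


def carve(image: bytes, start: int, end: int) -> bytes:
    """Return the bytes in [start, end); end is exclusive (assumption)."""
    if not 0 <= start < end <= len(image):
        raise ValueError(
            f"range 0x{start:08x}-0x{end:08x} does not fit in "
            f"an image of 0x{len(image):x} bytes"
        )
    return image[start:end]


def build_sample() -> bytes:
    """Constructed 9-sector image with two partition entries (not a real ROM)."""
    img = bytearray(9 * SECTOR_SIZE)
    # (type byte, starting LBA, sector count): all constructed values.
    for i, (ptype, lba, count) in enumerate([(0x23, 2, 3), (0x25, 5, 4)]):
        struct.pack_into("<B3xB3xII", img, 0x1BE + 16 * i, 0, ptype, lba, count)
    img[510:512] = b"\x55\xaa"
    img[2 * SECTOR_SIZE : 5 * SECTOR_SIZE] = b"X" * (3 * SECTOR_SIZE)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    for ptype, start, end in mbr_partitions(sample):
        print(f"type 0x{ptype:02x}: 0x{start:08x} - 0x{end:08x}")
    print(len(carve(sample, 0x1000, 0x2800)), "bytes carved")
```

Comparing the offsets this prints against the start and end addresses you plan to use is a quick way to catch a value copied from a different device or custom ROM before extracting.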