Is it possible to dump ROM from bootloader?


cybor
13th December 2008, 02:00 PM
Hi !!

I'm sorry if I'm writing about something discussed before, but I searched the internet for 2 days (most links coming from xda :-) ) without success.

I'm pretty sure that it is not possible to do on Trinity due to bootloader limitations, but I want a last confirmation before flashing my device.

My boot loader is a Des' Crash-Proof SPL:

TRIN100
IPL-0.50

TRIN100
SPL-9.99 CP

After I played with the WM6 registry, it doesn't load the OS after reset.

I'm wondering if it is possible to dump the ROM (the mass storage part) from the bootloader, to mount it on a Linux box.

I read that the Trinity lacks the s2d command and also that rbmc didn't work.

Is there any other way to do it?

Of course I can't use pdocread.exe because the OS is not loaded on the Trinity.

Thanks in advance and sorry for my English.

Carlo.

cybor
13th December 2008, 10:38 PM
Hi again.

I was able to read the ROM with the rbmc command using the following commands:

password BsaD5SeoA
set 1e 1
task32
rbmc >/tmp/dump.bin 0x3100 0x17900

The problem is that the output is shown on the screen and not written to the file.
I tried on Linux using HTCFlasher and on Windows using mtty, with the > and without.
Any idea?

Carlo

stepw
17th December 2008, 07:13 AM
Try QMAT too, although it's not meant to be used with Trinity, it supports rbmc dumping.

cybor
17th December 2008, 01:44 PM
Thanks, I'll try it tonight.

stepw
19th December 2008, 06:18 AM
Here's an rbmc partition dumper I've created for dumping os, storage and ext rom. Storage partition doesn't seem to be readable this way...
You need to have a security unlocked device or HSPL that allows rbmc when device is not security unlocked.

Hope this helps...

cybor
19th December 2008, 06:37 PM
Thanks for the command, I tried it and it doesn't work.

I have the Des' Crash-Proof SPL on my Trinity and the rbmc command works, but I have to give the following commands before using it.

password BsaD5SeoA
set 1e 1
task32

Does your command supply them before dumping, or is there a command line option to pass them to the command?

stepw
20th December 2008, 12:45 AM
Works on my Trinity all right... task 32 is not required, btw.
Did you manage to get QMAT working/dumping?

cybor
20th December 2008, 03:21 PM
I tried several times but I always get this message:

C:\Temp2>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008

Reading OS.nb...
WARNING: rbmc OS.nb command failed!

Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!

Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!

Read 0xC1B144 bytes in 0d:00h:00m:01s.953ms

HTCSBye!>.L.HTCE

I switch the Trinity to the bootloader screen, then I plug in the USB and run the command with no args.

Where am I wrong? I tried without ActiveSync open, and with it open with the USB connection disabled.


No, I was unable to use QMAT; the manual is a little different from the version and doesn't explain the very first operation to make the program recognise the PDA.

Instead I was able to capture the rbmc output on my Linux box with minicom over USB, but I get an error after the program has been dumping for a while (the same I got on the screen using mtty), and I'm also a little confused about the partition dimensions shown by the "info 8" command.

Bye.

stepw
20th December 2008, 08:30 PM
What happens when you manually issue "rbmc c:\temp\os.bin OS" in mtty or minicom?

cybor
22nd December 2008, 07:26 PM
I start minicom with the capture option active then I use the command

Cmd>rbmc a 0x3100 0x17900

Then the dump starts

Cmd>rbmc a 0x3100 0x17900
GetExtRomData+(): *pszPathName=a, dwStartAddress=57600000, dwLength=8C08DAA0
:F=a :A=57600000 :L=8C08DAA0 :rbmc= HTCS0RPQQ"RTPQP>9<=ina
condominiale

[.....]

,(*"(B+&*0NANDFlashReadSectorWithSectorInfo: dwBlockIndex=0x400
NANDFlashReadSectorWithSectorInfo: Address over boundary!!!
rbmc: read data error at 0x8000000

In the [...] I got about 1 MByte of data.

My aim was to dump the user partition to recover some data, not the OS.

stepw
26th December 2008, 12:00 AM
This syntax is not valid:
rbmc a 0x3100 0x17900

1. Do not use 0x prefix for offset and length
2. Use actual flash offsets (starting at 50000000 (hex))

Can you try this exact command?
rbmc c:\temp\os.bin OS

This is the command rbmc.exe executes and it seems to be failing on your Trinity.

cybor
30th December 2008, 08:51 PM
I tried and that is what I had:

C:\temp>rbmc c:\temp\os.bin OS
HTC RBMC reader version 1.0, Dec 19 2008


Reading OS.nb...
WARNING: rbmc OS.nb command failed!

Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!

Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!

Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms

HTCSBye!>.L.HTCE

C:\temp>

stepw
31st December 2008, 12:31 AM
> I tried and that is what I had:
>
> C:\temp>rbmc c:\temp\os.bin OS
> HTC RBMC reader version 1.0, Dec 19 2008
>
>
> Reading OS.nb...
> WARNING: rbmc OS.nb command failed!
>
> Reading Storage.nb...
> WARNING: rbmc Storage.nb command failed!
>
> Reading ExtROM.nb...
> WARNING: rbmc ExtROM.nb command failed!
>
> Read 0xC1B144 bytes in 0d:00h:00m:02s.031ms
>
> HTCSBye!>.L.HTCE
>
> C:\temp>

Can you do it in mtty?

cybor
31st December 2008, 07:31 PM
Ok, sorry, I misunderstood.

Cmd>password BsaD5SeoA
Pass.
HTCST HTCEPassWord: BsaD5SeoA

Cmd>set 1e 1

Cmd>rbmc c:\temp\os.bin OS
Command error !!!

stepw
31st December 2008, 10:09 PM
Ok, it looks like your SPL doesn't support rbmc command, but if you do "rbmc 50000000 1" in mtty that works?

cybor
4th January 2009, 12:04 PM
Yes, it works.

Cmd>rbmc 50000000 1
GetExtRomData+(): *pszPathName=50000000, dwStartAddress=1, dwLength=8C08DAA0
rbmc=8DAA0
Cmd>

But it works only if I supply the "task 32" command after the "password .. " and "set 1e 1"

Could you modify your command to supply the "task 32" command, maybe by a switch?

cybor
4th January 2009, 12:18 PM
Finally it works!!

I mean your command... after the message before, I tried it this way.

I connect to the bootloader with the patched version of TeraTerm (to have the copy and paste function :) ), then I supply the three commands as in the message above, and finally I close TeraTerm and launch your command with no parameters, and here is what I get:

C:\Temp0\rbmc>rbmc.exe
HTC RBMC reader version 1.0, Dec 19 2008

Reading OS.nb...
0x4d50800 bytes read

Reading Storage.nb...
WARNING: rbmc Storage.nb command failed!

Reading ExtROM.nb...
WARNING: rbmc ExtROM.nb command failed!

Read 0x55628D8 bytes in 0d:00h:02m:02s.125ms

HTCSBye!>.L.HTCE


As you can see, it doesn't read Storage.nb and ExtROM.nb, but now I can get the OS.

So I think that the "task 32" is mandatory with the HardSPL I have on my Trinity.

Which HardSPL do you use to test your command?

stepw
5th January 2009, 12:31 AM
> So I think that the "task 32" is mandatory with the HardSPL I have on my Trinity.
>
> Which HardSPL do you use to test your command?

Yeah, well, this seems to be the way HardSPL works, you only get access to locked commands after faking security lock status with "task 32". I've added this command to rbmc.exe, however I want to make it more generic before I post the updated version, because dumping storage doesn't work so far.

I'm using MFG SPL 1.05 patched to allow rbmc, this shouldn't be relevant though.

stepw
5th January 2009, 04:09 AM
Ok, so attached is an updated version of rbmc.exe.
It will work just like the old version without any parameters, but you can specify the same parameters as you would feed to rbmc command too now.

E.g. to dump storage you can do
C:\>rbmc.exe storage.bin Storage

However due to a bug in SPL this won't work, it will produce an error message showing the starting offset of storage partition though.

Grab that offset, subtract it from 0x60000000 to get the correct storage size and run rbmc.exe again with parameters:
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000

You should have a dump of storage partition (albeit not exactly 0xACAC0000 bytes) in storage.bin file as a result. Note that resulting dump has NAND flash block status data (0x10 bytes every 0x200 bytes) that you may need to strip to get an image of storage partition you can work on.

Good luck!

cybor
6th January 2009, 06:45 PM
Thanks for this new release, it works fine.

I have a problem understanding how to calculate the offset.

When I run
rbmc.exe storage.bin Storage

I get:
Dumping rbmc storage.bin Storage to storage.bin...
ERROR: rbmc storage.bin Storage command failed; last message:
"Storage address error.(0x54DC0000, 0xB301000) "

What must I subtract from 0x60000000 to get the offset, and what is the other value in the last example you wrote?
C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000

I'm sorry to waste your time; I tried to understand but I failed, and I want to reach the end because in the future a tool like this will be very useful to recover data from a crashed Trinity.

stepw
6th January 2009, 08:48 PM
> Thanks for this new release, it works fine.
>
> I have a problem understanding how to calculate the offset.
>
> When I run
> rbmc.exe storage.bin Storage
>
> I get:
> Dumping rbmc storage.bin Storage to storage.bin...
> ERROR: rbmc storage.bin Storage command failed; last message:
> "Storage address error.(0x54DC0000, 0xB301000) "
>
> What must I subtract from 0x60000000 to get the offset, and what is the other value in the last example you wrote?
> C:\>rbmc.exe storage.bin 0x53540000 0xACAC0000
>
> I'm sorry to waste your time; I tried to understand but I failed, and I want to reach the end because in the future a tool like this will be very useful to recover data from a crashed Trinity.

You need to subtract the offset, e.g.
0x60000000-0x54DC0000=0xB240000, then use resulting size.

So in your case the command will be
C:\>rbmc.exe storage.bin 0x54DC0000 0xB240000

Good luck!

BTW, how are you going to extract your data from storage dump?

cybor
6th January 2009, 10:11 PM
> You need to subtract the offset, e.g.
> 0x60000000-0x54DC0000=0xB240000, then use resulting size.
>
> So in your case the command will be
> C:\>rbmc.exe storage.bin 0x54DC0000 0xB240000
>
> Good luck!

Thanks, but something goes wrong:

C:\Temp0\rbmc>rbmc.exe storage.bin 0x54DC0000 0xB240000
HTC RBMC reader version 1.1, Jan 5 2009


Dumping rbmc storage.bin 54DC0000 0B240000 to storage.bin...

.................................................. ..
WARNING: Dumping to file storage.bin failed!
0x3309000 bytes read

Read 0x3309000 bytes in 0d:00h:01m:22s.078ms

HTCSBye!>.L.HTCE

Any idea ?

How did you define the 0x60000000 ?


> BTW, how are you going to extract your data from storage dump?

I found an article that talked about mounting a dumped ROM (but made with the dump-to-sd command) on Linux; I don't have the link here now, but I'll post it soon.

stepw
7th January 2009, 03:43 PM
That sounds about right, there's only 128Mb of flash on Trinity, so you have dumped 0x3309000 bytes. 0x54DC0000+0x3309000=0x580c9000

As I had mentioned, there's some block status data in this dump (extra 0x10 bytes per 0x200 (or whatever your flash block size is) byte block), so it's not aligned. You can grab the storage.bin file generated and see if you can extract anything from there now.
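
Added example, not part of the original thread and not the code of rbmc.exe: the two manual steps from the posts above in Python, deriving the start and size arguments from the SPL's "Storage address error" message and stripping the block status bytes from the raw dump. The function names are hypothetical, and the layout (0x200 data bytes followed by 0x10 status bytes, repeated) is an assumption based on the sizes stepw gives; adjust `sector` and `spare` if your flash differs.

```python
import re

FLASH_END = 0x60000000  # value the thread subtracts the partition start from
SECTOR = 0x200          # data bytes per sector, as stated in the thread
SPARE = 0x10            # block status bytes per sector, as stated in the thread
_ADDR_ERR = re.compile(
    r"Storage address error\.\(\s*(0x[0-9A-Fa-f]+)\s*,\s*(0x[0-9A-Fa-f]+)\s*\)")


def rbmc_args_from_error(message, flash_end=FLASH_END):
    """Return (start, size) for the second rbmc.exe run from the SPL error text."""
    m = _ADDR_ERR.search(message)
    if m is None:
        raise ValueError("no 'Storage address error' values in message")
    start = int(m.group(1), 16)
    if not 0 <= start < flash_end:
        raise ValueError(f"start {start:#x} is outside the flash window")
    return start, flash_end - start


def strip_block_status(raw, sector=SECTOR, spare=SPARE):
    """Drop the status bytes from a raw dump held in memory.

    Assumed layout: `sector` data bytes, then `spare` status bytes, repeated.
    A truncated final record keeps only its data part.
    Returns (data, dropped) so the byte counts can be sanity-checked.
    """
    stride = sector + spare
    data = bytearray()
    for off in range(0, len(raw), stride):
        data += raw[off:off + sector]  # slice stops early on a short tail
    return bytes(data), len(raw) - len(data)


def strip_file(src, dst, sector=SECTOR, spare=SPARE):
    """Same as strip_block_status, streamed record by record for large dumps."""
    kept = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while rec := fin.read(sector + spare):
            kept += fout.write(rec[:sector])
    return kept  # number of data bytes written to dst


if __name__ == "__main__":
    # Error text as posted in the thread.
    start, size = rbmc_args_from_error(
        '"Storage address error.(0x54DC0000, 0xB301000) "')
    print(f"rbmc.exe storage.bin 0x{start:08X} 0x{size:X}")
```

Work on a copy of storage.bin and keep the raw dump untouched, since the stripped image is only as good as the layout assumption.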

cybor
11th January 2009, 03:51 PM
Thanks... I'll try soon to mount the image I grabbed. Opening it with a hex editor I see a lot of useful data, but I don't know if it will be possible to mount it the way I read in a post on another site.

I'll post the procedure if I'm able to reach that kind of success.

Bye.

buck3t
20th April 2009, 08:36 AM
Hi. Tried to download your rbmc.zip but was unable to open the application. Was wondering if you had any new upgrades for this application and if you could please post it. Trying to use the rbmc command to recover a HTC Jasjam.

Much appreciated.

stepw
21st April 2009, 01:58 AM
I'm not sure it will work on your device. The application is working perfectly on my Windows XP. It won't work on Vista and Windows 7 :(

buck3t
22nd April 2009, 11:36 AM
Hi stepw

Got rbmc working on another box. Was able to recover OS.nb, Storage.nb and ExtRom.nb.
OS.nb and Storage.nb had the same MD5 hash.

When I recovered OS.bin and Storage.bin separately, files of different sizes were created. Any ideas why?

I'm trying to view the information recovered off the phone. Have tried "dumping" the contents of the OS.nb using Imgfs tools. Any other ideas how I can do this?

Lastly, can your rbmc application output sections in .raw format?

Cheers

pulsaropode
18th August 2009, 04:18 AM
Hi all,

I have the same issue here. I've been able to retrieve Storage.nb (on Win XP) which contains the data I need, but how can I open the file?
At least if a structure is known I could write a small app to extract all files?

sterh
16th November 2009, 09:33 AM
Hi ,
the problem I am facing is different: probably my WLAN EEPROM was erased after trying different ROMs, so now I have lost my MAC address and the WLAN does not turn on.
Does anyone have an idea how to make a copy of a healthy ROM from another Trin, or which is the address of the WLAN EEPROM???

any help is appreciated

SuperSport
18th November 2009, 10:13 AM
> Hi,
> the problem I am facing is different: probably my WLAN EEPROM was erased after trying different ROMs, so now I have lost my MAC address and the WLAN does not turn on.
> Does anyone have an idea how to make a copy of a healthy ROM from another Trin, or which is the address of the WLAN EEPROM???
>
> any help is appreciated

+1 Thanks

arpcpro
27th November 2009, 03:00 AM
+1 , bump

Thanks

arpcpro
27th November 2009, 03:01 AM
> Hi,
> the problem I am facing is different: probably my WLAN EEPROM was erased after trying different ROMs, so now I have lost my MAC address and the WLAN does not turn on.
> Does anyone have an idea how to make a copy of a healthy ROM from another Trin, or which is the address of the WLAN EEPROM???
>
> any help is appreciated



+1 , bump

Thanks