WP8 ROM analysis [UEFI and RUU nbh] by ansar

ansar.ath.gr · Nov 3, 2012

Hi to all,

Update on 17.02.2013, WP8 LEO ROM development

I am developing a new WP8 ROM for LEO and can access all WP8 STORE apps

as HTC apps, apps, games, music and podcasts, under the name of MARKETPLACE

Up to now all music and podcasts work ok but for HTC apps, apps and games

there is a pop up of comparibility warning as can be seen in the following screen shots

In the ROM are also included all WP8 lock screens, wallpapers and sounds, and more items

I hope to develop this LEO ROM as further as posible

//// ROM Screen Shots ////

End of 17.02.2013 update

********************************

Update on 28.12.2012, The WP8 Partitions

The WP8 Partitions, as identified up to now

There are 28 [0x1C] in total, 21 [0x15] Read-Only and 7 Read-Write

READ-ONLY SECTION START

Device Provisioning Partition (FIRST READ-ONLY)
01 DPP 16384 Unknown FS

QUALCOMM 8960 SPECIFIC READ-ONLY PARTITIONS

Modem golden file system - MUST FOLLOW DPP
02 MODEM_FSG 6144 Unknown FS

Secure Software Download
03 SSD 16 Unknown FS

Bootloaders
04 SBL1 3000 Unknown FS
05 SBL2 3000 Unknown FS
06 SBL3 4096 Unknown FS
07 UEFI 5000 Unknown FS
08 RPM 1000 Unknown FS
09 TZ 1000 Unknown FS

fTPM Application
0A WINSECAPP 1024 Unknown FS

Bootloaders Backup Section (Sizes must match)
0B BACKUP_SBL1 3000 Unknown FS
0C BACKUP_SBL2 3000 Unknown FS
0D BACKUP_SBL3 4096 Unknown FS
0E BACKUP_UEFI 5000 Unknown FS
0F BACKUP_RPM 1000 Unknown FS
10 BACKUP_TZ 1000 Unknown FS

fTPM Application Backup Section (Sizes must match)
11 BACKUP_WINSECAPP 1024 Unknown FS

UEFI Variable Services Partitions - Read-Only
12 UEFI_BS_NV 512 Unknown FS
13 UEFI_NV 512 Unknown FS

ACPI table storage
14 PLAT 16384 FAT

EFI System Partition (LAST READ-ONLY)
15 EFIESP 131072 FAT ByteAlignment 0x4000000

READ-ONLY SECTION END

START QUALCOMM 8960 SPECIFIC READ-WRITE PARTITIONS

Modem live file systems
16 MODEM_FS1 6144 FAT ByteAlignment 0x4000000
17 MODEM_FS2 6144 FAT

UEFI Variable Services Partitions - Read-Write
18 UEFI_RT_NV 512 FAT
19 UEFI_RT_NV_RPMB 256 FAT

END QUALCOMM 8960 SPECIFIC READ-WRITE PARTITIONS

MICROSOFT READ-WRITE PARTITIONS

1A MMOS 8192 FAT
1B MainOS 1343488 NTFS ByteAlignment 0x800000
1C Data 0x4000 NTFS ByteAlignment 0x800000

END MICROSOFT READ-WRITE PARTITIONS

SectorSize 512 bytes
ChunkSize 128 Kb

End of 28.12.2012 update

********************************

This thread is devoted to WP8 ROM analysis
.
.
1. The hTC structure of WP8 ROM version 1.00
.
.
A. The Block structure of the WP8 UEFI_signed.nbh
.
.
1st Block, the new file header // Identical to RUU, except 2 bytes
.
.
Start 0x00000000 End 0x000001FF Length 0x200 bytes
.
0x00000000 Htc@egi$ // file name ID
.
0x00000008 0x008F // word:ID [TBN]
.
0x0000000A 0x0500 // word:0x05 [TBN]
.
0x00000014 1.00.401.24 // ROM version
.
0x0000001F 0x08 // byte:0x08 [TBN]
.
0x00000020 PM232000* // Device ID [TBN]
.
0x00000040 WWE // ROM language
.
0x000000D0 HTC__001 // CID list start
.
0x000000D8 HTC__203 // CID list
.
... ... // CID list
.
0x00000120 HTC__K18 // CID list end
.
.
.
.
2nd Block // [TBN]
.
.
Start 0x00000200 End 0x0001001FF Length 0x100000 bytes
.
.
.
.
3rd Block // Identical to the 3rd Block of RUU [TBN]
.
.
Start 0x00100200 End 0x0003067FF Length 0x206600 bytes
.
.
.
.
4th Block // Identical to the 10th Block of RUU [TBN]
.
.
Start 0x000306800 End 0x000322662 Length 0x1BE63 bytes
.
This block ends with non unicode text hTCVer001.532.009 and a trailing 0x0A
.
.
5th Block // Identical to the 11th Block of RUU [TBN]
.
.
Start 0x000322663 End 0x0004594D1 Length 0x136E6F bytes
.
This block ends with non unicode text hTCVer001.532.010 and a trailing 0x0A
.
.
6th Block // Identical to the 12th Block of RUU [TBN]
.
.
Start 0x0004594D2 End 0x00063A129 Length 0x1E0C58 bytes
.
This block ends with non unicode text hTCVer001.532.015 and a trailing 0x0A
.
.
7th Block // [TBN]
.
.
Start 0x00063A12A End 0x00081E815 Length 0x1E46EC bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
.
.
B. The Block structure of the WP8 RUU_signed.nbh
.
.
1st Block, the new file header // Identical to UEFI, except 2 bytes
.
.
Start 0x00000000 End 0x000001FF Length 0x200 bytes
.
0x00000000 Htc@egi$ // File name ID
.
0x00000008 0x008F // word:ID [TBN]
.
0x0000000A 0x0A00 // word:0x0A [TBN]
.
0x00000014 1.00.401.24 // ROM version
.
0x0000001F 0x13 // byte:0x13 [TBN]
.
0x00000040 WWE // ROM language
.
0x000000D0 HTC__001 // CID list start
.
0x000000D8 HTC__203 // CID list
.
... ... // CID list
.
0x00000120 HTC__K18 // CID list end
.
.
.
.
2nd Block // [TBN]
.
.
Start 0x00000200 End 0x0001001FF Length 0x100000 bytes
.
.
.
.
3rd Block // Identical to the 3rd Block of UEFI [TBN]
.
.
Start 0x00100200 End 0x0003067FF Length 0x206600 bytes
.
.
4th Block // the Radio part 01 (Holds hTC certificates)
.
.
Start 0x000306800 End 0x00031E815 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
5th Block // the Radio part 02 (Holds hTC certificates)
.
.
Start 0x00031E816 End 0x00033682B Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
6th Block // the Radio part 03 (Holds hTC certificates)
.
.
Start 0x00033682C End 0x00034E841 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
7th Block // the Radio part 04 (Holds hTC certificates)
.
.
Start 0x00034E842 End 0x000366857 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
8th Block // the Radio part 05 (Holds hTC certificates)
.
.
Start 0x000366858 End 0x00037E86D Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
9th Block // the Radio part 06 (Holds hTC certificates)
.
.
Start 0x00037E86E End 0x000396883 Length 0x18016 bytes
.
This block ends with non unicode text hTCVer001.532.008 and a trailing 0x0A
.
.
10th Block // Identical to the 4th Block of UEFI [TBN]
.
.
Start 0x000396884 End 0x0003B26E6 Length 0x1BE63 bytes
.
This block ends with non unicode text hTCVer001.532.009, an 0x0D and a trailing 0x0A
.
.
11th Block // Identical to the 5th Block of UEFI [TBN]
.
.
Start 0x0003B26E7 End 0x0004E9555 Length 0x136E6F bytes
.
This block ends with non unicode text hTCVer001.532.010 and a trailing 0x0A
.
.
12th Block // Identical to the 6th Block of UEFI [TBN]
.
.
Start 0x0004E9556 End 0x0006CA1AD Length 0x1E0C58 bytes
.
This block ends with non unicode text hTCVer001.532.015 and a trailing 0x0A
.
.
13th Block // the WP8 image
.
.
Start 0x0006CA1AE End 0x00322D53EF Length 0x31C0B242 bytes
.
This block will be developed in more detail
.
.
.
Both will be more detailed in the next posts #2 and #3
.
.
Notes
,
,
1. that there are certain differences between hTC and Nokia structures
.
2. all info is provided on a development base only
.
.
Regards, ansar

ansar.ath.gr · Nov 3, 2012

UEFI.nbh ROM detailed amalysis development

This post is reserved

ansar.ath.gr · Nov 3, 2012

RUU.nbh ROM detailed analysis development

Also this post is reserved

gigsaw · Nov 3, 2012

xuantunt said:
How to extract? OSBuilder?

no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).

sianto1997 · Nov 3, 2012

gigsaw said:
no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).

I know what's exactly in it! It has 2 user profiles (default & public), a windows folder + system32 folder. And *.sys drivers.

Regards

(I don't know how, but I have a dump!)

ultrashot · Nov 4, 2012

gigsaw said:
no, you can't use osbuilder because this rom isn't built like other winCE's roms (wm6.x, wp7). This rom has got his own filesystem (I think it should be ReFS), and his own structure. You have to wait because some developers are digging into it. Right now we only know that the system structure is similar to a Windows PC, even drivers are in sys format (this is a bad news for those who are waiting a porting to older devices).

Main partitions are always NTFS

FearL0rd · Nov 4, 2012

ultrashot said:
Main partitions are always NTFS

Maybe it looks like the XBOX FS

Cotulla · Nov 8, 2012

They are really W8 NTFS

timmymarsh · Nov 10, 2012

Guys, please keep the chat relevant to dev work, thread cleaned.

Thanks.

Shaky156 · Nov 18, 2012

I've linked diamondback/flemmard n other deva to this thread, as you're not the only ones with this problem, android is updates HTC are using the same method

So as you can see this isn't specifically windows related

Useless guy · Nov 22, 2012

madman0817 said:
I know enough c@/JS/java/c++ to get me through the door. How can I help and where do I start?

Wow, you should work in the Pentagon with this knowledge

And should hack every KGB server.

Jiihaa · Dec 16, 2012

A few tidbits that might help you guys further. WP8 kernel overview can be found here: Windows Phone 8 Kernel Architecture

It seems to differ also from W8 with that way that the user mode driver model is not supported, just KMDF & WDM kernel mode drivers. Packages are developed by installing The Windows Driver Kit (WDK) and top of that couple of specific WP8 kits. There is user mode only for applications which the OEM installs.

Sorry, it's not much, but that's all info that has floated my way..

ansar.ath.gr · Dec 28, 2012

Hi to all,

The identified up to now WP8 image partitions are listed in #1 post

Regards, ansar

mo3ulla · Dec 31, 2012

Jiihaa said:
A few tidbits that might help you guys further. WP8 kernel overview can be found here: Windows Phone 8 Kernel Architecture

It seems to differ also from W8 with that way that the user mode driver model is not supported, just KMDF & WDM kernel mode drivers. Packages are developed by installing The Windows Driver Kit (WDK) and top of that couple of specific WP8 kits. There is user mode only for applications which the OEM installs.

Sorry, it's not much, but that's all info that has floated my way..

it is not differ . its WOA ( windows on arm ) with some additions ( becose its a phone lol )

1. codebase of gui is shared with 7.8 - you really thought they will rewrite it? becose of it and becose Its a phone where you dont need explorer.exe subsystem. some additions was made into os composition . its more similar to - windows embended then windows RT (WOA ) . biggest example of embended roots is - Image update process . in WP8 system partition with main os - read only ntfs . in order to write something there - system reboots into Windows PE enviroment.. rest of the system is damn similar . even SXS in place lol . ( atleast package structures clearly indicates on that ).

2. disabling kernel mode for all apps is expectable . in early 2012 they sayd. that they did it to minimise of potential security impact in bugged OEM SOFTWARE . or you really think - they does not noticed security hole in HTC connection manager or some OEM software which helps in jailbreak os .. ofc they know it

o2neouzr · Jan 12, 2013

can anyone give me a link to the ROM. I've been looking for a link but all seem either dead, or the ROM is damaged and cant extract the nbh properly.

Jiihaa · Jan 25, 2013

There's an Apollo bring up guide floating on the net, which pretty clear states the differences.

ansar.ath.gr · Feb 17, 2013

Info on WP8 LEO ROM development

Hi to all,

I am developing a WP8 ROM for LEO, see post #1

Regards, ansar

ellokomen · Feb 17, 2013

ansar.ath.gr said:
Hi to all,

I am developing a WP8 ROM for LEO, see post #1

Regards, ansar

I read somewhere that the drivers for WP7 and WP8 were different.

Did you have to write new drivers in order to make it work??

warriorvibhu · Feb 17, 2013

ansar.ath.gr said:
Hi to all,

Update on 17.02.2013, WP8 LEO ROM development
I am developing a new WP8 ROM for LEO and can access all WP8 STORE apps
as HTC apps, apps, games, music and podcasts, under the name of MARKETPLACE
Up to now all music and podcasts work ok but for HTC apps, apps and games
there is a pop up of comparibility warning as can be seen in the following screen shots
In the ROM are also included all WP8 lock screens, wallpapers and sounds, and more items
I hope to develop this LEO ROM as further as posible
Regards, ansar

Seriously Ansar,
Now i am not doubting you here ..i am just looking with eyes wide open .. Is that really windows 8.. wow .. Looking at your screenshots looks like you have made some pretty good progress..People must be going crazy in wait ..
See you soon with a beta build ..
Best
wV

ellokomen · Feb 17, 2013

warriorvibhu said:
Seriously Ansar,
Now i am not doubting you here ..i am just looking with eyes wide open .. Is that really windows 8.. wow .. Looking at your screenshots looks like you have made some pretty good progress..People must be going crazy in wait ..
See you soon with a beta build ..
Best
wV

it's very interesting to see a "non compatible phone" from WP7 running WP8, clearly Microsoft lied to us in the face about the upgrade process to jump from winphone7 to winphone8.

WP8 ROM analysis [UEFI and RUU nbh] by ansar

Retired Recognized Developer

Retired Recognized Developer

Retired Recognized Developer

Senior Member

Senior Member

Inactive Recognized Developer

Senior Member

Retired Senior Recognized Developer

Senior Moderator - Emeritus

Senior Member

Retired Recognized Developer

Member

Retired Recognized Developer

Senior Member

Senior Member

Member

Retired Recognized Developer

Senior Member

Inactive Recognized Developer

Senior Member

Similar threads

Top Liked Posts