Please remember to add a category to the bottom of each page that you create.
See categories help for further details, but most will probably be [[Category:HTC ModelName]].

Hermes HowtoDumpRom

From XDA-Developers
Jump to: navigation, search

How to dump the ROM (step by step)

This page explains the process to dump the ROM of your Hermes. The HTC_Hermes does not have a disk-on-chip flash, like most other HTC devices, you can however use pdocread with the -w switch.

pdocread is part of the itsutils tools collection, you can download the source* executables [http://www.xs4all.nl/~itsme/projects/xda/tools.html here].

Now let's start the process:

1. Unzip the contents of itsutils.zip on
c:\itsutils

2. Connect your Hermes to PC using USB cable, and make sure ActiveSync is running

3.
Start -> run -> cmd.exe

4.
cd c:\itsutils

5. First we are going to find the device handles for all the flash partitions, using
pdocread -l
 
C:\itsutils>pdocread.exe -l 
114.88M FLASHDR 
|-
||           3.12M Part00 
|-
||           2.88M Part01 
|-
||          50.88M Part02 
|-
||          58.00M Part03 
968.75M DSK1: 
|-
||         968.50M Part00 
STRG handles:  834d5e62 
0 partitions, 0 binary partitions 
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
(968.50M) 03958bce 
0 partitions, 0 binary partitions 
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
( 58.00M) 239584da 
0 partitions, 0 binary partitions 
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
( 50.88M) 039582ce 
0 partitions, 0 binary partitions 
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
(  2.88M) 2395828a 
0 partitions, 0 binary partitions 
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
(  3.12M) 

6. If you get the following errror, probably your device is application locked:

 
C:\itsutils>pdocread.exe -l 
Copying C:\itsutils\itsutils.dll to WCE:\windows\itsutils.dll 
Could not update itsutils.dll to the current version, maybe it is inuse? 
try restarting your device, or restart ActiveSync 

Check this wiki article on information about how to avoid that. Basically you have to modify this registry key, and then softreset using power button:

 
HKLM\Security\Policies\Policies 
valuename '00001001' was set to dword:2, change it to dword:1 
 
dword: any thing other than 1 disallows unsigned 
dword: 1 allows unsigned 

If changing the dword is still giving the issue , try HTC_Hermes_SIM_CID_Unlock solved it for me on a Dopod 838pro

If the registry hack is not working and you have Orange device, this helps: http://spvunlock.rd.francetelecom.com/

7. Note: There are two ways to read each partition:

pdocread -h 0xHANDLVALUE 0 0xSIZEVALUE diskimage.nb

or

pdocread -d storename -p partitionname StartValue LengthValue file.raw

We will use the second method for the next step.

Overview of flash partitions (just for your information, not a step)

 
FLASHDR STOREINFO 114.88M (0x72e0000) dev='FLASHDR'  store='Microsoft Flash Disk' 
        nsect=39700 bpsect=200 free=0 maxpartsize=0 
    3.12M ( 0x31fc00) Part00  'BOOT'         end= 18fe  type=20    image update kernel partition (XIP), used while image updates 
    2.88M ( 0x2e0000) Part01  'RAWFS'        end= 1700  type=23    regular kernel partition (XIP), used for normal OS boot 
   50.88M (0x32e0000) Part02  'imgfs.dll'    end=19700  type=25    imgfs 
   58.00M (0x3a00000) Part03  'fatfsd.dll'   end=1d000  type=04    user filesystem 
EXT_FLA STOREINFO  10.00M (0xa00000)  dev='EXT_FLA'  store='' 
        nsect=5000 bpsect=200 free=0 maxpartsize=0 
   10.00M ( 0xa00000) PART00  'fatfsd.dll'   end= 5000  type=04        extended rom 

This does not include the IPL, splash and SPL.

8. Check that all the partition sizes reported by pdocread are correct:

 
C:\itsutils>pdocread -w -d FLASHDR -p Part00 -t 
real nr of sectors: 6398  -   3.12Mbyte (0x31fc00) 
C:\itsutils>pdocread -w -d FLASHDR -p Part01 -t 
real nr of sectors: 5888  -   2.88Mbyte (0x2e0000) 
C:\itsutils>pdocread -w -d FLASHDR -p Part02 -t 
real nr of sectors: 104192  -  50.88Mbyte (0x32e0000) 
C:\itsutils>pdocread -w -d FLASHDR -p Part03 -t 
real nr of sectors: 118784  -  58.00Mbyte (0x3a00000) 

Note the partition sizes (in brackets) for the next step. They may differ from device to device.

9. Now let's dump the first 3 partitions (coldboot kernel, base kernel and imgfs), use the sizes you found in the previous step.

 
C:\itsutils>pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw 
CopyTFFSToFile(0x0, 0x31fc00, Part00.raw) 
C:\itsutils>pdocread -w -d FLASHDR -p Part01 0 0x2e0000 Part01.raw 
CopyTFFSToFile(0x0, 0x2e0000, Part01.raw) 
C:\itsutils>pdocread -w -d FLASHDR -p Part02 0 0x32e0000 Part02_0.raw 
CopyTFFSToFile(0x0, 0x32e0000, Part02_0.raw) 
ERROR: ITReadDisk - Not enough storage is available to complete this operation. 

In case there is a read error in the imgfs (as shown here) you'll have to read one specific 0x800 byte section separately and patch the diskimage to make it work. So either the flash is bad, or the driver reading it has bugs.

If your phone returns Part02_0.raw without errors, you can simply rename Par02_0.raw to Part02.raw and skip to step 15

10. Check what we have so far:

 
C:\itsutils>dir Part*.raw 
10/08/2006  22:52         3.275.776 Part00.raw 
10/08/2006  22:53         3.014.656 Part01.raw 
10/08/2006  23:00        39.911.424 Part02_0.raw 
C:\itsutils> 

11. We use the 0x800 byte trick to complete dumping the rest of imgfs.

The file size is 39.911.424 (0x2610000 in hex), so we specify this value as start, and 0x800 byte length:

 
C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610000 0x800 Part02_1.raw 
CopyTFFSToFile(0x2610000, 0x800, Part02_1.raw) 

12. It worked, now we have to start at 0x2610000* 0x800 and read the rest of the partition which is 0x32e0000 (total size) - 0x2610800 (what we have already read), so the result is 0xccf800 bytes length we need to read:

 
C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610800 0xccf800 Part02_2.raw 
CopyTFFSToFile(0x2610800, 0xccf800, Part02_2.raw) 

13. And that's it, all dumped successfully:

 
C:\itsutils>dir Part*.raw 
10/08/2006  22:52         3.275.776 Part00.raw 
10/08/2006  22:53         3.014.656 Part01.raw 
10/08/2006  23:00        39.911.424 Part02_0.raw 
11/08/2006  00:02             2.048 Part02_1.raw 
11/08/2006  00:06        13.432.832 Part02_2.raw 
14. Now we need to concatenate the three
Part_02_?.raw
files.
  • In a Windows operating system
 
> copy /B Part02_0.raw+Part02_1.raw+Part02_2.raw Part02.raw 
  • In an Unix operating system
 
$ cat Part02_0.raw Part02_1.raw Part02_2.raw > Part02.raw 

15. Now we can check the filesize is correct, and we have successfully dumped all 3 partitions:

 
C:\itsutils>dir Part0?.raw 
10/08/2006  22:52         3.275.776 Part00.raw 
10/08/2006  22:53         3.014.656 Part01.raw 
11/08/2006  00:10        53.346.304 Part02.raw 

If you want you can extract the contents of imgfs too.

IMPORTANT

If you do this process and dump the ROM of your device, please zip the contents of your dumped rom and, and upload the zip file in xda-developers FTP (USERNAME: xdaupload / PASSWORD: xda)

Then and add a link to the file you uploaded in the Available Dumped or Modified ROM Versions wiki page. Make sure you specify the device name (TyTN, Trion, etc..), operator if any, language and version of the ROM.

Related forum thread (post here if you have problems or need help):

http://forum.xda-developers.com/viewtopic.php?t=58656



Back to the Hermes Home Page