I'm not proud and I'm the first to admit when I'm stuck!
I'm trying to upgrade my M1000 but I'm not so hot with dos. I need to sort out the country error code but I don't know how to "Extract the decrypted versions of the nbf files
by entering the following commands at the command prompt:
xda2nbftool -x NK.nbf NK.nba 0x20040304
xda2nbftool -x Radio_.nbf Radio_.nba 0x20040306"
Can someone who is patient please tell me what I type in dos to do this.
I just need to know what the commands are for dos to get it to unpack the above file ( I dodn't know how to "direct" dos to the specific file)
I know some of you might be thinking "what a complete numptie for not knowing the above but please remember that we all have to start somewhere.
Thanks.
Related
In the Excalibur forum we are struggling to flash a file to a particular offset in NAND (samsung onedisk flash). The file is 4Mbyte and was dumped with bkondisk (by itsme). Deploying pof's ideas, I have patched Excalibur SPL which bypasses vendor/model and signature checking and raises security level to 0. Using this SPL the flash commands can be used w/o restrictions
A similar patched bootloader exists for Vox S710. That SPL includes same commands as the Excalibur SPL.
The SPL offers 2 commands to interactively flash files from MTTY: ls ("load signed"??) and lnbs ("load new binary signed"??)
Afaik the commands are invoked as:
Code:
lnbs [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
ls [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
The question is what format the files must have and how to figure out start address. I found some info in the Hermes Wiki. I also suggested Excalibur various tests:
1. The file test3.nbs in this case has a 0x20 byte header ("R000FF") which includes data blocksize and signature size and flag. But somehow it doesn't like the start address of which I also don't know how to figure it out for the various ROM parts. How was that done for Hermes? (reversing SPL or sniffing USB)
Code:
Cmd>lnbs test3.nbs 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test3.nbs"
:F=test3.nbs
start download
S
HAddress A0000000h Length 0040034Dh
Start Address out of boundary
checking image header
2. The file test.nb w/o any header, just the 4MB binary file with no modifications
Code:
Cmd>ls test.nb 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test.nb"
:F=test.nb
start download
S
HAddress A0000000h Length 00400000h
Start Address out of boundary
checking image header
3. The file test2.nbh with a full .nbh header and given type 0x300 (GSM Radio code, although the 4MB file also includes config and simlock data etc.). This was actually the most succesful since it passed mosts tests in the SPL. So it seems a valid file, but it couldn't be confirmed that anything was flashed at all.
Code:
Cmd>lnbs test2.nbh 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test2.nbh"
:F=test2.nbh
start download
S
HAddress 00000000h Length 0040054Dh
Start Address out of boundary
checking image headerFirst MTTY record empty
Image Download Finish... please check your image
Please reset the device to restart the program!!
DownloadImage success.
Can anyone with more knowledge about this subject please drop some feedback? Thx!
Cheers
JockyW
Edit: I totally forgot about the wdata command which is used by the official RUU. It can not be used interactive from MTTY, but it is possible to use it from self written programs. I think the idea is that only signed .nbh files (which include ROM type information in the header) can use be flashed using this command:
Code:
wdata length checksum
Once all data and the last signature (flag == 2) has been sent to SDRAM and all CRC and sig checks are passed the flashing process starts. The funny thing is that the help text of wdata suggests that also unsigned data can be flashed or be dropped at any memory location. Is this intentional deceiving by HTC ??
Code:
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
while flashing test2.nbh, wlan data doesn't be modified.
jockyw2001's question is very important to find our wi-fi back. plz help us!Thanks!
details about our problem and what we have done can be seen at http://forum.xda-developers.com/showthread.php?t=328690
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
arc said:
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
Click to expand...
Click to collapse
Ah great! You've got a link as well? Thx!
Hi jocky,
interesting thing..
why don;t u try its utils for the above and check..
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
While flahing ROM, RUU issues set le 1 command and write the ROM using wdata command.You can check these things, with USB monitor
hdubli
The commands lnb and lnbs different -
lnb - load the unsigned code.
lnbs- load signed code -have other structure and headline
hdubli said:
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
Click to expand...
Click to collapse
hi,
pdocread -l returns:
Code:
>pdocread.exe -l
58.82M (0x3ad1000) DSK1:
| 2.09M (0x217400) Part00
| 3.20M (0x333000) Part01
| 53.53M (0x3586800) Part02
59.31M (0x3b4f000) DSK2:
| 59.06M (0x3b0e800) Part00
...
You mean the values in parantheses?
On excalibur only signed data is accepted by ls or lnbs (dunno the difference between the two. Anyone?).
I disassembled spl and found the startaddress boundary check routine. In it I see the hardcoded nand address boundaries which have no resemblance whatsoever with pdocread.
I'm now checking arc's hint to patch splash screen flashroutine in same way as imei-check does it. I just hope I can use ls and lnbs (with USPL of course), since that would be far more comfortable
Hi,
I have a big problem, i cannot run the P535RomTool.exe
when i try to run it, the black window pop up for a mili second and then nothing happened..
I have installed the Microsoft Visual C++ 2005 SP1 Redistributable Package (x86): http://www.microsoft.com/downloads/d...displaylang=en. I have Windows XP SP2. what I have still to make it to run this tool? Plaese help me!!!
Thanks
P535RomTool is the console application.
You must run it in cmd console (Start->Run cmd) or by cmd(bat) files with parameters.
Possible Parameters:
-s <ROMFile.nb0> Re-compute CRC on .NB0 file
-d<x> <package.cap> [ROMFile.nb0] Extract .NB0 OS image from WMx (x=5 or 6) .CAP update package
-up <ROMFile.nb0> <N> <destimg> Unpack compressed partition image number N (0-3)
For example:
P535RomTool.exe -d6 AsusP535.cap GalaxyII.NB0
I AM TRYING TO MAKE A FOLDER. TO MAKE A CUSTOM SPLASH SCREEN BUT I DON'T KNOW HOW TO COMPLETE THIS STEP....[Open a command or terminal window and CD to your nbimg folder.
Type in the following command: nbimg -F splash1.bmp -w 480 -h 800
If successful, nbimg should have created an nb file called 'splash1.bmp.nb'.
Rename 'splash1.bmp.nb' to 'splash1.img'.]... I HAVE THE "NBIMG" FOLDER. AND MY CONVRTED IMAGE. I JUST DON'T KNOW TO "CD" TO IT OR WHEN TO TYPE IN THE COMMAND AFTER THAT TO COMBINE THE TWO.....USING COMMAND LINE IS LIKE FRENCH TO ME... PLEASE HELP..
mbancroft41 said:
I AM TRYING TO MAKE A FOLDER. TO MAKE A CUSTOM SPLASH SCREEN BUT I DON'T KNOW HOW TO COMPLETE THIS STEP....[Open a command or terminal window and CD to your nbimg folder.
Type in the following command: nbimg -F splash1.bmp -w 480 -h 800
If successful, nbimg should have created an nb file called 'splash1.bmp.nb'.
Rename 'splash1.bmp.nb' to 'splash1.img'.]... I HAVE THE "NBIMG" FOLDER. AND MY CONVRTED IMAGE. I JUST DON'T KNOW TO "CD" TO IT OR WHEN TO TYPE IN THE COMMAND AFTER THAT TO COMBINE THE TWO.....USING COMMAND LINE IS LIKE FRENCH TO ME... PLEASE HELP..
Click to expand...
Click to collapse
Ok I see no one has answered this so I'll try to take a stab at it.
I've never made a custom splash screen, however, I know my way around a command prompt. I'm assuming that your nbimg folder is on the root of your C:/ drive correct?
If that is so then in a fresh command prompt and type "cd c:\nbimg" now you should be in that folder. If its in a different folder like..idk.. programs files. then you would type cd c:\program files\nbimg, ya see?
Now that your in that folder type "nbimg -F splash1.bmp -w 480 -h 800". Hope that helps out some, if there is anyone else that can shed some more light please take this by the horns.
no actually its in my user \down load folder. should i save it to the root of my c: drive. ....or i would have to figure out what the command for my "downloads" file is ... but I think i'll move it to the root. cause you already gave me the command for that thanks........and yes your the first one to answer on three different fourms i have the same question in..... so thanks so much for your help...
mbancroft41 said:
no actually its in my user \down load folder. should i save it to the root of my c: drive. ....or i would have to figure out what the command for my "downloads" file is ... but I think i'll move it to the root. cause you already gave me the command for that thanks........and yes your the first one to answer on three different fourms i have the same question in..... so thanks so much for your help...
Click to expand...
Click to collapse
Your very welcome. If you can move it to the root of the C: drive then Id do it.
If not then right click in your nbimg folder and click properties and look at your location (ex. C:\users\download). Now, just CD-change directory to that folder with the addition of \nbimg. so it'd look like "C:\users\download\nbimg". Its a little more work but it will give you a little more command prompt experience.
ok... now that it is explained.. it sounds simple.. thanks again
ok.. command line read: c:\users\my name> .. I typed in about three different things but i got it to read: "c:\>" with out the quotations of course by typing in. " cd c:\ "..... but cant get it to the file.....when i type "nbimg" it says " 'nbimg' is not recognized as an internal command opperate program or batch file........ i have relocated the said file to the root of my C drive like u suggested...any ideas????????
ok played around for a while and got it i think.... I found out how to type command in right.. and it spit a whole bunch of stuff back to me.....to bad you cant copy and paste from cmd line window.. cause i sure aint typing all that.. thanks for your help. alot of thanks been waiting two days to get some kinda answer....
mbancroft41 said:
ok played around for a while and got it i think.... I found out how to type command in right.. and it spit a whole bunch of stuff back to me.....to bad you cant copy and paste from cmd line window.. cause i sure aint typing all that.. thanks for your help. alot of thanks been waiting two days to get some kinda answer....
Click to expand...
Click to collapse
You can copy and paste my friend!!! Right click and click paste
c:\nbimg>nbimg -f splash1.bmp -w480 -h800
=== nbimg v1.1
=== Convert NB <--> BMP splash screens
=== (c)2008 Pau Oliva - pof @ xda-developers
nbimg: unknown option -- f
Usage: nbimg -F file.[nb|bmp]
Mandatory arguments:
-F <filename> Filename to convert.
If the extension is BMP it will be converted to NB.
If the extension is NB it will be converted to BMP.
Optional arguments:
-w <width> Image width in pixels. If not specified will be autodetec
.
-h <height> Image height in pixels. If not specified will be autodete
d.
-t <pattern> Manually specify the padding pattern (usually 0 or 255).
-p <size> Manually specify the padding size.
-n Do not add HTC splash signature to NB file.
-s Output smartphone format.
NBH arguments: (only when converting from BMP to NBH)
-D <model_id> Generate NBH with specified Model ID (mandatory)
-S <chunksize> NBH SignMaxChunkSize (64 or 1024)
-T <type> NBH header type, this is typically 0x600 or 0x601
awasome it was just done different then the normal right click and right click paste.so the info it sent back to me is it saying its missing something or did it create the file
sounds like it completed
Just for the hell of it, I'd like to unpack a system.img the easy way. I tried unyaffs for Windows but it doesn't seem to work. Does the factory images from Google even use the yaffs format?
When I try to unyaffs system.img, I get this which I condumped:
Code:
0 [main] unyaffs 6232 exception::handle: Exception: STATUS_ACCESS_VIOLATIO
N
831 [main] unyaffs 6232 open_stackdumpfile: Dumping stack trace to unyaffs.e
xe.stackdump
What am I doing wrong? I open a command window in the directory of the image file, make sure unyaffs.exe and cygwin1.dll is there and then type "unyaffs system.img"
Same question here
Don't forget to hit thanks
I have already posted how to do this in this post... Have a look at the last few lines of the "How to flash" section in blue.
I have the Problem that I need to dump a part of the /dev/block/mmcblk0 to a file. Does someone know how to do this?
I have found a value via hexdump and now I need to dump the next 1000byte to a file on the sdcard.
Can someone help me how to do this in a proper way?
Thanks in advance