modified/pached hpRUU.exe for ipaq hw6915. - Upgrading, Modifying and Unlocking

modified/pached hpRUU.exe?
--------------------------------------------------------------------------------
i would like to know if somebody here already have patched or modified the original hpRUU.exe for the ipaq hw69xx series in order to allow uploading a different ROM-image(e.g different language etc.) to the device.
as far as i know it would be enough to disable the pre-check and jump directly to the start of the flashing routine itself.
i tried In each method this already by myself, but it seems it isn't as easy as i thought.
any help is appreciated...
In the appendix has HP iPAQ hw6900 Mobile Messenger Series ROM Update
BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
1.download GSM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...sId=1822489&swLang=8&taskId=135&swEnvOID=2067
2.download all ROM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
my icq:381-821-742
my msn:[email protected]
Now,my ipaq hw6915 reatar On demonstrates NO GSM underneath the screen !
Under the picture was I has attempted a method, is not all good .
best regards,
Caoxt

What means do some people know to be possible backup GSM RADIO?
What means do some people know to be possible backup GSM RADIO?
caoxt said:
modified/pached hpRUU.exe?
--------------------------------------------------------------------------------
i would like to know if somebody here already have patched or modified the original hpRUU.exe for the ipaq hw69xx series in order to allow uploading a different ROM-image(e.g different language etc.) to the device.
as far as i know it would be enough to disable the pre-check and jump directly to the start of the flashing routine itself.
i tried In each method this already by myself, but it seems it isn't as easy as i thought.
any help is appreciated...
In the appendix has HP iPAQ hw6900 Mobile Messenger Series ROM Update
BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
1.download GSM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...sId=1822489&swLang=8&taskId=135&swEnvOID=2067
2.download all ROM BIOS from that link:
http://h20000.www2.hp.com/bizsuppor...18&mode=2&taskId=135&swItem=PSG_I23843-109104
my icq:381-821-742
my msn:[email protected]
Now,my ipaq hw6915 reatar On demonstrates NO GSM underneath the screen !
Under the picture was I has attempted a method, is not all good .
best regards,
Caoxt
Click to expand...
Click to collapse

Continuation ......................
Continuation ...............

same here
I had same problem with sable_ruu.exe and even though I had
*correct* radio rom, it could not re-flash it after previous flash
failure

Has the warm-hearted person to solve the problem again .
Hi,Please look at here:
http://forum.xda-developers.com/showthread.php?t=353414

Recent clue, Similarly passes on 6915
Recent clue, Similarly passes on 6915
Specially orders reads to flash RADIO has the help:
password
set
erase
task
lw
rtask
The HP IPAQ 6515 uses the boot loader2 password to unlock the full help menu in the serial console interface. It does not allow access to more commands than before and simply shows help for more commands.
If you are interested in viewing the commands there are a couple of passwords that would unlock it depending on your exact 6515 model.
• BOOTLOADER
• BEETLES
• 0000000000000000 - (16 x 0s) password for level 1 which unlocks additional RUU functions
Personally, both BOOTLOADER and 0000000000000000 worked fine for me on a HP IPAQ 6515e and you can enter level 1 directly with 0000000000000000
USB>password BOOTLOADER
HTCSPass.<Y-HTCEUSB>password 0000000000000000
HTCSPass1.CM^EHTCEUSB>
If you typed the wrong password, you will get
USB>password 0000000000000000
HTCSInvalid password
Similarly passes on 6915 !
This is a use MTTY Connection of me exploring the IPAQ 6515e’s bootloader firmware
USB>? full
Available monitor commands are:
? [command] [full]
h [command] [full]
r [[register] [[=] [hex_value]]]
eb Addr
eh Addr
ew Addr
mb [StartAddr [Count [Filler]]]
mh [StartAddr [Count [Filler]]]
mw [StartAddr [Count [Filler]]]
string [Type [String]]
info [Type [Value]]
password [string]
l [path_name [startAddr offset ["cp"]]]
lnb nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
ppdl [startAddr offset["cp"]]
s StartAddr Count Pattern...
map
cp reg# OPC_2 CRm [value]
stress [Type [Count(Hex)]]
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
s2d
set [Type [Value]]
task [Type [Value [Value1]]]
shmsg [Row [Col ["String"]]]
rbmc [FileName [StartAddr [Len]]]
erase [StartAddr [Len]]
wdata [StartAddr [Len]]
checksum [StartAddr [Len]]
prouter [PortID1[Baud1[PortID2[Baud2]]]]
lw [path_name [startAddr offset ["cp"]]]
rtask [Type [Value]]
rroute [UART Path1[Baud Rate1[UART Path2[Baud Rate2]]]]
USB>? set
Usage:
set [Type [Value]]
Set control flags.
Type(hex) : Control function types.
Value(hex) : Setting values for types.
If value is not given, default is 0.
Type 0(Echo on/off): 1(on) and 0(off).
Type 1(Operation mode): 1(auto) and 0(user).
Type 2(Back color on/off): 1(on) and 0(off).
Type 3(Inverse on/off): 1(on) and 0(off).
Type 4(Front color value): 16 bits data
Type 5(Background color value): 16 bits data
Type 6(Set color of screen): Fill color to whole screen one time.
Type 8(COMM queue flag): 0(TX_RX disable),1(RX enable),2(TX enable) and 3(TX_RX enable).
Type 1E(RUU command read/write flag): 1(unlock) and 0(lock).
Current flag settings:
Type 0(Echo flag): cEchoFlag=(0x1).
Type 1(Operation mode flag): cOpModeFlag=(0x0).
Type 2(Back color flag): cBackColorShowFlag=(0x1).
Type 3(Inverse flag): cShowInverseFlag=(0x0).
Type 4(Front color): g_wFColor=(0x0).
Type 5(Background color): g_wBColor=(0xFFFF).
Type 6(Set color of screen): None.
Type 8(COMM queue flag): g_cCommQueueFlag=(0x0).
Type 1E(RUU command read/write flag): g_cRUUCommandRWFlag=(0x0).
USB>? info
Usage:
info [Type [Value]]
Type(hex) 0: Get platform name(16 bytes) and [value](hex) is ignore.
Type(hex) 1: Get bootloader version(16 bytes) and [value](hex) is ignore.
Type(hex) 2: Get device CID(8 bytes CID with 8 bytes dummy data(0x20)) and [value](hex) is ignore.
USB>info 4
HTCS L?3?HTCE
USB>info 5
USB>info 0
BEETLES
USB>info 1
0.21
USB>info 2
USB>info 8
USB>? rtask
Usage:
rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>? task
Usage:
task [Type [Value [Value1]]]
Type,Value and Value1 are both DWORD(hex).
Value and Value1 are ignore in some case.
Type(hex) 0: Do hardware clear boot with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 7: Do flash ROM lock/unlock and [value]: 1(lock) and 0(unlock).
Type(hex) 8: Software reset with delay time and [value](hex) is a delay time(unit is ms).
Type(hex) 3C: Set terminal COM port baud rate.
Type(hex) 46: Force BT enter test mode.
USB>? lnbs
Usage:
lnbs nb-file [StartAddr [Length [SkipOffset ["cp"]]]]
Download nb file to ROM.
StartAddr : Start address for downloading(default=80000000).
Length : Length for downloading(default=FFFFFFFF).
SkipOffset : SkipOffset for downloading(default=00040000).
cp : Compare image with file data only.
USB>? d2s
Usage:
d2s [StartAddr [Len [Type [Append[SkipStartAddr SkipLen]]]]]
Backup memory to storage.
StartAddr : Start address for backup(0xA0040000).
Len : Length of memory will be backup. And if not given value, it will be
Total ROM size on board - ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).
Type : Which storage(cf/sd) type will be selected(cf).
Append : Backup methods(a/).
SkipStartAddr : Start address of skip area(0x0).
SkipLen : Skip length(0x0).
Skip area must be less than or equal to one block size of flash.
Skip area must not over two blocks, must inside one block.
Nand flash: Skip area size need be page boundary.
Nor flash: Skip area size need be DWORD boundary.
DOC flash: Skip area size need equal to MBLOCKLEN(32kB).
USB>? s2d
Usage:
s2d
Restore memory from storage.
USB>? lw
The same as "l" command, but download to radio flash memory.
Usage:
lw [path_name [startAddr offset ["cp"]]]
Download BIN file across from serial/USB port.
Startaddr offset(MSB bit is a sign bit): Start address offset of every packet in bin file.
When 'cp' is given, it will just compare data of file with ROM image.
When path_name is not given, the file to be downloaded is determined
by ppfs on the host.
Otherwise, path_name on the host is downloaded regardless the ppfs setting.
The file must be in the format of BIN (preprocessed SRE).
USB>? password
Usage:
password [string]
Enter the password string to enable full help and command functions.
Enter the password string1 to enable some command functions related to RUU.
USB>rtask 8
GSM Trace Route.
Wait 2413 ms
USB>rtask 1
Please use type 3 and 4 instead.
USB>? task 32
Syntax error!
Usage:
? [command] [full]
Helps on command.
When no command is given, output a list of normal commands.
If "full" option used, display all commands(need password enable).
But if one command is given, It will show the command usage method.
USB>? erase
Usage:
erase [StartAddr [Len]]
Erase the contain of flash ROM.
StartAddr : Start address of ROM(default(hex)=A0040000).
Len : How many bytes will be erased(default(hex)=40000).
USB>rtask a
Radio image flash by external bootloader.
HTCS??6ú??HTCE
The IPAQ froze and I had to reboot the IPAQ before I could reconnect.
USB>password 0000000000000000
HTCSPass1.CM??HTCEUSB>? rtask
Usage:
rtask [Type [Value]]
Type(hex) 0: Reset radio and [value](hex) is ignore.
Type(hex) 1: Turn on radio, lease use type 3 and 4 instead.
Type(hex) 2: Turn off radio and [value](hex) is ignore.
Type(hex) 3: Run radio image and [value](hex) is ignore.
Type(hex) 4: Run radio bootloader and [value](hex) is ignore.
Type(hex) 7: Radio AT Command Debug.
Type(hex) 8: GSM trace route.
Type(hex) 9: Run radio external bootloader and [value](hex) is ignore.
Type(hex) A: Radio image flash by external bootloader and [value](hex) is ignore.
Type(hex) C: Select debug path.
Type(hex) D: Radio AT Command with GSM trace route.
Type(hex) 10: Set radio external boot UART mode(fast(1)/normal(0)).
USB>rtask a
Radio image flash by external bootloader.
2.12.00484830000EF23CB887AC20E08199E335&HTCE
Links
• HOWTO: Change serial number and model number for HP IPAQ 6515
• HP IPAQ 6515 Bootloader password
• HP IPAQ 6510 / 6515 dead GSM after failed Firmware upgrade
http://blogs.unbolt.net/index.php/brinley/2007/07/09/howto_change_serial_number_and_model_num_6515
http://blogs.unbolt.net/index.php/brinley/2007/08/12/hp_ipaq_6515_bootloader_password
http://blogs.unbolt.net/index.php/brinley/2007/07/31/ipaq_6515_dead_gsm_after_failed_firmware

Continuation.....................................

caoxt said:
Continuation.....................................
Click to expand...
Click to collapse
Here:http://forum.xda-developers.com/showthread.php?t=337975&page=10#91
http://forum.xda-developers.com/showthread.php?t=337975&page=10#99

i downloaded ipaq hw 69xx english_update_unit.zip into my ipaq hw6915 and the phone just went of showing just the hp logo, serial/usb and v g 39. pls what can i do to revive my phone. i will appreciate any assistaance. my mail box is [email protected]

Related

Flash ROM using SPL commands

In the Excalibur forum we are struggling to flash a file to a particular offset in NAND (samsung onedisk flash). The file is 4Mbyte and was dumped with bkondisk (by itsme). Deploying pof's ideas, I have patched Excalibur SPL which bypasses vendor/model and signature checking and raises security level to 0. Using this SPL the flash commands can be used w/o restrictions
A similar patched bootloader exists for Vox S710. That SPL includes same commands as the Excalibur SPL.
The SPL offers 2 commands to interactively flash files from MTTY: ls ("load signed"??) and lnbs ("load new binary signed"??)
Afaik the commands are invoked as:
Code:
lnbs [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
ls [pathname [StartAddr [Length [SkipOffset ["cp"]]]]]
The question is what format the files must have and how to figure out start address. I found some info in the Hermes Wiki. I also suggested Excalibur various tests:
1. The file test3.nbs in this case has a 0x20 byte header ("R000FF") which includes data blocksize and signature size and flag. But somehow it doesn't like the start address of which I also don't know how to figure it out for the various ROM parts. How was that done for Hermes? (reversing SPL or sniffing USB)
Code:
Cmd>lnbs test3.nbs 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test3.nbs"
:F=test3.nbs
start download
S
HAddress A0000000h Length 0040034Dh
Start Address out of boundary
checking image header
2. The file test.nb w/o any header, just the 4MB binary file with no modifications
Code:
Cmd>ls test.nb 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test.nb"
:F=test.nb
start download
S
HAddress A0000000h Length 00400000h
Start Address out of boundary
checking image header
3. The file test2.nbh with a full .nbh header and given type 0x300 (GSM Radio code, although the 4MB file also includes config and simlock data etc.). This was actually the most succesful since it passed mosts tests in the SPL. So it seems a valid file, but it couldn't be confirmed that anything was flashed at all.
Code:
Cmd>lnbs test2.nbh 500a0000
clean up the image temp buffer at 0x8C080000 Length 0x03900000
MTTYDownloadImage "test2.nbh"
:F=test2.nbh
start download
S
HAddress 00000000h Length 0040054Dh
Start Address out of boundary
checking image headerFirst MTTY record empty
Image Download Finish... please check your image
Please reset the device to restart the program!!
DownloadImage success.
Can anyone with more knowledge about this subject please drop some feedback? Thx!
Cheers
JockyW
Edit: I totally forgot about the wdata command which is used by the official RUU. It can not be used interactive from MTTY, but it is possible to use it from self written programs. I think the idea is that only signed .nbh files (which include ROM type information in the header) can use be flashed using this command:
Code:
wdata length checksum
Once all data and the last signature (flag == 2) has been sent to SDRAM and all CRC and sig checks are passed the flashing process starts. The funny thing is that the help text of wdata suggests that also unsigned data can be flashed or be dropped at any memory location. Is this intentional deceiving by HTC ??
Code:
Cmd>wdata
Usage:
wdata [StartAddr Len]
Write data to memory(if write to ROM, need erase first).
StartAddr : Start address of memory.
Len : How many bytes will be written.
Length must not more than 0x10000 bytes(buffer limitation).
Write to RAM: 4 bytes(CRC checksum limitation).
1 byte(in user mode).
Write to ROM: 4 bytes(CRC checksum limitation).
2(16-bit)/4(32-bit) bytes(in user mode).
Write to ROM(16-bit data bus): 32 bytes(writebuffer mode).
Write to ROM(32-bit data bus): 64 bytes(writebuffer mode).
Length must be 4 bytes boundary(CRC checksum) if not in user mode.
After command execute, then send out the data to terminal.
Data format: HTCS(4 bytes)+DATA+checksum(4 bytes, if not in user mode)+HTCE(4 bytes).
while flashing test2.nbh, wlan data doesn't be modified.
jockyw2001's question is very important to find our wi-fi back. plz help us!Thanks!
details about our problem and what we have done can be seen at http://forum.xda-developers.com/showthread.php?t=328690
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
arc said:
jockyw2001
You may use method imei-check - they for flash of the area CID have changed address of the flash splash screen - hereinafter they form file nbh (consists only of splash screen) with necessary area CID.
Click to expand...
Click to collapse
Ah great! You've got a link as well? Thx!
Hi jocky,
interesting thing..
why don;t u try its utils for the above and check..
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
While flahing ROM, RUU issues set le 1 command and write the ROM using wdata command.You can check these things, with USB monitor
hdubli
The commands lnb and lnbs different -
lnb - load the unsigned code.
lnbs- load signed code -have other structure and headline
hdubli said:
issue pdcocread -l command and get the header and rom address.
then try with lnbs or ls command to flash back.From whatever I know, lnb and lnbs/ls command can b used when yr device is Super CID.
Click to expand...
Click to collapse
hi,
pdocread -l returns:
Code:
>pdocread.exe -l
58.82M (0x3ad1000) DSK1:
| 2.09M (0x217400) Part00
| 3.20M (0x333000) Part01
| 53.53M (0x3586800) Part02
59.31M (0x3b4f000) DSK2:
| 59.06M (0x3b0e800) Part00
...
You mean the values in parantheses?
On excalibur only signed data is accepted by ls or lnbs (dunno the difference between the two. Anyone?).
I disassembled spl and found the startaddress boundary check routine. In it I see the hardcoded nand address boundaries which have no resemblance whatsoever with pdocread.
I'm now checking arc's hint to patch splash screen flashroutine in same way as imei-check does it. I just hope I can use ls and lnbs (with USPL of course), since that would be far more comfortable

Asus ABI Decompiler+Compiler (Updated 20090622)

This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ). The current version can support P835 unencrypted ABI, and even encrypted ABI from updater EXE! Current finding is this tool also supports unreleased Garmin-Asus ROMs!
Thanks (Especially )Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p835abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released (Only for Pre-P835 devices), os.nb0 cab be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p835abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly (Only for Pre-P835 devices or Post-P835 devices with unencrypted ROM).
4. If you input the updater EXE to p835abisplit2, it will also produce out.exe with region locked patched which can be used to flash your new ROM directly on devices with any region!
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. For Pre-P835 devices, current version can create big-storage ROMs with variable size of imgfs. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. For Post-P835 devices, all partitions must be exactly same size with the original one (i.e. you need to pad the partition before putting it back), otherwise the device won't boot.
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!
Release Notes:
v2.40:
- Added support for M930
v2.32:
- Support extraction of encrypted ABI file resource from P835 updater exe
- Support reconstruction of P835 updater exe
- When rebuild to exe, the produced out.exe is patched to install in devices of any region.
V2.20:
- Support extration and rebuilding of P835 ABI file (Note that not for ABI inside EXE)
- When rebuild with exe, OUT.EXE will be produced for direct flashing
starkwong said:
This tool can be used to either decompile or compile ROMs for various Asus devices that used the ABI firmware format (Can also be used in O2 XDA Zest ).
Thanks Harshal and Leon in AsusPda for testing.
Usage:
- Decompiling ROM
1. p565abisplit2 <abi/exe file>
2. os.nb0 and extrom.img released, os.nb0 cab be processed by imgfsfromnb or osnbtool, extrom.img can be processed by WinImage.
- Compiling ROM
1. First rename the new os.nb0 to os-new.nb0, and rename extrom.img to extrom-new.img (If the new files do not exist, then the compiler will use the parts from original ROM)
2. p565abisplit2 /b <abi/exe file>
3. out.abi releases, which can be used to flash directly.
- Note when building ROM
1. If you need to modify XIP, make sure the modded XIP is the same size as the original one before merging back to nb0, otherwise booting will fail
2. OS part doesn't need to be the same size as the original. If the new OS is smaller than the original one, the freed space will be allocated to user space (The left part as shown in Memory setting) after flashing. However the user space display will only reflect the change on second flash.
3. You can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Final Warning: Customizing a ROM always has risks, I won't be responsible for any damages lead to your custom ROM!. Moreover, don't use it in P835 abi, it won't work
Click to expand...
Click to collapse
Nice we all waiting for it
Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?
rishi2504 said:
Many Congrats for successfully ripping through the ROM !!
Partition offsets and checksums reported by the tool are :
Part #0002 sz:0003e000=>0003e000 cs:625f94b2=>625f94b2 of:000003a0=>000003a0
Part #0004 sz:00100000=>00100000 cs:ffe5f731=>ffe5f731 of:0003e3a0=>0003e3a0
Part #0103 sz:00452a8c=>00452a8c cs:99f65978=>99f65978 of:0013e3a0=>0013e3a0
Part #0104 sz:000fffc0=>000fffc0 cs:5e03943f=>5e03943f of:00590e2c=>00590e2c
Part #0005 sz:07e00000=>07e00000 cs:674f4072=>674f4072 of:00690dec=>00690dec
Part #0013 sz:00a00000=>00a00000 cs:56994bf9=>56994bf9 of:08490dec=>08490dec
I am a little scared to use this tool for following reasons :
1. Actually, the IMGFS & ExtROM offsets are '00690dfc' & '08490dfc' respectively.
2. Checksums( 674f4072, 56994bf9....) can not be located in the Header.
3. The Adler32 checksum for the ExtROM is '5ff94bfa', while your tool reports '56994bf9'.
Any clues ?
Click to expand...
Click to collapse
Tool works properrly.No harm is trying
starkwong, is there any tool to decompile P835's ROM in the same way?
New version posted.
rishi2504:
The image checksum is not calculated by plain Adler32, actually is uses the same formula as older Asus ROMs, however it is not a one-time calculation.
Checksums are inside header, given you decoded it correctly.
starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin apperars to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?
In fact it is correct, as Asus uses B000FF image on P835, not a plain NB0 image.
You need to use osnbtool to get a nb0 with extra bytes, then use nbsplit -data 2048 -extra 8 to get a nb0 with sector size 0x800.
ginkage said:
starkwong, here's what I get when trying to decompile a ROM:
Code:
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load G5_ALL_V4.11.0_V3.6.12.P2_Ship_WWE_app_MYS00_V2.3.6.exe...
Module loaded, searching for BIN resource...
Found matching resource at BIN #211!
GetPartitions(): Getting Partition Information...
*** Encrypted ABI detected
ABI Version 0x00030012
Project Name: G5
Partition Type: 000f [email protected]
Partition Type: 000e [email protected]
Partition Type: 000e [email protected]
Partition Type: 0004 [email protected]
Partition Type: 0004 [email protected]
Partition Type: 000f [email protected]
Partition Type: 000f [email protected]
Partition Type: 0102 damage [email protected]
Partition Type: 0005 UnKnown [email protected]
Partition Type: 0002 [email protected]
Partition Type: 0003 [email protected]
ProcessABI(): Writing OS data...
* BIN(P835) Image Detected
Warning: OS.nb0/flash.bin is not a NB image, not modifying MSFLSH50 headers
ProcessABI(): No ExtROM partition found.
OK!
So it seems that partitions are not detected correctly, there's no os.nb0 at the output, and the flash.bin apperars to be of no use. Even when I found imgfs partition inside of it, there's still something wrong with it, e.g. bad start block offset, and everything else is also broken.
Can you help me with this?
Click to expand...
Click to collapse
B000FF image cannot be modified without osnbtool or viewbin or cvrtbin tool..For Ext ROM there is no partition in the abi file which can b read as .nb0 Ext ROM is inside the OS and is not as a partition.So what the output u get from the tool is correct.Whatever ROMs u saw mine are from using the same tool
I hope this clarifies.
starkwong, Thank you so much, it worked perfectly!
Can't use this tool on my Asus M530w. Getting this message:
Copyright(C) 2009 Studio KUMA(starkwong). All rights reserved
v2.40 (Jun 16 2009 19:56:06)
ExtractABI(): Trying to load nk.abi...
Failed loading as module (193). Perhaps ABI?
Trying as ABI directly...
Creating file mapping...
GetPartitions(): Getting Partition Information...
Error: AES Key not suitable for this ROM
unencrypted vers encrypted
There is little bit mess in description.
If you will use unecrypted rom + p835abisplit2 you will get os.nb0.
With encrypted rom + p835abisplit2 you will get flash.bin.
starkwong said:
4. For Pre-P835 devices, you can modify ExtROM as you like, but not remove or rebuild the image file, otherwise you may get a brick! (Not able to enter bootloader)
Click to expand...
Click to collapse
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?
rishi2504 said:
Hi,
Can i add my own cab/xml files to this Ext_ROM, after removing the files not needed ?
Click to expand...
Click to collapse
Don't bother dude , figured it out ...
Is there anyway I can extract the flash.bin file from a .abi file using this tool?
My P835 is unable to upgrade from the SD card with the .abi file on it.. so I wanted to extract the flash.bin and see if I can use the QPST tool to update the image with flash.bin file..
Sorry if I'm being stupid here (not unusual!). I'm trying to use this tool to get a .abi file out of O2's "Xda_Zest Firmware Update_V7.7.0S.WWE20.00_M4.6.5.P7_V2.1.4 GBR20.exe" so I can stick it on the SD card and flash the ROM, but of course I'm only ending up with the two files you mention, os.nb0 and extrom.img, no .ABI file. I can look in the extrom.img file with winrar, but the file only contains FINDMA~1.000 (300 bytes), 000dummy.001 (0 bytes) and _setup.xml (1205 bytes).
Plainly I'm thick - where am I going wrong, and how do I get the .ABI file?

Help Me Plz..........

I have XDA O2 Orbit ATRE200 HTC INNovation
Tried it 2 flash with Wm6.5 Rom, now it just stucked in bootloader 3 colors showing
IPL 3.04.0001
SPL 1.11.0000
Tried to hard rest but when press send key its shows format failed
after that tried to SD card but wont work just showing checking SD contents but after that enter into bootloader mode nothing happened
tried to use mtty.exe
Cmd>set 32
set 32
+ SD Controller init
- SD Controller init
+StorageInit
SDInit+++
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SDCmd1 Command response time-out. MMC_STAT = 80
SD clock to 24MHz
***** user area size = 0x3BE00000 Bytes
SDInit---
SDInit OK
g_cKeyCardSecurityLevel = 0
HTCE
but when tried to use commands
Cmd>task 29
task 29
Invalid command : task 29
For a help screen, use command ? or h
Cmd>task 28
task 28
Invalid command : task 28
For a help screen, use command ? or h
Cmd>info 2
info 2
Invalid command : info 2
For a help screen, use command ? or h
etc etc
can any one let me know what i do to get rid from this problem
...
hey, you bricked your device, you need to try and revive it using your original/official/ship rom..
you can find it here:
wiki.xda-developers.com/index.php?pagename=Artemis_Upgrades
when you have your original rom flashed back to the device, do Uspl 1.11.cmon
spl 1.11.0000 checks the size, and failed.. which is why your device is a brick..
spl 1.11.cmon - this means you can flash roms no matter what their size.. its doesnt check it..
(click Uspl 1.11.cmon on my signature to download)
I'm curious if the problem is solved.
i cannot connect my device via activsync so how can i flash it???
How can i put 2 cabs of spl 1.11.cmon in the device? i cannot connect my device via activsync so how can i flash it???
...
cutetaurus, add me to msn messenger..
ill try and help you..
[email protected]

[Q] help me ! nexus 7 2013 wifi only with usb mf-190s via OTG

This is my usb log. Plz help me!
PPP Widget version 1.3.3
USB_ModeSwitch log from Tue Oct 01 17:36:52 ICT 2013
Raw args from udev: 1-1/1-1:1.0
Using top device dir /sys/bus/usb/devices/1-1
----------------
USB values from sysfs:
manufacturer HSPA,Incorporated
product HSPA WCDMA Technologies MSM
serial MF190SVIED010000
----------------
bNumConfigurations is 1 - don't check for active configuration
SCSI attributes not needed, moving on
checking config: /data/data/de.draisberghof.pppwidget/app_tmp/19d2.2000
! matched. Reading config data
devList 1:
config: TargetVendor set to 19d2
config: TargetProductList set to 0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
Command to be run:
usb_modeswitch -I -W -D -s 20 -u -1 -b 1 -g 2 -v 19d2 -p 2000 -f $cB
Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are to be expected in the process)
--------------------------------
Reading long config from command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.7 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x19d2
DefaultProduct= 0x2000
TargetVendor= 0x19d2
TargetProduct= not set
TargetClass= not set
TargetProductList="0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003"
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
QuantaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
BlackberryMode=0
PantechMode=0
MessageEndpoint= not set
MessageContent="5553424312345678000000000000061e000000000000000000000000000000"
MessageContent2="5553424312345679000000000000061b000000020000000000000000000000"
MessageContent3="55534243123456702000000080000c85010101180101010101000000000000"
NeedResponse=1
ResponseEndpoint= not set
InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode enabled
Use given bus/device number: 001/002 ...
Looking for default devices ...
bus/device number matched
searching devices, found USB ID 19d2:2000
found matching vendor ID
found matching product ID
adding device
Found device in default mode, class or configuration (1)
Skipping the check for the current configuration
Using interface number 0
Using endpoints 0x01 (out) and 0x81 (in)
USB description data (for identification)
-------------------------
Manufacturer: HSPA,Incorporated
Product: HSPA WCDMA Technologies MSM
Serial No.: MF190SVIED010000
-------------------------
Looking for active driver ...
OK, driver found; name unknown, limitation of libusb1
OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 1 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 2 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 2 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 3 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 3 (CSW) ...
Response reading got error -32
Device is gone, skipping any further commands
Bus/dev search active, referring success check to wrapper. Bye.
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Checking success of mode switch for max. 20 seconds ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Waiting for device file system (5 sec.) ...
Reading attributes ...
Mode switch has completed
Mode switching was successful, found 19d2:0108 (HSPA,Incorporated: HSPA WCDMA Technologies MSM)
Device class of first interface is ff
Now checking for bound driver ...
No driver has bound to interface 0 yet
Module loader is /system/bin/insmod
Trying to find and install main driver module "option"
Checking for active driver path: /sys/bus/usb-serial/drivers/option1
Driver not active, try to find module "option"
Can't find module "option"
Existing path found:
No way to use driver "option"
- try falling back to "usbserial"
Module "usb_serial" not found, can't do more here
Driver binding did not work for this device
All done, exiting

[How to] Determine dd Parameters For All LG G4 Models

[How to] determine dd parameters for all LG G4 models
IMPORTANT:
Only for advanced users!
You are an advanced user if you know exactly what you are doing.
You are an advanced user if you know what to do if something went wrong.
You are NOT an advanced user if you know how to do copy+paste.
You can bring your smartphone into a state, so it no longer works.
I am not responsible for anything. The following instructions are only suggestions.
Hello,
everyone knows how to root the LG G4 with the "low effort root" method.
They copied the system partition to an ".img" file, rooted it and copied it back to the "system" partition.
Many users wonder how to get the right parameters for the "dd" commands.
Please read the complete guide and be sure that you understand it until you execute a command!
Information:
Code:
dd if=/inputfile bs=8192 count=12345 of=/outputfile
if = Input File
of = Output File
bs = Blocksize in bytes (default is 512 - to increase copy speed use multiple of 512 e.g. 8192)
count = how many blocks
skip = skip blocks before start reading
seek = skip blocks before start writing
more info: http://man7.org/linux/man-pages/man1/dd.1.html
There are different models of the LG G4 on the market.
We know that the system partition is different depending on the model of the G4.
As an example I will show you how to calculate the parameters for the LG G4 H815 (International Model).
What you need:
Windows with Send_Command.exe
Instructions:
At first we need to know where the "system" partition starts (first sector) and how big it is (partition size).
I used the first method to find these values. But I recommend the second method because it's easier.
First method (difficult method, extracting the GPT and using "gdisk" in linux to read the partition info)
What you need:
Linux with "gdisk" installed
Instructions:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
We need to copy the partition table to the internal storage.
The partition table of GPT (GUID Partition Table) has a size of 16384 bytes and starts at LBA2.
Each LBA has a size of 512 bytes. Because we start at LBA0 we need to add 1024 bytes.
In summary 16384 + 1024 = 17408 (bytes).
Execute the following command:
Code:
dd if=/dev/block/mmcblk0 bs=1 count=17408 of=/data/media/0/gpt_backup.img
Enter "LEAVE" to restart your phone.
You will find the (very small) file "gpt_backup.img" on your internal storage.
Switch to Linux:
Copy the file to your Linux and open the terminal. Then type this:
Code:
gdisk /yourpath/gpt_backup.img
Some warnings will occur. Ignore them.
You will see:
Code:
Command (? for help):
Enter "p" and hit "enter".
You will get a list of the partitions.
Scroll up a bit and check that you see:
"Logical sector size: 512 bytes"
Scroll down and look for the "system" partition.
You will find a line similar to this:
Code:
47 884736 9363455 4.0GiB FFFF system
Now you know the number of the "system" partition is "47".
You will see:
Code:
Command (? for help):
Type "i" and hit "enter".
You will be asked the partition number.
Enter it and hit "enter".
You will see something conatining lines similar to this:
Code:
First sector: 884736
Last sector: 9363455
Partition size: 8478720
Partition name: 'system'
We need the values from "First sector" and "Partition size".
Second method (easier method, just using "adb shell" to read the partition info)
What you need:
adb shell
usb debugging enabled
To get the "logical sector size" use:
cat /sys/block/mmcblk0/queue/logical_block_size
It should be 512
smason said:
To find in any smartphone the offset and the size of /system:
$ adb shell
[email protected]:/ $ ls -la /dev/block/bootdevice/by-name/system
ls -la /dev/block/bootdevice/by-name/system
lrwxrwxrwx root root 2015-01-02 10:50 system -> /dev/block/mmcblk0p47
[email protected]:/ $ cd /sys/block/mmcblk0/mmcblk0p47
cd /sys/block/mmcblk0/mmcblk0p47
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat start
cat start
884736
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat size
cat size
8478720
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $
so:
offset = 512 * 884736 = 452984832
partition size = 512 * 8478720 = 4341104640
Cheers!
Click to expand...
Click to collapse
So "first sector" is the value from "cat start" (884736).
The "partiton size" is the value from "cat size" (8478720).
Now the mathematics (using the values from above):
Logical sector size = 512 (I never saw something different on LG G4 smartphones)
Assuming bs=8192
skip and seek: "First sector" * "Logical sector size" / bs
884736 * 512 / 8192 = 55296
count: "Partition size" * "Logical sector size" / bs
8478720 * 512 / 8192 = 529920
That was an example for the H815 (International Model).
Use your own values to calulate the "dd" parameters!
Back to Windows:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
Now you can copy your "system" partition to "system.img" with the following command:
Code:
dd if=/dev/block/mmcblk0 bs=8192 skip=55296 count=529920 of=/data/media/0/system.img
Replace the values with the ones you calculated for your model!
Now you could copy the "system.img" to your Linux and root it or do everything else you want.
Important: Do NOT delete the original "system.img" from your internal storage as long as you are not 100% sure your G4 is stable.
If your modifications don't work, you can copy back the original "system" partition (with "dd").
To copy the modified "system_changed.img" back to the "system" partition use the following command:
Code:
dd if=/data/media/0/system_changed.img bs=8192 seek=55296 count=529920 of=/dev/block/mmcblk0
Replace the values with the ones you calculated for your model!
Important: Be sure to use "skip" when reading and "seek" when writing.
The "dd" command should take about a minute.
Did the instructions help you?
Please give a "Thanks!"
Thank you
Hi,
thanks for this great post.
I just have one question. With your formulas and using 8K block size, I get a floating point number as result. So I used a block size of 4K instead, and I get an even number. This seems better to me so I went with it, as I believe smaller block sizes are always ok?
I'm just wondering one thing which seems not right to me. My system partition is reported to be 2.5GB:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A8725BAA-9E45-B2F8-8FA3-8C972F60F0CF
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
So with the formulas:
FACTOR 512 / 4096 = 0.125
skip and seek: "First sector" * "Logical sector size" / bs
836608 *FACTOR = 104576
count: "Partition size" * "Logical sector size" / bs
8478720 * FACTOR = 1059840
If I now run the dd command:
dd if=/dev/block/mmcblk0 bs=4096 skip=104576 count=1059840 of=/storage/external_SD/system.img
I get a file system.img which is 4096 MB. Should it not be 2.5GB as my original system partition?
If I use bs=512 (the default) and type
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=8478720 of=/storage/external_SD/system.img
I get a system.img of the right size (bit over 2.5GB).
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd). I tried the ibs option, but the command then just doesn't work on Send_Command.exe. It doesn't even print an error but simply returns immediately.
Cheers
Jen
Hi,
which phone do you have?
Your calculation seems wrong. It's ok to use BS with 4k. I could be a bit slower then 8k, but that doesn't matter.
BUT: Look at your "count" value. Your partition size is 5237966. You used 8478720 (the value from my G4(H815EU) example). Thats wrong!!!
How to calculate with 1k and your values:
bs=1024
skip=836608*512/1024=418304
count=5237966*512/1024=2618983
Please check my calulation!!!
It's interesting, that the Send_Command shell has access to your external sd card...
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd).
Click to expand...
Click to collapse
No. "bs" is the right parameter.
If you use "bs" it sets "ibs" and "obs" to the value of "bs".
Just do "dd --help" on a linux system for more details.
Hi Dominik,
oh my, how embarrassing I actually did take the wrong value from the example you posted. I used my value (the 5237966) for calculating the parameters with bs=8K, and got a floating value, so tried 4K instead... and the wrong value must have snug in. Oups.
I also get floating value on 4K now that you've pointed my mistake out:
5237966 * 512/4096= 654745.75
If I rounded this up, would this not mean that I copy a tiny bit of the next partition on the image? And if I then use the image to restore, would I not run the risk to damage something in the following partition?
Anyway, it's not a huge drama as I can just use bs=512 and it works.
Yes I have access to the SD card, the image also has copied there successfully. I was also surprised because I read in the forums that it's not possible.
I found it out with the "df" command, as the SD was listed there. I needed to use it because there's no room on my internal storage (it's a ridiculous 8GB on the LG H735) to store the image there.
My system partition is only 2.5GB so I don't think I have to reformat, but you are right it would be better to use ext4.
Ok
I removed my information about formatting the sd card.
You dont't have to format it. FAT32 is ok.
So you can use your sd card on systems which don't support ext4 too.
I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.
jen.magnolis said:
I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.
Click to expand...
Click to collapse
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there
dominik-p said:
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there
Click to expand...
Click to collapse
I just created a new thread too to focus on the particular problem I have:
http://forum.xda-developers.com/g4/general/rooting-lg-g4s-h735-t3243549
this guide helped in dumping boot and recovery partitions.
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.
sparksthedev said:
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.
Click to expand...
Click to collapse
Congratulations
Did you use the first (more komplex) oder the second method for your device?
I saw that you had problems in this thread:
http://forum.xda-developers.com/showthread.php?p=65907557#post65907557
And you wrote a guide for MTK devices here:
http://forum.xda-developers.com/general/general/guide-dumping-boot-img-recovery-img-t3339530
This doesn't work with the LG G4, but I think it will help many others.
Thank you
My sister asked me to root her phone. It seems more complicated than anything I did in the past (HTC Wildfire, Galaxy Core Plus, Xperia M4A).
I tried this tutorial and it kinda worked, but I can't mount image I got, so it's useless (image, not tutorial!).
Phone is LG-H736 (Beat). I got this result in gdisk:
Code:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A9520AE6-ABC6-F107-E8FE-B37C4C30CB77
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
The 8K bs gave me floating point result, so I used 0,5K.
So the dd command were:
Code:
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=5237966 of=/storage/external_SD/system.img
BTW, I had access to SDCard and I didn't need to open ports...
EDIT: I got the system.img. The problem was I haven't got enough space on SD card.
But now I bricked it...
https://forum.xda-developers.com/g4/help/softbricked-g4-beat-lg-h735-t3959237

Categories

Resources