Paul's guide to... backing up, rebuilding and restoring your HTC HERMES ROM |
  |
|
 May 22 2007, 22:20
Post
#1
|
||
 Moderately moderating in moderation...  Group: Moderator Team Posts: 1,336 Joined: 9th May 2005 From: Oadby, Leicester, UK Member No.: 128,356 Device(s): Vario II, 8310, C600, C550  |
You'll notice it says Paul's guide in the topic title, the original method for the M700 was done by Paul, however I've tweaked it to be a bit more Hermes specific
 Reflashing your ROM is dangerous, and you could brick your device if it goes wrong. Only proceed if you are confident with what you are doing - we take no responsibility should anything go wrong! Follow the steps below to backup, rebuild and reflash your ROM. Your device will need to be application unlocked prior to following these steps! If you are using a shipped/non-cooked ROM, then you will notice a SIGNIFICANT memory increase (around 48MB on the standard ROM to 55MB after this guide )Step 1: Install Hard-SPL bootloader Consider Hard-SPL an insurance policy. If all else fails, HardSPL will allow you to flash a working ROM onto your device. Tool required: HardSPL for Hermes - download link - original source - Download file. - Extract to a temporary directory. - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version ) and follow the prompts (you may also have to confirm a prompt on the device itself)Step 2: Dump the OS partition of your device ROM Tools required: itsutils - download link - original source The next step is to get the OS area of the ROM from your device in it's raw format. - Create a new directory (our 'working directory'), e.g. C:\ROM. - Open a command prompt in the your working directory. - Extract the itsutils download to your working directory. - Type 'pdocread -l' at the command prompt. This will produce output similar to below, these are the addresses of the ROM sections. If this fails, ensure your device is application unlocked and that HKLM\Security\Policies\Policies001001 has a value of 1, NOT 2. CODE 114.88M (0x72e0000) FLASHDR | 3.12M (0x31fc00) Part00 | 2.88M (0x2e0000) Part01 | 50.13M (0x3220000) Part02 | 58.75M (0x3ac0000) Part03 10.00M (0xa00000) EXT_FLA | 10.00M (0xa00000) PART00 - We want to read Part02 on FLASHDR, so type 'pdocread -w -d FLASHDR -p Part02 0 0x3220000 Part02.raw' at the command prompt.. Note: The size of Part02 will be different on a HTC Hermes, this will also vary from ROM to ROM. You will need to type in the appropriate length of the block. Eg. If 'pdocread -l' gave you: CODE 114.88M (0x72e0000) FLASHDR | 3.12M (0x31fc00) Part00 | 2.88M (0x2e0000) Part01 | 50.13M (0xRANDOM) Part02 | 58.75M (0x3ac0000) Part03 10.00M (0xa00000) EXT_FLA | 10.00M (0xa00000) PART00 You should type 'pdocread -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw' Now wait while a raw dump of the OS area of the ROM is created on your PC! It will take a while and not look like it's doing anything, but if you browse your working directory in Windows Explorer, you'll see a Part02.raw file growing in size You should double check your values from the pdocread -l output, and adjust accordingly!Step 3: Extract the RAW (IMGFS) file to a dump directory Tools required: ImgfsTools2rc2b - download link - original source - Extract the ImgfsTools2rc2b download to your working directory. - Now we have the IMGFS file, we're going to extract everything from it, ready for an optimised rebuild by the excellent ImgfsTools2. - Type 'imgfstodump part02.raw' at the command prompt. Step 4: Build a new IMGFS file from the dump directory - We've finished the extraction now, and we're ready to start putting everything back together. - Type 'imgfsfromdump part02.raw imgfs.new.bin' at the command prompt. - When you look at the 2 .bin files in the working directory, you should notice the new one is smaller. Strange eh? They have the same contents! Step 5: Download and split a donor NB file Tools required: A valid HTC Hermes RUU - download link Tools required: WinRAR - download link Tools required: NBHextract - download link - original source - After installing WinRAR, copy the downloaded HTC Trinity RUU to your working directory. - Right click the .EXE file, and select 'Extract Here'. - Extract the NBHextract download to your working directory. - Type 'nbhextract ruu_signed.nbh' at the command prompt to convert the NBH to it's component parts. - Type 'nbsplit -hermes 06_os.nb' at the command prompt to split the OS NB file. - Type 'ren 06_os.nb.payload 06_os.nb.old.payload' at the command prompt to make way for our new NB payload. Step 6: Convert the new IMGFS file to a new NB payload file - Type 'imgfstonb imgfs.new.bin 06_os.nb.old.payload 06_os.nb.payload'. This copies all data except the IMGFS partition from os.nb.old.payload to os.nb.payload, then adds the IMGFS partition from imgfs.new.bin. Step 7: Merge the new NB payload into a new NB file - Type 'nbmerge -hermes 06_os.nb' to create our new NB file. Step 8: Convert the new NB file to a NBH file Tool download required: Custom RUU Updater with NBH Generator and script - download link - Download the tool above and right click and extract to /Flash. - Copy 06_OS.nb to this directory - Open a command prompt at this directory and run 'nbhgen sample.txt' - You will now notice that the file RUU_signed.nbh has been created Step 9: Flash the new NBH file - We're ready to go! - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version ) and follow the prompts (you may also have to confirm a prompt on the device itself), and enjoy your new ROM build! Keep a copy of this 'Flash' directory, and you always have copy of your ROM to go back to at a later date.Many thanks to Paul for the original method Phil -------------------- |
||
 |
 
|
||
|
Jun 14 2007, 18:20
Post
#2
|
||
|
Newbie  Group: Posters Posts: 2 Joined: 5th June 2007 Member No.: 263,393 Device(s): htc s710 |
Hi Paul -thanks for the detailed instructions! I have an HTC s710 and want to tweak my ROM too. Will your method work for me? I'm running WM6.
Thanks! |
||
|
|
|
||
|
Jun 14 2007, 18:31
Post
#3
|
||
|
Moderately moderating in moderation... Group: Moderator Team Posts: 1,336 Joined: 9th May 2005 From: Oadby, Leicester, UK Member No.: 128,356 Device(s): Vario II, 8310, C600, C550 |
QUOTE(cirius007 @ Jun 14 2007, 19:20)  Hi Paul -thanks for the detailed instructions! I have an HTC s710 and want to tweak my ROM too. Will your method work for me? I'm running WM6. Thanks! Yes and no. You will be able to back up and reconstruct your ROM (you'll need a HTC Vox Update, not a hermes one as I've linked to here) but you won't be able to flash it back to your device until we can flash unsigned code to it... Phil -------------------- |
||
|
|
|
||
|
Jun 18 2007, 03:52
Post
#4
|
||
|
Newbie Group: Posters Posts: 2 Joined: 5th June 2007 Member No.: 263,393 Device(s): htc s710 |
QUOTE(The Doctor @ Jun 14 2007, 18:31) Yes and no. You will be able to back up and reconstruct your ROM (you'll need a HTC Vox Update, not a hermes one as I've linked to here) but you won't be able to flash it back to your device until we can flash unsigned code to it... Phil So I guess I'll have to wait a while... The Vox roms out there seem to be giving people trouble anyways. The only Rom update I've heard of is from the dopod site and now you have to join to download! They require serials & personal info ...Stupid! Ok, dumb question here. On my s710/Vox , I installed total commander 2 -it's got a neat little feature called "hide files in ROM". can this do anything for me? (I've tried, but to no avail) I didn't think you could play with ROMed files like that, but maybe there's a way? l want to work on files one piece at a time... of course, I'd like to take a more active role in this whole thing, but it all seems rather new and my know-how for Smartphones is limited. What do you suggest I do? |
||
|
|
|
||
|
Jun 19 2007, 15:41
Post
#5
|
||
|
Moderately moderating in moderation... Group: Moderator Team Posts: 1,336 Joined: 9th May 2005 From: Oadby, Leicester, UK Member No.: 128,356 Device(s): Vario II, 8310, C600, C550 |
QUOTE(cirius007 @ Jun 18 2007, 04:52) So I guess I'll have to wait a while... The Vox roms out there seem to be giving people trouble anyways. The only Rom update I've heard of is from the dopod site and now you have to join to download! They require serials & personal info ...Stupid! Ok, dumb question here. On my s710/Vox , I installed total commander 2 -it's got a neat little feature called "hide files in ROM". can this do anything for me? (I've tried, but to no avail) I didn't think you could play with ROMed files like that, but maybe there's a way? l want to work on files one piece at a time... of course, I'd like to take a more active role in this whole thing, but it all seems rather new and my know-how for Smartphones is limited. What do you suggest I do? Files 'in ROM' are files that can't be modified by the user, much like some files in Windows. And you can't copy them to and from your PC so it's not really much help. Thinking about your original question more tho, if you use the following command: CODE pdocread -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw You would end up with a raw backup of your IMGFS (for all intents and purposes, the operating system) If you flashed another ROM update and wanted to restore back to it your raw backup, you could use the following code: CODE pdocwrite -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw However be warned, this is still untested so could potentially brick your device. Also please note you will have to determine the sector length using pdocread -l as per the above guide. Phil -------------------- |
||
|
|
|
||
|
Jun 19 2007, 15:51
Post
#6
|
||
 The Main Man Group: Admin Team Posts: 21,241 Joined: 6th November 2002 From: Norwich, UK Member No.: 1 Device(s): HTC Touch HD |
How spooky, i'm just playing pdocread/pdocwrite with a Touch atm!
Scary stuff  P --------------------   |
||
|
|
|
||
|
Jun 19 2007, 18:20
Post
#7
|
||
|
The Main Man Group: Admin Team Posts: 21,241 Joined: 6th November 2002 From: Norwich, UK Member No.: 1 Device(s): HTC Touch HD |
That pdocwrite syntax isn't quite right - it gives me an error:
QUOTE ERROR: Unable to open host/destination file - The system cannot find the file specified. Syntax must be slightly wrong... P -------------------- |
||
|
|
|
||
|
Jun 24 2007, 15:48
Post
#8
|
||
|
Regular  Group: Posters Posts: 85 Joined: 5th December 2006 From: High Wycombe Member No.: 216,955 Device(s): MDA Vario II, O2 XDA 2S |
QUOTE(The Doctor @ May 22 2007, 23:20) ........ - Type 'pdocread -l' at the command prompt. This will produce output similar to below, these are the addresses of the ROM sections. If this fails, ensure your device is application unlocked and that HKLM\Security\Policies\Policies\1001 has a value of 1, NOT 2. Phil Paul/Phil, I have a problem. When I type "pdocread -1" at the prompt in the C:\ROM folder, all I get is this: C:\ROM>pdocread -1 Clearly these are just the available commands and prompts but I appear to have an "application unlocked" device (your comments noted) but had to change the Registry key - is that how to application unlock? I have soft reset and the reg key stayed set to 1001. I note there are many 'unlockers' but they are not referred to as application unlockers. Can you (or anybody) help me? Thanks -------------------- Tony
Vario II IPL:1.04 / SPL:2.10 Olipro Radio:1.54.07.00 OS:Schaps 4.01 |
||
|
|
|
||
|
Jun 24 2007, 16:06
Post
#9
|
||
|
Enthusiast  Group: MoDaCo Ad Free Posts: 270 Joined: 11th January 2006 From: North Essex Member No.: 167,028 Device(s): Orange TyTNII |
QUOTE(Tony W @ Jun 24 2007, 16:48) Paul/Phil, I have a problem. When I type "pdocread -1" at the prompt in the C:\ROM folder, all I get is this: C:\ROM>pdocread -1 Clearly these are just the available commands and prompts but I appear to have an "application unlocked" device (your comments noted) but had to change the Registry key - is that how to application unlock? I have soft reset and the reg key stayed set to 1001. I note there are many 'unlockers' but they are not referred to as application unlockers. Can you (or anybody) help me? Thanks The option you need is -l (lower case "ell") and not -1 (digit one) -------------------- |
||
|
|
|
||
|
Jun 24 2007, 16:14
Post
#10
|
||
|
Regular Group: Posters Posts: 85 Joined: 5th December 2006 From: High Wycombe Member No.: 216,955 Device(s): MDA Vario II, O2 XDA 2S |
QUOTE(mwright @ Jun 24 2007, 17:06) The option you need is -l (lower case "ell") and not -1 (digit one) Thanks - will try that. Silly me 
-------------------- Tony
Vario II IPL:1.04 / SPL:2.10 Olipro Radio:1.54.07.00 OS:Schaps 4.01 |
||
|
|
|
||
|
Jun 24 2007, 16:48
Post
#11
|
||
|
Regular Group: Posters Posts: 85 Joined: 5th December 2006 From: High Wycombe Member No.: 216,955 Device(s): MDA Vario II, O2 XDA 2S |
QUOTE(Tony W @ Jun 24 2007, 17:14) Thanks - will try that. Silly me The dump of my raw ROM is starting OK but I keep getting this after about 4-5 mins (dump at about 10Mb): ERROR: ITReadDisk: outbuf==NULL - An established connection was aborted by the software in your host machine At the same time as this appears I get the sound of Activesync loosing contact with the device and activesync shows no device connected - a simply re-dock brings it back. I have tried Google searches and just come up with references to .net framework apps and a need to configure the windows firewall. I use only Zonealarm and have turned that off. I even tried turning off Norton Antivirus in case that was the case of the problem. Device still OK and Antivesync works on re-docking. I have had no previous problems with Activesync. EDIT: With no changes here it just worked! Now have a 53.5Mb raw UK T-Mobile ROM so here goes for the rest... Regards This post has been edited by Tony W: Jun 24 2007, 16:58 -------------------- Tony
Vario II IPL:1.04 / SPL:2.10 Olipro Radio:1.54.07.00 OS:Schaps 4.01 |
||
|
|
|
||
|
Jun 24 2007, 18:17
Post
#12
|
||
|
Regular Group: Posters Posts: 85 Joined: 5th December 2006 From: High Wycombe Member No.: 216,955 Device(s): MDA Vario II, O2 XDA 2S |
QUOTE(The Doctor @ May 22 2007, 23:20) ................ - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version ) and follow the prompts (you may also have to confirm a prompt on the device itself), and enjoy your new ROM build! Keep a copy of this 'Flash' directory, and you always have copy of your ROM to go back to at a later date.Many thanks to Paul for the original method Phil Phil/Paul, Thank you for all that. I followed it all and got no adverse warnings (apart from the initial failure to dump the existing ROM) so I assume that I have a working way to get back to this original WM5 ROM (T-Mob UK 1.21.110.1). I am keen to know more about what I just did and how the files were created. Not the technical detail but what was going on with regard to kept and replaced files at each stage. I am new to upgrades and have used this method so that I can go back to my current (original T-Mob) ROM if needed after future upgrades. Next steps may well be radio and WM6 upgrades - I assume this ROM copy of mine has no radio it it and used just the OS part (06_OS.nb) to create the upgrade? Did you effectively just take me through 'cooking' my first ROM? I assume that the downloaded Orange upgrade provided the core software (RUU) and that some of the original files were used whilst others were replaced with my original ROM dump? I know that there is a great deal written on this on guides on XDA Developers and I intend to read them..... Thanks for the help - hopefully I will not need to use this. I note that there are no comments from Hermes users who might have downgraded from WM6 for warranty repair - are you aware of any?If T-Mobile were to release a new WM6 and radio upgrade would that be in one RUU file and would that include the appropriate new Extended ROM files too? If so then I assume I could also create a totally new WM6 and radio and Ext ROM RUU that also included all these files (once I had it all working). One last question: you say that I should keep the folder "Flash" but it has a 5 files (as per the attached) - do I not need only to keep the 2 files: RUUWrapper.exe and the actual update RUU_signed.nbh? Thanks for your help This post has been edited by Tony W: Jun 25 2007, 10:55
Attached File(s)
-------------------- Tony
Vario II IPL:1.04 / SPL:2.10 Olipro Radio:1.54.07.00 OS:Schaps 4.01 |
||
|
|
|
||
|
Jun 25 2007, 21:43
Post
#13
|
||
|
Moderately moderating in moderation... Group: Moderator Team Posts: 1,336 Joined: 9th May 2005 From: Oadby, Leicester, UK Member No.: 128,356 Device(s): Vario II, 8310, C600, C550 |
QUOTE(Tony W @ Jun 24 2007, 19:17) Phil/Paul, Thank you for all that. I followed it all and got no adverse warnings (apart from the initial failure to dump the existing ROM) so I assume that I have a working way to get back to this original WM5 ROM (T-Mob UK 1.21.110.1). I am keen to know more about what I just did and how the files were created. Not the technical detail but what was going on with regard to kept and replaced files at each stage. I am new to upgrades and have used this method so that I can go back to my current (original T-Mob) ROM if needed after future upgrades. Next steps may well be radio and WM6 upgrades - I assume this ROM copy of mine has no radio it it and used just the OS part (06_OS.nb) to create the upgrade? Yes this is just the OS section of the ROM. If you can find IPL 1.01, SPL 1.04, extract your splash screen images, and your Radio version and the Extended ROM and then generate the lot into an NBH, you will have a 'complete' ROM backup QUOTE(Tony W @ Jun 24 2007, 19:17) Did you effectively just take me through 'cooking' my first ROM? I assume that the downloaded Orange upgrade provided the core software (RUU) and that some of the original files were used whilst others were replaced with my original ROM dump? 'Cooking' is more a term to describe modifying the ROM such as embedding applications such as Windows Live or tweaking it more to your liking etc. The Orange upgrade provided various essential bits of the ROM that aren't in the IMGFS section you dumped, bits such as the cold boot kernel, the XIP etc. QUOTE(Tony W @ Jun 24 2007, 19:17) Thanks for the help - hopefully I will not need to use this. I note that there are no comments from Hermes users who might have downgraded from WM6 for warranty repair - are you aware of any?I've not heard of anything besides the screen alignment issues in early production batches. QUOTE(Tony W @ Jun 24 2007, 19:17) If T-Mobile were to release a new WM6 and radio upgrade would that be in one RUU file and would that include the appropriate new Extended ROM files too? If so then I assume I could also create a totally new WM6 and radio and Ext ROM RUU that also included all these files (once I had it all working). If T-Mobile UK releases a WM6 ROM update then yes it would contain everything. However as you would have that to flash back to, there wouldn't really be any need to dump the ROM and reconstruct it except possibly the memory you would gain after dumping and reconstructing. QUOTE(Tony W @ Jun 24 2007, 19:17) One last question: you say that I should keep the folder "Flash" but it has a 5 files (as per the attached) - do I not need only to keep the 2 files: RUUWrapper.exe and the actual update RUU_signed.nbh? Yes you only really need to keep RUUWrapper.exe and RUU_signed.nbh. QUOTE(Tony W @ Jun 24 2007, 19:17) Thanks for your help Your welcome Phil -------------------- |
||
|
|
|
||
|
Jun 30 2007, 13:24
Post
#14
|
||
|
Newbie Group: Posters Posts: 36 Joined: 13th September 2006 Member No.: 206,046 Device(s): MDA Vario II |
Hi - When you say 'your device needs to be Applcation Unlocked' - does this just mean you need to install the Hard-SPL bootloader? Or is there another program that you need to run to application unlock the device?
Thanks |
||
|
|
|
||
|
Jul 1 2007, 10:59
Post
#15
|
||
|
Moderately moderating in moderation... Group: Moderator Team Posts: 1,336 Joined: 9th May 2005 From: Oadby, Leicester, UK Member No.: 128,356 Device(s): Vario II, 8310, C600, C550 |
QUOTE(nsm @ Jun 30 2007, 14:24) Hi - When you say 'your device needs to be Applcation Unlocked' - does this just mean you need to install the Hard-SPL bootloader? Or is there another program that you need to run to application unlock the device? Thanks Using a registry editor, check that the value of HKLM\Security\Policies\Policies001001 = 1 If it is, then it's app unlocked. If its not, then change it to 1 to unlock it Phil -------------------- |
||
|
|
|
||
|
Jul 14 2007, 08:02
Post
#16
|
||
|
Newbie Group: Posters Posts: 1 Joined: 14th July 2007 Member No.: 277,733 Device(s): JASJAM |
Hi Everyone:
Thanks for this great guide. I have a JASJAM (aka Dopod 838 pro) device and I am stock in a "invalid vendor ID" situation. I already tried flashing official rom, hard-reset, re-upgrading but without luck. I read in xda-developers about downloading and installing Platform Builder from Microsoft and generate a WinCE system on the device to make it come back to life again. Now of course this process is long considering that the software to be downloaded is around 4GB. My question is that: If after finishing this process of installing WinCE image on the device, I am planning to follow the steps mentions in this page in order to generate an nbh file. So first question? will this guide help in case of WinCE plattform generated by Plattform builder? If that's a yes, then my next step is to use the nbh file from now on as a new guide to fix JASJAM problems using SD card flashing principle found in xda-developers as well. So bascially, this nbh file will be renamed to hermimg.ngh, transfered to SD card root folder, then apply the steps of SD card flashing. In a nutshell: 1- Create a Windows CE platform from Platform builder v5.0 from MS 2- Using this guide to dump this new plattform (and requesting your kind comments if different steps/comments/flags/parameters are required. 3- Use the new generated nbh file as a base for SD card flashing for any brick hermes. If all this go well with your support, and of course if all this sounds reasonable, hopefull I will add a new discussion topic for this subject. Please advise your comments and whether there are any tips to be taken into cosnideration. Thank you and have a pleasant day. samery. |
||
|
|
|
||
|
Oct 31 2007, 12:52
Post
#17
|
||
|
Newbie Group: Posters Posts: 1 Joined: 29th March 2006 Member No.: 180,817 Device(s): torq p120 |
I'm stucked with STEP 4.
When I type imgfsfromdump part02.raw imgfs.new.bin it gives me: ImgfsFromDump 2.0 RC 2 Cannot read 'dump' subdirectory. Exiting. How can solve this issue? |
||
|
|
|
||
