Guest The Doctor Posted May 22, 2007 Report Share Posted May 22, 2007 You'll notice it says Paul's guide in the topic title, the original method for the M700 was done by Paul, however I've tweaked it to be a bit more Hermes specific :rolleyes: Reflashing your ROM is dangerous, and you could brick your device if it goes wrong. Only proceed if you are confident with what you are doing - we take no responsibility should anything go wrong! Follow the steps below to backup, rebuild and reflash your ROM. Your device will need to be application unlocked prior to following these steps! If you are using a shipped/non-cooked ROM, then you will notice a SIGNIFICANT memory increase (around 48MB on the standard ROM to 55MB after this guide :P) Step 1: Install Hard-SPL bootloader Consider Hard-SPL an insurance policy. If all else fails, HardSPL will allow you to flash a working ROM onto your device. Tool required: HardSPL for Hermes - download link - original source - Download file. - Extract to a temporary directory. - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version :D) and follow the prompts (you may also have to confirm a prompt on the device itself) Step 2: Dump the OS partition of your device ROM Tools required: itsutils - download link - original source The next step is to get the OS area of the ROM from your device in it's raw format. - Create a new directory (our 'working directory'), e.g. C:\ROM. - Open a command prompt in the your working directory. - Extract the itsutils download to your working directory. - Type 'pdocread -l' at the command prompt. This will produce output similar to below, these are the addresses of the ROM sections. If this fails, ensure your device is application unlocked and that HKLM\Security\Policies\Policies001001 has a value of 1, NOT 2. 114.88M (0x72e0000) FLASHDR | 3.12M (0x31fc00) Part00 | 2.88M (0x2e0000) Part01 | 50.13M (0x3220000) Part02 | 58.75M (0x3ac0000) Part03 10.00M (0xa00000) EXT_FLA | 10.00M (0xa00000) PART00 - We want to read Part02 on FLASHDR, so type 'pdocread -w -d FLASHDR -p Part02 0 0x3220000 Part02.raw' at the command prompt.. Note: The size of Part02 will be different on a HTC Hermes, this will also vary from ROM to ROM. You will need to type in the appropriate length of the block. Eg. If 'pdocread -l' gave you: 114.88M (0x72e0000) FLASHDR | 3.12M (0x31fc00) Part00 | 2.88M (0x2e0000) Part01 | 50.13M (0xRANDOM) Part02 | 58.75M (0x3ac0000) Part03 10.00M (0xa00000) EXT_FLA | 10.00M (0xa00000) PART00 You should type 'pdocread -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw' Now wait while a raw dump of the OS area of the ROM is created on your PC! It will take a while and not look like it's doing anything, but if you browse your working directory in Windows Explorer, you'll see a Part02.raw file growing in size :D You should double check your values from the pdocread -l output, and adjust accordingly! Step 3: Extract the RAW (IMGFS) file to a dump directory Tools required: ImgfsTools2rc2b - download link - original source - Extract the ImgfsTools2rc2b download to your working directory. - Now we have the IMGFS file, we're going to extract everything from it, ready for an optimised rebuild by the excellent ImgfsTools2. - Type 'imgfstodump part02.raw' at the command prompt. Step 4: Build a new IMGFS file from the dump directory - We've finished the extraction now, and we're ready to start putting everything back together. - Type 'imgfsfromdump part02.raw imgfs.new.bin' at the command prompt. - When you look at the 2 .bin files in the working directory, you should notice the new one is smaller. Strange eh? They have the same contents! Step 5: Download and split a donor NB file Tools required: A valid HTC Hermes RUU - download link Tools required: WinRAR - download link Tools required: NBHextract - download link - original source - After installing WinRAR, copy the downloaded HTC Trinity RUU to your working directory. - Right click the .EXE file, and select 'Extract Here'. - Extract the NBHextract download to your working directory. - Type 'nbhextract ruu_signed.nbh' at the command prompt to convert the NBH to it's component parts. - Type 'nbsplit -hermes 06_os.nb' at the command prompt to split the OS NB file. - Type 'ren 06_os.nb.payload 06_os.nb.old.payload' at the command prompt to make way for our new NB payload. Step 6: Convert the new IMGFS file to a new NB payload file - Type 'imgfstonb imgfs.new.bin 06_os.nb.old.payload 06_os.nb.payload'. This copies all data except the IMGFS partition from os.nb.old.payload to os.nb.payload, then adds the IMGFS partition from imgfs.new.bin. Step 7: Merge the new NB payload into a new NB file - Type 'nbmerge -hermes 06_os.nb' to create our new NB file. Step 8: Convert the new NB file to a NBH file Tool download required: Custom RUU Updater with NBH Generator and script - download link - Download the tool above and right click and extract to /Flash. - Copy 06_OS.nb to this directory - Open a command prompt at this directory and run 'nbhgen sample.txt' - You will now notice that the file RUU_signed.nbh has been created Step 9: Flash the new NBH file - We're ready to go! - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version :rolleyes:) and follow the prompts (you may also have to confirm a prompt on the device itself), and enjoy your new ROM build! Keep a copy of this 'Flash' directory, and you always have copy of your ROM to go back to at a later date. Many thanks to Paul for the original method B) Phil Link to comment Share on other sites More sharing options...
Guest cirius007 Posted June 14, 2007 Report Share Posted June 14, 2007 Hi Paul -thanks for the detailed instructions! I have an HTC s710 and want to tweak my ROM too. Will your method work for me? I'm running WM6. Thanks! Link to comment Share on other sites More sharing options...
Guest The Doctor Posted June 14, 2007 Report Share Posted June 14, 2007 Hi Paul -thanks for the detailed instructions! I have an HTC s710 and want to tweak my ROM too. Will your method work for me? I'm running WM6. Thanks! Yes and no. You will be able to back up and reconstruct your ROM (you'll need a HTC Vox Update, not a hermes one as I've linked to here) but you won't be able to flash it back to your device until we can flash unsigned code to it... Phil Link to comment Share on other sites More sharing options...
Guest cirius007 Posted June 18, 2007 Report Share Posted June 18, 2007 Yes and no. You will be able to back up and reconstruct your ROM (you'll need a HTC Vox Update, not a hermes one as I've linked to here) but you won't be able to flash it back to your device until we can flash unsigned code to it... Phil So I guess I'll have to wait a while... The Vox roms out there seem to be giving people trouble anyways. The only Rom update I've heard of is from the dopod site and now you have to join to download! They require serials & personal info ...Stupid! Ok, dumb question here. On my s710/Vox , I installed total commander 2 -it's got a neat little feature called "hide files in ROM". can this do anything for me? (I've tried, but to no avail) I didn't think you could play with ROMed files like that, but maybe there's a way? l want to work on files one piece at a time... of course, I'd like to take a more active role in this whole thing, but it all seems rather new and my know-how for Smartphones is limited. What do you suggest I do? Link to comment Share on other sites More sharing options...
Guest The Doctor Posted June 19, 2007 Report Share Posted June 19, 2007 So I guess I'll have to wait a while... The Vox roms out there seem to be giving people trouble anyways. The only Rom update I've heard of is from the dopod site and now you have to join to download! They require serials & personal info ...Stupid! Ok, dumb question here. On my s710/Vox , I installed total commander 2 -it's got a neat little feature called "hide files in ROM". can this do anything for me? (I've tried, but to no avail) I didn't think you could play with ROMed files like that, but maybe there's a way? l want to work on files one piece at a time... of course, I'd like to take a more active role in this whole thing, but it all seems rather new and my know-how for Smartphones is limited. What do you suggest I do? Files 'in ROM' are files that can't be modified by the user, much like some files in Windows. And you can't copy them to and from your PC so it's not really much help. Thinking about your original question more tho, if you use the following command: pdocread -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw You would end up with a raw backup of your IMGFS (for all intents and purposes, the operating system) If you flashed another ROM update and wanted to restore back to it your raw backup, you could use the following code: pdocwrite -w -d FLASHDR -p Part02 0 0xRANDOM Part02.raw However be warned, this is still untested so could potentially brick your device. Also please note you will have to determine the sector length using pdocread -l as per the above guide. Phil Link to comment Share on other sites More sharing options...
Guest Paul (MVP) Posted June 19, 2007 Report Share Posted June 19, 2007 How spooky, i'm just playing pdocread/pdocwrite with a Touch atm! Scary stuff :rolleyes: P Link to comment Share on other sites More sharing options...
Guest Paul (MVP) Posted June 19, 2007 Report Share Posted June 19, 2007 That pdocwrite syntax isn't quite right - it gives me an error: ERROR: Unable to open host/destination file - The system cannot find the file specified. Syntax must be slightly wrong... P Link to comment Share on other sites More sharing options...
Guest Tony W Posted June 24, 2007 Report Share Posted June 24, 2007 ........ - Type 'pdocread -l' at the command prompt. This will produce output similar to below, these are the addresses of the ROM sections. If this fails, ensure your device is application unlocked and that HKLM\Security\Policies\Policies\1001 has a value of 1, NOT 2. Phil Paul/Phil, I have a problem. When I type "pdocread -1" at the prompt in the C:\ROM folder, all I get is this: C:\ROM>pdocread -1 Usage: pdocread [options] start [ length [ filename ] ] when no length is specified, 512 bytes are assumed when no filename is specified, a hexdump is printed -t : find exact disk size -l : list all diskdevices .......lots more..... if no length is specified, 512 bytes are printed numbers can be specified as hex (ex: 0x8000) or decimal (ex: 32768) Clearly these are just the available commands and prompts but I appear to have an "application unlocked" device (your comments noted) but had to change the Registry key - is that how to application unlock? I have soft reset and the reg key stayed set to 1001. I note there are many 'unlockers' but they are not referred to as application unlockers. Can you (or anybody) help me? Thanks Link to comment Share on other sites More sharing options...
Guest mwright Posted June 24, 2007 Report Share Posted June 24, 2007 Paul/Phil, I have a problem. When I type "pdocread -1" at the prompt in the C:\ROM folder, all I get is this: C:\ROM>pdocread -1 Usage: pdocread [options] start [ length [ filename ] ] when no length is specified, 512 bytes are assumed when no filename is specified, a hexdump is printed -t : find exact disk size -l : list all diskdevices .......lots more..... if no length is specified, 512 bytes are printed numbers can be specified as hex (ex: 0x8000) or decimal (ex: 32768) Clearly these are just the available commands and prompts but I appear to have an "application unlocked" device (your comments noted) but had to change the Registry key - is that how to application unlock? I have soft reset and the reg key stayed set to 1001. I note there are many 'unlockers' but they are not referred to as application unlockers. Can you (or anybody) help me? Thanks The option you need is -l (lower case "ell") and not -1 (digit one) Link to comment Share on other sites More sharing options...
Guest Tony W Posted June 24, 2007 Report Share Posted June 24, 2007 The option you need is -l (lower case "ell") and not -1 (digit one) Thanks - will try that. Silly me :) Link to comment Share on other sites More sharing options...
Guest Tony W Posted June 24, 2007 Report Share Posted June 24, 2007 (edited) Thanks - will try that. Silly me :) The dump of my raw ROM is starting OK but I keep getting this after about 4-5 mins (dump at about 10Mb): ERROR: ITReadDisk: outbuf==NULL - An established connection was aborted by the software in your host machine At the same time as this appears I get the sound of Activesync loosing contact with the device and activesync shows no device connected - a simply re-dock brings it back. I have tried Google searches and just come up with references to .net framework apps and a need to configure the windows firewall. I use only Zonealarm and have turned that off. I even tried turning off Norton Antivirus in case that was the case of the problem. Device still OK and Antivesync works on re-docking. I have had no previous problems with Activesync. EDIT: With no changes here it just worked! Now have a 53.5Mb raw UK T-Mobile ROM so here goes for the rest... Regards Edited June 24, 2007 by Tony W Link to comment Share on other sites More sharing options...
Guest Tony W Posted June 24, 2007 Report Share Posted June 24, 2007 (edited) ................ - Run 'RUUWrapper.exe', press 'AutoDetect' (this will automagically determine you bootloader version :)) and follow the prompts (you may also have to confirm a prompt on the device itself), and enjoy your new ROM build! Keep a copy of this 'Flash' directory, and you always have copy of your ROM to go back to at a later date. Many thanks to Paul for the original method :P Phil Phil/Paul, Thank you for all that. I followed it all and got no adverse warnings (apart from the initial failure to dump the existing ROM) so I assume that I have a working way to get back to this original WM5 ROM (T-Mob UK 1.21.110.1). I am keen to know more about what I just did and how the files were created. Not the technical detail but what was going on with regard to kept and replaced files at each stage. I am new to upgrades and have used this method so that I can go back to my current (original T-Mob) ROM if needed after future upgrades. Next steps may well be radio and WM6 upgrades - I assume this ROM copy of mine has no radio it it and used just the OS part (06_OS.nb) to create the upgrade? Did you effectively just take me through 'cooking' my first ROM? I assume that the downloaded Orange upgrade provided the core software (RUU) and that some of the original files were used whilst others were replaced with my original ROM dump? I know that there is a great deal written on this on guides on XDA Developers and I intend to read them..... Thanks for the help ;) - hopefully I will not need to use this. I note that there are no comments from Hermes users who might have downgraded from WM6 for warranty repair - are you aware of any? If T-Mobile were to release a new WM6 and radio upgrade would that be in one RUU file and would that include the appropriate new Extended ROM files too? If so then I assume I could also create a totally new WM6 and radio and Ext ROM RUU that also included all these files (once I had it all working). One last question: you say that I should keep the folder "Flash" but it has a 5 files (as per the attached) - do I not need only to keep the 2 files: RUUWrapper.exe and the actual update RUU_signed.nbh? Thanks for your helpRUU_Files.bmp Edited June 25, 2007 by Tony W Link to comment Share on other sites More sharing options...
Guest The Doctor Posted June 25, 2007 Report Share Posted June 25, 2007 Phil/Paul, Thank you for all that. I followed it all and got no adverse warnings (apart from the initial failure to dump the existing ROM) so I assume that I have a working way to get back to this original WM5 ROM (T-Mob UK 1.21.110.1). I am keen to know more about what I just did and how the files were created. Not the technical detail but what was going on with regard to kept and replaced files at each stage. I am new to upgrades and have used this method so that I can go back to my current (original T-Mob) ROM if needed after future upgrades. Next steps may well be radio and WM6 upgrades - I assume this ROM copy of mine has no radio it it and used just the OS part (06_OS.nb) to create the upgrade? Yes this is just the OS section of the ROM. If you can find IPL 1.01, SPL 1.04, extract your splash screen images, and your Radio version and the Extended ROM and then generate the lot into an NBH, you will have a 'complete' ROM backup :) Did you effectively just take me through 'cooking' my first ROM? I assume that the downloaded Orange upgrade provided the core software (RUU) and that some of the original files were used whilst others were replaced with my original ROM dump? 'Cooking' is more a term to describe modifying the ROM such as embedding applications such as Windows Live or tweaking it more to your liking etc. The Orange upgrade provided various essential bits of the ROM that aren't in the IMGFS section you dumped, bits such as the cold boot kernel, the XIP etc. Thanks for the help :P - hopefully I will not need to use this. I note that there are no comments from Hermes users who might have downgraded from WM6 for warranty repair - are you aware of any? I've not heard of anything besides the screen alignment issues in early production batches. If T-Mobile were to release a new WM6 and radio upgrade would that be in one RUU file and would that include the appropriate new Extended ROM files too? If so then I assume I could also create a totally new WM6 and radio and Ext ROM RUU that also included all these files (once I had it all working). If T-Mobile UK releases a WM6 ROM update then yes it would contain everything. However as you would have that to flash back to, there wouldn't really be any need to dump the ROM and reconstruct it except possibly the memory you would gain after dumping and reconstructing. One last question: you say that I should keep the folder "Flash" but it has a 5 files (as per the attached) - do I not need only to keep the 2 files: RUUWrapper.exe and the actual update RUU_signed.nbh? Yes you only really need to keep RUUWrapper.exe and RUU_signed.nbh. Thanks for your help Your welcome ;) Phil Link to comment Share on other sites More sharing options...
Guest nsm Posted June 30, 2007 Report Share Posted June 30, 2007 Hi - When you say 'your device needs to be Applcation Unlocked' - does this just mean you need to install the Hard-SPL bootloader? Or is there another program that you need to run to application unlock the device? Thanks Link to comment Share on other sites More sharing options...
Guest The Doctor Posted July 1, 2007 Report Share Posted July 1, 2007 Hi - When you say 'your device needs to be Applcation Unlocked' - does this just mean you need to install the Hard-SPL bootloader? Or is there another program that you need to run to application unlock the device? Thanks Using a registry editor, check that the value of HKLM\Security\Policies\Policies001001 = 1 If it is, then it's app unlocked. If its not, then change it to 1 to unlock it :) Phil Link to comment Share on other sites More sharing options...
Guest samery Posted July 14, 2007 Report Share Posted July 14, 2007 Hi Everyone: Thanks for this great guide. I have a JASJAM (aka Dopod 838 pro) device and I am stock in a "invalid vendor ID" situation. I already tried flashing official rom, hard-reset, re-upgrading but without luck. I read in xda-developers about downloading and installing Platform Builder from Microsoft and generate a WinCE system on the device to make it come back to life again. Now of course this process is long considering that the software to be downloaded is around 4GB. My question is that: If after finishing this process of installing WinCE image on the device, I am planning to follow the steps mentions in this page in order to generate an nbh file. So first question? will this guide help in case of WinCE plattform generated by Plattform builder? If that's a yes, then my next step is to use the nbh file from now on as a new guide to fix JASJAM problems using SD card flashing principle found in xda-developers as well. So bascially, this nbh file will be renamed to hermimg.ngh, transfered to SD card root folder, then apply the steps of SD card flashing. In a nutshell: 1- Create a Windows CE platform from Platform builder v5.0 from MS 2- Using this guide to dump this new plattform (and requesting your kind comments if different steps/comments/flags/parameters are required. 3- Use the new generated nbh file as a base for SD card flashing for any brick hermes. If all this go well with your support, and of course if all this sounds reasonable, hopefull I will add a new discussion topic for this subject. Please advise your comments and whether there are any tips to be taken into cosnideration. Thank you and have a pleasant day. samery. Link to comment Share on other sites More sharing options...
Guest sahmedkh Posted October 31, 2007 Report Share Posted October 31, 2007 I'm stucked with STEP 4. When I type imgfsfromdump part02.raw imgfs.new.bin it gives me: ImgfsFromDump 2.0 RC 2 Cannot read 'dump' subdirectory. Exiting. How can solve this issue? Link to comment Share on other sites More sharing options...
Guest Paul (MVP) Posted October 31, 2007 Report Share Posted October 31, 2007 Well is there a dump subdirectory? P Link to comment Share on other sites More sharing options...
Guest crusti Posted November 23, 2007 Report Share Posted November 23, 2007 (edited) i deleted what i said before i kept getting error 260 from the Hermes update utility, had a guy called cmonex help me, he explained it meant the pc and phone wernt communicating during the upgrade ( eventho activesync worked fine) i change my usb cable and everything worked Edited November 24, 2007 by crusti Link to comment Share on other sites More sharing options...
Guest onedagan Posted February 23, 2008 Report Share Posted February 23, 2008 Step 8: Convert the new NB file to a NBH file Tool download required: Custom RUU Updater with NBH Generator and script - download link - Download the tool above and right click and extract to /Flash. - Copy 06_OS.nb to this directory - Open a command prompt at this directory and run 'nbhgen sample.txt' - You will now notice that the file RUU_signed.nbh has been created i stck hare and the lik dad anddd tnxxx :) Link to comment Share on other sites More sharing options...
Guest xenonsky Posted May 24, 2008 Report Share Posted May 24, 2008 After I run Step 9: the screen told me the ROM upgrade had completed successfully. But my Hermes screen is blank and it won't turn on anymore. I tried to hold "power" and side "ok" button and hit soft reset and nothing happend. Then I took battery out and plug in USB cable and I only get red LED on top next to the Internet Explorer button. When I put battery back in the Red LED doesn't turn back to amber (the normal charging light), but I try the buttons to get it to bootloader again but nothing happens. Any suggestion? Thanks Link to comment Share on other sites More sharing options...
Guest Will.x Posted September 1, 2008 Report Share Posted September 1, 2008 (edited) Hello Paul, Thank you for sharing your knowledge, I am still a beginner but learning as I go and plan to take couple of risks with caution. I hope you can give me feedback on the following please I really need it. I have a HP iPAQ 612c it has WM6. My main goal is really simple but maybe dangerous. 1- backup pda images 2- restore pda images <--- dangerous using the latest pdocread and pdocread itsutilsbin-20080731-2.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html 79.92M (0x4fec000) TRUEFFS | 1.31M (0x14fc00) Part00 | 1.88M (0x1e0000) Part01 | 76.73M (0x4cbc000) Part02 127.88M (0x7fe0000) TRUEFFS | 1.31M (0x14fc00) Part00 | 1.88M (0x1e0000) Part01 | 76.73M (0x4cbc000) Part02 24.98M (0x18fc000) TRUEFFS | 1.31M (0x14fc00) Part00 | 1.88M (0x1e0000) Part01 | 76.73M (0x4cbc000) Part02 7.61G (0x1e6e00000) DSK1: | 7.60G (0x1e6a00000) Part00 The follwing 2 methods is what I used to back up the 3 parts, both methods produced exactly the same file lengths, I am not sure if one method is more accurate than the other, can you please if there is any difference between the 2 methods? Method 1 pdocread -w -d TrueFFS -b 0x800 -p Part00 0 0x14fc00 Part00.raw pdocread -w -d TrueFFS -b 0x800 -p Part01 0 0x1e0000 Part01.raw pdocread -w -d TrueFFS -b 0x800 -p Part02 0 0x4cbc000 Part02.raw Method 2 pdocread -w -d TrueFFS -p Part00 0 0x14fc00 Part00.raw pdocread -w -d TrueFFS -p Part01 0 0x1e0000 Part01.raw pdocread -w -d TrueFFS -p Part02 0 0x4cbc000 Part02.raw I have also learnt that I should backup this file diskimage_Ver.nb0, I am not sure what is the difference between the diskimage_Ver.nb0 and Part02.raw but to show the correct address I typed pdocread -t To back up I type pdocread 0x0 0x5000000 diskimage_Ver.nb0 Here is the most important question of all and one that I've been searching for an answer for, for at least 3 weeks now. I would like to learn how I can safely write the image I created back to the PDA please so here is what I learnt from one of your posts and I wanted to confirm with you if the following line seems to be correct? I changed from FLASHDR to TRUEFFS and also changed the address to map to Part02.raw can you confirm if this is correct? pdocwrite -w -d TRUEFFS -p Part02 0 0x4cbc000 Part02.raw I am not sure how I can write back the diskimage_Ver.nb0 file using pdocwrite? What are the correct arguments? pdocwrite 0x0 0x5000000 diskimage_Ver.nb0 Thanking you in advance and I'd really apprecaite any feedback. Thanks Edited September 1, 2008 by Will.x Link to comment Share on other sites More sharing options...
Guest Will.x Posted September 2, 2008 Report Share Posted September 2, 2008 I tried this line and it is incorrect pdocwrite -w -d TRUEFFS -p Part02 0 0x4cbc000 Part02.raw it will produce the following error: C:\tools>pdocwrite -w -d TRUEFFS -p Part02 0 0x4cbc000 Part02.raw CopyFileToTFFS(0:0, 4cbc000, 00000000) ERROR: Unable to open host/destination file - The system cannot find the file specified. but then I tried the following which seems to be a little more accurate but also produced an error:- pdocwrite part02.raw -w -d TRUEFFS -p Part02 0 0x4cbc000 The error is :- C:\tools>pdocwrite part02.raw -w -d TRUEFFS -p Part02 0 0x4cbc000 CopyFileToTFFS(part02.raw:0, 0, 04cbc000) ERROR: ITWriteDisk - The media is write protected. any ideas? thanks Link to comment Share on other sites More sharing options...
Guest Will.x Posted September 3, 2008 Report Share Posted September 3, 2008 (edited) I feel like I am speaking with myself in here. comon any feedback please! Edited September 3, 2008 by Will.x Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now