Posted

wowzers ... this sounds like the most impressive development for the SPV ever !!

we could make a hacked rom that doesn't need app unlocking, kick out all the orange and MS applications, and stick it full of freeware .. hehehe

nice one guys .... I hope florin will post his info ... I will look into it if he does .!!

Guest Paul [MVP]
Posted

Sweet, a custom ROM process would be awesome!

P

Posted

Yup,

That was my original plan:

create a hacked rom using the best parts from all the roms out there.

For instance, the qtek rom seems to be the best, but it doesn't support t9 for English users, etc. Also, as I said before, I live in Canada and could care less for all the orange apps that are wasting space. It would also be nice to have some good applications in rom so that they would not need to be reinstalled every reset, etc., not to mention app unlocking and simunlocked versions too. The only reservation I have about creating a hacked rom is that we have not successfully found the jtag port, so if we fry the bootloader on an update we will basically render our phones useless.

I have tried contacting TI regarding their OMAP 710 datasheet but they said they would only release it to me if I was a large OEM - even when I said I just wanted a pin out description for repair purposes.

So again I will post my question to the modaco audience: If you own a dead smartphone (based on the canary build) that will not boot up (i.e. if the rom/bootloader is corrupted) then send it to me and I will attempt to fix it. If I can fix it - it will cost you nothing for my services. If I accidentally break it, well it was useless to begin with. Not to mention the valuable research you would be providing the modaco/smartphone community.

I am not sure if i can post valuable dlls such as the radio and ril dll files on this message board, but my first suggestion would be for someone to load up the ril.dll in a tool such as IDA pro to determine how much of the radio stack HTC has implemented and maybe we can start to get information such as cell towers etc.

Ps. if anyone from orangeimagineering is watching this and is looking to hire an electrical engineer from canada, send me a PM :) - I'd love to work in europe for a bit!

Posted

I guess,

all I did was use the dumprom tool just as you did.

What do you mean by clean files?

need me to post some samples?

Posted

arsime:

I also have seen the post where you say you have extracted files from the rom image. If so, how exactly did you do it? And can you post a sample file that is contained in all the roms so I can verify if my dump is proper or not?

Thanks

Posted

Hi Arisme

I just read your post again.

From what I can gather, you took rom dumps using the bootloader to dump the regions of the rom currently on the phone to get your list, right?

I am actually dumping the sub regions of the update nk.nbf file to get the dump.

The tool doesn't work 100% and no, the executables are not signed. I have tried to copy exes back onto the phone that I have extracted from rom and get an "access denied" message.

I am able to dump the operator regions and the oem regions.

I know most of the files are intact because the gif images, txt files and xml files are easily readable, as well as the exes. It's just we cannot execute the exes until we figure out how to disable that aspect of the security.

If anyone wants to chime in here with a good explanation that would be cool!

Let me know what your thoughts are

Mike

Guest Arisme
Posted

Right, but it's a nice improvement if you can do it from the .nbf directly (as the "old" method requires an additional dump)

I think that the EXE structure is somehow broken, but didn't investigate too much - there's a small comment regarding that matter on dumprom page, but I don't think it's the only problem

most files seem to have a truncated resources section ( probably due to a bug in Microsoft's romimage tool )

my first guess would be to try to look carefully at the EXE structure to see what's wrong, or to try an EXE rebuilder - you can find that kind of tools on http://protools.cjb.net (great site btw :wink:)

(but of course if you just need to look at the executable files with a disassembler, you can do it already :))
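An added example, not part of the thread and not any poster's code: a short Python check for the symptom described in the post above, where an extracted executable has a section (such as resources) whose raw data runs past the end of the file. The sample image is constructed inline, and `check_sections`, `truncated_sections` and `build_sample` are hypothetical names.

```python
import struct

def check_sections(data: bytes):
    """Return (name, raw_offset, raw_size, missing_bytes) for every PE section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        raise ValueError("PE signature or COFF header missing")
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader, flags
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size
    report = []
    for i in range(nsect):
        entry = table + 40 * i
        if entry + 40 > len(data):
            raise ValueError("section table itself is truncated")
        name, _, _, raw_size, raw_off = struct.unpack_from("<8sIIII", data, entry)
        # Bytes the section header promises but the file does not contain
        missing = max(0, raw_off + raw_size - len(data)) if raw_size else 0
        label = name.rstrip(b"\0").decode("ascii", "replace")
        report.append((label, raw_off, raw_size, missing))
    return report

def truncated_sections(data: bytes):
    """Names of sections whose raw data is cut short."""
    return [name for name, _, _, missing in check_sections(data) if missing]

def build_sample(truncate_by: int = 0) -> bytes:
    """Constructed minimal PE (headers + .text + .rsrc); not a file from any ROM."""
    def sect(name, off, size):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000 + off, size, off,
                           0, 0, 0, 0, 0)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x01C0, 2, 0, 0, 0, 0, 0x0102)
    hdr = dos + coff + sect(b".text", 0x100, 0x40) + sect(b".rsrc", 0x140, 0x80)
    image = hdr.ljust(0x100, b"\0") + b"T" * 0x40 + b"R" * 0x80
    return image[:len(image) - truncate_by]

if __name__ == "__main__":
    for row in check_sections(build_sample(truncate_by=0x30)):
        print("%-8s offset=0x%X size=0x%X missing=%d bytes" % row)
```

Running it against a file pulled out of a dump shows at a glance whether only the last section is short or whether the damage starts earlier in the file.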

Guest Martin@Home
Posted

You could try shutting down all non vital systems and then re-routing all available power through the main deflector dish. A sustained neutronic pulse of say 50megaquads should do the trick I feel, but be careful of localised time displacement if you aren't using Ionic radiation shielding and inertial dampers. This should allow you then to attach the snap on fungus turret and snaffle bracket assembly.

Engage :wink:

Posted

make it so Number1

:)

"Z"

but on the serious side i really hope this rom works coz i would love to use a custom rom instead of my Smart rom.

Posted

Nope!

they come on the swiss v1.5 rom!!

weird eh??

I dumped these files from the swiss 1.5 upgrade package, not my phone itself, so therefore there should be none of my personal information in the files at all.

This is what i mean - I would love a rom image cut down of all the developmental files like the sms messages and trattoria as well as the orange stuff.

Last night I managed to dump the OEM rom files and then the operator specified files and I believe that by eliminating most of the "orange added" files and applications we can trim the rom image down by almost 4-5mb. That's 4-5mb for xbar, smart explorer, mvp, pockettv, etc etc

Mike

Guest drblow
Posted

All this talk is way over my head, but the idea of hacked ROM's is well sexy - so I'm just lending my support!

Go ROM hackers!!!!! :)

Guest Crispy
Posted
Nope!

they come on the swiss v1.5 rom!!

weird eh??

LOL! Then the MS programmers did an even poorer job cleaning up after themselves than I thought! :)

Posted

Florin_M:

Back from vacation yet?

I was just wondering if you are going to enlighten us on the details to create a rom for smartphone?

Thanks

Mike

Posted

How wonderful life would be to have a perfect custom personalised ROM....image/setup after a fresh hard reset.........To only have what one wanted and nothing more............(thinks)................oh....Smart Explorer..............oh..regedit............etc etc etc...............all there fresh and raring to go............no more shifting Start Menu backups from card to phone via active sync..........no more Registry editing........PLEASE KEEP UP THE HARD WORK YOU ARE APPRECIATED

Signed......a fan

Posted

Is there some way to extract the stuff that's in RAM?

I'm pretty sure that when I cloned an SPV, with an early boot version. (I used an SD card) The IPSM also got copied?! Am I right or is my memory corrupt? :)

Btw this should be classified as a security threat to all PocketPCs as well since they are being built in the same fashion, right?!

Posted

GNU : I think the PocketPC community is already much further with this than we are, and we are trying to apply their tricks and tools to our trade.

Posted

GNU:

Yes it is possible to basically read the flash memory off of your phone (the IPSM) and dump it to a card. This is how some other users have gotten protected files off their smartphone. This is also how people can downgrade bootloaders and such as well.

I have been extracting the files from an actual update image. The image can be found in any smartphone upgrade software, such as the 1.3.5 UK or 1.50 swiss, 1.50 qtek etc etc etc.

So the files I am posting are what originally gets written to the "windows" folder on your smartphone. This is why i have no problem with posting any of these files: there is no way they can contain any of my personal data. I could have done this work without even owning a smartphone at all.

Ps. for those who care: i have almost dumped the Eurotel rom (about 85% - 15% of the files are giving me problems)

Posted

well to be honest, this is way over my head, I do understand it though and I promise when I wreck my phone I'll send it to you ;-)

cheers mush, keep up the good work...

Posted

Ah! But that would mean that the Smartphone with password protection is not "safe" at all?! :idea:

Guest Paul [MVP]
Posted

Any thoughts on how to reconstruct the NBF?

P

Posted

Hey paul,

I have a couple ideas about re-constructing the nbf but I have not attempted to do so yet. I was kind of hoping that florin_m would chime in with that part. Right now i am dumping various different rom versions.

my next step is to then do a complete memory dump of my spv and examine how the memory is laid out.

Has anyone else here been doing any work on this project? if so post your results.

The main problem I have is that I am not that familiar with programming for CE devices, so I won't be the one to hack a kernel or anything cool like that. My hope was to cut the fat out of the best rom, and add a t9 for everyone (i.e. take the best t9 for each language) and add a couple applications in rom. If I can pull that off I will be really happy.

What I really wouldn't mind is for someone with the dopod to kindly take a memory dump (as I cannot find any rom images yet) so we can work on putting sp2003 on our spvs :)

I'll try and get some more work done tonight and I will post my results.

Mike
