Investigating how to flash ROMs

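I have finally started gathering information on ROM flashing, something I had been curious about for a long time but had left alone because I could not find enough time to study it, so these are my notes.
If I keep a copy of the original OEM ROM from XDA I should be fine in an emergency, but I want to be able to restore the factory state based on the actual device I have in hand, so I suppose I do need to dump the ROM? The one on XDA differs slightly from mine in OS and Radio versions, so it would not truly restore the original state...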

<ROM on my device>
CID HTC__001 WWE
WM6 PRO
CE OS 5.2.1620(Build 18125.0.4.2)
ROM Ver. 1.56.405.5
ROM Date 08/28/07
Radio ver.1.27.12.32
Protocol Ver.22.45.88.07H


<HTC OEM WM6.0 ROMS>
1.56.405.5 (radio 1.27.12.11) original wwe
http://wiki.xda-developers.com/index.php?pagename=Kaiser_ROMs
http://rapidshare.com/files/57816419/RUU_Kaiser_HTC_WWE_1.56.405.5_radio_sign_22.45.88.07_1.27.12.11_Ship.rar.html


<Radio ROM>
xda-developers > Kaiser > Kaiser ROM development > Kaiser Radios [SOUND AND CAMERA ISSUES - READ HERE]
http://forum.xda-developers.com/showthread.php?t=349375


* How to update the Radio only
http://d.hatena.ne.jp/chai99/20071010/1192036387

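Radio-only update (PDA, Kaiser)

I upgraded the Radio version from 1.27.12.11 to 1.27.12.17. Once you get used to it, it takes less than 10 minutes. You can update just the Radio code, with no hard reset required. Please do this strictly at your own risk.

Extract RUU_signed.nbh from an updater that contains the new Radio code.
Split it into .nb files with NBHextract.exe. Of these, use 00_Unknown.nb*1.
In htcrt.exe (htc rom Tool), set the version and CID as appropriate*2, specify the 00_Unknown.nb from above for Radio, and build the ROM.
Update with KaiserCustomRUU.exe. When the update completes and the device reboots, you can check the Radio version.
It then booted up smoothly and I can use it normally as if nothing had happened. It is wonderful that it can be rewritten this easily.

Addendum: When I tried a SPEED TEST, it somehow seems to have gotten faster... I had never seen 1.8Mbps before.

 *1: Depending on the .nbh you obtained, the prefix may not be 00

 *2: If the device has been made SuperCID, this does not really matter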


<OEM Packages>
xda-developers > Kaiser > Kaiser ROM development > My OEM Packages to Share
http://forum.xda-developers.com/showthread.php?t=350742


~ Tools ~


<Hard-SPL (boot loader for flashing custom ROMs)>
xda-developers > Kaiser > Kaiser ROM development > HTC Kaiser Hard-SPL v1 - CID Unlock & Flash any ROM to your device (4 free)
http://forum.xda-developers.com/showthread.php?t=334679


<MTTY>
xda-developers > Kaiser > Kaiser ROM development > MTTY (How to fix a bad ROM flash!)
http://forum.xda-developers.com/showthread.php?t=371154
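(Caution) When running the task2a command after a failed ROM flash, everything except the bootloader (SPL) is erased, so always have the ROM you are going to reflash ready before running it.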


<itsutils pdocread.exe (ROM dump)>
http://www.xs4all.nl/~itsme/projects/xda/tools.html
xda-developers > Kaiser > Kaiser ROM development > How to dump HTC Kaiser ROM
http://forum.xda-developers.com/showthread.php?t=334680

Hermes_Howto Dump Rom
http://wiki.xda-developers.com/index.php?pagename=Hermes_HowtoDumpRom

How to dump the ROM (step by step)
This page explains the process to dump the ROM of your Hermes. The HTC_Hermes does not have a disk-on-chip flash, like most other HTC devices; you can, however, use pdocread with the -w switch.

pdocread is part of the itsutils tools collection, you can download the source + executables here.

Now let's start the process:

1. Unzip the contents of itsutils.zip on c:\itsutils
2. Connect your Hermes to PC using USB cable, and make sure ActiveSync is running
3. Start -> run -> cmd.exe
4. cd c:\itsutils


5. First we are going to find the device handles for all the flash partitions, using pdocread -l

C:\itsutils>pdocread.exe -l
114.88M FLASHDR

3.12M Part00
2.88M Part01
50.88M Part02
58.00M Part03

968.75M DSK1:

968.50M Part00

STRG handles: 834d5e62
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(968.50M) 03958bce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 58.00M) 239584da
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 50.88M) 039582ce
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 2.88M) 2395828a
0 partitions, 0 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
( 3.12M)

6. If you get the following error, your device is probably application locked:

C:\itsutils>pdocread.exe -l
Copying C:\itsutils\itsutils.dll to WCE:\windows\itsutils.dll
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart ActiveSync

Check this wiki article for information about how to avoid that. Basically you have to modify this registry key, and then soft reset using the power button:

HKLM\Security\Policies\Policies
valuename '00001001' was set to dword:2, change it to dword:1

dword: anything other than 1 disallows unsigned
dword: 1 allows unsigned

If changing the dword still gives the issue, try HTC_Hermes_SIM_CID_Unlock; it solved it for me on a Dopod 838pro

If the registry hack is not working and you have Orange device, this helps: http://spvunlock.rd.francetelecom.com/

7. Note: There are two ways to read each partition: pdocread -h 0xHANDLEVALUE 0 0xSIZEVALUE diskimage.nb or pdocread -d storename -p partitionname StartValue LengthValue file.raw

We will use the second method for the next step.

Overview of flash partitions (just for your information, not a step)
FLASHDR STOREINFO 114.88M (0x72e0000) dev='FLASHDR' store='Microsoft Flash Disk'
nsect=39700 bpsect=200 free=0 maxpartsize=0
3.12M ( 0x31fc00) Part00 'BOOT' end= 18fe type=20 image update kernel partition (XIP), used while image updates
2.88M ( 0x2e0000) Part01 'RAWFS' end= 1700 type=23 regular kernel partition (XIP), used for normal OS boot
50.88M (0x32e0000) Part02 'imgfs.dll' end=19700 type=25 imgfs
58.00M (0x3a00000) Part03 'fatfsd.dll' end=1d000 type=04 user filesystem
EXT_FLA STOREINFO 10.00M (0xa00000) dev='EXT_FLA' store=''
nsect=5000 bpsect=200 free=0 maxpartsize=0
10.00M ( 0xa00000) PART00 'fatfsd.dll' end= 5000 type=04 extended rom

This does not include the IPL, splash and SPL.

8. Check that all the partition sizes reported by pdocread are correct:

C:\itsutils>pdocread -w -d FLASHDR -p Part00 -t
real nr of sectors: 6398 - 3.12Mbyte (0x31fc00)
C:\itsutils>pdocread -w -d FLASHDR -p Part01 -t
real nr of sectors: 5888 - 2.88Mbyte (0x2e0000)
C:\itsutils>pdocread -w -d FLASHDR -p Part02 -t
real nr of sectors: 104192 - 50.88Mbyte (0x32e0000)
C:\itsutils>pdocread -w -d FLASHDR -p Part03 -t
real nr of sectors: 118784 - 58.00Mbyte (0x3a00000)

Note the partition sizes (in brackets) for the next step. They may differ from device to device.

9. Now let's dump the first 3 partitions (coldboot kernel, base kernel and imgfs), use the sizes you found in the previous step.

C:\itsutils>pdocread -w -d FLASHDR -p Part00 0 0x31fc00 Part00.raw
CopyTFFSToFile(0x0, 0x31fc00, Part00.raw)
C:\itsutils>pdocread -w -d FLASHDR -p Part01 0 0x2e0000 Part01.raw
CopyTFFSToFile(0x0, 0x2e0000, Part01.raw)
C:\itsutils>pdocread -w -d FLASHDR -p Part02 0 0x32e0000 Part02_0.raw
CopyTFFSToFile(0x0, 0x32e0000, Part02_0.raw)
ERROR: ITReadDisk - Not enough storage is available to complete this operation.

In case there is a read error in the imgfs (as shown here), you'll have to read one specific 0x800 byte section separately and patch the diskimage to make it work. So either the flash is bad, or the driver reading it has bugs.

If your phone returns Part02_0.raw without errors, you can simply rename Part02_0.raw to Part02.raw and skip to step 15*

10. Check what we have so far:

C:\itsutils>dir Part*.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
10/08/2006 23:00 39.911.424 Part02_0.raw
C:\itsutils>

11. We use the 0x800 byte trick to complete dumping the rest of imgfs.

The file size is 39.911.424 (0x2610000 in hex), so we specify this value as start, and 0x800 byte length:

C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610000 0x800 Part02_1.raw
CopyTFFSToFile(0x2610000, 0x800, Part02_1.raw)

12. It worked, now we have to start at 0x2610000 + 0x800 and read the rest of the partition, which is 0x32e0000 (total size) - 0x2610800 (what we have already read), so the result is 0xccf800 bytes length we need to read:

C:\itsutils>pdocread -w -d FLASHDR -p Part02 0x2610800 0xccf800 Part02_2.raw
CopyTFFSToFile(0x2610800, 0xccf800, Part02_2.raw)

13. And that's it, all dumped successfully:

C:\itsutils>dir Part*.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
10/08/2006 23:00 39.911.424 Part02_0.raw
11/08/2006 00:02 2.048 Part02_1.raw
11/08/2006 00:06 13.432.832 Part02_2.raw

14. Now we need to concatenate the three Part02_?.raw files.

In a Windows operating system
> copy /B Part02_0.raw+Part02_1.raw+Part02_2.raw Part02.raw

In a Unix operating system
$ cat Part02_0.raw Part02_1.raw Part02_2.raw > Part02.raw

15. Now we can check the filesize is correct, and we have successfully dumped all 3 partitions:

C:\itsutils>dir Part0?.raw
10/08/2006 22:52 3.275.776 Part00.raw
10/08/2006 22:53 3.014.656 Part01.raw
11/08/2006 00:10 53.346.304 Part02.raw

If you want, you can extract the contents of imgfs too.
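
The offset arithmetic of steps 11-12 and the size check of step 15, as an added Python example (not part of the original wiki page or of itsutils). The function names are hypothetical, the pdocread arguments are only those shown in the steps above, and the SHA-256 is an extra integrity record to keep alongside the dump.

```python
import hashlib
import os

STEP = 0x800  # length of the single read used to get past the failing spot (step 11)

def resume_plan(total, have, dev="FLASHDR", part="Part02"):
    """Commands for steps 11-12 when the first read stopped after `have` bytes."""
    if not 0 <= have <= total:
        raise ValueError("bytes already read must lie within the partition size")
    cmds = []
    step = min(STEP, total - have)
    if step:
        cmds.append(f"pdocread -w -d {dev} -p {part} {have:#x} {step:#x} {part}_1.raw")
    rest = total - have - step
    if rest:
        cmds.append(f"pdocread -w -d {dev} -p {part} {have + step:#x} {rest:#x} {part}_2.raw")
    return cmds

def join_and_check(chunks, out, total):
    """Concatenate the chunk files (step 14), enforce the size from step 8 (step 15),
    and return the SHA-256 of the joined image to store next to the dump."""
    digest = hashlib.sha256()
    written = 0
    with open(out, "wb") as dst:
        for name in chunks:
            with open(name, "rb") as src:
                while block := src.read(1 << 20):
                    dst.write(block)
                    digest.update(block)
                    written += len(block)
    if written != total:
        os.remove(out)  # never leave a short or oversized image that looks usable
        raise ValueError(f"joined size {written:#x} != partition size {total:#x}")
    return digest.hexdigest()

if __name__ == "__main__":
    # Values from the walkthrough: Part02 is 0x32e0000 bytes, Part02_0.raw is 39,911,424 bytes.
    for cmd in resume_plan(0x32e0000, 39911424):
        print(cmd)
    names = ["Part02_0.raw", "Part02_1.raw", "Part02_2.raw"]
    if all(os.path.exists(n) for n in names):
        print(join_and_check(names, "Part02.raw", 0x32e0000))
```

Recording the hash at dump time lets you confirm later that the image you are about to flash back is byte-for-byte the one you read from the device.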

IMPORTANT
If you do this process and dump the ROM of your device, please zip the contents of your dumped ROM and upload the zip file to the xda-developers FTP (USERNAME: xdaupload / PASSWORD: xda)
Then add a link to the file you uploaded in the Available Dumped or Modified ROM Versions wiki page. Make sure you specify the device name (TyTN, Trion, etc.), operator if any, language and version of the ROM.


Related forum thread (post here if you have problems or need help):
http://forum.xda-developers.com/viewtopic.php?t=58656

http://wiki.xda-developers.com/index.php?pagename=XdaUtils/pdocread.exe

Xda Utils/pdocread.exe
this tool is part of the itsutils tools collection.

source can be found at http://nah6.com/~itsme/cvs-xdadevtools/itsutils/src/pdocread.cpp

This tool can be used to read and list various parts of m-systems DiskOnChip devices. The -d, -p, and -h options can be used to select a specific disk device. Only specifying -d will open that device directly. Specifying -d and -p will open the device using the storage manager, and then use the partition specified with -p. To circumvent a problem with truncated device names in some WinCE versions, you can also specify a known open device handle, using -h.

Use "pdocread -l" to get a list of known devices, and open handles on your wince device.

The -n, -w, and -o options are used to select what access method is to be used. -n 0 will read from the binary partition number 0. -w will use the standard disk api to access the device, -o will access the One-time-programmable area of your DOC. when no access method is specified, the 'normal' TFFS partition will be accessed.

Be warned that the tffs API is not very stable, it causes device crashes, and on several devices it is only partially implemented.

currently pdocread is rather verbose, both on the commandprompt, and in a logfile on your wince device.


example usage
find the size of the various partitions:

C:\>pdocread -n 0 -t
real nr of sectors: 4096 - 2.00Mbyte (0x200000)

C:\>pdocread -n 1 -t
real nr of sectors: 6144 - 3.00Mbyte (0x300000)

C:\>pdocread -t
real nr of sectors: 55296 - 27.00Mbyte (0x1b00000)

then copy the contents of these partitions to files, by entering the following commands on the command prompt:

pdocread -n 0 0 0x200000 docbdk0.raw
pdocread -n 1 0 0x300000 docbdk1.raw
pdocread 0 0x1b00000 docpart0.raw

http://www.spv-developers.com/forum/showthread.php?p=8177 - a thread with a much more detailed explanation

using handles
often disk devices are only accessible via their kernel handle. The handles are listed in the output of pdocread -l, and accessed via pdocread -h 0xHANDLEVALUE

commandline details
Usage: pdocread [options] start [ length [ filename ] ]
when no length is specified, 512 bytes are assumed
when no filename is specified, a hexdump is printed
-t : find exact disk size
-l : list all diskdevices
-v : be verbose
-s OFS : seek into source file ( for writing only )
-b SIZE: specify sectorsize to use when accessing disk
-B SIZE: specify blocksize to use when accessing disk
-G SIZE: specify blocksize to use when transfering over activesync
-u PASSWD : unlock DOC device
-S BK1x : specify alternate disksignature ( e.g. BIPO, BK1A .. BK1G )
Source:
-d NAME : devicename or storename
-p NAME : partitionname
-h HANDLE : directly specify handle
either specify -d and optionally -p, or specify -h
Method:
-n NUM : binarypartition number ( normal p if omitted )
-w : read via windows disk api
-o : read OTP area
if the filename is omitted, the data is hexdumped to stdout
if no length is specified, 512 bytes are printed

numbers can be specified as hex (ex: 0x8000) or decimal (ex: 32768)
the -w switch is useful for accessing non-diskonchip type flash devices.

the -S option is useful for accessing the rom on mDOC-H3 based devices. ( like the HTC_Elf or HTC_Herald )

the -G option is useful for accessing the rom on mDOC-G4 based devices.

note that on H3 devices the specified size to read must be exactly the size of the partition. on G4 and G3 devices the tffs api does not complain when specifying a very large size, it will just return the actual amount read.


<NBHextract (NBH file extraction)>
xda-developers > General discussion > Development and Hacking > NBHextract: Extract contents from NBH files
http://forum.xda-developers.com/showthread.php?t=289830
XDADeveloperWiki - Hermes_NBH
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH


<htc rom tool (ROM build: rebuilding an NBH file from nb files)>
xda-developers > General discussion > Upgrading, Modifying and Unlocking > htc rom tool: new software to deal with ROMs (NEW RELEASE 1.1.0)
http://forum.xda-developers.com/showthread.php?t=311909


<CustomRUU for Kaiser (ROM flashing)>
xda-developers > Kaiser > Kaiser ROM development > CustomRUU for Kaiser
http://forum.xda-developers.com/showthread.php?t=334890


<Other references>
htc3g @ Wiki
Japanese input with ATOK for Uni > How to cook a display-capable ROM image