Related
NOTE: I've already posted this into the Development & Hacking forum, but got no reply yet. As it is an Hermes specific topic it is probably better to place it here, sorry for reposting if you've already read this.
The available original shipped ROMs for the HTC Hermes have .nbh files with the RUU, instead of the usual .nbf files found in other HTC rom updates.
By now, there are two shipped ROMs available, containing:
HERMIMG_Dopod_1.23.707.1_SHIP.nbh
hermimg_QtekNOR_1.18.255.3_Ship.nbh
So, it seems that the usual nk.nbf file is no longer used by the Hermes RUU
I cannot extract the various rom components (ExtROM, OS, IPL/SPL, SplashScreen, GSM radio, etc...) out of these files using the usual TyphoonNbfTool, however mamaich's prepare_imgfs finds the imgfs and dumps it apparently ok, but it cannot be read using viewimgfs or itsme's rdmsflsh.pl, so I guess the dumped file is invalid.
Anybody knows about this new format?
is it possible to convert it to nk.nbf so we can cook our own roms?
Would it be possible for example to extract the radio rom from Dopod and replace it on QtekNOR rom?
I think we will have to wait for the rom guru's to advise on this. I hope this would be possible so we can get the best rom possible.
I've tried to decode.nbh files with alpinenbfdecode.pl, himalayanbfdecode.pl and typhoonnbfdecode.pl. None of them works, so this must be a completely new format.
Opening nbh files in hex heditor shows interesting strings, but I don't know how to procede to identify each part and decompress or decrypt it...
Is it possible to decrypt Extended_ROM of HTC TyTN? I'v found a great extRom, but I can't upgrade my ExtRom because I have only borrowed tytn from my friend and Iam looking for one special aplicattion which is included in this. Any solutions ? Thanks
Jerry, you can unlock & unhide the ExtRom just with a registry tweak, look here:
http://wiki.xda-developers.com/index.php?pagename=Hermes_Unhide_Extrom
Downloading a ROM now to experiment
If I crack it, you guys better donate something to my get-theblasphemer-a-hermes-too-fund (yet to set up that fund though )
Mate if you crack it I'll be donating to your fund!
Hmmm, a very weird file format indeed :S
All files start with "R000FF\r", next 16 bytes of what appears to be random data.
After that it consists of several blocks.
Each block starts with a header:
4-bytes block-length
4-bytes footer-length
1-byte always 1
After that follows the actual data (block-length bytes) + a footer, which appears to be random data but which I suspect to be some kind of checksum
I'm uploading a full USB log of a complete ROM-flash here:
ftp://xda:[email protected]/Hermes/Technical/
Watch for the file Dopod2-FullRomUpgrade.txt.gz, when it is full uploaded it will be around 102Mb.
This is from this ROM file:
HER_DopodAsia_1237074_1060010_WWE_SHIP.exe
______
EDIT: Upload finished.
I created a wiki page with all the info we have about NBH format:
http://wiki.xda-developers.com/index.php?pagename=Hermes_NBH
i added my scripts to extract nbh files to the wiki page
willem
itsme said:
i added my scripts to extract nbh files to the wiki page
Click to expand...
Click to collapse
Cool :shock:
you always come with splendid work, so pleasant to see... thanks a lot!
Hmmm... just took a peek at the USB-dump of a ROM upgrade.
It appears that the whole file is just sent to the device.
The flashing utility doesn't even look at the CID or even the device type, it was happy to start flashing my Universal (however it didn't get very far, as the bootloader doesn't understand all commands ).
This makes it incredibly difficult to make a RomUpgradeUtility that doesn't look at the CID, or to figure out how the signatures in the .nbh files are generated
willem,
I've been trying to extract the roms using your commands, everything runs fine until I have to run the gsmsplit batch file, as in this line you call "bcl" and I don't know what bcl is:
Code:
for %%i in (_bcl*) do bcl d %%i _x%%i.nb
I am runing it on WinXP SP2 + cywin 1.5.21-1, this is the error I get:
Code:
[email protected] /cygdrive/c/nbh/files
$ gsmsplit.bat GSM.nb gsm.nbx
'bcl' is not recognized as an internal or external command,
operable program or batch file.
'bcl' is not recognized as an internal or external command,
operable program or batch file.
[...]
'bcl' is not recognized as an internal or external command,
operable program or batch file.
'bcl' is not recognized as an internal or external command,
operable program or batch file.
_x_bcl*.nb
The system cannot find the file specified.
0 file(s) copied.
Could Not Find c:\nbh\files\cing\_x_bcl*
[email protected] /cygdrive/c/nbh/files
$ dir
GSM.nb MainSplash.nb SPL.nb nksigned.dbh signatures.txt
IPL.nb OS.nb SubSplash.nb nksigned.nbh unknown_601.nb
Is the line correct? if yes, what is bcl and where can I get it?
Thanks!
Ok, almost everything went fine... i don't know yet about the bcl command i asked before, and i cannot extract the contents of imgfs from OS.nb using rdmsflsh:
Code:
$ rdmsflsh.pl -d files OS.nb > rd.txt
could not find imgfs header
I've also tried prepare_imgfs.exe with OS.nb, it found IMGFS there and dumped it to imgfs_raw_data.bin, but then I cannot use viewimgfs.exe with this file, it complains about "unknown header type", and the file seems corrupt as it is only 6Mb...
BTW... SubSplash.nb seems to be the ExtROM, not the SubSplash.
I get a "Check cert error!" from the bootloader when I try to flash a modified NBH file (thanks TheBlasphemer for your help).
From spv-developers:
"getting a developer CID (SuperCID) will allow you to flash your system with a ROM that is not digitally signed (i.e. a ROM that you have modified). If you do not modify it, you'll not be able to install a modified ROM on the device."
Click to expand...
Click to collapse
Is it possible that we can flash NBH files without signing in the Hermes if we get a SuperCID?
I tried using SPV-Services to change the Hermes CID, but when I execute the CID tool (Alpha) I get the error: INVALID Storage Manager Handle (SAFE)
The NBH format is also used by HTC STARTrek, more info here.
bcl is from bcl.sourceforge.net, and in the latest release called 'bfc'.
willem
pof said:
Ok, almost everything went fine... i don't know yet about the bcl command i asked before ...
Click to expand...
Click to collapse
Hey pof, you need to rename the bfc.exe to bcl.exe ...! then you dont get the error but alot other zero lenght values ...
so did anyone manage to get the extraction of the OS.nb done correctly?
Hi! Do you think is possible to manage that NBH file and change htc logo splashscreen in some ways?
I'd like to create a ROM file upgrade with different spalshcreen for my TYTN.
So far I have tested redbend_ua for backup purposes, and got the bml7 and bml8 partitions backed up, and tested just restoring the bml8 partition with the clockwork recovery that is being tested on the epic. The utility did write the image / partition correctly (afaik) and rebooted the phone upon completion. The phone booted correctly to android, but then upon another reboot to test recovery, it just boot loops, even a normal boot and trying to get to the downloader mode.
This utility seems to work and do what it was meant to, but i would not use this tool without knowledge of what you are doing. On that note, i will not post a link to the tool, just as a safeguard, for now at least.
it is known to work on bml7 (the kernel partition).
for the last few fays ive been trying to gather information regarding flashing an entire rom (all the partitions resides in an odin update file) using redbend_ua only, but i couldn't get a clear understanding of what todo with the two cache.rfs & dbdata.rfs files (each located on both the PDA and the CSC files). also, repartitioning the disk is also needed when flashing a new rom, so i need to recognize the new partition table layout (which i assume resides in the .pit file).
as for now, its only a lot of assumptions for me. they only confirmation i could get was from here: hxxp://forum.xda-developers.com/wiki/index.php?title=Samsung_Galaxy_S
z4ziggy said:
it is known to work on bml7 (the kernel partition).
for the last few fays ive been trying to gather information regarding flashing an entire rom (all the partitions resides in an odin update file) using redbend_ua only, but i couldn't get a clear understanding of what todo with the two cache.rfs & dbdata.rfs files (each located on both the PDA and the CSC files). also, repartitioning the disk is also needed when flashing a new rom, so i need to recognize the new partition table layout (which i assume resides in the .pit file).
as for now, its only a lot of assumptions for me. they only confirmation i could get was from here: hxxp://forum.xda-developers.com/wiki/index.php?title=Samsung_Galaxy_S
Click to expand...
Click to collapse
Both cache and dbdata can largely be ignored; I actually had to nuke my /dbdata partition earlier due to something I did. It gets rebuilt on boot, it's just a SQLite store for the applications and on most Android phones resides within /data. No idea why Samsung felt it necessary to separate this partition.
if this is so, and both cache.rfs & dbdata.rfs can be ignored, then updating an entire rom using redbend_ua from within update.zip is possible (right now the project-voodoo is using the redbend_ua method to flash kernel only from within update.zip file, but the idea is the same).
i think we need to get some more confirmation before actually testing this because failure on flashing the rom will break the phone... and no one wants to have that
z4ziggy said:
if this is so, and both cache.rfs & dbdata.rfs can be ignored, then updating an entire rom using redbend_ua from within update.zip is possible (right now the project-voodoo is using the redbend_ua method to flash kernel only from within update.zip file, but the idea is the same).
i think we need to get some more confirmation before actually testing this because failure on flashing the rom will break the phone... and no one wants to have that
Click to expand...
Click to collapse
I did some more testing and can confirm that cache and dbdata can both be empty on boot.
this is excellent news!
i will work later today on a template for update.zip using redbend_ua and post here for reference.
also, a thought came to mind - what is the difference between redbend_ua and dd? if all redbend_ua does is dumping data from/to a partition, then it is simply a dd replacement. isn't it?
z4ziggy said:
this is excellent news!
i will work later today on a template for update.zip using redbend_ua and post here for reference.
also, a thought came to mind - what is the difference between redbend_ua and dd? if all redbend_ua does is dumping data from/to a partition, then it is simply a dd replacement. isn't it?
Click to expand...
Click to collapse
If you currently have redbend_ua on your device, could i get you to dump /dev/block/BML7 to /sdcard/recovery.bin and upload it / link it? i need it
fallingup said:
If you currently have redbend_ua on your device, could i get you to dump /dev/block/BML7 to /sdcard/recovery.bin and upload it / link it? i need it
Click to expand...
Click to collapse
Yeah.. I could've used that yesterday too.. I ended up swapping out my device this morning.
Sounds like some progress is being made. Very good to hear confirmation on cache and dbdata
i actually got it working now, after my brick anyways. Now i need to find the verizon dump not a USC dump
fallingup said:
i actually got it working now, after my brick anyways. Now i need to find the verizon dump not a USC dump
Click to expand...
Click to collapse
Glad to hear it.. I was getting seg-faults trying to mount /system .
I downloaded roms from samfirmware, after I unrar it, these are the file list
boot.img bootloader.bin cache.img hidden.img modem.bin recovery.img system.img
So How can I extract some files from system.img? I've tried unyaffs, but it segfaulted.
another stupid question is , how I can flash these files using odin? just select *.img in
pda and start?
yo
hi darren.hoo, i faced the same problem as yours and i realised that we should actually boot our tab to the downloading mode before we launch Odin3,pda.Turn on the usb debugging too(i dont know if this is necessary or not).Anyway happy flashing!
*Odin can only read .tar / .md5 extension ,you dont have to extract everything.
Kruel
Hi Darren.hoo,
To read the image files - It depends.
boot.img and recovery.img requires potentially a script to seperate the ramdisk and also the kernel. There are many good article on many wikis that explains which hex point is the seperator between the two.
system.img - I haven't really played with this too much as I don't usually create ROMS or anything - have you tried to mount it normally on a linux system? as if the system.img is just a ISO? (e.g. mount -o loop system.img /mnt). To rebuild this to become "flashable" is a different story (i believe you need the unayffs2 tools).
bootloader.bin - you'll need a hexeditor of some sort. This is as is a bin file (data file)
Not sure about the others. (cache - i'd assume you can recreate anyway and the modem i guess is another binary that requires a hexeditor.)
In terms of flashing the IMG - you need to tar up the *.img files, then do something like md5sum -t #name of tar# >> #name of tar#. Basically, it just appends the hash in md5 format to the tar. rename the file to something like *.tar.md5, and use that to flash as PDA.
Hope this helps.
Really great tips!
frankus0512 said:
system.img - I haven't really played with this too much as I don't usually create ROMS or anything - have you tried to mount it normally on a linux system? as if the system.img is just a ISO? (e.g. mount -o loop system.img /mnt). To rebuild this to become "flashable" is a different story (i believe you need the unayffs2 tools).
Click to expand...
Click to collapse
no luck with this:
debian:/home/darren/gtab/rom/EUR/P7500XWKG9# mount -oloop system.img /mnt
mount: you must specify the filesystem type
But from what I've got from searching xda a lot, maybe it's RFS filesystem?
frankus0512 said:
In terms of flashing the IMG - you need to tar up the *.img files, then do something like md5sum -t #name of tar# >> #name of tar#. Basically, it just appends the hash in md5 format to the tar. rename the file to something like *.tar.md5, and use that to flash as PDA.
Click to expand...
Click to collapse
this tip just really solved my problem.
I've got a tar.md5 file with three files in it: boot.img, system.img, recovery.img, but I don't
want to flash recovery.img coz I've already flashed CWM, yesterday I tried delete recovery.img from the tar ball and then flash it, then ODIN tells me that the files is invalid by
md5sum. I didn't know earlier that it records md5 checksum at the end of the tarball file.
It seems the OP got his answer but I'm having problems figuring out what to do.
I also have a system.img that i unzipped from a tar.md5 package by first editing the file extension to only say tar and then untarring it. When I try to mount the system.img with:
sudo mount -o loop system.img /media/systemimg
I get the filesystem type error:
mount: you must specify the filesystem type
Could someone who knows this please comment on how to mount the system.img to gain access to the files so I can explore system, that would be awesome.
span_01 said:
It seems the OP got his answer but I'm having problems figuring out what to do.
I also have a system.img that i unzipped from a tar.md5 package by first editing the file extension to only say tar and then untarring it. When I try to mount the system.img with:
sudo mount -o loop system.img /media/systemimg
I get the filesystem type error:
mount: you must specify the filesystem type
Could someone who knows this please comment on how to mount the system.img to gain access to the files so I can explore system, that would be awesome.
Click to expand...
Click to collapse
samsung firmwares should have -t rfs but you have to have a linux kernel on your dev machine that has a rfs modules
http://forum.xda-developers.com/showthread.php?t=1081239
darren.hoo said:
I downloaded roms from samfirmware, after I unrar it, these are the file list
boot.img bootloader.bin cache.img hidden.img modem.bin recovery.img system.img
So How can I extract some files from system.img? I've tried unyaffs, but it segfaulted.
another stupid question is , how I can flash these files using odin? just select *.img in
pda and start?[/QUOTE,
........................................
hello,
you can extract system.img by android kitchen but it is long process to setup kitchen.
you make it .tar file to flash as pda in odin.
if you want to extract system.img, contact me by email, [email protected]
I will tell you .
Click to expand...
Click to collapse
Hai all i am working on a working ics rom for the Veolo player and clones.
Now i downloaded a rom from Himedia Q5 and wanted to extract the system.img logo.img and boot.img files to see whats inside
I tried all tools available on this forum (Unjaffs2 etc.) but no luck so far
The firmware is available here https://mega.co.nz/#!KMkHVTCR!XSLG0gNa-z20jDqYNQbNMy89qQZC1WIQpy5SmUGAcbk
Can some one try to extract this img files for me and explain to me how they did it ?
I can,t run it n the veolo beause the veolo has 512mb system memory and the himedia q5 1gb.So i can't make a system dump.
I want to modify the rom to be used on a veolo thats the idea.
I thing these files are packed some how ???
Hope you can help me guys thnx
system.img is an yaffs2 file system: 4K 24bits/1K and contains root filesystem as well.
boot.img is NOT an Android boot image, but an uImage kernel.
bootargs.img contains kernel boot arguments in text.
Quite not-the-way-we-do-it-in-Android, but manageable.
yeah i know the bootimg contains the kernel etc and the system.img is a yaffs2 file system i also know
Buit still the problem is that i can't extract the root file system etc in it all tools i could find gave a error ?
Any idea how i can extract it ? since the common tools seems not to work ?
Thx for the info btw
Anyone who can help me unpack the system.img and the userdata.img ???????????????????
Unpack system.img Q5 and MMB-422 or Veolo aka Godbox
kraakie256 said:
Anyone who can help me unpack the system.img and the userdata.img ???????????????????
Click to expand...
Click to collapse
Yeah, no problem. I own a MMB-422, a Veolo look-a-like. I have an ICS firmware for it, so it should also work on your Veolo. The problem is that you need an RS232 <-> UART or USB <-> UART converter to modify the systems partition and upload the new ICS firmware. I build one myself. I posted the howto on meteorit.wikia.com/wiki/MMB-422.HDTV/Software-Updates
I managed to decompile the system.img and userdata.img from the Q5 with yaffs2utils. I believe I used the following command ./unyaffs2 -p 4096 -s 200
To unpack the MMB-422 firmware (8K chunks and 366B spare) I also use unyaffs2 but with -p 8094 and -s 366
But then......I can pack the system dir again to an system.img with mkyaffs2img but it generates an image with a complete different layout and it cannot be used with our "Godbox".
Maybe we can coöperate? Do you live in The Netherlands? I do......Do you have C++ skills?
bobbes said:
Yeah, no problem. I own a MMB-422, a Veolo look-a-like. I have an ICS firmware for it, so it should also work on your Veolo. The problem is that you need an RS232 <-> UART or USB <-> UART converter to modify the systems partition and upload the new ICS firmware. I build one myself. I posted the howto on meteorit.wikia.com/wiki/MMB-422.HDTV/Software-Updates
I managed to decompile the system.img and userdata.img from the Q5 with yaffs2utils. I believe I used the following command ./unyaffs2 -p 4096 -s 200
To unpack the MMB-422 firmware (8K chunks and 366B spare) I also use unyaffs2 but with -p 8094 and -s 366
But then......I can pack the system dir again to an system.img with mkyaffs2img but it generates an image with a complete different layout and it cannot be used with our "Godbox".
Maybe we can coöperate? Do you live in The Netherlands? I do......Do you have C++ skills?
Click to expand...
Click to collapse
Well i managed to unpack it etc but my Veolo died Flash mem full of bad blocks grrrr
I amw aiting for a replacement
Btw The firmwares MMB-422 choose -p8192 -s368
And for the Himedia -p4096 -s200 and you can repack it with -p8192 -s368 but it seems that somehow the fw crashes when you flaash it
I think it's a library in the lib folder who causes the crash
Can't continue at the moment since my veolo died
And no i dont have C++ Skills i understand it a bit
Btw The firmwares MMB-422 choose -p8192 -s368
Click to expand...
Click to collapse
That's true. I made an mistake.
And for the Himedia -p4096 -s200 and you can repack it with -p8192 -s368 but it seems that somehow the fw crashes when you flaash it
Click to expand...
Click to collapse
The (re)compiled image has a complete different structure so the mkyaffs2img program has to be rewritten to suite our needs. It wont flash it in bootloader (u_boot aka fastboot) mode.
To bad that your Veolo's NAND has died! Are you sure? Did you try a complete erase of the whole NAND and then repartition the NAND again? Do you use UART?
bobbes said:
That's true. I made an mistake.
The (re)compiled image has a complete different structure so the mkyaffs2img program has to be rewritten to suite our needs. It wont flash it in bootloader (u_boot aka fastboot) mode.
To bad that your Veolo's NAND has died! Are you sure? Did you try a complete erase of the whole NAND and then repartition the NAND again? Do you use UART?
Click to expand...
Click to collapse
yeah it's dead i used a uart\
When you recomplile remove the first part of the header with a hexeditor
Look for Yffsv10 or something like that
And remove all crap before that. other wise fastboot won't regonize it as a yaffs2 image
I am making a custom rom.for my android.I need to know where recovery.img is located.Like which partition or directory can I try to find it at.I try ed the system partition but obviously it wasn't there because that's the system.I dumped my firmware image so I could modify it,but I can't find recovery.Img.All I found is recovery.fex.Is this my recovery?Thanks for your answer.[emoji2]