romdumptoCF.exe question

Hey all! I've looked through the threads and haven't found an answer to my question, but if I've overlooked it feel free to correct me.

At the end of the day, I'm trying to dump a flashable image from my pharos drive 140 (PND). It's running CE 5.0 on a 256MB flash disk. romdumptoCF.exe will execute, but I need to edit "\Storage Card" to "\SDMMC" and change the dump size from 32MB to 256MB. I'm not sure if the whole 256MB is needed, but the file path definitely needs to be edited.

I tried hex editing the file path in the .exe, but after I save it it won't run on the device. When I edit it back to the original path, it executes again but without a valid dump path it just loops.

Any help would be greatly appreciated!

I think I've got this right, but who knows!

When I hex edited the .exe before, I did a simple replacement of "\Storage Card\ROM.dump" with "\SDMMC\ROM.dump", so I ended up with a smaller file size, seven characters smaller.

Instead, I added "00" seven times in the beginning of the file path hex string and ta-da! it executes. Now, however, I get an error saying it cannot open the output file.

I'm afraid I might be using the wrong rom dump program, could someone please advise me on how to figure out what to use to dump this rom?

Okay, if anyone out there can help.

I found a program called testdump.exe which displays a file path and dump size dialog when ran. It successfully dumped an 82MB dump.bin file to the SD but it took like four hours. Write speed must be super slow! Dumprom was able to analyze it, but I got an error: could not find pointer for ofs 00000000 at the top of the output, although the output continues after that.

Just so you guys know, this is my very first attempt to dump a ROM and create a flashable image, so any help would be appreciated. I'd like to start by dumping the factory ROM and then flashing it back before trying anything more drastic.

well this will not work on NAND devices, and 99% sure your PNA has nand, i.e. not NOR flash, have you read what my site says about the usage of romdumptocf.exe (i assume you downloaded it from there)?

go to the section "to dump nand flash" on my romstuff page and try those apps.

also, if you want you can upload your dump ZIPPED so i can examine it, but i doubt it'll have more than the bootloader(s) and xipkernel.

also, are you able to enter your bootloader's menu?


p.s.: testdump is also not suitable, though better as it is flexible, and will dump RAM if needed.

Edited by cmonex 2008-02-02 1:54 AM

Thanks for replying, cmonex.

Attached is the zipped dump from testdump for the PNA.

About the bootloader menu, I can get to a certain blue screen, but I don't know what it is or means. When I hold down the power button and do a hard reset, I get a blue screen with ATP System 5.0.2.25 along the top of the window and XP recognizes the device as SEC SOC Test Board.

Also, I tried the pdocread using the XDA wiki, pdocread -l gives me 23.5oM (0x1781000) for Part00 and 225.75M (0xe1c0000) for Part01, but when I check the size with pdocread -w -d FLASHDR -p Part00 -t I get real nr of sectors: 12034 - 5.88Mbyte (0x5e0400). Part01 doesn't match either.

I went ahead with the dump anyway, but after 15 min, Part00.raw was still 0 bytes.

This is a facinating project to me, cmonex, and I'm willing to read any documentation that might be helpful.

Sorry, I couldn't get it less than 9MB down from 82MB. But the directory that dumprom created from it only included:

binfs.dll
coredll.dll
FLASHDRV.DLL
fsdmgr.dll
usbd.dll
filesys.exe
nk.exe

ah wow, pdocread works to some extent. 23MB sounds realistic.

what about trying 0x800 as block size. pdocread defaults to 0x200, but your device might have 0x800 judging from the -t result being exactly four times smaller than expected


and yes, seeing that file list, dumprom only found xipkernel.


as for your bootloader, do you see more than just the blue screen? if not.. does it at least stay on that screen until you do a plain reset?
in that case it might be expecting either a connection from the PC or a memory card with a certain file(s). we should see bootloader dump to figure it out

to do that... exactly what cpu does this device have? how much RAM?

Edited by cmonex 2008-02-02 10:59 AM

The system properities shows the samsung arm920, and it's got 64MB of ram.

Regarding the blue screen, it stays at it until a hard reset.

I tried -B 0x800 -t for Part00 and the output remains 5.88MB. Changing the sector size (-b 0x800) does return 23.50MB, but I still get nothing for the dump. I looked all over, i.e. google and chasing threads, to find out if I have the usage wrong but couldn't find anything. Here's what I used:

pdocread -w -b 0x800 -d FLASHDR -p Part00 -t
returns 23.50MB

pdocread -w -b 0x800 -d FLASHDR -p Part00 0 0x1781000 Part00.raw
returns Part00.raw with size 0 bytes to the working directory, DOS just hangs, and PNA must be hard reset

I even added -B 0x800 to the usage above, and then -G 0x800, both got the same result.

Is it possible to dump Part00 to RAM and then dump it from there, and does that even make sense?

eh, yeah, i meant sector size.

your usage looks fine, just the flash driver ioctl for actually reading the flash is not what pdocread knows.

from here, if bkondisk and bksamsung didn't work, flashdrv.dll that you've dumped needs to be analysed, which isn't too trivial

dumping to ram or via activesync makes no difference to the ioctl issue.

please confirm if you tried bkondisk or bksamsung tools.

I've tried them both and get the same error for each:

ERROR: kioctl(FLASH, init1) - unknownerror: 0x00000032
error initializing flash

I've attached the the flashdrv.dll in case it comes in handy. Just let me know what information I should look for and maybe a push in the right direction on the analysis.





Attachments
----------------
FLASHDRV.DLL (29KB - 6 downloads)

ah well so the device doesn't have the specific kerneliocontrol functions for the bk apps.

by analysis.. i essentially meant disassemble and see if it makes any sense.. pdocread etc source is available from itsme's site so that also helps.

Edited by cmonex 2008-02-03 5:11 PM

Hey cmonex,

I found pedump.exe and looked at the different breakdowns for the FLASHDRV.DLL. It doesn't make much sense to me at the moment, but I thought I'd get your thoughts about it. Here's the options I had for output:

/A include everything in dump
/B show base relocations
/H include hex dump of sections
/I include Import Address Table thunk addresses
/L include line number information
/P include PDATA (runtime functions)
/R include detailed resources (stringtables and dialogs)
/S show symbol table

As I didn't know what was most important, I've attached what looked like the most information rich output.



Attachments
----------------
FLASHDRVsymboltable.txt (4KB - 4 downloads)

P.S. I had trouble getting /A to pause in ways that were easy to manage, so I went with an alternate.

Oh, and I'm reading through your relocate document for pointer on the PE structure.

by disassembling i did not mean PE analyzing, i meant real disassembly in IDA Pro or similar and try to find out what functions the flash driver dll exports for reading (if any) and how it should be used when calling from pdocread or a similar tool.
if it exports none that'd be harder.

also the kernel (nk.exe, also in your dump) might have kernelioctl's for flash read, that's the case for the devices where bkondisk / bksamsung function. but these two tools (bkondisk etc) expect specific ioctl's, but maybe your device just has different ones, worse luck if it has none

Edited by cmonex 2008-02-05 7:18 AM