|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| i've finally managed to write a program (after getting back home after a full month in the uk )
this dumps the flash of the bsquare phh
bootloaders and OS image.
the OS image is compressed, i've got the uncompressed image from RAM before but that's no good if you want to flash it back.
I think now just a program is needed that can uncompress/compress raw zlib, just like zpipe for the netbook pro images. that should be doable soon.
so watch this space
until then, here's the romdumper I wrote. it calls functions from docbin.dll to do the read, but maybe later I'll write another that directly calls the trueffs iocontrols, advantage would be that with some luck, it would work on other wince nand devices
download from attachment
usage: run the exe, with a Storage Card inserted that has at least 32MB free space.
it will tell you to wait until finish, so press OK and wait until it pops up another message. then that's all, if it didn't say success but some error message, let me know
the file is bsqromdump.bin in root of Storage Card.
Edited by cmonex 2008-05-04 11:38 PM
Attachments ---------------- bsqflashread.exe (5KB - 62 downloads) |
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Cmonex, it's great!!
I've left my PHH at home, but as soon as I come back I'm going to try your dumper |
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| I've extracted bootloader images, still trying to decompress OS image.
if you have cygwin I can send a program that can handle raw zlib compressed images, if you want to experiment too
just need to find the offset for decompression.
perazz: if you dump yours and can upload the dump I could compare it to mine, if different it might help find the offset to start decompress from.
Edited by cmonex 2008-05-05 1:21 PM
|
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| OK, OS is extracted too
just to document it, you need to remove the part until the 00 byte after "nk.bin" string at the start (including the 00 in this removal ), then add the bytes 78 9C at the start because zlib requires this header. (and remove 000000 at the end of the file )
extract using http://hpcmonex.net/zpipewin32.zip
Edited by cmonex 2008-05-06 10:34 PM
|
|
|
|
| i have sent a bsq_dump.zip to you. please get the email |
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Cmonex, tomorrow I'll get home and try! |
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| i got no email.. if it is a link to a filesharing page feel free to just post it here.
P.S: I probably wasn't documenting the decompression process clearly enough,
so, the OS starts at 0x80000 in the dump, you need to remove 17 bytes, then add the 2-byte signature for zlib.
Edited by cmonex 2008-05-08 2:02 PM
|
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Hi cmonex
I've followed your instructions and dumped my 2 PHHs' roms. I've then cut the bins until 0x80000 and then added the two 78 9C bytes at the beginning.
Then, I've deleted 0000s and ff ff ff ff ... in the end of the file.
At last, I've run zpipe -d bsqromdump.bin NK.BIN
But it tells me "invalid or incomplete deflate data". What's the mistake I've made?
perazz
PS: please, check your PMs!
Edited by perazz 2008-05-09 4:24 PM
|
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| I'm not using PM's, nobody is getting any reply over PM from me. but I got the link, i'll check it, thanks.
how many bytes did you cut at the start of the romdump file?
Edited by cmonex 2008-05-09 4:57 PM
|
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Ok, please accept my apologies for the PM
I've cut 524288 bytes (corresponding to the 0x80000 start ) + 17 (part including the nk.bin label ), in total they are 524305. Then I've added 78 9C
Edited by perazz 2008-05-10 3:24 AM
|
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| sorry I didn't see you already mentioned which offset you cut it at.
do you get a new file larger than 0 bytes? I assumed you didn't, but please confirm.
the error actually never goes away, even when you fully decompress the image - must be very absent minded lately, but you need to cut the last non zero 4 bytes as well. (that's the uncompressed image size btw. the 4 bytes before are crc32 checksum of the compressed image )
if you don't cut those, you will still get it uncompressed but last few kbytes will be missing.
then you should get a msbin image starting with a B000FF signature.
i'm going to check your romdumps now
Edited by cmonex 2008-05-10 11:10 AM
|
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Yeah I've got the msbin image!
Though, dumpromx tells me that it cannot determine loading offset... |
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| because it is a MS BIN file.
use cvrtbin to extract it first
cvrtbin -r -a 94200000 -l 2b4aa38 -w 32 binfilename.bin
(it will create binfilename.nb0 )
p.s.: i think both of your bsquares have a firmware identical to mine ... the passwords differ though
before you ask, no, I can't read the passwords saved in flash, it uses md5 unicode to hash them before storing.
Edited by cmonex 2008-05-10 4:10 PM
|
|
|
|
Factor Fanatic Posts: | 58 |
Location: | Mantova, Italy | Status: | |
| Quote cmonex - 2008-05-10 9:58 PM
before you ask, no, I can't read the passwords saved in flash, it uses md5 unicode to hash them before storing.
don't worry, I won't ask you! Thanks to your previous great job on PHH there's no need of knowing the passwords!
BTW, despite some error messages, it seems that the files I've extracted from the rom dump aren't corrupted!
Cmonex, I'd bring you a bunch of flowers!
Edited by perazz 2008-05-11 4:33 AM
|
|
|
|
H/PC Oracle Posts: | 16,175 |
Location: | Budapest, Hungary | Status: | |
| yeah, dumprom always throws that error message, that's no problem. if your BIN is 44869039 bytes then it's fine
right now I'm trying to get hold of another bsquare that I can test roms on no problem, when I get back from my little holiday, I'll work on actually flashing in a rom
still need to determine what 8 bytes do at offset 0x80002 before the "nk.bin" string (i know the first two at 0x80000 are a signature to tell the bootloader it is a .GZ image, not uncompressed .BIN ). if that gets figured out maybe from bootloader disasm, then I'll be more confident about the exact flashable format. right now it seems the last 8 bytes of the whole .GZ are crc32 and filesize of uncompressed image. and that will need to be added into flashable image.
also, realized that zpipe throws the error due to missing adler32 checksum at the file end, that doesn't really matter.
I think an attempt to load a NK.BIN as RAM OS would be best first though. already have the implementation, but need to try it
oh and thanks for the flowers
Edited by cmonex 2008-05-11 3:30 PM
|
|
|
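The extraction steps worked out over this thread, collected into one script as an added example (it is not cmonex's dumper or zpipe). It inflates the stream as raw deflate, so no 78 9C header needs to be prepended, no Adler-32 error appears, and the trailing padding does not have to be trimmed by hand. The function names, the sample data, and the trailer layout (little-endian CRC32 computed over the uncompressed image, then the uncompressed size, as in gzip) are assumptions.

```python
import struct
import zlib

OS_OFFSET = 0x80000       # per the thread: OS region starts here in the dump
LABEL = b"nk.bin\x00"     # per the thread: header ends at the 00 after "nk.bin"

def extract_os_image(dump):
    """Carve and inflate the OS image; returns the image plus trailer checks."""
    pos = dump.find(LABEL, OS_OFFSET, OS_OFFSET + 64)
    if pos < 0:
        raise ValueError("no 'nk.bin' label at the start of the OS region")
    start = pos + len(LABEL)
    # Negative wbits = raw deflate: no 78 9C header and no Adler-32 expected.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    image = inflater.decompress(dump[start:])
    if not inflater.eof:
        raise ValueError("deflate stream is truncated or damaged")
    # Everything after the stream's end marker: 8-byte trailer, then padding.
    trailer = inflater.unused_data[:8]
    if len(trailer) < 8:
        raise ValueError("8-byte trailer missing after the deflate stream")
    crc, size = struct.unpack("<II", trailer)   # assumed gzip-style layout
    return {
        "image": image,
        "header_len": start - OS_OFFSET,
        "size_ok": size == len(image),
        "crc_ok": crc == zlib.crc32(image),
        "is_msbin": image.startswith(b"B000FF"),
    }

def make_sample_dump():
    """Constructed stand-in for bsqromdump.bin (not real firmware)."""
    payload = b"B000FF\n" + bytes(range(256)) * 64
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    stream = comp.compress(payload) + comp.flush()
    header = b"??" + b"?" * 8 + LABEL            # 2 + 8 + 7 = 17 bytes
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload))
    dump = b"\xff" * OS_OFFSET + header + stream + trailer
    return dump + b"\x00" * 3 + b"\xff" * 1024, payload

if __name__ == "__main__":
    dump, _ = make_sample_dump()
    info = extract_os_image(dump)
    print({k: v for k, v in info.items() if k != "image"})
```

If `crc_ok` is false on a real dump while `size_ok` is true, the CRC is probably computed over something other than the uncompressed image, which the thread leaves open.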