Better Mobile App

Backup Original ROM before trash my Himalaya

First of all .. my thanks goes to all the people to this forum!
You're really GREAT !!
In any case sorry for my poor english :wink:
I've few questions ...
I've read many many pages but I can't understand the right procedure to follow for dumping my Himalaya original ROMs because in some pages the "d2s" command is followed by some numbers and in other, by other numbers ... confusion bring me !
After that, otherwise, I've tried to follow the XDA II procedure and the storing procedure to SD seems to be ok .. but when I try to save the rom dump from my SD to PC using ntwr (otherwise was unreadable in Win), I've got a read error but, in any case, I obtain only one file on my PC of about 400 MB and I suppose that something is wrong because all of you speaks of about 50 MB ... so ... What's the right procedure with the right command? How can I be sure that my dump is correct? The dump it's only one file or one for separate ROM Radio and Extended?
When I solve this issue I can try to upgrade my Himalaya to WM2005.
Thank you for your help.

Please help me, I'd like don't lose my guarantee.

This post was submitted also to buzz forum
Now this is the situation ...
Qtek 2020 - 1.66.04ITA
-= Preparing the device =-
01 ) I,m gone to Bootloader (Power + Directions + Reset)
02 ) I see on the device "Serial v1.06"
03 ) I stop MSSync service Ctrl+Alt+Canc and stop wcescomm.exe
04 ) Put device on cradle
05 ) Now I see on the device "USB v1.06" instead of "Serial v1.06"
06 ) Put the 512 MB SD into the device
07 ) Start Mtty 1.42
08 ) Leave as is all the parameters
09 ) I've "USB" port (and not ".WCEUSBSH001") and I press USB
10 ) Ok seems to be connected to the device
-= Dumping the ROM on SD =-
11 ) Into mtty command line I write (and not copy and paste and without "sd a" at the end)
d2s 80000000 02000000
12 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
SDCARDD2S+,cStoragePlatformTyp e=FF
****************************** ****************************** ****************************** ****************************** ********
Store image to SD/MMC card successful.
USB>
13 ) Then I write
d2s 60000000 00300000 sd a
14 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
************
Store image to SD/MMC card successful.
USB>
15 ) Then I write
d2s 70000000 01080000 sd a
16 ) Device tell me % of work while in mtty I found
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD : Detected one card
SD : ready for transfer OK
pc->drive.total_lba=EEC00
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=B368
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1DD80000
DOCInfoTableinitHW+
Binary0:dwSize=80000
BINFS0:dwSize=0
FAT0:dwSize=1000000
FAT1:dwSize=EA0000
All:dwSize=1F20000
****************************** ****************************** ******
Store image to SD/MMC card successful.
USB>
-= Saving ROM from SD Card to PC =-
17 ) Put the SD Card into a Card Reader
18 ) Go to Dos command line into ntrw path
19 ) Type "ntrw read ROM.nb1 H:" where H: is the Card reader drive
Now start the problem ... :shock:
I want to know if it's all ok with this process ...
The output of ntrw is:
NTRW 2.0
Removable media
Cylinders: 0:60
TracksperCylinder: 255
SectorsPerTrack: 63
BytePerSectors: 512
bufsize is 65536
500629504 bytes written bytes: 0
ReadFile(): ROM.nb1 -- Parametro non corretto
First signal of some error but someone tell that's ok!
And then I see prompt.
Now I find the file ROM.nb1 that is 477 MB (like the SD size after a FAT format).
It's ok? ... I don't think so .. but let's going on!
I open the file with an HEX Editor and the file seems ok but after a string like HTCE the file contains all 00h.
Can I cut off that part?
How can I ensure myself that's all ok?
Come on guru don't leave me with the bootloader splash screen instead of the MAGNETO one :lol: :lol: :lol:

Thanks to rhmartin's help (on buzzdev.net) I've reach this situation ..
I've got my dumped rom in SD and in a file.
But ...
I acquire more information about my Qtek 2020 (XDA2):
ROM: 1.66.04ITA
Radio: 1.10
ExtROM: 1.66.148
I think that's a WM2003 (not SE), isn't it?
In any case ... I put back my dumped roms in SD and followed the procedure for rom restore:
1 - Bootloader
2 - Put SD into device
3 - Wait for "Press Power Button"
4 - ecc. ecc.
But I never reached number 3, what's wrong?
I've put back the dump as a single file (as ntrw output give to me), it's correct or I must put it back (and so backup first in that way) as 3 separate files?
I've seen that in download area there's no WM2003 dumped rom, so I search by myself and I found RUU172128ITA (1.72 ITA) but I prefer if my backup can be useful for disaster recovery and can be used for my original version backup.
I think that you understand my situation .. I prefer ask before a not funny situation instead fill the forum with hundreds emergency posts.
I hope you think I've reason.
Thank you for the patience and sorry for possible misunderstandings or english syntax errors!

NO ONE CAN HELP ME ... INCREDIBLE!
I'm ready to ask sorry but ...
There's no one in this great forum that can help me ...
IT'S INCREDIBLE !!! :shock: :shock: :shock:
I don't think that no one haven't my problem ...
PLEASE SOMEONE HELP ME
:evil:

I Cant Make Full Backup, Need Help (g4) Cingular 8125 Sim & Cid Unlocked

I Cant Make Full Backup, Need Help (g4) Cingular 8125 Sim & Cid Unlocked
--------------------------------------------------------------------------------
I have tryied everything nothing had worked I'm able to Backup OS & Extended Rom. Not a nubby even doing sd backup happens same thing I can make individual backup like IPL, SPL, Extended Rom, OS ect. But I want full backup and I cant. When I use aWizard it does great job but on the radio.nba part this is the message that comes out. I have tryied everithing all the programs availables on all forum this has been a 8 day proyect please some one can help me. HELP HELP HELP HELP HELP HELP HELP HELP HELP. ITS A CINGULAR 8125 (G4) UNLOCKED SIM & CID BY CHECK-IMEI. PLEASE SOMEBODY ANY ADVISE.
THIS IS DOING IT WITH SD
r2sd all
R2SDBackup() Pls. insert SD card !!
Cmd>r2sd all
***** user area size = 0x3B880000 Bytes
R2SDBackup() - Download type = 5
usTotalBlock = 1 sizeof(SDCARD_SIGNATRUE_TABLE)=512
Start address = 0x80000000 , Length = 0x800
Start address = 0x80000800 , Length = 0xC0000
Start address = 0x800C0800 , Length = 0x40000
Start address = 0x80100800 , Length = 0x280000
GSM - dwSize = 345DF
GSM Page0
Start address = 0x4E3D4C0 , Length = 0x3900000
Start address = 0x743D4C0 , Length = 0xA00000
The read size is not matched, load failed!
Some Image (8) load failed, we can not backup All images...
Cmd>
============== aWizard 1.3 beta 2 ===============
- By ahlok_hk -
__________________________________________
- [Credits] -
- itsme for 'itsutils' -
- MachinaGod for 'RapiUnlocker' -
- MachinaGod for 'lokiwiz' -
- mamaich for 'WM5 ROM editing tool' -
- psneddon and kenu for Logo Converter -
- nicob for scripting tips -
- xda-developers.com, buzzdev.net n oths -
__________________________________________
* Please Choose one of the following options:
a - View README file
e - Enable RAPI (Run this after each hard reset)
u - Unlock CID (!!!PLEASE RUN THIS ONE TIME FIRST!!!)
b - Backup Radio, OS and Extended ROM from device
s - Write Backup Splash Logo (.nba) to Wizard
c - Convert + write BMP(240x320) Splash Logo to Wizard
r - Write Radio ROM to device (!! RUN unlock CID 1st !!)
w - Write OS ROM to device (!! RUN unlock CID 1st !!)
q - Quit this program
__________________________________________
!!! ATTENTION! Please use this tool at your own risk!!!
__________________________________________
* Type letter then press [Enter]:B
* Backup Wizard ROM Version 1.0
* Please enter the name of "folder" to save the ROM image to (e.g. "QT-1_6_3_4-W
WE"), no space pls
* Then press [Enter], or q to to main menu:radio
* Backup Radio ROM? (y/n/q):Y
* Backup OS ROM? (y/n/q):N
* Backup Extended ROM? (y/n/q):N
* Backup Splash ROM and HTC Logo? (y/n/q):N
* Please make sure the following before running this option:
* - your have connected your Wizard to the PC with USB ActiveSync connection,
* - already run the option 'e' at least once after the last time you hard reset
the Wizard
* then press [Enter] to start, or q to main menu:
[14:29:32.28] Backup Radio ROM [ROM\radio\radio-Radio.nba] Start
* This process takes about 5 to 8 minutes depends on CPU Speed.
* Please wait.....
3 partitions, 2 binary partitions
customerid=00000000 uniqueid= 00 00 00 00 39 07 01 06 27 2c 17 3e 17 05 06 ec
CopyTFFSToFile(0x50000, 0x280000, ROM\radio\radio-Radio.nba)
ERROR: ITReadDisk: outbuf==NULL
[14:30:18.59] Backup Radio ROM [ROM\radio\radio-Radio.nba] End
Press any key to continue . . .

STRTRK CID Unlock

I'm truly sorry about the delay.
I've finally got round to posting a a STAR100 SuperCID guide.
1. Get itsutils: http://www.xs4all.nl/~itsme/projects/xda/tools.html
2. Run pdocread.exe with no args. Take a note of the "uniqueid" value.
3. Run "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb" - you'll get a file.
4. Head over to http://www.spv-developers.com/strtrkCID/. Feed it the DOCID and the file you got from steps 2 and 3. It'll give you back anoter file.
5. Run "pdocwrite -n 1 patchedfile.bin 0x000000 0x10000 -b 0x4000" where patchedfile.bin is obviously to be replaced with the patched file you got from step 4.
6. There is no 6. Report feedback.
Click to expand...
Click to collapse
All credit goes to itsme - he wrote all the tools and scripts which made all this possible.

Spawning script: perl startrek_cidedit.pl cid1e62995dd1db197b00b697388760b5e3.bin -i DOPOD601 -c 11111111 -o supercid1e62995.bin 2>&1
decrypting
bufend=44bdd4609845fd0931a871b4a31ddba42d4b96386f9 e9c5dff947c035432fc15
result=b2c7c4eede400853eb232eba436f394b3d75a9adf4c e9a1e452b26ea9059dc59
sha64k=8a7e3a8462b8c851ac125710d44abc05da4916f215e 331f98420db7ae5d87a5d
buffer checksum failed
why ?

Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.

Fantastic !!! Working Ok on SPV F600. Now, we need how to simunlock this smartphone.
Thank you very much Zone Mr.

i run pdocread in step 1 and got a dos screen that desaper in a second,and were i find the file in step 2.

Zone-MR said:
Looks like the DOCID value you entered is incorrect. It should be a long stream of hex numbers.
Click to expand...
Click to collapse
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.

wlinsong said:
thank you Zone-MR,can u tell me how to get a long stream of hex numbers.
Click to expand...
Click to collapse
i know how to do,thank Zone-MR very very much
is there someone know how to flash rom use T-flash Card?

someone can't get the docid ,because you must use the old one!

I tried to do first step but when I ran pdocread.exe I get the following message :
Could not update itsutils.dll to the current version, maybe it is inuse?
try restarting your device, or restart activesync
or maybe your device is application-locked.
I've app-unlocked my device, activesync works ok, and restarting does not help. Phone is Qtek8500.
Any ideas?
Thanks

Is the script to calculate CID area for startrek available?
I think this should use the same method on Artemis or Herald, the problem is that they have G4 DOC and we'll not be able to use pdocwrite, but on those phones we're already able to place a hacked SPL in mem with psetmem.exe and jump into it's address with modified haret version. If we have the right CID area we can use the hacked SPL to flash it.

sorry for the ignorance...
I have downloaded itsutils but where is the dpocread.exe??
do I have to connect to the device with the mtty??
Maybe a bit more explanation

I've CID unlocked my Qtek 8500 and installed new ROM 3.6.251.0. Thanks Zone, great work!
Maybe it would be useful to write more detailed instructions, so here it is :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like

It works! I've got now 3.6.251.0_02.67.30 on my Qtek!
Thank's, damird, your guide is unreplaceble for such lamers like me
But maybe anyone can suggest me were can i find and how to install (if it possible) Russian t9 or only russian lang to input? Or maybe how to rollback to original ROM with this that lang... (1.02.261.1)
Thank's
added:
Problem's gone, Russian T9 added.

Damird!
Cheers mate

Hello, can you share with us this script to calculate CID area in StarTrek?
With this script we can SimUnlock the StarTrek very easy (at least I think...)
Thank you very much.

I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?

wow, pof, I can't wait for it! i had bought one herald in China but wireless was disable by default. I hope I could unlock the CID and get a WWE rom to enable the wireless.

sokelut said:
I'm confused here... is CID unlock not the same with SIM unlock?
my carrier is tmob but I'm getting cing 3125 at ebay so I need to SIM unlock the phone for it to work on tmob right?
Click to expand...
Click to collapse
Correct, you still need to pay to carrier unlock the phone. Check the wiki for links to a few services that are known to work.

CID unlock? Error installing ROM
I'm getting an ERROR [294] INVALID VENDER ID
I did the CID unlock
It starts to install the rom but when it gets to 4% I get this error. How do i fix this?
Can anyone help?!

Need a little clarification
Im stuck in steps 3-11. I've downloaded itsutils and I don't know how to proceed.

Qtek 8500 unlock

Hello,
I need help unlocking (simlocked - pda is working) Qtek 8500 from austrian "ONE" provider. Also, I need to change language (from german to english). Since I am new in this windows based phones, I would appreciate any help u people can provide me...
I cant unlock it online, since I dont have paypal account. My country is not listed.
THANK YOU.
Dejan

Here is CID unlocking procedure, that was posted few days ago by Zone-MR. I have unlocked my Qtek8500 and installed a new ROM version 3.6.251.0. :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
3. Download itsutil.zip from http://www.xs4all.nl/~itsme/projects/xda/tools.html , version from 2005-6-28. There is even newer version, but with that version you can not use pdocread without arguments.
4. Connect the phone with activesync
5. Run Command Prompt, go to subfolder named "build" in itsutils folder, and run pdocread without arguments
6. Note the value of "uniqueid". It will be something like : "00 00 00 00 12 03 02 14 3b 07 1b b2 04 05 07 54"
7. run pdocread again with these arguments : "pdocread -n 1 0x000000 0x10000 -b 0x4000 original-bdk1.nb". This will make original-bdk1.nb file in build folder (where the pdocread is located).
8. Upload this file and value of uniqueid to http://www.spv-developers.com/strtrkCID/. It will open a new page after few seconds. Go to bottom of the page and click the link "Download patched BDK1"
9. Download the file (it will be named like "supercidxxxxxxx.bin) to "build" folder
10. Run the pdocwrite from command prompt with these arguments : "pdocwrite -n 1 supercidxxxxxxx.bin 0x000000 0x10000 -b 0x4000". Replace supercidxxxxxxx.bin with the original name of downloaded file from step 9.
11. Wait 15-20 seconds and that is it. Reboot the phone and install the ROM you like

Still not working...
Thank you damird,
I have done everything as you described. Now I have ROM ver. 3.6.251.0 downoaded from ftp.xda...
But my Qtek is still SIM LOCKED!! When I insert sim card, following message appears:
NETWORK IS LOCKED. PLEASE INPUT UNLOCK CODE.
Please help me with this.

IMEI Check
well, i think you have to use the imei check solution
http://www.imei-check.co.uk/f600unlock.php

Cant use imei check
Imei check will be the problem, since my country is not listed in paypal. Simply cant pay it!
Is there any other option?

Paypal
send me the money, i'll pay for you !!!!!

envelope?
All I can do is to send u the money inside trackable envelope. It is not secure, but if I couldnt find other option, I will do that. THANK YOU! It would be 20 GBP, right?
Please wait week or two in order to find another solution... If not, I will contact you.
Thank you again.

How can I find out the value of DOCID?
How can I find out the value of DOCID? What is DOCID?

damird said:
Here is CID unlocking procedure, that was posted few days ago by Zone-MR. I have unlocked my Qtek8500 and installed a new ROM version 3.6.251.0. :
1. Application unlock your phone using regeditstg and do the following :
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1001 = 2 -->Change the value data from 2 to 1
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1005 = 16 --> Change the value data from 16 to 40
HKEY_LOCAL_MACHINE\Security\Policies\Policies\0000 1017 = 128 --> Change the value data from 128 to 144
Reboot the phone
2. Run SDA_ApplicationUnlock tool. Reboot the phone after it finishes.
Click to expand...
Click to collapse
I cannot edit register to change setup, the access id denied....
How can I unlock my phone? Note it is not branded and it works with all SIM, but if I install a new ROM it refuse it...
thanks for the help

All Hurricane ROMS in one place!!!

I would ask all active members to upload or share their collection of roms for Hurricane. I bricked my hurr 2 years from now and yesterday i got one so i would like to try as many roms as possible, and it will be great for all to share roms!!! I found several on this forum (lazaj's, saleng's, shadow's) but i think that there is more!!! So share your collection!!!
Here i found some on forum:
hurricane unlock, patch and upgrade wm 6.1(selang09) ***
Link: http://www.megaupload.com/?d=JLO5H1L7
Thread: http://forum.xda-developers.com/showthread.php?t=475286
Opinion: Good one, but chinese language everywhere! After u change main lang. still some apps name stay in chinese and options too!
wm6.1 for hurricane (with Bluetooth and INFRARED RAY problems solved)0415update!!!
Link: http://rapidshare.com/files/100934508/5x6_wm6.1_0319.rar
Thread: http://forum.xda-developers.com/showthread.php?t=378607
Opinion: Didn't tried!
WM 6 Graphite rom, how to get WMPlayer in English (now in Polish)
Link: http://rapidshare.com/files/108676266/wm6_2_2.zip
Thread: http://forum.xda-developers.com/archive/index.php/t-384972.html
Opinion: Using this one right now! Seems ok, works nice, nice look, except incoming calls didn't show up!!! Very bad bug!
Wm 6.1 Pl/eng
Link: http://rapidshare.com/files/131860280/wm_6_1_by_Lazaj007.zip
Thread: http://forum.xda-developers.com/showthread.php?t=410739
Opinion: Tried before Graphite eng edition, works great, looks great... Main lang polski, after lang change WMP stay in polski! But still ok!
WM6 for SPV C550
Link: http://rapidshare.com/files/56833250/566.zip
Thread: http://forum.xda-developers.com/showthread.php?t=330709
Opinion: Never tried!
And one pack with SPL 1.00.84 & soft spl (nb, nbf), IPL 1.00.15, GSM DATA (hex and dec), bootloader commands, splsplit... etc!
Link: http://rapidshare.com/files/427352270/data_hurricane.rar
Info: This last files can help u to unbrick your hurricane (BUT AVOID TO BRICK IT), i found it on pda2u.ru , and thanks them for that! Special thanks to member SAXON!
I found many links for ROMs but those which is here have alive links! Someone with good upload speed can reup them again in one pack and post a link here!
ENJOY!

I would like to have a non T-Mobile German version (can be a shipped ROM). Have not found any yet, only those that are available at www.shipped-roms.com Have to live with de-branding this as it seems.
Possibly someone with any of the following devices can do a "r2sd all" backup of the ROM?
imate SP4M
Orange C550
Qtek 8200 (the Russian/English is available as RUU)

Thanks for this link tobbbie !

Btw, in selang's rom SMS Send don't work! So, it is useless!!! :S

I have tested all ROM´s below for SDA II, but for me lazaj007 is the best of all
Thanks to lazaj007

Did anyone care to pick up some ROM cooking for that device? I did not succeed in getting the .BIN files manipulated correctly - and I think I have a collection of nearly all ROM tools now :-(

howto convert .bin to .nb0 and back
Foreword:
.BIN files are not all the same by their nature (of course not by content). There are
.bin that are used to identify the bare binary content of the various partitions (you mostly see those)
.bin that are used to flash a ROM to the device. This looks somehow historic though, the format is already described by itsme at: http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html. It seems to me that some non HTC devices are still using this format.
The osnbtool.exe (from Weisun at PDACLAN.COM) does not work for any purpose regarding .bin files
at least not for Hurricane.
- The -sp option cuts only the B000F\0a header but does not reconstruct the blocks of the .bin file.
Mind that small .bin files (smaller than 0x1c00000) are treated correctly as there is only one block.
- The -2bin option creates an incorrect .bin header (sets a weird total length) and sets totally confused
block-load addresses for the created blocks of 64k (0x10000) size. Check it with viewbin.exe if you like.
Reference for the filestructure by itsme:
http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html
The splitrom.pl (itsme romtools) seems not be able to read the content of any .bin file I have fed to it.
Neither for .BIN files created for Hurricane nor those for Typhoon, I always get:
cmd> splitrom.pl <binfile>
B000FF image: 82040000-84c40000, entrypoint: 00000000
!!! your rom is not known to me: md5: a520f0d1093b36f0a3cfd9323ea99155
this bootloader seems to be No bootloader present
no xipchain found
no bootloader found
no operator rom found
no bitmap found
I am rather sure it should handle everything correctly but I am too stupid to debug .pl :-(
So the only thing that works and will re-create a flash-able .BIN file from a .nb0 is listed below:
convert .bin to .nb0:
enter: viewbin -r <binfile>, you get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x01C00000, Chksum = 0x00000000
Record [ 1] : Start = 0x83C40000, Length = 0x01000000, Chksum = 0x00000000
Record [ 2] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
The above has two blocks of data and a termination block.
The checksum = 0 effectively disables upload checking (so potentially dangerous).
The size just fits the Hurricane's SPL "l" (load) command buffer, as you get when loading a ROM:
"clean up the image temp buffer at 0x8C080000 Length 0x01C40000 "
The blocks can be smaller than 0x1c40000 but not bigger obviously.
then convert to nb0, enter: cvrtbin.exe -r -a <imgstart> -l <length> -w 32 <binfile>
for above viewbin output: cvrtbin.exe -r -a 82040000 -l 2c00000 -w 32 <binfile>
mind to omit the 0x for the start and address, replace <binfile> with your filename, then you get a resulting file from <original-name.bin> to <original-name.nb0> which can further be decomposed and edited with standard ROM tools
convert .nb0 to .bin:
enter: xipbin.exe <input.nb0> <start-in-nb0> <output.bin> <loadaddress>
to get back something flashable like above: xipbin.exe <input.nb0> 0 <output.bin> 82040000
mind to omit the 0x for the loadaddress, replace <"file"> with your filenames
to recheck if the created BIN file is usable, startup the viewbin again
enter: viewbin -r <binfile> you now get something like:
Image Start = 0x82040000, length = 0x02C00000
Record [ 0] : Start = 0x82040000, Length = 0x00040000, Chksum = 0x0208CC79
...many entries deleted...
Record [175] : Start = 0x84C00000, Length = 0x00040000, Chksum = 0x0177FB3C
Record [176] : Start = 0x00000000, Length = 0x00000000, Chksum = 0x00000000
Start address = 0x00000000
Done.
Looks quite different - but this is ok! The loading process in MTTY indocates the loading of each above block with a sequence of |*, so with these many blocks the upload to the device is giving feedback and thus is not tempting people to interrupt it.
I have done my tests with the 566.zip linked in the first post of this thread, but this should work with any .BIN file from the other ROMs as well. So I will continue to see if I can recycle any of the WM6 Roms for inserting my imgfs created for Tornado. As before the imgfs still the XIP is loaded and I know too little about this yet (especially in connection to the imgfs and how close these two are linked) - I am prepared to see non booting device states quite a lot. Luckily there is nothing done to the early boot chain (IPL and SPL) so I can always get back to the bootloader and start over again.
I hope to get a first indication that imgfs is mounted correctly in the "old" XIP before I have to replace the OEMdriver parts in my Tornado ROM.
I just checked if I can still use this flash-method for the Tornado - and it works as well. So the created "os-new.nb" in the OUT directory can be converted to .BIN and then flashed inside MTTY with the "l" command. Not that I like this method - but it works as well.

Tobbbie, you have here a very good research! To bad this device is out of use!