Saturday, January 3, 2009

ROM dump + extraction of files

Hi - despite you can find all what I will write below also at XDA Developers (see related links on the left side) - It took me some time to understand which program does what and which are bare necessity and which are the "nice to have" things (which I do not yet care about).
As already mentioned in my notes about the bootloader, you just need two sets of tools that will do the jobs of dumping the ROM from the device (itsutils) and then extracing (WM5editrom) all the files from the just dumped ROM image to your PC.

Dumping the ROM from the device:
This is done with the itsutils from "itsme". There is one important thing to care about when doing the dump (and it must be stressed - as other wise the dump will be incomplete). OK, so now the step-by-step action list:
  1. Your device must be "application unlocked". If you do not know what that means - stop here and get a little more comfortable with what Windows Mobile is about.
  2. Download the itsutils (sometimes also called XDA-Utils) from the link above.
  3. Extract them to a working folder on the PC.
  4. Connect your device via Active Sync if it is not linked yet - wait until sync is complete.
  5. Now we need find out what file-volumes are known at the device. Get into a CMD window on your PC in the directory where you have extracted the itsutils. Enter the command "pdocread -l" (no quotes) and confirm on your device that it may run an "unknown" program. You will see a list of output similar to this:
    Copying F:\Share\_Smartphone\ROM + Tools\itsutils\itsutils.dll to WCE:\windows\itsutils.dll
    36.00M (0x2400000) TrueFFS
    | 2.06M (0x20fc00) Part00
    | 2.69M (0x2b0000) Part01
    | 31.25M (0x1f40000) Part02
    19.00M (0x1300000) TrueFFS
    | 2.06M (0x20fc00) Part00
    | 2.69M (0x2b0000) Part01
    | 31.25M (0x1f40000) Part02
    3.75G (0xf0300000) DSK1:
    | 3.75G (0xeff00000) (label of your memory-card)
    STRG handles:
    handle 0fb7c76a 3.75G (0xeff00000)
    handle 0fb237ee 18.98M (0x12fc000)
    handle 8fb7ca86 31.25M (0x1f40000)
    handle afb7c88a 2.69M (0x2b0000)
    handle efb7c866 2.06M (0x20fc00)
    disk 0fb7c76a
    0 partitions, 0 binary partitions
    customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    disk 0fb237ee
    2 partitions, 2 binary partitions
    customerid=00000000 uniqueid= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    disk 8fb7ca86
    2 partitions, 2 binary partitions
    customerid=00000000 uniqueid= 00 00 00 00 ee 22 02 01 0a 27 03 95 07 06 05 a0
    disk afb7c88a
    2 partitions, 2 binary partitions
    customerid=00000000 uniqueid= 00 00 00 00 ee 22 02 01 0a 27 03 95 07 06 05 a0
    disk efb7c866
    2 partitions, 2 binary partitions
    customerid=00000000 uniqueid= 00 00 00 00 ee 22 02 01 0a 27 03 95 07 06 05 a0
    I have issued the command above for my Tornado device - not the E72 (which is in a "lets see how long it survives in standby without charging" test), so it will look different, but the important thing to notice is the length of the part02 partition (marked in bold red) above. You need this for the command to actually dump the ROM in the next step.
  6. Now enter "pdocread 0 (your-value-here-no brackets) part02.dump" like I did here:
    pdocread 0 0x1f40000 part02.dump
    CopyTFFSToFile(0x0, 0x1f40000, part02.dump)
    You see above that it starts to copy date from the device to the file. This takes several minutes - you can watch the file grow in the Windows Explorer if you like to - so be patient until you see the prompt again.
    That's it for extacting the ROM - nothing more to do if you just want to share it with others. Put "part02.dump" in a ZIP/RAR and label it with what you know about your device (Kyocera or BenQ - Windows Mobile Version - ROM Version from "Settings - About: Image Version, Build Date, Build Time).
  7. If you want to dig deeper a little you may want to extract the contents of the just dumped ROM image. For this you need the WM5EditRom tools (imgfs_tools). Extract them in a different folder (e.g. aside the itsutils) and move the part02.dump file there as well.
  8. Now enter again a CMD window - this time in the folder where you have extracted the imgfs_tools and moved the part02.dump. There enter "prepare_imgfs part02.dump -nosplit" resulting in:
    Searching for IMGFS start... Found at 004C0000
    Dumping IMGFS ...
    Done!
    This has created two files: imgfs_raw_data.bin and imgfs_removed_data.bin which is empty. The first is now the complete ROM filesystem and needs to be further decomposed with the next command.
    Again mind that the examples above are not originating from an E72/E4000 (WM6) but from an HTC Tornado (WM5), so your filesizes and addresses will be drastically different.
  9. So now the last command for decomposition: Enter "viewimgfs imgfs_raw_data.bin > viewimgfs-output.txt" (no qoutes) on the commandline and press enter. As the command output is redirected into a file (using > filename) you will see nothing - but after a minute or so the command prompt returns. You can now examine the file "viewimgfs-output.txt" for errors (there should be none).
    The command has created a new directory below the current - called DUMP. Within this directory you find all files and modules that have been part of the ROM filesystem. You will notice that some files are just there like in the \windows directory of your device and others are decomposed in own directories. I am not expert enought to tell details here - consult the various discussions abuot ROM cooking at XDA Developers.
    Mind that often the reconstructed *.dll or *.exe in the module directories cannot directly replace their ROM counterparts.
  10. The toolset contains also powerful tools to reassemble an imgfs and reconstruct an item to dump back to ROM. For me there are still too many things I don't understand - so I stop here describing anything more. Look up yourself at the referenced sources.
Still several questions stay which require to dive deeper in the water of understanding how the ROM filesystems on WinCe work before I recommend anyone to dare writing anything back to the device. Things I need to understand include:
  • What do the other partitions of the filesystem contain?
  • How are the partitions of the filesystem depending on each other?
  • What is in the part of the ROM dump before the actual imgfs?
    Here I suspect the boot-image and the Radio ROM - but this needs to be confirmed still.
  • Can the imgfs be cut down to use only the size of the actual (compressed) content?
    In my case the dumped ROM contains only FF starting from address 0x3569250 until the end at 0x4d0bfff - this makes roughly 24 MB of wasted space that was surely intended to hold other ROM options like localizations and programs. Would be good to get that as normal device installation memory.

4 comments:

  1. ty fin ally (with your wolkthrought) i succeded in dump my rom (benqe72 from expansis uk, spanish, polsky, russian, english)and in dump the asian rom...

    thank you :D
    >ZNIAL

    ReplyDelete
  2. Can somebody upload asian dump?

    Gregory (SGregory[at]rambler.ru)

    ReplyDelete
  3. Znial, sorry i dont know how to. but i wnna asking you.
    My Benq E72 has been upgraded to WM6.1 , but i want to reinstaling WM6 standadrd for smartphone. how to do it?

    i have E72.nb ,but i dont know how to

    ReplyDelete
  4. Hi there. Hey dood, i don't speak english natively and i've never been clear on what a dump/dump file is... is this like a backup or something similar? is it for debugging or what is it for?.... my the way, i want to install a linux kernel instead of the Windows Mobile platform it relays on by default. Do you think is a good or bad idea? could some software/hardware features end up useless? thanks in advance.

    ReplyDelete