Buzzdev.org

I haven’t been on here a while and I apologize for that. This summer has been a busy one for me – first in summer school for AP Macroeconomics for 6 weeks and then I went back to India for 4 weeks. I’m back now and of course, school starts in 2 days. But I have been doing some WinMo stuff over the past 2 months. However, I haven’t been working on my OnDemand customization. Instead, something bigger has caught my attention.

Ever since Da_G over at XDA-Developers created a thread about the Image Update system, I’ve been following and developing some of my own software. For those who don’t know, the Image Update system allows for you to update the IMGFS and XIP partition of your phone via cab files instead of flashing the device and losing all personal data/installed applications. To make this mechanism work, which has been present in Windows Mobile since WM5, all of the DSMs (Device Side Manifests) need to be in the proper MS format. Unfortunately, all of the current kitchen tools that we use for ROMs malform these DSMs or completely remove them from the ROMs. Because of that, I’ve been working on applications that will make Image Update work properly. In June, I was able to create two applications – one that regenerated DSMS from scratch in the exact same way MS’s tools are supposed to work. The other would create the Image Update packages and sign them - they produce the same results as the ones generated my MS’s tools as well. I’ve been working to consolidate them into one app that will also act as a ROM kitchen that adheres to MS’s documentation (for the most part ).

For those who are interested, you can check out Da_G’s thread in the Dev & Hacking section of XDA (I’m too lazy to link to it right now )

Here’s the source code of Extended ROM unlocker for:

• HTC Himalaya
• HTC Prophet
• HTC Apache
• HTC Universal

This c++ source works on WindowsMobile 2005 operating system (see the comment in source).

DiskOnChip (DOC) is protected by simple plaintext password, which is readable in bootloader/SPL dumps.

The code is pretty simple and easy, however, if you don’t understand something, feel free to post a comment and ask.

// **********************************************************
// HTC Prophet/Himalaya/Apache/Universal ExtendedROM unlocker
// for WindowsMobile 2005
// by buzz_lightyear
// http://buzzdev.net
// May 2006
// **********************************************************

#include
#include
#include "diskio.h"
#include
#include "ceioctl.h"

#define BUFFER_SIZE 0x200

// this handle works on WindowsMobile2005
LPCTSTR diskname = L"\Extended_ROM\Vol:";

DWORD nReturned = 0;
HANDLE hDevice = NULL;
flProtectionOutput out;

FLStatus PrintFLStatus(const FLStatus bStat) ;

bool PartitionInsertKey(HANDLE hDsk, bool bInsert)
  {
	  BYTE in[10];

  in[0]= 0;
        //      COMMENT/UNCOMMENT as apropriate for given device
        //      |--------------------- HTC Prophet DOC password
        //      |     |--------------- HTC Himalaya DOC password
        //      |     |     |--------- HTC Apache DOC password
        //      |     |     |     |--- HTC Universal DOC password
	in[1]= 'a';//'a';//'A';// a
	in[2]= '!';//'Y';//'p';// S
	in[3]= '0';//'a';//'a';// r
	in[4]= '3';//'L';//'c';// E
	in[5]= '2';//'a';//'M';// v
	in[6]= '1';//'M';//'V';// I
	in[7]= '9';//'i';//'9';// n
	in[8]= '1';//'H';//'4';// U
	in[9]= bInsert?PROTECTION_INSERT_KEY:PROTECTION_REMOVE_KEY;

	memset(&out, 0, sizeof(out));

    DWORD nReturned=0;
    if (!DeviceIoControl(hDsk, FL_IOCTL_BDTL_HW_PROTECTION, &in, sizeof(in), &out, sizeof(out), &nReturned, NULL)) {
		PrintFLStatus(out.status);
        return false;
    }
	//PrintFLStatus(out.status);
    return true;
}

bool PartitionChangeType(HANDLE hDsk, DWORD dwType)
{
    BYTE in[10];

    in[0]= (BYTE)dwType;
	in[1]= 'a';//'a';//'A';// a
	in[2]= '!';//'Y';//'p';// S
	in[3]= '0';//'a';//'a';// r
	in[4]= '3';//'L';//'c';// E
	in[5]= '2';//'a';//'M';// v
	in[6]= '1';//'M';//'V';// I
	in[7]= '9';//'i';//'9';// n
	in[8]= '1';//'H';//'4';// U
    in[9]= PROTECTION_CHANGE_TYPE;

    memset(&out, 0, sizeof(out));

    DWORD nReturned=0;
    if (!DeviceIoControl(hDsk, FL_IOCTL_BDTL_HW_PROTECTION, &in, sizeof(in), &out, sizeof(out), &nReturned, NULL)) {
        //error("FL_IOCTL_BDTL_HW_PROTECTION");
		PrintFLStatus(out.status);
        return false;
    }
	PrintFLStatus(out.status);
    return true;
}

bool unlockdisk(HANDLE hDsk)
{
    if (PartitionInsertKey(hDsk, true) &&  PartitionChangeType(hDsk, PROTECTABLE))
	{
	return true;
	}
	return false;
}

//TRACE
void TRACE(LPCTSTR szFormat, ...)
{

	TCHAR szBuffer[BUFFER_SIZE];

	va_list pArgs;
	va_start(pArgs, szFormat);
	wvsprintf(szBuffer, szFormat, pArgs);
	va_end(pArgs);

	_tcscat(szBuffer, TEXT("rn"));
	OutputDebugString(szBuffer);
}

FLStatus PrintFLStatus(const FLStatus bStat)
{
	switch(bStat)
	{
	case flOK: TRACE(TEXT("FLStatus: OKn"));
		MessageBox(NULL, L"SUCCESS", L"OK", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break;
	case flBadFunction:
		TRACE(TEXT("FLStatus: BadFunctionn")) ;
		break ;
	case flFileNotFound:
		TRACE(TEXT("FLStatus: FileNotFoundn")) ;
		break ;
	case flPathNotFound:
		TRACE(TEXT("FLStatus: PathNotFoundn")) ;
		break ;
	case flTooManyOpenFiles:
		TRACE(TEXT("FLStatus: TooManyOpenFilesn")) ;
		break ;
	case flNoWriteAccess:
		TRACE(TEXT("FLStatus: NoWriteAccessn")) ;
		break ;
	case flBadFileHandle:
		TRACE(TEXT("FLStatus: BadFileHandlen")) ;
		break ;
	case flDriveNotAvailable:
		TRACE(TEXT("FLStatus: DriveNotAvailablen")) ;
		break ;
	case flNonFATformat:
		TRACE(TEXT("FLStatus: NonFATformatn")) ;
		break ;
	case flFormatNotSupported:
		TRACE(TEXT("FLStatus: FormatNotSupportedn")) ;
		break ;
	case flNoMoreFiles:
		TRACE(TEXT("FLStatus: NoMoreFilesn")) ;
		break ;
	case flWriteProtect:
		TRACE(TEXT("FLStatus: WriteProtectn")) ;
		break ;
	case flBadDriveHandle:
		TRACE(TEXT("FLStatus: BadDriveHandlen")) ;
		MessageBox(NULL, L"BadDriveHandle", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
	case flDriveNotReady:
		TRACE(TEXT("FLStatus: DriveNotReadyn")) ;
		MessageBox(NULL, L"DriveNotReady", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
	case flUnknownCmd:
		TRACE(TEXT("FLStatus: UnknownCmdn")) ;
		break ;
	case flBadFormat:
		TRACE(TEXT("FLStatus: BadFormatn")) ;
		break ;
	case flBadLength:
		TRACE(TEXT("FLStatus: BadLengthn")) ;
		break ;
	case flDataError:
		TRACE(TEXT("FLStatus: DataErrorn")) ;
		break ;
	case flUnknownMedia:
		TRACE(TEXT("FLStatus: UnknownMedian")) ;
		break ;
	case flSectorNotFound:
		TRACE(TEXT("FLStatus: SectorNotFoundn")) ;
		break ;
	case flOutOfPaper:
		TRACE(TEXT("FLStatus: OutOfPapern")) ;
		break ;
	case flWriteFault:
		TRACE(TEXT("FLStatus: WriteFaultn")) ;
		break ;
	case flReadFault:
		TRACE(TEXT("FLStatus: ReadFaultn")) ;
		break ;
	case flGeneralFailure:
		TRACE(TEXT("FLStatus: GeneralFailuren")) ;
		break ;
	case flDiskChange:
		TRACE(TEXT("FLStatus: DiskChangen")) ;
		break ;
	case flVppFailure:
		TRACE(TEXT("FLStatus: VppFailuren")) ;
		break ;
	case flBadParameter:
		TRACE(TEXT("FLStatus: BadParametern")) ;
		break ;
	case flNoSpaceInVolume:
		TRACE(TEXT("FLStatus: NoSpaceInVolumen")) ;
		break ;
	case flInvalidFATchain:
		TRACE(TEXT("FLStatus: InvalidFATchainn")) ;
		break ;
	case flRootDirectoryFull:
		TRACE(TEXT("FLStatus: RootDirectoryFulln")) ;
		break ;
	case flNotMounted:
		TRACE(TEXT("FLStatus: NotMountedn")) ;
		break ;
	case flPathIsRootDirectory:
		TRACE(TEXT("FLStatus: PathIsRootDirectoryn")) ;
		break ;
	case flNotADirectory:
		TRACE(TEXT("FLStatus: NotADirectoryn")) ;
		break ;
	case flDirectoryNotEmpty:
		TRACE(TEXT("FLStatus: DirectoryNotEmptyn")) ;
		break ;
	case flFileIsADirectory:
		TRACE(TEXT("FLStatus: FileIsADirectoryn")) ;
		break ;
	case flAdapterNotFound:
		TRACE(TEXT("FLStatus: AdapterNotFoundn")) ;
		break ;
	case flFormattingError:
		TRACE(TEXT("FLStatus: FormattingErrorn")) ;
		break ;
	case flNotEnoughMemory:
		TRACE(TEXT("FLStatus: NotEnoughMemoryn")) ;
		break ;
	case flVolumeTooSmall:
		TRACE(TEXT("FLStatus: VolumeTooSmalln")) ;
		break ;
	case flBufferingError:
		TRACE(TEXT("FLStatus: BufferingErrorn")) ;
		break ;
	case flFileAlreadyExists:
		TRACE(TEXT("FLStatus: FileAlreadyExistsn")) ;
		break ;
	case flIncomplete:
		TRACE(TEXT("FLStatus: Incompleten")) ;
		break ;
	case flTimedOut:
		TRACE(TEXT("FLStatus: TimedOutn")) ;
		break ;
	case flTooManyComponents:
		TRACE(TEXT("FLStatus: TooManyComponentsn")) ;
		break ;
	case flTooManyDrives:
		TRACE(TEXT("FLStatus: TooManyDrivesn")) ;
		break ;
	case flTooManyBinaryPartitions:
		TRACE(TEXT("FLStatus: TooManyBinaryPartitionsn")) ;
		break ;
	case flPartitionNotFound:
		TRACE(TEXT("FLStatus: PartitionNotFoundn")) ;
		break ;
	case flFeatureNotSupported:
		TRACE(TEXT("FLStatus: FeatureNotSupportedn")) ;
		break ;
	case flWrongVersion:
		TRACE(TEXT("FLStatus: WrongVersionn")) ;
		break ;
	case flTooManyBadBlocks:
		TRACE(TEXT("FLStatus: TooManyBadBlocksn")) ;
		break ;
	case flNotProtected:
		TRACE(TEXT("FLStatus: NotProtectedn")) ;
		MessageBox(NULL, L"ExtROM is not protectednwith password.", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
	case flBadBBT:
		TRACE(TEXT("FLStatus: BadBBTn")) ;
		break ;
	case flWrongKey:
		TRACE(TEXT("FLStatus: WrongKeyn"));
		MessageBox(NULL, L"WrongKey", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
	case flHWProtection:
		TRACE(TEXT("FLStatus: HWProtectionn")) ;
		MessageBox(NULL, L"HWProtection", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
	case flBadDownload:
		TRACE(TEXT("FLStatus: BadDownloadn")) ;
		break ;
	default:
		TRACE(TEXT("FLStatus: Unknown statusn")) ;
		MessageBox(NULL, L"Unknown status", L"Error", MB_OK | MB_ICONWARNING | MB_TOPMOST | MB_SETFOREGROUND | MB_APPLMODAL);
		break ;
}

return (bStat) ;
}

///////////////////////////////////
///////////////////////////////////
///////////////////////////////////
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hInstPrev, LPWSTR pszCmdLine, int nCmdShow)
{
	hDevice = CreateFile(diskname, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hDevice == NULL || hDevice == INVALID_HANDLE_VALUE)
	{
		TRACE(TEXT("Create handle failed."));
		return 1;
	}
	TRACE(TEXT("Create handle succeededn"));

	if (unlockdisk(hDevice))
	{
		TRACE(L"Unlockedn");
	}

	//	default:
	if(hDevice)
	{
		CloseHandle(hDevice);
		hDevice = NULL;
	}

	return 0;
}
///////////////////////////////////////////////
///////////////////////////////////////////////
///////////////////////////////////////////////

okih GUYS .. heres my instruction .. i believe buzz will create a UI
for his wonderful Hima_DOC_Tool … its a lot better and a lot easier
to restore the old partition using that option best part is even you
lost your SD backup of DOC .. you can still use that application to
restore the OLD Partition..”;”

anyway for the MEANTIME heres the very long Method on how to restore your Partition using your OLD SD backup ..

for those WHO HAVE THERE ORIGINAL DiscOnChip SD ROM BACKUP ONLY ..

1. Kill or End Processes of wcescomm.exe under Windows Task Manager (Ctrl+Alt+Delete)
2. Put Your device in Bootloader mode (Power+Directional Pad+Reset)
3. Put the Device in your Cradle Then Run Multi-Port TTY (mtty.exe or romupdate.exe)
4. On the ListBox choose .WCEUSBSH001 if you are using mtty v1.11a or USB if newer(like version 1.42)
5. under the Multi-Port TTY Window enter this command ….. task 28
6. Then Remove the Device in your Cradle
7. Then Now put your SD that contain the SD backup ..
8. Put Your Device Again in Bootloader (Power+Directional Pad+Reset)
9. Wait till you see the Message Saying PRESS Power to Flash, Then
   Press power Button, If it didnt respond and the message is not Showing
   just, Press Camera Button

now for those who lost their SD backup heres the instruction ..

• Kill or End Processes of wcescomm.exe under Windows Task Manager (Ctrl+Alt+Delete)

• Put Your device in Bootloader mode (Power+Directional Pad+Reset)

• Put the Device in your Cradle Then Run Multi-Port TTY (mtty.exe or romupdate.exe)

• On the ListBox choose [b]\.\WCEUSBSH001[/b] if you are using mtty v1.11a or [b]USB [/b]if newer(like version 1.45)

• Put a Blank SD/MMC in your Device SD slot

• under the Multi-Port TTY Window enter this command .. d2s 70000000 01080000

• after this dont remove your Device in the cradle, now use
  PSDread.exe to extract the Binary0: or the first 80000h bytes + the SD
  Header

if your using bootloader 1.01 to 1.06 heres the command
psdread.exe i: 0 0×0008019C DOC_Binary0.img

if your using lowerthan bootloader 1.01 (1.01 is not included) use this
psdread.exe i: 0 0×000801DC DOC_Binary0.img

• now Download the DOC_Fat0.img and extract on the same location that you put DOC_Binary0.img

• Open the Command Prompt (Start->RUN->type CMD then Enter)

then type this
type DOC_Binary0.img>DOC.img
type DOC_Fat0.img>>DOC.img

• Now Ntrw the Doc.img to your SD, put your SD to your Card Reader

and under the DOS Command Prompt use this command
NTRW.exe Write DOC.img i:

• Back on the Multi-Port TTY Window enter this command

task 28

• Then Remove the Device in your Cradle

• Then Now put your SD that contain the SD backup ..

• Put Your Device Again in Bootloader (Power+Directional Pad+Reset)

• Wait till you see the Message Saying PRESS Power to Flash, Then
  Press power Button, If it didnt respond and the message is not Showing
  just, Press Camera Button