read out complete Flash ??? - Page 2 - GSM-Forum

phone168 · 09-30-2005, 09:30

thanks ...............

jockyw2001 · 12-27-2005, 15:09

I coded a little tool called "raw2main" to convert a 32mb k750/d750/w800 readout to a flashable bin file with the required headers. Perhaps it's useful for you guys. Sourcecode is included so you can customize at will. I flash the resulting "main" file with Davinci 13.7 or 13.8

Tool can be downloaded here:
http://rapidshare.de/files/9283818/raw2main.rar.html

I reverse enginnered the essentials of flashable SE binary file format. Here is a short explanation:

The file has a header which contains at least 0x380 bytes. Multiple blocks of data are flashed. Each block has a short header indicating the address to flash to and the number of bytes to flash in the block.

The file has a header which contains general info
offset:
0x0000-0003: 0xBABE
0x0010-0010: CID value (e.g. 29 or 36)
0x02E8-02EB: number of blocks to flash (#blocks) (little endian)
0x02EC-02EF: block length of the 1st block (little endian)
0x0300-037F: 128 bytes of dynamic hash data
0x0380-......: one additional checksum byte (hash) per block, so there are #blocks bytes
0x0380+(#blocks) start of first block

*Each* block header is 8 bytes long:
0x0000-0003: flash address (e.g. 0x44000000) (little endian)
0x0004-0007: number of bytes to flash (little endian)

It was easy to generate a file with the right format except for the proper hash data. I tested with a good flash file, as soon as you modify a single byte in payload, flashaddress or any of the checkbytes, DVT returns an error. Usually block not accepted 0x5556 or "there was a flash error in the previous block" or something like that.

By accident I solved the problem. At offset 0x10 there is the File CID. If I set it to 0x25 (CID37) DVT skips the hashchecks and I can flash what I want to where I want

Have fun,
JockyW

jockyw2001 · 01-12-2006, 01:56

Here is a new version of my 'raw2main' tool:
http://rapidshare.de/files/10880229/..._v0.1.rar.html

It's now much more flexible and can convert raw binary readouts to flashable plain binary format for any SE phone. It takes any filesize for the inputfile RAW.BIN and you can now enter the start flash address.

Unrar all files in the same directory, make sure your binary readout is called raw.bin and then run raw2main.exe
The outputfile generated is main.bin which you can flash with e.g. DVT or SeTool2. Some tools require other filename extension, in that case you should rename main.bin (e.g. to main.mbn or filesystem.fbn)

/JockyW

01-12-2006, 01:56	#18 (permalink)
jockyw2001 Major Poster Join Date: Aug 2005 Age: 50 Posts: 44 Member: 175230 Status: Offline Thanks Meter: 2	Here is a new version of my 'raw2main' tool: http://rapidshare.de/files/10880229/..._v0.1.rar.html It's now much more flexible and can convert raw binary readouts to flashable plain binary format for any SE phone. It takes any filesize for the inputfile RAW.BIN and you can now enter the start flash address. Unrar all files in the same directory, make sure your binary readout is called raw.bin and then run raw2main.exe The outputfile generated is main.bin which you can flash with e.g. DVT or SeTool2. Some tools require other filename extension, in that case you should rename main.bin (e.g. to main.mbn or filesystem.fbn) /JockyW Last edited by jockyw2001; 01-12-2006 at 13:35.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Purpose of reading certs?? and after reading certs completly, back up file (******xx	whiteclouds	Universalbox	1	06-17-2008 07:41
...:::1600 Complete Flash Solution With Out Errors:::...	spinbaaz.com	Nokia Digital Core Technology 4 ( DCT-4 )	69	04-09-2008 20:05
Doesn’t it become possible Full Read Out and Flash TOSHIBA’s firmware?	tkhs1157	VygisToolbox	1	06-25-2006 07:47
which tool can read out the flash from my X-6	testpoint	ARM9 BASED M62 / M62+	0	06-13-2006 17:23
How to read out full flash of C55?	szgsm	E-Gold Based Phones	1	04-14-2003 20:44

09-30-2005, 09:30	#16 (permalink)
phone168 Junior Member Join Date: Sep 2005 Posts: 14 Member: 185714 Status: Offline Thanks Meter: 0	thanks ...............

12-27-2005, 15:09	#17 (permalink)
jockyw2001 Major Poster Join Date: Aug 2005 Age: 50 Posts: 44 Member: 175230 Status: Offline Thanks Meter: 2	I coded a little tool called "raw2main" to convert a 32mb k750/d750/w800 readout to a flashable bin file with the required headers. Perhaps it's useful for you guys. Sourcecode is included so you can customize at will. I flash the resulting "main" file with Davinci 13.7 or 13.8 Tool can be downloaded here: http://rapidshare.de/files/9283818/raw2main.rar.html I reverse enginnered the essentials of flashable SE binary file format. Here is a short explanation: The file has a header which contains at least 0x380 bytes. Multiple blocks of data are flashed. Each block has a short header indicating the address to flash to and the number of bytes to flash in the block. The file has a header which contains general info offset: 0x0000-0003: 0xBABE 0x0010-0010: CID value (e.g. 29 or 36) 0x02E8-02EB: number of blocks to flash (#blocks) (little endian) 0x02EC-02EF: block length of the 1st block (little endian) 0x0300-037F: 128 bytes of dynamic hash data 0x0380-......: one additional checksum byte (hash) per block, so there are #blocks bytes 0x0380+(#blocks) start of first block Each block header is 8 bytes long: 0x0000-0003: flash address (e.g. 0x44000000) (little endian) 0x0004-0007: number of bytes to flash (little endian) It was easy to generate a file with the right format except for the proper hash data. I tested with a good flash file, as soon as you modify a single byte in payload, flashaddress or any of the checkbytes, DVT returns an error. Usually block not accepted 0x5556 or "there was a flash error in the previous block" or something like that. By accident I solved the problem. At offset 0x10 there is the File CID. If I set it to 0x25 (CID37) DVT skips the hashchecks and I can flash what I want to where I want Have fun, JockyW