XDA-II flashfile formats

The upgrade consists of 6 files:
 - a windows CE tool that prevents the current OS from booting. it overwrites the jump at 0x80040000 with zeros
 - gets devicedata from the device
 - windows desktop tool that controls the update.
     v0500 uses password 'HTC', v0600 uses password '921211'
     v0910 xors files (NK with 0x89124137, ms with 0x25863614, Radio with 0x12345678)
 - contains the operator rom.
 - contains the OS rom.
 - contains the gsm rom.
xda2nbftool now has an option '-t' to automatically determine the xorkeys used to encrypt the .nbf files, and decrypt them (if '-x' is specified as well)


this file is built up as follows:
offset    length    contents
00000000  00000040  NBF header
00000040  00000028  devtype, operator, language
00008040  00025800  first bitmap
00030040  00025800  second bitmap
00070040  01000000  FAT16 filesystem
01070040            end of image
the bootsplash image is there twice, at

under linux you can view the contents with the following command:
   mount -r -o loop,offset=0x70040 -t vfat ms_.nbf /mnt/loop0

     7680 2003-09-01 14:17:04  AutoRun.exe
    46763 2003-09-01 14:16:08  Broadcast_WWE.sa.CAB
   906097 2003-09-01 14:16:12  CallerIDRC11_WWE_1.5.sa.CAB
  3125012 2003-09-01 14:16:28  CameraRC131_WWE_1.5.sa.CAB
  2611351 2003-09-01 14:16:42  ClearVue_WWE.sa.CAB
      789 2003-09-01 14:16:08  Config.txt
   804040 2003-09-01 14:16:44  GPRSMonitor_WWE.sa.CAB
   114901 2003-09-01 14:16:46  MIDI56.sa.CAB
  1338588 2003-09-01 14:16:52  MMS1507_WWE.sa.CAB
   193598 2003-09-01 14:16:52  OEM_AKU1_WWE_4AP.sa.CAB
   369149 2003-09-01 14:16:54  OEM_WWE_03120301.sa.CAB
    50903 2003-09-01 14:16:56  TMCOMREG.sa.CAB
  1146317 2003-09-01 14:17:02  TMDNLCustomize.sa.CAB
    53480 2003-09-01 14:16:56  TMD_AP_NL.sa.CAB
    50847 2003-09-01 14:16:56  TMD_NL.sa.CAB
    47130 2003-09-01 14:16:54  TM_phone_class10.CAB
     4608 2003-09-01 14:16:08  TPDisable.exe
     4608 2003-09-01 14:16:08  TPEnable.exe
    46753 2003-09-01 14:17:04  Version_AKU1.sa.CAB
    71531 2003-09-01 14:16:08  VideoMMS.sa.CAB
    50097 2003-09-01 14:17:04  t-mobile_shortcuts_only(UK).PPC2002_ARM.CAB


this file is DES encrypted with the key 'HTC', or '921211', depending on which update tool is used. see this program for how to decrypt it, or how to convert a plain nbf to encrypted format understood by the upgrade tool.

the decrypted file is a nbf file, with a 64 byte header, 256k bootloader, 31.25M OS Image. note that this is different from the xda-I format
to convert a nbf to be used with the newer upgrade tool:

   xda2nbftool -d NK.nbf test.nba HTC
   xda2nbftool -e test.nba NK.nbf 921211
or use the '-x' option to xor-crypt files.


This is a nbf file with a 64 byte header, containing the entire radio rom image. device specific data at 0x003e0000 is not overwritten by the upgrade tool.

the nbf header

offset  length  field     value
000b    20      operator  TMOBILE or Qtek
0020    10      language  WWE or ENG
002b    9       version   1.60.00 or 1.60.21
the crcsum is the sum of the crc of the first 0x34 bytes of the header and the crcs of all 256k blocks in the data.

the crc polynomial is 0xEDB88320, the initial value is 0, and the result is not inverted.
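
The checksum rule above, written out in Python as an added example (it is not xda2nbftool's own code). It assumes the data starts right after the 64-byte header, that the sum wraps at 32 bits, and that a short final block is checksummed over the bytes present; `make_sample` builds a constructed test image.

```python
HEADER_SIZE = 0x40       # 64-byte NBF header (from the page)
HEADER_CRC_LEN = 0x34    # header bytes covered by the checksum (from the page)
BLOCK_SIZE = 256 * 1024  # data is checksummed in 256k blocks (from the page)
POLY = 0xEDB88320        # CRC polynomial (from the page), bit-reflected form


def _make_table():
    """Build the 256-entry lookup table for the reflected polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def nbf_crc(data, crc=0):
    """CRC with initial value 0 and no final inversion."""
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return crc


def nbf_crcsum(image):
    """CRC of header[:0x34] plus the CRC of every 256k data block."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image is shorter than the 64-byte NBF header")
    view = memoryview(image)
    total = nbf_crc(view[:HEADER_CRC_LEN])
    data = view[HEADER_SIZE:]
    for off in range(0, len(data), BLOCK_SIZE):
        # Assumption: a short final block is checksummed as-is.
        total += nbf_crc(data[off:off + BLOCK_SIZE])
    return total & 0xFFFFFFFF  # assumption: the sum wraps at 32 bits


def make_sample():
    """Constructed image: dummy header followed by 1.5 blocks of data."""
    header = bytes(range(HEADER_SIZE))
    data = bytes((i * 7) & 0xFF for i in range(BLOCK_SIZE + BLOCK_SIZE // 2))
    return header + data


if __name__ == "__main__":
    print("crcsum: %08x" % nbf_crcsum(make_sample()))
```

Because the initial value is 0 and the result is not inverted, an all-zero block has crc 0 and adds nothing to the sum.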


a compiled binary can be found here
the source can be found here
to decrypt the nk.nbf file type:
   xda2nbftool -d nk.nbf nk.nba HTC
to calculate the checksum of the file, for instance, if you manually changed something with a hex editor, type:
   xda2nbftool -c ms_.nbf
If you want to update the file with the corrected checksum, add the '-u' option:
   xda2nbftool -c ms_.nbf -u
You can also change values in the nbf header like this:
   xda2nbftool -sd PH10 -so Qtek -sl WWE -v ms_.nbf


this is the data as returned by my tmobile phone:
all strings are unicode.
note the extra SPACE after WWE. the first line is not relevant to any upgrade procedures.
offset  chars  contents                          use with xda2nbftool
0000    32     "USB 32 1.60.00WWE "
0040    11     "PH10"                            add to the -sd option
0056    21     "TMOBILE" or "Qtek", or "O2ASIA"  add to the -so option
0080    11     "ENG" or "WWE"                    add to the -sl option

the flashing process

first the devicedata is obtained from the device with HimaGetDeviceData.exe; this gets the operator name and language/country code from the extended rom, sector 2 of the BDK. Then a tool 'HimaClearJumpCode' is executed, which erases the jump at the start of the kernel, causing the bootloader to start at the next reboot. the upgrade tool then connects to the bootloader of the xda via serial over usb (port \\.\WCEUSBSH001).

note: here is another version of this page