XDA-II flashfile formats

The upgrade consists of 6 files:

HimaClearJumpCode.exe: a windows CE tool that prevents the current OS from booting. it overwrites the jump at 0x80040000 with zeros
HimaGetDeviceData.exe: gets devicedata from the device
HimaUpgradeUt.exe: windows desktop tool that controls the update.
v0500 uses password 'HTC', v0600 uses password '921211'
v0910 xors files (NK with 0x89124137, ms with 0x25863614, Radio with 0x12345678)
ms_.nbf: contains the operator rom.
NK.nbf: contains the OS rom.
Radio_.nbf: contains the gsm rom.

xda2nbftool now has an option '-t' to automatically determine the xorkeys used to encrypt the .nbf files, and decrypt them ( if '-x' is specified as well )

ms_.nbf

this file is build up as follows:

00000000	00000040	NBF header
00000040	00000028	devtype, operator, language
00008040	00025800	first bitmap
00030040	00025800	second bitmap
00070040	01000000	FAT16 filesystem
01070040		end of image

the bootsplash image is there twice, at

under linux you can view the contents with the following command: mount -r -o loop,offset=0x70040 -t vfat ms_.nbf /mnt/loop0

     7680 2003-09-01 14:17:04  AutoRun.exe
    46763 2003-09-01 14:16:08  Broadcast_WWE.sa.CAB
   906097 2003-09-01 14:16:12  CallerIDRC11_WWE_1.5.sa.CAB
  3125012 2003-09-01 14:16:28  CameraRC131_WWE_1.5.sa.CAB
  2611351 2003-09-01 14:16:42  ClearVue_WWE.sa.CAB
      789 2003-09-01 14:16:08  Config.txt
   804040 2003-09-01 14:16:44  GPRSMonitor_WWE.sa.CAB
   114901 2003-09-01 14:16:46  MIDI56.sa.CAB
  1338588 2003-09-01 14:16:52  MMS1507_WWE.sa.CAB
   193598 2003-09-01 14:16:52  OEM_AKU1_WWE_4AP.sa.CAB
   369149 2003-09-01 14:16:54  OEM_WWE_03120301.sa.CAB
    50903 2003-09-01 14:16:56  TMCOMREG.sa.CAB
  1146317 2003-09-01 14:17:02  TMDNLCustomize.sa.CAB
    53480 2003-09-01 14:16:56  TMD_AP_NL.sa.CAB
    50847 2003-09-01 14:16:56  TMD_NL.sa.CAB
    47130 2003-09-01 14:16:54  TM_phone_class10.CAB
     4608 2003-09-01 14:16:08  TPDisable.exe
     4608 2003-09-01 14:16:08  TPEnable.exe
    46753 2003-09-01 14:17:04  Version_AKU1.sa.CAB
    71531 2003-09-01 14:16:08  VideoMMS.sa.CAB
    50097 2003-09-01 14:17:04  t-mobile_shortcuts_only(UK).PPC2002_ARM.CAB

NK.nbf

this file is DES encrypted with the key 'HTC', or '921211', depending on which update tool is used. see this program for how to decrypt it, or how to convert a plain nbf to encrypted format understood by the upgrade tool.

the decrypted file is a nbf file, with a 64 byte header, 256k bootloader, 31.25M OS Image. note that this is different from the xda-I format
to convert a nbf to be used with the newer upgrade tool:

   xda2nbftool -d NK.nbf test.nba HTC
   xda2nbftool -e test.nba NK.nbf 921211

or use the '-x' option to xor-crypt files.

Radio_.nbf

This is a nbf file with a 64 byte header, containing the entire radio rom image. device specific data at 0x003e0000 is not overwritten by the upgrade tool.

the nbf header

offset	size	description	example
0000	10	devicetype	PH10
000a		"-"
000b	20	operator	TMOBILE or Qtek
001f		"-"
0020	10	language	WWE or ENG
002a		"-"
002b	9	version	1.60.00 or 1.60.21
0034		"-"
0035	8	crcsum	a5d35dde
003d		"---"

the crcsum is the sum of the crc of the first 0x34 bytes of the header, and the crc's of all 256k blocks in the data.

the crc polynomial is 0xEDB88320, the initial value 0. result not inverted.

xda2nbftool

a compiled binary can be found here
the source can be found here
to decrypt the nk.nbf file type:

   xda2nbftool -d nk.nbf nk.nba HTC

to calculate the checksum of the file, for instance, if you manually changed something with a hex editor, type:

   xda2nbftool -c ms_.nbf

If you want to update the file with the corrected checksum, add the '-u' option:

   xda2nbftool -c ms_.nbf -u

You can also change values in the nbf header like this:

	xda2nbftool -sd PH10 -so Qtek -sl WWE -v ms_.nbf

DeviceData.txt

this is the data as returned by my tmobile phone:
all strings are unicode.
note the extra SPACE after WWE. the first line is not relevant to any upgrade procedures.

offset	chars	contents	use with xda2nbftool
0000	32	"USB 32 1.60.00WWE "
0040	11	"PH10"	add to the -sd option
0056	21	"TMOBILE" or "Qtek", or "O2ASIA"	add to the -so option
0080	11	"ENG" or "WWE"	add to the -sl option
0096	16	"1.60.06"
00b6	16	"1.06.01"

the flashing process

first the devicedata is obtained from the device, with HimaGetDeviceData.exe, this gets the operatorname, and language/country code from the extended rom, sector 2 of the BDK. Then a tool 'HimaClearJumpCode' is executed, which erases the jump at the start of the kernel. causing the bootloader to start at next reboot. the upgrade tool then connects to the bootloader of the xda, via serial over usb. ( port \\.\WCEUSBSH001 )

note: here is another version of this page