This is how CE roms are laid out

this is a top level overview of what stuff you can find in a xda-1 wince 3.x rom.

this is based on a 3.15.15 o2 rom.

range size used free contents

80000000-80040000 40000 28084 17f7c the bootloader

80040000-802c2000 282000 22a7a8 57858 kernel

802c2000-80580000 2be000 2bb330 2cd0 OS

80580000-80780000 200000 1da690 25970 SHELL

80780000-80a40000 2c0000 292aac 2d554 BROWSING

80a40000-80dc0000 380000 34a33c 35cc4 COREAPPS

80dc0000-80ec0000 100000 fd6c8 2938 SYNC

80ec0000-81080000 1c0000 1788e0 47720 24MAPPS

81080000-81400000 380000 2c8248 b7db8 24MCONSUMER

81400000-81440000 40000 1484 3eb7c xipchain - public keys for updatexip.exe

81440000-81900000 4c0000 3b0f24 10f0dc MISC

81900000-81940000 40000 25800 1a800 bootup bitmap

81940000-81e40000 500000 3339b2 1cc64e autoconfig files

81e40000-81f00000 c0000 c0000 empty

81f00000-81f01000 1000 3b0 c50 saved contacts index

81f01000-81f80000 7f000 4410 7abf0 saved contacts

81f80000-81f81000 1000 290 d70 saved registry index

81f81000-81fc0000 3f000 bf70 33090 saved registry

81fc0000-81fc1000 1000 810 7f0 saved mail index

81fc1000-82000000 3f000 3c740 28c0 saved mail

notes:

range	size	used	free	contents
80000000-80040000	40000	28084	17f7c	the bootloader
80040000-802c2000	282000	22a7a8	57858	kernel
802c2000-80580000	2be000	2bb330	2cd0	OS
80580000-80780000	200000	1da690	25970	SHELL
80780000-80a40000	2c0000	292aac	2d554	BROWSING
80a40000-80dc0000	380000	34a33c	35cc4	COREAPPS
80dc0000-80ec0000	100000	fd6c8	2938	SYNC
80ec0000-81080000	1c0000	1788e0	47720	24MAPPS
81080000-81400000	380000	2c8248	b7db8	24MCONSUMER
81400000-81440000	40000	1484	3eb7c	xipchain - public keys for updatexip.exe
81440000-81900000	4c0000	3b0f24	10f0dc	MISC
81900000-81940000	40000	25800	1a800	bootup bitmap
81940000-81e40000	500000	3339b2	1cc64e	autoconfig files
81e40000-81f00000	c0000		c0000	empty
81f00000-81f01000	1000	3b0	c50	saved contacts index
81f01000-81f80000	7f000	4410	7abf0	saved contacts
81f80000-81f81000	1000	290	d70	saved registry index
81f81000-81fc0000	3f000	bf70	33090	saved registry
81fc0000-81fc1000	1000	810	7f0	saved mail index
81fc1000-82000000	3f000	3c740	28c0	saved mail

it seems as if the length for the SYNC, 24MAPPS, 24MCONSUMER xip block are incorrect
the autoconfig region is padded if 0xff bytes, the rest is padded with 0x00
the bootloader, kernel and XIP-regions start with a 'ECEC' signature
the xipchain does not have a signature
the bitmap does not have a signature
the bitmap is a bmp in 5-6-5 rgb format, bottom row first, 240 x 320 stripped of the 0x46 byte header
the autoconfig data is found by scanning 81bc0000 .. 81400000 downward for 0x34798243

the saved data indexes are formatted as follows:

0000-0005	0000 0000 0000
0006	flag ?
0008+8*i	CEOID ( ce record object id )
000c+8*i	record length
000e+8*i	flag?

the offsets to the saved contacts, xipchain, and bitmap are all constants specified in the nk.exe binary.

idc script to document contacts db layout:

// idx  = entry index
// base = pointer to index entry
// ea   = start of record
// end  = end of record
//
// returns real size of record.
static MakeContactsEntry(idx, base, ea, end) {
    auto ofs, aLen;

    MakeUnknown(ea, end);

    ExtLinA(ea, 0, "");
    ExtLinA(ea, 1, form("--- %3d %08lx %04x %04x", 
        idx, Dword(base),Word(base+4),Word(base+6)) );

    for (ofs= ea ; ofs < ea+6*4 ; ofs = ofs+4)
        MakeDword(ofs);

    SetLongPrm(INF_STRTYPE, ASCSTR_UNICODE);
    do {
        MakeStr(ofs, -1);
        aLen= ItemSize(ofs);

        if (aLen>2)
            ofs = ofs + aLen;
    } while (aLen>2);
    MakeDword(ofs);
    MakeDword(ofs+4);
    MakeDword(ofs+8);
    MakeDword(ofs+12);
    ofs= ofs+16;

    SetLongPrm(INF_STRTYPE, ASCSTR_LEN4);
    MakeStr(ofs,-1);
    aLen= ItemSize(ofs);
    if (aLen>1) {
        ofs= ofs+aLen;
    }
    else {
        MakeDword(ofs);
        ofs= ofs+4;
    }

    if (ofs&3) {
        MakeAlign(ofs,2,2);
        ofs= ofs+ItemSize(ofs);
    }

    return ofs-ea;
}

See dumprom for a tool to extract files from the rom. and romtools for a tool to create roms from a set of files.