analyzing the wm7 htc mondrian rom

my analysis of the wm7 rom posted on xda-developers

the .nbh

this nbh is not signed -> you can unpack it using

  perl dbhdecode.pl -d mondimg_WP7.nbh

this will result in 4 files:

SPL - a relatively normal looking bootloader
OS - the wm7 image in a new format ( D000FF, containing several sections )
GSM - slightly different from the old 'gsmv2' qualcomm binaries
0x804 - unknown

see wm7/nbh.txt for details on the nbh file

the gsm image

the gsm image contains 3 bootloaders, named 'dbl', 'fsbl' and 'osbl', followed by the ELF binary. it is almost the same format as the old gsmv2 binaries. you can partially decode it with parsegsmv2.pl.

the partition table reads like this:

0:MIBIB               0     a [     00000]    0       6       4 feffffff
0:SIM_SECURE          a     6 [    140000]    0       4       2 feffffff
0:FSBL               10     6 [    200000]    0     180     180 ffffffff
0:OSBL               16     8 [    2c0000]    0     200     200 ffffffff
0:OSBL2              1e     8 [    3c0000]    0     200     200 ffffffff
0:AMSS               26    c0 [    4c0000]    0    5880     780 ffffffff  << the ELF binary
0:HTC                e6    10 [   1cc0000]    0     400     400 ffffffff
0:EFS2               f6    41 [   1ec0000]    0    1f40      c8 ffffff01
0:DSP1              137    a0 [   26e0000]    0    4d80     280 ffffffff
0:FOTA              1d7    1a [   3ae0000]    0     900     400 ffffffff
---
0:APPSBL            1f1     c [   3e20000]    0     500     100 ffffffff  << the wince bootloader
0:EFS2APPS          1fd   dcb [   3fa0000]    0   6e500      80 ffff02ff
0:APPS              fc8     4 [  1f900000]    0     100     100 ffffffff  << the wm7 rom
0:HTCMISC           fcc    34 [  1f980000]    0    1780     280 ffffffff

see wm7/gsm-hex-summary.txt for more details.

the os image

there is a wrapper with magic 'D000FF', which contains 0x21800 byte blocks, each with an offset and length. detailed hexdump here: wm7/os-hexdump.txt.
you can use wm7/decodewm7.cpp to decode it to a raw binary

the resulting binary contains several sections:

3 xip sections, these can be decoded and decompressed using my old 'dumpxip' or 'dumprom' tools.
a imgfs partition, split in 2, you have to manually combine them to be able to look at the contents.
several unknown blocks

'dump' commands i used to extract the various portions: wm7/os2-hexdump.txt
note that you need my most recent dump version to do the 'extract 0x800 bytes for every 0x806' trick.
i am not yet sure what the purpose of the extra 6 bytes every 0x800 bytes is, probably some kind of sector address.

contents of the xip sections: wm7/xip.txt
one thing the wonders me: where is the boot.hv?

contents of the imgfs section: wm7/rd.txt
note that i cannot yet decompress it, it uses a new 'XPH' compression method.