we gingerbread guys need to get serious on this fricken flash counter, else we can't truly clone our SGYs.
reedit: by this time Doky has found it in bml15 and resets it in his galaxy tool app. ty !!
Kies knows about it and it has implications for asec stuff too.
manufacturing tried to keep the info on the flash counter's whereabouts a tightly guarded secret like some Bill Clinton sex affair, but now it is busted all out in the open ! <-- link
we gotta be able to reset that data to a fricken pristine state!
then we got a 100% CLONE !!
quote :
The flash counter and triangle state had to be stored somewhere. Everybody knew that ... You can dump and compare the entire /dev/block/mmcblk0 and you won't find a difference (you'll find a few unallocated and unused gaps, though).
on SGY mmcblk0 is the sd card, /dev/block/bml0!c = total internal NAND storage - which is what we are looking for. see: http://forum.xda-developers.com/showthread.php?t=1998471
however, the flash disk actually has two hidden boot partitions,
/dev/block/mmcblk0boot0 and
/dev/block/mmcblk0boot1
The MMC driver in the kernels used for Gingerbread did not present these partitions in the past, the MMC driver in the ICS kernel does.
Dump and compare the partitions and you'll have found them in no time.
Structure /dev/block/mmcblk0boot0 @ 0x00020000:
0x00020000 header magic: 32bit - 0x12340011
0x00020004 flash count: 16bit
0x00020006 future: 16bit - 0x0000
0x00020008 type: 16bit - 0x0000 unknown, 0x0001 custom (triangle), 0x0002 Samsung Official
0x0002000A name: max 16 chars
0x0002001A end: 16bit - 0x0000
The boot partitions are presented as readonly by default, but allowing modification is a simple matter of executing the following before writing the data:
### does not fully apply to SGY ! other phones only !! ###
echo 0 > /sys/block/mmcblk0boot0/force_ro
A number of bytes trailing this structure also change between flashes and appear to be checksum related.
click Tags below for more related info !
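A read-only decoder for the record layout quoted in the post above, as an added example that is not part of the original thread. It only inspects a saved dump of the boot partition; little-endian byte order and the helper names are assumptions, the sample image is constructed, and the post itself notes that this layout does not fully apply to the SGY.

```python
import struct
from dataclasses import dataclass

RECORD_OFFSET = 0x00020000   # where the post places the structure in mmcblk0boot0
RECORD_MAGIC = 0x12340011    # header magic from the post
# magic u32, flash count u16, future u16, type u16, name[16], end u16 (28 bytes).
# Little-endian byte order is an assumption; the post does not state it.
RECORD = struct.Struct("<IHHH16sH")
TYPE_NAMES = {0x0000: "unknown", 0x0001: "custom (triangle)", 0x0002: "Samsung Official"}


@dataclass
class FlashRecord:
    flash_count: int
    future: int
    rom_type: int
    name: str
    end: int

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.rom_type, f"undocumented (0x{self.rom_type:04x})")

    def anomalies(self) -> list:
        """Fields that deviate from the values the post documents."""
        found = []
        if self.future != 0:
            found.append(f"'future' field is 0x{self.future:04x}, expected 0x0000")
        if self.end != 0:
            found.append(f"'end' field is 0x{self.end:04x}, expected 0x0000")
        if self.rom_type not in TYPE_NAMES:
            found.append(f"type 0x{self.rom_type:04x} is not a documented value")
        return found


def parse_flash_record(image: bytes, offset: int = RECORD_OFFSET) -> FlashRecord:
    """Decode the record from an in-memory dump; raise ValueError if it is absent."""
    chunk = image[offset:offset + RECORD.size]
    if len(chunk) < RECORD.size:
        raise ValueError(f"image too short: need {offset + RECORD.size} bytes, got {len(image)}")
    magic, count, future, rom_type, raw_name, end = RECORD.unpack(chunk)
    if magic != RECORD_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x} at 0x{offset:08x}")
    # The name is "max 16 chars": cut at the first NUL if it is shorter.
    name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return FlashRecord(count, future, rom_type, name, end)


def read_flash_record(path: str) -> FlashRecord:
    """Read just the 28-byte record from a dump file opened read-only."""
    with open(path, "rb") as fh:
        fh.seek(RECORD_OFFSET)
        return parse_flash_record(fh.read(RECORD.size), offset=0)


def build_sample_image(count, rom_type, name, future=0, end=0) -> bytes:
    """Constructed sample: zero padding, one record, a few trailing bytes."""
    record = RECORD.pack(RECORD_MAGIC, count, future, rom_type, name, end)
    return bytes(RECORD_OFFSET) + record + bytes(64)


if __name__ == "__main__":
    samples = {
        "constructed custom image": build_sample_image(3, 0x0001, b"CustomROM"),
        "constructed odd image": build_sample_image(0, 0x0007, b"X", future=1),
    }
    for label, image in samples.items():
        rec = parse_flash_record(image)
        print(f"{label}: count={rec.flash_count} type={rec.type_name} name={rec.name!r}")
        for issue in rec.anomalies():
            print(f"  note: {issue}")
```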
I'm able to neither confirm nor negate this, but I'm afraid the SGY has other storage areas.
and keep in mind, on SGSII this hidden device appears only on the leaked beta ICS kernel. Moreover I don't see any good reason why it is accessible under Android. Kies does not care about the bin counter. I was able to restore factory state with bin counter>0 and Kies recognized my device as valid upgradeable. On the other hand, the bin counter is handled on the sbl runlevel, where kernel and android are not yet loaded.
For further reference please see my research on the SGY partition system, decoded from the pit file:
Code:
minor bml stl image
1 /bml1 /stl1 BcmBoot.img
2 /bml2 /stl2 sbl.bin
3 /bml3 /stl3 bl.bin
4 /bml4 /stl4 totoro.pit
5 /bml5 /stl5 BcmCP.img
6 /bml22 /stl6 param.lfs
7 /bml6 /stl7 boot.img
8 /bml7 /stl8 (boot backup)
9 /bml21 /stl9 system.img
10 /bml23 /stl10 csc.rfs
11 /bml24 /stl11 userdata.img
12 /bml8 /stl12 (efs)
13 /bml9 /stl13 sysparm_dep.img
14 /bml10 /stl14 HEDGE_NVRAM8_RF_LE.bin
15 /bml11 /stl15 (cal)
For much deeper details please see my spreadsheet:
https://docs.google.com/spreadsheet/ccc?key=0Arilp8uJromLdHdrdGpiZ2FSN3daRzRQMkIxR0pCZXc
Minor #12 and #15 are suspicious, might have some data which is not used by the OS and not affected by ROM update packs.
This is good research, doky. I bookmarked your spreadsheet for future reference.
efs
Doky73 said:
12 /bml8 /stl12 (efs)
15 /bml11 /stl15 (cal)
Minor #12 and #15 are suspicious, might have some data which is not used by the OS and not affected by ROM update packs.
efs is directly related to the SIM card file system, I take it.
"the /efs folder is a very sensitive system folder that contains Phone-specific information such as the IMEI (encrypted in the nv_data.bin), wireless devices MAC addresses, product code (also in the nv_data.bin), and much more. Often users trying to change product codes or trying to unlock the mobile will end up corrupting data in this location."
<post deleted>
cal : calibration data
Doky73's SGY layout table: now, spot the flash counter
minor  Start-offset  End-offset  Size (hex)  units  SIZE (bytes)  BML     STL     Internal name  Image name              Description
01     0x00000000    0x00040000  0x00040000  001    000262144     /bml1   /stl1   bcm_boot       BcmBoot.img             Primitive boot loader
02     0x00040000    0x00240000  0x00200000  008    002097152     /bml2   /stl2   Loke           sbl.bin                 Secondary boot loader
03     0x00240000    0x00440000  0x00200000  008    002097152     /bml3   /stl3   loke_bk        bl.bin                  backup sbl
04     0x00440000    0x00480000  0x00040000  001    000262144     /bml4   /stl4   systemdata     totoro.pit              partition table
05     0x00480000    0x01100000  0x00c80000  050    013107200     /bml5   /stl5   Modem          BcmCP.img               modem/phone
06     0x01100000    0x01600000  0x00500000  020    005242880     /bml22  /stl6   param_lfs      param.lfs
07     0x01600000    0x01b00000  0x00500000  020    005242880     /bml6   /stl7   boot           boot.img                kernel & initramfs
08     0x01b00000    0x02000000  0x00500000  020    005242880     /bml7   /stl8   boot_backup    -                       backup kernel & initramfs
09     0x02000000    0x10600000  0x0e600000  920    241172480     /bml21  /stl9   System         system.img              ROM
10     0x10600000    0x12e00000  0x02800000  160    041943040     /bml23  /stl10  Cache          csc.rfs                 CSC
11     0x12e00000    0x1f340000  0x0c540000  789    206831616     /bml24  /stl11  Userdata       userdata.img            data
12     0x1f340000    0x1f380000  0x00040000  001    000262144     /bml8   /stl12  Efs            -                       efs unique phone data
13     0x1f380000    0x1f3c0000  0x00040000  001    000262144     /bml9   /stl13  sysparm_dep    sysparm_dep.img
14     0x1f3c0000    0x1f400000  0x00040000  001    000262144     /bml10  /stl14  umts_cal       HEDGE_NVRAM8_RF_LE.bin
15     0x1f400000    0x1f500000  0x00100000  004    001048576     /bml11  /stl15  cal            -                       calibration data
note: not all /bml & /stl devices are visible, some of them not linked under the OS
------------------------------------------------------------
I guess, cloning all of minor 12 would be a mistake.
14 & 15 are sets of calibration data, probably for RF part (gsm radio)
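The layout table above turned into a consistency check and an offset-to-partition lookup for comparing two saved full-NAND dumps, as an added example that is not part of the original thread. The function names are assumptions, the byte streams in the demo are constructed, and leading underscores in the posted table are treated as column padding.

```python
import io
from collections import Counter, namedtuple

UNIT = 0x40000  # 256 KiB; the table's "units" column counts blocks of this size

Part = namedtuple("Part", "minor start end units bml name")

# Copied from the table in the post. Leading underscores in its STL and name
# columns are treated as alignment padding and dropped (an assumption).
LAYOUT = [
    Part(1,  0x00000000, 0x00040000,   1, "/bml1",  "bcm_boot"),
    Part(2,  0x00040000, 0x00240000,   8, "/bml2",  "Loke"),
    Part(3,  0x00240000, 0x00440000,   8, "/bml3",  "loke_bk"),
    Part(4,  0x00440000, 0x00480000,   1, "/bml4",  "systemdata"),
    Part(5,  0x00480000, 0x01100000,  50, "/bml5",  "Modem"),
    Part(6,  0x01100000, 0x01600000,  20, "/bml22", "param_lfs"),
    Part(7,  0x01600000, 0x01b00000,  20, "/bml6",  "boot"),
    Part(8,  0x01b00000, 0x02000000,  20, "/bml7",  "boot_backup"),
    Part(9,  0x02000000, 0x10600000, 920, "/bml21", "System"),
    Part(10, 0x10600000, 0x12e00000, 160, "/bml23", "Cache"),
    Part(11, 0x12e00000, 0x1f340000, 789, "/bml24", "Userdata"),
    Part(12, 0x1f340000, 0x1f380000,   1, "/bml8",  "Efs"),
    Part(13, 0x1f380000, 0x1f3c0000,   1, "/bml9",  "sysparm_dep"),
    Part(14, 0x1f3c0000, 0x1f400000,   1, "/bml10", "umts_cal"),
    Part(15, 0x1f400000, 0x1f500000,   4, "/bml11", "cal"),
]


def check_layout(layout):
    """Return a list of inconsistencies: gaps, overlaps, size/unit mismatches."""
    problems, expected_start = [], 0
    for p in layout:
        if p.start != expected_start:
            problems.append(f"minor {p.minor}: starts at 0x{p.start:08x}, "
                            f"expected 0x{expected_start:08x}")
        if p.end - p.start != p.units * UNIT:
            problems.append(f"minor {p.minor}: size does not equal {p.units} units")
        expected_start = p.end
    return problems


def total_size(layout):
    """Bytes covered by the table, from the first start to the last end."""
    return layout[-1].end - layout[0].start


def locate(offset, layout=LAYOUT):
    """Return the partition containing a dump offset, or None if outside the table."""
    for p in layout:
        if p.start <= offset < p.end:
            return p
    return None


def changed_units(old, new, unit=UNIT):
    """Compare two dump streams block by block; return offsets of differing blocks.
    A block present in only one stream (length mismatch) counts as changed."""
    changed, offset = [], 0
    while True:
        a, b = old.read(unit), new.read(unit)
        if not a and not b:
            return changed
        if a != b:
            changed.append(offset)
        offset += unit


def summarize(offsets, layout=LAYOUT):
    """Count changed blocks per BML device."""
    counts = Counter()
    for off in offsets:
        part = locate(off, layout)
        counts[part.bml if part else "outside table"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("layout problems:", check_layout(LAYOUT) or "none")
    print("total size: %d MiB" % (total_size(LAYOUT) // (1024 * 1024)))
    # Constructed miniature streams (16-byte blocks) standing in for two dumps.
    before = io.BytesIO(b"A" * 64)
    after = io.BytesIO(b"A" * 16 + b"B" * 16 + b"A" * 32)
    print("changed blocks:", changed_units(before, after, unit=16))
    print(summarize([0x00040000, 0x1f400000, 0x1f440000]))
```

For real dumps, open both files with `open(path, "rb")` and pass them to `changed_units`, then feed the result to `summarize`.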
mai77 said:
Darky's SGY layout table: now, spot the flash counter
Well, Darky is working on a custom rom for SGY???
Yep, we're saved!
Factory mode
also there is a difference between ODIN mode (via DOWN+HOME+POWER) and FACTORY MODE via USB jig 301KOhm.
makes a diff for displayed "official" vs. "custom" ROM
Any new ideas on this guys? I was wondering if this cant be hacked via the .pit file?
I wish I could find this damn partition and forcefully reset this
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Princeomi said:
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Are you sure? Where did you get that info??
Sent from my GT-S5360 using xda premium
Princeomi said:
Apparently the max count is 255 so if you flash it the 256th time you should be on zero. Take this info with a pinch of salt.
Sent from my GT-I9100
Very interesting bro
Hmmmm.... That actually does make sense to me, because due to screen size limitations, I can't see the numbers carrying on into infinity. As it is when it gets to the teens, it starts screwing up the text on screen, so an ultimate limit would make sense.
I guess besides the fact that it voids your warranty if anybody had to see it from Samsung, I guess it does nothing but just annoy you cause you cant reset it
Not sure if I will try your method Princeomi but I will keep that in mind
---------- Post added at 08:23 PM ---------- Previous post was at 08:09 PM ----------
What I don't understand though is why does the USB jig not reset it on our phones but it does on the SGS2? I just watched a vid on you tube and Odin mode looks exactly the same as it does on our phones.
I read it in the news section of XDA, never tried it though as I am on zero
Sent from my GT-S5360
NanoSurfer said:
What I don't understand though is why does the USB jig not reset it on our phones but it does on the SGS2? I just watched a vid on you tube and Odin mode looks exactly the same as it does on our phones.
Actually it does not reset on SGSII either. Only on some old/initial ROMs. The SBL has been modified by Samsung to prevent users resetting the counter simply by USB JIG. To reset my SGSII's counter, I have to downgrade the SBL (or upgrade to ICS; there's another method, based on a new feature of the 3.x kernel).
Sent from my SGSII using Tapatalk 2 & Swype
Doky73 said:
Actually it does not reset on SGSII either. Only on some old/initial ROMs. The SBL has been modified by Samsung to prevent users resetting the counter simply by USB JIG. To reset my SGSII's counter, I have to downgrade the SBL (or upgrade to ICS; there's another method, based on a new feature of the 3.x kernel).
Sent from my SGSII using Tapatalk 2 & Swype
Interesting Sir Doky
I kinda figured that Samsung would wise up to that trick sooner or later. BTW what do you think of the max count trick?
doky's SGY partn table from above attached
remember,
dd if=/dev/block/bml0!c
gives you the complete NAND storage 501 MB file on SGY:
so these shell cmds gave me a 501 MB file which is probably the NAND dump :
adb shell
su
stop
dd if=/dev/block/bml0!c of=/sdcard/bml0c.outfile
## wait 2 minutes to finish
start
## wait 30 sec
I believe, the last 1 MB of the file is junk data or duplicate
bml0!c dump
the dump says:
OneNAND boot rev. 0.2
+cboot_uart_speed_handshake(0x%x)
Set Baudrate to 115k.
Set Baudrate to 230k.
¼:”Set Baudrate to 460k.
Set Baudrate to 921k.
Set Baudrate to 3m.
Invalid Baudrate, try again.
cboot_uart.c
assert at line %d in %s -cboot_uart_speed_handshake
###################################
Secondary Bootloader v3.1 version. Copyright (C) 2011 System S/W Group. Samsung Electronics Co., Ltd.
Board: %s %s / %s %s TOTORO REV 03 Jan 14 2012 07:01:28
%s: debug level 0x%x %s: debug level low! PUMR: %d FOTA_BOOT FOTA_UAUP PUMR: 0x40 (AP only boot mode) loadmodem loadCPDATA loadkernel
boot SBL> %s: parse command error! (%s)
Autoboot (%d seconds) in progress, press any key to stop
Autoboot aborted..
booting code=0x%x stl init failed.. %s: j4fs_open.. success failed %s: bye~ bye! %s: booting stop.
%s: booting stop and power off..
S5360 console=ttyS0,115200n8 mem=362M kmemleak=off root=/dev/ram0 rw
androidboot.console=ttyS0 /mnt/rsv SNBL main
#############
prob. kernel command line for UART FOTA boot or whatever
#############
loke_exit
loke_init
command_loop
boot_kernel
SERIAL_SPEED LOAD_RAMDISK BOOT_DELAY LCD_LEVEL SWITCH_SEL PHONE_DEBUG_ON LCD_DIM_LEVEL LCD_DIM_TIME MELODY_MODE REBOOT_MODE NATION_SEL LANGUAGE_SEL SET_DEFAULT_PARAM PARAM_INT_13 PARAM_INT_14 VERSION CMDLINE DELTA_LOCATION PARAM_STR_3 PARAM_STR_4
mtdparts=bcm_umi-nand: %[email protected]%dK(%s)ro, %[email protected]%dK(%s)rw, fota_reboot FOTA
Boot cause : %s FOTA_BOOT FOTA_UAUP LOKE3 : FOTA_UPDATE_FOTA_BOOT
BOOT_FOTA=1 BOOT_FOTA=0
ATAG_CORE: %x
ATAG_INITRD2: %x
Linux-based NAND Flash software solution, offering higher performance and cost effectiveness for next-generation mobile phones. Samsung's Linux NAND Flash memory software allows the NAND Flash memory to store code as well as data. By eliminating the need for NOR Flash memory and supporting the Linux operating system with a demand-paging function, Samsung can lower overall costs and reduce space requirements in mobile handhelds.
Samsung's Linux file system, Robust File System (RFS), also offers greater data preservation capabilities in case of power disruption as well as wear-leveling for higher reliability. To address the problem of data loss from corrupted file allocation tables (FAT), Samsung's Linux-based NAND Flash memory solution also supports Transactional FAT for external memory cards. Compared to the conventional JFFS2 and YAFFS open file systems, Samsung's Linux file system enhances the NAND Flash write-speed up ten and four times , respectively.
This Flash memory solution is also available with Samsung's OneNAND (tm) Flash memory, which boasts a faster read speed compared to the conventional NAND Flash. With its advanced multi-tasking function, Linux will further accelerate the adoption of NAND Flash in next-generation mobile phones.
Importantly, as Samsung's new Linux NAND Flash memory software, RFS has completed verification in the Linux kernel 2.4.20-based Montavista Linux environment, Samsung's NAND Flash solution addresses the diverse needs of system developers for advanced performance, high reliability, shortened development time, and reduced costs.
SGY heimdall
with UBI running on oneNAND and UBIfs we SGY users can have our own "mobile ODIN" and Heimdall.
UBI is open source and part of the Linux kernel.
This is my usb log. Plz help me!
PPP Widget version 1.3.3
USB_ModeSwitch log from Tue Oct 01 17:36:52 ICT 2013
Raw args from udev: 1-1/1-1:1.0
Using top device dir /sys/bus/usb/devices/1-1
----------------
USB values from sysfs:
manufacturer HSPA,Incorporated
product HSPA WCDMA Technologies MSM
serial MF190SVIED010000
----------------
bNumConfigurations is 1 - don't check for active configuration
SCSI attributes not needed, moving on
checking config: /data/data/de.draisberghof.pppwidget/app_tmp/19d2.2000
! matched. Reading config data
devList 1:
config: TargetVendor set to 19d2
config: TargetProductList set to 0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
Command to be run:
usb_modeswitch -I -W -D -s 20 -u -1 -b 1 -g 2 -v 19d2 -p 2000 -f $cB
Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are to be expected in the process)
--------------------------------
Reading long config from command line
* usb_modeswitch: handle USB devices with multiple modes
* Version 1.2.7 (C) Josua Dietze 2012
* Based on libusb0 (0.1.12 and above)
! PLEASE REPORT NEW CONFIGURATIONS !
DefaultVendor= 0x19d2
DefaultProduct= 0x2000
TargetVendor= 0x19d2
TargetProduct= not set
TargetClass= not set
TargetProductList="0001,0002,0015,0016,0017,0031,0037,0052,0055,0061,0063,0064,0066,0091,0108,0117,0128,0157,0177,1402,2002,2003"
DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
QuantaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
BlackberryMode=0
PantechMode=0
MessageEndpoint= not set
MessageContent="5553424312345678000000000000061e000000000000000000000000000000"
MessageContent2="5553424312345679000000000000061b000000020000000000000000000000"
MessageContent3="55534243123456702000000080000c85010101180101010101000000000000"
NeedResponse=1
ResponseEndpoint= not set
InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode enabled
Use given bus/device number: 001/002 ...
Looking for default devices ...
bus/device number matched
searching devices, found USB ID 19d2:2000
found matching vendor ID
found matching product ID
adding device
Found device in default mode, class or configuration (1)
Skipping the check for the current configuration
Using interface number 0
Using endpoints 0x01 (out) and 0x81 (in)
USB description data (for identification)
-------------------------
Manufacturer: HSPA,Incorporated
Product: HSPA WCDMA Technologies MSM
Serial No.: MF190SVIED010000
-------------------------
Looking for active driver ...
OK, driver found; name unknown, limitation of libusb1
OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 1 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 2 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 2 (CSW) ...
OK, response successfully read (13 bytes).
Trying to send message 3 to endpoint 0x01 ...
OK, message successfully sent
Reading the response to message 3 (CSW) ...
Response reading got error -32
Device is gone, skipping any further commands
Bus/dev search active, referring success check to wrapper. Bye.
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Checking success of mode switch for max. 20 seconds ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Reading attributes ...
Waiting for device file system (5 sec.) ...
Reading attributes ...
Mode switch has completed
Mode switching was successful, found 19d2:0108 (HSPA,Incorporated: HSPA WCDMA Technologies MSM)
Device class of first interface is ff
Now checking for bound driver ...
No driver has bound to interface 0 yet
Module loader is /system/bin/insmod
Trying to find and install main driver module "option"
Checking for active driver path: /sys/bus/usb-serial/drivers/option1
Driver not active, try to find module "option"
Can't find module "option"
Existing path found:
No way to use driver "option"
- try falling back to "usbserial"
Module "usb_serial" not found, can't do more here
Driver binding did not work for this device
All done, exiting
I was searching for the "ffutoraw.exe" file referenced in the "rawprogram0.xml" file from the Xiaomi Mi4 Windows Mobile 10 ROM when I discovered a small tool which can also do the work.
Here is the eMMC DL tool v2.15 from Qualcomm. This tool is publicly available. It's part of the "DragonBoard Update Tool" (dragonboardupdatetool_x64.zip or dragonboardupdatetool_x86.zip) available on this webpage: https://developer.qualcomm.com/hardware/dragonboard-410c/tools Once installed, you will find the file in "C:\Program Files (x86)\Qualcomm\DragonBoardUpdateTool".
This small EXE actually has 3 useful functions regarding FFU file:
- "-splitffu szFFUFile -o szOutputFile"
  - "Create rawprogram0.xml for a FFU file; need -o"
  - szOutputFile = rawprogram0.xml
- "-dumpffu szFFUFile szPartName -o szOutputFile"
  - "Split FFU file into partition binary chunks; need -o"
  - szPartName = partition name or "all" to extract all partitions
  - szOutputFile = destination folder for bin files
- "-ffu szFFUFile"
  - "Download FFU file to device in emergency download; need -o and -p"
(I tried the rawprogram0.xml creation with the Xiaomi Mi4 Windows Mobile 10 ROM and the produced file was exactly the same as the one included in the ZIP file.)
Launching the EXE from the command line will echo a help screen:
Version 2.15
Usage: emmcdl <option> <value>
Options:
-l List available mass storage devices
-info List HW information about device attached to COM (eg -p COM8 -info)
-MaxPayloadSizeToTargetInBytes The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
-SkipWrite Do not write actual data to disk (use this for UFS provisioning)
-SkipStorageInit Do not initialize storage device (use this for UFS provisioning)
-MemoryName <ufs/emmc> Memory type default to emmc if none is specified
-SetActivePartition <num> Set the specified partition active for booting
-disk_sector_size <int> Dump from start sector to end sector to file
-d <start> <end> Dump from start sector to end sector to file
-d <PartName> Dump entire partition based on partition name
-e <start> <num> Erase disk from start sector for number of sectors
-e <PartName> Erase the entire partition specified
-s <sectors> Number of sectors in disk image
-p <port or disk> Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
-o <filename> Output filename
-x <*.xml> Program XML file to output type -o (output) -p (port or disk)
-f <flash programmer> Flash programmer to load to IMEM eg MPRG8960.hex
-i <singleimage> Single image to load at offset 0 eg 8960_msimage.mbn
-t Run performance tests
-b <prtname> <binfile> Write <binfile> to GPT <prtname>
-g GPP1 GPP2 GPP3 GPP4 Create GPP partitions with sizes in MB
-gq Do not prompt when creating GPP (quiet)
-r Reset device
-ffu <*.ffu> Download FFU image to device in emergency download need -o and -p
-splitffu <*.ffu> -o <xmlfile> Split FFU into binary chunks and create rawprogram0.xml to output location
-protocol <protocol> Can be FIREHOSE, STREAMING default is FIREHOSE
-chipset <chipset> Can be 8960 or 8974 familes
-gpt Dump the GPT from the connected device
-raw Send and receive RAW data to serial port 0x75 0x25 0x10
-verbose Enable verbose output
Examples: emmcdl -p COM8 -info
emmcdl -p COM8 -gpt
emmcdl -p COM8 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -SetActivePartition 0
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10
Does the tool only work on a device if it is in EDL mode? Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone. This helps...
nate0 said:
Does the tool only work on a device if it is in EDL mode? Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone. This helps...
This indeed helps a lot. If I refer to the name of the tool, it probably only works on phone in EDL mode. What do you want to do exactly?
I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing. Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access. If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones. I am still reading and researching much, but with the resources now it should not be hard to accomplish this.
nate0 said:
I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing. Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access. If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones. I am still reading and researching much, but with the resources now it should not be hard to accomplish this.
Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
emmcdl -splitffu wp8.ffu -o rawprogram0.xml
But you can also directly flash the FFU file to your phone: you just need the FFU file and the Firehose flasher for your phone (it's a MBN file which has a name looking like "prog_emmc_firehose_8909_lite.mbn"). To proceed, you need to use the "-ffu" option:
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
You won't be able to generate a Windows Mobile image from scratch because neither the BSP package nor the WMAK kit have been leaked*. The Windows ADK contains all the tools needed to create and flash a ROM but without the CAB files from the Qualcomm BSP package and the Microsoft WMAK kit, you won't be able to do anything.
* Windows Phone 8.1 AK has been leaked (the install program is in the "\WPBLUE\Blue_9651.12393_ProdSigned_OEM\WPAK" folder of the 7Z file available on this page: http://forum.xda-developers.com/win...ools-wdk-wpak-wpdk-cabs-building-wp8-t3183972)
Windows 10 IoT AK has also been leaked (you need to find either "en_windows_10_iot_core_version_1511_updated_feb_2016_x86_arm_dvd_8369778.iso" or "en_windows_10_iot_core_version_1511_x86_arm_dvd_7226982.iso")
I managed to create a small script which recreates the CAB files from a FFU file. Even if they were exactly the same as the originals, they lacked the Microsoft signature so I am unsure the ADK tools can use them.
Oh, I forgot to add that - to my knowledge - this tool doesn't implement the image integrity validation (signature check [embedded catalog] and hash check [embedded hash table]).
Would be interesting to find out what happens if the stock 950 FFU file is flashed as-is to a Nexus phone...
There are 3 problems I can think about:
- UEFI: the phone may need to have a Microsoft key in its "db" store to authenticate the Windows Mobile bootloader.
- Partitions: does the layout need to be exactly the same as the Android version?
- Drivers: even if the SoC is the same, there may be some tweaks...
TristanLeBoss said:
Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
emmcdl -splitffu wp8.ffu -o rawprogram0.xml
But you can also directly flash the FFU file to your phone: you just need the FFU file and the Firehose flasher for your phone (it's a MBN file which has a name looking like "prog_emmc_firehose_8909_lite.mbn"). To proceed, you need to use the "-ffu" option:
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
You won't be able to generate a Windows Mobile image from scratch because neither the BSP package nor the WMAK kit have been leaked*. The Windows ADK contains all the tools needed to create and flash a ROM but without the CAB files from the Qualcomm BSP package and the Microsoft WMAK kit, you won't be able to do anything.
* Windows Phone 8.1 AK has been leaked (the install program is in the "\WPBLUE\Blue_9651.12393_ProdSigned_OEM\WPAK" folder of the 7Z file available on this page: http://forum.xda-developers.com/win...ools-wdk-wpak-wpdk-cabs-building-wp8-t3183972)
Windows 10 IoT AK has also been leaked (you need to find either "en_windows_10_iot_core_version_1511_updated_feb_2016_x86_arm_dvd_8369778.iso" or "en_windows_10_iot_core_version_1511_x86_arm_dvd_7226982.iso")
I managed to create a small script which recreates the CAB files from a FFU file. Even if they were exactly the same as the originals, they lacked the Microsoft signature so I am unsure the ADK tools can use them.
I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?
---------- Post added at 07:52 PM ---------- Previous post was at 07:44 PM ----------
Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical to the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing; you can technically partition it however you want but then you're building that configuration from scratch. How difficult is it to dump the partitioning of a 6p? I'm still looking but that's the next best candidate, being unlockable, in seeing if this is feasible. Sorry for any typos, sending these last two from my phone.
nate0 said:
I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?
I added another reply before seeing yours. It contains 3 things that may be a problem: UEFI, partition layout and drivers.
UEFI: Windows Mobile is said to require Secure Boot. This is not a problem because Nexus phones support it. The problem I see is more with the signature check on the bootloader: the 'Microsoft Windows Production PCA' and 'Microsoft Corporation UEFI CA' keys should be in the "DB" store for the Windows Mobile bootloader to be accepted by the UEFI bios of the Nexus. The worst thing that can happen is the Nexus displaying a message complaining about the bootloader.
Partition layout: Flashing a new image will probably change the partition table. I don't know if it can be a problem.
Drivers: SoC contains most if not all the required systems of a phone so the drivers should work but they may need per-hardware "customisation".
The problem is that we hear about people succeeding but not about failures: has someone already tried to flash a FFU file to a Nexus? Maybe no one ever tried... and maybe it's working.
I don't think you can really brick a phone by doing so because the Qualcomm 9008 mode is not something that is part of the image.
nate0 said:
Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical to the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing; you can technically partition it however you want but then you're building that configuration from scratch. How difficult is it to dump the partitioning of a 6p? I'm still looking but that's the next best candidate, being unlockable, in seeing if this is feasible. Sorry for any typos, sending these last two from my phone.
The FFU file basically contains a disk image with a GPT partition table. When you flash the FFU, the eMMC memory will be erased and a new partition table will be installed along with the new partitions. On this forum, there is a tool which converts FFU to VHD: http://forum.xda-developers.com/showthread.php?t=2066903 (On my computer, the conversion works but the mounting fails. You can find the resulting VHD file in your Windows profile TEMP directory.). There is also one Python script available to create a RAW disk image from a FFU file but I HIGHLY DON'T RECOMMEND IT as it doesn't implement the whole FFU specification so it will likely create a corrupt disk image.
The thing I don't know is if the partition layout of a phone can be changed: you can of course change it but will the phone still operate? I mean maybe each partition needs to start at an exact sector (LBA) [I don't think so but without trying...]
Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile
nate0 said:
Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile
No, I have no Windows Phone
Maybe the Secure Boot is just a requirement but it may not be mandatory to boot.
It's also possible that a retail ROM checks for it but that a production ROM may not check for it. ( https://cms-images.idgesg.net/images/article/2015/03/uefi-secure-boot-windows-10-100574859-orig.png )
Okay, I have more information: it seems that on mobile phones, the SecureBoot keys can be stored in a partition from the emmc. This partition name is RPMB for Replay Protected Memory Block.
This partition is encrypted with the PK key which is burnt into the chip.
It seems booting an unverified bootloader is possible on Nexus phone
http://android.stackexchange.com/qu...ot-img-to-nexus-5-when-secure-boot-is-enabled
Q: "As I understand, if secure boot is enabled, the bootloader will verify the boot.img when booting.
Obviously, my custom kernel cannot pass the verification.
In such a case, how to correctly flash my own boot.img?"
A: "This doesn't imply that you cannot boot into the Android with your custom kernel. When the verification would fail, your device would warn you about that and you would be given the choice to continue the boot process or not."
Correct. It warns of this after unlocking the boot loader. Need to acquire an mbn for this phone to boot the rom in question.
nate0 said:
Correct. It warns of this after unlocking the boot loader. Need to acquire an mbn for this phone to boot the rom in question.
I attached the one I have but don't know if it's the one to use for this phone.
Did you generate this mbn or locate it elsewhere? I am trying to understand how the mbn file fits into the picture. Is it generated based on the FFU image or generated by the OEM?
I was able to create the program xml from a lumia FW of another 800 SoC (Lumia ICON). With the files and tools gathered I want to just test this flash process by flashing a different Windows ROM designed for the Lumia onto my Ativ SE. I think I have a way of getting the mbn for this phone with samtools which I found in another forum thread, but I will have to double check. The ATIV SE is also the 800 but not designed for this specific Lumia rom or the rom designed for it, however you look at it. I am willing to do this since the ATIV SE has a bad sim slot anyway.
I think "MBN" doesn't mean anything: it's just an extension. I found MBN files containing basically any type of file. The MBN file I attached and which is needed by the emmcdl.exe program should be an ELF (Executable Linkable Format, the EXE files of Linux among many uses). Open it with a hex editor and it should start with "ELF".
The file I provided has been found by myself. I don't yet have any idea if it's possible to generate them. Firehose is the name of one of the many protocols which can be used to talk to a device in emergency mode. I think it only depends on the SoC.
My answer to your PM may be useful for everyone. So I copy it here:
I'm not sure flashing the FFU of the Lumia 950 XL to an Ativ SE will work as is. Indeed they don't use the same SoC. It's possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using ImageApp.exe (from Windows 10) directly on the FFU file:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn789232(v=vs.85).aspx
TO TEST
It may also be possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using DISM (from Windows 10) directly on the FFU file:
Dism /Image:flash.ffu /Add-Package /PackagePath:C:\packages\package1.cab /PackagePath:C:\packages\package2.cab
Use the /IgnoreCheck argument if you want the command to process without checking the applicability of each package.
You may want to remove the CAB files related to the Qualcomm MSM8994 SoC of the Lumia 950 XL:
Dism /Image:flash.ffu /Remove-Package /PackageName:Microsoft.Windows.Calc.Demo~6595b6144ccf1df~x86~en~1.0.0.0
Use the /Get-Packages option to find the name of the package in the image.
END - TO TEST
Without this step, you will probably end up with a boot looping phone but you should be able to recover the original Windows Phone 8 OS with the Microsoft Windows Device Recovery Tool.
There are 4 ways to flash a new image to a device:
- Using UEFI download mode (Windows Phone)
- Using fastboot (Android)
- Using the Qualcomm 9008 mode (all phones with a Qualcomm SoC)
- Using the FFU download mode (Windows Phone)
1. How to put the phone in UEFI download mode
If you have a Windows Phone, please try to turn off the phone and then press the power button for a long time until the phone shows a "Windows Phone Boot Menu" with a "USB Mass Storage Mode". You can then release the button.
To select this option, simply press the power button once: you can now connect the phone to your computer. The driver should install automatically and the phone will appear on your computer as a disk drive.
2. How to put the phone in fastboot mode
Go here: http://www.droidviews.com/how-to-bo...astboot-download-bootloader-or-recovery-mode/
3. How to (force) trigger the Qualcomm 9008 mode
NOTE: If you have a working operating system, this is not needed to flash a new image. If the phone feels the need to go in Qualcomm 9008 mode (if it fails to boot from the eMMC), it will do it by itself.
NOTE: For Android, you may be able to reboot the phone in Qualcomm 9008 mode using an adb command:
adb reboot edl
The only way to (force) go into Qualcomm 9008 mode is to brick your phone: indeed, if it fails to do any kind of software boot from the eMMC memory, it will fall back to Qualcomm 9008 mode.
(Ok, on some phones, shorting some pins on the motherboard may force the Qualcomm 9008 mode but you need to know which ones.)
The first step is to prevent the phone from booting the installed operating system. To do that, we remove the boot partition from the eMMC. Don't worry, the primary boot loader (PBL) is in a chip on your board and can't be erased: you only kill the operating system (Android/Windows) bootloader; also known as secondary boot loader (SBL).
3.1 Android
If you have an Android phone, you will need to boot into fastboot and issue the following command to erase the SBL1 partition (the operating system bootloader):
fastboot erase sbl1
3.2 Windows
If you have a Windows phone, you will need to boot into UEFI download mode.
Once the phone is installed on your computer, you need to delete the SBL1 partition from the phone (the operating system bootloader). I think you can do it using any partition software because the phone is detected by the computer as a drive.
You can also use the emmcdl.exe tool:
You first need to list disks:
emmcdl.exe -l
Note the number at the beginning of your phone's drive. Then issue the following command (replace X with the disk number):
emmcdl.exe -p X -e SBL1
4. How to flash a new image
4.1. Using UEFI download mode (Windows Phone)
NOTE: If you don't have the stock FFU file or if your phone is not supported by the Windows Device Recovery Tool, you may also want to do a backup of the phone drive using a free tool like "HDD Raw Copy": this drive image can be reflashed later using the download mode [if you can reach it] or from the Qualcomm 9008 mode.
4.1.1 Method #1: FFU > VHD > HDD Raw Copy
- convert the FFU file to a VHD using ImgMount ( http://forum.xda-developers.com/showthread.php?t=2066903 ),
- mount the VHD as read-only on your PC using VHDAttach ( https://www.medo64.com/vhdattach/ ),
- use "HDD Raw Copy" ( http://hddguru.com/software/HDD-Raw-Copy-Tool/ ) to copy the whole disk corresponding to the VHD to the drive corresponding to your phone (clone the VHD onto the drive).
4.1.2 Method #2: Using DISM.exe
NOTE: You will probably need DISM from a Win 10 installation.
dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN
Use /SkipPlatformCheck if the FFU file being applied is targeted for a device other than the device performing the application.
URL: https://developer.microsoft.com/en-us/windows/iot/win10/samples/dism
4.2 Using Qualcomm 9008 mode (All phones with a Qualcomm SoC)
If your phone is in Qualcomm 9008, it will show up as "Qualcomm HS-USB QDLoader 9008" [or QHSUSB_DLOAD]. (If it does show up as "Qualcomm HS-USB Diagnostics 9006" [or QHSUSB_BULK] don't do anything as it's not exactly the same thing).
You indeed need drivers. You can find them here: https://mega.nz/#!uhJl0B5R!J6Hbx6Dd6...WrkVNK8IZaOTkg
NOTE: It seems that some phones also mount the eMMC as a drive: you need to look under "Disk drives" in your Windows "Device Manager". Indeed, if you find "Qualcomm MMC Storage USB Device", it means your phone eMMC is mounted as a drive. You can use methods from 4.1 instead of continuing here.
Once the phone is detected and installed, you can use this command:
emmcdl.exe -p COMX -f prog_emmc_firehose_XXXX_lite.mbn -FFU Flash-val.FFU
Replace COMX with the port used by the phone: you can find it in the "Device Manager" under "Ports (COM & LPT)". You also need the correct flasher for your phone.
// TODO : Add things about protocol
4.3 Using fastboot (Android)
fastboot oem unlock
Extract all partitions from the FFU file as BIN files:
emmcdl -dumpffu {FFU_file} all -o {folder}
Flash new partition table:
fastboot flash partition {partition_table_file}
Flash all partitions:
fastboot flash {partition_name} {partition_file}
Reboot:
fastboot reboot
4.4 Using FFU download mode (Windows)
NOTE: This method uses a flasher from the phone. This flasher checks image integrity (thanks to the hash table embedded in the FFU file) and checks whether the FFU file is signed (thanks to the embedded catalog file). It also checks whether the FFU file is for this phone (platform check). So, it can only be used to flash a stock image.
To force the device into the FFU download mode manually, press and release the power button to boot the device, and then immediately press and hold the volume up button. This option is available only after an initial FFU has been flashed to the device.
ffutool -flash flash.ffu
There is another tool from Microsoft dealing with FFU: ffutool.exe
https://msdn.microsoft.com/en-us/library/windows/hardware/dn789235(v=vs.85).aspx
It's part of Windows Assessment and Deployment Kit (Windows ADK) which is publicly available ( https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx ).
NOTE: This program has been coded using C# so it can easily be decompiled back to its source code using ILSpy ( http://ilspy.net/ ). It uses the following assembly: 'FFUComponents, Version=8.0.0.0, Culture=neutral, PublicKeyToken=5d653a1a5ba069fd' which may contain interesting code.
I'm not sure it's useful as it seems to enforce integrity check and platform check.
Usage: FFUTool -flash <path to FFU file to apply to disk> [path to flashing WIM]..
FFUTool -uefiflash <path to FFU, flashed from UEFI directly>..
FFUTool -fastflash <path to FFU, flashed from UEFI directly>..
FFUTool -wim <path to WIM to boot from RAM>..
FFUTool -skip..
FFUTool -list..
FFUTool -massStorage..
FFUTool -clearId..
FFUTool -serial..
FFUTool -setBootMode <boot mode> <optional profile name>
The last tool which deals with FFU files is thor2.exe
It's also publicly available: just install the Microsoft Windows Device Recovery Tool ( http://go.microsoft.com/fwlink/p/?LinkId=522381 ) and you will find it in this folder: C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
Usage: thor2 -mode [MODE] -[ARGUMENT]... -[FLAG]...
Thor2 aims to provide SW update and miscellaneous R&D operations for WP8 products, Alpha, Collins, Theta, Quattro and Romulus engines.
MODEs:
Sets mode of operation. Modes are emergency, uefiflash, sdflash, vpl, dump, rnd, retail, ffureader, list_connections and uefiserialflash.
ARGUMENTs:
-ffufile <filepath> Sets path to FFU file
-sdfile <filepath> Sets path to SD file
-vplfile <filepath> Sets path to VPL file
-conn <connection> Sets connection endpoint/identifier. E.g. COMx in Windows (where x is number).
Connection ID notation is controllerID:hubort. Like 0.0200.0003.0100:0004:0002
Controller ID notation is the value of each sub strings of PCI of Device Location Paths USB property.
The values of PCI sub strings are concatenated into resulting value separated by comma.
For example PCIROOT(0)#PCI(0200)#PCI(0003)#PCI(0100)#USBROOT(0)#USB(1)#USB(5)#USB(6)#USB(1) results 0.0200.0003.0100 as controllerID.
If omitted, THOR2 tries to auto-detect a connected device.
Use list_connections mode to findout connected device along connection IDs.
-logfile <filepath> Sets custom log file for THOR2 traces
*** arguments for emergency mode ***
-configfile <filepath> Sets path to 8974 emergency download configuration file (file should be in XML format).
All references to binary files in the configuration file should be located in the same directory.
-protocol <prot> Forces usage of specific emergency download protocol. Supported protocols: sahara ( Quattro/Romulus ) and streaming ( Collins / Alpha as default )
-mbnfile <filepath> Sets path to mbn file
-hexfile <filepath> Sets path to QComm HEX flasher file
-dumpfileforhexflasher <filepath> Sets the path to dump file.
-dumparea <first sector to read,amount of sectors to read>
*** arguments for uefiflash mode ***
-partitionname <partition name> Sets partition name of the GPT to program to.
-partitionimagefile <filepath> Sets path to partition image file to be programmed into the device.
-imagefile <filepath> Sets image file to be programmed into the device.
-startsector <first sector to flash> Sets number of sector from flashing of image begins.
-productcodeupdate <CTR code> Updates product code after successful programming. RM-820 is out-scoped.
-looptest <loopCounter> Tests FFU programming in a loop while staying in the flash mode between programming trials.
-timeout <time in seconds> Waiting time of device to appear.
-maxtransfersizekb <block size in kb> Max programming block size.
-dplfile <filepath> Sets path to DPL file.
-batterylevel <value> Sets minimum battery level that flashing starts.
*** arguments for uefiserialflash mode ***
-serialflash <loopCounter> FFU programming of multiple of devices. Multiple of devices can be programmed in serial one after one.
*** arguments for dump mode ***
-uefifile <filepath> Sets path to UEFI file to be loaded into the device.
-partitionname <name> Sets name of partition to be read out from the device.
-dumparea <first sector to read,amount of sectors to read>
*** arguments for rnd mode ***
-gptfile <filepath> Sets path to GPT image file.
-rawmsgreq <hex message> Message to be send to the device in hexadecimal. Messaging protocol could be NOK, JSON or user defined.
-rawmsgresp <hex message> Expected response message to '-rawmsgreq <hex message>' request message. Returns a zero (0) if match between request and response.
-asciimsgreq <ascii message> Message to be send to the device in ASCII. Messaging protocol could be NOK, JSON or user defined.
-jsonfile <filepath> Sets path to JSON file.
-asciimsgresp <ascii message> Expected response message to '-asciimsgreq <ascii message>' request message. Returns a zero (0) if match between request and response.
-do_authentication -sdauthenticationtype <production|tucson>.
*** arguments for retail mode ***
-nvifile <filepath> Sets path to NVI file.
-writerdc <filepath> Writes RDC from the given file to the device.
-readrdc <filepath> Reads RDC to the given file from device.
-erasepartition <name> Sets name of partition to be erased from the device.
*** arguments for ffureader mode ***
-partitionimagefile <filepath> Sets path to partition image file.
-filedir <dir path> Sets path to directory, where files are dumped.
FLAGs:
*** flags for emergency mode ***
-skipprotocoldetection Skips automatic detection of emergency protocol when connection is opened. Can be used in conjunction
with argument "-protocol sahara"
-skipffuflash Skips FFU flashing at the end of emergency download
-skippayloadsending Skips payload sending of rnd emergency download
-use_legacy_hex Collins and Alpha emergency. Uses legacy HEX flasher.
-orig_gpt Collins and Alpha emergency. Programs MBN image.
-debug Enables raw message tracing (during Sahara protocol stage)
*** flags for uefiflash mode ***
-skip_write Secure FFU flashing. Programming sequence executed without programming to the storage device.
-skip_hash Secure FFU flashing. Skips the hash calculation of the payload data.
-skip_id_check Secure FFU flashing. Skips Platform ID check between the device and FFU file.
-skip_signature_check Secure FFU flashing. Skips signature check of secure header of FFU file.
-skip_reboot_on_failure Secure FFU flashing. Skips reboot option if flashing fails.
-do_factory_reset Restores Modem FSG partition to Modem FS1 and erases Modem FS2.
-verify_write Secure FFU flashing. Normal programming sequence executed followed by read and verify.
-detect_device_after_reboot Detects device after reboot.
-disable_msg_timeout Secure FFU flashing. Disables messaging timeout of UEFI FlashApp
-skip_flash Secure FFU flashing. Boots to the UEFI FlashApp without programming
-skip_rkh_check Secure FFU flashing. Skips the Root Key Hash check between the device and FFU file
-use_crc_in_sffu_prog Secure FFU flashing. CRC32 is used to check integrity of the payload data
-erase_data Secure FFU flashing. Erases the Data partition a.k.a UDA of Windows Phone
-skip_preserve_dpp Skips overwriting prevention of DPP partition. By default programming will fail if the DPP partition of FFU file contains data.
-reboot Reboots the device, if possible
-power_off Powers off the device after the USB cable is disconnected.
-sync_msging_sffu_prog Secure FFU flashing. Uses sync messaging between PC and device.
-do_full_nvi_update Applies the full NVI settings after successful programming. During the first boot after programming the NVI updater updates the NV items.
-unbufferedfileio Use unbuffered file I/O in case of SFFU programming. Aims to fix issues if FFU file is programmed from a network share.
-skip_backup_restore Secure FFU flashing. Skips backup and restore. By default backups of MODEM_FSG, MODEM_FS1, MODEM_FS2, SSD and
DPP partitions to the RAM of device and restores them after successful programming of Windows Phone.
-show_detailed_progress Shows detailed progress info (transferred bytes and transfer speed).
-trace_usb Prints out debugging traces of WinUSB client.
-use_boot_to_flsapp_json Re-boots device into the flash mode from the normal/test mode.
-skip_exit_on_post_op_failure Executes all specified post flash operations (factory reset, full NVI update etc.), even if failures occur.
-restorepartition Restores backup partition into the eMMC.
*** flags for dump mode ***
-dump_via_gpt Reads out the content of eMMC of Windows Phone. The reading is based on the GPT of device.
This is excluded from the official Uefi FlashApp.
-dump_via_sector Reads out the content of eMMC of Windows Phone. The reading is based on -dumparea argument.
This is excluded from the official Uefi FlashApp.
-skip_read Skips read in case of reading out the content of eMMC of Windows Phone.
This enables to load and execute an UEFI app from PC to device.
*** flags for rnd mode ***
-bootmsc Boots the device into the USB mass storage mode.
-detect_device_after_reboot Detects device after reboot.
-readjtagserial Reads serial number of JTAG.
-bootmmos Boots the device into the MMOS.
-normalmode Operations are done in the normal mode of device.
-uefitests Tests DSS UEFI apps of device.
-delgpt Clears the GPT of device.
-skip_gpt_check The R&D mode validates the GPT. Use this flag to skip the check.
-bootflashapp Boots to UEFI Flash App.
-bootphoneinfoapp Boots to UEFI Phone Info App.
-boot_edmode Boots to Emergency Download mode.
-read_public_id Reads public ID from the device.
-power_off Powers off the device after the USB cable is disconnected.
-read_charging_status Reads charging status from the device.
-read_final_config Reads final config from the device.
-skip_com_scan Skips scanning of COM ports.
-reboot Reboots the device, if possible
-do_rpmb Executes RPMB provisioning procedure.
-do_uefikeys_rd Executes UEFI Keys provisioning procedure for RD.
-do_uefikeys_prod Executes UEFI Keys provisioning procedure for production.
-dump_gpt Executes parsing of GPT image file.
-flashappbuildinfo Reads build related information about the UEFI flash application.
-uefisecurebootinfo Reads information about the UEFI secure boot.
-readphoneinfo Reads Phone info.
-continueboot Continue boot.
-readdeviceinfo Reads miscellaneous information from device.
-readrpmbstatus Read RPMB provisioning status.
-readisswversion Reads ISSW version and compilation info.
-do_factory_reset Restores Modem FSG partition to Modem FS1 and erases Modem FS2.
-do_authentication Authenticates device. The default authentication level is
production. Level can be changed by argument sdauthenticationtype.
-bootlumiabootmgr (Re-)Boots to Boot Manager.
-bootnormalmode Boots to the normal mode / Windows Phone OS.
-dump_mbn Chops up MBN image into files according to the GPT of MBN image.
-readcid Reads card identification of eMMC, manufacturer, OID and PSN.
-validatessdhash Validates SSD integrity.
-relock GDR3 devices which have been retail unlocked with MSFT packages
are not booting if Blue SW is updated via FFU flashing.
Re-lock operation should be done prio to flashing Blue FFU.
-oddt Connection created to ODDT Control, if it is found.
-readramsize Reads size of system memory.
-read_reset_protection_status Reads status of reset protection.
-remove_sbcp Removes secure boot configuration policy.
*** flags for retail mode ***
-reboot Reboots the device, if possible
-eraserdc Erases the RDC from the device.
-power_off Powers off the device after the USB cable is disconnected.
*** flags for uefiserialflash mode ***
-power_off Powers off the device after the USB cable is disconnected.
*** flags for ffureader mode ***
-dump_gpt Dumps GPT(s) from FFU file.
-dump_partitions Dumps partitions into files according to the GPT of FFU file.
-read_antitheft_version Reads only antitheft version from FFU file.
*** miscellaneous ***
Thor2 supports drag and drop. The basic flashing can be done by drag&drop ffu file over the thor2.exe.
If thor2 shortcut is added to SendTo menu, you can flash ffu file by sending it to thor2.
-skip_logfile Skips logfile creation.
-mode userauthentication -passcode securitycode [-server saisec001] [-securesessionfile mysession.bin ] Authentication with VIP Access, creates user's securesessionid file
/? Displays this help and exits.
--help Displays this help and exits.
--help -mode [ MODE ] Displays examples according to defined mode and exits.
--version Displays version information and exits.
*-*-* examples *-*-*
*-*-* Uefiflash examples *-*-*
SFFU programming:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu"
SFFU programming and product code update:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -productcodeupdate 01234567
SFFU programming and Full NVI update:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -do_full_nvi_update -do_factory_reset
SFFU programming along product code and Full NVI updates:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -productcodeupdate 01234567 -do_full_nvi_update -do_factory_reset -reboot
SFFU programming and battery level check:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -batterylevel 10
Partition programming. Programs uefi.mbn partition image file into uefi partition:
thor2 -mode uefiflash -partitionname uefi -partitionimagefile "uefi.mbn"
Image programming. Programs GPT:
thor2 -mode uefiflash -startsector 0 -imagefile "gpt.bin"
Partition programming. Programs sbl1.mbn partition image file into sbl1 partition:
thor2 -mode uefiflash -partitionname sbl1 -partitionimagefile "sbl1.mbn"
Partition restoring. Restores dpp.mbn partition image file into dpp partition:
thor2 -mode uefiflash -partitionname dpp -partitionimagefile "dpp.mbn" -restorepartition -skip_gpt_check
MMOS programming:
thor2 -mode uefiflash -mmosfile "mmos.wim"
MMOS programming according to DPL file:
thor2 -mode uefiflash -dplfile "DPL_RM974.xml"
*-*-* Emergency examples *-*-*
Emergency and SFFU programming for Quattro and Romulus:
thor2 -mode emergency -configfile "emergency_config.xml" -ffufile "Production_flash.ffu"
Emergency programming for Quattro and Romulus:
thor2 -mode emergency -configfile "8974_emergency_config.xml" -ffufile "QUMA_Production_flash.ffu" -skipffuflash
Emergency and SFFU programming for Quattro and Romulus ( RnD ) :
thor2 -mode emergency -hexfile "MPRG8974_fh_v1_0.mbn" -edfile "RM937_1025.0001.1.1.ed" -ffufile "Production_flash.ffu"
Emergency and SFFU programming for Collins and Alpha:
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -ffufile "RM821_Production_flash_rnd_signed.ffu"
Emergency programming for Collins and Alpha ( GPT from FFU file ):
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -ffufile "RM821_Production_flash_rnd_signed.ffu" -skipffuflash
Emergency programming for Collins and Alpha ( MBN file only ):
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -orig_gpt
Reads content of eMMC with HEX flasher. The dump area is in sectors; first_sector_to_read,amount_of_sectors_to_read. Size of one sector is 512 bytes.
The official HEX flasher does not support reading. Thus a RnD version is needed for that.
Reads out the GPT of device:
thor2 -mode emergency -configfile "8974_emergencyflash_config.xml" -dumparea 0,34 -dumpfileforhexflasher "gpt.bin"
*-*-* Rnd mode examples *-*-*
Read phone info:
thor2 -mode rnd -readphoneinfo
Boot to the USB MSC mode:
thor2 -mode rnd -bootmsc -skip_com_scan
Note: PC will freeze, if SBL3 code is used and MSC code is missing from SBL3
Boot to the MMOS:
thor2 -mode rnd -bootmmos -skip_com_scan
Boot to the Emergency Download mode:
thor2 -mode rnd -skip_gpt_check -boot_edmode
Delete the GPT of device:
thor2 -mode rnd -delgpt -skip_com_scan
Execute DSS UEFI app tests:
thor2 -mode rnd -uefitests -skip_com_scan
Reboot the device:
thor2 -mode rnd -reboot
Power off the device:
thor2 -mode rnd -power_off
Read public ID from the device:
thor2 -mode rnd -read_public_id -skip_com_scan
Chop up MBN image into files according to the GPT:
thor2 -mode rnd -mbnfile "8960_msimage_uefi.mbn" -dump_mbn
Extract ed payload image:
thor2 -mode rnd -edfile "ed_payload.ed" -dump_edpayload
Executes UEFI Keys provisioning procedure for RD:
thor2 -mode rnd -do_uefikeys_rd -skip_com_scan
Executes UEFI Keys provisioning procedure for production:
thor2 -mode rnd -do_uefikeys_prod -skip_com_scan
Executes RPMB provisioning procedure:
thor2 -mode rnd -do_rpmb -skip_com_scan
Executes parsing of GPT:
thor2 -mode rnd -gptfile "gpt.mbn" -dump_gpt -skip_com_scan
Raw messaging. Disables messaging timeout (NOKD):
thor2 -mode rnd -rawmsgreq 4e4f4b44 -rawmsgresp 4e4f4b44 -skip_com_scan
Raw messaging. Hello (NOKI):
thor2 -mode rnd -rawmsgreq 4e4f4b49 -rawmsgresp 4e4f4b49 -skip_com_scan
Raw messaging. Reboot (NOKR):
thor2 -mode rnd -rawmsgreq 4e4f4b52 -skip_com_scan
ASCII messaging. Disables messaging timeout:
thor2 -mode rnd -asciimsgreq NOKD -asciimsgresp NOKD -skip_com_scan
ASCII messaging. Hello:
thor2 -mode rnd -asciimsgreq NOKI -asciimsgresp NOKI -skip_com_scan
ASCII messaging. Reboot:
thor2 -mode rnd -asciimsgreq NOKR -skip_com_scan
Reads serial number of JTAG:
thor2 -mode rnd -readjtagserial -skip_com_scan
Reads RPMB provisioning status:
thor2 -mode rnd -readrpmbstatus -skip_gpt_check
Reads PSN:
thor2 -mode rnd -readpsn -skip_com_scan
Sends JSON messages from JSON file to MMOS / label app:
thor2 -mode rnd -jsonfile "json_messages_file.json"
Sends JSON messages from JSON file to normal mode / NCSd:
thor2 -mode rnd -jsonfile "json_messages_file.json -normalmode"
Device authentication:
thor2 -mode rnd -do_authentication -sdauthenticationtype production -skip_com_scan -skip_gpt_check [-server saisec001.europe.nokia.com] [-securesessionfile mysession.sessionid]"
Reads CID (manufactuter of eMMC):
thor2 -mode rnd -readcid -skip_com_scan
Validates SSD integrity:
thor2.exe -mode rnd -validatessdhash -skip_gpt_check
Re-lock:
thor2.exe -mode rnd -relock -skip_gpt_check
Reads ISSW version and compilation info:
thor2.exe -mode rnd -readisswversion -skip_gpt_check
Reads status of reset protection:
thor2.exe -mode rnd -read_reset_protection_status -skip_gpt_check -skip_com_scan
Removes secure boot configuration policy:
thor2.exe -mode rnd -remove_sbcp -skip_gpt_check -skip_com_scan
*-*-* ffureader mode examples *-*-*
Read FFU file and dump partitions into files according to the GPT:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_partitions
Read FFU file and dump partitions into files into defined directory according to the GPT:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_partitions -filedir c:\temp
Read FFU file and dump GPT(s) into files:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_gpt
Read the RKH from partition image file:
thor2 -mode ffureader -partitionimagefile "SBL1.mbn"
Read FFU file and read Antitheft version:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -read_antitheft_version
Read FFU file and check integrity:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu"
*-*-* dump mode examples *-*-*
Reads content of eMMC with UEFI flash app. Dumps whole eMMC based on the GPT:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" -dump_via_gpt
Reads content of eMMC with UEFI flash app. Dumps eMMC based on the dumparea argument.
The dump area is in sectors; first_sector_to_read,amount_of_sectors_to_read. Size of one sector is 512 bytes.
Reads out the GPT of device:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" "-dumparea 0,34" -dump_via_sector
Reads content of eMMC with UEFI flash app based on partitionname argument. Reads uefi partition image file from uefi partition:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" -dump_via_gpt -partitionname uefi
*-*-* Retail mode examples *-*-*
Erases partition based on name of partition. Erases Data partition:
thor2 -mode retail -erasepartition Data
Reads the RDC from device into the file:
thor2 -mode retail -readrdc "rdc.bin"
Writes the RDC into the device from file:
thor2 -mode retail -writerdc "rdc.bin"
Erases the RDC from device:
thor2 -mode retail -eraserdc
Sends NVIs messages from nvi file to MMOS / label app:
thor2 -mode retail -nvifile "CustomerNvi.nvi"
Sends NVIs messages from nvi file to normal mode / NCSd:
thor2 -mode retail -nvifile "CustomerNvi.nvi -normalmode"
*-*-* misc examples *-*-*
VPL programming:
thor2 -mode vpl -vplfile "RM821_059R7J4_1232.5951.1249.1003_016.vpl"
SD card programming:
thor2 -mode sdflash -sdfile "RM821_059R7J4_1232.5951.1249.1003_016.img"
Read USB connections and print the result:
thor2 -mode list_connections
Programs the same FFU file into one or multible devices. User needs to change devices between programming states:
thor2 -mode uefiserialflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -serialflash 50 -power_off
Copyright @ 2015 Microsoft Mobile
Hi guys,
I was trying to get out of emergency mode and finally found a solution that I want to share with you. Sorry for bad English.
First of all you should know that you are doing this at your own risk and you will lose all your data.
REQUIREMENTS
-Windows Device Recovery Tool (Download)
-Your device's rom (you can get it from here)
-Your device's emergency files (files end with .hex and .mbn. You should see them under the rom details.)
When you are ready, connect your phone to the computer via USB. Then open the command line as administrator and type:
If you are using a 32-bit operating system:
Code:
cd "%ProgramFiles%\Microsoft Care Suite\Windows Device Recovery Tool"
If you are using a 64-bit operating system:
Code:
cd "%ProgramFiles(x86)%\Microsoft Care Suite\Windows Device Recovery Tool"
Now we will use thor2 to get out of emergency mode, but we can't do it immediately. We should install the bootloader again. Copy your ROM and emergency files to the desktop.
IMPORTANT
Then type this in the command line, editing the code:
Code:
thor2 -mode emergency -hexfile %HomePath%\Desktop\YOUR_HEX_FILE.hex -mbnfile %HomePath%\Desktop\YOUR_MBN_FILE.mbn -ffufile %HomePath%\Desktop\YOUR_ROM_FILE.ffu -skipffuflash
Press your phone's soft-reset (volume down-power) buttons and Windows will play a notification sound when your device disconnects and reconnects. It will take about 10 seconds at least. Timing is important. You should restart your device and hit Enter at the same time. Otherwise you will get:
"THOR2_EMERGENCYFLASHV1_ERROR_PROGRAMMER_SEND_FAILED
THOR2 1.8.2.18 exited with error code 85030 (0x14C26)"
You should see "Exited with success".
Then your phone goes into flashing mode, but it won't flash any file. To flash your ROM, type:
Code:
thor2 -mode uefiflash -ffufile "%HomePath%\Desktop\YOUR_ROM_FILE.ffu" -do_full_nvi_update -do_factory_reset -reboot
And you are done. Just wait for the flash to end. Then your device will restart with factory settings and you will be able to use your device. Hope it helps!
Credits:
DilanCHD's Tutorial
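Added example, not part of the post above and not thor2's own code: the thor2 help text says `-dumparea 0,34` reads sectors 0 to 33 (the device's GPT) at 512 bytes per sector. The Python below validates such a dump against the standard UEFI GPT layout before anything is built from it; `parse_gpt`, `build_sample` and the two-partition image are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512                       # sector size given in the thor2 help text
HDR = "<8sIIIIQQQQ16sQIII"         # 92-byte GPT header layout (UEFI spec)

def parse_gpt(dump: bytes) -> list:
    """Validate a dump of sectors 0..33 and return [(name, first_lba, last_lba)]."""
    if len(dump) < 34 * SECTOR:
        raise ValueError("dump is shorter than 34 sectors")
    if dump[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no protective-MBR signature")
    hdr = dump[SECTOR:2 * SECTOR]
    (sig, _rev, size, hdr_crc, _r, _cur, _bak, _first, _last, _guid,
     ent_lba, count, ent_size, ent_crc) = struct.unpack_from(HDR, hdr)
    if sig != b"EFI PART" or not 92 <= size <= SECTOR:
        raise ValueError("sector 1 is not a GPT header")
    # The header CRC32 is computed with its own 4-byte field zeroed.
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:size]) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    table = dump[ent_lba * SECTOR:ent_lba * SECTOR + count * ent_size]
    if ent_size < 128 or len(table) != count * ent_size or zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for off in range(0, len(table), ent_size):
        entry = table[off:off + ent_size]
        if entry[:16] == bytes(16):            # all-zero type GUID: unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", errors="replace").split("\0")[0]
        parts.append((name, first, last))
    return parts

def build_sample() -> bytes:
    """Constructed 34-sector image; partition names borrowed from the help text."""
    table = bytearray(128 * 128)
    for i, (name, first, last) in enumerate([("UEFI", 2048, 4095), ("Data", 4096, 8191)]):
        struct.pack_into("<16s16sQQQ72s", table, i * 128, bytes([i + 1]) * 16,
                         bytes([i + 9]) * 16, first, last, 0, name.encode("utf-16-le"))
    hdr = bytearray(struct.pack(HDR, b"EFI PART", 0x10000, 92, 0, 0, 1, 16383,
                                34, 16350, bytes([7]) * 16, 2, 128, 128, zlib.crc32(table)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    return bytes(510) + b"\x55\xaa" + bytes(hdr).ljust(SECTOR, b"\0") + bytes(table)

if __name__ == "__main__":
    for name, first, last in parse_gpt(build_sample()):
        print(f"{name:<8} LBA {first}-{last} ({(last - first + 1) * SECTOR} bytes)")
```

A dump that fails either CRC check is truncated or corrupted and should be re-read rather than used.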
Flash wrong sbl3 file
This process didn't work after flashing wrong sbl3 file. Please help me to fix my dead lumia 525...
A Hassan said:
This process didn't work after flashing wrong sbl3 file. Please help me to fix my dead lumia 525...
Hassan, is your device still in emergency mode ?
Flash wrong sbl3 file
bylux07 said:
Hassan, is your device still in emergency mode ?
No, it is completely dead, no vibration, no starting up, nothing, Can you help?
A Hassan said:
No, it is completely dead, no vibration, no starting up, nothing, Can you help?
Hm, okay, try taking out the battery, wait a couple of minutes, then plug in the charger and wait for just a bit. Then connect your device and confirm its status from thor2.
Sir, I tried the above procedure properly on my Nokia Lumia 525, but my device does not show the RED Screen and is still in QHSUSB_DLOAD Emergency mode, no vibration, no light. After entering
thor2 -mode emergency -hexfile %HomePath%\Desktop\YOUR_HEX_FILE.hex -mbnfile %HomePath%\Desktop\YOUR_MBN_FILE.mbn -ffufile %HomePath%\Desktop\YOUR_ROM_FILE.ffu -skipffuflash
I got exited with success, but no RED Screen, tried several times.
Please Help me to get Lumia 525 back to Life !
It doesn't work with me...
I have a Lumia 1020 RM-875, the correct .hex .mbn .ffu files and WPRT. I tried to use the code after the thor2 launcher, but after the emergency download I always get this message:
Sending OPEN_MULTI_REQ
Message send failed with error code 8
Failed to get response to OPEN_MULTI_REQ
ALPHA EMERGENCY FLASH END
...
THOR2_EMERGENCYFLASHV1_ERROR_MSG_SEND_RECEIVE_FAILED
THOR2 1.8.2.18 exited with error code 85021 (0x14C1D)
How can I fix it? (Sorry for any bad English, and I'm not a very highly skilled programmer.)
GiovanniDalBenITA said:
It doesn't work with me...
I have a Lumia 1020 RM-875, the correct .hex .mbn .ffu files and WPRT. I tried to use the code after the thor2 launcher, but after the emergency download I always get this message:
Sending OPEN_MULTI_REQ
Message send failed with error code 8
Failed to get response to OPEN_MULTI_REQ
ALPHA EMERGENCY FLASH END
...
THOR2_EMERGENCYFLASHV1_ERROR_MSG_SEND_RECEIVE_FAILED
THOR2 1.8.2.18 exited with error code 85021 (0x14C1D)
How can I fix it? (Sorry for any bad English, and I'm not a very highly skilled programmer.)
If you downloaded the mbn file from lumiafirmware, don't use it...
Create the mbn file with (for example, the downloaded FFU file is in the C:\rm-875\ folder, and xxx.ffu is just an example, you must write the exact name of the ffu file):
Code:
thor2 -mode ffureader -ffufile C:\rm-875\XXX.ffu -dump_gpt -filedir C:\dump
this command will create gpt0.bin and rename it as msimage.mbn
before start process, be sure your battery is charged. charge battery with phone charger some time to be sure.
now use (example when file.hex is in c:\HEX\ folder)
Code:
thor2 -mode emergency -hexfile C:\HEX\HEX.hex -mbnfile C:\dump\msimage.mbn -orig_gpt
when done, disconnect (remove) battery.
connect battery again
now use (file.vpl is just an example, you must write the exact name of the VPL file or rename it to file.vpl)
Code:
thor2.exe -mode vpl -maxtransfersizekb 1 -vplfile C:\rm-875\file.vpl
when done use
Code:
thor2 -mode rnd -bootnormalmode
What is hex file?
omg thanks it's work for my Lumia 920 and yes my device is completely dead, no vibration, no starting up, nothing, before
Problem
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\Serkan>cd "%ProgramFiles(x86)%\Microsoft Care Suite\Windows Device Recovery Tool"
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool> thor2 -mode emergency -hexfile %HomePath%\Desktop\YOUR_HEX_FILE.hex -mbnfile %HomePath%\Desktop\YOUR_MBN_FILE.mbn -ffufile %HomePath%\Desktop\YOUR_ROM_FILE.ffu -skipffuflash
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode emergency -hexfile \Users\Serkan\Desktop\YOUR_HEX_FILE.hex -mbnfile \Users\Serkan\Desktop\YOUR_MBN_FILE.mbn -ffufile \Users\Serkan\Desktop\YOUR_ROM_FILE.ffu -skipffuflash
Process started Thu Feb 08 15:34:38 2018
Logging to file C:\Users\Serkan\AppData\Local\Temp\thor2_win_20180208153438_ThreadId-9024.log
Debugging enabled for emergency
Initiating emergency download
Using default emergency protocol
ALPHA EMERGENCY FLASH START
Emergency Programmer V1 version 2014.10.31.001
Hex download selected
Check if device in Dload
Connection to DLOAD mode succeeded
Get Dload parameters
Sending HEX flasher to the device
Sending GO command if HEX flasher successfully uploaded.
Message send failed with error code -1
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 7.00 seconds.
THOR2_EMERGENCYFLASHV1_ERROR_MSG_SEND_RECEIVE_FAILED
THOR2 1.8.2.18 exited with error code 85021 (0x14C1D)
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -ffufile "%HomePath%\Desktop\YOUR_ROM_FILE.ffu" -do_full_nvi_update -do_factory_reset -reboot
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile \Users\Serkan\Desktop\YOUR_ROM_FILE.ffu -do_full_nvi_update -do_factory_reset -reboot
Process started Thu Feb 08 15:35:21 2018
Logging to file C:\Users\Serkan\AppData\Local\Temp\thor2_win_20180208153521_ThreadId-5920.log
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Device mode 7 Emergency mode
[THOR2_flash_state] Pre-programming operations
Disable timeouts
my phone is full blackscreen no starting up
THANK YOU
Thank you its worked
My lumia 640 xl is stuck on emergency Mode 7 can anyone help me to fix this
Thanks
EmreA32, THANK YOU
Thank you its worked...
Please help me too.
I have similar problem on lumia 520.
Thor2 -mode Emergency -hexfile hex.hex -mbnfile im.mbn -ffufile C:\ProgramData\Nokia\Packages\Products\rm-914\RM914_1030.6408.1309.0001_RETAIL_eu_russia_229_01_159218_prd_signed.ffu -skipffuflash
--------------
Initiating emergency download
Using default emergency protocol
ALPHA EMERGENCY FLASH START
Emergency Programmer V1 version 2014.10.31.001
Hex download selected
Check if device in Dload
Connection to DLOAD mode succeeded
Get Dload parameters
Sending HEX flasher to the device
Sending HEX flasher to the device failed. Try to re-send.
Re-sending HEX flasher to the device
Message send failed with error code 8
Cannot upload HEX flasher into the device
Sending GO command if HEX flasher successfully uploaded.
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 8.00 seconds.
THOR2_EMERGENCYFLASHV1_ERROR_MSG_SEND_RECEIVE_FAILED
THOR2 1.8.2.18 exited with error code 85021 (0x14C1D)
-------------
what helped you?
my phone is full blackscreen and has vibro power on
Thanks
Hello ,
I have a Nokia Lumia 822 with me here, and I have been trying to fix it for 2 days.
ERROR (Unable to find a bootable device : press any key to shutdown)
I have already tried WDRT and WP Internals, which don't work (WDRT: Unknown Error, WP Internals gives security Header error).
With Thor2, I can't flash the FFU file. (I got the FFU from the RM-845 package that WDRT downloaded into C:/ProgramData.)
It gives me an error: RDC file not found. I tried flashing partitions separately, but nothing works until I have this RDC file.
Now where do I get it? I have dumped the FFU via Thor2, and I do have PLAT, GPT, MAIN OS, MMOS, UEFI, TZ. I don't see any file named RDC here.
Kindly help me, anyone here.
P.S , I have Following list of files.
WINSECAPP
UEFI
SBL1
SBL2
SBL3
RPM
PLAT
MAIN OS
MMOS
GPT
GPT0
GPT1
EFIESP
DATA
just missing the RDC file and HEX i guess.
I don't know anything about this, but this seems relevant. https://forum.xda-developers.com/chef-central/windows-phone-7/replace-rdc-t3277506/page1
RoshanX said:
Hello ,
Kindly help me any one here.
Try to install EFIESP.bin partition from another phone, using WPinternals.
I unbricked lumia 530 flashing the EFIESP.bin from custom ROM of lumia 830.
Unfortunately, afterwards the phone can't upgrade to Windows Mobile 10 or hard reset. A sad face appears. It is stuck on WP 8.1.
augustinionut said:
Try to install EFIESP.bin partition from another phone, using WPinternals.
I unbricked lumia 530 flashing the EFIESP.bin from custom ROM of lumia 830.
Unfortunately, afterwards the phone can't upgrade to Windows Mobile 10 or hard reset. A sad face appears. It is stuck on WP 8.1.
Thank you for your participation. I tried it, and also tried flashing the UEFI partition, but it gives me an error (see below):
[21:44:40.362] D_MSG : Initiating flash of partition image operations
[21:44:40.362] D_MSG : WinUSB in use.
[21:44:40.380] D_MSG : Using programming of partition image method
[21:44:40.380] D_MSG : isDeviceInNcsdMode
[21:44:40.381] D_MSG : isDeviceInNcsdMode is false
[21:44:40.381] D_MSG : Detecting UEFI responder
[21:44:40.382] D_MSG : HELLO success
[21:44:40.474] D_MSG : Lumia Flash detected
[21:44:40.474] D_MSG : Protocol version 1.18 Implementation version 2.2
[21:44:40.475] D_MSG : Disable timeouts
[21:44:40.476] D_MSG : Get flashing parameters
[21:44:40.567] D_MSG : Lumia Flash detected
[21:44:40.568] D_MSG : Protocol version 1.18 Implementation version 2.2
[21:44:40.568] D_MSG : Size of one transfer is 2363392
[21:44:40.568] D_MSG : Size of buffer is 2359296
[21:44:40.568] D_MSG : Number of eMMC sectors: 30535680
[21:44:40.568] D_MSG : Platform ID of device: Nokia.MSM8960.P5219.3.2.1
[21:44:40.568] D_MSG : Async protocol version: 01
[21:44:40.569] D_MSG : Security info:
[21:44:40.569] D_MSG : Platform secure boot enabled
[21:44:40.569] D_MSG : Secure FFU enabled
[21:44:40.569] D_MSG : JTAG eFuse blown
[21:44:40.569] D_MSG : RDC not found
[21:44:40.569] D_MSG : Authentication not done
[21:44:40.569] D_MSG : UEFI secure boot enabled
[21:44:40.570] D_MSG : SHK enabled
[21:44:40.570] D_MSG : Device supports FFU protocols: 0031
[21:44:40.571] D_ERR : getGpt failed. Error code 12 h
[21:44:40.572] D_ERR : Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
[21:44:40.584] D_MSG : Operation took about 0.00 seconds.
[21:44:40.585] D_ERR : THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
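Added example, not part of the post above and not thor2's own code: a small Python triage of thor2 output that pulls out the "Security info" block, the error lines and the exit code, and checks that the decimal and hex exit codes agree. `triage` and its field names are made up for illustration, `SAMPLE` is an excerpt of the log quoted above, and the rule for where the security block ends is an assumption.

```python
import re

PREFIX = re.compile(r"^\[\d\d:\d\d:\d\d\.\d+\]\s+(D_MSG|D_ERR)\s*:\s*")
EXIT = re.compile(r"exited with error code (\d+) \(0x([0-9A-Fa-f]+)\)")

# Excerpt of the log quoted in the post above (some lines omitted).
SAMPLE = """\
[21:44:40.569] D_MSG : Security info:
[21:44:40.569] D_MSG : Platform secure boot enabled
[21:44:40.569] D_MSG : RDC not found
[21:44:40.569] D_MSG : Authentication not done
[21:44:40.570] D_MSG : Device supports FFU protocols: 0031
[21:44:40.571] D_ERR : getGpt failed. Error code 12 h
[21:44:40.572] D_ERR : Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
[21:44:40.585] D_ERR : THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
"""

def triage(log: str) -> dict:
    """Summarise thor2 output, with or without the timestamp/level prefix."""
    out = {"security": [], "errors": [], "symbol": None, "exit_code": None, "hex_ok": None}
    in_security = False
    for raw in log.splitlines():
        line = raw.strip()
        m = PREFIX.match(line)
        level, msg = (m.group(1), line[m.end():]) if m else (None, line)
        if not msg:
            continue
        if msg == "Security info:":
            in_security = True
            continue
        if in_security:
            # Assumption: the block ends at the first line carrying a colon or an error.
            if ":" not in msg and level != "D_ERR":
                out["security"].append(msg)
                continue
            in_security = False
        e = EXIT.search(msg)
        if e:
            out["exit_code"] = int(e.group(1))
            out["hex_ok"] = int(e.group(2), 16) == out["exit_code"]
        elif re.fullmatch(r"THOR2_\w+_ERROR_\w+", msg):
            out["symbol"] = msg
        elif level == "D_ERR" or re.search(r"failed|cannot", msg, re.I):
            out["errors"].append(msg)
    out["rdc_missing"] = "RDC not found" in out["security"]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```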
I said WPinternals. Capisci?
Anyway, be careful not to accidentally click OK when Windows asks to format the partition, if you put your phone in mass storage mode. I bricked a Lumia 640 XL that way.
augustinionut said:
I said WPinternals. Capisci?
Anyway, be careful not to accidentally click OK when Windows asks to format the partition, if you put your phone in mass storage mode. I bricked a Lumia 640 XL that way.
Didn't work either. I double-checked.
What I need here, I guess, is either the RDC or the HEX file.
I have seen people generating msimage.mbn via a GPT dump.
But how do I get the hex file, or the RDC?
WPinternals. Is this? https://forum.xda-developers.com/windows-10-mobile/windows-phone-internals-2-2-t3713157