I was searching for the "ffutoraw.exe" file referenced in the "rawprogram0.xml" file from the Xiaomi Mi4 Windows Mobile 10 ROM when I discovered a small tool which can also do the work.
Here is the eMMC DL tool v2.15 from Qualcomm. This tool is publicly available. It's part of the "DragonBoard Update Tool" (dragonboardupdatetool_x64.zip or dragonboardupdatetool_x86.zip) available on this webpage: https://developer.qualcomm.com/hardware/dragonboard-410c/tools Once installed, you will find the file in "C:\Program Files (x86)\Qualcomm\DragonBoardUpdateTool".
This small EXE actually has 3 useful functions regarding FFU file:
- "Create rawprogram0.xml for a FFU file; need -o"
- szOutputFile = rawprogram0.xml
- "-splitffu szFFUFile -o szOutputFile"
- "Split FFU file into partition binary chunks; need -o"
- szPartName = partition name or "all" to extract all partitions
- szOutputFile = destination folder for bin files
- "-dumpffu szFFUFile szPartName -o szOutputFile"
- "Download FFU file to device in emergency download; need -o and -p"
- "-ffu szFFUFile"
(I tried the rawprogram0.xml creation with the Xiaomi Mi4 Windows Mobile 10 ROM and the produced file was exactly the same as the one included in the ZIP file.)
Launching the EXE from the command line will echo an help screen:
Version 2.15
Usage: emmcdl <option> <value>
Options:
-l List available mass storage devices
-info List HW information about device attached to COM (eg -p COM8 -info)
-MaxPayloadSizeToTargetInBytes The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
-SkipWrite Do not write actual data to disk (use this for UFS provisioning)
-SkipStorageInit Do not initialize storage device (use this for UFS provisioning)
-MemoryName <ufs/emmc> Memory type default to emmc if none is specified
-SetActivePartition <num> Set the specified partition active for booting
-disk_sector_size <int> Dump from start sector to end sector to file
-d <start> <end> Dump from start sector to end sector to file
-d <PartName> Dump entire partition based on partition name
-e <start> <num> Erase disk from start sector for number of sectors
-e <PartName> Erase the entire partition specified
-s <sectors> Number of sectors in disk image
-p <port or disk> Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
-o <filename> Output filename
-x <*.xml> Program XML file to output type -o (output) -p (port or disk)
-f <flash programmer> Flash programmer to load to IMEM eg MPRG8960.hex
-i <singleimage> Single image to load at offset 0 eg 8960_msimage.mbn
-t Run performance tests
-b <prtname> <binfile> Write <binfile> to GPT <prtname>
-g GPP1 GPP2 GPP3 GPP4 Create GPP partitions with sizes in MB
-gq Do not prompt when creating GPP (quiet)
-r Reset device
-ffu <*.ffu> Download FFU image to device in emergency download need -o and -p
-splitffu <*.ffu> -o <xmlfile> Split FFU into binary chunks and create rawprogram0.xml to output location
-protocol <protocol> Can be FIREHOSE, STREAMING default is FIREHOSE
-chipset <chipset> Can be 8960 or 8974 familes
-gpt Dump the GPT from the connected device
-raw Send and receive RAW data to serial port 0x75 0x25 0x10
-verbose Enable verbose output
Examples: emmcdl -p COM8 -info
emmcdl -p COM8 -gpt
emmcdl -p COM8 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -SetActivePartition 0
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10
Click to expand...
Click to collapse
Does the tool only work on a device if it is in EDL mode? Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone. This helps...
nate0 said:
Does the tool only work on a device if it is in EDL mode? Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone. This helps...
Click to expand...
Click to collapse
This indeed helps a lot. If I refer to the name of the tool, it probably only works on phone in EDL mode. What do you want to do exactly?
I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing. Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access. If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones. I am still reading and researching much, but with the resources now it should not be hard to accomplish this.
nate0 said:
I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing. Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access. If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones. I am still reading and researching much, but with the resources now it should not be hard to accomplish this.
Click to expand...
Click to collapse
Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
emmcdl -splitffu wp8.ffu -o rawprogram0.xml
But you can also directly flash the FFU file to your phone: you just need the FFU file and the Firehose flasher for your phone (it's a MBN file which has a name looking like "prog_emmc_firehose_8909_lite.mbn"). To proceed, you need to use the "-ffu" option:
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
You won't be able to generate a Windows Mobile image from scratch because neither the BSP package or the WMAK kit have been leaked*. The Windows ADK contains all the tools needed to create and flash a ROM but without the CAB files from the Qualcomm BSP package and the Microsoft WMAK kit, you won't be able to do anything.
* Windows Phone 8.1 AK have been leaked (the install program is in the "\WPBLUE\Blue_9651.12393_ProdSigned_OEM\WPAK" folder of the 7Z file available on this page: http://forum.xda-developers.com/win...ools-wdk-wpak-wpdk-cabs-building-wp8-t3183972)
Windows 10 IoT AK have also been leaked (you need to find either "en_windows_10_iot_core_version_1511_updated_feb_2016_x86_arm_dvd_8369778.iso" or "en_windows_10_iot_core_version_1511_x86_arm_dvd_7226982.iso")
I managed to create a small script which recreate the CAB files from a FFU file. Even if they were exactly the same as the originals, they lacked the Microsoft signature so I am unsure the ADK tools can use them.
Oh, I forgot to add that - to my knowledge - this tool doesn't implement the image integrity validation (signature check [embedded catalog] and hash check [embedded hash table]).
Would be interesting to find out what happen if the stock 950 FFU file is flashed as-is to a Nexus phone...
There is 3 problems I can think about:
- UEFI: the phone may need to have a Microsoft key in its "db" store to authenticate the Windows Mobile bootloader.
- Partitions: does the layout need to be exactly the same as the Android version?
- Drivers: even if the SoC is the same, they may be some tweaks...
TristanLeBoss said:
Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
emmcdl -splitffu wp8.ffu -o rawprogram0.xml
But you can also directly flash the FFU file to your phone: you just need the FFU file and the Firehose flasher for your phone (it's a MBN file which has a name looking like "prog_emmc_firehose_8909_lite.mbn"). To proceed, you need to use the "-ffu" option:
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
You won't be able to generate a Windows Mobile image from scratch because neither the BSP package or the WMAK kit have been leaked*. The Windows ADK contains all the tools needed to create and flash a ROM but without the CAB files from the Qualcomm BSP package and the Microsoft WMAK kit, you won't be able to do anything.
* Windows Phone 8.1 AK have been leaked (the install program is in the "\WPBLUE\Blue_9651.12393_ProdSigned_OEM\WPAK" folder of the 7Z file available on this page: http://forum.xda-developers.com/win...ools-wdk-wpak-wpdk-cabs-building-wp8-t3183972)
Windows 10 IoT AK have also been leaked (you need to find either "en_windows_10_iot_core_version_1511_updated_feb_2016_x86_arm_dvd_8369778.iso" or "en_windows_10_iot_core_version_1511_x86_arm_dvd_7226982.iso")
I managed to create a small script which recreate the CAB files from a FFU file. Even if they were exactly the same as the originals, they lacked the Microsoft signature so I am unsure the ADK tools can use them.
Click to expand...
Click to collapse
I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?
---------- Post added at 07:52 PM ---------- Previous post was at 07:44 PM ----------
Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing you can technically partition it however you want but then your building that configuration from scratch. How difficult is it to dump the partitioning of a 6p? I'm still looking but that's the next best candidate being unlockadble in seeing if this is feasible. Sorry for any typos,sending these last two from my phone.
nate0 said:
I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?
Click to expand...
Click to collapse
I added another reply before seeing yours. It contains 3 thing that may be a problem: UEFI, partition layout and drivers.
UEFI: Windows Mobile is said to require Secure Boot. This is not a problem because Nexus phones support it. The problem I see is more with the signature check on the bootloader: the 'Microsoft Windows Production PCA' and 'Microsoft Corporation UEFI CA' keys should be in the "DB" store for the Windows Mobile bootloader to be accepted by the UEFI bios of the Nexus. The worst thing that can happen is the Nexus displaying a message complaining about the bootloader.
Partition layout: Flashing a new image will probably change the partition table. I don't know if it can be a problem.
Drivers: SoC contains most if not all the required systems of a phone so the drivers should work but they may need per-hardware "customatisation".
The problem is that we hear about people succeeding but not about failures: has someone already tried to flash a FFU file to a Nexus? Maybe no one ever tried... and maybe it's working.
I don't think you can really brick a phone by doing so because the Qualcomm 9008 mode is not something that is part of the image.
nate0 said:
Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing you can technically partition it however you want but then your building that configuration from scratch. How difficult is it to dump the partitioning of a 6p? I'm still looking but that's the next best candidate being unlockadble in seeing if this is feasible. Sorry for any typos,sending these last two from my phone.
Click to expand...
Click to collapse
The FFU file basically contains a disk image with a GPT partition table. When you will flash the FFU, the eMMC memory will be erased and a new partition table will be installed along with the new partitions. On this forum, there is a tool which convert FFU to VHD: http://forum.xda-developers.com/showthread.php?t=2066903 (On my computer, the conversion works but the mounting fails. You can find the resulting VHD file in your Windows profile TEMP directory.). There is also one Python script available to create a RAW disk image from a FFU file but I HIGHLY DON'T RECOMMEND IT as it doesn't implement the whole FFU specification so it will likely create corrupt disk image.
The thing I don't know is if the partition layout of a phone can be changed: you can of course change it but will the phone still operate? I mean maybe each partition need to start at an exact sector (LBA) [I don't think so but without trying...]
Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile
nate0 said:
Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile
Click to expand...
Click to collapse
No, I have no Windows Phone
Maybe the Secure Boot is just a requirement but it may not be mandatory to boot.
It's also possible that a retail ROM check for it but that a production ROM may not check for it. ( https://cms-images.idgesg.net/images/article/2015/03/uefi-secure-boot-windows-10-100574859-orig.png )
Okay, I have more information: it seems that on mobile phones, the SecureBoot keys can be stored in a partition from the emmc. This partition name is RPMB for Replay Protected Memory Block.
This partition is encrypted with the PK key which is burnt into the chip.
It seems booting an unverified bootloader is possible on Nexus phone
http://android.stackexchange.com/qu...ot-img-to-nexus-5-when-secure-boot-is-enabled
Q: "As I understand, if secure boot is enabled, the bootloader will verify the boot.img when booting.
Obviously, my custom kernel cannot pass the verification.
In such a case, how to correctly flash my own boot.img?"
A: "This doesn't imply that you cannot boot into the Android with your custom kernel. When the verification would fail, your device would warn you about that and you would be given the choice to continue the boot process or not."
Correct. It warns of this after unlocking the boot loader. Need to acquire an mbn for this phone to boot the rom in question.
nate0 said:
Correct. It warns of this after unlocking the boot loader. Need to acquire an mbn for this phone to boot the rom in question.
Click to expand...
Click to collapse
I attached the one I have but don't know if it's the one to use for this phone.
Did you generate this mbn or locate it elsewhere? I am trying to understand how the mbn file fits into the picture. Is it generated based on the FFU image or generated by the OEM?
I was able to create the program xml from a lumia FW of another 800 SoC (Lumia ICON). With the files and tools gathered I want to just test this flash process by flashing a different Windows ROM designed for the Lumia onto my Ativ SE. I think I have a way of getting the mbn for this phone with samtools which I found in another forum thread, but I will have to double check. The ATIV SE is also the 800 but not designed for this specific Lumia rom or the rom designed for it, however you look at it. I am willing to do this since the ATIV SE has a bad sim slot anyway.
I think "MBN" doesn't mean anything: it's just an extension. I found MBN files containing basically any type of file. The MBN file I attached and which is needed by the emmcdl.exe program should be an ELF (Executable Linkable Format, the EXE files of Linux among many uses ). Open it with an hex editor and it should start with "ELF".
The file I provided has been found by myself. I have not yet any idea if it's possible to generate them. Firehose is the name of one of the many protocols which can be used to talk to a device in emergency mode. I think it only depends on the SoC.
My answer to your PM may be useful for everyone. So I copy it here:
I'm not sure flashing the FFU of the Lumia 950 XL to an Ativ SE will work as is. Indeed they don't use the same SoC. It's possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using ImageApp.exe (from Windows 10) directly on the FFU file:
https://msdn.microsoft.com/en-us/library/windows/hardware/dn789232(v=vs.85).aspx
TO TEST
It may also be possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using DISM (from Windows 10) directly on the FFU file:
Dism /Image:flash.ffu /Add-Package /PackagePath:C:\packages\package1.cab /PackagePath:C:\packages\package2.cab
Click to expand...
Click to collapse
Use the /IgnoreCheck argument if you want the command to process without checking the applicability of each package.
You may want to remove the CAB files related to the Qualcomm MSM8994 SoC of the Lumia 950 XL:
Dism /Image:flash.ffu /Remove-Package /PackageName:Microsoft.Windows.Calc.Demo~6595b6144ccf1df~x86~en~1.0.0.0
Click to expand...
Click to collapse
Use the /Get-Packages option to find the name of the package in the image.
END - TO TEST
Without this step, you will probably ends up with a boot looping phone but you should be able to recover the original Windows Phone 8 OS with the Microsoft Windows Device Recovery Tool.
There is 4 ways to flash a new image to a device:
- Using UEFI download mode (Windows Phone)
- Using fastboot (Android)
- Using the Qualcomm 9008 mode (all phones with a Qualcomm SoC)
- Using the FFU download mode (Windows Phone)
1. How to put the phone in UEFI download mode
If you have a Windows Phone, please try to turn off the phone and then press the power button for a long time until the phone shows a "Windows Phone Boot Menu" with a "USB Mass Storage Mode". You can then release the button.
To select this option, simply press the power button once: you can now connect the phone to your computer. The driver should install automatically and the phone will appear on your computer as a disk drive.
2. How to put the phone in fastboot mode
Go here: http://www.droidviews.com/how-to-bo...astboot-download-bootloader-or-recovery-mode/
3. How to (force) trigger the Qualcomm 9008 mode
NOTE: If you have a working operating system, this is not needed to flash a new image. If the phone feels the need to go in Qualcomm 9008 mode (if it fails to boot from the eMMC), it will do it by itself.
NOTE: For Android, you may be able to reboot the phone in Qualcomm 9008 mode using an adb command:
adb reboot edl
Click to expand...
Click to collapse
The only way to (force) go into Qualcomm 9008 mode is to brick your phone: indeed, if it fails to do any kind of software boot from the eMMC memory, it will fallback to Qualcomm 9008 mode.
( Ok, on some phone, shorting some pins on the motherboard may force the Qualcomm 9008 mode but you need to know which ones )
The first step is to prevent the phone from booting the installed operating system. To do that, we remove the boot partition from the eMMC. Don't worry, the primary boot loader (PBL) is in a chip on your board and can't be erased: you only kill the operating system (Android/Windows) bootloader; also known as secondary boot loader (SBL).
3.1 Android
If you have an Android phone, you will need to boot into fastboot and issue the following command to erase the SBL1 partition (the operating system bootloader):
fastboot erase sbl1
Click to expand...
Click to collapse
3.2 Windows
If you have a Windows phone, you will need to boot into UEFI download mode.
Once the phone is installed on your computer, you need to delete the SBL1 partition from the phone (the operating system bootloader). I think you can do it using any partition software because the phone is detected by the computer as a drive.
You can also use the emmcdl.exe tool:
You first need to list disks:
emmcdl.exe -l
Click to expand...
Click to collapse
Note the number at the begining of your phone's drive. Then issue the following command (replace X with the disk number):
emmcdl.exe -p X -e SBL1
Click to expand...
Click to collapse
4. How to flash a new image
4.1. Using UEFI download mode (Windows Phone)
NOTE: If you don't have the stock FFU file or if your phone is not supported by the Windows Device Recovery Tool, you may also want to do a backup of the phone drive using a free tool like "HDD Raw Copy": this drive image can be reflashed later using the download mode [if you can reach it] or from the Qualcomm 9008 mode.
4.1.1 Method #1: FFU > VHD > HDD Raw Copy
- convert the FFU file to a VHD using ImgMount ( http://forum.xda-developers.com/showthread.php?t=2066903 ),
- mount the VHD as read-only on your PC using VHDAttach ( https://www.medo64.com/vhdattach/ ),
- use "HDD Raw Copy" ( http://hddguru.com/software/HDD-Raw-Copy-Tool/ ) to copy the whole disk corresponding to the VHD to the drive corresponding to your phone (clone the VHD onto the drive).
4.1.2 Method #2: Using DISM.exe
NOTE: You will probably need DISM from a Win 10 installation.
dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN
Click to expand...
Click to collapse
Use /SkipPlatformCheck if the FFU file being applied is targeted for a device other than the device performing the application.
URL: https://developer.microsoft.com/en-us/windows/iot/win10/samples/dism
4.2 Using Qualcomm 9008 mode (All phones with a Qualcomm SoC)
If your phone is in Qualcomm 9008, it will show up as "Qualcomm HS-USB QDLoader 9008" [or QHSUSB_DLOAD]. (If it does show up as "Qualcomm HS-USB Diagnostics 9006" [or QHSUSB_BULK] don't do anything as it's not exactly the same thing).
You indeed need drivers. You can find them here: https://mega.nz/#!uhJl0B5R!J6Hbx6Dd6...WrkVNK8IZaOTkg
NOTE: It seems that some phones also mount the eMMC as a drive: you need to look under "Disk drives" in your Windows "Device manager. Indeed, if you find "Qualcomm MMC Storage USB Device", it means your phone eMMC is mounted as a drive. You can use methods from 4.1 instead of continuing here.
Once the phone is detected and installed, you can use this command:
emmcdl.exe -p COMX -f prog_emmc_firehose_XXXX_lite.mbn -FFU Flash-val.FFU
Click to expand...
Click to collapse
Replace COMX with the port used by the phone: you can find it in the "Device Manager" under "Ports (COM & LPT)". You also need the correct flasher for your phone.
// TODO : Add things about protocol
4.3 Using fastboot (Android)
fastboot oem unlock
Click to expand...
Click to collapse
Extract all partitions from the FFU file as BIN files:
emmcdl -dumpffu {FFU_file} all -o {folder}
Click to expand...
Click to collapse
Flash new partition table:
fastboot flash partition {partition_table_file}
Click to expand...
Click to collapse
Flash all partitions:
fastboot flash {partition_name} {partition_file}
Click to expand...
Click to collapse
Reboot:
fastboot reboot
Click to expand...
Click to collapse
4.4 Using FFU download mode (Windows)
NOTE: This method use a flasher from the phone. This flasher does check for image integrity (thanks to the embedded hash table into FFU file) and check if the FFU file is signed (thanks to the embedded catalog file). It also check if the FFU file is for this phone (platform check). So, it can only be used to flash stock image.
To force the device into the FFU download mode manually, press and release the power button to boot the device, and then immediately press and hold the volume up button. This option is available only after an initial FFU has been flashed to the device.
ffutool -flash flash.ffu
Click to expand...
Click to collapse
There is another tool from Microsoft dealing with FFU: ffutool.exe
https://msdn.microsoft.com/en-us/library/windows/hardware/dn789235(v=vs.85).aspx
It's part of Windows Assessment and Deployment Kit (Windows ADK) which is publicly available ( https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx ).
NOTE: This program has been coded using C# so it can easily be decompiled back to its source code using ILSpy ( http://ilspy.net/ ). It uses the following assembly: 'FFUComponents, Version=8.0.0.0, Culture=neutral, PublicKeyToken=5d653a1a5ba069fd' which may contains interesting code.
I'm not sure it's useful as it seems to enforce integrity check and platform check.
Usage: FFUTool -flash <path to FFU file to apply to disk> [path to flashing WIM]..
FFUTool -uefiflash <path to FFU, flashed from UEFI directly>..
FFUTool -fastflash <path to FFU, flashed from UEFI directly>..
FFUTool -wim <path to WIM to boot from RAM>..
FFUTool -skip..
FFUTool -list..
FFUTool -massStorage..
FFUTool -clearId..
FFUTool -serial..
FFUTool -setBootMode <boot mode> <optional profile name>
Click to expand...
Click to collapse
The last tool which deals with FFU files is thor2.exe
It's also publicly available: just install the Microsoft Windows Device Recovery Tool ( http://go.microsoft.com/fwlink/p/?LinkId=522381 ) and you will find it in this folder: C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
Usage: thor2 -mode [MODE] -[ARGUMENT]... -[FLAG]...
Thor2 aims to provide SW update and miscellaneous R&D operations for WP8 products, Alpha, Collins, Theta, Quattro and Romulus engines.
MODEs:
Sets mode of operation. Modes are emergency, uefiflash, sdflash, vpl, dump, rnd, retail, ffureader, list_connections and uefiserialflash.
ARGUMENTs:
-ffufile <filepath> Sets path to FFU file
-sdfile <filepath> Sets path to SD file
-vplfile <filepath> Sets path to VPL file
-conn <connection> Sets connection endpoint/identifier. E.g. COMx in Windows (where x is number).
Connection ID notation is controllerID:hubort. Like 0.0200.0003.0100:0004:0002
Controller ID notation is the value of each sub strings of PCI of Device Location Paths USB property.
The values of PCI sub strings are concatenated into resulting value separated by comma.
For example PCIROOT(0)#PCI(0200)#PCI(0003)#PCI(0100)#USBROOT(0)#USB(1)#USB(5)#USB(6)#USB(1) results 0.0200.0003.0100 as controllerID.
If omitted, THOR2 tries to auto-detect a connected device.
Use list_connections mode to findout connected device along connection IDs.
-logfile <filepath> Sets custom log file for THOR2 traces
*** arguments for emergency mode ***
-configfile <filepath> Sets path to 8974 emergency download configuration file (file should be in XML format).
All references to binary files in the configuration file should be located in the same directory.
-protocol <prot> Forces usage of specific emergency download protocol. Supported protocols: sahara ( Quattro/Romulus ) and streaming ( Collins / Alpha as default )
-mbnfile <filepath> Sets path to mbn file
-hexfile <filepath> Sets path to QComm HEX flasher file
-dumpfileforhexflasher <filepath> Sets the path to dump file.
-dumparea <first sector to read,amount of sectors to read>
*** arguments for uefiflash mode ***
-partitionname <partition name> Sets partition name of the GPT to program to.
-partitionimagefile <filepath> Sets path to partition image file to be programmed into the device.
-imagefile <filepath> Sets image file to be programmed into the device.
-startsector <first sector to flash> Sets number of sector from flashing of image begins.
-productcodeupdate <CTR code> Updates product code after successful programming. RM-820 is out-scoped.
-looptest <loopCounter> Tests FFU programming in a loop while staying in the flash mode between programming trials.
-timeout <time in seconds> Waiting time of device to appear.
-maxtransfersizekb <block size in kb> Max programming block size.
-dplfile <filepath> Sets path to DPL file.
-batterylevel <value> Sets minimum battery level that flashing starts.
*** arguments for uefiserialflash mode ***
-serialflash <loopCounter> FFU programming of multiple of devices. Multiple of devices can be programmed in serial one after one.
*** arguments for dump mode ***
-uefifile <filepath> Sets path to UEFI file to be loaded into the device.
-partitionname <name> Sets name of partition to be read out from the device.
-dumparea <first sector to read,amount of sectors to read>
*** arguments for rnd mode ***
-gptfile <filepath> Sets path to GPT image file.
-rawmsgreq <hex message> Message to be send to the device in hexadecimal. Messaging protocol could be NOK, JSON or user defined.
-rawmsgresp <hex message> Expected response message to '-rawmsgreq <hex message>' request message. Returns a zero (0) if match between request and response.
-asciimsgreq <ascii message> Message to be send to the device in ASCII. Messaging protocol could be NOK, JSON or user defined.
-jsonfile <filepath> Sets path to JSON file.
-asciimsgresp <ascii message> Expected response message to '-asciimsgreq <ascii message>' request message. Returns a zero (0) if match between request and response.
-do_authentication -sdauthenticationtype <production|tucson>.
*** arguments for retail mode ***
-nvifile <filepath> Sets path to NVI file.
-writerdc <filepath> Writes RDC from the given file to the device.
-readrdc <filepath> Reads RDC to the given file from device.
-erasepartition <name> Sets name of partition to be erased from the device.
*** arguments for ffureader mode ***
-partitionimagefile <filepath> Sets path to partition image file.
-filedir <dir path> Sets path to directory, where files are dumped.
FLAGs:
*** flags for emergency mode ***
-skipprotocoldetection Skips automatic detection of emergency protocol when connection is opened. Can be used in conjunction
with argument "-protocol sahara"
-skipffuflash Skips FFU flashing at the end of emergency download
-skippayloadsending Skips payload sending of rnd emergency download
-use_legacy_hex Collins and Alpha emergency. Uses legacy HEX flasher.
-orig_gpt Collins and Alpha emergency. Programs MBN image.
-debug Enables raw message tracing (during Sahara protocol stage)
*** flags for uefiflash mode ***
-skip_write Secure FFU flashing. Programming sequence executed without programming to the storage device.
-skip_hash Secure FFU flashing. Skips the hash calculation of the payload data.
-skip_id_check Secure FFU flashing. Skips Platform ID check between the device and FFU file.
-skip_signature_check Secure FFU flashing. Skips signature check of secure header of FFU file.
-skip_reboot_on_failure Secure FFU flashing. Skips reboot option if flashing fails.
-do_factory_reset Restores Modem FSG partition to Modem FS1 and erases Modem FS2.
-verify_write Secure FFU flashing. Normal programming sequence executed followed by read and verify.
-detect_device_after_reboot Detects device after reboot.
-disable_msg_timeout Secure FFU flashing. Disables messaging timeout of UEFI FlashApp
-skip_flash Secure FFU flashing. Boots to the UEFI FlashApp without programming
-skip_rkh_check Secure FFU flashing. Skips the Root Key Hash check between the device and FFU file
-use_crc_in_sffu_prog Secure FFU flashing. CRC32 is used to check integrity of the payload data
-erase_data Secure FFU flashing. Erases the Data partition a.k.a UDA of Windows Phone
-skip_preserve_dpp Skips overwriting prevention of DPP partition. By default programming will fail if the DPP partition of FFU file contains data.
-reboot Reboots the device, if possible
-power_off Powers off the device after the USB cable is disconnected.
-sync_msging_sffu_prog Secure FFU flashing. Uses sync messaging between PC and device.
-do_full_nvi_update Applies the full NVI settings after successful programming. During the first boot after programming the NVI updater updates the NV items.
-unbufferedfileio Use unbuffered file I/O in case of SFFU programming. Aims to fix issues if FFU file is programmed from a network share.
-skip_backup_restore Secure FFU flashing. Skips backup and restore. By default backups of MODEM_FSG, MODEM_FS1, MODEM_FS2, SSD and
DPP partitions to the RAM of device and restores them after successful programming of Windows Phone.
-show_detailed_progress Shows detailed progress info (transferred bytes and transfer speed).
-trace_usb Prints out debugging traces of WinUSB client.
-use_boot_to_flsapp_json Re-boots device into the flash mode from the normal/test mode.
-skip_exit_on_post_op_failure Executes all specified post flash operations (factory reset, full NVI update etc.), even if failures occur.
-restorepartition Restores backup partition into the eMMC.
*** flags for dump mode ***
-dump_via_gpt Reads out the content of eMMC of Windows Phone. The reading is based on the GPT of device.
This is excluded from the official Uefi FlashApp.
-dump_via_sector Reads out the content of eMMC of Windows Phone. The reading is based on -dumparea argument.
This is excluded from the official Uefi FlashApp.
-skip_read Skips read in case of reading out the content of eMMC of Windows Phone.
This enables to load and execute an UEFI app from PC to device.
*** flags for rnd mode ***
-bootmsc Boots the device into the USB mass storage mode.
-detect_device_after_reboot Detects device after reboot.
-readjtagserial Reads serial number of JTAG.
-bootmmos Boots the device into the MMOS.
-normalmode Operations are done in the normal mode of device.
-uefitests Tests DSS UEFI apps of device.
-delgpt Clears the GPT of device.
-skip_gpt_check The R&D mode validates the GPT. Use this flag to skip the check.
-bootflashapp Boots to UEFI Flash App.
-bootphoneinfoapp Boots to UEFI Phone Info App.
-boot_edmode Boots to Emergency Download mode.
-read_public_id Reads public ID from the device.
-power_off Powers off the device after the USB cable is disconnected.
-read_charging_status Reads charging status from the device.
-read_final_config Reads final config from the device.
-skip_com_scan Skips scanning of COM ports.
-reboot Reboots the device, if possible
-do_rpmb Executes RPMB provisioning procedure.
-do_uefikeys_rd Executes UEFI Keys provisioning procedure for RD.
-do_uefikeys_prod Executes UEFI Keys provisioning procedure for production.
-dump_gpt Executes parsing of GPT image file.
-flashappbuildinfo Reads build related information about the UEFI flash application.
-uefisecurebootinfo Reads information about the UEFI secure boot.
-readphoneinfo Reads Phone info.
-continueboot Continue boot.
-readdeviceinfo Reads miscellaneous information from device.
-readrpmbstatus Read RPMB provisioning status.
-readisswversion Reads ISSW version and compilation info.
-do_factory_reset Restores Modem FSG partition to Modem FS1 and erases Modem FS2.
-do_authentication Authenticates device. The default authentication level is
production. Level can be changed by argument sdauthenticationtype.
-bootlumiabootmgr (Re-)Boots to Boot Manager.
-bootnormalmode Boots to the normal mode / Windows Phone OS.
-dump_mbn Chops up MBN image into files according to the GPT of MBN image.
-readcid Reads card identification of eMMC, manufacturer, OID and PSN.
-validatessdhash Validates SSD integrity.
-relock GDR3 devices which have been retail unlocked with MSFT packages
are not booting if Blue SW is updated via FFU flashing.
Re-lock operation should be done prio to flashing Blue FFU.
-oddt Connection created to ODDT Control, if it is found.
-readramsize Reads size of system memory.
-read_reset_protection_status Reads status of reset protection.
-remove_sbcp Removes secure boot configuration policy.
*** flags for retail mode ***
-reboot Reboots the device, if possible
-eraserdc Erases the RDC from the device.
-power_off Powers off the device after the USB cable is disconnected.
*** flags for uefiserialflash mode ***
-power_off Powers off the device after the USB cable is disconnected.
*** flags for ffureader mode ***
-dump_gpt Dumps GPT(s) from FFU file.
-dump_partitions Dumps partitions into files according to the GPT of FFU file.
-read_antitheft_version Reads only antitheft version from FFU file.
*** miscellaneous ***
Thor2 supports drag and drop. The basic flashing can be done by drag&drop ffu file over the thor2.exe.
If thor2 shortcut is added to SendTo menu, you can flash ffu file by sending it to thor2.
-skip_logfile Skips logfile creation.
-mode userauthentication -passcode securitycode [-server saisec001] [-securesessionfile mysession.bin ] Authentication with VIP Access, creates user's securesessionid file
/? Displays this help and exits.
--help Displays this help and exits.
--help -mode [ MODE ] Displays examples according to defined mode and exits.
--version Displays version information and exits.
*-*-* examples *-*-*
*-*-* Uefiflash examples *-*-*
SFFU programming:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu"
SFFU programming and product code update:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -productcodeupdate 01234567
SFFU programming and Full NVI update:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -do_full_nvi_update -do_factory_reset
SFFU programming along product code and Full NVI updates:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -productcodeupdate 01234567 -do_full_nvi_update -do_factory_reset -reboot
SFFU programming and battery level check:
thor2 -mode uefiflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -batterylevel 10
Partition programming. Programs uefi.mbn partition image file into uefi partition:
thor2 -mode uefiflash -partitionname uefi -partitionimagefile "uefi.mbn"
Image programming. Programs GPT:
thor2 -mode uefiflash -startsector 0 -imagefile "gpt.bin"
Partition programming. Programs sbl1.mbn partition image file into sbl1 partition:
thor2 -mode uefiflash -partitionname sbl1 -partitionimagefile "sbl1.mbn"
Partition restoring. Restores dpp.mbn partition image file into dpp partition:
thor2 -mode uefiflash -partitionname dpp -partitionimagefile "dpp.mbn" -restorepartition -skip_gpt_check
MMOS programming:
thor2 -mode uefiflash -mmosfile "mmos.wim"
MMOS programming according to DPL file:
thor2 -mode uefiflash -dplfile "DPL_RM974.xml"
*-*-* Emergency examples *-*-*
Emergency and SFFU programming for Quattro and Romulus:
thor2 -mode emergency -configfile "emergency_config.xml" -ffufile "Production_flash.ffu"
Emergency programming for Quattro and Romulus:
thor2 -mode emergency -configfile "8974_emergency_config.xml" -ffufile "QUMA_Production_flash.ffu" -skipffuflash
Emergency and SFFU programming for Quattro and Romulus ( RnD ) :
thor2 -mode emergency -hexfile "MPRG8974_fh_v1_0.mbn" -edfile "RM937_1025.0001.1.1.ed" -ffufile "Production_flash.ffu"
Emergency and SFFU programming for Collins and Alpha:
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -ffufile "RM821_Production_flash_rnd_signed.ffu"
Emergency programming for Collins and Alpha ( GPT from FFU file ):
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -ffufile "RM821_Production_flash_rnd_signed.ffu" -skipffuflash
Emergency programming for Collins and Alpha ( MBN file only ):
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -orig_gpt
Reads content of eMMC with HEX flasher. The dump area is in sectors; first_sector_to_read,amount_of_sectors_to_read. Size of one sector is 512 bytes.
The official HEX flasher does not support reading. Thus a RnD version is needed for that.
Reads out the GPT of device:
thor2 -mode emergency -configfile "8974_emergencyflash_config.xml" -dumparea 0,34 -dumpfileforhexflasher "gpt.bin"
*-*-* Rnd mode examples *-*-*
Read phone info:
thor2 -mode rnd -readphoneinfo
Boot to the USB MSC mode:
thor2 -mode rnd -bootmsc -skip_com_scan
Note: PC will freeze, if SBL3 code is used and MSC code is missing from SBL3
Boot to the MMOS:
thor2 -mode rnd -bootmmos -skip_com_scan
Boot to the Emergency Download mode:
thor2 -mode rnd -skip_gpt_check -boot_edmode
Delete the GPT of device:
thor2 -mode rnd -delgpt -skip_com_scan
Execute DSS UEFI app tests:
thor2 -mode rnd -uefitests -skip_com_scan
Reboot the device:
thor2 -mode rnd -reboot
Power off the device:
thor2 -mode rnd -power_off
Read public ID from the device:
thor2 -mode rnd -read_public_id -skip_com_scan
Chop up MBN image into files according to the GPT:
thor2 -mode rnd -mbnfile "8960_msimage_uefi.mbn" -dump_mbn
Extract ed payload image:
thor2 -mode rnd -edfile "ed_payload.ed" -dump_edpayload
Executes UEFI Keys provisioning procedure for RD:
thor2 -mode rnd -do_uefikeys_rd -skip_com_scan
Executes UEFI Keys provisioning procedure for production:
thor2 -mode rnd -do_uefikeys_prod -skip_com_scan
Executes RPMB provisioning procedure:
thor2 -mode rnd -do_rpmb -skip_com_scan
Executes parsing of GPT:
thor2 -mode rnd -gptfile "gpt.mbn" -dump_gpt -skip_com_scan
Raw messaging. Disables messaging timeout (NOKD):
thor2 -mode rnd -rawmsgreq 4e4f4b44 -rawmsgresp 4e4f4b44 -skip_com_scan
Raw messaging. Hello (NOKI):
thor2 -mode rnd -rawmsgreq 4e4f4b49 -rawmsgresp 4e4f4b49 -skip_com_scan
Raw messaging. Reboot (NOKR):
thor2 -mode rnd -rawmsgreq 4e4f4b52 -skip_com_scan
ASCII messaging. Disables messaging timeout:
thor2 -mode rnd -asciimsgreq NOKD -asciimsgresp NOKD -skip_com_scan
ASCII messaging. Hello:
thor2 -mode rnd -asciimsgreq NOKI -asciimsgresp NOKI -skip_com_scan
ASCII messaging. Reboot:
thor2 -mode rnd -asciimsgreq NOKR -skip_com_scan
Reads serial number of JTAG:
thor2 -mode rnd -readjtagserial -skip_com_scan
Reads RPMB provisioning status:
thor2 -mode rnd -readrpmbstatus -skip_gpt_check
Reads PSN:
thor2 -mode rnd -readpsn -skip_com_scan
Sends JSON messages from JSON file to MMOS / label app:
thor2 -mode rnd -jsonfile "json_messages_file.json"
Sends JSON messages from JSON file to normal mode / NCSd:
thor2 -mode rnd -jsonfile "json_messages_file.json -normalmode"
Device authentication:
thor2 -mode rnd -do_authentication -sdauthenticationtype production -skip_com_scan -skip_gpt_check [-server saisec001.europe.nokia.com] [-securesessionfile mysession.sessionid]"
Reads CID (manufactuter of eMMC):
thor2 -mode rnd -readcid -skip_com_scan
Validates SSD integrity:
thor2.exe -mode rnd -validatessdhash -skip_gpt_check
Re-lock:
thor2.exe -mode rnd -relock -skip_gpt_check
Reads ISSW version and compilation info:
thor2.exe -mode rnd -readisswversion -skip_gpt_check
Reads status of reset protection:
thor2.exe -mode rnd -read_reset_protection_status -skip_gpt_check -skip_com_scan
Removes secure boot configuration policy:
thor2.exe -mode rnd -remove_sbcp -skip_gpt_check -skip_com_scan
*-*-* ffureader mode examples *-*-*
Read FFU file and dump partitions into files according to the GPT:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_partitions
Read FFU file and dump partitions into files into defined directory according to the GPT:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_partitions -filedir c:\temp
Read FFU file and dump GPT(s) into files:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -dump_gpt
Read the RKH from partition image file:
thor2 -mode ffureader -partitionimagefile "SBL1.mbn"
Read FFU file and read Antitheft version:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu" -read_antitheft_version
Read FFU file and check integrity:
thor2 -mode ffureader -ffufile "RM821_Production_flash_rnd_signed.ffu"
*-*-* dump mode examples *-*-*
Reads content of eMMC with UEFI flash app. Dumps whole eMMC based on the GPT:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" -dump_via_gpt
Reads content of eMMC with UEFI flash app. Dumps eMMC based on the dumparea argument.
The dump area is in sectors; first_sector_to_read,amount_of_sectors_to_read. Size of one sector is 512 bytes.
Reads out the GPT of device:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" "-dumparea 0,34" -dump_via_sector
Reads content of eMMC with UEFI flash app based on partitionname argument. Reads uefi partition image file from uefi partition:
thor2 -mode dump -uefifile "FlashApp_debug_dump.efi" -dump_via_gpt -partitionname uefi
*-*-* Retail mode examples *-*-*
Erases partition based on name of partition. Erases Data partition:
thor2 -mode retail -erasepartition Data
Reads the RDC from device into the file:
thor2 -mode retail -readrdc "rdc.bin"
Writes the RDC into the device from file:
thor2 -mode retail -writerdc "rdc.bin"
Erases the RDC from device:
thor2 -mode retail -eraserdc
Sends NVIs messages from nvi file to MMOS / label app:
thor2 -mode retail -nvifile "CustomerNvi.nvi"
Sends NVIs messages from nvi file to normal mode / NCSd:
thor2 -mode retail -nvifile "CustomerNvi.nvi -normalmode"
*-*-* misc examples *-*-*
VPL programming:
thor2 -mode vpl -vplfile "RM821_059R7J4_1232.5951.1249.1003_016.vpl"
SD card programming:
thor2 -mode sdflash -sdfile "RM821_059R7J4_1232.5951.1249.1003_016.img"
Read USB connections and print the result:
thor2 -mode list_connections
Programs the same FFU file into one or multible devices. User needs to change devices between programming states:
thor2 -mode uefiserialflash -ffufile "RM821_Production_flash_rnd_signed.ffu" -serialflash 50 -power_off
Copyright @ 2015 Microsoft Mobile
Click to expand...
Click to collapse
Hello ,
I have a Nokia Lumia 822 with me here , and since 2 days i am trying to fix it .
ERROR ( Unable to find a bootable device : press any key to shutdown )
I have already tried WDRT , WP Internals , doesn't work ( WDRT -Unkown Error , WP Internals gives security Header error ).
With Thor2 , can't flash FFU file . ( I got the FFU from WDRT downloaded RM-845 package in C:/ProgramData)
It's give me an Error RDC file not found. I tried flashing partitions separately but Nothing works until i have this RDC file.
Now where do i get it ? I have dumped FFU via Thor2 , and i do have PLAT , GPT , MAIN OS , MMOS , UEFI , TZ . I dont see any RDC named file here.
Kindly help me any one here.
P.S , I have Following list of files.
WINSECAPP
UEFI
SBL1
SBL2
SBL3
RPM
PLAT
MAIN OS
MMOS
GPT
GPT0
GPT1
EFIESP
DATA
just missing the RDC file and HEX i guess.
I don't know anything about this, but this seems relevant. https://forum.xda-developers.com/chef-central/windows-phone-7/replace-rdc-t3277506/page1
Sent from my Moto G (5S) Plus using Tapatalk
RoshanX said:
Hello ,
Kindly help me any one here.
Click to expand...
Click to collapse
Try to install EFIESP.bin partition from another phone, using WPinternals.
I unbricked lumia 530 flashing the EFIESP.bin from custom ROM of lumia 830.
Unfortunately, after, the phone cant upgrade to windows mobile 10 or hard reset. Sad face appear. Is stuck on wp 8.1.
augustinionut said:
Try to install EFIESP.bin partition from another phone, using WPinternals.
I unbricked lumia 530 flashing the EFIESP.bin from custom ROM of lumia 830.
Unfortunately, after, the phone cant upgrade to windows mobile 10 or hard reset. Sad face appear. Is stuck on wp 8.1.
Click to expand...
Click to collapse
Thank you for your participation , I tried it it , and also tried flashing UEFI paritition , but it gives me an error(see below)
[21:44:40.362] D_MSG : Initiating flash of partition image operations
[21:44:40.362] D_MSG : WinUSB in use.
[21:44:40.380] D_MSG : Using programming of partition image method
[21:44:40.380] D_MSG : isDeviceInNcsdMode
[21:44:40.381] D_MSG : isDeviceInNcsdMode is false
[21:44:40.381] D_MSG : Detecting UEFI responder
[21:44:40.382] D_MSG : HELLO success
[21:44:40.474] D_MSG : Lumia Flash detected
[21:44:40.474] D_MSG : Protocol version 1.18 Implementation version 2.2
[21:44:40.475] D_MSG : Disable timeouts
[21:44:40.476] D_MSG : Get flashing parameters
[21:44:40.567] D_MSG : Lumia Flash detected
[21:44:40.568] D_MSG : Protocol version 1.18 Implementation version 2.2
[21:44:40.568] D_MSG : Size of one transfer is 2363392
[21:44:40.568] D_MSG : Size of buffer is 2359296
[21:44:40.568] D_MSG : Number of eMMC sectors: 30535680
[21:44:40.568] D_MSG : Platform ID of device: Nokia.MSM8960.P5219.3.2.1
[21:44:40.568] D_MSG : Async protocol version: 01
[21:44:40.569] D_MSG : Security info:
[21:44:40.569] D_MSG : Platform secure boot enabled
[21:44:40.569] D_MSG : Secure FFU enabled
[21:44:40.569] D_MSG : JTAG eFuse blown
[21:44:40.569] D_MSG : RDC not found
[21:44:40.569] D_MSG : Authentication not done
[21:44:40.569] D_MSG : UEFI secure boot enabled
[21:44:40.570] D_MSG : SHK enabled
[21:44:40.570] D_MSG : Device supports FFU protocols: 0031
[21:44:40.571] D_ERR : getGpt failed. Error code 12 h
[21:44:40.572] D_ERR : Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
[21:44:40.584] D_MSG : Operation took about 0.00 seconds.
[21:44:40.585] D_ERR : THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
I said WPinternals. Capisci?
Anyway, be carefull to not accidentaly click OK when windows will ask to format partition, if you put your phone in mass storage mode. I bricked lumia 640xl that way.
augustinionut said:
I said WPinternals. Capisci?
Anyway, be carefull to not accidentaly click OK when windows will ask to format partition, if you put your phone in mass storage mode. I bricked lumia 640xl that way.
Click to expand...
Click to collapse
Didn't work either. i double checked.
What i need over here i guess is either the RDC , or either the HEX file.
I have seen people generating msimage.mbn via GPT dump
But how do i get the hex file ?! or the RDC ?
WPinternals. Is this? https://forum.xda-developers.com/windows-10-mobile/windows-phone-internals-2-2-t3713157