Better Mobile App

Sensation ! We have found a method to restore dead Bootloader for Atom Exec

Sensation !!!!
We have found a method to restore dead Boot for
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
We found JTAG and developed the recovery technology!
FAQ is translating from Russian and will be written.
Autor's Alex_Beda & 1stMASTER
--------------------------------------
Manual to restore dead BootLoader
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
© Copyright to Alex_Beda & 1stMASTER
PDA-HACK.NET Team http://pda-hack.net
If our article has helped you, you can donate the Web Money
WMID 378286389551
for WMZ: Z396747110007
for WME: E114645323227
for WMR: R351032339900
Thanks to all who helped.
Thanks to Winterice for the technical assistance and moral support.
Thanks to ant 125 for useful information
Thanks to Allbest, deniska.75, Borozavr, Erke for moral support.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
This procedure consists of two parts.
Hardware (making cable for reflashing) and software (reflashing).
Hardware part:
This pinouts JTAG of Atom Exec, Rover G5, Orsio n725, O2 Atom, O2 Atom Exec
At O2 Atom (not Exec) is the only internal contacts. Located near the Camera button.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
There are contacts inside the device, near the buttons CAMERA,
for access them, you need to open device.
There are contacts from the outside, near the SIM connector.
All contacts is working
For inside contacts need this connector
http://i218.photobucket.com/albums/cc23/alex_beda/raz012.jpg
You can so using connector from floppy drive 5.25”. (autor vic180)
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0267-.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0262-.jpg
LPT connector for PC
http://i218.photobucket.com/albums/cc23/alex_beda/LPT1.jpg
Cable length of a 35-40 sm
This connector for outside contacts
Result connector from connector for floppy drive 5.25"
http://i218.photobucket.com/albums/cc23/alex_beda/raz1.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/raz3.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vid2.jpg
for fixation connector need make this
Or other
http://i218.photobucket.com/albums/cc23/alex_beda/kreplenie.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidkrepl.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidobsh.jpg
Software part.
[url]http://wiki.xda-developers.com/uploads/RepairBootLoader.zip[/URL]
In attached file is the programm JFlashmm,
in the same directory BOOTLOADER from АТОМ ЕХЕС (ebo_a.nb0) from First Firmware,
and driver the giveio needed for working cable.
If you have O2 Atom (not ЕХЕС), it must be in the folder jflash_mm Deleted file ebo_a.nb0,
copyng the file boot.nb0 from O2 Atom firmware in the jflash_mm folder and renaming this file in ebo_a.nb0.
Before connecting LPT connector , you want to press and hold
micro button near to the sim connector.
http://i218.photobucket.com/albums/cc23/alex_beda/knopka.jpg
For example: sticker on the button.
Ground from LPT connector, connecting on ground the device
(using the crocodile connector)
http://i218.photobucket.com/albums/cc23/alex_beda/ground.jpg
Connect cable to LPT port of PC.
Connect charge to the device
Orange LED is blinking.
If LED not blinking,
Check pressed the micro button.
check fixation the button.
Installing the driver giveio from attached file.
Now you can restore BootLoader.
BootLoader needs to be restored in two places.
Need boot flashing to adress 0 and address 3f400.
In folder jflash_mm there is a file start.bat.
Inside this file:
jflashmm pxa27x32 ebo_a.nb0 P 0 PAR
jflashmm pxa27x32 ebo_a.nb0 P 3F40000 PAR
So file ebo_a.nb0 (boot from атом exec) will be flashing in two places,
To adress 0 and adress 3f40000, data send to parallel port.
Execute start.bat, if all right , you correct making cable,
it must detect processor.
If message screen on "file *.DAT not find", press Soft Reset.
the program will ask you «bla-bla-bla» Y/N? Press Y
-------
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.002
PXA27x revision ??
Found flash type: 28F256L18B
Unlocking block at address 0
Erasing block at address 0
Unlocking block at address 10000
Erasing block at address 10000
Unlocking block at address 20000
Erasing block at address 20000
Unlocking block at address 30000
Erasing block at address 30000
Unlocking block at address 40000
Erasing block at address 40000
Starting programming
Using BUFFER programming mode...
Writing flash at hex address 3fe80, 99.85% done
Programming done
Starting Verify
Verifying flash at hex address 3ff68, 99.94% done
Verification successful!
------------
So too for the second time in firmware to address 3f4000
You can disconnect charger and cable.
Enter bootloader :
Press Camera button, insert battery and press Soft Reset.
If everything was done correctly, it bootloader is running!!!
Now, as usual (almost)
Connect the device to PC.
Run update firmware for you device.
Must go update firmware.
If all right, it .......
Operation system update, bootloader update,
Running update ExtROM, but, it should freezes at 6 %!!!!
Disconnect usb cable from device, Enter Hard Reset!!!
Device must switch on, calibrating touch screen etc.
Run again update firmware for you device.
© Copyright to Alex_Beda & 1stMASTER​

Also, you might want to list the hardware we need so we can go look for it.

Ultimate Chicken said:
Also, you might want to list the hardware we need so we can go look for it.
Click to expand...
Click to collapse
Need 4 resistors 100 Om, LPT connector and
old cable for the floppy drive 5.25 ".

This is a great fine. Once you have finalized this one. Please post it in the WIKI. I have constantly updated it with relevant information for our device.

Coola
thnx for this guys....i didnt flash my atom yet because i was afraid of the boot loader problems i ve read in here.now there is no need to worry

greekfragma said:
Coola
thnx for this guys....i didnt flash my atom yet because i was afraid of the boot loader problems i ve read in here.now there is no need to worry
Click to expand...
Click to collapse
The Atom never had a problem with the bootloader. Its the Atom Exec that has it. Also, the solution the common problems with the Atom upgrading has been posted in the Wiki already.

thnx for the fast reply jiggs and sorry for the mis-writing of my post......i have atom exec and i wrote atom just to shorten my post.sorry again for the mess
keep walking mate.u are doing marvelous job in here

oh finally there's solution..i have a dead bootloader o2 ATOM..and service center said i have to replace my BOARD..and it will cost a lot..
keep it up..bro..
thankz..
-=[serialzs]=-

I dont have the O2 Atom and I dont access to the O2 Atom.
The technology will be one, but other pinouts contact (may be)

The time is dancing!!!
Tehnology is working on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725.
TESTED !!!

Nice to hear

See
http://wiki.xda-developers.com/index.php?pagename=HTC_Atom
Problems (Read here before posting on Forum):
Dead Boot Loader on O2 Atom, O2 Atom Exec, Rover G5, Orsio n725

Manual to restore dead BootLoader
Atom, Atom Exec, Rover G5, Orsio n725, HP6815 (may be the all 68xx series).
© Copyright to Alex_Beda & 1stMASTER
Thanks to all who helped.
Thanks to Winterice for the technical assistance and moral support.
Thanks to ant 125 for useful information
Thanks to Allbest, deniska.75, Borozavr, Erke for moral support.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
This procedure consists of two parts.
Hardware (making cable for reflashing) and software (reflashing).
Hardware part:
This pinouts JTAG of Atom Exec, Rover G5, Orsio n725, O2 Atom, J2 Atom Exec
At O2 Atom (not Exec) is the only internal contacts. Located near the Camera button.
There are contacts inside the device, near the buttons CAMERA,
for access them, you need to open device.
There are contacts from the outside, near the SIM connector.
All contacts is working
For inside contacts need this connector
http://i218.photobucket.com/albums/cc23/alex_beda/raz012.jpg
You can so using connector from floppy drive 5.25”. (autor vic180)
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0267-.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/PICT0262-.jpg
LPT connector for PC
http://i218.photobucket.com/albums/cc23/alex_beda/LPT1.jpg
Cable length of a 35-40 sm
This connector for outside contacts
Result connector from connector for floppy drive 5.25"
http://i218.photobucket.com/albums/cc23/alex_beda/raz1.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/raz3.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vid2.jpg
for fixation connector need make this
Or other
http://i218.photobucket.com/albums/cc23/alex_beda/kreplenie.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidkrepl.jpg
http://i218.photobucket.com/albums/cc23/alex_beda/vidobsh.jpg
Software part.
[url]http://wiki.xda-developers.com/uploads/RepairBootLoader.zip[/URL]
In attached file is the programm JFlashmm,
in the same directory BOOTLOADER from АТОМ ЕХЕС (ebo_a.nb0) from First Firmware,
and driver the giveio needed for working cable.
If you have O2 Atom (not ЕХЕС), it must be in the folder jflash_mm Deleted file ebo_a.nb0,
copyng the fileeboot.nb0 from O2 Atom firmware in the jflash_mm folder and renaming this file in ebo_a.nb0.
Before connecting LPT connector , you want to press and hold
micro button near to the sim connector.
http://i218.photobucket.com/albums/cc23/alex_beda/knopka.jpg
For example: sticker on the button.
Ground from LPT connector, connecting on ground the device
(using the crocodile connector)
http://i218.photobucket.com/albums/cc23/alex_beda/ground.jpg
Connect cable to LPT port of PC.
Connect charge to the device
Orange LED is blinking.
If LED not blinking,
Check pressed the micro button.
check fixation the button.
Installing the driver giveio from attached file.
Now you can restore BootLoader.
BootLoader needs to be restored in two places.
Need boot flashing to adress 0 and address 3f400.
In folder jflash_mm there is a file start.bat.
Inside this file:
jflashmm pxa27x32 ebo_a.nb0 P 0 PAR
jflashmm pxa27x32 ebo_a.nb0 P 3F40000 PAR
So file ebo_a.nb0 (boot from атом exec) will be flashing in two places,
To adress 0 and adress 3f40000, data send to parallel port.
Execute start.bat, if all right , you correct making cable,
it must detect processor.
If message screen on "file *.DAT not find", press Soft Reset.
the program will ask you «bla-bla-bla» Y/N? Press Y
-------
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.002
PXA27x revision ??
Found flash type: 28F256L18B
Unlocking block at address 0
Erasing block at address 0
Unlocking block at address 10000
Erasing block at address 10000
Unlocking block at address 20000
Erasing block at address 20000
Unlocking block at address 30000
Erasing block at address 30000
Unlocking block at address 40000
Erasing block at address 40000
Starting programming
Using BUFFER programming mode...
Writing flash at hex address 3fe80, 99.85% done
Programming done
Starting Verify
Verifying flash at hex address 3ff68, 99.94% done
Verification successful!
------------
So too for the second time in firmware to address 3f4000
You can disconnect charger and cable.
Enter bootloader :
Press Camera button, insert battery and press Soft Reset.
If everything was done correctly, it bootloader is running!!!
Now, as usual (almost)
Connect the device to PC.
Run update firmware for you device.
Must go update firmware.
If all right, it .......
Operation system update, bootloader update,
Running update ExtROM, but, it should freezes at 6 %!!!!
Disconnect usb cable from device, Enter Hard Reset!!!
Device must switch on, calibrating touch screen etc.
Run again update firmware for you device.
© Copyright to Alex_Beda & 1stMASTER​

serialzs said:
oh finally there's solution..i have a dead bootloader o2 ATOM..and service center said i have to replace my BOARD..and it will cost a lot..
keep it up..bro..
thankz..
-=[serialzs]=-
Click to expand...
Click to collapse
hey brother, i was in the same shoes as yours a few days ago.
had a dead bootloader since i upgraded using SD card...
there is a slight chance you can revive your atom this way (which i revived mine)
unplug the battery for a few days - then when you plug the battery in, observe the power light and the hangup button, see if it has a very quick red flash. if it does, you might be in luck.
now, hold the action button (circle button in the middle) and keep plugging and unplugging the battery in the atom. do the same on the power button and the camera button. mine worked with the action button, and it booted into the bootloader menu again!
now im flashing the original rom in the unit =)

How much can be explained?
My method is available for dead bootloader.
Absolutely dead bootloader.
(full erased, flashing the not correct file etc)
kazuni
You message - offtop and flud.
Read forums.
Read documentations.
You bootloader IS NOT DEAD!
If bootloader is dead, this programm is not correct (or no programm) in the ROM.
Programm not working.
Not enter in bootloader.
Flashing with SD card impossible.
Symptoms:
The device is not switching on, not entering bootloader.
(most often after the firmware from a memory card)
React to connect charger.
if the battery insert and connect charger, it orage led must be lit .
if the battery remove and connect charger, it orange led must be flashing.
There is only one way for restore bootloader.
Reflashing flash memory in the PXA272 using JTAG.
Click to expand...
Click to collapse

wow . thanks . although my xda atom never bricked but I'm happy that it will never happend. with your method we never see bricked atom again

alex_beda said:
How much can be explained?
My method is available for dead bootloader.
Absolutely dead bootloader.
(full erased, flashing the not correct file etc)
kazuni
You message - offtop and flud.
- #1 i am not replying your topic, i am merely helping the others and see if my method works.
Read forums.
-duh, who wouldn't read the forum.
Read documentations.
You bootloader IS NOT DEAD!
i didn't say my bootloader is dead or not dead.
If bootloader is dead, this programm is not correct (or no programm) in the ROM.
Programm not working.
Not enter in bootloader.
Flashing with SD card impossible.
Click to expand...
Click to collapse
i am just replying another person, if you have not noticed, i specifically quoted his post, not YOUR thread.

kazuni said:
i am just replying another person, if you have not noticed, i specifically quoted his post, not YOUR thread.
Click to expand...
Click to collapse
Sorry if you are offended
But your method apply for only not absolutely dead bootloader.
if bootloader is absolutely dead -
Not enter in bootloader.
Flashing with SD card impossible.
Device is dead.
Only replace board in Service center,
or reflashing with JTAG.

Is this applicable to Atom Life? I have tried but I got this error:
C:\Boot\JFlash_MM>start.bat
C:\Boot\JFlash_MM>jflashmm pxa27x32 ebo_a.nb0 N 0 PAR
JFLASH Version 5.01.007
COPYRIGHT (C) 2000 - 2003 Intel Corporation
PLATFORM SELECTION:
Processor= PXA27x
Development System= Mainstone
Data Version= 1.00.001
PXA27x revision ??
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: FFFF
Lower half reads: 0
Failed to read the Flash ID. Retrying 4 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 3 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 2 more times...
Upper and Lower flash memory ID does not match.
You may have a damaged flash memory.
Upper half reads: 90
Lower half reads: 0
Failed to read the Flash ID. Retrying 1 more times...
Failed to read the Flash ID. Retrying 0 more times...
Cannot open input file: Flash_0_2_32.dat
This program supports flash devices defined by DAT files
contained in the same directory as the executable program.
If the file cannot be opened, there are four possibilities:
1 - The flash device installed is not supported.
2 - The flash device is a licensed product.
3 - The device ID could not be read, resulting in a poorly
constructed filename. The first numeric value in the
filename is the device ID. Verify this value with the
component specification.
4 - The memory bus is not functional. Check all CPLD and FPGA
devices. Make sure that you are using the correct
platform data file.
Mr. Jiggs... Kabayan. Is there any service center of O2 Atom in the Philippines, my atom life is dead due to SD card upgrade. I am here in KSA where the services is not available. Thanks.

Can I use it for PROPHET!!
alex_beda said:
Sensation !!!!
We have found a method to restore dead Boot for
Atom Exec, Rover G5, Orsio n725, and may be Atom (Atom may be, not tested).
We found JTAG and developed the recovery technology!
FAQ is translating from Russian and will be written.
Autor's Alex_Beda & 1stMASTER
Please wait 1-3 days.
Click to expand...
Click to collapse
Hey Buddy
I know its foolish on my part but can I use this method on my o2 Neo --prophet
It does not boot at all.Al that I get when I put it to wall charger is a ORANGE LED which even remains when I remove the Batt..
Soe time again it diapperars.In either cases the area near the USB tends to get very very HOT.
Sometimes I feel it will just bust because of this heat!!
Pls do reply

[Dev] Bootloader unlocked!- ONLY FOR DEVELOPMENT, DO NOT SPAM-

MSM7227 S1Boot has been patched to ignore SIN header signature by the_laser.
You need phone which you either did not unlock by cable, or phone which you unlocked via SEtool2 only.
If you unlocked with Omnius, in C:\ProgramData\Omnius for SE\Backups\Xperia X8
you have file called: Xperia X8_IMEI_DATE_SIMLock.opd
Restore that TA backup, then use semc.cmd in the_laser's release to unlock bootloader - you'll restore SIM lock this way!
Currently there is no unlocked bootloader for Omnius unlocked phones.
Read all instructions here: http://forum.xda-developers.com/showthread.php?p=17338716#post17338716

What will this allow:
* custom kernels
* better/fully working Gingerbread
* no need for chroot to avoid init crash bug
* overclock/Synaptics fake DT/Cypress real DT/MDDI fix built in kernel
This will not enable:
* real DT on Synaptics digitizer

Greetings.
warning.
if you are not developer, please quit reading that post.
wait for user friendly tool with one big button.
here ( View attachment msm7227.7z ) is toolset to permanently "unlock" semcboot of msm7227 semc phones.
that means, you can use own kernel and so on.
steps,precautions, etc.
unpack archive to any directory.
if you using eset antivirus or similar ****, it will find evil virus in adb.exe.
ignore that, it is not virus in any way, it is standard android debug bridge, bundled in one file to save space and usability.
now, if your phone unlocked officially:
flash phone with standard 2.0,2.1 android firmware,because kernel mapper module compiled for "2.6.29" kernel.
of course, enable "usb debugging"
run msm7227_semc.cmd,
( if you want, examine it before run, it is pretty straightforward. )
you will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
bingo, your phone now has unlocked bootloader.
if your phone unlocked by setool2 software, use msm7227_setool2.cmd
if your phone unlocked by 3rd-party software other than setool2, do not run anything -
it will disable radio capability of your phone and you will need to unlock phone by setool2 software.
hopefully, mizerable flea and mOxImKo will release something similar for your phone.
okay, now about other details.
1.
unlocked bootloader require unlocked loader, yep ?
loader\loader.sin is special unlocked loader, which will be accepted ONLY after your "unlock" semcboot with previous steps.
to distinguish unlocked semcboot and original semcboot, first letter in version tag of semcboot output will be lower case, i. e. "r8A029"
( same applies for loader version tag )
so, all that stuff with signatures are not for us, so i removed them - loader will ignore signature part of SIN file.
2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.
Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]
Click to expand...
Click to collapse
[input] - is input binary file.
[partition info]
android implementation on s1 semc qualcomm phones based on partitions,so we MUST define it for our file.
you can get required partition info from standard semc sin files, it is first 0x10 bytes of DATA, right after header, i.e.
e10 kernel partition info
03000000010000402001000040000000
Click to expand...
Click to collapse
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
kernel partition is partition without spare.
if that parameter omitted, type = 9
[block size] - nand block size, if omitted, it is standard size 0x20000
there is example in sinTools\example_build.cmd
3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.
Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...
Click to expand...
Click to collapse
we need 2 segments:
segment 1 is unpacked linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x00208000
attributes for image 0x0
segment 2 is ramdisk.
it looks like entrypoint and load address for segment 1 is always same for all msm7227-based semc phone, it is 0x01000000
set attributes for ramdisk 0x80000000, that is extremly important.
there is simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with entire idea for msm7227 bypass.
your 6-wings friend with many nicks done exactly same.
NAND MPU has nothing to do with memory firewall, so it will not help with kexec things, however, who will care now.

Thread closed because i'm boring of all this OFF TOPICS.
@ Blagus: you can open it when you have something to post.
@ Others: Use topic in general forum from NOW.
EDIT: After 3 hours i'm going to open again this thread, WARNING every off topic here will gain an infraction as " Failed to cooperate with a moderator", so, don't blame on me when you will see the infraction point.

[SOLVED]-[BRICKED]SHV-E160L Korean model

I Have decided that this thread has served it's purpose and will now be closed to future posts. Please direct and 'non' SHV-E160L post's to
Brixfix V2
Please can all Ongoing jobs/works migrate to the above thread.
-----------Final Notes--------------
It has been mentioned many times that i should go back and correct the information below, i started to correct a few post's then realized i was removing the flavour in change of colour and size, parts of this thread documents my mistakes, assumptions and general lack of understanding of how we NOOBS post on XDA, It's with that in mind that i have decided to leave the mistakes in, so you can see in writing what i gained from the support of other Devs here.
Now, if you are NOOB in anyway or have a few questions please click HELP
If you are bricked and need help, read this thread first, there is NO one CLICK solution for anything, even this mentioned device.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So you Brixed/bricced/BOD/QDL/EDLOAD/QHS-USB/05c6:9008/05c6:9025/ your device? Need a Oil and brush , Need help, follow this
One, Rules
Two, Understanding
--------------------------------------------------------------------------
Tip From the Author,
Some of you may have noticed that i did not start the original thread with a question, I did something my mentor taught me at around 9 years old but didn't put into good use until much later in life.
The tip is write things down as a question for yourself, in the writing process you get to pass the information past the part of your brain that interprets information, virtual sounding board, before posting as a question for others.
--------------------------------------------------------------------------
New Tools for debricking, goto
Brixfix V2
---------------------------Further Info Info -----------------------------
** I have Since Fixed the device and developed soultions for non shv-e160l devices. Prior posts are undergoing edit's for corrections.
** if you want the glory shot, sorry you will just have to read through.
** If you are selling this as a solution, dont. I know who you are.
---------------------------Original Post-----------------------------
Hi All
As i mentioned on this thread http://forum.xda-developers.com/showthread.php?p=32231827#post32231827 i will be attempting to come up with a home grown debrick solution for a SHV-E160L samsung note from korea.
I will use the forum to document what i am doing, i am very new to this so correct me please if i am wrong. I have never done Android dev work at any time but i have a very good understanding of the logic behind it all. `
Things i Have :-
Phone ( SHV-E160L)
bus pirate v3 with jtag firmware
openocd compiled on ubuntu and centos 6
smd jtag adapter and relay wire ( magnetic wire)
things i still need :-
openocd target config file for MSM8660 Snapdragon cpu (and a better understanding of eMMC access, how to load boot loaders either into ram or eMMC or trigger fail over boot to sc-card, USB via software or X0M/Boot pins)
assembled jtag (it's the smallest soldering i've ever seen)
.PIT file for 32GB model (if someone could pull the .PIT file from a working unit I would be happy, specify your radio/kernel versions when uploading)
micro fine solder iron tip and 20w iron (i've got 60w but too high for this type of work)
Does anyone have a idea of the SD-CARD partition layout, files for snapdragon devices, google has given me much for other devices but not a snapdragon .
Another question, I've used the USB jig to trigger 301K mode USB-Factory and seen no activity in dmesg for usb devices, i've yet to try windows, does windows/linux behave in a different way when it comes to usb , as in windows see's the qualcom usb mode but not linux ? does the usb client device always start the comms?
using the 615K usb jig i get nothing too, no pbl message from samsung (hence i am led to think is's the pbl/sbl thats damaged)
My understanding up boot is as follows
iROM code
This loads basic settings to boot the PBL (iROM is in rom) the PBL is loaded into radio(modem) cpu and then loads the SBL(s)
PBL/SBL stored in eMMC at address ????? (need to document the address for the masked access to eMMC and jtag/openocd access unmasked access)
Once the SBL is loaded you with have the ODIN mode (USB/UART)
from what i can see of commercial JTAG boxes is the access the radio cpu via jtag, write a new PBL/SBL to the eMMC then halt/reset cpu which now loads the new bootloaders, (resurrect dead body)
The openocd TAP id for the cpu should be 0x105310E1 but thats a number i got from a riff box log, not any actual testing ( still need to solder the fine pitch connector)
Here is a log from a riff box, not sure if the address's are usable accross to opencd
Taken from gsm-forums:-
Open serial port...OK
Connecting to the RIFF Box...OK
Firmware Version: 1.33, JTAG Manager Version: 1.44
Selected Resurrector: [Samsung E160K V1.0.4535.7001]
Connecting to the dead body...OK
Detected dead body ID: 0x105310E1 - IGNORED!
Set I/O Voltage reads as 1.79V, TCK Frequency is RTCK
Adaptive Clocking RTCK Sampling is: [Sample at MAX]
Resurrection sequence started.
Establish communication with the phone...OK
Initializing internal hardware configuration...OK
Uploading resurrector data into memory...OK
Starting communication with resurrector...OK
Detected an Initialized FLASH1 Chip, ID: 0x0015/0x0000 (KTS00M, 0x0003AB400000 Bytes = 14.68 GB)
Detected an Initialized FLASH2 Chip, ID: 0x0015/0x0000 (KTS00M, 0x000000200000 Bytes = 2.00 MB)
Flashing the dead body...OK
Resurrection complete!
Click to expand...
Click to collapse
I did notice one thing, the riff box opens the serial port, i wonder if they load PBL+SBL into memory, reset the cpu, then using the serial connection activate download mode ? (like on the captive)
I also dont know how the cpu (jtag TAP id? ) and flash variables translate accross to openocd as ive not found a target config file yet ( or my searching is wrong)
in the full stock Firmware I was able to extract the .tar file which contained,
Code:
amss.bin <-- application cpu boot files ?
boot.img <-- kernel/initrd ramdrive
mdm.bin <-- modem cpu boot files
recovery.img <--- recovery image
system.img.ext4 <---- rest of the system applications
so i think we have the two cpu firmware/boot loaders in the .bin files, these bin files are just fat32 images, to access in ubuntu use
Code:
mount -o loop mdm.bin /mnt/mdmmountlocation
My guess is my first approach is getting the right PBL/SBL into the system and getting some feed back via uart, i have the jtag pinouts and further reserach says there is a UART2 on the jtag header, so when soldering up my jtag adapter i will include all pins if i can and sniff for serial logic, i happen to have a Open source logic sniffer, great tool as i do a lot of hacking into serial devices like scales and till printers .
back to topic.
When i do get to the jtag part at a minimum i should have access to the modem radio, afaik jtag devices connect in chains and most of the IC's that have jtag on the phones board all should link to the master device (i am thinking it's the modem cpu, no application) and that the Two cpu's share the eMMC memory some how, or it could be one cpu loads it into the other (it is connected via jtag down the chain) .
hopefully someone could correct me there.
Most of this is theory and my guess work, correct me if you find a mistake. most of the research is only over a few days too so i am far from finished there, does not help that most of the users speak a language that google translate just does not have a flair for.
Most of the info seems to suggest the modem cpu is the first inline so i decided to look further into the files there, notice the mdm.bin file is 23Mb, thats large, when mounted i notice the is a folder called 'image' ( amms.bin has folder called IMAGE , note the case difference, dont yet know whay)
in image folder we have :-
Code:
1.3M Sep 30 13:07 AMSS.MBN
35K Sep 30 13:07 DBL.MBN
2.2M Sep 30 13:07 DSP1.MBN
19M Sep 30 13:07 DSP2.MBN
40 Sep 30 13:07 EFS1.MBN
40 Sep 30 13:07 EFS2.MBN
40 Sep 30 13:07 EFS3.MBN
295K Sep 30 13:07 OSBL.MBN
Ah, i see amss.mbm , that must be the boot loader for the application cpu, DBL.MBM seems to be the PBL , OSBL.MBM could be the SBL
then there is the DSP/EFS files, I did do the command strings on all the files,
DBL.MBM does not have any text in the file that points to being able to do UART on boot, all text seems internal like pointers and references to the original build files e.g
Code:
D:\Q1LGT_MDM\MDM9600\modem_proc\core\boot\secboot2\dbl\target\mdm9x00\src\dbl_ddr.c
9x00B-SCAQSVZM-31613102
D:\Q1LGT_MDM\MDM9600\modem_proc\core\boot\secboot2\dbl\target\mdm9x00\src\dbl_sahara.c
but it also does contain data like this
Code:
auth_image
@[email protected]
@configure_hw
@flash_init
l0:eek:SBL
load_osbl_img
@DBL, Start
hw_init
so it looks more likley that dbl is first in the chain, it refers to loading osbl and configure hardware, i wonder if it means USB/UART at this stage or setting up ram and other GPIO's
in OSBL.MBM we have more interesting text
Code:
MbP?
Unable to attached to ChipInfo DAL
SAMSUNG
TOSHIBA
Flash: Failed to do initialization for probe!
ONFIx
0:ALL
Flash: Multi 2X page read not supported!
Flash: Multi 2X page write not supported!
boot_qdsps
OSBL
hw_init
hw_init_secondary
OSBL, Start
create_vector_table
ram_init
retrieve_shared
clobber_add_protection
mmu_flush_cache
OSBL, End
OSBL, Delta
osbl_sahara_load_amss
osbl_sahara_load_dsp1
osbl_sahara_load_dsp2
osbl_sahara_load_ramfs1
osbl_sahara_load_ramfs2
osbl_sahara_load_ramfs3
smem_boot_init
so it is looking more and more like DBL then SBL which then loads all of the other parts , also if you notice EFS1/2/3 are all tiny 40byte files, now i see why, they are loaded as ram-drives, so i assume those file set out the basic EFS file system in the ram.
again from research the boot stages are often counted as 3, i am assuming the real first part is in rom of the cpu (is this what triggers the qualcom download mode ) that loads DBL from eMMC and chain loads SBL
Now looking around the riff forums i see the list the info in a different way
Code:
Partition 0
SBL1
SBL2
Partition 1
RPM
SBL3
eMMC APPSBoot
TZ
.PIT
Click to expand...
Click to collapse
TZ i think is Trusted Zone
RPM - Power manager ?
now how this translates to file name from full flash and to mmcblk0p1 partitions i have yet to find out, i still dont have a .PIT file from a 32gb model
More updates to come,
regards
DarkSpr1te

CPU Boot order updates
So my digging has taken me back round to some of me early searching which i forgot about , hardware level seems to support the qualcom usb mode, but it can be disabled by manufacturer, so even if you find a resistor to the BOOT_CONFIG GPIO and ground it , it still may not work, and you could toast your board. once the qfuse is gone for that track, the maker can now use the gpio for anything else, it no longer controls the iROM branch choice ( CPU:do i start usb first or last?), it my thinking that on the first board sent out by the designers for a final production run ( those first public devices) they keep the option open to print off DEV models by changing the resistors/value of while the hardware stays same, not to be confused with dev board, that is pin/track simlar but is used to design the software mainly, sometimes hardware debug but as you change the hardware between the dev platform and production this is less helpful, google new.intrinsyc.com and apq8060, they produce a dev board that is the same as the device we hold, but everything is broken out for testing so don't expect to see this left in a bar for you to e-bay.
EDIT:
Above I refer to a dev phone and dev board, these are SURF and FFA, FFA is form factor accurate and SURF is Subscriber Unit Reference.
Here is the link, http://forum.xda-developers.com/showthread.php?t=1856327
Now from what i see, it's the same(edit:simlar) X0M pin setup as other phones, ground the right pin, reverse boot order, but this maybe two pins in the snapdragon,
[copied from other link]
Simplified table:
Code:
------------------------------------------------------------------
BC[5:0] Mapping
------------------------------------------------------------------
0b00000 Emergency Boot from SDC3 (SD) followed by USB-HS
0b00001 SDC3 followed by SDC1 (eMMC)
0b00010 SDC3 followed by SDC2 (if used)
0b00011 SDC1 (eMMC)
Click to expand...
Click to collapse
So if 0b00000 is EM boot and the docs say the the two gpio's that control this (if qfuse not blown) are taken high then it's 0b00011, so grounding those two resistors should give us 0b00000 or EM boot, the cpu docs also say they are internally grounded, the schematic says the voltage goes throught a 10k resistor, so grounding that side of the resistor that 'goes' to the cpu should change the boot order, but before trying this out, remember if you get the live side of the resistor the is no resistor between your probe and ground, that full current, short, blown, no more johnny 5.

Have you managed to unbrick the E160L?
darkspr1te said:
So my digging has taken me back round to some of me early searching which i forgot about , hardware level seems to support the qualcom usb mode, but it can be disabled by manufacturer, so even if you find a resistor to the BOOT_CONFIG GPIO and ground it , it still may not work, and you could toast your board. once the qfuse is gone for that track, the maker can now use the gpio for anything else, it no longer controls the iROM branch choice ( CPU:do i start usb first or last?), it my thinking that on the first board sent out by the designers for a final production run ( those first public devices) they keep the option open to print off DEV models by changing the resistors/value of while the hardware stays same, not to be confused with dev board, that is pin/track simlar but is used to design the software mainly, sometimes hardware debug but as you change the hardware between the dev platform and production this is less helpful, google new.intrinsyc.com and apq8060, they produce a dev board that is the same as the device we hold, but everything is broken out for testing so don't expect to see this left in a bar for you to e-bay.
Here is the link, http://forum.xda-developers.com/showthread.php?t=1856327
Now from what i see, it's the same(edit:simlar) X0M pin setup as other phones, ground the right pin, reverse boot order, but this maybe two pins in the snapdragon,
[copied from other link]
Simplified table:
Code:
------------------------------------------------------------------
BC[5:0] Mapping
------------------------------------------------------------------
0b00000 Emergency Boot from SDC3 (SD) followed by USB-HS
0b00001 SDC3 followed by SDC1 (eMMC)
0b00010 SDC3 followed by SDC2 (if used)
0b00011 SDC1 (eMMC)
So if 0b00000 is EM boot and the docs say the the two gpio's that control this (if qfuse not blown) are taken high then it's 0b00011, so grounding those two resistors should give us 0b00000 or EM boot, the cpu docs also say they are internally grounded, the schematic says the voltage goes throught a 10k resistor, so grounding that side of the resistor that 'goes' to the cpu should change the boot order, but before trying this out, remember if you get the live side of the resistor the is no resistor between your probe and ground, that full current, short, blown, no more johnny 5.
Click to expand...
Click to collapse
I think my E160L got a real brick today after I tried to flash a modified Rom downloaded from a Chinese forum. It can not be powered on after rebooting (installed successfully). I desperately need advice now on how to deal with it.

Jeff_GTA said:
I think my E160L got a real brick today after I tried to flash a modified Rom downloaded from a Chinese forum. It can not be powered on after rebooting (installed successfully). I desperately need advice now on how to deal with it.
Click to expand...
Click to collapse
Do you have any backups like nandroid ? does the 3 button boot still work ?
Regards

Have you looked into using ort-jtag. It's only about $150 (USD).
I've been looking into this myself for low-level debugging/bootloader development on SGH-T959V and SGH-I717.
All three of these devices are supported by ort-jtag and have header connectors for the jtag pins.
So I'm also getting some of these from digi-key, and making a small receptacle, much like in AdamOutler's captivate bootloader development thread. (search for k-ww)
Again, ort-jtag does support the SHV-E160L. (search that link for SHV-E160L)

PBL Dump - I think
So ive been doing some tests.
I think i managed to dump the PBL
i dumped memory and a strings search return this
Code:
pbl_error_handler.c
pbl_flash_nand.c
pbl_flash.c
dload.c
pbl_flash_nand.c
pbl_flash_onenand.c
pbl_auth\secboot_rsa_math.c
pbl_error_handler.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_auth.c
pbl_mc.c
pbl_mc.c
pbl_error_handler.c
and
Code:
qhsusb\src\dci\qhsusb_dci.c
}^PBL_DloadVER1.0
!8}^
}]^}^
Q`omm
z8}]
DEBUG
SW_ID
OEM_ID
pbl_flash_onfi.c
pbl_flash_nand.c
pbl_flash_sflashc.c
pbl_loader.c
pbl_flash_sdcc.c
pbl_auth.c
pbl_auth\secboot.c
pbl_auth\secboot_x509.c
QUALCOMM COPYRIGHT 2009BOOT ROM VERSION: 1.4QHSUSB VERSION: 00.00.08
BOOT ROM AUTHOR: DHAVAL PATEL
07 0000 SHA1
does any one want the dump that can reverse it ?

Dumps & execute address
I also need the help of other SHV-E160? owners, i need dumps from working phones, i managed to create a 8660_msimage.mbn and flashed it, but i was using i717 bootloaders and i dont think they will work, i need working dumps from working phones, starting with partition table layout, sbl1.mbn and sbl2.mbn
Does anyone know if the is is correct
SBL1 exec address 0x2A000000
SBL2 exec address 0x2E000000
as i can upload the sbl to 0x2a000000 but not the sbl2 to 0x2e000000
i can also upload the tz.mbn to 0x2a020000
i am trying to use sec boot 3 based call stack but am unsure of the real exec values
Ive seen in another post these values
"
It looks like ours deviates slightly from this.
If the headers are to be believed,
TZ is loaded at 0x2A000000
SBL3 is loaded at 0x8FF00000
APPSBL/aboot is loaded at 0x88E00000
"
the post is
http://forum.xda-developers.com/showpost.php?p=30057296&postcount=243
it does explain why i cant load into 0x2e000000

Progress
So today i made real progress, I have been able to flash a basic program to allow me to access the EMMC, i have taken a full backup and now i need to start scanning the dump for need information,
I still need help from other users so please if you are will to provide me dumps of your working device that would help me a great deal
So Part One is a sucess, I have been able to flash my own code and power on the galaxy note. next step is rebuilding the emmc partition tables, testdisk can find the partitions but is not alowing me to write a non standard partition table (which emmc seems to be formatted with)
Thanks
darkspr1te

help QPST Software Download
Hi,
I'm stuck with the same problem can you tell me what image you use to the phone. I stuck here. I' m really don't know what to do?
Thank you for your help.

tyllerdurdent said:
Hi,
I'm stuck with the same problem can you tell me what image you use to the phone. I stuck here. I' m really don't know what to do?
Thank you for your help.
Click to expand...
Click to collapse
First thing i must say is dont flash your phone just yet!! walking blindly into this could render your phone useless due to certain data being lost for good.
if you still wish to continue i will upload a basic guide and files. My method is still in development, it has many bugs ( i flashed the phone with i717 roms, working, SHV-E120 roms, working, N7000 rom complete fail)
But first some questions,
Which model phone is it?
what happened to get you to the point of needing the flash ? ( i ask so i can trace why the bricks are happening and hopefully fix it)

thank you for your help, I will be waiting your method and your files.
Thank you so much for your help.
My phone is a samsung galaxy note SHV-E160L korean version.
what happen was:
I tried to upgrade the firmware with kies and suddenly the program crash. My phone enter in an error issue with the firmware and said use emergency recovery mode.
I tried the recovery several times (uninstalling kies and install it again but that never work).
So, I download odin and this files to restore the original firmware:
CSC - GT-N7000-MULTI-CSC-OZSLPF.tar.md5
Phone - MODEM_N7000XXLR1_REV_05_CL1144476.tar.md5
Bootloader- N7000_APBOOT_N7000ZSLPF_CL558430_REV02_user_low_sh ip.tar.md5
PDA - N7000_CODE_N7000ZSLPF_CL558430_REV02_user_low_ship .tar.md5
Pit for 16GB - Q1_20110914_16GB.pit
I connect my phone and try to install the firmware again, but odin fail and my samsung became a nice brick.
The phone currently does not turn on, the phone is in download mode and I install QPST and the program recognize the system in download mode.
I want to try your method because other information I collected said that I have to send it to guarantee.
Can I install i717 rom in the E160L?
I will be waiting for your post because sincerely I don't know how to repair it.
Thank you so much.

Hello darkspr1te
First of all, nice work there (though I didn't understood most of the things there, but seems there is some good work going on on our SHV-E160's
On your comment;
( i flashed the phone with i717 roms, working, SHV-E120 roms, working, N7000 rom complete fail)
Does that mean that i717 roms can work on the SHV-E160 devices? Please share if that is the case.

The geeky bits
tyllerdurdent said:
Thank you so much for your help.
My phone is a samsung galaxy note SHV-E160L korean version.
what happen was:
I tried to upgrade the firmware with kies and suddenly the program crash. My phone enter in an error issue with the firmware and said use emergency recovery mode.
I tried the recovery several times (uninstalling kies and install it again but that never work).
So, I download odin and this files to restore the original firmware:
CSC - GT-N7000-MULTI-CSC-OZSLPF.tar.md5
Phone - MODEM_N7000XXLR1_REV_05_CL1144476.tar.md5
Bootloader- N7000_APBOOT_N7000ZSLPF_CL558430_REV02_user_low_sh ip.tar.md5
PDA - N7000_CODE_N7000ZSLPF_CL558430_REV02_user_low_ship .tar.md5
Pit for 16GB - Q1_20110914_16GB.pit
I connect my phone and try to install the firmware again, but odin fail and my samsung became a nice brick.
The phone currently does not turn on, the phone is in download mode and I install QPST and the program recognize the system in download mode.
I want to try your method because other information I collected said that I have to send it to guarantee.
Can I install i717 rom in the E160L?
I will be waiting for your post because sincerely I don't know how to repair it.
Thank you so much.
Click to expand...
Click to collapse
Ok, as i said it's still a work in progress at the moment.
I used the i717 bootloaders (thats why we have a brick as it's not getting to the aboot loader or little kernel as some other refer to it) and E160 modem and application cpu as my first target is getting odin mode back.
I was able to also use the E120 bootloaders (screen was messed up though )
I've just got home from a very long shift so i will do a full and clear write up ( STILL a work in progress ) tomorrow (20th)
but i will explain the basic now as you do need to download large files before we continue.
First you need to download the same firmware as you were originally on before the brick, The reason is because between versions i suspect there is minor changes in partition tables (that why the n7000 roms brick )
If you dont have the latest QPST (2.7.3xx or higher ) please google for it now, there are many sites that offer it. (links will folllow tomorrow)
also down load :-
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00.tar (or tar.md5 )
i717-GB-Modem.tar (or .md5)
now my initital work was based off a chinese link for the A820L
http://blog.csdn.net/su_ky/article/details/7773273
To save you the time of many hours of translation and cross reference here is the quick run down
When the phone is in QDLoad mode its because the PBL (Stored in ROM , read only memory) could not start SBL1 or SBL2 , it stores the error in IRAM location 0x3FF18 and then goes to QDLoad fail mode. At this point it has tried uart, sd-card before hand and those failed too.
IRAM is the small built in memory of the MSM8660 CPU, it has not initiated the main SYSTEM ram yet so our memory space ro running code is 87k and 256k (refer to document 8960_boot_architecture.pdf found the unlock bootloaders section.
Now because our partition table and or our bootloaders are damaged (or we have emmc brick bug) we have to rewrite that data again to revive our bricks.
This is where it gets hard, and where my warnings now come into play.
right now you must think of the EMMC chip (its the name for the internal SD-CARD we boot from and store our normal data, imei and all the other data of the system, it is just a sc-card with better security for our purpose)
This emmc chip holds all of you settings for phone function and we must not loose that,
But...
we have to write data to the chip to boot again, I am not fully aware of all the memory locations so this is assumptions on my part.
we are going to write a basic bootloader that turns the whole phone into a sd-card, then write new bootloaders
using QPST we upload 8660_msimage.mbn (its a out of the box emmc factory image) this file is ment for setting up of dev versions of the phone, it made up of the following parts
sector 0 partition table or (partition0.bin AFTER patching with info from patch0.xml) I do not have a real copy of the original of this, it can be pulled from a working SVH-E160x using the code at the end.
after the MBR (which is the first part of the partiton make up, EBR follows, we can have 3 primary partitions and the fourth is a extended which is just another partiton table pointing to the next EBR and so on, upto 29 parititons i think)
anyway, after the MBR is SBL1, which chainloads SBL2 then that side loads RPM, gets a go signal then loads SBL3, when SBL3 is done most of the device hardware has been mapped into the cpu's memory table, SDRAM is now ready for larger code,
aboot now loads
some of the above loading functions occur at the same time and some wait on go signals from other code in other CPU's and some fail due corruption and or security check fails( JTAG users can watch the memory as it changes and halt, change data and continue which is why JTAGers's have more power , we dont have loader outputting data yet so no feed back, hence the brick)
when aboot is loaded we now have access to odin, so thats the goal, get aboot loaded for now who cares about the rest of the funtions.
we do need to care about those function later so thats why we will backup the entire system, i dont know if this will really work when restored and bring back all of our settings, thats later,
So onto the writing and possibly overwriting of important information, WARNING, i dont know yet if we are overwriting imei or simalr data yet so proceed at your own risk.
We will get the required from factory (qualcomm test or dev board not samsung factory in the box for consumer) from the MUI phone firmware
http://bigota.d.miui.com/QDN43/Mioneplus_QDN43_fastboot_Android_4.0_d3d83nmdk2.zip
from this zip we want 8660_msimage.mbn, patch0.xml, partition0.bin MPRG8660.hex ( this file is uploaded first, its a serial bootloader that is loaded at 0x2a000000 (start of PBL IRAM space 256k in size) and that setups a emmc to command access (we use revskill to upload the same file and dump memory , sadly ive not found a way of pulling the entire emmc to a backup, if we can figure that out we can pull the entire boot chain, fix it and send it back with what ever versions we desire, for now revskill is used to read the PBL error so we can at least see why we cant boot, not quite jtag but best we got ))
so now we have a phone running a basic bit of code that allows us to use code sent to serial port to write (possibly read) the emmc
we then use QPST to write the 8660_msimage.mbn as a one to one copy to the very start of the emmc , reboot phone and then when the phone restarts, it sets up the ram, some hardware (charging system, you will now notice your phone gets warmer that before when plugged in) and gives us direct access to the emmc as if it was a sd-card
at this point you could move the phone to any pc and it's just a sd-card branded qualcomm
BUT at this point the pc or any other computer you connect it too only see's the partition table contained in the 8660_msimage.mbn file , you other data is there so i advise the next step you MUST do.
connect the phone to a linux computer (use a live cd or live usb if you are not a normal linux user)
you will then run the following command
Code:
dd if=/dev/sd? of=/mount/location/shv-e160-full-emmc.bin bs=512
? is the letter of the drive , use dmesg and look for sdb or sdc , if you dont understand this part then i would suggest waiting for a possible script/one click solution. right now i am still booting only 1 in 20 boots and do not yet know why the boots fail and why some work.
of=/mount... this is where you will place the entire 16GB (32GB for 32gb models ) which should be a one to one copy of the system
the bs=512 is very important, it's block size, again, if you dont understand then maybe wait.
Thats enough for now, i am going to spend a hour or two working on some theories i came up with today.
user with working phones, please google how to backup parts of your phone, this may happen to you so it's best to backup asap !!!
from the blog.csd site a script to grab the partition table data, if a working usr could please run this and post the file, it does not contain user data only the partiton table and a direct 1 to 1 restore for any phone, i think it possible to write that direct back to a QDLoad mode phone, re write the bootloaders from linux and bingo working phone. i dont have backups as it's not my phone, it belongs to a client who knows i like to tinker with electronics.
anyway, once i have the partition file i can overlay it on my test phone (which i can activate QSLoad at any time, hence it's unbrick-able dev mode)
once the partition file is written to my phone, i can build a script to backup your important data, write known working bootloaders, and reboot the phone into a usable device.
here is the script in python (user linux live cd with a copy of adb, just google adb linux pack, there is a windows and linux allin one pack)
or you can get the original from the link above, i've not tested this as i dont have a device in adb mode but i've read through it and it looks sound but never tested by me.
Well i hope that enlightens you, am sorry i dont have a all in one solution for you, it's still a dev project and most of the information i have has only been collected over the past week, i only discovered it's QSDload after getting a msm8660 schematic and i still dont know what i am trully shorting out to trigger the QSDload when ever i want, even when it's booted
If any one from the unbrickable project(s) want to get in touch to share info i would be happy, i am also sure this is a usable solution for HTC phones as well
oh and one last thing
i read only a hour ago (via cell phone while in a car so not 100%) that once the phone is in QSDload and stays in QSDload on every power cycle then we can write the partition table to a SD-CARD and it will boot that, i have not tested that yet, i will try and see if the 8660_msimage.mbn file written to a sd-card works
I also suspect that some of my good boots have been when i've mixed up the sdcard with system.img.ext4 etc on it with the one with just update.zip on it. it's one my list of things to check , any suggestions are welcome as to how i correctly format the card (heads,cylinders, block size etc)
ok folks, hope this helps
COPY TEXT BELOW ONLY INTO A FILE AND RUN WITH PYTHON (linux is easier, may be possible to use a vm box, i am but linux is my main os and windows is the vm)
Code:
import os
from struct import *
def mbr():
global offset, partitions
os.popen("adb shell su -c 'dd if=/dev/block/mmcblk0 of=/cache/partition0.bin bs=512 count=1'").close()
os.popen("adb shell su -c 'cp /cache/partition0.bin /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
f = open("partition0.bin", 'rb')
data = f.read()
f.close()
partitions = [ ]
n=0
while True:
buf = data[446+(16*n):446+(16*(n+1))]
partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
partition['type'] = "MBR"
n += 1
partition['no'] = n
partitions.append(partition)
if partition['id'] == 5:
offset = partition['start']
break
def ebr():
global offset, partitions
n = 0
while True:
a = 0
os.popen("adb shell su -c 'dd if=/dev/block/mmcblk0 of=/cache/ebr bs=512 count=1 skip=" + str(offset+n) + "\'").close()
n += 1
os.popen("adb shell su -c 'dd if=/cache/ebr of=/cache/partition0.bin bs=512 count=1 seek=" + str(n) + "'").close()
os.popen("adb shell su -c 'cp /cache/ebr /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
f = open("partition0.bin", 'rb')
data = f.read()
f.close()
while True:
buf = data[446+16*a:446+16*(a+1)]
partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
if partition['id'] == 5:
break
if partition['id'] == 0:
return
partition['type'] = "EBR"
partition['no'] = n
partition['start'] += n-1+offset
partitions.append(partition)
a += 1
if __name__ == "__main__":
mbr()
ebr()
os.popen("adb shell su -c 'cp /cache/partition0.bin /sdcard/partition0.bin'").close()
os.popen("adb pull /sdcard/partition0.bin .").close()
for part in partitions:
print "%s %2i, Boot: 0x%02X, Id: 0x%02X, Start: 0x%08X (%8i), Size: 0x%08X (%8i, %8i KB)" % (part['type'], part['no'], part['boot'],part['id'], part['start'], part['start'], part['size'], part['size'], part['size']/2)
Click to expand...
Click to collapse

beginning
thank you for your help,
I currently have the qpst version 2.7 build 373. You think is enough of download the same version of Chinese post QPST.2.7.374.rar
I will begin to download the other files required and I will be commenting my progress.
Thank you so much for your help, i really appreciate that you share you r knowledge.

Requests
While i try some theories if othe users could possibly provide me with :-
Original partition table via script above and also via adb
use
adb and run
Code:
cat /proc/partitions > /sdcard/partitions.txt
fdisk -l /dev/block/mmcblk0 > /sdcard/fdisklist.txt
mount > /sdcard/mountlist.txt
Then on the pc side using ADB again do the following
Code:
adb pull /sdcard/partitions.txt
adb pull /sdcard/fdisklist.txt
adb pull /sdcard/mountlist.txt
and post those files.
there are many posts on it so wont repeat but later will add a link.
along with some spell checks :laugh:
if you can dump the boot loaders from a original e160x too as my data started currupt.
i also need to talk to someone who can assist me in writing a program to take the pit file and turn it into this
Code:
<?xml version="1.0" ?>
<data>
<!--NOTE: Sector size is 512bytes-->
<program file_sector_offset="0" filename="" label="SMD_HDR" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" start_sector="1"/>
<program file_sector_offset="0" filename="sbl1.mbn" label="SBL1" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="65537"/>
<program file_sector_offset="0" filename="sbl2.mbn" label="SBL2" num_partition_sectors="3000" physical_partition_number="0" size_in_KB="1500.0" start_sector="66537"/>
<program file_sector_offset="0" filename="rpm.mbn" label="RPM" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="69559"/>
<program file_sector_offset="0" filename="sbl3.mbn" label="SBL3" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" start_sector="70559"/>
<program file_sector_offset="0" filename="aboot.mbn" label="ABOOT" num_partition_sectors="5000" physical_partition_number="0" size_in_KB="2500.0" start_sector="74655"/>
<program file_sector_offset="0" filename="" label="BOOT" num_partition_sectors="20480" physical_partition_number="0" size_in_KB="10240.0" start_sector="79655"/>
<program file_sector_offset="0" filename="tz.mbn" label="TZ" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="100135"/>
<program file_sector_offset="0" filename="partition0.bin" label="MBR" num_partition_sectors="1" physical_partition_number="0" size_in_KB="0.5" start_sector="0"/>
<program file_sector_offset="1" filename="partition0.bin" label="EXT" num_partition_sectors="22" physical_partition_number="0" size_in_KB="11.0" start_sector="69537"/>
</data>
Click to expand...
Click to collapse
*edit
the partiton0.bin provided below is 8.5kb (.5kb MBR, 8kb EBR) and in raw_program0.xml bove it say 0.5kb and 11kb, making that file 11.5kb, i dont know if the A810 has larger or smaller EBR than us, it could be they pulled extra, in my reading of the dumps i've seen lots of padded 0's after files (between sbl2/ebr/rpm) anyway if you just copy paste it will throw a error, ive got it set at 0.5 and 8.
EDIT:- Do not use this file, ive uploaded newer files later on.
some of the questions i need to answer are :-
1. what is the first partition, it's dos, around 105mb and labled smd_hdr and is filled with smd_hdr.bin (or mbn)
2. what are the real sector locations of the files, above you will see the rawpartiton0.xml file, this tells QPST where in the emmc to put the data num_partiton_sectors does match data from the pit files, but i dont know the real offsets yet, (samsung or htc could put the rest of the partiton table in cpu qfuse data areas and not write it to the emmc to confuse us and write the real files to another location and use the pit file as a base+offset calculation)
start_sector is the real location on the emmc, where it starts writing the file.
at the end is partiton locations(its a generic file containing the first few byes of default partition table, patch0.xml then updates this data), i dont have our device specific figures yet, i also dont fully understand patch0.xml and the difference in figures used.
if we have a backup of each of the different version of android partitons we could just write that in replacement of partiton0.bin and we dont need patch0.xml, this file sole job to alter the generic files, oem's have the choice of changing this data.
Code:
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch byte_offset="506" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
<patch byte_offset="506" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
<patch byte_offset="458" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="16" value="NUM_DISK_SECTORS-1695744." what="Update final partition with actual size."/>
<patch byte_offset="458" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="208816" value="NUM_DISK_SECTORS-1695744." what="Update final partition with actual size."/>
</patches>
Click to expand...
Click to collapse
please note that it's two lines of the same code except one is partition0.bin and the other is DISK,
Do we need both? i know if i dont add the partiton0 section used in raw_program.xml then the drive is blank in linux,
now it's my understanding that the ebr comes as the forth partiton and it point to the next one , above in patch0.xml it start at NUM_DISK_SECTORS-1695744
i am still trying to better understand these figures,
Well time to grab coffee, i guess it's a dev night in.
the file MPRG8660.HEX can be renamed EMMCBLD.HEX and it triggers QPST to always look for a QDLoad mode phone and not debug, you can place all the files you need in one folder, i advise you to keep the originals in one location and only extract what your need to your worrking folder, copy emmcswdowload.exe from the QPST folder there too, we might need to do command line work, ive read that you can pre-create images in emmcswdownload (the same way 8660_msimage.mbn was created ) that you could just drop onto a phone once it's in emmc sd-card mode, almost a one click.

More info, plus help offered
Your welcome tyllerdurdent,
I am going to be putting a few hours into the dev from now actually for if you want assistance then no problems,
I also advise the following, download ubuntu live cd, it has a lot of tools your going to need to extract data you require, if we go step by step we might be good, i did a lot of test writing before i got my first boot, and that again only happens one in 20, i dont know why.
the rawpartiton0.xml above is incorrect for our devices as it states the first partion is 32mb, (i think it's ment to be amss.mbn, or NON-HLOS.mbn , our pit file which i did extract from my emmc dump says it's 105mb. i am confused and to why rawpartiton0.xml says the first bootloader is at start_sector="65537" but fdisk shows it as start 204801, i think someone needs to show me how to convert from blocks to sectors,
in patch0.xml it says
Code:
<patch byte_offset="506" filename="partition0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="0" value="NUM_DISK_SECTORS-208801." what="Update MBR with the length of the EXT Partition."/>
Click to expand...
Click to collapse
208801 is where we have our ebr start,
i also think the IROM based pbl, sbl etc use the partition types in some way, why else have so many types? can any one explain that
this is a fdisk view of what i think our partition table looks like
Code:
Device Boot Start End Blocks Id System
/dev/sdb1 1 204800 102400 c W95 FAT32 (LBA)
/dev/sdb2 * 204801 205800 500 4d QNX4.x
/dev/sdb3 205801 208800 1500 51 OnTrack DM6 Aux1
/dev/sdb4 208801 208801 0 5 Extended
/dev/sdb5 212992 213991 500 47 Unknown
/dev/sdb6 221184 225279 2048 45 Unknown
/dev/sdb7 229376 234375 2500 4c Unknown
/dev/sdb8 237568 258047 10240 48 Unknown
/dev/sdb9 262144 263143 500 46 Unknown
/dev/sdb10 270336 271335 500 5d Unknown
/dev/sdb11 278528 279527 500 91 Unknown
/dev/sdb12 286720 307199 10240 93 Amoeba
/dev/sdb13 311296 511999 100352 c W95 FAT32 (LBA)
/dev/sdb14 516096 522239 3072 4a Unknown
/dev/sdb15 524288 530431 3072 4b Unknown
/dev/sdb16 532480 538623 3072 58 Unknown
/dev/sdb17 540672 741375 100352 8f Unknown
/dev/sdb18 745472 751615 3072 59 Unknown
/dev/sdb19 753664 759807 3072 5a Unknown
/dev/sdb20 761856 29843455 14540800 5b Unknown
/dev/sdb21 770048 790527 10240 ab Darwin boot
/dev/sdb22 794624 815103 10240 60 Unknown
/dev/sdb23 819200 839679 10240 94 Amoeba BBT
/dev/sdb24 843776 3911679 1533952 a5 FreeBSD
/dev/sdb25 3915776 8114175 2099200 a6 OpenBSD
/dev/sdb26 8118272 8736767 309248 a8 Darwin UFS
/dev/sdb27 8740864 9005055 132096 a9 NetBSD
/dev/sdb28 9011200 10035199 512000 95 Unknown
/dev/sdb29 10035200 30777343 10371072 90 Unknown
Oh, download wxdhex or wimlar program, you going to need a hex editor that can load BIG files , 16gb worth

i717-GB-Modem.zip IS THE SAME AS TAR?
i717-GB-Modem.zip 21.35 MB 7 0 2012-06-30 08:45:11
I could not find the i717-gb as tar file but I find it as a zip file. but I'm not sure about thif the contents are correct. Could you check
http://d-h.st/1aP
i717-GB-Modem.zip contents
META-INF
COM
GOOGLE
ANDROID
update-binary
updater-script
TMP
amss.bin
mdm.bin

Blocks and sectors
This may explain it , the different figure in the xml files
Because sectors are logical on the drive (Logical Block Addressing = LBA) you need to convert between LBA and physical (file system) sectors. This is pretty easy to do:
First - get a table of the start and end sectors of the partition table:
Code:
[[email protected] ~]# fdisk -lu /dev/hda
Disk /dev/hda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/hda1 * 63 208844 104391 83 Linux
/dev/hda2 208845 4401809 2096482+ 83 Linux
/dev/hda3 4401810 8482319 2040255 82 Linux swap
/dev/hda4 8482320 234436544 112977112+ 5 Extended
/dev/hda5 8482383 29447144 10482381 83 Linux
/dev/hda6 29447208 50411969 10482381 83 Linux
/dev/hda7 50412033 52516484 1052226 83 Linux
/dev/hda8 52516548 234436544 90959998+ 83 Linux
Use this to determine what partition the bad sector is in. In this case 232962120 is inside the start and end values for /dev/hda5
NOTE: This is in partition 5 - ignore partition 4 as it is the extended partition. Any block from partitions 5 through 8 will also be in partition 4, but you want the real partition, not the extended partition.
Next, calculate the file system block using the formula:
b = (int)((L-S)*512/B)
where:
b = File System block number B = File system block size in bytes (almost always is 4096) L = LBA of bad sector S = Starting sector of partition as shown by fdisk -lu and (int) denotes the integer part.
For example:
The reported sector from the smart log above is 232962120, thus:
((14858312 - 8482383) * 512) / 4096 = 796991.125
^Bad Sec. ^Start Sec. ^Cha Ching! This is the sector!
(Use the block number from the smart test section, not from the smart error log section. They are using different methods of reporting file system vs. physical blocks.)
((BadBLock - StartPartition) * 512) / 4096
You can just paste this into Google as a template
Any fraction left indicates the problem sector is in the mid or latter part of the block (which contains a number of sectors). Ignore the fraction and just use the integer.
Next, use debugfs to locate the inode and then file associated with that sector:
Click to expand...
Click to collapse
[[email protected]]# debugfs
debugfs 1.35 (28-Feb-2004)
debugfs: open /dev/hda5
debugfs: icheck 796991
Block Inode number
796991 <block not found>
debugfs: quit
Ah! It didn't give the inode! It if did, you could have found the file with:
[[email protected]]# debugfs
debugfs 1.35 (28-Feb-2004)
debugfs: open /dev/hda5
debugfs: icheck 796991
Block Inode number
796991 41032
debugfs: ncheck 41032
Inode Pathname
41032 /S1/R/H/714197568-714203359/H-R-714202192-16.gwf
So what the heck? Why no inode? Well, remember how it said the sector might be bad?
Click to expand...
Click to collapse
the above copied from
http://timelordz.com/wiki/SMART_Rewriting_Bad_Sectors
i have a feeling we may need to shift our files (the basic files need to start odin are listed in rawpatch0 above, i dont know if that 100% true but it was the only files i wrote on by first sucess)
also
http://forum.xda-developers.com/showthread.php?p=31843525&postcount=13
in the above link they talk about the header of the qualcomm file
+------------+
|Dbl-preamble|
+------------+
|Dbl-header |
+------------+
|Dbl.bin |
+------------+
Click to expand...
Click to collapse
and
data_ptr = autodetectpage;
*data_ptr = sbl_header.codeword;
data_ptr++;
*data_ptr = sbl_header.magic;
data_ptr++;
*data_ptr = AUTODETECT_PAGE_SIZE_MAGIC_NUM;
Click to expand...
Click to collapse
now i used this in a way to find my bootloaders (i717 by this time, not shve-160l )
and to find the partitons
you will see in a hex editor at the start of each boot loader
something else to think about, my lack of success that last two days to produce a boot could be because my partitons are not clean , thats is to say if i write my sbl1 to 1000, and the trailing 0000 of the partition definition of my 99 block ebr/mbr ends at 999 , if i have dirt data between 999 and 1000 the cpu/pbl my interpret that as code(some of my boots is brick, some are into QDLoad, i have no pattern yet) , something i must test or confirm, or just worry about.

tyllerdurdent said:
i717-GB-Modem.zip 21.35 MB 7 0 2012-06-30 08:45:11
I could not find the i717-gb as tar file but I find it as a zip file. but I'm not sure about thif the contents are correct. Could you check
http://d-h.st/1aP
i717-GB-Modem.zip contents
META-INF
COM
GOOGLE
ANDROID
update-binary
updater-script
TMP
amss.bin
mdm.bin
Click to expand...
Click to collapse
Yes thats correct
updater script btw contains text, binary is the flashing exe i think,
Code:
run_program("/sbin/dd", "if=/tmp/mdm.bin", "of=/dev/block/mmcblk0p17");
run_program("/sbin/dd", "if=/tmp/amss.bin", "of=/dev/block/mmcblk0p13");
Click to expand...
Click to collapse
and a google of a simlar sansung product the skyrocket gives me a simlar pit layout
Device Name Size Part Name ODIN tar file Mount Point
mmcblk0boot0 512KB (empty) n/a (empty partition)
mmcblk0boot1 512KB (empty) n/a (empty partition)
mmcblk0p1 100MB SMD_HDR (partition info)
mmcblk0p2 500KB SBL1 sbl1.mbn
mmcblk0p3 1500KB SBL2 sbl2.mbn
mmcblk0p4 1KB (unnamed partition with '55 AA' MBR signature)
mmcblk0p5 500KB RPM rpm.mbn
mmcblk0p6 2MB SBL3 sbl3.mbn
mmcblk0p7 2500KB ABOOT aboot.mbn
mmcblk0p8 10MB BOOT boot.img
mmcblk0p9 500KB TZ tz.mbn
mmcblk0p10 500KB SSD n/a (empty partition)
mmcblk0p11 500KB PIT celox.pit
mmcblk0p12 10MB PARAM param.lfs
mmcblk0p13 98MB MODEM amss.bin /system/etc/firmware/misc
mmcblk0p14 3MB MSM_ST1 efs.img
mmcblk0p15 3MB MSM_ST2 n/a
mmcblk0p16 3MB MSM_FSG n/a
mmcblk0p17 98MB MDM mdm.bin /system/etc/firmware/misc_mdm
mmcblk0p18 3MB M9K_EFS1 efsclear1.bin
mmcblk0p19 3MB M9K_EFS2 efsclear2.bin
mmcblk0p20 3MB M9K_FSG n/a
mmcblk0p21 10MB DEVENC enc.img.ext4 /efs
mmcblk0p22 10MB RECOVERY recovery.img
mmcblk0p23 3MB FOTA n/a
mmcblk0p24 598MB SYSTEM system.img.ext4 /system
mmcblk0p25 2GB USERDATA userdata.img.ext4 /data
mmcblk0p26 302MB CACHE cache.img.ext4 /cache
mmcblk0p27 129MB TOMBSTONES tomb.img.ext4 /tombstones
mmcblk0p28 11.2GB UMS ums.rfs /mnt/sdcard
Click to expand...
Click to collapse

Other files
contents of the i717 boot loaders i used
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00
Code:
527K Jan 6 2012 aboot.mbn
115K Jan 6 2012 rpm.mbn
72K Jan 6 2012 sbl1.mbn
111K Jan 6 2012 sbl2.mbn
601K Jan 6 2012 sbl3.mbn
117K Jan 6 2012 tz.mbn
other files pulled from
ABOOT_SGH-I717M_I717MUGLA2_user_CL875155_REV00 (no bootloader but all the other system files )

M3Note unlock bootloader manually (apply for other MT67XX and MT65XX soc)

Dear all,
Finally have time to write for the unlock bootloader procedure. I found that search engine (internal / external) might mask new thread, thus for those are urgent need to repair or various reason to unlock bootloader, they might not ahve chance to reach helpful info.
[YOUTUBE]
ps6ngeDPiHc
[/YOUTUBE]
[YOUTUBE]
_9LwOmmF0_s
[/YOUTUBE]
[YOUTUBE]
Gsn8FynWxaU
[/YOUTUBE]
Here are extracted procedure from another thread of mine. Eventually I will remove all unlock bootloader info from the original thread and leave them here.
unlock bootloader manually may apply to many other MT6755 or similar soc can unlock by this way.
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
developemtnt (uncrack procedure) detail is in below.
https://forum.xda-developers.com/m3-note/how-to/m3-note-ported-kernel-source-twrp-3-3-0-t3956911
_AND_
https://github.com/99degree/android_kernel_m3note/tree/m3note_20190813
== Procedure ==
to unlock bootloader, generally the lk have a magic frp partition for security. Either for google suite use, or lk unlock bootloader use. In short, the last dword set to 1 will unlock the bootloader. So you dont have to had a very unfriendly (and possibly not working) tool installed.
if you wanted to know more about the lk and unlock magic, here are the URL, so the myth above can clear. https://github.com/mbskykill/m3note_android_bootable.git
There is a need to check the lk.bin before hand, since unlock bootloader involve "fastboot oem unlock" cmd. so do binary search and see if the string pattern "oem unlock" is appear in the lk.bin itself. if yes, it is likely the lk is capable to unlock. if not, the vendor disable it completely by the source code on purpose. please check the third video for detail idea. one example is m3note intl version, lk does not have "oem unlock", and "boot" cmd is comment out by purpose. that's why the need to install chn version of lk from chn rom that those logic are still available (see some success case is install chn beta rom).
Here are steps to unlock the bootloader.
===YOUR OWN RISK===
(a) make sure lower version (flyme5 ? ) installed
(b) install kingroot(or flyme root, it wont limited to flyme5) to get root
(c) install partitions backup (or other tool)
(d) backup frp partition (need root)
(e) edit with hex tool (hex editor for e.g.)
(f) locate last dword, write 1, save file, write back to frp
(g) reboot and install newer (6.3.0.3A) Chinese version of the rom
(h) optional, step g might fail due to chn/intl (G->A)rom different serial number below script to crack the barrier
http://forum.flymeos.com/thread-38493-1-1.html
(Updated 20191024)
(I)in fastboot mode, do fastboot.exe oem unlock
To garentee the phone is unlocked.
(J)do fastboot boot m3note.img and gets in twrp, format data partition
special notice in step e, the frp modification is shown and highlight clearly in video2 part2, same info is available at first video in 3:39s so please take a look. as well.
special notice in step J, if not doing so, m3note deadloop no matter press any button except power on/off. so in case this case happened, unplug the usb cable and leave it to use up the internal battery power. then vol-down + power button can revive the fastboot env.
then the M3 note is unlocked. please note step h running the said script might have draw back (wipe too much data) such as loss of CDMA MEID (Mobile Equipment Identifier) so do as of
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
technical detail of unlock logic is as below
sec_unlock.c
fastboot_get_unlock_perm {
...
index = partition_get_index(FRP_NAME);
...
size = partition_get_size(index);
unlock_allowed_flag_offset = size - sizeof(unsigned int);
...
}
ok, sizeof(unsigned int) is dword. the offset is (size-1 * dword). so set to 1 means unlock.
Other unlock tutorials:
Meizu E3 bootloader unlock tutorial

WOW mine is L681h version, will it work? any custom rom available for it? TIA

jack dee707 said:
WOW mine is L681h version, will it work? any custom rom available for it? TIA
Click to expand...
Click to collapse
no custom rom atm. Flyme looping at welcoming screen due to an exception of system server.
Mine is intl version, I install chn rom and get v6303 lk and flyme 7, it is Working nicely. For L681h or other model there are many varient. So no garentee. If the chn version rom works on your device, then highly likely this twrp rom works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device driver missing.
Good luck.

99degree said:
no custom rom atm. Flyme looping at welcoming screen due to an exception of system server.
Mine is intl version, I install chn rom and get v6303 lk and flyme 7, it is Working nicely. For L681h or other model there are many varient. So no garentee. If the chn version rom works on your device, then highly likely this twrp rom works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device driver missing.
Good luck.
Click to expand...
Click to collapse
Mine is also global international variant. Is your device L681h version or other? I think you should share this in the flyme forum also , a lot of users are waiting to shift from global to chinese for having flyme 7 but due to bootloader issue none can do it. And please try to make a full youtube video tutorial aswell for all steps, that would be very handy. Thanks a lot.

jack dee707 said:
Mine is also global international variant. Is your device L681h version or other? I think you should share this in the flyme forum also , a lot of users are waiting to shift from global to chinese for having flyme 7 but due to bootloader issue none can do it. And please try to make a full youtube video tutorial aswell for all steps, that would be very handy. Thanks a lot.
Click to expand...
Click to collapse
you had better think in another way round. Rooting method and do the surgery should reference to the method mentioned in http://forum.flymeos.com/thread-38493-1-1.html does. If you have any question about rooting and G version ->A version, you can ask the original author for help, it is for your own good to rescue the phone with proper help. After that, you might consider one step further to unlock bootloader.
It is a bit risky, i had my m3 note as old dev machine so not care. And plz bare in mind L681h model itself already have many variant. So not worth mentioning other model. You can have a check for all variant info by http://deviceinfohw.ru/devices/index.php
As i know, those are mainly category with sm5414 or bq24169 pmic. And the A version supports both as greping keyword found in lk.bin. But other parts i not not sure. Like lens and camera lcm etc. I found no problem with mine.
Once again, i already lost cdma meid with above script as drawback. So do you own risky.
Good luck.

Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed, I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock, you could make a youtube guide on how change the FRP and make the method I think I made a mistake in some passages, or if you want I send you the FRP file and modify it for me and then give it to me but I prefer the first option which I think is better.

XRed_CubeX said:
Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed, I modified the FRP and flashed the modified FRP and Chinese LK but it doesn't let me unlock, you could make a youtube guide on how change the FRP and make the method I think I made a mistake in some passages, or if you want I send you the FRP file and modify it for me and then give it to me but I prefer the first option which I think is better.
Click to expand...
Click to collapse
buddy you are welcome to visit here.
Frank speaking, there might not be always hold true for custom lk by some vendor. Samsung and moto have different lock stretagy. Althrough the code is common for mt67xx, Even I cant garentee for every mt67xx phone from same vendor does use same code piece it used from mtk.
So in your case i can provide more info for you to have a try. First you need to test fastboot boot with your boot.img and see if it works in half way. If there is invalid command, then you might not have chance to do something advance.
Please watch the youtube video above again. I grab the frp partition by hexview in twrp. The modification shown is quite clear at 3:39, the pattern at last is 0001 0000, and hexview skip all 0 pattern block in the middle. please have a check if you still wanna try. Please note different phone, frp size might differ, the above lk code require last dword set to 1 anyway.
Here are some basic info how to view hex code.
Repersenting 1 in double word:
Offset : 00 01 02 03 ...... 0c 0d 0e 0f
Value: 00 00 00 00 ..... 01 00 00 00
Hexview: 0000 0000...... 0001 0000
As above offset 00 and 01 are group together as word. Each group, Least significant bit is on right. So 0001 shown in hexview group as word and same to we want 0001 0000 in dword as 00000001.
So 0x1, as byte 01 00 00 00, as short 0001 0000, as dword 00000001
Hope above helps your way to go further.
(Updated 20191024)
Please refer to top post step i, might missed above step, please do try "fastboot oem unlock" and see if needed to fully unlock the phone. I am not sure, it is too long ago to me.

99degree said:
buddy you are welcome to visit here.
Frank speaking, there might not be always hold true for custom lk by some vendor. Samsung and moto have different lock stretagy. Althrough the code is common for mt67xx, Even I cant garentee for every mt67xx phone from same vendor does use same code piece it used from mtk.
So in your case i can provide more info for you to have a try. First you need to test fastboot boot with your boot.img and see if it works in half way. If there is invalid command, then you might not have chance to do something advance.
Please watch the youtube video above again. I grab the frp partition by hexview in twrp. The modification shown is quite clear at 3:39, the pattern at last is 0001 0000, and hexview skip all 0 pattern block in the middle. please have a check if you still wanna try. Please note different phone, frp size might differ, the above lk code require last dword set to 1 anyway.
Here are some basic info how to view hex code.
Repersenting 1 in double word:
Offset : 00 01 02 03 ...... 0c 0d 0e 0f
Value: 00 00 00 00 ..... 01 00 00 00
Hexview: 0000 0000...... 0001 0000
As above offset 00 and 01 are group together as word. Each group, Least significant bit is on right. So 0001 shown in hexview group as word and same to we want 0001 0000 in dword as 00000001.
So 0x1, as byte 01 00 00 00, as short 0001 0000, as dword 00000001
Hope above helps your way to go further.
(Updated 20191024)
Please refer to top post step i, might missed above step, please do try "fastboot oem unlock" and see if needed to fully unlock the phone. I am not sure, it is too long ago to me.
Click to expand...
Click to collapse
I didn't understand any of these things about HxD and then in the video you don't see that you edit this file, look at what it gives me while I try to boot. If I send you the file, please edit it for me?

So, I modified the FRP file and I hope I did well now I send you the screens, after the flash of this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

XRed_CubeX said:
So, I modified the FRP file and I hope I did well now I send you the screens, after the flash of this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
Click to expand...
Click to collapse
A bit strange, seemed like the lk does not support "oem unlock" and "boot" cmd like the one m3note intl lk version does. please take a look on https://youtu.be/Gsn8FynWxaU video and see if it give you some insight.
all the best.

I saw the video, it's a very interesting thing ...
Now I put the screen to show you what comes to me when I go to HxD. It says that the oem unlock is false, isn't there a way to change it and make it true? maybe doing this I can activate the bootloader unlock.
Do you have telegram? if you can write me [email protected] in private so it's more comfortable.

P.S: I saw the other video and I realized that I was wrong to edit the FRP file.

XRed_CubeX said:
I saw the video, it's a very interesting thing ...
Now I put the screen to show you what comes to me when I go to HxD. It says that the oem unlock is false, isn't there a way to change it and make it true? maybe doing this I can activate the bootloader unlock.
Do you have telegram? if you can write me [email protected] in private so it's more comfortable.
Click to expand...
Click to collapse
Thx for watching. if your search result shows that is the only place of "oem unlock" then sorry i wont have further advice. if your search shows further (either) "oem unlock", "oem-unlock", "oem bootloader-unlock" kind of pattern is available, then you might have chance to go further. aside, you might worth to have a try to download as many as possible for different version (intl, chn, beta as well) of rom of your phone and do the search to all lk.bin, then see if there is any early version have this fastboot cmd.
PS 1, if you wanted to see if there is any optimized logic of the bootloader-boot-chain, then you better go through the source code (or the one similar to your phone).
one of source of info https://github.com/mbskykill/m3note_android_bootable
PS 2, A side note, your frp image is a bit strange and seem not holding real data. FYI frp is mainly used by google/android for its activation and phone lock etc. so wipe it sometimes overcome the "lost password" issue thats why the key to the solution must written to the last dword to avoid frp content overwrite.
all the best.

For the m5c the lk, they are the same and do not come out like you. Isn't there a way to add support manually to unlock?

XRed_CubeX said:
For the m5c the lk, they are the same and do not come out like you. Isn't there a way to add support manually to unlock?
Click to expand...
Click to collapse
Sorry gentleman, modify frp is an indirect method, your through is a right direction. i was tried to disassembly the lk linking library, seclib.a, early this year. Due to my limited knowledge, i cant come up with something new.
In case you are interested to continue, you might need to check the seclib.a binary and see how it goes.
Best wish.

99degree said:
Sorry gentleman, modify frp is an indirect method, your through is a right direction. i was tried to disassembly the lk linking library, seclib.a, early this year. Due to my limited knowledge, i cant come up with something new.
In case you are interested to continue, you might need to check the seclib.a binary and see how it goes.
Best wish.
Click to expand...
Click to collapse
How to exploit with the seclib.a binary?

XRed_CubeX said:
How to exploit with the seclib.a binary?
Click to expand...
Click to collapse
here are some ideas, so please dont put it too seriously.
In lk, compiling source and linking to lk.bin involve seclib.a and this is the supporting lib that contain functions for check unlock status. In cmd_boot function (yes this is coresponding to fastboot boot cmd) call into this lib for that check. Code snippet:
void cmd_boot(const char *arg, void *data, unsigned sz)
{
.....
lock_state = get_unlocked_status();
if (0 == lock_state)
{
fastboot_fail("oem unlock is false");
return;
}
So you can see your boot cmd fail most likely here. Before you decide to do so, please do full text search the code and your lk.bin and see if those text pattern is available.
the checking function is most likely inside the seclib.a, to prove it, i tried to grep all the lk code and find nothing about it. and this seclib.a file missing from the source tree, you can find it somewhere on the web. I believe disassembly a static lib is easier to disassemble a bin, at least static lib have sections by sections and gcc tools are more handy than ida. Hint: mt6797 is an somewhat more open source one. You can get something from linaro website or github. It should be less chance to make change as it is a static library.
Another supporting fact is, when doing oem unlock and flash unlock, lk itself must write something to the mtd(nand chip) to remember the status. Then every bootstrarp, get_unlocked_status can read the status. That should be similar logic to boot from nand chip for reference. So the frp last dword is the permit for manual unlock, and seclib.a is the gatekeeper and check for every boot.
Hope the above can give you some insight.

Yes but I have to procure the seclib for my preloader that is mt6767, and then handling the preloader is dangerous, if the brick, my device could no longer be started in any way!
P.S:And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the command of the oem unlock and unlock it like this.

XRed_CubeX said:
Yes but I have to procure the seclib for my preloader that is mt6767, and then handling the preloader is dangerous, if the brick, my device could no longer be started in any way!
P.S:And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S 2: However for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the command of the oem unlock and unlock it like this.
Click to expand...
Click to collapse
Gentleman, i think you are over-engineered. To disassembly the seclib.a is to get more info about the unlock logic and the condition of unlock, such as where does the oem unlock cmd write to, what value it does write to which partition; or another way, which condition should meet when cmd_boot need; and see if able apply to your phone. Let me raise for example, like the write 1 to frp the last dword, this is exploits should do. I dont think patching the preloader or bootloader is a way to go. They are digitally signed; unlike frp partition, google app and android write to it so it is not digitally signed thus safe to do modification. Of course the rule of thumb is not make any risk on physical damage the phone. Hope this is useful for your further reference.

No, I don't even know how to disassemble and where to start

Difficulty flashing an End of Life Android-based Wall Panel (Kramer KT-1010SC)

So I have a few of these Kramer Panels which aren't supported anymore (The official webpage doesn't have them anymore but the same product here) and I want to wipe out the Kronomeet Software they got going on and install some other flavor of Android (I'm thinking Lineage OS).
To start I got adb and fastboot up and running with Aptitude.
Code:
$ adb --version
Android Debug Bridge version 1.0.41
Version 28.0.2-debian
$ fastboot --version
fastboot version 28.0.2-debian
Connecting fine with adb, and using lsusb we see
Bus 001 Device 037: ID 2207:0011 Fuzhou Rockchip Electronics Company SmartTab
Googling around that name led me to the Rockchip Wiki, which had an article on Fastboot and a bunch of open source repos
https://opensource.rock-chips.com/wiki_Fastboot
Which states: "Rockchip uses 0x2207 as its USB vendor ID. This VID is not in Google's original fastboot code. So every fastboot command has to use "-i" parameter to specify vid to fastboot."
However, running -i on fastboot gives me an invalid option error:
Code:
$ sudo fastboot -i 0x2207 devices
fastboot: invalid option -- 'i'
I also tried downloading the most recent version of the android platform tools with fastboot version 33.0.3-8952118, which gave the same results.
Doing any other fastboot command without the -i just has < waiting for any device >
So essentially, I'm trying to figure out how to load a custom rom onto it, and what my next steps try are.
Other Misc Info I've tried:
In the Developer Settings on the tablet, there's no option to enable "OEM Unlocking"
Tablet doesn't have a power button, just a switch, so no pressing power and volume at the same time.
Rockchip seems to have a TWRP image available to build, which I would like to be able to fastboot flash (https://github.com/rockchip-software/TWRP/tree/android-9.0)
There's also a development tool (https://opensource.rock-chips.com/wiki_Rkdeveloptool) that also lets you load firmware.
Using adb reboot bootloader reboots the tablet to a black empty screen, which I can then communicate with the rkdeveloptool.
In this mode, lsusb returns a new name:
Code:
$ lsusb
Bus 001 Device 038: ID 2207:320a Fuzhou Rockchip Electronics Company RK3288 in Mask ROM mode
$ ./rkdeveloptool ld
DevNo=1 Vid=0x2207,Pid=0x320a,LocationID=106 Loader
$ ./rkdeveloptool ppt
**********Partition Info(parameter)**********
NO LBA Name
00 00002000 uboot
01 00004000 misc
02 00006000 resource
03 0000E000 kernel
04 00016000 boot
05 00026000 recovery
06 00036000 backup
07 00050000 cache
08 00090000 kpanic
09 00092000 system
10 00392000 metadata
11 0039A000 radical_update
12 003BA000 userdata

Found some more useful thread, and am trying to use rkflashkit. But still struggling to find out what .img to use.
Firmware Upgrade Guide For RK3188 RK3288 RK3368 Devices
UPD: Rreflashing guide for linux Host PC added. BEFORE START What you need: 1. Image file 2. Host PC (Windows) 3. USB OTG Cable Supported host OS: 1. Windows XP （32/64bit) 2. Windows 7 (32/64bit) 3. Windows 8 (32/64bit) All manipulations I...
forum.xda-developers.com
[Q] has anyone had success flashing a RK3126 based tablet?
Hello, I've got an irulu X30 (expro 30 plus) running stock firmware, nougat 7.1.2 I've been trying to use rkflashtool in linux and androidtool in windows. Both programs can report some device info and read partitions, the img files created...
forum.xda-developers.com