Question MSM and EDL, UI Recovery flash - Realme 8 Pro

Guess you must be using a special version of QC QFIL to flash the device, or the typical MSM.
In EDL mode, in the current Sahara mode, I was able to get info from the firehose:
We have the SN, MSM HWID and two OEM hashes.
Don't forget that the OEM SecondBootLoader has its version also.
From normal QFIL:
Code:
16:45:48: INFO: Sending <configure>
16:45:48: INFO: TARGET SAID: 'INFO: Binary build date: Dec 19 2019 @ 20:53:50'
16:45:48: INFO: TARGET SAID: 'INFO: Binary build date: Dec 19 2019 @ 20:53:50
'
16:45:48: INFO: TARGET SAID: 'INFO: Chip serial num: Not shown (0xNot Shown)'
16:45:48: INFO: TARGET SAID: 'ERROR: Verifying signature failed with 3'
16:45:48: INFO: TARGET SAID: 'ERROR: Authentication of signed hash failed 0'
Code:
16:45:48: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 49152
16:45:48: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
16:45:48: INFO: Something failed. The target rejected your <configure>. Please inspect log for more information

OK. Here is the deal, a new start from the MSM:
It creates files in C:\temp\MsmDownloadTool\
(Further analysis: https://www.joesandbox.com/analysis/372003/0/pdf)
What is interesting is autoedl.exe (it's an agent to send a phone connected over adb to EDL).
Secondary: the secrecy auto unlocker (SecrecyAutoUnlocker.exe 1.1). Don't know why this is integrated here (OK, for OPPO, like https://www.allaboutflashing.com/oppo-a3s-network-unlock/ ), but I guess no command lines are available... (guess). But I will come back to that if needed...
DramScreenTool.exe is interesting... No feedback...
Available ERROR strings :
ERROR(Please enter for example. DramScreenTool.exe DRAM/EMMC/UFS CID1 CID2 ... )
DRAM.ERROR(CID size)
FAIL.EMMC.UFS.PASS
Mingw runtime failure
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d
Unknown pseudo relocation bit size %d
glob-1.0-mingw32
So this is, I guess, the utility to set the writing position for DRAM or EMMC or UFS; it needs CID 1 and/or CID 2.
CID 1 or DID 2 could be noticeable, like the handshake in Sahara mode when using the correct programmer:
Also the HWID for QLM MSM is noticeable!
For now the Sahara mode is still not documented enough to post quick answers:
Some of the logs with implemented QFIL:
Code:
17:40:40: DEBUG: The command completed successfully.
17:40:40: DEBUG:
17:40:40: DEBUG: User set MaxPayloadSizeToTargetInBytes to 49152
17:40:40: DEBUG: User wants FIREHOSE VERBOSE - Target will log much of what it is doing
17:40:40: DEBUG: User set ZLPAWAREHOST to 1
17:40:40: DEBUG: User wants verify_programming
17:40:40: INFO: User wants to talk to port '\\.\COM3'
17:40:40: DEBUG: port_fd=0xC4
17:40:40: INFO: Took 0.00000000 seconds to open port
17:40:40: INFO: Sorting TAGS to ensure order is <configure>,<erase>, others, <patch>,<power>
17:40:40: INFO: Sending <configure>
17:40:40: DEBUG: CHANNEL DATA (P0000) (H00202) ( 225 bytes) - HOST TO TARGET -->
===========================================================================================================
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<configure MemoryName="ufs" Verbose="1" AlwaysValidate="0" MaxDigestTableSizeInBytes="8192" MaxPayloadSizeToTargetInBytes="49152" ZlpAwareHost="1" SkipStorageInit="0" />
</data>
============================================================================================================
17:40:40: DEBUG: CharsInBuffer=0 Trying to read from USB 8192 bytes
17:40:40: DEBUG: CHANNEL DATA (775 bytes) <-- TARGET to HOST
17:40:40: DEBUG: CharsInBuffer = 775
17:40:40: DEBUG: printBuffer:6017 PRETTYPRINT Buffer is 775 bytes
17:40:40: DEBUG: printBuffer:6094 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
17:40:40: DEBUG: printBuffer:6094 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 .0" encoding="UT
17:40:40: DEBUG: printBuffer:6094 46 2D 38 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C F-8" ?>.<data>.<
17:40:40: DEBUG: printBuffer:6094 6C 6F 67 20 76 61 6C 75 65 3D 22 49 4E 46 4F 3A log value="INFO:
17:40:40: DEBUG: printBuffer:6094 20 42 69 6E 61 72 79 20 62 75 69 6C 64 20 64 61 Binary build da
17:40:40: DEBUG: printBuffer:6094 74 65 3A 20 44 65 63 20 31 39 20 32 30 31 39 20 te: Dec 19 2019
17:40:40: DEBUG: printBuffer:6094 40 20 32 30 3A 35 33 3A 35 30 22 20 2F 3E 3C 2F @ 20:53:50" /></
17:40:40: DEBUG: printBuffer:6094 64 61 74 61 3E 3C 3F 78 6D 6C 20 76 65 72 73 69 data><?xml versi
17:40:40: DEBUG: printBuffer:6094 6F 6E 3D 22 31 2E 30 22 20 65 6E 63 6F 64 69 6E on="1.0" encodin
17:40:40: DEBUG: printBuffer:6094 67 3D 22 55 54 46 2D 38 22 20 3F 3E 0A 3C 64 61 g="UTF-8" ?>.<da
17:40:40: DEBUG: printBuffer:6094 74 61 3E 0A 3C 6C 6F 67 20 76 61 6C 75 65 3D 22 ta>.<log value="
17:40:40: DEBUG: printBuffer:6094 49 4E 46 4F 3A 20 42 69 6E 61 72 79 20 62 75 69 INFO: Binary bui
17:40:40: DEBUG: printBuffer:6094 6C 64 20 64 61 74 65 3A 20 44 65 63 20 31 39 20 ld date: Dec 19
17:40:40: DEBUG: printBuffer:6094 32 30 31 39 20 40 20 32 30 3A 35 33 3A 35 30 0A 2019 @ 20:53:50.
17:40:40: DEBUG: printBuffer:6094 22 20 2F 3E 3C 2F 64 61 74 61 3E 3C 3F 78 6D 6C " /></data><?xml
17:40:40: DEBUG: printBuffer:6094 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 65 version="1.0" e
17:40:40: DEBUG: printBuffer:6094 6E 63 6F 64 69 6E 67 3D 22 55 54 46 2D 38 22 20 ncoding="UTF-8"
17:40:40: DEBUG: printBuffer:6094 3F 3E 0A 3C 64 61 74 61 3E 0A 3C 6C 6F 67 20 76 ?>.<data>.<log v
17:40:40: DEBUG: printBuffer:6094 61 6C 75 65 3D 22 49 4E 46 4F 3A 20 43 68 69 70 alue="INFO: Chip
17:40:40: DEBUG: printBuffer:6094 20 73 65 72 69 61 6C 20 6E 75 6D 3A 20 39 38 31 serial num: 000
17:40:40: DEBUG: printBuffer:6094 38 38 32 32 35 37 20 28 30 78 33 61 38 36 35 35 882000 (0x3xxxxx
17:40:40: DEBUG: printBuffer:6094 39 31 29 22 20 2F 3E 3C 2F 64 61 74 61 3E 3C 3F 91)" /></data><?
17:40:40: DEBUG: printBuffer:6094 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 xml version="1.0
17:40:40: DEBUG: printBuffer:6094 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46 2D " encoding="UTF-
17:40:40: DEBUG: printBuffer:6094 38 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C 6C 6F 8" ?>.<data>.<lo
17:40:40: DEBUG: printBuffer:6094 67 20 76 61 6C 75 65 3D 22 45 52 52 4F 52 3A 20 g value="ERROR:
17:40:40: DEBUG: printBuffer:6094 56 65 72 69 66 79 69 6E 67 20 73 69 67 6E 61 74 Verifying signat
17:40:40: DEBUG: printBuffer:6094 75 72 65 20 66 61 69 6C 65 64 20 77 69 74 68 20 ure failed with
17:40:40: DEBUG: printBuffer:6094 33 22 20 2F 3E 3C 2F 64 61 74 61 3E 3C 3F 78 6D 3" /></data><?xm
17:40:40: DEBUG: printBuffer:6094 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 20 l version="1.0"
17:40:40: DEBUG: printBuffer:6094 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46 2D 38 22 encoding="UTF-8"
17:40:40: DEBUG: printBuffer:6094 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C 6C 6F 67 20 ?>.<data>.<log
17:40:40: DEBUG: printBuffer:6094 76 61 6C 75 65 3D 22 45 52 52 4F 52 3A 20 41 75 value="ERROR: Au
17:40:40: DEBUG: printBuffer:6094 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 6F 66 20 thentication of
17:40:40: DEBUG: printBuffer:6094 73 69 67 6E 65 64 20 68 61 73 68 20 66 61 69 6C signed hash fail
17:40:40: DEBUG: printBuffer:6094 65 64 20 30 22 20 2F 3E 3C 2F 64 61 74 61 3E 3C ed 0" /></data><
17:40:40: DEBUG: printBuffer:6094 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E ?xml version="1.
17:40:40: DEBUG: printBuffer:6094 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46 0" encoding="UTF
17:40:40: DEBUG: printBuffer:6094 2D 38 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C 72 -8" ?>.<data>.<r
17:40:40: DEBUG: printBuffer:6094 65 73 70 6F 6E 73 65 20 76 61 6C 75 65 3D 22 4E esponse value="N
17:40:40: DEBUG: printBuffer:6094 41 4B 22 20 72 61 77 6D 6F 64 65 3D 22 66 61 6C AK" rawmode="fal
17:40:40: DEBUG: printBuffer:6094 73 65 22 20 2F 3E 3C 2F 64 61 74 61 3E 3C 3F 78 se" /></data><?x
17:40:40: DEBUG: printBuffer:6094 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 ml version="1.0"
17:40:40: DEBUG: printBuffer:6094 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 46 2D 38 encoding="UTF-8
17:40:40: DEBUG: printBuffer:6094 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C 6C 6F 67 " ?>.<data>.<log
17:40:40: DEBUG: printBuffer:6094 20 76 61 6C 75 65 3D 22 45 52 52 4F 52 3A 20 46 value="ERROR: F
17:40:40: DEBUG: printBuffer:6094 61 69 6C 65 64 20 74 6F 20 72 65 61 64 20 58 4D ailed to read XM
17:40:40: DEBUG: printBuffer:6094 4C 20 63 6F 6D 6D 61 6E 64 20 2D 31 22 20 2F 3E L command -1" />
17:40:40: DEBUG: printBuffer:6094 3C 2F 64 61 74 61 3E </data>
17:40:40: DEBUG: printBuffer:6107
17:40:40: DEBUG: XML FILE (117 bytes): CharsInBuffer=775-117=658
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: TARGET SAID: 'INFO: Binary build date: Dec 19 2019 @ 20:53:50'
17:40:40: DEBUG: XML FILE (118 bytes): CharsInBuffer=658-118=540
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50
" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: TARGET SAID: 'INFO: Binary build date: Dec 19 2019 @ 20:53:50
17:40:40: DEBUG: XML FILE (115 bytes): CharsInBuffer=540-115=425
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Chip serial num: 9xxxxxx (0xxxxxxxx)" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: TARGET SAID: 'INFO: Chip serial num: 9srgrg7 (0xrhrhrh)'
17:40:40: DEBUG: XML FILE (110 bytes): CharsInBuffer=425-110=315
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Verifying signature failed with 3" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: TARGET SAID: 'ERROR: Verifying signature failed with 3'
17:40:40: DEBUG: XML FILE (115 bytes): CharsInBuffer=315-115=200
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Authentication of signed hash failed 0" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: TARGET SAID: 'ERROR: Authentication of signed hash failed 0'
17:40:40: DEBUG: XML FILE (94 bytes): CharsInBuffer=200-94=106
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" rawmode="false" /></data>
-------------------------------------------------------------------------------------------
17:40:40: INFO: IGNORING UNRECOGNIZED Attribute 'rawmode' with value 'false'
17:40:40: DEBUG: Response was 'NAK'
17:40:40: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 49152
17:40:40: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
17:40:40: INFO: Something failed. The target rejected your <configure>. Please inspect log for more information
For now I am reading the Chinese PDF that is also in the MSM temp folder: MSMDownloadToolSpecificationCHS.pdf
Because I have seen the Qualcomm HS-USB Diagnostics 9006 driver, and this could be the key to the correct Sahara/Firehose implementation and handshake protocol.
The serial port numbers corresponding to the Qualcomm download devices (Qualcomm HS-USB QDLoader 9008, Qualcomm HS-USB Diagnostics 9006) keep increasing.
Open the hidden devices in the device manager as follows:
① Create a new environment variable, the name is devmgr_show_nonpresent_devices, the value is 1, and then open the device manager;
② Device Manager—View—Display hidden devices;
③ Manually delete one by one or use USBDeview.exe to delete selected device drivers in batches.
Till then ...

For now the only thing to bother with is usage of the MSM (pure official) as the only flashing program without any dongle.
As seen on the test executables, the problem is in the executable program in MSM, the DRAM_Screen_Tool_v2.0 or emmcdl.
The second thing is flash boot programmer end provisioning options.
Also the Sahara Download mode.
I have been able to do some magic with emmcdl, but cannot get the correct loader and Sahara mode configuration from the phone; I got things like the SN but was unable to get HASHES and HWIDs.
But after the boot of the flash programmer the device goes into a non-recognisable mode.
For now the problems are with these ERRORS:
Verifying signature failed with 3 and Authentication of signed hash failed 0.
With QFIL and QSaharaServer I'm out of possibilities; if I were able to prepare the stuff with one, all the others could be possible.
Some feedback to share:
Code:
emmcdl -p COM4 -f prog_firehose_ddr.elf -info
Version 2.15
Downloading flash programmer: prog_firehose_ddr.elf
Successfully open flash programmer to write: prog_firehose_ddr.elf
Waiting for flash programmer to boot
Failed to write hello response back to device
Did not receive Sahara hello packet from device
Status: 6 The handle is invalid.
Code:
emmcdl -p COM4 -SkipWrite -SkipStorageInit -f prog_firehose_ddr.elf -x memory_configure.xml
Version 2.15
Downloading flash programmer: prog_firehose_ddr.elf
Successfully open flash programmer to write: prog_firehose_ddr.elf
Waiting for flash programmer to boot
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50" /></data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50
" /></data><?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="INFO: Chip serial num: not shown (0xnot shown)" /></data>
Programming device using SECTOR_SIZE=512
<?xml version = "1.0" ?><data><configure MemoryName="emmc" ZLPAwareHost="1" SkipStorageInit="1" SkipWrite="1" MaxPayloadSizeToTargetInBytes="1048576"/></data>
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Verifying signature failed with 3" /></data>
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Authentication of signed hash failed 0" /></data>
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<response value="NAK" rawmode="false" /></data>
---Target returned NAK---
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Failed to read XML command -1" /></data>
ERROR: No response to configure packet
Status: 21 The device is not ready.
So the configuration is needed, and preservation of QSahara mode, for the successful flash/diagnostics.
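An added example, not part of the original posts and not code from QFIL or emmcdl: the target's reply to `<configure>` in the logs above is several XML documents concatenated in one buffer, and this sketch splits them and separates the errors logged before the `NAK` from those after it. The sample is rebuilt from the decoded XML in the QFIL log with a zero-filled placeholder serial; the function names and the `auth-rejected` label are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the 775-byte target reply from the QFIL log above,
# rebuilt from its decoded XML. The chip serial is a zero-filled placeholder.
_PROLOG = b'<?xml version="1.0" encoding="UTF-8" ?>\n<data>\n'


def _doc(body: bytes) -> bytes:
    return _PROLOG + body + b"</data>"


SAMPLE_REPLY = b"".join([
    _doc(b'<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50" />'),
    _doc(b'<log value="INFO: Binary build date: Dec 19 2019 @ 20:53:50\n" />'),
    _doc(b'<log value="INFO: Chip serial num: 000000000 (0x00000000)" />'),
    _doc(b'<log value="ERROR: Verifying signature failed with 3" />'),
    _doc(b'<log value="ERROR: Authentication of signed hash failed 0" />'),
    _doc(b'<response value="NAK" rawmode="false" />'),
    _doc(b'<log value="ERROR: Failed to read XML command -1" />'),
])


def split_documents(buf: bytes) -> list:
    """Split a receive buffer into the XML documents the target concatenated."""
    starts = [m.start() for m in re.finditer(rb"<\?xml", buf)]
    if not starts or starts[0] != 0:
        raise ValueError("buffer does not start with an XML declaration")
    return [buf[s:e] for s, e in zip(starts, starts[1:] + [len(buf)])]


def parse_reply(buf: bytes) -> dict:
    """Collect log lines and the first <response>, keeping their order."""
    docs = split_documents(buf)
    logs, response, response_index = [], None, None
    for index, doc in enumerate(docs):
        for element in ET.fromstring(doc):
            if element.tag == "log":
                # A newline inside the attribute is normalised by the parser.
                logs.append((index, element.get("value", "").strip()))
            elif element.tag == "response" and response is None:
                response, response_index = element.get("value"), index
    cut = len(docs) if response_index is None else response_index
    errors = [(i, text) for i, text in logs if text.startswith("ERROR:")]
    return {
        "sizes": [len(d) for d in docs],
        "logs": [text for _, text in logs],
        "response": response,
        "errors_before_response": [t for i, t in errors if i < cut],
        "errors_after_response": [t for i, t in errors if i >= cut],
    }


def classify(reply: dict) -> str:
    """Label the outcome of one command from the parsed reply."""
    if reply["response"] is None:
        return "no-response"
    if reply["response"] != "NAK":
        return "accepted"
    cause = " ".join(reply["errors_before_response"]).lower()
    if "signature" in cause or "signed hash" in cause:
        return "auth-rejected"   # NAK preceded by signature/hash verification errors
    return "rejected"


if __name__ == "__main__":
    parsed = parse_reply(SAMPLE_REPLY)
    print(parsed["sizes"], classify(parsed))
    for line in parsed["errors_before_response"]:
        print("cause:", line)
```

The per-document sizes reproduce the `XML FILE (117 bytes)` ... `CharsInBuffer=775-117=658` accounting in the QFIL log, and the `Failed to read XML command -1` line lands after the `NAK`, so it is a follow-on error and not the cause of the rejection.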

Related

[TUT] Flashing Himalaya from SD card

On today's HTC devices, flashing from an SD card is a trivial task: just copy your ROM image to the card and boot it... Unfortunately, with older devices, like the Himalaya for example, it's different - every image to be flashed has to have a special signature, which is individual not only for your device, but... for the given SD card as well!
1. Getting a header.
How to get it? You have to make a backup of your currently flashed ROM. You'll need a USB cable and your device in bootloader mode. Make a backup with the command below:
Code:
password BOOTLOADER
Pass.
USB>d2s
SD:Waiting for card insert.........
CMD3 for SD, it's OK, ready to get RCA from response.
SD:Detected one card
SD:ready for transfer OK
pc->drive.total_lba=F5800
pc->drive.num_heads=0
pc->drive.sec_p_track=0
pc->drive.num_cylinders=0
pc->drive.block_size=200
pc->drive.features=0
pc->drive.RCA=2
pc->drive.drv_type=40000000
pc->drive.securedAreaSize=0
pc->drive.securityDrv=0
pc->drive.busWidth=1
pc->drive.erasedSize=0
Total card size=1EB00000
SDCARDD2S+,cStoragePlatformType=FF
*******************************************************************************************************************************
Store image to SD/MMC card successful.
USB>
Done... but when you try to read this card, it shows it's not written in the sense of a file - it's written sector by sector! Normally you would use ntrw for reading that into a normal file, but it has one major flaw: it dumps the whole card, so if you had a 1GB card, you're going to get a 1GB file... and that's why our beloved itsme wrote a small utility called psdread (and psdwrite, too), which I'm including in this tutorial.
Using this utility you have to read a header first. Assuming your card reader got a letter m: from your system (that's letter I have assigned to my card reader), just type:
Code:
c:\> psdread.exe m: 0 0x19c
so you get something like this:
Code:
00000000: 48 49 4d 41 4c 41 59 41 53 20 20 20 20 20 20 20 HIMALAYAS
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000020: 31 2e 30 36 20 20 20 20 20 20 20 20 20 20 20 20 1.06
00000030: 78 7e a8 50 96 f5 45 3b 13 0d 89 0a 1c db ae 32 x~.P..E;.......2
00000040: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc 1.P..x6..I2..}I.
00000050: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O..D.f.k.0.2;..
00000060: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000070: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc dd 00 4c f2 ,.~...........L.
00000080: 53 41 30 30 e1 dc d6 ae 83 90 49 f1 f1 ff e9 eb SA00......I.....
00000090: b3 a6 db 1e 87 0c 3e 77 24 42 0d 1c 06 b7 47 de .......w$B....G.
000000a0: 6d 12 4d c8 43 2e cb a6 1f 03 5a 7d 09 38 25 1f m.M.C.....Z}.8%.
000000b0: 5d 9f d4 fc 96 f5 45 3b 13 0d 89 0a 1c d3 90 2d ].....E;.......-
000000c0: 48 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 81 49 dc H.P..x6..I2...I.
000000d0: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 3c 84 f2 87 .O..D.f.k.0.....
000000e0: 61 49 d1 4f 0a d8 16 e7 72 e6 bb 12 84 34 a6 77 aI.O....r....4.w
000000f0: 02 37 e4 97 2c 74 cb c9 12 68 33 74 9e ad 87 d5 .7..,t...h3t....
00000100: fa 16 bb 11 ad ae 24 88 79 fe 52 db 25 43 e5 3c ......$.y.R.%C..
00000110: b3 12 4d c8 43 bb 8b a6 1f 03 5a 7d 09 38 25 1f ..M.C.....Z}.8%.
00000120: 5d d4 cb fc 96 f5 45 3b 13 0d 89 0a 1c db ae 32 ].....E;.......2
00000130: 20 9a 50 ee 40 78 36 fd 12 49 32 f6 9e 7d 49 dc ..P..x6..I2..}I.
00000140: ad 4f 14 f2 44 40 66 d0 6b c4 30 b7 32 3b a1 22 .O...D.f.k.0.2;.
00000150: f6 22 91 9d e1 8b 1f da b0 ca 99 02 b9 72 9d 49 .............r.I
00000160: 2c 80 7e c5 99 d5 e9 80 b2 ea c9 cc 53 bf 67 d6 ,.~.........S.g.
00000170: bf 14 d6 7e 2d dc 8e 66 83 ef 57 49 61 ff 69 8f ...~-..f..WIa.i.
00000180: 48 54 43 53 41 30 30 34 30 30 30 30 30 31 46 43 HTCSA004000001FC
00000190: 30 30 30 30 46 45 46 39 46 32 43 44 0000FEF9F2CD
Well, it could be the end of the first part of this tutorial, but let's make a full backup file. Let's take a look at the end of this block:
Code:
HTCS A0040000 01FC0000 FEF9F2CD
where:
A0040000 - location of your OS image in a device
01FC0000 - size of the actual OS (decimal 33292288 bytes)
FEF9F2CD - checksum
At the very end of the ROM image there are 4 more bytes (HTCE), so the size of the whole image would be: 19C + 1FC0000 + 4 = 0x1FC01A0 bytes total.
Now you can make your backup image with the following command:
Code:
c:\> psdread.exe m: 0 0x1FC01A0 os.img
While the header itself (needed for the next steps of this tutorial) will be created with:
Code:
c:\> psdread.exe m: 0 0x19c header.img
2. Getting a bare OS.nb file
While in today's kitchens a bare OS.nb file is normal, you probably haven't even seen this file... so how to get it?
A normal ROM image is in the nk.nbf file, which is the XOR-encoded actual image. Decode it with:
Code:
c:\> xda2nbftool.exe -x nk.nbf nk.nba 0x20040304
so you have nk.nba file now. You can dismantle it now with:
Code:
c:\> dump.exe -o 0x40040 -l 0x1FC0000 nk.nba os.nb
and you have your OS.nb
3. Making a flashing ready image file.
Putting this all to a final file is trivial... it's just our header + OS.nb:
Code:
c:\> type header.img > SD_img.img
c:\> type OS.nb >> SD_img.img
And in the end you get SD_img.img file, which you can transfer to your SD card with:
Code:
c:\> psdwrite m: SD_img.img
I'd like to recommend using some good hexeditor.. I recommend you really great freeware one, called HxD (you can get it here). It can even operate on disk images and disks themselves.
4. Flashing your device.
Well, this will be the most tough part...
Well, not really
Turn off your Himalaya (really! the best would be to put out your battery), put your SD card in and turn it on. It will display a message: "press power to flash". Just press the power button and wait until it finishes. YOU CAN'T ABORT THE PROCESS, DON'T TOUCH IT! GO AND MAKE YOURSELF A COFFEE OR TEA OR GO FOR A SMOKE!!!
and... that's it
happy flashing!
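An added example, not part of the tutorial and not one of its tools: the last 0x1C bytes of the 0x19c header are ASCII text (`HTCS` plus three 8-character hex fields), so the length to pass to psdread and the expected OS.nb size can be derived and checked before anything is written to the card. The sample header copies the text rows of the dump above and zero-fills the signature area; the field names, function names and the "device"/"version" labels are assumptions made here.

```python
import string

HEADER_LEN = 0x19C      # header size used in the tutorial
TAG_OFFSET = 0x180      # "HTCS" followed by three 8-character ASCII hex fields
TRAILER = b"HTCE"       # the 4 bytes that follow the OS image on the card


def sample_header() -> bytes:
    """Constructed header: text rows from the tutorial's dump, signature zeroed."""
    hdr = bytearray(HEADER_LEN)
    hdr[0x00:0x10] = b"HIMALAYAS".ljust(16)
    hdr[0x10:0x20] = b"0" * 16
    hdr[0x20:0x30] = b"1.06".ljust(16)
    hdr[TAG_OFFSET:HEADER_LEN] = b"HTCSA004000001FC0000FEF9F2CD"
    return bytes(hdr)


def _hex_field(raw: bytes, name: str) -> int:
    """Decode one 8-character ASCII hex field, rejecting anything else."""
    text = raw.decode("ascii", "replace")
    if len(text) != 8 or any(c not in string.hexdigits for c in text):
        raise ValueError(f"{name} is not 8 ASCII hex digits: {raw!r}")
    return int(text, 16)


def parse_header(hdr: bytes) -> dict:
    """Parse the trailing HTCS block of a header read with psdread."""
    if len(hdr) != HEADER_LEN:
        raise ValueError(f"expected {HEADER_LEN:#x} bytes, got {len(hdr):#x}")
    tail = hdr[TAG_OFFSET:]
    if tail[:4] != b"HTCS":
        raise ValueError("HTCS tag not found at offset 0x180")
    size = _hex_field(tail[12:20], "size")
    return {
        "device": hdr[0x00:0x10].decode("ascii", "replace").strip(),
        "version": hdr[0x20:0x30].decode("ascii", "replace").strip(),
        "address": _hex_field(tail[4:12], "address"),    # OS location in the device
        "size": size,                                    # size of the OS image
        "checksum": _hex_field(tail[20:28], "checksum"),
        # header + OS image + trailing "HTCE", as computed in the tutorial
        "backup_length": HEADER_LEN + size + len(TRAILER),
    }


def os_image_matches(fields: dict, os_nb_length: int) -> bool:
    """True when OS.nb is exactly as long as the header says the OS is."""
    return os_nb_length == fields["size"]


if __name__ == "__main__":
    info = parse_header(sample_header())
    print(info["device"], info["version"])
    print(f"psdread length: {info['backup_length']:#x}")
    print("OS.nb of 0x1FC0000 bytes fits:", os_image_matches(info, 0x1FC0000))
```

The checksum is only decoded, not recomputed, because the tutorial does not say how it is calculated.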
......
good work very thank's
Flashing Himalaya from SD card- Many thanks "utak3r"
At last !!!!!!!!!
u r my saviour ........
Many Many Thanks for the steps......
I have been asking and waiting for a proper procedure to flash from SD card, especially for xda2.
I will give it a try and see if I succeed.
Well, actually my USB is broken; that is the reason I am looking to flash from SD card.
In that case, can anyone post the latest stable ROM which is already ready to flash from SD card?
Should the same SD card be used?
Will it not work if I copy the SD image to a different SD card and flash it?
Many thanks utak3r
WOW!!! amazing tut
Stickied it!
gopi159 said:
should the same SD card should be used ?
will it not work if I copy the SD image to a different SD card and flash it?
As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
i cant understand all this
can you explain how to flash a new rom with a sd card only without cable
abdelamine said:
i cant understand all this
can you explain how to flash a new rom with a sd card only without cable
You can do it only if you have this header I'm talking above. If you don't have it - no flashing, unfortunately.
Flashing from SD card
How long time to be need it for flashing from SD card?
did we can charging battery while flashing from SD Card?
because we have old device with a short period of prodigal battery condition
Well, I can't remember it now, but it's faster than flashing through a cable. It shouldn't be longer than 20 minutes AFAIR.
And no, there's no charging while in this mode...
utak3r said:
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
I wish You luck in this task!
I think, that there must be the way to generate SD header information.
And thanx for such good tutorial - now I can make SDImage without using of sdtool.pl
Avis said:
I wish You luck in this task!
I think, that there must be the way to generate SD header information.
well, thanks
As for now I can dump ROM, but with my way, so it doesn't contain this header... it has to be generated by bootloader. So probably I'll end with decompiling a bootloader code
HOW CAN I write password BOOTLOADER and where
hi utak3r,
on the first part of the tutorial, how can we get this header?
where can we actually put this code? is it on command prompt or on device?
thanks...
got it.. use hyperterminal...
abdelamine said:
HOW CAN I write password BOOTLOADER and where
while you're in bootloader mode connect with your hima with mtty... and that's where you can issue various commands.
easy
any have easy tool..????
my usb connector is really broken, is there any solution to do it without using a pc and usb connection?
thanks
You have Vista, XP???
same question
& i have xp & vista
utak3r said:
As I said it in this tut - the header is unique for every device and every SD card, so... no, you can't download some image and flash it, sorry. Your bootloader will say: "not allowed" and that's it.
I'm working now on getting this header from a device without a cable - will I succeed? I don't know, last time I tried (about 2 years ago) I failed...
Is every header really unique? Let us say there are 1000 Himas, so are there 1000 different headers?
If the answer is no, maybe we can flash the device using only our SD card without the help of a USB connection. Someone may post their ready-made file, then try to flash it; if it fails, try another.
I just want to find a possibility because my USB connection is broken too.
you can go and try to collect few headers... but I really doubt

[Q] [IN DEVELOPMENT] Boot Loader downloader/uploader aka MotoGenius

Hi there.
I am working on a program that can get and upload (flash) the Boot Loader in bin format from Milestone and Droid devices.
Right now I have following working commands:
- connect to device
- send commands to device
- flash Boot Loader from specific address (partial flash)
- upload Boot Loader binary to device
What is not finished yet:
- get Boot Loader from device
- save Boot Loader
- cosmetic details
A screenshot will be here today (or a link to it, as it seems that I cannot upload a picture)
Any suggestion is very welcome.
Cheers
EDIT: Screenshot added (I can upload, sorry for the confusion)
Good work, looking forward to seeing the final results.
Sent from my Droid using XDA App
I am getting the loader, but somehow in the middle of the process the phone freezes... lol
Must investigate some debug code.
Sent from my Milestone using XDA App
Code:
RQVN
Code:
02 52 53 56 4e 1e 30 30 30 36 30 36 30 31 46 46
30 30 39 30 37 38 2c 30 30 30 36 30 36 30 31 46
46 30 30 39 30 37 38 2c 46 46 46 46 46 46 46 46
46 46 46 46 46 46 46 46 03
Code:
RQHV
Code:
01FF009078FFFFFF
Code:
RSVN
Code:
00060601FF009078
00060601FF009078
FFFFFFFFFFFFFFFF
Anyway, I think that the problem is in the p2kmoto drivers or in the USB libs, not in my code or in ezxflash (well, it is pretty old, but anyway...)

Why is it 52 bytes?

I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? Thanks.
According to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
quywz said:
I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? Thanks.
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
dark_knight35 said:
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
No, according to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
quywz said:
I have searched a lot of threads which write "busybox dd if=/system/framework/xxxx.odex of=/data/local/tmp/odex/xxx.odex bs=1 count=20 skip=52 seek=52 conv=notrunc". According to the http://source.android.com document (odex/dex format), the signature doesn't start at 0x34!
Why? How is 52 bytes (0x34) calculated? Thanks.
According to the dex/odex format ( http://source.android.com ), the signature should start at 0x0c, not 0x34, so skip=52 seek=52 should be skip=12 seek=12. But lots of threads write 52 bytes, so I don't understand.
Indeed, this is an interesting question. With the 8 "magic" bytes and the 4 bytes of the checksum, the signature should begin at 12 (0x0c), not 52.
Maybe this is related to the .odex format. I was only able to find documentation for the .dex format, and maybe the optimization process adds 40 bytes at the beginning of the file. I'll try to look into the source code, but if someone has the answer, I'll be glad to hear it as well.
EDIT : Found in libdex/DexFile.h
Code:
/*
* Header added by DEX optimization pass. Values are always written in
* local byte and structure padding. The first field (magic + version)
* is guaranteed to be present and directly readable for all expected
* compiler configurations; the rest is version-dependent.
*
* Try to keep this simple and fixed-size.
*/
struct DexOptHeader {
u1 magic[8]; /* includes version number */
u4 dexOffset; /* file offset of DEX header */
u4 dexLength;
u4 depsOffset; /* offset of optimized DEX dependency table */
u4 depsLength;
u4 optOffset; /* file offset of optimized data tables */
u4 optLength;
u4 flags; /* some info flags */
u4 checksum; /* adler32 checksum covering deps/opt */
/* pad for 64-bit alignment if necessary */
};
This additional header for optimized .dex files (.odex) is indeed 40 bytes-long.
Einril said:
Indeed, this is an interesting question. With the 8 "magic" bytes and the 4 bytes of the checksum, the signature should begin at 12 (0x0c), not 52.
Maybe this is related to the .odex format. I was only able to find documentation for the .dex format, and maybe the optimization process adds 40 bytes at the beginning of the file. I'll try to look into the source code, but if someone has the answer, I'll be glad to hear it as well.
EDIT : Found in libdex/DexFile.h
Code:
/*
* Header added by DEX optimization pass. Values are always written in
* local byte and structure padding. The first field (magic + version)
* is guaranteed to be present and directly readable for all expected
* compiler configurations; the rest is version-dependent.
*
* Try to keep this simple and fixed-size.
*/
struct DexOptHeader {
u1 magic[8]; /* includes version number */
u4 dexOffset; /* file offset of DEX header */
u4 dexLength;
u4 depsOffset; /* offset of optimized DEX dependency table */
u4 depsLength;
u4 optOffset; /* file offset of optimized data tables */
u4 optLength;
u4 flags; /* some info flags */
u4 checksum; /* adler32 checksum covering deps/opt */
/* pad for 64-bit alignment if necessary */
};
This additional header for optimized .dex files (.odex) is indeed 40 bytes-long.
struct DexOptHeader is 40 bytes long, but already includes magic + checksum. Please look at dexOffset, which is the file offset of the DEX header, and depsOffset, which is the offset of the optimized DEX dependency table. So maybe the position of the signature is magic + checksum + dexOffset + depsOffset, right?
Maybe dexOffset and depsOffset have different values depending on the device model.
I copied a 40-byte header from classes.dex (836KB).
Code:
64 65 78 0a 30 33 35 00 a1 f6 7a 1b e6 a3 fb 35
5b d5 66 72 b8 33 36 3a 40 a1 4b ea 40 2f d3 fc
58 0e 0d 00 70 00 00 00
But in the Dalvik Executable Format document, the dex header is 112 bytes.
According to struct DexOptHeader, checksum = 0x70. dexOffset is so large! depsOffset is large too!
DexOptHeader seems unused.
quywz said:
I copied a 40-byte header from classes.dex (836 KB).
Code:
64 65 78 0a 30 33 35 00 a1 f6 7a 1b e6 a3 fb 35
5b d5 66 72 b8 33 36 3a 40 a1 4b ea 40 2f d3 fc
58 0e 0d 00 70 00 00 00
But in the Dalvik Executable Format document, the dex header is 112 bytes.
According to struct DexOptHeader, checksum = 0x70. dexOffset is so large! depsOffset is large too!
DexOptHeader seems unused.
Actually, you're looking at a .dex file header, not a .odex file header, so I'm not sure what you're looking for. Here there is no dexOffset, nor depsOffset, and the checksum is "a1 f6 7a 1b".
For the magic bytes + checksum, maybe these are redundant, and the optimization process only adds a 40-byte header without altering the old one.
To be sure, we would need to look into a .odex file header.
EDIT : Here are the 0x40 first bytes of systemUI.odex
Code:
000000 64 65 79 0A 30 33 36 00 28 00 00 00 58 57 09 00
000010 80 57 09 00 C0 02 00 00 40 5A 09 00 38 16 01 00
000020 00 00 00 00 A2 E1 D9 FA 64 65 78 0A 30 33 35 00
000030 E9 5F F1 ED B3 06 98 D7 80 5D 7D EF 63 7B D7 23
000040 5D 79 05 67 EF 1B 35 E7 58 57 09 00 70 00 00 00
We can see that there are indeed two sets of magic bytes, one beginning at 0 (the .odex magic bytes), and one beginning at 40 bytes (the .dex magic bytes).
As a side note, dexOffset is indeed 0x28 (40).
Einril said:
Actually, you're looking at a .dex file header, not a .odex file header, so I'm not sure what you're looking for. Here there is no dexOffset, nor depsOffset, and the checksum is "a1 f6 7a 1b".
For the magic bytes + checksum, maybe these are redundant, and the optimization process only adds a 40-byte header without altering the old one.
To be sure, we would need to look into a .odex file header.
EDIT : Here are the 0x40 first bytes of systemUI.odex
Code:
000000 64 65 79 0A 30 33 36 00 28 00 00 00 58 57 09 00
000010 80 57 09 00 C0 02 00 00 40 5A 09 00 38 16 01 00
000020 00 00 00 00 A2 E1 D9 FA 64 65 78 0A 30 33 35 00
000030 E9 5F F1 ED B3 06 98 D7 80 5D 7D EF 63 7B D7 23
000040 5D 79 05 67 EF 1B 35 E7 58 57 09 00 70 00 00 00
We can see that there are indeed two sets of magic bytes, one beginning at 0 (the .odex magic bytes), and one beginning at 40 bytes (the .dex magic bytes).
As a side note, dexOffset is indeed 0x28 (40).
Right.
Thanks for your libdex/DexFile.h.
Pls take note that dexOffset is the file offset of the DEX header. Referring to the original android.policy.odex, I guess the odex header format is DexOptHeader + dex's header. Now, the signature position is dexOffset + magic (dex's magic) + checksum (dex's checksum). Viewing the original android.policy.odex, we find the dexOffset value is 0x28, so signature = 0x28 + 0x8 + 0x4 = 0x34.
quywz said:
Right.
Thanks for your libdex/DexFile.h.
Pls take note that dexOffset is the file offset of the DEX header. Referring to the original android.policy.odex, I guess the odex header format is DexOptHeader + dex's header. Now, the signature position is dexOffset + magic (dex's magic) + checksum (dex's checksum). Viewing the original android.policy.odex, we find the dexOffset value is 0x28, so signature = 0x28 + 0x8 + 0x4 = 0x34.
Exactly. When optimizing a .dex file, the process adds the DexOptHeader at the beginning of the file. Thus, the resulting header is DexOptHeader + DexHeader (DexHeader beginning at 0x28), and the new position of the signature is 0x34 = 52 bytes.
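The layout the thread arrives at (DexOptHeader followed by the DEX header, signature at dexOffset + 8 + 4), as an added example that is not part of the original posts: it parses the two header dumps quoted above and bounds-checks dexOffset before using it. The function names, the little-endian assumption and the consistency checks are choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ODEX_HDR_SIZE 40u  /* size of struct DexOptHeader as quoted in the thread */
#define DEX_SIG_REL   12u  /* DEX magic (8) + adler32 checksum (4) */
#define DEX_SIG_LEN   20u  /* SHA-1 signature */
#define DEX_FSIZE_REL 32u  /* DEX file_size field follows the signature */

typedef struct {
    uint32_t dex_offset, dex_length;
    uint32_t deps_offset, deps_length;
    uint32_t opt_offset, opt_length;
    uint32_t flags, checksum;
} OdexHeader;

/* First 0x50 bytes of systemUI.odex, copied from the hex dump in the thread. */
static const uint8_t SAMPLE_ODEX[0x50] = {
    0x64,0x65,0x79,0x0A,0x30,0x33,0x36,0x00,0x28,0x00,0x00,0x00,0x58,0x57,0x09,0x00,
    0x80,0x57,0x09,0x00,0xC0,0x02,0x00,0x00,0x40,0x5A,0x09,0x00,0x38,0x16,0x01,0x00,
    0x00,0x00,0x00,0x00,0xA2,0xE1,0xD9,0xFA,0x64,0x65,0x78,0x0A,0x30,0x33,0x35,0x00,
    0xE9,0x5F,0xF1,0xED,0xB3,0x06,0x98,0xD7,0x80,0x5D,0x7D,0xEF,0x63,0x7B,0xD7,0x23,
    0x5D,0x79,0x05,0x67,0xEF,0x1B,0x35,0xE7,0x58,0x57,0x09,0x00,0x70,0x00,0x00,0x00
};

/* First 40 bytes of the plain classes.dex posted in the thread. */
static const uint8_t SAMPLE_DEX[40] = {
    0x64,0x65,0x78,0x0A,0x30,0x33,0x35,0x00,0xA1,0xF6,0x7A,0x1B,0xE6,0xA3,0xFB,0x35,
    0x5B,0xD5,0x66,0x72,0xB8,0x33,0x36,0x3A,0x40,0xA1,0x4B,0xEA,0x40,0x2F,0xD3,0xFC,
    0x58,0x0E,0x0D,0x00,0x70,0x00,0x00,0x00
};

/* Assumption: fields are little-endian, the byte order seen in both dumps. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the 40-byte DexOptHeader. Returns 0 on success, -1 if buf is not an .odex. */
static int parse_odex_header(const uint8_t *buf, size_t len, OdexHeader *h) {
    if (len < ODEX_HDR_SIZE || memcmp(buf, "dey\n", 4) != 0)
        return -1;
    h->dex_offset  = rd_le32(buf + 8);
    h->dex_length  = rd_le32(buf + 12);
    h->deps_offset = rd_le32(buf + 16);
    h->deps_length = rd_le32(buf + 20);
    h->opt_offset  = rd_le32(buf + 24);
    h->opt_length  = rd_le32(buf + 28);
    h->flags       = rd_le32(buf + 32);
    h->checksum    = rd_le32(buf + 36);
    return 0;
}

/* File offset of the SHA-1 signature for a .dex or an .odex buffer,
 * or -1 if the buffer is truncated or the magic bytes do not match. */
static long dex_signature_offset(const uint8_t *buf, size_t len) {
    OdexHeader h;
    size_t base = 0;                       /* plain .dex: header starts at 0 */
    if (parse_odex_header(buf, len, &h) == 0) {
        base = h.dex_offset;               /* untrusted value read from the file */
        if (base < ODEX_HDR_SIZE || base > len)
            return -1;
    }
    if (len - base < DEX_SIG_REL + DEX_SIG_LEN)
        return -1;
    if (memcmp(buf + base, "dex\n", 4) != 0)
        return -1;
    return (long)(base + DEX_SIG_REL);
}

/* Sanity checks chosen for this example: the embedded DEX's own file_size
 * equals dexLength, and the DEX, deps and opt regions do not overlap. */
static int odex_layout_consistent(const uint8_t *buf, size_t len) {
    OdexHeader h;
    if (parse_odex_header(buf, len, &h) != 0 || dex_signature_offset(buf, len) < 0)
        return 0;
    if (len - h.dex_offset < DEX_FSIZE_REL + 4)
        return 0;
    uint32_t dex_file_size = rd_le32(buf + h.dex_offset + DEX_FSIZE_REL);
    uint64_t dex_end  = (uint64_t)h.dex_offset + h.dex_length;
    uint64_t deps_end = (uint64_t)h.deps_offset + h.deps_length;
    return dex_file_size == h.dex_length &&
           dex_end <= h.deps_offset && deps_end <= h.opt_offset;
}

int main(void) {
    printf("odex signature offset: 0x%lx\n",
           (unsigned long)dex_signature_offset(SAMPLE_ODEX, sizeof SAMPLE_ODEX));
    printf("dex  signature offset: 0x%lx\n",
           (unsigned long)dex_signature_offset(SAMPLE_DEX, sizeof SAMPLE_DEX));
    printf("odex layout consistent: %d\n",
           odex_layout_consistent(SAMPLE_ODEX, sizeof SAMPLE_ODEX));
    return 0;
}
```

In the systemUI.odex sample, dexLength (0x095758) matches the file_size field of the embedded DEX header, and each region ends exactly where the next begins.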
Einril said:
Exactly. When optimizing a .dex file, the process adds the DexOptHeader at the beginning of the file. Thus, the resulting header is DexOptHeader + DexHeader (DexHeader beginning at 0x28), and the new position of the signature is 0x34 = 52 bytes.
THX.
Next topic. If you have time, pls help http://forum.xda-developers.com/showthread.php?p=41254960#post41254960 :)
dark_knight35 said:
Did I understand you right that you want to know how 0x34 can be 52? Well, it's a hexadecimal number. Strike the '0x'(not part of the number) out and you have '34'. Hexadecimal is base 16, so it's:
4*16^0=4 and 3*16^1=48, together it makes 52.
If you have time, pls help http://forum.xda-developers.com/show...#post41254960 :)
thx.

Xperia v hard brick recovery

THIS TUTORIAL IS ONLY FOR HARD BRICKED DEVICES.
HARD BRICK MEANS NO FLASHMODE AND NO FASTBOOT.
IN ORDER TO PROCEED DISASSEMBLY OF YOUR DEVICE IS REQUIRED.
IF YOU HAVE WARRANTY, STOP READING THIS, GO TO THE SONY SERVICE AND PLAY STUPID.
AS AFTER OPENING YOUR DEVICE, YOUR WARRANTY IS 100% VOID.
I AM NOT RESPONSIBLE FOR ANY DAMAGE.
YOU'VE BEEN WARNED.
you need to write back original security units.
this is only possible, if you do have original trim area backup.
you can make it this way:
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
and you can use this way.
Let's get started.
1. Download HARD BRICK RECOVERY & ggsetup :
Code:
http://www.mediafire.com/download/cqk9sl2ec56c65j/ggsetup-3.0.0.7.zip
http://www.mediafire.com/download/d0c01h9i9biqxc7/HARD+BRICK+RECOVERY.zip
2. Install ggsetup-3.0.0.7.exe
3. Open the back cover of your device.
4. Find the test point (See attachments).
5. Disconnect a battery, connect a usb cable. LED RED will start to blink.
6. Using the paper clip connect your test point with the GND. I used the metal shield in the middle of the motherboard.
7. Open the device manager, you should see SEMC Flash Device. If no, you did something wrong.
8. Disconnect your phone from computer.
9. Repeat step 5.
10. Run the s1tool and select S1 EMERGENCY MODE for the phone type.
11. Press the flash button, and choose the repair script file for your device.
12. Press testpoint ready and repeat step 6.
13. Remove the testpoint and press READY when the program asks you to do so.
14. Press the flash button, and choose the APP & FSP file for your device.
15. Press testpoint ready and repeat step 6.
16. Remove the testpoint and press READY when the program asks you to do so.
17. If the flash was successful, you may disconnect your phone from USB, connect your battery and try to boot. You may have to charge your battery.
18. Now you must root the phone and restore the full trim area backup.
P.S.
I was not able to flash on Windows 8 64-bit, but I flashed without problems on 7.
I would like to thank:
http://forum.xda-developers.com/member.php?u=3665957 for making the software.
http://forum.xda-developers.com/member.php?u=3508509 for text.
The HARD BRICK RECOVERY package also contains some other things:
1. XperiFirm_2.5 → to download the FILE of the ROM.
2. ma3d.exe → to make APP & FSP from the FILE (you have it when you download the package).
3. DooMLoRD_Easy-Rooting-Toolkit_v18_perf-event-exploit → to root your phone.
4. Backup-TA-9.11 → to restore your original TA backup after your phone starts and works normally.
Amazing. Unfortunately I have hard bricked V.
So to unbrick my sxv I just need script made from TA backup?
Nice to see so useful info. :good: Thanks for TestPoint location.
Here is my TA backup.
View attachment TA-backup-20131114.094208.zip
ElArchibald said:
Amazing. Unfortunately I have hard bricked V.
So to unbrick my sxv I just need script made from TA backup?
Nice to see so useful info. :good: Thanks for TestPoint location.
Here is my TA backup.
View attachment 2982634
I have just told him, so plz wait until he makes it for you.
here is script, however it is very easy to make script yourself :
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
Just a question, if there is no TA Backup, we can't restore phone?
nope, this is not possible.
at least for now.
I didn't brick my XV right now
I just forgot to backup TA before unlocking bootloader, I'm just thinking about a backup for ultra emergency situations
Can I somehow take backup now?
Aria.A97 said:
I didn't brick my XV right now
I just forgot to backup TA before unlocking bootloader, I'm just thinking about a backup for ultra emergency situations
Can I somehow take backup now?
You can make a backup but it will not contain DRM keys as you have unlocked the bootloader.
You can back up via Backup TA v9.11, or use FlashTool (File > Switch Pro then Advanced > Trim Area > Backup). You can also make an S1 Dump (Advanced > Trim Area > S1 Dump); I think an S1 Dump can be used in an *.ftf file since it has a *.ta extension.
ElArchibald said:
You can make a backup but it will not contain DRM keys as you have unlocked the bootloader.
You can back up via Backup TA v9.11, or use FlashTool (File > Switch Pro then Advanced > Trim Area > Backup). You can also make an S1 Dump (Advanced > Trim Area > S1 Dump); I think an S1 Dump can be used in an *.ftf file since it has a *.ta extension.
OK. Thanks. I backed up with TA Backup on Carbon ROM (BTW F*** those DRM keys, I never use Sony Stock ROMs, I flashed CM 10.2 just 6 hours after buying my phone, at 3:35 A.M.)
BTW what's the difference between FlashTool & making an S1 Dump and just backing up with TA Backup?
Aria.A97 said:
OK. Thanks. I backed up with TA Backup on Carbon ROM (BTW F*** those DRM keys, I never use Sony Stock ROMs, I flashed CM 10.2 just 6 hours after buying my phone, at 3:35 A.M.)
BTW what's the difference between FlashTool & making an S1 Dump and just backing up with TA Backup?
No difference between TA Backup and FlashTool, they make raw TA partition dump.
S1 Dump makes flashable *.ta file which can be added into FTF bundle.
Example: Part of the contents of my S1 dump.
sony v hard brick
Hi everybody,
Special thanks to the friend with the good information. I have rooted my Sony Xperia V with no problem. After that I tried to make 2 partitions on the SD card, and my Sony went into a boot loop. While the device was booting I disconnected the battery to take out the SD card and put it back to 1 partition. My Sony did not start again: no power on, no response to the charger, to the computer, or to flash tools, completely dead.
I used your site's information but I don't get the blinking LED. When I try to connect to the PC, the PC hangs and there is no response. Please help me repair my device.
Thanks
the_laser said:
here is script, however it is very easy to make script yourself : View attachment 2983316
using winhex save all unit data as "hex ascii" and add command
Code:
tawrite:0002<unit number, 4 hex digits><unit data>
you need to find and prepare like this 3 critical units : 07D3, 07DA, 0851
then copy result units into file with extension .gdfs and zip it into file with extension .SIN_FILE_SET
I tried to repair the phone, but something seems wrong. It won't start the flashing process.
Phone is recognized as ZEUS Flash Device (USB\VID_05C6&PID_9008&REV_0000) when I connect the testpoint.
After these steps
10. Run the s1tool and select S1 EMERGENCY MODE for the phone type.
11. Press the flash button, and choose the repair script file for your device.
12. Press testpoint ready and repeat step 6.
13. Remove the testpoint and press READY when the program asks you to do so.
Device recognized as SOMC Flash Device (USB\VID_0FCE&PID_ADDE&REV_0100)
Here is the S1Tool log:
Code:
29.10.2014 14:56:50 Welcome to S1 tool.
29.10.2014 14:56:50 That is small and crippled subset of SETOOL2 service tool.
29.10.2014 14:57:10
29.10.2014 14:57:10 SELECT FIRMWARE PACKAGES
29.10.2014 14:57:10 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:57:13 CHECKING PACKAGES ...
29.10.2014 14:57:13
29.10.2014 14:57:13 DETACH USB CABLE FROM PHONE
29.10.2014 14:57:13 REMOVE BATTERY FROM PHONE
29.10.2014 14:57:13 ATTACH TESTPOINT
29.10.2014 14:57:13 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:57:13
29.10.2014 14:57:23 will use DLOAD protocol ...
29.10.2014 14:57:23 0808010600900000
29.10.2014 14:57:23 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:57:23 162001000100
29.10.2014 14:57:23 17004001000100E1506B00
29.10.2014 14:57:23 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:57:23 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:57:23 PROCESSING ...
29.10.2014 14:57:25 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:57:25
29.10.2014 14:57:29 Emergency loader uploaded ...
29.10.2014 14:57:30
29.10.2014 14:57:30 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:57:30 LOADER AID: 0001
29.10.2014 14:57:33 DEVICE ID: 71C58D09
29.10.2014 14:57:33 FLASH ID: "0015/00000000"
29.10.2014 14:57:33 LOADER VERSION: "R5F001"
29.10.2014 14:57:33
29.10.2014 14:57:33 WRITING PACKAGES ...
29.10.2014 14:57:33 Elapsed:23 secs.
29.10.2014 14:57:57
29.10.2014 14:57:57 SELECT FIRMWARE PACKAGES
29.10.2014 14:57:57 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:58:33 CHECKING PACKAGES ...
29.10.2014 14:58:33
29.10.2014 14:58:33 DETACH USB CABLE FROM PHONE
29.10.2014 14:58:33 REMOVE BATTERY FROM PHONE
29.10.2014 14:58:33 ATTACH TESTPOINT
29.10.2014 14:58:33 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:58:33
29.10.2014 14:58:48 will use DLOAD protocol ...
29.10.2014 14:58:48 0808010600900000
29.10.2014 14:58:48 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:58:48 162001000100
29.10.2014 14:58:48 17004001000100E1506B00
29.10.2014 14:58:48 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:58:48 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:58:48 PROCESSING ...
29.10.2014 14:58:49 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:58:49
29.10.2014 14:58:53 Emergency loader uploaded ...
29.10.2014 14:58:54
29.10.2014 14:58:54 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:58:54 LOADER AID: 0001
29.10.2014 14:58:56 DEVICE ID: 71C58D09
29.10.2014 14:58:56 FLASH ID: "0015/00000000"
29.10.2014 14:58:56 LOADER VERSION: "R5F001"
29.10.2014 14:58:56
29.10.2014 14:58:56 WRITING PACKAGES ...
29.10.2014 14:58:56 Elapsed:59 secs.
29.10.2014 14:59:12
29.10.2014 14:59:12 SELECT FIRMWARE PACKAGES
29.10.2014 14:59:12 YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
29.10.2014 14:59:18 CHECKING PACKAGES ...
29.10.2014 14:59:18
29.10.2014 14:59:18 DETACH USB CABLE FROM PHONE
29.10.2014 14:59:18 REMOVE BATTERY FROM PHONE
29.10.2014 14:59:18 ATTACH TESTPOINT
29.10.2014 14:59:18 PRESS "READY", THEN ATTACH USB CABLE TO PHONE
29.10.2014 14:59:18
29.10.2014 14:59:36 will use DLOAD protocol ...
29.10.2014 14:59:36 0808010600900000
29.10.2014 14:59:36 0D0F50424C5F446C6F6164564552322E30
29.10.2014 14:59:36 162001000100
29.10.2014 14:59:36 17004001000100E1506B00
29.10.2014 14:59:36 PRODUCT DETECTED: "SONY MSM8960-3 OEM1 Fused"
29.10.2014 14:59:36 1801000F43240892D02F0DC96313C81351B40FD5029ED98FF9EC7074DDAE8B05CDC8E1
29.10.2014 14:59:36 PROCESSING ...
29.10.2014 14:59:38 REMOVE TESTPOINT NOW, THEN PRESS "READY"
29.10.2014 14:59:38
29.10.2014 14:59:41 Emergency loader uploaded ...
29.10.2014 14:59:42
29.10.2014 14:59:42 RUNNING S1_PRELOADER VER "R5F001"
29.10.2014 14:59:42 LOADER AID: 0001
29.10.2014 14:59:44 DEVICE ID: 71C58D09
29.10.2014 14:59:44 FLASH ID: "0015/00000000"
29.10.2014 14:59:44 LOADER VERSION: "R5F001"
29.10.2014 14:59:44
29.10.2014 14:59:44 WRITING PACKAGES ...
29.10.2014 14:59:44 Elapsed:32 secs.
The last thing that I did before the brick was a wipe in CWM, and I accidentally formatted sdcard0. Could it damage or format the whole eMMC? If so, can I repair the GPT table and partitions and restore TA somehow?
Is there any way to recover it?
sony v hard brick
Last I remember, my device has the same message as the last friend said (ZEUS flash device) when it connects to the PC. The message comes up and after that the PC hangs until I push the reset button. Please answer to solve this problem. I don't have information about these 07D3-07DA-0851 ????? Please, somebody guide step by step how we can bring the device back to life.
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
the_laser said:
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
Yes. I selected .SIN_FILE_SET. Thanks for the help and info. As I understand, I can only buy a working main board (or a cracked phone with a working board), and/or find JTAG pinouts to repair my eMMC.
sony v hard brick
I think I can't bring my phone back to life because our friend here didn't have any solution to repair my phone.
the_laser said:
@ElArchibald:
did you select the .SIN_FILE_SET package?
if yes - then your phone has a damaged trim area structure and the only way to fix it is to use the JTAG interface to copy the first ~8 MB from a working phone, then use s1tool to restore the security units backup.
@the_laser
Sorry to bother you.
Can I simply do "dd if=/dev/block/mmcblk0 of=/storage/sdcard1/dump.bin bs=8M count=1" on a working device to get the dump? Or is this not enough, and I need a dump made through JTAG?
Don't want to disassemble the donor if I find it. And which JTAG solution can I use for Xperia devices 2012-2014?
If so can somebody make a dump for me?
The dump is enough.
About JTAG - I recommend RIFF box.
removed
GDFS did not work on my Xperia Z1 Compact. I created a gdfs and was not able to repair the bricked TA; status was "writing packages" without any error, but nothing is written. Status always was error in header when trying to flash any sin! This might help you -> http://forum.xda-developers.com/showpost.php?p=56571705&postcount=314

[solved] Relocking S1 v37

@RO.maniac asked how to relock his v37 bootloader on another thread:
RO.maniac said:
I have a little situation here. on a D6603.
Was running LP, unlocked, andropluskernel, root, xposed. happy.
Relocked bootloader with flashtool.
Updated to N preview using xperia companion.
Unlocked bootloader with flashtool.
That new bootloader, nexus style, was telling me safe boot off and unlocked bootloader.
Wasn't satisfied with the lack of root on N preview, so I decided to go back to stock LP via Xperia Companion. Then I found out the latest update Xperia would flash is MM. I said fine.
Tried to relock bootloader with flashtool, I got ok message but it didn't relock the bootloader. tried a lot of times, different pc, flashtool version, regenerated code. nothing. so no Xperia Companion - no big deal, I just have an obsession with latest official builds, since my main device is a Nexus5. oh, what a nice girl that is. and easy to undress.
flashed a LP .ftf, tried to relock bootloader, no success.
[...]
What the heck happened with the relocking of the bootloader??!!
I'm thinking it has something to do with the new bootloader from N preview which I was running when I unlocked it. Now it won't relock on any version.
The idea of this dev-thread is understanding why S1 v37 is not re-lockable and if there is a way to relock it or downgrade it then relock, without bricking the phone obviously.
@RO.maniac can you, please, provide
- the S1boot part of your cmdline,
- backups of your TA partition before and after upgrading the bootloader,
- any flashtool log?
Thanks in advance.
N preview TA backup & flashtool log
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
https://drive.google.com/file/d/0B0YzIybNxHcQa3E0Q1JJZlBkUU0/view?usp=sharing - TWRP ver.
https://drive.google.com/file/d/0B0YzIybNxHcQRXR2MjQ0Y3UzOWM/view?usp=sharing - ADB ver.
I don't have a TA backup of my old bootloader.
https://drive.google.com/file/d/0B0YzIybNxHcQcWNMMUtWeF9RNFk/view?usp=sharing - flashtool log. Tried to relock three times.
https://drive.google.com/file/d/0B0YzIybNxHcQVk1CZ1RISmhLMWM/view?usp=sharing - current bootloader mode photo.
I am now running N Preview 3, rooted, permissive.
RO.maniac said:
Here you have the flashtool log and two backups of the current TA partition. One is pulled with ADB and one is from TWRP.
Thanks! And no worries about the old TA. We just can't revert to the old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
nailyk said:
Thanks! And no worries about the old TA. We just can't revert to the old version without it.
Can you send me your s1boot partition and the cmdline part with 's1boot'?
Also can you provide me your oem unlock code? (I should be able to find it in your ta partition)
P.S. your name is in plain text in your flashtool log.
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post? - oh, you mean the boot partition and the code in the photo. That s1 upfront blinded me.
https://drive.google.com/open?id=0B0YzIybNxHcQMGxSTUdtdzBzTjQ - boot TWRP backup
Unlock code: C88FB2FFCCE72540
RO.maniac said:
My name is no secret.
I'm not familiar with pulling s1boot partition and the cmdline part with 's1boot'. Do you need anything more than the photo I just popped in the post?
Unlock code: C88FB2FFCCE72540
Awesome! I miss the picture, sorry.
Your fastbootlog also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17 which make me doubt....
Never read this version before. and never seen the screen you post before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start re with this elements, thank you.
Do you know exactly when this Hero_L17 version get installed on your phone? Is it coming from a custom rom?
nailyk said:
Awesome! I miss the picture, sorry.
Your fastbootlog also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17 which make me doubt....
Never read this version before. and never seen the screen you post before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start re with this elements, thank you.
Do you know exactly when this Hero_L17 version get installed on your phone? Is it coming from a custom rom?
This is the bootloader mode from N preview. Just like the Nexus line. I was really surprised to see it just as on my Nexus5.
Other than stock LP and MM , the only custom rom I've had is RXSW 3.0 which is MM.
I think this Hero_L17 is coming with N preview.
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
---------- Post added at 06:19 PM ---------- Previous post was at 06:17 PM ----------
nailyk said:
Awesome! I miss the picture, sorry.
Your fastbootlog also says: S1_Boot_MSM8974AC_LA3.0_L_Hero_17 which make me doubt....
Never read this version before. and never seen the screen you post before....
For me, fastboot mode was only blue light.... on this bootloader version.
I will start re with this elements, thank you.
Do you know exactly when this Hero_L17 version get installed on your phone? Is it coming from a custom rom?
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
RO.maniac said:
This is what I may seem not to understand. When I flash a complete .ftf doesn't EVERYTHING change, including the bootloader?
You are asking like it's there for some time, surviving .ftf flashes.
afaik ftf files are almost the same that flashable zip files: partition binaries and script files.
To check that, some tools give you the ability of unpack ftf files.
So some ftf custom rom only flash kernel and system, some other flash everything on the phone. Some other add ta partitions modifying.
But as the full boot process is signed, maybe other process are in cause. That's why i'm digging on.
I hope i didn't miss the point. (my English is really bad )
RO.maniac said:
Also, you should watch my past posts here because I tend to edit them a lot and add things instead of writing a new reply. I will let go of this habit, I promise.
No worries, but as I'm really slow to write my answers I miss some edits. From now on I will double check.
Your English is not that bad. Yes, you got the point and I got it about the .ftf files.
From what I can remember when I flashed a .ftf of N preview 3, the flashtool log listed everything, from boot to some TA. I'll do a backup and reflash just to check. Will post log.
---------- Post added at 07:20 PM ---------- Previous post was at 06:49 PM ----------
nailyk said:
afaik ftf files are almost the same that flashable zip files: partition binaries and script files.
To check that, some tools give you the ability of unpack ftf files.
So some ftf custom rom only flash kernel and system, some other flash everything on the phone. Some other add ta partitions modifying.
But as the full boot process is signed, maybe other process are in cause. That's why i'm digging on.
I hope i didn't miss the point. (my English is really bad )
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour is gave away for good. Now is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again. ))
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
RO.maniac said:
https://drive.google.com/open?id=0B0YzIybNxHcQNVA3OTZCM2ZqTm8 - flashtool log of N preview 3 flash
I see from the github there is a branch 0.9.16 so that is a good idea to test with this version.
First, we see the ta block between your two tries are different. First try block n° 8B2, second try 8FD. I can't understand why (same version of flashtool used).
It took me a lot of time because that was not a hexadecimal place in the TA partition but a unit in the TA partition.
Investigations:
For memory, your unlock code is C88FB2FFCCE72540 (in hex: 43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30),
my unlock code is 481FD30094B6F2FC (in hex: 34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43)
If we look in the 8B2 unit we found that:
my ta partition after unlocking
Code:
B2 08 00 00 10 00 00 00 C1 E9 F8 3B FF FF FF FF 34 38 31 46 44 33 30 30 39 34 42 36 46 32 46 43
your ta partition after unlocking:
Code:
B2 08 00 00 10 00 00 00 C1 E9 F8 3B FF FF FF FF 43 38 38 46 42 32 46 46 43 43 45 37 32 35 34 30
So our unlock code is present. Why it doesn't work?
If I take a look in my ta partition, before unlocking my bootloader, there is no 8b2 unit.
For the 8FD unit, i cannot find it.
So I cannot understand why your first try did not lock the bootloader. Maybe an issue with the usb cable and/or the booted mode, or just with the download of flashtool.
RO.maniac said:
You can continue this little study but just so you know, the screen just died on me. It started flicking all of a sudden and in under an hour is gave away for good. Now is backlit but no color.
So the test object is dead.
For the second time, after the main board water damage. I'm officially done with it. When my friend gets back in the country he'll find out his phone died again. ))
That's sad. I read some thread about dead backlights but not about screen. Did you think software cause this?
RO.maniac said:
As I've said, my screen died. So I decided to dump the phone and cleaned my pc of flashtool, xperia companion and all that.
Some minutes ago I decided to try another flash because my mind was running scenarios about the facts before the screen just died. What happened exactly before: TWRP backup, updated flashtool at startup, flashed N preview 3, in order to get the log so I can see if that Hero7 bootloader is coming with N preview. And it is indeed.
Booted and the screen was flicking with white flashes on the edges. In a few minutes I saw a vertical black line and then it turned black, but backlight on.
Today I thought, what the hell, flash it again, maybe it's not a hw problem. But now I know it is
So I installed an older version of flashtool, 0.9.18.6, and flashed N preview. Still dead screen
But this version of flashtool RELOCKED my bootloader. I could see the code written to TA and I can flash with Xperia Companion. Too bad I don't have a screen.
One in all, just dump this discussion and everything about my friend's damned Z3. Just close the drawer, as I've done.
Maybe it is just a connection problem between the motherboard and the screen. I read your other post so it maybe is 'just' a bad connection (cleaning or flyed-up)?
Anyway, thanks a lot for your time, I learned a lot from the information you provided! It will mostly help me for this project.
P.S.: don't forget I'm looking for a dev z3, broken screen is not a big deal for me Contact me privately if your friend is ok to sell that phone to me.
P.S.2: just for fun:
if you take a look in the (critical) 7DA ta unit it look like:
Code:
hexdump -C TA.img -s 0x0002073c -n 664
0002073c da 07 00 00 87 02 00 00 c1 e9 f8 3b ff ff ff ff |...........;....|
0002074c 73 eb 3d 40 59 80 18 1a 68 1a 33 84 5b a6 ad c3 |s.=@Y...h.3.[...|
0002075c 45 d3 66 47 02 00 05 0a 02 00 00 00 0a db 37 24 |E.fG..........7$|
0002076c 02 0c b2 c4 85 f4 c9 6c 21 f1 84 33 29 4d 27 ff |.......l!..3)M'.|
0002077c 81 20 a3 65 b6 40 3c 80 16 c9 4a e3 1b 59 d6 54 |. .e.@<...J..Y.T|
0002078c fa 50 37 82 f9 50 53 ce 1c dc aa fb 0b 98 96 e3 |.P7..PS.........|
0002079c 22 6a 02 00 00 00 0a d2 d9 95 24 b0 77 2b 91 59 |"j........$.w+.Y|
000207ac 59 f2 ee 30 a1 dc d9 88 c7 79 51 20 a2 19 73 0e |Y..0.....yQ ..s.|
000207bc 30 4c a1 29 94 4c 43 2b 8a cd 23 e9 3a 09 0b 03 |0L.).LC+..#.:...|
000207cc 06 74 6a 86 1f ce 97 ea 6c d0 b7 ba 00 90 4f 50 |.tj.....l.....OP|
000207dc 5f 49 44 3d 22 34 33 35 22 3b 4f 50 5f 4e 41 4d |_ID="435";OP_NAM|
000207ec 45 3d 22 43 75 73 74 6f 6d 69 7a 65 64 22 3b 43 |E="Customized";C|
000207fc 44 41 5f 4e 52 3d 22 31 32 38 38 2d 35 30 32 38 |DA_NR="1288-5028|
0002080c 22 3b 52 4f 4f 54 49 4e 47 5f 41 4c 4c 4f 57 45 |";ROOTING_ALLOWE|
0002081c 44 3d 22 31 22 3b 52 43 4b 5f 48 3d 22 46 41 45 |D="1";RCK_H="FAE|
0002082c 46 35 31 39 39 31 34 31 39 34 36 38 43 41 37 38 |F51991419468CA78|
0002083c 43 39 43 33 37 30 38 35 36 31 36 43 42 33 31 39 |C9C37085616CB319|
0002084c 42 39 46 36 36 45 30 35 30 45 34 33 31 38 34 37 |B9F66E050E431847|
0002085c 41 39 41 34 36 46 43 33 39 44 42 41 34 22 00 43 |A9A46FC39DBA4".C|
0002086c 53 45 52 56 45 52 49 44 3d 22 62 6d 63 73 65 63 |SERVERID="bmcsec|
0002087c 73 30 33 22 3b 41 55 54 48 43 45 52 54 3d 22 55 |s03";AUTHCERT="U|
0002088c 4e 4b 4e 4f 57 4e 22 3b 54 49 4d 45 53 54 41 4d |NKNOWN";TIMESTAM|
0002089c 50 3d 22 31 35 30 34 30 39 20 32 30 3a 33 31 3a |P="150409 20:31:|
000208ac 35 38 22 00 09 00 07 30 30 31 30 31 2d 2a 00 00 |58"....00101-*..|
000208bc 00 00 00 00 00 00 00 00 00 00 02 00 00 00 0a 4e |...............N|
000208cc d0 29 6b 2c bf 7b ec 14 0b bb 94 f5 9c fa 62 6a |.)k,.{........bj|
000208dc 1c 02 61 20 6d 79 f5 a7 3e ca c6 6e 30 69 30 f7 |..a my..>..n0i0.|
000208ec c3 a4 80 1e 60 bc ba e8 59 7d 5e 99 55 c4 47 e9 |....`...Y}^.U.G.|
000208fc f5 f5 58 be 02 00 00 00 0a 36 04 d9 c2 fd 86 a1 |..X......6......|
0002090c a1 3c 91 c1 d0 8d bb 35 ab a6 b1 10 f0 20 67 0e |.<.....5..... g.|
0002091c dc a5 62 dd 45 db 51 1e eb 6e f7 c6 95 58 f1 d4 |..b.E.Q..n...X..|
0002092c 39 73 5d 53 c5 22 14 b2 06 be 0c 01 ea 5f 02 00 |9s]S."......._..|
0002093c 00 00 0a 22 39 fe 4a f7 2e 93 6d a7 70 5d 3e 53 |..."9.J...m.p]>S|
0002094c a3 11 6c 96 70 84 18 20 3a 17 7b 00 05 63 1b fc |..l.p.. :.{..c..|
0002095c 6b 96 a4 e2 22 33 e2 05 7a 38 7b 72 81 60 ee ec |k..."3..z8{r.`..|
0002096c f9 da 55 c8 c1 81 e7 bd 02 00 00 00 0a cc 10 ff |..U.............|
0002097c a1 49 75 63 f3 c9 ee 40 fa d8 ac 09 65 b6 e6 dc |.Iuc...@....e...|
0002098c a3 20 9c 57 33 bf 51 c3 ff 29 20 78 fa 57 2c 69 |. .W3.Q..) x.W,i|
0002099c a5 97 52 fc 33 fa 97 f6 3d 5d 38 89 e0 d7 34 1c |..R.3...=]8...4.|
000209ac 95 eb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000209bc 00 00 14 57 0a e6 ee af 30 a1 e8 57 69 59 10 22 |...W....0..WiY."|
000209cc 6f 78 32 5c 5c f4 0b ff |ox2\\...|
000209d4
There is a RCK_H key. With the script provided here I enter your unlock code and the script answers that:
Code:
RCK_H="FAEF51991419468CA78C9C37085616CB319B9F66E050E431847A9A46FC39DBA4"
When you enter 'fastboot oem unlock <key>' the key is computed by s1 and compared to this information.
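The unit layout visible in the dumps in the post above (little-endian unit id, little-endian payload size, the bytes C1 E9 F8 3B FF FF FF FF, then the payload), as an added Python example that is not part of the original posts or of flashtool. The function names are hypothetical, treating C1 E9 F8 3B as a magic value is an assumption, and the 0x7DA sample unit is constructed with a placeholder RCK_H.

```python
import re
import struct

# Header layout read off the dumps above: unit id, payload size (both little-endian),
# then C1 E9 F8 3B and FF FF FF FF. Calling the third field a "magic" is an assumption.
HEADER = struct.Struct("<II4s4s")
TA_MAGIC = bytes.fromhex("c1e9f83b")
FIELD = re.compile(rb'(ROOTING_ALLOWED|RCK_H)="([^"]*)"')

def iter_units(image: bytes):
    """Yield (offset, unit_id, payload) for each plausible unit in a TA image."""
    pos = image.find(TA_MAGIC)
    while pos != -1:
        start, resume = pos - 8, pos + 1
        if start >= 0 and start + HEADER.size <= len(image):
            unit_id, size, _magic, _fill = HEADER.unpack_from(image, start)
            end = start + HEADER.size + size
            if end <= len(image):          # drop hits whose size runs past the image
                yield start, unit_id, image[start + HEADER.size:end]
                resume = end               # do not rescan inside an accepted payload
        pos = image.find(TA_MAGIC, resume)

def lock_state(image: bytes) -> dict:
    """Summarise the two units the thread looks at: 0x8B2 and 0x7DA."""
    units = {unit_id: payload for _off, unit_id, payload in iter_units(image)}
    found = FIELD.findall(units.get(0x7DA, b""))
    fields = {k.decode(): v.decode("ascii", "replace") for k, v in found}
    return {
        "unlock_unit_present": 0x8B2 in units,
        "unlock_unit_len": len(units.get(0x8B2, b"")),
        "rooting_allowed": fields.get("ROOTING_ALLOWED"),
        "rck_h": fields.get("RCK_H"),
    }

# Unit 0x8B2 exactly as quoted in the post; the 0x7DA unit and 0xFF filler are constructed.
UNIT_8B2 = bytes.fromhex("b208000010000000c1e9f83bffffffff"
                         "34383146443330303934423646324643")
PLACEHOLDER_HASH = b"0" * 64   # constructed, not a real RCK_H
PAYLOAD_7DA = b'\x00\x90OP_ID="435";ROOTING_ALLOWED="1";RCK_H="' + PLACEHOLDER_HASH + b'"\x00'
UNIT_7DA = HEADER.pack(0x7DA, len(PAYLOAD_7DA), TA_MAGIC, b"\xff" * 4) + PAYLOAD_7DA
SAMPLE_UNLOCKED = b"\xff" * 32 + UNIT_7DA + b"\xff" * 12 + UNIT_8B2 + b"\xff" * 32
SAMPLE_BEFORE_UNLOCK = b"\xff" * 32 + UNIT_7DA + b"\xff" * 32

if __name__ == "__main__":
    for name, img in (("unlocked", SAMPLE_UNLOCKED), ("before", SAMPLE_BEFORE_UNLOCK)):
        print(name, lock_state(img))
```

Running it on two TA backups taken before and after a flashtool relock attempt shows whether unit 0x8B2 was written or removed without reading the hex by eye.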
