Added some goodies to posts 1 and 2.
Enjoy
VERY NICE!! 1000 times THX
There are also a lot of other useful docs on your page. WOW man, really nice collection.
I've read them all, no I didn't, but almost.
To protect my source I couldn't repost these documents until I removed their personal information.
You were right! It was the right decision. -> My apologies for that!!
OK, I'll try to keep this short.
I sniffed in RAW what QPST (2.7.378) eMMC Software Download is doing - just for confirmation.
One of the "many" programmer hex files I found on the internet and my manually created 8960_msimage.mbn, plus
the right path is filled in correctly. Connection is established. Phone is in Download Mode.
How to sniff?
USBLyzer is very useful and free to use for some days.
I would prefer Advanced Serial Port Monitor by AGG Soft, but it is limited to 1024 bytes.
OUT = HOST
IN = PHONE
It stays in a permanent handshake with the device. Let us call this pair the "idle cycle" between HOST and PHONE:
OUT: 7E 06 4E 95 7E (NO-OP)
IN: 7E 02 6A D3 7E (ACK)
Pushing Download Button:
OUT: 7E 0C 14 3A 7E (Parameter Request)
IN: 7E 0D 0F 50 42 4C 5F 44 6C 6F 61 64 56 45 52 32 2E 30 53 AE 7E (Parameters)
As you described some posts above...
Now it starts the actual download process of the programmer's hex file:
(Write data to memory using 32-bit address) (32 Bit address 0x2A000000) (Data length 0x03F9 -> 1017 bytes)
7E 0F 2A 00 00 00 03 F9 D1 DC 4B 84 34 10 D7 73 0D 00 00 00 FF FF FF FF FF FF FF
IN: 7E 02 6A D3 7E (ACK)
Do this a few times...
...and the last bytes
OUT: 7E 0F 2A 01 1A 0F 00 6D 00 00 00 00 00 38 10 01
2A 09 04 03 00 90 3F 00 2A CC 3F 00 2A 44 3E 00
2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 02 03 00 00 00 00 00 00 00 00 14 00 00
00 0A 00 00 00 00 00 00 00 00 00 50 12 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00
00 00 00 00 00 00 00 00 00 00 02 00 02 00 00 00
00 00 00 00 00 A4 86 7E
IN: 7E 02 6A D3 7E (ACK)
Here comes the GO command!
BTW: it is similar to the qdload.pl script.
OUT: 7E 05 2A 00 00 00 DE BA 7E
IN: -- nothing -- phone is rebooting and Windows is playing unplug/plug sounds
Phone is back in Download Mode
(After what felt like 20 sec it pops up the cookie error window)
In the meanwhile...
The host sends a Parameter Request again:
OUT: 7E 0C 14 3A 7E (Parameter Request)
IN: 7E 0D 0F 50 42 4C 5F 44 6C 6F 61 64 56 45 52 32 2E 30 53 AE 7E (Parameters)
Perform one idle cycle:
OUT: 7E 06 4E 95 7E (NO-OP)
IN: 7E 02 6A D3 7E (ACK)
And now the ACTION I don't understand!?!
OUT: 7E 19 38 7D 5D 7E
IN: 7E 03 00 06 9E 4C 7E (NAK) (Unknown/invalid command)
Case 1: it's expecting the hex to be executed, or is testing it:
QPST is trying to send the partition table.
According to 80-V5348-1_J_Streaming_DLoad_Protocol.pdf pages 13 and 29:
19 | Partition table | Host | Y | 3.00 | Send partition table to use for programming images
Case 2: it wants the cookie: why not?! :silly:
QPST is trying to send a cookie read request.
According to 80-39912-1_E_DMSS_Download_Protocol.pdf pages 14 and 32:
19 | QPST(TM) Cookie Read Request | Host | Y | 9 | Request to read QPST Cookie
In both cases there is no explanation for the 38. Any idea?
More things to discuss:
I thought all the time that the devices MSM8660 and MSM8960 are in principle the same. BUT
it looks now like they have fundamental differences, and we can't use the MSM8660.HEX
to flash our MSM8960. Can you confirm this?
In the 80-N5009-1_B_MSM8960_Boot_Architecture_Overview.pdf there are a lot of comparisons between these
two. For example, the MSM8960 charges the battery if it is dead.
Another hint for me is that the HEX files we have are not executable. That means we still need the MPRG8960.HEX
as it's described in the 80-VN930-4_C_AMSS_8960_LA_Programming_Guide_Test_Mobile.pdf.
If the HEX file is executed, I would expect it to pop up a "new" device to write my image onto!?
Maybe another chance that we can test?! It's just an idea.
Back to Boot_Architecture_Overview page 10.
There is a table with some execution addresses. Maybe we can download some files in binary and then
execute them with the GO command to run into another download mode. Like in Odin download mode?!
What do you think about it?
BTW: On the RIFF JTAG BOX page there is still no support for the MSM8960 reported!!
Regards
NewBit
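To check the framing of the captures in this post, here is an added example (my code, not the poster's and not QPST's) that unstuffs the 7D escapes, verifies the CRC-16 and decodes each quoted frame, including the 7E 19 38 7D 5D 7E one; the CRC variant (CRC-16/X-25, the PPP FCS) and the 7D-stuffing rule are assumptions, and the frame bytes are copied from the post.

```python
# Added example (not code from the post or from QPST): decode the DLOAD frames
# quoted above. Assumed framing: 7E <cmd> <payload> <crc16 LE> 7E with 7E/7D inside
# stuffed as 7D 5E / 7D 5D; assumed CRC: CRC-16/X-25 (PPP FCS-16). Both hold here.

def crc16_x25(data: bytes) -> int:
    """Reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def hdlc_unescape(body: bytes) -> bytes:
    """Undo byte stuffing: 7D xx -> xx ^ 0x20 (so 7D 5D is one 0x7D data byte)."""
    out, it = bytearray(), iter(body)
    for b in it:
        if b == 0x7D:
            b = next(it, None)
            if b is None:
                raise ValueError("dangling 7D escape at end of frame")
            b ^= 0x20
        out.append(b)
    return bytes(out)

def build_frame(cmd_and_payload: bytes) -> bytes:
    """Host side: append the CRC, stuff 7E/7D bytes, wrap in 7E flags."""
    body = cmd_and_payload + crc16_x25(cmd_and_payload).to_bytes(2, "little")
    stuffed = b"".join(bytes((0x7D, b ^ 0x20)) if b in (0x7E, 0x7D) else bytes((b,))
                       for b in body)
    return b"\x7e" + stuffed + b"\x7e"

def decode_frame(raw: bytes) -> dict:
    """Receiver side: strip flags, unstuff, split off the CRC and verify it."""
    if len(raw) < 5 or raw[0] != 0x7E or raw[-1] != 0x7E:
        raise ValueError("not a complete 7E ... 7E frame")
    data = hdlc_unescape(raw[1:-1])
    body, crc_rx = data[:-2], int.from_bytes(data[-2:], "little")
    return {"cmd": body[0], "payload": body[1:], "crc_rx": crc_rx,
            "crc_ok": crc16_x25(body) == crc_rx}

CAPTURED = {  # hex exactly as quoted in the post above
    "NO-OP": "7E 06 4E 95 7E",
    "ACK": "7E 02 6A D3 7E",
    "PARAM_REQ": "7E 0C 14 3A 7E",
    "PARAMS": "7E 0D 0F 50 42 4C 5F 44 6C 6F 61 64 56 45 52 32 2E 30 53 AE 7E",
    "GO": "7E 05 2A 00 00 00 DE BA 7E",
    "CMD_19": "7E 19 38 7D 5D 7E",
    "NAK": "7E 03 00 06 9E 4C 7E",
}
```

Decoding the NO-OP, ACK, Parameter Request, GO, NAK and 0x19 frames this way gives a matching CRC for each, and build_frame(b"\x19") reproduces 7E 19 38 7D 5D 7E byte for byte, so the 38 and the 7D 5D pair are the little-endian CRC of the single command byte 0x19 (with its 0x7D byte stuffed), not part of the command.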