DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800


.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
@trenbeth: Google is your friend.

BTW, I have another idea for an even simpler hack: simply short TP1555 (eMMC clock) to GND, and plug in the USB cable. This should trigger "QHSUSB_DLOAD" mode.

EDIT: It turns out, for the card reader trick, not any card reader will do - you will need one that operates in SD/MMC host controller mode, and not USB mass storage mode. Thus, most PCI, PCIE, Cardbus and laptop built-in card readers should work, but USB ones usually won't. (Because it's generally a bad idea to solder wires directly into one's laptop just for a phone hack, I suggest getting a MiniSD or MicroSD adapter, and soldering the wires from the phone to that adapter.)
 

djtonka

Senior Member
Aug 1, 2010
1,104
514
City
But built-in card readers are still on USB, I suppose.
So short TP1555 (eMMC clock) to GND would work?
 

.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
The built-in card readers I've seen so far were all PCI-Express, appearing in Device Manager as an SD/MMC host controller.

But even with a USB reader, it should be possible to interop unlock, or maybe even root the device, as the main OS partition (including the registry) should be accessible.

EDIT: The test-point cables are only good for ATF or the testpoint shorting hack, as they don't connect the VCC and VCCQ lines. (ATF operates on a powered-ON PCB, and overrides the logic levels sent by the main CPU, rather than operating with a powered-down PCB with the CPU inactive.)
 

pedrocel85

Senior Member
Sep 14, 2009
366
173
Rio de Janeiro
Net,
Did your ideas work? Did you manage to flash the Qualcomm bootloader?
 

.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
Not yet, I have the Lumia 900 (where CLK is not easily accessible - instead, it's VCCQ that can be shorted to ground), and I'm waiting for ankerael's PM with the dumped bootloader. (His earlier dump didn't include the bootloader proper.)
 

.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
Yes, that's exactly what I recommended. (Internal card readers are usually PCI/PCIE-based, which present the card directly to the OS, rather than emulating a USB flash drive.)

If you use Linux, changing the bootloader may be even easier, as it will show up as a separate block device "/dev/mmcblkXboot1" (or maybe boot0 - you will need to check it yourself). By default, this device will not be writable, to guard against accidental overwrites - read the documentation for enabling writes to the boot partitions.
 

Bph&co

Senior Member
Apr 14, 2012
110
101
Hi,

I have yet to see somebody implement off-power read/write of the eMMC chip. ATF manages with so many wires because the chip is still wired to the CPU and all control signals are handled correctly. If you watch the protocol on screen you will see that the ATF FPGA asserts lows and highs (high levels slightly higher than the phone's 1s, and lows via bridging a few gates in parallel to assert low impedance on the bus) during the important boot mode check when the eMMC is in 1-bit SDIO mode, immediately after restart.

To use an external MMC reader and not a powered phone PCB you will need a bit more lines connected, maybe fewer with a small microcontroller development board using the HW SDIO interface (most chips have it these days), e.g. STM32F4Discovery, but you still need to cook the custom boot sequence yourself.

The standard firmware in an off-the-shelf reader would probably not manage to take control of the eMMC, as I suspect it does not communicate in 1-bit SDIO mode; it probably does in the beginning and then switches to a wider interface.

BR
 

.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
Actually, the eMMC chip documentation shows that it fully supports 1-bit MMC (not SDIO, and not SPI) mode, and only switches to a higher bus width when explicitly requested to do so.

EDIT: Not very relevant, but open the Lumia 710 boot loader MBN in a hex editor, and go to address 0x1E490 for a good laugh. :) Or, if you have the Lumia 800 Qualcomm boot loader image, it's @ 0x1E52C.
 

Bph&co

Senior Member
Apr 14, 2012
110
101
Hi,

I guess 1-bit MMC = SDIO, sorry, my bad. The phone for sure switches to a wider bus after the initial boot sequence; I haven't reversed this part, not sure where it is, probably the boot ROM. But this initial chip inquiry is the golden opportunity to take control, and of course hats off to X-Shadow for the hack and implementation (!).

What version of the bootloader? I have some old disassembly; I have a pointer to a string at this location.

BR

 

Top Liked Posts

  • 81
    UPDATE: First custom ROM with Interop Unlock flashed successfully. Requires hard reset after installing and an unlocked bootloader. See post for proof:
    http://xdaforums.com/showpost.php?p=24818275&postcount=242
    BIG THANK YOU TO ULTRASHOT!
    Without you I couldn't have done it!
    NOTICE: Testing full unlock (XIP unlock etc) with ultrashot. Will post new files as soon as I get a working build which doesn't get stuck on boot ;)

    Disclaimer:
    I AM NOT RESPONSIBLE IF YOU LOSE DATA, BREAK YOUR PHONE, OR SET YOUR HOUSE ON FIRE. DO THIS AT YOUR OWN RISK. BTW, REQUIRES A HARD RESET SO YOU WILL LOSE ALL THE DATA IN YOUR PHONE BY FLASHING THIS. IF UNSURE, DON'T DO IT.
    PLEASE STOP PM'ING ME FOR HELP, I CAN'T REPLY 20 PMS/HR. Please use the forum, maybe someone can create a discussion topic to help others and leave this for links and development. Thank you very much!

    PLEASE STOP SENDING ME PMS ASKING FOR HELP AND USE THE DEDICATED THREAD
    THIS THREAD IS FOR DEVELOPMENT ONLY, PLEASE RESPECT THAT AND USE THE Q&A THREAD FOR YOUR QUESTIONS.
    LINKS:
    Lumia 800: Full Unlock
    New firmware: May 16, 2012 (removed foursquare and stuff)
    sdb3.rar: Flash it to PARTITION #3. It contains 12070's amss & adsp. Not absolutely required but if you have an older version this should give you better battery life.
    http://www.mediafire.com/?kwjladlgvq81rha
    OS-NEW:
    As always, flash it to PARTITION #9.
    Part1: http://www.mediafire.com/?21by2oj7acnhkhw
    Part2: http://www.mediafire.com/?wkeduvp9l4199qh
    Part3: http://www.mediafire.com/?cnbkms40dy4y06z
    Part4: http://www.mediafire.com/?rabunpmnaqclq3o
    Complete Mediafire folder access: http://www.mediafire.com/?uo2dqcl34b9cy
    ___________________
    Alternate ROM with Full Unlock + Some apps:
    Part1: http://www.mediafire.com/?8gnqm418v32im3e
    Part2: http://www.mediafire.com/?bgtg2t5infrnua1
    Part3: http://www.mediafire.com/?l0sl5hbr0v9gfi1
    Part4: http://www.mediafire.com/?emt2dfswdhn0z0w
    Apps preinstalled:
    DS Supertool
    File Deployer
    Metro Theme
    WebServer
    WinTT
    WM Device Center
    WP7 Root Tool

    ___________________
    Lumia 710: Interop Unlock (no full unlock yet)
    ROM Based on: RM803_059N2L6_1600.3015.8107.12070_010
    Mediafire folder access: http://www.mediafire.com/?9z6og65ozgrnr
    http://www.mediafire.com/download.php?d3bj3dkfbffbakn
    http://www.mediafire.com/download.php?l35zjaebdrsm315
    http://www.mediafire.com/download.php?ys5bapu8ubezybo
    http://www.mediafire.com/download.php?tnadd4uuoxhatv3
    CAUTION: I don't have a 710, so these images AREN'T TESTED. Use at your own risk. Be careful, people are reporting problems with this rom.
    Full Unlock Image for Lumia 710 by lucifer3006 -BE CAREFUL, IT HAS BUGS, FOR TESTING PURPOSES ONLY- (thanks ultrashot & lucifer3006): http://www.mediafire.com/?p3318y5l19abb

    You have a mirror of all the stuff on mediafire on xdafil.es: http://xdafil.es
    Thank you mousey_!

    PLEASE DO A FULL BACKUP OF THE NAND BEFORE PLAYING AROUND.
    If you are developing fixes for the bootloader 'problem', feel free to grab a copy of the rest of partitions and stuff I posted over this thread here: http://www.mediafire.com/?kknt4lnc3tn7w


    INSTRUCTIONS:
    Requires an unlocked bootloader (a.k.a. qualcomm development bootloader).
    Easy to check: Turn the phone OFF, then press and hold VOLUME UP + POWER until you notice a short vibration. Plug in to the computer. If the phone turns up in disk mode (USB Mass Storage Device), then you have an unlocked bootloader. If you're in Windows, it will ask if you want to format the disk. SAY NO OR IT WILL EXPLODE (it won't explode but you might break it)
    If the device detected by the computer is Nokia DLOAD you have a locked bootloader and you're out of luck, at least for now.

    I used 'dd' in Linux, I guess you can do it with the Windows version too (http://www.chrysocome.net/dd) but it's more involved to find the appropriate partition:
    dd if=./os-new.nb of=/dev/sdX9
    Where X is the disk detected by your linux distribution.
    After that, you'll need to hard reset the phone. Hold Power button for 10 seconds to exit Qualcomm's disk mode, and press and hold POWER+VOLUMEDOWN+CAMERA until you feel the phone vibrate. After that, RELEASE power button but KEEP HOLDING volume down + camera for five or more seconds. This will trigger the hard reset.

    Now time to play with bootloaders and try to get this to work for everyone!

    If you like my work and want to donate for a beer (or two), follow this link
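As an added example (not code from the thread or its author), a POSIX shell helper that wraps the dd step above with the NAND backup the post insists on, refuses to write to a currently mounted device, and verifies the write by reading the bytes back. The device path /dev/sdX9 and all file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: backup + flash + read-back verify
# around the "dd if=./os-new.nb of=/dev/sdX9" step. Paths are placeholders.
set -eu

# flash_verified IMAGE DEVICE BACKUP
#   1. refuse if DEVICE is currently mounted (Linux /proc/mounts check),
#   2. dump DEVICE to BACKUP (the full backup the thread asks for),
#   3. write IMAGE to DEVICE without truncating (conv=notrunc matters when
#      DEVICE is a regular file, e.g. a loop-backed test image),
#   4. read back exactly the image's size and compare byte for byte.
# Returns 0 only if the read-back matches; BACKUP is kept in every case.
flash_verified() {
    image=$1; device=$2; backup=$3
    size=$(wc -c < "$image")

    if [ -r /proc/mounts ] && grep -qs "^$device " /proc/mounts; then
        echo "refusing: $device is mounted" >&2
        return 2
    fi

    # Step 2: backup first, so the original partition can be restored.
    dd if="$device" of="$backup" bs=1024k
    [ "$(wc -c < "$backup")" -gt 0 ] || { echo "empty backup, aborting" >&2; return 3; }

    # Step 3: write the image. No truncation, so bytes past the image stay.
    dd if="$image" of="$device" bs=1024k conv=notrunc
    sync

    # Step 4: read back the same number of bytes and compare.
    if head -c "$size" "$device" | cmp -s - "$image"; then
        echo "verified $size bytes written to $device (backup: $backup)"
        return 0
    fi
    echo "VERIFY FAILED: $device does not match $image; restore from $backup" >&2
    return 4
}

# Command-line use: ./flash_verified.sh os-new.nb /dev/sdX9 sdX9-backup.bin
if [ $# -eq 3 ]; then
    flash_verified "$1" "$2" "$3"
fi
```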
    22
    I'd suggest renaming one of the colors. Would be great if it was possible to interop the phone without losing data.

    Well, you can always make a backup and then restore via zune. The thing is the dumped OS is about 600Mb, the generated image is 378Mb. I don't know how it will reside on the flash, you could always check where the flash starts to get filled with zeros and clean it up before the first boot... If they had done it right and separated user data from the main OS we wouldn't have this problem...

    INTEROP UNLOCK ACHIEVED!

    Now time for a nice beeer ;)
    I'll put mediafire to work and upload the image I just did. Everyone who has an unlocked bootloader: after you flash this to the phone, DO A HARD RESET, otherwise it will get stuck on 'Installing Applications'
    12
    Hey everyone,

    I was hoping to be able to crack Nokia's osbl, but time already ran out and I wasn't able to get it. So sorry, guys, but I had to return both Lumias. It's been a fun month, and at least I helped get custom ROMs for at least some of you.

    I'll be uploading here all the files I have on my computer so anyone can mirror them or use them for whatever you might need. If I can help you with something else (development related please) feel free to drop me a PM.

    Once again big thank you to Ultrashot, Beidl, Xsacha, cdbase, ceesheim, HeathCliff & everyone that helped out with this. Now back to my (almost) forgotten Galaxy S2 & to try Boot 2 Gecko and see what progress has been done since the last time I checked :)
    8
    Btw, here is my DppImplant app.
    Implants DPP partition with your stock Live Id to a custom rom.
    Usage:
    1) Put backup of the biggest partition to the folder with DppImplant.exe and call it "stock.nb"
    2) Put "os-new.nb" there - target firmware in which you want to see your old Live Id.
    3) Open DppImplant.exe. It will extract DPP from stock.nb and create mydpp.bin file. (After that you won't really need to have stock.nb in that folder).
    "os-new.nb" will be patched.
    4) Done.

    P.S. if you open DPP using Notepad or any hex editor, you'll see saved Live Id.
    6
    Ok L710 fully unlocked :)
    Those 2 parts are wrong. I used to narod.ru

    ---------- Post added at 07:29 PM ---------- Previous post was at 06:40 PM ----------
    http://www.youtube.com/watch?v=-rQbFp7yasc


    CAN WE KEEP THIS FOR DEVELOPMENT ONLY PLEEEEEEEEEEEEEASSSEEEEE?

    Gift from our friends at Qualcomm:

    Full AMSS firmware + Secboot Sources (Qualcomm loader)! Grab it while it's hot!

    http://www.mediafire.com/?ir2h15f663ja6wc