SHV-E160L Debricking Tool / Qualcomm Tool Pack V2-1

Search This thread
By:
Advanced…
R

RussianBear

Recognized Contributor
Nov 10, 2008
2,062
343
funkym0nk3y said:
darkspr1te, is it possible to repair LG via this method ? I have an optimus g which will be detected as QHUSB_DLOAD if i break any of the following partitions
SBL1, SBL2, SBL3, RPM, TZ
I have access to jtag and can provide any info you are looking for.
Click to expand...
Click to collapse

Lg has lgnpst (qpst equivalent). See if it detects your phone. If so, you might be able to flash it via that tool.
 
A

arie001

Senior Member
Feb 6, 2012
69
9
SGH-I727 (msm8060 chipset) SII Skyrocket

I have tried running the v2 tool in SUSE 12.2 live and the script runs ok but when this is where it hits a brick wall. Have you come across this error before?
--feedback on linux compatibilities--
I get script errors when I try to run it in Ubuntu 12.10 or 12.04 live versions, the output is corrupted with % symbols and such as if it is using a different character set or something. It exits at the "Do you wish to Upload HEX & msimage.mbn now? Warning Dangerous" prompt.
--end feedback on linux compatibilities--
Code: 
linux@linux:~/Brixfix-2-1> sudo sh brixfix.sh

Brick Fix v2-0
______________
By Darkspr1te, See README for thanks & References

Checking For Qualcomm Device
Device Found !!!
Error: device found in QDLOAD Mode, switching to QDLOAD 
see qdload.pl By JC Sullins, xxxxxxxxxxxx

Expected VID/PID of 05c6:9025, Instead I get :-
Bus 002 Device 006: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Do you wish to Upload HEX & msimage.mbn now? Warning Dangerous
y
Executing qdload 
Requesting SoftwareVersion...
Version: PBL_DloadVER1.0
Requesting Params...
Params: 06 01 01 00 90 00 00
Uploading file 'MPRG8660.bin' to QDLOAD...
Writing 1024 bytes to 0x2a000000; 164996 bytes left.
Writing 1024 bytes to 0x2a000400; 163972 bytes left.
Writing 1024 bytes to 0x2a000800; 162948 bytes left.
Writing 1024 bytes to 0x2a000c00; 161924 bytes left.
........
Writing 1024 bytes to 0x2a027c00; 2180 bytes left.
Writing 1024 bytes to 0x2a028000; 1156 bytes left.
Writing 1024 bytes to 0x2a028400; 132 bytes left.
Writing 132 bytes to 0x2a028800; 0 bytes left.
Executing file...
Sending MAGIC...
MSG: Qfprom Fuse List: Blowing FAILED    
MSG: Failed Fuse addr:  
MSG: 0x00000000 
MSG:    Error Status:  
MSG: 0x00000000 
Sending secureMode...
Sending openMulti ...
Uploading file '8660_msimage.mbn'...
Writing 1024 bytes to 0x00000000; 1620548 bytes left.
Invalid Response: 0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a

If HEX/MBN uploaded correctly, please allow for short delay and re-run brixfix to continue the debricking session, a screen showing device options may appear, close this new screen
linux@linux:~/Brixfix-2-1> 

linux@linux:~/Brixfix-2-1> sudo sh brixfix.sh

Brick Fix v2-0
______________
By Darkspr1te, See README for thanks & References

Checking For Qualcomm Device
Device Found !!!
Error: device found in QDLOAD Mode, switching to QDLOAD 
see qdload.pl By JC Sullins ,
Expected VID/PID of 05c6:9025, Instead I get :-
Bus 002 Device 007: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Do you wish to Upload HEX & msimage.mbn now? Warning Dangerous
y
Executing qdload 
Requesting SoftwareVersion...
Invalid Response: 0e 49 6e 76 61 6c 69 64 20 43 6f 6d 6d 61 6e 64 0a
Failed to get software version

If HEX/MBN uploaded correctly, please allow for short delay and re-run brixfix to continue the debricking session, a screen showing device options may appear, close this new screen
linux@linux:~/Brixfix-2-1>

Is this error being caused by the emmc requiring a code? If so what would I ask in the SGH-I727 forum to get the file needed?
 
Last edited:
darkspr1te

darkspr1te

Senior Member
Sep 24, 2012
952
595
I will decode the error later but I think it's because you have a different CPU.
My shv-e160l has a msm8660, so brick fix is built for that,
For i727 its been listed with msm8260 & apq8060, can you confirm which CPU you have.
As mentioned, brixfix was originally build for the shv, I need copies of the partition table /boot loaders to expand it's support.
I am currently away from my stash of code (I only took ROMs to rebuild this trip )
But will be back in from of my code by Monday next week, then I can lookup what the error could be, unless SLS decodes it first.
But at a guess on the error, wrong CPU for the hex file uploaded.

sent from the Darkspr1te's lair
 
A

arie001

Senior Member
Feb 6, 2012
69
9
I just read that the APQ8060 is only for devices that don't require cellular service but is otherwise the same as MSM8260. So mine must be the MSM8260. The MSM8660 offers more frequencies I believe and is said to be best suited to international phone use but is otherwise same as the MSM8260. Though I suppose at the low level they could all have subtle differences causing incompatibilities.

Sent from my Nexus 7 using xda app-developers app

-EDIT-
Pulled the phone apart and it is APQ8060.
 
Last edited:
V

visa0kr

New member
Feb 19, 2013
3
0
Big thanks to our Hero *darkspr1te*

Thank u so much darkspr1te, ur hero ^^
Also read ur posts about debricking E160L, great job.
I tried running brickfix under ubuntu 12.2 live usb, there were some problems, it said cant open device, or there is no such directory while writing 8660_msimage.mbn and 8660_MPRG.hex
And the same problem while writing *.mbn files
Then i manual edited paths in brixfix.sh
(example : dd if=$MODEL'/home/ubuntu/Desktop/Brixfix-2-1/SHV-E160L-16GB/partition0.bin' of=/dev/sdb seek=0 count=1 bs=512 )
After writing all needed files to Sdb , remove/replace battery and Power up phone
I was so happy when seeing SAMSUNG logo xD
Thank u again ^^!)
 
darkspr1te

darkspr1te

Senior Member
Sep 24, 2012
952
595
visa0kr said:
Thank u so much darkspr1te, ur hero ^^
Also read ur posts about debricking E160L, great job.
I tried running brickfix under ubuntu 12.2 live usb, there were some problems, it said cant open device, or there is no such directory while writing 8660_msimage.mbn and 8660_MPRG.hex
And the same problem while writing *.mbn files
Then i manual edited paths in brixfix.sh
(example : dd if=$MODEL'/home/ubuntu/Desktop/Brixfix-2-1/SHV-E160L-16GB/partition0.bin' of=/dev/sdb seek=0 count=1 bs=512 )
After writing all needed files to Sdb , remove/replace battery and Power up phone
I was so happy when seeing SAMSUNG logo xD
Thank u again ^^!)
Click to expand...
Click to collapse

Which device did you unbrick ? Also the code shown above if from a very old version of the programs, the new one auto detect the drive it's connected too.
Has the device now fully booted ? Is everything running right?


sent from the Darkspr1te's lair
 
darkspr1te

darkspr1te

Senior Member
Sep 24, 2012
952
595
RussianBear said:
Dark, have you considered rolling this out to other msm8660 devices?
Click to expand...
Click to collapse

Yes I have, I've been changing all the fixed var's inside the code to allow a minor or major amount of tampering with the setup.
Current task is improve the backup system to auto detect the information, currently it does my device perfect, even if I tamper with the locations of the boot loaders , it still follows them around, next step is add code to pull the header from the .mbn file and know 'exactly' which loader it is, from there create a auto table of filename/partition/real partition contents based on header/partition type size etc. That table, inclusive of a backup is enough to create auto debricks, that is we only need to see it once and its supported.
That once still requires a user to upload a file though, something users don't seem always willing to do.

sent from the Darkspr1te's lair
 
R

RussianBear

Recognized Contributor
Nov 10, 2008
2,062
343
darkspr1te said:
Yes I have, I've been changing all the fixed var's inside the code to allow a minor or major amount of tampering with the setup.
Current task is improve the backup system to auto detect the information, currently it does my device perfect, even if I tamper with the locations of the boot loaders , it still follows them around, next step is add code to pull the header from the .mbn file and know 'exactly' which loader it is, from there create a auto table of filename/partition/real partition contents based on header/partition type size etc. That table, inclusive of a backup is enough to create auto debricks, that is we only need to see it once and its supported.
That once still requires a user to upload a file though, something users don't seem always willing to do.

sent from the Darkspr1te's lair
Click to expand...
Click to collapse

I've noticed that.... that's to be expected though. Major props for your work!
 
SouL Shadow

SouL Shadow

Senior Member
Jun 17, 2010
466
326
Stratford, CT
www.soulshadow.net
darkspr1te said:
I will decode the error later but I think it's because you have a different CPU.
My shv-e160l has a msm8660, so brick fix is built for that,
For i727 its been listed with msm8260 & apq8060, can you confirm which CPU you have.
As mentioned, brixfix was originally build for the shv, I need copies of the partition table /boot loaders to expand it's support.
I am currently away from my stash of code (I only took ROMs to rebuild this trip )
But will be back in from of my code by Monday next week, then I can lookup what the error could be, unless SLS decodes it first.
But at a guess on the error, wrong CPU for the hex file uploaded.

sent from the Darkspr1te's lair
Click to expand...
Click to collapse

I'll take a look at it if I get some free time. I've been super busy lately and have barely touched my computer in a couple weeks now.

A quick glance suggests there's multiple small errors, but I would need to dig in to it further.


EDIT:
The command 0e is the Log command in streaming download.

The first log message says:
"Write unsuccessful"

The second log message says:
"Invalid command"

The first message could be due to using the wrong hex file for that chipset (?)

The second message is because the script tries to communicate with download mode, but the phone is still in streaming download.

The third error I see is the phone trying to blow a qfuse (at an invalid address). It's unclear from the output as to why that happened.

-SLS-
 
Last edited:
V

visa0kr

New member
Feb 19, 2013
3
0
darkspr1te said:
Which device did you unbrick ? Also the code shown above if from a very old version of the programs, the new one auto detect the drive it's connected too.
Has the device now fully booted ? Is everything running right?


sent from the Darkspr1te's lair
Click to expand...
Click to collapse

Mine is Galaxy Note E160L 16GB
It's working prolly now xD
I also fixed Menu and Back button not working by flashing E160L_Teamleader_v1.0 rom (GB rom)
Connect Internet via 3G/Wifi, Dial *#2663# then chose Touch key FW update.

Im gonna flash "Dakrpsr1te's Cherry Rom" later today
Great job sir. Thanks again ^^
 
A

arie001

Senior Member
Feb 6, 2012
69
9
Other considerations if having USB problems

SouL Shadow said:
I'll take a deeper look at it later.

You should note that qualcomm chipsets do not have support for USB 3.0. While the linux USB 3.0 driver is backwards compatible with the older standards, it is still buggy so it's best to only use USB 2 and lower ports.

Also, you should be using a 32bit Linux distro with a kernel from 2012 or later.

-SLS-
Click to expand...
Click to collapse

Also avoid USB ports featuring power-share. My laptop has one of it's USB ports designated to charge devices even when the laptop is powered off, it has a small lightning bolt beside the USB logo. I've noticed this port causes problems with Windows device detection and flags it as an unknown device (even with the proper drivers loaded, other ports work fine).

Also for anyone not familiar with USB 3.0, the ports normally have a blue center to them.
 
Last edited:
J

jon1234444

Member
Feb 29, 2012
25
5
still lurking, trying to debrick my Evo 3D (8660) here, could never get past the cookie error in qpst. when running the latest script everything seems to go well until sending magic:

Code: 
Sending MAGIC...
Response: 03 00 03
Invalid MAGIC response.

any idea what that response means?
 
A

arie001

Senior Member
Feb 6, 2012
69
9
Evo 3D unbricking

jon1234444 said:
still lurking, trying to debrick my Evo 3D (8660) here, could never get past the cookie error in qpst. when running the latest script everything seems to go well until sending magic:

Code: 
Sending MAGIC...
Response: 03 00 03
Invalid MAGIC response.

any idea what that response means?
Click to expand...
Click to collapse

Have you been to this thread yet?
http://xdaforums.com/showthread.php?p=25501934

--EDIT--
I noticed this result when experimenting a little, when brixfix.sh sees the phone in :9008 mode it calls the "switchmode.sh" script which qdloads two files in order to get the phone into the SD card mode. I tried loading the 8660_msimage.mbn first on a freshly connected SGH-I727 before loading "sudo perl qdload.pl -pfile MPRG8660.bin" command and got this same exact response:

Code: 
/Brixfix-2-1> sudo perl qdload.pl -lfile 8660_msimage.mbn
Sending MAGIC...
Response: 03 00 03
Invalid MAGIC response.

So it looks like maybe your MPRG8660.bin file is missing/renamed, or is not uploading correctly before the 8660_msimage.bin file is uploaded.
 
Last edited:
darkspr1te

darkspr1te

Senior Member
Sep 24, 2012
952
595
BarakOsama said:
Please someone share a PIT file of 32GB E160x device.. :(
Click to expand...
Click to collapse

I now have the files for a model K, thanks to 2ndcarpenter for making this possible.
This means I can now support L / K 32 GB or 16 GB , I need to do some initial testing and will upload a updated brixfix

Darkspr1te


Sent from my A210 using Tapatalk 2
 
You must log in or register to reply here.

Similar threads

darkspr1te
  • Locked
[SOLVED]-[BRICKED]SHV-E160L Korean model
Replies
307
Views
242K
Clark Joseph Kent
Clark Joseph Kent
P
  • Locked
Sub Forum For Korean Note SHV-E160
Replies
742
Views
252K
Stryke_the_Orc
Stryke_the_Orc
J
[SHV-E160][Root][Kernel]How to Root Korean Note via Tegrak Kernel Setup
Replies
264
Views
255K
J
joseffb
darkspr1te
**WARNING** [ROM][4.1.2]SHV-E160L-MB2-Cherry Rom **WARNING** SHV-E160L Models Only
Replies
159
Views
120K
F
finessin
J
[SHV-E160][Root][Stock]How to Root Korean Note via Flashing with Rooted Stock FW
Replies
229
Views
233K
Atlas7392
Atlas7392

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 34
    darkspr1te
    darkspr1te
    Note to NON SHV-E160L users
    This software & this thread is aimed at developers Mainly, Please don't post 3 line request like "my device is bricked , please help" as you will be ignored, if you cant do the research required to provide the right details plus finding the correct files required then this thread is not for you and you should post in the device thread for your device, This program and it's associated files & thread is NOT being actively developed but the thread remains open for user to post more information, additional files, updates from the public etc.
    It's not here for lazy people to scream fix my device, can those type of users please speak to your retailer, cell phone service shop.

    I will reiterate again, THIS IS A DEVELOPMENT THREAD AND NOT A REQUEST PAGE FOR "fix my device"


    PLEASE NOTE: This tool only comes pre-packed with files for the Korean SHV-E160L galaxy note. Usage on other devices requires that you understand the requirements, this includes but not limited to :-

    1. 1. Alteration of the scripts to use the files specific to your device
    2. 2. Correct HEX and SD-CARD loader also known as sdcard mbn
    3. 3. Correct partition information (knowing if it's MBR/GPT or hybrid)
    4. 4. Correct bootloaders for your device (SBL1/2/3/ABOOT)

    I am not currently doing further development on this tool, it is here for anyone to expand on use how they seem fit so long as the authors involved are given the credit.
    Users are welcome to build and post altered versions specific to their device but PLEASE post plenty of information as to what device/model it is for or the post may be deleted to protect other less educated users.

    darkspr1te


    Hi All,
    I've updated my Debrick tool to Version 2.
    Many Changes to the base code, inclusion of new tools, Almost a one click Linux solution for Qualcomm Development and debricking of Qualcomm devices.
    As documented on this thread SHV-E160L home debrick thread I debricked a qualcomm based msm8660 device without using any special devices.
    my first tools were internal development and had more bugs than a sewer, so after many hours of work i can now bring this new version to you.

    Please do not pm with bugs, POST HERE Only.
    This tool currently only supports the SHV-E160L , if users willing to provide the files from their devices I can expand the support of this tool.
    in most cases linux is required for this, a ubuntu live cd/flash will work perfectly.


    New Feature, Windows Based BACKUP of partitions and bootloaders, ROOT/Python27-windows is required and cannot function without this.
    *nix backup coming soon,

    Rules for posting backups

    Post ONLY the link here, use www.sendspace.com to upload your backup zip (remember to change the .zip filename to reflect your device, example SHV-E160L-16GB.zip )
    zip up only the backup folder, not the whole program, right click on backup folder, sent to compressed folder, rename.
    this program does not backup personal or device specific data like IMEI number, it only backups the bootloaders, partition table and .pit file for samsung SHV based devices
    When Posting links, please include your device details well, a example would be

    SHV-E160L 16 GB, 9000lang rom,

    The rom part is only so if we a tracing possible backup issues that may be rom specific.
    Future backup features will include automatic detection of .mbn partitions based on qualcomm header.

    Support for non SHV devices will be slow, but future versions will include other devices.


    Well Enjoy,

    EDIT: some users are reporting cookie not present error could be fixed by using a winxp/another qpst driver windows driver. this is unconfirmed bu i thought i should mention it. 04-12/2013

    Changelog:- V2-2(dev version only - not a public release)
    • added command line device/folder parameter, you can now specify a unzip copy of posted bootloaders and it will restore them
    • added additional file to specify output sectors based on getpart data, testing option for building partition0.bin by hand based on known simalr devices
    • added dev switches for wiriting specified parts only
    • added skip aboot option (for now it is specified to skip writing of aboot.mbn, public release will be opposite, you will have to force writing aboot , sbl1/2/4/tz/rpm seems to come as one package, interchangeable as a package, aboot is totally device specific)
      bugs:-
    • there is a known bug in the getpartbin.py python program, it cannot handle greater than 29 partitions.

    Changelog:- V2-1
    • added windows backup.bat program to backup all bootloaders and partition0.bin
    • minor changes to code for changing device (current version support only changing of variable $DEVICE, feature will eventually be cmd line based)
    • tesing of backup files
      bugs:-
    • there is a known bug in the getpartbin.py python program, it cannot handle greater than 29 partitions, and one will to help in python please let me know. I am not the author of the program



    Changelog : V2
    • Improved error checking*
    • automated qdload detection*
    • automated qdload hex & .mbn upload
    • automated detection of device in sd-card mode*
    • user input*
    • colours
    • major code changes to start support for automatic parition information & collection allowing backup to be one command and upload to a website for distribution & recovery for all
    • development documentation
    • Code changes to allow expansion to other Qualcomm devices

    Sendspace Links

    BrixFix V2-1-Inc Python27-Inc cwm recoveries
    http://www.androidfilehost.com/?fid=9390355257214632490 mirror tanks too Marduk191

    Brixfix V2-1 No Python for windows, No cwm-recovery-Slim Version
    Brixfix V2-1-Super-SlimNo drivers, bootloaders, python-win.

    Media Fire Links

    BrixFix V2-1-Inc Python27-Inc cwm recoveries



    SHV-E160K 32GB Recovery files
    SHV-E160L 32GB Recovery Files
    SHV-E120L Recovery Files (posted on another page)

    -------------------------
    Here is the README

    brixfix V2
    =================================
    By dakrspr1te ========Doc=V=1====
    =================================
    Thanks To :-
    E:V:A, SLS, JCSullins(Rootz Wiki), Adam Outler, many more, sorry if i've missed you out.

    Warning, Although i've tested this tool many times on my own devices, it always has the potential to damage both computer & cell phone device, YOU HAVE BEEN WARNED!!!!


    This tool is designed to repair SHV-E160L Korean Galaxy Note 1 based on the MSM8660 & MDM9600 Qualcomm Chips
    It Only works with devices that are stuck in QDLOAD mode or 05c6:9008 as the PID/VID
    It uses Tool/info Written By Others as well as myself.


    Namely :-

    qdload - http://github.com/jcsullins/qdloader
    getpartbin.py - http://blog.csdn.net/su_ky/article/details/7773273
    hex2bin - hex2bin.sourceforge.net


    Instructions
    ############


    connect Qualcomm based device to usb port on linux PC, not tested under windows via USB redirection,
    on command line run
    sudo ./brickfix

    Follow on screen instructions, tool will detect device in QDLOAD mode (05c6:9008) and switch to DMSS protocol, upload a hex (converted to bin for this purpose)
    the hex is then executed and the device switches to Streaming Protocol, at this point we write a .mbn file to the internal emmc chip, at the end of the emmc write process the device then reboots
    after the reboot re-running brixfix with detect the device in the second stage for repair , the device's emmc is accssable as a sd-card, we then write back the damaged parts of the bootchain,
    at a minimum you must write a new partition table or the device will always boot in sd-card mode, WARNING, failure to write the rest of the boot chain could leave your device in a situation
    which give only black-screen, no usb enumeration, dead. The only way around that is jtag, or finding the Boot resistor which switches the device back to QDLOAD mode, or emergency boot.
    goto http://xdaforums.com/showthread.php?t=1914359 for further details.


    Come give me thanks on XDA if this tool helped you

    Additional Tools (DEV Level)
    ===========================
    getpartbin.py - A tool for backing up the primary partition & extended parition tables and combines them into a writable parition0.bin file (python)
    qdload.pl - A tool for talking in the HDLC framed DMSS & Streaming Protocol's used by Qualcomm (Perl)
    switchmode.sh - A executes qdload.pl for msm8660 device upload
    get-part.sh - **DEV** unfinished tool by darkspr1te for creating partition tables in sfdisk format and .csv format (to be used in the future to create parition0.bin plus more automated collection)
    tools/ - Folder containing armv5 (arm7 compatible) tools for parition manipulation and data collection
    SHV-E160L-16GB/ - Folder contain SHV-E160L bootloaders & pit file
    ADB/ - Folder containing adb programs
    extras/ - Folder containing odin and clock work mode recovery installers for 160l devices
    QUALCOMM/ - Windows drivers (For QPST, Not required in linux, included for backwards compatability with older guides)
    hex2bin - convert your xxxxMPRG.hex file to bin for use with qdload

    Tips
    ====

    Additional
    ==========
    I will accept brick qualcomm devices for developing further debricks. pm me via XDA Forums

    Darkspr1te
    Click to expand...
    Click to collapse
    View
    4
    darkspr1te
    darkspr1te
    Brixfix 2-2

    Hi All,
    As i promised, the last and final brixfix package. It all open source for you to learn/use as you wish so long as you dont charge for it.


    brixfix-v2-2.zip


    Qpst 2-7-44.zip

    Revskills editor

    File List for files included in brixfix

    If anyone wishes to coninute this effort please let me know.

    darkspr1te
    View
    4
    SouL Shadow
    SouL Shadow
    Ok, for the next generation of curious people, here's a (simplistic) closer look at how modern Qualcomm devices boot up.


    This info is presented as a simple overview so more people understand how the system works and what is happening. It is far from complete and it's not exactly how it works. But for 99% of us, it's all we need to know.

    Also, before anyone asks, my main source was google and some files found on XDA. DO NOT ASK ME FOR "???" I have nothing that you can't find on your own. In fact, most of the following can be found in E:V:A's MSM8960 thread. Also http://www.codeaurora.org contains a lot of info and source code (Gobi and Gobi 3000 source code will help to understand how download mode functions).


    Beginning with Secure Boot 3, the entire PBL is contained on the modem chip (earlier chips depended on the actual PBL being stored in a known location on the flash memory, like an MBR, with an extremely bare bones amount of executable code on processor). This newer design allows for security checking to be done, if enabled, on ANY off-chip program to be executed at boot time. THIS IS THE ONLY REASON, other than hardware failure, that a device becomes "HARD BRICKED". All boot files can be signed with a crypto key. This key is stored in a section of memory in/on the CPU called a QFuse. After writing to a QFuse, as it's name suggests, the fuse can be "blown". That is, a higher electric current is maintained long enough to break the physical connection. Once this connection is broken the QFuse can not be changed. If the security related fuse is blown than ONLY a signed boot file can be executed. The PBL is written to the chip at the factory by Qualcomm. The QFuses can then be written by the OEM. According to the spec, multiple keys can be stored in the QFuses (meaning there COULD be a master key from qualcomm in addition to vender supplied keys). Although it is unknown whether or not this is actually done.

    Now, I don't know much about the actual security or cryptography, but here's the basic boot process from what I've pieced together:

    PBL written by Qualcomm, can not be altered.
    OEM chooses it's own key, writes it to QFuse, blows fuse.
    OEM builds it's own SBL1, SBL2, SBL3, TZ and RPM along with it's own APPSBL (aboot, hboot, etc...)
    OEM performs a hash of the file, like md5, sha1, sha256...
    OEM uses it's key to encrypt the hash and attaches it to executable and writes to flash.
    CPU powers on, runs hard coded PBL, and reads QFuses.
    CPU checks any error messages in memory from a previous boot.
    CPU then tries to load SBL1 in to ram from flash as pointed to by partition table.
    CPU performs same hash and compares with decrypted data.
    If check passes, code is executed.
    If check fails OR flash is unreadable, PBL enters download mode.
    In download mode, if there is an error message from a previous boot, it is automatically sent to the client. (Some people using qdloader.pl may have noticed this message)
    In download mode a special executable (the .hex file) can be loaded in to ram
    *** depending on OEM config, this hex can be loaded from usb AND/OR external sdcard
    Now the hex is security checked exactly as SBL1 would.
    If it passes, it's executed.
    This hex file is a special program called the emergency downloader (or sometimes just the downloader).
    It's only purpose is to download and write the partition table (partition0.bin) and secure boot loader partition data (contained in the .mbn) to the flash.
    IF security check failed, an error message is set and device "warm" reboots.
    The hex can only be sent ONCE per "cold" boot cycle.
    Removing the battery (or using the similar OEM key combo) will "cold" boot the device, clearing the RAM.
    Also, if download mode isn't successfully entered (using qpst or qdloader.pl) within a certain time limit, an error is set and the device "warm" reboots.
    This error message memory is why the device sometimes shows up differently.

    Of course this is only a simple outline of the Secure Boot 3 boot process. There is much more going on, but these are the basic steps that apply for bricked phones. I know less about Secure Boot 2 and earlier, but they follow a similar process and DON'T require a signed hex file. The Snapdragon S4 (msm8960 and others) was the start of the Secure Boot 3. The msm8660 was still using Secure Boot 2. So, if you want to know if your device is recoverable like this, then find out which chipset you have (msm????, apq????, ...) then find out what secure boot it uses. Google should answer this question easily. If it's Secure Boot 3 then most likely it requires signed files, which is still a dead end :(

    misc. extra info:

    There is of course no way to read a QFuse from QDL/qdload/qhsusb_dload until AFTER loading the HEX... (I've heard of some vender specific programs included with their android system (LG Optimus?) that can read qfuses, but that is NOT a standard)


    The "cookie not received" error is simply QPST's way of reporting that it didn't get the "magic" text string from the phone/device. This is because the HEX either could not be uploaded or it could not be executed (either wrong hex for that CPU or it's not signed with the proper key hard coding into that device (OEM vender specific))

    I'm sorry to say that I too have moved on to other projects. There just isn't enough free time anymore.

    darkspr1te said:
    It is possible, this tool makes use of the fact that these devices revert to dev board mode under certain conditions. There are major changes when it comes to partition layouts thought. But the principle remains the same, the hex file allows the CPU to start up in a way that you can then write to the emmc, once the .mbn/sdcard mode files are written you can then rewrite your factory partition.
    It is still very much a work around though, some users are getting "cookie not received" errors which we still don't 100% know what it means, top answer are,
    1. Not a signed hex, CPU rejects it
    2. Damaged emmc, could be kernel wipe bug or true failure of emmc
    3. Additional commands are required for further function.


    Can I also ask that users that do have a hex file and associated files for the phone, please post what you have, further dissection of the files does assist in learning about how these devices run, e.g I learned everything from the 8960 docs and files before the 8660 files came about.
    Also there are a few ports of this programs floating around, but none have been posted for others to research into.
    Not to be confused with sister projects like HP touchpad debrick, my debrick contains code from that project and vice versa.

    It has also come to light that it may be possible to run a hex from a similar device, but this is not yet confirmed.

    I no longer have my Qualcomm device so I have not continued the research , if I get another one then I will.


    Darkspr1te


    Sent from my A210 using Tapatalk HD
    Click to expand...
    Click to collapse
    View
    3
    L
    lovepashah
    Thanks Darkspr1te & Babaknuri

    darkspr1te said:
    ,
    Click to expand...
    Click to collapse

    HI Darkspr1te

    Thanks for the wonderful program that you made and thanks to babaknuri for the bootloaders files of SHV-E160S 32 GB

    By Mistakenly i had Flash my SHV-E160S with N7000 International Version Pit File and Firmware which Bricked by Device to QHSUSH_Dloader Mode. Only Black Screen. No Download Mode, No Recovery Mode.

    And I Came Across your thread and tried your method i was able to get my Device on download Mode but my bootloader changed from SHV-E160S to SHV-E160L

    And Thanks to BABAKNURI who had give me the bootloader files after lot of tries of SHV-E160S and i was able to GET my phone up and running.

    Sharing SHV-E160S 32 BG Bootloader including pit file taken backup from your application darkspr1te. AS you didnt had bottloader and will be helpful other SHV-E160S Users

    Thanks again Darkspr1te a lot for the wonderful application.
    View
    3
    darkspr1te
    darkspr1te
    yakovpol said:
    Could someone help with APQ8064T hard bricked device (e980) please? I have one bricked and another fully operational phone, so all information needed can be extracted from the working phone.
    All possible HEX files I found could not help me to put the device into SDCARD mode. I started thinking that digging into Qualcomm chip specs for a way to boot the device from external SD-card would be more productive...
    Click to expand...
    Click to collapse

    All modern Qcom can in someway boot sd-card , it's controlled via either resistors on gpio pins, 'BOOT_CFG', or set in the chip via q-fuse which once set so far cannot be reset.

    My first suggestion BEFORE WRITING anything to the bricked device is document the un-bricked device, part of writing this information is giving your brain a moment to understand it.

    we have a Grand partition table section where users have posted the partition layout required by many devices, you should read this thread to understand the required files for creating and transferring a backup of the partition table. tools are posted there that can assist in gathering this information.

    Linux is not a 100% requirement but is suggested.
    in some cases its possible to write copies of the required bootloaders to a sd-card and boot the device that way , BUT, as always there is a big but, if the BOOT_CFG gpio is set to emmc -> fail to PBL or if it's set via the qfuse then only fixing the emmc or booting via the PBL will you fix the device.
    Adam outler did a great thread on the unbrick-able mod and bootloaders to which some of my work followed also you must read those.

    What files do you have?, what have you tried?
    View

New posts