I'm from the Windows Phone camp. In the past I've been working on a lot of Windows Phone 7 devices. Currently I'm working on 2 Windows Phone 8 devices: Samsung Ativ S (I8750) and Nokia Lumia 920 (RM-821). The Samsung device is an R&D device which has non-blown fuses, which means that QPST and other goodies are available on this device. The Nokia device is a retail device, which is fully secured. Both have the Qualcomm msm8960 chipset.
I'm quite new to hardware-hacking. I've been reading in this forum and other docs to catch up a little. But I'm still in the dark on some things. This thread seems to be the most appropriate one to ask my question.
For my current research I'm interested in one thing specifically: I want to read the OEM_PK_HASH from the QFuse of the devices. The Nokia has its fuses blown, so that won't be possible. But I'd like to be able to read the QFuse data from the Samsung.
I know how to put the Samsung in Qualcomm COM mode and Qualcomm DLOAD mode. In both cases I can connect QPST. In COM mode I can use the normal Software Downloader (to make a backup of NV) and other tools. In DLOAD mode, I can run the eMMC Software Download app. In the eMMC Software Download app, a QFuse button is available. There I can add addresses and then press the Read button. I'm not able to get this working correctly. First of all, I do know the address where OEM_PK_KEY should be, but I don't know the values for LSB and MSB. When I try to read an address, I always get this error:
Fuse blowing - QfpromRead - response command field (0x3) not equal to 0x35
Fuse read completed
I read that it might be necessary to send a Flash Programmer image to the chip first. It will be loaded in RAM and then communicate with the client on the PC. So I tried that. I selected MPRG8960.hex, but when I try to send it to the chip, the eMMC Software Download app just becomes unresponsive.
When I forcibly restart the eMMC Software Download app, nothing is changed; same error when I try to read the QFuse data.
My questions are:
- Why do I get the error message and how do I get around that?
- Which LSB and MSB values do I need to have, to be able to read the OEM_PK_HASH?
Any other information that could help me in the good direction is welcome.
Thanks a lot all, for posting all this info on XDA.