DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800

.NetRolller 3D

Senior Member
Jul 15, 2012
Budapest
The esco file only contains a valid signature for the 710 - the 800 will not accept it through the normal flashing interface. Therefore, you must write the bootloader extracted from the esco file directly into the eMMC.
 

.NetRolller 3D

Senior Member
Jul 15, 2012
Budapest
@trenbeth: Google is your friend.

BTW, I have another idea for an even simpler hack: simply short TP1555 (eMMC clock) to GND, and plug in the USB cable. This should trigger "QHSUSB_DLOAD" mode.

EDIT: It turns out, for the card reader trick, not any card reader will do - you will need one that operates in SD/MMC host controller mode, and not USB mass storage mode. Thus, most PCI, PCIE, Cardbus and laptop built-in card readers should work, but USB ones usually won't. (Because it's generally a bad idea to solder wires directly into one's laptop just for a phone hack, I suggest getting a MiniSD or MicroSD adapter, and soldering the wires from the phone to that adapter.)
 

.NetRolller 3D

Senior Member
Jul 15, 2012
Budapest
The built-in card readers I've seen so far were all PCI-Express, appearing in Device Manager as an SD/MMC host controller.

But even with a USB reader, it should be possible to interop unlock, or maybe even root the device, as the main OS partition (including the registry) should be accessible.

EDIT: The test-point cables are only good for ATF or the testpoint shorting hack, as they don't connect the VCC and VCCQ lines. (ATF operates on a powered-ON PCB, and overrides the logic levels sent by the main CPU, rather than operating with a powered-down PCB with the CPU inactive.)
 

pedrocel85

Senior Member
Sep 14, 2009
Rio de Janeiro
The built-in card readers I've seen so far were all PCI-Express, appearing in Device Manager as an SD/MMC host controller.

But even with a USB reader, it should be possible to interop unlock, or maybe even root the device, as the main OS partition (including the registry) should be accessible.

EDIT: The test-point cables are only good for ATF or the testpoint shorting hack, as they don't connect the VCC and VCCQ lines. (ATF operates on a powered-ON PCB, and overrides the logic levels sent by the main CPU, rather than operating with a powered-down PCB with the CPU inactive.)
Net,
Did your ideas work? Did you manage to flash the Qualcomm bootloader?
 

.NetRolller 3D

Senior Member
Jul 15, 2012
Budapest
Yes, that's exactly what I recommended. (Internal card readers are usually PCI/PCIE-based, which present the card directly to the OS, rather than emulating a USB flash drive.)

If you use Linux, changing the bootloader may be even easier, as it will show up as a separate block device "/dev/mmcblkXboot1" (or maybe boot0 - you will need to check it yourself). By default, this device will not be writable, to guard against accidental overwrites - read the documentation for enabling writes to the boot partitions.
 
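The two practical checks raised in this thread (is the reader a real SD/MMC host controller rather than a USB mass-storage bridge, and how to get past the kernel's write protect on the eMMC boot partition) as an added example script. This is not code from the thread or from any tool mentioned in it. It assumes a Linux box where a native host driver exposes the card as /dev/mmcblkN with mmcblkNboot0/boot1 sub-devices and the per-partition write protect at /sys/block/<dev>/force_ro; the device names and image file name in the comments are placeholders, and SYSFS_ROOT / BLOCK_DIR exist only so the functions can be exercised against a fake directory tree without touching real hardware.

```shell
#!/bin/sh
# Added example, not code from the thread or from any tool it mentions.
#  1. reader_kind: is the card presented by a native SD/MMC host driver (the card's
#     own sysfs attributes such as "cid" and "type" are visible) or by a USB mass
#     storage bridge (the device path runs through a USB bus)? Only the former
#     gives access to the eMMC hardware boot partitions (mmcblkNboot0/boot1).
#  2. write_emmc_boot: lift the kernel's force_ro write protect on a boot partition,
#     write a raw bootloader image, read it back and compare hashes, then restore
#     force_ro. Device and image names are placeholders.
# SYSFS_ROOT and BLOCK_DIR let the functions run against a fake tree for a dry run;
# on a real machine leave them at their defaults (and run as root).

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
BLOCK_DIR="${BLOCK_DIR:-/dev}"

sha256_of() {   # hash stdin, portable across coreutils and BSD userlands
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# reader_kind <block-device-name>   prints native-mmc | usb-storage | unknown
reader_kind() {
  devdir="$SYSFS_ROOT/block/$1/device"
  if [ -r "$devdir/type" ] && [ -r "$devdir/cid" ]; then
    echo native-mmc; return 0              # mmc_core attached: real MMC/SD host
  fi
  case "$(readlink -f "$devdir" 2>/dev/null)" in
    */usb*) echo usb-storage; return 0 ;;  # SCSI disk behind a USB bridge
  esac
  echo unknown; return 1
}

# write_emmc_boot <boot-partition-name> <image-file>
#   e.g. write_emmc_boot mmcblk0boot1 qcom_bootloader.bin   (placeholder names)
write_emmc_boot() {
  dev="$1"; img="$2"
  node="$BLOCK_DIR/$dev"
  ro="$SYSFS_ROOT/block/$dev/force_ro"
  szf="$SYSFS_ROOT/block/$dev/size"        # partition size in 512-byte sectors

  [ -r "$img" ] || { echo "image not readable: $img" >&2; return 1; }
  [ -e "$node" ] || { echo "no block device: $node" >&2; return 1; }
  [ -w "$ro" ] || { echo "no force_ro at $ro: not an eMMC boot partition, or not root" >&2; return 1; }

  # Refuse an image that does not fit; the boot partitions are small (a few MiB)
  imgsz=$(wc -c < "$img" | tr -d ' ')
  if [ -r "$szf" ] && [ "$imgsz" -gt $(( $(cat "$szf") * 512 )) ]; then
    echo "image ($imgsz bytes) larger than $dev" >&2; return 1
  fi

  echo 0 > "$ro" || return 1               # lift the write protect
  # notrunc: never truncate; in a dry run the "device" may be a regular file
  if ! dd if="$img" of="$node" bs=512 conv=notrunc 2>/dev/null; then
    echo 1 > "$ro"; echo "write failed" >&2; return 1
  fi
  sync
  echo 1 > "$ro"                           # restore protection immediately

  # Read back exactly the image length and compare digests
  want=$(sha256_of < "$img")
  got=$(head -c "$imgsz" "$node" | sha256_of)
  if [ "$want" != "$got" ]; then
    echo "read-back mismatch: wrote $want, device has $got" >&2; return 1
  fi
  echo "ok: $imgsz bytes written to $node, sha256 $want"
}

# Stand-alone use:  sh thisscript.sh mmcblk0 mmcblk0boot1 image.bin
if [ $# -eq 3 ]; then
  reader_kind "$1" && write_emmc_boot "$2" "$3"
fi
```

The classifier only answers "native-mmc" when the card's own attributes (cid, type) are visible under the block device, which is exactly what a USB reader emulating a flash drive never exposes; the writer restores force_ro before verifying, so a failed compare still leaves the partition protected.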

Bph&co

Senior Member
Apr 14, 2012
Hi,

I have still yet to see somebody implement off-power read/write of the eMMC chip. ATF manages with so many wires by the fact that the chip is still wired to the CPU and all control signals are handled correctly. If you watch the protocol on screen, you will see that the ATF FPGA asserts lows and highs (high levels slightly higher than the phone's 1s, and lows via bridging a few gates in parallel to assert low impedance on the bus) during the important boot mode check when the eMMC is in 1-bit SDIO mode, immediately after restart.

To use an external MMC reader and a non-powered phone PCB you will need a few more lines connected, maybe fewer with a small microcontroller development board using the HW SDIO interface (most chips have it these days), e.g. STM32F4Discovery, but you still need to cook up a custom boot sequence yourself.

The standard firmware in an off-the-shelf reader would probably not manage to take control of the eMMC, as I suspect it does not communicate in 1-bit SDIO mode; it probably does at the beginning and then switches to a wider interface.

BR
 

.NetRolller 3D

Senior Member
Jul 15, 2012
Budapest
Actually, the eMMC chip documentation shows that it fully supports 1-bit MMC (not SDIO, and not SPI) mode, and only switches to a higher bus width when explicitly requested to do so.

EDIT: Not very relevant, but open the Lumia 710 boot loader MBN in a hex editor, and go to address 0x1E490 for a good laugh. :) Or, if you have the Lumia 800 Qualcomm boot loader image, it's @ 0x1E52C.
 

Bph&co

Senior Member
Apr 14, 2012
Hi,

I guess 1-bit MMC = SDIO, sorry, my bad. The phone for sure switches to a wider bus after the initial boot sequence; I haven't reversed this part, not sure where it is, probably the boot ROM. But this initial chip inquiry is the golden opportunity to take control, and of course hats off to X-Shadow for the hack and implementation (!).

What version of the bootloader? I have some old disassembly; I have a pointer to a string at this location.

BR

Actually, the eMMC chip documentation shows that it fully supports 1-bit MMC (not SDIO, and not SPI) mode, and only switches to a higher bus width when explicitly requested to do so.

EDIT: Not very relevant, but open the Lumia 710 boot loader MBN in a hex editor, and go to address 0x1E490 for a good laugh. :) Or, if you have the Lumia 800 Qualcomm boot loader image, it's @ 0x1E52C.