Finally... unbrick your Lumia device QHSUSB_DLOAD without JTAG

[whoadood]

ah I really forget it , sorry .
QHSUSB_DLOAD is different . I don't know about that .

Again as I said there should be a way to flash whatever we wanted without a signature check. Unfortunately we don't know the protocol.

 

[-W_O_L_F-]

Again as I said there should be a way to flash whatever we wanted without a signature check. Unfortunately we don't know the protocol.

We know.
https://github.com/jcsullins/qdloader
http://forum.xda-developers.com/showthread.php?t=2136738

 

[whoadood]

We know.
https://github.com/jcsullins/qdloader
http://forum.xda-developers.com/showthread.php?t=2136738

That's pretty good... Hmmm... If we knew how to extract the partitions from the .ffu file... Is that known?

We could just flash a modified version of the ROM... We should get serious about this. It's a good start.

 

[-W_O_L_F-]

That's pretty good... Hmmm... If we knew how to extract the partitions from the .ffu file... Is that known?

We could just flash a modified version of the ROM... We should get serious about this. It's a good start.

yes, ffu extracting is possible too.

 

[whoadood]

yes, ffu extracting is possible too.

So what is stopping us?

 

[zapirkon]

took some time to search around again...


F771E62AF89994064F77CD3BC16829503BDF9A3D

try googling this, I think the file is present in ATF tool, but mentioned also in screenshots of BEST (I have many of them in folder named MPRG but I don't remember the tool since I uninstalled them all last week since nothing worked, i just kept some folders)

from what I have read BEST can flash L520 that is detected as QHSUSB_DLOAD (with black screen) but I have no access to service center nor a dongle (the dongle price is same as the phone price) and for flashing the phone, nothing more than USB cable is needed.

so, from the screenshots people post from BEST...

FFU Model ID
FFU ChipSectors : 15155200
located in ffu: ... MMOS.WIM\Windows\ImageUpdate\OEMDevicePlatform.xml

FFU RootKeyHash
???
but i did found
F771E62AF89994064F77CD3BC16829503BDF9A3D
inside ffu: ... efiesp\Nokia\Security\issw_ape_MSM_v1.mbn
right before the string

Bootloader attestation for user

but it is longer hash inside the mbn file
the folder itself looks like it is holding the boot and certificate files

but this part i dont get

Waiting for phone in DLOAD ...
PARAM : 08/01/0600/90
DLOAD : PBL_DloadVER2.0
Switching to FlashProgrammer...
FlashProgrammer init Done!
Sub Init Ok, eMMC , 0x00003C00
Secure Mode init Ok
Program mode Init Ok , 0x0000E900
Writing now ...
Write [GPT] : Ok
Write [SBL1] : Ok
Write [SBL2] : Ok
Write [SBL3] : Ok
Write [UEFI] : Ok
Write [RPM] : Ok
Write [TZ] : Ok
Write [WINSECAPP] : Ok
Program Data finished!

can thor2 do this?

protocol should be streaming ( Collins / Alpha as default )
according to ffu: ... MMOS.WIM\build-info\enosw-image.txt
it says:
RM914 3055.40000.9200.10517 345976 2013/11/20 //collins_engine_8227/PRx_engine_integration

but as this is the default protocol, so from the examples:
Emergency programming for Collins and Alpha ( MBN file only ):
thor2 -mode emergency -hexfile "FAST8960.hex" -mbnfile "8960_msimage_uefi.mbn" -orig_gpt

we need not MPRG8227.hex, but FAST8227.hex

i tried sending other hex file but i get this

Initiating emergency download
Using default emergency protocol
ALPHA EMERGENCY FLASH START
Emergency Programmer V1 version 2014.10.31.001
Hex download selected
Check if device in Dload
Connection to DLOAD mode succeeded
Get Dload parameters
Sending HEX flasher to the device
Sending GO command if HEX flasher successfully uploaded.
Message send failed with error code -1
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 8.00 seconds.

THOR2_EMERGENCYFLASHV1_ERROR_MSG_SEND_RECEIVE_FAILED

THOR2 1.8.2.15 exited with error code 85021 (0x14C1D)

so, next step... how to find the hex file, because the above commercial apps seem to have it or know how to flash without it

 

[johntheredimid]

took some time to search around again...

You can create your own MBN and HEX file ... can not remember if the HEX file containing the boot or partition ... but one of the two must be ... you can create bootable taking the files, I have them all I posted this link, and is a tutorial to create , try if you can do, my knowledge does not allow me do it and I need help finding good people like you, thanks

http://m.blog.csdn.net/blog/ziyouwa/16331751

the problem is ... '' size '', '' type '' ... these values should be according to our team .. and i don't understand, should investigate further

Edit: the .mbn containing the boot files

''8xxx_msimage.mbn is released in SW by default, actually, it includes the all the boot images and partition table there. MPRGxxxx.hex will download this image and reset to mass-storage mode.''

 

[zapirkon]

You can create your own MBN and HEX file ... can not remember if the HEX file containing the boot or partition ... but one of the two must be ... you can create bootable taking the files, I have them all I posted this link, and is a tutorial to create , try if you can do, my knowledge does not allow me do it and I need help finding good people like you, thanks

http://m.blog.csdn.net/blog/ziyouwa/16331751

the problem is ... '' size '', '' type '' ... these values should be according to our team .. and i don't understand, should investigate further

Edit: the .mbn containing the boot files

''8xxx_msimage.mbn is released in SW by default, actually, it includes the all the boot images and partition table there. MPRGxxxx.hex will download this image and reset to mass-storage mode.''

hmm, the file MMOS.WIM\Windows\ImageUpdate\DeviceLayout.xml
contains sector count:
SBL1 : 3000
SBL2 : 3000
SBL3 : 4096
RPM : 1000
TZ : 1000
how do we convert to "size"
the error is also strange:

example for "SBL1" size="3000"
i get:
File RM914_SBL1.BIN too large for 1536000 byte partition
but 1536000 = 512 x 3000 exactly

and then i try to set all of them to +1 in the size

SBL1 : 3001
SBL2 : 3001
SBL3 : 4097
RPM : 1001
TZ : 1001

and i get the mbn file of 13.107.200 bytes

but this does not seem right, also newer QPST tools have different commands and xml files, so maybe even this method is wrong
+ there are more bin files: MBR_GPT, UEFI, WINSECAPP
and there is the folder MPRG with <hash>.bin files

update: when I use sbl*, rpm and tz files from the ffu, i can use the original sector sizes 3000, 4096 ... and get different mbn with same size

anyway, how about the hex file, does anybody know the purpose or how to get it and is the direction for solution good?

---------- Post added at 08:11 PM ---------- Previous post was at 07:40 PM ----------

when I stop to realize what are we trying to accomplish here I think that small boot file to get from the black to the red screen. I am almost convinced that is the
F771E62AF89994064F77CD3BC16829503BDF9A3D.bin
since the other files are already in the ffu

 

[johntheredimid]

hmm

Let's go ... infinity box with dongle makes this next procedure to recover the boot and turn the phone on red screen:

Write [GPT]: Ok
Write [SBL1]: Ok
Write [SBL2]: Ok
Write [SBL3]: Ok
Write [UEFI]: Ok
Write [RPM]: Ok
Write [TZ]: Ok
Write [WINSECAPP]: Ok

Ok, let us start from the basis that these 8 files, are included in the .mbn, by logic and experience in other Android devices, should be.

Here are all files, incluids gpt, winsecapp and UEFI https://mega.co.nz/#!1l9A0ShA!y4U3xEDRSgihwaGqyNKSBfTSLhyA94I4FlsLAUfy6Nc

So we know how: partition_boot.xml create the file, like the .mbn, just missing the hex

Now, thanks to googling know that this file belongs to lumia 520
F771E62AF89994064F77CD3BC16829503BDF9A3D.bin

folder called MPRG containing F771E62AF89994064F77CD3BC16829503BDF9A3D.bin in the folder of Advance-box turbo flasher.

And you may be right. Therefore matches the hex file

Ok now if you believe this is the hex file ... bin2hex can use to try to achieve a hex

[Removed broken link]

The hex file is rare, for example this https://github.com/aureljared/unbrick_8960/blob/master/hexmbn/chips/msm8960/MPRG8960.hex
is a text file...
Not that it is not an object in itself :S not understand it at all, someone from some other thread should know that works.

PD:
remember to keep the battery charged to achieve the procedure
Also remember that the infinity tool box forces you to install the driver


X2_FlashDriver_Emergency_XP.rar [Removed broken link]

should say Nokia Emergency Conectivity

 

[-W_O_L_F-]

hex files represent binary data in text form. https://en.wikipedia.org/wiki/Intel_HEX

 

[trogper]

I can't get a correct format of the hex file with this tool

you have to use bin2hex, but it's not just that simple
Qcomm hex files are 10 bytes per line, bin2hex outputs 20 bytes
qcomm hex structure:
"Extended Linear Address Record" position in RAM (I guess) where to write program
~4000 lines of "Data Record" the actual data to write
"Start Linear Address Record" executes the program after it's loaded
"End Of File (EOF) Record" indicates end of hex file

Notepad++ regex for adding spaces (better readability)

(:[0-9A-F].)([0-9A-F]{4})([0-9A-F].)([0-9A-F]*)([0-9A-F].)
replace with
$1 $2 $3 $4 $5

 

[whoadood]

I don't understand any of your posts. A summary is needed in my opinion. Especially, what's needed at this point? Are you stuck creating a hex dump of a file?

 

[johntheredimid]

update

 

[zapirkon]

Can't manage bin->hex conversion
can someone post tools and steps to do it?

---------- Post added at 11:47 PM ---------- Previous post was at 11:36 PM ----------

you have to use bin2hex, but it's not just that simple
Qcomm hex files are 10 bytes per line, bin2hex outputs 20 bytes
qcomm hex structure:
"Extended Linear Address Record" position in RAM (I guess) where to write program
~4000 lines of "Data Record" the actual data to write
"Start Linear Address Record" executes the program after it's loaded
"End Of File (EOF) Record" indicates end of hex file

Notepad++ regex for adding spaces (better readability)

(:[0-9A-F].)([0-9A-F]{4})([0-9A-F].)([0-9A-F]*)([0-9A-F].)
replace with
$1 $2 $3 $4 $5

i think it is not that simple, take a look at MPRG8960.hex ... i have put spaces just like the example in http://forum.xda-developers.com/showpost.php?p=33813888&postcount=2 so there are several parts we need to put "around" the raw bytes... like CRC which I can't put by hand...

:020000042A00D0
:10000000 D1 DC 4B 84 34 10 D7 73 FF FF FF FF FF FF FF FF EE
:10001000 FF FF FF FF 50 00 00 00 50 00 00 2A B8 12 01 00 4F

 

[trogper]

Can't manage bin->hex conversion
can someone post tools and steps to do it?

---------- Post added at 11:47 PM ---------- Previous post was at 11:36 PM ----------




i think it is not that simple, take a look at MPRG8960.hex ... i have put spaces just like the example in http://forum.xda-developers.com/showpost.php?p=33813888&postcount=2 so there are several parts we need to put "around" the raw bytes... like CRC which I can't put by hand...

no, the spaces are not necessary, they are just for asier human reading and comprehension.
I tried bin2hex from sourceforge, but that produces 32 bytes per line. Qcom hex files have just 16

:20 0080 00 [COLOR="DarkOrange"]7847C046640051E3202B000A0000B0E31EFF2FE130B48E4A08290FD38D4C0578[/COLOR] C9
:10 0090 00 [COLOR="DarkOrange"]1EFF2FE130B48E4A08290FD38D4C0578[/COLOR] 0E

then I found linux bin2hex where you can specify how bytecount per line, but that is distributed only as source code, so you need to compile it

 

[zapirkon]

I have made quick bruteforce convertor that converted the F771E62AF89994064F77CD3BC16829503BDF9A3D.bin to hex file and it gets me to the step where we need valid mbn

Initiating emergency download
Using default emergency protocol
ALPHA EMERGENCY FLASH START
Emergency Programmer V1 version 2014.10.31.001
Hex download selected
Check if device in Dload
Connection to DLOAD mode succeeded
Get Dload parameters
Sending HEX flasher to the device
Sending GO command if HEX flasher successfully uploaded.
Emergency Programmer V1 version 2014.10.31.001
Mbn download selected
Waiting for connection to flash programmer
Connecting to flash programmer
Received valid HELLO_RSP
Safe version=true, transfer size=15360
Received valid SECURITY_RSP
Successfully connected to flash programmer
Connection to flash programmer succeeded
Uploading bootloader(s), UEFI, etc from MBN image to the eMMC. This will take up
 to 20 seconds
Reading GPT from binary
Invalid GPT Wrong signature of GPT header.
Cannot read the GPT from mbn file.
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 9.00 seconds.

Unknown error code.

THOR2 1.8.2.15 exited with error code 85045 (0x14C35)

 

[zapirkon]

I passed the GPT from ffu as mbnfile parameter which gives me back some layout...

thor2 -mode emergency -hexfile my.hex -mbnfile GPT.bin -orig_gpt

which is simlar to initial post, but we have only some of the files

name / startLBA / endLBA / size
 DPP/4096/20479/0x0000000000800000 bytes
 MODEM_FSG/20480/26623/0x0000000000300000 bytes
 SSD/28672/28703/0x0000000000004000 bytes
 SBL1/32768/35767/0x0000000000177000 bytes
 SBL2/36864/39863/0x0000000000177000 bytes
 SBL3/40960/45055/0x0000000000200000 bytes
 UEFI/45056/50055/0x0000000000271000 bytes
 RPM/53248/54247/0x000000000007d000 bytes
 TZ/57344/58343/0x000000000007d000 bytes
 WINSECAPP/61440/62463/0x0000000000080000 bytes
 BACKUP_SBL1/65536/68535/0x0000000000177000 bytes
 BACKUP_SBL2/69632/72631/0x0000000000177000 bytes
 BACKUP_SBL3/73728/77823/0x0000000000200000 bytes
 BACKUP_UEFI/77824/82823/0x0000000000271000 bytes
 BACKUP_RPM/86016/87015/0x000000000007d000 bytes
 BACKUP_TZ/90112/91111/0x000000000007d000 bytes
 BACKUP_WINSECAPP/94208/95231/0x0000000000080000 bytes
 UEFI_BS_NV/98304/98815/0x0000000000040000 bytes
 UEFI_NV/102400/102911/0x0000000000040000 bytes
 PLAT/106496/122879/0x0000000000800000 bytes
 EFIESP/131072/262143/0x0000000004000000 bytes
 MODEM_FS1/262144/268287/0x0000000000300000 bytes
 MODEM_FS2/270336/276479/0x0000000000300000 bytes
 UEFI_RT_NV/278528/279039/0x0000000000040000 bytes
 UEFI_RT_NV_RPMB/282624/282879/0x0000000000020000 bytes
 MMOS/286720/450399/0x0000000004fec000 bytes
 MainOS/458752/5016799/0x000000008b19c000 bytes
 Data/5029888/15151103/0x0000000134e00000 bytes

... at the end ...

Sending OPEN_MULTI_REQ
Received valid response to OPEN_MULTI_REQ
Checking eMMC read / write test results...
eMMC Read test passed. eMMC Write test passed!
Programming image G
Image opened successfully for reading
SAFE hex file was used and unallowed memory address was being written.
Reset the device and use the correct HEX file.
ALPHA EMERGENCY FLASH END
Emergency messaging closed successfully
Operation took about 13.00 seconds.

Unknown error code.

THOR2 1.8.2.15 exited with error code 85034 (0x14C2A)

---------- Post added at 09:50 AM ---------- Previous post was at 09:50 AM ----------

i don know how, i am at red screen

---------- Post added at 10:27 AM ---------- Previous post was at 09:50 AM ----------

PHONE is OK :victory:

I think the bin/hex file and the GPT file, which are all in the FFU is all needed to make the phone boot again

 

[zapirkon]

draft for steps

STEP 1 - find RootKeyHash and GPT.bin

locate your FFU file. If your phone bricked during Downgrade, you should have it in
c:\ProgramData\Microsoft\Packages\Products\rm-XXX...
or
c:\ProgramData\NOKIA\Packages\Products\rm-XXX...

It should be best if you have the Windows Phone Recovery Tool updated to 1.2.4

then go to the Microsoft / Windows Phone recovery folder (thor2.exe is there)
c:\Program Files (x86)\Microsoft Care Suite\Windows Phone Recovery Tool\

open up command line there, and make the dump in folder of your choice

thor2 -mode ffureader -dump_partitions -ffufile "RM9xx*.ffu" -filedir "c:\dump"

the log will display also the hash needed for you to find correct HEX file

Number of partitions found 28
RKH of SBL1: F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
RKH of UEFI: F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD

also, the files are large, becaue the above step will make complete dump
you only need GPT.bin which is around 250 KB so get this file only

STEP 2. find the HEX file in the archive attached here

it is named with name starting as the RKH from previous step.
it is the first 40 bytes, so in the example
F771E62AF89994064F77CD3BC16829503BDF9A3D506D3FACECAEF3F808C868FD
is infact
F771E62AF89994064F77CD3BC16829503BDF9A3D.hex

STEP 3. try to get RED screen

thor2 -mode emergency -hexfile bin.hex -mbnfile gpt.bin -orig_gpt

the process above will not finish with success, as the provided GPT file is not only file needed to flash it. so I tried to flash it several times, reseting the phone ... etc., after 3-4 times, the phone vibrated, with red screen

STEP 4. flash your phone FFU image

thor2 -mode vpl -maxtransfersizekb 1 -vplfile "C:\ProgramData\Microsoft\Packages\Products\RM .... \* .vpl"

don't forget the -maxtransfersizekb flag because this flag perhaps was omitted in the Microsoft tool, making the flash procedure stop in the middle

 

[Xebec]

STEP 1 - find RootKeyHash and GPT.bin

STEP 2. find the HEX file in the archive attached here

it is named with name starting as the RKH from previous step.

My RKH file is not included in the zip archive you created. It is:
0CBD2EED6F62230571CBAB55B7DBC15F8A7DC7BB3F37C1E7E4E5ADC77152FBC2

 

[zapirkon]

0CBD2EED6F62230571CBAB55B7DBC15F8A7DC7BB.hex

read the first 40bytes from RKH