Fixing a bootloader-bricked Galaxy S3 using an SD card (Qualcomm SGS3 variants)

[DrGit]

This thread is dedicated to booting Qualcomm Snapdragon-based Samsung Galaxy S3 models from an SD card.
As I understand it, this only works because the Snapdragon boot ROM (NOT the bootloader, which resides on the eMMC - this is part of the CPU) has a fallback mode which reads the bootloader from an SD card if the eMMC fails. To date, the only devices I am aware of that have this fallback mode are the Snapdragon Galaxy S3 models designed for use in the US. As such, this will not work on international/Exynos based phones.

The process of preparing an SD card for this is fairly simple. All that is needed is a working, rooted phone and an empty SD card.
The dumps at the end of this post were obtained by various people using a variant of the following command:

busybox dd if=/dev/block/mmcblk0 of=/sdcard/backup.bin bs=1M count=70

Depending on the device, you may need more than 70MB, but on the Sprint Galaxy S3, the first 70MB of the eMMC contains everything needed for download mode without including identifying information in the dump, like the EFS partition for example.
If you are absolutely certain your SD card is empty, you can change the dd command to "of=/dev/block/mmblk1" to write the eMMC backup image directly to the SD card instead of to a file. Be very careful working with dd! mmcblk0 is the eMMC and mmcblk1 is the external SD card.

This should be obvious, but cross-device dumps will not work! This is the main reason so many people are finding themselves in need of this guide!
Use common sense - do your research and don't cross-flash, especially between US and international ROMs!

If your model is not listed there, search the forums or ask someone to make a dump for you.
Please note: if your phone model is not listed here, that doesn't mean this method won't work - however, I would appreciate it if everyone would do their research instead of bombarding me with private messages.

I hope this helps! Flash wisely!

For posterity, this is the content of the OP that led me to discover the SD boot mode by accident:

I am trying to fix a 16GB Sprint Samsung Galaxy S3 that went through a rooting process and failed, leaving download mode and most other recovery options inaccessible.
I don't have a USB download mode jig or JTAG equipment, but I noticed it's recognized as "05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)" when connected to a Linux computer.
From what I've read, not many people have gotten it out of this mode, however, I've found guides that imply the NAND/eMMC is writable in this mode with qdload.pl. None of the files I've seen want to be flashed with this tool - the generic, unsigned 8960_msimage.mbn/MPRG8960.hex files to get it into EMMC USB storage mode don't execute/stay intact after flashing, so I'm guessing they failed the signature check.

Is anyone willing to dump the partition table/bootloader from their working 16GB Sprint SGS3 for me?

dd if=/dev/block/mmcblk0 of=/sdcard/backup.bin bs=1048576 count=70

I unfortunately don't know what stages of the bootloader were corrupted, and I'm not sure what address to flash aboot to, if that's even possible with qdload.

Downloads:
Sprint SPH-L710: http://www.mediafire.com/download/231uhy6l80jx74n/debrick_sph_l710.img.xz (Thanks @CNexus!)
AT&T SGH-i747: http://d-h.st/iEy (Thanks @Android_Geeek!)
T-Mobile SGH-T999: http://www.mediafire.com/download/grgyera66w0rt25/debrick_SGH-T999.img (Thanks @Techlyfe!)

 

[CNexus]

Sure, gimme a sec.


EDIT: You know you can find these in the firmware zips freezes has in his thread, right?

 

[DrGit]

Sure, gimme a sec.
EDIT: You know you can find these in the firmware zips freezes has in his thread, right?

I've been looking around for stock firmware packages and couldn't find them. I'll look a little harder...

EDIT: This? sbl1.mbn? Downloading it, but I'll be pretty disappointed if it doesn't work after using ~700MB...

 

[Ragnar]

Top of this thread you will find all the latest MD4 stuff
http://forum.xda-developers.com/showthread.php?p=32176586
Sent from the future via Tapatalk 4

 

[CNexus]

No, the firmware zips, not the ROMs

And yes. The bootloaders are there, they're smaller, like 20~ MB

Grab the one that says "MD4 firmware/modem/baseband"


EDIT: This thread may be useful, it's a different device but the board is the same (MSM8960).

 

[DrGit]

No, the firmware zips, not the ROMs

And yes. The bootloaders are there, they're smaller, like 20~ MB

Grab the one that says "MD4 firmware/modem/baseband"

Found it, thanks. Unfortunately, flashing the SBL didn't fix it.
What address does aboot get flashed to? Can someone post the partition table so I can figure out the offset?

 

[CNexus]

Here are two more links that give more technical information on the MSM8960 bootloaders.

Here
http://forum.xda-developers.com/showthread.php?t=1856327

And here
http://forum.xda-developers.com/showthread.php?t=1769411


You should be able to find most everything you need there.

 

[DrGit]

Here are two more links that give more technical information on the MSM8960 bootloaders.

Here
http://forum.xda-developers.com/showthread.php?t=1856327

And here
http://forum.xda-developers.com/showthread.php?t=1769411


You should be able to find most everything you need there.

I've been over those threads multiple times and I still don't know what address to plug into qdload to flash aboot (mmcblk0p5).
parted /dev/block/mmcblk0 might help.

 

[CNexus]

Ok, I was just trying to help.

Disk /dev/block/mmcblk0: 15.8GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name      Flags
 1      4194kB  67.1MB  62.9MB               modem
 2      67.1MB  67.2MB  131kB                sbl1
 3      67.2MB  67.5MB  262kB                sbl2
 4      67.5MB  68.0MB  524kB                sbl3
 5      68.0MB  70.1MB  2097kB               aboot
 6      70.1MB  70.6MB  524kB                rpm

 

[DrGit]

Ok, I was just trying to help.

Disk /dev/block/mmcblk0: 15.8GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name      Flags
 1      4194kB  67.1MB  62.9MB               modem
 2      67.1MB  67.2MB  131kB                sbl1
 3      67.2MB  67.5MB  262kB                sbl2
 4      67.5MB  68.0MB  524kB                sbl3
 5      68.0MB  70.1MB  2097kB               aboot
 6      70.1MB  70.6MB  524kB                rpm

Thanks! Sorry I'm being so demanding - you have no obligation to help me, after all.
Could I trouble you for the size in bytes? Again, thanks for the help!

Edit: This is probably asking too much, but it would be immensely helpful:
"dd if=/dev/block/mmcblk0 of=/sdcard/backup.bin bs=1M count=70"

 

[DrGit]

"dd if=/dev/block/mmcblk0 of=/sdcard/backup.bin bs=1M count=70"

Anyone with a rooted SGS3 willing to do this? I don't know what got messed up or how - the guy who gave this phone to me just said it wouldn't reboot after one of the steps in the rooting process - but flashing that backup with qdload could be a good method of fixing bricked phones without JTAG!

In the spirit of sharing, if I manage to fix it, I'll be doing an Ubuntu "port" (building a bootloader/kernel for desktop Linux distros, not Ubuntu Touch), hopefully with Freedreno drivers too.

 

[CNexus]

Sorry, couldn't get the size in bytes or else I would have posted that instead of the MB

Here's the output of dd



http://db.tt/nvwsj4e5

 

[DrGit]

Sorry, couldn't get the size in bytes or else I would have posted that instead of the MB
Here's the output of dd
http://db.tt/nvwsj4e5

It's supposed to be the first 70MB of the eMMC chip, containing the partition table, the 64MB firmware partition, the three bootloader stages, and aboot. Unless I gave the wrong command or you changed it, 70 bytes isn't going to be much help

 

[CNexus]

It's supposed to be the first 70MB of the eMMC chip, containing the partition table, the 64MB firmware partition, the three bootloader stages, and aboot. Unless I gave the wrong command or you changed it, 70 bytes isn't going to be much help

I know, but that is the output, I was surprised as well

 

[DrGit]

I know, but that is the output, I was surprised as well

I'm guessing the version of dd on your phone is a stripped down version that doesn't recognize suffixes.
dd if=/dev/block/mmcblk0 of=/sdcard/backup.bin bs=1024 count=71680

 

[CNexus]

It's supposed to be the first 70MB of the eMMC chip, containing the partition table, the 64MB firmware partition, the three bootloader stages, and aboot. Unless I gave the wrong command or you changed it, 70 bytes isn't going to be much help

I know, but that is the output, I was surprised as well

EDIT: dd would not accept "MB" for some reason, so I just wrote out the number of bytes. Here's the file

http://d-h.st/G3l

Md5sum: 12ca987274d905865a337d687f9e2a73

 

[DrGit]

I know, but that is the output, I was surprised as well

EDIT: dd would not accept "MB" for some reason, so I just wrote out the number of bytes. Here's the file

http://d-h.st/G3l

Md5sum: 12ca987274d905865a337d687f9e2a73

I miscalculated - it should have been 70.6MB - but I was able to find the aboot offset, so it's okay!
Huge thanks! Flashing now!

 

[DrGit]

I miscalculated - it should have been 70.6MB - but I was able to find the aboot offset, so it's okay!
Huge thanks! Flashing now!

After the process failed for the umpteenth time, I concluded qdload only loads code into RAM and executes it - of course, in this case, it wasn't executing the backup. It seems I need an alternative method of accessing the eMMC.

The aboot/appsbl address I used was incorrect, so I still need to figure out where it's supposed to be loaded in RAM.
This doesn't appear to be common knowledge, unfortunately. Looks like I may have to JTAG it after all...

 

[DrGit]

Looks like I may have to JTAG it after all...

I am happy to eat those words! I was able to get CNexus's backup onto an SD card (fixing the rpm, tz, and boot.img partitions that weren't part of the backup) and it booted that with no trouble! I'm currently in download mode flashing a stock ROM! Yay!!!

Thanks CNexus for the eMMC dump! I'll be posting a fixed dd image for an SD card soon for anyone who wants it. No more JTAG!

 

[CNexus]

I am happy to eat those words! I was able to get CNexus's backup onto an SD card (fixing the rpm, tz, and boot.img partitions that weren't part of the backup) and it booted that with no trouble! I'm currently in download mode flashing a stock ROM! Yay!!!

Thanks CNexus for the eMMC dump! I'll be posting a fixed dd image for an SD card soon for anyone who wants it. No more JTAG!

HOLY GEEZ. AWESOME SAUCE. Please post a thread in development outlining your process so we can get it stickied !!

Also, PM me a Dropbox link to it or something and I'll mirror everywhere lol :thumbup::beer::beer:

This is actually great. Do you happen to know how the phone was initially bricked?

The Thanks button is just to avoid "THANKS" posts in threads. Nothing more. Don't defeat the purpose of why it was introduced.