Flashing TWRP (and more) using emmcdl (Linux/Win)

Search This thread

vknecht

Senior Member
Feb 23, 2018
150
286
Alcatel Onetouch Idol 3
Sony Xperia X
emmcdl is a command line utility allowing all sorts of manipulations in EDL mode using Sahara/Firehose protocol and a device-specific "programmer" file :

Code:
$ emmcdl
Version 2.10
Usage: emmcdl <option> <value>
       Options:
       -l                               List available mass storage devices
       -info                            List HW information about device attached to COM (eg -p COM8 -info)
       -MaxPayloadSizeToTargetInBytes   The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
       -SkipWrite                       Do not write actual data to disk (use this for UFS provisioning)
       -SkipStorageInit                 Do not initialize storage device (use this for UFS provisioning)
       -MemoryName <ufs/emmc>           Memory type default to emmc if none is specified
       -SetActivePartition <num>        Set the specified partition active for booting
       -disk_sector_size <int>          Dump from start sector to end sector to file
       -d <start> <end>                 Dump from start sector to end sector to file
       -d <PartName>                    Dump entire partition based on partition name
       -d [email protected]<start> <size>         Dump size of logbuf to the console
       -e <start> <num>                 Erase disk from start sector for number of sectors
       -e <PartName>                    Erase the entire partition specified
       -s <sectors>                     Number of sectors in disk image
       -p <port or disk>                Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
       -o <filename>                    Output filename
       [<-x <*.xml> [-xd <imgdir>]>...] Program XML file to output type -o (output) -p (port or disk)
       -f <flash programmer>            Flash programmer to load to IMEM eg MPRG8960.hex
       -i <singleimage>                 Single image to load at offset 0 eg 8960_msimage.mbn
       -t                               Run performance tests
       -b <prtname> <binfile>           Write <binfile> to GPT <prtname>
       -g GPP1 GPP2 GPP3 GPP4           Create GPP partitions with sizes in MB
       -gq                              Do not prompt when creating GPP (quiet)
       -r                               Reset device
       -ffu <*.ffu>                     Download FFU image to device in emergency download need -o and -p
       -splitffu <*.ffu> -o <xmlfile>   Split FFU into binary chunks and create rawprogram0.xml to output location
       -protocol <s|f>                  Can be <s>(STREAMING),  default is <f>(FIREHOSE)
       -gpt                             Dump the GPT from the connected device
       -raw                             Send and receive RAW data to serial port 0x75 0x25 0x10
       -wimei <imei>                    Write IMEI <imei>
       -v                               Enable verbose output



Examples: emmcdl -p ttyUSB0 -info
 emmcdl -p ttyUSB0 -gpt
 emmcdl -p ttyUSB0 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml  -SetActivePartition 0
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -xd imagedir  -SetActivePartition 0
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10

Checking in tools/ subdirectory Sugar QCT_SP v11.1.2 (after installation), there are Idol35_5_NPRG7627.bin and Idol34_7_NPRG7627.bin files (among many other models). Trying :
Code:
emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin  -b recovery twrp-3.2.1-0-idol3.img
indeed installed TWRP 3.2.1 :)

It also works for dumping partitions (didn't try restore) :
Code:
emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin -d recovery -o backup-recovery.img

I guess it should be possible to even replace MobileUpgradeQ if we can catch the files and write an Sahara XML file.
The OTUUpgrade log made by MUQ could help a lot for this...

GNU+Linux :
The latest revision from the linked Git repo above won't build (missing files) I had to use previous revision :
Code:
git checkout 05a9615a5b70334d14f95fd194b0f34d482d3803
and correct symlinks for newer automake and probably running "autoreconf".
Windows :
I don't know what the primary download site would be, there are emmcdl.exe around the Net...

And there's this Sahara GUI tool, but seems to require writing a XML file just for writing a partition...

By the way, one can use adb to switch the phone to EDL (no more crushing volume buttons while inserting USB cable) :
Code:
sudo adb reboot edl
 
Last edited:
  • Like
Reactions: el_venga

ahhl

Senior Member
Jul 23, 2007
1,074
114
my vivo v9 bootloader is lock and until now, no one manage to unlock it. i have even send to repair shop to unlock bootloader. they using mrt dongle, but unsuccessful
if i obtained firehose for my phone and dump the boot.image using emmcdl,
can i modify the boot.img using magisk and flash back using emmcdl.
will it work?
i have tried to dump devinfo.img successfully.
 

vknecht

Senior Member
Feb 23, 2018
150
286
Alcatel Onetouch Idol 3
Sony Xperia X
my vivo v9 bootloader is lock and until now, no one manage to unlock it. i have even send to repair shop to unlock bootloader. they using mrt dongle, but unsuccessful
if i obtained firehose for my phone and dump the boot.image using emmcdl,
can i modify the boot.img using magisk and flash back using emmcdl.
will it work?
i have tried to dump devinfo.img successfully.
If the bootloader accepts the modified boot.img I guess it could work.
Switching between SailfishOS and LineageOS works here by writing their respective boot.img without requiring fastboot, rooting or unlocking OEM in Android.
Difficult to say in advance what will work on each specific device...
Make sure you backup first, and have a way to reset/reinstall the phone if things go wrong.
 
  • Like
Reactions: ahhl

vknecht

Senior Member
Feb 23, 2018
150
286
Alcatel Onetouch Idol 3
Sony Xperia X
emmcdl (or more modern and maintained edl tool) should be able to flash any qcom device for which you have a suitable "flash programmer" file.
"Suitable" meaning that the device recognizes it as correctly signed by the OEM/vendor, or that signature verification is disabled in which case you can use a generic programmer file adapted to the SoC of the device.
 

mtek89

Member
Oct 15, 2019
10
1
Hi all, I wrote a 2022 update on how to put the phone into a fastboot state using the edl tool mentioned by vknecht above (btw, thank you so much for all your hard work over the years!)

You can find it here:

 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    emmcdl is a command line utility allowing all sorts of manipulations in EDL mode using Sahara/Firehose protocol and a device-specific "programmer" file :

    Code:
    $ emmcdl
    Version 2.10
    Usage: emmcdl <option> <value>
           Options:
           -l                               List available mass storage devices
           -info                            List HW information about device attached to COM (eg -p COM8 -info)
           -MaxPayloadSizeToTargetInBytes   The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
           -SkipWrite                       Do not write actual data to disk (use this for UFS provisioning)
           -SkipStorageInit                 Do not initialize storage device (use this for UFS provisioning)
           -MemoryName <ufs/emmc>           Memory type default to emmc if none is specified
           -SetActivePartition <num>        Set the specified partition active for booting
           -disk_sector_size <int>          Dump from start sector to end sector to file
           -d <start> <end>                 Dump from start sector to end sector to file
           -d <PartName>                    Dump entire partition based on partition name
           -d [email protected]<start> <size>         Dump size of logbuf to the console
           -e <start> <num>                 Erase disk from start sector for number of sectors
           -e <PartName>                    Erase the entire partition specified
           -s <sectors>                     Number of sectors in disk image
           -p <port or disk>                Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
           -o <filename>                    Output filename
           [<-x <*.xml> [-xd <imgdir>]>...] Program XML file to output type -o (output) -p (port or disk)
           -f <flash programmer>            Flash programmer to load to IMEM eg MPRG8960.hex
           -i <singleimage>                 Single image to load at offset 0 eg 8960_msimage.mbn
           -t                               Run performance tests
           -b <prtname> <binfile>           Write <binfile> to GPT <prtname>
           -g GPP1 GPP2 GPP3 GPP4           Create GPP partitions with sizes in MB
           -gq                              Do not prompt when creating GPP (quiet)
           -r                               Reset device
           -ffu <*.ffu>                     Download FFU image to device in emergency download need -o and -p
           -splitffu <*.ffu> -o <xmlfile>   Split FFU into binary chunks and create rawprogram0.xml to output location
           -protocol <s|f>                  Can be <s>(STREAMING),  default is <f>(FIREHOSE)
           -gpt                             Dump the GPT from the connected device
           -raw                             Send and receive RAW data to serial port 0x75 0x25 0x10
           -wimei <imei>                    Write IMEI <imei>
           -v                               Enable verbose output
    
    
    
    Examples: emmcdl -p ttyUSB0 -info
     emmcdl -p ttyUSB0 -gpt
     emmcdl -p ttyUSB0 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml  -SetActivePartition 0
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -xd imagedir  -SetActivePartition 0
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
     emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10

    Checking in tools/ subdirectory Sugar QCT_SP v11.1.2 (after installation), there are Idol35_5_NPRG7627.bin and Idol34_7_NPRG7627.bin files (among many other models). Trying :
    Code:
    emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin  -b recovery twrp-3.2.1-0-idol3.img
    indeed installed TWRP 3.2.1 :)

    It also works for dumping partitions (didn't try restore) :
    Code:
    emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin -d recovery -o backup-recovery.img

    I guess it should be possible to even replace MobileUpgradeQ if we can catch the files and write an Sahara XML file.
    The OTUUpgrade log made by MUQ could help a lot for this...

    GNU+Linux :
    The latest revision from the linked Git repo above won't build (missing files) I had to use previous revision :
    Code:
    git checkout 05a9615a5b70334d14f95fd194b0f34d482d3803
    and correct symlinks for newer automake and probably running "autoreconf".
    Windows :
    I don't know what the primary download site would be, there are emmcdl.exe around the Net...

    And there's this Sahara GUI tool, but seems to require writing a XML file just for writing a partition...

    By the way, one can use adb to switch the phone to EDL (no more crushing volume buttons while inserting USB cable) :
    Code:
    sudo adb reboot edl
    1
    after flashing recovery i want the phone to boot to system again. i get Status: 6 then handle is invalid when i add -r.
    1
    my vivo v9 bootloader is lock and until now, no one manage to unlock it. i have even send to repair shop to unlock bootloader. they using mrt dongle, but unsuccessful
    if i obtained firehose for my phone and dump the boot.image using emmcdl,
    can i modify the boot.img using magisk and flash back using emmcdl.
    will it work?
    i have tried to dump devinfo.img successfully.
    If the bootloader accepts the modified boot.img I guess it could work.
    Switching between SailfishOS and LineageOS works here by writing their respective boot.img without requiring fastboot, rooting or unlocking OEM in Android.
    Difficult to say in advance what will work on each specific device...
    Make sure you backup first, and have a way to reset/reinstall the phone if things go wrong.