Flashing TWRP (and more) using emmcdl (Linux/Win)

[vknecht]

emmcdl is a command line utility allowing all sorts of manipulations in EDL mode using Sahara/Firehose protocol and a device-specific "programmer" file :

$ emmcdl
Version 2.10
Usage: emmcdl <option> <value>
       Options:
       -l                               List available mass storage devices
       -info                            List HW information about device attached to COM (eg -p COM8 -info)
       -MaxPayloadSizeToTargetInBytes   The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
       -SkipWrite                       Do not write actual data to disk (use this for UFS provisioning)
       -SkipStorageInit                 Do not initialize storage device (use this for UFS provisioning)
       -MemoryName <ufs/emmc>           Memory type default to emmc if none is specified
       -SetActivePartition <num>        Set the specified partition active for booting
       -disk_sector_size <int>          Dump from start sector to end sector to file
       -d <start> <end>                 Dump from start sector to end sector to file
       -d <PartName>                    Dump entire partition based on partition name
       -d logbuf@<start> <size>         Dump size of logbuf to the console
       -e <start> <num>                 Erase disk from start sector for number of sectors
       -e <PartName>                    Erase the entire partition specified
       -s <sectors>                     Number of sectors in disk image
       -p <port or disk>                Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
       -o <filename>                    Output filename
       [<-x <*.xml> [-xd <imgdir>]>...] Program XML file to output type -o (output) -p (port or disk)
       -f <flash programmer>            Flash programmer to load to IMEM eg MPRG8960.hex
       -i <singleimage>                 Single image to load at offset 0 eg 8960_msimage.mbn
       -t                               Run performance tests
       -b <prtname> <binfile>           Write <binfile> to GPT <prtname>
       -g GPP1 GPP2 GPP3 GPP4           Create GPP partitions with sizes in MB
       -gq                              Do not prompt when creating GPP (quiet)
       -r                               Reset device
       -ffu <*.ffu>                     Download FFU image to device in emergency download need -o and -p
       -splitffu <*.ffu> -o <xmlfile>   Split FFU into binary chunks and create rawprogram0.xml to output location
       -protocol <s|f>                  Can be <s>(STREAMING),  default is <f>(FIREHOSE)
       -gpt                             Dump the GPT from the connected device
       -raw                             Send and receive RAW data to serial port 0x75 0x25 0x10
       -wimei <imei>                    Write IMEI <imei>
       -v                               Enable verbose output



Examples: emmcdl -p ttyUSB0 -info
 emmcdl -p ttyUSB0 -gpt
 emmcdl -p ttyUSB0 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml  -SetActivePartition 0
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -xd imagedir  -SetActivePartition 0
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
 emmcdl -p ttyUSB0 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10

Checking in tools/ subdirectory Sugar QCT_SP v11.1.2 (after installation), there are Idol35_5_NPRG7627.bin and Idol34_7_NPRG7627.bin files (among many other models). Trying :

emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin  -b recovery twrp-3.2.1-0-idol3.img

indeed installed TWRP 3.2.1

It also works for dumping partitions (didn't try restore) :

emmcdl -p ttyUSB0 -f Idol35_5_NPRG7627.bin -d recovery -o backup-recovery.img

I guess it should be possible to even replace MobileUpgradeQ if we can catch the files and write an Sahara XML file.
The OTUUpgrade log made by MUQ could help a lot for this...

GNU+Linux :
The latest revision from the linked Git repo above won't build (missing files) I had to use previous revision :

git checkout 05a9615a5b70334d14f95fd194b0f34d482d3803

and correct symlinks for newer automake and probably running "autoreconf".
Windows :
I don't know what the primary download site would be, there are emmcdl.exe around the Net...

And there's this Sahara GUI tool, but seems to require writing a XML file just for writing a partition...

By the way, one can use adb to switch the phone to EDL (no more crushing volume buttons while inserting USB cable) :

sudo adb reboot edl

 

[el_venga]

after flashing recovery i want the phone to boot to system again. i get Status: 6 then handle is invalid when i add -r.

 

[ahhl]

my vivo v9 bootloader is lock and until now, no one manage to unlock it. i have even send to repair shop to unlock bootloader. they using mrt dongle, but unsuccessful
if i obtained firehose for my phone and dump the boot.image using emmcdl,
can i modify the boot.img using magisk and flash back using emmcdl.
will it work?
i have tried to dump devinfo.img successfully.

 

[vknecht]

my vivo v9 bootloader is lock and until now, no one manage to unlock it. i have even send to repair shop to unlock bootloader. they using mrt dongle, but unsuccessful
if i obtained firehose for my phone and dump the boot.image using emmcdl,
can i modify the boot.img using magisk and flash back using emmcdl.
will it work?
i have tried to dump devinfo.img successfully.

If the bootloader accepts the modified boot.img I guess it could work.
Switching between SailfishOS and LineageOS works here by writing their respective boot.img without requiring fastboot, rooting or unlocking OEM in Android.
Difficult to say in advance what will work on each specific device...
Make sure you backup first, and have a way to reset/reinstall the phone if things go wrong.

 

[kallumama]

Could i read and write any qualcomm phone with emmcdl..??

 

[vknecht]

emmcdl (or more modern and maintained edl tool) should be able to flash any qcom device for which you have a suitable "flash programmer" file.
"Suitable" meaning that the device recognizes it as correctly signed by the OEM/vendor, or that signature verification is disabled in which case you can use a generic programmer file adapted to the SoC of the device.

 

[mtek89]

Hi all, I wrote a 2022 update on how to put the phone into a fastboot state using the edl tool mentioned by vknecht above (btw, thank you so much for all your hard work over the years!)

You can find it here:

https://xdaforums.com/t/tool-sahara-firehose-test-alcatel-flasher-oncoming.3454855/post-87549905

 

[pablocool]

Hi @vknecht Do you have snapshot of this emmcdl repo of github user binsys stored locally? He deleted it and emmcdl from other users' github repos do not work. I recall binsys worked fine. Can you upload it somewhere and share?

 

[vknecht]

Hi @vknecht Do you have snapshot of this emmcdl repo of github user binsys stored locally? He deleted it and emmcdl from other users' github repos do not work. I recall binsys worked fine. Can you upload it somewhere and share?

Hello !
Seems I switched to this one in 2019 and don't have a binsys checkout locally, does it not work for you ?

GitHub - PL125/emmcdl: Linux port emmcdl

Linux port emmcdl. Contribute to PL125/emmcdl development by creating an account on GitHub.

github.com