[Q] Unbrick Telus Desire HD (QHSUSB_DLOAD after flash boot.img to S-ON DHD)

darkspr1te

Senior Member
Sep 24, 2012
930
547
123
Hi All,
I've gone through the thread last night (in between the hours of 1am and 2), I got the gist of the thread but I have some questions.

1. One user said he got the device into the SD-CARD mode, which means the device accepted the hex which is a small loader file and then was able to write the sd-card mini arm application, is this correct?
2. You have access to a device that has root and is working?
3. You know what type of partition you're using (MBR/EBR aka dos or GPT)
4. You know for sure the CPU type(s)
5. Have a large drop box to upload the files for reversing so we can figure out which partition/file is sbl1/2/3/rpm/tz etc.
6. Google+ account to chat in for live reversing of the files plus remote ssh access to a PC with device connected.

Not all of these are required but it will make it go quicker if we have as many as we can.


darkspr1te
 

mickeyasamoah

Senior Member
Jan 11, 2013
979
229
0
Accra
Hi All,
I've gone through the thread last night (in between the hours of 1am and 2), I got the gist of the thread but I have some questions.

1. One user said he got the device into the SD-CARD mode, which means the device accepted the hex which is a small loader file and then was able to write the sd-card mini arm application, is this correct?
2. You have access to a device that has root and is working?
3. You know what type of partition you're using (MBR/EBR aka dos or GPT)
4. You know for sure the CPU type(s)
5. Have a large drop box to upload the files for reversing so we can figure out which partition/file is sbl1/2/3/rpm/tz etc.
6. Google+ account to chat in for live reversing of the files plus remote ssh access to a PC with device connected.

Not all of these are required but it will make it go quicker if we have as many as we can.


darkspr1te
1. I downloaded two hex files (first one was named emmcbld.hex and 7x30prg.hex). When I flash 7x30prg.hex through QPST, the device shows up as a Motorola fastboot device and requests for adb drivers but this resets to QHSUSB_DLOAD when I do a battery pull or try to flash a file using fastboot.
The next hex file (emmcbld.hex) turns the device into an unknown mass storage device in Device Manager; in Linux, it fails to enumerate the device, as the kernel log shows. It keeps on giving errors.
But with this same emmcbld.hex file, QPST is able to flash partition.mbn and other files. So I am thinking it's partially compatible with the DHD.
So for your answer, after the emmcbld.hex has been flashed, it fails to flash any of the msm7x30.mbn files. In Linux it gives an error saying "partition not found after opening multi", something like that.

2. I don't own the working device. It belongs to a friend and trying as much to get it for the backup.

3. I have no idea about those partitions you named (maybe if you could elaborate more on them).

4. The device runs on an MSM7x30 Qualcomm CPU

5. Personally I don't have a Dropbox (I hate that file sharing site... always 404 error), but I do have 4shared, MEGA, Google Drive if that's okay.

6. Yes I do have a Plus account... what do you expect, it's a must for Android users. :p

Thanks for dropping by.
 
  • Like
Reactions: fairsimple

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
.... His phone didn't want to remember anything because controller for vccq 3,3v in nand was burned. This 3.3v is for tunneling. Something like in picture: http://en.wikipedia.org/wiki/File:Flash-Programming.svg but with 3.3v instead with 12v.


Guys I have to go sleep because it is now 00:04h my local time and I work in the morning. I will stay tuned to help you as much as I can.
Thanks to reply at 4 in the morning :) Do you mean that in the case of emmc controller is burned, the phone may also go to the QHSUSB_DLOAD mode? If yes then it is hardware issue, and loading anything or jtag can't fix it, right? Thanks.
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
Hi All,
I've gone through the thread last night (in between the hours of 1am and 2), I got the gist of the thread but I have some questions.

1. One user said he got the device into the SD-CARD mode, which means the device accepted the hex which is a small loader file and then was able to write the sd-card mini arm application, is this correct?
2. You have access to a device that has root and is working?
3. You know what type of partition you're using (MBR/EBR aka dos or GPT)
4. You know for sure the CPU type(s)
5. Have a large drop box to upload the files for reversing so we can figure out which partition/file is sbl1/2/3/rpm/tz etc.
6. Google+ account to chat in for live reversing of the files plus remote ssh access to a PC with device connected.

Not all of these are required but it will make it go quicker if we have as many as we can.


darkspr1te
Hi darkspr1te, I think we make a big progress as getting you the QHSUSB_DLOAD expert involved :) Thank you to spend time on this thread!

I did read your brixfix thread (v1 mostly since it has your working history) and after we got some HEX and MBN files (I think mickeyasamoah found them), mickeyasamoah and I tried them with both QPST and qdload.pl. With QPST, I got mostly the same result as mickeyasamoah replies above (I didn't get partition.mbn loaded successfully as him). With my modified qdload.pl, I confirmed the HEX/BIN file works since after that the phone reboots and replies to some streaming download message. However, I can't go ahead to loading MBN file. You can see the result from post #44 (http://forum.xda-developers.com/showpost.php?p=50274440&postcount=44). Personally I don't think we get into the SD mode yet.

FYI as mickeyasamoah and tjnapster555 suggested, we open a new thread in Desire HD forum to ask partition info and emmc backup (http://forum.xda-developers.com/showthread.php?p=50631137), also another post to ask for streaming download protocol doc (http://forum.xda-developers.com/showthread.php?p=50632205). No input so far yet.

BTW, DHD has Qualcomm 8255 chip. When connect to QPST, QPST use 7x30xxx.hex as default file, and some posts mention 7x30 is the code name of 8255 chip.

Also FYI: Fuese replied my PM mentioned he thought our DHD is emmc issue, riffbox should be able to fix it without jtag. So riffbox must have the HEX/MBN/PartitionTable/partitions for DHD.

Thanks for your help!
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
I found this and it seems like a program for generating .hex files.
Here is the link.

http://picprojects.org.uk/projects/mplab/mplabhowto.htm
As my understanding this is to generate HEX from code binary, but normally no one can have Qualcomm's binary. Also I think the HEX files you found work somehow, we just can't move forward from there, either the motorola/fastboot mode (after loading MPRG7x30.hex), or streaming dl mode (after loading ARMPRG.HEX/EMMCBLD.HEX). Anyway, this is a good reference so let us keep it for now. Thanks.
 

darkspr1te

Senior Member
Sep 24, 2012
930
547
123
Hi darkspr1te, I think we make a big progress as getting you the QHSUSB_DLOAD expert involved :) Thank you to spend time on this thread!

I did read your brixfix thread (v1 mostly since it has your working history) and after we got some HEX and MBN files (I think mickeyasamoah found them), mickeyasamoah and I tried them with both QPST and qdload.pl. With QPST, I got mostly the same result as mickeyasamoah replies above (I didn't get partition.mbn loaded successfully as him). With my modified qdload.pl, I confirmed the HEX/BIN file works since after that the phone reboots and replies to some streaming download message. However, I can't go ahead to loading MBN file. You can see the result from post #44 (http://forum.xda-developers.com/showpost.php?p=50274440&postcount=44). Personally I don't think we get into the SD mode yet.
I checked the DMSS manual you provided on that thread; that's the limited instruction set, also that's a very old document and as E:V:A pointed out to me once, often the Qualcomm docs are far behind the actual reality. Please find attached a revised copy of the same document; if you compare section 3.3 between the two you will see what I mean.
 


darkspr1te

Senior Member
Sep 24, 2012
930
547
123
FYI as mickeyasamoah and tjnapster555 suggested, we open a new thread in Desire HD forum to ask partition info and emmc backup (http://forum.xda-developers.com/showthread.php?p=50631137), also another post to ask for streaming download protocol doc (http://forum.xda-developers.com/showthread.php?p=50632205). No input so far yet.

BTW, DHD has Qualcomm 8255 chip. When connect to QPST, QPST use 7x30xxx.hex as default file, and some posts mention 7x30 is the code name of 8255 chip.

Also FYI: Fuese replied my PM mentioned he thought our DHD is emmc issue, riffbox should be able to fix it without jtag. So riffbox must have the HEX/MBN/PartitionTable/partitions for DHD.

Thanks for your help!
plus some more reading :)
 


darkspr1te

Senior Member
Sep 24, 2012
930
547
123
@fairsimple, a hex file is just a format of file like a Word doc, but you can also have a docx and .wri files; it contains the same data but different format. In our case we take a compiled binary (.bin file from the compiled code) and convert it to the .hex format for upload (text version of the bin file, see hexdump Linux tool). The .hex format is used in anything from an Arduino/ATmega chip to a PIC micro (as per your link).


For completeness I have included the 7x30 compiled for me by an 'ahem' Qualcomm coder, worth a try.
I will try and get the .mbn file too.

If we have a device that is in sdcard mode I would like to analyze it via an ssh session. If my theory is right then the bootloaders are still on the emmc; in my case the first 100mb was left free for this same reason, on two other msm devices (churt burst and a Chinese clone s4) I found the first 100mb was free also. This allowed me to copy the entire emmc, remove the 100mb and I am left with the entire boot table; from here I just compared each partition (manually using a hex editor, no auto tools for this) to a backup copy from another device. This also allowed me to find the damaged bootloader and write a specific brickfix for the devices.
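
The .hex-versus-.bin relationship described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it: an Intel HEX reader that verifies each record's checksum, rebuilds the binary image with its load address, and hashes it so two differently named or differently laid-out .hex files can be checked for identical content. The sample records are constructed; their load address 0x80000000 is the one fixdhd.pl prints for ARMPRG.bin (2147483648).

```python
import hashlib

def parse_ihex(text: str):
    """Parse Intel HEX text into ({absolute address: byte}, entry point)."""
    mem, upper, entry = {}, 0, None
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or rec[0] != len(rec) - 5:
            raise ValueError(f"record {n}: length field does not match")
        if sum(rec) & 0xFF:              # all bytes incl. checksum sum to 0 mod 256
            raise ValueError(f"record {n}: bad checksum")
        offset, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:                # data record
            for i, b in enumerate(data):
                mem[upper + offset + i] = b
        elif rtype == 0x01:              # end of file
            break
        elif rtype == 0x02:              # extended segment address
            upper = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:              # extended linear address (upper 16 bits)
            upper = int.from_bytes(data, "big") << 16
        elif rtype == 0x05:              # start linear address (entry point)
            entry = int.from_bytes(data, "big")
        elif rtype != 0x03:              # 0x03 (CS:IP start address) is ignored
            raise ValueError(f"record {n}: unknown record type {rtype:#04x}")
    return mem, entry

def flatten(mem: dict, fill: int = 0xFF):
    """Return (load address, contiguous image); gaps are filled with `fill`."""
    if not mem:
        raise ValueError("no data records")
    base = min(mem)
    return base, bytes(mem.get(a, fill) for a in range(base, max(mem) + 1))

def fingerprint(text: str):
    """(load address, size, SHA-256) of the decoded image, not of the text."""
    base, image = flatten(parse_ihex(text)[0])
    return base, len(image), hashlib.sha256(image).hexdigest()

# Constructed samples: the same six bytes at 0x80000000, split differently.
SAMPLE_A = """
:0200000480007A
:04000000DEADBEEFC4
:020004000102F7
:040000058000000077
:00000001FF
"""
SAMPLE_B = """
:0200000480007A
:06000000DEADBEEF0102BF
:00000001FF
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        base, size, digest = fingerprint(text)
        print(f"{name}: load=0x{base:08x} size={size} sha256={digest[:16]}...")
```

Comparing the fingerprints rather than the .hex text avoids false mismatches caused by record length or line-ending differences between tools.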
 


mickeyasamoah

Senior Member
Jan 11, 2013
979
229
0
Accra
I have been running the FixDHD.pl in Linux.
The Error it gives is:
[email protected]:~/Documents/XdaFix# ./fixdhd.pl --fixdhd
fixdhd.pl version 20140212.
This function is for HTC Desire HD which is in QDLoader mode only.
!! You are running it on your own risk!!
Please plugin your DHD and press enter...
Qualcomm device is (05c6:9008/9025): Bus 001 Device 043: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Please input lower case 'y' if you confirm to move forward.
Device found, load ARMPRG.bin? y
Opening ttyUSB port...
Loading ARMPRG.bin at 2147483648...
....................................................................................................................................................................................................................................................................................................Executing file...
..So far so good, load 7x30_msimage.mbn? y
Opening ttyUSB port...
Sending MAGIC...
..Good magic response from DHD
Sending secureMode...
SENDING: 7e 17 01 57 c6 7e
RECEIVED: 18 b1 6c
Sending openMulti ...
SENDING: 7e 1b 21 f5 4e 7e
RECEIVED: 0e 4e 6f 20 70 61 72 74 69 74 69 6f 6e 20 74 61 62 6c 65 20 72 65 63 65 69 76 65 64 20 62 65 66 6f 72 65 20 6f 70 65 6e 20 6d 75 6c 74 69 0a f5 8f
MSG: No partition table received before open multi
RECEIVED: 0d 0f 00 00 00 4e 6f 20 70 61 72 74 69 74 69 6f 6e 20 74 61 62 6c 65 20 72 65 63 65 69 76 65 64 20 62 65 66 6f 72 65 20 6f 70 65 6e 20 6d 75 6c 74 69 a4 c3
ERROR: No partition table received before open multi
Invalid openMulti response.
And I am thinking the mbn file we are using lacks a file called partition.xml used in creating the mbn files. As it stated Here, the 6TH topic.
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
...
For completeness i have included the 7x30 compiled for me by a 'ahem' qualcomm coder , worth a try.
I will try and get the .mbn file too.
...
Thank you for all the docs, looks I have enough to read over this weekend. :)

I quick checked the streaming dload doc, and find the magic/hello, securitymode and openMulti commands which I used not to understand in qdload.pl. However looks we need to send PartitionTable command (0x19) before openMulti(0x1b), and this matched the error message we got before (as post #44 http://forum.xda-developers.com/showpost.php?p=50274440&postcount=44 )

The m7x30-emmcbld.hex you attached is same as the ARMPRG.HEX which we used in post #44
(thanks mickeyasamoah who attached it in the zip in post #39 http://forum.xda-developers.com/showpost.php?p=50232279&postcount=39)

I will read the protocol doc first, then to add the partitiontable command and try to use the partition.mbn from mickeyasamoah.
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
I have been running the FixDHD.pl in Linux.
The Error it gives is:


And I am thinking the mbn file we are using lacks a file called partition.xml used in creating the mbn files. As it stated Here, the 6TH topic.
So we got same output. As I mention above, I will edit fixdhd.pl and try the partition.mbn you found before (in post #48 http://forum.xda-developers.com/showpost.php?p=50347790&postcount=48).

Yes I think that xml is one important input to build MBN. However, darkspr1te is super good on partition table and MBN so he can help us after getting some input from working DHD phones.
 

darkspr1te

Senior Member
Sep 24, 2012
930
547
123
Thank you for all the docs, looks I have enough to read over this weekend. :)

I quick checked the streaming dload doc, and find the magic/hello, securitymode and openMulti commands which I used not to understand in qdload.pl. However looks we need to send PartitionTable command (0x19) before openMulti(0x1b), and this matched the error message we got before (as post #44 http://forum.xda-developers.com/showpost.php?p=50274440&postcount=44 )

The m7x30-emmcbld.hex you attached is same as the ARMPRG.HEX which we used in post #44
(thanks mickeyasamoah who attached it in the zip in post #39 http://forum.xda-developers.com/showpost.php?p=50232279&postcount=39)

I will read the protocol doc first, then to add the partitiontable command and try to use the partition.mbn from mickeyasamoah.
I think I've posted the wrong hex file, I will hunt down the other; I've archived a lot of stuff and still not set up my file server. I somewhere have a hex file given to me for this device (7x30, not specifically the DHD).

darkspr1te

---------- Post added at 07:25 AM ---------- Previous post was at 07:09 AM ----------

was hunting around and found this, worth a read and it includes info on creating certain MBN files

http://94it.net/a/jingxuanboke/2013/1206/203631_19.html
 
  • Like
Reactions: fairsimple

Jengo

Member
Jan 16, 2012
9
2
0
(New) member in the club

Hi guys,

I also have a DHD in QHSUSB_DLOAD mode.

Here’s my story:
• I had a running “taktiK 4.4.2” for some weeks, before that a “JellyTime“ for many months without any problems. (4ext Recovery, latest)
• One day I had many frozen black screens where I had to pull the battery. Each time after that it was working again (for some time).
• So I decided to wipe cache and dalvik cache in recovery.
• After that the ROM wasn’t booting, stuck at the ROM boot screen.
• So I tried to dirty flash the ROM again, which gave me an error during flashing.
• Then I wanted to do a clean install, so I tried to format all partitions, which also gave me an error.
• After a reboot 4ext Recovery wasn't able to locate/mount the system partition.
• After next reboot into recovery everything seemed to be working again, so I formatted everything and flashed the ROM, which worked without any error.
• Reboot -> frozen black screen -> pulled the battery
• DHD was dead.
Now, I could have bricked it or it is a faulty eMMC.

Then I read this thread in an early stage and started hoping. But I also found a local shop who does RIFFBOX JTAG repairs for 20 €. So I asked for the USB debrick method and obviously he didn’t know about that because he told me it wasn’t possible. So we agreed that I disassemble the phone (I find electronics quite interesting) and bring in the mainboard for JTAG flashing. After disassembling I googled for the JTAG pin descriptions and found out that it is possible via pure USB with the RIFFBOX. So I got back to this thread.

I can still ask in the shop, but I think it is more fun to do it by yourself. So if I can be of any help, I’d love to do so.

btw: I did already the “./qd.pl --check” one month ago and got exactly your same results.
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
Hi guys,

I also have a DHD in QHSUSB_DLOAD mode.
...
Now, I could have bricked it or it is a faulty eMMC.
...
Welcome to the club:)

Since your phone went brick step by step (more and more flashing error) so I got a feeling that the eMMC wore out. If this is true, even JTAG can't help since it is hw faulty. Actually this is the biggest concern of my phone also.

Anyway it doesn't make anything worse to stay tuned and try whatever we attempt here. Good luck all!
 

mickeyasamoah

Senior Member
Jan 11, 2013
979
229
0
Accra
Welcome to the club:)

Since your phone went brick step by step (more and more flashing error) so I got a feeling that the eMMC wore out. If this is true, even JTAG can't help since it is hw faulty. Actually this is the biggest concern of my phone also.

Anyway it doesn't make anything worse to stay tuned and try whatever we attempt here. Good luck all!
The partition.mbn file I uploaded isn't for the Desire HD specifically. So maybe we should edit it before we use it.
What do you think?
 

fairsimple

Senior Member
Aug 23, 2013
83
35
0
Toronto
After adding the command 0x19 (partitionTable command) to the Perl script, our partition.mbn is accepted by the phone, but loading 7x30_msimage.mbn still failed.
Code:
$ ./fixdhd.pl -fixdhd
fixdhd.pl version 20140228.
This function is for HTC Desire HD which is in QDLoader mode only. 
!! You are running it on your own risk!!
Please plugin your DHD and press enter...
Qualcomm device is (05c6:9008/9025): Bus 001 Device 007: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Please input lower case 'y' if you confirm to move forward.
Device found, load ARMPRG.bin? y
Opening ttyUSB port...
Loading ARMPRG.bin ...
...
..Executing file...
..So far so good, load emmc? y
Opening ttyUSB port...
Sending MAGIC...
..Good magic response from DHD
Sending secureMode...
SENDING: 7e 17 01 57 c6 7e
RECEIVED: 18 b1 6c
Checking partition table...
SENDING: 7e 19 00 aa 73 ee 55 db bd 5e e3 
...00 00 00 d1 c2 7e
RECEIVED: 1a 00 a6 67
Partition table accepted.
Write partition table? y
Writing partition table...
SENDING: 7e 19 01 aa 73 ee 55 db bd 5e...
66 a9 7e
RECEIVED: 1a 00 a6 67
Partition table accepted.
Loading 7x30_msimage.mbn ...
Writing 1024 bytes to 0x00000000; 1981480 bytes left.
SENDING: 7e 07 00 00 00 00 0a ...
ae 7e
RECEIVED: 0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a 65 ac
Invalid Response: 0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a

[57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c: Write unsuccessful]
 


  • Like
Reactions: Core2idiot
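
The SENDING/RECEIVED dumps in the two fixdhd.pl logs above can be decoded offline. The following is an added example, not code from fixdhd.pl, qdload.pl or any poster: it checks the two trailing check bytes of each frame, handles the 0x7e/0x7d framing, and extracts the text of log (0x0e) and error (0x0d) replies. The CRC parameters are not stated in the thread; CRC-16/X-25 is used because it reproduces the check bytes of the logged frames, and the names given to 0x18 and 0x1a are this example's own.

```python
FLAG, ESC = 0x7E, 0x7D
# Labels follow the thread's posts and fixdhd.pl output; the names given to
# 0x18 and 0x1a (after the requests they answer) are this example's own.
NAMES = {0x07: "write", 0x0D: "error", 0x0E: "log message", 0x17: "secureMode",
         0x18: "secureMode response", 0x19: "partitionTable",
         0x1A: "partitionTable response", 0x1B: "openMulti"}

def crc16(data: bytes) -> int:
    """CRC-16/X-25: reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def encode(payload: bytes) -> bytes:
    """Append the CRC low byte first, escape 0x7e/0x7d, wrap in 0x7e flags."""
    out = bytearray([FLAG])
    for b in payload + crc16(payload).to_bytes(2, "little"):
        out += bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b])
    return bytes(out) + bytes([FLAG])

def unescape(raw: bytes) -> bytes:
    """Undo HDLC-style escaping: 0x7d is followed by the byte XOR 0x20."""
    out, it = bytearray(), iter(raw)
    for b in it:
        if b == ESC:
            b = next(it, None)
            if b is None:
                raise ValueError("frame ends inside an escape sequence")
            b ^= 0x20
        out.append(b)
    return bytes(out)

def decode(hexdump: str) -> dict:
    """Decode one hex dump; dumps without 0x7e flags are taken as unescaped."""
    raw = bytes.fromhex(hexdump)
    if raw[:1] == bytes([FLAG]):
        raw = unescape(raw.strip(bytes([FLAG])))
    if len(raw) < 3:
        raise ValueError("too short for a command byte plus CRC")
    payload, rx_crc = raw[:-2], int.from_bytes(raw[-2:], "little")
    cmd = payload[0]
    info = {"cmd": cmd, "name": NAMES.get(cmd, f"0x{cmd:02x}"),
            "payload": payload, "crc_ok": crc16(payload) == rx_crc}
    if cmd == 0x0E:    # free-text log message
        info["text"] = payload[1:].decode("ascii", "replace").strip()
    elif cmd == 0x0D:  # error: 32-bit little-endian code, then text (as logged)
        info["code"] = int.from_bytes(payload[1:5], "little")
        info["text"] = payload[5:].decode("ascii", "replace").strip()
    return info

# Frames copied from the fixdhd.pl logs posted in this thread.
THREAD_FRAMES = [
    "7e 17 01 57 c6 7e",
    "18 b1 6c",
    "1a 00 a6 67",
    "0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a 65 ac",
]

if __name__ == "__main__":
    for d in map(decode, THREAD_FRAMES):
        print(d["name"], "crc_ok=%s" % d["crc_ok"], d.get("text", ""))
```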

mickeyasamoah

Senior Member
Jan 11, 2013
979
229
0
Accra
After adding the command 0x19 (partitionTable command) to the Perl script, our partition.mbn is accepted by the phone, but loading 7x30_msimage.mbn still failed.
Code:
$ ./fixdhd.pl -fixdhd
fixdhd.pl version 20140228.
This function is for HTC Desire HD which is in QDLoader mode only. 
!! You are running it on your own risk!!
Please plugin your DHD and press enter...
Qualcomm device is (05c6:9008/9025): Bus 001 Device 007: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)

Please input lower case 'y' if you confirm to move forward.
Device found, load ARMPRG.bin? y
Opening ttyUSB port...
Loading ARMPRG.bin ...
...
..Executing file...
..So far so good, load emmc? y
Opening ttyUSB port...
Sending MAGIC...
..Good magic response from DHD
Sending secureMode...
SENDING: 7e 17 01 57 c6 7e
RECEIVED: 18 b1 6c
Checking partition table...
SENDING: 7e 19 00 aa 73 ee 55 db bd 5e e3 
...00 00 00 d1 c2 7e
RECEIVED: 1a 00 a6 67
Partition table accepted.
Write partition table? y
Writing partition table...
SENDING: 7e 19 01 aa 73 ee 55 db bd 5e...
66 a9 7e
RECEIVED: 1a 00 a6 67
Partition table accepted.
Loading 7x30_msimage.mbn ...
Writing 1024 bytes to 0x00000000; 1981480 bytes left.
SENDING: 7e 07 00 00 00 00 0a ...
ae 7e
RECEIVED: 0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a 65 ac
Invalid Response: 0e 57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c 0a

[57 72 69 74 65 20 75 6e 73 75 63 63 65 73 73 66 75 6c: Write unsuccessful]
I am going to try other mbns overnight.
Would give my conclusion tomorrow afternoon.

I have also been PMing @connexion2005 for him to pay us a visit, hope he does.