
SHV-E160L Debricking Tool / Qualcomm Tool Pack V2-1


darkspr1te

Senior Member
Sep 24, 2012
947
582
I've some hex files with .ta extension, Are these files OK?

You need a specific hex file and a boot image called 8???_msimage.mbn
I don't know the contents of the .ta files but I doubt they will be the ones for this purpose.
For further info I've documented the whole research and dev part in my shv debrick thread, this explains what and why you need the hex files.
Sent from my SHV-E160L using Tapatalk 2
 

plasmid09

Member
Jul 12, 2012
35
2
You need a specific hex file and a boot image called 8???_msimage.mbn
I don't know the contents of the .ta files but I doubt they will be the ones for this purpose.
For further info I've documented the whole research and dev part in my shv debrick thread, this explains what and why you need the hex files.
Sent from my SHV-E160L using Tapatalk 2

As far as I can remember, the problem with my mobile arose when I flashed it with flashtool. I think my TA file is damaged. Is there any way to replace this file in QHSUSB_DLOAD mode?
 

brandnew2009

Member
Dec 28, 2009
16
2
File Dumps n Shares

as Russian bear said, we don't have signed files for 8960, but you can try the 8960 hex.

Sent from my A210 using Tapatalk 2


Device Info: P9070 Pantech Burst-- Networked Unlocked/Rooted--USA
Rom: CWR Mod Touch 6.0.x.x -- Gizmolord 4.0
Status: "QLOAD" -- bricked --


I want to contribute without becoming a burden. I worked long, hard, and failed, to produce the dump information from my device due to my lack of experience with linux. I appreciate your help.

Thank you for your time and consideration.

- list of files needed to be shared/ (if not all of them)
- basics of installing brixfix/(anyprogram) within ubuntu/linux for file dumps
- any suggestions on how else I may be able to help

I apologize for the mistakes I have made. I thought I was responding to the thread which contained the posted "P9070 Pantech Burst" backup files.
 

marduk191

Senior Member
Aug 23, 2012
131
95
marduk191.blogspot.com
Device Info: P9070 Pantech Burst-- Networked Unlocked/Rooted--USA
Rom: CWR Mod Touch 6.0.x.x -- Gizmolord 4.0
Status: "QLOAD" -- bricked --


I want to contribute without becoming a burden. I worked long, hard, and failed, to produce the dump information from my device due to my lack of experience with linux. I appreciate your help.

Thank you for your time and consideration.

- list of files needed to be shared/ (if not all of them)
- basics of installing brixfix/(anyprogram) within ubuntu/linux for file dumps
- any suggestions on how else I may be able to help

lol I posted the reference dumps from a Burst in this thread already. It was for the msm8660 pit information he is gathering I guess. You can do that in windows IF you have a device that will boot into a state that will give you root adb access. I think this excludes your situation (already in CPU mode) unless someone has made progress. One thing, your device would not be ideal because the pit information is overwritten if you flash a deodexed ROM based on davepmers work. We would be better off giving unmodified information in this case as all other ROMs on this device do not flash unneeded modifications to the systems used with this method. You should use the Pantech installer to get everything stock in "Download Mode" and modify the CWM installer to exclude any img files except for the boot kernel and recovery image in order to dump from ROMs based on that package.

P.S. Sorry for spamming up the thread a bit :p
 

twiningstea

Member
Oct 13, 2007
6
3
Hello Folks!

Can one provide me with a working link for recent Qcomm documentation leaks?
I am especially interested in everything related to MSM 8x25.
I have an MSM 8625 based mobile and want to understand the partition structure and boot process.

Kind thanks!
 

twiningstea

Member
Oct 13, 2007
6
3
Hello

I have MSM8625 based phone.
I have following files from QPST ROM file set:
- 8X25_msimage.mbn
- MPRG8X25.hex (and formatted to bin analog)
- partition.bin / partition.mbn / partition0.patch.bin

Basically I need to port this brixfix tool to be able to recover the phone from a brick.

I have the following trouble and wonder if one can help.

Script qdload.pl expects to see a TTY created for the USB connected phone.
I put the phone in Qcomm download mode by Reset+VolumeDown (or Power On + VolumeDown) but this TTY is not created;
meanwhile lsusb shows 05c6:9006 Qualcomm device

Not 05c6:9008 but 05c6:9006 device.
05c6:9006 is definitely a Qcomm download mode device because I am able to write to it by QPST from Windows successfully.

Any idea how to get the TTY created?
And it is strange that 05c6:9006 is created instead of 05c6:9008.
Do I need any special software or driver installed?
Should I install ADB and other Android tools from Google?

Kind thanks!


p.s.
Loaded the usb/serial module, still no TTY got created :(
The Qcomm device is present in the /sys/bus/usb/devices/ file structure but there is no TTY there that qdload.pl is looking for by glob "/sys/bus/usb/devices/$device/$driver/tty*";

p.s.
Ok, it seems that the qcserial loadable module should create this TTY. Will try this evening to insmod it .......
These TTYs are always a mess for me :)

[ 1511.796072] usb 1-4: new high-speed USB device number 2 using ehci_hcd
[ 1512.008462] usbcore: registered new interface driver usbserial
[ 1512.008492] USB Serial support registered for generic
[ 1512.010621] usbcore: registered new interface driver usbserial_generic
[ 1512.010626] usbserial: USB Serial Driver core
[ 1512.022493] USB Serial support registered for Qualcomm USB modem
[ 1512.022531] qcserial 1-4:1.0: Qualcomm USB modem converter detected
[ 1512.022827] usb 1-4: Qualcomm USB modem converter now attached to ttyUSB0
[ 1512.023180] usbcore: registered new interface driver qcserial
 

twiningstea

Member
Oct 13, 2007
6
3
Since I am still unable to find "MSM8x25 boot architecture PDF", can one comment on the partitions/files mentioned in the QPST rawprogram0.xml and patch0.xml files:

MBR0.bin
qcsblhd_cfgdata.mbn
qcsbl.mbn
fat.bin
EBR0.bin
oemsblhd.mbn
oemsbl.mbn
emmc_appsboothd.mbn - application cpu boot files
emmc_appsboot.mbn - application cpu boot files
recovery.img - recovery image
persist_1.unsparse - persist_3.unsparse
boot.img - kernel/initrd ramdrive
system_1.unsparse - system_7.unsparse - operation system applications
cache_1.unsparse - cache_12.unsparse
splash.logo
udisk.bin

There is only 8960_Boot_Architecture.pdf available on the Internet, but the described 8960 boot process does not quite correspond to the MSM8625 partitions that I have on my phone.

P.S.

Found [ MSM8225 AND MSM8625 SIMPLE INTRODUCE (paswd www.51mobile-tech.com ).pdf ]
document at http://www.51mobile-tech.com/thread-9700-1-1.html
but it has only 26 pages instead of 130 mentioned in Table of Contents.

Does one have this doc in full version?
 

kamrul045

New member
Sep 22, 2012
4
1
Wrong QCN restore phone stuck on in boot animation

Today I restored a wrong QCN file to my E160.

Now it is stuck in boot animation.
I can go to download mode.

I flashed the device several times but nothing solved the issue.

Can I restore my original QCN file? :crying:
 

nhatnn

Member
Jun 30, 2007
8
3
Can anyone show me how to enter download mode again or qdloadmode?
Because after I flashed the full E160k firmware to my i717m I can't enter download mode again.
My phone screen is now blank,
but the device still turns on and my PC recognizes 1 MTP Samsung device and 1 Samsung USB modem device.
 

darkspr1te

Senior Member
Sep 24, 2012
947
582
Can anyone show me how to enter download mode again or qdloadmode?
Because after I flashed the full E160k firmware to my i717m I can't enter download mode again.
My phone screen is now blank,
but the device still turns on and my PC recognizes 1 MTP Samsung device and 1 Samsung USB modem device.

What does it show up as under Linux ?

Sent from my SHV-E160L using Xparent ICS Tapatalk 2
 

Ral126

Member
Apr 17, 2013
6
0
Hi) I've got a nice brick called Motorola Razr M XT907.
It is in QD Loader, and the chipset is MSM8960. I have read the whole branch, but can't find the answer. Do you have any ideas about unbricking it?
PS. Sorry for my English. I'm from Ukraine)
 

Ral126

Member
Apr 17, 2013
6
0
Hi,
I had the same problem with my xt907. I have a non-bricked one now... @darkspr1te, can I just run that python script to dump the required stuff?
Did you make or find a backup of a working bootloader?
@darkspr1te after reading your first post I have understood that I have to take a few steps:
1. find someone with a working XT907 and make a backup with the help of your utility (backup.bat)
2. after getting a huge number of files make an archive XT907_backup.zip - and send it to you
or
2. using the bin2hex utility - make a hex file for uploading it through the QPST software downloader
Am I right? Or is something wrong?
 

chikorita

Member
Mar 4, 2013
14
0
Hi,
As I understand it, someone with a working xt907 runs the script, which dumps a section of internal storage containing the required file. This is then sent to darkspr1te for analysis/trimming. Or maybe the script can figure it out, I don't remember. Anyway you then get two files, one of which you need to run through hex2bin. Once that's done, you can upload them with qdloader and hopefully have a working phone. I'll check out the backup script and report back soon. As far as my old one is concerned, I wasn't able to find a working image for it. I should be able to get the required stuff off this one though.

Never lose hope :)
Edit: Just tried running the backup script. Got this python error:
Traceback (most recent call last):
  File "..\getpartbin.py", line 53, in <module>
    mbr()
  File "..\getpartbin.py", line 16, in mbr
    partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
struct.error: unpack requires a string argument of length 16
What'd I break?
edit2: Here's what backup.bat gave me. Although getpartbin.py didn't work, maybe something can be figured out with this?
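
The `struct.error` in the traceback above means a partition-table entry was read with fewer than the 16 bytes it needs. The following is an added example, not part of the original post and not code from getpartbin.py or brixfix: a Python 3 MBR/EBR reader that reports the sector where a read came up short and walks the extended-partition chain without a fixed partition count. `read_table`, `list_partitions`, `build_sample` and the sample layout are constructed for illustration.

```python
import io
import struct

SECTOR = 512
# One 16-byte MBR/EBR entry: status, CHS first, type id, CHS last, start LBA, sector count
ENTRY = struct.Struct("<B3sB3sII")
EXTENDED_IDS = {0x05, 0x0F, 0x85}


class TableError(Exception):
    """Raised instead of struct.error so the caller sees where the read failed."""


def read_table(img, lba):
    """Return the four table entries of the MBR/EBR sector at `lba`."""
    img.seek(lba * SECTOR)
    data = img.read(SECTOR)
    if len(data) != SECTOR:
        raise TableError(f"short read at LBA {lba}: {len(data)} of {SECTOR} bytes")
    if data[510:512] != b"\x55\xaa":
        raise TableError(f"no 0x55AA boot signature at LBA {lba}")
    entries = []
    for i in range(4):
        boot, _, pid, _, start, size = ENTRY.unpack_from(data, 446 + 16 * i)
        entries.append({"boot": boot, "id": pid, "start": start, "size": size})
    return entries


def list_partitions(img, max_ebr=4096):
    """List primary and logical partitions with absolute start LBAs."""
    parts = []
    for entry in read_table(img, 0):
        if entry["id"] == 0:
            continue                       # unused slot
        if entry["id"] not in EXTENDED_IDS:
            parts.append(dict(entry, ebr=None))
            continue
        ext_base = ebr = entry["start"]    # first EBR sits at the extended base
        visited = set()
        while True:
            if ebr in visited or len(visited) >= max_ebr:
                raise TableError(f"EBR chain loops or exceeds {max_ebr} links at LBA {ebr}")
            visited.add(ebr)
            logical, link = read_table(img, ebr)[:2]
            if logical["id"] != 0:
                # logical start is relative to the EBR that describes it
                parts.append(dict(logical, start=ebr + logical["start"], ebr=ebr))
            if link["id"] == 0:
                break                      # end of chain
            ebr = ext_base + link["start"] # link start is relative to the extended base
    return parts


def build_sample(n_logical=32, ext_base=100, stride=10):
    """Constructed disk image: 3 primaries plus n_logical logical partitions."""
    def sector(*rows):
        s = bytearray(SECTOR)
        for i, (pid, start, size) in enumerate(rows):
            ENTRY.pack_into(s, 446 + 16 * i, 0, b"\0\0\0", pid, b"\0\0\0", start, size)
        s[510:512] = b"\x55\xaa"
        return s

    img = bytearray(SECTOR * (ext_base + n_logical * stride))
    img[0:SECTOR] = sector((0x0C, 1, 30), (0x83, 31, 30), (0x83, 61, 30),
                           (0x05, ext_base, n_logical * stride))
    for k in range(n_logical):
        link = (0x05, (k + 1) * stride, stride) if k + 1 < n_logical else (0, 0, 0)
        at = (ext_base + k * stride) * SECTOR
        img[at:at + SECTOR] = sector((0x83, 1, stride - 1), link)
    return bytes(img)


if __name__ == "__main__":
    for p in list_partitions(io.BytesIO(build_sample())):
        print(p)
```

When reading a real dump, open the file in binary mode (`open(path, "rb")`) so every sector comes back with its full 512 bytes.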
 

darkspr1te

Senior Member
Sep 24, 2012
947
582
Hi,
As I understand it, someone with a working xt907 runs the script, which dumps a section of internal storage containing the required file. This is then sent to darkspr1te for analysis/trimming. Or maybe the script can figure it out, I don't remember. Anyway you then get two files, one of which you need to run through hex2bin. Once that's done, you can upload them with qdloader and hopefully have a working phone. I'll check out the backup script and report back soon. As far as my old one is concerned, I wasn't able to find a working image for it. I should be able to get the required stuff off this one though.

Never lose hope :)
Edit: Just tried running the backup script. Got this python error:
Traceback (most recent call last):
  File "..\getpartbin.py", line 53, in <module>
    mbr()
  File "..\getpartbin.py", line 16, in mbr
    partition = dict(zip(('boot', 'id', 'start', 'size'), unpack('4I', buf)))
struct.error: unpack requires a string argument of length 16
What'd I break?
edit2: Here's what backup.bat gave me. Although getpartbin.py didn't work, maybe something can be figured out with this?

I need to clarify some things here for users wanting to unbrick.
Each device (msm8960/msm8256/8660) has its own sd-card boot loaders (xxxx_msimage.mbn/xxxx.hex); getting the device into sd-card mode, where the brick fix actually restores info, requires these files. Sadly, if they're not posted I can't help there.
Without this first step functioning there is no way we can restore the partition table and boot loaders.
My backup script is very limited. I had planned on expanding it but work has kept me away from that.
Bootloaders and associated files can be extracted manually using dd; the trick is to work out what each partition is and does.
We know some msm devices will not accept an unsigned hex file, let alone the partition file (mbn).
getparition.py is not my work, I am sadly not a python guru (yet, I guess). There are other programs I've been working on, I was meant to hand them over to another dev, sadly work.... yip, in the way again.

My suggestion is this: first see if the device will load and execute the .hex file, without this we will never have access to the device (this can be seen when the device changes its usb ID). If it just reboots or hangs then chances are it's signed code required (qfuse blown).
Also try via the qualcomm windows tools, our qdloader is far from complete.
Further info is covered under qualcomm bootloaders & hacking by E:VA, he after all has been the key in helping me understand my research.
 

AgtPower

Member
Feb 1, 2013
12
1
Hello,

I'm here with a SHV-E160L, which worked on stock rooted ICS for a few weeks, then randomly crashed during its use and has since been stuck in a boot loop. I tried flashing various ROMs, all without success. ODIN always 'fails' at NAND write start.

I think it's either a very bad kind of brick, or there's something wrong with the flash memory (and I hope it's not broken). I have a 32GB model and it seems to be impossible to find a .PIT file for this phone :(

Since I cannot flash anything on the phone, most recovery methods have failed.

I tried running the Unbrick Script, but adb says device not found. What am I doing wrong? I'm running windows 7 x64. I'm not an expert on this, but I can try and follow instructions....
 

starteam

Member
Apr 20, 2013
28
1
Hi! My phone is an LG Optimus G Pro, the Korean F240L. It is bricked; when connected to a PC, "QHSUSB_Dload" appears, and after installing its driver it becomes "QualcommHS-USB QDLoader 9008 (COMx)".
I want to use QPST emmcswdownload to fix it, but how can I get the HEX file of APQ8064T (SnapDragon 600), MPRG8064?.hex?
Who can tell me?
 

rroy915

Member
May 4, 2013
5
4
Bricked Galaxy R (SHV-E170L) (MSM8960)

I recently bricked my Korean Galaxy R (SHV-E170L) trying to flash a stock rom before attempting to flash CWM. I did this via Odin according to the thread at this link:
http://forum.xda-developers.com/showthread.php?t=1864282

When the device is in download mode it shows up as msm8960 in windows device manager. So I'm wondering if I can use the brickfix tool to debrick my phone.

The device boots into download mode immediately after turned on and is unable to boot into recovery mode. However, the mode it boots into is not the usual download mode with the green android robot. The emergency firmware recovery image is displayed instead. It's the one with the icon of the phone

It looks something like this except that the language is in Korean.
20130126_202625.jpg


The text on the top left of the screen reads:

ODIN MODE
PRODUCT NAME: SHV-E170S
CUSTOM BINARY DOWNLOAD: Yes (13 counts)
CURRENT BINARY: Custom
SYSTEM SETTINGS: Official
QUALCOMM SECUREBOOT: ENABLE

I'd like to know if the phone can be recovered. I'd like to not damage it beyond repair if possible, assuming it's not already unrepairable.


EDIT:
I ended up flashing a ROM from http://www.sammobile.com/firmwares/
My phone was at Jelly Bean 4.1.2 before it soft bricked so I used Odin with default settings to flash the Korean firmware of 4.1.2 (March 2013 - E170SKSJMC1, E170SSKTJMC1) from the website.
After booting into recovery (Hold Vol Up + Home + Power Button as soon as I felt vibration upon starting phone) I selected the option wipe data / factory reset.
It took a little while to start up for the first time after this but eventually it did boot up again into setup.
I was only able to flash the Korean Jelly Bean ROM. The other ROMs were incompatible and would give me unsupported device or a sb2l error even though they were for the same device.
 

Top Liked Posts

  • 34
    Note to NON SHV-E160L users
    This software & this thread is aimed mainly at developers. Please don't post 3-line requests like "my device is bricked, please help" as you will be ignored. If you can't do the research required to provide the right details plus finding the correct files required then this thread is not for you and you should post in the device thread for your device. This program and its associated files & thread is NOT being actively developed but the thread remains open for users to post more information, additional files, updates from the public etc.
    It's not here for lazy people to scream fix my device; can those type of users please speak to your retailer or cell phone service shop.

    I will reiterate again, THIS IS A DEVELOPMENT THREAD AND NOT A REQUEST PAGE FOR "fix my device"


    PLEASE NOTE: This tool only comes pre-packed with files for the Korean SHV-E160L galaxy note. Usage on other devices requires that you understand the requirements, this includes but not limited to :-

    1. Alteration of the scripts to use the files specific to your device
    2. Correct HEX and SD-CARD loader also known as sdcard mbn
    3. Correct partition information (knowing if it's MBR/GPT or hybrid)
    4. Correct bootloaders for your device (SBL1/2/3/ABOOT)

    I am not currently doing further development on this tool. It is here for anyone to expand on and use how they see fit so long as the authors involved are given the credit.
    Users are welcome to build and post altered versions specific to their device but PLEASE post plenty of information as to what device/model it is for or the post may be deleted to protect other less educated users.

    darkspr1te


    Hi All,
    I've updated my Debrick tool to Version 2.
    Many Changes to the base code, inclusion of new tools, Almost a one click Linux solution for Qualcomm Development and debricking of Qualcomm devices.
    As documented on this thread SHV-E160L home debrick thread I debricked a qualcomm based msm8660 device without using any special devices.
    my first tools were internal development and had more bugs than a sewer, so after many hours of work i can now bring this new version to you.

    Please do not pm with bugs, POST HERE Only.
    This tool currently only supports the SHV-E160L , if users willing to provide the files from their devices I can expand the support of this tool.
    in most cases linux is required for this, a ubuntu live cd/flash will work perfectly.


    New Feature, Windows Based BACKUP of partitions and bootloaders, ROOT/Python27-windows is required and cannot function without this.
    *nix backup coming soon,

    Rules for posting backups

    Post ONLY the link here, use www.sendspace.com to upload your backup zip (remember to change the .zip filename to reflect your device, example SHV-E160L-16GB.zip )
    zip up only the backup folder, not the whole program, right click on backup folder, sent to compressed folder, rename.
    This program does not back up personal or device specific data like the IMEI number, it only backs up the bootloaders, partition table and .pit file for samsung SHV based devices.
    When posting links, please include your device details as well, an example would be

    SHV-E160L 16 GB, 9000lang rom,

    The rom part is only there in case we are tracing possible backup issues that may be rom specific.
    Future backup features will include automatic detection of .mbn partitions based on qualcomm header.

    Support for non SHV devices will be slow, but future versions will include other devices.


    Well Enjoy,

    EDIT: some users are reporting that the cookie not present error could be fixed by using a winxp/another qpst windows driver. This is unconfirmed but I thought I should mention it. 04-12/2013

    Changelog:- V2-2(dev version only - not a public release)
    • added command line device/folder parameter, you can now specify a unzip copy of posted bootloaders and it will restore them
    • added additional file to specify output sectors based on getpart data, testing option for building partition0.bin by hand based on known similar devices
    • added dev switches for writing specified parts only
    • added skip aboot option (for now it is specified to skip writing of aboot.mbn, public release will be opposite, you will have to force writing aboot , sbl1/2/4/tz/rpm seems to come as one package, interchangeable as a package, aboot is totally device specific)
      bugs:-
    • there is a known bug in the getpartbin.py python program, it cannot handle greater than 29 partitions.

    Changelog:- V2-1
    • added windows backup.bat program to backup all bootloaders and partition0.bin
    • minor changes to code for changing device (current version support only changing of variable $DEVICE, feature will eventually be cmd line based)
    • testing of backup files
      bugs:-
    • there is a known bug in the getpartbin.py python program, it cannot handle greater than 29 partitions; anyone willing to help in python, please let me know. I am not the author of the program



    Changelog : V2
    • Improved error checking*
    • automated qdload detection*
    • automated qdload hex & .mbn upload
    • automated detection of device in sd-card mode*
    • user input*
    • colours
    • major code changes to start support for automatic partition information & collection allowing backup to be one command and upload to a website for distribution & recovery for all
    • development documentation
    • Code changes to allow expansion to other Qualcomm devices

    Sendspace Links

    BrixFix V2-1-Inc Python27-Inc cwm recoveries
    http://www.androidfilehost.com/?fid=9390355257214632490 mirror, thanks to Marduk191

    Brixfix V2-1 No Python for windows, No cwm-recovery-Slim Version
    Brixfix V2-1-Super-SlimNo drivers, bootloaders, python-win.

    Media Fire Links

    BrixFix V2-1-Inc Python27-Inc cwm recoveries



    SHV-E160K 32GB Recovery files
    SHV-E160L 32GB Recovery Files
    SHV-E120L Recovery Files (posted on another page)

    -------------------------
    Here is the README

    brixfix V2
    =================================
    By dakrspr1te ========Doc=V=1====
    =================================
    Thanks To :-
    E:V:A, SLS, JCSullins(Rootz Wiki), Adam Outler, many more, sorry if i've missed you out.

    Warning, Although i've tested this tool many times on my own devices, it always has the potential to damage both computer & cell phone device, YOU HAVE BEEN WARNED!!!!


    This tool is designed to repair SHV-E160L Korean Galaxy Note 1 based on the MSM8660 & MDM9600 Qualcomm Chips
    It Only works with devices that are stuck in QDLOAD mode or 05c6:9008 as the PID/VID
    It uses Tool/info Written By Others as well as myself.


    Namely :-

    qdload - http://github.com/jcsullins/qdloader
    getpartbin.py - http://blog.csdn.net/su_ky/article/details/7773273
    hex2bin - hex2bin.sourceforge.net


    Instructions
    ############


    connect Qualcomm based device to usb port on linux PC, not tested under windows via USB redirection,
    on command line run
    sudo ./brickfix

    Follow on screen instructions, tool will detect device in QDLOAD mode (05c6:9008) and switch to DMSS protocol, upload a hex (converted to bin for this purpose)
    the hex is then executed and the device switches to Streaming Protocol, at this point we write a .mbn file to the internal emmc chip, at the end of the emmc write process the device then reboots
    after the reboot, re-running brixfix will detect the device in the second stage for repair, the device's emmc is accessible as a sd-card, we then write back the damaged parts of the bootchain,
    at a minimum you must write a new partition table or the device will always boot in sd-card mode, WARNING, failure to write the rest of the boot chain could leave your device in a situation
    which gives only black-screen, no usb enumeration, dead. The only way around that is jtag, or finding the Boot resistor which switches the device back to QDLOAD mode, or emergency boot.
    goto http://forum.xda-developers.com/showthread.php?t=1914359 for further details.


    Come give me thanks on XDA if this tool helped you

    Additional Tools (DEV Level)
    ===========================
    getpartbin.py - A tool for backing up the primary partition & extended partition tables and combining them into a writable partition0.bin file (python)
    qdload.pl - A tool for talking in the HDLC framed DMSS & Streaming Protocols used by Qualcomm (Perl)
    switchmode.sh - Executes qdload.pl for msm8660 device upload
    get-part.sh - **DEV** unfinished tool by darkspr1te for creating partition tables in sfdisk format and .csv format (to be used in the future to create partition0.bin plus more automated collection)
    tools/ - Folder containing armv5 (arm7 compatible) tools for partition manipulation and data collection
    SHV-E160L-16GB/ - Folder containing SHV-E160L bootloaders & pit file
    ADB/ - Folder containing adb programs
    extras/ - Folder containing odin and clock work mode recovery installers for 160l devices
    QUALCOMM/ - Windows drivers (For QPST, Not required in linux, included for backwards compatibility with older guides)
    hex2bin - convert your xxxxMPRG.hex file to bin for use with qdload

    Tips
    ====

    Additional
    ==========
    I will accept brick qualcomm devices for developing further debricks. pm me via XDA Forums

    Darkspr1te
    4
    Brixfix 2-2

    Hi All,
    As I promised, the last and final brixfix package. It's all open source for you to learn/use as you wish so long as you don't charge for it.


    brixfix-v2-2.zip


    Qpst 2-7-44.zip

    Revskills editor

    File List for files included in brixfix

    If anyone wishes to continue this effort please let me know.

    darkspr1te
    4
    Ok, for the next generation of curious people, here's a (simplistic) closer look at how modern Qualcomm devices boot up.


    This info is presented as a simple overview so more people understand how the system works and what is happening. It is far from complete and it's not exactly how it works. But for 99% of us, it's all we need to know.

    Also, before anyone asks, my main source was google and some files found on XDA. DO NOT ASK ME FOR "???" I have nothing that you can't find on your own. In fact, most of the following can be found in E:V:A's MSM8960 thread. Also http://www.codeaurora.org contains a lot of info and source code (Gobi and Gobi 3000 source code will help to understand how download mode functions).


    Beginning with Secure Boot 3, the entire PBL is contained on the modem chip (earlier chips depended on the actual PBL being stored in a known location on the flash memory, like an MBR, with an extremely bare bones amount of executable code on processor). This newer design allows for security checking to be done, if enabled, on ANY off-chip program to be executed at boot time. THIS IS THE ONLY REASON, other than hardware failure, that a device becomes "HARD BRICKED". All boot files can be signed with a crypto key. This key is stored in a section of memory in/on the CPU called a QFuse. After writing to a QFuse, as its name suggests, the fuse can be "blown". That is, a higher electric current is maintained long enough to break the physical connection. Once this connection is broken the QFuse can not be changed. If the security related fuse is blown then ONLY a signed boot file can be executed. The PBL is written to the chip at the factory by Qualcomm. The QFuses can then be written by the OEM. According to the spec, multiple keys can be stored in the QFuses (meaning there COULD be a master key from qualcomm in addition to vendor supplied keys). Although it is unknown whether or not this is actually done.

    Now, I don't know much about the actual security or cryptography, but here's the basic boot process from what I've pieced together:

    PBL written by Qualcomm, can not be altered.
    OEM chooses its own key, writes it to QFuse, blows fuse.
    OEM builds its own SBL1, SBL2, SBL3, TZ and RPM along with its own APPSBL (aboot, hboot, etc...)
    OEM performs a hash of the file, like md5, sha1, sha256...
    OEM uses its key to encrypt the hash and attaches it to executable and writes to flash.
    CPU powers on, runs hard coded PBL, and reads QFuses.
    CPU checks any error messages in memory from a previous boot.
    CPU then tries to load SBL1 in to ram from flash as pointed to by partition table.
    CPU performs same hash and compares with decrypted data.
    If check passes, code is executed.
    If check fails OR flash is unreadable, PBL enters download mode.
    In download mode, if there is an error message from a previous boot, it is automatically sent to the client. (Some people using qdloader.pl may have noticed this message)
    In download mode a special executable (the .hex file) can be loaded in to ram
    *** depending on OEM config, this hex can be loaded from usb AND/OR external sdcard
    Now the hex is security checked exactly as SBL1 would.
    If it passes, it's executed.
    This hex file is a special program called the emergency downloader (or sometimes just the downloader).
    Its only purpose is to download and write the partition table (partition0.bin) and secure boot loader partition data (contained in the .mbn) to the flash.
    IF security check failed, an error message is set and device "warm" reboots.
    The hex can only be sent ONCE per "cold" boot cycle.
    Removing the battery (or using the similar OEM key combo) will "cold" boot the device, clearing the RAM.
    Also, if download mode isn't successfully entered (using qpst or qdloader.pl) within a certain time limit, an error is set and the device "warm" reboots.
    This error message memory is why the device sometimes shows up differently.

    Of course this is only a simple outline of the Secure Boot 3 boot process. There is much more going on, but these are the basic steps that apply for bricked phones. I know less about Secure Boot 2 and earlier, but they follow a similar process and DON'T require a signed hex file. The Snapdragon S4 (msm8960 and others) was the start of the Secure Boot 3. The msm8660 was still using Secure Boot 2. So, if you want to know if your device is recoverable like this, then find out which chipset you have (msm????, apq????, ...) then find out what secure boot it uses. Google should answer this question easily. If it's Secure Boot 3 then most likely it requires signed files, which is still a dead end :(

    misc. extra info:

    There is of course no way to read a QFuse from QDL/qdload/qhsusb_dload until AFTER loading the HEX... (I've heard of some vendor specific programs included with their android system (LG Optimus?) that can read qfuses, but that is NOT a standard)


    The "cookie not received" error is simply QPST's way of reporting that it didn't get the "magic" text string from the phone/device. This is because the HEX either could not be uploaded or it could not be executed (either wrong hex for that CPU or it's not signed with the proper key hard coded into that device (OEM vendor specific))

    I'm sorry to say that I too have moved on to other projects. There just isn't enough free time anymore.

    It is possible, this tool makes use of the fact that these devices revert to dev board mode under certain conditions. There are major changes when it comes to partition layouts though. But the principle remains the same, the hex file allows the CPU to start up in a way that you can then write to the emmc, once the .mbn/sdcard mode files are written you can then rewrite your factory partition.
    It is still very much a work around though, some users are getting "cookie not received" errors which we still don't 100% know the meaning of, top answers are:
    1. Not a signed hex, CPU rejects it
    2. Damaged emmc, could be kernel wipe bug or true failure of emmc
    3. Additional commands are required for further function.


    Can I also ask that users that do have a hex file and associated files for the phone, please post what you have, further dissection of the files does assist in learning about how these devices run, e.g I learned everything from the 8960 docs and files before the 8660 files came about.
    Also there are a few ports of this programs floating around, but none have been posted for others to research into.
    Not to be confused with sister projects like HP touchpad debrick, my debrick contains code from that project and vice versa.

    It has also come to light that it may be possible to run a hex from a similar device, but this is not yet confirmed.

    I no longer have my Qualcomm device so I have not continued the research , if I get another one then I will.


    Darkspr1te


    Sent from my A210 using Tapatalk HD
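
The boot-time check from the Secure Boot overview earlier in this thread (PBL verifies SBL1, falls back to download mode, then verifies the hex once per cold boot), modelled as an added example that is not code from the thread or from brixfix. It assumes the fuse holds the public half of the OEM key; the toy RSA key, the `Device` class and the state names are constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes. Illustration only,
# not a real OEM key and not a secure key size or padding scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, stays with the OEM


def digest(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def oem_sign(image):
    """OEM side: hash the image, transform the hash with the private key."""
    return image, pow(digest(image), D, N)


def passes_check(blob, fuses):
    """PBL side. blob is (image, signature), or None when flash is unreadable."""
    if blob is None:
        return False
    image, signature = blob
    if not fuses["secure_boot"]:
        return True                       # fuse not blown: unsigned code is accepted
    if signature is None:
        return False
    n, e = fuses["key"]
    # Recompute the hash and compare it with the value recovered from the signature.
    return pow(signature, e, n) == digest(image)


class Device:
    def __init__(self, fuses, sbl1):
        self.fuses, self.sbl1 = fuses, sbl1
        self.error = None                 # error message, survives warm reboots
        self.hex_sent = False             # the hex is accepted once per cold boot

    def _pbl(self):
        return "SBL1" if passes_check(self.sbl1, self.fuses) else "DOWNLOAD_MODE"

    def cold_boot(self):
        self.error, self.hex_sent = None, False   # battery pull clears RAM
        return self._pbl()

    def send_hex(self, hex_blob):
        if self.hex_sent:
            return "IGNORED"              # needs a cold boot before another attempt
        self.hex_sent = True
        if passes_check(hex_blob, self.fuses):
            return "DOWNLOADER"           # emergency downloader now runs from RAM
        self.error = "hex failed security check"
        return self._pbl()                # warm reboot: error and hex_sent are kept


if __name__ == "__main__":
    fuses = {"secure_boot": True, "key": (N, E)}
    image, sig = oem_sign(b"constructed SBL1 image")
    dev = Device(fuses, (image + b" modified", sig))   # flash no longer matches signature
    print(dev.cold_boot())                             # DOWNLOAD_MODE
    print(dev.send_hex((b"unsigned hex", None)), dev.error)
    print(dev.send_hex(oem_sign(b"signed hex")))       # IGNORED until cold boot
    dev.cold_boot()
    print(dev.send_hex(oem_sign(b"signed hex")))       # DOWNLOADER
```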
    3
    Thanks Darkspr1te & Babaknuri


    HI Darkspr1te

    Thanks for the wonderful program that you made and thanks to babaknuri for the bootloaders files of SHV-E160S 32 GB

    I had mistakenly flashed my SHV-E160S with the N7000 International Version pit file and firmware, which bricked my device to QHSUSH_Dloader mode. Only black screen. No Download Mode, no Recovery Mode.

    Then I came across your thread and tried your method. I was able to get my device into download mode but my bootloader changed from SHV-E160S to SHV-E160L.

    And thanks to BABAKNURI, who gave me the SHV-E160S bootloader files after a lot of tries, I was able to get my phone up and running.

    Sharing the SHV-E160S 32 GB bootloader including pit file, taken as a backup with your application, darkspr1te, as you didn't have the bootloader and it will be helpful to other SHV-E160S users.

    Thanks again Darkspr1te a lot for the wonderful application.
    3
    Could someone help with APQ8064T hard bricked device (e980) please? I have one bricked and another fully operational phone, so all information needed can be extracted from the working phone.
    All possible HEX files I found could not help me to put the device into SDCARD mode. I started thinking that digging into Qualcomm chip specs for a way to boot the device from external SD-card would be more productive...

    All modern Qcom can in someway boot sd-card , it's controlled via either resistors on gpio pins, 'BOOT_CFG', or set in the chip via q-fuse which once set so far cannot be reset.

    My first suggestion BEFORE WRITING anything to the bricked device is document the un-bricked device, part of writing this information is giving your brain a moment to understand it.

    we have a Grand partition table section where users have posted the partition layout required by many devices, you should read this thread to understand the required files for creating and transferring a backup of the partition table. tools are posted there that can assist in gathering this information.

    Linux is not a 100% requirement but is suggested.
    in some cases its possible to write copies of the required bootloaders to a sd-card and boot the device that way , BUT, as always there is a big but, if the BOOT_CFG gpio is set to emmc -> fail to PBL or if it's set via the qfuse then only fixing the emmc or booting via the PBL will you fix the device.
    Adam Outler did a great thread on the unbrick-able mod and bootloaders, which some of my work followed; you must also read those.

    What files do you have?, what have you tried?