[SOLVED]-[BRICKED]SHV-E160L Korean model

Status
Not open for further replies.

darkspr1te

Senior Member
Sep 24, 2012
930
555
123

Right, I was not having any luck last night with getting a boot; I think it may have something to do with the partition table. Anyway, I gave up at 4am and hit the sack. This morning I decided to go back to my full dump (the first thing I did once I got the device flashed with the Qualcomm 8660_msimage.mbn, which gives you full eMMC access and a diagnostic COM port).
Anyway, I kept going over the partition0.mbn file supplied by some of the zips/firmware.
I kept saying to myself "that is already patched", so I decided to hunt for my original EBR.

Well, I found it.

With your Qualcomm device in eMMC SD-card mode, do:

Code:
dd if=fulldump of=ebr-test-dump.bin skip=208801 count=100

The count may not be as high as 100, but I wanted to grab extra data and then cut it off using my hex editor.
I then wrote it back to the phone using:

Code:
dd if=ebr-test-dump.bin of=/dev/sdc seek=208801 bs=512

Now my MBR I wrote using the partition0.mbn file with:

Code:
dd if=partition0.mbn of=/dev/sdc bs=512 count=1

I was greeted with this from fdisk -l /dev/sdc:

Code:
Disk /dev/sdc: 15.8 GB, 15758000128 bytes
1 heads, 32 sectors/track, 961792 cylinders, total 30777344 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1      204800      102400    c  W95 FAT32 (LBA)
/dev/sdc2   *      204801      205800         500   4d  QNX4.x
/dev/sdc3          205801      208800        1500   51  OnTrack DM6 Aux1
/dev/sdc4          208801      208801           0    5  Extended
/dev/sdc5          212992      213991         500   47  Unknown
/dev/sdc6          221184      225279        2048   45  Unknown
/dev/sdc7          229376      234375        2500   4c  Unknown
/dev/sdc8          237568      258047       10240   48  Unknown
/dev/sdc9          262144      263143         500   46  Unknown
/dev/sdc10         270336      271335         500   5d  Unknown
/dev/sdc11         278528      279527         500   91  Unknown
/dev/sdc12         286720      307199       10240   93  Amoeba
/dev/sdc13         311296      511999      100352    c  W95 FAT32 (LBA)
/dev/sdc14         516096      522239        3072   4a  Unknown
/dev/sdc15         524288      530431        3072   4b  Unknown
/dev/sdc16         532480      538623        3072   58  Unknown
/dev/sdc17         540672      741375      100352   8f  Unknown
/dev/sdc18         745472      751615        3072   59  Unknown
/dev/sdc19         753664      759807        3072   5a  Unknown
/dev/sdc20         761856      767999        3072   5b  Unknown
/dev/sdc21         770048      790527       10240   ab  Darwin boot
/dev/sdc22         794624      815103       10240   60  Unknown
/dev/sdc23         819200      839679       10240   94  Amoeba BBT
/dev/sdc24         843776     3911679     1533952   a5  FreeBSD
/dev/sdc25        3915776     8114175     2099200   a6  OpenBSD
/dev/sdc26        8118272     8736767      309248   a8  Darwin UFS
/dev/sdc27        8740864     9005055      132096   a9  NetBSD
/dev/sdc28        9011200    10035199      512000   95  Unknown
/dev/sdc29       10035200    30777343    10371072   90  Unknown

This exactly matches the PIT file I recovered; I think I now have the information to build a correct rawpartition0.xml.
We won't need the patch0.xml file anymore as we actually have our MBR and EBR files now.

There is a possibility the first 3 partitions could be wrong, but after looking at the data @ 208801 in the raw backup I think they are right; the location was correct, that's for sure.
Now I am going to restore dd copies of the SBL etc.
 
Reactions: jhoven and E:V:A
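
The MBR/EBR layout recovered in this post can be read straight from a dump without fdisk. The following is an added example, not code from the original post: a Python walker for the MBR and its EBR chain, run on a constructed sample whose primary slots mirror the listing above. The EBR placement in the sample and the names `walk_partitions`, `make_sector` and `SAMPLE` are assumptions.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}    # type ids that mark an extended container

def parse_entries(sector):
    """Decode the four 16-byte slots at offset 446 of an MBR or EBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not an MBR/EBR sector")
    slots = []
    for i in range(4):
        # status, CHS start (skipped), type id, CHS end (skipped), LBA start, count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        slots.append((status == 0x80, ptype, start, count))
    return slots

def walk_partitions(read_sector):
    """Return (number, bootable, type_id, first_lba, last_lba) for every partition."""
    parts, ext_base = [], None
    for i, (boot, ptype, start, count) in enumerate(parse_entries(read_sector(0)), 1):
        if ptype == 0:
            continue                              # empty primary slot
        parts.append((i, boot, ptype, start, start + count - 1))
        if ptype in EXTENDED and ext_base is None:
            ext_base = start                      # LBA of the first EBR
    ebr, seen, number = ext_base, set(), 5
    while ebr is not None:
        if ebr in seen:
            raise ValueError("EBR chain loops back to sector %d" % ebr)
        seen.add(ebr)
        slots = parse_entries(read_sector(ebr))
        boot, ptype, start, count = slots[0]      # slot 0: logical partition,
        if ptype:                                 # start is relative to this EBR
            parts.append((number, boot, ptype, ebr + start, ebr + start + count - 1))
            number += 1
        _, link, nxt, _ = slots[1]                # slot 1: next EBR, relative to
        ebr = ext_base + nxt if link in EXTENDED else None   # the first EBR
    return parts

def make_sector(slots):
    """Build a 512-byte MBR/EBR sector from (status, type, start, count) tuples."""
    body = b"".join(struct.pack("<B3xB3xII", *s) for s in slots)
    return bytes(446) + body.ljust(64, b"\0") + b"\x55\xaa"

# Constructed sample. Primary slots mirror the fdisk listing above; placing the EBRs
# in consecutive sectors from 208801 is an assumption made for this illustration.
SAMPLE = {
    0: make_sector([(0, 0x0C, 1, 204800), (0x80, 0x4D, 204801, 1000),
                    (0, 0x51, 205801, 3000), (0, 0x05, 208801, 1)]),
    208801: make_sector([(0, 0x47, 4191, 1000), (0, 0x05, 1, 1)]),
    208802: make_sector([(0, 0x45, 12382, 4096)]),
}

if __name__ == "__main__":
    for n, boot, ptype, first, last in walk_partitions(SAMPLE.__getitem__):
        print("p%-2d %s %8d %8d  %02x" % (n, "*" if boot else " ", first, last, ptype))
```

For a real dump, pass a function that seeks to `lba * 512` in the image file and returns 512 bytes; a sector in the chain without the 0x55AA signature raises an error instead of yielding a partial table.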

darkspr1te

more defined partition table information

Copy and paste the following into a .csv file and load it in your spreadsheet program.


Code:
Device,Boot,Start,End,Blocks,Id,System,Partition Name,File to restore from backup,File to restore from firmware
/dev/sdc1,,1,204800,102400,c,W95 FAT32 (LBA),SMD_HDR,smd_header.mbn,
/dev/sdc2   ,*,204801,205800,500, 4d , QNX4.x,SBL1,,sbl1.mbn
/dev/sdc3     ,,205801,208800,1500,51,  OnTrack DM6 Aux1,SBL2,,sbl2.mbn
/dev/sdc4      ,,208801,208801,0,5,  Extended,EXT,ebr.mbn,
/dev/sdc5    ,  ,212992,213991,500,47,  Unknown,RPM,,rpm.mbn
/dev/sdc6    ,  ,221184,225279,2048,45,  Unknown,SBL3,,sbl3.mbn
/dev/sdc7    ,  ,229376,234375,2500,  4c,  Unknown,ABOOT,,aboot.mbn
/dev/sdc8    ,  ,237568,258047,10240,48,  Unknown,BOOT,,boot.img
/dev/sdc9    ,  ,262144,263143,500,46,  Unknown,TZ,,tz.mbn
/dev/sdc10   ,  ,270336,271335,500,  5d,  Unknown,SSD,,
/dev/sdc11   ,  ,278528,279527,500,91,  Unknown,PIT,,Shv-e160l.pit
/dev/sdc12   ,  ,286720,307199,10240,93,  Amoeba,PARAM,param.lfs,
/dev/sdc13   ,  ,311296,511999,100352,   c,  W95 FAT32 (LBA),MODEM,,amms.bin
/dev/sdc14   ,  ,516096,522239,3072,  4a,  Unknown,MSM_ST1,efs.img,
/dev/sdc15   ,  ,524288,530431,3072,  4b,  Unknown,MSM_ST2,,
/dev/sdc16   ,  ,532480,538623,3072,58,  Unknown,MSM_FSG,,
/dev/sdc17   ,  ,540672,741375,100352,  8f,  Unknown,MDM,,mdm.bin
/dev/sdc18   ,  ,745472,751615,3072,59,  Unknown,M9K_EFS1,efsclear1.bin,
/dev/sdc19   ,  ,753664,759807,3072,  5a,  Unknown,M9K_EFS2,efsclear2.bin,
/dev/sdc20   ,  ,761856,767999,3072,  5b,  Unknown,M9K_FSG,,
/dev/sdc21   ,  ,770048,790527,10240,  ab,  Darwin boot,DEVENC,enc.img.ext4,
/dev/sdc22   ,  ,794624,815103,10240,60,  Unknown,RECOVERY,,recovery.img
/dev/sdc23   ,  ,819200,839679,10240,94,  Amoeba BBT,FOTA,,
/dev/sdc24   ,  ,843776,3911679,1533952,  a5,  FreeBSD,SYSTEM,,system.img.ext4
/dev/sdc25   ,  ,3915776,8114175,2099200,  a6,  OpenBSD,USERDATA,userdata.img.ext4,
/dev/sdc26   ,  ,8118272,8736767,309248,  a8,  Darwin UFS,CACHE,cache.img.ext4,
/dev/sdc27   ,  ,8740864,9005055,132096,  a9,  NetBSD,TOMBSTONES,tomb.img.ext4,
/dev/sdc28   ,  ,9011200,10035199,512000,95,  Unknown,HIDDEN,hidden.img.ext4,
/dev/sdc29   ,  ,10035200,30777343,10371072,90,  Unknown,UMS,ums.rfs,
 
Reactions: richardlibeau
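
An added example (not part of the original post) that reads a table in the CSV form above, checks the ranges for overlaps or sectors past the end of the disk, and cuts one named partition out of a full dump. Columns are taken by position (Start, End, name); the sample CSV and dump bytes are constructed, and the function names are hypothetical.

```python
import csv
import io

SECTOR = 512
DISK_SECTORS = 30777344          # "total 30777344 sectors" in the fdisk output

def load_layout(csv_text):
    """Read the table into [(name, first_lba, last_lba)], tolerating padded cells."""
    rows = csv.reader(io.StringIO(csv_text))
    next(rows)                                   # skip the header row
    layout = []
    for row in rows:
        cells = [c.strip() for c in row]
        if len(cells) < 8 or not cells[2].isdigit():
            continue                             # blank or malformed line
        # columns by position: 2 = Start, 3 = End, 7 = partition name
        layout.append((cells[7], int(cells[2]), int(cells[3])))
    return layout

def check_layout(layout, disk_sectors=DISK_SECTORS):
    """Return a list of problems: ranges past the end of the disk, or overlaps."""
    problems, prev_name, prev_last = [], None, -1
    for name, first, last in sorted(layout, key=lambda p: p[1]):
        if last < first or last >= disk_sectors:
            problems.append("%s: bad range %d-%d" % (name, first, last))
        if first <= prev_last:
            problems.append("%s overlaps %s" % (name, prev_name))
        if last > prev_last:
            prev_name, prev_last = name, last
    return problems

def carve(dump, layout, name):
    """Return the bytes of one named partition from an open full-dump file object."""
    for pname, first, last in layout:
        if pname == name:
            size = (last - first + 1) * SECTOR
            dump.seek(first * SECTOR)
            data = dump.read(size)
            if len(data) != size:
                raise ValueError("dump is truncated inside %s" % name)
            return data
    raise KeyError(name)

# Constructed sample: same column order as the table above, tiny made-up LBAs.
SAMPLE_CSV = """Device,Boot,Start,End,Blocks,Id,System,Name,Backup,Firmware
/dev/sdc2   ,*,1,2,1, 4d , QNX4.x,SBL1,,sbl1.mbn
/dev/sdc3     ,,3,6,2,51,  OnTrack DM6 Aux1,SBL2,,sbl2.mbn
"""
SAMPLE_DUMP = b"M" * 512 + b"1" * 1024 + b"2" * 2048

if __name__ == "__main__":
    layout = load_layout(SAMPLE_CSV)
    print(check_layout(layout), len(carve(io.BytesIO(SAMPLE_DUMP), layout, "SBL2")))
```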

darkspr1te

dump

thank you for your help,

I currently have the qpst version 2.7 build 373. You think is enough of download the same version of Chinese post QPST.2.7.374.rar

I will begin to download the other files required and I will be commenting my progress.

Thank you so much for your help, I really appreciate that you share your knowledge.
Please PM as soon as you have your dump or are close to that point.
I need to see a dump of the smd_hdr partition before any further work is carried out.

Regards

darkspr1te
 

tyllerdurdent

Member
Oct 19, 2012
22
1
0
update

Hi darkspr1te,

Sorry, I'm so slow but I'm reading everything and understanding all the information that you upload.

Right, I want to be sure of some steps, because the Chinese version has other images for programming the eMMC.

Copy:


* 8660_msimage.mbn //uploader
* patch0.xml
* partition0.bin
* MPRG8660.hex

to the bin folder. Image 1.

First, do I have to upload the MPRG8660.hex image to the phone using software download?
Image 2

Second, what is the order of settings to update the eMMC memory?
Image 3

Am I on the correct path?
 


darkspr1te

Success

For those that have been following my attempt to de-brick a Galaxy note without JTAG, well here you go,


Proof it's not only possible, I have done it. There are still bugs in my method but it does work, and it's possible this will work on many qualcomm devices, finally real control over your qualcomm baseband/radio
 


darkspr1te

Hi, darkspr1te

Man you r my hero. Really good job, I will continue follow your work and trying to reproduce your success.

:good:
Why Thank You Young Sire,

Now if I could just ask other users to just hold on, don't try this just yet!!!!!

I've learned a lot over the past 48hrs, I have to just document it and process it a little more, my head is kinda full to overload.

But for those of you that want to IGNORE my warnings (brick past here is return to samsung , sorry)

Code:
First get the 8660_msimage.mbn I mentioned before, and MPRG8660.HEX also; that's all you need to recover the data (not an UNBRICK yet, we need to recover your data).
Put the two files into a folder and rename MPRG8660.HEX to EMMCBLD.HEX


load QPST latest,
load EMMCSWDOWNLOAD 
make sure there is NO tick on emmc program, 
make sure there is a tick on load bootloaders
QPST should show you a phone in download mode, with a comport
put a tick next to search paths, select the folder that contains your 8660_msimage.mbn and  emmcbld.hex
the two text boxes at the top should contain
Code:
EMMCBLD.HEX                  (not MPRG8660.HEX)
8660_msimage.mbn

Code:
click download
first it loads the hex file, your device now restarts its USB system, then it writes the 8660_msimage.mbn to the start of the eMMC chip (I have not got a dump of partition 1 so I don't know what data it contains; I have not fixed my baseband so it could be related, also my touch buttons at the front don't work)

once it's finished, unplug device and remove battery,
If it's worked then when you plug your device into a pc (windows or linux) it should show up as a SD-CARD and comport.

now you MUST follow the next step

connect device to linux box

plug in device to linux pc
type dmesg and look for last listed SD? usb device, for example SDB

the next step you must have a place large enough to put the entire file, 16 or 32 gb
Code:
dd if=/dev/sdb of=/mnt/largedrive/shv-e160-full-dump.bin bs=512
Now go get a drink or coffee, this is a long process.

Back up that file to another place; you must have two copies, one for working on, one in case we (or my scripts) make mistakes.



more to come

darkspr1te
 
Reactions: Jonny and elbermu

E:V:A

Inactive Recognized Developer
Dec 6, 2011
1,449
2,212
0
-∇ϕ
Awesome! Very nice work!

I'm working on a tutorial for this, but you just beat me to it!
A couple of comments though.

1) Please edit some of your posts and use the CODE and QUOTE tags, so we can follow more easily what YOU have been doing, versus what others have been doing etc etc.

2) Probable reason for only 1/20 of your eMMC flashes working, is the 90 sec (default) timing limit for enumerating HS-USB. This can be set in many ways...

3) AFAIK, you don't need to rename the HEX file to exactly "EMMCBLD.HEX", it should be enough to put a lowercase "e" in front of whatever filename you have. PBL is looking for that in order to activate EhostDL mode.

4) Could you provide a download link with the essentials from the Mione QDN43 zip, so that we don't need to download 124 MB.

Excellent.

PS. QPST latest publicly available is build 378.
 
Reactions: elbermu

darkspr1te

Thanks for the info, I will upload the Mione files. Can anybody recommend a quick uploader website other than Rapidshare?
Is it possible that the MPRG8660 hex file supports just flashing of certain areas? Does anyone have the protocol?

On my Samsung I can activate the QDload at any time, so if I brick with the incorrect boot loader or for any other reason, I can power off and, when I power on, press my special QDload button I've installed into the phone to activate it, which also means I am happy to help with dev testing; it's kind of unbrickable.

E:V:A, I understand you are doing a lot of dev work, let me know if I can help. I am really enjoying this :p
I would like to produce at the end a one-click solution; do you have a link for QPST?

Is there a recommended file share site people prefer?

I will also go through and edit my posts, sorry about the bad formatting of my posts.


One last question: I want to upload most of what I've found but am unsure of the license behind some of the files (I am still new to Androids/Samsungs). Who would be best to advise me on this? (I don't want to upload IMEI data, for example, or a Qualcomm paid-for file.)
 

E:V:A

anybody recommend a quick uploader website other than rapidshare.
Use Sendspace for big files. (Max 1GB upload per day.)

is it possible that the MPRG8660 hex file supports just flashing of certain areas? does anyone have the protocol?
Not sure what you mean. But I think yes. You can define multiple code regions to be written in the HEX file. I'm just about to complete a tutorial on that! Not sure what you mean with protocol, but I'll cover the HEX format(s) as well...

On my samsung i can activate the QDload at anytime, so if i brick with the incorrect boot loader or via any other reason i can power off and when i power on press my special QDload button i've installed into the phone to activate, which also means i am happy to help with dev testing, it's kind of unbrickable.
Great! What did you connect that button to? (AQP8060 signals/pads ?)

E:V:A i understand you are doing a lot dev work, let me know if i can help.
You can definitely be of help. We need help with MSM8960, which is a bit different beast than yours. We need to know:
a) If 8660 HEX can be used as it is with 8960.
b) If the HEX file is signed in any way (Secure Boot 3).


do you have a link for QPST ?
You can find QPST 2.7.378 here.

One last question is, i want to upload most of what i've found but am unsure of the license behind some of files
I can't make ethical decisions for you, but most of those files are code that was supplied with the firmware and your phone, so there should be no problem. And if there's a problem I'm sure XDA mods will help you sort it out.
Of course you should always censor any IMEI etc data, before making it publicly available.
 

tyllerdurdent

help

hello darkspr1te

I have some questions because I'm not sure avoid something.

When I connect the phone in USB mode the memory appears without format in Windows, but it also happens in Linux.

Is this normal?

Because, isn't the Android file system supposed to be there?

Another error:
- the script throws me an error with partition0.bin

Could you please guide me here?
 


darkspr1te

Sorry for the delay in reply, as I've just got back, 9pm my time, from my job site of today.

Yes, it's not a normal disk format, and whatever you do, DO NOT FORMAT THE DRIVE!!!!

Let me grab a shower and I will upload a bit more info as to where you are right now. I will get tech, sorry, but you are at the data recovery point.
So brb, let me grab coffee, shower and I will reply.

darkspr1te
 

darkspr1te

Hi Ya,
OK, let me explain in layman's terms for other readers what's going on.

"Where we were":
Imagine your normal Android bootup is a group of security guards on the way to a party you have a ticket for. Each guard at a gate looks at your voucher entry pass, all the way to your gingerbread party. Each boot is normally the same: you get to the end and have your gingerbread party (normal phone operation).

"Not bricks of candy, but clay"
Where we are with a brick: as before we have the guards, and each guard talks to the next before he lets you in. In our case guards number 2, 3 and 4 are not answering the radio, so guard one says "VIP only" to get entry; sadly we don't have a VIP pass.

"Change the problem to equal solution"
So we can't get past guard one, so we replace the guards so guard #1 has someone to talk to (via badly scripted indirect means of retired staff). Problem is, like any bad heist of Hollywood, we chose the dumb-a$$ guys who don't know where to direct you (where we now are with an 8660_msimage.mbn flashed device).

"Don't scream and I give you ice cream"
Our dumb-a$$ guard is there for one reason: we only need them to get inside. Once inside, we replace them with new replacement original guards, and our tickets will now work again and we get properly directed to our gingerbread party. Safe and sound.



So if my attempt at teaching and humour has not offended anyone, on to the next step.
 

darkspr1te

DD'ing your device

OK, now that you have flashed your bricked device with the default 8660_msimage.mbn device file mentioned before in this thread, we have a disk drive available.

Data recovery 101
Rule #1: Back up the device, work on a backup of the backup first.
We are going to be breaking down the entire backup from your device. This is a needed step and each device has changes in the steps, so generic I will be, but only to my understanding.

What we have done is written a new bootloader and partition table to the device (boot loader = intelligence of guard, partition table = gate).
But this new setup has overwritten our old setup, which we now need to rebuild and then replace the aged data on that boot the device with new data.
From here on, please use a Linux platform. I've tried this in Windows and the data does not compare; dd via Cygwin has an issue I can't resolve.

So boot to your Linux-based device supporting USB Host (yes bro, your NAS can do this :p )
And I now need to shift to my Ubuntu laptop so I can copy and paste code and also upload files.
Brb,
darkspr1te
P.S. If anyone feels I am talking 'dumb' about this, I am sorry, I am also trying to educate users who are also just curious.
P.P.S. If Samsung and other fruits would just allow us to back up this data the day we turn on the phone, and restore any time
(their a$$ is more important, hence the "do you agree" buttons) <- Last rant
 

RussianBear

Recognized Contributor
Nov 10, 2008
2,010
323
153
Lol, does any one else have this issue with their hobbies
lol all the time.

question (s): is the emmc mode (usb drive) stable for you? can you be in it for an extended period of time. that's one of the reasons we were not able to explore more of this mode (at least I wasn't), because the sensation was losing it after 8-10 seconds.
another, can you access the emmc mode via putting the phone in a regular download mode? i don't think we could with sensation, had to brick it first.
pardon my ignorance, just don't have time to read the whole thread yet.
 