# Full analysis of Xiaomi Mi4 Windows Mobile 10 ROM



## TristanLeBoss (Jun 3, 2016)

I have done an extended analysis of the FFU file of Windows Mobile 10 for Xiaomi Mi4.

The partition layout is not the same on Android and Windows Phone. But some partitions have the same starting LBA, ending LBA and size, so they are at the same location and have the same size in both partition layouts. Because the FFU doesn't contain data blocks to write in these partitions, we can assume they stay intact during the update from Android to Windows Mobile.

This way I found out that 5 partitions are kept from Android, 13 are written with data and 6 are nulled (content is all zeroes):


```
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
+  #  | Start LBA | End LBA   | Size   | Name            | In FFU  | Status            |
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
|    0|       1024|       2047|    1024|SBL1             |   Yes   | Written           |
|    1|       2048|       2559|     512|UEFI_BS_NV       |   Yes   | Nulled            |
|    2|       3072|       3583|     512|UEFI_RT_NV       |   Yes   | Nulled            |
|    3|       4096|       8191|    4096|UEFI             |   Yes   | Written           |
|    4|       8192|      10239|    2048|DDR              |         | Kept from Android |
|    5|      10240|      12287|    2048|SSD              |         | Kept from Android |
|    6|      12288|      14335|    2048|PADDING0         |   Yes   | Nulled            |
|    7|      14336|      30719|   16384|DPP              |   Yes   | Written           |
|    8|      30720|      30783|      64|DBI              |   Yes   | Written           |
|    9|      31744|      32743|    1000|RPM              |   Yes   | Written           |
|   10|      32768|      33767|    1000|TZ               |   Yes   | Written           |
|   11|      33792|      34815|    1024|WINSECAPP        |   Yes   | Written           |
|   12|      34816|      67583|   32768|TZAPPS           |   Yes   | Written           |
|   13|      67584|      68607|    1024|BACKUP_SBL1      |         |                   |
|   14|      68608|      68671|      64|BACKUP_DBI       |         |                   |
|   15|      69632|      73727|    4096|BACKUP_UEFI      |         |                   |
|   16|      73728|      74727|    1000|BACKUP_RPM       |         |                   |
|   17|      74752|      75751|    1000|BACKUP_TZ        |         |                   |
|   18|      75776|      76799|    1024|BACKUP_WINSECAPP |         |                   |
|   19|      76800|     109567|   32768|BACKUP_TZAPPS    |   Yes   | Nulled            |
|   20|     109568|     117759|    8192|MMOS             |   Yes   | Written           |
|   21|     117760|     131071|   13312|PADDING1         |         |                   |
|   22|     131072|     134143|    3072|MODEM_FS1        |         | Kept from Android |
|   23|     134144|     137215|    3072|MODEM_FS2        |   Yes   | Nulled            |
|   24|     137216|     137247|      32|MODEM_FSC        |   Yes   | Nulled            |
|   25|     138240|     154623|   16384|PLAT             |   Yes   | Written           |
|   26|     154624|     220159|   65536|EFIESP           |   Yes   | Written           |
|   27|     220160|     262143|   41984|PADDING2         |         |                   |
|   28|     262144|     265215|    3072|MODEM_FSG        |         | Kept from Android |
|   29|     265216|     491519|  226304|PADDING3         |         |                   |
|   30|     491520|     524287|   32768|PERSIST          |         | Kept from Android |
|   31|     524288|    5537791| 5013504|MainOS           |   Yes   | Written           |
|   32|    5537792|   20967423|15429632|Data             |   Yes   | Written           |
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
```

Regarding the partitions which are in the FFU file, here is all the information I gathered about them:

"*SBL1*" is an SBL (Secondary Boot Loader) file with an 80-byte header
*The file is not signed (no signature and no certificate chain).*

Codeword[4]: d1dc4b84
Magic[4]: 3410d773
Image ID[4]: 15000000 (SBL1_IMG)
Reserved 1[4]: ffffffff
Reserved 2[4]: ffffffff
Image source[4]: 50000000
Image destination pointer[4]: 00c000f8 (4160798720)
Image size[4]: f8480400
Code size[4]: f8480400
Signature pointer[4]: f80805f8 (4161079544)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: f80805f8 (4161079544)
Certificate chain size[4]: 00000000 (0)
OEM root certificate selelected[4]: 01000000
OEM number of root certificates[4]: 01000000
Booting image config[4]: ffffffff
Reserved 6[4]: ffffffff
Reserved 7[4]: ffffffff
Reserved 8[4]: ffffffff
Reserved 9[4]: ffffffff

"*UEFI_BS_NV*" is an empty partition

"*UEFI_RT_NV*" is an empty partition

"*UEFI*" is probably an ARM binary file with a 40-byte header
*The file is not signed (no signature and no certificate chain).*

Image ID[4]: 05000000 (APPSBL_IMG)
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 00002000 (2097152)
Image size[4]: 00800d00
Code size[4]: 00800d00
Signature pointer[4]: 00802d00 (2981888)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: 00802d00 (2981888)
Certificate chain size[4]: 00000000 (0)

"*PADDING0*" is an empty partition

"*DPP*" is a FAT partition

"*DBI*" is probably an ARM binary file with a 40-byte header
*The file is not signed (no signature and no certificate chain).*

Image ID[4]: 1e000000
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 000080fe (4269801472)
Image size[4]: 982d0000
Code size[4]: 982d0000
Signature pointer[4]: 982d80fe (4269813144)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: 982d80fe (4269813144)
Certificate chain size[4]: 00000000 (0)

"*RPM*" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 91001000
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"*TZ*" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 000081fe
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 1000
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"*WINSECAPP*" is an ARM ELF (Executable and Linkable Format) file

Class: ELF32
Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 0090fe07
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"*TZAPPS*" is a FAT partition

"*BACKUP_TZAPPS*" is an empty partition

"*MODEM_FS2*" is an empty partition

"*MODEM_FSC*" is an empty partition

"*PLAT*" is a FAT partition

"*EFIESP*" is a FAT partition

"*MMOS*" is a FAT partition

"*MainOS*" is an NTFS partition
-> Boot sector backup at offset 2566913536 match the boot sector from sector 0

"*Data*" is an NTFS partition
-> Boot sector backup at offset 7899971072 match the boot sector from sector 0


----------
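
The classification method described in the post above, written out as an added example (it is not TristanLeBoss's tool): a partition is "Written" or "Nulled" if FFU blocks land inside its LBA range, and "Kept from Android" if nothing is written and the Android layout has the same geometry. The GPT entries come from the table; the 512-byte sector size, the write-range start LBAs and the five Android entries are constructed to be consistent with the post.

```python
from collections import Counter

# One FFU block (131072 bytes) in sectors; 512-byte sectors are an assumption.
SECTORS_PER_BLOCK = 131072 // 512

# (name, start LBA, end LBA) copied from the table in the post.
GPT = [
    ("SBL1", 1024, 2047), ("UEFI_BS_NV", 2048, 2559), ("UEFI_RT_NV", 3072, 3583),
    ("UEFI", 4096, 8191), ("DDR", 8192, 10239), ("SSD", 10240, 12287),
    ("PADDING0", 12288, 14335), ("DPP", 14336, 30719), ("DBI", 30720, 30783),
    ("RPM", 31744, 32743), ("TZ", 32768, 33767), ("WINSECAPP", 33792, 34815),
    ("TZAPPS", 34816, 67583), ("BACKUP_SBL1", 67584, 68607),
    ("BACKUP_DBI", 68608, 68671), ("BACKUP_UEFI", 69632, 73727),
    ("BACKUP_RPM", 73728, 74727), ("BACKUP_TZ", 74752, 75751),
    ("BACKUP_WINSECAPP", 75776, 76799), ("BACKUP_TZAPPS", 76800, 109567),
    ("MMOS", 109568, 117759), ("PADDING1", 117760, 131071),
    ("MODEM_FS1", 131072, 134143), ("MODEM_FS2", 134144, 137215),
    ("MODEM_FSC", 137216, 137247), ("PLAT", 138240, 154623),
    ("EFIESP", 154624, 220159), ("PADDING2", 220160, 262143),
    ("MODEM_FSG", 262144, 265215), ("PADDING3", 265216, 491519),
    ("PERSIST", 491520, 524287), ("MainOS", 524288, 5537791),
    ("Data", 5537792, 20967423),
]

# Constructed: the Android partitions the post says share start and end LBA.
ANDROID = {
    "DDR": (8192, 10239), "SSD": (10240, 12287), "MODEM_FS1": (131072, 134143),
    "MODEM_FSG": (262144, 265215), "PERSIST": (491520, 524287),
}

# Constructed write ranges: (first LBA, number of blocks, payload is all zeroes).
# Block counts follow "Data Blocks to Partitions"; the LBAs are assumed.
WRITES = [
    (1024, 4, False), (2048, 2, True), (3072, 2, True), (4096, 16, False),
    (12288, 8, True), (14336, 1, False), (30720, 1, False), (31744, 4, False),
    (32768, 4, False), (33792, 4, False), (34816, 2, False), (76800, 12, True),
    (134144, 8, True), (137216, 1, True), (138240, 58, False),
    (154624, 81, False), (109568, 2, False), (524288, 12714, False),
    (5537792, 677, False),
]

def touched_partitions(gpt, writes):
    """Map partition name -> True if every block written into it is zeroes."""
    touched = {}
    for first_lba, blocks, all_zero in writes:
        last_lba = first_lba + blocks * SECTORS_PER_BLOCK - 1
        for name, start, end in gpt:
            if first_lba <= end and last_lba >= start:   # LBA ranges overlap
                touched[name] = touched.get(name, True) and all_zero
    return touched

def classify(gpt, android, writes):
    """Return {partition name: status} using the post's three categories."""
    touched = touched_partitions(gpt, writes)
    status = {}
    for name, start, end in gpt:
        if name in touched:
            status[name] = "Nulled" if touched[name] else "Written"
        elif android.get(name) == (start, end):
            status[name] = "Kept from Android"
        else:
            status[name] = ""   # not in the FFU, no matching Android partition
    return status

if __name__ == "__main__":
    for name, state in classify(GPT, ANDROID, WRITES).items():
        print(f"{name:17} {state}")
```

A partition counts as touched when any block overlaps it, which is why DPP (one block out of 64) and MODEM_FSC (smaller than one block) are still classified.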



## TristanLeBoss (Jun 3, 2016)

Regarding the FFU file itself (10586.1102.3063.Retail.FFU): the image embedded catalog is not signed. I attached it to this post. I also attached the extracted hash table. Indeed, the cat file only contains a SHA1 of the hashtable: it's enough to ensure the data is fine.

All the information:

"_SECURITY_HEADER" position: 0

_SECURITY_HEADER
----------------

cbSize[4]: 20000000 (32)
Signature[12]: 5369676e6564496d61676520 (SignedImage )
dwChunkSizeInKb[4]: 80000000 (128)
dwAlgId[4]: 0c800000 (32780)
dwCatalogSize[4]: 48010000 (328)
dwHashTableSize[4]: 00a50600 (435456)

"Signed Catalog" position: 32
"Hash table data" position: 360 (+328)
"Padding" position: 435816 (+435456)
"_IMAGE_HEADER" position: 524288 (+88472)

Image Integrity Validation
--------------------------

Verify SHA-1 hash (91b4b4d9944bd90e36891b26c6ecded90190fcd5) of the hash table against the one from the embedded catalog

-> SHA-1 hash of the hash table match the hash from the catalog

Verify 1783627776 bytes of data per chunk of 128 kilobytes using 13608 SHA256 hashes (32 bytes)

-> Done successfully!

_IMAGE_HEADER
-------------

cbSize[4]: 18000000 (24)
Signature[12]: 496d616765466c6173682020 (ImageFlash  )
ManifestLength[4]: f41a0000 (6900)
dwChunkSize[4]: 80000000 (128)

"Manifest" position: 524312
"Padding" position: 531212 (+6900)
"_STORE_HEADER" position: 655360 (+124148)

_STORE_HEADER
-------------

dwUpdateType[4]: 00000000 (0)
MajorVersion[2]: 0100 (1)
MinorVersion[2]: 0000 (0)
FullFlashMajorVersion[2]: 0200 (2)
FullFlashMinorVersion[2]: 0000 (0)
szPlatformId[192]: 5849414f4d49544553542e5869616f6d69383937342e4d49340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (XIAOMITEST.Xiaomi8974.MI4)
dwBlockSizeInBytes[4]: 00000200 (131072)
dwWriteDescriptorCount[4]: 25350000 (13605)
dwWriteDescriptorLength[4]: 58520300 (217688)
dwValidateDescriptorCount[4]: 00000000 (0)
dwValidateDescriptorLength[4]: 00000000 (0)
dwInitialTableIndex[4]: 00000000 (0)
dwInitialTableCount[4]: 01000000 (1)
dwFlashOnlyTableIndex[4]: d1000000 (209)
dwFlashOnlyTableCount[4]: 01000000 (1)
dwFinalTableIndex[4]: 23350000 (13603)
dwFinalTableCount[4]: 02000000 (2)
NumOfStores[2]: Skipped because field is only for version 2 FFU image
StoreIndex[2]: Skipped because field is only for version 2 FFU image
StorePayloadSize[8]: Skipped because field is only for version 2 FFU image
DevicePathLength[2]: Skipped because field is only for version 2 FFU image
DevicePath[2]: Skipped because field is only for version 2 FFU image

"_VALIDATION_ENTRY" position: 655608
"_VALIDATION_ENTRY" size: 0

"_BLOCK_DATA_ENTRY" position: 655608
"_BLOCK_DATA_ENTRY" size: 217688

"_IMAGE_PAYLOAD" position: 917504

_VALIDATION_ENTRY
-----------------

Skipped because there is no validation entries

_BLOCK_DATA_ENTRY
-----------------

(Removed because it's really long !)



"Padding" position: 873296
"_IMAGE_PAYLOAD" position: 917504


GUID Partition Table Layouts
----------------------------

GUID Partition Table from data block #0


```
+-----+-----------+-----------+--------+------------------------------------+
+  #  | Start LBA | End LBA   | Size   | Name                               |
+-----+-----------+-----------+--------+------------------------------------+
+-----+-----------+-----------+--------+------------------------------------+
```

GUID Partition Table from data block #209


```
+-----+-----------+-----------+--------+------------------------------------+
+  #  | Start LBA | End LBA   | Size   | Name                               |
+-----+-----------+-----------+--------+------------------------------------+
|    0|       1024|       2047|    1024|SBL1                                |
|    1|       2048|       2559|     512|UEFI_BS_NV                          |
|    2|       3072|       3583|     512|UEFI_RT_NV                          |
|    3|       4096|       8191|    4096|UEFI                                |
|    4|       8192|      10239|    2048|DDR                                 |
|    5|      10240|      12287|    2048|SSD                                 |
|    6|      12288|      14335|    2048|PADDING0                            |
|    7|      14336|      30719|   16384|DPP                                 |
|    8|      30720|      30783|      64|DBI                                 |
|    9|      31744|      32743|    1000|RPM                                 |
|   10|      32768|      33767|    1000|TZ                                  |
|   11|      33792|      34815|    1024|WINSECAPP                           |
|   12|      34816|      67583|   32768|TZAPPS                              |
|   13|      67584|      68607|    1024|BACKUP_SBL1                         |
|   14|      68608|      68671|      64|BACKUP_DBI                          |
|   15|      69632|      73727|    4096|BACKUP_UEFI                         |
|   16|      73728|      74727|    1000|BACKUP_RPM                          |
|   17|      74752|      75751|    1000|BACKUP_TZ                           |
|   18|      75776|      76799|    1024|BACKUP_WINSECAPP                    |
|   19|      76800|     109567|   32768|BACKUP_TZAPPS                       |
|   21|     117760|     131071|   13312|PADDING1                            |
|   22|     131072|     134143|    3072|MODEM_FS1                           |
|   23|     134144|     137215|    3072|MODEM_FS2                           |
|   24|     137216|     137247|      32|MODEM_FSC                           |
|   25|     138240|     154623|   16384|PLAT                                |
|   26|     154624|     220159|   65536|EFIESP                              |
|   27|     220160|     262143|   41984|PADDING2                            |
|   28|     262144|     265215|    3072|MODEM_FSG                           |
|   29|     265216|     491519|  226304|PADDING3                            |
|   30|     491520|     524287|   32768|PERSIST                             |
+-----+-----------+-----------+--------+------------------------------------+
```

GUID Partition Table from data block #13603


```
+-----+-----------+-----------+--------+------------------------------------+
+  #  | Start LBA | End LBA   | Size   | Name                               |
+-----+-----------+-----------+--------+------------------------------------+
|    0|       1024|       2047|    1024|SBL1                                |
|    1|       2048|       2559|     512|UEFI_BS_NV                          |
|    2|       3072|       3583|     512|UEFI_RT_NV                          |
|    3|       4096|       8191|    4096|UEFI                                |
|    4|       8192|      10239|    2048|DDR                                 |
|    5|      10240|      12287|    2048|SSD                                 |
|    6|      12288|      14335|    2048|PADDING0                            |
|    7|      14336|      30719|   16384|DPP                                 |
|    8|      30720|      30783|      64|DBI                                 |
|    9|      31744|      32743|    1000|RPM                                 |
|   10|      32768|      33767|    1000|TZ                                  |
|   11|      33792|      34815|    1024|WINSECAPP                           |
|   12|      34816|      67583|   32768|TZAPPS                              |
|   13|      67584|      68607|    1024|BACKUP_SBL1                         |
|   14|      68608|      68671|      64|BACKUP_DBI                          |
|   15|      69632|      73727|    4096|BACKUP_UEFI                         |
|   16|      73728|      74727|    1000|BACKUP_RPM                          |
|   17|      74752|      75751|    1000|BACKUP_TZ                           |
|   18|      75776|      76799|    1024|BACKUP_WINSECAPP                    |
|   19|      76800|     109567|   32768|BACKUP_TZAPPS                       |
|   20|     109568|     117759|    8192|MMOS                                |
|   21|     117760|     131071|   13312|PADDING1                            |
|   22|     131072|     134143|    3072|MODEM_FS1                           |
|   23|     134144|     137215|    3072|MODEM_FS2                           |
|   24|     137216|     137247|      32|MODEM_FSC                           |
|   25|     138240|     154623|   16384|PLAT                                |
|   26|     154624|     220159|   65536|EFIESP                              |
|   27|     220160|     262143|   41984|PADDING2                            |
|   28|     262144|     265215|    3072|MODEM_FSG                           |
|   29|     265216|     491519|  226304|PADDING3                            |
|   30|     491520|     524287|   32768|PERSIST                             |
|   31|     524288|    5537791| 5013504|MainOS                              |
|   32|    5537792|   20967423|15429632|Data                                |
+-----+-----------+-----------+--------+------------------------------------+
```

Data Blocks to Partitions
-------------------------

Data Block #0-0: -> GPT
Data Block #0-1: -> GPT

Data Block #1-0: -> SBL1
to
Data Block #4-0: -> SBL1

Data Block #5-0: -> UEFI_BS_NV
to
Data Block #8-0: -> UEFI_RT_NV

Data Block #9-0: -> UEFI
to
Data Block #24-0: -> UEFI

Data Block #25-0: -> PADDING0
to
Data Block #32-0: -> PADDING0

Data Block #33-0: -> DPP

Data Block #34-0: -> DBI

Data Block #35-0: -> RPM
to
Data Block #38-0: -> RPM

Data Block #39-0: -> TZ
to
Data Block #42-0: -> TZ

Data Block #43-0: -> WINSECAPP
to
Data Block #46-0: -> WINSECAPP

Data Block #47-0: -> TZAPPS
to
Data Block #48-0: -> TZAPPS

Data Block #49-0: -> BACKUP_TZAPPS
to
Data Block #60-0: -> BACKUP_TZAPPS

Data Block #61-0: -> MODEM_FS2
to
Data Block #68-0: -> MODEM_FS2

Data Block #69-0: -> MODEM_FSC

Data Block #70-0: -> PLAT
to
Data Block #127-0: -> PLAT

Data Block #128-0: -> EFIESP
to
Data Block #208-0: -> EFIESP

Data Block #209-0: -> GPT

Data Block #210-0: -> MMOS
to
Data Block #211-0: -> MMOS

Data Block #212-0: -> MainOS
to
Data Block #12925-0: -> MainOS

Data Block #12926-0: -> Data
to
Data Block #13602-0: -> Data

Data Block #13603-0: -> GPT
Data Block #13604-0: -> GPT


----------
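
The integrity check described in the post above, as an added example (not the poster's tool): it parses the 32-byte `_SECURITY_HEADER`, derives the offsets the post lists, and checks every chunk against the SHA-256 hash table. Catalog parsing is left out, so the expected SHA-1 of the hash table is passed in by the caller; the tiny sample image and the function names are constructed for this example.

```python
import hashlib
import struct

# cbSize, Signature, dwChunkSizeInKb, dwAlgId, dwCatalogSize, dwHashTableSize
SEC_HDR = struct.Struct("<I12sIIII")
CALG_SHA_256 = 0x800C      # dwAlgId 32780 in the post
DIGEST = 32                # bytes per SHA-256 hash table entry

def align_up(n, a):
    return (n + a - 1) // a * a

def layout(blob):
    """Return the offsets that follow from the security header fields."""
    cb, sig, chunk_kb, alg, cat_size, table_size = SEC_HDR.unpack_from(blob, 0)
    if cb != SEC_HDR.size or sig != b"SignedImage ":
        raise ValueError("not an FFU security header")
    if alg != CALG_SHA_256 or table_size % DIGEST:
        raise ValueError("unexpected hash algorithm or table size")
    chunk = chunk_kb * 1024
    table = cb + cat_size
    padding = table + table_size
    return {"chunk": chunk, "catalog": cb, "hash_table": table,
            "padding": padding, "image_header": align_up(padding, chunk),
            "hashes": table_size // DIGEST}

def verify(blob, catalog_sha1=None):
    """Return the indexes of chunks whose SHA-256 does not match the table."""
    lo = layout(blob)
    table = bytes(blob[lo["hash_table"]:lo["padding"]])
    if catalog_sha1 is not None and hashlib.sha1(table).digest() != catalog_sha1:
        raise ValueError("hash table does not match the catalog digest")
    data = memoryview(blob)[lo["image_header"]:]
    chunk = lo["chunk"]
    if len(data) != lo["hashes"] * chunk:
        raise ValueError("data length does not match the number of hashes")
    return [i for i in range(lo["hashes"])
            if hashlib.sha256(data[i * chunk:(i + 1) * chunk]).digest()
            != table[i * DIGEST:(i + 1) * DIGEST]]

def build_sample(chunks=3, chunk_kb=1):
    """Constructed miniature image: same header layout, 1 KB chunks."""
    size = chunk_kb * 1024
    data = [bytes([i + 1]) * size for i in range(chunks)]
    table = b"".join(hashlib.sha256(c).digest() for c in data)
    catalog = b"\0" * 16                      # placeholder, never parsed here
    head = SEC_HDR.pack(SEC_HDR.size, b"SignedImage ", chunk_kb, CALG_SHA_256,
                        len(catalog), len(table)) + catalog + table
    head += b"\0" * (align_up(len(head), size) - len(head))
    return bytearray(head + b"".join(data)), hashlib.sha1(table).digest()

if __name__ == "__main__":
    # Header values from the post reproduce the offsets it lists.
    print(layout(SEC_HDR.pack(32, b"SignedImage ", 128, CALG_SHA_256, 328, 435456)))
    image, sha1 = build_sample()
    print("bad chunks:", verify(image, sha1))
    image[1024 + 1024 + 5] ^= 0xFF            # flip one byte in chunk 1
    print("bad chunks after tampering:", verify(image, sha1))
```

Both checks establish integrity only: when the catalog carries no signature, a matching SHA-1 and matching chunk hashes say nothing about who produced the image.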



## TristanLeBoss (Jun 3, 2016)

Regarding the Firehose flasher:

"*.\prog_emmc_firehose_8974.mbn*" is an SBL (Secondary Boot Loader) file with an 80-byte header
*The file is not signed (no signature and no certificate chain).*

Codeword[4]: d1dc4b84
Magic[4]: 3410d773
Image ID[4]: 0d000000
Reserved 1[4]: ffffffff
Reserved 2[4]: ffffffff
Image source[4]: 50000000
Image destination pointer[4]: 50c000f8 (4160798800)
Image size[4]: 90480100
Code size[4]: 90480100
Signature pointer[4]: e00802f8 (4160882912)
Signature size[4]: 00000000 (0)
Certificate chain pointer[4]: e00802f8 (4160882912)
Certificate chain size[4]: 00000000 (0)
OEM root certificate selelected[4]: 01000000
OEM number of root certificates[4]: 01000000
Booting image config[4]: ffffffff
Reserved 6[4]: ffffffff
Reserved 7[4]: ffffffff
Reserved 8[4]: ffffffff
Reserved 9[4]: ffffffff

Finally, the packages installed in this ROM:

*Part of the Windows Mobile Adaptation Kit (AK):*

*C:\Program Files (x86)\Windows Kits\10\MSPackages\Merged\arm\fre*
Probably untouched.

Microsoft.MS_RETAILDEMOCONTENT_NEUTRAL.Data.cab
Microsoft.MS_RETAILDEMOCONTENT_ZH-CN.Data.cab
Microsoft.EFIESP.Production.cab
Microsoft.MS_BOOTSEQUENCE_RETAIL.EFIESP.cab
Microsoft.RELEASE_PRODUCTION.EFIESP.cab
Microsoft.MainOS.Production.cab
Microsoft.MainOS.Production_Lang_en-US.cab
Microsoft.MainOS.Production_Lang_zh-CN.cab
Microsoft.MainOS.Production_Res_1080x1920.cab
Microsoft.MS_BOOTSEQUENCE_RETAIL.MainOS.cab
Microsoft.MS_COMMSENHANCEMENTCHINA.MainOS.cab
Microsoft.MS_COMMSMESSAGINGGLOBAL.MainOS.cab
Microsoft.MS_FACEBOOK.MainOS.cab
Microsoft.MS_OPTIMIZED_BOOT.MainOS.cab
Microsoft.MS_RETAILDEMOCONTENT_NEUTRAL.MainOS.cab
Microsoft.MS_RETAILDEMOCONTENT_ZH-CN.MainOS.cab
Microsoft.MS_SKYPE.MainOS.cab
Microsoft.MS_STANDARD_FEATURE_1.MainOS.cab
Microsoft.PhoneFM.cab
Microsoft.PRERELEASE_PROTECTED.MainOS.cab
Microsoft.PRERELEASE_PROTECTED.MainOS_Lang_en-US.cab
Microsoft.PRERELEASE_PROTECTED.MainOS_Lang_zh-CN.cab
Microsoft.PRERELEASE_PROTECTED.MainOS_Res_1080x1920.cab
Microsoft.RELEASE_PRODUCTION.MainOS.cab
Microsoft.RELEASE_PRODUCTION.UpdateOS.cab
Microsoft.UpdateOS.Production.cab

*C:\Program Files (x86)\Windows Kits\10\MSPackages\mobilecore\ARM\fre*
Probably untouched.

microsoft.mobilecore.prod.efiesp.cab
microsoft.mobilecore.prod.mainos.cab
microsoft.mobilecore.updateos.cab

*C:\Program Files (x86)\Windows Kits\10\MSPackages\retail\ARM\fre*
Probably untouched.

Microsoft.Input.mtf_Lang_en-US.cab
Microsoft.Input.mtf_Lang_zh-CN.cab
Microsoft.Speech.Data_Lang_en-US.cab
Microsoft.Speech.Data_Lang_zh-CN.cab

*Part of the Qualcomm Board Support Package:*

*E:\MI4\BSP\prebuilt.3063.RTF\spkg*

ODM-made packages:

Qualcomm.MI4.Customizations.MainOS.spkg
Qualcomm.MI4.Customizations.StartLayout.spkg
Qualcomm.MI4.Customizations.StaticApps.MainOS.spkg
Qualcomm.MI4.Customizations.EFIESP.spkg
Qualcomm.QC8974.OEMAutobrightness.spkg
Qualcomm.QC8974.OEMDevicePlatform.spkg
Qualcomm.Xiaomi.DeviceLayout.spkg

Qualcomm MSM8974 drivers:
Can ODM recompile these packages? Or are they untouched?

OEM.HalExtensions.UpdateOS.spkg
OEM.Service.ProvisionService.spkg
Qualcomm.QC8974.BattProv.spkg
Qualcomm.QC8974.FlightToken.spkg
Qualcomm.QC8974.startupnsh.spkg
Qualcomm.QC8974.ABD.spkg
Qualcomm.QC8974.AccLSM330.spkg
Qualcomm.QC8974.ADCM.spkg
Qualcomm.QC8974.adsprpc.spkg
Qualcomm.QC8974.AlsPrxTMD27723.spkg
Qualcomm.QC8974.AMSSPeriImage_8974DI4.spkg
Qualcomm.QC8974.AtmelTouch.spkg
Qualcomm.QC8974.AudioDeviceDriver.spkg
Qualcomm.QC8974.bam_dmux.spkg
Qualcomm.QC8974.BCryptCipher_KM.spkg
Qualcomm.QC8974.BT_MainOS.spkg
Qualcomm.QC8974.DataDaemon.spkg
Qualcomm.QC8974.DiagBridge.spkg
Qualcomm.QC8974.DiagCSI.spkg
Qualcomm.QC8974.DiagRouter.spkg
Qualcomm.QC8974.direct3dum11.spkg
Qualcomm.QC8974.DisableSaverF800Bugcheck.spkg
Qualcomm.QC8974.DSPPeriImage.spkg
Qualcomm.QC8974.FveEnable.HardwareCrypto.spkg
Qualcomm.QC8974.GyroLsm330.spkg
Qualcomm.QC8974.HalExtQCTimer.spkg
Qualcomm.QC8974.HalExtQCWdogTimer.spkg
Qualcomm.QC8974.hwnhaptics.spkg
Qualcomm.QC8974.hwnled.spkg
Qualcomm.QC8974.ipc_router.spkg
Qualcomm.QC8974.libadsprpc.spkg
Qualcomm.QC8974.linklocal.spkg
Qualcomm.QC8974.MagAKM8963.spkg
Qualcomm.QC8974.mbb.spkg
Qualcomm.QC8974.mbbuio.spkg
Qualcomm.QC8974.mbrg.spkg
Qualcomm.QC8974.ocmem.spkg
Qualcomm.QC8974.PageFile.UserData.256.spkg
Qualcomm.QC8974.Pep_ROT.spkg
Qualcomm.QC8974.PEPLED.spkg
Qualcomm.QC8974.PEPProxy.spkg
Qualcomm.QC8974.PhoneRadioRevision_8974DI4.spkg
Qualcomm.QC8974.pil.spkg
Qualcomm.QC8974.powerkeygpiodriver.spkg
Qualcomm.QC8974.PPMSettings.spkg
Qualcomm.QC8974.QC_PEP.spkg
Qualcomm.QC8974.qcadc.spkg
Qualcomm.QC8974.qcaud.spkg
Qualcomm.QC8974.QcBattMiniclass.spkg
Qualcomm.QC8974.QcBattMngr.spkg
Qualcomm.QC8974.qcbluetooth.spkg
Qualcomm.QC8974.QcBms.spkg
Qualcomm.QC8974.qccamavs.spkg
Qualcomm.QC8974.qccamflash.spkg
Qualcomm.QC8974.qccamfrontsensor_imx219_8m_bayer.spkg
Qualcomm.QC8974.qccamisp.spkg
Qualcomm.QC8974.QCCamJpegE.spkg
Qualcomm.QC8974.qccamplatform.spkg
Qualcomm.QC8974.qccamrearsensor_imx214_13m_bayer.spkg
Qualcomm.QC8974.qccamsettings.spkg
Qualcomm.QC8974.qccamtuningdata.spkg
Qualcomm.QC8974.qccdi.spkg
Qualcomm.QC8974.QCCI.spkg
Qualcomm.QC8974.qccomposite.spkg
Qualcomm.QC8974.QCDiagLogging.spkg
Qualcomm.QC8974.qcdx11compiler.spkg
Qualcomm.QC8974.qcdxdriver.spkg
Qualcomm.QC8974.qcepmadc.spkg
Qualcomm.QC8974.qcfmminiport.spkg
Qualcomm.QC8974.qcfmtransport.spkg
Qualcomm.QC8974.qcgnss.spkg
Qualcomm.QC8974.QcGnssSvc.spkg
Qualcomm.QC8974.qcgpio.spkg
Qualcomm.QC8974.QcGsiffSvc.spkg
Qualcomm.QC8974.qci2c.spkg
Qualcomm.QC8974.qcimssink.spkg
Qualcomm.QC8974.qcimssrc.spkg
Qualcomm.QC8974.QCJpegEncoderMFT.spkg
Qualcomm.QC8974.QcKmdBam.spkg
Qualcomm.QC8974.qclistensoundmodellib.spkg
Qualcomm.QC8974.QcLTECoexMgr.spkg
Qualcomm.QC8974.qcmchdcpuml.spkg
Qualcomm.QC8974.qcmcumd.spkg
Qualcomm.QC8974.QcMipiBif.spkg
Qualcomm.QC8974.QcPmic.spkg
Qualcomm.QC8974.QcPmicApps.spkg
Qualcomm.QC8974.QcPmicGpio.spkg
Qualcomm.QC8974.QCPowerLog.spkg
Qualcomm.QC8974.qcqdss.spkg
Qualcomm.QC8974.QcRCSPresSvc.spkg
Qualcomm.QC8974.qcSensor1UM.spkg
Qualcomm.QC8974.qcSensors.spkg
Qualcomm.QC8974.qcSensorsConfig.spkg
Qualcomm.QC8974.QcShutdownSvc.spkg
Qualcomm.QC8974.QCSI.spkg
Qualcomm.QC8974.qcslimbus.spkg
Qualcomm.QC8974.qcspi.spkg
Qualcomm.QC8974.qcspmi.spkg
Qualcomm.QC8974.QcUsbFnSsFilter.spkg
Qualcomm.QC8974.qcviddecmft.spkg
Qualcomm.QC8974.QcVidEncmftH263.spkg
Qualcomm.QC8974.QcVidEncmftH264.spkg
Qualcomm.QC8974.QcVidEncMftMPEG4.spkg
Qualcomm.QC8974.qcvidencum.spkg
Qualcomm.QC8974.qcvss.spkg
Qualcomm.QC8974.QcWicEncoder8974.spkg
Qualcomm.QC8974.QmiDaemon.spkg
Qualcomm.QC8974.qmux.spkg
Qualcomm.QC8974.QNFC.spkg
Qualcomm.QC8974.qualcomm_uart.spkg
Qualcomm.QC8974.RegCustomization.spkg
Qualcomm.QC8974.remoteat.spkg
Qualcomm.QC8974.RemoteAtSrvc.spkg
Qualcomm.QC8974.remotefs.spkg
Qualcomm.QC8974.revrmnet.spkg
Qualcomm.QC8974.rmnetbridge.spkg
Qualcomm.QC8974.RPEN.spkg
Qualcomm.QC8974.scm.spkg
Qualcomm.QC8974.ShowVideoCallingSwitch_8974DI4.spkg
Qualcomm.QC8974.smd.spkg
Qualcomm.QC8974.smmu.spkg
Qualcomm.QC8974.SOCProdTest.spkg
Qualcomm.QC8974.ssd.spkg
Qualcomm.QC8974.ssm.spkg
Qualcomm.QC8974.subsys.spkg
Qualcomm.QC8974.TouchDetectionDriver.spkg
Qualcomm.QC8974.UsbFnFilter.spkg
Qualcomm.QC8974.WCNSSPeriImage.spkg
Qualcomm.QC8974.WDFHelper.spkg
Qualcomm.QC8974.WifiNotifierSrvc.spkg
Qualcomm.QC8974.wlan.spkg
Qualcomm.QC8974.wlan_ihv.spkg
Qualcomm.QC8974.WMIms.spkg
Qualcomm.QC8974.WMRil.spkg
Qualcomm.QC8974_MTP.ACSP.spkg
Qualcomm.M8X74SOC_MTP.acpi.spkg
Qualcomm.QC8974.smbios_cfg.spkg

Partitions:

Qualcomm.QC8974.dbi.spkg
Qualcomm.QC8974.rpm.spkg
Qualcomm.QC8974.sbl1.spkg
Qualcomm.QC8974.tz.spkg
Qualcomm.QC8974.tzapps.spkg
Qualcomm.QC8974.uefi.spkg
Qualcomm.QC8974.winsecapp.spkg


----------
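
The header dumps for SBL1, UEFI and DBI in the first post and for the Firehose programmer in the post above all follow two little-endian layouts, so one parser can report whether a boot image carries a signature and certificate chain. This is an added example, not the poster's tool: the names `ImageHeader`, `parse_header` and `audit` are its own, the four unsigned samples are rebuilt from the hex values in the posts, the signed sample is constructed, and the size and pointer relations it checks are the ones the four dumps satisfy.

```python
import struct
from dataclasses import dataclass

SBL80 = struct.Struct("<20I")   # 80-byte header: SBL1, Firehose programmer
MBN40 = struct.Struct("<10I")   # 40-byte header: UEFI, DBI
SBL_CODEWORD, SBL_MAGIC = 0x844BDCD1, 0x73D71034   # d1dc4b84 / 3410d773 on disk

@dataclass
class ImageHeader:
    kind: str
    image_id: int
    dest: int
    image_size: int
    code_size: int
    sig_ptr: int
    sig_size: int
    cert_ptr: int
    cert_size: int

def parse_header(blob):
    """Parse the header at the start of a boot image (field order as dumped)."""
    if len(blob) >= SBL80.size:
        f = SBL80.unpack_from(blob)
        if (f[0], f[1]) == (SBL_CODEWORD, SBL_MAGIC):
            # codeword, magic, id, reserved x2, source, then the 7 fields below
            return ImageHeader("sbl80", f[2], *f[6:13])
    if len(blob) < MBN40.size:
        raise ValueError("too short for a 40-byte header")
    f = MBN40.unpack_from(blob)
    # id, flash partition version, source, then the 7 fields below
    return ImageHeader("mbn40", f[0], *f[3:10])

def audit(h):
    """Return findings; an empty list means signed and self-consistent."""
    findings = []
    if h.sig_size == 0:
        findings.append("no signature")
    if h.cert_size == 0:
        findings.append("no certificate chain")
    if h.image_size != h.code_size + h.sig_size + h.cert_size:
        findings.append("image size != code + signature + certificates")
    if h.sig_ptr != (h.dest + h.code_size) & 0xFFFFFFFF:
        findings.append("signature pointer does not follow the code")
    if h.cert_ptr != (h.sig_ptr + h.sig_size) & 0xFFFFFFFF:
        findings.append("certificate pointer does not follow the signature")
    return findings

SBL_TAIL = "01000000 01000000" + " ffffffff" * 5
SAMPLES = {
    # Rebuilt from the field dumps in the posts.
    "SBL1": bytes.fromhex(
        "d1dc4b84 3410d773 15000000 ffffffff ffffffff 50000000 00c000f8"
        " f8480400 f8480400 f80805f8 00000000 f80805f8 00000000 " + SBL_TAIL),
    "Firehose": bytes.fromhex(
        "d1dc4b84 3410d773 0d000000 ffffffff ffffffff 50000000 50c000f8"
        " 90480100 90480100 e00802f8 00000000 e00802f8 00000000 " + SBL_TAIL),
    "UEFI": bytes.fromhex(
        "05000000 03000000 00000000 00002000 00800d00"
        " 00800d00 00802d00 00000000 00802d00 00000000"),
    "DBI": bytes.fromhex(
        "1e000000 03000000 00000000 000080fe 982d0000"
        " 982d0000 982d80fe 00000000 982d80fe 00000000"),
    # Constructed for contrast: 256-byte signature, 6144-byte certificate chain.
    "signed (constructed)": MBN40.pack(
        0x05, 3, 0, 0x00200000, 0x1000 + 256 + 6144,
        0x1000, 0x00201000, 256, 0x00201100, 6144),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        h = parse_header(blob)
        print(f"{name:22} {h.kind} dest=0x{h.dest:08x} "
              f"code={h.code_size} -> {audit(h) or 'signed'}")
```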



## djtonka (Jun 3, 2016)

Do not forget, you can still install android on it without digging


----------



## TristanLeBoss (Jun 4, 2016)

djtonka said:


> Do not forget, you can still install android on it without digging




Yes, I know you can flip between Android and Windows Mobile as you wish.

I shared this information to understand how they ported Windows Mobile to an Android phone: it seems you need to keep some partitions.


----------



## ngame (Jun 4, 2016)

TristanLeBoss said:


> Yes, I know you can flip between Android and Windows Mobile as you wish.
> 
> I shared this information to understand how they ported Windows Mobile to an Android phone: it seems you need to keep some partitions.




Kept partitions must be related to flash mode.
I think if you remove them you will not be able to go back to Android.


----------



## katsuga (Jun 5, 2016)

Can it be ported to other phones?


----------



## iamsubhranil (Jun 7, 2016)

@TristanLeBoss I just wanna know what's the magic that differentiates an ARM Windows from an ARM Android? Basic instruction set is the same. So it can be ported to other ARM devices, right?


----------



## TristanLeBoss (Jun 7, 2016)

@katsuga & @iamsubhranil

Windows Mobile 10 can theoretically work on all ARM phones. But that's the theory... 

For example, Secure Boot will be a problem because if the bootloader of your phone is not signed by your manufacturer, your phone won't boot. Some phones like the Google Nexus offer a way to disable Secure Boot...

The next problem I see is with the drivers. I am unsure if they can be customized by manufacturers or if they are generic.


----------



## iamsubhranil (Jun 7, 2016)

TristanLeBoss said:


> For example, Secure Boot will be a problem because if the bootloader of your phone is not signed by your manufacturer, your phone won't boot. Some phones like the Google Nexus offer a way to disable Secure Boot...
> 
> The next problem I see is with the drivers. I am unsure if they can be customized by manufacturers or if they are generic.




SecureBoot can be disabled by OEM unlocking AFAIK. And regarding the .spkg drivers, I already made some searches and found that they are UWD (Universal Windows Drivers). VS15 itself provides some generic drivers for UWP. Any low-level customisations have to be made by the developer. This is a one-time effort as only UWD will reside in any future version of Windows. Being Linux based OpenSource OS, we already have our device sources, bases and all low level components in the source code state. I don't think porting them in UWD won't be any problem. Will it?


----------



## nate0 (Jun 9, 2016)

With these discoveries, what could be considered the most optimal candidate phone to test a port on? Be it not all ducks will line up in a row, but if only 1 or 2 are standing out of line, then it seems there are workarounds that can be implemented...hence the disabling of secure boot.  The other difficulty is how to flash, or what method can be used both ways...from Android to WM10 and vice versa.  Something similar to the miflash tool looks ideal or possibly other qualcomm tools.  Maybe I am thinking too far ahead here...


----------



## iamsubhranil (Jun 10, 2016)

nate0 said:


> With these discoveries, what could be considered the most optimal candidate phone to test a port on? Be it not all ducks will line up in a row, but if only 1 or 2 are standing out of line, then it seems there are workarounds that can be implemented...hence the disabling of secure boot.  The other difficulty is how to flash, or what method can be used both ways...from Android to WM10 and vice versa.  Something similar to the miflash tool looks ideal or possibly other qualcomm tools.  Maybe I am thinking too far ahead here...




Well at first I think a 100% similar spec-ed Android device with a Windows one could be the target because there'll be much less chance of missing and/or conflicting drivers and other components.


----------



## TristanLeBoss (Jun 10, 2016)

nate0 said:


> With these discoveries, what could be considered the most optimal candidate phone to test a port on? Be it not all ducks will line up in a row, but if only 1 or 2 are standing out of line, then it seems there are workarounds that can be implemented...hence the disabling of secure boot.  The other difficulty is how to flash, or what method can be used both ways...from Android to WM10 and vice versa.  Something similar to the miflash tool looks ideal or possibly other qualcomm tools.  Maybe I am thinking too far ahead here...




You figured them 

1) Ability to disable Secure Boot or to boot an untrusted boot loader

2) Ability to flash in 9008 mode
2a) A file to flash to restore the original OS
2b) Sahara programmer to restore GPT & needed boot partitions (MPRGXXXX.hex & XXXX_msimage.mbn) in case we soft brick it
2c) Firehose programmer (prog_XXXX_firehose.mbn) to flash new partitions once fastboot is gone

3) A SoC supported by one of the Windows Mobile 10 FFU we have (Xiaomi Mi4, Lumia 950, Lumia 950XL...)


----------



## nate0 (Jun 10, 2016)

TristanLeBoss said:


> You figured them
> 
> 1) Ability to disable Secure Boot or to boot an untrusted boot loader
> 
> ...




EDIT: Has anyone documented successfully disabling secure-boot on a Nexus or accomplished this?  Is this the same as unlocking the boot loader?  I have been thinking along the lines of UEFI/EFI secure boot.  Similar to disabling secure boot on a surface so you can install Android... Wondering if there are any repercussions or if it can be reversed...


----------



## nate0 (Jun 10, 2016)

TristanLeBoss said:


> Regarding the Firehose flasher:
> 
> "*.\prog_emmc_firehose_8974.mbn*" is a SBL (Secondary Boot Loader) file with a 80 bytes header
> *The file is not signed (no signature and no certificate chain).*
> ...


@TristanLeBoss
What else do you know about this programmer or others you may be able to analyze? Was it supplied through the OEM to use with their tool? Can it be used on other ARM QC 8974 chip phones? Maybe it can be used on another phone with the same partition layout/size? If not, I am curious if there is a way to extract or build the mbn/programmer files needed from another phone via a JTAG setup or something.

I ask this since for the OnePlus 2 (A2001 Chinese model) there are mbn/flash partitions/programmer files available for unbricking. Maybe those would come in handy...


----------



## nate0 (Jun 12, 2016)

This sounds like your theory would also work with an OTG cable and a thumb drive. But what do you mean by getting a UEFI image file to pack in the boot image, though? This would be a signed file?


----------



## iamsubhranil (Jun 21, 2016)

feherneoh said:


> If you tell me the exact device you are using (and optionally give me a boot.img for it) I can try to build one image for you (first LK, to make sure drivers are okay, if they work, then EFIDroid)



Only for same-spec devices for now, or for all Android devices?


----------



## nate0 (Jun 21, 2016)

feherneoh said:


> I should be able to build UEFI for almost any SnapDragon device, but in some cases LCD does not work with it
> And you still have to mess around with W10M to make it work



Your method uses an SD card to build/boot the separate OS, correct? Can this be done with an OTG connection as well? Would this work for the OnePlus 3? I currently own one. If not, I would be willing to purchase a cheap used OnePlus 2 device seeing how folks are trying to get rid of them now, but not sure how easily available that boot.img is.....


----------



## nate0 (Jun 22, 2016)

Actually it seems an OP2 device has no SD card slot either. If I am able to get a cheap used test device that will work, then it seems the OnePlus X does have a slot. Have you successfully accomplished a boot of W10M off an SD card from an Android phone? What's your test device, and do you have a separate thread on this, as some of this is off topic from the thread Subj... @TristanLeBoss apologies.


----------



## nate0 (Jun 23, 2016)

feherneoh said:


> BTW, I know people who started porting it, but it is extremely hard



Yes, from my small experience digging into it, it is not easy to get all things to line up the way they are needed.


----------



## nate0 (Jun 28, 2016)

Ok, guys.  I hinted at the fact that I am a recent owner of the newest OnePlus phone.  If you are unaware, OnePlus released just about all of the source code available for this phone just before sales opened.  In addition to this, XDA devs have been able to get a hold of bootloader images, in which they have a hard unbrick tool already available.  This is a brand new phone just weeks old now, and it might be something to consider while researching W10M ports for other phones, _especially_ since the firmware/bootloaders/gpt are available to revive from a hardbrick.  I'm really glad I recently bought this phone.


----------



## djamol (Aug 5, 2016)

@TristanLeBoss so do you have Windows 10 Mobile Adaptation Kit & MobileOs-arm-fre.zip? Which mi4i model is needed to run W10M? I saw 2-3 different devices. They closed first release with 3GB RAM specs, now comes with 2GB but diff. 3-4 models? I think it is also a good device for research purposes.


----------



## nate0 (Jul 20, 2017)

djamol said:


> @TristanLeBoss so do you have Windows 10 Mobile Adaptation Kit & MobileOs-arm-fre.zip? Which mi4i model is needed to run W10M? I saw 2-3 different devices. They closed first release with 3GB RAM specs, now comes with 2GB but diff. 3-4 models? I think it is also a good device for research purposes.



With the recent leak, I am curious who has available the adaptation kit, and if it will still serve a purpose with the information from this thread. I recently won one of these phones off eBay and plan to use it for testing as well.


----------



## nate0 (Dec 5, 2017)

@TristanLeBoss or anyone:
I am trying to dump the MODEM_FSG partition from an FFU or by phone itself via its flash programmer. I have not found a way to dump it from the FFU yet. From the phone I am running into snags. Any suggestions?

I have used thor2 and emmcdl. Both return the same partitions to extract from the FFU (14) and succeed but am missing all the others including MODEM_FSG. It is a non-Lumia FFU; the phone model is the IDOL 4s. I have used the flash programmer with the phone in EDL mode to attempt to extract the modem partition but it stalls or hangs. I can provide more output or potential errors, if someone thinks they can assist. I could have sworn I extracted additional partitions in the past. I am wondering if a method exists and I am currently missing it. I thought the splitffu command from emmcdl dumped them with the rawprogram.xml file. Seems only dumpffu will output the binaries. Maybe thor2 might have some options I have not used/tried... Thanks.

EDIT: Answer to my own question...
I have only found one way to do this and it is through Mass Storage mode and making a full eMMC backup.


----------
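Added example, not part of any post in this thread and not code from thor2 or emmcdl: once a full eMMC backup exists, as in the last post above, a named partition such as MODEM_FSG can be located by parsing the backup's primary GPT and slicing out its LBA range. It assumes a raw image starting at LBA 0 with 512-byte sectors; `parse_gpt`, `extract_partition` and `build_sample_image` are names made up here, and the sample image is constructed.

```python
import struct
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors in the backup

def parse_gpt(image, sector=SECTOR):
    """Map partition name -> (first LBA, last LBA) from the primary GPT."""
    hdr = image[sector:sector + 92]  # primary GPT header sits at LBA 1
    if len(hdr) < 92 or hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    raw = bytearray(image[sector:sector + hdr_size])
    raw[16:20] = bytes(4)  # the header CRC is computed with its own field zeroed
    if hdr_size < 92 or zlib.crc32(bytes(raw)) != hdr_crc:
        raise ValueError("bad GPT header size or CRC")
    entries_lba, count, esize, array_crc = struct.unpack_from("<QIII", hdr, 72)
    array = image[entries_lba * sector:entries_lba * sector + count * esize]
    if zlib.crc32(array) != array_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = {}
    for off in range(0, len(array), esize):
        entry = array[off:off + esize]
        if entry[:16] != bytes(16):  # all-zero type GUID marks an unused slot
            first, last = struct.unpack_from("<QQ", entry, 32)
            name = entry[56:128].decode("utf-16-le").split("\0", 1)[0]
            parts[name] = (first, last)
    return parts

def extract_partition(image, name, sector=SECTOR):
    """Return the raw bytes of one named partition from a full-disk backup."""
    first, last = parse_gpt(image, sector)[name]
    data = image[first * sector:(last + 1) * sector]
    if len(data) != (last - first + 1) * sector:
        raise ValueError("backup is shorter than the partition table claims")
    return data

def build_sample_image(sector=SECTOR):  # constructed test image, not a real dump
    img, array, hdr = bytearray(64 * sector), bytearray(4 * 128), bytearray(92)
    for i, (name, first, last, fill) in enumerate(
            [("MODEM_FSG", 40, 43, b"\xAA"), ("DPP", 48, 49, b"\xBB")]):
        entry = bytes([i + 1]) * 32 + struct.pack("<QQQ", first, last, 0)
        array[i * 128:(i + 1) * 128] = entry + name.encode("utf-16-le").ljust(72, b"\0")
        img[first * sector:(last + 1) * sector] = fill * ((last - first + 1) * sector)
    struct.pack_into("<8sII", hdr, 0, b"EFI PART", 0x00010000, 92)
    struct.pack_into("<QIII", hdr, 72, 2, 4, 128, zlib.crc32(bytes(array)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    img[sector:sector + 92] = hdr
    img[2 * sector:2 * sector + len(array)] = array
    return bytes(img)
```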

