# Create rawprogram0.xml from FFU file and extract partition as raw file



## TristanLeBoss (May 24, 2016)

I was searching for the "ffutoraw.exe" file referenced in the "rawprogram0.xml" file from the Xiaomi Mi4 Windows Mobile 10 ROM when I discovered a small tool which can also do the work.

Here is the eMMC DL tool v2.15 from Qualcomm. This tool is publicly available. It's part of the "DragonBoard Update Tool" (dragonboardupdatetool_x64.zip or dragonboardupdatetool_x86.zip) available on this webpage: https://developer.qualcomm.com/hardware/dragonboard-410c/tools Once installed, you will find the file in "C:\Program Files (x86)\Qualcomm\DragonBoardUpdateTool".

This small EXE actually has 3 useful functions regarding FFU files:

- "Create rawprogram0.xml for a FFU file; need -o"
    - szOutputFile = rawprogram0.xml
    - "-splitffu szFFUFile -o szOutputFile"

- "Split FFU file into partition binary chunks; need -o"
    - szPartName = partition name or "all" to extract all partitions
    - szOutputFile = destination folder for bin files
    - "-dumpffu szFFUFile szPartName -o szOutputFile"

- "Download FFU file to device in emergency download; need -o and -p"
    - "-ffu szFFUFile"

(I tried the rawprogram0.xml creation with the Xiaomi Mi4 Windows Mobile 10 ROM and the produced file was exactly the same as the one included in the ZIP file.)

Launching the EXE from the command line will echo a help screen:



> Version 2.15
> Usage: emmcdl <option> <value>
> Options:
> -l                             List available mass storage devices
> ...



----------



## nate0 (May 25, 2016)

Does the tool only work on a device if it is in EDL mode?  Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone.  This helps...


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> Does the tool only work on a device if it is in EDL mode?  Thanks for posting this as I would like to try to find a way to build or flash a compatible rom for a non-windows based smart phone.  This helps...




This indeed helps a lot. If I refer to the name of the tool, it probably only works on a phone in EDL mode. What do you want to do exactly?


----------



## nate0 (May 25, 2016)

I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing.  Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access.  If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones.  I am still reading and researching much, but with the resources now it should not be hard to accomplish this.


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> I'm interested to see how difficult it is to compile a Windows Mobile Build, at least a test build, since Production builds require specific vendor signing.  Microsoft offers all the resources much like Google for doing this, yet some of them do require subscriptions for access.  If this tool is able to formulate the xml for partitioning from a ffu then theoretically building this xml from another rom that is designed for 32gb partitioning could lead to a flashable solution on a device other than the mi4 or other 16gb android phones.  I am still reading and researching much, but with the resources now it should not be hard to accomplish this.




Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).

emmcdl -splitffu wp8.ffu -o rawprogram0.xml

But you can also directly flash the FFU file to your phone: you just need the FFU file and the Firehose flasher for your phone (it's an MBN file which has a name looking like "prog_emmc_firehose_8909_lite.mbn"). To proceed, you need to use the "-ffu" option:

emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu

You won't be able to generate a Windows Mobile image from scratch because neither the BSP package nor the WMAK kit has been leaked*. The Windows ADK contains all the tools needed to create and flash a ROM but without the CAB files from the Qualcomm BSP package and the Microsoft WMAK kit, you won't be able to do anything.

* Windows Phone 8.1 AK has been leaked (the install program is in the "\WPBLUE\Blue_9651.12393_ProdSigned_OEM\WPAK" folder of the 7Z file available on this page: http://forum.xda-developers.com/win...ools-wdk-wpak-wpdk-cabs-building-wp8-t3183972)
Windows 10 IoT AK has also been leaked (you need to find either "en_windows_10_iot_core_version_1511_updated_feb_2016_x86_arm_dvd_8369778.iso" or "en_windows_10_iot_core_version_1511_x86_arm_dvd_7226982.iso")

I managed to create a small script which recreates the CAB files from a FFU file. Even if they were exactly the same as the originals, they lacked the Microsoft signature so I am unsure the ADK tools can use them.


----------



## TristanLeBoss (May 25, 2016)

Oh, I forgot to add that - to my knowledge - this tool doesn't implement the image integrity validation (signature check [embedded catalog] and hash check [embedded hash table]).

Would be interesting to find out what happens if the stock 950 FFU file is flashed as-is to a Nexus phone...

There are 3 problems I can think of:

- UEFI: the phone may need to have a Microsoft key in its "db" store to authenticate the Windows Mobile bootloader.
- Partitions: does the layout need to be exactly the same as the Android version?
- Drivers: even if the SoC is the same, there may be some tweaks...


----------



## nate0 (May 25, 2016)

TristanLeBoss said:


> Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
> I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
> 
> emmcdl -splitffu wp8.ffu -o rawprogram0.xml
> ...




I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?

---------- Post added at 07:52 PM ---------- Previous post was at 07:44 PM ----------

Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical to the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing you can technically partition it however you want but then you're building that configuration from scratch. How difficult is it to dump the partitioning of a 6p?  I'm still looking but that's the next best candidate being unlockable in seeing if this is feasible.  Sorry for any typos, sending these last two from my phone.


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> I'm going to look into this further. Thank you. What's stopping us from using a Lumia ffu for an identical soc and storage size of another device? I've been contemplating this and since all the drivers and cabs are signed already might be possible. Also with your script what's stopping you from signing those files yourself and making a test build image?




I added another reply before seeing yours. It contains 3 things that may be a problem: UEFI, partition layout and drivers.

UEFI: Windows Mobile is said to require Secure Boot. This is not a problem because Nexus phones support it. The problem I see is more with the signature check on the bootloader: the 'Microsoft Windows Production PCA' and 'Microsoft Corporation UEFI CA' keys should be in the "DB" store for the Windows Mobile bootloader to be accepted by the UEFI bios of the Nexus. The worst thing that can happen is the Nexus displaying a message complaining about the bootloader.

Partition layout: Flashing a new image will probably change the partition table. I don't know if it can be a problem.

Drivers: SoC contains most if not all the required systems of a phone so the drivers should work but they may need per-hardware "customisation".

The problem is that we hear about people succeeding but not about failures: has someone already tried to flash a FFU file to a Nexus? Maybe no one ever tried... and maybe it's working.

I don't think you can really brick a phone by doing so because the Qualcomm 9008 mode is not something that is part of the image.


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> Good points. Much deeper than I was thinking but along the same lines. I would think the partitioning needs to be identical to the 950 rom since that's how it was built. But it might not matter since ffus blank the entire storage in the process of flashing you can technically partition it however you want but then you're building that configuration from scratch. How difficult is it to dump the partitioning of a 6p?  I'm still looking but that's the next best candidate being unlockable in seeing if this is feasible.  Sorry for any typos, sending these last two from my phone.




The FFU file basically contains a disk image with a GPT partition table. When you flash the FFU, the eMMC memory will be erased and a new partition table will be installed along with the new partitions. On this forum, there is a tool which converts FFU to VHD: http://forum.xda-developers.com/showthread.php?t=2066903 (On my computer, the conversion works but the mounting fails. You can find the resulting VHD file in your Windows profile TEMP directory.) There is also one Python script available to create a RAW disk image from a FFU file but I HIGHLY DON'T RECOMMEND IT as it doesn't implement the whole FFU specification so it will likely create a corrupt disk image.

The thing I don't know is if the partition layout of a phone can be changed: you can of course change it but will the phone still operate? I mean maybe each partition needs to start at an exact sector (LBA) [I don't think so but without trying...]


----------



## nate0 (May 25, 2016)

Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile




No, I have no Windows Phone 

Maybe the Secure Boot is just a requirement but it may not be mandatory to boot.
It's also possible that a retail ROM checks for it but that a production ROM may not check for it. ( https://cms-images.idgesg.net/images/article/2015/03/uefi-secure-boot-windows-10-100574859-orig.png )


----------



## TristanLeBoss (May 25, 2016)

Okay, I have more information: it seems that on mobile phones, the SecureBoot keys can be stored in a partition from the eMMC. This partition's name is RPMB for Replay Protected Memory Block.

This partition is encrypted with the PK key which is burnt into the chip.


----------



## TristanLeBoss (May 25, 2016)

It seems booting an unverified bootloader is possible on Nexus phones

http://android.stackexchange.com/qu...ot-img-to-nexus-5-when-secure-boot-is-enabled

Q: "As I understand, if secure boot is enabled, the bootloader will verify the boot.img when booting.

Obviously, my custom kernel cannot pass the verification.

In such a case, how to correctly flash my own boot.img?"

A: "This doesn't imply that you cannot boot into the Android with your custom kernel. When the verification would fail, your device would warn you about that and you would be given the choice to continue the boot process or not."


----------



## nate0 (May 25, 2016)

Correct.  It warns of this after unlocking the boot loader.  Need to acquire an mbn for this phone to boot the rom in question.


----------



## TristanLeBoss (May 25, 2016)

nate0 said:


> Correct.  It warns of this after unlocking the boot loader.  Need to acquire an mbn for this phone to boot the rom in question.




I attached the one I have but don't know if it's the one to use for this phone.


----------



## nate0 (May 27, 2016)

Did you generate this mbn or locate it elsewhere?  I am trying to understand how the mbn file fits into the picture.  Is it generated based on the FFU image or generated by the OEM?  

I was able to create the program xml from a lumia FW of another 800 SoC (Lumia ICON).  With the files and tools gathered I want to just test this flash process by flashing a different Windows ROM designed for the Lumia onto my Ativ SE.  I think I have a way of getting the mbn for this phone with samtools which I found in another forum thread, but I will have to double check.  The ATIV SE is also the 800 but not designed for this specific Lumia rom or the rom designed for it, however you look at it.  I am willing to do this since the ATIV SE has a bad sim slot anyway.


----------



## TristanLeBoss (May 27, 2016)

I think "MBN" doesn't mean anything: it's just an extension. I found MBN files containing basically any type of file. The MBN file I attached and which is needed by the emmcdl.exe program should be an ELF (Executable Linkable Format, the EXE files of Linux among many uses). Open it with a hex editor and it should start with "ELF".

The file I provided has been found by myself. I have not yet any idea if it's possible to generate them. Firehose is the name of one of the many protocols which can be used to talk to a device in emergency mode. I think it only depends on the SoC.


----------



## TristanLeBoss (May 27, 2016)

My answer to your PM may be useful for everyone. So I copy it here:

I'm not sure flashing the FFU of the Lumia 950 XL to an Ativ SE will work as is. Indeed they don't use the same SoC. It's possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using ImageApp.exe (from Windows 10) directly on the FFU file:

https://msdn.microsoft.com/en-us/library/windows/hardware/dn789232(v=vs.85).aspx

*TO TEST*

It may also be possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using DISM (from Windows 10) directly on the FFU file:



> Dism /Image:flash.ffu /Add-Package /PackagePath:C:\packages\package1.cab /PackagePath:C:\packages\package2.cab




Use the /IgnoreCheck argument if you want the command to process without checking the applicability of each package.

You may want to remove the CAB files related to the Qualcomm MSM8994 SoC of the Lumia 950 XL:



> Dism /Image:flash.ffu /Remove-Package /PackageName:Microsoft.Windows.Calc.Demo~6595b6144ccf1df~x86~en~1.0.0.0




Use the /Get-Packages option to find the name of the package in the image.

*END - TO TEST*

Without this step, you will probably end up with a boot looping phone but you should be able to recover the original Windows Phone 8 OS with the Microsoft Windows Device Recovery Tool.

There are 4 ways to flash a new image to a device:

- Using UEFI download mode (Windows Phone)
- Using fastboot (Android)
- Using the Qualcomm 9008 mode (all phones with a Qualcomm SoC)
- Using the FFU download mode (Windows Phone)

*1. How to put the phone in UEFI download mode*

If you have a Windows Phone, please try to turn off the phone and then press the power button for a long time until the phone shows a "Windows Phone Boot Menu" with a "USB Mass Storage Mode". You can then release the button.

To select this option, simply press the power button once: you can now connect the phone to your computer. The driver should install automatically and the phone will appear on your computer as a disk drive.

*2. How to put the phone in fastboot mode*

Go here: http://www.droidviews.com/how-to-bo...astboot-download-bootloader-or-recovery-mode/

*3. How to (force) trigger the Qualcomm 9008 mode*

*NOTE:* If you have a working operating system, this is not needed to flash a new image. If the phone feels the need to go in Qualcomm 9008 mode (if it fails to boot from the eMMC), it will do it by itself.

*NOTE:* For Android, you may be able to reboot the phone in Qualcomm 9008 mode using an adb command:



> adb reboot edl




The only way to (force) go into Qualcomm 9008 mode is to brick your phone: indeed, if it fails to do any kind of software boot from the eMMC memory, it will fall back to Qualcomm 9008 mode.
(Ok, on some phones, shorting some pins on the motherboard may force the Qualcomm 9008 mode but you need to know which ones)

The first step is to prevent the phone from booting the installed operating system. To do that, we remove the boot partition from the eMMC. Don't worry, the primary boot loader (PBL) is in a chip on your board and can't be erased: you only kill the operating system (Android/Windows) bootloader; also known as secondary boot loader (SBL).

*3.1 Android*

If you have an Android phone, you will need to boot into fastboot and issue the following command to erase the SBL1 partition (the operating system bootloader):



> fastboot erase sbl1




*3.2 Windows*

If you have a Windows phone, you will need to boot into UEFI download mode.

Once the phone is installed on your computer, you need to delete the SBL1 partition from the phone (the operating system bootloader). I think you can do it using any partition software because the phone is detected by the computer as a drive.

You can also use the emmcdl.exe tool:

You first need to list disks:



> emmcdl.exe -l




Note the number at the beginning of your phone's drive. Then issue the following command (replace X with the disk number):



> emmcdl.exe -p X -e SBL1




*4. How to flash a new image*

*4.1. Using UEFI download mode (Windows Phone)*

*NOTE:* If you don't have the stock FFU file or if your phone is not supported by the Windows Device Recovery Tool, you may also want to do a backup of the phone drive using a free tool like "HDD Raw Copy": this drive image can be reflashed later using the download mode [if you can reach it] or from the Qualcomm 9008 mode.

*4.1.1 Method #1: FFU > VHD > HDD Raw Copy*

- convert the FFU file to a VHD using ImgMount ( http://forum.xda-developers.com/showthread.php?t=2066903 ),
- mount the VHD as read-only on your PC using VHDAttach ( https://www.medo64.com/vhdattach/ ),
- use "HDD Raw Copy" ( http://hddguru.com/software/HDD-Raw-Copy-Tool/ ) to copy the whole disk corresponding to the VHD to the drive corresponding to your phone (clone the VHD onto the drive).

*4.1.2 Method #2: Using DISM.exe*

*NOTE:* You will probably need DISM from a Win 10 installation.



> dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN




Use /SkipPlatformCheck if the FFU file being applied is targeted for a device other than the device performing the application.

URL: https://developer.microsoft.com/en-us/windows/iot/win10/samples/dism

*4.2 Using Qualcomm 9008 mode (All phones with a Qualcomm SoC)*

If your phone is in Qualcomm 9008, it will show up as "Qualcomm HS-USB QDLoader 9008" [or QHSUSB_DLOAD]. (If it does show up as "Qualcomm HS-USB Diagnostics 9006" [or QHSUSB_BULK] don't do anything as it's not exactly the same thing).

You indeed need drivers. You can find them here: https://mega.nz/#!uhJl0B5R!J6Hbx6Dd6...WrkVNK8IZaOTkg

*NOTE:* It seems that some phones also mount the eMMC as a drive: you need to look under "Disk drives" in your Windows "Device Manager". Indeed, if you find "Qualcomm MMC Storage USB Device", it means your phone eMMC is mounted as a drive. You can use methods from 4.1 instead of continuing here.

Once the phone is detected and installed, you can use this command:



> emmcdl.exe -p COMX -f prog_emmc_firehose_XXXX_lite.mbn -FFU Flash-val.FFU




Replace COMX with the port used by the phone: you can find it in the "Device Manager" under "Ports (COM & LPT)". You also need the correct flasher for your phone.

// TODO : Add things about protocol

*4.3 Using fastboot (Android)*



> fastboot oem unlock




Extract all partitions from the FFU file as BIN files:



> emmcdl -dumpffu {FFU_file} all -o {folder}




Flash new partition table:



> fastboot flash partition {partition_table_file}




Flash all partitions:



> fastboot flash {partition_name} {partition_file}




Reboot:



> fastboot reboot




*4.4 Using FFU download mode (Windows)*

*NOTE:* This method uses a flasher from the phone. This flasher does check for image integrity (thanks to the hash table embedded in the FFU file) and checks if the FFU file is signed (thanks to the embedded catalog file). It also checks if the FFU file is for this phone (platform check). So, it can only be used to flash a stock image.

To force the device into the FFU download mode manually, press and release the power button to boot the device, and then immediately press and hold the volume up button. This option is available only after an initial FFU has been flashed to the device.



> ffutool -flash flash.ffu



----------



## TristanLeBoss (May 27, 2016)

There is another tool from Microsoft dealing with FFU: ffutool.exe

https://msdn.microsoft.com/en-us/library/windows/hardware/dn789235(v=vs.85).aspx

It's part of Windows Assessment and Deployment Kit (Windows ADK) which is publicly available ( https://msdn.microsoft.com/en-us/windows/hardware/dn913721.aspx ).

*NOTE:* This program has been coded using C# so it can easily be decompiled back to its source code using ILSpy ( http://ilspy.net/ ). It uses the following assembly: 'FFUComponents, Version=8.0.0.0, Culture=neutral, PublicKeyToken=5d653a1a5ba069fd' which may contain interesting code.

I'm not sure it's useful as it seems to enforce integrity check and platform check.



> Usage: FFUTool -flash <path to FFU file to apply to disk> [path to flashing WIM]..
> FFUTool -uefiflash <path to FFU, flashed from UEFI directly>..
> FFUTool -fastflash <path to FFU, flashed from UEFI directly>..
> FFUTool -wim <path to WIM to boot from RAM>..
> ...



----------



## TristanLeBoss (May 27, 2016)

The last tool which deals with FFU files is thor2.exe

It's also publicly available: just install the Microsoft Windows Device Recovery Tool ( http://go.microsoft.com/fwlink/p/?LinkId=522381 ) and you will find it in this folder: C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool



> Usage: thor2 -mode [MODE] -[ARGUMENT]... -[FLAG]...
> 
> Thor2 aims to provide SW update and miscellaneous R&D operations for WP8 products, Alpha, Collins, Theta, Quattro and Romulus engines.
> 
> ...



----------



## TristanLeBoss (May 27, 2016)

It seems that there are different Qualcomm protocols to download an image:

- Sahara: Sahara Protocol works a lot differently than the regular software download described below.  In Sahara, the download is driven by the device itself, so the device starts off by sending a Hello command to the PC.
- Streaming: Used to put the phone in download mode. Requires a HEX file and an MBN file containing the GPT + the boot partitions.
- DMSS: Outdated protocol.
- Firehose: ...

The 2 tools I talked about support different protocols:

thor2.exe
------------

-protocol
sahara
streaming <default>

emmcdl.exe
---------------

-protocol
firehose <default>
streaming


----------



## nate0 (May 27, 2016)

Lumia phones use a different download mode than HTC or Samsung or at least all 3 OEM's go about it differently. As far as testing the flash process of a ffu to a phone of a same soc hw Thor2 should be equipped to handle my m8 since the windows device recovery tool supports it, but the ativ se is not. 
I'm searching for a used nexus currently if found would it matter the storage size whether 32 or 64 gb?

---------- Post added at 05:52 PM ---------- Previous post was at 05:41 PM ----------




TristanLeBoss said:


> Yes, you can give any FFU file to this program and it will give you the corresponding rawprogram0.xml file. You need to use the "-splitffu" option for that.
> I think this option is available so you can flash the FFU (using the rawprogram0.xml file) with a program like "QFIL" (part of QPST).
> 
> emmcdl -splitffu wp8.ffu -o rawprogram0.xml
> ...






TristanLeBoss said:


> It seems that there are different Qualcomm protocols to download an image:
> 
> - Sahara: Sahara Protocol works a lot differently than the regular software download described below.  In Sahara, the download is driven by the device itself, so the device starts off by sending a Hello command to the PC.
> - Streaming: Used to put the phone in download mode. Requires a HEX file and an MBN file containing the GPT + the boot partitions.
> ...




Isn't Sahara native for lumias?  There is a way to gain access to contents of the Sahara files/folders on a limited amount of Lumia devices that can be unlocked via wpinternals, I was looking at this last night.


----------



## TristanLeBoss (May 27, 2016)

nate0 said:


> Lumia phones use a different download mode than HTC or Samsung or at least all 3 OEM's go about it differently. As far as testing the flash process of a ffu to a phone of a same soc hw Thor2 should be equipped to handle my m8 since the windows device recovery tool supports it, but the ativ se is not.
> I'm searching for a used nexus currently if found would it matter the storage size whether 32 or 64 gb?
> 
> ---------- Post added at 05:52 PM ---------- Previous post was at 05:41 PM ----------
> ...




Windows Device Recovery Tool simply checks on a server to know which files and protocol to use with thor2. Example for the Lumia 640:

https://repairavoidance.blob.core.w...gencyFlash/RM-1077/emergency_flash_config.xml

Replace "RM-1077" with any hardware model (I think you can find the "Model" in the "About" screen of your Windows phone.)


----------



## augustinionut (May 27, 2016)

Ok folks, how to skip id platform check?


----------



## TristanLeBoss (May 27, 2016)

augustinionut said:


> Ok folks, how to skip id platform check?




Method 3.1.1 of this post ( http://forum.xda-developers.com/showpost.php?p=67045151&postcount=18 ) bypasses the platform check.

dism.exe also allows skipping the platform check using the "SkipPlatformCheck" argument.



> dism.exe /Apply-Image /ImageFile:flash.ffu /ApplyDrive:\\.\PhysicalDriveN /SkipPlatformCheck




thor2.exe also allows skipping the platform check using the "skip_id_check" argument.



> thor2 -mode uefiflash -ffufile "flash.ffu" -skip_id_check



----------



## TristanLeBoss (May 27, 2016)

*Precautions*

If you plan to play with FFU files, be sure you have your phone's programmer file for the Streaming or Firehose protocol. This file will be needed in the last resort if the phone fails to boot into USB download mode and instead goes into Qualcomm 9008 mode. Even if Windows Mobile doesn't do a complete boot, you may be able to reach the USB download mode and so reflash your original FFU or original image.

So also be sure to have the stock image of your phone (Android or Windows Mobile).


----------



## augustinionut (May 27, 2016)

Thor2 error:
FlashApp returned reported error in SecureFlashResp!
Status: 0x0012, Specifier: 0x00000004
FA_ERR_AUTHENTICATION_REQUIRED
  0xFA000012: Authentication is required to be able to skip integrity and/or signature and/or platform ID check.
If I brick my phone wdrt will be able to flash?

Tristan, no usb mode on lumia 640 xl dualsim.


----------



## TristanLeBoss (May 28, 2016)

augustinionut said:


> Thor2 error:
> FlashApp returned reported error in SecureFlashResp!
> Status: 0x0012, Specifier: 0x00000004
> FA_ERR_AUTHENTICATION_REQUIRED
> ...




The Platform ID check is done by the phone itself. For this reason, no unsigned/invalid code can be flashed. Also, because Secure Boot is enforced on your phone, even if you reach 9008 mode, you won't be able to flash something that's not signed by Microsoft.


----------



## TristanLeBoss (May 28, 2016)

augustinionut said:


> Thor2 error:
> FlashApp returned reported error in SecureFlashResp!
> Status: 0x0012, Specifier: 0x00000004
> FA_ERR_AUTHENTICATION_REQUIRED
> ...




You may want to unlock your phone by registering it as a development phone: https://msdn.microsoft.com/en-us/library/windows/apps/ff769508(v=vs.105).aspx

Maybe the error message just means the only way to flash an unsigned/unverified image is to have a development phone (which is unlocked).

You will need Windows Phone 8.1 (not 8.0): http://stackoverflow.com/questions/30121983/developer-unlock-windows-phone-8-error-code-0x64


----------



## nate0 (May 28, 2016)

TristanLeBoss said:


> You may want to unlock your phone by registering it as a development phone: https://msdn.microsoft.com/en-us/library/windows/apps/ff769508(v=vs.105).aspx
> 
> Maybe the error message just means the only way to flash an unsigned/unverified image is to have a development phone (which is unlocked).
> 
> You will need Windows Phone 8.1 (not 8.0): http://stackoverflow.com/questions/30121983/developer-unlock-windows-phone-8-error-code-0x64




Would there be a way to capture the packet/transfer stream in fiddler or another agent to authenticate outside the phone on its behalf?  Similar to using fiddler when the GUI Windows Recovery Tool is used to give it the Model ID you would like to force download a different FFU than what is for the phone you are flashing. EDIT: Actually scratch that.  Fiddler may not use the correct protocols.  I know it has access to http and https traffic.  Not sure what type of protocol is at the phone <=> FFU image level.

---------- Post added at 04:20 AM ---------- Previous post was at 03:59 AM ----------




TristanLeBoss said:


> My answer to your PM may be useful for everyone. So I copy it here:
> 
> I'm not sure flashing the FFU of the Lumia 950 XL to an Ativ SE will work as is. Indeed they don't use the same SoC. It's possible to install the CAB files (HAL, ...) for the Qualcomm MSM8974AA v2 SoC using ImageApp.exe (from Windows 10) directly on the FFU file:
> 
> ...




This is interesting.  Injecting and removing cab files for the needed qualcomm chip.  Has this been successful from your end TristanLeBoss?  BTW I will be picking up a Nexus 5x tonight after work, I am hoping to find time in the next couple of days to use some of the insight here to attempt an ffu flash.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> Would there be a way to capture the packet/transfer stream in Fiddler or another agent to authenticate outside the phone on its behalf?  Similar to using Fiddler when the GUI Windows Recovery Tool is used to give it the Model ID you would like to force download a different FFU than what is for the phone you are flashing. EDIT: Actually scratch that.  Fiddler may not use the correct protocols.  I know it has access to http and https traffic.  Not sure what type of protocol is at the phone <=> FFU image level.




You will not encounter the problem faced by augustininout: he just has this problem because the Lumia 640 XL is a well locked phone.

I don't really know what this authentication is (the search for both the error code, ID or message doesn't get a lot of answers on Google). I guessed it may be the fact that the phone is not a developer phone. We just need to wait for the poster to let us know what happened after he registered it.

People already tried to fake the conversion from a retail phone to developer phone: unfortunately, the phone only accepts commands signed with a Microsoft certificate. Lumia phones are well secured to prevent flashing and execution of any invalid or uncertified code. Actually, all the checks are done by the phone flash program and the PC only sends the FFU file. When an error like this one occurs, it's the phone that sends it. So, we have no real way to bypass this.

A FFU file contains a platform ID but if you change it, the hash table will be incorrect and so will be the catalog file which signs the hash table.



> This is interesting.  Injecting and removing cab files for the needed qualcomm chip.  Has this been successful from your end TristanLeBoss?  BTW I will be picking up a Nexus 5x tonight after work, I am hoping to find time in the next couple of days to use some of the insight here to attempt an ffu flash.




I don't think the method to test will work (the one with ImageApp.exe sure does) but it's worth the try. Indeed, WIM files which can be normally used with these commands only contain one partition. A FFU file, like a VHD file, contains a whole drive image. I suspect Dism.exe doesn't (yet?) support multiple partitions. Because Windows Mobile has packages which can be installed on any partitions, it can't install them.

Maybe we can explode a FFU file into WIM files (one per partition) and try to deploy the packages this way. Once done, we remerge the WIM files into a FFU file.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> BTW I will be picking up a Nexus 5x tonight after work, I am hoping to find time in the next couple of days to use some of the insight here to attempt an ffu flash.




It's better to get a Nexus 5X because it looks like there is a way to rescue the phone from the infamous 9008 mode:

http://forum.xda-developers.com/nexus-5x/help/req-help-to-unbrick-t3251740

I think the first thing you will want to do is to disable Secure Boot.


----------



## lukjok (May 28, 2016)

Maybe this can be helpful @TristanLeBoss 
Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core


----------



## nate0 (May 28, 2016)

To disable secure boot do you mean deleting sbl1?  I am not aware of an easy way to disable this on a mobile device.  Also is the flash programmer for the 5x msm8992 out there anywhere?  Having a hard time finding.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> To disable secure boot do you mean deleting sbl1?  I am not aware of an easy way to disable this on a mobile device.  Also is the flash programmer for the 5x msm8992 out there anywhere?  Having a hard time finding.




Disable Secure Boot: http://www.droid-life.com/2013/11/04/how-to-unlock-the-nexus-5-bootloader/

Unfortunately, these flash programmers are typically 'signed' by the OEM. In the earlier days, this was not the case and could be used interchangeably, but they are now signed with a hardware ID and revision counter.

Regarding the flash programmer, I don't think you will need it. Of course, you won't be able to use the methods that need it. But, to flash an image, you only need download mode. If somehow you brick the phone, you should be able to reflash the Android system:

http://forum.xda-developers.com/nexus-5x/help/req-help-to-unbrick-t3251740

This program includes the flash programmer (the "8994 dll").

Which version of the Nexus 5X do you have? H791, H790? 16gb or 32gb?


----------



## nate0 (May 28, 2016)

It's the 32gb intl variant. And I just realized too that emmcdl doesn't look for it. Thanks. The 5x has two download modes. The edl mode is the one you're referencing I believe. I validated it comes in on com5 on my laptop in that mode. I'll see how far I get before I leave for work in 1 hour.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> Have you validated the keys exist on current windows phones and if so maybe replicate or extract from one. I own an m8 for windows and am thinking the bootloader being unlocked is the only way of getting near the secureboot partition. Also if the nexus support secureboot most of it might be built in. See requirements. Here. https://msdn.microsoft.com/windows/hardware/drivers/bringup/uefi-requirements-specific-to-windows-mobile




Ok, perfect. The recovery program from the other thread should work if you brick it. Can you go to this URL: http://csmg.lgmobile.com:9002/csmg/b2c/client/auth_model_check2.jsp?esn=353627070501849 (Replace "353627070501849" with your IMEI)? You will find the exact model in the "model" tag of the XML file. Also, is there any http address in the resulting XML file (like in the "sw_url" tag)?


----------



## nate0 (May 28, 2016)

TristanLeBoss said:


> Ok, perfect. The recovery program from the other thread should work if you brick it. Can you go to this URL: http://csmg.lgmobile.com:9002/csmg/b2c/client/auth_model_check2.jsp?esn=353627070501849 (Replace "353627070501849" with your IMEI)? You will find the exact model in the "model" tag of the XML file. Also, is there any http address in the resulting XML file (like in the "sw_url" tag)?




LGH791
No URLs listed for the sw_url tag.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> LGH791
> No URLs listed for the sw_url tag.




Ok, so the LG tool will work if you brick the phone. Indeed, the TOT file is available for the 32gb version of the H791. I'm reassured to know that: I don't want you to kill the phone.

Something awesome would be to convert a FFU file into a TOT file so you can use the LG tool to flash it. Actually, it's probably doable.

But for now, either you explode the FFU file into bin files (using emmcdl -dumpffu) and flash them using fastboot starting from the GPT.

Or you try to remove the sbl1 partition using fastboot and hope the phone goes into 9008 mode and mount the emmc. This way, you can use most methods.

EDIT: It seems you can reboot to edl mode using a simple ADB command:



```
adb reboot edl
```




Some phones will be detected as 9008 + eMMC drive ("Qualcomm MMC Storage USB Device" under "Disk drives" in Windows "Device manager") mounted and some only as 9008. If it's only detected as 9008, we need a flash programmer to use the 9008 mode.


----------



## nate0 (May 28, 2016)

TristanLeBoss said:


> But for now, either you explode the FFU file into bin files (using emmcdl -dumpffu) and flash them using fastboot starting from the GPT.
> 
> Or you try to remove the sbl1 partition using fastboot and hope the phone goes into 9008 mode and mount the emmc. This way, you can use most methods.




Going to try not to kill the phone definitely.  For now I am at work, will take a look at it later tonight.  I have put the phone to edl mode, screen goes black, no lights on, and I think it mounts/connects.  I am going to need to check the next time I plug it in what mounts.  If edl mode is accessible, I will try to succeed with something on that method.  If it fails then dumping the ffu to bin files should result in the amount of parts as described in the flashprogrammer*.xml that is created from emmcdl in prior steps, correct?  I have dumped an xml from two ffu's so far, and I think both displayed 30 disk parts in through the xml code.


----------



## TristanLeBoss (May 28, 2016)

nate0 said:


> Going to try not to kill the phone definitely.  For now I am at work, will take a look at it later tonight.  I have put the phone to edl mode, screen goes black, no lights on, and I think it mounts/connects.  I am going to need to check the next time I plug it in what mounts.  If edl mode is accessible, I will try to succeed with something on that method.  If it fails then dumping the ffu to bin files should result in the amount of parts as described in the flashprogrammer*.xml that is created from emmcdl in prior steps, correct?  I have dumped an xml from two ffu's so far, and I think both displayed 30 disk parts in through the xml code.




Ah ah, you live at the exact opposite of me. My day is already over here.

I greatly updated my previous post: http://forum.xda-developers.com/showpost.php?p=67045151&postcount=18
I am currently researching more information about the flash programmer file and I will update the guide.

The methods (using MiFlash, QFIL, ...) involving the "rawprogram0.xml" are not part of my guide yet as they require the flash programmer so I'm not sure we can use them (unless we find the flash programmer for this phone).

The best would be if your phone can boot in Qualcomm 9008 mode with the eMMC already mounted as a disk drive. If it doesn't, then we will need a flash programmer file...

That's why I thought about another method relying on emmcdl and fastboot: The "emmcdl -dumpffu" command will probably dump 30 raw files (one per partition including the GPT). It's possible that the GPT will be dumped 2 times: it's normal, it's normally at the beginning of the disk and also at the end of it. My idea was to flash them using "fastboot flash" command (see my guide).


----------



## nate0 (May 28, 2016)

Greatly appreciated...I will try and report back with findings, or maybe success...


----------



## TristanLeBoss (May 29, 2016)

Ok, I figured out how to create a TOT file from a FFU file (at least for this phone). I just need to write the tool to do so. Actually, I'm almost done: I just need to code the GPT reader.


----------



## TristanLeBoss (May 30, 2016)

Okay, my FFU reading tool is now complete. I can read the FFU, locate the GPT, read the GPT and extract an untrimmed version of each partition.

I used it against the Xiaomi Mi4 ROM and discovered something interesting: the partition table contains 33 partitions but the FFU only contains data for 19 of them.
I'm thinking that maybe the partition table in the FFU is the same as the one from Android. This way, when the FFU is flashed by the MiFlash tool, the GPT gets replaced but it's replaced by the same one so nothing changes. Then, the data for the 19 partitions is loaded on the device actually replacing the data of these 19 partitions but leaving the 14 others intact...

Maybe this is the key to port Windows Mobile to any Android devices? Keep the same layout and only replace some partitions...


----------



## TristanLeBoss (May 30, 2016)

Here is the partition layout from the Xiaomi Mi4 FFU. The ones with a "->"  in front of their names are the ones which are untouched. I will try to grab the GPT from the Android version of the Xiaomi Mi4 to confront my hypothesis.


```
+-----+------------+------------+--------------------+
|  #  | Start LBA  | End LBA    | Name               |
+-----+------------+------------+--------------------+
|    0|        1024|        2047|SBL1                |
|    1|        2048|        2559|UEFI_BS_NV          |
|    2|        3072|        3583|UEFI_RT_NV          |
|    3|        4096|        8191|UEFI                |
|    4|        8192|       10239|->DDR               |
|    5|       10240|       12287|->SSD               |
|    6|       12288|       14335|PADDING0            |
|    7|       14336|       30719|DPP                 |
|    8|       30720|       30783|DBI                 |
|    9|       31744|       32743|RPM                 |
|   10|       32768|       33767|TZ                  |
|   11|       33792|       34815|WINSECAPP           |
|   12|       34816|       67583|TZAPPS              |
|   13|       67584|       68607|->BACKUP_SBL1       |
|   14|       68608|       68671|->BACKUP_DBI        |
|   15|       69632|       73727|->BACKUP_UEFI       |
|   16|       73728|       74727|->BACKUP_RPM        |
|   17|       74752|       75751|->BACKUP_TZ         |
|   18|       75776|       76799|->BACKUP_WINSECAPP  |
|   19|       76800|      109567|BACKUP_TZAPPS       |
|   20|      109568|      117759|MMOS                |
|   21|      117760|      131071|->PADDING1          |
|   22|      131072|      134143|->MODEM_FS1         |
|   23|      134144|      137215|MODEM_FS2           |
|   24|      137216|      137247|MODEM_FSC           |
|   25|      138240|      154623|PLAT                |
|   26|      154624|      220159|EFIESP              |
|   27|      220160|      262143|->PADDING2          |
|   28|      262144|      265215|->MODEM_FSG         |
|   29|      265216|      491519|->PADDING3          |
|   30|      491520|      524287|->PERSIST           |
|   31|      524288|     5537791|MainOS              |
|   32|     5537792|    20967423|Data                |
+-----+------------+------------+--------------------+
```


----------



## nate0 (May 30, 2016)

TristanLeBoss said:


> Okay, my FFU reading tool is now complete. I can read the FFU, locate the GPT, read the GPT and extract an untrimmed version of each partition.
> 
> I used it against the Xiaomi Mi4 ROM and discovered something interesting: the partition table contains 33 partitions but the FFU only contains data for 19 of them.
> I'm thinking that maybe the partition table in the FFU is the same as the one from Android. This way, when the FFU is flashed by the MiFlash tool, the GPT gets replaced but it's replaced by the same one so nothing changes. Then, the data for the 19 partitions is loaded on the device actually replacing the data of these 19 partitions but leaving the 14 others intact...
> ...




This was my thinking as well.  Good find.

---------- Post added at 07:03 AM ---------- Previous post was at 06:47 AM ----------

I dumped the TOT for the 5x to bin files.  It has 37 bin images.

I am in the process of trying to revive the phone at this point.  I made a mistake of flashing the sbl1 with the dumped sbl1 of the 950 ffu.  Not too worried though as I think if I flash the sbl1 from the 5x back I may revive it.  Do you know where I can find the sbl1 for the 5x? FYI I used emmcdl to send the sbl1, after that I could not write any other binary files due to errors.

---------- Post added at 07:18 AM ---------- Previous post was at 07:03 AM ----------

If I am thinking on this correctly.  The rawprogram xml is what tells the flash programmer how to layout the ffu onto the phone.  On top of that there must be a script that it runs against in order to not wipe out the other partitions, preserving them.  We can confirm this with the mi4 xml file here as each sector lines up with your dump.


```
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="2048" filename="10586.1102.3063.Retail.FFU" label="ffu_image_0" num_partition_sectors="1536" physical_partition_number="0" size_in_KB="768" sparse="false" start_byte_hex="0x80000" start_sector="1024"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="3584" filename="10586.1102.3063.Retail.FFU" label="ffu_image_1" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256" sparse="false" start_byte_hex="0x180000" start_sector="3072"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="4096" filename="10586.1102.3063.Retail.FFU" label="ffu_image_2" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048" sparse="false" start_byte_hex="0x200000" start_sector="4096"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="8192" filename="10586.1102.3063.Retail.FFU" label="ffu_image_3" num_partition_sectors="2304" physical_partition_number="0" size_in_KB="1152" sparse="false" start_byte_hex="0x600000" start_sector="12288"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="10496" filename="10586.1102.3063.Retail.FFU" label="ffu_image_4" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0xf00000" start_sector="30720"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="10752" filename="10586.1102.3063.Retail.FFU" label="ffu_image_5" num_partition_sectors="3584" physical_partition_number="0" size_in_KB="1792" sparse="false" start_byte_hex="0xf80000" start_sector="31744"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="14336" filename="10586.1102.3063.Retail.FFU" label="ffu_image_6" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536" sparse="false" start_byte_hex="0x3400000" start_sector="106496"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="17408" filename="10586.1102.3063.Retail.FFU" label="ffu_image_7" num_partition_sectors="2304" physical_partition_number="0" size_in_KB="1152" sparse="false" start_byte_hex="0x4200000" start_sector="135168"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="19712" filename="10586.1102.3063.Retail.FFU" label="ffu_image_8" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256" sparse="false" start_byte_hex="0x4380000" start_sector="138240"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="20224" filename="10586.1102.3063.Retail.FFU" label="ffu_image_9" num_partition_sectors="14336" physical_partition_number="0" size_in_KB="7168" sparse="false" start_byte_hex="0x43e0000" start_sector="139008"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="34560" filename="10586.1102.3063.Retail.FFU" label="ffu_image_10" num_partition_sectors="20480" physical_partition_number="0" size_in_KB="10240" sparse="false" start_byte_hex="0x4b80000" start_sector="154624"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="55040" filename="10586.1102.3063.Retail.FFU" label="ffu_image_11" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0x55a0000" start_sector="175360"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="55296" filename="10586.1102.3063.Retail.FFU" label="ffu_image_12" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0x0" start_sector="0"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="55552" filename="10586.1102.3063.Retail.FFU" label="ffu_image_13" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256" sparse="false" start_byte_hex="0x3580000" start_sector="109568"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="56064" filename="10586.1102.3063.Retail.FFU" label="ffu_image_14" num_partition_sectors="17152" physical_partition_number="0" size_in_KB="8576" sparse="false" start_byte_hex="0x10000000" start_sector="524288"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="73216" filename="10586.1102.3063.Retail.FFU" label="ffu_image_15" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0x108a0000" start_sector="541952"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="73472" filename="10586.1102.3063.Retail.FFU" label="ffu_image_16" num_partition_sectors="29440" physical_partition_number="0" size_in_KB="14720" sparse="false" start_byte_hex="0x108e0000" start_sector="542464"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="102912" filename="10586.1102.3063.Retail.FFU" label="ffu_image_17" num_partition_sectors="71424" physical_partition_number="0" size_in_KB="35712" sparse="false" start_byte_hex="0x11a20000" start_sector="577792"/>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="174336" filename="10586.1102.3063.Retail.FFU" label="ffu_image_18" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0x13f40000" start_sector="653824"/>.....................
```

How does your tool work exactly.  How does it read the GPT info?  If you can tell me the GPT layout by name for the 5x I might be able to flash just the images needed to boot??  The phone is already in the 9008 mode state at this point.


----------



## TristanLeBoss (May 30, 2016)

nate0 said:


> This was my thinking as well.  Good find.
> 
> ---------- Post added at 07:03 AM ---------- Previous post was at 06:47 AM ----------
> 
> ...




You should be able to revive the phone with the tool I posted earlier: LG UP

http://forum.xda-developers.com/nexus-5x/help/req-help-to-unbrick-t3251740

How did you do to upload the sbl1? "emmcdl -dumpffu flash.ffu sbl1 -o "bins/"" then "emmcdl -p sbl1 "bins/sbl1.bin""? Which flash programmer did you use?
I was not expecting you to use this route because we don't have the flash programmer for the phone 
I mean we do have it but it's part of the LG UP tool; hence the fact I am trying to make a TOT file from a FFU file.
I was more thinking about the "fastboot" way from my guide but I realized later that emmcdl doesn't extract the GPT from the FFU.

Which 950XL rom are you using? If you have a download URL so I can work with it.

I can extract the sbl1 from the TOT file if you want.

Sorry for being not crystal clear


----------



## TristanLeBoss (May 30, 2016)

I just posted a request for the original partition layout of  a Xiaomi Mi4 LTE with stock Android ROM: http://forum.xda-developers.com/mi-4/help/request-partition-table-stock-xiaomi-t3388882

I just want to be sure we are going in the right direction but I think we do 

Regarding the "rawprogram0.xml" file, you're right. I'm not 100% sure but from my understanding, the 9008 mode is just a download mode but you can't download to the eMMC: you can only download something in the memory of the phone. What you actually do is send an eMMC (flash) programmer to the phone memory then the flash programmer gets the control.

There are 3 types of flash programmers: STREAMING, SAHARA and FIREHOSE. Firehose is the one using the rawprogram0.xml file. I disassembled a prog_mbn_firehose.mbn file and I think the XML is sent to the Firehose programmer and it's the Firehose programmer that does all the work asking the PC only to send the data.


----------



## TristanLeBoss (May 30, 2016)

The rawprogram0.xml file contains the information about the GPT.

You need to look for the "<program" line which has " start_sector="0"". It's more likely to be at the end of the XML file.


```
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="3484160" filename="10586.1102.3063.Retail.FFU" label="ffu_image_29" num_partition_sectors="256" physical_partition_number="0" size_in_KB="128" sparse="false" start_byte_hex="0x0" start_sector="0"/>
```

Then, you just have to look for the "file_sector_offset="XXXXX"" attribute. Just multiply the sector by 512 and you get the offset of the GPT in the FFU file. To dump the GPT, just extract (512 + 512 + 128 * 128) bytes from the offset.

My tool just implements the FFU file specification and it's easy to find the location of the GPT because the Data Block instructs to write it at sector 0 (like in the XML). Also, there are 3 GPTs in a FFU file, all their locations are stored in the "_STORE_HEADER" of the FFU file. The one which is of interest is the one pointed by "dwFinalTableIndex".

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/mobile/ffu-image-format
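
The lookup described in this post, as an added Python example (not TristanLeBoss's tool and not part of the original thread): it finds the `<program>` entry with start_sector="0", reads 512 + 512 + 128 * 128 bytes at file_sector_offset * 512, checks the GPT signature and both CRC32 fields before trusting the table, and then lists the partitions that no `<program>` entry writes to, which is the comparison made earlier in the thread. The function names, the `<data>` root element and the tiny sample image are assumptions constructed for the example; the CRC checks come from the GPT format itself, not from the post.

```python
import struct
import xml.etree.ElementTree as ET
import zlib

SECTOR = 512
GPT_DUMP_LEN = 512 + 512 + 128 * 128        # length given in the post
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")   # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")        # 128-byte GPT partition entry


def program_entries(xml_text):
    """Parse the <program> elements of a rawprogram0.xml into dicts of ints."""
    keys = ("file_sector_offset", "num_partition_sectors", "start_sector")
    return [{k: int(p.get(k)) for k in keys}
            for p in ET.fromstring(xml_text).iter("program")]


def gpt_file_offset(programs):
    """Byte offset inside the FFU of the chunk that is written to sector 0."""
    hits = [p for p in programs if p["start_sector"] == 0]
    if len(hits) != 1:
        raise ValueError("expected exactly one <program> with start_sector=0")
    return hits[0]["file_sector_offset"] * SECTOR


def parse_gpt(dump):
    """Check a GPT dump (MBR + header + entries); return [(first, last, name)]."""
    if len(dump) < SECTOR + HDR.size:
        raise ValueError("dump too short for a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last, _guid,
     ent_lba, ent_count, ent_size, ent_crc) = HDR.unpack_from(dump, SECTOR)
    if sig != b"EFI PART" or not HDR.size <= hdr_size <= SECTOR:
        raise ValueError("no valid GPT header at sector 1")
    raw = bytearray(dump[SECTOR:SECTOR + hdr_size])
    raw[16:20] = bytes(4)                   # CRC is computed with its own field zeroed
    if zlib.crc32(bytes(raw)) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    start = ent_lba * SECTOR
    end = start + ent_count * ent_size
    if ent_size != ENT.size or end > len(dump):   # only 128-byte entries handled
        raise ValueError("partition entry array does not fit in the dump")
    if zlib.crc32(dump[start:end]) != ent_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for off in range(start, end, ent_size):
        type_guid, _uid, first, last, _attr, name = ENT.unpack_from(dump, off)
        if type_guid != bytes(16):          # all-zero type GUID = unused slot
            label = name.decode("utf-16-le", "replace").split("\0")[0]
            parts.append((first, last, label))
    return parts


def untouched(parts, programs):
    """Names of GPT partitions that no <program> write range overlaps."""
    writes = [(p["start_sector"], p["start_sector"] + p["num_partition_sectors"] - 1)
              for p in programs]
    return [name for first, last, name in parts
            if not any(ws <= last and first <= we for ws, we in writes)]


def read_gpt(ffu, xml_text):
    """Locate the GPT chunk through the XML, then parse it out of the FFU bytes."""
    programs = program_entries(xml_text)
    off = gpt_file_offset(programs)
    dump = ffu[off:off + GPT_DUMP_LEN]
    if len(dump) != GPT_DUMP_LEN:
        raise ValueError("FFU ends before the GPT chunk the XML points at")
    return parse_gpt(dump), programs


def build_sample():
    """Constructed stand-in for an FFU payload and its XML (not real image data)."""
    layout = [(64, 71, "SBL1"), (72, 79, "DDR"), (80, 87, "PADDING0")]
    entries = b"".join(
        ENT.pack(b"\x01" * 16, bytes([i + 1]) * 16, f, l, 0, n.encode("utf-16-le"))
        for i, (f, l, n) in enumerate(layout)).ljust(128 * ENT.size, b"\0")
    fields = [b"EFI PART", 0x10000, HDR.size, 0, 0, 1, 1023, 34, 990,
              b"\x02" * 16, 2, 128, ENT.size, zlib.crc32(entries)]
    fields[3] = zlib.crc32(HDR.pack(*fields))
    gpt = bytes(SECTOR) + HDR.pack(*fields).ljust(SECTOR, b"\0") + entries
    # 4 sectors standing in for FFU headers, two 8-sector payloads, then the GPT
    ffu = b"\xff" * 4 * SECTOR + b"S" * 8 * SECTOR + bytes(8 * SECTOR) + gpt
    xml_text = """<data>
      <program file_sector_offset="4" num_partition_sectors="8" start_sector="64"/>
      <program file_sector_offset="12" num_partition_sectors="8" start_sector="80"/>
      <program file_sector_offset="20" num_partition_sectors="34" start_sector="0"/>
    </data>"""
    return ffu, xml_text


if __name__ == "__main__":
    ffu, xml_text = build_sample()
    parts, programs = read_gpt(ffu, xml_text)
    skipped = untouched(parts, programs)
    for first, last, name in parts:
        print(f"{first:>10} {last:>10} {'->' if name in skipped else '  '}{name}")
```

For a real image, pass the bytes of the FFU file and the text of its rawprogram0.xml to `read_gpt` in place of the constructed sample.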


----------



## nate0 (May 30, 2016)

TristanLeBoss said:


> You should be able to revive the phone with the tool I posted earlier: LG UP
> 
> http://forum.xda-developers.com/nexus-5x/help/req-help-to-unbrick-t3251740
> 
> ...




No Worries TristanLeBoss.  Consider this my own endeavor.  I used the 950 ROM  RM1104_1078.0038.10586.13080.12745.033045_retail_prod_signed.ffu dumped into bin chunks and sent sbl1 with emmcdl using the flash programmer for the same MSM8992 of another phone, probably why I did not get as far. Used command emmcdl emmcdl -p COM10 -f prog_emmc_firehose_8992_ddr.mbn  SBL1 c:\path_to_sbl1.bin\sbl1.bin.  I am game for this, this is not my only phone, and I am willing to work on it to see it come together.

Though I have not gone very far into working with the LGUP commands I am unable to get to the LG FW download mode....I just saw your last post via email.  Curious... can you do this in reverse??? If you are able to get your convert for the 5x a tot file into FFU file, then that would be another workaround for reviving the LG phone from a bricked state such as the qualcomm diag and download modes.  Would just need the actual flash programmer file for it.

---------- Post added at 08:16 AM ---------- Previous post was at 07:49 AM ----------




TristanLeBoss said:


> I just posted a request for the original partition layout of  a Xiaomi Mi4 LTE with stock Android ROM: http://forum.xda-developers.com/mi-4/help/request-partition-table-stock-xiaomi-t3388882
> 
> I just want to be sure we are going in the right direction but I think we do
> 
> ...






TristanLeBoss said:


> The rawprogram0.xml file contains the information about the GPT.
> 
> You need to look for the "<program" line which has " start_sector="0"". It's more likely to be at the end of the XML file.
> 
> ...




This is very good for other troubleshooting and potentially more.  

Along the lines of tot and ffu files...Do you think you will be able to have conversion from ffu to tot?  If so I could try to reflash the sbl1 for the 5x back to revive the phone if you could extract it, and or I will work at getting it back to booting again one way or another if the re-flash does not work.

Additionally I tried the solution here  to unbrick it, but no luck yet.  I will inform back if this solution ends up being of any use. 

Lastly I am wondering now if there is a way to dump what would be a rawprogram0.xml from the tot file?


----------



## TristanLeBoss (May 30, 2016)

nate0 said:


> This is very good for other troubleshooting and potentially more.
> 
> Along the lines of tot and ffu files...Do you think you will be able to have conversion from ffu to tot?  If so I could try to reflash the sbl1 for the 5x back to revive the phone if you could extract it, and or I will work at getting it back to booting again one way or another if the re-flash does not work.
> 
> ...




I will extract the SBL1 partition from the TOT file found on the LG UP thread for the H791 32GB. Then, you can always try to reflash to the phone using 9008 mode and the 8992 flasher. This way we will quickly know if the programmer works or not.
Didn't you get an error message when you first send the sbl1 file?

Yes, FFU to TOT is almost done. For this phone, generating a rawprogram0.xml for a TOT file should also be possible. I will see what I can do. But first I will dump the SBL1.


----------



## nate0 (May 30, 2016)

TristanLeBoss said:


> I will extract the SBL1 partition from the TOT file found on the LG UP thread for the H791 32GB. Then, you can always try to reflash to the phone using 9008 mode and the 8992 flasher. This way we will quickly know if the programmer works or not.
> Didn't you get an error message when you first send the sbl1 file?
> 
> Yes, FFU to TOT is almost done. For this phone, generating a rawprogram0.xml for a TOT file should also be possible. I will see what I can do. But first I will dump the SBL1.




At first I got an error. This programmer I found is for the mi4c, I also have one for the Lenovo device using 8992 soc.  It works only for the sbl1 file, most likely due to the layout being same on all devices for sbl1.


----------



## TristanLeBoss (May 30, 2016)

Hum, the TOT file doesn't contain the SBL1 partition. It only contains 4 partitions: modem, boot, recovery, system. It's probably more an update package.

I found factory images of Google Nexus here:

https://developers.google.com/android/nexus/images#bullhead

Does any of the versions listed on this page says something to you?

And I also found a tweet saying the "bootloader.img includes many low-level partitions: sbl1 (bootloader), tz, rpm, aboot, pmic, hyp, keymaster, cmnlib, sdi, imgdata, sec.".

This "bootloader.img" is in the zip file from the Google pages.

https://twitter.com/copperheadsec/status/699889806088675328

It's easy to extract sbl1 from the bootloader.img


----------



## nate0 (May 30, 2016)

Downloading the 6.0.1 (MTC19T) Image from google.  Take a look at the primary gpt dump bin file from the tot of the Lg5x.  This might be your map of the partitions.  I have attached it here.  I see 46 partitions though. So those others might be protected partitions...


----------



## TristanLeBoss (May 30, 2016)

nate0 said:


> No Worries TristanLeBoss.  Consider this my own endeavor.  I used the 950 ROM  RM1104_1078.0038.10586.13080.12745.033045_retail_prod_signed.ffu dumped into bin chunks and sent sbl1 with emmcdl using the flash programmer for the same MSM8992 of another phone, probably why I did not get as far. Used command emmcdl emmcdl -p COM10 -f prog_emmc_firehose_8992_ddr.mbn  SBL1 c:\path_to_sbl1.bin\sbl1.bin.  I am game for this, this is not my only phone, and I am willing to work on it to see it come together.
> 
> Though I have not gone very far into working with the LGUP commands I am unable to get to the LG FW download mode....I just saw your last post via email.  Curious... can you do this in reverse??? If you are able to get your convert for the 5x a tot file into FFU file, then that would be another workaround for reviving the LG phone from a bricked state such as the qualcomm diag and download modes.  Would just need the actual flash programmer file for it.


There is another method using another LG program: http://forum.xda-developers.com/showpost.php?p=63969457&postcount=10

You may also want to try the MiFlash tool which is able to work with 9008 mode...

I downloaded all stock images from the Google page and extracted them all to discover there were only 3 unique bootloader.img files.

I then proceeded to extract the partitions included in each file.

You will find everything in the ZIP file. Hope it helps.


----------



## TristanLeBoss (May 30, 2016)

nate0 said:


> Downloading the 6.0.1 (MTC19T) Image from Google.  Take a look at the primary gpt dump bin file from the tot of the Lg5x.  This might be your map of the partitions.  I have attached it here.  I see 46 partitions though. So those others might be protected partitions...


This file exactly matches the one from the TOT file.

The bootloader.img already contains 11 of these partitions; probably the most important ones.


----------



## nate0 (May 30, 2016)

TristanLeBoss said:


> There is another method using another LG program: http://forum.xda-developers.com/showpost.php?p=63969457&postcount=10
> 
> You may also want to try the MiFlash tool which is able to work with 9008 mode...
> 
> ...


Perfect.  Thank you.


----------



## TristanLeBoss (May 30, 2016)

Xiaomi Mi4 FFU file partitions:

Out of the 19 partitions which contain data in the FFU, 6 of them are empty partitions (the data in the FFU is only zeroes).
We end up with 13 partitions really containing data.

"SBL1" is a Qualcomm Secure Boot file
-> "UEFI_BS_NV" is an empty partition
-> "UEFI_RT_NV" is an empty partition
"UEFI" is an unknown partition/file (first 16 bytes: 05000000030000000000000000002000)
-> "PADDING0" is an empty partition
"DPP" is a FAT partition
"DBI" is an unknown partition/file (first 16 bytes: 1e0000000300000000000000000080fe)
"RPM" is an Executable and Linkable Format (ELF) file
"TZ" is an Executable and Linkable Format (ELF) file
"WINSECAPP" is an Executable and Linkable Format (ELF) file
"TZAPPS" is a FAT partition
-> "BACKUP_TZAPPS" is an empty partition
-> "MODEM_FS2" is an empty partition
-> "MODEM_FSC" is an empty partition
"PLAT" is a FAT partition
"EFIESP" is a FAT partition
"MMOS" is a FAT partition
"MainOS" is an NTFS partition
"Data" is an NTFS partition

If the partition layout from Windows Mobile matches the one from Android (as I speculate), the fact that these partitions are empty but part of the FFU data means that their content is meant to be erased when switching from Android to Windows Mobile.

I just asked for the partition layout on the Mi4 official forum: http://en.miui.com/thread-287522-1-1.html


----------



## TristanLeBoss (May 31, 2016)

Ok, here are the final findings: the partition layout is not the same on Android and Windows Phone. But some partitions have the same starting LBA, ending LBA and size, so they are at the same location and have the same size in both partition layouts. Because the FFU doesn't contain data blocks to write to these partitions, we can assume they stay intact during the update from Android to Windows Mobile.

This way I found out that 5 partitions are kept from Android, 13 are written with data and 6 are nulled (content is all zeroes):


```
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
|  #  | Start LBA | End LBA   | Size   | Name            | In FFU  | Status            |
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
|    0|       1024|       2047|    1024|SBL1             |   Yes   | Written           |
|    1|       2048|       2559|     512|UEFI_BS_NV       |   Yes   | Nulled            |
|    2|       3072|       3583|     512|UEFI_RT_NV       |   Yes   | Nulled            |
|    3|       4096|       8191|    4096|UEFI             |   Yes   | Written           |
|    4|       8192|      10239|    2048|DDR              |         | Kept from Android |
|    5|      10240|      12287|    2048|SSD              |         | Kept from Android |
|    6|      12288|      14335|    2048|PADDING0         |   Yes   | Nulled            |
|    7|      14336|      30719|   16384|DPP              |   Yes   | Written           |
|    8|      30720|      30783|      64|DBI              |   Yes   | Written           |
|    9|      31744|      32743|    1000|RPM              |   Yes   | Written           |
|   10|      32768|      33767|    1000|TZ               |   Yes   | Written           |
|   11|      33792|      34815|    1024|WINSECAPP        |   Yes   | Written           |
|   12|      34816|      67583|   32768|TZAPPS           |   Yes   | Written           |
|   13|      67584|      68607|    1024|BACKUP_SBL1      |         |                   |
|   14|      68608|      68671|      64|BACKUP_DBI       |         |                   |
|   15|      69632|      73727|    4096|BACKUP_UEFI      |         |                   |
|   16|      73728|      74727|    1000|BACKUP_RPM       |         |                   |
|   17|      74752|      75751|    1000|BACKUP_TZ        |         |                   |
|   18|      75776|      76799|    1024|BACKUP_WINSECAPP |         |                   |
|   19|      76800|     109567|   32768|BACKUP_TZAPPS    |   Yes   | Nulled            |
|   20|     109568|     117759|    8192|MMOS             |   Yes   | Written           |
|   21|     117760|     131071|   13312|PADDING1         |         |                   |
|   22|     131072|     134143|    3072|MODEM_FS1        |         | Kept from Android |
|   23|     134144|     137215|    3072|MODEM_FS2        |   Yes   | Nulled            |
|   24|     137216|     137247|      32|MODEM_FSC        |   Yes   | Nulled            |
|   25|     138240|     154623|   16384|PLAT             |   Yes   | Written           |
|   26|     154624|     220159|   65536|EFIESP           |   Yes   | Written           |
|   27|     220160|     262143|   41984|PADDING2         |         |                   |
|   28|     262144|     265215|    3072|MODEM_FSG        |         | Kept from Android |
|   29|     265216|     491519|  226304|PADDING3         |         |                   |
|   30|     491520|     524287|   32768|PERSIST          |         | Kept from Android |
|   31|     524288|    5537791| 5013504|MainOS           |   Yes   | Written           |
|   32|    5537792|   20967423|15429632|Data             |   Yes   | Written           |
+-----+-----------+-----------+--------+-----------------+---------+-------------------+
```


----------



## TristanLeBoss (May 31, 2016)

Flashing the Nokia Lumia 950XL FFU as-is to another phone will probably not work: we need to craft a special FFU (or a GPT + bin files) which allows preserving (DDR, SSD, MODEM_FS1 ("modemst1" on Android), MODEM_FSG ("fsg" on Android), PERSIST) from Android.


----------



## nate0 (May 31, 2016)

TristanLeBoss said:


> Flashing the Nokia Lumia 950XL FFU as-is to another phone will probably not work: we need to craft a special FFU (or a GPT + bin files) which allows preserving (DDR, SSD, MODEM_FS1 ("modemst1" on Android), MODEM_FSG ("fsg" on Android), PERSIST) from Android.


The FFU is just the lock and key of the data though, isn't it?  Maybe the programming of the xml and flashprogrammer would be simpler?  Thoughts...?


----------



## TristanLeBoss (May 31, 2016)

I'm also done identifying each partition:


```
"SBL1" is a SBL (Secondary Boot Loader) file with a 80 bytes header

Codeword[4]: d1dc4b84
Magic[4]: 3410d773
Image ID[4]: 15000000 (SBL1_IMG)
Reserved 1[4]: ffffffff
Reserved 2[4]: ffffffff
Image source[4]: 50000000
Image destination pointer[4]: 00c000f8
Image size[4]: f8480400
Code size[4]: f8480400
Signature pointer[4]: f80805f8
Signature size[4]: 00000000
Certificate chain pointer[4]: f80805f8
Certificate chain size[4]: 00000000
OEM root certificate selected[4]: 01000000
OEM number of root certificates[4]: 01000000
Reserved 5[4]: ffffffff
Reserved 6[4]: ffffffff
Reserved 7[4]: ffffffff
Reserved 8[4]: ffffffff
Reserved 9[4]: ffffffff

"UEFI_BS_NV" is an empty partition

"UEFI_RT_NV" is an empty partition

"UEFI" is an ARM binary file with a 40 bytes header

Image ID[4]: 05000000 (APPSBL_IMG)
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 00002000
Image size[4]: 00800d00
Code size[4]: 00800d00
Signature pointer[4]: 00802d00
Signature size[4]: 00000000
Certificate chain pointer[4]: 00802d00
Certificate chain size[4]: 00000000

"PADDING0" is an empty partition

"DPP" is a FAT partition

"DBI" is an ARM binary file with a 40 bytes header

Image ID[4]: 1e000000
Flash partition version[4]: 03000000
Image source[4]: 00000000
Image destination pointer[4]: 000080fe
Image size[4]: 982d0000
Code size[4]: 982d0000
Signature pointer[4]: 982d80fe
Signature size[4]: 00000000
Certificate chain pointer[4]: 982d80fe
Certificate chain size[4]: 00000000

"RPM" is an ARM ELF (Executable and Linkable Format) file

Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 91001000
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"TZ" is an ARM ELF (Executable and Linkable Format) file

Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 000081fe
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 1000
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"WINSECAPP" is an ARM ELF (Executable and Linkable Format) file

Magic[16]: 7f454c46010101000000000000000000
Type[2]: 0200 (ET_EXEC [Executable file])
Machine[2]: 2800 (EM_ARM [Advanced RISC Machines ARM])
Version[4]: 01000000
Entry point address[4]: 0090fe07
Start of program headers[4]: 34000000
Start of section headers[4]: 00000000
Flags[4]: 02000005
Size of this header[2]: 3400
Size of program headers[2]: 2000
Number of program headers[2]: 0400
Size of section headers[2]: 2800
Number of section headers[2]: 0000
Section header string table index[2]: 0000

"TZAPPS" is a FAT partition

"BACKUP_TZAPPS" is an empty partition

"MODEM_FS2" is an empty partition

"MODEM_FSC" is an empty partition

"PLAT" is a FAT partition

"EFIESP" is a FAT partition

"MMOS" is a FAT partition

"MainOS" is a NTFS partition
-> Boot sector backup at offset 2566913536 match the boot sector from sector 0

"Data" is a NTFS partition
-> Boot sector backup at offset 7899971072 match the boot sector from sector 0
```


----------
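The identification done by hand in the post above can be scripted. The following is an added example, not part of the original post and not the author's tool: it classifies the start of a partition dump as empty, ELF, NTFS, FAT, an 80-byte SBL header or a 40-byte image header, using the header bytes quoted in the post as input. The function names and the layout consistency rule (signature pointer = destination + code size, and so on, which holds for the three headers quoted) are assumptions of this example.

```python
import struct

# Header bytes exactly as quoted in the post above (hex, in file order).
SBL1_HDR = bytes.fromhex(
    "d1dc4b84 3410d773 15000000 ffffffff ffffffff 50000000 00c000f8"
    " f8480400 f8480400 f80805f8 00000000 f80805f8 00000000 01000000"
    " 01000000" + " ffffffff" * 5)
UEFI_HDR = bytes.fromhex(
    "05000000 03000000 00000000 00002000 00800d00"
    " 00800d00 00802d00 00000000 00802d00 00000000")
RPM_EHDR = bytes.fromhex(
    "7f454c46010101000000000000000000 0200 2800 01000000 91001000"
    " 34000000 00000000 02000005 3400 2000 0400 2800 0000 0000")

SBL_MAGIC = (0x844BDCD1, 0x73D71034)                 # codeword, magic (little-endian)
IMAGE_IDS = {0x15: "SBL1_IMG", 0x05: "APPSBL_IMG"}   # names given in the post

MBN40 = ("image_id", "flash_partition_version", "image_src", "image_dest_ptr",
         "image_size", "code_size", "sig_ptr", "sig_size",
         "cert_chain_ptr", "cert_chain_size")
SBL80 = ("codeword", "magic", "image_id", "reserved1", "reserved2", "image_src",
         "image_dest_ptr", "image_size", "code_size", "sig_ptr", "sig_size",
         "cert_chain_ptr", "cert_chain_size", "oem_root_cert_sel",
         "oem_num_root_certs")


def _layout_ok(h):
    """Internal consistency of the size/pointer fields (assumed rule, see lead-in)."""
    mask = 0xFFFFFFFF
    return (h["code_size"] > 0
            and h["image_size"] == h["code_size"] + h["sig_size"] + h["cert_chain_size"]
            and h["sig_ptr"] == (h["image_dest_ptr"] + h["code_size"]) & mask
            and h["cert_chain_ptr"] == (h["sig_ptr"] + h["sig_size"]) & mask)


def _describe(kind, h):
    """Add derived fields to a parsed image header."""
    return dict(h, kind=kind,
                image_name=IMAGE_IDS.get(h["image_id"]),
                layout_ok=_layout_ok(h),
                has_signature=bool(h["sig_size"] or h["cert_chain_size"]))


def identify(data):
    """Classify the first bytes of a partition dump."""
    if not any(data):
        return {"kind": "empty"}
    if data[:4] == b"\x7fELF" and len(data) >= 52:
        f = struct.unpack_from("<16sHHIIIIIHHHHHH", data)   # ELF32 file header
        return {"kind": "elf", "type": f[1], "machine": f[2],
                "entry": f[4], "phoff": f[5], "phnum": f[10]}
    if data[3:11] == b"NTFS    ":
        return {"kind": "ntfs"}
    if (len(data) >= 512 and data[510:512] == b"\x55\xaa"
            and (data[54:57] == b"FAT" or data[82:85] == b"FAT")):
        return {"kind": "fat"}
    if len(data) >= 80:
        words = struct.unpack_from("<20I", data)
        if words[:2] == SBL_MAGIC:
            return _describe("sbl", dict(zip(SBL80, words)))
    if len(data) >= 40:
        h = dict(zip(MBN40, struct.unpack_from("<10I", data)))
        if _layout_ok(h):
            return _describe("mbn40", h)
    # Same fallback the post uses for unknown data: show the first 16 bytes.
    return {"kind": "unknown", "first16": data[:16].hex()}


if __name__ == "__main__":
    for name, blob in (("SBL1", SBL1_HDR), ("UEFI", UEFI_HDR),
                       ("RPM", RPM_EHDR), ("PADDING0", bytes(512))):
        info = identify(blob)
        print(name, info["kind"],
              {k: hex(v) for k, v in info.items() if isinstance(v, int)
               and not isinstance(v, bool)})
```

For real dumps, pass at least the first 512 bytes of each partition file so the FAT and NTFS checks can see the boot sector.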



## TristanLeBoss (May 31, 2016)

nate0 said:


> The FFU is just the lock and key of the data though, isn't it?  Maybe the programming of the xml and flashprogrammer would be simpler?  Thoughts...?


Yes, the FFU is just one type of container (TOT is another one). But we can of course create a GPT + BIN files to flash with a rawprogram0.xml, or fastboot...

Actually, it depends on how we can flash something on the Nexus 5x...


----------



## nate0 (Jun 1, 2016)

Does the below have any meaning to you?  It looks like it is not reading my sbl version.  Which is not good still.  I blanked out two of the fields for my own good...


```
C:\Users\nate0\Documents\platform-tools\Windows\Flash\test\windows>emmcdl.exe -p COM1 -info
Version 2.15
SerialNumber: -
MSM_HW_ID: 0x009690e1
OEM_PK_HASH: -
SBL SW Version: 0x00000000
Status: 0 The operation completed successfully.
```

The good thing is that the board is readable.


----------



## TristanLeBoss (Jun 1, 2016)

nate0 said:


> Does the below have any meaning to you.  It looks like it is not reading my sbl version.  Which is not good still.  I blanked out two of the fields for my own good...
> 
> ...


Can you try these commands:


```
emmcdl -p COM1 -gpt
```

Dump the GPT from the connected device so we can check if the GPT is intact and has not been damaged.


```
emmcdl -p COM1 -f prog_emmc_firehose_8994_lite.mbn -d SBL1 -o SBL1_from_Phone.bin
```

Dump the SBL1 partition from the connected device so we can check if the SBL1 partition is intact and has been written correctly. This way we can check if the flash programmer you used works.


----------
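Checking whether a dumped GPT is intact, as the post above proposes, comes down to the "EFI PART" signature, two CRC32 values and sane LBA ranges. This is an added example, not part of the original posts and not emmcdl's own code; it assumes a raw dump that starts at LBA 0 with 512-byte sectors, and `check_gpt`, `build_gpt`, `TOTAL_SECTORS` and the sample image are constructed for illustration from the first rows of the Mi4 layout table posted earlier.

```python
import struct
import zlib

SECTOR = 512                      # SECTOR_SIZE reported by emmcdl in this thread
HDR_FMT = "<8sIIIIQQQQ16sQIII"    # 92-byte GPT header
ENT_FMT = "<16s16sQQQ72s"         # 128-byte partition entry

# First rows of the Mi4 layout table posted earlier in the thread.
MI4_PARTS = [("SBL1", 1024, 2047), ("UEFI_BS_NV", 2048, 2559),
             ("UEFI_RT_NV", 3072, 3583), ("UEFI", 4096, 8191),
             ("DDR", 8192, 10239)]
TOTAL_SECTORS = 20967458          # constructed value: room after "Data" for a backup GPT


def build_gpt(parts, total_sectors, num_entries=128):
    """Construct a sample LBA 0..33 image (protective MBR + primary GPT)."""
    entries = b"".join(
        struct.pack(ENT_FMT, b"\x11" * 16, bytes([i + 1]) * 16, first, last, 0,
                    name.encode("utf-16-le").ljust(72, b"\0"))
        for i, (name, first, last) in enumerate(parts))
    entries = entries.ljust(num_entries * 128, b"\0")

    def header(crc):
        return struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, crc, 0,
                           1, total_sectors - 1, 34, total_sectors - 34,
                           b"\x22" * 16, 2, num_entries, 128, zlib.crc32(entries))

    hdr = header(zlib.crc32(header(0)))        # CRC is taken with its own field zeroed
    mbr = bytearray(SECTOR)
    mbr[450] = 0xEE                            # partition type of the protective entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + hdr.ljust(SECTOR, b"\0") + entries


def check_gpt(image):
    """Return (problems, partitions) for a raw dump starting at LBA 0."""
    problems, parts = [], []
    if len(image) < 2 * SECTOR:
        return ["image shorter than two sectors"], parts
    if image[510:512] != b"\x55\xaa" or image[450] != 0xEE:
        problems.append("no protective MBR at LBA 0")
    (sig, _rev, hsize, hcrc, _res, cur, _backup, first_u, last_u, _guid,
     ent_lba, count, esize, ecrc) = struct.unpack(HDR_FMT, image[SECTOR:SECTOR + 92])
    if sig != b"EFI PART":
        problems.append("no 'EFI PART' signature at LBA 1")
        return problems, parts
    if not 92 <= hsize <= SECTOR:
        problems.append("implausible header size")
        return problems, parts
    hdr = bytearray(image[SECTOR:SECTOR + hsize])
    hdr[16:20] = b"\0\0\0\0"
    if zlib.crc32(hdr) != hcrc:
        problems.append("header CRC32 mismatch")
    if cur != 1:
        problems.append("header does not describe LBA 1")
    start, end = ent_lba * SECTOR, ent_lba * SECTOR + count * esize
    if esize < 128 or count > 1024 or end > len(image):
        problems.append("partition entry array missing or truncated")
        return problems, parts
    array = image[start:end]
    if zlib.crc32(array) != ecrc:
        problems.append("partition entry array CRC32 mismatch")
    for i in range(count):
        type_guid, _uid, first, last, _attr, raw = struct.unpack_from(
            ENT_FMT, array, i * esize)
        if type_guid == bytes(16):             # unused slot
            continue
        name = raw.decode("utf-16-le", errors="replace").split("\0")[0]
        parts.append((name, first, last))
    prev = None
    for p in sorted(parts, key=lambda p: p[1]):
        if not first_u <= p[1] <= p[2] <= last_u:
            problems.append(f"{p[0]}: LBA range outside usable area")
        if prev and p[1] <= prev[2]:
            problems.append(f"{p[0]} overlaps {prev[0]}")
        prev = p
    return problems, parts


if __name__ == "__main__":
    problems, parts = check_gpt(build_gpt(MI4_PARTS, TOTAL_SECTORS))
    print("problems:", problems or "none")
    for name, first, last in parts:
        print(f"{name:<12} {first:>8} {last:>8}")
```

An all-zero dump fails at the signature check, which corresponds to the "No valid GPT found" result reported later in the thread.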



## nate0 (Jun 1, 2016)

TristanLeBoss said:


> Can you try these commands:
> 
> ...


I am realizing now what events took place now.  I never was able to write over or erase the sbl1 from emmcdl in Emergency mode even though I could put the phone in edl mode from fastboot, I actually pushed the SDL1.bin from fastboot.  Then tried to push other images to the other partitions manually.  It was kinda late at night so I did not remember at first.  Then when the phone got stuck in EDL mode I attempted to use the 3 or 4 different flash programmers to send the sdl1 back or do other functions.  None have succeeded.  All fail and I believe since the programmer is not the correct one needed.  Any command I run with the current programmers does not succeed.  See below as all give same or similar output.  They try to run but the phone ends up timing out or disconnecting, because I have to reconnect it to the cable or reboot it to get it to respond normally again

GPT Check:

```
C:\Users\nate0\Documents\platform-tools\Windows\Flash\test\windows>emmcdl -p COM1 -gpt
Version 2.15
Finding all devices in emergency download mode...
Qualcomm HS-USB QDLoader 9008 (COM1)

Finding all disks on computer ...
0. \\.\PhysicalDrive0  Size: 305245MB, (625142448 sectors), size: 512 Mount:C:, Name:[]
\\.\PhysicalDrive1
No valid GPT found
Status: 13 The data is invalid.
```

Attempt Dump of GPT:

```
C:\Users\nate0\Documents\platform-tools\Windows\Flash\test\windows>emmcdl -p COM1 -f prog_emmc_firehose_8994_lite.mbn -d SBL1 -o SBL1_from_Phone.bin
Version 2.15
Downloading flash programmer: prog_emmc_firehose_8994_lite.mbn
Successfully open flash programmer to write: prog_emmc_firehose_8994_lite.mbn
Waiting for flash programmer to boot
Dumping data to file SBL1_from_Phone.bin
Dumping at start sector: 0 for sectors: 0 to file: SBL1_from_Phone.bin

Programming device using SECTOR_SIZE=512

<?xml version = "1.0" ?><data><configure MemoryName="emmc" ZLPAwareHost="1" SkipStorageInit="0" SkipWrite="0" MaxPayloadSizeToTargetInBytes="1048576"/></data>
ERROR: No response to configure packet

Status: 21 The device is not ready.
```

The GPT is invalid.  I did not notice this before, so I changed the port number and see it now as physical drive41:

```
C:\Users\nate0\Desktop\8675_W00\8675_W00>emmcdl -p COM41 -gpt
Version 2.15
Finding all devices in emergency download mode...
Qualcomm HS-USB QDLoader 9008 (COM41)

Finding all disks on computer ...
0. \\.\PhysicalDrive0  Size: 305245MB, (625142448 sectors), size: 512 Mount:C:, Name:[]
\\.\PhysicalDrive41
No valid GPT found
Status: 13 The data is invalid.
```


----------



## TristanLeBoss (Jun 1, 2016)

nate0 said:


> I am realizing now what events took place now.  I never was able to write over or erase the sbl1 from emmcdl in Emergency mode even though I could put the phone in edl mode from fastboot, I actually pushed the SDL1.bin from fastboot.  Then tried to push other images to the other partitions manually.  It was kinda late at night so I did not remember at first.  Then when the phone got stuck in EDL mode I attempted to use the 3 or 4 different flash programmers to send the sdl1 back or do other functions.  None have succeeded.  All fail and I believe since the programmer is not the correct one needed.  Any command I run with the current programmers does not succeed.  See below as all give same or similar output.  They try to run but the phone ends up timing out or disconnecting, because I have to reconnect it to the cable or reboot it to get it to respond normally again
> 
> GPT Check:
> C:\Users\nate0\Documents\platform-tools\Windows\Flash\test\windows>emmcdl -p COM1 -gpt
> ...


Can you try this tool and see if the "Restore/Upgrade/Download" option works?

http://www.wugfresh.com/nrt/

To be sure the programmer doesn't work, you can try to use these tools (and especially QFIL from Qualcomm; the method #2):

https://boycracked.com/2015/06/03/unbrick-lenovo-a6000/

Indeed, they both use a flash programmer and a rawprogram0.xml + BIN files.  I think if the flash programmers you have don't work, QFIL (the official tool from Qualcomm) should somehow complain.

Can you also try this:

http://forum.xda-developers.com/nexus-5x/general/lg-nexus-5x-download-mode-t3237490


----------



## TristanLeBoss (Jun 2, 2016)

Ok, I created a rawprogram0.xml using the TOT file and the files from the bootloader.img (part of the Google packages).

Unzip and put the TOT file (LGH791AT-00-V10f-NXS-XXX-OCT-03-2015-32G-MDA89E-US.tot) from the other thread in the same folder.

There is also a simpler version which only uses files from the bootloader.img: I think it's best to start with this one as - if it works - it should restore the boot.


----------



## nate0 (Jun 2, 2016)

TristanLeBoss said:


> Ok, I created a rawprogram0.xml using the TOT file and the files from the bootloader.img (part of the Google packages).
> 
> Unzip and put the TOT file (LGH791AT-00-V10f-NXS-XXX-OCT-03-2015-32G-MDA89E-US.tot) from the other thread in the same folder.


Taking a look...
Any specific way to flash?  Pulling my hair out trying different flashers, some give different errors at times, but honestly the phone seems to time out from time to time and I have to reset it holding the power button in for like 15 sec.


----------



## TristanLeBoss (Jun 3, 2016)

nate0 said:


> Taking a look...
> Any specific way to flash?  Pulling my hair out trying different flashers, some give different errors at times, but honestly the phone seems to time out time to time and I have to reset it holding the power button in for like 15 sec.


Yes, the 2 methods from this page: https://boycracked.com/2015/06/03/unbrick-lenovo-a6000/

QFIL will give you a log file (Right click in the "Status" part of the window and "Save log"), post them here.

Here is a ZIP file with 5 flashers.


----------



## nate0 (Jun 3, 2016)

TristanLeBoss said:


> Yes, the 2 methods from this page: https://boycracked.com/2015/06/03/unbrick-lenovo-a6000/
> 
> QFIL will give you a log file (Right click in the "Status" part of the window and "Save log"), post them here.
> 
> Here is a ZIP file with 5 flashers.


I ran it from two computers.  QFIL required a patch0.xml which I substituted the generic one from the miflash into.  Both computers produced the same result.  I am at work right now until tomorrow, so I will need to post the log later, but the issue it seems I am running into is the handshakes.  I am inclined to believe it is either the cable USB A to C I am using (meaning I need a different serial cable), drivers, or the flash programmers are not any good for this device.  Are those 5 programmers the Mi4c and two Lenovo programmers?  If so I have those too.  I am all guinea pig to testing at this point, but limited as to how often I can work on it.  So I will post when I can.  Thanks for your help TristanLeBoss.


----------



## nate0 (Jun 5, 2016)

TristanLeBoss:
There was a point during the flash process with miflash that I thought it might work.  But did not.  Attached are two logs.  One with a first attempt and using an 8994 programmer downloaded from this thread that I downloaded.  Second attempt log was after I had tried reinstalling drivers.  I attempted many more times, with the other programmers, and would get the same result as log1 until later all attempts were resulting in log2.  Could not get miflash to talk correctly to the phone after those first attempts looked like they were progressing, but kept failing.  I tried a dozen times with different programmers and two different PCs.  I am not leaving out the margin for my own error, as I may have not had the phone charged well enough, or may have missed a detail somewhere, so I am still researching and looking into what I can try differently.  Let me know what you make of these logs.

QFIL could not even get past the sahara initialization, so I did not spend a lot of time with it...

For now I handed the phone off to some folks that have tools to potentially get it back working.  The first thing he asked after he attempted to turn on the phone and found no activity was "does the computer still recognize the phone", which it does of course, so I think there is hope that they might be able to help.  Should know more info after Monday.  Thanks.


----------



## nate0 (Jun 5, 2016)

FYI: I found a post by a user back in March where he developed some tools in linux.  Here is the post.  I am going to look into this, since I have two unix like based systems at home I could work out of...


----------



## David (Jun 5, 2016)

This thread is my last hope :crying:


----------



## TristanLeBoss (Jun 7, 2016)

nate0 said:


> TristanLeBoss:
> There was a point during the flash process with miflash that I thought it might work.  But did not.  Attached are two logs.  One with a first attempt and using an 8994 programmer downloaded from this thread that I downloaded.  Second attempt log was after I had tried reinstalling drivers.  I attempted many more times, with the other programmers, and would get the same result as log1 until later all attempts were resulting in log2.  Could not get miflash to talk correctly to the phone after those first attempts looked like they were progressing, but kept failing.  I tried a dozen times with different programmers and different two different PCs.  I am not leaving out the margin for my own error, as I may have not had the phone charged well enough, or may have missed a detail somewhere, so I am still researching and looking into what I can try differently.  Let me know what you make of these logs.
> 
> QFIL could not even get past the sahara initialization, so I did not spend a lot of time with it...
> ...


The phone is soft-bricked: it fails to boot and falls back to the 9008 mode. LG/Google can easily reload the system on it because they have the needed files. But without the MPRG8992.hex and 8992_msimage.mbn files, I don't think we can recover the phone. Maybe JTAG can help, but a "Nexus 5X JTAG" query leads to no interesting result.

The problem is that - for some reason - the GPT seems to be bad. I think it would have been easier if the GPT was still intact.

The phone is covered by a 1 year warranty by either LG or Google. Maybe, the simplest thing to do is to send it to them. Because the phone has been released in September of 2015, it's for sure still covered by the warranty.


----------



## nate0 (Jun 7, 2016)

TristanLeBoss said:


> The phone is soft-bricked: it fails to boot and falls back to the 9008 mode. LG/Google can easily reload the system on it because they have the needed files. But without the MPRG8992.hex and 8992_msimage.mbn files, I don't think we can recover the phone. Maybe JTAG can help, but a "Nexus 5X JTAG" query leads to no interesting result.
> 
> The problem is that - for some reason - the GPT seems to be bad. I think it would have been easier if the GPT was still intact.
> 
> The phone is covered by a 1 year warranty by either LG or Google. Maybe, the simplest thing to do is to send it to them. Because the phone has been released in September of 2015, it's for sure still covered by the warranty.


I agree.

I actually called LG US being in the US, but since this is an International variant, they could not locate the imei in their database, oddly enough Google could not locate this imei either...they pointed me toward contacting the supplier of the phone in the country of origin.  I bought it from a private party, who stated he bought it from the Google store while in Canada.  My dialing options did not let me dial into Canada LG support, but I was able to chat with them.  They wanted a proof of purchase from me to be able to work with me. This sounding legit to folks?

Currently I am waiting on this phone repair and will post back if they succeeded or not and then will go from there.

---------- Post added at 01:29 PM ---------- Previous post was at 01:15 PM ----------




TristanLeBoss said:


> ...without the MPRG8992.hex and 8992_msimage.mbn files, I don't think we can recover the phone.


There is a way to generate the HEX programmer file from a FFU actually but I only found this on Lumia devices using the thor2 command. But since the original image is packaged in a TOT file it does not seem that is possible here or maybe it is...Have you read this posting? Finally... unbrick your Lumia device QHSUSB_DLOAD without JTAG


----------



## David (Jun 8, 2016)

TristanLeBoss said:


> The phone is soft-bricked: it fails to boot and falls back to the 9008 mode. LG/Google can easily reload the system on it because they have the needed files. But without the MPRG8992.hex and 8992_msimage.mbn files, I don't think we can recover the phone. Maybe JTAG can help, but a "Nexus 5X JTAG" query leads to no interesting result.
> 
> The problem is that - for some reason - the GPT seems to be bad. I think it would have been easier if the GPT was still intact.
> 
> The phone is covered by a 1 year warranty by either LG or Google. Maybe, the simplest thing to do is to send it to them. Because the phone has been released in September of 2015, it's for sure still covered by the warranty.


So JTAG is using a box, right? Octoplus box? I just have a UFI box.


----------



## nate0 (Jun 8, 2016)

Ya, JTAG devices or adapters. Octopus box, medusa, and I think Sigma box is another.  I believe your UFI box has JTAG adapter assemblies to tack onto it that you could use...just google.


----------



## nate0 (Jun 8, 2016)

Through this experience I have concluded these things:
- Windows Mobile though not popular is pretty darn secure (XDA WP Secure Boot Post)
- I am not giving up the pursuit of this, but if my Nexus device gets revived I've decided to let it be native to Android.  Even though it is intriguing to think of a dual boot/alternative OS device.
- Since I continually go back and forth between Windows Mobile and Android devices I will hope that there is a chance to own a device with multiple OS support Android/Windows that is released officially in the US.   Seems Microsoft is teaming up with several Chinese Partners to port their OS to already existing devices.


----------



## TristanLeBoss (Jun 9, 2016)

nate0 said:


> Through this experience I have concluded these things:
> -Windows Mobile though not popular is pretty darn secure (XDA WP Secure Boot Post)
> -I am not giving up the pursuit of this, but If my Nexus device gets revived I've decided to let it be native to Android.  Even though it is intriguing to think of a dual boot/alternative OS device.
> -Since I continually go back and forth between Windows Mobile and Android devices I will hope that there is a chance to own a device with multiple OS support Android/Windows that is released officially in the US.   Seems Microsoft is teaming up with several Chinese Partners to port their OS to already existing devices.


Indeed, experimenting with Windows 10 should be done on a phone that you can recover from soft brick. At least, we learned something about Windows Mobile 10. I shared the discoveries in another thread


----------



## nate0 (Jun 9, 2016)

You're a very bright individual TristanLeBoss.  I read your other post and your research. Question:
With these discoveries, what could be considered the most optimal candidate phone to test a port on?  Be it not all ducks will line up in a row, but if only 1 or 2 are standing out of line, then it seems there are workarounds that can be implemented...hence the disabling of secure boot.


----------



## heineken78 (Oct 11, 2016)

TristanLeBoss said:


> Indeed, experimenting with Windows 10 should be done on a phone that you can recover from soft brick. At least, we learned something about Windows Mobile 10. I shared the discoveries in another thread


Tristan, thank you for the information you provide; it is kinda helpful in my case, but my question is this.
I have a working Android device on the 8994 chipset with a locked bootloader, and I have got all partitions and the GPT from it. I'm also able to enter EDL mode.
I want to check if I will be able to recover it with the file prog_emmc_firehose_8994_lite.mbn.
Can I use emmctool to boot from EDL and, for example, dump its GPT without risk of losing any data?
If yes, what should I type?
Thank you in advance.


----------



## amcferrin90 (Jan 18, 2017)

heineken78 said:


> Tristan, thank you for this information you provide, is kinda helpfull in my case but my question is.
> I have working Android  device on 8994 chipset with locked bootloader, i have got all partitions and gpt from it. Also Im able to enter EDl mode
> I want to check if i will be able to recover it with file prog_emmc_firehose_8994_lite.mbn.
> Can I use emmctool to boot from edl and for example to dump its gpt without risk of loosing any data?
> ...


Hello you might be my next new friend! I have a Nexus 6P 8994 device in soft brick, no access to fastboot only to 9008 QD Loader mode. I have the firehose_8994_lite.mbn, I have Google partition image files. I do not have the FFU. It seems if I can create the FFU I could at least maybe get to 9006 mode and rebuild/reimage the partitions? Maybe I could do the opposite of the emmcdl dump command? Any info you can share would be great. It seems the Qualcomm chipsets all work very similarly.

I have a working 6P also so I could make images or whatever from the working device which was my reason for buying it.


----------



## heineken78 (Jan 18, 2017)

amcferrin90 said:


> Hello you might be my next new friend! I have a Nexus 6P 8994 device in soft brick, no access to fastboot only to 9008 QD Loader mode. I have the firehose_8994_lite.mbn, I have Google partition image files. I do not have the FFU. It seems if I can create the FFU I could at least maybe get to 9006 mode and rebuild/reimage the partitions? Maybe I could do the opposite of the emmcdl dump command? Any info you can share would be great. It seems the Qualcomm chipsets all work very similarly.
> 
> I have a working 6P also so I could make images or whatever from the working device which was my reason for buying it.


Hi! It's easy to flash, just look at an example: https://forum.xda-developers.com/showpost.php?p=69759574&postcount=109


----------



## amcferrin90 (Jan 18, 2017)

heineken78 said:


> hi! Its easy to flash, just look an example https://forum.xda-developers.com/showpost.php?p=69759574&postcount=109


I think my HLOS is screwed up too because when I plug it in the phone actually doesn't charge. I get flashing red light for maybe 4 or 5 minutes. So likewise I could also flash other minimum partitions to actually boot to fastboot? Once in fastboot I can flash all the image files. That's easier than doing recovery and using dd to rebuild images.

edit:
I tried what was in the link and got this:
```
D:\temp\Android Stuff\Qualcomm Unbrick\Unbrick_Gigaset_MePro>emmcdl -p COM6 -f prog_emmc_firehose_8994_lite.mbn -b recovery twrp-recovery.img
Version 2.15
Downloading flash programmer: prog_emmc_firehose_8994_lite.mbn
Successfully open flash programmer to write: prog_emmc_firehose_8994_lite.mbn
Waiting for flash programmer to boot

Programming device using SECTOR_SIZE=512

<?xml version = "1.0" ?><data><configure MemoryName="emmc" ZLPAwareHost="1" SkipStorageInit="0" SkipWrite="0" MaxPayloadSizeToTargetInBytes="1048576"/></data>
ERROR: No response to configure packet

Status: 21 The device is not ready.
```

Then I do emmcdl -p COM6 -gpt and get this:
```
D:\temp\Android Stuff\Qualcomm Unbrick\Unbrick_Gigaset_MePro>emmcdl -p COM6 -gpt
Version 2.15
Finding all devices in emergency download mode...

Finding all disks on computer ...
\\.\PhysicalDrive6
No valid GPT found
Status: 13 The data is invalid.
```

I have Nexus factory images downloaded they are saved as "bootloader-angler-angler-03.62.img", "radio-angler-angler-03.78.img", "image-angler-nmf26f.zip"

Got any ideas?


----------



## BigCountry907 (Feb 16, 2017)

*Wonderful Tool & answers to many questions.*

First off thanks bunches for posting this information.

I am going to try and flash with this tool. Just for the heck of it.
I got one hell of a project going here that this is perfect for.
https://forum.xda-developers.com/de...sm8909-service-rom-source-qpst-t3544178/page2

I have dissected an entire device hardware and software.
Will be testing out this tool very soon.

Thanks again.


----------



## nate0 (Feb 17, 2017)

I just read bits and pieces of the wip post. Interesting to say the least.


----------



## haxhxm (Feb 28, 2017)

Can I use this to reflash UEFI?


----------



## nate0 (Mar 1, 2017)

haxhxm said:


> Can I use this to reflash UEFI?




If you are trying to re-flash the uefi then I will assume it would not hurt to try.


----------



## hunting_ (Mar 14, 2017)

I GOT THIS PLZ ANYONE HELP ME WHERE ARE THESE FILES


```
Version 2.15
Usage: emmcdl <option> <value>
Options:
-l                             List available mass storage devices
-info                          List HW information about device attached to COM (eg -p COM8 -info)
-MaxPayloadSizeToTargetInBytes The max bytes in firehose mode (DDR or large IMEM use 16384, default=8192)
-SkipWrite                     Do not write actual data to disk (use this for UFS provisioning)
-SkipStorageInit               Do not initialize storage device (use this for UFS provisioning)
-MemoryName <ufs/emmc>         Memory type default to emmc if none is specified
-SetActivePartition <num>      Set the specified partition active for booting
-disk_sector_size <int>        Dump from start sector to end sector to file
-d <start> <end>               Dump from start sector to end sector to file
-d <PartName>                  Dump entire partition based on partition name
-e <start> <num>               Erase disk from start sector for number of sectors
-e <PartName>                  Erase the entire partition specified
-s <sectors>                   Number of sectors in disk image
-p <port or disk>              Port or disk to program to (eg COM8, for PhysicalDrive1 use 1)
-o <filename>                  Output filename
-x <*.xml>                     Program XML file to output type -o (output) -p (port or disk)
-f <flash programmer>          Flash programmer to load to IMEM eg MPRG8960.hex
-i <singleimage>               Single image to load at offset 0 eg 8960_msimage.mbn
-t                             Run performance tests
-b <prtname> <binfile>         Write <binfile> to GPT <prtname>
-g GPP1 GPP2 GPP3 GPP4         Create GPP partitions with sizes in MB
-gq                            Do not prompt when creating GPP (quiet)
-r                             Reset device
-ffu <*.ffu>                   Download FFU image to device in emergency download need -o and -p
-splitffu <*.ffu> -o <xmlfile> Split FFU into binary chunks and create rawprogram0.xml to output location
-protocol <protocol>           Can be FIREHOSE, STREAMING default is FIREHOSE
-chipset <chipset>             Can be 8960 or 8974 familes
-gpt                           Dump the GPT from the connected device
-raw                           Send and receive RAW data to serial port 0x75 0x25 0x10
-verbose                       Enable verbose output

Examples: emmcdl -p COM8 -info
emmcdl -p COM8 -gpt
emmcdl -p COM8 -SkipWrite -SkipStorageInit -MemoryName ufs -f prog_emmc_firehose_8994_lite.mbn -x memory_configure.xml
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -x rawprogram0.xml -SetActivePartition 0
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -ffu wp8.ffu
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d 0 1000 -o dump_1_1000.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -d SVRawDump -o svrawdump.bin
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -b SBL1 c:\temp\sbl1.mbn
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e 0 100
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -e MODEM_FSG
emmcdl -p COM8 -f prog_emmc_firehose_8994_lite.mbn -raw 0x75 0x25 0x10
```


----------



## hunting_ (Mar 18, 2017)

feherneoh said:


> Seems like you messed the command up, so it shows the help




ahan which command bro i really want help  how can i get these files


----------



## Xian1996 (May 16, 2017)

*I've 9006 mmc script..*

How to check CPU Model in 9008 mode? 
In some tools, they auto detect CPU model like msm8x10. :angel:


----------



## ceyad (Jun 2, 2017)

any idea to format userdata partition? not erasing, cos erasing will cause the phone bootloop


----------



## ceyad (Jun 6, 2017)

feherneoh said:


> If you mean the WP Data partition, formatting that will cause a bootloop too
> You have to clean up MainOS too at the same time




any idea to factory reset without full flashing?
it is better if can do reset screen lock without erasing data

thanks


----------



## ceyad (Jun 6, 2017)

feherneoh said:


> have you tried the factory reset button combo? Unlocking the bootloader? (if possible on that phone, no idea which one we are talking about)




in case of phone is locked by pattern or phonelock code, we must do full flashing or flashing userdata partition to  make phone back to normal.
what i want to know is if there's a way to factory reset device without need to do flashing. or can do erase pattern without erasing userdata.

if phone on bootloader unlocked, we can do factory reset using fastboot mode with command fastboot -w.
but i want to do it use emmcdl

is it possible?


----------



## ceyad (Jun 7, 2017)

feherneoh said:


> Wait, so you are talking about android?




yes, android. sorry, i just realised that this is a windows thread.
i'm just interested cos emmcdl can also do so much on android, like removing micloud lock, cleaning FRP, etc

but i didn't find any command to use to format data partition on emmc, or only remove pattern lock


----------



## ceyad (Jun 7, 2017)

feherneoh said:


> You have to create a correctly sized .img, format it, and flash that (that is exactly what fastboot format does)




do you mean same like if we flash userdata.img from stock rom?

some tools can do remove screenlock only using EDL mode, and format using EDL mode. from the time processing, i guess its not flashing something but only send command


----------



## ceyad (Jun 21, 2017)

feherneoh said:


> unless in mass storage mode, they do flash a fresh userdata partition, but they don't wipe it, just flash the data touched by a quick-format




can you explain more about
" just flash the data touched by a quick-format"

it is better with examples


----------



## craig.buckie (Jun 24, 2017)

Here to see how the big W10 dump with Windows 10 Mobile Adaptation Kit and some ARM64 and ARM builds (though not W10M as far as I've read) affects this thread

***Edit*** Big dump, not so big, but still, will it have any effect?


----------



## nate0 (Jun 26, 2017)

It could allow more adaptation in flashing.  If I'm not wrong the W10M AK is used by OEMs to adapt to specific platforms. So yes, it would have an effect in that if someone wanted to use it to further develop images for flashing on different types of hardware than what is already available out currently.

---------- Post added at 05:52 AM ---------- Previous post was at 05:30 AM ----------

Just read some more and it seems this kit was not announced yet.  So maybe had something to do with WoA...?


----------



## ardian1899 (Jul 21, 2017)

TristanLeBoss said:


> Ok, I created a rawprogram0.xml using the TOT file and the files from the bootloader.img (part of the Google packages).
> 
> Unzip and put the TOT file (LGH791AT-00-V10f-NXS-XXX-OCT-03-2015-32G-MDA89E-US.tot) from the other thread in the same folder.
> 
> There is also a simpler version which only uses files from the bootloader.img: I think it's best to start with this one as - if it works - it should restore the boot.




Hello,

Probably this post is indeed older than 1 year.. but I've tried to create rawprogram0.xml for several days from the tot file unsuccessfully. Do you mind sharing the method? Thank you


----------



## ekambs (Aug 2, 2017)

Hi everyone, I really need your help with my LG H960a. It is recognised as Qualcomm HS-USB QDLoader 9008 (COM3). I don't know how to use the QFIL tool or any other way to bring my phone back to life. Please help...

or 
Anyone can help me to find these files :
1. rawprogram0.xml
2. patch0.xml
3. prog_emmc_firehose_
I am trying to fix it using the Qualcomm Flash Image Loader. The problem is I need these 3 files.

Thanks in advance


----------



## ardian1899 (Aug 7, 2017)

ekambs said:


> Hi everyone, I really need your help with my LG H960a. It is recognised as Qualcomm HS-USB QDLoader 9008 (COM3). I don't know how to use the QFIL tool or any other way to bring my phone back to life. Please help...
> 
> or
> Anyone can help me to find these files :
> ...




Is it v10? If yes, perhaps you can find the 1 and 3 files in the v10 section. There's a thread discussing it there and patch files are not needed. As for the XML, I found the F600L and H901 are using the same xml so perhaps your H960 is using the same xml.


----------



## TheDrive (Feb 22, 2018)

Pay attention! I haven't tried it (no device in my hands), but some external firehose loader tools could dump partitions (or whole emmc contents), e.g. emmcdl, and thor2 in some way too. The firehose loader for your device should support data dumping (sure, it supports it by default, but it could be blocked by the OEM for 'security' purposes). The loader you send externally in the PBL 9008 mode is the only [working] SW on the phone side to communicate with your external util. You can dump your userdata (independently of whether it is damaged or not), extract some sensitive [lost] data and/or fix some problems like pattern lock or ANYthing else (you know how to fix). Then flash the image back to the device. You should definitely know or explore/find where the particular data [should be] stored on the device. Search forums to find other people's experience relating to the particular OS file locations. Use some image mount tools to mount FS images and/or some recovery tools like R-Studio to extract files (incl. lost, damaged, deleted, unless they were overwritten by other data) from images directly.

Please note the described possibility is related to the Qualcomm platform and it doesn't matter whether Android or WinPhone (other OS?) is installed as the OS. On the other hand, this will not work on other platforms (e.g. MTK or Intel - there are other tools for them), independently of whether Android or Windows OS is installed on the device.
When you dump partition images, it will then matter which particular tools and methods you should use to deal with them. Platform and platform-related tools give you HW and HW-related possibilities to deal with HW media and its sectors/zones/ranges/etc. Primary and secondary bootloaders, required to start up the device, modem FW and data, required to establish communications (work with separate DSP/'CPU'), and OEM partition data are also related to the HW and HW-to-SW bridging. OS partition images are wholly related to the OS (i.e. SW) and its data structures. They may contain drivers or configs for the particular HW, but all these drivers and configs are OS-related and required to launch this particular OS and its system and app SW.

Archival:
eMMCDL v2.15 (20 July 2015) from dragonboard update tool
including:
Firehose MSM8916 loader (you should use the one suitable for your SoC and/or device)
QC Serial USB Drivers x86/x64 v2.1.2.0 (08 July 2015) - including for 9008 mode
If your device's VID/PID isn't included in these reference drivers, you can find the OEM's for your device or patch the .inf to add your VID/PIDs

Thor2 utility v1.8.2.18 (16 June 2015)
Extracted from WDRT v3.13 b3600
Includes small console image signing and dedicated HTC utils
signtool.
imagesigner
HTCDeviceInfo
HTCRomUpdater
May be helpful in some way

There is also list of URL's to download all the WDRT components (actual vers).
List was extracted from WDRT installation data.




Windows Device Recovery Tool v3.13 b3600 (b36001) - at the moment!
http://go.microsoft.com/fwlink/p/?LinkId=522381
https://repairavoidance.blob.core.windows.net/packages/WindowsDeviceRecoveryToolInstaller.exe

Dependencies (optional if already installed)
http://go.microsoft.com/fwlink/?LinkId=225704
(dotNetFx45_Full_setup.exe)
http://download.microsoft.com/downl...-4FF2-B699-5E9B7962F9AE/VSU3/vcredist_x86.exe
(VC2012redist)

WDRT online downloadable components
Please note component versions in the URLs
Please note you needn't download all the language packages
The only one you need is English or your native language (or both)
The whole space you need is about 60MB. 40MB for your lang installer and 20MB for rest components (helpers/drivers/etc)
https://repairavoidance.blob.core.w...Installers/1.1.12.1526/WinUsbCoInstallers.msi
https://repairavoidance.blob.core.w...patId/1.1.11.1526/WinUsbCompatIdInstaller.msi
https://repairavoidance.blob.core.w...sbDriversExt/1.1.24.1544/WinUsbDriversExt.msi
https://repairavoidance.blob.core.w...river/1.1.16.1526/EmergencyDownloadDriver.msi
https://repairavoidance.blob.core.w...lueDriver/1.1.10.1526/LumiaUEFIBlueDriver.msi
https://repairavoidance.blob.core.w....1.10586.15/Windows IP Over USB-x86_en-us.msi
https://repairavoidance.blob.core.w...ers/FFULoaderDriver/1.0.0/FFULoaderDriver.exe
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/en-US/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/ar-SA/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/cs-CZ/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/da-DK/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/de-DE/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/el-GR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/es-ES/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/et-EE/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/fi-FI/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/fr-FR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/he-IL/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/hr-HR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/hu-HU/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/it-IT/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/ja-JP/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/ko-KR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/lt-LT/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/lv-LV/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/nb-NO/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/nl-NL/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/pl-PL/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/pt-BR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/ro-RO/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/ru-RU/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/sk-SK/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/sl-SI/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/sv-SE/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/th-TH/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/tr-TR/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/zh-CN/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/zh-HK/WDRTInstaller.msi
https://repairavoidance.blob.core.windows.net/packages/WDRT/3.13.36001/zh-TW/WDRTInstaller.msi
https://repairavoidance.blob.core.w...ivers/MFP/Win10/1.0.0/Windows10-KB3010081.exe
https://repairavoidance.blob.core.w...ers/MFP/Win8.1/1.0.0/Windows8.1-KB2929699.exe
https://repairavoidance.blob.core.w...ivers/MFP/Win8/1.0.0/Windows6.2-KB2703761.exe
https://repairavoidance.blob.core.w...rivers/MFP/Win7/1.0.0/Windows6.1-KB968211.exe
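
Added example, not part of the post above and not code from emmcdl or any other tool named in this thread: before mounting or writing back a raw disk dump, it is worth confirming that the dump carries a consistent GPT, the condition behind the "No valid GPT found" message earlier in the thread. The Python below applies the standard UEFI checks (signature, header CRC32, entry-array CRC32, LBA bounds, overlaps) to the primary GPT and lists the partitions; the 512-byte sector size follows the `SECTOR_SIZE=512` log line above, and the sample image, its partition layout and the helper names are constructed for the example.

```python
import struct
import uuid
import zlib

SECTOR = 512  # assumption: 512-byte sectors, as in the SECTOR_SIZE=512 log line in the thread
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # UEFI GPT header fields, 92 bytes
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # type GUID for sample entries


class GptError(ValueError):
    """Raised when the dump does not carry a consistent primary GPT."""


def parse_gpt(image: bytes, sector: int = SECTOR) -> list:
    """Validate the primary GPT of a raw disk dump and return its partitions."""
    hdr = image[sector:sector + 92]  # the primary header sits at LBA 1
    if len(hdr) < 92:
        raise GptError("image too short to hold a GPT header")
    (sig, _rev, hdr_size, hdr_crc, _rsvd, _my_lba, _alt_lba, first_ok, last_ok,
     _disk_guid, tbl_lba, count, esize, tbl_crc) = struct.unpack(HDR_FMT, hdr)
    if sig != b"EFI PART":
        raise GptError("no GPT signature at LBA 1")
    if not 92 <= hdr_size <= sector or esize < 128:
        raise GptError("implausible header or entry size")
    raw = bytearray(image[sector:sector + hdr_size])
    raw[16:20] = bytes(4)  # the header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(raw)) != hdr_crc:
        raise GptError("header CRC mismatch")
    table = image[tbl_lba * sector:tbl_lba * sector + count * esize]
    if len(table) != count * esize or zlib.crc32(table) != tbl_crc:
        raise GptError("partition entry array CRC mismatch")
    parts = []
    for i in range(count):
        entry = table[i * esize:(i + 1) * esize]
        if entry[:16] == bytes(16):  # an all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        if not first_ok <= first <= last <= last_ok:
            raise GptError(f"entry {i} lies outside the usable LBA range")
        if any(first <= p["last_lba"] and p["first_lba"] <= last for p in parts):
            raise GptError(f"entry {i} overlaps another partition")
        name = entry[56:128].decode("utf-16-le", errors="replace").split("\0", 1)[0]
        parts.append({"name": name, "first_lba": first, "last_lba": last,
                      "size_bytes": (last - first + 1) * sector,
                      "type_guid": str(uuid.UUID(bytes_le=entry[:16]))})
    return parts


def build_sample_image(layout, total_sectors=2048, sector=SECTOR) -> bytes:
    """Constructed input: a zero-filled disk image with a minimal primary GPT."""
    count, esize = 128, 128
    table = bytearray(count * esize)
    for i, (name, first, last) in enumerate(layout):
        table[i * esize:(i + 1) * esize] = (
            LINUX_FS.bytes_le + uuid.UUID(int=i + 1).bytes_le
            + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\0"))
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total_sectors - 1, 34,
              total_sectors - 34, uuid.UUID(int=0xD15C).bytes_le, 2, count, esize,
              zlib.crc32(bytes(table))]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))  # CRC over header with field zeroed
    img = bytearray(total_sectors * sector)
    img[sector:sector + 92] = struct.pack(HDR_FMT, *fields)
    img[2 * sector:2 * sector + len(table)] = table
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image([("SBL1", 34, 1057), ("recovery", 1058, 1569)])
    for p in parse_gpt(sample):
        print(f'{p["name"]:<10} LBA {p["first_lba"]}-{p["last_lba"]}  {p["size_bytes"]} bytes')
```

For a real dump, read the file in binary mode and pass its bytes to `parse_gpt`; a `GptError` means the image should not be trusted as a source of partition offsets.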


----------



## darenhoff (Mar 19, 2018)

*Create rawprogram0.xml from FFU*

Hi Dear,
It looks extremely useful.............
But I am unable to understand how to pass the FFU file name argument to emmcdl
In case of android, there is an mbn file and no FFU in the ROM I downloaded as update.zip
Can you please help creating rawprogram0.xml and other two files needed by QFIL?
Thanks a lot




TristanLeBoss said:


> You will not encounter the problem faced by augustininout: he just has this problem because the Lumia 640 XL is a well locked phone
> 
> I don't really know what this authentication is (the search for both the error code, ID or message doesn't get a lot of answers on Google). I guessed it may be the fact that the phone is not a developer phone.. We just need to wait for the poster to let us know what happened after he registered it.
> 
> ...



----------



## Rizuke (Jun 8, 2018)

*msm8940*

Anyone can help me to find these files for qualcomm MSM8940/Snapdragon 435 Zte nubia m2play/nx907j:
1. rawprogram0.xml
2. patch0.xml
3. prog_emmc_firehose_


----------



## Rizuke (Jun 11, 2018)

can i make it from rom recovery/ota not from fastboot roms? i can't find the same phone to back up for unbricking my phone


----------



## Rizuke (Jun 12, 2018)

omg, how to unbrick my phone with qpst program? i don't have files for it

Sent from my Redmi 5 Plus using Tapatalk


----------



## Rizuke (Jun 14, 2018)

what the solution?

Sent from my Redmi 5 Plus using Tapatalk


----------



## Rizuke (Jun 14, 2018)

omg, very sad

Sent from my Redmi 5 Plus using Tapatalk


----------



## skooter32 (Aug 25, 2018)

how do i launch it from cmd?


----------



## skooter32 (Aug 28, 2018)

hi how do i use this? can i make rawprogram0 from htc one m8s ruu thanks


----------



## eudris2000 (Jan 6, 2020)

Can someone help me with my nubia z5s 406e? It got stuck in Qualcomm HS-USB Qdloader 9008 mode and I need 1. rawprogram0.xml
2. patch0.xml
3. prog_emmc_firehose
or some other solution, thanks


----------



## nate0 (Jan 6, 2020)

eudris2000 said:


> Can someone help me with my nubia z5s 406e? It got stuck in Qualcomm HS-USB Qdloader 9008 mode and I need 1. rawprogram0.xml
> 2. patch0.xml
> 3. prog_emmc_firehose
> or some other solution, thanks




If you'd like help or to have your post properly acknowledged it's best to use English words and grammar. You can refer to the xda rules which I believe still enforce that and explain.  In any case I doubt you'll find much help for your Nubia on this particular thread.


----------



## eudris2000 (Feb 25, 2020)

*help with my victoria, it stays stuck in qualcomm hs usb qd loader 9800*

thanks for the suggestion, friend


----------



## Ash2489 (Feb 26, 2020)

Can we copy whole internal storage as raw file of lumia 1020 for data recovery  process

---------- Post added at 06:29 PM ---------- Previous post was at 06:28 PM ----------

Please someone help me


----------



## chakroun saifallah (Jan 14, 2021)

TristanLeBoss said:


> I was searching for the "ffutoraw.exe" file referenced in the "rawprogram0.xml" file from the Xiaomi Mi4 Windows Mobile 10 ROM when I discovered a small tool which can also do the work.
> 
> Here is the eMMC DL tool v2.15 from Qualcomm. This tool is publicly available. It's part of the "DragonBoard Update Tool" (dragonboardupdatetool_x64.zip or dragonboardupdatetool_x86.zip) available on this webpage: https://developer.qualcomm.com/hardware/dragonboard-410c/tools Once installed, you will find the file in "C:\Program Files (x86)\Qualcomm\DragonBoardUpdateTool".
> 
> ...




what about samsung devices ?
i use this tool but sahara has no response .
my phone shown : Qualcomm HS-USB QDLoader 9008
what should i do ?


----------



## ABDUDIVAN (Sep 14, 2021)

chakroun saifallah said:


> what about samsung devices ?
> i use this tool but sahara has no response .
> my phone shown : Qualcomm HS-USB QDLoader 9008
> what should i do ?




Which variant bro exynos, Qualcomm


----------



## Bingedo (Aug 12, 2022)

can i use it on htc one m8 android 6.0?


----------

