GSM-Forum > GSM Programming & Reverse Engineering
Nokia Lumia: why do we need 3 wires to the eMMC?

#1, 09-16-2012 08:30, the_laser:


Greetings.

As I understand it, ATF found test points to disable the eMMC; the boot ROM then enters recovery mode, a loader is uploaded, and that allows us to work with the eMMC.

(As Nokia, for unknown reasons, is using the Qualcomm MCU with security not enabled, we can load anything into the phone that way.)

Judging from the schematics, the points are:

eMMC_SDC2_CLK
eMMC_SDC2_DATA0
eMMC_SDC2_DATA1

Question:
isn't it enough to just put eMMC_SDC2_CLK to GND, then connect USB?
The recovery bootloader should wake up then...

PS:
I have a Lumia, but I fear that if I disassemble it, it will be the end of the poor phone.
#2, 09-16-2012 08:54, asad_nomy7:
Sir Laser and fear...!
#3, 09-16-2012 09:45, Dzirt:
Quote: Originally Posted by the_laser (post #1, quoted in full)
Seems not.
Already tried that a long time ago, with and without external power.

If connected with the TP, the current draw is always 30 mA; without it, it starts at 50 mA and then goes down to 30 mA.
#4, 09-16-2012 11:20, Bph&co:
Hi,

I have to admit, I was too lazy to read the full eMMC specification and trace all the points, but from a few minutes of testing the solution I understand that this flash chip supports the standard MMC serial interface as well as the parallel one.

So he just configures the FPGA as an SD card reader and does the init and raw read/write directly to the chip, as if it were an SD card in a reader.

Am I wrong?

BR
#5, 09-16-2012 11:41, the_laser:
@bph&co:
I think about that too, but look:

they are only using the data0 and data1 lines, while the eMMC has 8 data lines, eMMC_SDC2_CMD and so on, so those 3 points are definitely just to "lock down" the eMMC from the MCU.

The entire idea is to disable the eMMC, or trash the data received from it, so the boot hash will be bad and the phone switches to qhusb_dload.
Well, that is pretty easy to check if you have ATF and a Lumia 800: if a new USB device appears, then I'm correct (95% sure).

@dzirt:
Did you try applying GND to TP1555 with the phone without battery and then inserting the USB cable?
(Sounds stupid, but maybe we need to apply a logical one instead?)
#6, 09-16-2012 11:53, Dzirt:
Yes, already tried.
Same result, no luck.
On L800 and L710.
If you need anything tried, I can do it anytime.
#7, 09-16-2012 11:56, Bph&co:
Quote: Originally Posted by the_laser
@bph&co:
if a new USB device appears, then I'm correct (95% sure)

I understand it is done this way on some Android phones with the same CPU, but here it seems this USB recovery driver in ROM (if it exists) is disabled, or at least no one has been able to make it work yet.

But after a successful 'Test Connection' from ATF there is no USB device in Windows; USB is used just for power. To talk to an MMC-compatible device you need an SPI-type interface (data in, data out and clock) + CS. The thing that is not clear is, if you have two masters on the bus, in this case the ATF FPGA and the Qcom CPU, how do you keep the CPU in reset all the time? It looks like we are one test point short.
#8, 09-16-2012 12:28, Bph&co:
So,

red/yellow - CLK (TP DETECT)
blue - MOSI
green - MISO

Looks like pretty standard SPI to me, plus the 0xFF clocked on the data bus before power on; spot on MMC communication.
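What posts #4, #7 and #8 describe, an FPGA driving the eMMC as an SPI-mode card (the 0xFF burst before anything else, CMD0 into idle, CMD1 until the card reports ready, then raw block reads), written out as an added example. This is not ATF's or Xshadow's code and nothing in it was taken from a Lumia: the frame layout, CRC-7 and CRC-16 follow the MMC/SD SPI-mode specification, while the card on the other end is a constructed simulator whose timing, busy count and error replies are assumptions made so the exchange runs offline. CS is modelled as a flag the host controls, which is exactly the line post #7 says the three test points do not give you.

```python
# Added example, not ATF/Xshadow code: a model of the SPI-mode MMC exchange that
# post #8 saw on the three test points (CLK, MOSI, MISO). Frames, CRC-7 and CRC-16
# follow the MMC/SD SPI-mode spec; the card is a constructed simulator (assumption).

def crc7(data):
    """CRC-7, poly x^7+x^3+1 (0x09), over the five command bytes."""
    crc = 0
    for byte in data:
        for _ in range(8):
            crc <<= 1
            if (crc ^ byte) & 0x80:
                crc ^= 0x09
            crc &= 0x7F
            byte = (byte << 1) & 0xFF
    return crc

def crc16(data):
    """CRC-16-CCITT (poly 0x1021, init 0) that trails every 512-byte data block."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def command_frame(cmd, arg):
    """Six-byte SPI command: start bits 01 + index, 32-bit argument, CRC7<<1 | 1."""
    body = bytes([0x40 | (cmd & 0x3F)]) + arg.to_bytes(4, "big")
    return body + bytes([(crc7(body) << 1) | 1])

class SimulatedSpiMmc:
    """Constructed card (assumption, not a device model): needs >=74 clocks with CS
    and MOSI high before CMD0, answers CMD1 'busy' once, then serves CMD17 reads."""
    def __init__(self, blocks):
        self.blocks = blocks                       # {block address: 512 bytes}
        self.cs_low, self.spi_mode, self.idle = False, False, True
        self.init_clocks, self.busy_polls = 0, 1
        self.rx, self.tx = bytearray(), bytearray()
    def transfer(self, mosi):
        """Clock one byte each way; MISO idles at 0xFF while the card is silent."""
        if not self.cs_low:                        # CS high: only the 0xFF burst counts
            self.init_clocks += 8 if mosi == 0xFF else 0
            return 0xFF
        if self.tx:
            return self.tx.pop(0)
        if not self.rx and (mosi & 0xC0) != 0x40:
            return 0xFF                            # host is polling, not sending a frame
        self.rx.append(mosi)
        if len(self.rx) == 6:
            self._execute(bytes(self.rx))
            self.rx.clear()
        return 0xFF
    def _execute(self, frame):
        cmd, arg = frame[0] & 0x3F, int.from_bytes(frame[1:5], "big")
        r1 = 0x01 if self.idle else 0x00           # R1 bit 0: "in idle state"
        if not self.spi_mode:                      # mute until a CRC-valid CMD0 after the burst
            if cmd == 0 and self.init_clocks >= 74 and frame[5] == 0x95:
                self.spi_mode, self.tx = True, bytearray([0xFF, 0x01])   # Ncr gap, then R1
            return
        if cmd == 1:                               # SEND_OP_COND: busy, then ready
            self.idle, self.busy_polls = self.busy_polls > 0, max(0, self.busy_polls - 1)
            self.tx += bytes([0xFF, 0x01 if self.idle else 0x00])
        elif cmd == 17 and arg in self.blocks:     # READ_SINGLE_BLOCK: R1, gap, token, data, CRC
            data = self.blocks[arg]
            self.tx += bytes([0xFF, r1, 0xFF, 0xFE]) + data + crc16(data).to_bytes(2, "big")
        else:
            self.tx += bytes([0xFF, r1 | (0x40 if cmd == 17 else 0x04)])  # param error / illegal

def command(card, cmd, arg):
    """Send a frame, then poll up to 8 bytes (Ncr) for R1; None if the card stays mute."""
    card.cs_low = True
    for b in command_frame(cmd, arg):
        card.transfer(b)
    for _ in range(8):
        r1 = card.transfer(0xFF)
        if not r1 & 0x80:
            return r1
    return None

def init_card(card, burst=True, max_polls=100):
    """Power-on burst (80 clocks, CS and MOSI high), GO_IDLE_STATE, SEND_OP_COND until ready."""
    card.cs_low = False
    for _ in range(10 if burst else 0): card.transfer(0xFF)
    if command(card, 0, 0) != 0x01:
        return False
    return any(command(card, 1, 0x40000000) == 0x00 for _ in range(max_polls))  # sector-mode OCR

def read_block(card, addr):
    """READ_SINGLE_BLOCK: R1, then data start token 0xFE, 512 bytes and CRC16."""
    r1 = command(card, 17, addr)
    if r1 != 0x00:
        raise IOError(f"CMD17 rejected, R1={r1!r}")
    if not any(card.transfer(0xFF) == 0xFE for _ in range(8)):
        raise IOError("no data start token")
    data = bytes(card.transfer(0xFF) for _ in range(512))
    crc = (card.transfer(0xFF) << 8) | card.transfer(0xFF)
    if crc != crc16(data):
        raise IOError("CRC16 mismatch")
    return data

def demo():
    blocks = {0: bytes(range(256)) * 2, 7: b"\x5a" * 512}   # constructed block contents
    card = SimulatedSpiMmc(blocks)
    ok = init_card(card) and read_block(card, 7) == blocks[7]
    cold = init_card(SimulatedSpiMmc(blocks), burst=False)  # skip the burst: CMD0 gets no R1
    return ok, cold
```

The second value `demo()` returns is the point of post #8: a card that never saw the clocks-with-MOSI-high burst does not answer CMD0 at all, so a host that skips it only ever reads 0xFF and the handshake never starts. CMD0 is also the one frame whose CRC the card checks before CMD59 enables CRC checking, which is why its fixed trailer 0x95 shows up in every SPI-mode capture.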
#9, 09-16-2012 13:19, the_laser:
@bph&co:

1.
So it is the 5%: no new USB device appears, and they are working with the eMMC directly.
My regards to the Xshadow programmers.

Still I wonder how it is done; maybe I need to read the eMMC specs.

In any case, I assume that in the nearest time only the Cyclone box will have the ability to work with the Lumia on the same level as ATF does, because it requires a good programmable box device. (Or wait, maybe Genie can do that?)

2.
There is no way to disable the boot ROM recovery downloader; it is embedded in the boot ROM and will always come up if the phone can't find a valid boot on eMMC, supported NAND flash or supported NOR flash.

Sadly, I don't have access to the Sony LT26 schematics; it has eMMC and the test point for entering the recovery downloader is known.

Ergo:
we need to find some point to damage the data from the eMMC.
Maybe if we ground some of the eMMC_SDC2_DATAx lines, that will do the job?

Dzirt, try that please (again, reminding that the phone must be without battery and the test point should be applied without the USB cable attached).
#10, 09-16-2012 13:34, Bph&co:
Quote: Originally Posted by the_laser
@bph&co:

1.
So it is the 5%: no new USB device appears, and they are working with the eMMC directly.
My regards to the Xshadow programmers.

Yes, hats off! Great hack, I love it. But they proved themselves much earlier: the quality implementation of the Dejan TP hack in their first box, the SHA boot ROM exploit, etc.

Quote: Originally Posted by the_laser
Still I wonder how it is done; maybe I need to read the eMMC specs.

Yeah, it is a bit confusing if you haven't ever done a low-level MMC driver; if you have, it's pretty obvious.

Quote: Originally Posted by the_laser
In any case, I assume that in the nearest time only the Cyclone box will have the ability to work with the Lumia on the same level as ATF does, because it requires a good programmable box device. (Or wait, maybe Genie can do that?)

Yes, Genie can be configured to do that.

Quote: Originally Posted by the_laser
2.
There is no way to disable the boot ROM recovery downloader; it is embedded in the boot ROM and will always come up if the phone can't find a valid boot on eMMC, supported NAND flash or supported NOR flash.

Sadly, I don't have access to the Sony LT26 schematics; it has eMMC and the test point for entering the recovery downloader is known.

Ergo:
we need to find some point to damage the data from the eMMC.
Maybe if we ground some of the eMMC_SDC2_DATAx lines, that will do the job?

I know the serial mode better, not so sure about the parallel mode, but my first idea would be to play with CS or RESET. Do you have this ROM dumped from a non-Nokia phone?
#11, 09-16-2012 13:43, Dzirt:
@the_laser
If we remove the eMMC, should it have a chance of being detected as QC?
I formatted my L710 just for fun, and I have 2 other flash ICs (the first one fully clean, the second from a working L710).
About the TP: tried it just now, no luck.

If I ground the data0 or data1 lines, nothing happens.
#12, 09-16-2012 14:13, the_laser:
@bph&co:

I have boot ROMs from two different 8x55-based phones, different makers; they are the same bit for bit.
However, both phones were secure-enabled (valid RSA signature required and so on).

As secure-enabled is set just by programming an eFUSE bit, I heavily doubt that Qualcomm would make different boot ROMs for secure and non-secure MSMs.

Here is an excerpt from the emergency download "document":

Quote:
Emergency download is the process by which licensees can program a Flash device that is empty or that contains a broken Secondary Boot Loader (SBL), such as the Qualcomm SBL or Device Boot Loader (DBL). This is in contrast to a legacy software download, which requires that the device is put into Download mode by the licensee's or OS SBL, which in turn means that the Flash device contains working modem boot loaders.
The emergency download mechanism is also known as the ***** boot mechanism or blank Flash programming.

So, as you can see, we need to have a blank boot device, or the checksums should not match.

@dzirt:
Well then, it is a dead end and we need to think more about how to run the recovery dload.

Last edited by the_laser; 09-16-2012 at 14:22.
#13, 09-16-2012 14:19, Bph&co:
Quote: Originally Posted by the_laser
@bph&co:

I have boot ROMs from two different 8x55-based phones, different makers; they are the same bit for bit.

Can you e-mail me the bin please? Really curious what the criteria for "eMMC not present" is.
#14, 09-16-2012 14:29, Bph&co:
Quote: Originally Posted by the_laser
So, as you can see, we need to have a blank boot device, or the checksums should not match.

OK, maybe here is the problem, and that's why Dzirt's test failed. You need to still have a valid and responsive eMMC device, with just bad data. So maybe you need to damage the data on the line at specific moments, not entirely remove/disable the chip.

This is why I asked for the dump; if it's not OK to share, maybe you can post the IDA code of the emergency-mode testing routine?
#15, 09-16-2012 15:02, the_laser:
The emergency mode is raised in the pbl_error procedure, let's call it that.
I'll clean it up and post it later; I have only disassembled and commented the parts I needed, most of the boot ROM is not explored.

That boot ROM still has some value; I can't share the full version.
I'll cut out some security parts and post it later.