
Monday, July 3, 2023

Rollback Nokia 8.1 to Android 10 from Android 11 without unlocking bootloader. Needs EDL (emergency download mode)

I updated my Nokia 8.1 from Pie to Android 10 and then to Android 11. Pie was good for network, because Android 10 made the network connection weaker and less stable than Pie. Android 11 is the worst Android ever released. I started hating it and was desperate to get rid of it. It was slow and didn't offer me anything worth more than Android 10. For security 11 is better, but performance is poor. Finally, 7-10 days of effort gave me success in rolling back the Nokia 8.1 to Android 10.


I never unlocked the bootloader of my phone, and I tried lots of methods and apps and all failed. I then started going deep into how these flashing apps actually work. I cracked it and flashed the Android 10 431A stock ROM. Before I start the whole process, it is critical to understand the basics. I will describe the required details so that even a normal PC user can understand.


Just as a PC has a hard disk which contains the OS, phones and tablets have solid-state storage, the same kind of storage found in SSDs, pen drives etc. The storage is split into multiple parts called partitions. They are like the C, D, E etc. drives of Windows. If you are a Linux user you will understand phone storage much better than Windows users. Partitions are important because the files of one partition don't interfere with the files of another. For example, the D drive holds multimedia data and, if it fills up, it will not affect the C drive which contains the OS. If you fill the C drive with media, it will affect the OS.


Now coming to phone storage and partitions. The Nokia 8.1 has eMMC storage. Many other devices have UFS storage instead. Knowing the storage type is critical before flashing a ROM. The Nokia 8.1 is powered by the Qualcomm Snapdragon 710 chip. This is another critical piece of information needed for flashing the stock ROM.


Now coming directly to the flashing process. You need the things and conditions below to flash the ROM.


  • Phone in EDL mode. This is another big topic which varies from device to device. I will only write about the Nokia 8.1. You can try EDL cables if they work. I opened the back cover of the phone and shorted the TEST POINTS to enter EDL mode. You can search the internet for this; how to do it is easily available.
  • Qualcomm 9008 driver and Nokia USB driver. You can also download OST tool 6.2.8, which contains all the drivers, or download the drivers separately.
  • QPST/QFIL (QPST_2.7.496) tool with firehose file. The firehose file is specific to a chip. I will share relevant files which are smaller in size here. The firehose file is available inside stock ROMs.
  • Any Type-C cable with fast charging capability. This means the cable must be able to handle the 18W power which the Nokia 8.1 adapter delivers. Also try flipping the Type-C plug over, because sometimes one side does not work.
  • USB 2.0 port
  • Windows 7/8/10. Probably 11, which I have not tested.
  • Global Stock ROM PNX-431A-0-00WW-B01. Search the internet to get this ROM.
  • "nb0 tools FIH Mobile v3.4.exe" tool to extract the NB0 ROM file.

 

Now, before proceeding to the flash process, let's understand what these tools do.




Qualcomm EDL mode works with two communication protocols: Sahara and Firehose. Sahara mode allows the user to send the Firehose file to the device during EDL mode. This file understands how to communicate with the device in emergency download mode. One thing to understand is that during the flashing process DOWNLOAD actually means uploading data to the device. The device downloads something, not us! This confuses users who are doing it for the first time.

The Firehose protocol works with XML. It understands XML and accepts files sent with an XML configuration. Firehose only knows how to write data to eMMC/UFS storage, and that is what we use to write files to the eMMC.


Now install the drivers and the QPST/QFIL tool. Verify that the drivers are installed. Turn off the phone, remove the battery connector from the motherboard, short the test points with a clip, and connect the phone to the PC. Start Device Manager and check the PORTS section. If you can see a Qualcomm 9008 COM port, everything is set up and ready to flash the device. Go to the QFIL tool configuration and set the settings as in the image below.

 




The stock ROM which you have downloaded contains an NB0 file, which is extracted using the nb0 tool. Run QFIL in admin mode and it should look like below.

 


 
 
 

Some critical notes -

- Enter EDL mode just before taking upload/download actions using the QFIL tool. EDL mode can stop responding if not used quickly.

- Load the firehose file from the extracted ROM folder into QFIL. If connected in EDL mode, QFIL -> Tools -> Partition Manager will be available. Enter the partition manager. Here you can see the partitions of the eMMC.

- MAKE A BACKUP of your eMMC partitions VERY CAREFULLY. If you lose the mfd, fbo etc. partitions, forget about your device working again, because you need these partitions under all conditions to turn on the phone. The images below show all partitions.









- Left click on a partition, then right click on it. DO NOT right click directly, because this will not select the partition your mouse is over. It will select the whole disk or the first partition. Click manage partitions and read image. This will create a file like the one below in the %APPDATA%/qualcomm or QPST directory. Look at the logs in QFIL to see where the file has been extracted. Collect all partitions and save them somewhere.

ReadData_emmc_Lun0_0x828_Len1024_DT_****.bin. DT is followed by the date of the dump. The 0x???? part tells the start location of the partition and Len tells the length of the partition.


I am warning you again. The above step is more important than anything else in this guide. Don't blame me if your device stops starting again. If you delete the MFD partition, your device will not boot. If you delete the FDP partition, you will see "Your device is corrupt..... press power button to shutdown.... shutdown in 30 seconds". The FDP partition holds data to verify the device. MAKE A BACKUP OF EVERY PARTITION. You can ignore system, vendor and userdata, but this will erase your device's present state. MAKE A BACKUP of every partition if possible, because you can later write them back to the eMMC to get your phone back into the exact condition it is in now. The Read button copies the partition to your PC; the Load button writes the partition to the phone.


After making the backup, let's proceed to preparing the ROM to flash. Before writing the ROM, let's understand what these flashing tools actually do. What follows is extra information. For quick flashing, go to the section FLASHING ROM below.


Flashing tools like the OST tool, Nokia service tool and others simply use the Sahara and Firehose protocols provided by Qualcomm. They use the fh_loader.exe file to write data to the eMMC. The login process, account verification etc. are all extra stuff they have added to make money from their tool. You can do the flashing process from the command line itself with just QPST/QFIL. QFIL must be run from within the QPST installation folder. Many times QFIL doesn't work when run from its own separate package without QPST.


The first thing these tools do is send the firehose programmer file to the device using Sahara mode. It's done by this command -

QSaharaServer.exe -p \\.\COM4 -s 13:C:\LogData\OST\Data\PNX-0-6210-prog_firehose_lite.elf

 

This is what the OST tool does. -p tells the COM port. -s tells the firehose programmer file. After this you are ready to use fh_loader.exe to write data to eMMC (or UFS).


NOTE:

If your bootloader is unlocked then these commands and tools are not needed. Fastboot mode also does the same job. Fastboot handles editing of the partitions.

After Sahara has sent the firehose file, fh_loader can write partitions. A big XML file, rawprogram0.xml, is passed to fh_loader. It reads and verifies the XML and starts sending the data according to the XML file. What we have to do is edit this XML file to send all the partitions at once.


OST and similar tools use the default rawprogram XML to write the service abl/xbl bootloaders and then use fastboot to flash partitions. This is where flashing fails when the bootloader is locked. You can get various errors like Error = SE_ERR_ADB_CMD_GET_FAIL_RESULT (0xC6DA), Error 0x0c3be uploading image using sahara protocol failed. These are all due to a locked bootloader or other restrictions.


FLASHING ROM:

 

Go to the extracted ROM folder, create a new file "rawprogram0_RECOVER_431A.xml" and paste the following into it.


<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl.elf" label="xbl_a" num_partition_sectors="7168" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4000000" start_sector="131072"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl.elf" label="xbl_b" num_partition_sectors="7168" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4380000" start_sector="138240"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl_config.elf" label="xbl_config_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0xb000000" start_sector="360448"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl_config.elf" label="xbl_config_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0xb020000" start_sector="360704"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-tz.mbn" label="tz_a" num_partition_sectors="4096" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc000000" start_sector="393216"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-tz.mbn" label="tz_b" num_partition_sectors="4096" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc200000" start_sector="397312"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-aop.mbn" label="aop_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0xc400000" start_sector="401408"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-aop.mbn" label="aop_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x10000000" start_sector="524288"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-hyp.mbn" label="hyp_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-hyp.mbn" label="hyp_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14080000" start_sector="656384"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-keymaster64.mbn" label="keymaster_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14300000" start_sector="661504"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-keymaster64.mbn" label="keymaster_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14380000" start_sector="662528"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib.mbn" label="cmnlib_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14400000" start_sector="663552"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib64.mbn" label="cmnlib64_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14480000" start_sector="664576"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib.mbn" label="cmnlib_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14500000" start_sector="665600"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib64.mbn" label="cmnlib64_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14580000" start_sector="666624"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NON-HLOS.bin" label="modem_a" num_partition_sectors="266240" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="133120.0" sparse="false" start_byte_hex="0x14600000" start_sector="667648"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NON-HLOS.bin" label="modem_b" num_partition_sectors="266240" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="133120.0" sparse="false" start_byte_hex="0x1c800000" start_sector="933888"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-dspso.bin" label="dsp_a" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x24a00000" start_sector="1200128"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-dspso.bin" label="dsp_b" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x26a00000" start_sector="1265664"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-abl.elf" label="abl_a" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x28a00000" start_sector="1331200"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-abl.elf" label="abl_b" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x28b00000" start_sector="1333248"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-logfs_ufs_8mb.bin" label="logfs" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x34000000" start_sector="1703936"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-BTFM.bin" label="bluetooth_a" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x38104000" start_sector="1837088"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-BTFM.bin" label="bluetooth_b" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x38204000" start_sector="1839136"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-dtbo.img" label="dtbo_a" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x3c022000" start_sector="1966352"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-dtbo.img" label="dtbo_b" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x3c822000" start_sector="1982736"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-persist.img" label="persist" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x3d426000" start_sector="2007344"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-010-keyinfo.img" label="keystore" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x3f526000" start_sector="2074928"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-devcfg.mbn" label="devcfg_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x3f5a6000" start_sector="2075952"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-devcfg.mbn" label="devcfg_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x3f5c6000" start_sector="2076208"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-qupv3fw.elf" label="qupfw_a" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x3f5e6000" start_sector="2076464"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-qupv3fw.elf" label="qupfw_b" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x3f5f6000" start_sector="2076592"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-storsec.mbn" label="storsec_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x43886000" start_sector="2212912"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-storsec.mbn" label="storsec_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x438a6000" start_sector="2213168"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vbmeta.img" label="vbmeta_a" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x4c000000" start_sector="2490368"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vbmeta.img" label="vbmeta_b" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x4c010000" start_sector="2490496"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-0010-0001-hidden.img.ext4" label="hidden_a" num_partition_sectors="81920" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="40960.0" sparse="false" start_byte_hex="0x50000000" start_sector="2621440"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-0010-0001-hidden.img.ext4" label="hidden_b" num_partition_sectors="81920" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="40960.0" sparse="false" start_byte_hex="0x52800000" start_sector="2703360"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-cda.img" label="cda_a" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x55000000" start_sector="2785280"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-cda.img" label="cda_b" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x55800000" start_sector="2801664"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="systeminfo.img" label="systeminfo_a" num_partition_sectors="512" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="256.0" sparse="false" start_byte_hex="0x56000000" start_sector="2818048"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="systeminfo.img" label="systeminfo_b" num_partition_sectors="512" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="256.0" sparse="false" start_byte_hex="0x56040000" start_sector="2818560"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-splash.img" label="splash_a" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x56080000" start_sector="2819072"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-splash.img" label="splash_b" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x58080000" start_sector="2884608"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-multi-splash.img" label="zplash_a" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a080000" start_sector="2950144"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-multi-splash.img" label="zplash_b" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a480000" start_sector="2958336"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NV-default.mbn" label="nvdef_a" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a880000" start_sector="2966528"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NV-default.mbn" label="nvdef_b" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5ac80000" start_sector="2974720"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-001-sutinfo.img" label="sutinfo" num_partition_sectors="8" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4.0" sparse="false" start_byte_hex="0x5b080000" start_sector="2982912"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-boot.img" label="boot_a" num_partition_sectors="131072" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="65536.0" sparse="false" start_byte_hex="0x5e081000" start_sector="3081224"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-boot.img" label="boot_b" num_partition_sectors="131072" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="65536.0" sparse="false" start_byte_hex="0x62081000" start_sector="3212296"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-system.img" label="system_a" num_partition_sectors="6291456" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3145728.0" sparse="true" start_byte_hex="0x66081000" start_sector="3343368"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-system_other.img" label="system_b" num_partition_sectors="6291456" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3145728.0" sparse="true" start_byte_hex="0x126081000" start_sector="9634824"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vendor.img" label="vendor_a" num_partition_sectors="1572864" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="786432.0" sparse="true" start_byte_hex="0x1e8000000" start_sector="15990784"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vendor.img" label="vendor_b" num_partition_sectors="1572864" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="786432.0" sparse="true" start_byte_hex="0x218000000" start_sector="17563648"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="" label="userdata" num_partition_sectors="0" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="0" sparse="true" start_byte_hex="0x248000000" start_sector="19136512"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="17.0" sparse="false" start_byte_hex="0x0" start_sector="0"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33."/>
</data>

 

 

Flash process:

  • Start QFIL in admin mode. Switch to flat build.
  • Select the firehose programmer path "PNX-0-431A-prog_firehose_lite.elf" present inside the extracted ROM dir. Load XML -> (All files *.* mode) -> load rawprogram0_RECOVER_431A.xml, then do the same for patch0.xml. The patch file is already present in the ROM dir.
  • Connect the phone in EDL mode. The port will be shown in QFIL. If not, select the port using the select port button.
  • Press the download button. Flashing will start. It will take 5-10+ minutes to write the ROM.
  • Re-enter EDL mode by unplugging the USB cable. Start the partition manager and erase userdata: click userdata, then right click userdata and erase it. The same can be done from the phone by entering recovery mode. Turn off the phone, press the UP button and then power for a few seconds. When the device starts, release the power button but keep UP pressed. When the dead Android robot icon is seen, press power then press UP. Wipe cache and userdata. Reboot.

 

In case you are seeing "Your device is corrupt. It cannot be trusted. Press button to continue", you should enable dm-verity enforcing. Search the internet for the multiple ways to do it, e.g. https://forum.xda-developers.com/t/guide-fix-dm-verity-is-not-enforcing-when-trying-to-boot-error.3898526/



If everything has been done as written, you should have a good backup of the device to get back to your initial condition, and a working Android 10 on your device. I did it and I am enjoying Android 10.



CRITICAL information for experimentation:

Always verify whether a file which has to be written to the device is sparse or not. elf, mbn etc. files are raw and not sparse. IMG files may or may not be sparse. Sparse means a raw image that has been post-processed to reduce its size or for some other purpose. Always use sparse="true" in the rawprogram XML when not sure. fh_loader will test this itself and tell you when the download button is pressed. However, the best way to verify the XML and data is to try to create an XML digest. It's present in the tools section of QFIL.
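A pre-flight check for the rawprogram XML and image files described in this post, as an added example that is not part of the original post or of any Qualcomm tool: it checks start offsets, overlapping ranges, the sparse flag and whether each image fits its partition before anything is written. The short file names, the demo_b entry and the image contents are constructed for illustration; the header layout is the Android sparse image format.

```python
import struct
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SPARSE_MAGIC = 0xED26FF3A                 # Android sparse image magic
SPARSE_HDR = struct.Struct("<IHHHHIIII")  # 28-byte sparse header, little-endian


def to_int(text):
    """Parse decimal or 0x-hex; return None for symbolic values such as
    'NUM_DISK_SECTORS-33.' (BackupGPT), which the flashing tool resolves."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    except (AttributeError, ValueError):
        return None


def image_info(path):
    """Return (is_sparse, bytes the image occupies once written to storage)."""
    with path.open("rb") as fh:
        head = fh.read(SPARSE_HDR.size)
    if len(head) == SPARSE_HDR.size:
        fields = SPARSE_HDR.unpack(head)
        if fields[0] == SPARSE_MAGIC:
            return True, fields[5] * fields[6]   # blk_sz * total_blks
    return False, path.stat().st_size


def check_rawprogram(xml_text, image_dir):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings, extents = [], []
    for prog in ET.fromstring(xml_text).iter("program"):
        label = prog.get("label", "?")
        sector = int(prog.get("SECTOR_SIZE_IN_BYTES", "512"))
        start = to_int(prog.get("start_sector"))
        count = to_int(prog.get("num_partition_sectors"))
        start_byte = to_int(prog.get("start_byte_hex"))
        if start is None or count is None:
            continue                             # symbolic entry, nothing to compute
        if start_byte is not None and start_byte != start * sector:
            findings.append(f"{label}: start_byte_hex {hex(start_byte)} != "
                            f"start_sector*{sector} ({hex(start * sector)})")
        if float(prog.get("size_in_KB", "0")) * 1024 != count * sector:
            findings.append(f"{label}: size_in_KB disagrees with num_partition_sectors")
        if count:
            extents.append((start, start + count, label))
        name = prog.get("filename", "")
        if not name:
            continue                             # nothing is written (e.g. userdata)
        path = Path(image_dir) / name
        if not path.is_file():
            findings.append(f"{label}: file {name} not found")
            continue
        is_sparse, expanded = image_info(path)
        declared = prog.get("sparse", "false").lower() == "true"
        if is_sparse and not declared:
            # Written raw, the sparse container itself would land in the partition.
            findings.append(f'{label}: {name} is an Android sparse image but sparse="false"')
        if expanded > count * sector:
            findings.append(f"{label}: {name} expands to {expanded} bytes, "
                            f"partition holds {count * sector}")
    extents.sort()
    for prev, cur in zip(extents, extents[1:]):
        if cur[0] < prev[1]:
            findings.append(f"{prev[2]} and {cur[2]}: partition ranges overlap")
    return findings


# Constructed sample. Geometry of xbl_a, system_a, vendor_a and BackupGPT is
# copied from the XML above; file names are shortened, system_a has sparse
# changed to "false", and demo_b is made up so the checks have something to report.
SAMPLE_XML = """<data>
  <program SECTOR_SIZE_IN_BYTES="512" filename="xbl.elf" label="xbl_a" num_partition_sectors="7168" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4000000" start_sector="131072"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="xbl.elf" label="demo_b" num_partition_sectors="7168" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4380000" start_sector="138000"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="system.img" label="system_a" num_partition_sectors="6291456" size_in_KB="3145728.0" sparse="false" start_byte_hex="0x66081000" start_sector="3343368"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="vendor.img" label="vendor_a" num_partition_sectors="1572864" size_in_KB="786432.0" sparse="true" start_byte_hex="0x1e8000000" start_sector="15990784"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33."/>
</data>"""


def demo():
    """Build constructed image files in a temp dir and run the checks on them."""
    def sparse_header(blocks):
        return SPARSE_HDR.pack(SPARSE_MAGIC, 1, 0, 28, 12, 4096, blocks, 0, 0)

    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "xbl.elf").write_bytes(b"\x7fELF" + bytes(1020))  # raw, fits
        (d / "system.img").write_bytes(sparse_header(786432))  # sparse, exactly fits
        (d / "vendor.img").write_bytes(sparse_header(196609))  # sparse, one block too big
        return check_rawprogram(SAMPLE_XML, d)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Calling check_rawprogram with the text of the real rawprogram0_RECOVER_431A.xml and the extracted ROM folder runs the same checks on the actual files.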



Sunday, March 7, 2021

Connect Dualshock 3 via Bluetooth on Windows 10 without SCP toolkit and Motionjoy.

The Dualshock 3 connects to Linux like butter, both wired and wireless, but Windows requires lots of work. I tried Motionjoy but it was like malware, so I gave it up immediately. Then I tried SCP toolkit but it barely worked after a restart. Below are the problems I faced with SCP toolkit -

- It installs drivers (filter drivers) which stop Bluetooth from being used by other devices. Some users may use a dedicated dongle for it.

- After a restart, the DS3 almost always did not work until the drivers were reinstalled.

- SCP toolkit is no longer maintained.

 

Now coming to the solution that worked very well, is more compatible, and doesn't cause unwanted trouble such as disabling Bluetooth. In parallel, do take a look at https://vigem.org/projects/BthPS3/Installation-Guide-Shibari-Edition/


Limitations:

- Works on Windows 10 only.

- Pressure sensitivity and sensors not supported.


Download and install the latest versions of the software from the links below:

- Install BthPS3 from https://github.com/ViGEm/BthPS3/releases/latest. Install this first and restart the PC. BthPS3 is the Bluetooth driver.

- FireShock from https://downloads.vigem.org/projects/FireShock/stable/. This is the USB driver which detects a connected DS3 and sets the current PC's Bluetooth as its master. More info below.

- ViGEmBus https://github.com/ViGEm/ViGEmBus/releases/latest

- Shibari.zip from https://buildbot.vigem.org/builds/Shibari/master/


How it all works?

The Dualshock 3 doesn't work with the standard Bluetooth protocol because it uses its own custom Bluetooth protocol. Support for this protocol must be installed in some form on the OS which connects to the DS3. We install BthPS3 for this task.

 

The DS3 always saves a master Bluetooth MAC address in its memory. This MAC address is set over a USB connection, which is why a DS3 is first connected to the console via USB cable and only then starts working. When the PS button is pressed, the DS3 sends a pairing request to this master Bluetooth device. We install FireShock for this purpose. I don't know what else FireShock does, but in theory, if other apps are used to set the DS3's master BT device, we may not need this step. However, it should be installed to avoid possible unwanted or unpredictable issues.


When the DS3 gets connected, we want it to behave as an XBOX 360 controller. We install ViGEmBus for this purpose.


Now we have to run Shibari.Dom.Server.exe. As the official page says, it acts as a bridge among the bundle of software we installed. Kindly refer to the official page for more details on running this program as a service and auto-starting it after boot.


Troubleshoot:

- Ensure the DS3 is not damaged. You may reset the controller by pressing a tiny button on the back. There is a tiny hole to the right of the top-middle bolt. Press it with a thin object. This resets the gamepad.

- Ensure the programs are installed as described on the official page, because the details I have mentioned are for versions released in March 2021. Apps must be run with administrator rights.

- The current version of the above software works on Windows 10 only.


Below is an example log from Shibari:


[06:16:42 INF] Launching Shibari, version: 1.6.186.0
Configuration Result:
[Success] Name Shibari.Dom.Server
[Success] DisplayName Shibari Dom Server
[Success] Description Manages AirBender, FireShock & BthPS3 Devices.
[Success] ServiceName Shibari.Dom.Server
Topshelf v4.2.1.215, .NET Framework v4.0.30319.42000
[06:16:43 INF] Loaded sink plugin ViGEm Xbox 360 Sink
[06:16:43 INF] Loaded bus emulator BthPS3 Bus Emulator
[06:16:43 INF] Starting bus emulator BthPS3 Bus Emulator
[06:16:43 INF] BthPS3 Bus Emulator started
[06:16:43 INF] Bus emulator BthPS3 Bus Emulator started successfully
[06:16:43 INF] Loaded bus emulator FireShock Bus Emulator
[06:16:43 INF] Starting bus emulator FireShock Bus Emulator
[06:16:43 INF] FireShock Bus Emulator started
[06:16:43 INF] Bus emulator FireShock Bus Emulator started successfully
The Shibari.Dom.Server service is now running, press Control+C to exit.
[06:17:43 INF] Found SIXAXIS device \\?\BTHPS3BUS#{53F88889-1AAF-4353-A047-556B69EC6DA6}#A&1E23908E&0&0007040BAF51#{7B0EAE3D-4414-4024-BCBD-1C21523768CE} (BTHPS3BUS\{53F88889-1AAF-4353-A047-556B69EC6DA6}\A&1E23908E&0&0007040BAF51)
[06:17:43 INF] Device DualShock3 (00:07:04:0B:AF:51) got attached via Bluetooth
[06:17:43 WRN] Auto-pairing not supported as BthPS3 and/or Bluetooth Host Radio not found
[06:17:43 INF] Connecting ViGEm target Nefarius.ViGEm.Client.Targets.Xbox360Controller
[06:17:43 INF] ViGEm target Nefarius.ViGEm.Client.Targets.Xbox360Controller connected successfully
Controller 1: [■■■ ]
(it's a green colored bar)

 


For using other drivers or testing the DS3 with the RPCS3 emulator:

https://wiki.rpcs3.net/index.php?title=Help:Controller_Configuration

Sunday, February 14, 2021

Connect gen game s3, x3, GSH, shanwan wireless gamepad to various devices

The controller is available under various brand names but it's the same device. Companies rebrand it and sell it.

 

Flipkart page for sample -

https://www.flipkart.com/dwh-x3-mobile-wireless-bluetooth-game-controller-bracket-gamepad-support-ios-android-smart-t-v-pc-black-joystick-black-pc/p/itm5fa472358e25b


 

I have tested it on Android phones, a tablet and an Ubuntu laptop. It works in both Bluetooth and USB mode. Wifi/wireless mode is also supposed to work using a BM-703 dongle, which I couldn't test due to lack of a dongle.


This seems to be the BEST BUDGET gamepad! Very surprising when compared with others at Rs1000.


Update:

I tested the GSH model and it looks like multiple other clone models also exist. But the basic idea and techniques to connect are the same as described below. Your device may show a different name and may have different key combinations! Don't give up by thinking your device is not working; it just has different keys and ways to connect. Don't throw away your gamepad manual because it's hard to find on the internet and unique to your device.



As Bluetooth gamepad in Keyboard mode:


Turn on Bluetooth on the Android device. If the gamepad is on, turn it off by long-pressing the home button until the lights are off. Press X or Y, then home, for ~3-5 seconds. The home LED will blink and the Bluetooth search will show a wireless keyboard device named "gamepad". It will pair easily. DON'T forget to enable the "show virtual keyboard when hardware keyboard is connected" option in Android, otherwise the soft keyboard will remain disabled! In this mode the home button can be pressed to switch to Mode 2, and L3, R3 will act as a mouse. This seems to be the most compatible mode.



Bluetooth HID gamepad mode

Press A or B, then home, and a Bluetooth gamepad will show up with the name gamepadplus. In this mode it doesn't act like a keyboard and not every app can detect the correct key names. Some apps may show KEY_UNKNOWN while mapping. This mode supports L3 and R3, which are needed for PS1, PSP etc. games. Retroarch worked very well with both of the above modes.


Try experimenting with home + all the buttons you have. Even if your model is different, an old version or the latest, some keys will surely work.


Some combinations mentioned in the manual are below:


Home+X = Android

Home+Y = iOS

Home+A = Switch

Home+B = PS3

Home+L1,L2 for PC Bluetooth or cable.


The manual provides other details for iOS.


USB OTG mode:

Press R1 + Home. LEDs 1 and 4 will blink. If Xbox gamepad drivers are present in ANY OS, the gamepad will be detected after plugging it in with a USB cable.

NOTE: the USB cable provided in the box is not a data cable but a charging cable. Use a data cable and the gamepad works as a Microsoft Xbox 360 controller.


Lots of users are unable to find these details and think the gamepad is bad. The gamepad is really great and also has low latency. Almost like wired.



Official manual:


The manual also shows other devices and ways to connect.



Secret/Hidden:


There is a hole on the back side of the gamepad to reset the current pairing master device, just like on the Dualshock 3 gamepad. Insert something like a needle into the hole to press a switch. The hole is to the right of the USB port on the back side. After a reset the gamepad will not automatically connect to the last Bluetooth device.



Common issues:


- Pairing fails on some devices like TVs etc. Try different modes to get the connection established. The gamepad didn't connect to my TCL Android TV. It may work by forcing the TV to trust the device and pair, or by using other modes of the gamepad.


- Stock Android builds lack commercial drivers and many other such drivers. This causes various gadgets, not just this gamepad, to go undetected. E.g. the Logitech F310 gamepad didn't connect to the Nokia 8.1 but worked on other devices. Xinput mode requires drivers.


The gamepad is available under the names MJ600, shanwan x3, gsh wireless, Gen Game S3 etc. All are the same.


- When the connection gets problematic, reset the gamepad using the secret hole on the back side.

Friday, December 24, 2010

How to write an emulator?

Well, I have been thinking of writing a NES emulator since 2008, but at that time I could not start due to my game engine. But now, after learning from these tutorials, I must say anyone who understands microprocessors can make emulators.

Please go through these tutorials to learn emulation. The tutorial is well written, small and very understandable. I will also write tutorials the way I feel is simple once I do my NSF player.

Link: http://codeslinger.co.uk/pages/blog/wordpress/

Thursday, January 15, 2009

Output audio through serial port. Serial Port Player v0.1

Serial port player – serialplayer
This software lets us play audio through the serial port.
Hardware requirement: (the values below are for a USB-to-serial chip)

  • female com port connector

  • resistors - 1k

  • capacitors 4.4 uF
For the laptop, I used this hardware:

  • USB serial converter. I am using a Nokia 6600 PC data cable, which is nothing but a Prolific PL2303 USB-to-serial chip with a cable utilizing only its TX, RX and GND pins.
Software requirement:

  • A Linux distro with gcc (GNU's compiler collection) for source compilation.

  • serialportplayer – binary OR source code.
[Illustration of project]
Raw audio data => serialportplayer => serial port => low pass filter => speaker(s).
Processing:
The software collects raw audio data and processes it according to the serial port's data transfer speed. The processed data is then output through the serial port's TX pin. The processing includes oversampling and modulation (sigma-delta is recommended, but the current version of the program doesn't use it purely).
Raw data:
The data is raw audio. This raw audio data is extracted from audio files using the Audacity software as follows:

  • Run audacity

  • Open any audio file

  • Export that file into raw format.

  • The raw format must be: unsigned 8 bit / sample, mono (1 channel).
Please note down the sample rate of the original audio file and use it during serial play.
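The processing step described above, as an added sketch (not the tplay/serialplayer source, which this page does not show): a first-order sigma-delta encoder that turns unsigned 8-bit mono samples into UART bytes, oversampled to the baud rate. It assumes 8N1 framing and feeds the forced start and stop bits through the error accumulator so the filtered TX level still tracks the audio; the function names and the 115200 baud figure are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_BITS 10 /* 8N1 on the wire: start(0), 8 data bits LSB first, stop(1) */
/* Map 0..255 into 26..229: every frame carries one forced 0 and one forced 1,
 * so the line can only average between 1/10 and 9/10 of full scale. */
static int32_t scale_level(uint8_t s) { return 26 + (s * 203 + 127) / 255; }

/* Encode n unsigned 8-bit mono samples recorded at `rate` Hz into bytes for a
 * UART running at `baud`. Returns the number of bytes written to out. */
size_t sd_encode(const uint8_t *pcm, size_t n, unsigned rate, unsigned baud,
                 uint8_t *out, size_t cap)
{
    int32_t acc = 0;                        /* sigma-delta error accumulator */
    for (size_t k = 0; k < cap; k++) {
        uint8_t byte = 0;
        for (int slot = 0; slot < FRAME_BITS; slot++) {
            /* zero-order hold: the input sample playing during this bit slot */
            uint64_t idx = ((uint64_t)k * FRAME_BITS + slot) * rate / baud;
            if (idx >= n) return k;         /* input exhausted, drop partial frame */
            acc += scale_level(pcm[idx]);
            int forced = slot == 0 ? 0 : slot == FRAME_BITS - 1 ? 1 : -1;
            int bit = forced >= 0 ? forced : acc >= 255;
            if (forced < 0) byte |= (uint8_t)(bit << (slot - 1));
            acc -= bit * 255;   /* feed back what was really sent, forced or not */
        }
        out[k] = byte;
    }
    return cap;
}

/* Count the 1 bits the line actually carries, stop bits included. */
size_t wire_ones(const uint8_t *buf, size_t nbytes)
{
    size_t ones = nbytes;                   /* one stop bit per frame */
    for (size_t i = 0; i < nbytes; i++)
        for (int b = 0; b < 8; b++) ones += (buf[i] >> b) & 1;
    return ones;
}

int main(void)
{
    uint8_t pcm[160], out[200];             /* constructed input: 10 ms at mid level */
    for (size_t i = 0; i < sizeof pcm; i++) pcm[i] = 128;
    size_t nb = sd_encode(pcm, sizeof pcm, 16000, 115200, out, sizeof out);
    printf("%zu bytes, %zu ones in %zu wire bits\n", nb, wire_ones(out, nb), nb * FRAME_BITS);
    return 0;
}
```

The returned bytes are what would be written to the serial device once it has been set to the same baud rate and 8N1; the low pass filter on TX then recovers the audio from the density of 1 bits.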
Using serialportplayer:

  • Start your shell, e.g. Konsole, xterm.

  • Execute the su command and give root's password.

  • Run serial port player as: ./tplay OR ./serialportplayer

  • e.g. ./tplay humdum.raw 16000
If your system can't run the binary you can compile it from source:
cc -o serialplayer serialplayer.c
The following were the sources I used to accomplish the project:
Any interested person must read about 1 bit audio and sigma-delta modulation.
Please connect the 1k resistor to the TX pin and the capacitor in parallel across the TX and GND pins. These values are for a USB-to-serial adapter. Use appropriate values for a normal serial port at the back of desktop PCs.

Download link: This link has the tplay source and a binary for ttyUSB; it uses a USB-to-serial device as the serial port.

Download :serialportplayer.rar
Password: serialportplayer_homelabs