I have a few questions about Archos' devices, in particular those belonging to the Generation 8 family. Here they are:
How is the partition table set up on the device and is the partition table signature checked? How are the partitions logically laid out?
When the SDE is installed and run, boot1 locks up boot0, itself and the recovery partition to prevent them from being modified. I would imagine that this type of setup would require keeping the partition table from being modified, thereby preventing dual boot. Can dual boot be achieved using the SDE without any extra modifications?
Are some of the partitions on Archos devices contained in compressed images and then loaded into the RAM in a manner similar to the way Damn Small Linux boots?
Is the recovery partition a minimal OS setup that exists to perform recovery operations or is it in fact copied in its entirety to the primary partition when recovery mode is entered?
I have realized/learned some things about Linux that I hadn't noticed before, such as the fact that folders like /home and /boot have their own partitions and that /boot may contain more than one kernel and that bootloaders like GRUB are actually represented in the filesystem. I don't know if these are real partitions or logical partitions so I might have to do some relearning.
I'm bumping this thread.
Partition tables are not locked. Devices are populated as normal in kernel. Partitions can be edited and the device repopulated with partprobe as normal.
The bootloader/recovery is held on a partition on mmcblk0; they are signed using a public/device encryption key that has been broken. When the system is booted it mounts the recovery image and performs requested functions. The AOS firmware format is also encrypted, but has not been broken. The stock firmware is held on mmcblk0 as well, in a 256-bit device key encrypted SquashFS (which has also been broken). It is mounted with a chroot as R/O at stock boot.
Dual boot can be achieved in multiple ways, the easiest of which is installing the openAOS multiboot menu. A current limitation is that all OSes must use the same kernel, until we can get kexec working correctly (or other more dangerous solutions).
P.S. Folders like /boot and /home can be many different things. Folders, partitions, images, symlinks, etc. The advantage of Linux/Debian is that everything is represented in the file system. Even sending commands to devices or modifying driver settings is done by "modifying files". For example, to flip the touchscreen's input on my A101, you write the letter "N" to a "file" called /sys/module/hid_hanvon/parameters/rotate180.
This is actually an interface to the driver for the touchscreen, not an actual file, so sending the letter N to "rotate180" tells the driver to flip the input coming from that device (hid_hanvon = the touchscreen).
If you tell me what you're trying to achieve, I can give you more details. If you are just trying to learn, you should come to the openaos IRC channel. Lots of years of experience in there.
I didn't think bootloaders were stored on partitions. On PCs, the first stage bootloader is stored outside of any partition on the MBR.
That's flashed on eMMC2. I was talking about the recovery bootloader. Basically, the BIOS is off limits, and the recovery bootloader allows updates, SDE flashing, etc. without risking bricking, as I'm sure you know.
So boot0, the root of all control on the device, is not stored in a partition, like the first stage bootloader on a PC while boot1 (or whatever special bootloader that exists for recovery purposes) is stored on its respective partition like a second stage bootloader on a PC?
I'm bumping this thread. Please explain further. What do you mean when you say "BIOS" and is boot1 the recovery bootloader?
Another bump.
I also want to know the partition layout of gen8 devices after installing SDE and UrukDroid.
I already installed SDE and when I plug the device to my computer I see 3 partitions:
/dev/sdb1 76295 469632 12586808+ 83 Linux
/dev/sdb2 1 30518 976563 83 Linux
/dev/sdb3 30518 76295 1464844+ 83 Linux
sdb1 - 13GB, doesn't contain a /system, but here's the menu.lst
sdb2 - 1GB, contains a /system (but I think it's not the stock android installation) ...maybe UrukDroid?
sdb3 - 1.5GB, contains a /system, but has only a few files, etc is missing for example
So is the stock android partition invisible?
I am bumping this thread.
Maybe this thread could be useful for you: http://forum.xda-developers.com/showthread.php?t=1199450
Unfortunately, my Casio GZOne Commando was bricked while I was upgrading the ROM for it. My computer recognizes it as a COM port. This COM port's name is Qualcomm HS-USB QDLoader 9008 Mode. Please, can someone help me rescue my phone? Please tell me step by step instructions to unbrick the phone :crying:
I unfortunately have almost the same problem. I've been looking for a solution in general; the QPST app does recognize the COM port, and you can flash a set of required files such as the firefighter /MCC/XML (not sure of the names), you can find them on the GitHub website.
For me, I did so, but got nowhere except the c811 is now recognized by Windows as g'zone!
Please do update me on what happened with your phone.
Good luck
PLEASE CAREFULLY READ WHOLE MESSAGE and OBEY ALL THE PRECAUTIONS!
Please do NOT DO a thing unless you UNDERSTAND all the info!!!
This was a total problem for years. Casio/Nec have hidden the original FW and the loader required to flash a phone with a damaged GPT or SBL (SBL level loaders). It's illegal in the context of consumer rights in many countries and violates GNU/GPL Linux/components licenses (independently of the fact that the loaders themselves are Qualcomm/OEM proprietary SW, but we couldn't use and develop this particular Linux build w/o them). No FW sources were published. Casio-NEC JSC ****ed up the users and is now gone from the market and closed its support services/servers just upon closing. It's a shame for these respectable Japanese companies whose reputation was clear for decades. I don't care about any legal aspects related to the JSC. Casio and Nec have used their brands to sell these devices and it's a shame for them all. I can't understand why web server support and source publishing could cost so much for billion-dollar corps. There are laws in many countries requiring parts supply for the whole declared service period of a device. Is the Casio/Nec device service period now set to 1 year only?
If you have lost some money because of an ineffective market policy, should your customers respond for that?
These phones, due to their unique 'protected' design, good quality and parts, are widely popular around the world, far away from the official market places. Who decided not to officially expand to these markets at the time?
There is good sales potential for good quality protected phones (especially high branded) at the current time.
Adequate ad activity should provide a small but valuable market share.
Let's get back to our problems.
Now this PBL-only bricking (QDloader 9008 only) problem has been partially fixed.
You should read my articles here (in English):
http://androidforums.com/threads/rom-stock-c811-m070-firmware-zip-file-4-1-2.878959/page-3
to understand the internal eMMC architecture. Please realize you should try to UNDERSTAND, and not simply think how to quickly FIX your brick! You'll fix nothing unless you understand what's going on and which parts are responsible for which state.
Next step, go to the Russian 4pda.ru forums and read my instructions on how to flash loaders and get into the Qualcomm QHSUSB_DLOAD 9006 mode.
http://4pda.ru/forum/index.php?showtopic=497930&view=findpost&p=50105534
Sorry, Russian only for a while. You can translate pages with Google translator.
DO NOT DO a THING YET NOW! Simply READ and THINK!
Also read the discussion on that page and a few on the previous and the next pages. DL the files (e.g. FW's, utils) you think could help you later in context. (4PDA reg req'd to DL attachments. It isn't complicated, but the service may ask you to enter a numeric captcha described as numeric-words in Russian. That's the problem for non Russian speakers. Once you get the problem, note that it asks you for a random 4-cipher number. Try to translate somehow or request the req'd files to be uploaded here. Look, maybe these files are already uploaded on the AndroidForums (link above and other topics).)
(If the messages/links shift somehow over time, look for the manual posted on 03.06.2016, 02:28 GMT+3 and around)
Big thanks for the correct and the only working Casio C811 / CA-201L loaders go to the nugiedha @ANDROIDForums
http://androidforums.com/threads/casio-c811-soft-brick-possible-fix.967172/#post-7136788
Then realize a simple thing. Loaders will NOT bring your phone back to the working condition immediately!!!
They will allow you to get direct access to the eMMC and do WHAT YOU WANT with it. You can partition it as a FAT32 UFD and then write your favorite pron there if you want, as you do with your favorite UFD, but sure, it's simply useless and stupid, and it will kill the rest of the data on the phone.
PLEASE NOTE! Upon an eMMC detection as a mass storage device in your PC, YOU SHOULD NOT OCCASIONALLY CLICK OK ON ANY WINDOWS REQUESTS ASKING TO INITIALIZE A NEW DRIVE/PARTITIONS!!! IT WILL DAMAGE DATA ON THE PHONE! BE CAREFUL!!!
THERE ARE MORE THAN 20 PROPRIETARY PARTITIONS ON THIS MEDIA THAT THE WINDOWS SYSTEM HAS NOTHING TO DO WITH!
Important! The first thing you should do is to BACKUP the whole image of the BROKEN phone including the partition table (GPT) and all the partitions (intact or damaged) as one big 16GB whole physical disk image to some partition that has enough free space. Do NOT try to back up to FAT32 partitions. The maximum single file size there is 4GB.
I.e. DO a FULLFLASH backup, aka eMMC full backup image, etc., regardless of the fact that the FW is broken at the moment!
Use HDD Raw Copy Tool from the HDDGuru forums or similar tools to make a full image backup.
You can use any data recovery / disk editing utils, like R-Studio or DMDE, later to extract any data and/or whole partition images from there. Please note that after the MSImage loader flashing your original GPT will be replaced with a small GPT built into the loader, regardless of whether it was correct or damaged at the moment of the failure.
However there is NO way to avoid this. There is NO other way to boot a damaged phone out of the QDLoader 9008 state (it's PBL mode) except tools involving JTAG. That's why you will not be able to easily find all the partitions in the broken phone's eMMC image. But you can scan the image (e.g. with R-Studio) and find the remaining partitions (except proprietary) on their places unless partition header/data was not damaged upon crash.
Next you have 3 options to recover the phone to the working condition:
1. Find Casio CA-201L or C811 FULL FLASH IMAGE (eMMC USER_PART) image dumped from phone placed in the same DLOAD mode
2. Find same image got using JTAG tools (in fact same as above)
3. Recreate partitions (write correct GPT) and all the partition data manually using parts of your backup and original factory partition images, most of which (for C811 and partially for CA-201L) you can find on the AndroidForums topic.
Option 1 (or 2) is easy to understand and perform. But there are 3 notes on it:
1. You should find a full eMMC image for your phone or someone who will dump his phone's image for you
2. All the ID's, i.e. IMEI, MAC's etc., and the current User Data will move from that image to your phone.
You can make a user data wipe (Hard Reset) to destroy user data and get a 'factory state' phone later.
I do not know a way to patch IMEI/MAC's back to your originals for a while (I do not have the phone in my hands for experiments),
but sure these ID's are stored on some of the 'unique' partitions listed in the AndroidForums topic, and you can find and extract this partition (unless it is damaged) from your damaged eMMC image and flash it to the recovered phone by any method (directly to the eMMC, using FastBoot mode, using ADB/Linux DD commands). It's a theory that I can't put into practice for a while.
3. YOU SHOULD NOT ASK A MAN WHO AGREES TO DUMP HIS PHONE IMAGE FOR YOU TO USE THE MSImage LOADER METHOD TO SWITCH THE PHONE TO THE QHSUSB_DLOAD 9006 MODE!!! Otherwise he will DAMAGE HIS GPT AND MODEM FW and you BOTH will get 2 NON WORKING phones instead of 1!!!
There are other methods available to switch this phone to the eMMC DLOAD mode while it resides in the working condition (unless SBL is able to load). The first is to hold both VOL keys at power up.
Switch the phone off, remove and insert the battery to be on the safe side, then hold down VOL+VOL- and press the Power key, then connect the USB cable. Other options are to hold the VOL keys and connect the USB cable without the Power key, or hold the keys and connect the USB cable without the battery. However these options will most probably bring up QDLoader 9008 mode related to the PBL instead of QHSUSB_DLOAD 9006 mode related to the SBL. That's why if your phone has GPT or SBL structures you can't get it into the QHSUSB_DLOAD 9006 mode unless you flash MSImage (containing the GPT and all SBL-related code) using the described procedure.
So, please NOTE one more time: YOU SHOULD NOT flash the MSImage loader to a working phone! You will damage the GPT and get the phone into a non working condition!
Another way to switch a WORKING phone to the QHSUSB_DLOAD 9006 mode is to use a software switcher like the ones that can be found in the QPST eMMC Flashing app and the QPST Memory Debug app. Search Google for detailed manuals with screenshots on how to do it (switch to DLOAD) with any Qualcomm based phone (You can try with any, but not all the phones will switch because of customizations!)
There are some other methods circulating around for forcing particular WORKING Qualcomm based phones to switch to DLOAD mode (using an ARM native code app / loader or sending a command to the Debug port of the modem).
Upon the eMMC image creation you should disconnect the working phone from the USB cable and reboot it to switch back to the normal mode. Just hold the Power key for a long time or remove and reinsert the battery.
You should reserve 15-20 minutes of time to perform the full eMMC backup procedure.
Once your damaged phone switches to the QHSUSB_DLOAD 9006 mode using the MSImage loader,
you can simply write one's full working phone's eMMC image using HDD Raw Copy Tool.
Just write from the image file to the eMMC device, then disconnect the phone, reset it (reinsert battery) and switch it on.
The phone will boot identically to the donor phone. Perform further generic recovery procedures to revert your phone to the required condition. You may switch it to the DLOAD mode again using the 'normal' way and continue to perform eMMC editing, particular partition image writing, patching, etc.
Option 3 (manual image combining without one's working full image) is much more complicated to proceed with, but almost all the required data can be found around. Get the original GPT (and GPT backup) from the AndroidForums factory images or look for the GPT backup at the end of the eMMC (It's standard. GPT should have a backup copy at the end of the media and the eMMC holds this backup, look for it). If you find the GPT backup, try to compare it with the ones from the factory images from the AndroidForums.
It will make clear to you whether your previous FW had the same GPT partition structure, and you will find the differences in the partition sizes and locations between your old FW and the particular Factory FW. This will help you to extract unique and/or any other req'd partition images from your broken full and inject them into the new full you are building up for whole phone flashing. Use DMDE Disk Editor (the Free version is absolutely enough, unless you would like to mass recover files from your data partition with it). It will show you all the GPT structures and their sector ranges. It will help you to locate and extract a particular partition. Upon the correct GPT being written to the device (or your new image preparation), you can start to write partitions at their dedicated places. Once you have checked (and/or fixed) all the partitions your phone is ready to switch on. In most cases you have a great chance to recover without one's full. The only condition: all the small 'unique' partitions that are not included in the factory FW images should NOT be damaged. Please note that many people reported that damaged/incorrect ModemSTx (modem data / NVRAM) erasure on THIS PARTICULAR PHONE will lead to the working partition recreation (assume w/o IMEI loss) and could be used as one of the NVRAM fixation techniques.
So you should at least be able to extract the important ID's (maybe a few others) partition(s) and inject them into your new image (or directly to the eMMC).
That's why you should NEVER start the recovery (eMMC writing) UNLESS YOU HAVE MADE A BACKUP COPY OF THE DAMAGED eMMC IMAGE!
Sure, in 99% you will recover your phone, whether you find one's full (simple) or you are able to rebuild it using factory (others, why not?) images and the part of your broken eMMC contents.
Good Luck!
I'm attaching here the required files. Please be careful!
Some people just DL files and do not copy the description.
Novices can break their devices trying to do 'something idiotic'.
Please note that the attached GPT images are definitely for the factory M070 FW for the C811 version.
You can flash it to any compatible versions (like CA-201L) but I don't know whether it will be identical to your old partition scheme, so the real unique partition data you could look for may be located at other offsets.
Check manually if you can and always make a full broken FW eMMC image at first.
Get fresh QPST 2.7.425 here, thanks to drkcobra
http://forum.xda-developers.com/showpost.php?p=59235714&postcount=15
Or look through the topic to find later vers (if any)
Direct Link:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Important Update:
Casio C811 GPT images were broken due to the Windows decryption utility compilation problem.
File re-uploaded! Please update!
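An added example, not part of the original post or of any tool it names: a small Python reader for the backup-GPT step of Option 3. It walks back from the end of a raw eMMC dump to find the backup GPT header, checks the header and entry-array CRC32s, and gives each partition's sector range and byte extent for carving. The 512-byte sector size, the partition names, the `backup.img` filename and the tiny in-memory image are constructed assumptions.

```python
import io
import struct
import zlib

SECTOR = 512                                 # assumed logical sector size of the dump
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")    # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")         # 128-byte partition entry


def read_header(f, lba):
    """Parse the GPT header at `lba`; None if signature, CRC or self-LBA is wrong."""
    f.seek(lba * SECTOR)
    raw = f.read(SECTOR)
    if len(raw) < SECTOR or raw[:8] != b"EFI PART":
        return None
    (_, _, size, crc, _, my_lba, alt_lba, _, _, _,
     ent_lba, ent_cnt, ent_size, ent_crc) = HDR.unpack_from(raw)
    if not HDR.size <= size <= SECTOR or my_lba != lba:
        return None
    # The header CRC32 covers the header with its own CRC field zeroed.
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:size]) != crc:
        return None
    return {"lba": lba, "alt_lba": alt_lba, "ent_lba": ent_lba,
            "ent_cnt": ent_cnt, "ent_size": ent_size, "ent_crc": ent_crc}


def read_entries(f, hdr):
    """Return {name: (first_lba, last_lba)}; None if the entry-array CRC32 fails."""
    total = hdr["ent_cnt"] * hdr["ent_size"]
    if hdr["ent_size"] < ENT.size or total > 1 << 20:    # refuse absurd sizes
        return None
    f.seek(hdr["ent_lba"] * SECTOR)
    raw = f.read(total)
    if len(raw) != total or zlib.crc32(raw) != hdr["ent_crc"]:
        return None
    parts = {}
    for off in range(0, total, hdr["ent_size"]):
        type_guid, _, first, last, _, name = ENT.unpack_from(raw, off)
        if type_guid != bytes(16):                       # all-zero type = unused slot
            parts[name.decode("utf-16-le", "replace").split("\0")[0]] = (first, last)
    return parts


def find_backup_header(f, max_scan=64):
    """Walk back from the last sector looking for a valid backup GPT header."""
    last = f.seek(0, io.SEEK_END) // SECTOR - 1
    for lba in range(last, max(last - max_scan, 1), -1):
        hdr = read_header(f, lba)
        if hdr:
            return hdr
    return None


def extent(parts, name):
    """Byte (offset, length) of a partition inside the raw image, for carving it out."""
    first, last = parts[name]
    return first * SECTOR, (last - first + 1) * SECTOR


def diff_layouts(a, b):
    """Partitions whose sector range differs, or that exist in only one table."""
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


def make_gpt(lba, alt_lba, ent_lba, parts, slots=4):
    """Build (header_sector, entry_array) for a constructed sample table."""
    ents = b"".join(
        ENT.pack(b"\x01" * 16, bytes([i + 1]) * 16, first, last, 0,
                 name.encode("utf-16-le"))
        for i, (name, (first, last)) in enumerate(parts.items()))
    ents = ents.ljust(slots * ENT.size, b"\0")
    fields = [b"EFI PART", 0x00010000, HDR.size, 0, 0, lba, alt_lba, 3, 61,
              b"\x02" * 16, ent_lba, slots, ENT.size, zlib.crc32(ents)]
    fields[3] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields).ljust(SECTOR, b"\0"), ents


def build_sample_image(total=64):
    """Constructed 32 KiB image: small loader-style primary GPT, original backup GPT."""
    img = bytearray(total * SECTOR)
    original = {"modemst1": (8, 15), "system": (16, 39), "userdata": (40, 59)}
    tables = [(1, total - 1, 2, {"loader": (8, 15)}),
              (total - 1, 1, total - 2, original)]
    for lba, alt, ent_lba, parts in tables:
        hdr, ents = make_gpt(lba, alt, ent_lba, parts)
        img[lba * SECTOR:(lba + 1) * SECTOR] = hdr
        img[ent_lba * SECTOR:ent_lba * SECTOR + len(ents)] = ents
    return img


if __name__ == "__main__":
    f = io.BytesIO(build_sample_image())     # real dump: open("backup.img", "rb")
    primary = read_entries(f, read_header(f, 1))
    backup = read_entries(f, find_backup_header(f))
    for name, ranges in diff_layouts(primary, backup).items():
        print(name, ranges)
    print("system at", extent(backup, "system"))
```

Run it against a copy of the backup image, never against the device itself; a `None` result from either reader means that copy of the table failed its CRC and should not be trusted for offsets.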
TheDrive said:
PLEASE CAREFULLY READ WHOLE MESSAGE and OBEY ALL THE PRECAUTIONS!
Please do NOT DO a thing unless you UNDERSTAND all the infos!!!
This was a total problem for a years. Casio/Nec have hidden original FW and loader required to flash the phone with damaged GPT or SBL (SBL level loaders. It's illegal in the context of consumer rights in many countries and violates GNU/GPL Linux/components licenses (independently of the fact the loaders itself are the Qualcomm/OEM proprietary SW, but we couldn't use and develop this particular Linux build w/o them). No FW sources were published. Casio-NEC JSC ****ed up the users and now gone from the market and closed support services/servers just upon closing. It's a shame for these respectable Japanese companies which reputation was clear for the decades. I don't care about any law aspects related to the JSC. Casio and Nec have used their brands to sell these devices and it's a shame for them all. I can't realize why could a web server support and source publishing cost any much for a billion corps. There are the laws in many countries requiring parts supply for a whole time of declared device serve period. Is Casio/Nec device's serve period now is set as 1 year only now?
If you have lost some money for an ineffective market policy, should your customers , respond for that?
These phines due to unique 'protected' design, good quality and parts are widely popular around the world far away from the official market places. Who have decided not to officially expand to these markets at the time?
There is good sales potential for a good quality protected phones (especially high branded) at the current time.
Adequate ads activity should provide a small but valuable market share.
Let's back to our problems
Now this, PBL-only bricking (QDloader 9008 only) problem has been partially fixed.
You should read my articles here (in English):
http://androidforums.com/threads/rom-stock-c811-m070-firmware-zip-file-4-1-2.878959/page-3
to understand internal eMMC architecture. Please realize you should try to UNDERSTAND, but not simply think how to quickly FIX your brick! You'll fix nothing unless you will understand what's going on and what's the parts responsible for which state.
Next step, go to the Russian 4dpa.ru forums and read my instructions how to flash loaders and get into the Qualcomm QHSUSB_DLOAD 9006 mode.
http://4pda.ru/forum/index.php?showtopic=497930&view=findpost&p=50105534
Sorry, Russian only for a while. You can translate pages with Google translator.
DO NOT DO a THING YET NOW! Simply READ and THINK!
Also read the discussion on that page and a few on the previous and the next pages. DL files (e.g. FW's, utils), you think could help you later on context. (4PDA reg req'd to DL attachments. It's isn't complicated, but service may ask you to enter a numeric capcha described as numeric-words in Russian. That's the problem for non Russian speakers. Once you get the problem note it ask you a random 4-cipher number. Try to translate somehow or request req'd files to upload here. Look may be these files are already uploaded on the AndroidForums (link above and other topics).
(If the messages/links will some kind shift by the time look for the manual posted on 03.06.2016, 02:28 GMT+3 and around)
Big thanks for the correct and the only working Casio C811 / CA-201L loaders go to the nugiedha @ANDROIDForums
http://androidforums.com/threads/casio-c811-soft-brick-possible-fix.967172/#post-7136788
Then realize simple thing. Loaders will NOT bring your phone back to the working condition immediately!!!
They will allow you to get the direct access to the eMMC and do WHAT YOU WANT with it. You can partition it as FAT32 UFD and then write your favorite pron there if you want, as you do it with your favorite UFD, but sure, it's simply useless. and stupid. and it will kill the rest of the data on the phone.
PLEASE NOTE! Upon an eMMC detection as a mass storage device in your PC, YOU SHOULD NOT OCCASIONALLY CLICK OK ON ANY WINDOWS REQUESTS ASKING TO INITIALIZE A NEW DRIVE/PARTITIONS!!! IT WILL DAMAGE DATA ON THE PHONE! BE CAREFUL!!!
THERE ARE MORE THEN 20 PROPRIETARY PARTITIONS ON THIS MEDIA WINDOWS SYSTEM HAVE NOTHING TO DO WITH!
Important! The first thing you should do is to BACKUP the whole image of the BROKEN phone including partition table (GPT) and all the partitions (intact or damaged) as a one big 16GB whole physical disk image to some partition that have enough free space. Do NOT try to backup to the FAT32 partitions. The maximum single file size there is 4GB.
I.e. DO a FULLFLASH backup, aka eMMC full backup image, etc., independently on the fact FW is broken at the moment!
Use HDD Raw Copy Tool form the HDDGuru forums or similar tools to make a full image backup.
You can use any data recovery / disk editing utils, like R-Studio or DMDE later to extract any data and/or whole partition images from there later. Please note, that after the MSImage loader flashing your original GPT will be replaced with a small GPT built into the loader, independently on fact was it correct or damaged at the moment of the failure.
However there is NO way to avoid this. There is NO any other way out to boot damaged phone from the QDLoader 9008 state (it's PBL mode) except JTAG involving tools. That's why you will not ba able to easily find all the partitions in the broken phone eMMC image. But you can scan the image (e.g. with R-Studio) and find the remaining partitions (except proprietary) on their places unless partition header/data was not damaged upon crash.
Next you have 3 options to recover the phone to the working condition:
1. Find Casio CA-201L or C811 FULL FLASH IMAGE (eMMC USER_PART) image dumped from phone placed in the same DLOAD mode
2. Find same image got using JTAG tools (in fact same as above)
3. Recreate partitions (write correct GPT) and all the partition data manually using parts of your backup and original factory partition images, most of which (for C811 and partially for CA-201L) you can find on the AndroidForums topic.
Option 1 (or 2) is easy to understand and perform. But there are 3 notes on it
1. You should find Full eMMC image for your phone or the one who will dump his phone's image for you
2. All the ID's, i.e. IMEI, MAC's etc and current User Data will move from that image to your phone.
You can make a user data wipe (Hard Reset) to destroy user data and get a 'factory state' phone later.
I do not know a way to patch IMEI/MAC's back to your originals for a while (do not have phone on my hands for experiments),
but sure these ID's are stored on some of the 'unique' partitions, listed in AndroidForums topic and you can find and extract this partition (unless it damaged) from your damaged eMMC image and flash it to the recovered phone. by any method (directly to the eMMC, using FastBoot mode, using ADB/Linux DD commands). It's theory, that I can't revert to the practice for a while.
3. YOU SHOULD NOT TO ASK A MAN, WHO WILL AGREE TO DUMP HIS PHONE IMAGE FOR YOU TO USE MSImage LOADER METHOD TO SWITCH PHONE TO THE QHSUSB_DLOAD 9006 MODE!!! Otherwise he will DAMAGE HIS GPT AND MODEM FW and you BOTH will get 2 NON WORKING phones instead of 1!!!
There are another methods available to switch this phone to the eMMC DLOAD mode while it resides in the working condition (unless SBL is able to load). The first is to hold both VOL keys at the powering up.
Switch phone off, remove and insert battery to be on the safe side, then hold down VOL+VOL- and press Power Key, then connect USB cable. Other options is to hold VOL keys and connect USB cable without Power key or hold keys and connect USB cable without battery. However these options, most probably will bring QDLoader 9008 mode related to the PBL instead of QHSUSB_DLOAD 9006 mode related to the SBL. That's why if your phone have GPT or SBL structures you can't get it into the QHSUSB_DLOAD 9006 mode unless you will flash MSImage (containing GPT and all SBL-related code) using described procedure.
So, please NOTE one more time YOU SHOULD NOT flash MSImage loader to the working phone! You will damage GPT and get phone to the non working condition!
Another way to switch WORKING phone to the QHSUSB_DLOAD 9006 mode id to use software switcher like the ones, that can be found in QPST eMMC Flashing app and QPST Memory Debug app. Search by google for a detailed manuals with screenshots how to do it (switch to DLOAD) with any Qualcomm based phone (You can try with any, but not all the phones will switch because of customizations!)
There are some other methods circulating around how to force particular WORKING Qualcomm based phones switch to DLOAD mode (using ARM native code app / loader or send command to the Debug port of the modem).
Upon the eMMC image creation you should disconnect working phone fro the USB cable and reboot it to switch back to the normal mode., Just hold Power key for a long time or remove and reinsert the battery.
You should reserve 15-20 minutes of time to perform full eMMC backup procedure.
Upon your damaged phone will switch to the QHSUSB_DLOAD 9006 mode using MSImage loader,
you can simply write one's full working phone's eMMC image using HDD Raw Copy Tool.
Just write from Image file to the eMMC device, then disconnect phone, reset it (reinsert battery) and switch it on.
Phone will boot identically to the donor phone. Perform further generic recovery procedures to revert to your phone to the required condition. You may switch is to the DLOAD mode again using 'normal' way and continue to perform eMMC editing, particular partition images writing, patching, etc.
Option 3 (manual image combining without one's working full image) is much more complicated to proceed, but there are almost all the required data can be found around. Get the original GPT (and GPT backup) from the AndroidForums factory images or look for the GPT backup at the end of the eMMC (It's standard. GPT should have a backup copy at the end of media and eMMC holds this backup, look for it). If you will find GPT backup, try to compare it with ones from the factory images from the AndroidForums.
It will clear for you is your previous FW have had same GPT partition structure and find differences in the partition sizes and locations between your old FW and particular Factory FW. This will help you to extract unique and/or any other req'd partition images from your broken full and inject them to the new full, you building up for whole phone flashing. Use DMDE Disk Editor (Free version is absolutely enough, unless you would like to mass recover files from your data partition with it). It will show you all the GPT structures, their sector ranges. It will help you to locate and extract particular partition Upon correct GPT written to the device (or your new image preparation), you can start to write partitions at their dedicated places. Once you have checked (and/or fixed) all the partitions your phone is ready to swich on. In most cases you have great chance to recover without one's full. The only condition all the small 'unique' partitions that is not included to the factory FW images should be NOT damaged. Please note, that many people reported that damaged/incorrect ModemSTx (modem data / NVRAM) erasure on THIS PARTICULAR PHONE will lead to the working partition recreation (assume w/o IMEI loss) and could be used as one of the NVRAM fixation techniques.
So you should have at least be able to extract important ID's (may be a few others) partition(s) and inject them to your new image (or directly to the eMMC).
That's why you should NEVER start to the recovery (eMMC writing) UNLESS YOU HAVE MADE A BACKUP COPY OF THE DAMAGED eMMC IMAGE!
Sure in 99% you will recover your phone whether you will find one's full (simple) or your will be able to rebuild it using factory (others, why not?) images and the part of your broken eMMC contents.
Good Luck!
I'm attaching here the required files. Please be careful!
Some people just DL files and do not copy the description.
The novices can broke their devices trying to do 'something idiotic'.
Please note, that attached GPT images are definitely for factory M070 FW for C811 version.
You can flash it to any compatible versions (like CA-201L) but I don't know whether it will be identical to your old partition scheme, so the real unique partition data you are looking for may be located at other offsets.
Check manually if you can and always make a full image of the broken FW eMMC first.
Get fresh QPST 2.7.425 here, thanks to drkcobra
http://forum.xda-developers.com/showpost.php?p=59235714&postcount=15
Or look the topic to find later vers (if any)
Direct Link:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Important Update:
Casio C811 GPT images were broken due to the Windows decryption utility compilation problem.
File re-uploaded! Please update!
The Drive, thank you so much, it's working. My phone works normally. Now I want to back up my phone's image to restore it when my phone is bricked by Qualcomm Qloader 9008, but my computer recognizes it as Gz'One Commando 4G LTE virtual serial port, not HSUSB qloader. What should I do?
To backup eMMC full image from the WORKING device you SHOULDN'T get it into the QDLoader 9008 mode nor flash loaders!!!
Loaders flashing will bring you into the QHSUSB_DLOAD 9006 but it WILL BREAK your GPT so you'll be forced to rebuild it to boot normally later!!! I don't know the name the device is detected by on the PC because I've never had this device in my hands, but I've explored its FW's and code and found the way to recover it in many aspects including loader flashing (thanks go to nugiedha from Android Forums), IMEI/MAC/S/N patching (look in the 4pda topic), etc. The QDLoader mode has PID=9008, DLOAD mode has PID=9006. Diags port of the working device usually has PID=9025. USB VID should be 05C6 or may be customized by the device's OEM. There are decades of other PID's for the virtual Qualcomm chipset devices (PID's, e.g. Modem, RMNet, GPS, Mass Storage, MTP, etc).
To get eMMC dump from the WORKING device you should use QPST.
Configure QPST to make it find the device's Diags COM port (Qualcomm HS-USB Diagnostics 9025). There are decades of manuals with screenshots around on how to set up and work with QPST. Then run the QPST eMMC Download util (Windows start menu). Then select your found phone on some port and click the 'Switch device to DLOAD' button. That's all! The device should switch to the QHSUSB_DLOAD 9006 mode in a few seconds. You should note the new mass storage device found in your Windows device manager. Please avoid occasionally clicking OK on any of the device initialization requests Windows will bring to the screen (otherwise you'll damage your FW!). Then get some HDD low level managing tool and backup/restore any partitions/whole image from/to the device. HDD Raw Copy Tool is found to be a good and reliable one for the whole disk image operations. There is also eMMC Raw Tool which is known to be useful to backup/restore particular partitions, but I've found it's not reliable for some reasons. Sometimes it doesn't see any eMMC devices (it has too strong restrictions on the accepted USB medias trying to avoid non-eMMC devices), sometimes it's known to some kind broken FW (many reports but I don't know whether it's the tool's or user's failure). You can use DMDE/R-Studio/other professional data recovery utils to manage (recover) any data on the eMMC in the 9006 mode.
GPT images for Casio G'zOne Commando C811 (US Verizon) and Casio CA-201L (Korean) are slightly different.
Compare partition tables below. The most important difference is that the Modem FW partition size is 100MB for C811 vs 64MB for CA-201L. The Modem FW partition is the first one so all the following partitions have different sector offsets, which is important for the successful recovery targets. Also there is an ExtRes partition at the end of the C811 eMMC. It contains about 200MB of the useless Verizon/Commando promotion videos so you can simply omit it when porting FW between devices (simply format it to ext4 and use as a small 'secret' storage).
Code:
CASIO C811 vs CASIO CA-201l GPT's
C811                                        CA-201l
offset        : name       : size           offset        : name       : size
0x000000000000: partitions :        4608    0x000000000000: partitions :        4608
0x000004000000: modem      :   104857600    0x000004000000: modem      :    67108864
0x00000c000000: sbl1       :      131072    0x000008000000: sbl1       :      131072
0x00000c020000: sbl2       :      262144    0x000008020000: sbl2       :      262144
0x00000c060000: sbl3       :      524288    0x000008060000: sbl3       :      524288
0x00000c0e0000: aboot      :      524288    0x0000080e0000: aboot      :      524288
0x00000c160000: rpm        :      524288    0x000008160000: rpm        :      524288
0x000010000000: boot       :    10485760    0x00000c000000: boot       :    10485760
0x000014000000: tz         :      524288    0x000010000000: tz         :      524288
0x000014080000: pad        :        1024    0x000010080000: pad        :        1024
0x000014080400: modemst1   :     3145728    0x000010080400: modemst1   :     3145728
0x000014380400: modemst2   :     3145728    0x000010380400: modemst2   :     3145728
0x000014680400: nvbackup   :     3145728    0x000010680400: nvbackup   :     3145728
0x000018000000: system     :  1342177280    0x000014000000: system     :  1342177280
0x00006c000000: userdata   : 11710496768    0x000068000000: userdata   : 12113149952
0x000326000000: persist    :     8388608    0x00033a000000: persist    :     8388608
0x000326800000: cache      :   734003200    0x00033a800000: cache      :   734003200
0x000354000000: tombstones :    73400320    0x000368000000: tombstones :    73400320
0x000358600000: misc       :     1048576    0x00036c600000: misc       :     1048576
0x00035c000000: recovery   :    10485760    0x000370000000: recovery   :    10485760
0x00035ca00000: fsg        :     3145728    0x000370a00000: fsg        :     3145728
0x000360000000: ssd        :        8192    0x000374000000: ssd        :        8192
0x000364000000: fota       :   536870912    0x000378000000: fota       :   536870912
0x000384000000: ftm        :      131072    0x000398000000: ftm        :      131072
0x000384020000: crash      :      131072    0x000398020000: crash      :      131072
0x000384040000: f3         :      131072    0x000398040000: f3         :      131072
0x000384060000: log        :     8388608    0x000398060000: log        :     8388608
0x000388000000: extres     :   467648000    0x000398860000: grow       :   190430720
0x000398000000: grow       :           0
Both binary GPT images are attached below
Update:
Earlier in summer I have fully discovered IMEI/MAC/etc ID storage locations and found the ways to recover them with a binary patch.
This unique phone (unlike most other similar Qualcomm-based devices) has a very good feature. It has encrypted EFS/NVRAM partitions (ModemST1/ModemST2) that seem to have a binary structure identical or close to the reference Qualcomm design. But the OEM has made an extension to the modem FW. There is one more important partition in the eMMC called nvbackup. This partition contains the most important NVRAM settings required to reinitialize NVRAM in the case of a fatal failure.
The binary data structure in the nvbackup is proprietary to the Casio-Nec OEM, however this partition is not encrypted in any manner. For people familiar with binary patching there is no problem to find and patch any ID's (IMEI/MAC/Serial/etc) to recover originals lost due to e.g. foreign full eMMC image uploading.
When the main EFS/NVRAM storage is intact, the phone will work OK with the ID's found there. Once EFS becomes damaged in some way, the modem FW will erase it and immediately reinitialize the new NVRAM inside. Then NVRAM will be filled with the default values, and ID's will be copied from the nvbackup partition. That's why many users reported (in android-forums etc) they have had ModemSTx partitions erased and got a working modem with no other problems, which is simply impossible in any other similar devices. Once the encrypted ModemSTx (EFS/NVRAM) is damaged in some way it will bring any other device to the inoperable mode with lost IMEI and non-working modem (SP connectivity will be completely impossible). That's why this phone is unique and NVRAM failure-proof.
So to restore your original IMEI/MAC/etc just:
1. Get the working nvbackup image (from other's full or dump from your phone),
2. Find in the image and patch all the ID's you want to restore with the values from the device sticker.
3. Flash [back] the nvbackup image to its place (partition) in the device.
4. Erase ModemST1/ModemST2 partitions (make the backup first to be on the safe side!)
5. Reboot device and check modem is working and ID's are in their places.
The big and detailed articles on the theme how to find and patch the particular ID's and other details you can find in the topic on the 4pda.ru Russian forums mentioned above. (in Russian, use google translator.) Look closer to the last pages (May-July 2016)
Moreover!
You can use the standard Qualcomm QPST application to work with the NVRAM of this device through the Qualcomm Diag COM port.
Use QPST -> Software Download -> Backup/Restore interface to backup or restore the whole [main] NVRAM image to the Qualcomm QCN format file. You can binary patch this file before restoration to fix your ID's. There are many instructions around the internet how to patch QCN with the correct IMEI. You can also view QCN file and export its structure to the human-readable ASCII text form using QCNView utility (provided with QPST installation).
However if you fix the main NVRAM by uploading a correctly patched QCN you will get the ID's (IMEI) you have written in, and your device will work with them unless an EFS/NVRAM failure occurs. On the failure NVRAM will be reinitialized as I've described above and your ID's will be filled in with the values from the nvbackup. Probability of the EFS failure is very small unless you perform 'massive' (dangerous) modem FW related 'experiments'. But this possibility persists anyway. That's why it's preferred to patch the nvbackup image rather than QCN to permanently recover ID's.
Now, upon a disclosure of all the most important boot and modem related facts, data structures and required code, this device can be recovered, probably, from ANY damaged state and condition related to a SOFTWARE failure. All you have to do is 'heavily' read and try to understand thousands of strings of the multiple articles. There is enough information to recover this device but many procedures are complicated even for advanced users who are familiar with many advanced techniques and tools. 'The man can do anything' say people in my country. I've done the exploration and disclosure of all these complicated device internals even though I've never seen this device nor touched it with my hands. Sure, you will be able to fix this device once you really want to.
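The GPT comparison and the backup-GPT lookup described in the post above, as an added example that is not part of the original posts: a Python reader that validates the primary GPT of a raw eMMC image dump by CRC32, falls back to the backup copy in the last sector, and diffs two layouts. It assumes 512-byte sectors; all function names are hypothetical, the sample images are constructed and truncated to the GPT sectors only, and the three sample rows are taken from the table above.

```python
import struct
import zlib

SECTOR = 512                    # assumption: 512-byte logical sectors
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header (UEFI specification)
ENT_FMT = "<16s16sQQQ72s"       # 128-byte partition entry


def _header_at(image, lba):
    """Parse the GPT header at `lba`; return its entry-array fields, or None if invalid."""
    raw = bytes(image[lba * SECTOR:(lba + 1) * SECTOR])
    if len(raw) < SECTOR or raw[:8] != b"EFI PART":
        return None
    f = struct.unpack_from(HDR_FMT, raw)
    hdr_size, hdr_crc, entry_size = f[2], f[3], f[12]
    if not 92 <= hdr_size <= SECTOR or entry_size < 128:
        return None
    # The header CRC32 is computed with its own field (bytes 16..19) zeroed.
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:hdr_size]) != hdr_crc:
        return None
    return {"lba": f[10], "count": f[11], "size": entry_size, "crc": f[13]}


def _entries(image, hdr):
    """Return [(byte offset, name, byte size)], or None if the entry array fails its CRC."""
    start, length = hdr["lba"] * SECTOR, hdr["count"] * hdr["size"]
    blob = bytes(image[start:start + length])
    if len(blob) != length or zlib.crc32(blob) != hdr["crc"]:
        return None
    parts = []
    for i in range(hdr["count"]):
        type_guid, _, first, last, _, name = struct.unpack_from(ENT_FMT, blob, i * hdr["size"])
        if type_guid != bytes(16):  # an all-zero type GUID marks an unused slot
            label = name.decode("utf-16-le", "replace").split("\0")[0]
            parts.append((first * SECTOR, label, (last - first + 1) * SECTOR))
    return parts


def read_gpt(image):
    """Use the primary GPT (LBA 1) if it verifies, else the backup in the last sector."""
    for source, lba in (("primary", 1), ("backup", len(image) // SECTOR - 1)):
        hdr = _header_at(image, lba)
        parts = _entries(image, hdr) if hdr else None
        if parts is not None:
            return source, parts
    raise ValueError("no valid GPT header/entry array found")


def layout_diff(a, b):
    """Return {name: (offset delta, size delta)} for partitions that differ between a and b."""
    ref = {name: (off, size) for off, name, size in b}
    out = {}
    for off, name, size in a:
        if name in ref and (off, size) != ref[name]:
            out[name] = (off - ref[name][0], size - ref[name][1])
    return out


def build_image(parts, total_sectors=128):
    """Constructed test input: a truncated image that holds only the two GPT copies."""
    img = bytearray(total_sectors * SECTOR)
    entries = bytearray(128 * 128)
    for i, (off, name, size) in enumerate(parts):
        first = off // SECTOR
        struct.pack_into(ENT_FMT, entries, i * 128, b"\x01" * 16, bytes([i + 1]) * 16,
                         first, first + size // SECTOR - 1, 0, name.encode("utf-16-le"))

    def header(my_lba, alt_lba, ent_lba):
        h = bytearray(struct.pack(HDR_FMT, b"EFI PART", 0x10000, 92, 0, 0, my_lba, alt_lba,
                                  34, total_sectors - 34, b"\x02" * 16, ent_lba, 128, 128,
                                  zlib.crc32(bytes(entries))))
        struct.pack_into("<I", h, 16, zlib.crc32(bytes(h)))
        return h

    last = total_sectors - 1
    img[SECTOR:SECTOR + 92] = header(1, last, 2)
    img[2 * SECTOR:34 * SECTOR] = entries
    img[(last - 32) * SECTOR:last * SECTOR] = entries
    img[last * SECTOR:last * SECTOR + 92] = header(last, 1, last - 32)
    return img


# Sample rows copied from the comparison table in the post (offset, name, size).
C811 = [(0x4000000, "modem", 104857600), (0xc000000, "sbl1", 131072),
        (0xc020000, "sbl2", 262144)]
CA201L = [(0x4000000, "modem", 67108864), (0x8000000, "sbl1", 131072),
          (0x8020000, "sbl2", 262144)]

if __name__ == "__main__":
    damaged = build_image(C811)
    damaged[SECTOR:2 * SECTOR] = bytes(SECTOR)  # constructed damage: primary header wiped
    source, parts = read_gpt(damaged)
    print("GPT taken from:", source)
    for off, name, size in parts:
        print(f"0x{off:012x}: {name:<10} : {size}")
    print(layout_diff(C811, CA201L))
```

Run it against a copy of the dump, never the device itself; on a real image pass the file contents (or an `mmap` of the file) to `read_gpt`.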
Hi, TheDrive . Are you following this post? I have found instruction guide build AOSP for casio GZone from NEC in here: http://www.n-keitai.com/gpl/w/list/GzOne_COMMAND_4G_LTE_Jelly_Bean.html (instruction in procedure.txt). But I don't know how to flash this rom to my device, can you help me to do, please. This is screen from my computer with files built from this project:
https://goo.gl/photos/ARj54MHfThxsB5WV7, and this is some system file was built: https://drive.google.com/file/d/0B46dIM-QMF8pWHY4cXRNWS13LVU/view?usp=sharing
1. Thanks for the sources. Casio closed original site and sources too.
I do attach all the files they published. It seems to be a small piece of all the sources they hide.
View attachment CasioGzOneC811_OpenSource.zip
2. I do rarely visit this topic. I do NOT have this device nor ever had nor even ever seen it live. You can find me via PM here or in the Russian 4pda.ru forums.
It's a good idea to write to this topic, but you should some kind acknowledge me to read. I've now subscribed to this thread and will try to visit if someone is looking for me.
3. I never compiled AOSP for any device. I do afraid and wanna escape when I see instructions I should get 10GB of sources, setup 1GB compilation environment and compile for 2-3 hours on the multicore PC.
I've explored your binaries.
I've no working Casio FW's by my hand now to compare
I don't know what is bootloader (w/o extension). Secondary bootloader - SBL on these Casio phones as far as I can remember consists of the files SBL1/SBL2/SBL2/RPM/TZ. 3rd bootloader is aboot - it seems to be bootloader is identical to emmc_appsboot.mbn and EMMCBOOT.MBN so it should be the aboot image.
Aboot should provide fastboot functionality, useful to flash FW, so I wouldn't touch (reflash) it w/o a reason.
Kernel should be the kernel built into the boot.img. It's useless for flashing.
Same about ramdisk.img
Same about recovery-ramdisk.img but this package should be built into the recovery.img not the boot.img. boot.img is a Linux kernel with a RAM disk ready to flash. boot.img seems to be correct, but I don't know will it work or hang.
system.img and userdata.img should be ext4 images of the system and data (userdata) partitions. I don't know are they full of required files or not.
Compare contents (unpack ExtFS images, compare file lists and contents) with the original firmware images.
cache.img and persist.img seem to be empty ext4 images. I can't remember whether the factory persist image should contain any data or not. Do compare.
You can find a variety of the factory and custom FW's in the 4pda.ru topic I've linked in the above messages. There are instructions there on how to flash custom FW's too. That topic seems to be the place this device(s) is most discussed in the world ever (over 250 pages). However this device was never officially sold in Russia at all. Idiots in Casio/Nec failed to enter the most perspective market.
Russians (and CIS) ordered these devices from the USA (locked ones!) and other countries, including used ones, for expensive prices. Our country is full of the wild nature places free for visiting and trip (unless you wouldn't do a something scary to the nature). That's why these phones, ready to fall-and-wet, are so required here, especially by the professional and amateur fishers and hunters and simply trippers.
To flash use standard procedures, I don't know which mode is the best to use.
Images should be ready to flash in the standard fastboot mode. To use official upgrade method there was some util which flashed official FW's assembled into the one-big-file container. One user from AndroidForums have developed util to unpack them. I don't think you should write your util to repack it back.
To be on the safe side you should have all the backups, including full flash image and the particular partition images of the every partition.
In common people most probably custom some parts of the system image. More rarely the kernel (boot.img) and yet more rarely anything else.
It seems userdata partition contains 133MB of the initial data. In many devices userdata could be freely erased and formatted to make device 'factory new' in the FW part. This one contains something of amount. Probably some bundled applications and their data.
You can discuss also in some AOSP/other FW customization topics related to the recompilation of the sources. There should be more people there able to advice you with a source related aspects.
Sorry for an errors and mistyping, if any, no time to check and correct.
Hey guys!
Where are your reports, happy-end stories and thanks?
Files downloaded hundreds of times but no one tries to help
thaihoangduylinh.
Are there no people familiar with an Android compilation? (it dev's forum!!!)
Guys! Please help each other and God will help you!
TheDrive, you helped me a lot. Thanks for all your help efforts.
My device has so many bugs, I'm disappointed with the casio brand.
But I like casio gzone, I really want to recreate the rom for it, but it looks like it's not ok, it's beyond my ability
Same problem
TheDrive said:
Hey guys!
Where are your reports, happy-end stories and thanks?
Files downloaded hundreds of times but no one tries to help
thaihoangduylinh.
Are there no people familiar with an Android compilation? (it dev's forum!!!)
Guys! Please help each other and God will help you!
Hi, I've been trying to follow your instructions but I'm completely lost. Casio gz c811 is basically doing the encryption unsuccessful loop. And when I get to recovery the only thing that appears is the dead android dude with no options
Described unbrick procedure was successfully performed by many people and should work unless hardware is OK. There are many cases, not only with this device, when eMMC catches bad blocks and/or fully blocks or hangs due to the internal structures damages (particularly translation tables, like it often occurs to the USB flash drives). There is no way to fix it mostly because eMMC and SD cards require professional equipment to deal with low level firmware initialization and capacity format. Factory utilities do not leak, like occurs with UFD, because almost no one can execute them without special factory card readers. There are the professional utils for the onboard eMMC management including some eMMC internal FW interaction like ATF-box. But in most cases internal eMMC failures lead to the expensive eMMC replacement (reballing) or the whole device drop.
If you suspect your eMMC has hardware failures you should get your phone to the 9006 DL mode and when it exposes eMMC contents to the PC as a mass storage device try to test capacity for readability. At first make a full image for test and backup. If there are no read errors, you can test the device for write performance.
You have not described your actions to fix the problem and any results you got. If the described architecture and recovery procedures are too complicated for you you can ask some advanced friend to help you on site using provided instructions and discussions in other forums I've pointed to.
WOW Thanks for all the info
TheDrive said:
PLEASE CAREFULLY READ WHOLE MESSAGE and OBEY ALL THE PRECAUTIONS!
Please do NOT DO a thing unless you UNDERSTAND all the infos!!!
This was a total problem for years. Casio/Nec have hidden original FW and loader required to flash the phone with damaged GPT or SBL (SBL level loaders). It's illegal in the context of consumer rights in many countries and violates GNU/GPL Linux/components licenses (independently of the fact the loaders itself are the Qualcomm/OEM proprietary SW, but we couldn't use and develop this particular Linux build w/o them). No FW sources were published. Casio-NEC JSC ****ed up the users and now gone from the market and closed support services/servers just upon closing. It's a shame for these respectable Japanese companies which reputation was clear for the decades. I don't care about any law aspects related to the JSC. Casio and Nec have used their brands to sell these devices and it's a shame for them all. I can't realize why could a web server support and source publishing cost any much for a billion corps. There are the laws in many countries requiring parts supply for a whole time of declared device serve period. Is Casio/Nec device's serve period now is set as 1 year only now?
If you have lost some money for an ineffective market policy, should your customers , respond for that?
These phones due to unique 'protected' design, good quality and parts are widely popular around the world far away from the official market places. Who have decided not to officially expand to these markets at the time?
There is good sales potential for a good quality protected phones (especially high branded) at the current time.
Adequate ads activity should provide a small but valuable market share.
Let's back to our problems
Now this, PBL-only bricking (QDloader 9008 only) problem has been partially fixed.
You should read my articles here (in English):
http://androidforums.com/threads/rom-stock-c811-m070-firmware-zip-file-4-1-2.878959/page-3
to understand internal eMMC architecture. Please realize you should try to UNDERSTAND, but not simply think how to quickly FIX your brick! You'll fix nothing unless you will understand what's going on and what's the parts responsible for which state.
Next step, go to the Russian 4pda.ru forums and read my instructions how to flash loaders and get into the Qualcomm QHSUSB_DLOAD 9006 mode.
http://4pda.ru/forum/index.php?showtopic=497930&view=findpost&p=50105534
Sorry, Russian only for a while. You can translate pages with Google translator.
DO NOT DO a THING YET NOW! Simply READ and THINK!
Also read the discussion on that page and a few on the previous and the next pages. DL files (e.g. FW's, utils) you think could help you later on context. (4PDA reg req'd to DL attachments. It isn't complicated, but the service may ask you to enter a numeric captcha described as numeric-words in Russian. That's the problem for non Russian speakers. Once you get the problem note it asks you a random 4-cipher number. Try to translate somehow or request req'd files to upload here. Look, maybe these files are already uploaded on the AndroidForums (link above and other topics).)
(If the messages/links will some kind shift by the time look for the manual posted on 03.06.2016, 02:28 GMT+3 and around)
Big thanks for the correct and the only working Casio C811 / CA-201L loaders go to the nugiedha @ANDROIDForums
http://androidforums.com/threads/casio-c811-soft-brick-possible-fix.967172/#post-7136788
Then realize simple thing. Loaders will NOT bring your phone back to the working condition immediately!!!
They will allow you to get the direct access to the eMMC and do WHAT YOU WANT with it. You can partition it as FAT32 UFD and then write your favorite pron there if you want, as you do it with your favorite UFD, but sure, it's simply useless. and stupid. and it will kill the rest of the data on the phone.
PLEASE NOTE! Upon an eMMC detection as a mass storage device in your PC, YOU SHOULD NOT OCCASIONALLY CLICK OK ON ANY WINDOWS REQUESTS ASKING TO INITIALIZE A NEW DRIVE/PARTITIONS!!! IT WILL DAMAGE DATA ON THE PHONE! BE CAREFUL!!!
THERE ARE MORE THAN 20 PROPRIETARY PARTITIONS ON THIS MEDIA WINDOWS SYSTEM HAVE NOTHING TO DO WITH!
Important! The first thing you should do is to BACKUP the whole image of the BROKEN phone including partition table (GPT) and all the partitions (intact or damaged) as a one big 16GB whole physical disk image to some partition that have enough free space. Do NOT try to backup to the FAT32 partitions. The maximum single file size there is 4GB.
I.e. DO a FULLFLASH backup, aka eMMC full backup image, etc., independently on the fact FW is broken at the moment!
Use HDD Raw Copy Tool from the HDDGuru forums or similar tools to make a full image backup.
You can use any data recovery / disk editing utils, like R-Studio or DMDE later to extract any data and/or whole partition images from there later. Please note, that after the MSImage loader flashing your original GPT will be replaced with a small GPT built into the loader, independently on fact was it correct or damaged at the moment of the failure.
However there is NO way to avoid this. There is NO other way out to boot damaged phone from the QDLoader 9008 state (it's PBL mode) except JTAG involving tools. That's why you will not be able to easily find all the partitions in the broken phone eMMC image. But you can scan the image (e.g. with R-Studio) and find the remaining partitions (except proprietary) on their places unless partition header/data was not damaged upon crash.
Next you have 3 options to recover the phone to the working condition:
1. Find Casio CA-201L or C811 FULL FLASH IMAGE (eMMC USER_PART) image dumped from phone placed in the same DLOAD mode
2. Find same image got using JTAG tools (in fact same as above)
3. Recreate partitions (write correct GPT) and all the partition data manually using parts of your backup and original factory partition images, most of which (for C811 and partially for CA-201L) you can find on the AndroidForums topic.
Option 1 (or 2) is easy to understand and perform. But there are 3 notes on it
1. You should find Full eMMC image for your phone or the one who will dump his phone's image for you
2. All the ID's, i.e. IMEI, MAC's etc and current User Data will move from that image to your phone.
You can make a user data wipe (Hard Reset) to destroy user data and get a 'factory state' phone later.
I do not know a way to patch IMEI/MAC's back to your originals for a while (do not have phone on my hands for experiments),
but sure these ID's are stored on some of the 'unique' partitions, listed in AndroidForums topic and you can find and extract this partition (unless it damaged) from your damaged eMMC image and flash it to the recovered phone. by any method (directly to the eMMC, using FastBoot mode, using ADB/Linux DD commands). It's theory, that I can't revert to the practice for a while.
3. YOU SHOULD NOT TO ASK A MAN, WHO WILL AGREE TO DUMP HIS PHONE IMAGE FOR YOU TO USE MSImage LOADER METHOD TO SWITCH PHONE TO THE QHSUSB_DLOAD 9006 MODE!!! Otherwise he will DAMAGE HIS GPT AND MODEM FW and you BOTH will get 2 NON WORKING phones instead of 1!!!
There are another methods available to switch this phone to the eMMC DLOAD mode while it resides in the working condition (unless SBL is able to load). The first is to hold both VOL keys at the powering up.
Switch phone off, remove and insert battery to be on the safe side, then hold down VOL+VOL- and press Power Key, then connect USB cable. Other options is to hold VOL keys and connect USB cable without Power key or hold keys and connect USB cable without battery. However these options, most probably will bring QDLoader 9008 mode related to the PBL instead of QHSUSB_DLOAD 9006 mode related to the SBL. That's why if your phone have GPT or SBL structures you can't get it into the QHSUSB_DLOAD 9006 mode unless you will flash MSImage (containing GPT and all SBL-related code) using described procedure.
So, please NOTE one more time YOU SHOULD NOT flash MSImage loader to the working phone! You will damage GPT and get phone to the non working condition!
Another way to switch WORKING phone to the QHSUSB_DLOAD 9006 mode is to use software switcher like the ones that can be found in QPST eMMC Flashing app and QPST Memory Debug app. Search by google for detailed manuals with screenshots how to do it (switch to DLOAD) with any Qualcomm based phone (You can try with any, but not all the phones will switch because of customizations!)
There are some other methods circulating around how to force particular WORKING Qualcomm based phones switch to DLOAD mode (using ARM native code app / loader or send command to the Debug port of the modem).
Upon the eMMC image creation you should disconnect working phone from the USB cable and reboot it to switch back to the normal mode. Just hold Power key for a long time or remove and reinsert the battery.
You should reserve 15-20 minutes of time to perform full eMMC backup procedure.
Upon your damaged phone will switch to the QHSUSB_DLOAD 9006 mode using MSImage loader,
you can simply write one's full working phone's eMMC image using HDD Raw Copy Tool.
Just write from Image file to the eMMC device, then disconnect phone, reset it (reinsert battery) and switch it on.
Phone will boot identically to the donor phone. Perform further generic recovery procedures to revert your phone to the required condition. You may switch it to the DLOAD mode again using 'normal' way and continue to perform eMMC editing, particular partition images writing, patching, etc.
Option 3 (manual image combining without one's working full image) is much more complicated to proceed, but there are almost all the required data can be found around. Get the original GPT (and GPT backup) from the AndroidForums factory images or look for the GPT backup at the end of the eMMC (It's standard. GPT should have a backup copy at the end of media and eMMC holds this backup, look for it). If you will find GPT backup, try to compare it with ones from the factory images from the AndroidForums.
It will clear for you is your previous FW have had same GPT partition structure and find differences in the partition sizes and locations between your old FW and particular Factory FW. This will help you to extract unique and/or any other req'd partition images from your broken full and inject them to the new full, you building up for whole phone flashing. Use DMDE Disk Editor (Free version is absolutely enough, unless you would like to mass recover files from your data partition with it). It will show you all the GPT structures, their sector ranges. It will help you to locate and extract particular partition Upon correct GPT written to the device (or your new image preparation), you can start to write partitions at their dedicated places. Once you have checked (and/or fixed) all the partitions your phone is ready to swich on. In most cases you have great chance to recover without one's full. The only condition all the small 'unique' partitions that is not included to the factory FW images should be NOT damaged. Please note, that many people reported that damaged/incorrect ModemSTx (modem data / NVRAM) erasure on THIS PARTICULAR PHONE will lead to the working partition recreation (assume w/o IMEI loss) and could be used as one of the NVRAM fixation techniques.
So you should have at least be able to extract important ID's (may be a few others) partition(s) and inject them to your new image (or directly to the eMMC).
That's why you should NEVER start to the recovery (eMMC writing) UNLESS YOU HAVE MADE A BACKUP COPY OF THE DAMAGED eMMC IMAGE!
Sure in 99% you will recover your phone whether you will find one's full (simple) or your will be able to rebuild it using factory (others, why not?) images and the part of your broken eMMC contents.
Good Luck!
I'm attaching here the required files. Please be careful!
Some people just DL files and do not copy the description.
The novices can break their devices trying to do 'something idiotic'.
Please note, that attached GPT images are definitely for factory M070 FW for C811 version.
You can flash it to any compatible versions (like CA-201L) but I don't know whether it will be identical to your old partition scheme, so the real unique partition data you are looking for may be located at other offsets.
Check manually if you can and always make full broken FW eMMC image at first.
Get fresh QPST 2.7.425 here, thanks to drkcobra
http://forum.xda-developers.com/showpost.php?p=59235714&postcount=15
Or look the topic to find later vers (if any)
Direct Link:
http://www.mediafire.com/download/neeapht51ub2333/QPST.WIN.2.7_Installer-00425.1.zip
Important Update:
Casio C811 GPT images were broken due to the Windows decryption utility compilation problem.
File re-uploaded! Please update!
Well, I'll try and go step by step on this and see if I can get this to work. Thanks for your help and time.
---------- Post added at 10:11 AM ---------- Previous post was at 10:04 AM ----------
TheDrive said:
Hey guys!
Where are your reports, happy-end stories and thanks?
Files downloaded hundreds of times but no one tries to help thaihoangduylinh.
Are there no people familiar with an Android compilation? (it dev's forum!!!)
Guys! Please help each other and God will help you!
still working on it will keep you posted
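The primary/backup GPT comparison described in the quoted instructions above, as an added example that is not part of the original posts: it reads the GPT header at LBA 1 and the backup at the last sector of a full eMMC dump, checks both CRC32 fields, and lists partitions whose ranges differ. The 512-byte sector size, the function names and the sample image (with constructed partitions `modemst1` and `boot`) are assumptions made for illustration.

```python
import struct, zlib

SECTOR = 512  # assumption: 512-byte logical sectors in the dump
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header (UEFI spec)

def read_gpt(img, lba):
    """Return (crc_ok, {name: (first_lba, last_lba)}) for the GPT header at lba."""
    sec = bytes(img[lba * SECTOR:(lba + 1) * SECTOR])
    (sig, _, hsize, hcrc, _, _, _, _, _, _,
     ent_lba, n_ent, ent_size, ent_crc) = HDR.unpack_from(sec)
    if sig != b"EFI PART" or not 92 <= hsize <= SECTOR or ent_size < 128:
        return False, {}
    table = bytes(img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size])
    # The header CRC is calculated with its own CRC field set to zero.
    hdr_ok = zlib.crc32(sec[:16] + bytes(4) + sec[20:hsize]) == hcrc
    parts = {}
    for off in range(0, len(table) - ent_size + 1, ent_size):
        entry = table[off:off + ent_size]
        if entry[:16] == bytes(16):      # all-zero type GUID = unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").rstrip("\0")
        parts[name] = (first, last)
    return hdr_ok and zlib.crc32(table) == ent_crc, parts

def compare_gpt(img):
    """Check primary (LBA 1) against backup (last LBA); list differing partitions."""
    p_ok, primary = read_gpt(img, 1)
    b_ok, backup = read_gpt(img, len(img) // SECTOR - 1)
    diff = sorted(n for n in primary.keys() | backup.keys()
                  if primary.get(n) != backup.get(n))
    return p_ok, b_ok, diff

# --- constructed sample image (not a real phone dump) ---
def _entry(name, first, last):
    return (b"\x11" * 32 + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\0"))

def _header(cur, alt, ent_lba, table):
    h = HDR.pack(b"EFI PART", 0x10000, 92, 0, 0, cur, alt, 3, 125,
                 bytes(16), ent_lba, 4, 128, zlib.crc32(table))
    return h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]

def build_sample(total=128):
    table = _entry("modemst1", 40, 47) + _entry("boot", 48, 63) + bytes(256)
    img = bytearray(total * SECTOR)
    for hdr, alt, ent in ((1, total - 1, 2), (total - 1, 1, total - 2)):
        img[hdr * SECTOR:hdr * SECTOR + 92] = _header(hdr, alt, ent, table)
        img[ent * SECTOR:ent * SECTOR + 512] = table
    return img
```

Run `compare_gpt` on a copy of the damaged dump, never on the only backup; a `False` for the primary with `True` for the backup means the copy at the end of the media is the one to trust for partition offsets.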
I would like to sacrifice my C811 for helping all of you to unbrick your devices
TheDrive said:
Please do NOT DO a thing unless you UNDERSTAND all the infos!!!
Thanks a lot for so useful infos, Drive :good:
I made a brick a few years ago and today I saw a little ray of sun when I did a load by your instructions. Now I have faced a small hitch: my device, after loading by MPRG8960+8960_msimage, almost loads as a flash drive, but in the devices list I see NCMC_DLOAD
Already tried drivers from Google (com, mdm) and Qualcomm (most of them) for USB and COM devices. Only the ADB drivers from Google seem useful, but my system didn't find any flash drives with them
Device works as NCMC_DLOAD even w/o battery.
Update: solution for all newbies like me, novices who will be asking about this NCMC_DLOAD. Guys, you should install G'zone_USB_driver.exe (found on the 4pda.ru community; I can't add a link in my message now)
Let's take the next steps and the first experiment for me
Sampson78, congrats with your first personal unbricking experience! Knowledge is power and it couldn't be given 'easy'. You've shown your strong intention and got result!
Added native Windows driver from 4pda, you mentioned above.
Of course, do read 4pda. Everything is described in more detail there, more aspects are covered, the discussion is far broader and more fruitful, and it is in Russian too. In particular, the modem's data storage structure and the working methods are laid out there, and there are people who use the device all the time and can help (let me remind you that I have never even had one). However, what I have managed to give here is enough to revive a brick, if its hardware is sound. Quite enough, and in great detail too. The only difficulty is that there is a lot of unfamiliar info for a novice, and all of it at once, in one moment, not like at school, where new material is added little by little. Understanding makes the procedure, if not exactly simple, then far simpler and clearer. All of this was also made by people and for people; everything there is reasonable and understandable, though not always optimal. Another matter is that "the authorities are hiding it" and push primitive, idiotic working methods that give only a small fraction of control, though they are in no way simpler or clearer. Almost all Qualcomm-based devices work similarly, but each has its own nuances, sometimes very significant ones.