
Unbricking d6603 / xperia z3?

11 replies to this topic

#1 OFFLINE   nailyk


Posted 22 May 2017 - 18:47

Sorry I will open another topic about hard-softbricked d6603.

 

Introduction:

I have two Z3s; one has hardware damage but still boots up. I was not able to fix that hardware damage with my air reflow station, so swapping the eMMC is not a solution (for now).

I would really like to find a software way to solve this. I have almost all the time it requires and *some* lab equipment.

 

How I bricked it:

I 'accidentally' wrote junk into the TZ partition while attempting to solve HW encryption support in LineageOS. To be accurate, the flashtool sin extract failed and I got like 8B of junk before the right header.

Anyway, the device doesn't start anymore.

 

What had been tested:

Here, on xda, is almost everything I have already done. I will try to summarize:

- With the known testpoint the device gets detected as "SOMC flash device" but no software seems able to handle it.

    - flashtool recognises it but it looks like there is no flash mode for it,

    - s1tool is able to communicate, retrieves the hardware ID and throws 'unsupported'

- The actual bootloader output shows booting until TZ exec, where it fails (obviously)

- Inserting an sdcard clearly has effects, as loading times increased a lot (depending on sdcard speed)

 

Someone on IRC really helped me with that sdcard trick but for now with no results. I just ordered a V30 sdcard because slow sdcards seem to be problematic on other devices he tried.

The idea behind the sdcard is to write a specific GPT table, with the right partition types, as the preloader can load them instead of the eMMC ones.

 

I am wondering if:

- there is a specific testpoint for the sdcard swap,

- it is required to have a specific board/box/software for JTAG reflash (I prefer a software way but, you know, I want to fix it) or whether a Bus Pirate/Raspberry Pi can do the trick,

- a specific test point exists to use the 'alt_' partitions instead of the normal ones / how to trigger a copy of the 'alt_' partitions into the normal ones?

 

The idea behind this is: solve my device, make something usable for everyone (a lot of devices are bricked on xda because of that bootloader DRM ****)

 

 

Thanks in advance for your advice.

 

 

P.S.: from the 'UART' connector (let's call RX 1 and the opposite one 20) I noticed some similar curves with my scope (analog, no way to dump):

9 seems to be the 'SOMC' testpoint

11, 12, 13, 15, 16, 18 have really similar curves: they jump to high level while the CPU is on, but only the 'SOMC' testpoint has a resistance of 150 kΩ. All the ones listed have really low, or really high impedances.

P.S.2: sorry for the wrong vocabulary and bad English, I am really new to this world :)


Edited by nailyk, 22 May 2017 - 18:51.

  • 0
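
A pre-flash sanity check for the failure described in post #1 (a few bytes of junk in front of the expected header), as an added example that is not part of the original post. It assumes the extracted image is a little-endian ELF32 file, which the thread does not state; all names are hypothetical and the sample image is constructed.

```python
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"   # assumption: the extracted image is an ELF container
SCAN_WINDOW = 4096       # how far to look for a displaced header

@dataclass
class Verdict:
    ok: bool
    reason: str
    junk_bytes: int = 0   # bytes found in front of the header, if any

def check_elf32_header(buf: bytes) -> str:
    """Return '' if the 52-byte ELF32 header is self-consistent, else a reason."""
    if len(buf) < 52:
        return "truncated ELF header"
    if buf[4] != 1 or buf[5] != 1:          # EI_CLASS, EI_DATA
        return "not a little-endian ELF32 image"
    e_phoff, = struct.unpack_from("<I", buf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", buf, 42)
    if e_phnum == 0 or e_phentsize != 32:
        return "bad program header table description"
    if e_phoff + e_phentsize * e_phnum > len(buf):
        return "program header table runs past end of file"
    return ""

def preflight(image: bytes) -> Verdict:
    """Refuse any image whose header does not sit at offset 0."""
    pos = image.find(ELF_MAGIC, 0, SCAN_WINDOW)
    if pos < 0:
        return Verdict(False, "no ELF header in first %d bytes" % SCAN_WINDOW)
    if pos > 0:
        return Verdict(False, "header displaced by leading junk", pos)
    problem = check_elf32_header(image)
    return Verdict(not problem, problem or "header at offset 0 and consistent")

def make_sample_image() -> bytes:
    """Constructed sample: ELF32 header plus one empty program header."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", 1, 0, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

if __name__ == "__main__":
    good = make_sample_image()
    print(preflight(good))
    print(preflight(b"\xde\xad\xbe\xef\x00\x11\x22\x33" + good))
```

Running the check on the extracted file before handing it to a flasher turns a displaced header into a refused write instead of a corrupted partition.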

#2 OFFLINE   Jurij


Posted 24 May 2017 - 01:29

I'm sorry but it's impossible to fix a hardware problem using software. If your phone is under warranty, you can try to send it to a Sony service centre for repair. If not, buy a working Xperia Z3 Compact with a broken LCD and swap the main board.


  • 0

Serwis Sony Ericsson Online | Online Sony Ericsson Service


Więcej informacji, Cennik | More information, Price list GG: 1793684 Skype: gen.jurij


#3 OFFLINE   nailyk


Posted 24 May 2017 - 17:58

Thanks for your answer. I guess my post was confusing due to my bad English. I own two D6603: one with hardware damage but still able to boot, and one with software damage (TZ partition) but good hardware. I will fix the one with the hardware damage, I just need some reflow training. But I would like to fix the one with the software damage too.

I know you have a lot of knowledge on this @Jurij and wonder if you can help me. I am not able to dump signals as my oscilloscope is analog only, but I got some idea of the curves (clock, line, analog) and almost the behavior. I know it is fixable because it is software damage but I have no idea how. The last idea I got is to dump the preloader (probably on an I2C EEPROM) to disassemble it and understand how it uses the "alt_" partitions etc...

If my Bus Pirate could do the trick I think JTAG flash could be an option too, but I'd like to provide a non-intrusive way so everybody will be able to unbrick their device. Thanks for your time.
  • 0

#4 OFFLINE   Jurij


Posted 25 May 2017 - 00:42

All you can try to do is to flash all firmware parts using a professional service tool like Setool2, in order:

 

1. APPSW,

2. FSP,

3. ELABEL,

4. CDF.

 

If that does not help, I can't help you more. As far as I know, all partition problems in current Sony phones can't be fixed without access to Sony's factory equipment.


  • 0



#5 OFFLINE   nailyk


Posted 25 May 2017 - 17:31

Damn, that is a shame. All other 8974 devices can be 'easily' fixed. Except shinano... I don't understand how setool2 works as it pops an error about a smartcard at launch time. I will try the sdcard trick one last time as soon as the V30 gets delivered, then will try to fix setool2. But from the changelog this device does not appear to be supported. Some jtagbox (riffbox?) support lists mention it but it seems it exploits a vulnerability in the bootloader. As mine is half broken I do not have enough hope to spend 150$ on it. What do you mean by Sony factory equipment? HW or SW? It seems the OEM tool is emma, with different access levels. It is all Java so maybe there is a chance to reuse some libs in a custom dev? Thanks for your time.
  • 0

#6 OFFLINE   Jurij


Posted 25 May 2017 - 20:00

 

> All other 8974 devices can be 'easily' fixed.

That's not true. We can flash only a few variants of Xperia smartphones using a testpoint; for example, we can fix the Sony Xperia Z1 C6903 variant, but with the C6902 it will be a problem because we do not have an s1 emergency loader for that variant. We can't fix the Xperia Z2, Z3 etc. And s1 emergency loaders are available only to people who have access to Sony factory service equipment.

> I don't understand how setool2 works as it pops an error about a smartcard at launch time.

Setool2 is paid software. You must have a Setool2 smart card + reader or box + all current activations + sometimes credits on a Setool2 account to service current Sony phones. And unfortunately that's most likely identify, flash, read / write trim area. For old 6 Sony models unlock is available, and for a few more, boot repair in altbypass mode. But it's still the best tool on the market to service SEMC / SOMC phones.

> What do you mean by Sony factory equipment? HW or SW? It seems the OEM tool is emma, with different access levels.

Sony service centres and Sony factories have different types of service tools to fix / customize / lock or unlock Sony phones. For example, network providers have access to the Emma service tool + dongle + an account with an access level allowing them to lock phones to the specific network provider. Authorized Sony service centres have access to Emma + dongle + an account with an access level allowing them to customize or activate current Sony phones. All Emma users have access to the S1 security server, which generates s1 signatures for serviced phones, protected by a 2048-bit RSA key which has not been broken to this day. That's why we do not have a permanent unlock solution for current Sony phones. And there is also factory equipment called flashgordon + an account with a specific access level, and that tool can do everything: it has access to s1 emergency loaders, can fix a damaged trim area etc. But all unauthorised operations are quickly detected by Sony, the dongle is blocked and the user prosecuted.

You can try to contact the_laser, creator of the Setool2 box, maybe he will give you better advice than me. I have never tried doing tricks with a phone like you, because tampering with partitions in Sony phones almost always ends with a bricked device, so I can't help you more :(


  • 0



#7 OFFLINE   nailyk


Posted 03 June 2017 - 12:31

> That's not true. We can flash only a few variants of Xperia smartphones using a testpoint; for example, we can fix the Sony Xperia Z1 C6903 variant, but with the C6902 it will be a problem because we do not have an s1 emergency loader for that variant. We can't fix the Xperia Z2, Z3 etc. And s1 emergency loaders are available only to people who have access to Sony factory service equipment.

Thanks. I meant that a lot of 8974 devices, except Sony, can be easily unbricked: http://www.androidbr..._qpst_qfil_edl/ .

> Setool2 is paid software. You must have a Setool2 smart card + reader or box + all current activations + sometimes credits on a Setool2 account to service current Sony phones. And unfortunately that's most likely identify, flash, read / write trim area. For old 6 Sony models unlock is available, and for a few more, boot repair in altbypass mode. But it's still the best tool on the market to service SEMC / SOMC phones.

OK, I didn't know this. I will try to ask on their website and maybe purchase one.

> Sony service centres and Sony factories have different types of service tools to fix / customize / lock or unlock Sony phones. For example, network providers have access to the Emma service tool + dongle + an account with an access level allowing them to lock phones to the specific network provider. Authorized Sony service centres have access to Emma + dongle + an account with an access level allowing them to customize or activate current Sony phones. All Emma users have access to the S1 security server, which generates s1 signatures for serviced phones, protected by a 2048-bit RSA key which has not been broken to this day. That's why we do not have a permanent unlock solution for current Sony phones. And there is also factory equipment called flashgordon + an account with a specific access level, and that tool can do everything: it has access to s1 emergency loaders, can fix a damaged trim area etc. But all unauthorised operations are quickly detected by Sony, the dongle is blocked and the user prosecuted.
>
> You can try to contact the_laser, creator of the Setool2 box, maybe he will give you better advice than me. I have never tried doing tricks with a phone like you, because tampering with partitions in Sony phones almost always ends with a bricked device, so I can't help you more :(

You helped me a lot. Knowledge is always good :)
For now I am still trying (with some help) to boot from the 2nd SD channel. We know the sdcard had effects (see the xda thread) but don't know what is missing to get the sdcard partitions booted instead of the eMMC ones.
Indeed it seems emma has all the necessary tools. And as it is a Java application it should be almost easy to re-implement some functions. However, like you said, I am afraid that a 'custom' version will not be able to sign new images. I am wondering if the 'developer' version is signing them when someone does a full stock reflash.
As I have multiple devices we are able to 'see' how a working device acts, dump partitions etc... Hope to be able to fix that some day.
Cheers.
  • 0

#8 OFFLINE   Jurij


Posted 03 June 2017 - 14:00

Which emma are you talking about? I suppose we are talking about two different programs.


  • 0



#9 OFFLINE   nailyk


Posted 03 June 2017 - 14:03

I am referring to this emma: https://developer.so...the-flash-tool/ After disassembling the Java, everything is in there: S[OE]MC libs, s1 libs, signing libs, sahara, etc...
  • 0

#10 OFFLINE   Jurij


Posted 04 June 2017 - 12:29

This is just a flasher, like PC Companion; it can flash only working phones which are able to boot into flash mode and have a correct trim_area, security units, partitions etc. It's a completely different thing, I was talking about Sony service tools ;) Anyway, good luck with fixing your phone :)


  • 0



#11 OFFLINE   nailyk


Posted 04 June 2017 - 16:05

Mhh, I am confused now.... Your FAQ explains that emma has different access levels. Disassembling it https://forum.xda-de...21&d=1495385325 proves it has the "SEMC flash device" access. The authenticate functions also prove this tool is used by the Sony service centers themselves (OEM, integrator, service, & 'anonymous' access). I really think they use that tool for everything, but except for the anonymous access we all use, it needs a smart card and a credential with Sony server authentication for almost every command, checking if you are allowed or not. So my guess was that the Sony service tool is emma too.

I cannot understand why the sdcard boot doesn't work. I use signed partitions, etc. We see s1 looking at the sdcard but it doesn't load it instead of the eMMC (more details about this in the xda thread: https://forum.xda-de...5262/page3).

Many thanks for your time. I am thinking about some 'direct' eMMC flashing now, like munjeni does on his Z1.
  • 0

#12 OFFLINE   Jurij


Posted 04 June 2017 - 17:34

Because I was talking about the Sony service tool, not the free flashtool for developers.


  • 0





Also tagged with one or more of these keywords: z3, d6603, unbrick, brick, bootloader, s1
