

nailyk

Member Since 22 May 2017
OFFLINE Last Active Jun 04 2017 19:32
-----

Posts I've Made

In Topic: Unbricking d6603 / xperia z3?

04 June 2017 - 16:05

Mhh, I am confused now... Your FAQ explains emma had different access levels. Disassembling it https://forum.xda-de...21&d=1495385325 proves it had the "SEMC flash device" access. The authenticate functions also prove this tool is used by the Sony service centers themselves (OEM, integrator, service, & 'anonymous' access). I really think they use that tool for everything, but except for the anonymous access we all use, it needs a smart card and a credential authenticated with a Sony server for almost every command, checking if you are allowed or not. So my guess was the Sony service tool is emma too. I cannot understand why the SD card boot doesn't work. I use signed partitions, etc. We see s1 looking at the sdcard but it doesn't load it instead of the emmc (more details about this in the xda thread: https://forum.xda-de...5262/page3). Many thanks for your time. I am thinking about some 'direct' emmc flashing now, like munjeni does on his z1.

In Topic: Unbricking d6603 / xperia z3?

03 June 2017 - 14:03

I am referring to this emma: https://developer.so...the-flash-tool/ After disassembling the java, everything is in it: S[OE]MC libs, s1 libs, signing libs, sahara, etc.

In Topic: Unbricking d6603 / xperia z3?

03 June 2017 - 12:31

That's not true. We can flash only a few variants of Xperia smartphones using testpoint; for example, we can fix the Sony Xperia Z1 C6903 variant, but with C6902 it will be a problem because we do not have an s1 emergency loader for that variant. We can't fix Xperia Z2, Z3 etc. And s1 emergency loaders are available only to people who have access to Sony factory service equipment.

Thanks. I meant that a lot of 8974 devices, except Sony, can be easily unbricked: http://www.androidbr..._qpst_qfil_edl/

Setool2 is paid software. You must have a Setool2 smart card + reader or box + all current activations + sometimes credits on a Setool2 account to service current Sony phones. And unfortunately that's most likely identify, flash, read / write trim area. For old 6 Sony models unlock is available and for a few more boot repair in altbypass mode. But it's still the best tool on the market to service SEMC / SOMC phones.

OK, I didn't know this. I will try to ask on their website and maybe purchase one.

Sony service centres and Sony factories have different types of service tools to fix / customize / lock or unlock Sony phones. For example, network providers have access to the Emma service tool + dongle + an account with an access level allowing them to lock phones to the specific network provider. Authorized Sony service centres have access to Emma + dongle + an account with an access level allowing them to customize or activate current Sony phones. All Emma users have access to the S1 security server, which generates s1 signatures for serviced phones protected by a 2048-bit RSA key which has not been broken to this day. That's why we do not have a permanent unlock solution for current Sony phones. And there is also factory equipment called flashgordon + an account with a specific access level, and that tool can do everything: it has access to s1 emergency loaders, can fix a damaged trim area, etc. But all unauthorised operations are quickly detected by Sony, the dongle is blocked and the user prosecuted.

You can try to contact the_laser, creator of the Setool2 box; maybe he will give you better advice than me. I have never tried doing tricks with a phone like you, because tampering with partitions in Sony phones almost always ends with a bricked device, so I can't help you more :(

You helped me a lot. Knowledge is always good :)
For now I am still trying (with some help) to boot from the 2nd sd channel. We know the sdcard had effects (see xda thread) but don't know what is missing to get the sdcard partition booted instead of the emmc ones.
Indeed it seems emma has all the necessary tools. And as it is a java application it should be almost easy to re-implement some functions. However, like you said, I am afraid that a 'custom' version will not be able to sign new images. I am wondering if the 'developer' version signs them when someone does a full stock reflash.
As I have multiple devices we are able to 'see' how a working device acts, dump partitions, etc. I hope to be able to fix that some day.
Cheers.

In Topic: Unbricking d6603 / xperia z3?

25 May 2017 - 17:31

Damn, that is a shame. All other 8974 devices can be 'easily' fixed. Except shinano... I don't understand how setool2 works as it pops an error about the smartcard at launch time. I will try the sdcard trick one last time as soon as the v30 gets delivered, then will try to fix setool2. But from the changelog this device does not appear to be supported. Some jtagbox (riffbox?) support lists mention it but it seems it exploits a vulnerability in the bootloader. As mine is half broken I do not have enough hope to spend 150$ on it. What do you mean by Sony factory equipment? HW or SW? It seems the OEM tool is emma, with different access levels. It is all java so maybe there is a chance to reuse some libs in a custom dev? Thanks for your time.

In Topic: Unbricking d6603 / xperia z3?

24 May 2017 - 17:58

Thanks for your answer. I guess my post was confusing due to my bad English. I own two D6603: One with hardware damage but still able to boot. One with software damage (TZ partition) but the hardware is good. I will fix the one with the hardware damage, I just need some reflow training. But I would like to fix the one with the software damage too. I know you have a lot of knowledge on this @Jurij and wonder if you can help me. I am not able to dump signals as my oscilloscope is analog only but got some idea of the curves (clock, line, analog) and almost the behavior. I know it is fixable because it is software damage but have no idea how. The last idea I got is to dump the preloader (probably on an i2c eeprom) to disassemble it and understand how it uses "alt_" partitions etc. If my bus pirate could do the trick I think jtag flash could be an option too but I'd like to provide a non-intrusive way so everybody will be able to unbrick their device. Thanks for your time.