Dumping firmware from phones

This is a guide for dumping the ROM or "firmware" from phones. There's many different types of software and cables necessary to do this depending on the phone, and as a result many programs exist to aid with this.

Like many other older software meant for feature phones, some don't run correctly on newer versions of Windows. A Windows XP virtual machine or actual PC is recommended for said programs.

We encourage you to share any firmware dumps you can do!

= Prerequisites =

A computer running Windows 7 or above

Drivers for the phone you're doing a firmware dump on

The proper software downloaded and installed for the phone

A data cable for the phone you are trying to dump

= Extracting contents = The Phone and firmware manipulation guide page may be of use if you want to extract stuff from the firmware dump. Otherwise, if you just want to see if it worked right, open it up in a hex editor and see if its not all repeating FF or 00 throughout the entire thing.

= MTK = Most methods to dump firmware from MTK powered phones involve UART test points or box software with a standard USB cable.

'''The difficulty of this method depends highly on the phone you are trying to dump the firmware from. This could range to needing a special USB cable or soldering wires from test points to a USB to UART device. The pinout to said UART test points may be available on the phone's PCB, an online forum, or on a phone page on LPCwiki.'''

'''Disclaimer: For phones connected via UART test points, soldering experience is required. As said elsewhere, do this on phones you won't be too upset about losing!

Dumping Firmware with Revskills
Using Revskills, you can dump the firmware of many different MTK feature phones to a single .BIN file.

First, connect the phone to your computer. Open Revskills and go to Hardware -> Port Utils -> MTK (Pro). A window called "MTK Dumper" should open, and then from there you can select the COM port of your phone or USB-UART device.

In the "Device:" tab, select your phone's model if it is listed. If it isn't, use one of the "MTK Generic auth" selections with the model of the chipset in the phone at the end. For example, this would be set to "MTK Generic auth (MT6223)" for the Doro PhoneEasy 410gsm and any other MT6223 powered phone.



Press "Readback Flash". A window should pop up asking you where you want to save readback.bin, which will be the firmware dump of your phone.

Once it says "Please press and hold the power button of the mobile till you see bytes being transferred...", press the power button like instructed until something happens (or both the RXD and TXD lights start flashing on your USB-UART device if it has them).

If it detected a phone, Revskills will attempt to send the the "Download Agent" to the phone in order to dump the firmware.



If all goes well, then a progress bar should appear with the amount of data dumped and the speed of the data transmission.

Once the firmware dump is complete, a pop-up window saying "Done reading." should open.



Common errors
If you get an error about the download agent failing to save into the phone's SRAM, it may have lost power during the data transfer or a connection is loose. Check if your power source is good (e.g. if your phone battery is dead or if the power supply is giving enough current) and check your wires or soldering job for anything that appears disconnected.

DA_MEM_CMD or DA_INVALID_RANGE: The "Flash read length" is set to a value that is larger than the phone's storage capacity. It should tell you the size of the NAND/NOR flash chip in the text log, so if it does, set the read length accordingly. If it doesn't, keep going down on the list until it doesn't give you that error.

= Qualcomm = There are a few different ways to do this, this guide currently covering methods about memory dumps and entire flash chip dumps.

Dumping Firmware with JTAG (difficult)
Using JTAG test points and the appropriate utilities, you can dump the firmware or entire flash chip of a Qualcomm-powered phone.

'''This method is not for the faint of heart. You'll want to be confident in your soldering abilities and know which test points are which. A bench power supply is highly recommended as most phone batteries won't stay in place without anything holding them in.''' Sometimes the JTAG pinouts to phones can be found online, but if this isn't the case, ground pins can usually be identified if they have thicker traces running into them or have the lowest resistance value on a multimeter.

'''Disclaimer: There's a very real risk of damaging the phone's PCB as most JTAG test points are pretty small. Soldering experience is required. As said elsewhere, do this on phones you won't be too upset about losing!

RIFF Box
Make sure you have the appropriate RIFF Box software beforehand.

Also double check if the connections are good between the RIFF Box and the phone's JTAG test points.

If your phone doesn't have an RTCK pin, make sure you switch the "JTAG TCK speed" to something that isn't RTCK. 4 MHz speed works well if you're unsure which to pick.



If you're phone does have an RTCK pin, leave the clock setting at RTCK.

JTAG Read/Write menu
Click the "JTAG Read/Write" tab in the JTAG Manager software. Set the "Target (Core)" settings appropriately for the kind of ARM chip the SoC uses. The Qualcomm systems-on-chip page should help in identifying this, but by the chance a phone isn't listed, most Qualcomm-powered phones made in 2004 or below use ARM7TDMI, while the majority of newer devices use ARM926EJS.

Once you have all the target and I/O voltage settings selected, click "Connect & Get ID" and then "Analyze JTAG Chain". If everything is connected correctly and your phone is receiving enough power, RIFF Box should 'see' the phone and identify the IDCODE of the Qualcomm SoC in the phone.



Leave "Address" at 0x00000000 and set the "Length" to the size of the phone's flash chip in hex. As an example, if you knew the phone has an 8MB flash chip, put 0x00800000.

If you're unsure about what number to put as the length, there's no harm in overestimating. Most phones will loop back the contents of the flash chip once it has reached the end or read out all FF for invalid / out of bounds addresses.

Press "Read Memory". A window should open asking you where to save the file.

Depending on the TCK speed and the size of the phone's flash chip, it might not take very long. Once it's done, verify the dump was good by analyzing it in a hex editor and looking for key items such as a "QCOM" header, the phone's model number (or part of it), and a software version.

You may want to dump the phone a 2nd or 3rd time and use a file compare function on a hex editor or other program if you are keen on making sure everything was dumped correctly.

Direct Memory Programming Plugin
This method might be preferred if you want to use the preloaded voltage and reset methods for specific Qualcomm SoCs as well as having direct access to the flash chip.

Address and Data Length work the same way as they do on the JTAG Read/Write tab, so set those values as you would on that section.

Click "Connect & Flash ID" once you've confirmed your settings are correct. If everything is working, you should get text that looks something like this:



Press "Read Flash" to start the dump. Once it's done, press "Save" in order to save it to a file.

Common errors
RIFF Box gives helpful tips on how to troubleshoot errors, but here are some extra tips if you need them.

If you get an error about RTCK not responding and you know the phone is on and the connections are good, the phone may not even have an RTCK signal. Double check your clock (TCK) settings to save headaches about why the phone won't connect.

Wire length is a major factor in preventing errors as well. Read errors or inconsistencies in dumps may be caused by unequal wire lengths or if your wires are too long. 3-6cm is a threshold that works without issue at 4MHz TCK speeds.

Some phones require you to press the power button before clicking "Connect & Get ID", so make sure the phone is on before trying to tap into its JTAG interface.

Dumping Memory with Revskills or UniCDMA (easiest)
This method only seems to work on phones with a Qualcomm MSM chipset (e.g. no Qualcomm QSCxxxx support).

Using RevSkills or UniCDMA, you can use the Memory Read function to read out the phone's memory, which usually contains at least some part of the firmware. At the very least, this can sometimes contain resources such as graphics and sounds.

Side note regarding Samsung CDMA devices
For the majority of Samsung CDMA phones made after the early 2000s, memory dumping will not work unless you input the 16-digit SP code and the 6-digit MSL / SPC code into RevSkills or UniCDMA.

This also applies to phones where the EFS is inaccessible or certain files are locked.

Revskills
First, connect the phone to your computer. Open Revskills and go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the "DIAG" tab. Press the "Send" button on the right to test if the phone is being read correctly.



If Revskills can see your phone, it should say "Successfully send command." at the bottom and show a screen similar to this:



Once you've confirmed that Revskills can communicate with your phone, go to the "Diag Functions" part, make sure the selection box is set to "Save Memory to file". After that, press "Lets go" to start the memory read process.

If you know your phone has a large flash memory, you may want to change the end value to something larger than 02600000, as this only dumps ~26MB of data at most.



A window should pop up pointing you to where you want to save the memory read dump as well as what you want to call it. You can put anything for this, it doesn't really matter. "test.bin" is an okay choice.

Revskills should say "Successfully send command." at the bottom again, and the progress bar should start to go forth.



Depending what you set the baud rate to and how big the phone's memory is, this can take a really long time. You'll probably want to leave it going in the background until it finishes.

If your phone supports higher baud rates, definitely set it to Revskills' maximum of 921600. The process will be slightly faster that way.

Once Revskills pops up with a dialog box saying "Memory read not supported by phone. Continue anyway?" or "Successfully read memory." shows up at the bottom of the window, this means that the end of the phone's readable memory has been reached and the memory dump is finished.

UniCDMA
UniCDMA is designed for very old (early 2000s) CDMA phones, so don't expect this to work reliably with anything newer than that.

First, connect the phone to your computer.

Open UniCDMA and set the correct mode.



Select the correct COM port and baud rate.



Go to the "Memory" tab and press "Read and save to file...", and if everything is working okay, it should start reading out the memory contents to that file.