Dumping firmware from phones

This is a guide to dumping the ROM, or "firmware", from phones. The software and cables required depend on the phone, and many programs exist to help with this.

As with much older software meant for feature phones, some of these programs don't run correctly on newer versions of Windows. A Windows XP virtual machine or physical PC is recommended for those programs.

We encourage you to share any firmware dumps you can do!

= Prerequisites =

A computer running Windows 7 or above

Drivers for the phone you're doing a firmware dump on

The proper software downloaded and installed for the phone

A data cable for the phone you are trying to dump

= Extracting contents =

The Phone and firmware manipulation guide page may be of use if you want to extract data from the firmware dump. Otherwise, if you just want to check that the dump worked, open it in a hex editor and make sure it isn't all repeating FF or 00 throughout the entire file.
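
A scripted version of the hex-editor check above, as an added example that is not part of the original guide or of any tool it mentions. Going beyond the page, it also flags a dump whose second half repeats the first (which can happen when a read runs past the real memory size and addresses wrap) and reports a SHA-256 so two reads of the same phone can be compared; the 4096-byte block size and the verdict names are assumptions of this example.

```python
import hashlib
import sys

BLOCK = 4096  # analysis granularity assumed for this example


def analyze_dump(data: bytes, block: int = BLOCK) -> dict:
    """Classify a firmware dump as empty, blank, mirrored, or plausibly real."""
    if not data:
        return {"size": 0, "verdict": "empty"}
    ff = zero = total = 0
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        total += 1
        if chunk == b"\xff" * len(chunk):
            ff += 1      # block is entirely 0xFF (erased flash reads this way)
        elif chunk == b"\x00" * len(chunk):
            zero += 1    # block is entirely 0x00
    blank_ratio = (ff + zero) / total
    # Offset just past the last byte that is neither 0xFF nor 0x00.
    content_end = len(data.rstrip(b"\xff\x00"))
    # Identical halves suggest the read length was twice the real size.
    half = len(data) // 2
    mirrored = len(data) % 2 == 0 and data[:half] == data[half:]
    if blank_ratio == 1.0:
        verdict = "blank"      # the failed-dump case the guide describes
    elif mirrored:
        verdict = "mirrored"
    else:
        verdict = "ok"
    return {
        "size": len(data),
        "ff_blocks": ff, "zero_blocks": zero,
        "blank_ratio": blank_ratio,
        "content_end": content_end,
        "verdict": verdict,
        # Dump twice and compare hashes to catch transfer errors.
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample used when no file path is given on the command line.
    sample = b"CONSTRUCTED-FW\x01\x02" * 256 + b"\xff" * 4096
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    for key, value in analyze_dump(sample).items():
        print(f"{key}: {value}")
```

Run it with the path to readback.bin (or any other dump) as the only argument; a large `blank_ratio` with an `ok` verdict is normal when the flash is mostly erased.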

= MTK =

Most methods to dump firmware from MTK-powered phones involve UART test points or box software with a standard USB cable.

'''The difficulty of this method depends highly on the phone you are trying to dump the firmware from. It could range from needing a special USB cable to soldering wires from test points to a USB-to-UART device.'''

'''Disclaimer: For phones connected via UART test points, soldering experience is required. As said elsewhere, do this on phones you won't be too upset about losing!'''

== Dumping Firmware with Revskills ==
Using Revskills, you can dump the firmware of many different MTK feature phones to a single .BIN file.

First, connect the phone to your computer. Open Revskills and go to Hardware -> Port Utils -> MTK (Pro). A window called "MTK Dumper" should open, and then from there you can select the COM port of your phone or USB-UART device.

In the "Device:" tab, select your phone's model if it is listed. If it isn't, use one of the "MTK Generic auth" selections that ends with the model of the chipset in the phone. For example, this would be set to "MTK Generic auth (MT6223)" for the Doro PhoneEasy 410gsm and any other MT6223-powered phone.



Press "Readback Flash". A window should pop up asking you where you want to save readback.bin, which will be the firmware dump of your phone.

Once it says "Please press and hold the power button of the mobile till you see bytes being transferred...", press the power button as instructed until something happens (or both the RXD and TXD lights start flashing on your USB-UART device if it has them).

If it detected a phone, Revskills will attempt to send the "Download Agent" to the phone in order to dump the firmware.



If all goes well, then a progress bar should appear with the amount of data dumped and the speed of the data transmission.

Once the firmware dump is complete, a pop-up window saying "Done reading." should open.



=== Common errors ===
If you get an error about the download agent failing to save into the phone's SRAM, it may have lost power during the data transfer or a connection is loose. Check if your power source is good (e.g. if your phone battery is dead or if the power supply is giving enough current) and check your wires or soldering job for anything that appears disconnected.

DA_MEM_CMD or DA_INVALID_RANGE: The "Flash read length" is set to a value that is larger than the phone's storage capacity. The text log should tell you the size of the NAND/NOR flash chip, so if it does, set the read length accordingly. If it doesn't, keep going down the list until it no longer gives you that error.

= Qualcomm =

There are a few different ways to do this, but currently this only covers the "Revskills" method.

== Dumping Memory with Revskills or UniCDMA (easiest) ==
This method only seems to work on phones with a Qualcomm MSM chipset (e.g. no Qualcomm QSCxxxx support).

Using Revskills or UniCDMA, you can use the Memory Read function to read out the phone's memory, which usually contains at least some part of the firmware. At the very least, this can sometimes contain resources such as graphics and sounds.

=== Revskills ===
First, connect the phone to your computer. Open Revskills and go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the "DIAG" tab. Press the "Send" button on the right to test if the phone is being read correctly.



If Revskills can see your phone, it should say "Successfully send command." at the bottom and show a screen similar to this:



Once you've confirmed that Revskills can communicate with your phone, go to the "Diag Functions" part and make sure the selection box is set to "Save Memory to file". After that, press "Lets go" to start the memory read process.

If you know your phone has a large flash memory, you may want to change the end value to something larger than 02600000, as this only dumps ~26MB of data at most.



A window should pop up asking where you want to save the memory read dump and what you want to call it. The name doesn't really matter; "test.bin" is an okay choice.

Revskills should say "Successfully send command." at the bottom again, and the progress bar should start to advance.



Depending on what you set the baud rate to and how big the phone's memory is, this can take a really long time. You'll probably want to leave it going in the background until it finishes.

If your phone supports higher baud rates, definitely set it to Revskills' maximum of 921600. The process will be slightly faster that way.

When Revskills shows a dialog box saying "Memory read not supported by phone. Continue anyway?", or "Successfully read memory." appears at the bottom of the window, the end of the phone's readable memory has been reached and the memory dump is finished.

=== UniCDMA ===
UniCDMA is designed for very old (early 2000s) CDMA phones, so don't expect this to work reliably with anything newer than that.

First, connect the phone to your computer.

Open UniCDMA and set the correct mode.



Select the correct COM port and baud rate.



Go to the "Memory" tab and press "Read and save to file...", and if everything is working okay, it should start reading out the memory contents to that file.