Dumping firmware from phones/Qualcomm

From Legacy Portable Computing Wiki

There are a few different ways to dump Qualcomm devices. This guide currently covers two: reading the phone's memory over the diagnostic (DIAG) port with RevSkills or UniCDMA, and reading the entire flash chip over JTAG.

Dumping Firmware with JTAG (difficult)[edit]

Using JTAG test points and the appropriate utilities, you can dump the firmware or entire flash chip of a Qualcomm-powered phone.

This method is not for the faint of heart. You'll want to be confident in your soldering abilities and know which test point is which. A bench power supply is practically required, since most phone batteries won't stay in place with nothing holding them in. JTAG pinouts for some phones can be found online; if not, ground pins can usually be identified by the thicker traces running into them, or by checking for continuity (near-zero resistance) to a known ground such as the battery's negative terminal with a multimeter.

Known JTAG pinouts can be found on the Dumbphone Repo in the "JTAG Pinouts" folder. These were either found by checking under keypad membranes for JTAG labels on the PCB, or uncovered with the help of a JTAGulator.

Important disclaimer: There's a very real risk of damaging the phone's PCB as most JTAG test points are pretty small. Soldering experience is required. As said elsewhere, do this on phones you won't be too upset about losing!

RIFF Box[edit]

Make sure you have the appropriate RIFF Box software beforehand.

Double check if the connections are good between the RIFF Box and the phone's JTAG test points.

If your phone doesn't have an RTCK pin, switch "JTAG TCK speed" to a fixed clock rather than RTCK. With short wires, 4 MHz should work; otherwise stick with 1 MHz.

If your phone does have an RTCK pin, leave the clock setting at RTCK and set the sample rate accordingly. As with fixed TCK speeds, 1 to 4 MHz is a good range.

Direct Memory Programming Plugin[edit]

Using the Direct Memory Programming plugin (or a suitable "Resurrector" / DCC loader for your phone or chipset) will allow you to dump a phone's entire flash chip.

Address and Data Length work the same way as they do on the JTAG Read/Write tab, but it's best to leave "Auto FullFlash Size" checked as it will detect the flash chip size on its own.

Click "Connect & Flash ID" once you've confirmed your settings are correct. If everything is working, the log should report the detected flash chip ID.

Press "Read Flash" to start the dump. Once it's done, press "Save" in order to save it to a file.

Dump the flash more than once and compare the dumps in a hex editor until two are byte-for-byte identical. If some bytes differ from one dump to the next, there is probably a connection or TCK speed issue.

JTAG Read/Write menu[edit]

The JTAG Read/Write menu is akin to dumping memory in RevSkills or UniCDMA: it reads the address space as the CPU core sees it rather than the flash chip directly. Only use its "Read Memory" option as a last resort, when no DCC loader or Direct Memory Programming plugin works for your phone.

Click the "JTAG Read/Write" tab in the JTAG Manager software. Set the "Target (Core)" settings for the kind of ARM core the SoC uses. The Qualcomm systems-on-chip page should help in identifying this; if a phone isn't listed there, most Qualcomm-powered phones made in 2004 or earlier use ARM7TDMI, while the majority of newer devices use ARM926EJ-S.

Once you have all the target and I/O voltage settings selected, click "Connect & Get ID" and then "Analyze JTAG Chain". If everything is connected correctly and your phone is receiving enough power, RIFF Box should 'see' the phone and identify the IDCODE of the Qualcomm SoC in the phone.

Leave "Address" at 0x00000000 and set the "Length" to the size of the phone's flash chip in hex. As an example, if you knew the phone has an 8MB flash chip, put 0x00800000.

If you're unsure what length to use, there's little harm in overestimating (it only costs time). On most phones the address lines simply wrap, so the dump repeats the flash contents once the end of the chip is reached, or the out-of-range addresses read back as all 0xFF. Either way the extra data can be trimmed afterwards.

Press "Read Memory". A window should open asking you where to save the file.

Depending on the TCK speed and the size of the phone's flash chip, it might not take very long. Once it's done, verify the dump in a hex editor by looking for key items such as a "QCOM" header, the phone's model number (or part of it), and a software version string.

You may want to dump the phone a second or third time and run a file compare in a hex editor or other tool if you want to be sure everything was dumped correctly.
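As an added example (not part of this wiki page, and not code from RIFF Box, RevSkills or UniCDMA), the Python script below automates the re-read comparison recommended above and the checks from this section: it reports the first differing offset and the number of differing bytes between dumps, detects whether an overestimated length made the flash contents repeat (address wrap) or left 0xFF padding at the end, and lists the offsets of markers such as a "QCOM" header or a model string. It assumes only that the dump tools write plain binary files. The sample data it builds when run without arguments is constructed, and the "MODEL-0000 SW1.0" string in it is a placeholder, not a real model number.

```python
"""Sanity checks for raw memory / flash dumps of Qualcomm phones.

Added example for this wiki page, not code from RIFF Box, RevSkills or
UniCDMA: those tools write plain binary files, which is all that is assumed.
"""
import random
import sys

QCOM_MAGIC = b"QCOM"  # header string the wiki says to look for in a good dump


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte where two dumps disagree, or None if identical.
    A length mismatch counts as a difference at the end of the shorter dump."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def count_differences(a: bytes, b: bytes) -> int:
    """Number of byte positions that disagree, plus any length mismatch.
    A few scattered differences between re-reads is the wiring / TCK-speed
    problem the wiki describes; thousands mean the read is garbage."""
    common = min(len(a), len(b))
    return sum(1 for x, y in zip(a, b) if x != y) + (max(len(a), len(b)) - common)


def trailing_ff_run(dump: bytes) -> int:
    """Length of the run of 0xFF at the end of the dump (erased flash, or
    out-of-range addresses that read back as all FF)."""
    end = len(dump)
    while end > 0 and dump[end - 1] == 0xFF:
        end -= 1
    return len(dump) - end


def mirror_period(dump: bytes, min_size: int = 0x10000):
    """Detect address wrap: if the read ran past the end of the chip and the
    address lines wrapped, the dump is the chip contents repeated. Returns the
    smallest power of two >= min_size that tiles the whole dump, or None."""
    size = min_size
    while size * 2 <= len(dump):
        if len(dump) % size == 0:
            unit = dump[:size]
            # A uniform block (e.g. all FF) trivially repeats; ignore it.
            if len(set(unit)) > 1 and all(
                dump[off:off + size] == unit for off in range(size, len(dump), size)
            ):
                return size
        size *= 2
    return None


def find_markers(dump: bytes, markers, limit: int = 5) -> dict:
    """Offsets (up to `limit` per marker) of byte strings such as b"QCOM",
    a model number fragment or a software version string."""
    found = {}
    for m in markers:
        hits, pos = [], dump.find(m)
        while pos != -1 and len(hits) < limit:
            hits.append(pos)
            pos = dump.find(m, pos + 1)
        found[m] = hits
    return found


def check_dumps(dumps, markers=(QCOM_MAGIC,)) -> dict:
    """Summarise repeated reads of the same chip: consistency of each dump
    against the first one, wrap period, trailing FF padding and marker hits."""
    ref = dumps[0]
    return {
        "consistent": all(first_difference(ref, d) is None for d in dumps[1:]),
        "differences": [count_differences(ref, d) for d in dumps[1:]],
        "mirror_period": mirror_period(ref),
        "trailing_ff": trailing_ff_run(ref),
        "markers": find_markers(ref, markers),
    }


def make_sample_dumps() -> dict:
    """Constructed sample data standing in for real reads (not from any phone):
    a 64 KiB pseudo-random 'chip' with a QCOM header and a placeholder model /
    version string, read back as (a) a 256 KiB read that wrapped four times,
    (b) a re-read of it with one bit flipped, (c) a read padded with 0xFF."""
    chip = bytearray(random.Random(0x51C).randbytes(0x10000))
    chip[0:4] = QCOM_MAGIC
    label = b"MODEL-0000 SW1.0"  # hypothetical model + software version string
    chip[0x200:0x200 + len(label)] = label
    chip[-1] = 0x5A  # make sure the chip itself does not end in FF
    chip = bytes(chip)
    wrapped = chip * 4
    flipped = bytearray(wrapped)
    flipped[0x12345] ^= 0x01
    padded = chip + b"\xff" * 0x30000
    return {"chip": chip, "wrapped": wrapped, "flipped": bytes(flipped), "padded": padded}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_dumps.py dump1.bin dump2.bin ...
        dumps = []
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                dumps.append(f.read())
    else:  # no files given: run on the constructed sample data
        sample = make_sample_dumps()
        dumps = [sample["wrapped"], sample["flipped"]]
    for key, value in check_dumps(dumps, (QCOM_MAGIC, b"MODEL-0000")).items():
        print(f"{key}: {value}")
```

A detected mirror period that is a power of two smaller than the length you entered is the real chip size; cut the dump there. A mirror period of None with a large trailing FF run means the part reads back FF past its end instead of wrapping, so trim the FF run. A non-empty differences list between two reads means re-check the wiring and TCK speed before trusting either file.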

Common errors[edit]

RIFF Box has helpful information on how to troubleshoot errors, but here are some extra tips if you need them.

Always double check your TCK settings! If the device has no RTCK pin, make sure you are set to a fixed TCK speed, and it's generally not recommended to leave RTCK set to "Sample at MAX".

Wire length is a major factor as well. Read errors or inconsistencies between dumps may be caused by wires of unequal length or wires that are too long. 3-6 cm works without issue at 4 MHz TCK; slightly longer wires can be used at the cost of transfer speed by dropping to 1 MHz TCK / RTCK.

Many phones require you to press the power button or connect it to a charger before clicking "Connect & Get ID", so make sure the phone is on and drawing current before trying to tap into its JTAG interface.

QSC6xxx phones in particular are very timing-sensitive. It may take upwards of 30 reboots before the phone connects with the DCC loader!

(Sidenote: holding nRST to ground, pressing "Read Flash", and then releasing nRST after a few seconds may work for you, provided the nRST pin is exposed.)


Dumping Memory with Revskills or UniCDMA (easiest)[edit]

This method only seems to work on phones with a Qualcomm MSM or QSC1xxx chipset (i.e. no Qualcomm QSC6xxx support).

Using the Memory Read function in RevSkills or UniCDMA, you can read out the phone's memory over the diagnostic port, which usually contains some part of the firmware. At the very least, this can sometimes yield resources such as graphics and sounds.

Side note regarding Samsung CDMA devices[edit]

For the majority of Samsung CDMA phones made after the early 2000s, memory dumping will not work unless you enter the 16-digit SP code and the 6-digit MSL / SPC code into RevSkills or UniCDMA.

The same applies to phones where the EFS is inaccessible or certain files are locked: entering the 16-digit SP code and the 6-digit SPC should unlock EFS reading.

An updated list of SP codes for RevSkills and its successor Mobile Revelator can be found here.

Revskills[edit]

First, connect the phone to your computer. Open Revskills and go to Hardware -> Port Utils -> QC + AT-Cmd. A window called "QC Com Diag Window" should open, and then from there you can select the proper COM port to use.

Go to the "DIAG" tab. Press the "Send" button on the right to test if the phone is being read correctly.

If Revskills can see your phone, it should say "Successfully send command." at the bottom and show the phone's response in the window.

Once you've confirmed that Revskills can communicate with your phone, go to the "Diag Functions" section, and make sure the selection box is set to "Save Memory to file". After that, press "Lets go" to start the memory read process.

If you know your phone has a large flash memory, you may want to raise the end address above 02600000, as the default only dumps ~39 MB (0x02600000 bytes) at most.

A window should pop up asking where to save the memory dump and what to call it. The name doesn't matter; "test.bin" is fine.

Revskills should say "Successfully send command." at the bottom again, and the progress bar should start to advance.

Depending what you set the baud rate to and how big the phone's memory is, this can take a really long time. You'll probably want to leave it going in the background until it finishes.

If your phone supports higher baud rates, definitely set it to Revskills' maximum of 921600. The process will be slightly faster that way.

When Revskills pops up a dialog saying "Memory read not supported by phone. Continue anyway?", or "Successfully read memory." appears at the bottom of the window, the end of the phone's readable memory has been reached and the dump is finished.

UniCDMA[edit]

With few exceptions, UniCDMA was designed for very old (early 2000s) CDMA phones, so don't expect this to work reliably with anything newer than that.

First, connect the phone to your computer.

Open UniCDMA and set the correct mode.

Select the correct COM port and baud rate.

Go to the "Memory" tab and press "Read and save to file...", and if everything is working okay, it should start reading out the memory contents to that file.