EC20 QFlash

The EC20 QFlash utility uses three different device modes to update the firmware:
a) QDL
b) QDL SBL / also named "Go mode" by Qflash
c) fastboot

Overview of one flash procedure

  1. Reboot into QDL mode
  2. QDL: Upload NPRG9x15.hex to enter QDL Streaming Mode
  3. Streaming: Flash *.mbn
  4. Streaming: Flash SBL2_temp
  5. Reboot into fastboot mode
  6. fastboot: Flash other parts
  7. Reboot into QDL
  8. QDL: Upload ENPRG9x15.hex to enter QDL Streaming Mode
  9. Streaming: Flash SBL2
  10. Reboot into new Firmware

QFlash in detail

How to enter QDL mode

Do one of:
  • Erase everything
  • Pull down/up a specific GPIO
  • AT+QDL

QDL mode

QDL mode allows loading code into memory and executing it.
It is also possible to read memory: https://lkml.org/lkml/2017/8/8/177
QFlash loads and executes NPRG9x15.hex or ENPRG9x15.hex to enter the

Try ./ec20/NPRG9x15.hex first; if it fails, try ./ec20/ENPRG9x15.hex to enter the next mode. The E in ENPRG9x15 stands for emergency.

Qflash in QDL

Send Nop `0x7e 0x06 CRC 0x7e`
Send preq `0x7e 0x07 CRC 0x7e`
Upload hex file `0x7e 0x0f loadaddr|32bit size|16bit data CRC 0x7e`.
Go `0x7e 0x05 loadaddr|32bit CRC 0x7e`.
The device now enters SBL / Go mode.

SBL / Go mode

Send the magic string "QCOM fast download protocol host" to enter the mode.
Upload partition table `0x7e 0x19 data CRC 0x7e`
- use partition.mbn; if it is not accepted, try partition2.mbn
Flash mbns:
- SBL1: `sbl1.mbn`
- SBL2: `sbl2_tmp.mbn`
- RPM: `rpm.mbn`
- APPSBL: `appsboot_tmp.mbn`

The device now reboots into fastboot using the USB id 18d1:d00d (Google fastboot).

Device is in fastboot mode

Flash the following partitions:
- sbl2
- aboot
- dsp1
- dsp2
- dsp3
- system
- userdata
- recoveryfs
- boot
- recovery

The device now reboots.

2nd QDL and QDL SBL mode:

The device now reboots into QDL mode.
Enter SBL mode / Go mode using the emergency ENPRG9x15.hex.

QFlash now flashes the real SBL2 bootloader.

How does QFlash find out which mode the device is in?

Send `0x7e 0x06 CRC 0x73`
if recv "0x7e,0x02,0x6a,0xd3,0x7e" => download mode (QDL)
if recv "0x13,0x06,0x88,0xd5,0x7e" => normal mode (diag?)
if recv "0x7e,0x0e" => go mode (SBL)
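The frames in the "Qflash in QDL" section and the three mode-detection replies above use the same framing, so the following added example builds and parses them in one place. It is not code from QFlash or Quectel. Assumptions: the framing is Qualcomm async-HDLC, i.e. CRC-16/X-25 (reflected polynomial 0x8408, init 0xFFFF, final XOR 0xFFFF) appended little-endian, a 0x7e flag on both ends, and 0x7e/0x7d inside the body escaped as 0x7d 0x5e / 0x7d 0x5d (the page does not mention escaping); this CRC reproduces the reply bytes shown above (0x02 -> 6a d3, 0x13 0x06 -> 88 d5), so the NOP frame comes out as 7e 06 4e 95 7e. It further assumes the address and size fields of the 0x0f write command are big-endian and that NPRG9x15.hex / ENPRG9x15.hex are Intel HEX files; the sample reply bytes and the three-record hex snippet are constructed from the values on this page.

```python
"""Qualcomm DLOAD (QDL) frame helpers for the EC20 QFlash notes (added example)."""
import struct

FLAG, ESC = 0x7E, 0x7D  # async-HDLC flag and escape bytes (assumption, see lead-in)

# Mode-detection replies from the notes: first payload byte -> device mode
RESPONSE_MODES = {0x02: "QDL", 0x13: "normal (diag)", 0x0E: "SBL / Go"}

# Constructed sample replies, copied from the three cases in the notes
SAMPLE_RESPONSES = {
    "qdl": bytes([0x7E, 0x02, 0x6A, 0xD3, 0x7E]),
    "diag": bytes([0x13, 0x06, 0x88, 0xD5, 0x7E]),
    "go": bytes([0x7E, 0x0E]),
}

# Constructed Intel HEX snippet: extended-linear-address record, two data
# bytes at 0x2A001000, then EOF (assumes the NPRG/ENPRG .hex files are Intel HEX)
SAMPLE_HEX = ":020000042A00D0\n:021000007E016F\n:00000001FF\n"


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF).
    Reproduces the CRC bytes in the notes: 0x02 -> 6a d3, 13 06 -> 88 d5."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_escape(data: bytes) -> bytes:
    """Escape flag/escape bytes in a frame body (7e -> 7d 5e, 7d -> 7d 5d)."""
    out = bytearray()
    for b in data:
        out += bytes((ESC, b ^ 0x20)) if b in (FLAG, ESC) else bytes((b,))
    return bytes(out)


def hdlc_unescape(data: bytes) -> bytes:
    out, pending = bytearray(), False
    for b in data:
        if pending:
            out.append(b ^ 0x20)
            pending = False
        elif b == ESC:
            pending = True
        else:
            out.append(b)
    return bytes(out)


def frame(payload: bytes) -> bytes:
    """payload + little-endian CRC, escaped, wrapped in 0x7e flags."""
    body = payload + struct.pack("<H", crc16_x25(payload))
    return bytes((FLAG,)) + hdlc_escape(body) + bytes((FLAG,))


def unframe(raw: bytes) -> bytes:
    """Strip flags and escapes, verify the CRC, return the payload."""
    body = hdlc_unescape(raw.strip(bytes((FLAG,))))
    if len(body) < 3:
        raise ValueError("frame too short")
    payload, (crc,) = body[:-2], struct.unpack("<H", body[-2:])
    if crc16_x25(payload) != crc:
        raise ValueError("CRC mismatch")
    return payload


# The commands listed in the notes: opcode, then fields (address/size big-endian)
def nop() -> bytes:
    return frame(b"\x06")

def preq() -> bytes:
    return frame(b"\x07")

def write32(addr: int, data: bytes) -> bytes:
    return frame(struct.pack(">BIH", 0x0F, addr, len(data)) + data)

def go(addr: int) -> bytes:
    return frame(struct.pack(">BI", 0x05, addr))

def partition_table(mbn: bytes) -> bytes:
    return frame(b"\x19" + mbn)


def parse_intel_hex(text: str):
    """Yield (absolute address, data) per data record; verify record checksums."""
    base = 0
    for line in text.splitlines():
        if not line.startswith(":"):
            continue
        rec = bytes.fromhex(line[1:])
        if sum(rec) & 0xFF:
            raise ValueError("bad Intel HEX checksum: " + line)
        addr, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:
            yield base + addr, data
        elif rtype == 0x04:  # extended linear address: upper 16 address bits
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x01:  # end of file
            return


def hex_upload_frames(text: str, chunk: int = 1024) -> list:
    """Turn a hex image into the sequence of write32 frames for the upload step."""
    frames = []
    for addr, data in parse_intel_hex(text):
        for off in range(0, len(data), chunk):
            frames.append(write32(addr + off, data[off:off + chunk]))
    return frames


def detect_mode(reply: bytes) -> str:
    """Classify the reply to a NOP as the notes describe; CRC-check full frames."""
    body = hdlc_unescape(reply.strip(bytes((FLAG,))))
    if not body:
        return "no response"
    if len(body) >= 3:
        unframe(reply)  # raises ValueError on a CRC mismatch
    return RESPONSE_MODES.get(body[0], "unknown")
```

Calling `detect_mode(SAMPLE_RESPONSES["diag"])` returns "normal (diag)", and `unframe` rejects a frame whose CRC does not match, which is the check a host tool should apply before trusting a reply. The "go" reply is only two bytes on this page, so it is classified by its first byte without a CRC check.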

FAQ: The device is in QDL mode and disconnects and reconnects every 2 seconds

Uninstall the gobi-loader. The gobi-loader tries to load the Gobi2000 firmware into
the EC20 because its udev rules contain the QDL USB id (9008).

links