Recovery with a Dead Flash (For Motorola E398)

August 16, 2007

Thanks to FusioN and n0wheremany for this:

Sometimes our Motorola E398 dies in a very bad way – nothing you do can help. This can happen if you end up with damaged flash memory, where the phone’s firmware and all memory is stored.
After such a crash, in practice nothing can help at all – no forceboot, no testpoint, no existing known recovery method!

And here we introduce one new method, which can probably  revive your phone, even with a dead flash memory. We already have one successful revival using this procedure!

Symptoms:
– Ramldr shows errors like ERR Г
– MFF and PST cannot flash, they show errors.

We need the following:
– The dead phone
– Full backup of the phone firmware
– Charged battery or at least USB charger
– Ramldr by Vilko
– Loader for Ramldr (ldr_*.bin)
– Hex editor (like XVI32)
– Good understanding and following the procedure below

What to do:
0. Test Point (it is not required)
1. Search for the broken cells
2. Making backup in pieces
3. Final stage of recovery
3a. Making our own ldr_part*.bin
3b. Recovery and obtaining working phone

0. Test point is not required, but you can do it if you want.

1. Download ldr_*.bin, open it with Hex editor, “jump” (в XVI32 – [Ctrl]+[G]) to address F8 (that is the start of the flash memory), put value 10 00 00 00 (4 bytes)
Jump to address FC and put value 12 00 00 00
Save the file.

Connect the phone, go to bootloader and in ramldr click on send ramldr -> choose our new updated ldr_*.bin
When you see err: divide the region of the memory (10 00 00 00 – 12 00 00 00) in two equal length pieces and change the ldr_*.bin with the new values. Here is the example:

Region: 10 00 00 00 – 12 00 00 00
1 Piece: 10 00 00 00 – 10 FF FF FF
2 Piece: 11 00 00 00 – 12 00 00 00

And thus, it is possible to find the “broken addresses”. It may be necessary to divide the erroneous region into half and pass the regions many times…

From the phone with broken memory that we mentioned the region was: 10 F3 FF FF – 10 F6 00 00

2. As soon as we find the bad memory, now it is time to create the backup.
Hint: address 10 00 00 00 in the phone is address 00 00 00 00 in the backup

Here is how you can do it:
Part 1 – From address 00 00 00 00 to the start address of the broken memory we will call it part1.bin
Part 2 – From the end address of the broken memory to address 02 00 00 00 (which is 12 00 00 00 in phone memory),
we will call it part2.bin
Hint: use the windows calculator to calculate the addresses in the “Scientific Mode” using Hex type

3. 3a. Now it is time for recovery. Prepare your ldr_*.bin files:
ldr_part1.bin
ldr_part2.bin
* There can be more in case you have more than 1 erroneous memory part
We need to change the addresses now:
1). In ldr_part1.bin on address F8 write 10 00 00 00, and on address FC – the start address of erroneous memory part
2). In ldr_part2.bin on address F8 write the start address of the erroneous memory part and on FC write 12 00 00 00

3b. Start ramldr, connect the dead phone and load it in bootloader mode, use “Send Ramldr” and choose ldr_part1.bin. Now choose “erase”, you will see ACK ERASE, and select “base addr” as “10000000”. Choose “send binary”
and send part1.bin. Restart the phone (you may need to remove the battery and start back in bootloader using the 4 and 5 pin method)
Do exactly the same with ldr_part2.bin/part2.bin.
Now it is the tricky part – if the bad memory block is not critical for the phone system – your phone will work! Unfortunately if it is – it is time for you to buy a new phone 😉

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: