JioFi JMR1140 – Need Help

  • Thread starter: DrNoob

Hi everyone,
I am working on the JioFi JMR1140 (Qualcomm MSM9607, NAND) and I want to enable ADB + custom rootfs.
I want to share what I have done so far and I need help from anyone who has deeper knowledge in Qualcomm USB gadget / NAND / ADB bring-up.

What I have done

I successfully dumped all partitions using bkerler’s edl tool in 0x9008 mode.

Extracted & rebuilt rootfs UBI

I extracted the mdm9607-sysfs.ubi, modified some files inside rootfs, and then rebuilt a new UBI image with the same parameters (2048 min_io, 128KB PEB, 2048 VID offset, same image_seq, etc.).

Modified root filesystem

/etc/init.d/usb
USB compositions under /sbin/usb/compositions/
Made changes so the ADB profile gets enabled
Added symlinks for functionfs
Cleaned init startup shell scripts
I basically enabled the ADB function in the USB gadget that the OEM had disabled.

Flashed modified UBI


I flashed the new UBI.
The device booted successfully with my custom rootfs.

On Linux, ADB is finally showing:
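
Added example, not part of the original post: a Python check of the rebuild parameters named above (2048 min_io, 128KB PEB, 2048 VID offset, one image_seq) against the erase-counter header of every PEB in a rebuilt UBI image. The header layout and CRC convention follow the Linux UBI on-flash format; `check_ubi_image`, `make_peb` and the sample image_seq values are constructed for illustration.

```python
import struct
import zlib

# UBI erase-counter (EC) header, 64 bytes big-endian: magic, version, pad,
# erase count, vid_hdr_offset, data_offset, image_seq, pad, hdr_crc.
EC_HDR = struct.Struct(">4sB3sQIII32sI")
PEB_SIZE = 128 * 1024   # from the post
MIN_IO = 2048           # from the post
VID_OFFSET = 2048       # from the post

def ubi_crc(data: bytes) -> int:
    """CRC-32 as UBI stores it: seed 0xFFFFFFFF, no final inversion."""
    return ~zlib.crc32(data) & 0xFFFFFFFF

def check_ubi_image(image: bytes, image_seq: int) -> list:
    """Return the problems found in the EC header of each PEB."""
    problems = []
    if len(image) % PEB_SIZE:
        problems.append("image is not a whole number of PEBs")
    for peb in range(len(image) // PEB_SIZE):
        raw = image[peb * PEB_SIZE:peb * PEB_SIZE + EC_HDR.size]
        magic, _, _, _, vid, data, seq, _, crc = EC_HDR.unpack(raw)
        if magic != b"UBI#":
            problems.append(f"PEB {peb}: bad magic")
            continue
        if crc != ubi_crc(raw[:-4]):
            problems.append(f"PEB {peb}: header CRC mismatch")
        # The data area starts one min_io page after the VID header page.
        if (vid, data) != (VID_OFFSET, VID_OFFSET + MIN_IO):
            problems.append(f"PEB {peb}: vid_hdr_offset {vid}, data_offset {data}")
        if seq != image_seq:
            problems.append(f"PEB {peb}: image_seq {seq:#x}, expected {image_seq:#x}")
    return problems

def make_peb(image_seq: int, vid: int = VID_OFFSET) -> bytes:
    """Constructed sample PEB: a valid EC header followed by erased flash."""
    body = EC_HDR.pack(b"UBI#", 1, b"\0" * 3, 0, vid, vid + MIN_IO,
                       image_seq, b"\0" * 32, 0)[:-4]
    return (body + struct.pack(">I", ubi_crc(body))).ljust(PEB_SIZE, b"\xff")

if __name__ == "__main__":
    image = make_peb(0x1234) * 3 + make_peb(0x9999)  # last PEB from another build
    print(check_ubi_image(image, 0x1234))
```

With these parameters each LEB is 131072 - 4096 = 126976 bytes, which is the LEB size the boot log later in this thread reports.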
 
## Project: JioFi JMR1140 Unbrick via EDL Mode
| Parameter | Value |
|---|---|
| Device | JioFi JMR1140 |
| Chipset | Qualcomm MSM9x07 (MDM9607) |
| NAND Chip | FM6BD2G2GCA (reported as NM1282KSLAXAL by some loaders) |
| Flash ID | 0x1590aa98 |
| Page Size | 2048 bytes |
| Block Size | 128KB (64 pages/block) |
| OOB Size | 128 bytes |
| ECC | BCH 8-bit |
| Total Blocks | 2048 (256MB) |
| HWID | 0x000490e100000000 |
| MSM_ID | 0x000490e1 |
| PK_HASH | 0xcc3153a80293939b... |
| Secure Boot | DISABLED |



### Fix 1: PAGES_PER_BLOCK default value
File: edlclient/Library/firehose.py
Code:
# Line 174 - Change from:
PAGES_PER_BLOCK = 0
# To:
PAGES_PER_BLOCK = 64

### Fix 2: nand_config.py - FM6BD2G2GCA/NM1282KSLAXAL entry
File: edlclient/Library/nand_config.py
Code:
# Add to the supported_flash dict:
0x1590aa98: [(256 << 20), 0, 2048, (2048 << 6), 128, 0],  # FM6BD2G2GCA/NM1282KSLAXAL

### Fix 3: ECC 8-bit for FM6BD2G2GCA
File: edlclient/Library/nand_config.py
Code:
# Line ~592 - Change:
if nandid == 0x2690AC98:
# To:
if nandid == 0x2690AC98 or nandid == 0x1590AA98:
    self.settings.ecc_bit = 8

### Fix 4: PAGES_PER_BLOCK in connect command
File: edlclient/Library/firehose.py
Code:
# Line ~907:
connectcmd += f" PAGES_PER_BLOCK=\"64\""
 
## Partition Layout (JMR1140)
HWID: 0x000490e100000000 (MSM_ID:0x000490e1,OEM_ID:0x0000,MODEL_ID:0x0000)
Unknown CPU, please send log as issue to GitHub - bkerler/edl: Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
PK_HASH: 0xcc3153a80293939b90d02d3bf8b23e0292e452fef662c74998421adad42a380f
Serial: 0xe09614bb

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader 000480e100000000_cc3153a80293939b_fhprg_9x07.mbn ...
sahara - 32-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
main - Trying to connect to firehose loader ...
firehose - Supported Functions: program configure power benchmark read getstorageinfo erase nop
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "eMMC" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose
firehose - [LIB]: skipping storage init requested by user
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect Version
firehose - TargetName=MSM9x07
firehose - MemoryName=NAND
firehose - Version=0
firehose - Trying to read first storage sector...
firehose
firehose - [LIB]: Attribute 'SECTOR_SIZE_IN_BYTES'=512 must be equal to disk sector size 2048
firehose
firehose - [LIB]: ERROR 4: Line 2193: STORAGE_READ_FAILURE
firehose - Running configure...
firehose - Storage report:
firehose - total_blocks:2048
firehose - block_size:131072
firehose - page_size:2048
firehose - mem_type:NAND
firehose - prod_name:NM1282KSLAXAL
firehose_client - Supported functions:
-----------------
program,configure,power,benchmark,read,getstorageinfo,erase,nop
firehose - Nand storage detected.
firehose - Scanning for partition table ...
Progress: |██████████| 100.0% Scanning (Sector 0x400 of 0x400, ) 0.00 MB/s
firehose - Found partition table at sector 640 :)

Parsing Lun 0:
Name Offset Length Attr Flash
-------------------------------------------------------------
sbl 00000000 00140000 0xff/0x1/0x0 0
mibib 00140000 00140000 0xff/0x1/0xff 0
efs2 00280000 00C00000 0xff/0x1/0xff 0
tz 00E80000 00100000 0xff/0x1/0x0 0
rpm 00F80000 00080000 0xff/0x1/0x0 0
nandcal 01000000 003C0000 0xff/0x1/0x0 0
amt1 013C0000 002C0000 0xff/0x1/0x0 0
aboot 01680000 000A0000 0xff/0x1/0x0 0
boot 01720000 007E0000 0xff/0x1/0x0 0
scrub 01F00000 00BE0000 0xff/0x1/0x0 0
modem 02AE0000 02820000 0xff/0x1/0x0 0
misc 05300000 00140000 0xff/0x1/0x0 0
recovery 05440000 007E0000 0xff/0x1/0x0 0
fota 05C20000 00180000 0xff/0x1/0x0 0
recoveryfs 05DA0000 01000000 0xff/0x1/0x0 0
sec 06DA0000 00040000 0xff/0x1/0x0 0
system 06DE0000 03B00000 0xff/0x1/0x0 0
userdata 0A8E0000 05720000 0xff/0x1/0x0 0
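
Added example, not from the thread or from edl: a Python cross-check of the partition table above against the reported NAND geometry (erase-block alignment, no gaps or overlaps, table ending at the 256MB device size). The meaning given to the fields of the Fix 2 entry is an assumption inferred from the parameter table; the function names are hypothetical.

```python
# Values copied from the firehose storage report and partition table above.
BLOCK_SIZE = 131072      # block_size
TOTAL_BLOCKS = 2048      # total_blocks
# Fix 2 entry; reading field 0 as device size and field 3 as block size
# is an assumption based on the parameter table.
NAND_ENTRY = [(256 << 20), 0, 2048, (2048 << 6), 128, 0]

PTABLE = """sbl 00000000 00140000
mibib 00140000 00140000
efs2 00280000 00C00000
tz 00E80000 00100000
rpm 00F80000 00080000
nandcal 01000000 003C0000
amt1 013C0000 002C0000
aboot 01680000 000A0000
boot 01720000 007E0000
scrub 01F00000 00BE0000
modem 02AE0000 02820000
misc 05300000 00140000
recovery 05440000 007E0000
fota 05C20000 00180000
recoveryfs 05DA0000 01000000
sec 06DA0000 00040000
system 06DE0000 03B00000
userdata 0A8E0000 05720000"""

def parse_ptable(text):
    """Return [(name, offset, length)] from 'name offset length' hex rows."""
    rows = [line.split()[:3] for line in text.splitlines() if line.strip()]
    return [(n, int(o, 16), int(l, 16)) for n, o, l in rows]

def check_layout(rows, entry=NAND_ENTRY):
    """List every inconsistency between the table and the NAND geometry."""
    problems = []
    if entry[0] != BLOCK_SIZE * TOTAL_BLOCKS or entry[3] != BLOCK_SIZE:
        problems.append("nand_config entry disagrees with storage report")
    expected = 0
    for name, off, length in rows:
        if off % BLOCK_SIZE or length % BLOCK_SIZE:
            problems.append(f"{name}: not erase-block aligned")
        if off != expected:
            problems.append(f"{name}: starts at {off:#x}, expected {expected:#x}")
        expected = off + length
    if expected != BLOCK_SIZE * TOTAL_BLOCKS:
        problems.append(f"table ends at {expected:#x}, device is {entry[0]:#x}")
    return problems

if __name__ == "__main__":
    print(check_layout(parse_ptable(PTABLE)) or "layout consistent")
```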
 
1. Full NAND erase
sudo python3 ./edl.py es 0 131072 \
--loader 000480e100000000_cc3153a80293939b_9x07.bin \
--vid 0x05C6 --pid 0x9008 \
--memory NAND --sectorsize 2048 --pagesperblock 64

************************************************************************

2. Combine mibib.bin with the SBL
python3 -c "
sbl = open('dumps/sbl.bin','rb').read() # sectors 0-639
mibib = open('dumps/mibib.bin','rb').read() # starts at sector 640

combined = sbl + mibib
open('sbl_plus_mibib.bin','wb').write(combined)
print('Combined:', len(combined)//2048, 'sectors')
"

3. Flash sbl+mibib
sudo python3 ./edl.py wf sbl_plus_mibib.bin \
--loader 000480e100000000_cc3153a80293939b_9x07.bin \
--vid 0x05C6 --pid 0x9008 \
--memory NAND --sectorsize 2048 --pagesperblock 64


4. Use the official tool to flash the other files
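
Added example, not the poster's script: a stricter form of the step 2 concatenation that guarantees mibib lands at sector 640 (offset 0x140000 in the partition table) and records a hash of the result. Padding a short sbl dump with 0xFF is an assumption about what the loader accepts; the function names and sample bytes are constructed.

```python
import hashlib

SECTOR = 2048              # NAND page size, passed as --sectorsize
MIBIB_OFFSET = 0x140000    # "mibib" offset in the partition table (sector 640)
MIBIB_LENGTH = 0x140000    # "mibib" length in the partition table

def combine_sbl_mibib(sbl: bytes, mibib: bytes) -> bytes:
    """Place mibib exactly at MIBIB_OFFSET behind the sbl dump.

    A short sbl dump is padded with 0xFF (the erased-NAND value, an
    assumption) so mibib cannot slide to a lower sector; oversized or
    page-misaligned dumps are rejected.
    """
    if not sbl or not mibib:
        raise ValueError("empty dump")
    if len(sbl) > MIBIB_OFFSET:
        raise ValueError(f"sbl dump is {len(sbl):#x} bytes, "
                         f"partition is {MIBIB_OFFSET:#x}")
    if len(mibib) > MIBIB_LENGTH or len(mibib) % SECTOR:
        raise ValueError(f"mibib dump has unexpected size {len(mibib):#x}")
    return sbl.ljust(MIBIB_OFFSET, b"\xff") + mibib

def describe(image: bytes) -> dict:
    """Summary to record before flashing: size, mibib sector, SHA-256."""
    return {
        "sectors": len(image) // SECTOR,
        "mibib_sector": MIBIB_OFFSET // SECTOR,
        "sha256": hashlib.sha256(image).hexdigest(),
    }

if __name__ == "__main__":
    # Constructed stand-ins for dumps/sbl.bin and dumps/mibib.bin.
    sbl = b"S" * (300 * SECTOR)      # deliberately shorter than the partition
    mibib = b"M" * (4 * SECTOR)
    print(describe(combine_sbl_mibib(sbl, mibib)))
```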
 
lsusb:
Bus 001 Device 006: ID 1ecb:02e1 AMTelecom JMR1140
adb devices
List of devices attached
0123456789ABCDEF device



adb shell
/ # ls
WEBSERVER cache etc linuxrc run sys usr
bin config firmware media sbin system var
boot data home mnt sdcard target www
build.prop dev lib proc share tmp



/ # cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 38.40
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5

Hardware : Qualcomm Technologies, Inc MDM9307
Revision : 0000
Serial : 0000000000000000
Processor : ARMv7 Processor rev 5 (v7l)

:cool:
 
Quectel EG25 firmware on JioFi JMR1140



Code:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.2-00091
S - IMAGE_VARIANT_STRING=LAATANAZA
S - OEM_IMAGE_VERSION_STRING=SH-SW-W-ColinP
S - Boot Config, 0x000002e1
B -      1216 - PBL, Start
B -      3723 - bootable_media_detect_entry, Start
B -      4533 - bootable_media_detect_success, Start
B -      4537 - elf_loader_entry, Start
B -      6685 - auth_hash_seg_entry, Start
B -      6907 - auth_hash_seg_exit, Start
B -     55144 - elf_segs_hash_verify_entry, Start
B -     99976 - PBL, End
B -    108458 - SBL1, Start
B -    167079 - pm_device_init, Start
B -    186965 - PM_SET_VAL:Skip
D -     18086 - pm_device_init, Delta
B -    187971 - boot_config_data_table_init, Start
D -    174948 - boot_config_data_table_init, Delta - (420 Bytes)
B -    366427 - CDT version:3,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    372618 - sbl1_ddr_set_params, Start
B -    376370 - Pre_DDR_clock_init, Start
D -       213 - Pre_DDR_clock_init, Delta
D -         0 - sbl1_ddr_set_params, Delta
B -    389027 - pm_driver_init, Start
D -      4605 - pm_driver_init, Delta
B -    395493 - cpr_init, Start
D -       122 - cpr_init, Delta
B -    400007 - cpr_cx_mx_apc_vol_update, Start
D -        91 - cpr_cx_mx_apc_vol_update, Delta
B -    414678 - sbl1_qhsusb_al_do_fast_enum, Start
D -        30 - sbl1_qhsusb_al_do_fast_enum, Delta
B -    417819 - clock_init, Start
D -       152 - clock_init, Delta
B -    423614 - boot_flash_init, Start
D -     25406 - boot_flash_init, Delta
B -    453748 - Image Load, Start
D -     63684 - QSEE Image Loaded, Delta - (462100 Bytes)
D -       213 - boot_pm_post_tz_device_init, Delta
B -    521885 - sbl1_efs_handle_cookies, Start
D -         0 - sbl1_efs_handle_cookies, Delta
B -    529175 - Devcfg Partition does not exist
B -    533353 - Image Load, Start
D -       427 - SEC Image Loaded, Delta - (2048 Bytes)
B -    541344 - Image Load, Start
D -     28091 - RPM Image Loaded, Delta - (151464 Bytes)
B -    569984 - Image Load, Start
D -     71400 - APPSBL Image Loaded, Delta - (419244 Bytes)
B -    641445 - QSEE Execution, Start
D -       213 - QSEE Execution, Delta
B -    647118 - SBL1, End
D -    541039 - SBL1, Delta
S - Throughput, 3000 KB/s  (1035340 Bytes,  301181 us)
S - DDR Frequency, 240 MHz
Android Bootloader - UART_DM Initialized!!!
[0] welcome to lk

[10] platform_init()
[10] target_init()
[10] Waiting for the RPM to populate smd channel table
[10] 111 flash->id=0x1590aa98,supported_flash[0]=0x1590ac2c, flash->id2=0x81676, supported_flash_id2=0x56
[20] 111 flash->id=0x1590aa98,supported_flash[1]=0x1590ac01, flash->id2=0x81676, supported_flash_id2=0x56
[30] 111 flash->id=0x1590aa98,supported_flash[2]=0x1590aaad, flash->id2=0x81676, supported_flash_id2=0x46
[40] 111 flash->id=0x1590aa98,supported_flash[3]=0x1590aa98, flash->id2=0x81676, supported_flash_id2=0x76
[50] smem ptable found: ver: 4 len: 17
[50] ERROR: No devinfo partition found
[60] Neither 'config' nor 'frp' partition found
[60] [Quectel0125] get fastboot message start !!!
[70] [Quectel0125] get fastboot message end !!!
CTRL+C: enter instruction mode
RECOVERY,PINTEST OR FASTBOOT OR CMD



aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
aboot_init char: ▒
[180] flash_read_image: success (0 errors)
[190] @Quectel0125 Ql_check_RestoreFlag:offset=4a0000, magic1=0,magic2=0
[190] flash_read_image: success (0 errors)
[200] @Quectel0125 check AllRestoring flag =0,fota_updateRecoveryImgFlag=0
[200] AAAAALoading (boot) image (6209536): start
[990] AAAAALoading (boot) image (6209536): done
[1000] Authenticating boot image (6209536): start
[1070] Authenticating boot image: done return value = 1
[1120] DTB Total entry: 29, DTB version: 3
[1130] Using DTB entry 0x0000012a/00010000/0x00000008/0 for device 0x0000012a/00010000/0x00010008/0
[1140] [Dawn] alloc len: 36864 block len: 131072 pagesize=:2048
[1150] flash_read_image: success (0 errors)
[1150] [Dawn] 0x7fffff01 not exist,Pllease set item before!!
[1160] [Dawn] alloc len: 36864 block len: 131072 pagesize=:2048
[1170] flash_read_image: success (0 errors)
[1170] [Dawn] 0x7fffff02 not exist,Pllease set item before!!
[1170] cmdline: noinitrd ro console=ttyHSL0,115200,n8 androidboot.hardware=qcom ehci-hcd.park=3 msm_rtb.filter=0x37 lpm_levels.sleep_disabled=1 earlycon=msm_hsl_uart,0x78b3000 androidboot.serialno=e09614bb androidboot.authorized_kernel=true androidboot.baseband=
[1200] Updating device tree: start
[1200] update_device_tree[1328]:.
[1360] update_device_tree[1464]:Have no set spi/uart switch flag.
[1360] update_device_tree[1515]:Have no set codec  switch flag.
[1390] Updating device tree: done
[1390] Channel alloc freed
[1400] booting linux @ 0x80008000, ramdisk @ 0x80008000 (0), tags/device tree @ 0x81e00000
INIT: version 2.88 booting
kernel.core_pattern = /var/tmp/core.%e.%p.%s.%t
/etc/mdev/iio.sh: .: line 10: can't open '/sys/devices/78b8000.i2c/i2c-4/4-0068/iio:device?*/uevent'
MTD : Detected block device : /cache for usr_data
UBI device number 2, total 479 LEBs (60821504 bytes, 58.0 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
ubiattach wait times= 1
ubiattach wait times= 2
ubiattach wait times= 3
 ubi attach success !!!
 /dev/ubi2_0 mount times =1
usrdata mount success !!!!
Starting port_bridge: done
Fri Jan  7 05:02:04 UTC 2022
hwclock: RTC_SET_TIME: Invalid argument
soc: MDM9307
serialno: e09614bb
INIT: Entering runlevel: 5
Configuring network interfaces... Error: argument "eth0" is wrong: Unknown device
kernel.core_pattern = /var/tmp/core.%e.%p.%s.%t
mkdir: can't create directory '/system/vendor/': Read-only file system
ln: /system/lib: Read-only file system
ln: /vendor: Read-only file system
chown: /media/card: No such file or directory
chown: /sdcard: Read-only file system
Starting syslogd done
Starting tftp_server: /sbin/tftp_server is already running
556
Starting irsc_util: Starting irsc tool
Failed to open file:/etc/sec_config
Absent/Invalid config,Default rules apply
Ending irsc tool
done
Starting time_services: done
Starting modem dependent daemons: Starting/Loading embms_kernel module: done loading embms_kernel module
Starting quectel_pcm_daemon: done
Starting qmuxd: done
Starting thermal-engine: done
Starting qllog: done
Starting csd_server: done
Starting netmgrd: done
Starting qmi_shutdown_modem: done
Starting quectel-gps-handle: done
Starting quectel_daemon: done
Starting quectel-smd-atcmd: done
Starting quectel-thermal: done
Starting quectel_daemon: done
Starting quectel_psm_aware: done
Starting ql_forward done
Starting quectel-remotefs-service done
Starting quectel-tts-service done
Starting subsystem_ramdump: done
Starting wlan_services... start
Setting restart level: system
done
Starting quectel-uart-ddp: done
Starting quectel app monitor: done
Starting system message bus: dbus.
Starting miscellaneous daemons: Starting atreset: done
done
Starting Location Launcher Services: done
Completed starting miscellaneous daemons * Starting Avahi Unicast DNS Configuration Daemon: avahi-dnsconfd
   ...fail!
Starting powerconfig for mdm9607: Starting quectel_slic_daemon: cat: can't open '/data/slic.conf': No such file or directory
done
Starting fs-scrub-daemon: /sbin/fs-scrub-daemon is already running
557
Starting ql_manager_server: done

mdm-perf 202201071212 mdm9607 /dev/ttyHSL0

mdm9607 login:
 