BP flashing howto

This page describes EZX gen2 BP firmware upgrade and repair, using hardware testpoint and putusb software.

Contents 1 Requirments 2 Putusb and RAMLDR2 3 Launching python console 4 Prepairing putusb 5 Connecting phone 6 Loading RAMLDR2 7 Saving full backup 8 Flashing 9 Note about repair image

Requirments

• Python 2.5 or higher
• libusb ( libusb-filter on windows )
• pyusb

Putusb and RAMLDR2

Create working directory somewhere ( /tmp/lte in unix or C:\lte in windows ) and place there two files:

• RAMLDR2 loader for phone
• Putusb library for host

Launching python console

In Linux (working directory is /tmp/lte):

1. open terminal emulator
2. type: cd /tmp/lte/
3. type: python you should see something like this

 Python 2.6.2 (r262:71600, Jul 20 2009, 02:23:30) 
 [GCC 4.4.0 20090630 (prerelease)] on linux2
 Type "help", "copyright", "credits" or "license" for more information. 

In Windows (working directory is C:\lte)

1. press Win-R
2. type cmd to open terminal
3. type C: and cd \lte
4. type python

Prepairing putusb

Now loading ramldr into python shell and importing putusb library. Type following:

import putusb
f = open("loader_for_ramldr2.bin","rb")
loader = f.read()
f.close()
loader += '\xff'*(4096 - len(loader))

Connecting phone

If all ok, do testpoint (access to the contact point as shown here) and put phone in passthrough mode (press flash key one more time, "BP Passthrough" should appear on screen). Now connect to phone bootloader from python shell and check its version:

dev = putusb.MotoUsb()
dev.version()

If all is ok, you should see IROM bootloader version:

00130200FF000300,00130200FF000300

If you missed with testpoing, you will get flash bootloader version:

00130201FF000900,00130201FF000900,FFFFFFFF00FFFFFF,00130206FFFF1152,....many other

Version can be different (0900, 0910, 0914, 0980 or somethign else).

Loading RAMLDR2

To load ramldr2 on phone, type following:

dev.set(0x03FD0000,loader)
dev.set(0x03FEF800,'\x03\xFD\x00\x14'*512, True)
dev.recv()

You should get "Ready" after last command. If something wrong, redo from step Connecting phone

Saving full backup

Its good idea to save current flash contents before loading. Be sure, you removed testpoint before doing this.

Type:

dev.read = dev.read_ramldr2
all = dev.get(0x10000000,4*1024*1024)
f = open("bp_backup.dump","wb")
f.write(all)
f.close()

Now you should see 4MB file bp_backup.dump in your working directory. Its your bp backup - go and save it in safe place. If you have some time, please send full dump to me, i`l exctract bootloader and some other interting for me things.

Flashing

Now you can flash anything everywhere. So, get somewhere repair image or your backup and place it in working directory.

Commands below flashes file repair image name here from beginning of flash.

BIG FAT WARNING
This would brick your phone if you miss with address or file contents
Dont do this, if have no backup!

Type:

f = open("repair image name here","rb")
dump = f.read()
f.close()
dev.flash_ramldr2(0x10000000,dump)

Note about repair image

I cant include repair image here, becouse it includes hacked proprietary firmware, but you can find it somewhere. If you flashed repair image, you should not reflash BP any more, so if you want to flash some firmware after repairing BP, you should remove BP codegroups from it or repeate full repair procedure after every reflash.