Flashing the Jolla C2

I have recently received a Jolla C2 and, like many other people here, was also unable to set it up (almost nothing worked on first boot and the phone did not unlock after rebooting). I was initially planning to send it back, but then decided to check if the phone provides some sort of flashing method. It turns out that the Unisoc flashing mode can be entered by holding the Volume Up button while turning on the phone.

Flashing or dumping partitions using this mode requires two loaders (FDL1 and FDL2), which are usually signed using a device-specific key, but an exploit makes it possible to use generic loaders. Both the exploit code and the loaders are available here: GitHub - TomKing062/CVE-2022-38694_unlock_bootloader: This is a one-time signature verification bypass. For persistent signature verification bypass, check https://github.com/TomKing062/CVE-2022-38691_38692 (see ums9230_universal_unlock.zip in the releases section).

This makes it possible to dump partitions and even restore bricked/failed devices, although the latter is quite complicated if no factory images are available. I can try to provide some more detailed instructions if anyone is interested, but please be aware that this is very likely to void your warranty and that it is very easy to do something wrong in this process.

25 Likes

Wow, very interesting! Even if it will void the warranty, it would be very good to know the way the device is flashed and restored. If you can provide more detailed information, it would be very appreciated by the community!

5 Likes

My process involved extracting the recovery image from a partial dump, modifying and flashing it to boot_a to obtain a root shell. However, this is probably more complicated than necessary. Looking at the boot scripts in the initramfs, it seems that on every boot, the first 2MB of the super are checked, and if they are not all zeros, the entire partition is copied to the userdata partition, after which the first 2MB are zeroed out. Since these 2MB mostly consist of LVM and filesystem headers that do not change significantly, it is probably not that hard to restore the userdata partition to its initial state.

Here are the general steps for flashing/dumping the phone (when the spd_dump command says “waiting for connection”, hold the Power and Volume Up keys of the phone):

  1. Download GitHub - TomKing062/spreadtrum_flash: Spreadtrum firmware dumper and build it using make
  2. Set up udev rules if you want to run the flashing commands with normal user permissions (see this readme: GitHub - ilyakurdyukov/spreadtrum_flash: Spreadtrum firmware dumper for Linux)
  3. Download the ums9230_universal_unlock.zip archive from here and extract it into the spreadtrum_flash directory (required files are custom_exec_no_verify_65015f08.bin, fdl1-dl.bin and fdl2-dl.bin)
  4. FDL2 is usually identical to the device bootloader. Run the following command to read out the bootloader, since it is more reliable than the generic FDL2:
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0x9efffe00 exec r uboot_a reset

Similar commands can be used to access other partitions - just replace fdl2-dl.bin with uboot_a.bin after this step.

Now, to restore the phone to its factory state, I would suggest the following steps (which I have not tested myself):

  1. Using the C2’s bootloader as FDL2, dump the first 2MB of the userdata partition, and write this data back to the super partition:
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl uboot_a.bin 0x9efffe00 exec read_part userdata 0 2m userdata.bin write_part super userdata.bin reset
  2. Wait until the phone boots and see if it shows the setup screen again. If it doesn’t, you will have to wait for someone to provide an original super image.
17 Likes
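A pre-flight check for the restore step above, added here as an example and not part of the original post: before the dumped 2 MiB of userdata is written back to super with `write_part`, confirm that the dump is the expected size, is not the all-zero state the boot script leaves behind, and carries an LVM2 physical-volume label (which LVM2 places in one of the first four sectors). The filename `userdata.bin`, the 2 MiB size and the LVM2 label layout come from the post and from the LVM2 on-disk format; the sample data is constructed.

```python
import struct
import sys

DUMP_SIZE = 2 * 1024 * 1024  # the boot script inspects the first 2 MiB of super
SECTOR = 512


def check_super_header(data: bytes) -> dict:
    """Sanity-check a 2 MiB dump before it is written back to super.

    'ok' is True only when the dump is exactly 2 MiB, is not all zeros
    and an LVM2 label header is found in one of the first four sectors.
    """
    result = {
        "size_ok": len(data) == DUMP_SIZE,
        "all_zero": not any(data),
        "lvm_label_sector": None,
    }
    for sector in range(4):
        off = sector * SECTOR
        hdr = data[off:off + 32]
        if len(hdr) < 32:
            break
        # LVM2 label header: 8-byte id, u64 sector number of the label itself,
        # u32 crc, u32 offset to the PV header, 8-byte type string.
        label_id, sector_no, _crc, _pv_off, label_type = struct.unpack("<8sQII8s", hdr)
        if label_id == b"LABELONE" and label_type == b"LVM2 001" and sector_no == sector:
            result["lvm_label_sector"] = sector
            break
    result["ok"] = (result["size_ok"] and not result["all_zero"]
                    and result["lvm_label_sector"] is not None)
    return result


def make_sample(with_label: bool) -> bytes:
    """Constructed 2 MiB buffer: either zeroed or carrying a fake LVM2 label in sector 1."""
    buf = bytearray(DUMP_SIZE)
    if with_label:
        buf[SECTOR:SECTOR + 32] = struct.pack("<8sQII8s", b"LABELONE", 1, 0, 32, b"LVM2 001")
        buf[4096] = 0x01  # stand-in for a non-zero filesystem header byte
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python check_super.py userdata.bin  (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True)
    verdict = check_super_header(data)
    print(verdict)
    sys.exit(0 if verdict["ok"] else 1)
```

A non-zero exit means the dump should not be written to super; an all-zero dump usually means the wrong partition or offset was read.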

Thanks for this information. Something like this belongs straight to the Wiki…

I’d be very interested to learn how you did that. I would love to try that out when the phone was locked. I have tried a series of well-known combinations to bring the phone into “flashing” mode. No luck here. And no time at the moment.

Yet, you write :

How? Can you post a video/photos? Did you receive a phone with version 5.0.0.21 already? Why did this not work for me?

1 Like

The flashing mode is a USB-only thing. You might notice that the phone takes a bit longer to turn on if you hold the Volume Up button. This is because it’s actually waiting for a flashing tool to connect to it. At this point, no display drivers have been loaded yet, so there is nothing to see.

6 Likes

Okay, I did try to detect USB activity, via dmesg. But nothing. This is all out of memory. I didn’t try now again.

@affe_null I want to kiss you.

I was one of the unlucky from the first batch of users who received the C2 in a borked state with empty battery. I sent the device back to Jolla back in November from the UK to arrive to Finland in December. They never received the device for whatever reason and came back just a week ago.

My amount of frustration at that point was… let’s say I probably didn’t sound friendly in my reply to Jolla in my Zendesk ticket. I waited for 2 months for nothing.

Apparently, I can’t flash with Flashboot as there is no Flashboot in the factory firmware. I only had to build the repo above, copy the files needed and run the commands exactly as you posted them as root, and boom, I was greeted with the setup screen and this time everything went smoothly. The only tricky thing is that you don’t get any feedback from the phone when booting with the Volume Up key pressed, so it took some time to troubleshoot why the tool above was not working (lsusb was showing nothing until I changed the USB cable).

7 Likes

Fancy doing mine for me? :joy: I still haven’t sent mine back to Jolla haha

Have you contacted some Jolla guys here in Forum? @rainemak is very helpful.

Sorry to hear! We have one guy in the UK who probably could help you out, or at least UK internal mailing should be simpler. Could you send me a private message? Thanks, and sorry about your troubles.

2 Likes

@rainemak I assume @explit’s reply was targeting @Allstar12345’s message, as I managed to get the device working with the above exploit by erasing the user partition. I mentioned that in my Zendesk ticket too.

Really sorry for doing that a bit late. Dealing with early parenthood at the moment and replying to online matters is a bit lower in my priorities compared to anything else including finding time to sleep.