Flashing the Jolla C2

I have recently received a Jolla C2 and, like many other people here, was also unable to set it up (almost nothing worked on first boot and the phone did not unlock after rebooting). I was initially planning to send it back, but then decided to check if the phone provides some sort of flashing method. It turns out that the Unisoc flashing mode can be entered by holding the Volume Up button while turning on the phone.

Flashing or dumping partitions using this mode requires two loaders (FDL1 and FDL2), which are usually signed using a device-specific key, but an exploit makes it possible to use generic loaders. Both the exploit code and the loaders are available at https://github.com/TomKing062/CVE-2022-38694_unlock_bootloader (the repository describes itself as a one-time signature verification bypass and points to https://github.com/TomKing062/CVE-2022-38691_38692 for a persistent one); see ums9230_universal_unlock.zip in the releases section.

This makes it possible to dump partitions and even restore bricked/failed devices, although the latter is quite complicated if no factory images are available. I can try to provide some more detailed instructions if anyone is interested, but please be aware that this is very likely to void your warranty and that it is very easy to do something wrong in this process.


Wow, very interesting! Even if it voids the warranty, it would be very good to know the way the device is flashed and restored. If you can provide more detailed information, it would be very much appreciated by the community!


My process involved extracting the recovery image from a partial dump, modifying it and flashing it to boot_a to obtain a root shell. However, this is probably more complicated than necessary. Looking at the boot scripts in the initramfs, it seems that on every boot the first 2 MB of the super partition are checked, and if they are not all zeros, the entire partition is copied to the userdata partition, after which the first 2 MB are zeroed out. Since these 2 MB mostly consist of LVM and filesystem headers that do not change significantly, it is probably not that hard to restore the userdata partition to its initial state.

Here are the general steps for flashing/dumping the phone (when the spd_dump command says “waiting for connection”, hold the Power and Volume Up keys of the phone):

  1. Download https://github.com/TomKing062/spreadtrum_flash (Spreadtrum firmware dumper) and build it using make
  2. Set up udev rules if you want to run the flashing commands with normal user permissions (see the readme of https://github.com/ilyakurdyukov/spreadtrum_flash, the Linux Spreadtrum firmware dumper)
  3. Download the ums9230_universal_unlock.zip archive from here and extract it into the spreadtrum_flash directory (required files are custom_exec_no_verify_65015f08.bin, fdl1-dl.bin and fdl2-dl.bin)
  4. FDL2 is usually identical to the device bootloader. Run the following command to read out the bootloader, since it is more reliable than the generic FDL2:

```sh
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0x9efffe00 exec r uboot_a reset
```

Similar commands can be used to access other partitions - just replace fdl2-dl.bin with uboot_a.bin after this step.

Now, to restore the phone to its factory state, I would suggest the following steps (which I have not tested myself):

  1. Using the C2’s bootloader as FDL2, dump the first 2 MB of the userdata partition, and write this data back to the super partition:

```sh
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl uboot_a.bin 0x9efffe00 exec read_part userdata 0 2m userdata.bin write_part super userdata.bin reset
```

  2. Wait until the phone boots and see if it shows the setup screen again. If it doesn’t, you will have to wait for someone to provide an original super image.
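The commands from the post above, collected into one script with the host-side checks a cautious person would want before anything is written back to super. This is an added example, not the poster's own code and not part of the spreadtrum_flash project. It assumes that spd_dump and the extracted loader files (fdl1-dl.bin, fdl2-dl.bin, custom_exec_no_verify_65015f08.bin) sit in the current directory, that the addresses are the ones quoted in the post, and that `r uboot_a` saves the dump as uboot_a.bin as the post implies. The "LABELONE" check looks for the standard LVM2 physical-volume label in sector 1; that the C2's super partition starts with such a label is an assumption drawn only from the post's mention of LVM headers, which is why a missing label is a warning rather than an error.

```sh
#!/bin/sh
# Added example (not from the forum post): wraps the spd_dump steps quoted above
# and checks the 2 MiB userdata dump before it is written back to super.
# Assumed: spd_dump, fdl1-dl.bin, fdl2-dl.bin and custom_exec_no_verify_65015f08.bin
# are in the current directory, and the addresses are the ones given in the post.
set -eu

EXEC_ADDR=0x65015f08
FDL1_ADDR=0x65000800
FDL2_ADDR=0x9efffe00
HEADER_BYTES=2097152   # 2 MiB: the region the post says the boot scripts inspect

# spd FDL2_IMAGE CMD...: one spd_dump session using FDL1 plus the given FDL2 image.
# Every session ends with "reset", so the phone has to be put back into download
# mode (Power + Volume Up) before the next call.
spd() {
  fdl2=$1; shift
  ./spd_dump exec_addr "$EXEC_ADDR" fdl fdl1-dl.bin "$FDL1_ADDR" \
      fdl "$fdl2" "$FDL2_ADDR" exec "$@" reset
}

# check_header FILE: succeed only if FILE is exactly 2 MiB and not all zeros.
# An all-zero dump means the headers are no longer there to copy back.
check_header() {
  f=$1
  size=$(wc -c < "$f" | tr -d ' ')
  if [ "$size" -ne "$HEADER_BYTES" ]; then
    echo "$f: expected $HEADER_BYTES bytes, got $size" >&2
    return 1
  fi
  if head -c "$HEADER_BYTES" /dev/zero | cmp -s - "$f"; then
    echo "$f: all zeros, nothing to restore" >&2
    return 1
  fi
  return 0
}

# lvm_label FILE: succeed if sector 1 carries the LVM2 physical-volume label
# magic "LABELONE", where lvm2 normally writes it. That the C2's super begins
# with an LVM2 PV label is an assumption based on the post's mention of LVM headers.
lvm_label() {
  magic=$(dd if="$1" bs=512 skip=1 count=1 2>/dev/null | head -c 8)
  [ "$magic" = "LABELONE" ]
}

# The device steps only run when asked for explicitly (sh restore.sh --restore),
# so the file can also be sourced for the checks alone.
if [ "${1:-}" = "--restore" ]; then
  echo "Hold Power + Volume Up whenever spd_dump waits for a connection" >&2
  spd fdl2-dl.bin r uboot_a                              # step 4: dump the device bootloader
  spd uboot_a.bin read_part userdata 0 2m userdata.bin   # first 2 MiB of userdata
  check_header userdata.bin
  lvm_label userdata.bin || echo "warning: no LVM2 PV label in sector 1 of userdata.bin" >&2
  spd uboot_a.bin write_part super userdata.bin          # copy the headers back to super
fi
```

Compared with the single command in the post, the restore is split into three download-mode sessions so that the dump can be inspected on the host in between; if check_header fails, nothing is written to super and the script stops, because a zeroed or truncated userdata.bin would only clobber the partition.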

Thanks for this information. Something like this belongs straight in the Wiki…