Flashing the Jolla C2

Devices
3

My process involved extracting the recovery image from a partial dump, modifying and flashing it to boot_a to obtain a root shell. However, this is probably more complicated than necessary. Looking at the boot scripts in the initramfs, it seems that on every boot, the first 2MB of the super are checked, and if they are not all zeros, the entire partition is copied to the userdata partition, after which the first 2MB are zeroed out. Since these 2MB mostly consist of LVM and filesystem headers that do not change significantly, it is probably not that hard to restore the userdata partition to its initial state.

Here are the general steps for flashing/dumping the phone (when the spd_dump command says “waiting for connection”, hold the Power and Volume Up keys of the phone):

  1. Download GitHub - TomKing062/spreadtrum_flash: Spreadtrum firmware dumper and build it using make
  2. Set up udev rules if you want to run the flashing commands with normal user permissions (see this readme: GitHub - ilyakurdyukov/spreadtrum_flash: Spreadtrum firmware dumper for Linux)
  3. Download the ums9230_universal_unlock.zip archive from here and extract it into the spreadtrum_flash directory (required files are custom_exec_no_verify_65015f08.bin, fdl1-dl.bin and fdl2-dl.bin)
  4. FDL2 is usually identical to the device bootloader. Run the following command to read out the bootloader, since it is more reliable than the generic FDL2:
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl fdl2-dl.bin 0x9efffe00 exec r uboot_a reset

Similar commands can be used to access other partitions - just replace fdl2-dl.bin with uboot_a.bin after this step.

Now, to restore the phone to its factory state, I would suggest the following steps (which I have not tested myself):

  1. Using the C2’s bootloader as FDL2, dump the first 2MB of the userdata partition, and write this data back to the super partition:
./spd_dump exec_addr 0x65015f08 fdl fdl1-dl.bin 0x65000800 fdl uboot_a.bin 0x9efffe00 exec read_part userdata 0 2m userdata.bin write_part super userdata.bin reset
  1. Wait until the phone boots and see if it shows the setup screen again. If it doesn’t, you will have to wait for someone to provide an original super image.
17 Likes