You’ve probably been aware since a few months that I’m able to make FFU firmwares for Lumia devices that are flashable on retail unlocked devices without any issue. Some of you may have also noticed a tool I open sourced on github that enables you to exactly do this. However this tool was never meant for wide use since it’s not finished and requires special instructions to be used properly and safely for a device. This post is aimed to explain you how to use this tool.
But first let’s talk about what made me write such tool. Some of you know about WPinternals, it’s a tool made by @Heathcliff74XDA that can be used to unlock the bootloader of many Nokia Lumia devices. Starting with version 2.0 the tool added support for “Spec B” devices, which are essentially newer generation devices using a new bootloader architecture by Qualcomm. The exploit used by WPinternals involves faking a FFU file header, but the implementation still required some optimization. I thus decided to try to implement this optimization by essentially writing an on the fly FFU generation algorithm, which worked to some degree, but it later ended up being re-used into another project, img2ffu.
img2ffu allows you to convert complete eMMC images into usable FFU files, allowing quick flashing times and space optimization. This effectively can allow you, if used properly, to flash a 32GB img file, converted to an FFU file, in under 2 minutes.
The issue with img2ffu is that it performs 10% of the required optimizations that Microsoft official tooling may actually do. This brings some issue to the table. img2ffu does not in any way erase unallocated sectors from the eMMC, this means if the tool is not used properly you may cause glitches on your device, like that one:
This is not really wanted by anyone, so you need to take special measures.
img2ffu has built in help, here’s what it looks like:
img2ffu 126.96.36.199 Copyright (c) 2019, Gustave Monce - gus33000.me - @gus33000 / Copyright (c) 2018, Rene Lergner - wpinternals.net - @Heathcliff74xda ERROR(S): Required option 'i, img-file' is missing. Required option 'f, ffu-file' is missing. Required option 'p, plat-id' is missing. -i, --img-file Required. A path to the img file to convert *OR* a PhysicalDisk path. i.e. \\.\PhysicalDrive1 -f, --ffu-file Required. A path to the FFU file to output -p, --plat-id Required. Platform ID to use -a, --anti-theft-version (Default: 1.1) Anti theft version. -o, --os-version (Default: 10.0.11111.0) Operating system version. -c, --chunk-size (Default: 131072) Chunk size to use for the FFU file --help Display this help screen. --version Display version information.
Some of these options allow you to make a FFU image directly from an attached phone in mass storage, but I do not recommend you to use this, as it’s very unsafe and you won’t perform any optimization.
Instead here’s what I suggest people to use:
- Download a program that can allow you to capture the phone eMMC as a VHD or VHDX file on Windows
- Capture the phone eMMC to a VHD/VHDX file.
- Detach the phone, and mount the VHD/VHDX file on your computer using Disk Management (diskmgmt.msc)
Once done, you should have a virtual disk with your phone eMMC contents.
What you need to do next, is image all partitions that contain a known file system and that are not a bootloader partition. For example if you are working with Windows Phone, you need to care about the MainOS and Data partitions. To image said partition, use DISM to capture the partition to a wim file. Repeat this process for every partition you need to care about.
Once done, you need to perform a slow format operation on the partitions you’re working with, and only these. This way we will be sure there will be no data remaining across the VHD and every sector will be unallocated. To be extra safe, you may also want to open the Windows Defragmentation tool, it features built in support for slab optimization which is specifically made for VHD files, if you’re using the GUI, simply click optimize and your VHD will be optimized. Once done, you can begin to re-apply the wim files you captured back to their original partitions, and you should have a very optimized VHD. Do note that sometimes applying may fail because DISM is not running as NT AUTHORITY\SYSTEM, if that’s the case, elevate DISM to SYSTEM rights.
You can then unmount the VHD you made using Disk Management (diskmgmt.msc) and this time remount it as read only. This is very important to prevent any capture failures with programs actively working against the VHD in the background.
Now all that is left is using the correct command line arguments for img2ffu. When you switch your phone using WPinternals to flash mode, you may see the following displayed on your screen:
In this example, we can see WPinternals saying my phone platform name is Microsoft.MSM8994.P6211.2.1. This is in fact the Platform ID of the device, albeit with a version number appended. You need to note down the following part only: Microsoft.MSM8994.P6211, and nothing else, this is what we will pass to img2ffu later on.
You can then go back to Disk Management (diskmgmt.msc) and look at the VHD file you mounted, on the left something like this will be displayed:
If you look closely, for me, my VHD is showing up as Disk 3. We can now conclude we will need to pass \\.\PhysicalDrive3 to img2ffu.
To summarize based on my example shown above, here’s what I will run for my FFU image:
img2ffu -i \\PhysicalDrive3 -f C:\Firmwares\MyNew950XLFirmware.ffu -p Microsoft.MSM8994.P6211
You should now get after an hour or so a brand new FFU firmware that should be properly optimized!
You can then flash it back to your device to confirm everything works properly, but you need to remember that the FFU files will not erase unallocated sectors, due to the tool unfinished state. You will thus most likely have to run before flashing the FFU thor2 -mode retail -erasepartition Data in order to clean up allocated sectors on your device.