Smartphone Flash Tool - Runtime Trace Mode - May 2026
Document Version: 1.0
Subject Area: Embedded Systems Debugging, Mobile Device Firmware Tooling
Target Audience: Firmware Engineers, Security Researchers, Android OEM Developers

1. Abstract
Traditional smartphone flash tools (e.g., SP Flash Tool, Qualcomm QFIL, Samsung Odin) operate in a black-box programming mode. They send pre-built firmware images (bootloader, kernel, system) to the device's memory partitions with minimal runtime feedback. This paper introduces Runtime Trace Mode (RTM) — an extension to conventional flashing tools that enables real-time instruction execution tracing, memory access logging, and register state streaming from the device's boot ROM and bootloader during the flashing process. RTM transforms the flash tool from a simple programmer into a low-level interactive debugger, crucial for diagnosing boot failures, verifying secure boot chains, and analyzing proprietary bootrom exploits.

2. Introduction
Smartphone boot sequences involve multiple stages: BootROM → Preloader → Little Kernel (LK) / U-Boot → Kernel. A single corrupted partition or misconfigured security fuse often results in a dead device (hard brick). Conventional flash tools provide no insight into why the device halts. They only succeed or fail with opaque error codes (e.g., STATUS_BROM_CMD_SEND_DA_FAIL).

A automatically downgrades from Full to PC-Only when the host cannot keep up.

5. Implementation Example: Extending MTK (MediaTek) SP Flash Tool
5.1 Current Limitations
MediaTek's BootROM (Preloader v2) already includes a partial trace capability via SEND_DA_EX command with debug flag 0x80, but it only dumps a fixed 256-byte register file on crash. No continuous streaming.

5.2 RTM Modifications
Step 1 – Custom Download Agent (DA): Patch the original DA binary (MTK_AllInOne_DA.bin) to include a background thread:
Add a new USB class (0xFF, subclass 0x02) for trace data. In brom.cpp:
Patch offsets: SPFlashTool.exe @ 0x2A3F4 – enable hidden menu, then Ctrl+Shift+T for trace console.

[PC: 0x0012F4A0] pl_check_battery() -> return 0 (battery low)
[PC: 0x0012F4B8] pl_shutdown_thermal()
[PC: 0x0012F2C0] reset_system() -> infinite loop.
Faulty ADC reading on battery thermistor. Fix: Bypass battery check in DA script.

6.2 Secure Boot Chain Verification
Using Full Execution Trace over USB (48 MB/s) while flashing a custom U-Boot: