Copyright (C) 2012-2014 Pali Rohár Mk II protocol is the only protocol which can be used to flash eMMC images. NOLO does not support eMMC, so flashing eMMC is done in Maemo system. NOLO will boot device into "update" mode and Maemo will start only softupd daemon (which is responsible for flashing from Maemo system) and load kernel driver g_softupd which handle USB communication to user space daemon. When device is in PC Suite mode Maemo system start softupd daemon and load kernel driver g_nokia which can also handle communication via Mk II protocol. Default Maemo flasher (v2.5.2 (Oct 21 2009)) support only some basic functions via Mk II protocol - it can send eMMC image to softupd server which flash it. But there is unofficial Maemo flasher (flasher v2.8.2 (Jan 8 2010)) distributed with omap aes kernel driver for Nokia RX-51 under name "flasher.rover" which support more functions. So "flasher.rover" is better for RE this protocol. Via Mk II protocol over usb with softupd daemon in device it is possible to flash any type of image except rootfs (xloader, secondary, kernel, mmc, cmt-2nd, cmt-algo, cmt-mcusw). Maemo system using same Mk II protocol over local TCP socket (server also provided by softupd) to update/flash system. Over usb are used only these functions for communication: usb_claim_interface (interface=1) usb_set_altinterface (alternate=1) usb_bulk_write (ep=1, timeout=5000) usb_bulk_read (ep=129, timeout=5000) And this function for sending raw data: usb_bulk_write (ep=2, timeout=1000) For every (request) message which is send by host, server send back response. Format of message every message is same. It has 6 bytes header and (at least) 4 bytes body. HEADER 4 bytes -- type of header 0x8810001B - out (sent by host: usb_bulk_write) 0x8800101B - in (received by host: usb_bulk_read) 2 bytes -- size of body (big endian) BODY 2 bytes -- unknown (always zero) 1 byte -- or. num of message (starting with zero) 1 byte -- type of message N bytes -- data Reply message data always starts with char 0x00 (except pong response). Message types: 0x00 - PING 0x01 - GET 0x02 - TELL 0x0C - REBOOT 0x20 - RESPONCE Here are some sniffed messages from Nokia RX-51. First two messages seems to must be always protocol version exchange (first host ask for protocol version of server and then host send its protocol version). On RX-51 is used version "2". Ping: req_type = 0x00 res_type = 0x20 Get protocol version: req_type = 0x01 req_data = "/update/protocol_version" res_type = 0x21 res_data = 0x00 "2" Tell our protocol version: req_type = 0x02 req_data = "/update/host_protocol_version" 0x00 "2" res_type = 0x22 res_data = 0x00 Get device: req_type = 0x01 req_data = "/device/product_code" res_type = 0x21 res_data = 0x00 "RX-51" Get hwrev: req_type = 0x01 req_data = "/device/hw_build" res_type = 0x21 res_data = 0x00 "2101" Get image types: req_type = 0x01 req_data = "/update/supported_images" res_type = 0x21 res_data = 0x00 "xloader,secondary,kernel,mmc,cmt-2nd,cmt-algo,cmt-mcusw" Reboot device: req_type = 0x0C req_data = "reboot" 0x00 res_type = 0x2C res_data = 0x00 Send image (mmc): req_type = 0x03 res_type = 0x23 res_data = 0x00 req_type = 0x04 req_data = fiasco subimage header res_type = 0x24 res_data = 0x00 0x00 0x00 0x00 0x00 0x00 0x02 0x00 0x00 req_type = 0x05 req_data = 0x00 0x00 0x00 0x00 "usb:raw" res_type = 0x25 res_data = 0x00 req_type = 0x06 req_data = 0x00 0x00 0x00 0x00 res_type = 0x26 res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 req_type = 0x0B req_data = 0x00 0x00 0x00 0x64 res_type = 0x2B res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 0x00 req_type = 0x08 req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00 res_type = 0x28 res_data = 0x00 (raw data on ep=2 size=1048576) req_type = 0x06 req_data = 0x00 0x00 0x00 0x00 res_type = 0x26 res_data = 0x00 0x00 0x00 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x0F 0x9F 0x2C 0x00 0x00 req_type = 0x0B req_data = 0x00 0x00 0x00 0x64 res_type = 0x2B res_data = 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x01 0xF0 0x00 0x00 0x00 req_type = 0x08 req_data = 0x00 0x00 0x00 0x00 0x00 0x10 0x00 0x00 res_type = 0x28 res_data = 0x00 (raw data on ep=2 size=1048576) ...