SkillAgentSearch skills...

Seftool

Command-line Sony Ericsson AVR&ARM DB1000/DB2000/DB2010/DB2012/DB2020/PNX5230 flashtool. Supports firmware flashing, patching (with RSA break), GDFS backup/restore, flash reading, and basic unlocking. Cross-platform (Linux, macOS, Windows).

GenerateConvertImprove

Install / Use

/learn @farid1991/Seftool
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

███████╗███████╗███████╗████████╗ ██████╗  ██████╗ ██╗
██╔════╝██╔════╝██╔════╝╚══██╔══╝██╔═══██╗██╔═══██╗██║
███████╗█████╗  █████╗     ██║   ██║   ██║██║   ██║██║
╚════██║██╔══╝  ██╔══╝     ██║   ██║   ██║██║   ██║██║
███████║███████╗██║        ██║   ╚██████╔╝╚██████╔╝███████╗
╚══════╝╚══════╝╚═╝        ╚═╝    ╚═════╝  ╚═════╝ ╚══════╝

SEFTool / SE Flash Tool

A command-line utility for flashing, unlocking, and managing Sony Ericsson AVR & ARM phones (DB1000, DB2000, DB2010, DB2012, DB2020, PNX5230) over a serial connection. Supports firmware flashing and patching, GDFS (phone data) backup/restore, flash reading, and basic unlock operations.

Features

  • Identify connected Sony Ericsson phone
  • Flash main and filesystem firmware
  • Read raw flash memory
  • Backup and restore GDFS (phone settings/data)
  • Unlock phone (usercode, simlock planned)
  • Patch firmware
  • Cross-platform (Linux/Windows, built with CMake + libserialport)

Building

Prerequisites

  • CMake 3.10+
  • C compiler:
    • Linux/macOS: GCC or Clang
    • Windows: MinGW (recommended)

Dependencies

Required runtime/build libraries:

Install packages per platform:

  • Debian / Ubuntu
sudo apt update
sudo apt install build-essential cmake pkg-config libserialport-dev zlib1g-dev libbz2-dev libminizip-dev
  • Fedora
sudo dnf install gcc make cmake pkg-config libserialport-devel zlib-devel bzip2-devel minizip-devel
  • Arch Linux
sudo pacman -S --needed base-devel cmake libserialport zlib bzip2 minizip
  • macOS (Homebrew)
brew install cmake pkg-config libserialport zlib bzip2 minizip
  • Windows (MSYS2 / MinGW64)
pacman -Syu
pacman -S --needed mingw-w64-x86_64-toolchain mingw-w64-x86_64-cmake \
       mingw-w64-x86_64-libserialport \
       mingw-w64-x86_64-zlib mingw-w64-x86_64-bzip2 mingw-w64-x86_64-minizip

Build Steps

Basic build steps (works on Linux/macOS and MSYS2 MinGW when using the appropriate shell):

git clone https://github.com/farid1991/seftool.git
cd seftool
mkdir build && cd build
cmake ..
cmake --build . --config Release

Windows (MSYS2 MinGW64) — recommended in the MinGW64 shell:

git clone https://github.com/farid1991/seftool.git
cd seftool
mkdir build && cd build
/mingw64/bin/cmake -G "MinGW Makefiles" ..
mingw32-make

Linux Serial Port Permissions

On Linux systems (Armbian, Debian, Ubuntu, etc.), accessing /dev/ttyUSB* or /dev/ttyACM* often requires being in the dialout group. If you see: sp_open failed: Permission denied Fix it by adding your user to the dialout group:

sudo usermod -aG dialout $USER

Usage

Usage: ./seftool -p <port> [-b <baudrate>] -a <action>

Options:

    -p, --port <name>                    Serial port name (e.g. COM2, /dev/ttyUSB0)
    -b, --baud <rate>                    Baudrate (default: 115200)
    -a, --action <action>                Specify an action (see below)

General action:
    identify                             Identify phone and show basic info

Ericsson
Platform: Z80
Available actions:
    identify                             Identify phone and show basic info
    read-eeprom                          Backup EEPROM area
    write-eeprom <eeprom_file>           Restore EEPROM area

Platform: AVR
Available actions:
    identify                             Identify phone and show basic info

Sony Ericsson
Platform: pre-A1 (DB1000)
Available actions:
    identify                             Identify phone and show basic info
    flash-avr <avr_file>                 Flash AVR MCU firmware
    flash-arm <arm_file>                 Flash ARM/DSP firmware

Platform: A1 (DB2000 / DB2010 / DB2012 / DB2020 / PNX5230)
Available actions:
    identify                                             Identify phone and show basic info
    flash [main <file>] [fs <file>] [cda <file>]         Flash MAIN / FS firmware and/or upload CDA
    read-flash start <addr> size <bytes> | block <count> Read flash (specify start & size or block count)
    read-gdfs                                            Backup GDFS area
    write-gdfs <filename>                                Restore GDFS from file
    write-script <file1> [file2 ...]                     Apply VKP or GDFS script(s)
    unlock <usercode|simlock>                            Unlock user code or SIM lock
    fsx-upload src <local...> [dest <fs path>]           Upload files to internal FS
    fsx-download src <fs path>/<file> [dest <local>]     Download files from internal FS
    upload-anycid                                        Upload AnyCID package for exploit access

Utility actions:
    convert babe2raw <filename>          Convert BABE -> raw
    convert raw2babe <filename> <addr>   Convert raw -> BABE at address

A1 Global options:
    --anycid                             Ignore CID restrictions (DB2012/DB2020/PNX5230)
    --break-rsa                          Break RSA on DB2000 & DB2010 RED49

General options:
    -h, --help                           Show this help message

Platform-specific action summary

Platform: pre-A1 (DB1000 — chip IDs 0x5807, 0x5808)

  • identify — Identify phone and show basic info
  • flash-avr <avr_file> — Flash AVR MCU firmware
  • flash-arm <arm_file> — Flash ARM/DSP firmware

Platform: A1 (DB2000 / DB2010 / DB2012 / DB2020 / PNX5230)

  • identify — Identify phone and show basic info
  • flash [main <file>] [fs <file>] [cda <file>] — Flash MAIN / FS firmware and/or upload CDA
  • read-flash start <addr> size <bytes> | block <count> — Read flash (specify start & size or block count)
  • read-gdfs — Backup GDFS area
  • write-gdfs <filename> — Restore GDFS from file
  • write-script <file1> [file2 ...] — Apply VKP or GDFS script(s)
  • unlock <usercode|simlock> — Unlock user code or SIM lock
  • fsx-upload src <local...> [dest <fs path>] — Upload files to internal FS
  • fsx-download src <fs path>/<file> [dest <local>] — Download files from internal FS
  • upload-anycid — Upload AnyCID package for exploit access

Utility actions

  • convert babe2raw <filename> — Convert BABE -> raw
  • convert raw2babe <filename> <addr> — Convert raw -> BABE at address

Supported devices

| Action | DB2000 | DB201x | DB2020 | PNX5230 | |:-------------------|:-------------:|:---------------------:|:--------------:|:-------:| | identify | OK | OK | OK | OK | | flash | OK | OK | OK | OK | | read-flash | CID29,36,49 | CID29,36,49 + ANYCID | BROWN49+ANYCID | ANYCID | | read-gdfs | OK | OK | OK | OK | | write-gdfs | OK | OK | OK | OK | | write-script[gdfs] | OK~~CID29~~ | OK | OK | OK | | write-script[vkp] | CID36,49 | CID29,36,49 + ANYCID | BROWN49+ANYCID | ANYCID | | unlock-usercode | OK | OK | OK | OK | | unlock-simlock | TODO | TODO | TODO | TODO | | upload-anycid | NOTHING | OK | OK | OK | | fsx-upload | OK | OK | OK | OK | | fsx-download | OK~~CID29~~ | CID29,36,49 + ANYCID | BROWN49+ANYCID | ANYCID |

Examples

Identify phone (identify)

Backup security units on first operation.

$ .\seftool.exe -p COM2 -b 921600 -a identify
<details> <summary>output</summary> 
Port: COM2
Baudrate: 921600
Action: identify

Powering phone
Waiting for reply (30s timeout):
30 seconds remaining...
Connected

Detected Sony Ericsson
Chip ID: 9900, Platform: DB2020
EMP Protocol: 03.01
SPEED: 921600

LDR: 071130 1150 NPACXC1250330_DB2020_PRODUCTIONIDLOADER_P3M
FLASH ID: 0x897e (Intel)
OTP: LOCKED:1 CID:51 PAF:1 IMEI:35958401******
ACTIVE CID:53 COLOR:RED
Activating GDFS.. activated

Phone Info (from GDFS):
Model: W660i
Brand: Sony Ericsson
MAPP CXC article: R8BB001     prgCXC1250446_GENERIC_FY
MAPP CXC version: R8BB001
Language Package: C_ASIA
CDA article: CDA102568/7
CDA revision: R8A
Default article: cxc1250839
Default version: R6AD001
SIMLOCKS NOT DETECTED
Provider: 000-000

Shutdown phone
Done
</details>

Flashing firmware (flash):

Support only firmware with BABE format. bin, ssw, mbn, fbn.

Flash main + filesystem firmware:

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash main main.mbn fs fs.fbn

Flash main + filesystem firmware + CDA upload:

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash main main.mbn fs fs.fbn cda cda.zip

Flash main only:

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash main main.mbn

Flash ARM firmware (DB1000):

$ ./seftool -p /dev/ttyUSB0 -b 115200 -a flash-arm T610_R6C005_TAE.arm

Flash AVR firmware (DB1000):

$ ./seftool -p /dev/ttyUSB0 -b 115200 -a flash-avr T610_R6C005_ASIAN_LAT_1_EN-ID-MS.bin

Flash filesystem only:

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash fs fs.fbn

Flash (upload) CDA only:

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash cda cda.zip

Cross-flash DB201x CID49 (example: K310 → W200)

Some DB201x phones (e.g. K310) can be flashed with firmware from a different model (e.g. W200). This requires enabling RSA-break, otherwise the flash is rejected due to CID mismatch.

$ ./seftool -p /dev/ttyUSB0 -b 921600 -a flash main w200_main.mbn fs w200_fs.fbn cda w200_cda.zip --break-rsa

Read flash (read-flash):

Read 512 KB starting at 0x44000000 and save as RAW (.bin):

$ .\seftool.exe -p

farid1991

View profile

View on GitHub
GitHub Stars12
CategoryCustomer
Updated1mo ago
Forks0
farid1991/seftool

Languages

C

Security Score

95/100

Audited on Mar 2, 2026

No findings