This is what i was able to... Um pull from the manufacturer website it explains a clearly documented exploit
MSM8937 platform AP is the eight-core A53 processor, divided into two clusters, the highest frequency support 1.4GHZ, PMIC has two combinations: PM8937 + PMI8937 and PM8937 + PMI8952.
Qualcomm platform starts from the PBL, that is, the internal ROM to start running, PBL load SBL1 and RPM part, SBL1 start running, SBL1 load RPM part, TZ, APPSBL (aboot). After loading should start lk, but SBL1 will not directly start lk, but by the TZ to start, TZ is divided into two parts: QSEE, QHEE. SBL1 operating environment tax 32bit, while the TZ is 64bit. Therefore, in the SBL1 last jump to QSEE need to switch to aarch64, and then trigger a warm reset, this will start to QSEE 64bit operating environment by QSEE run. QSEE will inform the RPM to start running, then QHEE start running, and finally by QHEE start lk.
SBL1 in general to modify a few places are: 1) CDT, here to change the platform information, such as MTP or QRD, etc., there is the DDR parameters; 2) UART port, if you want to see SBL1 print information, then you must To configure the UART port, of course, if the default UART port just like the hardware connection, then this does not have to change. If not consistent, then need to modify uart_sbl_8937.xml as follows:
According to the hardware to modify UART_PHY_DEVICE_X, X can be 1,2,3,4. Serial port baud rate of 115200.
Debugging encountered a very strange problem is that SBL1 finally jump to QSEE trigger warm reset when the system restart, because there is no UART inside the TZ print, it is not clear when the switch to TZ when the problem is still in the Run TZ when the problem is still in the start lk when the problem. And later made a lot of attempts to find that may be related to the control of the UART port. Hardware UART port is UART1, and the default configuration of the version of the UART2, the value of SBL1 and modified, but also in the TZ configuration, TZ BLSP will be the various QUP and UART access control interface The And UART1 default access is TZ, that is, only by the TZ access, but in the initialization of lk also need to initialize the UART port for print output, this will lead to conflict caused the system to restart. Need to modify the TZ is an xml file. After the re-translation devcfg.mbn, so that the system can see the lk run the log.
Related
Hi Everyone,
At the moment, I cannot get my LG G2X to boot into Cyanogen Mod. I cannot get it to boot into recovery mode. I cannot get it to do anything but sit at the second LG logo. This is a problem.
If I allow it to boot with no special button-pressing, it will get to the second LG logo, and stall there until the battery runs out. If I hold the VOLUME DOWN and POWER buttons, it will get as far as the first (white) LG logo and stall there (holding VOLUME DOWN and POWER for a full 60 seconds).
History:
A few weeks ago, I had flashed my G2X and installed CyanogenMod 7 (specifically 7.2.0) from here: http://download.cyanogenmod.com/?type=stable&device=p999. I accomplished this through the excellent One-Click NvFlasher ClockWorkMod provided by TGA_Gunnman (found here: http://forum.xda-developers.com/showthread.php?t=1056847). Once in a while, I would have to clear the caches after a reboot, but that was my biggest problem, and one I was prepared to live with. Until now.
Things I've tried:
Most fixes start with reflashing CWM. I did that, using the aforementioned One-Click NvFlasher ClockWorkMod tool. It stalls as follows:
Code:
===============================================================
===============================================================
One Click ClockWorkMod Recovery Flash for T-Mobile G2x
External SD Support by Koushik Dutta
Version 5.0.2.0
===============================================================
===============================================================
Nvflash started
rcm version 0X20001
System Information:
chip name: unknown
chip id: 0x20 major: 1 minor: 3
chip sku: 0xf
chip uid: 0x033c20824360c4d7
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 17
sdram config strap: 0
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: fastboot.bin
/ 1024992/1024992 bytes sent
fastboot.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
sending file: CWM-5020.img
- 65536/3563520 bytes sent
-------------------------------------------------------------------------------------
...and won't do anything else.
So, for whatever reasons, it will not send CWM-5020.img. To check, I tried nvflash.exe directly. Same general result. I tried with a different file (recovery-clockwork-5.0.2.0-p999.img), same result. I also tried the advice here: http://forum.xda-developers.com/showthread.php?t=1590523&highlight=bricked+help and tried to wipe out my partitions. While that tool runs successfully, it does not change the results with One-Click NvFlasher ClockWorkMod
Summary:
Can't boot. Can't boot into recovery. Can't flash the ROM.
Any ideas? Anyone?
Thanks!
I forgot to add: when I unplug from the one-click updater, I get the following error message:
Code:
sending file: CWM-5020.img
- 65536/3563520 bytes sentdata send failed NvError 0x30012
command failure: partition download failed
===============================================================
===============================================================
*****Once nvflash has completed successfully then hit any key to close.*****
****If any step failed then repeat the process****
For when my partitions are messed up
http://forum.xda-developers.com/showthread.php?p=17258229
Sent from my LG-P999 using Tapatalk 2
djvoleur said:
For when my partitions are messed up
http://forum.xda-developers.com/showthread.php?p=17258229
Sent from my LG-P999 using Tapatalk 2
Click to expand...
Click to collapse
Thanks, djvoleur, but when I try that, I get this:
Code:
.\nvflash.exe
--bct E1108_Hynix_512MB_H8TBR00U0MLR-0DM_300MHz_final_emmc_x8.bct --setbct --odm
data 0xC8000 --configfile android_fastboot_emmc_full.cfg --create --bl fastboot.
bin --go
Nvflash started
rcm version 0X20001
System Information:
chip name: unknown
chip id: 0x20 major: 1 minor: 3
chip sku: 0xf
chip uid: 0x033c20824360c4d7
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 17
sdram config strap: 0
sending file: E1108_Hynix_512MB_H8TBR00U0MLR-0DM_300MHz_final_emmc_x8.bct
- 4080/4080 bytes sent
E1108_Hynix_512MB_H8TBR00U0MLR-0DM_300MHz_final_emmc_x8.bct sent successfully
odm data: 0xc8000
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: fastboot.bin
\ 888548/888548 bytes sent
fastboot.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
setting device: 2 3
creating partition: BCT
creating partition: PT
creating partition: EBT
creating partition: SOS
creating partition: MBR
creating partition: APP
creating partition: CAC
creating partition: MSC
creating partition: EB1
creating partition: LNX
creating partition: EB2
creating partition: DRM
creating partition: EB3
creating partition: UDA
creating partition: EB4
creating partition: UDB
failed executing command 12 NvError 0x120002
command failure: create failed (bad data)
bootloader status: fatal failure to read / write to mass storage (code: 9) messa
ge: nverror:0x42008 (0x19042008) flags: 0
So it seems that this doesn't help. I scanned through the thread and didn't see anything that seemed like it might address this issue.
It may be driver related. Reinstall drivers then follow the instructions to resurrect your phone.
Core Memory said:
It may be driver related. Reinstall drivers then follow the instructions to resurrect your phone.
Click to expand...
Click to collapse
Would you recommend reinstalling both the LG USB drivers and the ATX drivers for nVidia? (I'm probably going to do both anyway.)
I've forced a reinstall of the NVIDIA USB Boot-recovery driver, using the same files included in the one-click recovery tool. After that, I attempted to run the tool and had the same failure listed above (command failure: partition download failed). For laughs, I tried djvoleur's solution as well, and got the same error again. So it doesn't seem to be a driver issue.
When you do the NVFlash recovery, did you take out the battery, hold the up and down volume buttons in, while holding the buttons in plug in the usb cable, while holding the buttons in run the recovery until it is completed.
Just for ****s, try flashing twrp. I also have another idea, but I can't get it set-up tonight.
Sent from my LG-P999 using xda premium
Core Memory said:
When you do the NVFlash recovery, did you take out the battery, hold the up and down volume buttons in, while holding the buttons in plug in the usb cable, while holding the buttons in run the recovery until it is completed.
Click to expand...
Click to collapse
Yes. The battery was out the whole time. Held the buttons down, plugged in the USB cable, ran recovery, recovery stalls at 65536 bytes. Held it for about five minutes, just to make sure.
Волк said:
Just for ****s, try flashing twrp. I also have another idea, but I can't get it set-up tonight.
Sent from my LG-P999 using xda premium
Click to expand...
Click to collapse
Same result as each of the others: stalls at 65536 bytes sent. I don't think it's an issue with any of the actual recovery mods, at this point. I think it's something wrong with getting data onto my phone, perhaps?
How about trying to update the phone with one of the KDZ updates? Use Emergency mode. There's an offline updater which uses an http server to fool the LG updater into not accessing the LG update website then doing the update. It runs with a VB script which does everything. I once used that with the V21Y_00.kdz file when my phone wouldn't restore.
http://forum.xda-developers.com/showthread.php?t=1601918
http://forum.xda-developers.com/showpost.php?p=22189294&postcount=30
Core Memory said:
How about trying to update the phone with one of the KDZ updates? Use Emergency mode. There's an offline updater which uses an http server to fool the LG updater into not accessing the LG update website then doing the update. It runs with a VB script which does everything. I once used that with the V21Y_00.kdz file when my phone wouldn't restore.
http://forum.xda-developers.com/showthread.php?t=1601918
http://forum.xda-developers.com/showpost.php?p=22189294&postcount=30
Click to expand...
Click to collapse
Tried this. First tried the second link (the all in one with the offline web server). That didn't work because the zipfile with the webserver and other software had a virus which specifically infected the web server.
Followed the directions in the first post, then. These seem to presume that you can get to USB debugging mode (which I can't, because the phone won't boot). Got as far as Step 3 in that post. When I click on "Upgrade Start" I should get a pop-up for "Select Country & Language". I do not. Instead, it starts the LG Mobile Support Tool directly. (I should mention at this point that I'm on WIndows 7, if it matters). The updater checks the connection with the phone, and finds an acceptable connection. Since it was supposed to go into the Updater anyway, I hit "Start Updating". After a while, this fails with some sort of connection problem with the phone. I've tried re-running the LG Updater under several conditions (in Upgrade mode, not in Upgrade mode, etc.). No luck.
Doesn't seem like this is a solution I can get to work. Should I try something else?
The virus warning is false. Disconnect from the internet and/or turn off your wireless connection then run it. Also, if it stalls, let it wait.
If it doesn't continue within 10 minutes, try it again.
---------- Post added at 11:51 AM ---------- Previous post was at 11:46 AM ----------
Also, I made sure that all of the applications in the substitute web-server update package were allowed to run as administrator before I ran the script. If that doesn't work, try running the apps individually without the script in the order they're required to be initiated which is in the instructions that come with that package.
Core Memory said:
The virus warning is false. Disconnect from the internet and/or turn off your wireless connection then run it. Also, if it stalls, let it wait.
If it doesn't continue within 10 minutes, try it again.
---------- Post added at 11:51 AM ---------- Previous post was at 11:46 AM ----------
Also, I made sure that all of the applications in the substitute web-server update package were allowed to run as administrator before I ran the script. If that doesn't work, try running the apps individually without the script in the order they're required to be initiated which is in the instructions that come with that package.
Click to expand...
Click to collapse
I'm having exactly the same problem as that person right now. Using the offline update, I got up to "Normal MTK Upgrade start" but then the program crashed right afterwards. It also doesn't help that the phone keeps on rebooting. For the online update, I can get up to 32% before the phone reboots and I have to restart the update process.
mbamg said:
I'm having exactly the same problem as that person right now. Using the offline update, I got up to "Normal MTK Upgrade start" but then the program crashed right afterwards. It also doesn't help that the phone keeps on rebooting. For the online update, I can get up to 32% before the phone reboots and I have to restart the update process.
Click to expand...
Click to collapse
If it got to 32%, it has installed the baseband, that gets installed first then the Android. Try doing a restore/recovery of just Android that's compatible with the baseband.
Have you tried running the flash with the battery in? I know all the instructions say take the battery out, but im having similar issues with my phone, and once the phone is recognized in Device manager in APX mode, insert the battery, then run the flash. That seemed to work for me.
Core Memory said:
How about trying to update the phone with one of the KDZ updates? Use Emergency mode. There's an offline updater which uses an http server to fool the LG updater into not accessing the LG update website then doing the update. It runs with a VB script which does everything. I once used that with the V21Y_00.kdz file when my phone wouldn't restore.
http://forum.xda-developers.com/showthread.php?t=1601918
http://forum.xda-developers.com/showpost.php?p=22189294&postcount=30
Click to expand...
Click to collapse
Nothing will work in this Case i try all most everything. I thnk 99% Partition or Flash Chip is Damaged
See Reports:
While try with KDZ File
Trying to Flash Recovery
Code:
===============================================================
===============================================================
One Click ClockWorkMod Recovery Flash for T-Mobile G2x
External SD Support by Koushik Dutta
Version 5.0.2.0
===============================================================
===============================================================
Nvflash started
rcm version 0X20001
System Information:
chip name: unknown
chip id: 0x20 major: 1 minor: 3
chip sku: 0xf
chip uid: 0x033c208240ff9497
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 17
sdram config strap: 0
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: fastboot.bin
/ 1024992/1024992 bytes sent
fastboot.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
sending file: CWM-5020.img
- 65536/3563520 bytes sent
Recovery Stock
Code:
===============================================================
===============================================================
One Click ClockWorkMod Recovery Flash for T-Mobile G2x
External SD Support by Koushik Dutta
Version 5.0.2.0
===============================================================
===============================================================
Nvflash started
rcm version 0X20001
System Information:
chip name: unknown
chip id: 0x20 major: 1 minor: 3
chip sku: 0xf
chip uid: 0x033c208240ff9497
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 17
sdram config strap: 0
downloading bootloader -- load address: 0x108000 entry point: 0x108000
sending file: fastboot.bin
/ 1024992/1024992 bytes sent
fastboot.bin sent successfully
waiting for bootloader to initialize
bootloader downloaded successfully
sending file: CWM-5020.img
- 65536/3563520 bytes sent
Phone Information
Code:
Nvflash started
rcm version 0X20001
System Information:
[COLOR="Red"] [B]chip name: unknown[/B][/COLOR]
chip id: 0x20 major: 1 minor: 3
chip sku: 0xf
chip uid: 0x033c208240ff9497
macrovision: disabled
hdcp: enabled
sbk burned: false
dk burned: false
boot device: emmc
operating mode: 3
device config strap: 0
device config fuse: 17
sdram config strap: 0
Rad Flash
Code:
[R&D Test Tools Log File]
00:54:52 : Start fn_StartUpgrade
00:54:52 : Extract kdz file
00:55:01 : kdz decrypt Success
00:55:05 : Extract file Success.
00:55:05 : LGMobileDL Load.
00:55:05 : Port = -1
00:55:05 : Connection check start.
00:55:05 : Port(or Device) Not Found!
00:55:07 : Finish All test
So to Flash with KDZ ect u need phone on Recovery mode and phone will not steep into recovery mode with vol - + Power
All we have is boot Recovery mode and phone hang on SW Upgrade Please Wait
I Try to Format partition manually via NVFlash but same thing its hang
Best Regards from me i am giving up after 2 days working on it, For me its simply Hardware Problem
In my experience when that happened to me.... It was my firewall/virus scanner. Try disabling those before attempting another flash.
Hello guys,,, so i have this galaxy j5 that i think i fu*ed up...
it is rooted and has twrp... (v2.8.7.0) since it was the only one aviable
in bootloader mode doesn't get recognized, it has all the possible drivers installed and tried different cables but nothing...
in twrp recovery mode, if i try anything to wipe or mount i get error message
Could not mount /data
unable to mount storage
and i get at the top an unable to find the crypto footer or something
Failed to wipe dalvik
tried with usb otg, but nothing, not recognized/mounted
i also get internal storage: 0MB
no adb sideload,,, nothing
if this can help it says frp lock Off
Samsung Galaxy J5 Pc Suite and Usb Driver Installation
You should know that if Samsung Galaxy J5 smartphone is powered by a corresponding MTK processor, here is explained how to install the Usb drivers and Pc Suite for the model of this type.
1- Run and use as an administrator if you are Samsung Galaxy J5 Usb drivers and Pc Suite work very precisely and correctly.
2- Enable USB debugging on Samsung Galaxy J5 to do that, please go to Settings> Developer Options.
3- Download the driver to the computer's usb driver Extract files using WinZip or WinRAR, find the file "PdaNetA4150.exe" and start note (Be sure to close all programs).
4-Select the Type phone model (Samsung Galaxy J5 Smartphone), Please select press / click the install button.
Now you just connect Samsung Galaxy J5, there will be a popup message saying your phone is connected. Congratulations you have completed the installation.
thanks the PdaNetA4150.exe file did the trick and now adb get's recognized via twrp
and this is the only place i have acces,,, i cannot boot, no bootloader recognized, nothing...
after everything i try i get unable to mount /data
any command to erase, mount everything?
If you have TWRP, I think ADB works in TWRP whereas if you boot your phone into download/bootloader mode you use fastboot. So what you need to do is find the correct drivers for FASTBOOT NOT ADB as they both do different things, require different drivers and are used in different modes. You might need to manually update them using Device Manager and downloading the drivers.
AtharvD said:
If you have TWRP, I think ADB works in TWRP whereas if you boot your phone into download/bootloader mode you use fastboot. So what you need to do is find the correct drivers for FASTBOOT NOT ADB as they both do different things, require different drivers and are used in different modes. You might need to manually update them using Device Manager and downloading the drivers.
Click to expand...
Click to collapse
the problem is when i put it in bootloader mode, i get no sign of life...
the smartphone used to work fine, but i wanted to hard reset and i clicked Format Data....
after that, no boot, nothing
i saw that i had messed up with partitions...
like really bad.. i don't know how... here is my result
Code:
print
Model: MMC QN16MB (sd/mmc)
Disk /dev/block/mmcblk0: 7818MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 4194kB 19.9MB 15.7MB apnhlos
2 19.9MB 80.2MB 60.2MB modem
3 80.2MB 80.7MB 524kB sbl1
4 80.7MB 80.7MB 32.8kB ddr
5 80.7MB 82.8MB 2097kB aboot
6 82.8MB 83.3MB 524kB rpm
7 83.3MB 83.9MB 524kB qsee
8 83.9MB 84.4MB 524kB qhee
9 84.4MB 87.5MB 3146kB fsg
10 87.5MB 87.5MB 16.4kB sec
11 87.5MB 98.6MB 11.0MB pad
12 98.6MB 109MB 10.5MB param
13 109MB 124MB 14.7MB ext4 efs
14 124MB 127MB 3146kB modemst1
15 127MB 130MB 3146kB modemst2
16 130MB 144MB 13.6MB boot
17 144MB 159MB 15.7MB recovery
18 159MB 172MB 13.1MB fota
19 172MB 180MB 7331kB backup
20 180MB 183MB 3146kB fsc
21 183MB 183MB 8192B ssd
22 183MB 191MB 8389kB ext4 persist
23 191MB 192MB 524kB persistent
24 192MB 201MB 9437kB ext4 persdata
25 201MB 2382MB 2181MB ext4 system
26 2382MB 2592MB 210MB ext4 cache
27 2592MB 2665MB 73.4MB ext4 hidden
28 2665MB 7818MB 5153MB userdata
(parted)
please some moderator if could move this thread to galaxy j support forum!! thanks !!
What is a blankflash file? I have seen people requesting blankflash file for their phones...
Does it help to recover device from bootloop/brick?
A good question.
I see a lot of people glibly saying, "Oh, you have to blankflash first".
I don't know and I have a suspicion that the people who use it don't know either.
I can go to EDL mode (on Qualcomm processors) and wipe every byte in flash to zero (0x00).
Presumably this mystic "blankflash" is something more.
Maybe it's some OEM enforced stupidity where it wipes everything then puts in a signature to say, "No, really, I'm erased".
So, to answer my own question:
Blankflash is a Motorola invention of throwing a bunch of partitions into a tar archive.
You can list it/extract it using 7zip or other utilities.
It's tar-"like", but not tar. Packed inside is:
Code:
programmer
gpt
aboot
rpm
tz
devcfg
cmnlib
cmnlib64
keymaster
prov
sbl1
This is the absolute minimum you need to flash to get fastboot running from aboot.
All of these (except the GPT) are either 32 or 64 bit ELF files with Qualcomm signing.
See: http://www.temblast.com/qcomview.htm
Note, none of this precludes you from using any EDL client to just write all your partitions
hey guys..
i have a module which called bus multimedia.. i need root or read full backup of this device.. but there is no usb socket only exist RX TX pinout and i cannot connect it to pc over putty.. is anyone help me to read backup.?
t-mobile_mda said:
hey guys..
i have a module which called bus multimedia.. i need root or read full backup of this device.. but there is no usb socket only exist RX TX pinout and i cannot connect it to pc over putty.. is anyone help me to read backup.?
Click to expand...
Click to collapse
hey.. i removed the emmc and info..do u think that this device is android based..?
HiPower mode is On
Setting Interface to EasyJtag1/ISP_HiPower
Setting IO Levels to 3.3V
Setting Frequence to 21 Mhz
Setting BusWidth to 1 Bit
CMD Pullup Level: 2134 mV
CMD Active Level: 2609 mV
Setting HS Timing to Enabled
EMMC Device Information :
EMMC CID: 7001004D3732383038801500009374CA
EMMC CSD: D04F01320F5903FFFFFFFFEF8A400060
Manufacturer: KINGSTONE , NAME: M72808 , HEX: 4D3732383038 , S/N: 15000093 , Rev: 80
Manufacturer ID: 70 , OEM ID: 00 , Device Type: BGA (Discrete embedded) , Date: 7/2017
EMMC ROM 1 (Main User Data) Capacity: 7296 MB (0x0001C8000000)
EMMC ROM 2/3 (Boot Partition 1/2) Capacity: 4096 KB (0x000000400000)
EMMC RPMB Capacity: 4096 KB (0x000000400000) , Counter: 0 , Response: Clean
Extended CSD Information :
Extended CSD rev: 1.8 (MMC 5.1)
Boot configuration [PARTITION_CONFIG]: 0x00 , Device not boot enabled
Boot Bus Config: 0x00 , x1 (sdr) or x4 (ddr) bus width in boot operation mode
H/W Reset Function [RST_N_FUNCTION]: 0x00 , RST_n signal is temporarily disabled
Supported partition features [PARTITIONING_SUPPORT]: 0x07
Device supports partitioning features
Device can have enhanced technological features in partitions and user data area
Device can have extended partitions attribute
Partition settings [PARTITION_SETTING_COMPLETED]: 0x00
EMMC Init completed
Backup saved: M72808_15000093_20220611_141710.extcsd (new backup)
Connected successfully
Operation: Scan PartitionTable from Source (Vendor: Binary Read/Write)
Scanning soft partitions from ROM2
GPT header is not found
Scanning soft partitions from ROM3
GPT header is not found
Scanning soft partitions from ROM1
GPT header is not found
MBR header is not found
You need a usb to uart device to get started on that board. You can find one online for about 3 dollars.
Hello XDA community !
To be honest I'm a newbie here, and not really experienced on mobile phone technical stuff
My Zenfone suddenly stopped working last week, without any particular reason.
The only thing I can see when I on the device is the "Powered by Android" logo. But nothing else happens after.
Then I wanted to start the recovery menu, but even when I select "recovery mode" or "fastboot" nothing happens, it's still showing "Powered by Android" logo and no more
See this screenshot :
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I tried to plug the device with USB to my linux laptop with android studio installed, but adb devices show nothing
I also tried to create a microSD card, bootable, with exFAT partition and put the phone firmware on the root of the card (as described https://www.asus.com/supportonly/zenfone max plus (m1)(zb570tl)/helpdesk_download/). Even with it, recovery or fastboot options give the same screen as above
My idea was to be able to boot from sd card and be able to "revive" somehow the phone, and at least being able to download user data from it with the help of adb
I'm not sure if it's possible of if I should prepare the microsd with another format or partition layout
Any idea to guide me ?
Don't think you can recover any user-data this because probably bootloader completely got corrupted. Re-flash Stock ROM.
Thanks for your answer.
Sorry also because I made a mistake : I think fastboot mode is active
What I did : In the menu above, I selected "Fastboot mode"
then I got an output : "CSC FASTBOOT mode"
Then I plugged the phone on my laptop USB
The "lsusb" command returned an additionnal device :
Code:
Bus 001 Device 004: ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo / FP1
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x0bb4 HTC (High Tech Computer Corp.)
idProduct 0x0c01 Dream / ADP1 / G1 / Magic / Tattoo / FP1
bcdDevice 1.00
iManufacturer 1 MediaTek
iProduct 2 Android
iSerial 3 J1AXJR04D658EJ6
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0020
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 256mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 66
bInterfaceProtocol 3
iInterface 4 fastboot
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 1
Device Status: 0x0001
Self Powered
"adb devices" still returns nothing but "fastboot devices" does :
J1AXJR04D658EJ6 fastboot
"fastboot reboot" does also reboot the phone ...
From there I guess at least I can do something. I don't know if I'll be able to recover some data, but anyway if I can recover my phone that would be fine too.
you can unlock bootloader with mtkclient (do a backup beforehand) and flash TWRP from fastboot, to see if that leads to something.
ok thanks a lot. I'll have a look to mtkclient / TWRP and try to manage !
Will let you know soon.
keep in mind unlocking from fastboot forces factory reset. It will flush keystore in TEE, don't try this even with full backup. TEE can't backed up.
unlocking from mtkclient afaik does not wipe userdata. but do a backup of userdata + metadata + seccfg (or even better full dump) just in case.
you can try to boot into EDL mode with both vol keys + usb, modified fastboot, DIY deep flash cable or test point method.
[GUIDE][TOOL] Reboot to EDL mode from FASTBOOT! No More "Test Point Method"! [kenzo]
[GUIDE][TOOL] Reboot to EDL mode from FASTBOOT! No More "Test Point Method"! [kenzo] Reboot to EDL mode from FASTBOOT! No more Test Point Method needed ;) Technical Details: Redmi Note 3 support rebooting to EDL in Android Bootloader aboot...
forum.xda-developers.com
also please note TWRP is maybe not able to decrypt, because encryption keys are bonded to bootloader lock state.
however some people claim it's possible, maybe due the fact that seccfg is patched in way to circumvent this (untested).
if you can't boot into recovery from bootloader, you can boot into file from fastboot (requires bootable slot)
Code:
fastboot boot twrp.img
thanks Alecxs for all the information. I'll take some time to read carefully everything.
In the meantime, I installed successfully mtkclient on my laptop. I didn't know about this tool before
I used first the read partition tool, which went fine for almost all partitions except userdata :-(
it started but stopped after 9 GB (over 52) with the following message
Failed to dump sector 12517376 with sector count 109592543 as MyZenfone-partition dump/userdata.bin
18.0% Read (Sector 0x12D6C80 of 0x6883FDF, 42m:19s left) 18.67 MB/sDAXFlash
DAXFlash - [LIB]: Error on reading data: MMC error (0xc0040030)
looks like game over ...
well.. if this is game over, then you have nothing to lose I guess? so backup all partitions excluding userdata (--skip=userdata) then only try to unlock seccfg (do not erase any partition ignore instructions) then boot into fastboot and check if TWRP can boot
TRY AT OWN RISK YOU MAY CORRUPT USERDATA ENCRYPTION OR ERASE USERDATA
Code:
python3 mtk da seccfg unlock
python3 mtk payload --metamode FASTBOOT
fastboot boot path/to/twrp.img
might be possible to dump userdata excluding unreadable sectors. but you need to read the instructions. nevertheless the dump (even if healthy) is impossible to decrypt on PC, can only be decrypted on the origin phone itself...
thanks alecxs, I think I'll try to boot into twrp
My concern is to find a suitable twrp for my device. There is no official port for Asus X018D
I tried to find it by googling and found this on "unofficial twrp" site
twrp 3.2.3 For Mediatek MT6750 Phone
which could be ok for mine maybe except they it's for android 8 and 8.1, while I was still on Nougat 7
I don't know if trying this could work or not ?
you need TWRP for the Plus variant. can you share boot.img + recovery.img read off device?
yes I can share the dumped partitions from mtkclient (the extension is .bin)
boot.bin :
boot.bin
drive.google.com
recovery.bin
recovery.bin
drive.google.com
okay let me try to port generic TWRP. you can meanwhile try that Oreo+recovery+tested.img (login required)
edit: X018D_TWRP.img for android 9 (no login required)
So I tried to unlock bootloader from mtkclient, which resulted in :
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
Done |--------------------------------------------------| 0.0% Write (Sector 0x0 of 0x1) 0.00 MB/sDAXFlash
DAXFlash - [LIB]: Error on writeflash: MMC error (0xc0040030)
and then after (maybe I shouldn't have ...)
python3 mtk payload --metamode FASTBOOT
I think I did something wrong, because now I cannot list GPT
python mtk printgpt
gives
Code:
Port - Device detected :)
Preloader - CPU: MT6755/MT6750/M/T/S(Helio P10/P15/P18)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212c00
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x326
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xcb00
Preloader - SW Ver: 0x1
Preloader - ME_ID: 10A8E97D4708BDEB74D8D7B3C7E0EBFA
PLTools - Loading payload from mt6755_payload.bin, 0x258 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: /home/laurent/Applications/DevOps/Android/mtkclient/mtkclient/payloads/mt6755_payload.bin
Port - Device detected :)
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash
DAXFlash - [LIB]: xread error: unpack requires a buffer of 12 bytes
DAXFlash
DAXFlash - [LIB]: Error jumping to DA: -1
actually, the second command was just to exit preloader mode and switch into fastboot... sorry for the confusion. I have also attached the android 7 version of twrp for testing.. (see above)
If I got this right, unlocking was trying to write Sector 0x0 of 0x1 but it deny writing anything because eMMC is not writeable at 0xc0040030. But isn't that in userdata area?
however, on android 7 for some mediatek devices it's possible to boot into TWRP on locked bootloader. but needs flashing. you can try another flash tool, but it requires windows
edit:
@arthur.levene I got it wrong, seems there is also linux version. Anyway, please read golden rules for SP Flash Tool.
I recommend to create your own scatter file based on the current partition table, either with mtkclient or with WwR MTK v2.51 (most likely you can use the one that already comes with that twrp as the recovery start address is at 0x8000 on many devices, but I personally generally don't trust any scatter file just random downloaded).
lol thought 0xc0040030 was the address of the unreadable sector. turns out it is a fault code. so that could mean eMMC error (most likely) or insufficient permissions.
So any flashing attempts will probably fail no matter what tool used. maybe there is a cheat with heating gun or refrigerator (just guesswork, beware of condensating water)
thanks again alecxs for your time and advice.
I will continue my investigations based on your informations. If i understand your comment about eMMC error, this is not good news.
I will try also the flashing solution in case it could work, though not very skilled on that part too
actually I have never used mtkclient myself but according to documention flashing looks quite easy.
Code:
python3 mtk w recovery twrp.img
However, as you stated in OP you can't enter recovery mode from bootloader menu, so this could be bigger challenge.
I tried but currently I have an error
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - DA Extensions successfully added
Done |--------------------------------------------------| 0.0% Write (Sector 0x0Progress: |███████-------------------------------------------| 14.0% Write (SectProgress: |██████████████------------------------------------| 28.0% Write (Sector 0x2000 of 0x7254, 01s left) 6.74 MB/s
DAXFlash
DAXFlash - [LIB]: unpack requires a buffer of 12 bytes
quick search gives hint is might be driver issue. but you're on linux right? you could try again with libusb-1.0-0-dev_1.0.26-1_amd64.deb
https://github.com/bkerler/mtkclient/issues/192