Hello
A brief timeline of events leading to this thread:
1. I purchased a G-Flex2 H950 from Ebay for $250 and was supposed to be upgrading from a Galaxy S4-I337.
2. Received my device yesterday and set out to update to 5.1.1 & root the device to remove bloatware.
3. I was able to update to 5.1.1 V11x using my StraightTalk sim on AT&T network.
4. After many frustrating hours of trying to root using different methods, I finally was able to root using the technique mentioned in this thread: http://forum.xda-developers.com/g-flex2/development/root-easy-root-att-flex-2-5-1-1-t3178354
5. A nice complement to point "4" above was the firmware update to 5.1.1 V11z.
6. Extremely happy that I was ready to rock, I set out to delete all the bloatware from my device.
7. First surprise obviously was the inability to remove a bunch of AT&T apps because of an "APK could not found" error.
8. Like the idiot that I am, I went ahead and deleted the "rootsystem.img" from the internal memory (unnecessarily, blame my OCD!).
9. Now after I finished de-bloating the device (or so I thought), I rebooted it and to my horror... I see the error message:
LG Security Error
Authentication Fail #9
10. I attempted to get to the recovery mode and deleted/erased all data & settings. No dice!
11. I'm still able to get to the download mode using the Volume-Up & USB connect method (& this is why I'm cursing myself at point "8" because I could have re-used the easy root method again to flash the img file).
12. I tried to use the "LG Mobile Support Tool", it recognizes the device correctly as "LGH950" but says V11z is the latest software update.
My question to the experts: how SOL am I? I don't think LG would honor my warranty since the purchase is NOT from an authorized dealer/reseller. So no chance of warranty repair/replacement, no?
I looked everywhere (for close to 10 hours) for KDZ & TOT files to even attempt something. But I couldn't find anything for the H950. Man, I hate AT&T so much now... Why couldn't they just leave the bootloader unlocked? Or LG (AT&T?) even provide the necessary files to start off with?
Could someone with more knowledge please offer any help? Meanwhile, I've pretty much resigned myself to joining the queue full of others with bricked H950s...
From what I've heard LG goes by the S/N and date of manufacturing just like Lenovo for warranty. You can just ask their customer service if the warranty is active for your phone.
As for recovering it all you would've needed to do was use the tool as you stated. I have commented many times explaining people should only disable/freeze bloat and not *delete* anything (there are some crucial system apps, editing build prop seems to cause loops for me for ex.). There was another member in this situation if I remember correctly.
In case you can't go the warranty route ask Sj if he has found a way to push files while the phone is in DL mode.
Sent from my XT1528
Hi, I have the same problem. I renamed many apps in the system folder of my LS996 ZV8 and now the phone doesn't boot and only shows "LG Security Error".
I tried to rename the files in download mode, but the system partition is mounted read-only, and it also fails when attempting to remount it rw.
In 5.1.1 the download mode removes the option to read files from the SD card.
I tried to mount the SD card, but I had no luck.
The SD card is located in /sys/block/mmcblk1
cat /proc/partitions shows: 179 64 1921024 mmcblk1
Code:
mount -t vfat -o rw,dirsync,nosuid,nodev,noexec,relatime,uid=1023,gid=1023,fmask=0007,dmask=0007,allow_utime=0020,utf8 /dev/block/vold/179:65 /data/media/1
fails to mount
maxie.maverick said:
Hello
LG Security Error
Authentication Fail #9
10. I attempted to get to the recovery mode and deleted/erased all data & settings. No dice!
11. I'm still able to get to the download mode using the Volume-Up & USB connect method (& this is why I'm cursing myself at point "8" because I could have re-used the easy root method again to flash the img file).
12. I tried to use the "LG Mobile Support Tool", it recognizes the device correctly as "LGH950" but says V11z is the latest software update.
My question to the experts: how SOL am I? I don't think LG would honor my warranty since the purchase is NOT from an authorized dealer/reseller. So no chance of warranty repair/replacement, no?
I looked everywhere (for close to 10 hours) for KDZ & TOT files to even attempt something. But I couldn't find anything for the H950. Man, I hate AT&T so much now... Why couldn't they just leave the bootloader unlocked? Or LG (AT&T?) even provide the necessary files to start off with?
Could someone with more knowledge please offer any help? Meanwhile, I've pretty much resigned myself to joining the queue full of others with bricked H950s...
Hey, have you been able to fix the issue??
As I just got the LS996 Sprint G Flex 2, and somehow I renamed the wrong system file and got the same issue.
My phone is stuck on
SECURITY ERROR
AUTHENTICATION ERROR #9
Please help me out if someone around has found a solution.
Same problem here
Security error authentication fail #9 on LG Tribute 2 LGLS665
Hello,
I am stuck on security error authentication fail #9 on LG Tribute 2 LGLS665 at start-up.
Got this error when renaming Lgstartupwizard.apk to Lgstartupwizard.bak.
Please help.........
Same phone and problem as op. H950 V11X Rooted "Authentication Failure #9". Anyone ever figure this out?
We just need someone with the H950 KDZ
Maybe as a G2 user I'm overlooking something but - why not download the kdz from http://csmg.lgmobile.com:9002/csmg/b2c/client/auth_model_check2.jsp?esn=XXXXXX (put your IMEI instead of Xs), eh?
Security Error
Thanks for the link..
It's not helping me on LG Tribute 2 LGLS665. Below is the text received.
I have replaced the MEID number below with "X".
<response req_cmd="auth_model_check" status="OK">
<auth_model_check>
<result>2</result>
<esn>XXXXXXXXXXXXXX</esn>
<model>LGLS665</model>
<suffix>AVGMBLH</suffix>
<msn>XXXXXXXXX</msn>
<esn_date/>
<sw_version/>
<sw_url/>
<sw_locale_url/>
<sw_recommand_uri/>
<app_version/>
<app_url/>
<cs_em_flag>N</cs_em_flag>
<cs_em_uri>N</cs_em_uri>
<chip_type/>
<prod_type/>
<buyer>VGM</buyer>
<file_name/>
</auth_model_check>
</response>
mwedo said:
Maybe as a G2 user I'm overlooking something but - why not download the kdz from http://csmg.lgmobile.com:9002/csmg/b2c/client/auth_model_check2.jsp?esn=XXXXXX (put your IMEI instead of Xs), eh?
Hey man, thanks for the suggestion, but tried that too. Did not get an option to download the kdz when I entered IMEI. Here's the screenshot I get.
Hi, sorry to bump in,
but I made the huge mistake of renaming system apps, so now I have a bootloop and the same security error condition on an LS996 ZV6.
1. I know not to even think about trying to downgrade from ZV6 to the ZV5 TOT = brick.
2. Is there a way to push or copy files (Aroma file manager, TWRP file manager) in normal or stock recovery?
3. Is there a way to flash rootedsystem.img ZV6 to the phone in recovery, fastboot, or even with the command
Step 11 flash commands:
For LS996 (ZV6/ZV7/ZV8)
Code:
dd if=/data/media/0/rootedsystem.img bs=8192 seek=58368 count=522240 of=/dev/block/mmcblk0
from another source rather than from the internal SD, because obviously I didn't copy it to the device previously?
4. I already tried to flash the ZV6 update (update.zip) from stock recovery, but it gives an error on loading because some system app is not valid, as I remember.
Please, if someone could help me and us with this problem.
Thank you very much indeed.
atv said:
but I made the huge mistake of renaming system apps, so now I have a bootloop and the same security error condition on an LS996 ZV6.
1. I know not to even think about trying to downgrade from ZV6 to the ZV5 TOT = brick.
2. Is there a way to push or copy files (Aroma file manager, TWRP file manager) in normal or stock recovery?
3. Is there a way to flash rootedsystem.img ZV6 to the phone in recovery, fastboot, or even with the command
Step 11 flash commands:
For LS996 (ZV6/ZV7/ZV8)
Code:
dd if=/data/media/0/rootedsystem.img bs=8192 seek=58368 count=522240 of=/dev/block/mmcblk0
from another source rather than from the internal SD, because obviously I didn't copy it to the device previously?
4. I already tried to flash the ZV6 update (update.zip) from stock recovery, but it gives an error on loading because some system app is not valid, as I remember.
Please, if someone could help me and us with this problem.
Thank you very much indeed.
Only solution is to send it back to LG.
There is no way (yet) to flash with the dd command from external SD.
And there is no other TOT besides ZV5, and as you said that's a hard brick.
hi
Alex_XV6700 said:
Only solution is to send it back to LG.
There is no way (yet) to flash with dd command from external SD.
And there is no other TOT besides ZV5, and as you said that's a hard brick.
Thank you very much indeed for your answer, but as in another reply I posted as a question in another thread, read this: maybe a solution if semi-bricked with the LG security error on ZV06, ZV07 or ZV08, if it turns out to be true....
Hi...... there is a forum member from another site who claims to have a ZV8 rooted TOT to sell, but I'm not sure if it's true or reliable. He claims that it fixes bricks and it's a 4.3 GB file. Does anybody know about it?
Any help or guide please, thank you very much indeed
File name: LGLS996AT-00-ZV8-SPR-US-AUG-18-2015+01.zip
Android OS version: 5.1
File Download:
Buy topic
Existing 2 people bought. This topic is to be paid to the author 1000 Credits before viewing
This TOT firmware contains ROOT authority; after successful flashing, ROOT succeeds
TOT firmware flashing effect:
1. brick repair
2. upgrade ROM
3. downgrade ROM
4. remove the lock screen password
5. clear Google locks
6. restore factory settings
Tips:
1. This TOT firmware is suitable for LGFlashTool.
2. After the purchase of the post, hidden content will be displayed, then you can download the attachments for free.
3. After the purchase is successful, the second time you visit this page the charge prompt does not appear.
atv said:
Thank you very much indeed for your answer, but as in another reply I posted as a question in another thread, read this: maybe a solution if semi-bricked with the LG security error on ZV06, ZV07 or ZV08, if it turns out to be true....
Hi...... there is a forum member from another site who claims to have a ZV8 rooted TOT to sell, but I'm not sure if it's true or reliable. He claims that it fixes bricks and it's a 4.3 GB file. Does anybody know about it?
Any help or guide please, thank you very much indeed
File name: LGLS996AT-00-ZV8-SPR-US-AUG-18-2015+01.zip
Android OS version: 5.1
File Download:
Buy topic
Existing 2 people bought. This topic is to be paid to the author 1000 Credits before viewing
This TOT firmware contains ROOT authority; after successful flashing, ROOT succeeds
TOT firmware flashing effect:
1. brick repair
2. upgrade ROM
3. downgrade ROM
4. remove the lock screen password
5. clear Google locks
6. restore factory settings
Tips:
1. This TOT firmware is suitable for LGFlashTool.
2. After the purchase of the post, hidden content will be displayed, then you can download the attachments for free.
3. After the purchase is successful, the second time you visit this page the charge prompt does not appear.
Well I wouldn't trust this.
But if this only flashes the system partition, well, it shouldn't be harmful. You could download the ZV6 stock sys.img and flash it afterwards so you can OTA update your phone to ZV9 and then root again.
But like I said I wouldn't suggest that...
Alex_XV6700 said:
There is no way (yet) to flash with dd command from external SD.
Why no? You can use Push_file.exe.
MAXIMATOR said:
Why no? You can use Push_file.exe.
Please, elaborate....
jplum22 said:
Please, elaborate....
https://www.google.com.ua/#q=Push_file.exe
LS996 ZV6 with
LG Security Error
Authentication Fail #9
was successfully unbricked without SD card using Push_file.exe to send system.img to the internal sdcard
Well this is new @MAXIMATOR at least it is to me.
If you let me I can add this to my back to stock forum.
Push_file.exe cannot send files larger than 16 MB. The image has to be split into files no larger than 16 MB, after which they can be sent to the device. On the device, they are combined into one file.
MAXIMATOR said:
Push_file.exe cannot send files larger than 16 MB. The image has to be split into files no larger than 16 MB, after which they can be sent to the device. On the device, they are combined into one file.
I've already tried. It doesn't work. Files can not be combined.
http://forum.xda-developers.com/g-flex2/help/to-unbrick-g-flex-2-ls996-t3286105
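As an added example (not from the thread, and not Push_file.exe itself), here is the split-and-recombine step MAXIMATOR describes, done with a SHA-256 manifest so that the "files cannot be combined" outcome reported above is detected as a transfer error instead of being flashed; the 16 MiB chunk size follows the post, while the manifest format and the part names are assumptions of this example.

```python
"""Split an image into parts of at most 16 MiB and reassemble it with integrity checks.
Added example, not code from the thread or from Push_file.exe: it shows the split and
recombine step described above, plus a manifest of SHA-256 digests so a part that
arrived truncated, corrupted or out of order is caught before anything gets flashed."""
import hashlib
import json
import os
import tempfile

CHUNK = 16 * 1024 * 1024  # Push_file.exe's per-file limit, as stated in the thread

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def split_image(src, out_dir, chunk=CHUNK):
    """Write src as out_dir/part.000, part.001, ... and return the path of manifest.json."""
    os.makedirs(out_dir, exist_ok=True)
    whole, parts = hashlib.sha256(), []
    with open(src, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            name = f"part.{len(parts):03d}"
            with open(os.path.join(out_dir, name), "wb") as o:
                o.write(data)
            whole.update(data)
            parts.append({"name": name, "size": len(data), "sha256": sha256(data)})
    manifest = {"image_sha256": whole.hexdigest(),
                "image_size": sum(p["size"] for p in parts), "parts": parts}
    path = os.path.join(out_dir, "manifest.json")
    with open(path, "w") as m:
        json.dump(manifest, m, indent=1)
    return path

def join_parts(manifest_path, dst):
    """Reassemble the parts in manifest order. Returns True only if every per-part digest,
    the total size and the whole-image digest match; otherwise dst is removed so a flash
    script cannot pick up a half-built image."""
    with open(manifest_path) as m:
        manifest = json.load(m)
    base = os.path.dirname(manifest_path)
    whole, ok = hashlib.sha256(), True
    with open(dst, "wb") as out:
        for part in manifest["parts"]:
            try:
                with open(os.path.join(base, part["name"]), "rb") as f:
                    data = f.read()
            except FileNotFoundError:
                ok = False          # a part never made it to the device
                break
            if len(data) != part["size"] or sha256(data) != part["sha256"]:
                ok = False          # truncated or corrupted in transfer
                break
            out.write(data)
            whole.update(data)
    ok = ok and whole.hexdigest() == manifest["image_sha256"] \
        and os.path.getsize(dst) == manifest["image_size"]
    if not ok:
        os.remove(dst)
    return ok

def demo():
    """Round-trip a constructed 36 MiB image (16 + 16 + 4 MiB parts), then corrupt one
    byte of the middle part and show that join_parts refuses to produce an image."""
    tmp = tempfile.mkdtemp()
    src, parts_dir = os.path.join(tmp, "system.img"), os.path.join(tmp, "parts")
    with open(src, "wb") as f:
        for i in range(36):                      # deterministic filler, 1 MiB per step
            f.write(bytes([i]) * (1024 * 1024))
    manifest = split_image(src, parts_dir)
    with open(manifest) as m:
        names = [p["name"] for p in json.load(m)["parts"]]
    rebuilt = os.path.join(tmp, "rebuilt.img")
    good = join_parts(manifest, rebuilt)
    with open(src, "rb") as a, open(rebuilt, "rb") as b:
        identical = sha256(a.read()) == sha256(b.read())
    with open(os.path.join(parts_dir, "part.001"), "r+b") as f:
        f.seek(4096)
        f.write(b"\xff")                         # one flipped byte, same file size
    bad = join_parts(manifest, os.path.join(tmp, "rebuilt_bad.img"))
    return names, good, identical, bad

if __name__ == "__main__":
    print(demo())  # (['part.000', 'part.001', 'part.002'], True, True, False)
```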
Hi,
First I expect my post is in the right section.
I would like to work on an unbricking process for the Sony Xperia Z based MSM8974AC phones.
I read a lot of posts about the LG Nexus 5 and other phones based on the same SoC which, in a bricked state, present themselves as "QD Loader 9006" under Windows. Also some other devices, under Ubuntu, are attached as external storage (the eMMC directly on /dev/sdb).
What I have understood:
when the eMMC is corrupt (but not fried), a ROM somewhere has the basics to present the device to the computer and interact with this loader.
With this loader, the computer should load an emergency hex into RAM. Then the phone should be recognized as "QD Loader 9008" under Windows. At this step the emergency loader is able to 'serial flash'/'jtag-flash' the eMMC over USB.
This process has been applied to the Z1 (Rhine-based board) but, AFAIK, not yet on the Shinano.
With some research I found the emergency mode on the Z3 is hidden; it can only be activated with the test point. (Is this one the right one?)
Also in every post I found, the emergency msm8974.hex loaded into RAM is device specific. As I have a working D6603, is there a way to extract it? Where can we find it? (I won't break/open my device!)
Another point is the TA partition. The other unbricking guides I found never had TA partitions. I know our boot chainload is signed:
munjeni said:
PBL is first in bootchain and without hacking them first we have no chance since whole bootchain is signed!
If you check in the TA partitions there are Qualcomm and other Sony certificates.
Code:
strings TA.emmc.win | grep -i x509
Do you think these certificates are used to sign the chainload? If not, where are they stored? (Somewhere I read the famous ROM where the SPL resides is OTP.)
As my goal is to reflash a full eMMC (in case of a corrupt GPT partition table, for example), could a TA backup be enough?
Last thing: I plan to buy an Xperia to dev on this, but it is really expensive for me (about 80$), so my progress on this can be really slow.....
Sorry for the long post, but I wanted to be as accurate as possible.
What do you think about it? Is there any chance to get a working unbricking process?
P.S.: for reference.
No idea if this is useful info but here goes:
On some devices, i.e. Xiaomi, you get into the Qloader mode if all partitions on the eMMC are deleted. I had the impression that this is similar to the starting point of a newly produced device which has not been flashed with any ROM and thus only offers the "naked" eMMC.
Bäcker said:
No idea if this is useful info but here goes:
On some devices, i.e. Xiaomi, you get into the Qloader mode if all partitions on the eMMC are deleted. I had the impression that this is similar to the starting point of a newly produced device which has not been flashed with any ROM and thus only offers the "naked" eMMC.
Really interesting!
Also I'm following a thread about swapping the eMMC on a Nexus 5 (also Snapdragon 801) and they are able to reflash the full eMMC.
From your Xiaomi information I found this post, and this post. But somewhere I read that our Shinano boards can't be placed in disaster recovery without a test point (here for the Z1).
I'm currently discussing with a Z3C seller; it could be interesting if I can test on a Shinano device!
Also, all the Xperia bootchain is signed. So what is happening if we start with an empty eMMC? AFAIK there is a special tag in the GPT header which contains a hash. Could it be the bootchain signature?
First, yes:
xxlsm said:
they will have no possibility to move back to stock or to send the phone to Sony for warranty reasons (because of the unlocked bootloader and missing origin TA partition)
is exactly what I mean. Every thread, forum, blog, TA dump and S1 source I can find makes me understand there is no way to get back. Also a lot of ROMs (FTF versions) flash a weird bootloader to the device. Everything in our Xperia bootchain is crappy. If you touch one bit of your GPT headers, you are screwed.
BUT I never tried the Xperia PC Companion, as I am a Linux guy who refuses to spend 4 days installing a ****ty OS on my computer for one piece of software. So I had a Windows 7 VM with Emma. But every time I try Sony PC Companion, the device reboots 10 seconds after plugging in and nothing else happens.
So you are right, my information on this is obsolete, as I didn't try the 'hero' loader.
I have not yet updated the OP, but now I own a third Z3, bought to brick it for this kind of experiment. Do you think it is relevant to give it a try with PC Companion? (I have not found the test points yet)
xxlsm said:
Another point is that the bootloader upgrade is revertible. You can use the repair function of the Xperia PC Companion to downgrade to the older bootloader. Then you are also able to restore old TA Backups.
Are you sure? Did you try it personally? I'm really surprised, because I parsed my TA dump before unlocking, after unlocking and after upgrading, and the structure is heavily modified; so if the bootloader is downgraded with PC Companion, does the TA partition get downgraded too?
(Personally interested because Sony refused my repair, in spite of the law, due to the bootloader being 'rooted'.)
Anyway, thanks for pointing that out, I will take a further look at the hero loader.
After upgrading to the Android N Developer Preview and downgrading back with the Xperia PC Companion, I did a new TA Backup just to compare the origin TA-Partitions with included DRM functions. I actually noticed a difference in the size of the two backups. But the restore dry run function of TA-Backup didn't show any errors, therefore all signature checks of the tool were executed successfully on the device with the downgraded bootloader. For this reason I came to my conclusion that a bootloader downgrade is revertible and old backups are restorable. The "cat /proc/cmdline" command output also showed an older bootloader version (no "hero" term included anymore). I didn't restore it in reality because I didn't want to mess with my daily rom. I don't know if a downgrade with the "unofficial" Flashtool would lead into the same results with the downgraded bootloader because I haven't given it a try. Maybe I will test it in the future when I plan a clean install anyway. I actually prefer windows either because of the better compiler collection, but I use dualboot because of a specific software I have to use which is only available for windows right now. That's why I didn't try to downgrade with the "unofficial" flashtool.
xxlsm said:
After upgrading to the Android N Developer Preview and downgrading back with the Xperia PC Companion, I did a new TA Backup just to compare the origin TA-Partitions with included DRM functions. I actually noticed a difference in the size of the two backups. But the restore dry run function of TA-Backup didn't show any errors, therefore all signature checks of the tool were executed successfully on the device with the downgraded bootloader. For this reason I came to my conclusion that a bootloader downgrade is revertible and old backups are restorable. The "cat /proc/cmdline" command output also showed an older bootloader version (no "hero" term included anymore). I didn't restore it in reality because I didn't want to mess with my daily rom. I don't know if a downgrade with the "unofficial" Flashtool would lead into the same results with the downgraded bootloader because I haven't given it a try. Maybe I will test it in the future when I plan a clean install anyway. I actually prefer windows either because of the better compiler collection, but I use dualboot because of a specific software I have to use which is only available for windows right now. That's why I didn't try to downgrade with the "unofficial" flashtool.
Just a point: if you get a problem with your TA partition, your device is done; that is why I opened this topic: restoring a device with a screwed TA partition or an empty eMMC.
The whole Xperia toolchain is signed: the preloader (not the right word, but I can't remember it at the moment), the GPT table, S1 (bootloader), the TA partition and finally the kernel if your bootloader is locked. So if one part of this signed toolchain is 'corrupted', your device won't boot anymore.
I never used the unofficial Flashtool either. I never flash FTF files as they always include TA patches and a 'new' bootloader.
I tried multiple times to downgrade my bootloader with the official Emma, but every time without success, so I guess I will give it a try with PC Companion on someone else's computer.
Thanks.
Well in fact I use the unofficial Flashtool, but I haven't tried to downgrade the bootloader with this tool yet because I stuck with the PC Companion for downgrading. You have the opportunity to exclude every component of the ftf file (including TA-Updates). Apart from that, our situation is a bit different. I upgraded to the OpenDevices Bootloader with the PC Companion and my TA-Partition remained locked and untouched because I didn't have to unlock it with the PC Companion like with emma. I will wait until an Android N root exploit gets revealed, so that I can backup the origin TA-Partition on the new bootloader to be on the safe side. But in your place, I would still give the Xperia Companion a try in order to unbrick the device. I just wanted to let you know that. And in my case a downgrade from the Android N Hero Bootloader to an earlier version was possible, so maybe it could be worth a try for you.
Cross post with the boot guide thread.
Good evening everyone,
I spoke briefly with @nailyk about bootloaders and he suggested me to write these pieces of info here.
I'm not a developer nor an expert, so I can't go much in depth, but I was messing around with my D6603 and I flashed the .200 firmware with upgraded bootloader using EMMA.
After that I flashed this firmware (it's Sony's Concept for Marshmallow, latest build), originally posted by @yecomixer on the thread for this ROM here on xda. Flashing it substituted my upgraded bootloader with the Hero bootloader (This one). So I guess that everyone looking to revert back from the EMMA upgraded bootloader may try that since it worked fine on my device.
The same Hero bootloader can be found on the N Developer Preview for the Xperia Z3, but, even though I flashed that ROM (both DP3 and DP4), I didn't try going from the EMMA firmware to the Developer Previews, so I can't say if it would work in the same way.
For a few days I have a (sic!) Windows computer. I installed PC Companion and updated my brickable device to the N preview. Sadly I don't know how to root N, so no TA backup before unlocking this device (never rooted, never unlocked).
Sadly I installed N, OEM unlocked, flashed TWRP, then rebooted. N refused to start (as usual, fastboot oem unlock empties the partition but doesn't recreate it :s). Hopefully fastboot format userdata/cache solved this.
Now I hope I will be able to dump the hero loader and install it on my other devices.
Then I will test your downgrade process.
One day, by accident, I restored an (unlocked) TA backup of my daily driver on my dev device (both bootloader 'v2'). Nothing changed, the device was running fine and was on stock o0.
P.S. we notice this partition scheme:
Code:
Number Start (sector) End (sector) Size Code Name
1 256 4351 2048K 0700 TA
2 4352 5375 512K 0700 sbl1
3 5376 5887 256K 0700 s1sbl
4 5888 6015 65536 0700 dbi
5 6016 7039 512K 0700 aboot
6 7040 8063 512K 0700 rpm
7 8064 9087 512K 0700 tz
8 9088 10111 512K 0700 sbl1bak
9 10112 10623 256K 0700 s1sblbak
10 10624 10751 65536 0700 dbibak
11 10752 11775 512K 0700 abootbak
12 11776 12799 512K 0700 rpmbak
13 12800 13823 512K 0700 tzbak
14 13824 54783 20.0M 0700 boot
15 54784 75263 10.0M 0700 ramdump
16 75264 108031 16.0M 0700 recovery
17 108032 108095 32768 0700 DDR
18 147456 150527 1536K 0700 modemst1
19 155648 158719 1536K 0700 modemst2
20 163840 166911 1536K 0700 fsg
21 172032 188415 8192K 0700 apps_log
22 188416 189439 512K 0700 misc
23 189440 190463 512K 0700 persistent
24 196608 4382719 2044M 0700 system
25 4382720 5406719 500M 0700 oem
26 5406720 5816319 200M 0700 cache
27 5816320 30535646 11.7G 0700 userdata
edit: maybe I will test the downgrade quicker than expected, because now I'm stuck at error 7 in TWRP with an empty device.
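Raw dd writes like the LS996 command quoted earlier only land where intended when seek, count and block size match the partition layout, so here is an added example (not code from the thread) that parses the table posted above, recomputes every size from its sector range, derives dd seek/count values that stay inside one partition, and lists the boot-chain partitions that have a "bak" twin; the table is the one from the post, and the 512-byte sector size is an assumption that the listed sizes confirm.

```python
"""Sanity checks for raw dd writes against a GPT listing. Added example (not from
the thread): it parses the table posted above for the Xperia Z3 (D6603), recomputes
each partition size from its sector range and derives safe dd(1) seek/count values."""
import re
from collections import namedtuple

SECTOR = 512  # the listed sizes only agree with the sector ranges at 512 bytes/sector
# The partition table from the post above, embedded verbatim.
GDISK_TABLE = """\
Number Start (sector) End (sector) Size Code Name
1 256 4351 2048K 0700 TA
2 4352 5375 512K 0700 sbl1
3 5376 5887 256K 0700 s1sbl
4 5888 6015 65536 0700 dbi
5 6016 7039 512K 0700 aboot
6 7040 8063 512K 0700 rpm
7 8064 9087 512K 0700 tz
8 9088 10111 512K 0700 sbl1bak
9 10112 10623 256K 0700 s1sblbak
10 10624 10751 65536 0700 dbibak
11 10752 11775 512K 0700 abootbak
12 11776 12799 512K 0700 rpmbak
13 12800 13823 512K 0700 tzbak
14 13824 54783 20.0M 0700 boot
15 54784 75263 10.0M 0700 ramdump
16 75264 108031 16.0M 0700 recovery
17 108032 108095 32768 0700 DDR
18 147456 150527 1536K 0700 modemst1
19 155648 158719 1536K 0700 modemst2
20 163840 166911 1536K 0700 fsg
21 172032 188415 8192K 0700 apps_log
22 188416 189439 512K 0700 misc
23 189440 190463 512K 0700 persistent
24 196608 4382719 2044M 0700 system
25 4382720 5406719 500M 0700 oem
26 5406720 5816319 200M 0700 cache
27 5816320 30535646 11.7G 0700 userdata
"""
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+[0-9A-Fa-f]{4}\s+(\S+)$")
UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
Partition = namedtuple("Partition", "number start end listed_size name")  # sectors, end inclusive

def size_bytes(p):
    return (p.end - p.start + 1) * SECTOR

def parse_gdisk(text):
    """Return {name: Partition} for every data row; the header line does not match ROW."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            num, start, end, size, name = m.groups()
            parts[name] = Partition(int(num), int(start), int(end), size, name)
    return parts

def size_matches_listing(p, tolerance=0.01):
    """Does the listed size ('2048K', '11.7G', '65536') agree with the sector range?"""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", p.listed_size)
    if not m:
        return False
    listed = float(m.group(1)) * UNIT[m.group(2)]
    return abs(size_bytes(p) - listed) <= tolerance * listed  # '11.7G' is a rounded value

def dd_params(p, bs):
    """seek/count for 'dd bs=<bs> seek=<seek> count=<count> of=/dev/block/mmcblk0'.
    Start offset and size must both be multiples of bs, or dd would begin or end
    inside a neighbouring partition."""
    start = p.start * SECTOR
    if start % bs or size_bytes(p) % bs:
        raise ValueError(f"{p.name}: offset/size not aligned to bs={bs}")
    return start // bs, size_bytes(p) // bs

def image_fits(p, image_len):
    """True when a raw write of image_len bytes stays inside the partition."""
    return 0 < image_len <= size_bytes(p)

def backup_pairs(parts):
    """Boot-chain partitions that ship with an equally sized '<name>bak' copy."""
    return [(n, n + "bak") for n in parts
            if n + "bak" in parts and size_bytes(parts[n]) == size_bytes(parts[n + "bak"])]

if __name__ == "__main__":
    table = parse_gdisk(GDISK_TABLE)
    for p in table.values():
        ok = "ok" if size_matches_listing(p) else "MISMATCH"
        print(f"{p.number:2d} {p.name:<11} {size_bytes(p):>12d} bytes {ok}")
    print("system at bs=8192 -> seek, count =", dd_params(table["system"], 8192))
    print("backup pairs:", backup_pairs(table))
```

Note the unallocated gaps the parser exposes (e.g. between DDR and modemst1), which is one more reason to derive offsets from the table rather than by hand.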
So this hero loader is the worst ever.
With a non-stock kernel it refused to work at all. No way to enter recovery, no commands accepted.
I'm now downloading the .575 with Emma. At the bottom of the window the included bootloader version is mentioned. All the versions proposed for my device are '27', which is the 2nd one.
So I really don't get how you downgraded to '15' @xxlsm ... Maybe you have another list of ROMs proposed and mine doesn't include the first version.
While flashing with PC Companion and with Emma, the device is in flashmode and recognized as "SOMC Flash Device".
Sony devices are different, at least from what I found on the Z1C. The Sony unbrick bin is called the S1 boot preloader. The binary file is very similar to an mprg binary (it has the same header) but the Sony certificate is at the end of the bin file. That bin is signed with a Sony certificate. How things work: the test point puts the phone into S1 boot download mode, the preloader is sent to the phone, the header (0x40 bytes) is verified, the body is sent, and finally the certificate is verified; after that the unbricking things are sent, similar to flashing with an FTF. You can't use mprg files which are not signed by Sony! The Sony unbrick process you can sniff with a USB protocol sniffer, by sniffing for example S1Tool, which has the unbrick binary for the Z1C; through the sniff dump you can see all the protocol things and also construct/extract that preloader, as I already did. That binary file is signed by Sony, which means the PBL indeed expects a Sony certificate. If the trim area is broken or formatted, there is no way to unbrick by preloader, only by direct eMMC access, for example by using the Z3X Easy JTAG tool with an eMMC adapter; for that you will need the pinout. Just to save your time
munjeni said:
Sony devices are different, at least from what I found on the Z1C. The Sony unbrick bin is called the S1 boot preloader. The binary file is very similar to an mprg binary (it has the same header) but the Sony certificate is at the end of the bin file. That bin is signed with a Sony certificate. How things work: the test point puts the phone into S1 boot download mode, the preloader is sent to the phone, the header (0x40 bytes) is verified, the body is sent, and finally the certificate is verified; after that the unbricking things are sent, similar to flashing with an FTF. You can't use mprg files which are not signed by Sony! The Sony unbrick process you can sniff with a USB protocol sniffer, by sniffing for example S1Tool, which has the unbrick binary for the Z1C; through the sniff dump you can see all the protocol things and also construct/extract that preloader, as I already did. That binary file is signed by Sony, which means the PBL indeed expects a Sony certificate. If the trim area is broken or formatted, there is no way to unbrick by preloader, only by direct eMMC access, for example by using the Z3X Easy JTAG tool with an eMMC adapter; for that you will need the pinout. Just to save your time
Thanks a lot.
I have read your Mission Impossible thread many times and found a bunch of useful information about a possible unbricking process. With this and some other topics (listed in the OP, iirc) I have in mind exactly what you described: sniffing Emma to dump the preloader.
I also subscribed to this thread, which taught me there is raw eMMC access in the SoC.
Maybe you know I'm currently reading the free-electrons documentation? Last one. They have some slides about the boot process. So I can't understand something: if we have an empty eMMC and put the phone into QDLoader mode, there is no eMMC access by the SoC, as the minimal loader (S1 boot download) is too small to handle it; that is why we need the preloader. If the preloader isn't signed (a custom one or something like this), why would it prevent rewriting the TA or the full eMMC?
BTW, all of this is still untested because I didn't find the pinouts. How did you find them for your Z1C?
If you bricked the trim area the hard way, as I did 2 years ago, you will not be able to repair the trim area by test point anyway (which is the main problem). You can flash other things but not the trim area, since we don't have trim_area in SIN format, meaning signed format! In that case, if your trim area is damaged, the device will not boot, which means hard bricked. All things put on Sony must be signed by a Sony cert. Not signed means can't use. But the Z3X JTAG tool with eMMC adapter allows you to solder the box pinouts to your phone's eMMC pins for direct access (pins you need to locate on the mainboard). At the time I bricked my phone I didn't find the pinouts, but now after I updated the PC software of the Easy JTAG, some devices are updated including my Z1C; now I have the pinout, but that's too late since I already got a new mainboard, and it was a year ago...
About QHSUSB bulk, I think it will not work since on Nexus devices the boot chain is totally different from the Sony one.
I want to ask you @munjeni about how you found the test point, but rereading your post makes me feel it will be hard.
Anyway I will be more active on this thread now, as I just f*cked my device replacing the tz partition.
Who can use tz to boot? This Sony bootchain is real crap.
some links:
testpoint: https://forum.xda-developers.com/z3/help/help-z3-hard-bricked-t3216404
testpoint: http://www.forensicfocus.com/Forums/viewtopic/t=15219/
hardware manuals: http://gsm-manuals.com/59-Sony schematics and service manuals.html
So the test point of my D6603 is at the same location. I will edit this post with a picture later.
Recognized at:
Code:
Bus 001 Device 022: ID 0fce:9dde Sony Ericsson Mobile Communications AB
Looks like there is no S1Tool for the Z3. The most recent version I found is 19.05.2015, and I get this output:
Code:
Welcome S1 Tool [19.05.2015].
That is small and crippled subset of SETOOL2 service tool.
TO CONNECT NEXT PHONES
X10 Xperia,E10 Mini,E15 Xperia X8,U20 Mini Pro
LT15 Xperia ARC,MT15 Xperia NEO,R800 Xperia PLAY
PRESS AND HOLD "BACK" BUTTON...
ST18 Xperia RAY,ST15 Xperia Mini,SK17 Xperia Mini Pro
and Sony Xperia phone
PRESS AND HOLD "Volume Down" BUTTON...
PLEASE ATTACH TURNED OFF PHONE NOW
Waiting for phone ...
PROCEDURE STOPPED BY USER
supported phone was not detected
Elapsed:65 secs.
SELECT FIRMWARE PACKAGES
YOU CAN SELECT SEVERAL PACKAGES WITH CTRL BUTTON
CHECKING PACKAGES ...
DETACH USB CABLE FROM PHONE
REMOVE BATTERY FROM PHONE
ATTACH TESTPOINT
PRESS "READY", THEN ATTACH USB CABLE TO PHONE
will use Sahara protocol ...
REMOVE TESTPOINT NOW, THEN PRESS "READY"
PROCESSING ...
SERIAL NUMBER : 196A460E
HARDWARE ID : 04000100E1407B00
HASH :CF19D6FAD8029B66B15246BF3C9D216FC1D2235D87706E0458C7125BB1E436EC
HARDWARE ID 04000100E1407B00 NOT SUPPORTED
Elapsed:35 secs.
Edit: Looks like the official website for s1.
D6603 testpoint (picture: Sony Xperia Z3 D6603 testpoint)
recognized as
Code:
SOMC Flash Device
or
Code:
0fce:9dde Sony Ericsson Mobile Communications AB
After blinking red one time.
Battery need to be removed.
@mathorv, why did you delete your post?
The links looked fine.
I didn't try SEMCTool Flasher but will do so ASAP. @BigCountry907 also told me about a specific revival cable.
Will try this too ASAP and report.
nailyk said:
@mathorv, why did you delete your post?
The links looked fine.
I didn't try SEMCTool Flasher but will do so ASAP. @BigCountry907 also told me about a specific revival cable.
Will try this too ASAP and report.
About https://forum.xda-developers.com/showthread.php?t=1333818
I wanted to help, but I was afraid of making a fool of myself.
A million different ideas (not necessarily OPs, but maybe some clues in the threads):
http://forum.gsmhosting.com/vbb/f778/sony-xperia-z-c6602-c6603-c6606-c6616-dead-boot-repair-1877259/
http://forum.gsmhosting.com/vbb/f778/sony-xperia-z1-c6902-c6903-dead-boot-repair-1876818/
http://sony.yt/topic/7732-sony-xperia-z3-d6616-bricked/
Explanation of why s1tool is not for the Z3 - no broken Z3 RSA 4k key (the vulnerability is missing):
http://sony.yt/topic/7820-sony-xperia-z3-dual-d6633-damaged-ta-trim-area/
s1tool info:
http://sony.yt/topic/5324-s1tool-tu...l-xperia-qsd8250-msm7227-msm8255-smartphones/
Are you sure that buying one with a "broken" screen is out of the question?
Some people mentioned holding the volume button for two minutes while reviving the Z3.
Hello everyone,
I bricked my Huawei P20 phone through a handling error.
Unfortunately, I did not back up the system.
I have the bootloader unlocked and I still have TWRP.
Currently I get a screen that says "error mode Warning please update system again error! Func no: 22 up a factory data reset".
I tried all the methods (dload with recovery, but it tells me the software install failed).
I tried the fastboot method (system, kernel, ramdisk...).
I have also tried from TWRP, but it only gives errors.
But I'm not sure I'm picking the right firmware...
I almost want to use Funky Huawei, but I do not want to pay for anything, since there is no way back.
Could Huawei get it back to a working state? But the service would be paid, as my warranty is void.
All the info I have is that I have an EML-L20, build 8.1.0.103.
It's a phone bought from a French operator.
Thank you for helping me.
Download the latest full update for your device and search Google for the following: HuRUpdater_0.3. It worked for me; it is for the Honor 9, but it does not matter. The post tells you how to rename your three files.
A big thank you to you, it worked after a week of searching. Thank you, thank you!
Welcome everyone!
This project has started because we need a real solution for the problem. The problem of hard-bricked Moto devices. It is like a curse.
When my device bricked I did solid research; I gathered a lot of information and files essential to revive my cellphone, but 5 years of experience with Linux, rooting, compiling kernels and ROMs weren't enough to make it work.
But never mind. I am even more determined, and I am asking ALL of you guys here to help me. Together we will come to a solution.
Here is what I've got, happy reading:
DICTIONARY:
PBL - Primary bootloader of the chip - this is like the BIOS for the phone: it checks the chip for damage and problems and then tries to load the SBL, but if the SBL is corrupted or the checksum doesn't match, the PBL invokes Qualcomm HS-USB QDLoader 9008 emergency mode. The PBL is hard-flashed into the SoC and can't be corrupted by firmware.
SBL - Second-stage bootloader, which is more advanced than the PBL. It initializes the phone hardware and ABOOT.
ABOOT - Application bootloader (HBOOT). You probably know this one well. The Android bootloader.
Full mmcblk0 backup - Backup of the whole phone flash storage, byte for byte.
blankflash - method of repairing MSM phones in the 9008 state.
programmer.mbn - Special type of software programmer that is sent to the chip in Qualcomm 9008 emergency mode. There it communicates with the PC via the firehose protocol. Each phone has its own set of programmers; they are unique to the phone and other programmers don't work. These programmers are signed, so tampering with one results in a non-working one.
firehose protocol - it is used to tell the programmer what operations it must do on the chip.
singleimage.bin - this package contains instructions for the programmer and the set of files it needs (for example to replace).
gpt_main0.bin - Partition layout.
rawprogram0.xml - instructions for the programmer.
patch0.xml - I don't know yet.
STAR.exe - Application for managing and editing the contents of singleimage.bin, aka blankflash files.
QPST - Flash tool from Qualcomm. Its basic function is to handle blank-flashing in a better way; it also allows in-depth debugging of the process.
Qualcomm Premium Tool - Program made by Mppg Myanmar that is capable of unlocking the bootloader and OEM locks, making backups/restores of the chip firmware, handling blank-flashing in a VERY specific way (creating instructions for the programmer), reading the eMMC structure from the firmware (it can generate the GPT layout, so very useful!!!), modifying FW and removing the Xiaomi account. It also contains ALL programmers.
for more:
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://alephsecurity.com/
https://github.com/alephsecurity/firehorse
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick
INFO:
1. What causes the brick
I bet $100 that you hard-bricked your Moto Z Play by installing OTA updates after downgrading the firmware. This is the only known reason for me at the time of writing this. There is a most probable reason why it happens, look:
There are two most common chips on which smartphones are built - Qualcomm and Mediatek. While Mediatek chips are "modification friendly" and simple, Qualcomm chips are somewhat more advanced and have many features that can be enabled or disabled during programming in the factory. One of them is PBL signature checking. During programming of your phone, the proper signatures of the SBL are written to it. When someone tries to override the default SBL with a new one, its checksums are compared with those stored. If they match, the new one is flashed; if not, then the update does not happen.
OK, but what does it have to do with the brick?!
Let me explain:
1. You decide to downgrade your firmware.
2. During flashing, everything goes "well" (the phone boots), but in truth the update is partial:
The FW in the chip is (obviously) more recent than the one you downgrade to, and the SBL signature is different (updated), so when it is compared to the signature of the SBL from the FW you want to flash, they don't match. That doesn't raise an error, and flashing continues. The only partition that stays untouched is the bootloader, but all other partitions get replaced by those in the FW zip. The SBL is still compatible with the new partition offsets and the overall partition layout, so the phone functions normally.
3. When the OTA is executed, it checks the version of the currently installed firmware. The most reliable way to do it is to check the checksum of the SBL, which is pretty logical because its checksum is like a "fingerprint" of the firmware. Normally, if it detected the old firmware, the OTA would be stopped, but the newer SBL tricks it and the OTA installs anyway.
4. The results are horrible, because the OTA does not check the GPT table and flashes partitions into bad sectors, corrupting the FW.
This causes the bootloader to go into Qualcomm HS-USB QDLoader 9008 safe mode.
5. Voilà! Hard brick!
2. How to fix it?
That is a jolly good question! What we have to do is reflash the full chip firmware. Surprisingly, I see some solutions, but they need to be developed:
A) SD-BOOT
It turns out that our fancy chip can probably boot from an SD card! The procedure works like this:
- When the chip starts, one of the very first things it does is load the memory, so it can actually work. The trick is that the chip loads it from a specific disk, marked with an exact name (I don't remember which, but I will do research). A specially prepared SD card can appear with that name, so the chip boots from it, not from internal memory. (This trick is proven to work on this model.)
How to do it?
- Get a full dd of a working phone - it must be a phone with the SAME chip and very likely the same model
- flash it to an SD card of 32GB or more, class 10 speed or higher, directly to the card, not to a partition
- put the card in the phone, turn it on and wait
- you should see HBOOT
- select fastboot and flash the new FW via it
- voilà!
!!!THIS IS A COMPLICATED PROCEDURE, I WILL MAKE A DETAILED THREAD SOON, BUT FOLLOW IT ONLY IF YOU KNOW WHAT YOU ARE DOING!!!
B) FIREHOSE/SAHARA ATTACK
This could be achieved by sending a payload via the Firehose programmer that would allow breaking the verification of the SBL, or somehow allow the SBL to be flashed. Right now, the PBL blocks attempts to update the SBL. My thesis is that it is because the PBL does not allow an SBL downgrade, so its version must be higher, but we try to flash the same version of the SBL, so it doesn't work. That thesis needs confirmation.
C) CRAFT BLANKFLASH
This would be the last resort. It will work for sure, but this method needs knowledge, and I don't know if it is doable.
STEP 1: Get white-listed blankflash checksums from the OTA (we would need to reverse engineer those)
STEP 2: Break the hash
STEP 3: Craft a blankflash with the needed hash
STEP 4: Flash
NEVER USE BLANKFLASH (ATTENTION!)
DO NOT try any blankflash files. They can make the situation a lot worse and even physically (!) damage your phone.
D) JTAG
Medusa Box etc.
E) Qualcomm Premium Tool
This could even work, but it is untested and there is a slight chance that it can worsen the state of the phone (needs confirming).
The tool is very advanced and I need to gather info about its usage, so it is very probably a good solution if we learn how to use it!
F) METHOD 7
Interesting method from this guy (7th option; I have contacted him about whether it is compatible):
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick/blob/master/Unbrick%20methods.md
3. DOWNLOAD
(Links will be added *soon*)
XDA:DevDB Information
Unbrick Development for Moto Z Play (addison) Full-Brick, Tool/Utility for the Moto Z Play
Contributors
Bobernator, Stayn, Artim_96, Camarda
Version Information
Status: Nightly
Created 2019-05-04
Last Updated 2019-05-14
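One concrete check that follows from the brick theory and the dictionary in the post above: rawprogram0.xml tells the firehose programmer at which eMMC sectors each file goes, and if those sector ranges come from a different firmware layout than the GPT actually on the device, the write lands on top of some other partition. The script below is an added example (mine, not the project's or Motorola's tooling): it parses a constructed rawprogram0.xml, parses a constructed GPT image in the gpt_main0.bin layout (protective MBR, header at LBA 1, entries from LBA 2) and flags every `<program>` entry whose sectors fall outside the partition of the same label, naming the partitions the stray write would hit instead. The attribute names follow the usual Qualcomm firehose convention and are an assumption for this device; header and entry CRCs are not verified. For a real device, pass the first 34 sectors of your full mmcblk0 backup in place of SAMPLE_GPT. (patch0.xml, left open in the dictionary, typically holds small byte patches the programmer applies after the files are written, such as GPT fields adjusted for the real disk size; it is not parsed here.)

```python
"""Pre-flight check for a firehose blankflash: does every write in
rawprogram0.xml land inside the partition of the same name in the GPT that
is actually on the device? Added example; sample XML and GPT are constructed.
"""
import struct
import xml.etree.ElementTree as ET

SECTOR = 512
GPT_LABELS = {"PrimaryGPT", "BackupGPT"}   # written at fixed LBAs, not partitions

# Constructed rawprogram0.xml (assumed attribute names as in Qualcomm firehose
# packages). "aboot" uses the offsets of a different firmware layout on purpose.
SAMPLE_RAWPROGRAM = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_main0.bin"
    label="PrimaryGPT" num_partition_sectors="34" physical_partition_number="0" start_sector="0"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sbl1.mbn"
    label="sbl1" num_partition_sectors="1024" physical_partition_number="0" start_sector="2048"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="tz.mbn"
    label="tz" num_partition_sectors="2048" physical_partition_number="0" start_sector="3072"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="emmc_appsboot.mbn"
    label="aboot" num_partition_sectors="2048" physical_partition_number="0" start_sector="4096"/>
</data>
"""


def make_gpt(parts, disk_sectors=8192):
    """Build a minimal GPT image: protective MBR, header at LBA 1, 128 entries of
    128 bytes from LBA 2 (34 sectors total). Offsets follow the UEFI layout; the
    GUIDs are dummies and the CRC fields are left at zero. Constructed data."""
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"
    entries = bytearray(128 * 128)
    for i, (name, first, last) in enumerate(parts):
        off = i * 128
        entries[off:off + 16] = b"\x11" * 16              # partition type GUID (dummy)
        entries[off + 16:off + 32] = bytes([i + 1]) * 16  # unique GUID (dummy)
        struct.pack_into("<QQQ", entries, off + 32, first, last, 0)  # first, last LBA, attrs
        entries[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\x00")
    header = bytearray(SECTOR)
    header[0:8] = b"EFI PART"
    struct.pack_into("<IIII", header, 8, 0x00010000, 92, 0, 0)       # revision, size, crc, reserved
    struct.pack_into("<QQQQ", header, 24, 1, disk_sectors - 1, 34, disk_sectors - 34)
    struct.pack_into("<QII", header, 72, 2, 128, 128)                  # entries LBA, count, size
    return bytes(mbr + header + entries)


def parse_gpt(img):
    """Return {partition name: (first_lba, last_lba)} from a raw GPT dump."""
    hdr = img[SECTOR:2 * SECTOR]
    if hdr[0:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    parts = {}
    for i in range(count):
        e = img[entries_lba * SECTOR + i * size:entries_lba * SECTOR + (i + 1) * size]
        if len(e) < 128 or e[0:16] == b"\x00" * 16:
            continue                                   # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts[e[56:128].decode("utf-16-le").rstrip("\x00")] = (first, last)
    return parts


def parse_rawprogram(xml_text):
    """Return the <program> entries that actually write a file, as dicts."""
    out = []
    for p in ET.fromstring(xml_text).iter("program"):
        a = p.attrib
        if not a.get("filename") or not a["start_sector"].isdigit():
            continue   # placeholder entry, or a symbolic offset such as NUM_DISK_SECTORS-33.
        out.append({"label": a["label"], "file": a["filename"],
                    "start": int(a["start_sector"]),
                    "count": int(a["num_partition_sectors"]),
                    "sector_size": int(a.get("SECTOR_SIZE_IN_BYTES", SECTOR))})
    return out


def check_rawprogram_against_gpt(programs, gpt):
    """Return a list of problems (empty means every write stays inside the
    GPT partition carrying the same label). A count of 0 means "size comes
    from the file", so only the start sector is checked in that case."""
    problems = []
    for p in programs:
        if p["label"] in GPT_LABELS:
            continue
        if p["sector_size"] != SECTOR:
            problems.append(f"{p['label']}: sector size {p['sector_size']} != {SECTOR}")
            continue
        if p["label"] not in gpt:
            problems.append(f"{p['label']}: no such partition in the on-device GPT")
            continue
        first, last = gpt[p["label"]]
        end = p["start"] + p["count"] - 1 if p["count"] else p["start"]
        if p["start"] != first or end > last:
            problems.append(f"{p['label']}: xml writes sectors {p['start']}-{end}, "
                            f"GPT has {first}-{last}")
            for name, (f, l) in gpt.items():     # what would the stray write hit?
                if name != p["label"] and p["start"] <= l and end >= f:
                    problems.append(f"  -> overlaps '{name}' ({f}-{l})")
    return problems


SAMPLE_GPT = make_gpt([("sbl1", 2048, 3071), ("tz", 3072, 5119), ("aboot", 5120, 7167)])


def demo():
    return check_rawprogram_against_gpt(parse_rawprogram(SAMPLE_RAWPROGRAM), parse_gpt(SAMPLE_GPT))


if __name__ == "__main__":
    for line in demo() or ["OK: every write matches the on-device GPT"]:
        print(line)
```

Run as-is, it reports that the "aboot" entry would write sectors 4096-6143 while the device's aboot starts at 5120, and that the write overlaps tz; sbl1 and tz pass. An empty result is the condition you want before letting any programmer touch the eMMC.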
I really hope we can get a fully working, detailed method to unbrick this device. I'll follow this project and try to help where I can; my phone isn't bricked, but I think that an unbrick guide is absolutely necessary.
By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had an LG G3 and got it hard-bricked, and my PC would recognize it as "Qualcomm HS-USB QDLoader 9008" too. Using the Board Diag method I got to erase the eMMC completely and flash each partition manually, and that brought it back to life. Of course there's a requirement, and it's the AP Chipset files. I don't know if you already tried, so you tell me.
Stayn said:
I really hope we can get a fully working, detailed method to unbrick this device. I'll follow this project and try to help where I can; my phone isn't bricked, but I think that an unbrick guide is absolutely necessary.
By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had an LG G3 and got it hard-bricked, and my PC would recognize it as "Qualcomm HS-USB QDLoader 9008" too. Using the Board Diag method I got to erase the eMMC completely and flash each partition manually, and that brought it back to life. Of course there's a requirement, and it's the AP Chipset files. I don't know if you already tried, so you tell me.
Hi! Really nice to read that. I didn't try it, but I will check it out in a while. Sorry for not responding immediately, but this will change from now on; I have the XDA app, so I stay updated.
Have you seen this post? There's apparently a new Oreo blankflash https://forum.xda-developers.com/showpost.php?p=79514510&postcount=419
echo92 said:
Have you seen this post? There's apparently a new Oreo blankflash https://forum.xda-developers.com/showpost.php?p=79514510&postcount=419
Website is legit, sounds like something good, but I will byte-compare it to the other blankflashes in my collection. Maybe it will worsen the state of my device, but I will try it.
PS. I am working on a download section!!!
EDIT: DO NOT TRY IT YET. As you can see in the link, this was uploaded 2 days ago. The post is 1 day old, so this is suspicious as hell.
Bobernator said:
Website is legit, sounds like something good, but I will byte-compare it to the other blankflashes in my collection. Maybe it will worsen the state of my device, but I will try it.
PS. I am working on a download section!!!
EDIT: DO NOT TRY IT YET. As you can see in the link, this was uploaded 2 days ago. The post is 1 day old, so this is suspicious as hell.
I understand the reason to be suspicious, since there's also no way to verify the origin of this blankflash. Also, is there an OPNS27.76-12-22-10 firmware? I thought OPNS27.76-12-22-9 was the last build?
I will answer this way:
Bobernator said:
I will answer this way:
That blankflash looks like it worked - seems your device is in fastboot mode despite the photo angle.
echo92 said:
That blankflash looks like it worked - seems your device is in fastboot mode despite the photo angle.
Yes, it worked! But do not make the mistake of flashing the full firmware right after the blankflash. Instead flash only the recovery - TWRP - and make a backup of the modemst1, modemst2 and FSG partitions, so you can restore your IMEI. After that, flash the full Android 8 FW.
Bobernator said:
Yes, it worked! But do not make the mistake of flashing the full firmware right after the blankflash. Instead flash only the recovery - TWRP - and make a backup of the modemst1, modemst2 and FSG partitions, so you can restore your IMEI. After that, flash the full Android 8 FW.
Can you see your recovery partition with the dummy bootloader from the blankflash? Do you have to flash the GPT/bootloader from the firmware first?
Well, this is nuts, @Bobernator, I'm really happy we have an unbrick method.
If MTP is still working, you can flash the file I attached to this post to automatically back up the required partitions; this can also be helpful in case anyone wants a full IMEI backup. Also, I tried this step:
Code:
fastboot flash fsg mmcblk0p29_fsg_backup
fastboot flash modemst1 mmcblk0p27_modemst1_backup
fastboot flash modemst2 mmcblk0p28_modemst2_backup
and it gives me "permission denied" when flashing modemst1 and modemst2. I think we should flash the modem (NON-HLOS.bin) and erase modemst1 and modemst2; if you agree, I'll update the zip I made to back up NON-HLOS.bin instead of modemst1 and modemst2.
Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuild the modemst files...
echo92 said:
Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuild the modemst files...
I don't know for sure, but a backup is always recommended, and more so if it is the IMEI. Then you can flash all partitions, and before restoring the backup, boot into the system and check for yourself if you're getting signal and it's working... :good:
Stayn said:
I don't know for sure, but a backup is always recommended, and more so if it is the IMEI. Then you can flash all partitions, and before restoring the backup, boot into the system and check for yourself if you're getting signal and it's working... :good:
Yup, an IMEI backup is always useful. Just wanted to ask since it's not pointed out in the opening post's guide to check your IMEI/signal before committing to steps 12/13. If it's working, no need for those two steps!
@echo92 I totally forgot about the IMEI, so I can't tell you, but I can't confirm that it's safe to flash the GPT and bootloader from the Oreo FW (8.0). I did it this way and everything is working. Even OTA updates to the most recent version work without problems! Here are the proofs (the language is Polish, if you want to translate):
Stayn said:
Well, this is nuts, @Bobernator, I'm really happy we have an unbrick method.
If MTP is still working, you can flash the file I attached to this post to automatically back up the required partitions; this can also be helpful in case anyone wants a full IMEI backup. Also, I tried this step:
and it gives me "permission denied" when flashing modemst1 and modemst2. I think we should flash the modem (NON-HLOS.bin) and erase modemst1 and modemst2; if you agree, I'll update the zip I made to back up NON-HLOS.bin instead of modemst1 and modemst2.
I really appreciate this! Thanks!
If you update your ZIP, I will attach it to the project today, and I will try to find a solution for you, because it looks like you can't restore the IMEI now (correct me if I am wrong).
echo92 said:
Yup, an IMEI backup is always useful. Just wanted to ask since it's not pointed out in the opening post's guide to check your IMEI/signal before committing to steps 12/13. If it's working, no need for those two steps!
You are surely right. I will correct the thread today.
Bobernator said:
I really appreciate this! Thanks!
If you update your ZIP, I will attach it to the project today, and I will try to find a solution for you, because it looks like you can't restore the IMEI now (correct me if I am wrong).
Don't worry about the IMEI, I got it back after flashing my fsg backup and the modem and erasing modemst1 and modemst2. Now the problem is that on every ROM I get a "com.android.phone has stopped" popup every time, until I remove the SIM card. What could this be? This isn't my main phone, so I'm not worried at all, but this could happen to someone else.
Dial *#06#; if you get nothing or zeros, that may mean a modem failure.
PS. Is your zip updated now?
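The radio restore sequence that the last few posts converged on (flash the fsg backup, flash the modem image, and erase modemst1/modemst2 when the bootloader refuses to flash them so the modem rebuilds them) as a small script. This is an added example, not a tool from the thread: the partition names, the backup file names (mmcblk0p29_fsg_backup, mmcblk0p27_modemst1_backup, mmcblk0p28_modemst2_backup, NON-HLOS.bin) and the "permission denied" wording come from the posts above; the helper names, the fake bootloader used for the dry run and the assumption that `fastboot` is on PATH are mine. The point of the injectable runner is that you can see the exact command sequence before a phone is attached, and that a refused modemst write falls back to erase instead of aborting halfway through.

```python
"""Restore the radio partitions after a blankflash, in the order the thread
settled on: flash the fsg backup, flash the modem image (NON-HLOS.bin), and,
because the bootloader refuses direct writes to modemst1/modemst2, erase
them so the modem rebuilds them. Added example, not the thread's own tool.
Partition names, backup file names and the "permission denied" wording come
from the thread; the helper names and the fake bootloader are mine.
"""
import os
import subprocess
import tempfile

FASTBOOT = "fastboot"          # assumed to be on PATH


def run_fastboot(*args):
    """Run one fastboot command and return (exit code, combined output)."""
    r = subprocess.run([FASTBOOT, *args], capture_output=True, text=True)
    return r.returncode, r.stdout + r.stderr


def check_backups(paths):
    """Refuse to start if any backup is missing or empty: an empty fsg would
    be flashed just as happily as a real one."""
    bad = [p for p in paths if not os.path.isfile(p) or os.path.getsize(p) == 0]
    if bad:
        raise FileNotFoundError("missing or empty backups: " + ", ".join(bad))


def restore_modem(fsg_backup, modem_image, modemst_backups=None, runner=run_fastboot):
    """Flash fsg and modem, then restore or erase modemst1/modemst2.
    'runner' is injectable so the sequence can be dry-run without a phone.
    Returns the list of (command, exit code) actually executed."""
    modemst_backups = modemst_backups or {}
    done = []

    def do(*args):
        rc, out = runner(*args)
        done.append((" ".join(args), rc))
        return rc, out

    check_backups([fsg_backup, modem_image, *modemst_backups.values()])
    for part, image in (("fsg", fsg_backup), ("modem", modem_image)):
        rc, out = do("flash", part, image)
        if rc != 0:
            raise RuntimeError(f"flashing {part} failed:\n{out}")
    for part in ("modemst1", "modemst2"):
        backup = modemst_backups.get(part)
        if backup:
            rc, out = do("flash", part, backup)
            if rc == 0:
                continue
            if "permission denied" not in out.lower():
                raise RuntimeError(f"flashing {part} failed for another reason:\n{out}")
        # write refused (or no backup): erase so the modem regenerates it
        rc, out = do("erase", part)
        if rc != 0:
            raise RuntimeError(f"erasing {part} failed:\n{out}")
    return done


def demo():
    """Dry run against a fake bootloader that refuses modemst writes, with
    placeholder files standing in for the backups (constructed, not real dumps)."""
    d = tempfile.mkdtemp()
    paths = {}
    for name in ("mmcblk0p29_fsg_backup", "NON-HLOS.bin",
                 "mmcblk0p27_modemst1_backup", "mmcblk0p28_modemst2_backup"):
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as f:
            f.write(b"\x00" * 16)

    def fake_bootloader(*args):
        if args[0] == "flash" and args[1].startswith("modemst"):
            return 1, "FAILED (remote: 'permission denied')"
        return 0, "OKAY"

    return restore_modem(paths["mmcblk0p29_fsg_backup"], paths["NON-HLOS.bin"],
                         {"modemst1": paths["mmcblk0p27_modemst1_backup"],
                          "modemst2": paths["mmcblk0p28_modemst2_backup"]},
                         runner=fake_bootloader)


if __name__ == "__main__":
    for cmd, rc in demo():
        print(rc, cmd)
```

Against a real phone, call restore_modem with the default runner and your own backup paths; the dry run above shows the six commands it will issue (flash fsg, flash modem, then for each modemst partition a flash attempt followed by an erase once the bootloader answers "permission denied"). Check the IMEI with *#06# after the first boot, as suggested above, before deciding anything else needs flashing.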
Hello guys,
I have the exact same problem. It all started with a replaced screen that stopped working after the update to 8, so I downgraded to 7 and the touch was back. Then it started doing the OTA updates and I (dumb enough) accepted them, and now I have a bricked device.
***EDIT***
Now I could get access to the bootloader again. The blankflash worked, but it had a catch: if I just executed the bat, it would not work; I had to open a CMD with admin rights, go to the folder and run the bat from there.
***EDIT 2***
So I restored the bootloader, and it booted just like before it was corrupted. Now it keeps asking for an update, and I disabled it in the "Developer Menu". Is that enough? I will not play with updates on this device anymore; Android 7.1.1 with 2017 security updates will do.
***EDIT 3***
Now I have a mobile network problem. It does recognize the SIM chip, but won't get network access. I didn't back up before doing the blankflash, but it was not showing on the system before either (because of the downgrade from 8 to 6, and then the upgrade to 7). Is there a way to recover it or fix this "no network registration possible"?
Hey! Soon I'm going to try to fix my P20, hard-bricked with a black screen for 3 months, but I don't have the files that I need. Can somebody post links to the OEM info (I'm on the C432 version) and the right software that I need to use in DC-Unlocker? Thanks in advance!
Keep your own device's oeminfo, it's just fine.
Don't use stock board software on the P20; that will wipe your nvmodem and oeminfo, and then bye-bye IMEIs, with no chance of repair, as no method is available at this date for the Kirin 970 EML.
I guess your downgraded xloader is what bricked you; look into that and don't start messing with other things :l
Good luck.
oslo83 said:
Keep your own device's oeminfo, it's just fine.
Don't use stock board software on the P20; that will wipe your nvmodem and oeminfo, and then bye-bye IMEIs, with no chance of repair, as no method is available at this date for the Kirin 970 EML.
I guess your downgraded xloader is what bricked you; look into that and don't start messing with other things :l
Good luck.
I downgraded it from 9 to 8.1, but it failed, which is strange because I downgraded it from 9 beta to 8.1 from Funky and now it doesn't work. But to the point: when it rebooted into eRecovery the update crashed, and until now it's sitting with a black screen, only a sound when connecting the cable in fastboot and a blinking LED indicator, that's all. And I was seeing in forums that with DC-Unlocker you can revive it, and at least 10 people that I read from said they fixed it.