How To Guide [ADVANCED] [UNTESTED] Possible Fix - MSM Errors (Sahara, Param info, etc) - OnePlus 9

WARNING: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY AND MAY FURTHER DAMAGE YOUR DEVICE. EXERCISE EXTREME CAUTION. USE ONLY AS A LAST RESORT.
This was tested with a Global OnePlus 9 LE2115
Overview
So I was encountering an error with MSM Download Tool that would show "Sahara communication failed" after about 18 seconds. This resulted in me being 100% unable to recover my device with MSM as it was continuously rebooting into EDL mode with no possibility of entering fastboot.
After much research, I stumbled upon a solution completely by accident. I was able to fix the issue by utilizing the following tools:
Qualcomm Sahara Tools - https://github.com/bkerler/edl
Oppo/OnePlus Decryption Tools - https://github.com/bkerler/oppo_decrypt
You need:
- Latest version of Python 3
- C/C++ build tools (gcc, Visual Studio, XCode) to build pip dependencies
- Dependencies installed using pip as specified in README.md of each repo
- Linux or macOS (Windows untested)
- *.ops file from your corresponding MSM Download Tool package
Process
Follow the instructions contained within the README of the above repos to download all files and install dependencies before continuing.
Spoiler: Extract ops package
Use opscrypto.py to extract the ops file you obtained earlier.
This results in a directory full of the decrypted contents of the update image (a collection of bin, img, and other files):
Code:
$ ./opscrypto.py decrypt lemonade_xxxx.ops
This creates an extract directory containing the decrypted files
Spoiler: Flash using edl.py
The wl subcommand for edl.py can then be used to write the aforementioned partitions.
The documentation describes the command thusly:
Code:
./edl.py wl dumps --memory=ufs >> to write all files from "dumps" folder to according partitions to flash and try to autodetect lun
I ran the command on the extract directory that was previously decrypted.
Additionally, I had to explicitly specify the OP9 EDL loader as well as specify that the flash memory was UFS and not EMMC:
Code:
$ sudo ./edl.py wl extract --memory=ufs --loader=Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin
This output was produced:
Code:
main - Using loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
main - Waiting for the device
...............
.main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID: <CLIPPED>
CPU detected: "lahaina"
PK_HASH: <CLIPPED>
Serial: <CLIPPED>
sahara - Uploading loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
Successfully uploaded programmer :)
firehose - Chip serial num: <CLIPPED>
firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
firehose_client - Target detected: lahaina
firehose - TargetName=
firehose - MemoryName=UFS
firehose - Version=
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
Reading from physical partition 0, sector 8, sectors 1
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Progress: |██████████████████████████████████████████████████| 100.0% Complete
oneplus - Oneplus protection with prjid 19825 detected
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./persist.img to partition persist.
firehose -
Writing to physical partition 0, sector 2056, sectors 8192
Writing ./misc.bin to partition misc.
firehose -
Writing to physical partition 0, sector 10248, sectors 256
Writing ./frp.bin to partition frp.
firehose -
Writing to physical partition 0, sector 10632, sectors 128
Writing ./carrier.img to partition carrier.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 18440, sectors 12288
Writing ./opluslog.img to partition opluslog.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 34824, sectors 65536
Writing ./metadata.img to partition metadata.
firehose -
Writing to physical partition 0, sector 108616, sectors 4096
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
Writing ./ocdt.bin to partition ocdt.
firehose -
Writing to physical partition 3, sector 576, sectors 32
Writing ./oplusreserve2.img to partition oplusreserve2.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 4, sector 6, sectors 32768
Writing ./devinfo.bin to partition devinfo.
firehose -
Writing to physical partition 4, sector 722224, sectors 1
Writing ./apdp.mbn to partition apdp.
firehose -
Writing to physical partition 4, sector 722481, sectors 4
Writing ./storsec.mbn to partition storsec.
firehose -
Writing to physical partition 4, sector 817779, sectors 6
Writing ./mdcompress.mbn to partition mdcompress.
firehose -
Writing to physical partition 4, sector 826302, sectors 12
Writing ./spunvm.bin to partition spunvm.
firehose -
Writing to physical partition 4, sector 831486, sectors 87
Writing ./rtice.mbn to partition rtice.
firehose -
Writing to physical partition 4, sector 839678, sectors 65
Writing ./abl_log.bin to partition abl_log.
firehose -
Writing to physical partition 4, sector 839870, sectors 4048
Writing ./android_log.bin to partition android_log.
firehose -
Writing to physical partition 4, sector 847966, sectors 4048
Writing ./qsee_log.bin to partition qsee_log.
firehose -
Writing to physical partition 4, sector 852014, sectors 4048
Writing ./hyp_log.bin to partition hyp_log.
firehose -
Writing to physical partition 4, sector 856062, sectors 4048
Conclusion
After performing the above on a macOS device, the device successfully flashed in MSM on Windows 11.
I rebooted the device prior to attempting to flash after performing the above steps.
Addendum
This isn't a foolproof guide and may not even work for your device or may even damage it further.
The process described above is somewhat advanced and very much undocumented and unsupported/unofficial/hacky.
I cannot vouch for the quality, security or effectiveness of the tools linked above.
I'm putting this out there in hopes it helps others and to gather more information about how MSM Download Tool and EDL mode actually work.
Please let me know if this solves any issues with MSM and I can potentially produce a guide if this method is proven safe.
Spoiler: Speculation / Thoughts
Firehose appears to be an executable ELF file that is run on the device, which then parses settings.xml and provision_*.xml contained within the ops file.
These files appear to contain the directives that allow MSM to recover bricked devices.
MSM appears to transmit these XML files to the firehose executable after loading it on the device.
These files reference the stock images, partition sizes, names, and extents that firehose then uses to provision the device.
Since firehose is simply an ELF file that appears to rely on some preexisting data being present on the device, some bricks may cause firehose to fail due to corruption of certain partitions, producing errors such as:
- Device mismatch
- Param preload error
- Sahara communication failure
- Waiting for device
- Waiting for COM port
The partitions shown in the output log appear to not be touched by MSM prior to sending firehose to the device, suggesting that it assumes they have been untouched.
Therefore, firehose may throw an error or fail to run entirely when attempting to recover some devices, even when using the correct MSM tool and drivers.
Despite being contained in the ops file, MSM doesn't appear to touch these partitions in its default Upgrade Mode.
That functionality may be locked behind more advanced modes such as SMT Download Mode, however, that mode is well known for causing more issues than it solves.
The tools above are open source reverse engineering tools that can do some rudimentary communication with OnePlus devices in EDL mode by utilizing a custom firehose binary (known as the "loader").
These appear to permit operations not possible with MSM's default behavior.
Spoiler: Observations
I was only able to get the edl.py tool to work on macOS.
I was unable to get this tool (edl.py) to work in Windows. It threw various libusb related errors despite using zadig as directed.
I observed that writing to any partition that was part of A/B dynamic partitioning would report that it was written successfully but in reality would only write 1 sector of the provided file.
However, a handful of other partitions appear to be writable, ones that typically can't be written to/aren't written with fastbootd or OTA side loading.
My IMEI and Serial Number were fully intact after flashing.
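The wl log above only says what edl.py attempted; it does not say whether the sector count it wrote matches the image it was given (the super.img line reports a single sector, which is the A/B dynamic partition behaviour noted in Observations). The script below is an added example, not code from the original post or from the bkerler/edl project: it pairs each "Writing X to partition Y." line with the "Writing to physical partition N, sector S, sectors C" line that follows, works out how many sectors the image should occupy (for an Android sparse image, from the unpacked size in its header), and reports every write whose sector count disagrees. Assumed here and not stated on the page: 4096-byte UFS sectors, the standard Android sparse header layout, and the constructed sample log and image bytes.

```python
"""Cross-check an edl.py ``wl`` log against the images it claims to have written.

Added example, not part of the original post or of the bkerler/edl project.
Assumptions (mine, not stated on the page): the UFS LUNs use 4096-byte
sectors, and a sparse image is the standard Android sparse format
(magic 0xED26FF3A) whose unpacked size is blk_sz * total_blks.
"""
import math
import re
import struct

SECTOR_SIZE = 4096          # assumed UFS logical block size
SPARSE_MAGIC = 0xED26FF3A   # Android sparse image magic (little-endian)

# "Writing ./super.img to partition super." is followed (after a "firehose -"
# line) by "Writing to physical partition 0, sector 145480, sectors 1".
WRITE_RE = re.compile(r"^Writing (\S+) to partition (\S+)\.$")
EXTENT_RE = re.compile(r"^Writing to physical partition (\d+), sector (\d+), sectors (\d+)$")


def parse_wl_log(text):
    """Pair each 'Writing <image> to partition <name>.' line with the extent
    line that follows it. Returns a list of dicts, one per write."""
    entries = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            pending = {"image": m.group(1), "partition": m.group(2)}
            continue
        m = EXTENT_RE.match(line)
        if m and pending is not None:
            pending.update(lun=int(m.group(1)), start=int(m.group(2)),
                           sectors=int(m.group(3)))
            entries.append(pending)
            pending = None
    return entries


def unpacked_size(data):
    """Byte length an image occupies on flash: the raw length, or for an
    Android sparse image the size it expands to (blk_sz * total_blks)."""
    if len(data) >= 28 and struct.unpack_from("<I", data, 0)[0] == SPARSE_MAGIC:
        # magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks
        _, _, _, _, _, blk_sz, total_blks, _ = struct.unpack_from("<IHHHHIII", data, 0)
        return blk_sz * total_blks
    return len(data)


def expected_sectors(data):
    return math.ceil(unpacked_size(data) / SECTOR_SIZE)


def check_writes(entries, images):
    """images maps an image path as it appears in the log to its bytes.
    Returns (partition, expected_sectors, written_sectors) for every write
    whose sector count does not match the image; expected is None when the
    image was not supplied."""
    mismatches = []
    for e in entries:
        data = images.get(e["image"])
        if data is None:
            mismatches.append((e["partition"], None, e["sectors"]))
            continue
        want = expected_sectors(data)
        if want != e["sectors"]:
            mismatches.append((e["partition"], want, e["sectors"]))
    return mismatches


# Constructed sample: a few lines in the shape of the post's log, plus image
# bytes made up here (a raw 1 MiB param.bin and a sparse header for super.img
# that claims 65536 blocks of 4096 bytes).
SAMPLE_LOG = """\
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
"""

SAMPLE_IMAGES = {
    "./param.bin": bytes(256 * SECTOR_SIZE),
    # sparse header only: version 1.0, header 28 bytes, chunk header 12 bytes
    "./super.img": struct.pack("<IHHHHIIII", SPARSE_MAGIC, 1, 0, 28, 12, 4096, 65536, 0, 0),
}


def run_sample():
    return check_writes(parse_wl_log(SAMPLE_LOG), SAMPLE_IMAGES)


if __name__ == "__main__":
    for part, want, got in run_sample():
        print(f"{part}: expected {want} sectors, log reports {got}")
```

Against the sample the param write checks out (1 MiB is exactly 256 sectors) and super is reported with 65536 sectors expected versus 1 written; that is the signal to read the partition back with the r subcommand rather than trusting the "written" line. To use it on a real run, pipe the edl.py output into parse_wl_log and build the images dict from the files in the extract directory.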

Bruh, my Pro was in that constant reboot state. Buss laugh if this is actually a fix for that.
Hopefully it is. I'm curious to see if it works for others. I stumbled upon this right as I had given up and submitted a ticket to OnePlus.
At which point they said there's nothing to do and the device needed to be repaired.
So hopefully this is a reliable fix for devices that are super-bricked, because it saved me from having to send my device in.

Op9 was there all except I could always get to fastboot by pressing all buttons and holding until off and back on in fastboot. Also, several times monfrios' all-in-one would read it, dump and could reboot to fastboot. lol, thanks again mon, and I do some dumb junk to mine trying to get 5G on AT&T all the time, so eventually I may need this. Thanks in advance for your efforts and interest.

Jessp4046 said:
Op9 was there all except I could always get to fastboot by pressing all buttons and holding until off and back on in fastboot. Also, several times monfrios' all-in-one would read it, dump and could reboot to fastboot. lol, thanks again mon, and I do some dumb junk to mine trying to get 5G on AT&T all the time, so eventually I may need this. Thanks in advance for your efforts and interest.
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.

GlitterFartzz said:
This may be a solution to a problem that isn't all that widespread.
I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.
I've used MSM many times while experimenting but this time I really messed up and was out of options.
Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol

Jhoopes517 said:
This is exactly what caused mine to loop. I tried flashing a 12 GSI lol
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.

I'm waiting here

flameteam said:
I'm waiting here
View attachment 5364413
Looks like you're trying to do a full dump of LUN 0 into a single bin file. LUN 0 contains a large chunk of data as it houses the super partition and the userdata partition.
I would recommend using the r subcommand to dump individual partitions or just use rl which will dump your whole device while neatly separating each partition into individual files.
To see exactly what each LUN is comprised of, you can use the printgpt command:
Code:
./edl.py printgpt --memory=ufs
Given that you're running in a VM, your I/O speeds are likely much lower.
I recommend at least booting into a Linux Live USB to do this.
If security is a concern, at a minimum I would recommend vfio passthrough via QEMU to pass your entire USB controller through from a Linux host.
IMO, virtualizing the USB connection will kill your throughput and put you at risk of data corruption.
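What printgpt reports for a LUN comes from the GPT header at LBA 1 and the entry array behind it; a reader that checks the two CRC32s before trusting the table also tells you whether that LUN's table is intact on a bricked device instead of silently listing garbage. The block below is an added example, not code from the edl project: it builds a small LUN image with a GPT, parses it back (verifying the header and entry-array CRCs) and lists each partition's name, start sector and size, which is how you would confirm that super and userdata sit in LUN 0 before choosing r over rl. Assumed: 4096-byte UFS sectors and a standard GPT layout (128-byte entries starting at LBA 2); the sample table's names and start sectors follow the log in the first post, its end sectors are made up.

```python
"""Parse one LUN's GPT and list its partitions, roughly what edl.py printgpt
reports. Added example, not code from the edl project. Assumptions: 4096-byte
UFS sectors, a standard GPT (header at LBA 1, 128-byte entries from LBA 2).
The sample LUN image is constructed below."""
import struct
import uuid
import zlib

SECTOR = 4096                       # assumed UFS logical block size
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"      # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry
ENTRY_SIZE = 128


def build_gpt(partitions, disk_sectors, num_entries=128):
    """Build LBA0..LBA(1+table) of a LUN image: an empty LBA 0, the GPT header
    at LBA 1 and the entry array from LBA 2. partitions: (name, first, last)."""
    table = bytearray()
    for name, first, last in partitions:
        table += struct.pack(ENTRY_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                             first, last, 0, name.encode("utf-16-le"))
    table += bytes(ENTRY_SIZE * (num_entries - len(partitions)))
    table_sectors = -(-len(table) // SECTOR)            # ceil division
    entries_lba = 2
    fields = [GPT_SIG, 0x00010000, 92, 0, 0,             # header CRC filled in below
              1, disk_sectors - 1,                       # current / backup header LBA
              entries_lba + table_sectors,               # first usable LBA
              disk_sectors - 2 - table_sectors,          # last usable LBA
              uuid.uuid4().bytes_le, entries_lba, num_entries, ENTRY_SIZE,
              zlib.crc32(table)]
    header = bytearray(struct.pack(HDR_FMT, *fields))
    struct.pack_into("<I", header, 16, zlib.crc32(header))   # CRC over header with its field zeroed
    return (bytes(SECTOR) + bytes(header).ljust(SECTOR, b"\0")
            + bytes(table).ljust(table_sectors * SECTOR, b"\0"))


def parse_gpt(lun):
    """Return the used partition entries of a LUN image after verifying both
    GPT CRCs. Raises ValueError on a missing signature or a CRC mismatch."""
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _backup, _first, _last, _guid,
     entries_lba, n_entries, entry_size, entries_crc) = struct.unpack_from(HDR_FMT, lun, SECTOR)
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1")
    hdr = bytearray(lun[SECTOR:SECTOR + hdr_size])
    struct.pack_into("<I", hdr, 16, 0)                  # CRC field is zero while hashing
    if zlib.crc32(hdr) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    off = entries_lba * SECTOR
    table = lun[off:off + n_entries * entry_size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(n_entries):
        type_guid, _uniq, first, last, _attrs, name = struct.unpack_from(ENTRY_FMT, table, i * entry_size)
        if type_guid == bytes(16):                      # unused slot
            continue
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "first": first, "last": last,
                      "bytes": (last - first + 1) * SECTOR})
    return parts


def partitions_on(lun):
    """(name, start sector, MiB) for each partition, printgpt-style."""
    return [(p["name"], p["first"], p["bytes"] // (1024 * 1024)) for p in parse_gpt(lun)]


def detects_tamper(lun, offset):
    """True if flipping one bit at `offset` makes parse_gpt reject the image."""
    damaged = bytearray(lun)
    damaged[offset] ^= 0x01
    try:
        parse_gpt(bytes(damaged))
    except ValueError:
        return True
    return False


# Constructed LUN 0 table: names and start sectors follow the first post's log,
# the end sectors are made up, so the sizes are illustrative only.
SAMPLE_LUN0 = build_gpt([
    ("param", 8, 263),
    ("persist", 2056, 10247),
    ("super", 145480, 2877511),
    ("userdata", 2877512, 7_000_000),
], disk_sectors=7_000_008)

if __name__ == "__main__":
    for name, first, mib in partitions_on(SAMPLE_LUN0):
        print(f"{name:10s} start sector {first:>9d}  {mib:>7d} MiB")
```

To run it against a real device, dump LBA 0 through the end of the entry array of one LUN with the r subcommand and pass those bytes to parse_gpt; a CRC error there means the table itself is damaged, which is worth knowing before any wl attempt.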

GlitterFartzz said:
I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.
I couldn't this time. I was able to prior but no go.

My OnePlus 8T is completely hard bricked: black screen, no logo, no vibration, nothing. Now I can't use MSM because I always get "Sahara communication failed". This seems like the way to go, will update you if it works.

Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work... It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax

_MartyMan_ said:
Help me guys. I can't access anything and it's saying Sahara Comm. error at 18 sec. I tried this on Windows and Linux but it does not work... It gives me this:
File "opscrypto.py", line 160
self.info = print
^
SyntaxError: invalid syntax
Same here! OnePlus 9 Chinese version, model 2110; the screen is just black, but the computer detects it.
Thanks in advance

Kind of progress but still does not work... I get this error message:
Somebody help pls.......
@GlitterFartzz do you have any idea what this could be?

I have tried everything to get my Global OnePlus 9 back up and running again. No matter what I do with drivers I get this error on MSM tool. As you can see my phone is detected in the tool but can't go past this point. I do not have access to download or fastboot mode. Last steps I took were through this thread: https://forum.xda-developers.com/t/fastboot-rom-pc-required-op9-stock-oos-11-2-2-2aa.4275727/ and reached the 1/2 way point (waiting on device) and now I can't get OOS back on the phone. Does anyone have any tips or knowledge they can guide me with to get my phone working with MSM tool? Much appreciated.

Toggle on "Use lite Firehose" before running

Thanks shooter7889, got past the SMT error by setting the date back 2 years on the laptop and turning Wi-Fi off. Now I am getting the Sahara error after 18 sec, and if I toggle "Use lite Firehose" I get the PARAM error after 8 sec. I have tried to follow the steps in the README section (advanced GitHub page) but I don't have any experience with the process as shown. Is it possible to get an easy step guide that can be put together to get past the Sahara error, for us less advanced members? Anything helps at this point. Phone is a brick; the only thing I can get into is EDL mode.

Justingaribay7 said:
Thanks shooter7889, got past the SMT error by setting the date back 2 years on the laptop and turning Wi-Fi off. Now I am getting the Sahara error after 18 sec, and if I toggle "Use lite Firehose" I get the PARAM error after 8 sec. I have tried to follow the steps in the README section (advanced GitHub page) but I don't have any experience with the process as shown. Is it possible to get an easy step guide that can be put together to get past the Sahara error, for us less advanced members? Anything helps at this point. Phone is a brick; the only thing I can get into is EDL mode.
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 (9 Pro EU MSM ROM), and after installation flash OP9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing

This is a great resource to have, nice work. I'll give it a go if I ever hit that state again. I've only had success using the Pro MSM tools up to this point, for some reason, with lite Firehose when I get the Sahara or "param info device not match" error. Once I've lite-MSMed with the Pro tool, I can normal MSM with the non-Pro tool, just like flameteam mentioned.

flameteam said:
Mate, what's your device model? If your device model is LE2113, flash https://androidfilehost.com/?fid=2188818919693804750 (9 Pro EU MSM ROM), and after installation flash OP9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
Thanks for the reply flameteam. My device is LE2115 Global. Would this method still work on this version?

I tried running the EU tool. No luck. Same errors as the O2 tool. Tried different flash options such as lite Firehose on and off. Sahara error and Param error still present.

Related

[UPDATED 8/26/2014]HTC 8x wp8 GDR2 UEFI Extracted From .cab update

So I was able to make a decompressed, extracted dump of the UEFI cab update package. After extracting the 2_UEFI.bin file from the cab update, I ran it through some PC BIOS extraction tools. Just my luck, it worked.
This package is only partially extracted. And readable.
MORE STUFF ON POST#2
Here is the picture, attached here.
PLEASE MAKE NO!!!! ATTEMPT TO FLASH ANY OF THESE FILES. UNLESS YOU KNOW WHAT YOU'RE DOING.
FULL DUMP CAN BE DOWNLOADED HERE
View attachment UEFI-VOL-DUMP.zip
Here are some strings from the EBL module that was extracted from a Vodafone UEFI update cab.
EblCheckRefurbishResult
[FAT_ERROR] fat_get_next_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_next_cluster: read FAT table sector[%d] fail!
fat_read_disk [FAT_ERROR] fat_get_skip_cluster: allocate %d bytes for FAT table sector buffer fail!
[FAT_ERROR] fat_get_skip_cluster: read FAT table sector[%d] fail!
[FAT_ERROR] fat_open_file: can not alloc heap for the file description!
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] ReadSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
[SSD-PLAT] WriteSector failed, please probe removable media first.
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
EblEMMCInformation: Not found hTC Sdcc extention protocol!! (%r)
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol(&gQcomPmicVregProtocolGuid, 0, (void**)&PmicVregProtocol))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiCpuArchProtocolGuid, 0, (void **)&CpuArch))
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\EmbeddedPkg\Ebl\hTC\tz.c !EFI_ERROR (gBS->LocateProtocol (&gEfiTzeLoaderProtocolGuid, 0, (void**)&TzeLoader))
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_READ_SIMLOCK_MASK modified ret = %d, mask = 0x%X
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] TZ_HTC_SVC_UPDATE_SIMLOCK: TZ NOT return updating record index
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] secure_get_simlock_upgrade_magic, ret=%d (0x%x, 0x%x, 0x%x)
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT set magic (0x%X, %d) ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
[SECURITY] TZ_HTC_SVC_EMMC_WRITE_PROT get magic 0x%X 0x%X ret = %d
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
hash: %a 2 [1: sha1 | 2: sha256] [src address] [src len] [digest addr] [digest len]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes: %a 3 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [iv addr] [key addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
aes encryption with SW key: %a 8 [0: aes128 | 1: aes256] [0: ECB | 1: CBC | 2: CTR] [0: encrypt | 1: decrypt] [key id] [iv addr] [src addr] [len] [dest addr]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
set ddr mpu config: %a 11 [index] [read vmid mask] [write vmid mask] [start] [end]
enable_hw_auth
disable_jtag
blow_boot_cfg
blow_sec_key
hide_hwkey
checksbl1
je board_evm
evm
EVM8960
ke board_evm2
evm2
EVM28960
board_evita
evita
EVITA board_accord_wl
accord_wl
PM2310000
board_accord_wr
accord_wr
PM2330000
board_accord_u
accord_u
PM2320000
board_accord_ul
accord_ul
PM2321000
board_accord_td
accord_td
PM2350000
[ERR] partition_update offset is not emmc sector[%d] aligment! Offset[%d]
htc_pg_sanity_check pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
pg %a: calculated checksum 0x%x is mismatched (header checksum 0x%x)
htc_pg_hdr_get
htc_pg_hdr_set
htc_pg_part_hdr_get
htc_pg_alloc_map
htc_pg_find_best_alloc
htc_pg_alloc
htc_pg_part_reduce_size
htc_pg_fix_part_hdr_add
htc_pg_part_hdr_set
htc_pg_part_traverse
htc_pg_link_size
htc_pg_part_update
htc_pg_part_clear
htc_pg_part_read
htc_pg_update_crc
htc_pg_part_modify
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_part_modify:
part %a,
offset %d,
len %d,
is_erase %d,
update_crc %d
htc_pg_free_size
htc_pg_part_crc
check_pgfs
check_boardinfo
chipset_setting_init
chipset_reset
chipset_get_device_id
chipset_set_device_id
read_simlock
write_simlock
EMBEDDED BOOT LOADER COMMANDLINE INTERFACE
I think some of the more experienced gurus from the Windows Mobile days can input more knowledge here.
EblBoardInfoCommand
write_simlock_password
read_simlock_password
radio_init_secure_smem
ClearSimLockCode
AddSimLockCode
EnableSimLock
DisableSimLock
HTC
USB BLDR
HandleSetupPkt
HandleUSBEvent
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG **** OnBoard_USB_Init OnBoard_USB_Write
**** Both TX and RX needs to be queued, but only one can be queued. SOMETHING MAY GO WRONG ****
OnBoard_USB_Read
detectUsbCable
0 . 0 . 0 . 0
PIKS
MSM8960
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\AutoGen.c
No Media
Media changed
Access Denied
Write Protected
Not started
Already started
Aborted
Unsupported
Not Found
Warning
Delete
Failure
Warning
Write Failure
No Response
Bad Buffer Size
No mapping
Warning Unknown Glyph
Warning Buffer Too Small
Volume Full
Invalid Parameter
ICMP Error
TFTP Error
Load Error
Device Error
Protocol Error
Out of Resources
Success
Volume Corrupt
Time out
Not Ready
Snapdragon S4 Processor
GPT PARTITIONS
FFFFFFFF-FFFF-FFFF-FFFF-000000000010
540B4740-D799-497D-9F02-B36D2E958EB0
B7A9BDA8-368C-46BC-B2C7-67501F0E6B52
9183C552-0934-4FD6-AF26-13FE14244223
320D3B19-80D9-467A-99BC-AB2B85287574
A053AA7F-40B8-4B1C-BA08-2F68AC71A4F4
E35F99CF-0025-4252-A608-CAAA1289CAF4
69B4201F-A5AD-45EB-9F49-45B38CCDAEF5
0732095D-CD4E-4492-B229-28D4ECCEC1B6
F0B4F48B-AEBA-4ECF-9142-5DC30CDC3E77
E5C3DF3F-556D-478e-AFE3-DABA98C52897
EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
098DF793-D712-413D-9D4E-89D711772228
400FFDCD-22E0-47E7-9A23-F16ED9382388
DEA0BA2C-CBDD-4805-B4F9-F428251C3E98
E6536BC2-6DA4-495D-A83B-79F93701E799
638FF8E2-22C9-E33B-8F5D-0E81686A68CB
0A288B1F-22C9-E33B-8F5D-0E81686A68CB
EBBEADAF-22C9-E33B-8F5D-0E81686A68CB
3A6A228E-FC35-4A46-A869-4C511F7CE5EC
6BB94537-7D1C-44D0-9DFE-6D77C011DBFC
8C6B52AD-8A9E-4398-AD09-AE916E53AE2D
2373E6C7-FCBE-42B1-B44A-10DDAF18388D
543C031A-4CB6-4897-BFFE-4B485768A8AD
530C3197-F4D2-408F-B886-778ED6CDFDAD
05E044DF-92F1-4325-B69E-374A82E97D6E
74DA3EE7-D422-487C-A573-CE03C261362F
A44D2E89-8B5A-4F42-8FE5-FD36333A3BFF
PARTITION IMAGES
%a:\hTCIMG\QC\MSM8960\%04x\rfg_0.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_1.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st1.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_2.img
%a:\hTCIMG\QC\MSM8960\%04x\modem_st2.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_3.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_4.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_5.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_6.img
%a:\hTCIMG\QC\MSM8960\%04x\rfg_7.img
%a:\hTCIMG\QC\MSM8960\%04x\disk.img
%a:\hTCIMG\QC\MSM8960\%04x\radio.img
%a:\hTCIMG\QC\MSM8960\%04x\sbl1.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl2.mbn
%a:\hTCIMG\QC\MSM8960\%04x\sbl3.mbn
%a:\hTCIMG\QC\MSM8960\%04x\uefi.mbn
%a:\hTCIMG\QC\MSM8960\%04x\rpm.mbn
%a:\hTCIMG\QC\MSM8960\%04x\winsecapp.mbn
%a:\hTCIMG\QC\MSM8960\%04x\tz.mbn
%a:\hTCIMG\QC\MSM8960\%04x\gpt_main0.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat16.bin
%a:\hTCIMG\QC\MSM8960\%04x\MainOS.bin
%a:\hTCIMG\QC\MSM8960\%04x\fat_FFU.bin
%a:\hTCIMG\QC\MSM8960\%04x\UserData.bin
%a:\hTCIMG\QC\MSM8960\%04x\sdata.bin
%a:\hTCIMG\QC\MSM8960\%04x\misc.bin
%a:\hTCIMG\QC\MSM8960\%04x\mfg.bin
%a:\hTCIMG\QC\MSM8960\%04x\modem_fsg.bin
%a:\hTCIMG\QC\MSM8960\%04x\dpp.bin
%a:\hTCIMG\QC\MSM8960\%04x\efiesp.bin
%a:\hTCIMG\QC\MSM8960\%04x\eblogs.bin
RUU CONFIGURATION
THESE VARABLES CAN BE USED TO IN THE ACDUCONF.TXT
[getvzwmid] Query VZW model ID
[getmeid] Query device MEID vzwisLTE
[getdevinfo] Return device Model ID and CID to RUU
[getimei] Return device IMEI to RUU
[blversion] Return bootloader version to RUU wdata
[readconfig ] Read i-th config data or read all config data if no i supplied getmeid getvzwmid
[task TaskNum] Executing task command
[set SetNum SetValue] Executing set command password ResetDevice
[ResetDevice] Reseting the device
[wdata Length Checksum] Writing NBH file format data to device
[ruustart] Enter RUU special command mode
[progress Percentage] Show progress bar and percentage on screen for RUU use readconfig Ask radio to start refurbish startrefurbish getimei task blversion
[password PassWord] RUU password verification getdevinfo progress set Check the refurbish result checkrefurbishresult
[vzwisLTE] Check the device is LTE or not ruustart
FixVoltageMSMC1
FixVoltageMSMC2
KitlIP DCVSParam[0]
DCVSParam[1]
DCVSParam[2]
DCVSParam[3]
DCVSParam[4]
DCVSParam[5]
DebugMethod
PowerSavingDisable
DriverDisable
FixedIdleTime
DriverLocalZone
PagingPoolSize
DebugFlag
DriverFlag
PassiveKitlDbg
HookDebug
ApSwitch
KitlNetMask
FixFreqLevel
USBFlags
RadioDebugFlags
SensorDebugFlags
BootloaderFlags
DLLLowFlags
DummyFlags
SpyFlags
DllBreakPoint
DemFatalCount
AutoFocusTest
DebugBattery
secure erase secure trim
QUALCOMM OEM
STILL NOT SURE ABOUT THESE STRINGS
Q6:
VDDCX:
Krait:
RFSKUIDField_D0
RFSKUIDField_D1
RFSKUIDField_D2
RFSKUIDField_D3
RFSKUIDField_D4
RFSKUIDField_D5
RFSKUIDField_D6
RFSKUIDField_D7
EngineerID
KEK
PK
DPP
HTC OEM SECURE KEYS
fs0:\SecureBootPolicy.p7b
db pDPP.enc
OEM_DB_CLEAR.enc
OEM_KEK_CLEAR.enc
OEM_PK_CLEAR.enc
OEM_DBX_CLEAR.enc
PCBIDField
FunctionSKUField
ssd
delfile
crwfile
fs0:\enc.img
fs0:\ori.img
SKUIDChecksum
fs0:\OEM_dbx_2011.bin
fs0:\OEM_db_2012.bin
fs0:\OEM_KEK.bin
fs0:\OEM_PK.bin
fs3:\pDPP.tmp
fs3:\OEM_DB_CLEAR.tmp
fs3:\OEM_KEK_CLEAR.tmp
fs3:\OEM_PK_CLEAR.tmp
fs3:\OEM_DBX_CLEAR.tmp
var midr
fs0:\keystore.dat
v
w
dbx
CurrentPolicy
QULCOMM SECURE
RFG_0
SBL1
MODEM_FS1
RFG_1
SBL2
MODEM_FS2
RFG_2
SBL3
RFG_3
RFG_4
RFG_5
RFG_6
RFG_7
SDATA
MISC
MODEM_FSG
UEFI
RPM
RADIO
BDP
WINSECAPP
DPP
EFIESP
EBLOGS
MainOS
PLAT
TZ
Data
X
ROM UPDATE UTILITY
HTCIMAGE
GPT_HEADER TOUCH_FW_UPDATE
ACDUIMG.nbh
ACDUNV.nbh
ACDUDIAG.nbh
ACDUCONF.txt
ACDUDIAG.nbh
HTCIMAGE
simunlock
more.
HTCIMAGE
simunlock.
spcustom
prkey
wvkey_lv1
dpkey.
tamper
prmkey
wvkey_lv3.
sbl1_update
c:\apollo_bsp\accord_u_gdr2_00_s\wp\uefi\edk2\Build\Msm8960\RELEASE_RVCT31\ARM\EmbeddedPkg\Ebl\Ebl\DEBUG\Ebl.dll....
More info on the tools used to dump the UEFI can be found here. Thanks to CodeRush.
I have moved on to using PhoenixTool. Many options to choose from, including inserting SLIC, SLP, key and RW file; full customization of ACPI, OEM, RSDT, XSDT tables; preserve module size and many more features.
any use? I'm a noob.
fengsam said:
any use? I'm a noob.
Using the RUU configuration script in the ACDUCONF.txt would probably solve some issues with not being able to flash a ROM because of incorrect model number issues.
For instance, I cannot flash a factory ROM on my device because the text that shows up on the bootloader screen is incorrect, due to some of the Microsoft developer updates for Windows Embedded Compact and Handheld SDK updates that have been pushed to my device.
So using this [getdevinfo] should in theory return the RUU with the correct device info. The radio, dpp and boot partitions that are in the RUUs contain the device info that has to match for the. It just so happens that those config files can be changed without harming the signed .nbh (technically they are not signed images at all, only mostly encrypted, but still unsigned). I have not been able to dig up any documentation for the use of ACDUCONF.txt and how it should be properly used, but similar RUU config file usage has been documented since the early Windows Mobile days all the way up until Windows Phone 7. It's only as of yesterday that this information has been presented to the public.
I am 99% convinced that the HTC 8X UEFI can be configured to dual-boot or boot Android. Right now, with the UEFI that I extracted, modules can be altered, replaced, new ones can be inserted and at the same time be re-signed. The only issue is creating an .nbh. I think some old Windows Mobile tools can sign the image and a goldcard can be used on a USB thumb drive. The HD2 USB Y-cable dongles are OEM approved to be used with the HTC Accord and have the code written within the UEFI BIOS image itself.
HTC UEFI is very similar to Intel's EDK2, which is based on EDK II DevKit (Sourceforge.net), which is based off of TianoCore. Many of the packages are compatible. [MdePkg]
Though it is not TianoCore, some of their packages are still based off of the TianoCore EDK2 platform, along with many of the other EDK II development projects on http://www.sourceforge.net.
Also there are strings I found that allowed the use of a JAVACARD dongle, with which you can achieve S-OFF and security unlock (well, at least in the case of Android devices).
Then again, who has ever seen a Windows Phone 8 UEFI broken down like this before? None, or at least none that I can find. The closest I found was from forums in China, and the original source was being shared for the Huawei W1 and W2.
fengsam said:
any use? I'm a noob.
No,
@grilledcheesesandwich What PC BIOS Extraction tools did you use?
compu829 said:
@grilledcheesesandwich What PC BIOS Extraction tools did you use?
I forgot who made the tools, but I found them on the mydigitallife.com forums. They're called UEFIExtract.exe and UEFITool.exe. The extractions are not perfect and the rebuilding still is not working 100% on the 8X UEFI; the process requests files that only exist within the phone's memory.
sent from the moon
grilledcheesesandwich said:
I forgot who made the tools, but I found them on the mydigitallife.com forums. They're called UEFIExtract.exe and UEFITool.exe. The extractions are not perfect and the rebuilding still is not working 100% on the 8X UEFI; the process requests files that only exist within the phone's memory.
sent from the moon
http://forum.xda-developers.com/showthread.php?t=1966327
@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots)? Also, you need to use 7zip to extract the zip file to get to the tarball... it's not compatible with the built-in Windows zip utility.
compu829 said:
@grilledcheesesandwich What tool are you using to browse the UEFI BIOS (like you see in the screenshots?) Also, you need to use 7zip to extract the zip file to get to the tarball...it's not compatible with the built-in windows zip utility
I tarballed the BIOS after I extracted it so I could browse it in a flat view.
grilledcheesesandwich said:
I tarballed the BIOS after I extracted it so I could browse it in a flat view.
Problem is, even if you manage to repack the different modules (you could use Andy's tool for that; I got into BIOS modding some time ago), the phone will detect it and, since the signature has been broken, it won't flash. But I am quite interested in the volume dump, since I have an HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X ROM on it with the 8S signature ('t was an accident). You could try to get the offset you need to change with UIFR by Donovan: http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-cable method to flash the HTC 8X, it bypasses the signature checking done by the standard RUU. I do know that the NBH files for the HTC 8X are unencrypted. I have always wondered about hand-editing the MainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMs, so I never bothered with it because I can't lose AWS support.
hutchinsane_ said:
Problem is, even if you manage to repack the different modules (you could use Andy's tool for that; I got into BIOS modding some time ago), the phone will detect it and, since the signature has been broken, it won't flash. But I am quite interested in the volume dump, since I have an HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X ROM on it with the 8S signature ('t was an accident). You could try to get the offset you need to change with UIFR by Donovan: http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
OK, here is what I have so far. Ideas are still out there.
I need to find a tool that can extract a perfect capsule from the UEFI. Even though the UEFI binary partition is write-protected, the capsule may be writeable. No need to worry about signatures and keys as long as the capsule is back to its original size and expands as normal after being flashed to the device. Also no alteration can be done to the Security module within the capsule. That's OK because all the modules are contained within their own class and do not require signature verification. This has worked with Intel and Atmel UEFI BIOS. From what I can tell the HTC 8X has an embedded Atmel AT24C128BN EEPROM security chip present, and if their EEPROM is as easy as their TPM (trusted platform module) being used for security validation in the UEFI BIOS boot process on PC motherboards, in some theory that should be the case here too.
My overall plan is not only to expand the new development into custom ROMs. The plan is to fully defy Microsoft's most secure mobile retail device by handing them a fully customizable device without losing the featured security.
To my knowledge every HTC 8X has the built-in feature to change USB connection mode when plugged in to a PC. The only reason we cannot use this feature (the same feature offered in pre-Android 4.3 devices) is because the value in the registry is set to disableDialogmenu and the value is set to (1). I think if we can change this to (0) we will have a popup menu present when plugging in to a PC. I found this key earlier today while searching my phone's registry. I will post up this key later.
Another is Android. The HTC One S (Ville U) has identical hardware. I believe the hboot for Ville U is built just like the UEFI for the 8X, so close in fact that you can see the EBL module references the Ville U. OK so here's more. When I tore apart the Ville U RUU I found the exact same files that exist within the Accord RUU. The files I'm referring to are the platform info files that check for firmware compatibility. The only alteration needed would be to replace the secure boot binaries in the Ville U rom.zip and inject the certificates I have been holding onto.
I have 2 platform verification keys (PVK) I found in encrypted JTAG NAND dumps. Probably useless. It's a good reference start on a possible challenge with the DPP partition.
Self-signing certs is not a problem. I have everything to work around the issue of KEK, db, dbx, OVK and PVK keys and certificates. I found a dev who put together a wpdeveloper pack that creates all needed certificates for WP SoC, OEM and IHV development and also remotely sets up all the needed requirements and resources to build and flash a signed FFU. I can assure you HTC 8X FFUs exist, but the only way to get a Qualcomm Accord U full flash update is to build it. You do not have to be an OEM to build an FFU. There is a process to doing this. All you need is to create an empty zip archive labeled correctly like how Nokia FFUs look, and add specific XML SOAP scripts similar to the ones for CAB update checks, mainly the CABs that are labeled emptypackage.
I've come across a few but not enough. I think a workaround would be the Microsoft Cabinet SDK to rebuild what's missing. The CAB that contains all the XML provision licenses is needed for the FFU build as well. Now the documentation on the WP OEM site says you need the Phone Image Design tool to build an FFU........ oh darn, dead end.... nope, there is another way. Some confidential IHV documents demonstrate it, like the above mentioned empty zip file correctly labeled with the correct XML schemas laid out and then added to the zip. You must set up your PC environment with a Microsoft client connection to Redmond. They validate that your Contoso build zip is accurate and, if done correctly, you will be returned a fully built full flash update package. There's lots I did not mention. I should not.
So anyway, back to the topic. Once I can find all the correct libraries to correctly rebuild this UEFI, all options will be on the table. More like endless opportunities in customizations and features. Well, almost.
Lots of work needs to be done. Anybody else who has got the guts to conquer this with me, head over to mydigitallife; I'm sure you'll find endless threads there on UEFI BIOS hacking.
I completely sandboxed the HCK, ADK, Win SDK, Win Kits, WP SDK, ACK and VS2013.
ffutool.exe & ffuresources.dll
sent from the moon
compu829 said:
@grilledcheesesandwich I noticed lol.
From what I can gather, if one uses the Y-cable method to flash the HTC 8X, it bypasses the signature checking done by the standard RUU. I do know that the NBH files for the HTC 8X are unencrypted. I have always wondered about hand-editing the MainOS partition to enable a developer unlock for our devices. The only issue is that I have the T-Mobile variant, which has AWS HSPA+ enabled and unlocked. This radio firmware is not in the standard RUU for the EURASIA ROMs, so I never bothered with it because I can't lose AWS support.
I have a ROM that supports AWS HSPA. It's not directly T-Mobile, it's a WWE ROM. Also, mine is a T-Mobile USA variant, and the weird part is it's not the same as the other USA versions: mine has full LTE and GSM support and at one time was SIM unlocked. The serial number traced back to being built in Germany, and it was sold here in the USA.
I AM GOING TO HELP EVERYONE OUT HERE AND HOST MY COLLECTION OF HTC 8X ROMS AND 8S ROMS. I keep hearing that there are only 2 versions available for the 8X. I'm going to give everybody at least 6.
Sent from my Galaxy Nexus using XDA Free mobile app
hutchinsane_ said:
Problem is, even if you manage to repack the different modules (you could use Andy's tool for that; I got into BIOS modding some time ago), the phone will detect it and, since the signature has been broken, it won't flash. But I am quite interested in the volume dump, since I have an HTC 8S motherboard stuck in recovery mode because I tried to flash the 8X ROM on it with the 8S signature ('t was an accident). You could try to get the offset you need to change with UIFR by Donovan: http://donovan6000.blogspot.de/2014/02/universal-ifr-extractor.html
cheers, hutchinsane_
The IFR extractor does not work with an HTC 8X UEFI binary. I got an error instantly; I might be doing something wrong. I will do more testing with that one.
I heard there was some UEFI BIOS development going on with the HTC One. It may be possible to incorporate some of their knowledge into this project. The boards have some similarities, minus the processor cores, RAM and so on. I do know that MSM8960 code is compatible with the MSM8260A (HTC 8X) and APQ8064 (HTC One, DNA, and my favorite, my IFC6410 Qualcomm Snapdragon 600 ITX motherboard).
If you have the UEFI CAB update for your HTC 8S I could extract a dump of it for you and send it back.
compu829 said:
radio software version is 1.17b.32.19.14_15.62b.32.19
Firmware revision is 3030.0.34101.531
UEFI bootloader version is 0.0.3030.0(173542)
Chipset is the 8260A
Interestingly enough, in the about page is a spot that says "IMS: Not Registered"...I wonder if they are slipped in Wi-Fi calling support and didn't tell anyone?
from the HTC screen:
PM2322002 P S WP8 I
SBL1-303.000.R15
SBL2-303.000.110
SBL3-303.000.008
RPM-303.CRC.76B
TZ-303.000.241
UEFI-0.0.3030.0(173542)
OS-3.41.531.01
eMMC SMS 14910MB F-15
CID T-MOB010
Radio-1.17b.32.19.14_15.62b.32.19
MSM8260A v3.2.1-p1 0x707910e1
Krait:Nom Q6:Fast VDDCX:SLOW 0x30400
Touch FWS1:1195017,13106,41434467
Vdd_dig - 0.5v, 0x4
Nice, the only difference is mine is Nom Slow. I have a ROM that is almost identical too. What I have found out is that some of the NBH HTC Windows Phone 8 ROMs floating around out there are incorrectly labeled; even the 512KB headers are wrong too. When tearing down and dissecting some of these, it seems as though the partitions change. For instance I have 2 identical extractions, and on one I change all permissions to allow remote users and any NT or network admin or authority full control, let all the RUU files have 100% internet access through your firewall, then copy and run the RUU in Dependency Walker and find all the files that the RUU depends on. Most are in the Windows ActiveSync installer; the others are in your phone and need to be extracted and copied to the RUU folder. Why am I telling you this? You probably know this, being a senior member.
On that note, I've noticed that the 8S and 8X are obviously different from legacy Windows Mobile, mainly due to the GPT (GUID partition) format. Within system files from my phone and the 8X RUU I have found references to Leo, HD2, Shubert, Startrek, Hermes, and a few others, which led me into researching how WM, WinCE, WP7 and EC2013 devices were built using Microsoft SDKs. From what I can see, to the best of my knowledge, newer platforms still use some of the same source as older designs, and even though BSP kits for older builds are not one-click compatible with EC2013, shuffle a few files around, match the folder structures and alter some lines of code for Embedded Compact, and one will have incorporated classic features into a brand new operating system. I do not believe Qualcomm or Microsoft are hiding easter eggs; my guess is it was all HTC. OK so last year I bought an EVO Shift. Yeah yeah, funny haha. I was bored so I got this phone, unlocked it, raw dumped every partition and hexed away. In the hboot 7630 build I found strings that referenced Windows CE. I never took it any further than that, but I can see now that HTC has sloppy source control, or they did this on purpose to see if anybody would catch on.
OK, back to WP8. I will make this part quick. The WP8.1 SDK leaked emulator dump OEMprovisioning.exe app can be executed on an x64 Win8.1 desktop PC. Strange. I found some registry keys and drivers that allow my phone to run applications in Win32 compatibility mode. Enough said. I still do not know how it can be incorporated into apps.
About Wi-Fi calling: mine says IMS not registered too. I don't care on mine; its only purpose is to be hacked.
I need to do some work on the file write/read app. It somewhat works. Start tiles disappear and it broke my Wi-Fi. I need to incorporate the app into a file manager, maybe GoodDayToDie's webserver app.
Sent from my Galaxy Nexus using XDA Free mobile app
The above is way above my understanding, but I have an 8X that I'm more than willing to test with. Let me know if you need some testing.
utopiate said:
The above is way above my understanding but I have a 8X that I'm more than willing to test with. Let me know if you need some testing
Kind of dangerous if you ask me. If your phone is already bricked and it's just lying around as DEAD WEIGHT then what's the worst that could happen? Let me throw some stuff together. What is the condition of your phone?
Sent from my Galaxy Nexus using XDA Free mobile app
It's in fine working order running the dev preview and so a bit buggy. I'm just about to get a new phone so I don't mind testing with it.
Try the Huawei W1 ROM flashing method.
I found some registry keys that reference simpleio.efi in the T-Mobile variant 8X.
Sent from my Galaxy Nexus using XDA Free mobile app

[PROJECT] Real Unbrick for hard-bricked Moto Z Play (addison)

Welcome everyone!
This project has started because we need a real solution for the problem: the problem of hard-bricked Moto devices. It is like a curse.
When my device bricked I did solid research; I gathered a lot of information and files essential to revive my cellphone, but 5 years' experience of Linux, rooting, compiling kernels and ROMs weren't enough to make it work.
But never mind. I am even more determined and I am asking ALL of you guys here to help me. Together we will come to a solution.
Here is what I got, happy reading:
DICTIONARY:
PBL - Primary bootloader of the chip. This is like the BIOS for a phone: it checks the chip for damage and problems and then tries to load the SBL, but if the SBL is corrupted or the checksum doesn't match, the PBL invokes Qualcomm HS-USB QDLoader 9008 emergency mode. The PBL is hard flashed into the SoC and can't be corrupted by firmware.
SBL - Second stage bootloader, which is more advanced than the PBL. It initializes phone hardware and ABOOT.
ABOOT - Application bootloader (HBOOT). You probably know this one well. Android bootloader.
Full mmcblk0 backup - Backup of the whole phone flash storage, byte to byte.
blankflash - method of repairing MSM phones in 9008 state
programmer.mbn - Special type of software programmer that is sent to the chip in Qualcomm 9008 emergency mode. There it communicates with the PC via the firehose protocol. Each phone has a set of its own programmers; they are unique to the phone and other programmers don't work. These programmers are signed, so tampering with one results in a non-working one.
firehose protocol - used to tell the programmer what operations it must do on the chip.
singleimage.bin - this package contains instructions for the programmer and the set of files it needs (for example to replace)
gpt_main0.bin - Partition layout
rawprogram0.xml - instructions for the programmer
patch0.xml - I don't know yet
STAR.exe - Application for managing and editing the contents of singleimage.bin, aka blankflash files
QPST - Flash tool from Qualcomm; its basic function is to handle blank-flashing in a better way, and it also allows for in-depth debugging of the process
Qualcomm Premium Tool - Program made by Mppg Myanmar that is capable of unlocking bootloaders and OEM locks, making backup/restore of chip firmware, handling blank-flashing in a VERY specific way (creating instructions for the programmer), reading eMMC structure from firmware (can generate GPT layout, so very useful!!!), modifying FW and removing Xiaomi account. It also contains ALL programmers
For more:
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://alephsecurity.com/
https://github.com/alephsecurity/firehorse
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick
INFO:
1. What causes the brick
I bet $100 that you hard-bricked your Moto Z Play by installing OTA updates after downgrading firmware. This is the only known reason for me at the time of writing this. There is a most probable reason why it happens, look:
There are two most common chips on which smartphones are built: Qualcomm and MediaTek. While MediaTek chips are "modification friendly" and simple, Qualcomm chips are somewhat more advanced and have many features that can be enabled or disabled during programming in the factory. One of them is PBL signature checking. During programming of your phone, proper signatures of the SBL are written to it. When someone tries to override the default SBL with a new one, its checksums are compared with those stored. If they match, the new one is flashed; if not, then the update does not happen.
OK, but what does it have to do with the brick?!
I'll explain:
1. You decide to downgrade your firmware
2. During flashing, everything goes "well" (the phone boots), but truly the update is partial:
The FW in the chip is (obviously) more recent than the one you downgrade to, and the SBL signature is different (updated), so when it is compared to the signature of the SBL from the FW you want to flash, it doesn't match. That doesn't raise an error and flashing continues. The only partition that stays untouched is the bootloader, but all other partitions get replaced by those in the FW zip. The SBL is still compatible with the new partition offsets and partition layout overall, so the phone functions normally.
3. When the OTA is executed, it checks the version of the currently installed firmware. The most reliable way to do it is to check the checksum of the SBL, which is pretty logical because its checksum is like a "fingerprint" of the firmware. Normally, if it detected the old firmware, the OTA would be stopped, but the newer SBL tricks it and the OTA installs anyway.
4. The results are horrible, because the OTA does not check the GPT table and flashes partitions into bad sectors, corrupting the FW.
This causes the bootloader to go into Qualcomm HS-USB QDLoader 9008 safe mode.
5. Voila! Hard brick!
2. How to fix it?
That is a jolly good question! What we have to do is reflash the full chip firmware. Surprisingly I see some solutions, but those need to be developed:
A) SD-BOOT
It turns out that our fancy chip can probably boot from SD card! The procedure works like this:
- When the chip starts, one of the very first things it does is load the memory so it can actually work. The trick is that the chip loads it from a specific disk, marked with an exact name (I don't remember which, but I will do research). A specially prepared SD card can appear with that name, so the chip boots from it, not from internal memory. (This trick is proved to work on this model)
How to do it?
- Get a full dd of a working phone - it must be a phone with the SAME chip and very likely the same model
- flash it to an SD card of 32GB or more, class 10 speed or higher, directly to the card, not a partition
- put the card in the phone, turn it on and wait
- you should see HBOOT
- select fastboot and flash new FW via it
- voila!
!!!THIS IS A COMPLICATED PROCEDURE, I WILL MAKE A DETAILED THREAD SOON, BUT FOLLOW IT ONLY IF YOU KNOW WHAT YOU ARE DOING!!!
B) FIREHOSE/SAHARA ATTACK
This could be achieved by sending a payload via the Firehose programmer that would allow breaking verification of the SBL or somehow allow the SBL to be flashed. Now, the PBL blocks attempts to update the SBL. I have a thesis that it is because the PBL does not allow an SBL downgrade, so its version must be higher, but we try to flash the same version of SBL so it doesn't work. That thesis needs confirmation.
C) CRAFT BLANKFLASH
This would be the last resort. It will work for sure, but this method needs knowledge and I don't know if it is doable.
STEP 1: Get white-listed blankflash checksums from OTA (we would need to reverse engineer those)
STEP 2: Break hash
STEP 3: Craft blankflash with needed hash
STEP 4: Flash
NEVER USE BLANKFLASH (ATTENTION!)
DO NOT try any blankflash files. They can make the situation a lot worse and even physically (!) damage your phone.
D) JTAG
Medusa Box etc.
E) Qualcomm Premium Tool
This can even work, but it is untested and there is a slight chance that it can worsen the state of the phone (needs confirming).
The tool is very advanced and I need to gather info about usage, so it is very probable to be a good solution if we learn how to use it!
E) METHOD 7
Interesting method from this guy: (7th option, I have contacted him to ask if it is compatible)
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick/blob/master/Unbrick%20methods.md
3. DOWNLOAD
(Links will be added *soon*)
XDA:DevDB Information
Unbrick Development for Moto Z Play (addison) Full-Brick, Tool/Utility for the Moto Z Play
Contributors
Bobernator, Artim_96, Camarda
Version Information
Status: Testing
Created 2019-05-03
Last Updated 2019-05-03
Hi, same problem. Did you solve it?

[CLOSED] Reverse Engineering Android Boot Process - Need Help

Tl;dr = I have studied the boot process. I understand the Qualcomm SoC boot process PBL > SBL/XBL > and so on. I am trying to get a disassembly of the SBL. I dumped the eMMC and can view all its partitions. Now I am stuck at the 80-byte header containing the "Loading Address". I can't figure out where and how the processor jumps to this loading address.
Greetings XDA community. This post is more relevant to the developers and power users of Android and people who work as embedded developers/security researchers/reverse engineers in general.
Background - I am deeply interested in OSDev and running my own code on the hardware I own. Just like I am building my own bootloader for my PC, I had also been wanting to study the Android boot process for quite some time. In the last few days I got to it and found that the whole low-level ecosystem of Android, iOS and smartphones is really toxic and full of proprietary stuff. But I am still determined to make my own bootloader for my smartphone, even if it only displays the good old "Hello World" on that little black display. I am not concerned about bricking my few phones as they are pretty much useless to me now and can be used for RE purposes.
Some Useful Links - https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html , https://alephsecurity.com/2018/01/22/qualcomm-edl-1/ , https://lineageos.org/engineering/Qualcomm-Firmware/
Technicals - I copied the whole eMMC from my rooted phone (Xiaomi Mi4) and studied the boot process. So apparently the boot process goes something like PBL --> SBL --> and so on... I found the partition labelled SBL in the dump. I am trying to get code execution at the lowest level possible, but it seems I might not be able to resurrect the phone easily if I mess with the SBL (as the phone might not even go into EDL mode then). So I am first considering taking control after the SBL (and before aboot) with my own code (even if it includes some certificate/proprietary blobs from the manufacturer). But for this I have to understand what exactly the SBL is doing in my particular processor's case. So in the SBL partition is an 80-byte header (source: http://vm1.duckdns.org/Public/Qualcomm-Secure-Boot/Qualcomm-Secure-Boot.htm). This header contains a loading address for the processor. What I can't figure out is how the processor jumps to this address. The source says to "remove the header and then load the file in IDA Pro", but what file are they talking about (the eMMC dump? The partition? Something else?). How does the CPU use this loading address? In my particular phone the loading address is: 00 C0 00 F8 (https://imgur.com/a/ngfFsj5).
Please shed some light on this issue.
I've barely read it and never dealt with Qualcomm before, but:
Based on the article linked they seem to be referring to SBL1... but also it should be noted that, according to them, the PBL authenticates SBL1, so unless it's unlocked or you have a private key to sign your own SBL1 you're probably SOL.
Also, can't you just replace kernel/rootfs and achieve the same results utilizing the built-in bootloader?
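What the 80-byte header describes is a copy-and-branch performed by the PBL rather than a jump instruction in the dump itself: the PBL reads the header, copies the image body to the destination address it names, authenticates it and then branches there. The following is an added example (not from the post or the write-up it links) that decodes such a header in Python; the field layout and names are assumed from the commonly documented SBL1 boot header, and the sample bytes are constructed so the load address decodes to the 0xF800C000 that the bytes 00 C0 00 F8 in the question represent.

```python
import struct

# Layout assumed here: the 80-byte SBL1 boot header as 20 little-endian
# uint32 fields, following the commonly documented Qualcomm boot header.
# The field names are assumptions, not something the post states.
SBL_HEADER_FIELDS = (
    "codeword", "magic", "image_id", "reserved_1", "reserved_2",
    "image_src", "image_dest_ptr", "image_size", "code_size",
    "signature_ptr", "signature_size", "cert_chain_ptr", "cert_chain_size",
    "oem_root_cert_sel", "oem_num_root_certs",
    "reserved_5", "reserved_6", "reserved_7", "reserved_8", "reserved_9",
)
SBL_HEADER_LEN = 80
SBL_CODEWORD = 0x844BDCD1   # marks a flash-resident boot header
SBL_MAGIC = 0x73D71034


def parse_sbl_header(blob: bytes) -> dict:
    """Decode the header found at the start of an SBL partition dump."""
    if len(blob) < SBL_HEADER_LEN:
        raise ValueError("need at least 80 bytes of header")
    values = struct.unpack("<20I", blob[:SBL_HEADER_LEN])
    hdr = dict(zip(SBL_HEADER_FIELDS, values))
    if hdr["codeword"] != SBL_CODEWORD or hdr["magic"] != SBL_MAGIC:
        raise ValueError("codeword/magic mismatch: not an SBL boot header")
    return hdr


def check_layout(hdr: dict) -> list:
    """Sanity checks tying the fields together.  The PBL copies image_size
    bytes of body to image_dest_ptr, authenticates the code against the
    signature and cert chain that follow it, then branches to
    image_dest_ptr; so the pointers live in the destination address space
    and must line up with the sizes.  Returns a list of problems found."""
    problems = []
    body = hdr["code_size"] + hdr["signature_size"] + hdr["cert_chain_size"]
    if hdr["image_size"] != body:
        problems.append("image_size != code + signature + cert chain")
    if hdr["signature_ptr"] != hdr["image_dest_ptr"] + hdr["code_size"]:
        problems.append("signature_ptr does not follow the code")
    if hdr["cert_chain_ptr"] != hdr["signature_ptr"] + hdr["signature_size"]:
        problems.append("cert_chain_ptr does not follow the signature")
    return problems


def build_sample_header(dest=0xF800C000, code_size=0x1000,
                        sig_size=256, chain_size=0x800) -> bytes:
    """Constructed sample (not a real dump).  Its load address is the
    0xF800C000 that the bytes 00 C0 00 F8 decode to as little-endian."""
    f = dict.fromkeys(SBL_HEADER_FIELDS, 0)
    f.update(codeword=SBL_CODEWORD, magic=SBL_MAGIC,
             image_src=SBL_HEADER_LEN, image_dest_ptr=dest,
             image_size=code_size + sig_size + chain_size,
             code_size=code_size,
             signature_ptr=dest + code_size, signature_size=sig_size,
             cert_chain_ptr=dest + code_size + sig_size,
             cert_chain_size=chain_size, oem_num_root_certs=1)
    return struct.pack("<20I", *(f[name] for name in SBL_HEADER_FIELDS))


if __name__ == "__main__":
    hdr = parse_sbl_header(build_sample_header())
    print("load address 0x%08x, code 0x%x bytes, problems: %s"
          % (hdr["image_dest_ptr"], hdr["code_size"], check_layout(hdr)))
```

Run it against the first 80 bytes of a real SBL partition to read the destination address the PBL branches to; `check_layout` flags headers whose size and pointer fields do not agree, which is what a corrupted or mis-cut dump looks like.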
@vigilante_stark Thread closed as duplicate of "Reverse Engineering Android Boot Process - Need Help" on forum.xda-developers.com.
Please review the XDA Forum Rules with special emphasis on rule no. 5 and post only ONCE! Thanks for your cooperation.
Regards
Oswald Boelcke

Identifying EDL (Firehose) loaders

Maybe you already have a loader for Qualcomm "Emergency DownLoad" (EDL) mode.
Maybe you're looking for one.
You know what? A single loader is for more than one device. But it gets hairy with signing and manufacturers and stuff.
So, I've got a beta release utility here. It can (in most cases) identify which model Qualcomm processors a "Firehose" loader is designed for.
First, it's currently a Windows release.
Second, it doesn't work with the older .mbn style loader (since they don't include that information).
So, just go to My EDL page and go to the bottom and download qcomview.exe
Code:
C:\>qcomview.exe poke3.bin
APQ8096
APQ8098
MDM9250
MDM9255
MDM9350
MDM9650
MDM9655
MSM8996
MSM8997
MSM8998
QDF2432
SDA630
SDA636
SDA658
SDA660
SDM636
SDM658
SDM660
You can see the SDM636 (which is the actual processor on a Poke3).
Obviously, you have to select your own loader.
I've scanned through 200 loaders and I recognize all the processors.
If you see a "???" please quote it.
Edit: Maybe you're saying, "That ain't nothing but a "string" script!" Eh, mostly, but it is more clever and it sorts things.
Thanks for the tool. I have a small feature request: since xbl and the ELF firehose programmer use a similar structure (I guess), it would be useful if you added a way to check if xbl and the programmer are compatible (by comparing cert hashes?).
HemanthJabalpuri said:
It would be useful if you add a way to check if xbl and programmer are compatible...
It would be.
On your device you already have a ton of ELF images that have compatible signing.
The problem is, the certs are not identical since the lowest level (farthest away from the root authority) has things like dates and annotations and the bit fields are not the same.
I've not yet figured out how to generate from an ELF file the 256 bit "Hash" that EDL gets out of the device.
To those who don't know yet, I've added more things to this utility. It can check the regular hashes in the ELF files. If your device is not SecureBoot this can be handy if you want to patch. The hashes on the program segments in an ELF file are always checked; the signing is only checked if SecureBoot is on. So, if your SecureBoot is off, you can patch a file and run qcomview /h whatever.elf. As of now it can't correct wrong hashes, but you can simply hex-edit in the big-endian values and then double-check with the same command.
Code:
C:\>qcomview /h xbl
64 bit ELF, SHA384
0 00000000 000003f8 8a46a864b9bec352 69b1dadfcac64bfa a388f7bea37d855e 50f55170277c043c 87c862e23709fd96 34bb545ac49a3d64 OK
1 00001000 00001cd8
2 0005cd10 00002ab0 3d2e7c505458e1e7 9070b1957a8f2520 3bbcf288674548f1 7db146a86b314499 5890e1432dbac635 2bad53bfd2960908 OK
3 0005f7c0 00000d64 ac556708059a1315 41e774e34310b89f 3c3f13183b43fda9 9e3a34bd0899da4b bb43c1080a43925f fd8d6a2ecd864e29 OK
4 00076d70 00000000
5 0005cd10 00000000
6 00003000 0004cd04 a81ab8ec59e2dfb1 f2f98e3ac0a9a396 1cd9f0dfb5a5daa5 2cda2f52d4df97c8 bc398b24528fd10f cd47ced08596f61c OK
7 0004fd10 00000000
8 0004fd10 0000d000 e7d03abb34361774 e030039e096b3e25 64519024c5c15666 efecbd8006deaaae b87884e2bdab52cb e06a4a7a4873e1c5 OK
9 0005cd10 00000000
10 00060530 00016838 2ca0423b6e745b5f c69544b947556ff1 9d04792c579d2f53 d480d2fa738cac82 1674ddaab8078071 648cc10f384ec25a OK
11 00376d70 00022000 18bdbbdeac3e92c0 6f3e5f06f5aa91ae d0daa757a375bab6 5e90d4e2a52d8e95 2255d80c76637316 b24736223e0a0bd2 OK
12 0005cd10 00000000
13 00398d70 00048ded 794528234b46757a 3017481198fa8fd6 c9578e6565ec301a f0ab28fbe105c460 c7cc855f93576767 29302c26357a00bb OK
14 003e8490 00000000
15 003e1b60 0000692d 1354b9b55447ffb8 54ea17d1d9f1ea88 c84bd1045a6bd106 3b38df93fa049fa9 c1b245dc6106098a 0450a75bf7e5ce3f OK
16 00076d70 00300000 7341f2cde09d6a5f 53bcb90714f779a5 53c3ffeeff1824e5 437464f4bfcc545f 6719370d5d6c656d df96e81382315405 OK
For you Motorola users running into "range restricted", you can dump the ranges by:
Code:
C:\>qcomview /r motog.bin
Addr LUN Start Count
------ --- -------- --------
008220 0 0 32
008238 0 -5 5
008250 1 0 32
008268 1 -5 5
008280 2 0 32
008298 2 -5 5
0082b0 3 0 32
0082c8 3 -5 5
0082e0 4 0 32
0082f8 4 -5 5
008310 5 0 32
008328 5 -5 5
008340 1 0 2048
008358 2 0 2048
008370 3 0 2356
008388 5 0 2356
0083a0 0 2080 512
0083b8 0 0 256
0083d0 0 -33 33
0083e8 0 131072 284992
008400 0 416064 2048
008418 1 1 1
The UFS table is on top, followed by the eMMC table.
HemanthJabalpuri said:
It would be useful if you add a way to check if xbl and programmer are compatible (by comparing cert hashes?).
I've just added SHA256 fingerprint of the root CA to qcomview.
Code:
C:\>qcomview /f loader.bin
5adc6039 dcb297d4 0c55df73 1580248d a9e18b31 ccc43b45 36795313 f82fd430
If SecureBoot is enabled xbl/abl/Firehose must all have the same fingerprint.
(This also goes for the other two dozen ELF files in flash.)
For most devices this SHA256 will be the same that your EDL client prints out as "Hash".
There appears to sometimes be (on newer devices?) a discrepancy between root CA fingerprint and EDL "Hash".
Possibly the EDL "Hash" is the encrypted version?
In any case, all the fingerprints should agree.
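The per-segment hashes that the /h listing above prints can be recomputed from the ELF program headers alone, which is what makes the "always checked" integrity layer easy to verify offline. The following is an added example (not Renate's qcomview code) that does so in Python; it treats the hash-segment flag bits and the SHA384-for-64-bit / SHA256-for-32-bit choice as assumptions drawn from public documentation and from the listing's own first line, and it constructs its own test image.

```python
import hashlib
import struct

# Qualcomm tags its hash-table segment in p_flags bits 24..26 (segment
# type 2).  Assumed here from public documentation, not from the page.
QC_SEG_TYPE_MASK = 0x07000000
QC_HASH_SEGMENT = 0x02000000


def _program_headers(data: bytes):
    """Return (is64, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2          # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, p_offset, _va, _pa, p_filesz, _ms, _al = \
                struct.unpack_from("<IIQQQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, _va, _pa, p_filesz, _ms, p_flags, _al = \
                struct.unpack_from("<IIIIIIII", data, off)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    return is64, phdrs


def segment_hashes(data: bytes):
    """Digest every non-empty program segment the way the listing on this
    page does: SHA384 for a 64-bit ELF, SHA256 for a 32-bit one (assumed
    from the tool's output; real images record the choice in the hash
    segment's MBN header).  The hash segment itself gets no digest."""
    is64, phdrs = _program_headers(data)
    algo = hashlib.sha384 if is64 else hashlib.sha256
    rows = []
    for idx, (_t, p_flags, p_offset, p_filesz) in enumerate(phdrs):
        is_hash_seg = (p_flags & QC_SEG_TYPE_MASK) == QC_HASH_SEGMENT
        digest = None
        if not is_hash_seg and p_filesz:
            digest = algo(data[p_offset:p_offset + p_filesz]).hexdigest()
        rows.append({"index": idx, "offset": p_offset, "size": p_filesz,
                     "hash_segment": is_hash_seg, "digest": digest})
    return is64, rows


def format_listing(data: bytes) -> list:
    """Render rows in the 'qcomview /h' shape: index, offset, size, digest."""
    is64, rows = segment_hashes(data)
    lines = ["%d bit ELF, %s" % (64 if is64 else 32,
                                 "SHA384" if is64 else "SHA256")]
    for r in rows:
        lines.append("%d %08x %08x %s" % (r["index"], r["offset"],
                                          r["size"], r["digest"] or ""))
    return lines


def build_sample_elf64(segments) -> bytes:
    """Constructed test image: a little-endian ELF64 with one program
    header per (p_flags, payload) pair, payloads laid out after the headers."""
    ehsize, phentsize = 64, 56
    n = len(segments)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0xB7, 1, 0, ehsize,
                               0, 0, ehsize, phentsize, n, 0, 0, 0)
    phdrs, payload = b"", b""
    p_offset = ehsize + phentsize * n
    for p_flags, body in segments:
        # Qualcomm hash segments are PT_NULL (0); everything else PT_LOAD (1)
        p_type = 0 if (p_flags & QC_SEG_TYPE_MASK) == QC_HASH_SEGMENT else 1
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset,
                             0, 0, len(body), len(body), 0x1000)
        p_offset += len(body)
        payload += body
    return ehdr + phdrs + payload


if __name__ == "__main__":
    img = build_sample_elf64([(QC_HASH_SEGMENT, bytes(40)), (0x5, b"sbl code")])
    print("\n".join(format_listing(img)))
```

Point `segment_hashes` at a real xbl or Firehose loader to get the values to compare against the embedded hash table after a patch; a segment whose recomputed digest no longer matches the table is exactly what the on-device check rejects.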
Renate said:
Maybe you already have a loader for Qualcomm "Emergency DownLoad" (EDL) mode.
Maybe you're looking for one.
You know what? A single loader is for more than one device. But it gets hairy with signing and manufacturers and stuff.
So, I've got a beta release utility here. It can (in most cases) identify which model Qualcomm processors a "Firehose" loader is designed for.
First, it's currently a Windows release.
Second, it doesn't work with the older .mbn style loader (since they don't include that information).
So, just go to My EDL page and go to the bottom and download qcomview.exe
Code:
C:\>qcomview.exe poke3.bin
APQ8096
APQ8098
MDM9250
MDM9255
MDM9350
MDM9650
MDM9655
MSM8996
MSM8997
MSM8998
QDF2432
SDA630
SDA636
SDA658
SDA660
SDM636
SDM658
SDM660
You can see the SDM636 (which is the actual processor on a Poke3).
Obviously, you have to select your own loader.
I've scanned through 200 loaders and I recognize all the processors.
If you see a "???" please quote it.
Edit: Maybe you're saying, "That ain't nothing but a "string" script!" Eh, mostly, but it is more clever and it sorts things.
Hello, Renate
I am using your edl.exe programme. It works fine, but I would like to know whether the tool has any feature to flash using an XML file or not, and whether it supports UFS provisioning or not. Please confirm.
noob9t2 said:
Please confirm
Yes, it does UFS (with the /u flag).
No, it doesn't do these XML files. I find the whole idea a bit overblown.
If you're in the habit of overwriting every partition on your device often, simply:
Take the XML file and delete all the redundant stuff besides 1) partition name, 2) image filename.
Add in edl /w /p on each line.
Execute it as a batch file.
Thank you Renate for the reply. We flash the UFS chip using QFIL; after flashing with QFIL, we need to flash a patch file and check UFS provisioning to boot the device properly. On your tool, is there anything that needs to be done after writing a partition? If I write a single partition, will the phone boot normally?
noob9t2 said:
If i write a single partition, phone will boot normally?
Sure, if you didn't break anything.
The reboot command is edl /z
Ha! You motivated me to track down why some devices need you to do that command twice.
I just fixed it.
Download the special Valentine's Day release of edl.exe (from the usual place).
noob9t2 said:
We flash ufs chip using qfil after flashing on qfil?
So, if you're using QFIL there's a loader somewhere that you're using. Find it.
Please can you explain how the patch for the loader works?
roulo said:
Please can you explain how the patch for the loader works
Loaders are made by phone manufacturers from standard editions of xbl (the secondary loader) released by Qualcomm.
Sometimes they put in restrictions (like Lenovo/Motorola), sometimes they put in authorization (like OnePlus).
Sometimes there are two different versions, one with full capabilities, one without.
The word "patched" gets used often for the full capabilities loader.
Patching a loader yourself is not that difficult, the problem is that loaders must be signed and you can't do that.
Many components on Qualcomm SoC phones are signed.
This ensures a "chain of trust".
The only way that you can patch something is if your device does not have SecureBoot enabled.
If you know of a phone without SecureBoot, tell me and I'll buy a case of them.
I never had time but here is a starting point.
https://forum.xda-developers.com/t/k40-bricked.4538285/post-87978383
alecxs said:
I never had time but here is a starting point.
https://forum.xda-developers.com/t/k40-bricked.4538285/post-87978383
What I could read of that was talking about analyzing Firehose loaders for vulnerabilities, which you can.
I've largely disassembled a "restricted" Motorola Firehose loader and could patch it easily.
Still, unless some Motorola employee goes rogue I don't see how I could sign it.

Please help !! I bricked my LG K52

Hi everybody,
I may need the help of someone very experienced in flashing smartphones with Mediatek chipsets.
I wanted to unlock the bootloader of my K52, so I downgraded it to Android 10, then I unlocked it with MTKClient, but it got stuck in a bootloop.
Then, searching how to wipe userdata, I accidentally erased all partitions on the phone.
Now it won't boot anymore; I can only download it in BROM mode, with the "python mtk payload" command.
I've tried this guide, the K52 has exactly the same chipset, but with no chance.
Could anyone help me please?
I'd be very grateful! :3
Have you installed TWRP?
arfooux said:
Have you installed TWRP?
What part of 'wiped my whole flash' do you not understand?
Also I'm quite sure you are screwed, speaking from personal experience, as there are some partitions that just don't come with a stock ROM because they're for calibration and other purposes (I can't say what exactly, but things like the modem drivers to comply with regional authority and some such is a good bet).
So really you'd need a full mtkclient flash dump from a good K52 to then flash onto your bricked one.
P.S. My experience being that even though I've flashed a stock ROM to my X626B after a whole flash wipe I only get a bootloop and haven't been able to diagnose the problem on account nobody knows how to get a UART console without a bridge despite not needing one...
Hello,
Thanks for answering,
I have spent hours searching the web for different possible solutions to bring my phone back to life, and here is my progress so far:
- I've been able to extract the following partitions from a stock ROM KDZ file:
- boot: boot.img_1064960 and boot.img_1540096. I don't know if they are boot_a or boot_b; they look pretty similar in a hex editor, stripped like a .bin dump from the ROM, and when I run Get-FileHash on both with PowerShell I get exactly the same result (and this applies to all files with the same name)
- dtbo
- efuse
- ftm
- laf
- lk
- logo
- md1img
- OP_COM1_EU (3 different files, and the third has neither the same size nor the same contents in a hex editor as the other ones, so I guess a and b??)
- preloader
- patched_pgpt
- patched_sgpt
- rct
- scp
- spmfw
- sspm
- super (a lot of files with different sizes)
- tee
- userdata (a lot of files with different sizes)
- vbmeta_COM1_EU
I guess they are in the right format: when I compare in a hex editor the preloader file I extracted with a *.bin I found (I don't remember where), they are the same.
- I've managed to generate a scatter file from patched_pgpt with WWR
- I've connected my phone, used bypass_utility (https://github.com/MTK-bypass/bypass_utility) and flashed partitions using the scatter file with SP Flash Tool (https://spflashtool.com/)
- Now, when I open mtk_gui (https://github.com/bkerler/mtkclient), the read/write/erase partition tabs are not empty anymore; here is what I have:
- boot_para
- proinfo
- para
- efuse
- spare1
- nvcfg
- nvdata
- metadata
- misc2
- ftm
- mt_udc
- expdb
- frp
- protect1
- protect2
- seccfg
- nvram
- persist
- persist_lg
- p_persist_lg
- md1img_a
- spmfw_a
- scp_a
- sspm_a
- lk_a
- tee_a
- spare2
- logo_a
- dtbo_a
- vbmeta_a
- vbmeta_system_a
- vbmeta_vendor_a
- boot_a
- laf_a
- md1img_b
- spmfw_b
- scp_b
- sspm_b
- lk_b
- tee_b
- spare3
- logo_b
- laf_b
- eksst
- encrypt
- rct
- spare4
- power
- mpt
- fota
- els
- carrier
- srtc
- operatorlogging
- super
- OP_a
- OP_b
- userdata
- flashinfo
It looks pretty much like what I had before I was stupid enough to erase everything, so I guess I progressed in the right direction.
Anyway, the phone still doesn't start.
I can't get to download mode, fastboot mode, etc.
When I do python mtk plstage --preloader=preloader_muse6765_64_eh35_q.bin, Windows detects an LGE Mobile USB Serial Port in device manager, which then disappears after a few seconds and becomes a MediaTek USB Port, and loops like this.
So I guess something is missing.
My question is:
Which partitions do I need to flash to at least get Download Mode back, so that I can use the LG software and flash the KDZ?
I'll keep searching, but if anyone has information, or why not a full ROM dump, I'd be glad.
Best regards,
François
Just to give some updates, I've tried another tool to extract the KDZ file: https://gist.github.com/iscgar/e0da0868df7b2f179b000c61f12d1a8c
Now I have clearly named files: 0.boot_a.img, 0.boot_b.img, etc.
So, I'm manually flashing partitions. Each partition is mentioned in the scatter file generated by WWR as in this example:
Code:
- partition_index: SYS22
  partition_name: md1img_a
  file_name: md1img.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x17000000
  physical_start_addr: 0x17000000
  partition_size: 0x6000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  is_upgradable: true
  empty_boot_needed: false
  reserve: 0x00
So, for each one that has a .img file, I'm doing this:
Code:
python mtk wo 0x17000000 0x6000000 0.md1img_a.img
with 0x17000000 being the physical_start_addr line and 0x6000000 the partition_size line.
Not all partitions are in the directory; seccfg, fota, frp are missing, so, well, we'll see what happens.
So far, I have flashed boot_a, boot_b, laf_a, laf_b, lk_a, lk_b, logo_a, logo_b, md1img_a, md1img_b, sspm_a, sspm_b, spmfw_a, spmfw_b, rct, tee_a, tee_b, dtbo_a, dtbo_b, efuse, vbmeta_a, vbmeta_b, pgpt, sgpt.
I'm not sure about what I have done with OP; I flashed 0.OP_S.img into the OP_a partition.
Anyway, so far, I've tried
power : nothing
power + vol up : nothing
power + vol down : nothing
power + both vol buttons : nothing
But, with python mtk plstage --preloader=preloader_muse6765_64_eh35_q.bin as usual, the LGE device appears for a few seconds in the device manager, and something more: the phone displays the LG K52 boot screen for a few seconds, then turns back off.
Not great yet, the phone is still not usable, but it's encouraging!
I'll keep you informed!
Nothing else than this yet, but it's satisfying to see progress, and I wanted to share this with you.
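The loop described in this post (one python mtk wo per scatter entry that has an image), written out as an added Python example; it is not code from the post or from mtkclient. The scatter sample is constructed from the entry quoted above (seccfg's address and size are made up), and the image-size map stands in for the extracted KDZ directory. Beyond what the post does by hand, it refuses an image larger than its partition, which would otherwise spill into the neighbouring one.

```python
import re

# Constructed sample: two entries in the layout of the WWR-generated scatter
# file quoted above (md1img_a from the post; seccfg's values are made up).
SAMPLE_SCATTER = """\
- partition_index: SYS22
  partition_name: md1img_a
  file_name: md1img.img
  is_download: true
  physical_start_addr: 0x17000000
  partition_size: 0x6000000
- partition_index: SYS23
  partition_name: seccfg
  file_name: NONE
  is_download: false
  physical_start_addr: 0x1d000000
  partition_size: 0x800000
"""

def parse_scatter(text):
    """One dict per '- partition_index' block; values are kept as strings."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*(-\s*)?(\w+):\s*(.*?)\s*$", line)
        if m and m.group(1):          # a leading '-' opens a new entry
            cur = {}
            entries.append(cur)
        if m and cur is not None:
            cur[m.group(2)] = m.group(3)
    return entries

def plan_writes(entries, images):
    """Build 'python mtk wo <addr> <size> <img>' argv lists as in the post.
    `images` maps the extractor's '0.<partition>.img' names to sizes in bytes.
    Entries with no image, or an image bigger than the partition, are skipped."""
    cmds, skipped = [], []
    for e in entries:
        name = e["partition_name"]
        start, size = int(e["physical_start_addr"], 16), int(e["partition_size"], 16)
        img = f"0.{name}.img"
        if e.get("is_download") != "true" or img not in images:
            skipped.append(f"{name}: no image to flash")
            continue
        if images[img] > size:        # would overwrite the next partition
            skipped.append(f"{name}: {images[img]} bytes > partition {size} bytes")
            continue
        cmds.append(["python", "mtk", "wo", hex(start), hex(size), img])
    return cmds, skipped
```

The returned argv lists can be fed to subprocess.run one at a time, and the skipped list tells you which partitions (seccfg, fota, frp in the post) still have no source image.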
I just copied the super partition; now when I push the power button, it vibrates, displays the LG K52 boot screen, and displays "All Slots are unbootable" in red.
I can get neither download mode nor fastboot, but I'm confident I'm getting close to getting it working again!
Well, I tried to flash everything again, and now the phone is dead again, no more vibration and no more logo...
I noticed it was possible to communicate with the BROM over a UART interface at a baud rate of 115200, 8 bits, 1 stop bit, no parity and no flow control. I found a document yesterday explaining that a few commands could be called like 'Version', 'Start', 'Jump', but nothing happens when I try with PuTTY.
If somebody can help I'd be very glad!
Okay, after I don't know how many attempts, I managed to have the phone powering on again after flashing with SP Flash Tool
buuuuuuut
Something more!!
Now, it doesn't only bootloop when the BL is unlocked, it also displays a message I didn't have the first time I could power it on again!
I haven't progressed more so far; may anyone have a suggestion?
I've tried :
- reflashing everything
- removing AVB header in the boot partition img to disable verified boot just in case it would change something (replacing the 256 bytes of the header of AVB in HxD with zeroes)
- the whole process from KDZ to manually reflash partitions with another stock ROM to see if it changes something
- erasing userdata, md_udc and metadata
- python mtk payload --metamode FASTBOOT => won't boot in fastboot
I'm now out of ideas...
It keeps displaying in a bootloop the LG logo, then either "all slots are unbootable" or "Your device cannot be checked for corruption. Lock the bootloader".
All I think I know is that to reach that far in the startup process, it means we're in the LittleKernel (AM I RIGHT? PLEASE CAN ANYONE CONFIRM?), and I may have something interesting if I manage to build a custom one with debug symbols, but with no source code related to MT6765 anywhere on the internet, I guess I'm kinda stuck...
And at the same time, just to try, I built a custom LK with ARM target from the GitHub source code; it generates an LK and an LK.img, but in HxD the first bytes are very very very different: the one from my LG stock ROM starts with I don't know how many rows full of "0xFF" bytes, the built one doesn't...
Does anyone have an idea of what I may want to do to find what's wrong with the boot process of my phone?
Up ?
Maybe I can help you solve this problem, because I use the same mobile phone as you. But after repairing the boot, your phone may lose the serial number, so far, I do not know how to repair the serial number. If I have time, I'll look into it
When I turn it on now, if I push the PWR, VOL+ and VOL- buttons simultaneously, it shows barcodes with S/N, IMEI and manufacturing dates, and all are zero.
Honestly, I don't mind if I don't have the S/N anymore. I know all the numbers have been wiped out; now even the IMEI consists of zeroes. I've called Orange customer service, so they told me the IMEI of the terminal I used with my SIM card between Feb 2021 and Mar 2023, so I'm gonna have to find a way to reinject it, but it's okay, I'll find a way. I don't know how yet, but if at least I can get it starting again I'd already be more than happy.