Boot Pixel 4a into EDL - Google Pixel 4a Questions & Answers

I've bought one of those locked Pixel 4As running on ArcaneOS and it's got a locked bootloader but the issue is that like everybody else, I can't do much with the phone. So I'm wondering if there's a way to get a phone into the EDL and then flash the stock firmware through QPST?

Todos123 said:
I've bought one of those locked Pixel 4As running on ArcaneOS and it's got a locked bootloader but the issue is that like everybody else, I can't do much with the phone. So I'm wondering if there's a way to get a phone into the EDL and then flash the stock firmware through QPST?
Don't think it's possible as Google doesn't release the firehose (needed by qfil) for pixel phones.
Numerous other device mfg do release the firehose file. Some of them use the same chip as what's in the 4a, but from what I read (I've never tried this), the other mfg file, even though it's for the same chip, won't work.
So ArcaneOS is locking the bootloader and u are now unable to unlock it?

AsItLies said:
Don't think it's possible as Google doesn't release the firehose (needed by qfil) for pixel phones.
Numerous other device mfg do release the firehose file. Some of them use the same chip as what's in the 4a, but from what I read (I've never tried this), the other mfg file, even though it's for the same chip, won't work.
So ArcaneOS is locking the bootloader and u are now unable to unlock it?
I've found an mbn file for the pixel 4a and it may be possible to do something with it in qfil (?) but I am unsure. Haven't managed to boot my phone in EDL.
As for the ArcaneOS, I am unsure if it locks the bootloader itself or you need to lock it manually after flashing it. Mine has ArcaneOS installed with no build number which means no access to developer options. There are some articles on pixel phones with this ROM on them and they were apparently used by the FBI undercover agents to sell them to the criminals and catch them.
As of writing this reply, the options for making the device usable are either changing the UFS chip or getting your hands on a broken pixel 4a with a working motherboard. Those usually go from 70 - 100€ from what I've seen. I haven't been able to find one in my country yet.
The issue with changing the UFS chip is that it's hard to find one. I've only found a couple on Ali Express for about 25€. Another issue is that apparently where I live they charge anywhere between 100 - 400€ for a memory chip replacement. What a joke

Todos123 said:
I've found an mbn file for the pixel 4a and it may be possible to do something with it in qfil (?) but I am unsure. Haven't managed to boot my phone in EDL.
As for the ArcaneOS, I am unsure if it locks the bootloader itself or you need to lock it manually after flashing it. Mine has ArcaneOS installed with no build number which means no access to developer options. There are some articles on pixel phones with this ROM on them and they were apparently used by the FBI undercover agents to sell them to the criminals and catch them.
As of writing this reply, the options for making the device usable are either changing the UFS chip or getting your hands on a broken pixel 4a with a working motherboard. Those usually go from 70 - 100€ from what I've seen. I haven't been able to find one in my country yet.
The issue with changing the UFS chip is that it's hard to find one. I've only found a couple on Ali Express for about 25€. Another issue is that apparently where I live they charge anywhere between 100 - 400€ for a memory chip replacement. What a joke
edit to add: didn't realize but yes it does look like the proper mbn file *might* allow u to flash stock firmware? Not sure, haven't done it, from what I read the appropriate xml would be needed also... not sure.
... end edit
Just got finished reading the entire Arcane OS thread in same forum. Getting the device into EDL mode shouldn't be a problem, and qualcomm device is capable of that and afaik, it's impossible to defeat that.
but, it's no help if u don't have the programmer firehose file, as u simply can't access the device without it. I've used edl / firehose files for LG devices, but they somehow (the firehose files) become 'leaked' (probably by LG).
But google, nope, I've looked due to the pix 3 (and some others) inadvertently bricking themselves (no one sure why), where u just pick up the device and u have a blank screen. But if u plug it into pc it will connect as QLoader etc (it's basically stuck in edl mode).
But those devices can't be fixed either, same issue in that there's no firehose programmer file for it. So u simply can't access the device.

AsItLies said:
edit to add: didn't realize but yes it does look like the proper mbn file *might* allow u to flash stock firmware? Not sure, haven't done it, from what I read the appropriate xml would be needed also... not sure.
... end edit
Just got finished reading the entire Arcane OS thread in same forum. Getting the device into EDL mode shouldn't be a problem, and qualcomm device is capable of that and afaik, it's impossible to defeat that.
but, it's no help if u don't have the programmer firehose file, as u simply can't access the device without it. I've used edl / firehose files for LG devices, but they somehow (the firehose files) become 'leaked' (probably by LG).
But google, nope, I've looked due to the pix 3 (and some others) inadvertently bricking themselves (no one sure why), where u just pick up the device and u have a blank screen. But if u plug it into pc it will connect as QLoader etc (it's basically stuck in edl mode).
But those devices can't be fixed either, same issue in that there's no firehose programmer file for it. So u simply can't access the device.
Ah that's very unfortunate. Well, might as well wait some time. Someone may figure out how to forcefully unlock the bootloader or the firehose file might get leaked. Who knows... If not, then hopefully I can get a broken pix 4a and just swap the motherboard to my locked one.
Thanks anyways!

Todos123 said:
Ah that's very unfortunate. Well, might as well wait some time. Someone may figure out how to forcefully unlock the bootloader or the firehose file might get leaked. Who knows... If not, then hopefully I can get a broken pix 4a and just swap the motherboard to my locked one.
Thanks anyways!
IMO, the device was flashed with a custom public key to the avb_custom_key partition.

Related

ZTE A521 BL unlock and rooting Help

Hello devs, I got a ZTE A521. You might not know it, as it is mostly used in Mexico. It's Qualcomm MSM8909 SoC based; CPU details and more info can be found out there.
As it is a Qualcomm device running Android 7.1, its BL is locked. I tried to root it with conventional methods, such as Magisk, but unsuccessfully. It has a working fastboot and EDL mode can be easily accessed with a button combo. I also tried to unlock the BL through fastboot, but all commands seem to be disabled. Commands like reboot, flash or oem unlock only throw "unknown command".
With a useless fastboot in the way and no support, I gave up trying to root it. However, I was still searching for info and such.
One day I got the idea of pulling files from the system with ADB to see what I could find there. I ended up pulling build.prop.
While I was examining it I found this flag, which I had never seen in any build.prop:
HTML:
# set fastboot locked for cts
ro.boot.flash.locked=1
When I saw that I immediately knew why fastboot was useless. But how can I modify it? The BL is locked. I was thinking of flashing a modified system through EDL with QPST, but then I thought of the possibility of getting a bootloop, as the bootloader will reject all unsigned partitions.
I managed to find a correct firmware according to the device SoC and vendor (the firmware you might see for this device on Google is not right; that one was meant for MTK, and it's dual SIM).
However, the firmware I found seems to be encrypted. None of the partitions can be unpacked. I checked the rawprogram.xml file from it and confirmed this. I'm not sure whether it came encrypted from the device or got encrypted in the dumping process (the firmware was dumped from a working phone).
And here's the problem. I can't find the specific firehose for this phone, and without that, QPST is useless. There are some programs that I'm pretty sure have the firehose I'm looking for, but those are box dongles.
I don't know what to do now; this phone is getting useless without root for me, and I can't find any clue of support out there. Hope you could give it a check and see if there's something I can do, at least to modify build.prop to remove that flag.
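
Added example, not part of the original post or thread: a small parser that reads either `adb shell getprop` output or a pulled build.prop and reports the lock state from `ro.boot.flash.locked` (the flag quoted above) together with the verified-boot root of trust, which is where a custom key in `avb_custom_key`, as suggested in the Pixel 4a thread, shows up as a locked device in the "yellow" state. `ro.boot.verifiedbootstate` and `ro.boot.vbmeta.device_state` are standard Android properties that the thread does not mention; the sample inputs are constructed and the function names are hypothetical.

```python
import re

# Constructed samples for illustration; not taken from any real device.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [yellow]
[ro.boot.vbmeta.device_state]: [locked]
[ro.product.model]: [ExamplePhone]
"""
SAMPLE_BUILD_PROP = """\
# set fastboot locked for cts
ro.boot.flash.locked=1
"""

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

# Android Verified Boot colour -> which key the bootloader verified against.
ROOT_OF_TRUST = {
    "green": "oem-key",        # locked, vendor-embedded key
    "yellow": "user-set-key",  # locked, key enrolled by whoever flashed it
    "orange": "unverified",    # unlocked, nothing enforced
    "red": "failed",           # verification failed
}


def parse_props(text):
    """Accept `getprop` output ([key]: [value]) or build.prop (key=value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = GETPROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
        elif "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def boot_trust_summary(props):
    """Summarise lock state and root of trust; flag contradictory values."""
    flag = props.get("ro.boot.flash.locked")
    state = props.get("ro.boot.vbmeta.device_state")
    colour = props.get("ro.boot.verifiedbootstate", "").lower()

    # Each property that carries a recognisable value votes on "locked".
    votes = set()
    if flag in ("0", "1"):
        votes.add(flag == "1")
    if state in ("locked", "unlocked"):
        votes.add(state == "locked")

    findings = []
    if len(votes) > 1:
        findings.append("lock properties disagree")
    locked = next(iter(votes)) if len(votes) == 1 else None
    if colour == "orange" and locked is True:
        findings.append("orange state reported on a locked device")
    if colour in ("green", "yellow") and locked is False:
        findings.append(colour + " state reported on an unlocked device")
    return {
        "locked": locked,
        "root_of_trust": ROOT_OF_TRUST.get(colour, "unknown"),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("getprop", SAMPLE_GETPROP), ("build.prop", SAMPLE_BUILD_PROP)):
        print(name, boot_trust_summary(parse_props(sample)))
```

The `ro.boot.*` values originate from the bootloader but are reported by the running OS, so on a device whose OS image is not trusted the result is self-reported rather than proof of the boot state.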

Question [WW Device] EDL Tool and Bootloader Unlocking

Hello
Currently owning a ROG Phone 5 WW edition, I'm planning to unlock the bootloader soon and do a few other things.
Before starting to really mess with it, I'd like to know about any existing EDL tool I could use to dump some/all of the device partitions, possibly before unlocking it, so I could use them if I ever brick the device during the experiments.
I've been checking adb and fastboot commands, but I'm very restricted in what I can do now, and some people said that the bootloader can only be unlocked once with the official tool, but I think that it may be possible to unlock the bootloader multiple times with it, as long as it's properly relocked/encrypted.
I'm really new to this EDL stuff and Asus devices in general, so any info is welcome!
(Please mention the edition WW or CN if you say anything device-related, as they both seem to differ in their behavior)
zvrsd said:
Hello
Currently owning a ROG Phone 5 WW edition, I'm planning to unlock the bootloader soon and do a few other things.
Before starting to really mess with it, I'd like to know about any existing EDL tool I could use to dump some/all of the device partitions, possibly before unlocking it, so I could use them if I ever brick the device during the experiments.
I've been checking adb and fastboot commands, but I'm very restricted in what I can do now, and some people said that the bootloader can only be unlocked once with the official tool, but I think that it may be possible to unlock the bootloader multiple times with it, as long as it's properly relocked/encrypted.
I'm really new to this EDL stuff and Asus devices in general, so any info is welcome!
(Please mention the edition WW or CN if you say anything device-related, as they both seem to differ in their behavior)
Wait some time, until something better comes out; don't make your Asus ROG 5 phone an expensive brick right away!
WAIT or PAY the PRICE.
I did pay the price, and my phone is beyond repair; had to get a new one.
Just wait.
Still waiting for EDL firmware. Hope it's released soon.
m8822 said:
WAIT or PAY the PRICE.
I did pay the price, and my phone is beyond repair; had to get a new one.
Just wait.
Could you tell me more about what you did exactly ? And the current state of that device ?
Are you still able to boot it into EDL mode ?

Question Any solution to remove the annoying bootloader unlocked message ?

Hi everyone, this question is for developers who have some bases in hexadecimal programming, I would like to know if it is possible to remove the message after unlocking the bootloader, I had an LG V20 H990DS and I had followed the tutorial on this thread and it was working fine, is there a similar solution for the ROG 5.
[Guide][MOD] Hide unlocked Bootloader warning boot screen
. This fix is for those who want to get rid of the annoying Red Corruption warning screen!!. Disclaimer: You apply the fix at your own risk. I'm not responsible for any software or hardware damage it can lead. The only thing i can assure is...
forum.xda-developers.com
zinou213 said:
Hi everyone, this question is for developers who have some bases in hexadecimal programming, I would like to know if it is possible to remove the message after unlocking the bootloader, I had an LG V20 H990DS and I had followed the tutorial on this thread and it was working fine, is there a similar solution for the ROG 5.
That depends. I modified a Teclast T30 bootloader (Mediatek garbage) that forced a delay and printed an orange error message about the bootloader being unlocked. A bit of Arm64 reverse-engineering and I shorted the delay to 0ms (none, basically) and just cut the string short (null-byte) and it works fine on my junker tablet. I've just bought an ASUS ROG Phone 5, getting into it, but I'm nervous about touching anything without, say, TWRP or without knowing how to do a full raw backup and restore.
Yuji Saeki said:
That depends. I modified a Teclast T30 bootloader (Mediatek garbage) that forced a delay and printed an orange error message about the bootloader being unlocked. A bit of Arm64 reverse-engineering and I shorted the delay to 0ms (none, basically) and just cut the string short (null-byte) and it works fine on my junker tablet. I've just bought an ASUS ROG Phone 5, getting into it, but I'm nervous about touching anything without, say, TWRP or without knowing how to do a full raw backup and restore.
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
There ya go. Good luck
twistedumbrella said:
RAW Firmware Collection and Guide
All fastboot / adb commands require using the side USB-C port https://developer.android.com/studio/releases/platform-tools.html#download Make sure you have fastboot installed Add platform tools to PATH (post 2) Make a backup of anything...
forum.xda-developers.com
There ya go. Good luck
Thanks. Just waiting to figure out how to do a raw backup and restore, then I can get to it. If TWRP isn't required to do a raw backup and restore, then I can also begin work on porting TWRP. I've some experience, but not the most when it comes to TWRP porting.
*Edit* I'd like to add, reverse-engineering the ASUS Unlock Tool seems to show the limits on unlocking may be artificial by ASUS. Uses a call-home to fetch data to unlock with. The logic though may be in another castle, I mean package. The FOTA app does the same thing.
*Edit* By the way, does anyone have the exact message that displays about the bootloader being unlocked? I might be able to begin work tracking it down to remove as well as any delay (if there is one).
Some mods target the abl.img (possibly Android Boot Loader) so that may be one place to start. I personally never bother with backups, so I didn't really consider that. All of the data for my apps is synced and everything else is installed from Google Play. I guess that would be a bit more difficult if this were my primary phone.
The text for fussing is in tz.img, or at least it is *one location* with it. But since this is a stupid Tencent version, I can't flash anything to test, otherwise I'd have done it by now. Ah well. Sending the Tencent POS back.
OK, so the possible partitions to look deeper into are abl.img and tz.img. Can anyone help us with some more information to remove this annoying message? Thanks to all for your participation.
Use payload_dumper and a hex editor to compare the original to yours.
Still Waiting for help to remove this message, if anyone has the solution

Verizon cross to global?

Hi everybody
I'm struggling with Pixel 3 OEM enabling, which is already grayed out, and a carrier locked issue
I've done anything but this thing is still locked
Is there any way to unlock it? Or cross ROM to global to unlock it?
It looks like Verizon
Thanks
Unfortunately a Verizon branded Pixel is not unlockable, and it is not possible to reflash the global firmware because flashing anything requires an unlocked bootloader.
If you aren't sure it's Verizon, you can try this:
Remove the SIM
Factory reset the device
Skip through setup, make sure you connect to a wireless network
Manually set the clock 1 week ahead
Use *#*#checkin#*#* to force a checkin
Leave the device overnight and see if OEM Unlocking is toggleable
Again, if this is for sure a Verizon device, unlocking the bootloader is not possible.
V0latyle said:
Unfortunately a Verizon branded Pixel is not unlockable, and it is not possible to reflash the global firmware because flashing anything requires an unlocked bootloader.
If you aren't sure it's Verizon, you can try this:
Remove the SIM
Factory reset the device
Skip through setup, make sure you connect to a wireless network
Manually set the clock 1 week ahead
Use *#*#checkin#*#* to force a checkin
Leave the device overnight and see if OEM Unlocking is toggleable
Again, if this is for sure a Verizon device, unlocking the bootloader is not possible.
Well, it looks like Verizon, because I've done many other brands but this is very hard to fix. I thought we'd be able to write a global EDL ROM via EDL, but now I think that's also not possible.
Mr Hassan said:
Well, it looks like Verizon, because I've done many other brands but this is very hard to fix. I thought we'd be able to write a global EDL ROM via EDL, but now I think that's also not possible.
As far as I know, the EDL files are not available. If they were, we wouldn't be having this conversation.
V0latyle said:
As far as I know, the EDL files are not available. If they were, we wouldn't be having this conversation.
And what about loaders? If a loader is available then we can take a backup of the ROM.
Assuming we have EDL files or a dump, is it then possible to do something?
Mr Hassan said:
And what about loaders? If a loader is available then we can take a backup of the ROM.
Assuming we have EDL files or a dump, is it then possible to do something?
Again, if this was possible, we wouldn't be having this conversation. As with most Qualcomm devices, the Pixel 3 has a QPST mode - for Qualcomm Product Support Tool. This tool is not freely available. As far as I know, it can only be used to write binary images to the chips as one might when attempting to resurrect the device; it cannot be used to dump the contents of a device. This idea has been explored before to no success. Unlocking the Verizon bootloader simply isn't possible, and there simply isn't any way around it.
V0latyle said:
Again, if this was possible, we wouldn't be having this conversation. As with most Qualcomm devices, the Pixel 3 has a QPST mode - for Qualcomm Product Support Tool. This tool is not freely available. As far as I know, it can only be used to write binary images to the chips as one might when attempting to resurrect the device; it cannot be used to dump the contents of a device. This idea has been explored before to no success. Unlocking the Verizon bootloader simply isn't possible, and there simply isn't any way around it.
In case I brick my device and now it's in 9008 mode, then how can I back my device?
Mr Hassan said:
In case I brick my device and now it's in 9008 mode, then how can I back my device?
You could if we had the binary files for use with QPST, but we don't. A bricked device can only be recovered by someone with both the necessary tools and binary images, which again are not available.

ROOT and/or TWRP without bootloader unlock?

Has anyone been able to successfully root or flash TWRP using QPST/QFIL without unlocking the bootloader on lmi?
jason88fr said:
Has anyone been able to successfully root or flash TWRP using QPST/QFIL without unlocking the bootloader on lmi?
I'd be surprised.
What is the problem?
hey @NOSS8
I'd be surprised too lol.
No problem really, I came across some info and went down a little rabbit hole and arrived at the conclusion that it seems to be possible to have root on a locked bootloader but the key is apparently some "firehose" programmer files that I can't seem to find anywhere, which when used in conjunction with QPST and a device in EDL mode would in effect allow modification of the boot.img for the sake of rooting the device.
I'm still trying to find out more because I read some time ago on how android verified boot works, so I am sceptical especially when the people that seem to be doing it on youtube are those that unlock devices for a living or are just enthusiasts, both parties seem to glean toward it being possible without any specialised equipment /box/dongle with a success rate depending on flashing order.
So I started searching for the possibility of it being done on lmi.
jason88fr said:
hey @NOSS8
I'd be surprised too lol.
No problem really, I came across some info and went down a little rabbit hole and arrived at the conclusion that it seems to be possible to have root on an unlocked bootloader but the key is apparently some "firehose" programmer files that I can't seem to find anywhere, which when used in conjunction with QPST and a device in EDL mode would in effect allow modification of the boot.img for the sake of rooting the device.
I'm still trying to find out more because I read some time ago on how android verified boot works, so I am sceptical especially when the people that seem to be doing it on youtube are those that unlock devices for a living or are just enthusiasts, both parties seem to glean toward it being possible without any specialised equipment /box/dongle with a success rate depending on flashing order.
So I started searching for the possibility of it being done on lmi.
You say "with a locked bootloader" and then the opposite, typos?
Possible with a MediaTek soc device, not Qualcomm.
Finally to flash in EDL mode you must have a special authorization that only repair centers have.
A few years ago it was easy to access and modify the system, then there were the dynamic partitions, then the A/B partitions and the limitations imposed by GOOGLE with A12 A13.
On YouTube you can find everything and anything, unlike XDA.
An example here, of useless persistence.
https://forum.xda-developers.com/t/flashing-edl-problem.4534297/
NOSS8 said:
You say "with a locked bootloader" and then the opposite, typos?
Possible with a MediaTek soc device, not Qualcomm.
Finally to flash in EDL mode you must have a special authorization that only repair centers have.
A few years ago it was easy to access and modify the system, then there were the dynamic partitions, then the A/B partitions and the limitations imposed by GOOGLE with A12 A13.
On YouTube you can find everything and anything, unlike XDA.
An example here, of useless persistence.
https://forum.xda-developers.com/t/flashing-edl-problem.4534297/
yep it was indeed a typo.
I did see a lot of MTK stuff.
Fair enough.
Also, "useless persistence" I believe is the main cause of so many bricks in forums I've seen in the last couple days chasing the same dream.
