Related
solved
TheFixItMan said:
This guide is for hard bricked Moto G5 Cedric
Hard bricked means a device which can not enter bootloader mode normally
This method has now been confirmed working
XT1672 32gb version (also works with XT1670 XT1671 and XT1676)
Download mmcblk0 image from here
Thanks to @jcbotelho for providing image
Requirements
Freshly formatted microSD card of at least 32gb
7zip
Linux mint live usb/dvd
USB card reader
Method
The BEST method to flash the sdcard with mmcbk0.img file is to use LINUX!
Windows user have no need to install Linux in pc, you can run Linux from a bootable usb-stick or pendrive that is at least 8gb
0) Put the Moto g5 on mains charge until you have finished flashing the sdcard so it's fully charged ready for the boot test!
1) Run linux, preferable cinnamon or mate versions of linux Mint
2) Insert the sdcard in pc or card reader and open "Disks" app
3) In "Disks" app select sdcard and you will see the sdcard partitions
4) Press "-" to delete the partition (delete all partitions if there is more than one)
5) Press "+" to create a new one and name it mmcblk0, set FAT(FAT32) file format and press "CREATE"
6) Press "Play" button to mount the sdcard, look to see what path the sdcard has (/dev/sd??) and then close the "Disks" app
7) Go to Desktop, open "Computer" and navigate to the location when the img file is extracted (mmcblk0.img)
8) Open the window where img file is with root (right click on window and select "open as root")
9) In root window open the Terminal (right click on window and select "open terminal")
no need to type "su" in terminal, it has root already (see notes if using Linux live usb/dvd)
10) Type in terminal the comand written below and dont forget to eliminate that "1" from the sdcard path,
that "1" can make the differnce betwen phone boot or not!!!!!
Things to note
Linux Live dvd doesn't have open as root so just open in terminal and add sudo to the start of the commands
I've included this in the commands below
If you get a status error just remove status=progress from the terminal command below
Terminal comands
- if your sdcard is seen like " /dev/sdb1"
in terminal aply that comand:
sudo dd bs=4M if=mmcblk0.img of=/dev/sdb status=progress oflag=sync
-if your sdcard is seen like " /dev/mmcblk0p1"
in terminal aply that comand:
sudo dd bs=4M if=mmcblk0.img of=/dev/mmcblk0 status=progress oflag=sync
and the flashing process should start
when it finishes, test the sdcard in the phone and it should boot!
If you get a size error of the sdcard in terminal you have to change the sdcard and try again!
Thanks to vaserbanix for the guide
Re-flash Stock Firmware
Once the phone is in bootloader mode you can flash stock firmware via fastboot
Note that in order to flash gpt the firmware MUST be the same or newer than the version currently on your phone
Once you have firmware that is the same or newer than your current version you can remove the sd card and run these commands (assuming you have fastboot all setup on your pc)
fastboot oem fb_mode_set
fastboot flash partition gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash dsp adspso.bin
fastboot flash oem oem.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot erase customize (ignore any error)
fastboot erase clogo (ignore any error)
fastboot oem fb_mode_clear
fastboot reboot
Imei fix
If your imei is 0 then follow instructions from here
You should be able to restore stock after & keep imei
Click to expand...
Click to collapse
https://forum.xda-developers.com/g5/how-to/rooted-moto-g5-run-morning-post-image-t3776012
Something went wrong and now it does not start, only the led lights when it is connected to the pc. Only Qualcomm HS-USB QDLoader 9008 appears in the device manager.
I have tried several blankflash (1, 2, 3) but it does not work.
Also with Qfil and the same result.
Code:
greeting device for command mode
ReadFile() failed, error=31
opening device: \\.\COM3
OKAY [ 0.023s]
greeting device for command mode
ReadFile() failed, error=995
opening device: \\.\COM3
opening device: \\.\COM3
OKAY [ 0.008s]
greeting device for command mode
OKAY [ 0.010s]
identifying device
...serial = 0x1B9ACE0A
...chip-id = 0x4F
...chip-rev = 0x0
...sv-sbl = 0x1
OKAY [ 0.038s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.020s]
validating files
OKAY [ 0.002s]
switching to download mode
OKAY [ 0.004s]
greeting device for image downloading
OKAY [ 0.002s]
sending programmer
Unexpected packet: 4. Was expecting: 3
FAILED (blank-flash:sahara-transfer-image:send-image:unexpected packet)
:crying:
thanks in advance
Its call Hardbrick, dont have for now any flashbank for motog5
Seriously ? And do you know if there will be?
takoa said:
Seriously ? And do you know if there will be?
Click to expand...
Click to collapse
It will never be released officially - Motorola don't release these files - they are either leaked or someone modifies existing files
You can try
www.kriztekblog.com/2016/10/how-to-flash-qualcomm-mbn-firmware-qpst-tool.html/amp
The firehose file I'll put in the attachment below - Unzip it
Make sure you install everything & put all files in root of c: keep paths short with no spaces eg c:/flashtool
Iv no idea what else maybe required as I don't have this device anymore & even if I did I'd only test it if my device needed reimaging
Your only other option is a motherboard replacement or a repair shop with the equipment to reimage devices eg via a j-tag
more files are missing
TheFixItMan said:
It will never be released officially - Motorola don't release these files - they are either leaked or someone modifies existing files
You can try
www.kriztekblog.com/2016/10/how-to-flash-qualcomm-mbn-firmware-qpst-tool.html/amp
The firehose file I'll put in the attachment below - Unzip it
Make sure you install everything & put all files in root of c: keep paths short with no spaces eg c:/flashtool
Iv no idea what else maybe required as I don't have this device anymore & even if I did I'd only test it if my device needed reimaging
Your only other option is a motherboard replacement or a repair shop with the equipment to reimage devices eg via a j-tag
Click to expand...
Click to collapse
you will have the other path and xml files missing, Has someone already worked with you? tendras los demas archivos path y xml que falta, alguien ya le funciono con exito este metodo?
oxxo.andatti said:
you will have the other path and xml files missing, Has someone already worked with you? tendras los demas archivos path y xml que falta, alguien ya le funciono con exito este metodo?
Click to expand...
Click to collapse
You will either have to find one that works or develop your own if the ones that come with the program don't work
Like I said - I no longer have this phone & Iv tested nothing - I can provide ideas it's up to you to research alot of searching & come up with the solution
I have tried all the possible ways that I have found here and on the net ... and nothing. Still the same. Hopefully it will be soon the release of blankflash. I look forward to it. ?
work for me
takoa said:
I have tried all the possible ways that I have found here and on the net ... and nothing. Still the same. Hopefully it will be soon the release of blankflash. I look forward to it.
Click to expand...
Click to collapse
I found something that revive meu cedric that was only with LED blinking...
when conected to pc was found something like qualcomm 9008...
I'll get those files at my windows pc and can send to you
but is a kind of blankflash, write the bootloader and flash the room...
maybe i can get those files tomorow
carlapazin said:
I found something that revive meu cedric that was only with LED blinking...
when conected to pc was found something like qualcomm 9008...
I'll get those files at my windows pc and can send to you
but is a kind of blankflash, write the bootloader and flash the room...
maybe i can get those files tomorow
Click to expand...
Click to collapse
please, as soon as possible
thank you very much
:fingers-crossed::fingers-crossed::fingers-crossed:
files
takoa said:
please, as soon as possible
thank you very much
:fingers-crossed::fingers-crossed::fingers-crossed:
Click to expand...
Click to collapse
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
carlapazin said:
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
Click to expand...
Click to collapse
carla that so works in the Motorola cedric already proven it?
NABECKER16 said:
carla that so works in the Motorola cedric already proven it?
Click to expand...
Click to collapse
It works fo me!
carlapazin said:
It works fo me!
Click to expand...
Click to collapse
do you think it works on my moto g5 xt1672 from at & t mex
carlapazin said:
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
Click to expand...
Click to collapse
it does not work
can you tell us what steps you have followed, the operating system you use, the driver used and so on?
not working in xt1672
takoa said:
it does not work
can you tell us what steps you have followed, the operating system you use, the driver used and so on?
Click to expand...
Click to collapse
I did with battery fully charged!
The bootloader of my XT1676 was locked
used the .bat file in:
1 - blankflash (the phone will restart on fastbot mode)
then the .bat file on 2 - bootloader gpt
again in fastboot mode, you can flash the early rom using ADB or RSD Lite.
my OS = Windows 7 (test mode active)
and the driver i've downloaded from anywere here at xda....
on windows the phone is show qualcomm 9008 (something like that)
oh yeah! uninstall all motorola drivers and just keep the qualcomm!!!
if u don't find those drivers, i can upload
---------- Post added 27th April 2018 at 12:04 AM ---------- Previous post was 26th April 2018 at 11:59 PM ----------
NABECKER16 said:
not working in xt1672
Click to expand...
Click to collapse
Sorry, bro...
Mine is XT1676... but I'm from Brazil... and the official model here is XT1672... I can look for something to ya
carlapazin said:
I did with battery fully charged!
The bootloader of my XT1676 was locked
used the .bat file in:
1 - blankflash (the phone will restart on fastbot mode)
then the .bat file on 2 - bootloader gpt
again in fastboot mode, you can flash the early rom using ADB or RSD Lite.
my OS = Windows 7 (test mode active)
and the driver i've downloaded from anywere here at xda....
on windows the phone is show qualcomm 9008 (something like that)
oh yeah! uninstall all motorola drivers and just keep the qualcomm!!!
if u don't find those drivers, i can upload
---------- Post added 27th April 2018 at 12:04 AM ---------- Previous post was 26th April 2018 at 11:59 PM ----------
Sorry, bro...
Mine is XT1676... but I'm from Brazil... and the official model here is XT1672... I can look for something to ya
Click to expand...
Click to collapse
takoa said:
[ 0.000] Opening device: \\.\COM5
[ 0.000] Detecting device
[ 0.000] ...cpu.id = 79 (0x4f)
[ 0.000] ...cpu.sn = 463130122 (0x1b9ace0a)
[ 0.000] Opening singleimage
[ 0.000] ERROR: error opening singleimage
[ 0.000] Check qboot_log.txt for more details
[ 0.000] Total time: 0.010s
[ 0.000]
[ 0.000] qboot version 3.40
[ 0.000]
[ 0.000] DEVICE {
[ 0.000] name = "\\.\COM5",
[ 0.000] flags = "0x64",
[ 0.000] addr = "0x28FE6C",
[ 0.000] sahara.current_mode = "3",
[ 0.000] api.buffer = "0x24F0020",
[ 0.000] cpu.serial = "463130122",
[ 0.000] cpu.id = "79",
[ 0.000] cpu.sv_sbl = "1",
[ 0.000] api.bnr = "0x652D78",
[ 0.000] }
[ 0.000]
[ 0.000]
[ 0.000] Backup & Restore {
[ 0.000] num_entries = 0,
[ 0.000] restoring = "false",
[ 0.000] backup_error = "not started",
[ 0.000] restore_error = "not started",
[ 0.000] }
[ 0.000]
Click to expand...
Click to collapse
takoa said:
Click to expand...
Click to collapse
let's find another singleImage.... that's the only i've got
sorry, man
carlapazin said:
let's find another singleImage.... that's the only i've got
sorry, man
Click to expand...
Click to collapse
Maybe the image is corrupted when you uploaded it, since it cant be opened.
carlapazin said:
let's find another singleImage.... that's the only i've got
sorry, man
Click to expand...
Click to collapse
Hi. What I do not understand is because it does not work and it gives error being my terminal is the same model as yours, xt1676.
Use w7x64, unlocked bootloader, test mode, compilation 7601 and the correct qualcomm drivers.
Something I have or have overlooked.
Hi everybody.
As I know that it is possible that someone wants to know why I need a deep cable here is a super summary of my catastrophe:
I made a root in my Z2 Force with the bootloader unlocked (thanks to the number that Motorola gives to do that) and with the SU, after that I knew (not before, damn) that some applications don't work on root cell phones (****) among these my bank app, Netflix app, Fox app (**** **** ****), even using the Root Cloak app and others like that the result is that they don't work, so I needed to return to the unroot state, until there everything manageable, buuuuuuuuut, when I had to flash the stock ROM I downloaded the wrong version (fuuuuuuuck), the result was that the cell phone doesn't recognize the SIM cards, doesn't allow the use of WIFI, my IMEI was lost (wtf!) and when I try to flash again (in fastboot) with the correct ROM stock the bootloader doesn't leave me because it says "Flashing_locked", (what? but if I already unlocked it before !, well no, the ****ing cell phone doesn't recognize that, if I try to unblock it through the fastboot commands give as results that the process was satisfactory, but when restarting the bootloader it says NO, I'm still locked mother****er ! ...........
Well, that's why I need a deep cable, to flash with the (foolish) "Flasing_locked" status. So, the problem is basically that I found on the Internet those who do the deep cable with micro-usb, I haven't found how to do it with a usb-c cable. In the cases with micro-usb you only have to bridge the black and green wires and "ta dah" everything is done, in others I also see in micro-usb the pin 4 is jumpered with pin 1 in the micro-usb connector, but on the usb-c cable I have something like 20 pins and more than 4 cables, so I don't know how I can do the deep cable with a usb-c.
Please, I need help :crying:
I think there is another way to go about this than putting your devices into Qualcomm 9008. That is what you are wanting the EDL Deep Cable for, right? Instead of that, why not try this thread here, https://forum.xda-developers.com/z2-force/how-to/how-to-return-to-stock-sprint-t3694783, and see if Uzephi's method doesnt get you back to stock. If for some reason his flashall doesnt work, then I would suggest using a blankflash for your version of Android to wipe the slate clean and then use the return to stock method for your device.
fast69mopar said:
I think there is another way to go about this than putting your devices into Qualcomm 9008. That is what you are wanting the EDL Deep Cable for, right? Instead of that, why not try this thread here, https://forum.xda-developers.com/z2-force/how-to/how-to-return-to-stock-sprint-t3694783, and see if Uzephi's method doesnt get you back to stock. If for some reason his flashall doesnt work, then I would suggest using a blankflash for your version of Android to wipe the slate clean and then use the return to stock method for your device.
Click to expand...
Click to collapse
Okay ! I'm going to try those two options and I'll write you what happens.
Thanks !
Well, I'm here again.
I tried the two methods that you kindly indicated to me:
1. https://forum.xda-developers.com/z2-...print-t3694783 The Flashall.bat file really does not do anything different than being an automated flash of what you can usually do manually, I mean, it does the flash using the fastboot file by file, so because it's the same process (but automated) I got the same result, when the Flashall.bat file tries to send / flash the files the response status is Failed, because the flashing status in the bootloader is locked.
2. Blankflash metod. This method seems to work when the cell phone is bricked and does not enter the bootloader, and that is not my case because I can access the cell phone, for example if I connect the cell phone to the computer in:
a) the boot manager mode, the "Device Manager" recognizes it as "Android Device / Motorola ADB Interface"
b) started the ROM (and activated the "USB Debugging"), the "Device Manager" also recognizes it as "Android Device / Motorola ADB Interface"
c) QCOM mode (selected from the bootloader) the "Device Manager" recognizes it as "Qualcomm HS-USB Diagnostics 9092".
Anyway, if I run the blank-flash file in:
a) bootloader mode, the CMD shows "waiting device" and does nothing
b) started the ROM (and activated the "USB Debugging"), the CMD shows "waiting device" and does nothing
c) QCOM mode (selected from the bootloader), the CMD shows "waiting for the device" and does nothing (this same result with or without the activation of "USB Debugging")
So I'm still the same, I think my only option is Deep Cable, what do you think?
Loperaco said:
Well, I'm here again.
I tried the two methods that you kindly indicated to me:
1. https://forum.xda-developers.com/z2-...print-t3694783 The Flashall.bat file really does not do anything different than being an automated flash of what you can usually do manually, I mean, it does the flash using the fastboot file by file, so because it's the same process (but automated) I got the same result, when the Flashall.bat file tries to send / flash the files the response status is Failed, because the flashing status in the bootloader is locked.
2. Blankflash metod. This method seems to work when the cell phone is bricked and does not enter the bootloader, and that is not my case because I can access the cell phone, for example if I connect the cell phone to the computer in:
a) the boot manager mode, the "Device Manager" recognizes it as "Android Device / Motorola ADB Interface"
b) started the ROM (and activated the "USB Debugging"), the "Device Manager" also recognizes it as "Android Device / Motorola ADB Interface"
c) QCOM mode (selected from the bootloader) the "Device Manager" recognizes it as "Qualcomm HS-USB Diagnostics 9092".
Anyway, if I run the blank-flash file in:
a) bootloader mode, the CMD shows "waiting device" and does nothing
b) started the ROM (and activated the "USB Debugging"), the CMD shows "waiting device" and does nothing
c) QCOM mode (selected from the bootloader), the CMD shows "waiting for the device" and does nothing (this same result with or without the activation of "USB Debugging")
So I'm still the same, I think my only option is Deep Cable, what do you think?
Click to expand...
Click to collapse
To use blankflash you need to be in 9008 mode, since you have adb working try issuing the command 'adb reboot-edl' or 'adb reboot edl' can't recall at the moment. You'll know when you're in edl/9008 mode because the screen will be blank and the device will recognize as 9008. If you can't reboot to edl through adb, go to fastboot and try 'fastboot oem blankflash' again you'll know when you're ready for blankflash because the device will recognize as 9008. If the commands don't take, boot into QCOM mode and try 'fastboot oem blankflash'
*To unlock the bootloader you need to select oem unlock in settings. If it's greyed out you need to connect to internet and sign into google. Try bluetooth connection or a cable since wifi and mobile is borked at the moment.
41rw4lk said:
To use blankflash you need to be in 9008 mode, since you have adb working try issuing the command 'adb reboot-edl' or 'adb reboot edl' can't recall at the moment. You'll know when you're in edl/9008 mode because the screen will be blank and the device will recognize as 9008. If you can't reboot to edl through adb, go to fastboot and try 'fastboot oem blankflash' again you'll know when you're ready for blankflash because the device will recognize as 9008. If the commands don't take, boot into QCOM mode and try 'fastboot oem blankflash'
*To unlock the bootloader you need to select oem unlock in settings. If it's greyed out you need to connect to internet and sign into google. Try bluetooth connection or a cable since wifi and mobile is borked at the moment.
Click to expand...
Click to collapse
Hi.
I have fresh news.
The first thing I tried was to enable the option to unlock the OEM because that option was in gray, try to connect the internet via USB cable and no option worked, but when connecting by bluetooth (which is not easy either for those who don’t know how) I did it! and once connected, I enabled the option again, so I activated it to allow me to unlock the OEM, but when restarting the bootloader to verify it was still showing the status "Flashing_locked" (sad face).
Even knowing this, try the options in this order and with these results:
1. Try the command 'adb reboot-edl' or 'adb reboot edl'. The first command that the console recognized was 'adb reboot -edl' but once accepted by the CMD the cell phone was rebooted alone and went back to the ROM, that is, it was not blank.
2. Go to fastboot and try 'fastboot oem blankflash'. When doing this the result obtained in the CMD was “(bootloader) Command Restricted FAILED (remote failure) finished. total time: 0.006s”, probably due to the fact that the bootloader still indicates "Flashing_locked".
3. Boot into QCOM mode and try 'fastboot oem blankflash'. When I start the QCOM option from the bootloader the cell phone automatically loads the ROM, after this I activated the USB Debugging and ran the command in question but the result was "<waiting for any device>" and nothing happens. I tried the command again without activating the USB Debugging and nothing happened either. If I enter the command "fastboot devices" the command does not give any results, I give way to the next line as if nothing happened.
4. I was sad after all this so I decided to retry everything, starting with the command to put the phone in mode 9008, so, just out of curiosity I tried the second sentence you wrote, that is, 'adb reboot edl' (without the line in the middle before the word “edl”), this command also recognized it but this time if it went to blank (yeah !!!). So after accomplishing this I followed the instructions of https://forum.xda-developers.com/z2-force/help/hard-bricked-blankflash-z2-force-t3705789, but the result when executing the Blank-Flash file was:
[ 0.000] Opening device: \\.\COM11
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 94 (0x5e)
[ 0.005] ...cpu.sn = 3632543294 (0xd884363e)
[ 0.005] Opening singleimage
[ 0.005] Loading package
[ 0.009] ...filename = pkg.xml
[ 0.012] Loading programmer
[ 0.012] ...filename = programmer.elf
[ 0.013] Sending programmer
[ 0.091] ReadFile() failed, GetLastError()=0
[ 0.644] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.644] ERROR: sahara_download()->general error
[ 0.644] Check qboot_log.txt for more details
[ 0.645] Total time: 0.646s
[ 0.645]
[ 0.645] qboot version 3.85
[ 0.645]
[ 0.645] DEVICE {
[ 0.645] name = "\\.\COM11",
[ 0.645] flags = "0x64",
[ 0.645] addr = "0x28FD74",
[ 0.645] sahara.current_mode = "0",
[ 0.645] api.buffer = "0x2160020",
[ 0.645] cpu.serial = "3632543294",
[ 0.645] cpu.id = "94",
[ 0.645] cpu.sv_sbl = "0",
[ 0.645] cpu.name = "MSM8998",
[ 0.645] storage.type = "UFS",
[ 0.645] sahara.programmer = "programmer.elf",
[ 0.645] api.bnr = "0x20C7ED0",
[ 0.645] }
[ 0.645]
[ 0.645]
[ 0.645] Backup & Restore {
[ 0.645] num_entries = 0,
[ 0.645] restoring = "false",
[ 0.645] backup_error = "not started",
[ 0.645] restore_error = "not started",
[ 0.645] }
[ 0.645]When executing the "blank-flash" file again, the result obtained was:
[ 0.000] Opening device: \\.\COM11
[ 0.001] Detecting device
[ 34.005] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.005] Check qboot_log.txt for more details
[ 34.005] Total time: 34.006s
[ 34.005]
[ 34.005] qboot version 3.85
[ 34.005]
[ 34.005] DEVICE {
[ 34.005] name = "\\.\COM11",
[ 34.005] flags = "0x64",
[ 34.005] addr = "0x28FD74",
[ 34.005] api.bnr = "0x612CA8",
[ 34.005] }
[ 34.005]
[ 34.005]
[ 34.005] Backup & Restore {
[ 34.005] num_entries = 0,
[ 34.005] restoring = "false",
[ 34.005] backup_error = "not started",
[ 34.005] restore_error = "not started",
[ 34.005] }
[ 34.005]I thought I had made a worse mistake, but turning off the cell phone normally returned to enter the ROM without problem.
At this point I was left with no more ideas...
You need drivers so that your pc and the phone can communicate, here is a link and it also has a verified blankflash.zip that has worked many times for others in the past. The process is a bit hit and miss, meaning it can be finicky on some pcs. Make sure you use a usb 2.0 port off the mobo, and not a 3.0+ or a hub port, they're not all so universal and can cause problems, so stick to 2.0 mobo ports.
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
41rw4lk said:
You need drivers so that your pc and the phone can communicate, here is a link and it also has a verified blankflash.zip that has worked many times for others in the past. The process is a bit hit and miss, meaning it can be finicky on some pcs. Make sure you use a usb 2.0 port off the mobo, and not a 3.0+ or a hub port, they're not all so universal and can cause problems, so stick to 2.0 mobo ports.
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Click to expand...
Click to collapse
Hiiiii.
Well, the file in the forum that you gave me works! I mean, it does something new, it generates a successful process and it was reinitiated to the bootloader, once there I noticed that there was a changed item "Software status: Official" (previously said modified), but the ítem of "Flashing_locked" is still the same ...
Anyway I tried to flash the stock ROM with that and I have the same result whenhen I get to the command "fastboot flash bootloader bootloader.img", here are the results:
(bootloader) is-logical:bootloader: not found
Sending 'bootloader' (9884 KB) OKAY [ 0.266s]
Writing 'bootloader' (bootloader) Validating 'boot
loader.default.xml'
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) Cancelling 'bootloader.default.xml'
FAILED (remote: '')
fastboot: error: Command failed
Another new thing found: in "bootloader logs" mode it says:
SSM: abl cvs roll back 0,1
Fastboot Reason: UTAG bootmode configured as fastboot
I feel that I am closer to each step, please continue to help me.
What firmware are you trying to flash? At this point it might be easier to use the lenovo moto smart assistant tool to do a rescue on your phone. Do a 'fastboot reboot bootloader' to get a fresh bootloader session, and run the lmsa tool and see it it will recover your phone. Either way, let me know what firmware you're trying to flash.
First of all, you need to make sure you are xt1789-? ? If x is 3, then he is the s version. You only need to install the rom of the corresponding carrier. I remember that the installation tool can choose whether to install the baseband and bp/bl lock (maybe)So your xt1789-? ? What is it?
Refer to the version number in the link image https://m.facebook.com/story.php?story_fbid=624595458056701&id=100015187571561
41rw4lk said:
What firmware are you trying to flash? At this point it might be easier to use the lenovo moto smart assistant tool to do a rescue on your phone. Do a 'fastboot reboot bootloader' to get a fresh bootloader session, and run the lmsa tool and see it it will recover your phone. Either way, let me know what firmware you're trying to flash.
Click to expand...
Click to collapse
Hi again !
I followed his advice to use the "lenovo moto smart assistant tool" but as a result I got that my device isn't supported by the software (see attached image).
On the other hand, regarding the firmware that I'm trying to recover, I don't know if I remembered that I told him to install a wrong ROM at the beginning of my problem, and I never backed up my original ROM, so I do not really have the least idea of what is my stock ROM (for Colombia - South America), if I search for firmware I find many categorized with letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW) ... investigate how I can know which was the original of my phone (after having made a mess) and can not find any reference in this regard.
I keep trying.
潇霄小云 said:
First of all, you need to make sure you are xt1789-? ? If x is 3, then he is the s version. You only need to install the rom of the corresponding carrier. I remember that the installation tool can choose whether to install the baseband and bp/bl lock (maybe)So your xt1789-? ? What is it?
Refer to the version number in the link image https://m.facebook.com/story.php?story_fbid=624595458056701&id=100015187571561
Click to expand...
Click to collapse
Hi 潇 霄 小云!
I am sure it is an XT1789-05 however I do not know which firmware corresponds to me (never look before deleting my stock ROM) and when looking for the firmware of my device there are many with many letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW), so I do not know which one corresponds to me for Colombia (South America).
You can not see my model in the image you send me ...
Thanks for the help, I'm still investigating!
Loperaco said:
Hi again !
I followed his advice to use the "lenovo moto smart assistant tool" but as a result I got that my device isn't supported by the software (see attached image).
On the other hand, regarding the firmware that I'm trying to recover, I don't know if I remembered that I told him to install a wrong ROM at the beginning of my problem, and I never backed up my original ROM, so I do not really have the least idea of what is my stock ROM (for Colombia - South America), if I search for firmware I find many categorized with letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW) ... investigate how I can know which was the original of my phone (after having made a mess) and can not find any reference in this regard.
I keep trying.
Click to expand...
Click to collapse
Well your device is showing -05, that's Mexico and South America I believe. There should be a model printed by the charge port on the phone. As for which firmware, look at your sim and see if you can get an idea from there, or if you can ask whomever you got your phone from. Do you remember what provider was listed under the software update channel originally? Your sim should be able to get you some info as to who the provider is even if it's just a subsidy of a major carrier.
Hi there !
Well today I have very good news!
At last I managed to reinstall everything. How it happened? So I went back to the steps in this way:
1. Having a wrong ROM version (it does not correspond to my stock) connect by bluethooth the cell phone to access the internet, so the cell phone recognized that the OEM had already been authorized and allowed me to access the option and change it (because before it was gray).
2. Go to the bootloader and find the indication "Flashing_locked", but as I knew I had already given the authorization from within the ROM I opened a console and wrote the command "fastboot oem unlock" AND RECOGNIZED IT!, Restart the bootloader and voila! the message already said "Flashing_unlocked"
3. After this it was a matter of trying (without lying) something like six firmware XT1789-05 version because I had no idea what mine was, it took me a long time because some left me without Wi-Fi again, but Finally, I managed to locate one that looked like the one I had (RETLA XT1789-05_NASH_RETLA_DS_8.0.0_OPXS27.109-34-19_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml), so I tried hard there, but still shows a warning that a version is installed of the different operating system, but it works for me and that's how it will stay for a couple of months.
4. Then I was able to install the TWRP and the Magisk without any problems.
5. Problems that I had: Warning of the bootloader without blocking, Notice of the different operating system, Application of finding my device does not work (it stays looking for the cell phone and never locates it).
Many thanks to 41rw4lk, without your help this would have been impossible.
I hope to share my experience with someone else who may have my problem or something like it!
Postscript: Finally, they never gave me instructions on how to make the Deep Cable when the cell phone is a USB-C type port (lol), so if the data appears I would still be interested only in general knowledge.
Hi, looking for a kind soul who can provide me with some insight or direction.
My Phone:
Moto Z2 Force XT1789-04 AT&T
Carrier unlocked with unlock code from AT&T to use T-Mobile SIM
Updated to either Build number: OCXS27.109-47-20 or Build number: OCXS27.109-47-23 using LMSA (not OTA)
Official build, never tried to root it
My Circumstance:
I was using fingerprint unlock and my login attempts were failing.
In a brief moment of frustration, and stupidity, I repeatedly retried FP unlock (probably 10+ times)
Display went dim and phone became unresponsive, and ultimately turned into a brick with no way to power on; nothing displayed when plugged in to charge.
My Attempts to Fix:
After trying various button reset options with no success, I plugged my phone into my PC and saw QUSB_BULK
Further searching led me to https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5 (thanks 41rw4lk)
I installed the Qualcomm driver and got Qualcomm HS-USB QDLoader 9008 to show up in Device Manager.
I tried blank-flash.bat using blankflash_from_NDX26.183-15_17 (again, thanks, 41rw4lk)
Here is the output from the batch command:
Code:
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>blank-flash.bat
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ -0.000] Opening device: \\.\COM4
[ -0.000] Detecting device
[ 0.016] ...cpu.id = 94 (0x5e)
[ 0.016] ...cpu.sn = 1009594148 (0x3c2d2f24)
[ 0.016] Opening singleimage
[ 0.016] Loading package
[ 0.016] ...filename = pkg.xml
[ 0.016] Loading programmer
[ 0.016] ...filename = programmer.elf
[ 0.016] Sending programmer
[ 0.176] Handling things over to programmer
[ 0.176] Identifying CPU version
[ 0.176] Waiting for firehose to get ready
[ 3.200] ...MSM8998 2.1
[ 3.200] Determining target secure state
[ 3.200] ...secure = yes
[ 3.247] Configuring device...
[ 3.263] Skipping UFS provsioning as target is secure
[ 3.263] Configuring device...
[ 4.824] Target NAK!
[ 4.824] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 4.824] ...ERROR: Failed to open the device 3 slot 0 partition 1
[ 4.824] ...INFO: Device type 3, slot 0, partition 1, error 0
[ 4.824] ...WARN: Set bootable failed to open 3 slot 0, partition 1, error 0
[ 4.824] ERROR: do_package()->do_recipe()->NAK
[ 4.824] Check qboot_log.txt for more details
[ 4.824] Total time: 4.824s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->NAK
Here is the device info from the log:
Code:
[ 4.824] qboot version 3.85
[ 4.824]
[ 4.824] DEVICE {
[ 4.824] name = "\\.\COM4",
[ 4.824] flags = "0x144",
[ 4.824] addr = "0x62FD54",
[ 4.824] sahara.current_mode = "0",
[ 4.824] api.buffer = "0x29C4020",
[ 4.824] cpu.serial = "1009594148",
[ 4.824] cpu.id = "94",
[ 4.824] cpu.sv_sbl = "0",
[ 4.824] cpu.name = "MSM8998",
[ 4.824] storage.type = "UFS",
[ 4.824] sahara.programmer = "programmer.elf",
[ 4.824] module.firehose = "0x6D91C8",
[ 4.824] api.firehose = "0x721F50",
[ 4.824] cpu.ver = "513",
[ 4.824] cpu.vername = "2.1",
[ 4.824] fh.max_packet_sz = "1048576",
[ 4.824] fh.storage_inited = "1",
[ 4.824] }
So, best as I can decipher, the blank-flash is failing because it cannot create a filesystem on the internal memory.
I read something about A/B slots, but I'm starting to lose my way.
Am I done for?
Thanks for looking. Truly appreciate the folks in this community.
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
lobbybee said:
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
Click to expand...
Click to collapse
See if there is one on
https://mirrors.lolinet.com/firmware/moto
Sent from my Moto E (4) using Tapatalk
The Nougat blankflash is fine. The phone shipped with a Nougat pbl and the way I understand it is that can't be modified or upgraded, it can be reflashed with the same, but that's it. Don't quote me on that though. As for an Oreo blankflash, there is one, but I've never heard any success stories from it and Nougat has always done the trick.
I've seen that error before, it is speculated that maybe the storage is failing, but I don't know if anyone has ever been able to say 'yes, your storage is no good and that's why you get this error' etc. It maybe very well be the case and I'm not sure if those who have faced that error have been able to recover.
What version of windows are you running? Have you tried running as an admin, using different ports?
If you are on Win10 have you tried going old school and disabling integrity checks and turning test signing on? Win10 isn't very friendly when it comes to our phone, we recommend Win7 and command prompt, not powershell. So if you're using Win10 and haven't done the above, it's worth a shot.
41rw4lk said:
What version of windows are you running? Have you tried running as an admin, using different ports?
Click to expand...
Click to collapse
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
lobbybee said:
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
Click to expand...
Click to collapse
I believe the pbl is loaded before bootloader lock is detected, hence the reason it was able to exploit and unlock booloaders. Obviously we all can agree that something is failing when it comes to initializing the UFS storage it needs to write to. Whether it is corrupted, dead, or something else... I'm not knowledgeable enough to answer that. You might explore around with QFIL since it has an option in settings to select storage type, emmc or ufs. What you do from here on out is all you. I'd make sure you have your drivers installed and do only what is necessary to get back to a bootloader where you can flash a clean stock firmware. Keep us posted with your results and good luck.
Hello I have a hardbrick that so far I cannot solve, because I want to close the bootloader, the fastboot rejects any command that I enter (including the "fastboot oem unlock") and when turning on motorola it generates the error 0xC2224571 "No valid operating system could be found. The device will not boot ". I thought about doing a "Blankflash", but I don't know what the Motorola "test point" is. Does anyone know how to do it and get to EDL mode?
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
shadowchaos said:
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
Click to expand...
Click to collapse
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Click to expand...
Click to collapse
Could you describe what moves at last time which causes this situation?
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Click to expand...
Click to collapse
Hey, can I ask you how did you manage to unbrick it? My phone doesn't get recognized via fastboot. It seems dead but when I connect it to the pc, it gets recognized as "Qualcomm HS-USB QDLoader 9008".
What can I do next?
Try a blank flash for your phone.
Hello,
I am in a similar situation and also interested in the test point for EDL mode, so rather than opening a new thread I figured I'd reply here.
As it stands, my phone has the /e/ project ROM and recovery flashed on it, the "Allow OEM unlock" option is disabled, and the bootloader is locked. Meaning, the OS doesn't get recognized and doesn't boot, flashing is disallowed across the board, fastboot oem unlock <UNLOCK_KEY> is rejected, and fastboot boot <any recovery stock or otherwise>.img fails.
fastboot oem blankflash returns "Command Restricted" and well, subsequently tells me it failed.
So my own ignorance left myself with a rather expensive paperweight and the last resort I believe is to flash a stock ROM in EDL mode. I have found a teardown video of the device and seen a few test points there (including 3 under the large heatsinking graphite film), and I'm ready to remove the back cover on mine. It seems that the EDL test point isn't documented... If need be, I could try to find the test points myself. I just need more info to not short and break anything.
Edit: so I've gone and done it. Stabbed all visible test points, one of them scores at 1.8v, one at 1.5v, the rest at 0v. [EDIT] Some actually show something below 0.5v.
The 1.8v test point is connected to a trace going to the connector's pin. Another pad goes just beside that pin. It is very enticing right now to try and bridge them, however I'm not confident those are the EDL test points and I may short something I don't want to. I'm gonna get resistors.
The missing connector tells me it's a connector that's important for Motorola, and clearly not for the end-user. This is a cost-saving measure, don't need to run extensive tests when the device is finalized, you only need the test points to... enable EDL? Ahah. The fact the connector pads are still there is because designing the rerouting to remove them also costs money.
The 1.5v test point is between the screen and bottom daughterboard flexible flat cables connectors. Without certainty, I believe it may be a voltage for one of those or both.
Attached is the photo of the test points around the missing connector, if that helps at all.
Edit2: I found this post about trying for test points. I'm lacking resistors right now to further test. https://forum.xda-developers.com/t/phone-doesnt-boot-even-in-edl-mode.4411915/#post-87260675
Edit3: welp, bridging the points linked to the missing connector pads did nothing. What I tried is keep the phone off, bridge the points, plug the USB, but it keeps sending me to "OS not found" error or fastboot, depending on if fb_mode_set or fb_mode_clear have been used.
Hey @Awilen please keep us posted. I too want to play with this phone, but am frustrated by lack of easy access to EDL mode (to unbrick). (I want to try to roll my own GSI/AOSP build + Moto proprietary drivers, which will likely not boot the first thirty or so times I try it.)
FWIW, I tried this method and a pre-bought cable that allegedly does the same thing- no dice either.
The fact that there ARE EDL IMAGES out there gives me hope.
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
FWIW, I've never had any success with any "EDL cable" on any device, but that could be entirely due to timing/incompetence on my part.
A few devices I've been able to find EDL test points.
On some non-Qualcomm devices I have gotten to ROM bootloader by using a 100 ohm resistor (for safety, instead of a dead short) from some random test point near eMMC to ground.
Hey @Renate the cable works on my OnePlus (which, also, has a key sequence to do it, making the cable superfluous), so I know that isn't the issue here. I just don't want to unglue the phone and risk breaking something just to play. Once the battery becomes useless and that's inevitable, then I'll probably become a MB-shortin'-mo-fo.
SomeRandomGuy said:
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
Click to expand...
Click to collapse
Hey! I was waiting on my EDL cable. I just tried it... no dice. No dice at all. I believe I've exhausted all non-intrusive tricks in the book, the next step is cleanly desoldering the EM shield over the processor and flash/RAM combo ICs.
Since the device is out of warranty anyway, I'll try for a repair shop to desolder it, as the only powerful-enough heat source I have is a large heat gun blowing 150°C, 450°C or 600°C air. Other than that I have a 60W soldering iron, I doubt that'll be enough.
The only problem with the desoldering is that the EM shield is part of the cooling solution for the processor/RAM/Flash ICs. It will need to be reapplied.
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
Awilen said:
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
Click to expand...
Click to collapse
TIL “fastboot oem qcom-on” and “fastboot oem qcom-off” are a thing.
For my part, to this day I cannot find a way to access this mode, I still have my theories, since on one page I found "official" diagrams of this motorola and the phrase "EDL" is indicated at various points, but I don't really know how to interpret them on the motherboard, I'll leave the link in case someone wants to review it, it's from a Brazilian page:
Motorola_Moto_G_5G XT2075 - LEMCELL.COM.BR.zip
drive.google.com
In that one there are several files, with more technical specifications, in case someone wants to review it and see what they find useful out there, to see if it is possible to reach EDL mode on this model.
The missing connector I shot in my photos is a JTAG connector. Make of that what you will.
I have desoldered the EMI shield above the SoC/eMCP area and there's no dice there either. The traces are hidden, the parts are BGAs, there's no "pin" to short there. The schematics may or may not have confirmed my suspicion the physical trace for the clock signal to the eMCP is unreachable, making reaching EDL mode through "PBL panic from not being able to access the flash" impossible.
The SMDs around the eMCP may or may not seem to all be related to power delivery smoothing, and shorting those is blue smoke waiting to happen. I'll resolder the shield later, I don't think there's any point in desoldering it in the future for the purpose of reaching EDL mode.
There are official blankflash utilities freely available. I have no doubt EDL mode is accessible. This connector must be just how.
BREAKTHROUGH TIME! I GOT INTO QCOM 9008 MODE!
In the attached photo are the EDL pads. Happy flashing!
Edit: now I'm getting some progress, but nothing is working. Here's the two logs I get, the first just after connecting, the second after having tried once already:
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:02:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 5.889] ERROR: sahara_greet_device()->change_mode()->do_hello()->Invalid command received in current state
[ 5.889] Check qboot_log.txt for more details
[ 5.889] Total time: 5.889s
[ 5.889]
[ 5.889] qboot version 3.86
[ 5.889]
[ 5.889] DEVICE {
[ 5.889] name = "/dev/ttyUSB0",
[ 5.889] flags = "0x60",
[ 5.889] addr = "0xFECAF690",
[ 5.889] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 5.889] api.bnr = "0x1FE4210",
[ 5.889] }
[ 5.889]
[ 5.889]
[ 5.889] Backup & Restore {
[ 5.889] num_entries = 0,
[ 5.889] restoring = "false",
[ 5.889] backup_error = "not started",
[ 5.889] restore_error = "not started",
[ 5.889] }
[ 5.889]
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:03:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.343] Detecting device
[ 34.920] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.920] Check qboot_log.txt for more details
[ 34.920] Total time: 34.920s
[ 34.920]
[ 34.920] qboot version 3.86
[ 34.920]
[ 34.920] DEVICE {
[ 34.920] name = "/dev/ttyUSB0",
[ 34.920] flags = "0x60",
[ 34.920] addr = "0xAEF35240",
[ 34.920] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 34.920] api.bnr = "0x21BC210",
[ 34.920] }
[ 34.920]
[ 34.920]
[ 34.920] Backup & Restore {
[ 34.920] num_entries = 0,
[ 34.920] restoring = "false",
[ 34.920] backup_error = "not started",
[ 34.920] restore_error = "not started",
[ 34.920] }
[ 34.920]
Edit 2: I got a blankflash to work! Now I don't know... This is what I got:
Code:
D:\blankflash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ -0.000] Opening device: \\.\COM3
[ -0.000] Detecting device
[ -0.000] ...cpu.id = 286 (0x11e)
[ -0.000] ...cpu.sn = 3786473903 (0xe1b101af)
[ -0.000] Opening singleimage
[ -0.000] Loading package
[ -0.000] ...filename = pkg.xml
[ -0.000] Loading programmer
[ -0.000] ...filename = programmer.elf
[ -0.000] Sending programmer
[ 0.109] Handling things over to programmer
[ 0.109] Identifying CPU version
[ 0.109] Waiting for firehose to get ready
[ 3.220] ReadFile() failed, GetLastError()=0
[ 3.330] ...SM_SAIPAN 2.0
[ 3.330] Determining target secure state
[ 3.330] ...secure = yes
[ 3.377] Configuring device...
[ 3.377] Skipping UFS provsioning as target is secure
[ 3.377] Configuring device...
[ 3.470] Flashing GPT...
[ 3.470] Flashing partition with gpt.bin
[ 3.470] Initializing storage
[ 3.517] ...blksz = 4096
[ 3.580] ReadFile() failed, GetLastError()=0
[ 4.049] Re-initializing storage...
[ 4.049] Initializing storage
[ 4.361] Flashing bootloader...
[ 4.361] Wiping ddr
[ 4.392] Flashing abl_a with abl.elf
[ 4.439] Flashing aop_a with aop.mbn
[ 4.486] Flashing qupfw_a with qupfw.elf
[ 4.517] Flashing tz_a with tz.mbn
[ 4.783] Flashing hyp_a with hyp.mbn
[ 4.839] Flashing devcfg_a with devcfg.mbn
[ 4.854] Flashing keymaster_a with keymaster.mbn
[ 4.901] Flashing storsec_a with storsec.mbn
[ 4.933] Flashing uefisecapp_a with uefi_sec.mbn
[ 5.089] Flashing prov_a with prov64.mbn
[ 5.104] Flashing xbl_config_a with xbl_config.elf
[ 5.151] Flashing xbl_a with xbl.elf
[ 5.649] Rebooting to fastboot
[ 5.665] Total time: 5.665s
Somehow it worked, I got to flash another phone's blankflash (a "Racer" codenamed phone apparently) on it and the ABL (the thing that tells me it won't boot because it didn't find a valid system) changed visually. Now I'll try to unlock the bootloader, or flash a system on it.
Edit 3: Mmh. After clearing that EDL mode flashing worked, the system is still flashing-locked, secured, and fastboot oem unlock <unique_key> isn't working.
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
supermafari2.0 said:
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Click to expand...
Click to collapse
I am confident EDL mode flashing worked. I used a different phone's blankflash that had the same SoC and it worked, giving me a visually different "No OS found" error screen. I posted the log of the blanking process. The "Allow OEM Unlock" bit is still set to "disabled" after blanking, such that I still can't use "fastboot oem unlock" successfully.
There's this line that makes me think the system is still intact: "Skipping UFS provsioning as target is secure", meaning the UFS filesystem might have not been actually blanked. Since singleimage.bin is a signed binary, there's no way to force UFS provisioning or modify it in any other way. I think the only way in will be with a firehose and QFIL... Except I haven't found one for this SoC. The programmer.elf is the firehose, but again that needs to be signed to be useful after getting extracted.
SomeRandomGuy said:
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
Click to expand...
Click to collapse
I marked two pads of the missing connector with a green rectangle (I reused the photo I posted earlier on which I had already marked the test points' voltages, disregard the test points). I shorted them with only one voltmeter probe.
The idea is that the EDL pads I marked in green are connected to a 1.8V supply and a pin on the SoC with "infinite resistance", so there's no need for an additional resistor. You are not at risk of shorting anything and cause a major disaster on pins on the row of the green rectangle. The connector is very small, so stab confidently in the middle of the row of pads!
The (V+, PWR) combination may be available in development units, and be disabled in production units at the hardware level (missing components).
(Keep in mind I'm talking in hypotheticals at times to keep up plausible deniability regarding the files posted earlier by supermafari2.0... Those are surely under copyright.)
Layers of security upon layers of security just to get a stock firmware on an empty filesystem on my own device... This is getting old...
Edit: I have, out of boredom, decomposed the singleimage.bin into its various files. Here is the file format:
Code:
* SINGLE_N_LONELY Header [256 bytes]
* FILE:
Header:
* file name: 248 bytes (name + "\0" padding)
* file size: 8 bytes, little-endian
Data:
* data: file size in bytes
* 0xA0 padding if (file size % 4096) != 0 : file size + 4096 - (file size % 4096) bytes
[* FILE...]
* LONELY_N_SINGLE Footer [256 bytes]
Do note the 4096 magic number is the flash sector size, thus is device-dependant. In singleimage.bin, there was gpt.bin which also follows the same format. Among the files is programmer.elf, a strong candidate to be a firehose, I'll try to use with QFIL tomorrow. I do take note of Motorola's attempt at psychological warfare.
So I tried the programmer I found in the singleimage.bin file, it's indeed capable of programming through QFIL! (Do note I needed to get QFIL through QPST to get it to work.) However now I'm faced with this as I'm trying to flash recovery.img to get to recovery and get recovery to reinstall a working system:
Code:
INFO: TARGET SAID: 'ERROR: range restricted: lun=5, start_sector=142688, num_sectors=25600'
I guess the programmer checks for the flash being in a locked state, so it's time to try to patch the programmer to force the flash, if at all possible...
Edit: guessed right. The programmer has a routine that does various checks. It isn't encrypted, but I found data that could indicate the file is signed. I didn't see either the PEEK or POKE strings in there, meaning these primitives weren't included in the programmer, so there's no way to manually poke any image by hand, or just enable that blasted "Allow OEM unlock" bit (the fact I don't know where it is not withstanding.)
I think that's the end of the line for my device. At this point the only way it will ever work again will be either getting a patched and signed firehose (unlikely), or getting Motorola to reflash a stock image internally (even more unlikely) or just changing the motherboard (which defeats the purpose of searching how to get the device back in working order after messing up!)
Hi,
I want ask for help with recovery of my One Plus 9 Pro. The smartphone was oryginally in LE2120 (China) version but with India ROM (LE2121). I Wanted change it for EU ROM (LE2123) but that crashesh my phone...
After hours of failed attempts I don;t know what else I can do...
First ROM install attemt ended with errors on first pics. Next I've installed TWRP and now after each start of OnePlus it launches TWRP ant nothing else. I can ewentually go to the fastboot menu.
From TWRP I can't do repair, upload files from my PC, repair filesystem - amost nothing... Errors in another attached pics..
I've try to use MSM Tools and push files using EDL but it also finished with error (another attached pics).
In current state I can't go to the fastbootD menu (only TWRP available and launching automatically). When trying go to fastbootD - getting error (attachement).
I have downloaded many versions of OnePlus ROM's and recovery files with MSM Tolls but with any results - all of them eded with the same eerors like in attachements.
Please help what I should do now to get my Oneplus working again.
Let me think....
Try using the Eu MSM. I've read on oneplus community someone had a similar problem. Google "msmtool for le2120" and it should be one of the first results.
Marffi said:
Hi,
I want ask for help with recovery of my One Plus 9 Pro. The smartphone was oryginally in LE2120 (China) version but with India ROM (LE2121). I Wanted change it for EU ROM (LE2123) but that crashesh my phone...
After hours of failed attempts I don;t know what else I can do...
First ROM install attemt ended with errors on first pics. Next I've installed TWRP and now after each start of OnePlus it launches TWRP ant nothing else. I can ewentually go to the fastboot menu.
From TWRP I can't do repair, upload files from my PC, repair filesystem - amost nothing... Errors in another attached pics..
I've try to use MSM Tools and push files using EDL but it also finished with error (another attached pics).
In current state I can't go to the fastbootD menu (only TWRP available and launching automatically). When trying go to fastbootD - getting error (attachement).
I have downloaded many versions of OnePlus ROM's and recovery files with MSM Tolls but with any results - all of them eded with the same eerors like in attachements.
Please help what I should do now to get my Oneplus working again.
Click to expand...
Click to collapse
In twrp you can goto advanced->adb sideload, to flash roms.
You can also go into twrp fastbootd, if you follow these steps:
normally boot into twrp with "fastboot boot"
in twrp goto reboot->fastboot
while shutting down hold power+vol down (brings you to bootloader)
run fastboot boot twrp.img
For flashing partitions in fastboot you can always use _slot instead of --slot. For example "fastboot flash boot --slot=a boot.img" ->"fastboot flash boot_a boot.img". Same has to be done with slot b.
It could also be a good idea to use LE2120 MSM to go back to a usable state.
Since your original firmware was from India, I can mod you an MSM tool to flash the EU firmware. Give me a couple hours. Have to run an errand in town first...
In the meantime use the IN MSM Tool to revive your phone then wait for my mod MSM Tool to flash EU to phone.
der_akinator said:
In twrp you can goto advanced->adb sideload, to flash roms.
You can also go into twrp fastbootd, if you follow these steps:
normally boot into twrp with "fastboot boot"
in twrp goto reboot->fastboot
while shutting down hold power+vol down (brings you to bootloader)
run fastboot boot twrp.img
For flashing partitions in fastboot you can always use _slot instead of --slot. For example "fastboot flash boot --slot=a boot.img" ->"fastboot flash boot_a boot.img". Same has to be done with slot b.
It could also be a good idea to use LE2120 MSM to go back to a usable state.
Click to expand...
Click to collapse
Unfortunatley not I can't go to fastbootd. When trying do that I'm getting another error:
Marffi said:
Unfortunatley not I can't go to fastbootd. When trying do that I'm getting another error:
Click to expand...
Click to collapse
Use the IN MSM Tool to revive phone... In edl mode.
OP9Pro - Repository of MSM Unbrick Tools (TMO, EU, GLO, IN)
By using these tools, you accept full responsibility for your actions. Your warranty is void should you run any of these utilities without OnePlus support present. I am not responsible for bricks, fires, nuclear war, etc. If you modified any...
forum.xda-developers.com
here you go.......
File on MEGA
mega.nz
In EDL mode using new downlod the same error as previous
TheGhost1951 said:
here you go.......
File on MEGA
mega.nz
Click to expand...
Click to collapse
Using moded MSM Tools I've get messages:
1. Try Firehose Communication Handshake
2. Setting Firehose Communication Data trasmi...
3. Get TID Failed
and nothing more.
Log File:
[2472][05-17 16:38:43.843]<4> Set Proc Mode 0
[2472][05-17 16:38:43.996]<2> =========================================================
[2472][05-17 16:38:43.996]<2> | OnePlus DL PID:14264
[2472][05-17 16:38:43.996]<2> | Execute: 2023/05/17 14:38 GMT
[2472][05-17 16:38:43.996]<2> =========================================================
[2472][05-17 16:38:50.359]<4>
========================================================
[2472][05-17 16:39:06.535]<4> MetadataVersion=2,CryptVersion=1,[2472][05-17 16:39:06.535]<4> m_bIsPackImage=1
[2472][05-17 16:39:06.566]<4> Set Proc Mode 1
[2472][05-17 16:39:06.766]<4> ATO element doesn't exist. Skip.
[2472][05-17 16:39:06.782]<4> Project Name: 20857
[2472][05-17 16:39:06.782]<4> Factory ID: 20857IN
[2472][05-17 16:39:06.782]<4> Image Version: lemonadep_22_I.07_210412
[2472][05-17 16:39:06.782]<4> Skip SHA256 Check: No
[2472][05-17 16:39:06.782]<4> HW CHK: No
[2472][05-17 16:39:06.782]<4> RF CHK: No
[2472][05-17 16:39:06.782]<4> PRJ CHK: No
[2472][05-17 16:39:06.798]<4> MDL CHK: Yes
[2472][05-17 16:39:06.798]<4> ATO build: No
[2472][05-17 16:39:06.798]<4> Load upd cfg failed. continue.
[2472][05-17 16:39:06.798]<4> frp: 1
[2472][05-17 16:39:06.798]<4> Tool version verified! (V5.1.77)
[2472][05-17 16:39:06.798]<4> project 20857 not support boot mode feature
[2472][05-17 16:39:06.798]<4> project 20857 enable fuse
[2472][05-17 16:39:06.835]<4> [1] dwMajorVersion=6,dwMinorVersion=2,is_win7_system=0
[2472][05-17 16:39:06.873]<4> Skip multi-image identify: 0
[13140][05-17 16:39:15.492]<4> Device Arrival: \\?\USB#VID_05C6&PID_9008#5&318e2ee3&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
[6740][05-17 16:39:19.069]<4> [0] SetComStep: 1
[6740][05-17 16:39:19.069]<4> [0] GetComStep: 1
[6740][05-17 16:39:19.071]<4> CID = -1
[6740][05-17 16:39:19.071]<4> Non TMO group
[6740][05-17 16:39:19.085]<4> [1] Set device as UFS
[6740][05-17 16:39:19.311]<4> [1] [CSerialCommHelper] Buf: 0 (16/10)
[6740][05-17 16:39:19.327]<4> [1] [CSerialCommHelper] No data in buffer to be sent 0
[6740][05-17 16:39:21.514]<4> [1] [SP][195] Check cmd done status failed. 1
[6740][05-17 16:39:21.637]<4> [1] [SP][208] Reset Sahara
[6740][05-17 16:39:21.852]<4> [1] [COM1] AddCpuIDtoIndex cupid(8aeb0289)
[6740][05-17 16:39:25.061]<4> [1] UFS Inquiry Command Output: SAMSUNG KLUEG8UHDB-C2D1 1903
[6740][05-17 16:39:25.061]<4> [1] UFS info Vendor = samsung, TotalLogicalBlocks = 499892224
[6740][05-17 16:39:25.061]<4> [1] [FFU]FWversion 903
[6740][05-17 16:39:25.061]<4> [1] [FFU] UFS Total Active LU 6
[6740][05-17 16:39:25.061]<4> [1] EmmcSizeInGB = 238.367188, TotalLogicalBlocks = 499892224
[6740][05-17 16:39:25.061]<4> [1] Memory size:
[6740][05-17 16:39:25.061]<4> [1] Not in intranet, pass.[6740][05-17 16:39:25.077]<4> [1] [Firehose] HwVersion = 22
[6740][05-17 16:39:25.093]<4> [1] [Firehose] RfVersion = 11
[6740][05-17 16:39:25.124]<4> [1] [Firehose] PrjVersion = 11
[6740][05-17 16:39:25.146]<4> [1] Get SW ID failed.
[13140][05-17 16:40:15.427]<4> Device Remove: \\?\USB#VID_05C6&PID_9008#5&318e2ee3&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
[13140][05-17 16:42:34.518]<4> Device Arrival: \\?\USB#VID_05C6&PID_9008#5&318e2ee3&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
[18596][05-17 16:42:36.464]<4> [0] SetComStep: 1
[18596][05-17 16:42:36.464]<4> [0] GetComStep: 1
[18596][05-17 16:42:36.466]<4> CID = -1
[18596][05-17 16:42:36.466]<4> Non TMO group
[18596][05-17 16:42:36.470]<4> [1] Set device as UFS
[18596][05-17 16:42:36.704]<4> [1] [CSerialCommHelper] Buf: 0 (16/10)
[18596][05-17 16:42:36.720]<4> [1] [CSerialCommHelper] No data in buffer to be sent 0
[18596][05-17 16:42:38.924]<4> [1] [SP][195] Check cmd done status failed. 1
[18596][05-17 16:42:39.025]<4> [1] [SP][208] Reset Sahara
[18596][05-17 16:42:39.256]<4> [1] [COM1] AddCpuIDtoIndex cupid(8aeb0289)
[18596][05-17 16:42:42.432]<4> [1] UFS Inquiry Command Output: SAMSUNG KLUEG8UHDB-C2D1 1903
[18596][05-17 16:42:42.432]<4> [1] UFS info Vendor = samsung, TotalLogicalBlocks = 499892224
[18596][05-17 16:42:42.432]<4> [1] [FFU]FWversion 903
[18596][05-17 16:42:42.432]<4> [1] [FFU] UFS Total Active LU 6
[18596][05-17 16:42:42.432]<4> [1] EmmcSizeInGB = 238.367188, TotalLogicalBlocks = 499892224
[18596][05-17 16:42:42.432]<4> [1] Memory size:
[18596][05-17 16:42:42.432]<4> [1] Not in intranet, pass.[18596][05-17 16:42:42.447]<4> [1] [Firehose] HwVersion = 22
[18596][05-17 16:42:42.463]<4> [1] [Firehose] RfVersion = 11
[18596][05-17 16:42:42.501]<4> [1] [Firehose] PrjVersion = 11
[18596][05-17 16:42:42.516]<4> [1] Get SW ID failed.
[13140][05-17 16:42:48.489]<4> Device Remove: \\?\USB#VID_05C6&PID_9008#5&318e2ee3&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}
and second one:
IA V1.0
FCL V1.2
PL V1.9
MVL V1.3
SID 300 is non enc
Encrytped block of item 20 is incorrect
SID 300 is non enc
Encrytped block of item 20 is incorrect
Marffi said:
Unfortunatley not I can't go to fastbootd. When trying do that I'm getting another error:
Click to expand...
Click to collapse
This error shouldn't be a problem, but you probably have to wait 5-10 seconds to use fastboot. You can also flash boot, vendor_boot and dtbo of any rom and use their fastbootd.
der_akinator said:
This error shouldn't be a problem, but you probably have to wait 5-10 seconds to use fastboot. You can also flash boot, vendor_boot and dtbo of any rom and use their fastbootd.
Click to expand...
Click to collapse
Do you think he could get to recovery from fastboot and factory reset?
Or from fastboot flash update payload.bin?
TheGhost1951 said:
Do you think he could get to recovery from fastboot and factory reset?
Click to expand...
Click to collapse
Yes, should work with all recoveries with "fastboot reboot recovery"
Payload has to be extracted, but after that you can flash all partitions from fastbootd.
One caveat is that MSM payload contains some partitions that are not included in OTA payload.bin
Edit:
MSM payload can be extracted with this: https://github.com/bkerler/oppo_decrypt
But I don't know if the extra MSM partitions are flashable with fastboot.
der_akinator said:
Yes, should work with all recoveries with "fastboot reboot recovery"
Payload has to be extracted, but after that you can flash all partitions from fastbootd.
One caveat is that MSM payload contains some partitions that are not included in OTA payload.bin
Click to expand...
Click to collapse
"
C:\ADB>fastboot reboot recovery
Rebooting into recovery OKAY [ 0.016s]
Finished. Total time: 0.016s
"
Phone just restart and automatically load TWRP. Nothing more.
Marffi said:
"
C:\ADB>fastboot reboot recovery
Rebooting into recovery OKAY [ 0.016s]
Finished. Total time: 0.016s
"
Phone just restart and automatically load TWRP. Nothing more.
Click to expand...
Click to collapse
Yes that's was the answer to @TheGhost1951 question.
TheGhost1951 said:
Or from fastboot flash update payload.bin?
Click to expand...
Click to collapse
"
C:\ADB>fastboot devices
8aeb0289 fastboot
C:\ADB>fastboot flash update payload.bin
error: write_sparse_skip_chunk: don't care size 4211328355 is not a multiple of the block size 4096
Sending sparse 'update' 1/7 (786428 KB) error: write_sparse_skip_chunk: don't care size 4211328355 is not a multiple of the block size 4096
error: write_sparse_skip_chunk: don't care size 4211328355 is not a multiple of the block size 4096
OKAY [ 19.952s]
Writing 'update' FAILED (remote: 'Partition not found')
fastboot: error: Command failed
"
So failed as well
What was the last MSM tool tried? Did you try the Indian MSM tool?
TMO 9PRO LAST OPTION HARDBRICKED FIX & BACK TO TMO STOCK FIX
Frist off I'm not Responsible for anything that happens to your phone!!! DO NOT FLASH UNLESS YOU TRIED EVERYTHING ELSE FIRST INDIA MSM TOOL TO FIX YOUR HARD BRICKED T-MOBILE 9PR0!!!! DO THIS AT YOUR OWEN RISK!!! DISCLAIMER: THIS WILL...
forum.xda-developers.com