So, long story short - I hard bricked my phone by trying to flash .bin files when they should have been .img files (rookie mistake). Anyways, once I flashed those the screen went black and the phone would not respond to anything. When I plugged the phone in it showed up as Qualcomm 9008 blah blah blah so I followed this method: http://forum.xda-developers.com/lg-g3/general/fix-unbrick-lg-g3-stuck-qualcomm-hs-usb-t2933853. I was able to flash some of my partitions but then suddenly the screen changed to this:
http://i.imgur.com/G0n16LP.jpg
I believe it was after flashing tz. Regardless, I could not flash any more partitions.
So I plugged in my battery and reconnected it to my computer and it shows up as this: http://i.imgur.com/zRKaNZC.jpg. For those who can't see it, it shows up as LGE AndroidNet USB Serial Port. It also shows up as LGE AndroidNet USB Modem. Any idea on how to fix my phone from this? I've installed the Qualcomm Drivers as well as the ADB universal drivers and the LG Drivers for my phone. Using LG Mobile Support Tool the flashing goes until it says it can't connect to the phone. QPST can't see it, LG Flash Tool gives me "Model Information Check Fail" and any KDZ Flashing tool cannot flash it.
I heard talk about shorting capacitors to put it into 9006 mode in order to see the partitions. Does anyone know which capacitors?
Any help would be great considering there is not a whole lot of (free) information out there on this.
So I fixed my phone. For everyone wondering how to do it follow this thread: http://forum.xda-developers.com/lg-g3/general/unbrick-lg-g3-qhsusbbulk-qualcomm-9008-t3072091.
If you're stuck in the serial mode you have to short the pins on your eMMC. Short the pins as described in the above thread and then plug your USB in. Then follow the steps in the thread and flash.
Man I'm in the same boat as you. I couldn't get the Qualcomm tool to work though.
Nothing seems to be working at the moment and neither flashtool or anything else seem to be finding my device.
I'd like to avoid sending it to LG if I can as I need this phone.
Have you had any luck at all?
Looks like your phone diag port. May need your MSL/SPC to get the Qualcomm tool to work.
fergie716 said:
How to Get your MSL/SPC
**NOTE** This will only work if your phone is able to turn on
Make sure you have the LG Drivers Installed on your computer (link is in 1st post for that)
Open up your dialer and enter ##DIAG#
Enable DIAG Mode
Connect your phone to your computer
On your phone change the USB Connection type to Charge Only (pull down your statusbar and click on USB Connected)
Download CdmaDevTerm on your computer(I prefer this version)
Extract the CdmaDevTermZip
Inside the extracted folder double click on the cdmaTerm file to start the application
On the right hand side of the CdmaDevTerm screen select "Scan ports"
Next select the LGE AndroidNet USB Serial Port from the drop down menu (mine was COM6) then click Connect
In the SPC/Lock Options change NV to LG from the drop down menu
Now click Read SPC
Success!
This looks like your phone is charging, that might mean your boot or aboot partitions are ok. Or maybe recovery, I'm not sure which one is used for phone off charging.
jcfunk said:
Looks like your phone diag port. May need your MSL/SPC to get the Qualcomm tool to work.
This looks like your phone is charging, that might mean your boot or aboot partitions are ok. Or maybe recovery, I'm not sure which one is used for phone off charging.
I connected to it (I think) and got the SPC number but it doesn't show up in the Qualcomm tool / I don't know what to do with the number haha.
jfedorchuk said:
I connected to it (I think) and got the SPC number but it doesn't show up in the Qualcomm tool / I don't know what to do with the number haha.
Qualcomm tool, do you mean QPST?
If so you need to add port to server configuration tool. Or maybe try CDMAworkshop.
Have you tried volume + and USB insert?
Maybe download or fastboot mode will start.
jcfunk said:
Qualcomm tool, do you mean QPST?
If so you need to add port to server configuration tool. Or maybe try CDMAworkshop.
Have you tried volume + and USB insert?
Maybe download or fastboot mode will start.
Ya, the QPST. I looked and the port doesn't show up as a phone. It just shows up as the serial port and won't allow me to connect. I'll look for the cdmaworkshop tool though. I'm probably going to just try to short the capacitors to get it into 9006 mode and reflash the partitions. Does anyone know where the specific capacitors are? There was a YouTube video of it but the owner flipped out and made it private.... so much for advancing the community.
I tried the volume up and insert but nothing shows up. I'm curious if this were to go in for warranty if the company to fix it would be able to tell if it's rooted or if they would be in the same position I am where nothing shows up.
Does it show comm7? I know there is a box that is checked, in the add port screen, that keeps it from seeing the port. When I get home I'll take a screenshot.
I too am having this exact issue.
I'm on the same boat. I don't even know how it happened since I wasn't even trying to flash a ROM. One person told me to look at tablets hard brick but I've had no luck yet. Phone was stuck in a recovery bootloop so I tried to wipe/restore backup which didn't work. Popped the battery, went to download mode, started flashing TOT, got an error (yes I had the right files), popped battery again hoping it was a bad connection but nope. I got it the other week :/ as a replacement because my G2 had hardware issues. There's gotta be a way somewhere. In the mean time, I had my gf call my service provider claiming she got a popup about an upgrade, clicked yes and came back to a black screen. They said to bring it in because it's within 14 days of the refurbished. I'm going to take it in but I'm hoping there's a way to get the phone to not load anything at all (led or the boot error during LG), or do sales reps not know enough and/or don't care enough?
I got it working!!! Somehow I got TWRP'd to boot then restored my backup of 4.4.2 stock. AT&T connecting/dropping and Baseband: "Unknown" before it randomly rebooted into download mode which I'm at now. I tried flashing TOT through COM41 but it wasn't successful. Not sure what to do now.
I had some paragraph typed and it must've not gone through. I got it back to the home screen and AT&T logo once "firmware upgrade" was an option again. I still don't know how I switched it from Qualcomm to LGE Mobile, maybe some files I deleted thinking an app backdoor'd it and injected files. After a fun and exciting 12+ hours straight with errors, bootloops, reading forums, videos, downloading/un-install. I managed a way that worked and booted back into a fresh device.
Flash Tools < BOARD_DL < Booted into Status 2
LG Suite < Restore < Fail
Flash Tools < UPGRADE_DL < Fail at 6%
Flash Tools < BOARD_DL < Fail at download mode
Device Manager < Show Hidden < Portable Devices < Un-install all MTP
Flash Tools < BOARD_DL < got to 8x% < Phone Reboot into AAT < Click < Power+Click on "Normal Boot"
LG Logo < AT&T Logo < Brand new G3
Hopefully this method will work for you, and whoever else has the same problem.
Here's part of the log. Not sure if hopeful or not.
[ 9:46:27] == PROPERTY INFO
[ 9:46:27] 1. download cable = USER
[ 9:46:27] 2. battery level = 77
[ 9:46:27] 3. download type =
[ 9:46:27] 4. download speed = 0
[ 9:46:27] 5. usb version = UHS
[ 9:46:27] 6. hardware revision = rev_10
[ 9:46:27] 7. download sw version =
[ 9:46:27] 8. device sw version = D85010d
[ 9:46:27] 9. secure device = S
[ 9:46:27] 10. laf sw version = 1.0
[ 9:46:27] 11. device factory version = LGD850AT-01-V10d-310-410-JUN-19-2014+0
[ 9:46:27] 12. device factory out version = LGD850AT-00-V10d-ATT-US-JUN-19-2014+0
[ 9:46:27] 13. pid = HD58S140925001695
[ 9:46:27] 14. imei = XXXXXXXXXXXXXXXXXXXX
[ 9:46:27] 15. model name = LG-D850
[ 9:46:27] 16. device build type = U
[ 9:46:27] 17. chipset platform = msm8974
[ 9:46:27] 18. target_operator = ATT
[ 9:46:27] 19. target_country = US
[ 9:46:27] 20. ap_factory_reset_status = 2
[ 9:46:27] 21. cp_factory_reset_status = 0
[ 9:46:27] 22. isDownloadNotFinish = 0
[ 9:46:27] 23. qem = 0
[ 9:46:27] 24. cupss swfv = FFFFFFFFFFF-FFFFFFFFFFF-FFFFFFFFFFF-FFFFFFFFFFF-F
[ 9:46:27] 25. is one binary dual plan = 0
[ 9:46:27] 26. memroy size = 61071360
[ 9:46:27] 27. memory_id = 032GE4
[ 9:46:27] 28. bootloader_ver = MiniOS 3.0
[ 9:46:27] LAF : Bin_User_Mode
[ 9:46:27] isValidateSecureImage Device is a qfused.
[ 9:46:27] found sbl1 Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found aboot Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found rpm Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found tz Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] Secure Image Check Success
[ 9:46:27] * Set AP factory_reset= 0
[ 9:46:27] * Set qem_reset= 1
GrayNullFox said:
I'm on the same boat. I don't even know how it happened since I wasn't even trying to flash a ROM. One person told me to look at tablets hard brick but I've had no luck yet. Phone was stuck in a recovery bootloop so I tried to wipe/restore backup which didn't work. Popped the battery, went to download mode, started flashing TOT, got an error (yes I had the right files), popped battery again hoping it was a bad connection but nope. I got it the other week :/ as a replacement because my G2 had hardware issues. There's gotta be a way somewhere. In the mean time, I had my gf call my service provider claiming she got a popup about an upgrade, clicked yes and came back to a black screen. They said to bring it in because it's within 14 days of the refurbished. I'm going to take it in but I'm hoping there's a way to get the phone to not load anything at all (led or the boot error during LG), or do sales reps not know enough and/or don't care enough?
I got it working!!! Somehow I got TWRP'd to boot then restored my backup of 4.4.2 stock. AT&T connecting/dropping and Baseband: "Unknown" before it randomly rebooted into download mode which I'm at now. I tried flashing TOT through COM41 but it wasn't successful. Not sure what to do now.
I had some paragraph typed and it must've not gone through. I got it back to the home screen and AT&T logo once "firmware upgrade" was an option again. I still don't know how I switched it from Qualcomm to LGE Mobile, maybe some files I deleted thinking an app backdoor'd it and injected files. After a fun and exciting 12+ hours straight with errors, bootloops, reading forums, videos, downloading/un-install. I managed a way that worked and booted back into a fresh device.
Hopefully this method will work for you, and whoever else has the same problem.
Here's part of the log. Not sure if hopeful or not.
[ 9:46:27] == PROPERTY INFO
[ 9:46:27] 1. download cable = USER
[ 9:46:27] 2. battery level = 77
[ 9:46:27] 3. download type =
[ 9:46:27] 4. download speed = 0
[ 9:46:27] 5. usb version = UHS
[ 9:46:27] 6. hardware revision = rev_10
[ 9:46:27] 7. download sw version =
[ 9:46:27] 8. device sw version = D85010d
[ 9:46:27] 9. secure device = S
[ 9:46:27] 10. laf sw version = 1.0
[ 9:46:27] 11. device factory version = LGD850AT-01-V10d-310-410-JUN-19-2014+0
[ 9:46:27] 12. device factory out version = LGD850AT-00-V10d-ATT-US-JUN-19-2014+0
[ 9:46:27] 13. pid = HD58S140925001695
[ 9:46:27] 14. imei = XXXXXXXXXXXXXXXXXXXX
[ 9:46:27] 15. model name = LG-D850
[ 9:46:27] 16. device build type = U
[ 9:46:27] 17. chipset platform = msm8974
[ 9:46:27] 18. target_operator = ATT
[ 9:46:27] 19. target_country = US
[ 9:46:27] 20. ap_factory_reset_status = 2
[ 9:46:27] 21. cp_factory_reset_status = 0
[ 9:46:27] 22. isDownloadNotFinish = 0
[ 9:46:27] 23. qem = 0
[ 9:46:27] 24. cupss swfv = FFFFFFFFFFF-FFFFFFFFFFF-FFFFFFFFFFF-FFFFFFFFFFF-F
[ 9:46:27] 25. is one binary dual plan = 0
[ 9:46:27] 26. memroy size = 61071360
[ 9:46:27] 27. memory_id = 032GE4
[ 9:46:27] 28. bootloader_ver = MiniOS 3.0
[ 9:46:27] LAF : Bin_User_Mode
[ 9:46:27] isValidateSecureImage Device is a qfused.
[ 9:46:27] found sbl1 Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found aboot Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found rpm Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] found tz Partition for secure image check
[ 9:46:27] Secure Image
[ 9:46:27] Secure Image Check Success
[ 9:46:27] * Set AP factory_reset= 0
[ 9:46:27] * Set qem_reset= 1
I appreciate you going through this, but I don't think that you were bricked to the point that we are.
-No Download Mode
-No Recovery
-Black Screen & nothing on it.
-When plugged in via USB it shows up on the pc as: LGE AndroidNet USB Serial Port
-LG Flash Tools will not work.
-When plugged in with no battery, the screen lights up with a symbol with a battery and an exclamation point.
ElectroSh0ck said:
I appreciate you going through this, but I don't think that you were bricked to the point that we are.
-No Download Mode
-No Recovery
-Black Screen & nothing on it.
-When plugged in via USB it shows up on the pc as: LGE AndroidNet USB Serial Port
-LG Flash Tools will not work.
-When plugged in with no battery, the screen lights up with a symbol with a battery and an exclamation point.
That's how I was. Secure info boot < red and blue LED with black screen, no factory restore. I don't know how I got TWRP to boot. I started messing around with the device manager, deleting any files stored on the computer related to any LG device (AndroidNet, QualComm, MTP, etc) along with popping the battery in with the charge screen and reading logs.
I hope you guys can get it fixed.
Not even getting a secure info boot here. Black screen no leds
Sent from my SM-N910V using XDA Free mobile app
Same here
After rooting it and installing TWRP, I was getting an error when rebooting into recovery: "Secure Boot error". I found a solution at this page: http://forum.xda-developers.com/lg-g3/help/help-secure-boot-error-trying-to-boot-t3054977 and I was trying to replicate it. At the Terminal command step "su" worked, the second line didn't, the third line worked and the final one didn't. I know that the third line bricked my phone.
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/aboot (writes “zeroes” to the partition to “wipe” it out)
Since then the phone is almost dead. No way to wake it up, I've tried every combination of buttons and USB plugin. The only signs that it is alive are that when I connect it without the battery to USB it shows the with the phone connected and the yellow triangle with a question mark and that it is detected as LGE Androidnet USB and modem in the Device Manager. I tried the TOT method and the KDZ method, nothing worked. In QPST it is detected as Phone in Download Mode and in QPST Configuration as Sahara Memory Dump (Connected Phone: Q/QCP-XXX).
LGNPST detects it as UNKNOWN, only Emergency active, and doesn't do anything when trying to upload the bin file, gives Error: Could not switch to download mode.
Getting crazy here.
What DLL did you use to get LGNPST to give you that error?
ElectroSh0ck said:
What DLL did you use to get LGNPST to give you that error?
The default one... LGNPST_LS970.dll It was the only one that it let me use.
alex_da_fixeru said:
The default one... LGNPST_LS970.dll It was the only one that it let me use.
Ah okay that makes sense. We will need a DLL specific to the model of G3 that we have. It is basically telling the program how to interact with the phone in emergency mode. I have tried the DLL's used to flash TOTs, but they will not register in Windows.
ElectroSh0ck said:
Ah okay that makes sense. We will need a DLL specific to the model of G3 that we have. It is basically telling the program how to interact with the phone in emergency mode. I have tried the DLL's used to flash TOTs, but they will not register in Windows.
I can't seem to find the correct .dll for LG G3. Anyone has it?
Wouldn't it be the one that came with your firmware file?
Sent from my Nexus 7 using XDA Free mobile app
danmak89 said:
Wouldn't it be the one that came with your firmware file?
Sent from my Nexus 7 using XDA Free mobile app
I would think that was the case, but they will not show up in LGNPST. I can get the ones to work that others have provided specifically for LGNPST, but not the ones used to flash a TOT with LG Flash Tool.
ElectroSh0ck said:
I would think that was the case, but they will not show up in LGNPST. I can get the ones to work that others have provided specifically for LGNPST, but not the ones used to flash a TOT with LG Flash Tool.
Ah man. I managed to get my device recognised as LGE AndroidNet USB Serial Port but there's still another driver that won't install and I don't know which one it would need to be.
Device just won't boot in to any mode, no LEDs, nothing. Obvious tools don't work like flashtool, b2bsupport. I'm considering swapping out the main board as they don't seem too expensive but I'm trying to see if I can solve this first.
I refuse to accept that this is 100% bricked.
Sent from my Nexus 7 using XDA Free mobile app
I have unlocked a Xiaomi Mi 6, and I can use the Windows flash tools to flash a new ROM in fastboot mode.
But I got no response even when I type "fastboot reboot".
Did I miss some steps?
I use the latest development version.
$ lsusb.py
2-4 18d1:d00d 00 2.10 480MBit/s 160mA 1IF (Google Android e276dec5)
I have tried "-i 0x18d1"
And I have installed android-udev
$ fastboot reboot-bootloader
< waiting for any device >
rebooting into bootloader...
FAILED (command write failed (Success))
finished. total time: 0.000s
yangtsesu said:
$ fastboot reboot-bootloader
< waiting for any device >
rebooting into bootloader...
FAILED (command write failed (Success))
finished. total time: 0.000s
does fastboot recognize your device?
type "fastboot devices", terminal should give you a sort of string of numbers and letters
Pendragon2000 said:
does fastboot recognize your device?
type "fastboot devices", terminal should give you a sort of string of numbers and letters
$ fastboot devices -l
e276dec5 fastboot usb:2-4
yangtsesu said:
$ fastboot devices -l
e276dec5 fastboot usb:2-4
fastboot recognizes your device. Mhmmm do you use root privilege?
Pendragon2000 said:
fastboot recognizes your device. Mhmmm do you use root privilege?
I have tried root and adbusers.
None of these works.
adb is 2717:ff48
fastboot is 18d1:d00d
I have written a 51-android.rules myself.
It does not work either.
OEM lock in Developer Options is grey, and I cannot change it.
yangtsesu said:
adb is 2717:ff48
fastboot is 18d1:d00d
I have written a 51-android.rules myself.
It does not work either.
OEM lock in Developer Options is grey, and I cannot change it.
Do you have the chance to test fastboot with another computer/ windows?
It could be a driver issue.
If the OEM unlock option is grey then the unlock should be fine.
Dobsgw said:
Do you have the chance to test fastboot with another computer/ windows?
It could be a driver issue.
If the OEM unlock option is grey then the unlock should be fine.
I have tested on Windows, but with the fastboot.exe compiled by Xiaomi. It works fine.
I do not have a chance to test with the original one.
I use the latest Archlinux.
Maybe the issue is fastboot/adb binaries being too old. Remove fastboot/adb and use this script https://drive.google.com/open?id=1lh-nOrpeeJrEeLrBO6i9-aLgWfSVD05b
Try using sudo while using fastboot also.
icrunchbanger said:
Maybe the issue is fastboot/adb binaries being too old. Remove fastboot/adb and use this script https://drive.google.com/open?id=1lh-nOrpeeJrEeLrBO6i9-aLgWfSVD05b
Try using sudo while using fastboot also.
Not this issue.
Neither works.
Thank you all the same.
Same problem
I'm trying to convert from Windows to Linux and I'm doing great, as I'm using the former only for gaming and Adobe Suite. But I'm still having this problem, and I hate rebooting my computer only to flash a recovery. Everything works fine with windows + powershell + fastboot, but here in linux I'm having the same weird behaviour of fastboot as you.
MEGA BUMP
neflux said:
I'm trying to convert from Windows to Linux and I'm doing great, as I'm using the former only for gaming and Adobe Suite. But I'm still having this problem, and I hate rebooting my computer only to flash a recovery. Everything works fine with windows + powershell + fastboot, but here in linux I'm having the same weird behaviour of fastboot as you.
MEGA BUMP
Try this
https://wiki.archlinux.org/index.php/Android_Debug_Bridge#Adding_udev_Rules
Any update? I have a Xiaomi Mi 6 and I have a problem connecting it to ArchLinux.
The phone looks like it is connecting at the beginning but then it keeps disconnecting
(I suspect the cause is the cable so I'm going to buy a new one and check)
dmesg shows these lines:
Code:
[ 344.485964] usb 1-1: new full-speed USB device number 12 using xhci_hcd
[ 344.609329] usb 1-1: device descriptor read/64, error -71
[ 344.839332] usb 1-1: device descriptor read/64, error -71
[ 345.069295] usb 1-1: new full-speed USB device number 13 using xhci_hcd
[ 345.192664] usb 1-1: device descriptor read/64, error -71
[ 345.422651] usb 1-1: device descriptor read/64, error -71
[ 345.529405] usb usb1-port1: attempt power cycle
[ 346.172634] usb 1-1: new full-speed USB device number 14 using xhci_hcd
[ 346.172860] usb 1-1: Device not responding to setup address.
[ 346.379531] usb 1-1: Device not responding to setup address.
[ 346.585957] usb 1-1: device not accepting address 14, error -71
[ 346.709323] usb 1-1: new full-speed USB device number 15 using xhci_hcd
[ 346.709569] usb 1-1: Device not responding to setup address.
[ 346.916181] usb 1-1: Device not responding to setup address.
[ 347.122647] usb 1-1: device not accepting address 15, error -71
[ 347.122763] usb usb1-port1: unable to enumerate USB device
Do you have a solution? I suspect that Xiaomi's build of fastboot is customized.
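A triage of the dmesg excerpt posted above, as an added example that is not part of any original post: it groups kernel USB messages by port and reports whether the device ever finished enumeration. The port 1-1 lines are copied from that excerpt; the two port 1-2 lines, the errno table and the verdict names are constructed for the example.

```python
import re
from collections import Counter

# Linux errno values as they appear (negated) in kernel USB messages.
ERRNO_NAMES = {32: "EPIPE", 62: "ETIME", 71: "EPROTO", 110: "ETIMEDOUT"}

# Port 1-1: copied from the dmesg excerpt in the post above.
# Port 1-2: constructed lines showing a healthy enumeration for contrast.
SAMPLE_DMESG = """
[ 344.485964] usb 1-1: new full-speed USB device number 12 using xhci_hcd
[ 344.609329] usb 1-1: device descriptor read/64, error -71
[ 344.839332] usb 1-1: device descriptor read/64, error -71
[ 345.069295] usb 1-1: new full-speed USB device number 13 using xhci_hcd
[ 345.192664] usb 1-1: device descriptor read/64, error -71
[ 345.422651] usb 1-1: device descriptor read/64, error -71
[ 345.529405] usb usb1-port1: attempt power cycle
[ 346.172634] usb 1-1: new full-speed USB device number 14 using xhci_hcd
[ 346.172860] usb 1-1: Device not responding to setup address.
[ 346.379531] usb 1-1: Device not responding to setup address.
[ 346.585957] usb 1-1: device not accepting address 14, error -71
[ 346.709323] usb 1-1: new full-speed USB device number 15 using xhci_hcd
[ 346.709569] usb 1-1: Device not responding to setup address.
[ 346.916181] usb 1-1: Device not responding to setup address.
[ 347.122647] usb 1-1: device not accepting address 15, error -71
[ 347.122763] usb usb1-port1: unable to enumerate USB device
[ 500.000000] usb 1-2: new high-speed USB device number 16 using xhci_hcd
[ 500.150000] usb 1-2: New USB device found, idVendor=18d1, idProduct=d00d, bcdDevice= 1.00
"""

LINE_RE = re.compile(r"^\[\s*\d+\.\d+\]\s+usb\s+(\S+):\s+(.*)$")
ROOT_PORT_RE = re.compile(r"usb(\d+)-port(\d+)")
NEW_DEV_RE = re.compile(r"new (\S+)-speed USB device number (\d+) using (\S+)")
ERRNO_RE = re.compile(r"error (-\d+)")


def port_key(name):
    """Map root-hub names such as 'usb1-port1' onto the device path '1-1'."""
    m = ROOT_PORT_RE.fullmatch(name)
    return f"{m.group(1)}-{m.group(2)}" if m else name


def classify(p):
    """Verdict for one port (names are this example's own)."""
    failed = bool(p["errnos"]) or p["no_response"] > 0
    if p["enumerated"]:
        return "flaky_link" if failed else "enumerated"
    # No descriptor was ever read, so no driver, udev rule or file
    # permission was involved yet: look at cable, port, hub or controller.
    return "never_enumerated" if (p["gave_up"] or failed) else "unknown"


def triage(dmesg_text):
    """Return {port: summary} for every USB port mentioned in the text."""
    ports = {}
    for raw in dmesg_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, msg = m.groups()
        p = ports.setdefault(port_key(name), {
            "attempts": [], "speeds": set(), "errnos": Counter(),
            "no_response": 0, "power_cycled": False,
            "gave_up": False, "enumerated": False,
        })
        new = NEW_DEV_RE.search(msg)
        if new:  # each retry gets a fresh device number
            p["speeds"].add(new.group(1))
            p["attempts"].append(int(new.group(2)))
            continue
        err = ERRNO_RE.search(msg)
        if err:
            code = -int(err.group(1))
            p["errnos"][ERRNO_NAMES.get(code, str(code))] += 1
        if "not responding to setup address" in msg:
            p["no_response"] += 1
        elif "attempt power cycle" in msg:
            p["power_cycled"] = True
        elif "unable to enumerate USB device" in msg:
            p["gave_up"] = True
        elif msg.startswith("New USB device found"):
            p["enumerated"] = True
    for p in ports.values():
        p["verdict"] = classify(p)
    return ports


if __name__ == "__main__":
    for port, info in sorted(triage(SAMPLE_DMESG).items()):
        print(port, info["verdict"], info["attempts"], dict(info["errnos"]))
```
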
For fastboot on Linux, the only thing that fixed the inconsistent behavior when trying to send commands was to move the phone onto a USB hub. I'm not sure why it never worked for me without a hub, maybe it needs a USB controller all to itself. Hope this helps.
8andage said:
For fastboot on Linux, the only thing that fixed the inconsistent behavior when trying to send commands was to move the phone onto a USB hub. I'm not sure why it never worked for me without a hub, maybe it needs a USB controller all to itself. Hope this helps.
Crazy. I know this topic is old but this last post helped to fix my issue. I've faced the same situation with a Xiaomi Redmi Note 10. I've tried everything found on the web to connect my phone to Ubuntu on an old Lenovo T430. By everything I mean... everything!
But THIS did the trick. Status were still < waiting for any device > in response to the fastboot flash recovery twrp.img command when I've just unplugged the phone from direct connection to computer to plug it to my ORICO 15 ports USB hub. After plugging I could see in terminal that job was done instantly.
Bash:
$ sudo fastboot devices
45ac2951 fastboot
$ sudo fastboot flash recovery twrp-3.6.1_11-0-sweet.img
< waiting for any device >
target reported max download size of 805306368 bytes
sending 'recovery' (131072 KB)...
OKAY [ 7.805s]
writing 'recovery'...
OKAY [ 0.481s]
finished. total time: 8.286s
$ fastboot reboot
Thanks a lot for the advice 8andage. I could have searched a long time before understanding this workaround.
In my case on Ubuntu 20.04, it was a USB 3.0 port problem. It detected the device with fastboot devices but other commands did not get a response. My laptop hasn't got a USB 2.0 port. Then I disabled internal USB 3.0 support in my BIOS and now fastboot is working normally. But all USB 3.0 support is stopped. It seems a USB 2.0 hub is the better option. I will set back the BIOS setting later.
xt-1789-05 was hardbricked after trying to install a custom ROM. I need simple instructions on how to unbrick it.
I would browse on over to the "Return to Stock" thread by @Uzephi and follow his instructions on how to restore. It is a fairly simple process.
Are you still able to access the bootloader or recovery?
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
fast69mopar said:
I would browse on over to the "Return to Stock" thread by @Uzephi and follow his instructions on how to restore. It is a fairly simple process.
Are you still able to access the bootloader or recovery?
I don't have access to bootloader and recovery. It is hardbricked.
41rw4lk said:
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Can't do this
[ 0.000] Opening device: \\.\COM3
[ 0.000] ERROR: device_open()->error opening device
[ 0.000] Check qboot_log.txt for more details
[ 0.000] Total time: 0.000s
[ 0.000]
[ 0.000] qboot version 3.85
[ 0.000]
[ 0.000] DEVICE {
[ 0.000] name = "\\.\COM3",
[ 0.000] flags = "0x60",
[ 0.000] addr = "0x28FD74",
[ 0.000] api.bnr = "0x622848",
[ 0.000] }
[ 0.000]
[ 0.000]
[ 0.000] Backup & Restore {
[ 0.000] num_entries = 0,
[ 0.000] restoring = "false",
[ 0.000] backup_error = "not started",
[ 0.000] restore_error = "not started",
[ 0.000] }
[ 0.000]
Sorry, just seen the above post, you need to make sure the drivers are installed. Also you should use a 2.0 USB port off your motherboard, not a hub port from the front of the PC. It might take a couple of tries but check your device manager to make sure your phone has a driver installed for it.
41rw4lk said:
Sorry, just seen the above post, you need to make sure the drivers are installed. Also you should use a 2.0 USB port off your motherboard, not a hub port from the front of the PC. It might take a couple of tries but check your device manager to make sure your phone has a driver installed for it.
Is it normal when I connect the phone to the computer that Windows at first says installing software in the bottom right corner, then says software wasn't installed?
paulinepet7 said:
Is it normal when I connect the phone to the computer that Windows at first says installing software in the bottom right corner, then says software wasn't installed?
No, make sure you're using the OEM cable and that it's good, and of course use a 2.0 USB mobo port. Might try another port if you can't get it to recognize and install. If that fails or does no good then do this.
Unplug your phone from your PC, uninstall your Moto drivers and the Qualcomm drivers, reboot the PC, then reinstall the Moto and Qualcomm drivers, reboot the PC, then connect your phone. Make sure your phone is on when you connect it and give it plenty of time to recognize it and install the drivers for it. Since it's bricked, the Qualcomm drivers should install; if by chance they don't, just go to device manager, find your 9008 device and try to associate it with the Qualcomm drivers.
41rw4lk said:
No, make sure you're using the OEM cable and that it's good, and of course use a 2.0 USB mobo port. Might try another port if you can't get it to recognize and install. If that fails or does no good then do this.
Unplug your phone from your PC, uninstall your Moto drivers and the Qualcomm drivers, reboot the PC, then reinstall the Moto and Qualcomm drivers, reboot the PC, then connect your phone. Make sure your phone is on when you connect it and give it plenty of time to recognize it and install the drivers for it. Since it's bricked, the Qualcomm drivers should install; if by chance they don't, just go to device manager, find your 9008 device and try to associate it with the Qualcomm drivers.
Thank you very much! (This is my second account (paulinepet7).) I eventually unbricked my phone.
Hi, looking for a kind soul who can provide me with some insight or direction.
My Phone:
Moto Z2 Force XT1789-04 AT&T
Carrier unlocked with unlock code from AT&T to use T-Mobile SIM
Updated to either Build number: OCXS27.109-47-20 or Build number: OCXS27.109-47-23 using LMSA (not OTA)
Official build, never tried to root it
My Circumstance:
I was using fingerprint unlock and my login attempts were failing.
In a brief moment of frustration, and stupidity, I repeatedly retried FP unlock (probably 10+ times)
Display went dim and phone became unresponsive, and ultimately turned into a brick with no way to power on; nothing displayed when plugged in to charge.
My Attempts to Fix:
After trying various button reset options with no success, I plugged my phone into my PC and saw QUSB_BULK
Further searching led me to https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5 (thanks 41rw4lk)
I installed the Qualcomm driver and got Qualcomm HS-USB QDLoader 9008 to show up in Device Manager.
I tried blank-flash.bat using blankflash_from_NDX26.183-15_17 (again, thanks, 41rw4lk)
Here is the output from the batch command:
Code:
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>blank-flash.bat
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ -0.000] Opening device: \\.\COM4
[ -0.000] Detecting device
[ 0.016] ...cpu.id = 94 (0x5e)
[ 0.016] ...cpu.sn = 1009594148 (0x3c2d2f24)
[ 0.016] Opening singleimage
[ 0.016] Loading package
[ 0.016] ...filename = pkg.xml
[ 0.016] Loading programmer
[ 0.016] ...filename = programmer.elf
[ 0.016] Sending programmer
[ 0.176] Handling things over to programmer
[ 0.176] Identifying CPU version
[ 0.176] Waiting for firehose to get ready
[ 3.200] ...MSM8998 2.1
[ 3.200] Determining target secure state
[ 3.200] ...secure = yes
[ 3.247] Configuring device...
[ 3.263] Skipping UFS provsioning as target is secure
[ 3.263] Configuring device...
[ 4.824] Target NAK!
[ 4.824] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 4.824] ...ERROR: Failed to open the device 3 slot 0 partition 1
[ 4.824] ...INFO: Device type 3, slot 0, partition 1, error 0
[ 4.824] ...WARN: Set bootable failed to open 3 slot 0, partition 1, error 0
[ 4.824] ERROR: do_package()->do_recipe()->NAK
[ 4.824] Check qboot_log.txt for more details
[ 4.824] Total time: 4.824s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->NAK
Here is the device info from the log:
Code:
[ 4.824] qboot version 3.85
[ 4.824]
[ 4.824] DEVICE {
[ 4.824] name = "\\.\COM4",
[ 4.824] flags = "0x144",
[ 4.824] addr = "0x62FD54",
[ 4.824] sahara.current_mode = "0",
[ 4.824] api.buffer = "0x29C4020",
[ 4.824] cpu.serial = "1009594148",
[ 4.824] cpu.id = "94",
[ 4.824] cpu.sv_sbl = "0",
[ 4.824] cpu.name = "MSM8998",
[ 4.824] storage.type = "UFS",
[ 4.824] sahara.programmer = "programmer.elf",
[ 4.824] module.firehose = "0x6D91C8",
[ 4.824] api.firehose = "0x721F50",
[ 4.824] cpu.ver = "513",
[ 4.824] cpu.vername = "2.1",
[ 4.824] fh.max_packet_sz = "1048576",
[ 4.824] fh.storage_inited = "1",
[ 4.824] }
So, best as I can decipher, the blank-flash is failing because it cannot create a filesystem on the internal memory.
I read something about A/B slots, but I'm starting to lose my way.
Am I done for?
Thanks for looking. Truly appreciate the folks in this community.
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
lobbybee said:
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
See if there is one on
https://mirrors.lolinet.com/firmware/moto
Sent from my Moto E (4) using Tapatalk
The Nougat blankflash is fine. The phone shipped with a Nougat pbl and the way I understand it is that it can't be modified or upgraded, it can be reflashed with the same, but that's it. Don't quote me on that though. As for an Oreo blankflash, there is one, but I've never heard any success stories from it and Nougat has always done the trick.
I've seen that error before, it is speculated that maybe the storage is failing, but I don't know if anyone has ever been able to say 'yes, your storage is no good and that's why you get this error' etc. It may very well be the case and I'm not sure if those who have faced that error have been able to recover.
What version of windows are you running? Have you tried running as an admin, using different ports?
If you are on Win10 have you tried going old school and disabling integrity checks and turning test signing on? Win10 isn't very friendly when it comes to our phone, we recommend Win7 and command prompt, not powershell. So if you're using Win10 and haven't done the above, it's worth a shot.
41rw4lk said:
What version of windows are you running? Have you tried running as an admin, using different ports?
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
lobbybee said:
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
I believe the pbl is loaded before bootloader lock is detected, hence the reason it was able to exploit and unlock bootloaders. Obviously we all can agree that something is failing when it comes to initializing the UFS storage it needs to write to. Whether it is corrupted, dead, or something else... I'm not knowledgeable enough to answer that. You might explore around with QFIL since it has an option in settings to select storage type, emmc or ufs. What you do from here on out is all you. I'd make sure you have your drivers installed and do only what is necessary to get back to a bootloader where you can flash a clean stock firmware. Keep us posted with your results and good luck.
Hello I have a hardbrick that so far I cannot solve, because I want to close the bootloader, the fastboot rejects any command that I enter (including the "fastboot oem unlock") and when turning on motorola it generates the error 0xC2224571 "No valid operating system could be found. The device will not boot ". I thought about doing a "Blankflash", but I don't know what the Motorola "test point" is. Does anyone know how to do it and get to EDL mode?
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
shadowchaos said:
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Could you describe the last steps you took that caused this situation?
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Hey, can I ask you how did you manage to unbrick it? My phone doesn't get recognized via fastboot. It seems dead but when I connect it to the pc, it gets recognized as "Qualcomm HS-USB QDLoader 9008".
What can I do next?
Try a blank flash for your phone.
Hello,
I am in a similar situation and also interested in the test point for EDL mode, so rather than opening a new thread I figured I'd reply here.
As it stands, my phone has the /e/ project ROM and recovery flashed on it, the "Allow OEM unlock" option is disabled, and the bootloader is locked. Meaning, the OS doesn't get recognized and doesn't boot, flashing is disallowed across the board, fastboot oem unlock <UNLOCK_KEY> is rejected, and fastboot boot <any recovery stock or otherwise>.img fails.
fastboot oem blankflash returns "Command Restricted" and well, subsequently tells me it failed.
So my own ignorance left myself with a rather expensive paperweight and the last resort I believe is to flash a stock ROM in EDL mode. I have found a teardown video of the device and seen a few test points there (including 3 under the large heatsinking graphite film), and I'm ready to remove the back cover on mine. It seems that the EDL test point isn't documented... If need be, I could try to find the test points myself. I just need more info to not short and break anything.
Edit: so I've gone and done it. Stabbed all visible test points, one of them scores at 1.8v, one at 1.5v, the rest at 0v. [EDIT] Some actually show something below 0.5v.
The 1.8v test point is connected to a trace going to the connector's pin. Another pad goes just beside that pin. It is very enticing right now to try and bridge them, however I'm not confident those are the EDL test points and I may short something I don't want to. I'm gonna get resistors.
The missing connector tells me it's a connector that's important for Motorola, and clearly not for the end-user. This is a cost-saving measure, don't need to run extensive tests when the device is finalized, you only need the test points to... enable EDL? Ahah. The fact the connector pads are still there is because designing the rerouting to remove them also costs money.
The 1.5v test point is between the screen and bottom daughterboard flexible flat cables connectors. Without certainty, I believe it may be a voltage for one of those or both.
Attached is the photo of the test points around the missing connector, if that helps at all.
Edit2: I found this post about trying for test points. I'm lacking resistors right now to further test. https://forum.xda-developers.com/t/phone-doesnt-boot-even-in-edl-mode.4411915/#post-87260675
Edit3: welp, bridging the points linked to the missing connector pads did nothing. What I tried is keep the phone off, bridge the points, plug the USB, but it keeps sending me to "OS not found" error or fastboot, depending on if fb_mode_set or fb_mode_clear have been used.
Hey @Awilen please keep us posted. I too want to play with this phone, but am frustrated by lack of easy access to EDL mode (to unbrick). (I want to try to roll my own GSI/AOSP build + Moto proprietary drivers, which will likely not boot the first thirty or so times I try it.)
FWIW, I tried this method and a pre-bought cable that allegedly does the same thing- no dice either.
The fact that there ARE EDL IMAGES out there gives me hope.
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
FWIW, I've never had any success with any "EDL cable" on any device, but that could be entirely due to timing/incompetence on my part.
A few devices I've been able to find EDL test points.
On some non-Qualcomm devices I have gotten to ROM bootloader by using a 100 ohm resistor (for safety, instead of a dead short) from some random test point near eMMC to ground.
Hey @Renate the cable works on my OnePlus (which, also, has a key sequence to do it, making the cable superfluous), so I know that isn't the issue here. I just don't want to unglue the phone and risk breaking something just to play. Once the battery becomes useless and that's inevitable, then I'll probably become a MB-shortin'-mo-fo.
SomeRandomGuy said:
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
Hey! I was waiting on my EDL cable. I just tried it... no dice. No dice at all. I believe I've exhausted all non-intrusive tricks in the book, the next step is cleanly desoldering the EM shield over the processor and flash/RAM combo ICs.
Since the device is out of warranty anyway, I'll try for a repair shop to desolder it, as the only powerful-enough heat source I have is a large heat gun blowing 150°C, 450°C or 600°C air. Other than that I have a 60W soldering iron, I doubt that'll be enough.
The only problem with the desoldering is that the EM shield is part of the cooling solution for the processor/RAM/Flash ICs. It will need to be reapplied.
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
Awilen said:
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
TIL “fastboot oem qcom-on” and “fastboot oem qcom-off” are a thing.
For my part, to this day I cannot find a way to access this mode. I still have my theories, since on one page I found "official" diagrams of this Motorola and the phrase "EDL" is indicated at various points, but I don't really know how to interpret them on the motherboard. I'll leave the link in case someone wants to review it; it's from a Brazilian page:
Motorola_Moto_G_5G XT2075 - LEMCELL.COM.BR.zip
drive.google.com
In that one there are several files, with more technical specifications, in case someone wants to review it and see what they find useful out there, to see if it is possible to reach EDL mode on this model.
The missing connector I shot in my photos is a JTAG connector. Make of that what you will.
I have desoldered the EMI shield above the SoC/eMCP area and there's no dice there either. The traces are hidden, the parts are BGAs, there's no "pin" to short there. The schematics may or may not have confirmed my suspicion the physical trace for the clock signal to the eMCP is unreachable, making reaching EDL mode through "PBL panic from not being able to access the flash" impossible.
The SMDs around the eMCP may or may not seem to all be related to power delivery smoothing, and shorting those is blue smoke waiting to happen. I'll resolder the shield later, I don't think there's any point in desoldering it in the future for the purpose of reaching EDL mode.
There are official blankflash utilities freely available. I have no doubt EDL mode is accessible. This connector must be just how.
BREAKTHROUGH TIME! I GOT INTO QCOM 9008 MODE!
In the attached photo are the EDL pads. Happy flashing!
Edit: now I'm getting some progress, but nothing is working. Here's the two logs I get, the first just after connecting, the second after having tried once already:
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:02:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 5.889] ERROR: sahara_greet_device()->change_mode()->do_hello()->Invalid command received in current state
[ 5.889] Check qboot_log.txt for more details
[ 5.889] Total time: 5.889s
[ 5.889]
[ 5.889] qboot version 3.86
[ 5.889]
[ 5.889] DEVICE {
[ 5.889] name = "/dev/ttyUSB0",
[ 5.889] flags = "0x60",
[ 5.889] addr = "0xFECAF690",
[ 5.889] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 5.889] api.bnr = "0x1FE4210",
[ 5.889] }
[ 5.889]
[ 5.889]
[ 5.889] Backup & Restore {
[ 5.889] num_entries = 0,
[ 5.889] restoring = "false",
[ 5.889] backup_error = "not started",
[ 5.889] restore_error = "not started",
[ 5.889] }
[ 5.889]
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:03:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.343] Detecting device
[ 34.920] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.920] Check qboot_log.txt for more details
[ 34.920] Total time: 34.920s
[ 34.920]
[ 34.920] qboot version 3.86
[ 34.920]
[ 34.920] DEVICE {
[ 34.920] name = "/dev/ttyUSB0",
[ 34.920] flags = "0x60",
[ 34.920] addr = "0xAEF35240",
[ 34.920] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 34.920] api.bnr = "0x21BC210",
[ 34.920] }
[ 34.920]
[ 34.920]
[ 34.920] Backup & Restore {
[ 34.920] num_entries = 0,
[ 34.920] restoring = "false",
[ 34.920] backup_error = "not started",
[ 34.920] restore_error = "not started",
[ 34.920] }
[ 34.920]
Edit 2: I got a blankflash to work! Now I don't know... This is what I got:
Code:
D:\blankflash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ -0.000] Opening device: \\.\COM3
[ -0.000] Detecting device
[ -0.000] ...cpu.id = 286 (0x11e)
[ -0.000] ...cpu.sn = 3786473903 (0xe1b101af)
[ -0.000] Opening singleimage
[ -0.000] Loading package
[ -0.000] ...filename = pkg.xml
[ -0.000] Loading programmer
[ -0.000] ...filename = programmer.elf
[ -0.000] Sending programmer
[ 0.109] Handling things over to programmer
[ 0.109] Identifying CPU version
[ 0.109] Waiting for firehose to get ready
[ 3.220] ReadFile() failed, GetLastError()=0
[ 3.330] ...SM_SAIPAN 2.0
[ 3.330] Determining target secure state
[ 3.330] ...secure = yes
[ 3.377] Configuring device...
[ 3.377] Skipping UFS provsioning as target is secure
[ 3.377] Configuring device...
[ 3.470] Flashing GPT...
[ 3.470] Flashing partition with gpt.bin
[ 3.470] Initializing storage
[ 3.517] ...blksz = 4096
[ 3.580] ReadFile() failed, GetLastError()=0
[ 4.049] Re-initializing storage...
[ 4.049] Initializing storage
[ 4.361] Flashing bootloader...
[ 4.361] Wiping ddr
[ 4.392] Flashing abl_a with abl.elf
[ 4.439] Flashing aop_a with aop.mbn
[ 4.486] Flashing qupfw_a with qupfw.elf
[ 4.517] Flashing tz_a with tz.mbn
[ 4.783] Flashing hyp_a with hyp.mbn
[ 4.839] Flashing devcfg_a with devcfg.mbn
[ 4.854] Flashing keymaster_a with keymaster.mbn
[ 4.901] Flashing storsec_a with storsec.mbn
[ 4.933] Flashing uefisecapp_a with uefi_sec.mbn
[ 5.089] Flashing prov_a with prov64.mbn
[ 5.104] Flashing xbl_config_a with xbl_config.elf
[ 5.151] Flashing xbl_a with xbl.elf
[ 5.649] Rebooting to fastboot
[ 5.665] Total time: 5.665s
Somehow it worked, I got to flash another phone's blankflash (a "Racer" codenamed phone apparently) on it and the ABL (the thing that tells me it won't boot because it didn't find a valid system) changed visually. Now I'll try to unlock the bootloader, or flash a system on it.
Edit 3: Mmh. After clearing that EDL mode flashing worked, the system is still flashing-locked, secured, and fastboot oem unlock <unique_key> isn't working.
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
supermafari2.0 said:
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
I am confident EDL mode flashing worked. I used a different phone's blankflash that had the same SoC and it worked, giving me a visually different "No OS found" error screen. I posted the log of the blanking process. The "Allow OEM Unlock" bit is still set to "disabled" after blanking, such that I still can't use "fastboot oem unlock" successfully.
There's this line that makes me think the system is still intact: "Skipping UFS provsioning as target is secure", meaning the UFS filesystem might have not been actually blanked. Since singleimage.bin is a signed binary, there's no way to force UFS provisioning or modify it in any other way. I think the only way in will be with a firehose and QFIL... Except I haven't found one for this SoC. The programmer.elf is the firehose, but again that needs to be signed to be useful after getting extracted.
SomeRandomGuy said:
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
I marked two pads of the missing connector with a green rectangle (I reused the photo I posted earlier on which I had already marked the test points' voltages, disregard the test points). I shorted them with only one voltmeter probe.
The idea is that the EDL pads I marked in green are connected to a 1.8V supply and a pin on the SoC with "infinite resistance", so there's no need for an additional resistor. You are not at risk of shorting anything and causing a major disaster on pins on the row of the green rectangle. The connector is very small, so stab confidently in the middle of the row of pads!
The (V+, PWR) combination may be available in development units, and be disabled in production units at the hardware level (missing components).
(Keep in mind I'm talking in hypotheticals at times to keep up plausible deniability regarding the files posted earlier by supermafari2.0... Those are surely under copyright.)
Layers of security upon layers of security just to get a stock firmware on an empty filesystem on my own device... This is getting old...
Edit: I have, out of boredom, decomposed the singleimage.bin into its various files. Here is the file format:
Code:
* SINGLE_N_LONELY Header [256 bytes]
* FILE:
    Header:
      * file name: 248 bytes (name + "\0" padding)
      * file size: 8 bytes, little-endian
    Data:
      * data: file size in bytes
      * 0xA0 padding if (file size % 4096) != 0 : file size + 4096 - (file size % 4096) bytes
[* FILE...]
* LONELY_N_SINGLE Footer [256 bytes]
Do note the 4096 magic number is the flash sector size, thus is device-dependent. In singleimage.bin, there was gpt.bin which also follows the same format. Among the files is programmer.elf, a strong candidate to be a firehose, I'll try to use with QFIL tomorrow. I do take note of Motorola's attempt at psychological warfare.
So I tried the programmer I found in the singleimage.bin file, it's indeed capable of programming through QFIL! (Do note I needed to get QFIL through QPST to get it to work.) However now I'm faced with this as I'm trying to flash recovery.img to get to recovery and get recovery to reinstall a working system:
Code:
INFO: TARGET SAID: 'ERROR: range restricted: lun=5, start_sector=142688, num_sectors=25600'
I guess the programmer checks for the flash being in a locked state, so it's time to try to patch the programmer to force the flash, if at all possible...
Edit: guessed right. The programmer has a routine that does various checks. It isn't encrypted, but I found data that could indicate the file is signed. I didn't see either the PEEK or POKE strings in there, meaning these primitives weren't included in the programmer, so there's no way to manually poke any image by hand, or just enable that blasted "Allow OEM unlock" bit (the fact I don't know where it is notwithstanding.)
I think that's the end of the line for my device. At this point the only way it will ever work again will be either getting a patched and signed firehose (unlikely), or getting Motorola to reflash a stock image internally (even more unlikely) or just changing the motherboard (which defeats the purpose of searching how to get the device back in working order after messing up!)
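The singleimage.bin layout described in the post above, turned into a bounds-checked parser. This is an added example, not code from the poster or from Motorola. It assumes the two magic strings sit at the start of their 256-byte blocks; the NUL fill after them and the nested entry name `gpt_main0.bin` are made up for the constructed sample.

```python
import struct

HEADER_MAGIC = b"SINGLE_N_LONELY"
FOOTER_MAGIC = b"LONELY_N_SINGLE"
MARKER_LEN, NAME_LEN, SIZE_LEN, PAD_BYTE = 256, 248, 8, 0xA0


class ContainerError(ValueError):
    """Raised when the blob does not match the layout described in the post."""


def padded_len(size, block=4096):
    """Data length rounded up to the next multiple of the block size."""
    return size if size % block == 0 else size + block - (size % block)


def parse_singleimage(blob, block=4096, strict_padding=True):
    """Return {name: data}; every length is checked before it is used."""
    if len(blob) < 2 * MARKER_LEN or not blob.startswith(HEADER_MAGIC):
        raise ContainerError("missing or truncated SINGLE_N_LONELY header")
    end = len(blob) - MARKER_LEN              # offset where the footer starts
    if not blob[end:].startswith(FOOTER_MAGIC):
        raise ContainerError("missing LONELY_N_SINGLE footer")
    files, pos = {}, MARKER_LEN
    while pos < end:
        if end - pos < NAME_LEN + SIZE_LEN:
            raise ContainerError(f"truncated entry header at offset {pos}")
        raw_name = blob[pos:pos + NAME_LEN].split(b"\0", 1)[0]
        (size,) = struct.unpack_from("<Q", blob, pos + NAME_LEN)
        pos += NAME_LEN + SIZE_LEN
        try:
            name = raw_name.decode("ascii")
        except UnicodeDecodeError:
            raise ContainerError(f"non-ASCII file name before offset {pos}")
        # Names come from an untrusted file: refuse anything that could
        # escape an output directory if the caller writes entries to disk.
        if not name or name in (".", "..") or "/" in name or "\\" in name:
            raise ContainerError(f"unsafe file name {name!r}")
        if name in files:
            raise ContainerError(f"duplicate entry {name!r}")
        span = padded_len(size, block)
        if span > end - pos:                  # size field points past footer
            raise ContainerError(f"{name}: size {size} overruns container")
        pad = blob[pos + size:pos + span]
        if strict_padding and pad.count(PAD_BYTE) != len(pad):
            raise ContainerError(f"{name}: padding is not all 0xA0")
        files[name] = blob[pos:pos + size]
        pos += span
    return files


def build_container(files, block=4096):
    """Build a constructed sample (NUL fill after the magics is an assumption)."""
    out = bytearray(HEADER_MAGIC.ljust(MARKER_LEN, b"\0"))
    for name, data in files.items():
        out += name.encode("ascii").ljust(NAME_LEN, b"\0")
        out += struct.pack("<Q", len(data)) + data
        out += bytes([PAD_BYTE]) * (padded_len(len(data), block) - len(data))
    out += FOOTER_MAGIC.ljust(MARKER_LEN, b"\0")
    return bytes(out)


# Constructed sample: an outer image holding a nested gpt.bin container
# (the post says gpt.bin uses the same format) and a stub programmer.elf.
INNER = build_container({"gpt_main0.bin": b"G" * 5000})   # hypothetical name
SAMPLE = build_container({"gpt.bin": INNER,
                          "programmer.elf": b"\x7fELF" + bytes(100)})

if __name__ == "__main__":
    for name, data in parse_singleimage(SAMPLE).items():
        print(f"{name:16} {len(data):6} bytes")
        if data.startswith(HEADER_MAGIC):     # nested container
            for sub, subdata in parse_singleimage(data).items():
                print(f"  {sub:14} {len(subdata):6} bytes")
```

Pass a different `block` value for a device whose flash sector size is not 4096, and `strict_padding=False` if a real image pads with something other than 0xA0.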