Unable to restore baseband (No IMEI/No WiFi/Blankflash Fails) - Moto Z2 Force Questions & Answers

I have been unable to restore the baseband to one of my TMO Z2 Force. The device was running OCXS27.1.5 since its release and was also rooted with Magisk 19.3. A few days ago I started having random shutdowns that would occur when I would attempt to take a picture or send a message. The first shutdown occured at 30% battery, then 58% battery and then at other random battery percentages.
I decided to return to stock and take the OTA to 27.1.7. I ran the flash-all to return to stock 27.1.5 and it was flawless as usual. After the flash-all was complete I setup my device and let it perform the OTA. The OTA went off without a hitch. Completely stock and running except with some mobile network drops. WiFi was stable but I was losing my LTE connection. Once the network drops started happening I decided to return to 27.1.5 with the same flash-all I had used several times before.
I ran the 27.1.5 flash-all to revert back and when everything was complete I was without a baseband. I have read every single thread and post about this issue. I have had this problem before with another Z2 Force and was able to get the baseband back without much of a hassle. With this current device I have tried every single thing I have found posted in the forums and nothing has worked.
When I put my device in EDL mode to run the blankflash it fails like this...
**** Log buffer [000001] 2019-08-24_12:41:40 ****
[ 0.000] Opening device: \\.\COM10
[ 0.001] Detecting device
[ 14.040] ReadFile() failed, GetLastError()=0
[ 14.143] ReadFile() failed, GetLastError()=0
[ 21.343] ERROR: sahara_greet_device()->device_open()->error opening device
[ 21.343] Check qboot_log.txt for more details
[ 21.343] Total time: 21.344s
[ 21.343]
[ 21.343] qboot version 3.85
[ 21.343]
[ 21.343] DEVICE {
[ 21.343] name = "\\.\COM10",
[ 21.343] flags = "0x64",
[ 21.343] addr = "0x28FD74",
[ 21.343] api.bnr = "0x972948",
[ 21.343] }
[ 21.343]
[ 21.343]
[ 21.343] Backup & Restore {
[ 21.343] num_entries = 0,
[ 21.343] restoring = "false",
[ 21.343] backup_error = "not started",
[ 21.343] restore_error = "not started",
[ 21.343] }
[ 21.343]
Can someone provide any input as to why the blankflash log shows this? I am not well versed on the details of what is occuring during the blankflash. Thanks for any help. I have attached a copy of the qboot log.txt

Update #1
Okay. So, after flashing this thing with blankflash after blankflash in EDL mode with no results and after flashing so many flash-alls with different firmwares I have finally got my baseband back. I have my IMEI back and I can connect to WiFi and mobile networks. It took me some time to get it all figured out but I have prevailed. Here is what I did.
I opened a command prompt and booted TWRP. In TWRP I wiped every single partition I could on
Slot-A and then wiped everything on Slot-B.
Next, I booted to the bootloader and then back to TWRP. Once in TWRP I selected to boot to EDL to attempt another blankflash. The Oreo blankflash failed once again as expected. For those who don't know how to get out of EDL mode and back to the bootloader, press and hold VOLUME DOWN + POWER and then run the blankflash while holding the buttons. It may take a few tries but it will return to the bootloader. Once I was in the bootloader I took Uzephi's flash-all utilities and the 27.1.5 flash-all, combined them and flashed my device. Once it was complete I attempted to boot normally and set up my device. Once booted into the OS I still did not have a baseband.
Next, I went back to the bootloader and put the latest update from mirrors.lollinet.com into Uzephi's flash-all utilities which is 27.1.7 and ran the flash-all. Everything ran smooth during the flash.
I booted to the OS and found that I had my baseband back. I put my SIM Card into my Z2 Force and was finally connected to a mobile network and my WiFi was back as well.
What I'm thinking here is that once the OTA to 27.1.7 was completed I could not revert back to 27.1.5 like I did. Reverting back lost my baseband.
I have this backup Z2 Force back up and running on 27.1.7 with Magisk 19.3 installed. So far so good

fast69mopar said:
Update #1
Okay. So, after flashing this thing with blankflash after blankflash in EDL mode with no results and after flashing so many flash-alls with different firmwares I have finally got my baseband back. I have my IMEI back and I can connect to WiFi and mobile networks. It took me some time to get it all figured out but I have prevailed. Here is what I did.
I opened a command prompt and booted TWRP. In TWRP I wiped every single partition I could on
Slot-A and then wiped everything on Slot-B.
Next, I booted to the bootloader and then back to TWRP. Once in TWRP I selected to boot to EDL to attempt another blankflash. The Oreo blankflash failed once again as expected. For those who don't know how to get out of EDL mode and back to the bootloader, press and hold VOLUME DOWN + POWER and then run the blankflash while holding the buttons. It may take a few tries but it will return to the bootloader. Once I was in the bootloader I took Uzephi's flash-all utilities and the 27.1.5 flash-all, combined them and flashed my device. Once it was complete I attempted to boot normally and set up my device. Once booted into the OS I still did not have a baseband.
Next, I went back to the bootloader and put the latest update from mirrors.lollinet.com into Uzephi's flash-all utilities which is 27.1.7 and ran the flash-all. Everything ran smooth during the flash.
I booted to the OS and found that I had my baseband back. I put my SIM Card into my Z2 Force and was finally connected to a mobile network and my WiFi was back as well.
What I'm thinking here is that once the OTA to 27.1.7 was completed I could not revert back to 27.1.5 like I did. Reverting back lost my baseband.
I have this backup Z2 Force back up and running on 27.1.7 with Magisk 19.3 installed. So far so good
Click to expand...
Click to collapse
Please can u do it for me?? Or help me to recover my imei

I stupidly lost my baseband for a T-Mobile Z2 Force by flashing a Stock Pie Modem

Related

MOTO G5 CEDRIC XT1676 Only the led lights up, HELP PLEASE

solved
TheFixItMan said:
This guide is for hard bricked Moto G5 Cedric
Hard bricked means a device which can not enter bootloader mode normally
This method has now been confirmed working
XT1672 32gb version (also works with XT1670 XT1671 and XT1676)
Download mmcblk0 image from here
Thanks to @jcbotelho for providing image
Requirements
Freshly formatted microSD card of at least 32gb
7zip
Linux mint live usb/dvd
USB card reader
Method
The BEST method to flash the sdcard with mmcbk0.img file is to use LINUX!
Windows user have no need to install Linux in pc, you can run Linux from a bootable usb-stick or pendrive that is at least 8gb
0) Put the Moto g5 on mains charge until you have finished flashing the sdcard so it's fully charged ready for the boot test!
1) Run linux, preferable cinnamon or mate versions of linux Mint
2) Insert the sdcard in pc or card reader and open "Disks" app
3) In "Disks" app select sdcard and you will see the sdcard partitions
4) Press "-" to delete the partition (delete all partitions if there is more than one)
5) Press "+" to create a new one and name it mmcblk0, set FAT(FAT32) file format and press "CREATE"
6) Press "Play" button to mount the sdcard, look to see what path the sdcard has (/dev/sd??) and then close the "Disks" app
7) Go to Desktop, open "Computer" and navigate to the location when the img file is extracted (mmcblk0.img)
8) Open the window where img file is with root (right click on window and select "open as root")
9) In root window open the Terminal (right click on window and select "open terminal")
no need to type "su" in terminal, it has root already (see notes if using Linux live usb/dvd)
10) Type in terminal the comand written below and dont forget to eliminate that "1" from the sdcard path,
that "1" can make the differnce betwen phone boot or not!!!!!
Things to note
Linux Live dvd doesn't have open as root so just open in terminal and add sudo to the start of the commands
I've included this in the commands below
If you get a status error just remove status=progress from the terminal command below
Terminal comands
- if your sdcard is seen like " /dev/sdb1"
in terminal aply that comand:
sudo dd bs=4M if=mmcblk0.img of=/dev/sdb status=progress oflag=sync
-if your sdcard is seen like " /dev/mmcblk0p1"
in terminal aply that comand:
sudo dd bs=4M if=mmcblk0.img of=/dev/mmcblk0 status=progress oflag=sync
and the flashing process should start
when it finishes, test the sdcard in the phone and it should boot!
If you get a size error of the sdcard in terminal you have to change the sdcard and try again!
Thanks to vaserbanix for the guide
Re-flash Stock Firmware
Once the phone is in bootloader mode you can flash stock firmware via fastboot
Note that in order to flash gpt the firmware MUST be the same or newer than the version currently on your phone
Once you have firmware that is the same or newer than your current version you can remove the sd card and run these commands (assuming you have fastboot all setup on your pc)
fastboot oem fb_mode_set
fastboot flash partition gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash dsp adspso.bin
fastboot flash oem oem.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot erase customize (ignore any error)
fastboot erase clogo (ignore any error)
fastboot oem fb_mode_clear
fastboot reboot
Imei fix
If your imei is 0 then follow instructions from here
You should be able to restore stock after & keep imei
Click to expand...
Click to collapse
https://forum.xda-developers.com/g5/how-to/rooted-moto-g5-run-morning-post-image-t3776012
Something went wrong and now it does not start, only the led lights when it is connected to the pc. Only Qualcomm HS-USB QDLoader 9008 appears in the device manager.
I have tried several blankflash (1, 2, 3) but it does not work.
Also with Qfil and the same result.
Code:
greeting device for command mode
ReadFile() failed, error=31
opening device: \\.\COM3
OKAY [ 0.023s]
greeting device for command mode
ReadFile() failed, error=995
opening device: \\.\COM3
opening device: \\.\COM3
OKAY [ 0.008s]
greeting device for command mode
OKAY [ 0.010s]
identifying device
...serial = 0x1B9ACE0A
...chip-id = 0x4F
...chip-rev = 0x0
...sv-sbl = 0x1
OKAY [ 0.038s]
finding files
...programmer = programmer.mbn
...singleimage = singleimage.bin
OKAY [ 0.020s]
validating files
OKAY [ 0.002s]
switching to download mode
OKAY [ 0.004s]
greeting device for image downloading
OKAY [ 0.002s]
sending programmer
Unexpected packet: 4. Was expecting: 3
FAILED (blank-flash:sahara-transfer-image:send-image:unexpected packet)
:crying:
thanks in advance
Its call Hardbrick, dont have for now any flashbank for motog5
Seriously ? And do you know if there will be?
takoa said:
Seriously ? And do you know if there will be?
Click to expand...
Click to collapse
It will never be released officially - Motorola don't release these files - they are either leaked or someone modifies existing files
You can try
www.kriztekblog.com/2016/10/how-to-flash-qualcomm-mbn-firmware-qpst-tool.html/amp
The firehose file I'll put in the attachment below - Unzip it
Make sure you install everything & put all files in root of c: keep paths short with no spaces eg c:/flashtool
Iv no idea what else maybe required as I don't have this device anymore & even if I did I'd only test it if my device needed reimaging
Your only other option is a motherboard replacement or a repair shop with the equipment to reimage devices eg via a j-tag
more files are missing
TheFixItMan said:
It will never be released officially - Motorola don't release these files - they are either leaked or someone modifies existing files
You can try
www.kriztekblog.com/2016/10/how-to-flash-qualcomm-mbn-firmware-qpst-tool.html/amp
The firehose file I'll put in the attachment below - Unzip it
Make sure you install everything & put all files in root of c: keep paths short with no spaces eg c:/flashtool
Iv no idea what else maybe required as I don't have this device anymore & even if I did I'd only test it if my device needed reimaging
Your only other option is a motherboard replacement or a repair shop with the equipment to reimage devices eg via a j-tag
Click to expand...
Click to collapse
you will have the other path and xml files missing, Has someone already worked with you? tendras los demas archivos path y xml que falta, alguien ya le funciono con exito este metodo?
oxxo.andatti said:
you will have the other path and xml files missing, Has someone already worked with you? tendras los demas archivos path y xml que falta, alguien ya le funciono con exito este metodo?
Click to expand...
Click to collapse
You will either have to find one that works or develop your own if the ones that come with the program don't work
Like I said - I no longer have this phone & Iv tested nothing - I can provide ideas it's up to you to research alot of searching & come up with the solution
I have tried all the possible ways that I have found here and on the net ... and nothing. Still the same. Hopefully it will be soon the release of blankflash. I look forward to it. ?
work for me
takoa said:
I have tried all the possible ways that I have found here and on the net ... and nothing. Still the same. Hopefully it will be soon the release of blankflash. I look forward to it.
Click to expand...
Click to collapse
I found something that revive meu cedric that was only with LED blinking...
when conected to pc was found something like qualcomm 9008...
I'll get those files at my windows pc and can send to you
but is a kind of blankflash, write the bootloader and flash the room...
maybe i can get those files tomorow
carlapazin said:
I found something that revive meu cedric that was only with LED blinking...
when conected to pc was found something like qualcomm 9008...
I'll get those files at my windows pc and can send to you
but is a kind of blankflash, write the bootloader and flash the room...
maybe i can get those files tomorow
Click to expand...
Click to collapse
please, as soon as possible
thank you very much
:fingers-crossed::fingers-crossed::fingers-crossed:
files
takoa said:
please, as soon as possible
thank you very much
:fingers-crossed::fingers-crossed::fingers-crossed:
Click to expand...
Click to collapse
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
carlapazin said:
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
Click to expand...
Click to collapse
carla that so works in the Motorola cedric already proven it?
NABECKER16 said:
carla that so works in the Motorola cedric already proven it?
Click to expand...
Click to collapse
It works fo me!
carlapazin said:
It works fo me!
Click to expand...
Click to collapse
do you think it works on my moto g5 xt1672 from at & t mex
carlapazin said:
done!
just follow the sequence:
1 - blankflash
2 - bootloader gpt
then you can write de ROM with RSD or ADB
let me know if i could help you
drive.google.com/open?id=1pFMczSqIaw9qOPIuU2bywKEAgpeF41v_
Click to expand...
Click to collapse
it does not work
can you tell us what steps you have followed, the operating system you use, the driver used and so on?
not working in xt1672
takoa said:
it does not work
can you tell us what steps you have followed, the operating system you use, the driver used and so on?
Click to expand...
Click to collapse
I did with battery fully charged!
The bootloader of my XT1676 was locked
used the .bat file in:
1 - blankflash (the phone will restart on fastbot mode)
then the .bat file on 2 - bootloader gpt
again in fastboot mode, you can flash the early rom using ADB or RSD Lite.
my OS = Windows 7 (test mode active)
and the driver i've downloaded from anywere here at xda....
on windows the phone is show qualcomm 9008 (something like that)
oh yeah! uninstall all motorola drivers and just keep the qualcomm!!!
if u don't find those drivers, i can upload
---------- Post added 27th April 2018 at 12:04 AM ---------- Previous post was 26th April 2018 at 11:59 PM ----------
NABECKER16 said:
not working in xt1672
Click to expand...
Click to collapse
Sorry, bro...
Mine is XT1676... but I'm from Brazil... and the official model here is XT1672... I can look for something to ya
carlapazin said:
I did with battery fully charged!
The bootloader of my XT1676 was locked
used the .bat file in:
1 - blankflash (the phone will restart on fastbot mode)
then the .bat file on 2 - bootloader gpt
again in fastboot mode, you can flash the early rom using ADB or RSD Lite.
my OS = Windows 7 (test mode active)
and the driver i've downloaded from anywere here at xda....
on windows the phone is show qualcomm 9008 (something like that)
oh yeah! uninstall all motorola drivers and just keep the qualcomm!!!
if u don't find those drivers, i can upload
---------- Post added 27th April 2018 at 12:04 AM ---------- Previous post was 26th April 2018 at 11:59 PM ----------
Sorry, bro...
Mine is XT1676... but I'm from Brazil... and the official model here is XT1672... I can look for something to ya
Click to expand...
Click to collapse
takoa said:
[ 0.000] Opening device: \\.\COM5
[ 0.000] Detecting device
[ 0.000] ...cpu.id = 79 (0x4f)
[ 0.000] ...cpu.sn = 463130122 (0x1b9ace0a)
[ 0.000] Opening singleimage
[ 0.000] ERROR: error opening singleimage
[ 0.000] Check qboot_log.txt for more details
[ 0.000] Total time: 0.010s
[ 0.000]
[ 0.000] qboot version 3.40
[ 0.000]
[ 0.000] DEVICE {
[ 0.000] name = "\\.\COM5",
[ 0.000] flags = "0x64",
[ 0.000] addr = "0x28FE6C",
[ 0.000] sahara.current_mode = "3",
[ 0.000] api.buffer = "0x24F0020",
[ 0.000] cpu.serial = "463130122",
[ 0.000] cpu.id = "79",
[ 0.000] cpu.sv_sbl = "1",
[ 0.000] api.bnr = "0x652D78",
[ 0.000] }
[ 0.000]
[ 0.000]
[ 0.000] Backup & Restore {
[ 0.000] num_entries = 0,
[ 0.000] restoring = "false",
[ 0.000] backup_error = "not started",
[ 0.000] restore_error = "not started",
[ 0.000] }
[ 0.000]
Click to expand...
Click to collapse
takoa said:
Click to expand...
Click to collapse
let's find another singleImage.... that's the only i've got
sorry, man
carlapazin said:
let's find another singleImage.... that's the only i've got
sorry, man
Click to expand...
Click to collapse
Maybe the image is corrupted when you uploaded it, since it cant be opened.
carlapazin said:
let's find another singleImage.... that's the only i've got
sorry, man
Click to expand...
Click to collapse
Hi. What I do not understand is because it does not work and it gives error being my terminal is the same model as yours, xt1676.
Use w7x64, unlocked bootloader, test mode, compilation 7601 and the correct qualcomm drivers.
Something I have or have overlooked.

Hard Brick Moto Z Play patch April

Guys i looked everywhere, i have almost 19 files of blank flash with me, i tried every file.
most of them i get this error
Code:
**** Log buffer [000001] 2018-04-26_17:50:55 ****
[ 0.000] Opening device: \\.\COM4
[ 0.001] Detecting device
[ 4.007] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 4.007] Check qboot_log.txt for more details
[ 4.008] Total time: 4.009s
[ 4.008]
[ 4.008] qboot version 3.40
[ 4.008]
[ 4.008] DEVICE {
[ 4.008] name = "\\.\COM4",
[ 4.008] flags = "0x64",
[ 4.008] addr = "0x61FE5C",
[ 4.008] api.bnr = "0x2932F80",
[ 4.008] }
[ 4.008]
[ 4.008]
[ 4.008] Backup & Restore {
[ 4.008] num_entries = 0,
[ 4.008] restoring = "false",
[ 4.008] backup_error = "not started",
[ 4.008] restore_error = "not started",
[ 4.008] }
[ 4.008]
Sometimes i get this error:
Code:
**** Log buffer [000001] 2018-04-26_18:50:06 ****
[ 0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 70 (0x46)
[ 0.004] ...cpu.sn = 2664816212 (0x9ed5de54)
[ 0.004] Opening singleimage
[ 0.005] Loading package
[ 0.006] ...filename = singleimage.pkg.xml
[ 0.007] Loading programmer
[ 0.008] ...filename = programmer.mbn
[ 0.008] Sending programmer
[ 0.227] Handling things over to programmer
[ 0.227] Identifying CPU version
[ 0.233] Waiting for firehose to get ready
[ 60.789] Waiting for firehose to get ready
[120.875] ...MSM8953 unknown
[120.875] Determining target secure state
[120.882] Waiting for firehose to get ready
[180.966] ...secure = no
[181.005] Waiting for firehose to get ready
[241.083] Configuring device...
[241.086] Waiting for firehose to get ready
[301.165] Waiting for firehose to get ready
[361.257] Waiting for firehose to get ready
[421.340] Waiting for firehose to get ready
[481.421] ERROR: do_package()->do_recipe()->do_configure()->buffer_read()->device_read()->IO error
[481.421] Check qboot_log.txt for more details
[481.422] Total time: 481.423s
[481.422]
[481.422] qboot version 3.40
[481.422]
[481.422] DEVICE {
[481.422] name = "\\.\COM3",
[481.422] flags = "0x64",
[481.422] addr = "0x61FE5C",
[481.422] sahara.current_mode = "0",
[481.422] api.buffer = "0x2D9D020",
[481.422] cpu.serial = "2664816212",
[481.422] cpu.id = "70",
[481.422] cpu.sv_sbl = "0",
[481.422] cpu.name = "MSM8953",
[481.422] storage.type = "eMMC",
[481.422] sahara.programmer = "programmer.mbn",
[481.422] module.firehose = "0xEEBC8",
[481.422] cpu.ver = "0",
[481.422] cpu.vername = "unknown",
[481.422] api.bnr = "0x2CD8388",
[481.422] }
[481.422]
[481.422]
[481.422] Backup & Restore {
[481.422] num_entries = 0,
[481.422] restoring = "false",
[481.422] backup_error = "not started",
[481.422] restore_error = "not started",
[481.422] }
[481.422]
i was at 7.0 and got a update *april* i just clicked and forgot that my phone was rooted, when i look back my cellphone was off . cant access bootloader...
and no blank flash help me.
OBS: used windows 10, 3.0 USB and Vmware with windows 7.
Qualcomm driver installed.
what should i do?
I get these errors too, in my case I did downgrade the oreo 8.0.0 patch from March to Nougat 7.1.1 after I was applying a patch by OTA. I had forgotten that this was how hardbrick got, lol. now I'm hoping to get the blankflash for Oreo 8.0.0 and hope to revive my Z Play.
translated from google translate
Guys, you all know that expecially on this Motorola phone you need to avoid flashing an older bootloader to apply after an OTA update. It ends with hardbrick, that is not the first time we've seen this on this forum.
Systemlessly said:
Guys, you all know that expecially on this Motorola phone you need to avoid flashing an older bootloader to apply after an OTA update. It ends with hardbrick, that is not the first time we've seen this on this forum.
Click to expand...
Click to collapse
but , my rom was 7 , so none of this bootloaders are old. i just cant find one to fix and cant understand this error what means.
carolnap said:
Guys i looked everywhere, i have almost 19 files of blank flash with me, i tried every file.
most of them i get this error
i was at 7.0 and got a update *april* i just clicked and forgot that my phone was rooted, when i look back my cellphone was off . cant access bootloader...
and no blank flash help me.
OBS: used windows 10, 3.0 USB and Vmware with windows 7.
Qualcomm driver installed.
what should i do?
Click to expand...
Click to collapse
Have you you tried the blankflash here? https://forum.xda-developers.com/showpost.php?p=73402033&postcount=181
If so and it doesn't work, or your device was previously updated to the stock 7.1.1 or 8.0 stock firmware, then you may well have to either wait for a newer blankflash or send your device for a service repair.
Generally, if you downgrade your device stock firmware, please do not use OTA updates.
Systemlessly said:
Guys, you all know that expecially on this Motorola phone you need to avoid flashing an older bootloader to apply after an OTA update. It ends with hardbrick, that is not the first time we've seen this on this forum.
Click to expand...
Click to collapse
echo92 said:
Have you you tried the blankflash here? https://forum.xda-developers.com/showpost.php?p=73402033&postcount=181
If so and it doesn't work, or your device was previously updated to the stock 7.1.1 or 8.0 stock firmware, then you may well have to either wait for a newer blankflash or send your device for a service repair.
Generally, if you downgrade your device stock firmware, please do not use OTA updates.
Click to expand...
Click to collapse
hello, i used, it always stucked on "waiting for the firehose to come"
and then error
so if i use the oreo blankflash... ill only be able to use oreo from now on.
it that what u means?
obs: i think is stock 7.1.1
carolnap said:
hello, i used, it always stucked on "waiting for the firehose to come"
and then error
so if i use the oreo blankflash... ill only be able to use oreo from now on.
it that what u means?
Click to expand...
Click to collapse
Try the blankflash a few times, sometimes it fails to receive a response from your device (hence waiting for the firehose). Alternatively it could mean the blankflash is too old for your bootloader to rescue it (blankflashes appear to only be able to repair bootloaders that are older or as new as the blankflash supplied bootloader).
If you use the Oreo blankflash, then your bootloader would be likely updated to the Oreo bootloader. In theory, you could flash older stock firmware, but again, using OTA updates on a device with downgraded stock firmware is a really bad idea.
However, that is dependent on even if we get an Oreo blankflash, as these are leaked from internal Motorola development. As such, we're very lucky to have them...
echo92 said:
Try the blankflash a few times, sometimes it fails to receive a response from your device (hence waiting for the firehose). Alternatively it could mean the blankflash is too old for your bootloader to rescue it (blankflashes appear to only be able to repair bootloaders that are older or as new as the blankflash supplied bootloader).
If you use the Oreo blankflash, then your bootloader would be likely updated to the Oreo bootloader. In theory, you could flash older stock firmware, but again, using OTA updates on a device with downgraded stock firmware is a really bad idea.
However, that is dependent on even if we get an Oreo blankflash, as these are leaked from internal Motorola development. As such, we're very lucky to have them...
Click to expand...
Click to collapse
can you tell me if metters that i use windows 10 or windows 7, because both give me the same error.
and when is at waiting the firehose i listen to a driver sound that is unpluggin and then pluggin ...
carolnap said:
can you tell me if metters that i use windows 10 or windows 7, because both give me the same error.
and when is at waiting the firehose i listen to a driver sound that is unpluggin and then pluggin ...
Click to expand...
Click to collapse
Hmm, are you seeing your device present in Device Manager? It should either show up as Motorola ADB interface or perhaps fastboot addison_s, or is it showing up as Qualcomm HS_USB 9008 or similar?
Do you have the Motorola ADB drivers installed? Also, do you have driver signature enforcement disabled if you are running a 64 bit build of Windows? (one guide to disable enforcement is here: https://www.howtogeek.com/167723/ho...8.1-so-that-you-can-install-unsigned-drivers/ )
Also, try with the original USB Motorola cable or a high quality USB data cable. You could try the following too (credit to: https://forum.xda-developers.com/moto-g4-plus/help/solved-unbrick-hard-bricked-dead-t3585016 )
Follow the below steps.
1. Keep your mobile connected using USB, obviously.
2. using one hand keep power button and volume down button pressed at same time and using other hand click blank-flash.bat file.
3. It might be possible that blank-flash.bat scritps get finished earlier, in that case, keep clicking .bat file continuously, you don't need to close previous cmd window. For me it took 5-6 run to get script detect/communicate with device. Here idea is that your mobile should get detected when you press power button+volume button while blank-flash.bat file is still executing.
4. keep trying step 3 unless you dont see below logs.
However, if you were originally on 7.1.1 then downgraded to 7.0, then took the April OTA update, depending on what 7.1.1 firmware you had, you may have to wait for the Oreo blankflash or pay for a service repair, as the blankflashes we have may be too old, and won't rescue a corrupted 7.1.1 bootloader (since downgrading stock firmware does not downgrade your bootloader in many cases. Hence, taking an old OTA - which does not check your bootloader version - corrupts your newer bootloader when the OTA flashes an old bootloader onto your device).
That being said, given you were rooted in the first place, the OTA should have failed as it detected root. What happens when you power off your device and then hold down the power and volume down keys, anything?
echo92 said:
Hmm, are you seeing your device present in Device Manager? It should either show up as Motorola ADB interface or perhaps fastboot addison_s, or is it showing up as Qualcomm HS_USB 9008 or similar?
Do you have the Motorola ADB drivers installed? Also, do you have driver signature enforcement disabled if you are running a 64 bit build of Windows? (one guide to disable enforcement is here: https://www.howtogeek.com/167723/ho...8.1-so-that-you-can-install-unsigned-drivers/ )
Also, try with the original USB Motorola cable or a high quality USB data cable. You could try the following too (credit to: https://forum.xda-developers.com/moto-g4-plus/help/solved-unbrick-hard-bricked-dead-t3585016 )
Follow the below steps.
1. Keep your mobile connected using USB, obviously.
2. using one hand keep power button and volume down button pressed at same time and using other hand click blank-flash.bat file.
3. It might be possible that blank-flash.bat scritps get finished earlier, in that case, keep clicking .bat file continuously, you don't need to close previous cmd window. For me it took 5-6 run to get script detect/communicate with device. Here idea is that your mobile should get detected when you press power button+volume button while blank-flash.bat file is still executing.
4. keep trying step 3 unless you dont see below logs.
However, if you were originally on 7.1.1 then downgraded to 7.0, then took the April OTA update, depending on what 7.1.1 firmware you had, you may have to wait for the Oreo blankflash or pay for a service repair, as the blankflashes we have may be too old, and won't rescue a corrupted 7.1.1 bootloader (since downgrading stock firmware does not downgrade your bootloader in many cases. Hence, taking an old OTA - which does not check your bootloader version - corrupts your newer bootloader when the OTA flashes an old bootloader onto your device).
That being said, given you were rooted in the first place, the OTA should have failed as it detected root. What happens when you power off your device and then hold down the power and volume down keys, anything?
Click to expand...
Click to collapse
hi,
-- on device manager is showing Qualcomm HS_USB 9008
-- driver signature enforcement disabled ( ive done that)
-- original USB Motorola cable (im using this one)
-- That being said, given you were rooted in the first place, the OTA should have failed as it detected root. What happens when you power off your device and then hold down the power and volume down keys, anything?
well my cellphone shut down in the middle of update and nothing happens when i press those keys.
thanks for helping me, but i really dont know why when i finnaly get those message of waiting the firehose it get the error. it should be working right, i dont think its driver anymore...
on the 0.233 (in the picture) is where i hear the sound of driver unpluggin and the pluggin so i stop pressing vol down and power...
but nothing happens after that. even if i keep pressing the sound continue and the error is the same
carolnap said:
hi,
-- on device manager is showing Qualcomm HS_USB 9008
-- driver signature enforcement disabled ( ive done that)
-- original USB Motorola cable (im using this one)
-- That being said, given you were rooted in the first place, the OTA should have failed as it detected root. What happens when you power off your device and then hold down the power and volume down keys, anything?
well my cellphone shut down in the middle of update and nothing happens when i press those keys.
thanks for helping me, but i really dont know why when i finnaly get those message of waiting the firehose it get the error. it should be working right, i dont think its driver anymore...
on the 0.233 (in the picture) is where i hear the sound of driver unpluggin and the pluggin so i stop pressing vol down and power...
but nothing happens after that. even if i keep pressing the sound continue and the error is the same
Click to expand...
Click to collapse
Ah, if your device shut down in the middle of the update, then that suggests a definite hard brick (presumably when the OTA attempted to flash the old April 2017 bootloader onto a 7.1.1 bootloader and corrupted the newer bootloader).
The info you've provided suggests that your device is communicating in the Qualcomm fallback mode (HS_USB 9008) to your computer, hence why you're hearing the driver sounds. However, the multitude of 'waiting for firehose' suggests that the blankflash is still not communicating properly with your device. As I understand it, when the blankflash communicates with your device, it sends over a (signed) programmer to establish a connection and to verify your device CPU and bootloader are suitable for sending over the new bootloader. If it is not suitable, the blankflash is left waiting for a reply (waiting for firehose) before timing out. That suggests the blankflashes you're using are too old for your device bootloader, especially if you're getting MSM8953 unknown, which likely points to the blankflash being unable to identify your CPU/chipset and/or bootloader and so cannot authorise the transfer.
For more info: https://github.com/openpst/sahara/blob/master/README.md
Also, here's an interesting article on firehose programmers (the part of the blankflash that authorises the transfer of the new bootloader) and why some OEMs don't want to give them out, as you could in theory compromise the bootloader security: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
echo92 said:
Ah, if your device shut down in the middle of the update, then that suggests a definite hard brick (presumably when the OTA attempted to flash the old April 2017 bootloader onto a 7.1.1 bootloader and corrupted the newer bootloader).
The info you've provided suggests that your device is communicating in the Qualcomm fallback mode (HS_USB 9008) to your computer, hence why you're hearing the driver sounds. However, the multitude of 'waiting for firehose' suggests that the blankflash is still not communicating properly with your device. As I understand it, when the blankflash communicates with your device, it sends over a (signed) programmer to establish a connection and to verify your device CPU and bootloader are suitable for sending over the new bootloader. If it is not suitable, the blankflash is left waiting for a reply (waiting for firehose) before timing out. That suggests the blankflashes you're using are too old for your device bootloader.
For more info: https://github.com/openpst/sahara/blob/master/README.md
Also, here's an interesting article on firehose programmers (the part of the blankflash that authorises the transfer of the new bootloader) and why some OEMs don't want to give them out, as you could in theory compromise the bootloader security: https://alephsecurity.com/2018/01/22/qualcomm-edl-1/
Click to expand...
Click to collapse
what you means by definite hard brick, ill not able to recover even with the blankflash oreo?
carolnap said:
what you means by definite hard brick, ill not able to recover even with the blankflash oreo?
Click to expand...
Click to collapse
By definite hard brick, I mean you may likely need to wait for a much newer blankflash than any we have available. Hard bricks are very difficult to resolve without the correct/newest blankflashes. As I mentioned earlier, any blankflash you use can only work if it's flashing a 7.1.1 or newer bootloader onto a device that was formally updated to 7.1.1 - any blankflashes designed for 7.0 or blankflashes for older 7.1.1 builds may not work. Again, you may wish to repeat using the blankflash as sometimes it takes a few tries to get the connection working.
The Oreo blankflash should work, as that likely carries the newest bootloader available. However, I have no idea when that will be leaked, or if it will even be leaked. You may be able to find a member who knows a sympathetic Motorola engineer to get an updated blankflash from, or a factory Oreo stock fastboot ROM, but those are leaks and as such it is very difficult to know if or when they will be released.
If you need a device in a hurry, you would likely be best served by possibly paying for a motherboard replacement or buying a new device, and putting your Z Play aside in the hope there's a rescue blankflash in the future.
usuario do Z play said:
I get these errors too, in my case I did downgrade the oreo 8.0.0 patch from March to Nougat 7.1.1 after I was applying a patch by OTA. I had forgotten that this was how hardbrick got, lol. now I'm hoping to get the blankflash for Oreo 8.0.0 and hope to revive my Z Play.
translated from google translate
Click to expand...
Click to collapse
What date was the security patch of Nougat that you flashed? @echos97 told me that if it was the Feb 2018 one, (which was the one directly before the March and April Oreo builds), you might have been safe to update via OTA. Perhaps you flashed an older build?
djdelarosa25 said:
What date was the security patch of Nougat that you flashed? @echos97 told me that if it was the Feb 2018 one, (which was the one directly before the March and April Oreo builds), you might have been safe to update via OTA. Perhaps you flashed an older build?
Click to expand...
Click to collapse
i have this file next to the rom
BUILD REQUEST INFO:
SW Version: addison-user 7.0 NPNS25.137-24-1-4 5 release-keysM8953_10222.33.04.62R
MBM Version: C1.06
Modem Version: M8953_10222.33.04.62R
FSG Version: FSG-8953-04.81
Build Fingerprint: motorola/addison/addison:7.0/NPNS25.137-24-1-4/5:user/release-keys
VERSION INFO FOUND UNDER 'ABOUT PHONE' SCREEN:
System Version: 25.201.5.addison.retail.en.US
Model number: XT1635-02
Android Version: 7.0
Baseband Version: M8953_10222.33.04.62R
Build Number: addison-user 7.0 NPNS25.137-24-1-4 5 release-keys
Build Date: Thu Mar 16 08:38:42 CDT 2017
OTHER MISC VERSION INFO:
Subsidy Lock Config: slcf_rev_d_default_v1.0.nvm
Regulatory Info (eLabel): regulatory_info_default.png
Blur Version: Blur_Version.25.201.5.addison.retail.en.US
Version when read from CPV: addison-user 7.0 NPNS25.137-24-1-4 5 release-keys
was the first update i got when i started the rom
right now i dont even knw if was april
carolnap said:
i have this file next to the rom
BUILD REQUEST INFO:
SW Version: addison-user 7.0 NPNS25.137-24-1-4 5 release-keysM8953_10222.33.04.62R
MBM Version: C1.06
Modem Version: M8953_10222.33.04.62R
FSG Version: FSG-8953-04.81
Build Fingerprint: motorola/addison/addison:7.0/NPNS25.137-24-1-4/5:user/release-keys
VERSION INFO FOUND UNDER 'ABOUT PHONE' SCREEN:
System Version: 25.201.5.addison.retail.en.US
Model number: XT1635-02
Android Version: 7.0
Baseband Version: M8953_10222.33.04.62R
Build Number: addison-user 7.0 NPNS25.137-24-1-4 5 release-keys
Build Date: Thu Mar 16 08:38:42 CDT 2017
OTHER MISC VERSION INFO:
Subsidy Lock Config: slcf_rev_d_default_v1.0.nvm
Regulatory Info (eLabel): regulatory_info_default.png
Blur Version: Blur_Version.25.201.5.addison.retail.en.US
Version when read from CPV: addison-user 7.0 NPNS25.137-24-1-4 5 release-keys
was the first update i got when i started the rom
right now i dont even knw if was april
Click to expand...
Click to collapse
You didn't answer my question. You posted that you flashed back to Nougat after flashing Oreo. May I ask again, what date was the security patch of the Nougat firmware that you flashed?
EDIT: Apologies, seems like you flashed way back to 7.0. Well, if that's the case, I think there's nothing you can do but wait for the Oreo firmware to become available. If you flashed back to Feb 2018 7.1.1, this may not have been an issue.
djdelarosa25 said:
You didn't answer my question. You posted that you flashed back to Nougat after flashing Oreo. May I ask again, what date was the security patch of the Nougat firmware that you flashed?
Click to expand...
Click to collapse
If that's the stock ROM they flashed, Googling the build number suggests it was March 2017. If they had formally updated to 7.1.1, their bootloader would have been at least the August 2017 build. The large disparity in firmware build versions is the likely reason they hard bricked when taking the Nougat April 2017 OTA patch. Credit to: https://forum.xda-developers.com/moto-z-play/how-to/moto-z-play-reteu-firmware-otas-t3557917
djdelarosa25 said:
You didn't answer my question. You posted that you flashed back to Nougat after flashing Oreo. May I ask again, what date was the security patch of the Nougat firmware that you flashed?
Click to expand...
Click to collapse
i didnt flashed oreo anytime
guys, i was with a custom rom, and flashed this rom (last topic)
so i got the update after reboot the cellphone (right after flashed this rom) ok?
and then the cellphone died.
djdelarosa25 said:
You didn't answer my question. You posted that you flashed back to Nougat after flashing Oreo. May I ask again, what date was the security patch of the Nougat firmware that you flashed?
EDIT: Apologies, seems like you flashed way back to 7.0. Well, if that's the case, I think there's nothing you can do but wait for the Oreo firmware to become available. If you flashed back to Feb 2018 7.1.1, this may not have been an issue.
Click to expand...
Click to collapse
why 7 is a problem and not 7.1
7 is older...
carolnap said:
why 7 is a problem and not 7.1
7 is older...
Click to expand...
Click to collapse
Not all 7.1.1 builds are SAFE to flash, ONLY the latest build prior to the Android version jump - in this case, the Feb 2018 patch
7.0 is way older. If you came from Oreo and flashed Feb 2018 7.1.1 Nougat, you would still have the Oreo bootloader. In this case, updating back to Oreo would work, as it is the same bootloader version. But if you flashed 7.0 and accepted an OTA, this would brick your device due to bootloader incompatibility. AFAIK, you can't skip OTA releases. You'd have to update to the next patch before the next one if your device is a few builds outdated.
I have to credit my friend @echo92 here for all the knowledge. Though to be fair, I haven't completely gotten the whole idea and I ask for your help again in helping this poor fellow.

Help Help help !!! Deep Cable / Flash Cable Moto Z2 Force

Hi everybody.
As I know that it is possible that someone wants to know why I need a deep cable here is a super summary of my catastrophe:
I made a root in my Z2 Force with the bootloader unlocked (thanks to the number that Motorola gives to do that) and with the SU, after that I knew (not before, damn) that some applications don't work on root cell phones (****) among these my bank app, Netflix app, Fox app (**** **** ****), even using the Root Cloak app and others like that the result is that they don't work, so I needed to return to the unroot state, until there everything manageable, buuuuuuuuut, when I had to flash the stock ROM I downloaded the wrong version (fuuuuuuuck), the result was that the cell phone doesn't recognize the SIM cards, doesn't allow the use of WIFI, my IMEI was lost (wtf!) and when I try to flash again (in fastboot) with the correct ROM stock the bootloader doesn't leave me because it says "Flashing_locked", (what? but if I already unlocked it before !, well no, the ****ing cell phone doesn't recognize that, if I try to unblock it through the fastboot commands give as results that the process was satisfactory, but when restarting the bootloader it says NO, I'm still locked mother****er ! ...........
Well, that's why I need a deep cable, to flash with the (foolish) "Flasing_locked" status. So, the problem is basically that I found on the Internet those who do the deep cable with micro-usb, I haven't found how to do it with a usb-c cable. In the cases with micro-usb you only have to bridge the black and green wires and "ta dah" everything is done, in others I also see in micro-usb the pin 4 is jumpered with pin 1 in the micro-usb connector, but on the usb-c cable I have something like 20 pins and more than 4 cables, so I don't know how I can do the deep cable with a usb-c.
Please, I need help :crying:
I think there is another way to go about this than putting your devices into Qualcomm 9008. That is what you are wanting the EDL Deep Cable for, right? Instead of that, why not try this thread here, https://forum.xda-developers.com/z2-force/how-to/how-to-return-to-stock-sprint-t3694783, and see if Uzephi's method doesnt get you back to stock. If for some reason his flashall doesnt work, then I would suggest using a blankflash for your version of Android to wipe the slate clean and then use the return to stock method for your device.
fast69mopar said:
I think there is another way to go about this than putting your devices into Qualcomm 9008. That is what you are wanting the EDL Deep Cable for, right? Instead of that, why not try this thread here, https://forum.xda-developers.com/z2-force/how-to/how-to-return-to-stock-sprint-t3694783, and see if Uzephi's method doesnt get you back to stock. If for some reason his flashall doesnt work, then I would suggest using a blankflash for your version of Android to wipe the slate clean and then use the return to stock method for your device.
Click to expand...
Click to collapse
Okay ! I'm going to try those two options and I'll write you what happens.
Thanks !
Well, I'm here again.
I tried the two methods that you kindly indicated to me:
1. https://forum.xda-developers.com/z2-...print-t3694783 The Flashall.bat file really does not do anything different than being an automated flash of what you can usually do manually, I mean, it does the flash using the fastboot file by file, so because it's the same process (but automated) I got the same result, when the Flashall.bat file tries to send / flash the files the response status is Failed, because the flashing status in the bootloader is locked.
2. Blankflash metod. This method seems to work when the cell phone is bricked and does not enter the bootloader, and that is not my case because I can access the cell phone, for example if I connect the cell phone to the computer in:
a) the boot manager mode, the "Device Manager" recognizes it as "Android Device / Motorola ADB Interface"
b) started the ROM (and activated the "USB Debugging"), the "Device Manager" also recognizes it as "Android Device / Motorola ADB Interface"
c) QCOM mode (selected from the bootloader) the "Device Manager" recognizes it as "Qualcomm HS-USB Diagnostics 9092".
Anyway, if I run the blank-flash file in:
a) bootloader mode, the CMD shows "waiting device" and does nothing
b) started the ROM (and activated the "USB Debugging"), the CMD shows "waiting device" and does nothing
c) QCOM mode (selected from the bootloader), the CMD shows "waiting for the device" and does nothing (this same result with or without the activation of "USB Debugging")
So I'm still the same, I think my only option is Deep Cable, what do you think?
Loperaco said:
Well, I'm here again.
I tried the two methods that you kindly indicated to me:
1. https://forum.xda-developers.com/z2-...print-t3694783 The Flashall.bat file really does not do anything different than being an automated flash of what you can usually do manually, I mean, it does the flash using the fastboot file by file, so because it's the same process (but automated) I got the same result, when the Flashall.bat file tries to send / flash the files the response status is Failed, because the flashing status in the bootloader is locked.
2. Blankflash metod. This method seems to work when the cell phone is bricked and does not enter the bootloader, and that is not my case because I can access the cell phone, for example if I connect the cell phone to the computer in:
a) the boot manager mode, the "Device Manager" recognizes it as "Android Device / Motorola ADB Interface"
b) started the ROM (and activated the "USB Debugging"), the "Device Manager" also recognizes it as "Android Device / Motorola ADB Interface"
c) QCOM mode (selected from the bootloader) the "Device Manager" recognizes it as "Qualcomm HS-USB Diagnostics 9092".
Anyway, if I run the blank-flash file in:
a) bootloader mode, the CMD shows "waiting device" and does nothing
b) started the ROM (and activated the "USB Debugging"), the CMD shows "waiting device" and does nothing
c) QCOM mode (selected from the bootloader), the CMD shows "waiting for the device" and does nothing (this same result with or without the activation of "USB Debugging")
So I'm still the same, I think my only option is Deep Cable, what do you think?
Click to expand...
Click to collapse
To use blankflash you need to be in 9008 mode, since you have adb working try issuing the command 'adb reboot-edl' or 'adb reboot edl' can't recall at the moment. You'll know when you're in edl/9008 mode because the screen will be blank and the device will recognize as 9008. If you can't reboot to edl through adb, go to fastboot and try 'fastboot oem blankflash' again you'll know when you're ready for blankflash because the device will recognize as 9008. If the commands don't take, boot into QCOM mode and try 'fastboot oem blankflash'
*To unlock the bootloader you need to select oem unlock in settings. If it's greyed out you need to connect to internet and sign into google. Try bluetooth connection or a cable since wifi and mobile is borked at the moment.
41rw4lk said:
To use blankflash you need to be in 9008 mode, since you have adb working try issuing the command 'adb reboot-edl' or 'adb reboot edl' can't recall at the moment. You'll know when you're in edl/9008 mode because the screen will be blank and the device will recognize as 9008. If you can't reboot to edl through adb, go to fastboot and try 'fastboot oem blankflash' again you'll know when you're ready for blankflash because the device will recognize as 9008. If the commands don't take, boot into QCOM mode and try 'fastboot oem blankflash'
*To unlock the bootloader you need to select oem unlock in settings. If it's greyed out you need to connect to internet and sign into google. Try bluetooth connection or a cable since wifi and mobile is borked at the moment.
Click to expand...
Click to collapse
Hi.
I have fresh news.
The first thing I tried was to enable the option to unlock the OEM because that option was in gray, try to connect the internet via USB cable and no option worked, but when connecting by bluetooth (which is not easy either for those who don’t know how) I did it! and once connected, I enabled the option again, so I activated it to allow me to unlock the OEM, but when restarting the bootloader to verify it was still showing the status "Flashing_locked" (sad face).
Even knowing this, try the options in this order and with these results:
1. Try the command 'adb reboot-edl' or 'adb reboot edl'. The first command that the console recognized was 'adb reboot -edl' but once accepted by the CMD the cell phone was rebooted alone and went back to the ROM, that is, it was not blank.
2. Go to fastboot and try 'fastboot oem blankflash'. When doing this the result obtained in the CMD was “(bootloader) Command Restricted FAILED (remote failure) finished. total time: 0.006s”, probably due to the fact that the bootloader still indicates "Flashing_locked".
3. Boot into QCOM mode and try 'fastboot oem blankflash'. When I start the QCOM option from the bootloader the cell phone automatically loads the ROM, after this I activated the USB Debugging and ran the command in question but the result was "<waiting for any device>" and nothing happens. I tried the command again without activating the USB Debugging and nothing happened either. If I enter the command "fastboot devices" the command does not give any results, I give way to the next line as if nothing happened.
4. I was sad after all this so I decided to retry everything, starting with the command to put the phone in mode 9008, so, just out of curiosity I tried the second sentence you wrote, that is, 'adb reboot edl' (without the line in the middle before the word “edl”), this command also recognized it but this time if it went to blank (yeah !!!). So after accomplishing this I followed the instructions of https://forum.xda-developers.com/z2-force/help/hard-bricked-blankflash-z2-force-t3705789, but the result when executing the Blank-Flash file was:
[ 0.000] Opening device: \\.\COM11
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 94 (0x5e)
[ 0.005] ...cpu.sn = 3632543294 (0xd884363e)
[ 0.005] Opening singleimage
[ 0.005] Loading package
[ 0.009] ...filename = pkg.xml
[ 0.012] Loading programmer
[ 0.012] ...filename = programmer.elf
[ 0.013] Sending programmer
[ 0.091] ReadFile() failed, GetLastError()=0
[ 0.644] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.644] ERROR: sahara_download()->general error
[ 0.644] Check qboot_log.txt for more details
[ 0.645] Total time: 0.646s
[ 0.645]
[ 0.645] qboot version 3.85
[ 0.645]
[ 0.645] DEVICE {
[ 0.645] name = "\\.\COM11",
[ 0.645] flags = "0x64",
[ 0.645] addr = "0x28FD74",
[ 0.645] sahara.current_mode = "0",
[ 0.645] api.buffer = "0x2160020",
[ 0.645] cpu.serial = "3632543294",
[ 0.645] cpu.id = "94",
[ 0.645] cpu.sv_sbl = "0",
[ 0.645] cpu.name = "MSM8998",
[ 0.645] storage.type = "UFS",
[ 0.645] sahara.programmer = "programmer.elf",
[ 0.645] api.bnr = "0x20C7ED0",
[ 0.645] }
[ 0.645]
[ 0.645]
[ 0.645] Backup & Restore {
[ 0.645] num_entries = 0,
[ 0.645] restoring = "false",
[ 0.645] backup_error = "not started",
[ 0.645] restore_error = "not started",
[ 0.645] }
[ 0.645]​When executing the "blank-flash" file again, the result obtained was:
[ 0.000] Opening device: \\.\COM11
[ 0.001] Detecting device
[ 34.005] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.005] Check qboot_log.txt for more details
[ 34.005] Total time: 34.006s
[ 34.005]
[ 34.005] qboot version 3.85
[ 34.005]
[ 34.005] DEVICE {
[ 34.005] name = "\\.\COM11",
[ 34.005] flags = "0x64",
[ 34.005] addr = "0x28FD74",
[ 34.005] api.bnr = "0x612CA8",
[ 34.005] }
[ 34.005]
[ 34.005]
[ 34.005] Backup & Restore {
[ 34.005] num_entries = 0,
[ 34.005] restoring = "false",
[ 34.005] backup_error = "not started",
[ 34.005] restore_error = "not started",
[ 34.005] }
[ 34.005]​I thought I had made a worse mistake, but turning off the cell phone normally returned to enter the ROM without problem.
At this point I was left with no more ideas...
You need drivers so that your pc and the phone can communicate, here is a link and it also has a verified blankflash.zip that has worked many times for others in the past. The process is a bit hit and miss, meaning it can be finicky on some pcs. Make sure you use a usb 2.0 port off the mobo, and not a 3.0+ or a hub port, they're not all so universal and can cause problems, so stick to 2.0 mobo ports.
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
41rw4lk said:
You need drivers so that your pc and the phone can communicate, here is a link and it also has a verified blankflash.zip that has worked many times for others in the past. The process is a bit hit and miss, meaning it can be finicky on some pcs. Make sure you use a usb 2.0 port off the mobo, and not a 3.0+ or a hub port, they're not all so universal and can cause problems, so stick to 2.0 mobo ports.
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Click to expand...
Click to collapse
Hiiiii.
Well, the file in the forum that you gave me works! I mean, it does something new, it generates a successful process and it was reinitiated to the bootloader, once there I noticed that there was a changed item "Software status: Official" (previously said modified), but the ítem of "Flashing_locked" is still the same ...
Anyway I tried to flash the stock ROM with that and I have the same result whenhen I get to the command "fastboot flash bootloader bootloader.img", here are the results:
(bootloader) is-logical:bootloader: not found
Sending 'bootloader' (9884 KB) OKAY [ 0.266s]
Writing 'bootloader' (bootloader) Validating 'boot
loader.default.xml'
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) flash permission denied
(bootloader) Cancelling 'bootloader.default.xml'
FAILED (remote: '')
fastboot: error: Command failed
Another new thing found: in "bootloader logs" mode it says:
SSM: abl cvs roll back 0,1
Fastboot Reason: UTAG bootmode configured as fastboot
I feel that I am closer to each step, please continue to help me.
What firmware are you trying to flash? At this point it might be easier to use the lenovo moto smart assistant tool to do a rescue on your phone. Do a 'fastboot reboot bootloader' to get a fresh bootloader session, and run the lmsa tool and see it it will recover your phone. Either way, let me know what firmware you're trying to flash.
First of all, you need to make sure you are xt1789-? ? If x is 3, then he is the s version. You only need to install the rom of the corresponding carrier. I remember that the installation tool can choose whether to install the baseband and bp/bl lock (maybe)So your xt1789-? ? What is it?
Refer to the version number in the link image https://m.facebook.com/story.php?story_fbid=624595458056701&id=100015187571561
41rw4lk said:
What firmware are you trying to flash? At this point it might be easier to use the lenovo moto smart assistant tool to do a rescue on your phone. Do a 'fastboot reboot bootloader' to get a fresh bootloader session, and run the lmsa tool and see it it will recover your phone. Either way, let me know what firmware you're trying to flash.
Click to expand...
Click to collapse
Hi again !
I followed his advice to use the "lenovo moto smart assistant tool" but as a result I got that my device isn't supported by the software (see attached image).
On the other hand, regarding the firmware that I'm trying to recover, I don't know if I remembered that I told him to install a wrong ROM at the beginning of my problem, and I never backed up my original ROM, so I do not really have the least idea of ​​what is my stock ROM (for Colombia - South America), if I search for firmware I find many categorized with letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW) ... investigate how I can know which was the original of my phone (after having made a mess) and can not find any reference in this regard.
I keep trying.
潇霄小云 said:
First of all, you need to make sure you are xt1789-? ? If x is 3, then he is the s version. You only need to install the rom of the corresponding carrier. I remember that the installation tool can choose whether to install the baseband and bp/bl lock (maybe)So your xt1789-? ? What is it?
Refer to the version number in the link image https://m.facebook.com/story.php?story_fbid=624595458056701&id=100015187571561
Click to expand...
Click to collapse
Hi 潇 霄 小云!
I am sure it is an XT1789-05 however I do not know which firmware corresponds to me (never look before deleting my stock ROM) and when looking for the firmware of my device there are many with many letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW), so I do not know which one corresponds to me for Colombia (South America).
You can not see my model in the image you send me ...
Thanks for the help, I'm still investigating!
Loperaco said:
Hi again !
I followed his advice to use the "lenovo moto smart assistant tool" but as a result I got that my device isn't supported by the software (see attached image).
On the other hand, regarding the firmware that I'm trying to recover, I don't know if I remembered that I told him to install a wrong ROM at the beginning of my problem, and I never backed up my original ROM, so I do not really have the least idea of ​​what is my stock ROM (for Colombia - South America), if I search for firmware I find many categorized with letters at the beginning (AMXBR, AMXCO, AMXLA, AMXMX, ATT, ATTM, LRA, OPENMX, RETAIL, RETAPAC, RETBR, RETCN, RETEU, RETIN, RETLA, RETRU , SPRINT, TEFBR, TIMBR, TIMIT, TMO, USC, VFEU, VZW) ... investigate how I can know which was the original of my phone (after having made a mess) and can not find any reference in this regard.
I keep trying.
Click to expand...
Click to collapse
Well your device is showing -05, that's Mexico and South America I believe. There should be a model printed by the charge port on the phone. As for which firmware, look at your sim and see if you can get an idea from there, or if you can ask whomever you got your phone from. Do you remember what provider was listed under the software update channel originally? Your sim should be able to get you some info as to who the provider is even if it's just a subsidy of a major carrier.
Hi there !
Well today I have very good news!
At last I managed to reinstall everything. How it happened? So I went back to the steps in this way:
1. Having a wrong ROM version (it does not correspond to my stock) connect by bluethooth the cell phone to access the internet, so the cell phone recognized that the OEM had already been authorized and allowed me to access the option and change it (because before it was gray).
2. Go to the bootloader and find the indication "Flashing_locked", but as I knew I had already given the authorization from within the ROM I opened a console and wrote the command "fastboot oem unlock" AND RECOGNIZED IT!, Restart the bootloader and voila! the message already said "Flashing_unlocked"
3. After this it was a matter of trying (without lying) something like six firmware XT1789-05 version because I had no idea what mine was, it took me a long time because some left me without Wi-Fi again, but Finally, I managed to locate one that looked like the one I had (RETLA XT1789-05_NASH_RETLA_DS_8.0.0_OPXS27.109-34-19_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml), so I tried hard there, but still shows a warning that a version is installed of the different operating system, but it works for me and that's how it will stay for a couple of months.
4. Then I was able to install the TWRP and the Magisk without any problems.
5. Problems that I had: Warning of the bootloader without blocking, Notice of the different operating system, Application of finding my device does not work (it stays looking for the cell phone and never locates it).
Many thanks to 41rw4lk, without your help this would have been impossible.
I hope to share my experience with someone else who may have my problem or something like it!
Postscript: Finally, they never gave me instructions on how to make the Deep Cable when the cell phone is a USB-C type port (lol), so if the data appears I would still be interested only in general knowledge.

Help with Hard Brick Z2 Force (XT1789-04 AT&T) Is Internal Memory Fried?

Hi, looking for a kind soul who can provide me with some insight or direction.
My Phone:
Moto Z2 Force XT1789-04 AT&T
Carrier unlocked with unlock code from AT&T to use T-Mobile SIM
Updated to either Build number: OCXS27.109-47-20 or Build number: OCXS27.109-47-23 using LMSA (not OTA)
Official build, never tried to root it
My Circumstance:
I was using fingerprint unlock and my login attempts were failing.
In a brief moment of frustration, and stupidity, I repeatedly retried FP unlock (probably 10+ times)
Display went dim and phone became unresponsive, and ultimately turned into a brick with no way to power on; nothing displayed when plugged in to charge.
My Attempts to Fix:
After trying various button reset options with no success, I plugged my phone into my PC and saw QUSB_BULK
Further searching led me to https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5 (thanks 41rw4lk)
I installed the Qualcomm driver and got Qualcomm HS-USB QDLoader 9008 to show up in Device Manager.
I tried blank-flash.bat using blankflash_from_NDX26.183-15_17 (again, thanks, 41rw4lk)
Here is the output from the batch command:
Code:
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>blank-flash.bat
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ -0.000] Opening device: \\.\COM4
[ -0.000] Detecting device
[ 0.016] ...cpu.id = 94 (0x5e)
[ 0.016] ...cpu.sn = 1009594148 (0x3c2d2f24)
[ 0.016] Opening singleimage
[ 0.016] Loading package
[ 0.016] ...filename = pkg.xml
[ 0.016] Loading programmer
[ 0.016] ...filename = programmer.elf
[ 0.016] Sending programmer
[ 0.176] Handling things over to programmer
[ 0.176] Identifying CPU version
[ 0.176] Waiting for firehose to get ready
[ 3.200] ...MSM8998 2.1
[ 3.200] Determining target secure state
[ 3.200] ...secure = yes
[ 3.247] Configuring device...
[ 3.263] Skipping UFS provsioning as target is secure
[ 3.263] Configuring device...
[ 4.824] Target NAK!
[ 4.824] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 4.824] ...ERROR: Failed to open the device 3 slot 0 partition 1
[ 4.824] ...INFO: Device type 3, slot 0, partition 1, error 0
[ 4.824] ...WARN: Set bootable failed to open 3 slot 0, partition 1, error 0
[ 4.824] ERROR: do_package()->do_recipe()->NAK
[ 4.824] Check qboot_log.txt for more details
[ 4.824] Total time: 4.824s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->NAK
Here is the device info from the log:
Code:
[ 4.824] qboot version 3.85
[ 4.824]
[ 4.824] DEVICE {
[ 4.824] name = "\\.\COM4",
[ 4.824] flags = "0x144",
[ 4.824] addr = "0x62FD54",
[ 4.824] sahara.current_mode = "0",
[ 4.824] api.buffer = "0x29C4020",
[ 4.824] cpu.serial = "1009594148",
[ 4.824] cpu.id = "94",
[ 4.824] cpu.sv_sbl = "0",
[ 4.824] cpu.name = "MSM8998",
[ 4.824] storage.type = "UFS",
[ 4.824] sahara.programmer = "programmer.elf",
[ 4.824] module.firehose = "0x6D91C8",
[ 4.824] api.firehose = "0x721F50",
[ 4.824] cpu.ver = "513",
[ 4.824] cpu.vername = "2.1",
[ 4.824] fh.max_packet_sz = "1048576",
[ 4.824] fh.storage_inited = "1",
[ 4.824] }
So, best as I can decipher, the blank-flash is failing because it cannot create a filesystem on the internal memory.
I read something about A/B slots, but I'm starting to lose my way.
Am I done for?
Thanks for looking. Truly appreciate the folks in this community.
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
lobbybee said:
Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
Click to expand...
Click to collapse
See if there is one on
https://mirrors.lolinet.com/firmware/moto
Sent from my Moto E (4) using Tapatalk
The Nougat blankflash is fine. The phone shipped with a Nougat pbl and the way I understand it is that can't be modified or upgraded, it can be reflashed with the same, but that's it. Don't quote me on that though. As for an Oreo blankflash, there is one, but I've never heard any success stories from it and Nougat has always done the trick.
I've seen that error before, it is speculated that maybe the storage is failing, but I don't know if anyone has ever been able to say 'yes, your storage is no good and that's why you get this error' etc. It maybe very well be the case and I'm not sure if those who have faced that error have been able to recover.
What version of windows are you running? Have you tried running as an admin, using different ports?
If you are on Win10 have you tried going old school and disabling integrity checks and turning test signing on? Win10 isn't very friendly when it comes to our phone, we recommend Win7 and command prompt, not powershell. So if you're using Win10 and haven't done the above, it's worth a shot.
41rw4lk said:
What version of windows are you running? Have you tried running as an admin, using different ports?
Click to expand...
Click to collapse
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
lobbybee said:
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
Click to expand...
Click to collapse
I believe the pbl is loaded before bootloader lock is detected, hence the reason it was able to exploit and unlock booloaders. Obviously we all can agree that something is failing when it comes to initializing the UFS storage it needs to write to. Whether it is corrupted, dead, or something else... I'm not knowledgeable enough to answer that. You might explore around with QFIL since it has an option in settings to select storage type, emmc or ufs. What you do from here on out is all you. I'd make sure you have your drivers installed and do only what is necessary to get back to a bootloader where you can flash a clean stock firmware. Keep us posted with your results and good luck.

EDL mode and test point of the Moto G 5G Plus?

Hello I have a hardbrick that so far I cannot solve, because I want to close the bootloader, the fastboot rejects any command that I enter (including the "fastboot oem unlock") and when turning on motorola it generates the error 0xC2224571 "No valid operating system could be found. The device will not boot ". I thought about doing a "Blankflash", but I don't know what the Motorola "test point" is. Does anyone know how to do it and get to EDL mode?
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
shadowchaos said:
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
Click to expand...
Click to collapse
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Click to expand...
Click to collapse
Could you describe what moves at last time which causes this situation?
supermafari2.0 said:
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Click to expand...
Click to collapse
Hey, can I ask you how did you manage to unbrick it? My phone doesn't get recognized via fastboot. It seems dead but when I connect it to the pc, it gets recognized as "Qualcomm HS-USB QDLoader 9008".
What can I do next?
Try a blank flash for your phone.
Hello,
I am in a similar situation and also interested in the test point for EDL mode, so rather than opening a new thread I figured I'd reply here.
As it stands, my phone has the /e/ project ROM and recovery flashed on it, the "Allow OEM unlock" option is disabled, and the bootloader is locked. Meaning, the OS doesn't get recognized and doesn't boot, flashing is disallowed across the board, fastboot oem unlock <UNLOCK_KEY> is rejected, and fastboot boot <any recovery stock or otherwise>.img fails.
fastboot oem blankflash returns "Command Restricted" and well, subsequently tells me it failed.
So my own ignorance left myself with a rather expensive paperweight and the last resort I believe is to flash a stock ROM in EDL mode. I have found a teardown video of the device and seen a few test points there (including 3 under the large heatsinking graphite film), and I'm ready to remove the back cover on mine. It seems that the EDL test point isn't documented... If need be, I could try to find the test points myself. I just need more info to not short and break anything.
Edit: so I've gone and done it. Stabbed all visible test points, one of them scores at 1.8v, one at 1.5v, the rest at 0v. [EDIT] Some actually show something below 0.5v.
The 1.8v test point is connected to a trace going to the connector's pin. Another pad goes just beside that pin. It is very enticing right now to try and bridge them, however I'm not confident those are the EDL test points and I may short something I don't want to. I'm gonna get resistors.
The missing connector tells me it's a connector that's important for Motorola, and clearly not for the end-user. This is a cost-saving measure, don't need to run extensive tests when the device is finalized, you only need the test points to... enable EDL? Ahah. The fact the connector pads are still there is because designing the rerouting to remove them also costs money.
The 1.5v test point is between the screen and bottom daughterboard flexible flat cables connectors. Without certainty, I believe it may be a voltage for one of those or both.
Attached is the photo of the test points around the missing connector, if that helps at all.
Edit2: I found this post about trying for test points. I'm lacking resistors right now to further test. https://forum.xda-developers.com/t/phone-doesnt-boot-even-in-edl-mode.4411915/#post-87260675
Edit3: welp, bridging the points linked to the missing connector pads did nothing. What I tried is keep the phone off, bridge the points, plug the USB, but it keeps sending me to "OS not found" error or fastboot, depending on if fb_mode_set or fb_mode_clear have been used.
Hey @Awilen please keep us posted. I too want to play with this phone, but am frustrated by lack of easy access to EDL mode (to unbrick). (I want to try to roll my own GSI/AOSP build + Moto proprietary drivers, which will likely not boot the first thirty or so times I try it.)
FWIW, I tried this method and a pre-bought cable that allegedly does the same thing- no dice either.
The fact that there ARE EDL IMAGES out there gives me hope.
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
FWIW, I've never had any success with any "EDL cable" on any device, but that could be entirely due to timing/incompetence on my part.
A few devices I've been able to find EDL test points.
On some non-Qualcomm devices I have gotten to ROM bootloader by using a 100 ohm resistor (for safety, instead of a dead short) from some random test point near eMMC to ground.
Hey @Renate the cable works on my OnePlus (which, also, has a key sequence to do it, making the cable superfluous), so I know that isn't the issue here. I just don't want to unglue the phone and risk breaking something just to play. Once the battery becomes useless and that's inevitable, then I'll probably become a MB-shortin'-mo-fo.
SomeRandomGuy said:
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
Click to expand...
Click to collapse
Hey! I was waiting on my EDL cable. I just tried it... no dice. No dice at all. I believe I've exhausted all non-intrusive tricks in the book, the next step is cleanly desoldering the EM shield over the processor and flash/RAM combo ICs.
Since the device is out of warranty anyway, I'll try for a repair shop to desolder it, as the only powerful-enough heat source I have is a large heat gun blowing 150°C, 450°C or 600°C air. Other than that I have a 60W soldering iron, I doubt that'll be enough.
The only problem with the desoldering is that the EM shield is part of the cooling solution for the processor/RAM/Flash ICs. It will need to be reapplied.
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
Awilen said:
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
Click to expand...
Click to collapse
TIL “fastboot oem qcom-on” and “fastboot oem qcom-off” are a thing.
For my part, to this day I cannot find a way to access this mode, I still have my theories, since on one page I found "official" diagrams of this motorola and the phrase "EDL" is indicated at various points, but I don't really know how to interpret them on the motherboard, I'll leave the link in case someone wants to review it, it's from a Brazilian page:
Motorola_Moto_G_5G XT2075 - LEMCELL.COM.BR.zip
drive.google.com
In that one there are several files, with more technical specifications, in case someone wants to review it and see what they find useful out there, to see if it is possible to reach EDL mode on this model.
The missing connector I shot in my photos is a JTAG connector. Make of that what you will.
I have desoldered the EMI shield above the SoC/eMCP area and there's no dice there either. The traces are hidden, the parts are BGAs, there's no "pin" to short there. The schematics may or may not have confirmed my suspicion the physical trace for the clock signal to the eMCP is unreachable, making reaching EDL mode through "PBL panic from not being able to access the flash" impossible.
The SMDs around the eMCP may or may not seem to all be related to power delivery smoothing, and shorting those is blue smoke waiting to happen. I'll resolder the shield later, I don't think there's any point in desoldering it in the future for the purpose of reaching EDL mode.
There are official blankflash utilities freely available. I have no doubt EDL mode is accessible. This connector must be just how.
BREAKTHROUGH TIME! I GOT INTO QCOM 9008 MODE!
In the attached photo are the EDL pads. Happy flashing!
Edit: now I'm getting some progress, but nothing is working. Here's the two logs I get, the first just after connecting, the second after having tried once already:
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:02:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 5.889] ERROR: sahara_greet_device()->change_mode()->do_hello()->Invalid command received in current state
[ 5.889] Check qboot_log.txt for more details
[ 5.889] Total time: 5.889s
[ 5.889]
[ 5.889] qboot version 3.86
[ 5.889]
[ 5.889] DEVICE {
[ 5.889] name = "/dev/ttyUSB0",
[ 5.889] flags = "0x60",
[ 5.889] addr = "0xFECAF690",
[ 5.889] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 5.889] api.bnr = "0x1FE4210",
[ 5.889] }
[ 5.889]
[ 5.889]
[ 5.889] Backup & Restore {
[ 5.889] num_entries = 0,
[ 5.889] restoring = "false",
[ 5.889] backup_error = "not started",
[ 5.889] restore_error = "not started",
[ 5.889] }
[ 5.889]
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:03:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.343] Detecting device
[ 34.920] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.920] Check qboot_log.txt for more details
[ 34.920] Total time: 34.920s
[ 34.920]
[ 34.920] qboot version 3.86
[ 34.920]
[ 34.920] DEVICE {
[ 34.920] name = "/dev/ttyUSB0",
[ 34.920] flags = "0x60",
[ 34.920] addr = "0xAEF35240",
[ 34.920] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 34.920] api.bnr = "0x21BC210",
[ 34.920] }
[ 34.920]
[ 34.920]
[ 34.920] Backup & Restore {
[ 34.920] num_entries = 0,
[ 34.920] restoring = "false",
[ 34.920] backup_error = "not started",
[ 34.920] restore_error = "not started",
[ 34.920] }
[ 34.920]
Edit 2: I got a blankflash to work! Now I don't know... This is what I got:
Code:
D:\blankflash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ -0.000] Opening device: \\.\COM3
[ -0.000] Detecting device
[ -0.000] ...cpu.id = 286 (0x11e)
[ -0.000] ...cpu.sn = 3786473903 (0xe1b101af)
[ -0.000] Opening singleimage
[ -0.000] Loading package
[ -0.000] ...filename = pkg.xml
[ -0.000] Loading programmer
[ -0.000] ...filename = programmer.elf
[ -0.000] Sending programmer
[ 0.109] Handling things over to programmer
[ 0.109] Identifying CPU version
[ 0.109] Waiting for firehose to get ready
[ 3.220] ReadFile() failed, GetLastError()=0
[ 3.330] ...SM_SAIPAN 2.0
[ 3.330] Determining target secure state
[ 3.330] ...secure = yes
[ 3.377] Configuring device...
[ 3.377] Skipping UFS provsioning as target is secure
[ 3.377] Configuring device...
[ 3.470] Flashing GPT...
[ 3.470] Flashing partition with gpt.bin
[ 3.470] Initializing storage
[ 3.517] ...blksz = 4096
[ 3.580] ReadFile() failed, GetLastError()=0
[ 4.049] Re-initializing storage...
[ 4.049] Initializing storage
[ 4.361] Flashing bootloader...
[ 4.361] Wiping ddr
[ 4.392] Flashing abl_a with abl.elf
[ 4.439] Flashing aop_a with aop.mbn
[ 4.486] Flashing qupfw_a with qupfw.elf
[ 4.517] Flashing tz_a with tz.mbn
[ 4.783] Flashing hyp_a with hyp.mbn
[ 4.839] Flashing devcfg_a with devcfg.mbn
[ 4.854] Flashing keymaster_a with keymaster.mbn
[ 4.901] Flashing storsec_a with storsec.mbn
[ 4.933] Flashing uefisecapp_a with uefi_sec.mbn
[ 5.089] Flashing prov_a with prov64.mbn
[ 5.104] Flashing xbl_config_a with xbl_config.elf
[ 5.151] Flashing xbl_a with xbl.elf
[ 5.649] Rebooting to fastboot
[ 5.665] Total time: 5.665s
Somehow it worked, I got to flash another phone's blankflash (a "Racer" codenamed phone apparently) on it and the ABL (the thing that tells me it won't boot because it didn't find a valid system) changed visually. Now I'll try to unlock the bootloader, or flash a system on it.
Edit 3: Mmh. After clearing that EDL mode flashing worked, the system is still flashing-locked, secured, and fastboot oem unlock <unique_key> isn't working.
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
supermafari2.0 said:
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Click to expand...
Click to collapse
I am confident EDL mode flashing worked. I used a different phone's blankflash that had the same SoC and it worked, giving me a visually different "No OS found" error screen. I posted the log of the blanking process. The "Allow OEM Unlock" bit is still set to "disabled" after blanking, such that I still can't use "fastboot oem unlock" successfully.
There's this line that makes me think the system is still intact: "Skipping UFS provsioning as target is secure", meaning the UFS filesystem might have not been actually blanked. Since singleimage.bin is a signed binary, there's no way to force UFS provisioning or modify it in any other way. I think the only way in will be with a firehose and QFIL... Except I haven't found one for this SoC. The programmer.elf is the firehose, but again that needs to be signed to be useful after getting extracted.
SomeRandomGuy said:
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
Click to expand...
Click to collapse
I marked two pads of the missing connector with a green rectangle (I reused the photo I posted earlier on which I had already marked the test points' voltages, disregard the test points). I shorted them with only one voltmeter probe.
The idea is that the EDL pads I marked in green are connected to a 1.8V supply and a pin on the SoC with "infinite resistance", so there's no need for an additional resistor. You are not at risk of shorting anything and cause a major disaster on pins on the row of the green rectangle. The connector is very small, so stab confidently in the middle of the row of pads!
The (V+, PWR) combination may be available in development units, and be disabled in production units at the hardware level (missing components).
(Keep in mind I'm talking in hypotheticals at times to keep up plausible deniability regarding the files posted earlier by supermafari2.0... Those are surely under copyright.)
Layers of security upon layers of security just to get a stock firmware on an empty filesystem on my own device... This is getting old...
Edit: I have, out of boredom, decomposed the singleimage.bin into its various files. Here is the file format:
Code:
* SINGLE_N_LONELY Header [256 bytes]
* FILE:
Header:
* file name: 248 bytes (name + "\0" padding)
* file size: 8 bytes, little-endian
Data:
* data: file size in bytes
* 0xA0 padding if (file size % 4096) != 0 : file size + 4096 - (file size % 4096) bytes
[* FILE...]
* LONELY_N_SINGLE Footer [256 bytes]
Do note the 4096 magic number is the flash sector size, thus is device-dependant. In singleimage.bin, there was gpt.bin which also follows the same format. Among the files is programmer.elf, a strong candidate to be a firehose, I'll try to use with QFIL tomorrow. I do take note of Motorola's attempt at psychological warfare.
So I tried the programmer I found in the singleimage.bin file, it's indeed capable of programming through QFIL! (Do note I needed to get QFIL through QPST to get it to work.) However now I'm faced with this as I'm trying to flash recovery.img to get to recovery and get recovery to reinstall a working system:
Code:
INFO: TARGET SAID: 'ERROR: range restricted: lun=5, start_sector=142688, num_sectors=25600'
I guess the programmer checks for the flash being in a locked state, so it's time to try to patch the programmer to force the flash, if at all possible...
Edit: guessed right. The programmer has a routine that does various checks. It isn't encrypted, but I found data that could indicate the file is signed. I didn't see either the PEEK or POKE strings in there, meaning these primitives weren't included in the programmer, so there's no way to manually poke any image by hand, or just enable that blasted "Allow OEM unlock" bit (the fact I don't know where it is not withstanding.)
I think that's the end of the line for my device. At this point the only way it will ever work again will be either getting a patched and signed firehose (unlikely), or getting Motorola to reflash a stock image internally (even more unlikely) or just changing the motherboard (which defeats the purpose of searching how to get the device back in working order after messing up!)

Categories

Resources