Hello,
So continuing my experiments on the Nexus 7 2013 (deb version), I have come to the point of IMEI being read as "0".
I have tried qualcomm NV tools, efs professional, qpst, factory reset, full wipe and then factory reset, custom roms, full wipe and then flash custom roms and the list goes on...
I understand that the entire re-writing process would have been much easier if I had a backup of all the partitions but unfortunately my system went kaput leading to massive data loss (including the backups).
So here I am seeking help from the community:
1. Any knowledge or methods to restore the IMEI number on a Qualcomm/Nexus/Asus device.
2. Backups of partitions - the DEB versions - the FSG, MODEMST1, MODEMST2
- For backup of the above partitions use the file attached in TWRP.
- It will create backups of the partitions in the location /sdcard/
I don't want to lose this device; it is out of warranty; still strong and does the job for me. The only issue right now for me is the connectivity (no signal because of "0" IMEI).
Please help.
Thank you.
jared.leto said:
Backups of partitions the DEB versions (other than the radio, recovery, system partitions)
I don't want to lose this device; it is out of warranty; still strong and does the job for me. The only issue right now for me is the connectivity (no signal because of "0" IMEI).
Please help. Thank you.
I prepared backup and restore scripts for the fsg partition with IMEI number. Perhaps a DEB user will donate fsg partition for you. You will need:
- p8-backup.zip and p8-restore.zip from the above link
- TWRP recovery
- USB OTG adapter + a flash drive or OTG flash drive
Then do:
1. boot TWRP
2. connect OTG FAT32-formatted drive with the ZIPs
3. in TWRP "install" the backup ZIP
Your fsg partition will be compressed with gzip and saved on the flash drive. It then can be restored in TWRP.
Incidentally, all DEB users should do a backup of fsg anyway.
Did it. Attached.
HEX Editors show it's empty. I don't remember erasing the fsg partition but I guess that has happened.
Thank you for helping.
k23m said:
I prepared backup and restore scripts for the fsg partition with IMEI number. Perhaps a DEB user will donate fsg partition for you. You will need:
- p8-backup.zip and p8-restore.zip from the above link
- TWRP recovery
- USB OTG adapter + a flash drive or OTG flash drive
Then do:
1. boot TWRP
2. connect OTG FAT32-formatted drive with the ZIPs
3. in TWRP "install" the backup ZIP
Your fsg partition will be compressed with gzip and saved on the flash drive. It then can be restored in TWRP.
Incidentally, all DEB users should do a backup of fsg anyway.
jared.leto said:
Did it. Attached.
HEX Editors show it's empty. I don't remember erasing the fsg partition but I guess that has happened.
Thank you for helping.
It is empty indeed. My FLO fsg has lots of stuff including IMEI-like strings. Just try my fsg, link in pm.
@k23m
Please help.
Hi, friend, did you restore your Deb IMEI?
I successfully cloned IMEI; we need to copy/restore these partitions for this:
M9kefs1 (/dev/block/mmcblk0p5)
M9kefs2 (/dev/block/mmcblk0p6)
M9kefs3 (/dev/block/mmcblk0p7).
TechnicsKuzya said:
I successfully cloned IMEI; we need to copy/restore these partitions for this:
M9kefs1 (/dev/block/mmcblk0p5)
M9kefs2 (/dev/block/mmcblk0p6)
M9kefs3 (/dev/block/mmcblk0p7).
Thank you for this info. The attached script will back up m9kefs* partitions. In TWRP do 'install' and find the backup file in the root of internal storage - /sdcard/IMEI-backup.tgz
BTW, DEB users, please check this post.
imei 0
Hi, also such a problem, have imei 0 after marking up the memory. help fix, thanks
IMEI 0 after flashing stock firmware is due to modem not being able to recreate EFS (modemst1-2) since persist is compromised. Motorola has removed dedicated dhob & hob partitions (which used to store IMEI info in earlier moto g's) and moved them to persist. Pure persist backup is therefore NECESSARY before flashing anything. See here for persist backup instructions.
Note: persist is unique to device. Flashing someone else's persist will NOT restore your IMEI. Instead, it'll PERMANENTLY wipe dhob bin holding your IMEI.
Edit: Confirmed. Persist is unique to device. I restored my pure persist backup and got IMEI & VOLTE.
Please go through the entire thread carefully.
Edit: Problem is caused by incorrect user id for rfs. Can be fixed if you have your own persist. See here
hey,
As you all know, fastbooting stock 7.0 over custom 8.1 corrupts our QCN. However, if you first restore a twrp 7.0 system.img and boot.img, the problem doesn't occur.
Numerous guides exist on XDA but they are very bad hacky workarounds with no explanation given.
I'm making a non-hacky fix for imei0/volte/other baseband problems since it is unlikely that upcoming official 8.1 will fix the issue. Moto service center also doesn't know how to fix this.
To achieve this, I need some files from people with stock 7.0 (preferably indian variant) who satisfy the following criteria:
1. never flashed custom 8.1
or
2. successfully reverted to 7.0 from 8.1 without flashing any hacks from xda (i.e, restored twrp system/boot backup instead of fastbooting whole fw)
If everything goes through, I'll release a detailed guide for this.
I urge the volunteers to PM me asap. Note that root/unlock is not necessary for this.
Wish I could help but my imei for the US variant is trashed, wish you the best of luck getting a correct fix for this because I think waiting on oreo is a bit optimistic. Thanks
Totally stock locked bootloader, how can i help?
TL;DR: IMEI 0 is most likely a firmware bug. Our best hope is the upcoming oreo firmware.
Hey all,
After spending hours on the IMEI 0 problem, here are my findings:
1. IMEI is stored in nv 550 variable in QCN. However, this variable is write protected. This means all IMEI write programs such as QCOM Write IMEI tool will fail.
2. Interestingly, only IMEI 1 is stored in the nv. IMEI 2 is derived by performing some fixed hex arithmetic on IMEI 1.
3. IMEI also seems encrypted since the nv 550 in QCN never has a correct hex notation of IMEI. For example, Only half of the IMEI is correct.
4. Any attempt to restore the QCN backup of someone else will successfully write all nv variables except nv 550. Means you cannot rewrite your factory IMEI.
5. The above is true even if you hexedit the QCN with your own IMEI. NV 550 is write protected.
6. modemst1 and modemst2 are sort of some baseband cache which are created by radio/bootloader using fsg. fsg seems to be some sort of backup partition for modemst.
7. After downgrading and erasing modemst1-2, these modemst are not recreated successfully by the modem. The nv 550 variable goes missing.
8. My guess is that modem has some checksum mechanism wherein if any discrepancy is found, the modemst cache recreation fails. Not sure.
9. Our IMEI is most likely intact somewhere (not talking about fastboot IMEI). Just not interpreted properly.
10. People who restored their efs after IMEI 0 are essentially restoring working cached modemst1-2. However, if fastboot erase modemst is done, it'll likely result in IMEI 0 again because modem cannot recreate modemst correctly.
rachitrawat said:
TL;DR: IMEI 0 is most likely a firmware bug. Our best hope is the upcoming oreo firmware.
Hey all,
After spending hours on the IMEI 0 problem, here are my findings:
1. IMEI is stored in nv 550 variable in QCN. However, this variable is write protected. This means all IMEI write programs such as QCOM Write IMEI tool will fail.
2. Interestingly, only IMEI 1 is stored in the nv. IMEI 2 is derived by performing some fixed hex arithmetic on IMEI 1.
3. IMEI also seems encrypted since the nv 550 in QCN never has a correct hex notation of IMEI. For example, Only half of the IMEI is correct.
4. Any attempt to restore the QCN backup of someone else will successfully write all nv variables except nv 550. Means you cannot rewrite your factory IMEI.
5. The above is true even if you hexedit the QCN with your own IMEI. NV 550 is write protected.
6. modemst1 and modemst2 are sort of some baseband cache which are created by radio/bootloader using fsg. fsg seems to be some sort of backup partition for modemst.
7. After downgrading and erasing modemst1-2, these modemst are not recreated successfully by the modem. The nv 550 variable goes missing.
8. My guess is that modem has some checksum mechanism wherein if any discrepancy is found, the modemst cache recreation fails. Not sure.
9. Our IMEI is most likely intact somewhere (not talking about fastboot IMEI). Just not interpreted properly.
10. People who restored their efs after IMEI 0 are essentially restoring working cached modemst1-2. However, if fastboot erase modemst is done, it'll likely result in IMEI 0 again because modem cannot recreate modemst correctly.
Even though I'm sure it's not the news we all wanted to hear I still want to say thanks for spending the time to try and figure it out.
Also I feel that you are correct about IMEI still being present somewhere just not being relayed correctly because if you select the barcode option in fastboot it will correctly display the imei number but once booted the imei is back to zero unless it's very possible the barcode images are just static images
Great work dev
Man you are doing an awesome work which is in need I have a motog5plus untouched stock (maybe some updates of stock) so i can obtain the required files needed for you to solve this
Just leave a reply @Sid_Karthik #telegram so that I can know how to obtain those files
Some more update:
1. falcon had partitions dhob and hob which contained device specific information about the IMEI, ESN etc.
2. potter doesn't have these partitions. However, I've found some dhob & shob related binaries after mounting persist img.
3. persist acts as a bridge in properly interpreting device specific info like IMEI.
4. Most contents of persist including hob, shob are write protected.
5. Since modem updates nv items on the fly, you can get imei 0 after fiddling with persist.
6. A compromised persist can easily be detected by checksum mechanism.
7. Custom ROMs most likely fiddled with persist. After downgrade and erasing modemst1-2, the bridge broke and modem cannot initialize modemst1-2 properly. Thus, imei 0.
Yes, I can confirm it.
I have a Moto g5 plus XT1686 which was on stock & is my daily driver. But as I completed one year with this device and lost my warranty, I unlocked my bootloader, flashed twrp recovery and took a backup. Then installed an Oreo rom (android 8.1). That rom had some serious volte issues. So I went back to stock through Twrp backup. As this is my daily driver I couldn't take any chances, so I fastboot flashed stock rom of January security patch & locked my bootloader. But during fastboot I didn't use erase modemst1, erase modemst2 commands. And everything was fine, I didn't lose my imei or volte. I even took March security patch & April security patch ota without any issues.
The only difference I saw in fastboot mode was when I fastbooted to stock (January security patch) my software status was unofficial. But with March security patch Ota it became official. But my baseband changed to 47e which was 47r on pure stock.
Abhineet m25 said:
Yes, I can confirm it.
I have a Moto g5 plus XT1686 which was on stock & is my daily driver. But as I completed one year with this device and lost my warranty, I unlocked my bootloader, flashed twrp recovery and took a backup. Then installed an Oreo rom (android 8.1). That rom had some serious volte issues. So I went back to stock through Twrp backup. As this is my daily driver I couldn't take any chances, so I fastboot flashed stock rom of January security patch & locked my bootloader. But during fastboot I didn't use erase modemst1, erase modemst2 commands. And everything was fine, I didn't lose my imei or volte. I even took March security patch & April security patch ota without any issues.
The only difference I saw in fastboot mode was when I fastbooted to stock (January security patch) my software status was unofficial. But with March security patch Ota it became official. But my baseband changed to 47e which was 47r on pure stock.
So I guess that your stock backup had your IMEI and VoLTE intact. Interesting. If yours was an XT1687 I would ask if you could post that backup, sans account info and sensitive stuff.
Maybe a TWRP backup for every model of the phone could save everyone, as long as the backup was taken before flashing an 8.1 ROM.
Abhineet m25 said:
Yes, I can confirm it.
I have a Moto g5 plus XT1686 which was on stock & is my daily driver. But as I completed one year with this device and lost my warranty, I unlocked my bootloader, flashed twrp recovery and took a backup. Then installed an Oreo rom (android 8.1). That rom had some serious volte issues. So I went back to stock through Twrp backup. As this is my daily driver I couldn't take any chances, so I fastboot flashed stock rom of January security patch & locked my bootloader. But during fastboot I didn't use erase modemst1, erase modemst2 commands. And everything was fine, I didn't lose my imei or volte. I even took March security patch & April security patch ota without any issues.
The only difference I saw in fastboot mode was when I fastbooted to stock (January security patch) my software status was unofficial. But with March security patch Ota it became official. But my baseband changed to 47e which was 47r on pure stock.
You saved yourself by not erasing working modemst cache.
However, if you erase it now, you'll likely get imei 0 since your persist is compromised by flashing custom ROM. Unless of course you took a pure persist dump before flashing anything.
My guess about the baseband letters:
R: persist ok, efs ok
e: persist not ok, efs ok
u: persist not ok, efs not ok
Jrhotrod said:
So I guess that your stock backup had your IMEI and VoLTE intact. Interesting. If yours was an XT1687 I would ask if you could post that backup, sans account info and sensitive stuff.
Maybe a TWRP backup for every model of the phone could save everyone, as long as the backup was taken before flashing an 8.1 ROM.
If you've erased your modemst and your persist is modified, his persist/efs backup won't restore your imei/volte. The modem has checksum mechanism to verify imei. So no cheating.
rachitrawat said:
You saved yourself by not erasing working modemst cache.
However, if you erase it now, you'll likely get imei 0 since your persist is compromised by flashing custom ROM. Unless of course you took a pure persist dump before flashing anything.
My guess about the baseband letters:
R: persist ok, efs ok
e: persist not ok, efs ok
u: persist not ok, efs not ok
If you've erased your modemst and your persist is modified, his persist/efs backup won't restore your imei/volte. The modem has checksum mechanism to verify imei. So no cheating.
Would it work for other ppl to use my persist image with them getting my imei... I have the single sim xt1687 and have a backed up persist via twrp and also pulled the image via root and adb... was on stock January build when I backed both up before flash aosp
Tech_Savvy said:
Would it work for other ppl to use my persist image with them getting my imei... I have the single sim xt1687 and have a backed up persist via twrp and also pulled the image via root and adb... was on stock January build when I backed both up before flash aosp
No. Persist is unique to each device.
I was on Lineage 15 when after trying to flash Magisk and DolbyAtmos my signal was gone. I have xt1686 which is dual sim and on both the sims there was no signal but the sims were detected. So I tried reflashing the Rom but it didn't help. I fastboot flashed stock with erase modem cmds and lost IMEI. Then I tried some workaround and got signal back on debloated ROM, but made a mistake by going back to stock again. Now I have tried every ROM but no signal in any. I had made a TWRP backup before installing 8.1 ROM so I have efs but even then I can only get my IMEI back but not the signal. Also when I try restoring the backup it says no OS, so there is something wrong with it.
Attention.
Before flashing anything, backup your unique persist and save it for your life.
How to back up:
1. Boot and not flash twrp
Code:
fastboot boot twrp.img
2. do
Code:
adb shell
dd if=/dev/block/mmcblk0p30 of=/sdcard/persist.img
When you revert to stock, restore persist.img:
Code:
adb shell
dd if=/sdcard/persist.img of=/dev/block/mmcblk0p30
Note: efs backup is not required at all.
Those who don't have their persist backup and have flashed custom are stuck with IMEI 0 forever. Including me.
rachitrawat said:
Attention.
Before flashing anything, backup your unique persist and save it for your life.
How to back up:
1. flash twrp
2. do
When you revert to stock, restore persist.img:
Note: efs backup is not required at all.
Those who don't have their persist backup and have flashed custom are stuck with IMEI 0 forever. Including me.
Forever ? Seriously bro? Nopes hopes even after Oreo?
Did some more digging.
1. IMEI is likely stored in /persist/rfs/msm/mpss/dhob.bin
You can't view this dir in root browser as it is locked. You need to mount it (linux in my case) and give admin permission.
dhob is encrypted by default. There is also a HMAC (keyed hash) to verify its integrity. So you can't use someone else's persist dump.
You can check your dhob log with this: (taken on LOS 15.1)
Code:
cat /data/vendor/tombstones/rfs/modem/dhob_report.txt
mot_d_hob_stg_ram.c, 547: initializing dynamic hob...
mot_d_hob_stg_ram.c, 570: Failed to read DHOB file, err = 3
mot_d_hob_stg_ram.c, 446: couldn't verify hmac
mot_d_hob_stg_ram.c, 447: status = 2
mot_d_hob_stg_ram.c, 448: verified = 0
mot_d_hob_stg_ram.c, 618: dhob in trusted boot
mot_d_hob_crypto.c, 291: FATAL: decryption failed with st 20
mot_d_hob_crypto.c, 292: in size = 16320
mot_d_hob_crypto.c, 293: dec size = 16320
mot_d_hob_stg_ram.c, 666: FATAL: blank dhob in trusted mode
mot_d_hob_stg_ram.c, 779: FATAL: dhob functionality blocked
mot_d_hob_stg_ram.c, 860: dHOB DB recover
mot_d_hob_stg_ram.c, 898: dHOB recover failed
mot_d_hob_stg_ram.c, 1250: comparing dynamic hob...
mot_d_hob_stg_ram.c, 1253: DHOB ops not allowed
mot_d_hob_stg_ram.c, 1081: refreshing dynamic hob...
mot_d_hob_stg_ram.c, 1085: dhob ops not allowed
2. To check hob's log (also related to imei):
Code:
cat /data/vendor/tombstones/rfs/modem/hob_report.txt
mot_s_hob_stg.c, 197: RFS read finished - in 1272 ms
mot_s_hob_stg.c, 326: ERR: Can't access HOB file, errno = 3
mot_s_hob_stg.c, 327: ERR: read -2025043604 bytes
mot_s_hob_amss.c, 825: s_hob_phase_check
mot_s_hob_amss.c, 590: ERR: HOB NV 540 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 1864 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 3691 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 5459 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 5461 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 5464 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 6683 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 6684 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 6735 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 6736 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20309 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20310 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20825 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20826 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20883 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 20884 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 22982 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24226 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24228 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24230 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24233 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24250 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24252 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24255 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24256 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24964 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24965 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24966 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24967 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24972 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24973 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24974 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 24975 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 27779 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 27781 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 27783 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 27786 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 27812 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 28329 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 28333 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 28334 inactive
mot_s_hob_amss.c, 852: ERR: Found 41 NV items from HOB list that are not populated
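The two reports above can be triaged mechanically. This is an added example, not part of the original post or of any Motorola tooling: it classifies the failure messages, strips the forum's colour markup, and cross-checks the number of "inactive" NV lines against the summary line. The finding names and the sample text (a few lines copied from the reports, with the summary count adjusted to match the shortened sample) are constructed for illustration.

```python
import re

# "<source file>, <source line>: <message>" as seen in both reports.
LINE_RE = re.compile(r"^(?P<src>[\w.]+), (?P<lineno>\d+): (?P<msg>.*)$")
# Forum pastes may carry [COLOR="Red"]...[/COLOR] markup around a message.
BBCODE_RE = re.compile(r"\[/?COLOR[^\]]*\]", re.IGNORECASE)

# Finding names are labels chosen for this example, not vendor terminology.
RULES = [
    ("file_unreadable", re.compile(r"Failed to read DHOB file|Can't access HOB file")),
    ("hmac_verify_failed", re.compile(r"couldn't verify hmac")),
    ("decrypt_failed", re.compile(r"decryption failed")),
    ("dhob_blank", re.compile(r"blank dhob")),
    ("dhob_blocked", re.compile(r"dhob functionality blocked")),
    ("recover_failed", re.compile(r"recover failed")),
]
NV_INACTIVE_RE = re.compile(r"HOB NV (\d+) inactive")
NV_SUMMARY_RE = re.compile(r"Found (\d+) NV items from HOB list that are not populated")


def triage(report_text):
    """Return findings (name -> first 'file:line'), inactive NV ids and a count check."""
    findings = {}
    inactive_nv = []
    reported = None
    unparsed = 0
    for raw in report_text.splitlines():
        line = BBCODE_RE.sub("", raw).strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # keep a count so truncated pastes are noticed
            continue
        msg = m.group("msg")
        where = f'{m.group("src")}:{m.group("lineno")}'
        nv = NV_INACTIVE_RE.search(msg)
        if nv:
            inactive_nv.append(int(nv.group(1)))
            continue
        summary = NV_SUMMARY_RE.search(msg)
        if summary:
            reported = int(summary.group(1))
            continue
        for name, rx in RULES:
            if rx.search(msg):
                findings.setdefault(name, where)  # remember first occurrence only
    return {
        "findings": findings,
        "inactive_nv": inactive_nv,
        "reported_inactive": reported,
        # A mismatch means the paste is incomplete or the log was cut off.
        "count_consistent": reported is None or reported == len(inactive_nv),
        "unparsed": unparsed,
    }


# Constructed sample: lines taken from dhob_report.txt as quoted above.
SAMPLE_DHOB = """\
mot_d_hob_stg_ram.c, 547: initializing dynamic hob...
mot_d_hob_stg_ram.c, 570: Failed to read DHOB file, err = 3
mot_d_hob_stg_ram.c, 446: [COLOR="Red"]couldn't verify hmac[/COLOR]
mot_d_hob_stg_ram.c, 448: verified = 0
mot_d_hob_crypto.c, 291: [COLOR="Red"]FATAL: decryption failed with st 20[/COLOR]
mot_d_hob_stg_ram.c, 666: FATAL: blank dhob in trusted mode
mot_d_hob_stg_ram.c, 779: FATAL: dhob functionality blocked
mot_d_hob_stg_ram.c, 898: dHOB recover failed
"""

# Constructed sample: shortened hob_report.txt; summary count edited to 3.
SAMPLE_HOB = """\
mot_s_hob_stg.c, 326: ERR: Can't access HOB file, errno = 3
mot_s_hob_amss.c, 590: ERR: HOB NV 540 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 1864 inactive
mot_s_hob_amss.c, 590: ERR: HOB NV 3691 inactive
mot_s_hob_amss.c, 852: ERR: Found 3 NV items from HOB list that are not populated
"""

if __name__ == "__main__":
    for label, text in (("dhob", SAMPLE_DHOB), ("hob", SAMPLE_HOB)):
        print(label, triage(text))
```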
Badshah deep said:
Forever ? Seriously bro? Nopes hopes even after Oreo?
Likely no if you have flashed someone else's persist.
Maybe yes if you have your own but flashed custom ROMs. Currently, modem fails to initialize efs even if you modify just 1 bit of persist because of hash check.
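Why a keyed hash makes a persist dump useless on another device, and why a single changed bit is enough to fail the check, shown as an added model that is not Motorola's code. The key source, the SHA-256 choice and the payload-then-tag layout are assumptions; the real dhob format is not described in this thread, and the encryption layer is left out.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed per-device secrets; on real hardware such a key would not be
# readable from the application processor (assumption of this model).
KEY_A = hashlib.sha256(b"constructed secret of device A").digest()
KEY_B = hashlib.sha256(b"constructed secret of device B").digest()

# Constructed stand-in for the protected record.
RECORD = b"constructed provisioning record; not real dhob contents"


def seal_keyed(key, payload):
    """payload || HMAC-SHA256(key, payload): the keyed-hash layout assumed here."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_keyed(key, blob):
    """True only if the tag was produced with this device's key over these bytes."""
    if len(blob) <= TAG_LEN:
        return False  # nothing left to authenticate
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def seal_checksum(payload):
    """payload || SHA-256(payload): an unkeyed checksum, for contrast."""
    return payload + hashlib.sha256(payload).digest()


def verify_checksum(blob):
    if len(blob) <= TAG_LEN:
        return False
    payload, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(payload).digest())


def flip_bit(data, bit):
    """Return a copy of data with one bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def scenarios():
    blob_a = seal_keyed(KEY_A, RECORD)
    return {
        # The device's own, untouched blob verifies.
        "own_blob_on_own_device": verify_keyed(KEY_A, blob_a),
        # The same bytes restored onto a device with a different key do not.
        "blob_from_another_device": verify_keyed(KEY_B, blob_a),
        # Any modification, even one bit, invalidates the tag.
        "own_blob_one_bit_changed": verify_keyed(KEY_A, flip_bit(blob_a, 0)),
        # Truncated input is rejected instead of raising.
        "blob_shorter_than_tag": verify_keyed(KEY_A, blob_a[:TAG_LEN]),
        # An unkeyed checksum only detects corruption; it cannot tell which
        # device a self-consistent record came from, which is why a key is used.
        "unkeyed_checksum_accepts_foreign_record": verify_checksum(
            seal_checksum(b"constructed record from some other device")
        ),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
```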
I flashed an Oreo ROM without doing backup, later I flashed stock ROM, and got IMEI 0. Now, after multiple tries I got my IMEI and signal back, with stock ROM (Deodexed zip).
Doing a backup of "persist" will help?
rachitrawat said:
Currently, modem fails to initialize efs even if you modify just 1 bit of persist because of hash check.
I've noticed that twrp adds its configuration file ".twrps" in persist partition, that is ok?
caiquejd said:
I flashed an Oreo ROM without doing backup, later I flashed stock ROM, and got IMEI 0. Now, after multiple tries I got my IMEI and signal back, with stock ROM (Deodexed zip).
Doing a backup of "persist" will help?
Interesting. If you've intact persist, your device will not lose imei even after full fastboot factory flash.
attack11 said:
I've noticed that twrp adds its configuration file ".twrps" in persist partition, that is ok?
Likely yes. But flashing custom ROM triggers hash mismatch for sure. When I took my persist backup (which I lost damn), I fastboot boot twrp and not flash. Before reverting to stock, I simply restored my persist. The baseband letter in stock changed to R from e and it'd detect imei even after fastboot erase modemsts.
rachitrawat said:
Interesting. If you've intact persist, your device will not lose imei even after full fastboot factory flash.
Likely yes. But flashing custom ROM triggers hash mismatch for sure. When I took my persist backup (which I lost damn), I fastboot boot twrp and not flash. Before reverting to stock, I simply restored my persist. The baseband letter in stock changed to R from e and it'd detect imei even after fastboot erase modemsts.
If I understand you correctly, people who do not have the original persist file have no chance to restore IMEI?
Hi,
I am trying to flash my neffos X1 Lite with the official firmware here http://www.neffos.com/en/support/download/X1-Lite using the SP_Flash_Tool-5.1916_Win
The scatter file inside looks like this
preloader 0x0
pgpt 0x0
recovery 0x8000
para 0x1008000
expdb 0x1088000
frp 0x1a88000
ppl 0x1b88000
nvdata 0x1bc8000
metadata 0x3bc8000
protect1 0x5bc8000
protect2 0x63c8000
seccfg 0x7000000
proinfo 0x7040000
oemkeystore 0x7800000
md1img 0x8000000
md1dsp 0x9800000
md1arm7 0x9c00000
md3img 0x9f00000
nvram 0xa400000
lk 0xa900000
lk2 0xaa00000
boot 0xab00000
logo 0xbb00000
tee1 0xc300000
tee2 0xc800000
secro 0xcd00000
keystore 0xd300000
system 0xe000000
cache 0xeb800000
userdata 0x106800000
flashinfo 0xFFFF0080
sgpt 0xFFFF0000
The SP Flash Tool does not recognize this format and reports "Status Scatter File Invalid - (0xC0030001)". So how am I supposed to flash my phone?
Currently boots only in twrp and not to the OS.
Regards,
Hi everyone,
I purchased a OnePlus 9 Pro directly from the OnePlus website itself while in the US. I was very disappointed to discover that they removed dual-sim support from the NA variant of the device. I travel between two countries for work, and having dual-sim support would be incredibly useful.
I did cheer up, however, when I read some posts saying that the physical pins weren't removed from the device, and that it's likely a software block.
Various people are saying different things, though, so I was hoping to get some clarification.
Is it at all likely that the US variant can get dual-sim support, whether by changing some device props or flashing a different variant's (or custom) ROM?
Thanks in advance for taking the time to answer.
I am trying to determine if there is actually a hardware fuse somewhere that is set for Dual SIM, or if it's purely software, so I need some help from you all. If you are close to the Phoenix, AZ area in the USA, or know anyone who is nearby, and have a Chinese or EU version of the OP9Pro, I would like to borrow the device for a few hours.
If it turns out that nobody lives in the desert, then I would like the help of someone with a Dual SIM enabled device to make a ufs dump via edl and allow me to have a copy of it, roughly 6.5GB. Linux and knowledge of bash required. PM me if available.
craznazn said:
I am trying to determine if there is actually a hardware fuse somewhere that is set for Dual SIM, or if it's purely software, so I need some help from you all. If you are close to the Phoenix, AZ area in the USA, or know anyone who is nearby, and have a Chinese or EU version of the OP9Pro, I would like to borrow the device for a few hours.
If it turns out that nobody lives in the desert, then I would like the help of someone with a Dual SIM enabled device to make a ufs dump via edl and allow me to have a copy of it, roughly 6.5GB. Linux and knowledge of bash required. PM me if available.
Not sure what exactly you want to check on SW side, but can't you "just" compare the full OTA zips of different versions?
craznazn said:
I am trying to determine if there is actually a hardware fuse somewhere that is set for Dual SIM, or if it's purely software, so I need some help from you all. If you are close to the Phoenix, AZ area in the USA, or know anyone who is nearby, and have a Chinese or EU version of the OP9Pro, I would like to borrow the device for a few hours.
If it turns out that nobody lives in the desert, then I would like the help of someone with a Dual SIM enabled device to make a ufs dump via edl and allow me to have a copy of it, roughly 6.5GB. Linux and knowledge of bash required. PM me if available.
Unfortunately, I'm nowhere near Arizona and only own the US variant, or I'd be more than happy to help.
I do encourage owners of those variants to volunteer a bit of their time to help with this.
Nobody knows, I'm sure I'm not the only one
drozd128 said:
Not sure what exactly you want to check on SW side, but can't you "just" compare the full OTA zips of different versions?
Nope, you can just flash the EU OTA to US and it obviously won't work. I need more than just the extracted MSM too, I actually need to compare other partitions baked into each device.
craznazn said:
Nobody knows, I'm sure I'm not the only one
Nope, you can just flash the EU OTA to US and it obviously won't work. I need more than just the extracted MSM too, I actually need to compare other partitions baked into each device.
I see your idea of dumping the phone to PC, but I don't think you need the dump of the EU phone. You should be able to compare either full OTAs, or your dump with full EU OTA (as far as I remember, there should be everything, boot, kernel, ... but I can be wrong on this, that was my experience with TCL phone 2-3y ago).
Also quick google search brought me this: https://forum.xda-developers.com/t/how-i-achieved-dual-sim-operation-on-rp2.3923159/ I guess, it is worth reading.
EDIT: I'm talking about unpacking and comparing, not flashing.
drozd128 said:
I see your idea of dumping the phone to PC, but I don't think you need the dump of the EU phone. You should be able to compare either full OTAs, or your dump with full EU OTA (as far as I remember, there should be everything, boot, kernel, ... but I can be wrong on this, that was my experience with TCL phone 2-3y ago).
Also quick google search brought me this: https://forum.xda-developers.com/t/how-i-achieved-dual-sim-operation-on-rp2.3923159/ I guess, it is worth reading.
EDIT: I'm talking about unpacking and comparing, not flashing.
You are operating under the assumption that the OTA has the SW to enable dual sim. If that was the case, flashing a EU rom on US would finish the job already.
To give you an idea of the difference, this is the directory list of the extracted OTA:
Code:
abl.img
aop.img
bluetooth.img
boot.img
cpucp.img
devcfg.img
dsp.img
dtbo.img
featenabler.img
hyp.img
imagefv.img
keymaster.img
modem.img
multiimgoem.img
odm.img
oplus_sec.img
oplusstanvbk.img
product.img
qupfw.img
qweslicstore.img
shrm.img
splash.img
system_ext.img
system.img
tz.img
uefisecapp.img
vbmeta.img
vbmeta_system.img
vbmeta_vendor.img
vendor_boot.img
vendor.img
vm-bootsys.img
xbl_config.img
xbl.img
Now, this is the directory list of an extracted MSM, ignoring folder structure:
Code:
carrier.img
frp.bin
gpt_backup0.bin
gpt_main0.bin
metadata.img
misc.bin
oem_stanvbk.bin
opluslog.img
param.bin
patch0.xml
persist.img
rawprogram0.xml
super.img
userdata.img
vbmeta_system.img
vbmeta_vendor.img
gpt_backup1.bin
gpt_main1.bin
patch1.xml
rawprogram1.xml
xbl_config.elf
xbl.elf
gpt_backup2.bin
gpt_main2.bin
patch2.xml
rawprogram2.xml
engineering_cdt.img
gpt_backup3.bin
gpt_main3.bin
ocdt.bin
patch3.xml
rawprogram3.xml
abl.elf
abl_log.bin
android_log.bin
aop.mbn
apdp.mbn
boot.img
BTFM.bin
cpucp.elf
devcfg.mbn
devinfo.bin
DRIVER.ISO
dspso.bin
dtbo.img
featenabler.mbn
gpt_backup4.bin
gpt_main4.bin
hyp_log.bin
hypvm.mbn
imagefv.elf
kernel_log16M.bin
km41.mbn
logfs_ufs_8mb.bin
mdcompress.mbn
multi_image.mbn
NON-HLOS.bin
oplusreserve2.img
oplus_sec.mbn
patch4.xml
qsee_log.bin
qupv3fw.elf
qweslicstore.bin
rawprogram4.xml
rtice.mbn
sec.elf
shrm.elf
splash.img
spunvm.bin
storsec.mbn
tz.mbn
uefi_sec.mbn
vbmeta.img
vendor_boot.img
vm-bootsys.img
emmc_fw.bin
gpt_backup5.bin
gpt_main5.bin
patch5.xml
rawprogram5.xml
Finally, an extracted phone with all the partitions dumped, again ignoring folder structure:
Code:
carrier.bin
frp.bin
gpt_backup0.bin
gpt_main0.bin
keystore.bin
metadata.bin
misc.bin
oplusdycnvbk.bin
opluslog.bin
oplusstanvbk_a.bin
oplusstanvbk_b.bin
param.bin
persist.bin
persist_bkp.bin
rawdump.bin
rawprogram0.xml
ssd.bin
super.bin
vbmeta_system_a.bin
vbmeta_system_b.bin
vbmeta_vendor_a.bin
vbmeta_vendor_b.bin
gpt_backup1.bin
gpt_main1.bin
rawprogram1.xml
xbl_a.bin
xbl_config_a.bin
gpt_backup2.bin
gpt_main2.bin
rawprogram2.xml
xbl_b.bin
xbl_config_b.bin
ALIGN_TO_128K_1.bin
cdt.bin
ddr.bin
dinfo.bin
engineering_cdt_a.bin
engineering_cdt_b.bin
gpt_backup3.bin
gpt_main3.bin
ocdt.bin
rawprogram3.xml
abl_a.bin
abl_b.bin
abl_log.bin
android_log.bin
aop_a.bin
aop_b.bin
apdp.bin
apdp_full.bin
bluetooth_a.bin
bluetooth_b.bin
boot_a.bin
boot_b.bin
connsec.bin
cpucp_a.bin
cpucp_b.bin
devcfg_a.bin
devcfg_b.bin
devinfo.bin
dip.bin
DRIVER.bin
dsp_a.bin
dsp_b.bin
dtbo_a.bin
dtbo_b.bin
featenabler_a.bin
featenabler_b.bin
gpt_backup4.bin
gpt_main4.bin
hyp_a.bin
hyp_b.bin
hyp_log.bin
imagefv_a.bin
imagefv_b.bin
kernel_log.bin
keymaster_a.bin
keymaster_b.bin
limits.bin
limits-cdsp.bin
logdump.bin
logfs.bin
mdcompress.bin
mdtp_a.bin
mdtp_b.bin
mdtpsecapp_a.bin
mdtpsecapp_b.bin
modem_a.bin
modem_b.bin
modemdump.bin
multiimgoem_a.bin
multiimgoem_b.bin
oplusreserve2.bin
oplusreserve3.bin
oplusreserve4.bin
oplusreserve5.bin
oplus_sec_a.bin
oplus_sec_b.bin
qmcs.bin
qsee_log.bin
qupfw_a.bin
qupfw_b.bin
qweslicstore_a.bin
qweslicstore_b.bin
rawprogram4.xml
rtice.bin
secdata.bin
shrm_a.bin
shrm_b.bin
splash_a.bin
splash_b.bin
spunvm.bin
storsec.bin
tz_a.bin
tz_b.bin
tzsc.bin
uefisecapp_a.bin
uefisecapp_b.bin
uefivarstore.bin
vbmeta_a.bin
vbmeta_b.bin
vendor_boot_a.bin
vendor_boot_b.bin
vm-bootsys_a.bin
vm-bootsys_b.bin
vm-data.bin
ALIGN_TO_128K_2.bin
fsc.bin
fsg.bin
gpt_backup5.bin
gpt_main5.bin
modemst1.bin
modemst2.bin
oplusreserve1.bin
rawprogram5.xml
OTA: 34 files
MSM: 80 files
Full dump: 135 files
In fact, I'll attach the MSM manifest.xml for you to check. Anywhere that has file="" means the public (non-factory) MSM doesn't even write. This includes obvious things like modemst1, and less obvious things like oplusdycnvbk. Obviously, things in _b don't need to be dumped, and are not even included in the MSM, but the fact is that even an MSM doesn't have all the SW components I need to analyze. EDIT: doesn't let me attach manifest.xml for some reason, oh well.
As for your link, that's one of the first things I did... It might have worked in previous OP devices, since device_policy.xml was the same in all devices... however, see attached device_policy, we're gonna be flashing via QPST if we even get it to work. (Yes, I tried flashing it already, crashes modem)
Trust me, I don't want to have to borrow other people's devices...
craznazn said:
You are operating under the assumption that the OTA has the SW to enable dual sim. If that was the case, flashing a EU rom on US would finish the job already.
To give you an idea of the difference, this is the directory list of the extracted OTA:
Code:
abl.img
aop.img
bluetooth.img
boot.img
cpucp.img
devcfg.img
dsp.img
dtbo.img
featenabler.img
hyp.img
imagefv.img
keymaster.img
modem.img
multiimgoem.img
odm.img
oplus_sec.img
oplusstanvbk.img
product.img
qupfw.img
qweslicstore.img
shrm.img
splash.img
system_ext.img
system.img
tz.img
uefisecapp.img
vbmeta.img
vbmeta_system.img
vbmeta_vendor.img
vendor_boot.img
vendor.img
vm-bootsys.img
xbl_config.img
xbl.img
It can still be a driver enabling/disabling the 2nd SIM slot based on the SN of the board or something... I will download the EU OTA and check if I can find something in there (I don't have the phone so can't do much more than that, sorry).
I can confirm that flashing the full EU OTA does not result in the slot being active. The getprop still shows persist.radio.multisim.config = ssss, despite the build.prop for the EU ROM having it set to dsds. I also flashed the param partition from an EU device, and that also did not resolve the issue. I have a second tray coming in the mail, so I'll do more testing when I receive it.
Something I noticed in getprop from an EU device was the presence of this parameter: persist.radio.check.two.sim = 1. Setting that prop manually does not change anything, but interesting to note that the parameter only exists on EU devices, and not my US device flashed to the EU build.
There must be a flag somewhere else that's tripping it.
I just got my dual-sim tray today. I'm not very technical but I know my way around, would be happy to help with any testing
I already have my device rooted and flashed the EU ROM
baselaa said:
I just got my dual-sim tray today. I'm not very technical but I know my way around, would be happy to help with any testing
I already have my device rooted and flashed the EU ROM
Does the dual SIM tray you ordered fit flush? If so, can you share the link? The one I ordered unfortunately doesn't fit right.
xian1243 said:
Does the dual SIM tray you ordered fit flush? If so, can you share the link? The one I ordered unfortunately doesn't fit right.
Actually I haven't tried it yet, I'm not staying home for a few days, will try it once I get back.
This is the one I got
https://www.aliexpress.com/item/1005002505723328.html?spm=a2g0o.productlist.0.0.716232d9cFVzRo&algo_pvid=5137e46b-7079-4bda-9876-75b2433ee2a6&algo_expid=5137e46b-7079-4bda-9876-75b2433ee2a6-0&btsid=0b0a556716201128566294751e9b01&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_
Is there any progress on this?
So the Dual-Sim tray does remain flush and 100% for the 9Pro, however, even with the EU ROM it doesn't run dual-sim.
Is there anything I can test? I'm rooted and please feel free to have me try anything
The sim reader part numbers are different.
You can see the part numbers by watching the teardown videos of a single and dual sim phone.
Single Sim: c114 0001
Dual Sim: c114 0003
I can't find the dual sim board for sale.
Since I've now read every thread in my search results, is it safe to assume no one has gotten dual SIM working for the US version of the phone? I'm rooted and running EU/BA version of OOS. I ordered a dual SIM tray but it won't be here for a couple of weeks. I don't see options for SIM2 in Settings, but I'm sure it was there at one point (earlier version of OOS?). I'm also happy to install a custom ROM if there's one that works.
I can also enable dual SIM, but the 2nd slot SIM is not working.
I have been trying, and I'm telling you, trying to root this phone, for which I have to unlock the bootloader, is driving me insane. I have a Windows 11 laptop. I am a noob at all this, so I've been watching videos STEP BY STEP AND NOTHING, no progress.
IvXotiic said:
I have been trying, and I'm telling you, trying to root this phone, for which I have to unlock the bootloader, is driving me insane. I have a Windows 11 laptop. I am a noob at all this, so I've been watching videos STEP BY STEP AND NOTHING, no progress.
I used https://github.com/bkerler/mtkclient on Windows 10.
Had to press the 2 volume buttons on device while turning it on.
There are some requirements there, like python to be installed.
Easily done with chocolatey on Windows.
Me too, I need to unlock the bootloader on a REVVL 5G t790w.
Have you got it rooted yet? It's really easy to do. There's a guide on here, or I can walk you through it, and I have all the files you'll need in case you can't find them; DM me. I also now have the MT6833_Android_scatter.txt and all the firmware needed to revert to stock also. Working on how to actually do that as we speak.
R41N MuTT said:
Have you got it rooted yet? It's really easy to do. There's a guide on here, or I can walk you through it, and I have all the files you'll need in case you can't find them; DM me. I also now have the MT6833_Android_scatter.txt and all the firmware needed to revert to stock also. Working on how to actually do that as we speak.
Would really like to restore my T-Mobile REVVL V+ 5G to stock.
It does not turn on the display but tries to connect to mtkclient.
Issue is it keeps giving me (indefinitely):
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
mtkclient GUI Log:
..Port - Device detected
Preloader - CPU: MT6833(Dimensity 700 5G k6833)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0x73
Preloader - Disabling Watchdog...
Preloader - HW code: 0x989
Preloader - Target config: 0xe7
Preloader - SBC enabled: True
Preloader - SLA enabled: True
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 96C8388057AFD372754DCBB4B155D5B1
Preloader - SOC_ID: 116C6A57A536601BE60E0E7BA9C4E0B86D979A21F11E8ABA0FB2E6A7DAA9E062
Port - Device detected
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2152.bin
xflashext - Patching da1 ...
xflashext
xflashext - [LIB]: Error on patching da1 version check...
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - UFS Blocksize:0x1000
DAXFlash - UFS ID: H9HQ54ACPMMDAR
DAXFlash - UFS MID: 0xad
DAXFlash - UFS CID: ad014839485135344143504d4d444152
DAXFlash - UFS FWVer: 41303032
DAXFlash - UFS Serial: 323031304238453143413030
DAXFlash - UFS LU0 Size: 0xee5800000
DAXFlash - UFS LU1 Size: 0x400000
DAXFlash - UFS LU2 Size: 0x400000
DAXFlash - DRAM config needed for : ad014839485135344143504d4d444152
DAXFlash - No preloader given. Searching for preloader
DAXFlash - Sending emi data ...
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
DAXFlash
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
R41N MuTT said:
Have you got it rooted yet? It's really easy to do. There's a guide on here, or I can walk you through it, and I have all the files you'll need in case you can't find them; DM me. I also now have the MT6833_Android_scatter.txt and all the firmware needed to revert to stock also. Working on how to actually do that as we speak.
Would love to get a copy of those files if possible.
djismgaming said:
Would really like to restore my T-Mobile REVVL V+ 5G to stock.
It does not turn on the display but tries to connect to mtkclient.
Issue is it keeps giving me (indefinitely):
DAXFlash - [LIB]: Error on sending parameter: DA exceed max num (0xc0070005)
Right, I'm working on a fix for that. Standby, I'm so close to cracking this. Any day now. Also, do you have another phone handy? I think I might be able to help you get that phone working again in a rooted state. Possibly.
R41N MuTT said:
Right, I'm working on a fix for that. Standby, I'm so close to cracking this. Any day now. Also, do you have another phone handy? I think I might be able to help you get that phone working again in a rooted state. Possibly.
I have another as the REVVL is not my main phone since it got "bricked" as I call it
Thanks for your concern.
Having this same issue, anyone have any recovery files that work?
yahdeeez said:
Having this same issue, anyone have any recovery files that work?
Try this: https://forum.xda-developers.com/t/root-flash-stock.4541841/ Please let me know if you encounter any problems and I'll try to help you through it if I can.
R41N MuTT said:
Try this: https://forum.xda-developers.com/t/root-flash-stock.4541841/ Please let me know if you encounter any problems and I'll try to help you through it if I can.
Thanks for the quick response.
I just realized that this is for the REVVL V+ 5G and my phone is the REVVL 6 PRO 5G.
I'm just trying to unbrick it; I don't care about root or anything. Are the steps the same since they are both MT6833 devices?
yahdeeez said:
Thanks for the quick response.
I just realized that this is for the REVVL V+ 5G and my phone is the REVVL 6 PRO 5G.
I'm just trying to unbrick it; I don't care about root or anything. Are the steps the same since they are both MT6833 devices?
Unlocking the bootloader for any chipset will be the same method across devices with the same chipset. Rooting and firmware modifications are device specific.
If your device is bricked, probably the best thing is to reflash everything back to stock.
To flash this device back to stock, I believe you have to mount partition a and reflash, then mount partition b and reflash. Repeat this for every file. There is an order to it.
There is also a way to do it with SP flash tool, which uses scatter.txt to automate the flashing to both partitions, making the process much simpler.
There may be other hangups, like bypassing Download Authorization, etc.
The key to completing this would be having the firmware and scatter file.
You can get the scatter file by taking a bug report. You start an OTA update and navigate to developer options and capture a bug report.
Next you save the bug report and pull the OTA.
Next you extract payload.bin with payload dumper tool and this is where you will find scatter.txt.
I have been unable to locate an OTA capture or official firmware for the 6 pro. I've got 3 other people waiting for it. It's a matter of when. I no longer own this device and cannot capture the OTA myself. It's still possible, but I don't have the computing resources to do it. You'd have to be filthy rich. And I'm very far from that.
If you can locate stock firmware, official OTA, or if you know somebody with this phone and they are willing to factory reset and capture the OTA for you, perhaps we can proceed. As it stands for right now, I am not able to unbrick your device. Not yet. I know, it sucks, it's not what you want to hear. And maybe somebody else out there already figured it out- I encourage you to keep looking. Although xda is your best bet, they aren't the only development team out there. Sometimes people get lucky and figure it out before the xda crew.
I will continue to look for a solution. Stand by, posts are updated as these things are discovered.
*Edit* to cover all the bases, how did you brick your 6 pro? Was it during the unlocking the bootloader process, or was it during a firmware flash? If it happened while unlocking your bootloader, or rooting, then recovering your device may be extremely possible... Just tell me the steps you took up to where something went wrong
I was trying to root it. (Well, firstly trying to do the MTK unlock bootloader thing I found from these threads; the whole time it was for the REVVL V+ 5G.)
The last thing I remember seeing was dm-verity is corrupt and it wouldn't boot, eventually giving me an option to factory reset or reboot. I rebooted and it hasn't worked since. I can get it detected to bypass with the auth tool but I can't get anything in SP flash tool to flash. I'm uploading the firmware I found for it now; it's the only one I found and I had to subscribe to some site to get it.
I can't do anything with adb or fastboot; it's just the MediaTek drivers being detected, and I've tried everything on Win 10 as well as Garuda Linux.
It's my main phone. I've been going at it for 3 days. I'm debating on whether I should take it to Metro and try to get a replacement with the insurance.
yahdeeez said:
I was trying to root it.
The last thing I remember seeing was dm-verity is corrupt and it wouldn't boot, eventually giving me an option to factory reset or reboot. I rebooted and it hasn't worked since. I can get it detected to bypass with the auth tool but I can't get anything in SP flash tool to flash. I'm uploading the firmware I found for it now; it's the only one I found and I had to subscribe to some site to get it.
I can't do anything with adb or fastboot; it's just the MediaTek drivers being detected, and I've tried everything on Win 10 as well as Garuda Linux.
It's my main phone. I've been going at it for 3 days. I'm debating on whether I should take it to Metro and try to get a replacement with the insurance.
Unfortunately, once you root, unlock the bootloader, or otherwise tamper with the software, your device warranty and insurance are voided. Now, if the device fails naturally then it's their fault. Just like gasoline goes in your car. If you poured maple syrup in it the warranty is voided. But this doesn't mean all hope is lost. If you DM me or email me I have other solutions. I don't want my account deleted and I don't think xda would appreciate me putting it out there.
Okay, DM verity corrupted? There are ways to fix that. I don't think you need the firmware to fix it. In fact, I believe flashing firmware is a wasted effort. Your error, I believe, is in the unlocking of the bootloader. Did you ever try to root?
Check this out.
How to unlock Revvl 6 Pro 5g?
I need help unlocking bootloader on my new Revvl 6 Pro 5g, this is my first mtk device, and I'm a Windows guy and I'm lost on the whole mtk client tool and python. Any and all help would be a phenomenal help! I think this phone would have a lot...
forum.xda-developers.com
Also _hollywood_ seems to know a lot about this device. Perhaps asking their advice would prove helpful