Hi all,
I own one i9300_TIZEN phone thanks to a Tizen event, and since I've saw what Tizen OS looks like (no comment), I'm really interesting in flashing Android on the device. Before coming in the forum and asking question, I previously made researchs and try some things.
So first I tried heimdall in order to directly flash a recovery (i hoped it will be as easy) but it gives the following output :
Code:
[email protected] ~/Desktop $ sudo heimdall flash -RECOVERY recovery-clockwork-touch-6.0.3.1-i9300.img --verbose --stdout-errors --no-reboot
[sudo] password for padawan:
Heimdall v1.4 RC1
Copyright (c) 2010-2012, Benjamin Dobell, Glass Echidna
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
Initialising connection...
Detecting device...
Manufacturer: "SAMSUNG"
Product: "SLP"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 0100
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.00
endpoint[0].address: 83
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.FF
endpoint[0].address: 81
max packet size: 0200
polling interval: 00
endpoint[1].address: 02
max packet size: 0200
polling interval: 00
Claiming interface...
Setting up interface...
Checking if protocol is initialised...
Protocol is not initialised.
Initialising protocol...
WARNING: Control transfer #1 failed. Result: -9
WARNING: Control transfer #1 failed. Result: -1089611880
WARNING: Control transfer #2 failed. Result: -9
WARNING: Control transfer #2 failed. Result: -1089611880
WARNING: Control transfer #3 failed. Result: -9
WARNING: Control transfer #3 failed. Result: -1089611880
WARNING: Control transfer #4 failed. Result: -9
WARNING: Control transfer #4 failed. Result: -1089611880
WARNING: Control transfer #5 failed. Result: -9
WARNING: Control transfer #5 failed. Result: -1089611880
WARNING: Control transfer #6 failed. Result: -9
WARNING: Control transfer #6 failed. Result: -1089611880
ERROR: Failed to send data: "ODIN"
ERROR: Failed to send data: "�"
Releasing device interface...
It seems that the device is just not recognize by the tools, and I don't know how to solve this issue.
So for the moment I don't really know how to proceed. I know that first I may have to do a dump of my device in order to reflash it in case of issue. I saw that I may be able to do it thanks to Tizen commands, but I'm not completely sure. Some tizen tools looks very similar to android ones (like sdb with the same functions that adb), but I didn't know if it may be a solution (because tizen commands may do tizen stuff, and that's not what I'm looking for).
It may also be useful for me to know the exact hardware of my device. It may be very close to i9300, but I want to be sure before doing anything.
Another solution may be to flash a I9300 .pit file to "flash" my device, but I never use it before so i don't really understand the real risks of this solution and the process.
So for the moment I don't really know how to proceed, that's why i'm creating this thread.
Thank you,
up
I think there will no further investigation in this case. I'm interested too. But to less people got access to this devices.
So I think we have to wait until the tizen release.
Gesendet vom Handy mit Tapatalk.
Catscratch said:
I think there will no further investigation in this case. I'm interested too. But to less people got access to this devices.
So I think we have to wait until the tizen release.
Gesendet vom Handy mit Tapatalk.
Click to expand...
Click to collapse
I know but my main problem is that I don't know the tools needed to make these investigations. I don't want someone to write a precise tutorial, but I just need some advices to go further in my investigations.
http://www.youtube.com/watch?v=JXvOcGJ6zXo
Maybe in this way...
Untested from Tizen to Android...
Best Regards
Edit 1.
As hint...
Odin Tool for Android receive ODIN as text string for identification from Android handset...
Thor receive THOR from Tizen crap...
I can not try complete... as no Android nor Tizen real handset here in my hands...
Short played with S8500 and SBL Bootloader from Android handsets...
http://forum.xda-developers.com/showpost.php?p=44162575&postcount=12
http://forum.xda-developers.com/showpost.php?p=44188307&postcount=13
Edit 2.
Found this Decrypted:
https://hotfile.com/dl/234791315/5b8c314/GSIII_Recovery_guide_v2.pdf.html?lang=en
I have found this encrypted Doc and files too...
Nascar encrypted files seems often used by Sxmsung...
2.2.1 is released...
Maybe big "surprice"...
http://download.tizen.org/releases/2.2.1/tizen-2.2.1/images/RD-PQ-REF/
No idea why the wifi Version is 1100 MB big...
Best Regards
Hello,
I was working on a project to run linux on my Geniatech ATV1220 but it didn't work out as planned. So I want to run android on the box again, but I can't do it. I think it is because I updated the uboot with the latest amlogic release (which probably broke something). Right now the box is directly booting to command line. I tried putting the update files on sd card, which I did with another of those boxes to update the android version and it worked flawlessly, when I booted it up after holding down the reset button, but this box seems to ignore this all. Is there any way I can restore my box from command line? I have UART connection so I can see the log and enter commands etc. My bootlog is here:
Code:
EEEE I3000000032940xf300110303;77520EEEE I400000004294_M6_BL1_3431>2534313
TE : 77484
BT : 16:08:27 Apr 10 2014
CPU clock is 1200MHz
wait pll-0x03 target is 0204 now it is 0x00000203
DDR clock is 516MHz with Low Power & 1T mode
DDR training :
DX0DLLCR:40000000
DX0DQTR:ffffffff
DX0DQSTR:3db05001
DX1DLLCR:40000000
DX1DQTR:ffffffff
DX1DQSTR:3db05001
DX2DLLCR:40000000
DX2DQTR:ffffffff
DX2DQSTR:3db05001
DX3DLLCR:40000000
DX3DQTR:ffffffff
DX3DQSTR:3db05001
Stage 00 Result 00000000
Stage 01 Result 00000000
Stage 02 Result 00000000
Stage 03 Result 00000000
DDR init use : 41812 us
HHH
BootFrom SPI
0x12345678
Boot from int dev 1stSPI RESERVED
TE : 346489
System Started
U-boot([email protected]) (Apr 10 2014 - 16:08:14)
aml_rtc_init
aml rtc init first time!
clr h-ram
DRAM: 1 GiB
relocation Offset is: 105e0000
MMC: [mmc_register] add mmc dev_num=0, port=1, if_type=6
[mmc_register] add mmc dev_num=1, port=2, if_type=6
SDIO Port B: 0, SDIO Port C: 1
aml_i2c_init
NAND: Amlogic nand flash uboot driver, Version U1.06.017 (c) 2010 Amlogic Inc.
SPI BOOT : continue i 0
No NAND device found!!!
NAND device id: 98 d7 84 93 72 57
NAND device: Manufacturer ID: 0x98, Chip ID: 0x98 (Toshiba A serials NAND 4GiB TC58TEG5DCJTA00 )
1 NAND chips detected
#####aml_nand_init, with RB pins and chip->chip_delay:20
bus_cycle=5, bus_timing=7, start_cycle=6, end_cycle=9,system=5.0ns
oob size is not enough for selected bch mode: NAND_BCH60_1K_MODE force bch to mode: NAND_BCH40_1K_MODE
aml_chip->oob_fill_cnt =128,aml_chip->oob_size =1280,bch_bytes =70
multi plane error for selected plane mode: NAND_TWO_PLANE_MODE force plane to : NAND_SINGLE_PLANE_MODE
aml_nand_init:oobmul =1,chip->ecc.layout->oobfree[0].length=32,aml_chip->oob_size=1280
aml nand env valid addr: 58000 ,status =0
key start_blk=1016,end_blk=1023,aml_nand_key_init:684
aml nand key valid addr: fe000000
aml nand key valid addr: fe400000
aml nand key valid addr: fe800000
aml nand key valid addr: fec00000
CONFIG_KEYSIZE=0x10000; KEYSIZE=0xfffc; bbt=0x1330; default_keyironment_size=0xeccc
i=0,register --- nand_key
NAND bbt detect Bad block at 0
NAND bbt detect factory Bad block at 8000000
NAND bbt detect factory Bad block at 15400000
NAND bbt detect factory Bad block at 1ec00000
NAND bbt detect factory Bad block at 43c00000
NAND bbt detect factory Bad block at 5b800000
NAND bbt detect factory Bad block at 65800000
NAND bbt detect factory Bad block at 69c00000
Creating 8 MTD partitions on "nandnormal":
0x000000800000-0x000001000000 : "logo"
0x000001000000-0x000001800000 : "aml_logo"
0x000001800000-0x000002000000 : "recovery"
0x000002000000-0x000002800000 : "boot"
0x000002800000-0x000043400000 : "system"
NAND bbt detect factory Bad block at 8000000
NAND bbt detect factory Bad block at 15400000
NAND bbt detect factory Bad block at 1ec00000
0x000043400000-0x00004b800000 : "cache"
NAND bbt detect factory Bad block at 43c00000
0x00004b800000-0x00006c400000 : "userdata"
NAND bbt detect factory Bad block at 5b800000
NAND bbt detect factory Bad block at 65800000
NAND bbt detect factory Bad block at 69c00000
0x00006c400000-0x0000fe000000 : "NFTL_Part"
NAND bbt detect factory Bad block at 72000000
NAND bbt detect factory Bad block at 76400000
NAND bbt detect factory Bad block at 7dc00000
NAND bbt detect factory Bad block at 8dc00000
NAND bbt detect factory Bad block at a0000000
NAND bbt detect factory Bad block at a0800000
NAND bbt detect factory Bad block at a1800000
NAND bbt detect factory Bad block at b4000000
NAND bbt detect factory Bad block at d2000000
NAND bbt detect factory Bad block at f4400000
NAND bbt detect factory Bad block at f4800000
NAND bbt detect factory Bad block at f4c00000
NAND bbt detect factory Bad block at f5000000
NAND bbt detect factory Bad block at f5400000
nandnormal initialized ok
detect mx chiprevD :1 and nand_type: 20
nand_curr_device =1
SPI BOOT,spi_env_relocate_spec : env_relocate_spec 53
SF: Detected MX25L3205D with page size 256, total 4 MiB
SPI NOR Flash have write protect!!!
In: serial
Out: serial
Err: serial
register usb cfg[0] = 9fe83258
Net: Meson_Ethernet
init suspend firmware done. (ret:0)
detect_storage
nand exist return 0
setenv storage nand
reboot_mode=charging
---wipe_data=
itest - return true/false on integer compare
Usage:
itest [.b, .w, .l, .s] [*]value1 <op> [*]value2
SARADC open channel(4).
SARADC open channel(4).
ir init
Hit any key to stop autoboot -- : 0
exit abortboot: 0
Saving Environment to SPI Flash...
SPI BOOT,spi_saveenv : saveenv 97
Erasing SPI flash...Writing to SPI flash...done
m6_mbx_v1#
Any help is appreciated.
Thanks
egon
Hi,
i have an old samsung i9100 (galaxy S2) that i would like to prepare for my 9 yo kid.
i wanted to upgrade ROM to android 7 but it crashed and when phone boots it displays "Firmware upgrade encountered an issue. Please select recovery mode in Kies & try again"
I read a lot of articles and saw several videos about it but nothing work as they said.
Therefore i was thinking to flash a new version of TWRP at first like 3.1.1 but when i do that in ODIN 3.12 it always failed. Phone is normally connected as COM1.
The same issue i have when i try to flash a new rom...it fails on CACHE part.
Someone can help me please ? I already flashed a lot this phone without any issue as 2 other Samsung S5 Neo. So i do not understand what is the problem.
if i try Heimdall i got this error when i run "heimdall print-pit --verbose" command:
Code:
Heimdall v1.4.0
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
This software is provided free of charge. Copying and redistribution is
encouraged.
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
Initialising connection...
Detecting device...
Manufacturer: "SAMSUNG"
Product: "Gadget Serial"
length: 18
device class: 2
S/N: 0
VID:PID: 04E8:685D
bcdDevice: 021B
iMan:iProd:iSer: 1:2:0
nb confs: 1
interface[0].altsetting[0]: num endpoints = 1
Class.SubClass.Protocol: 02.02.01
endpoint[0].address: 83
max packet size: 0010
polling interval: 09
interface[1].altsetting[0]: num endpoints = 2
Class.SubClass.Protocol: 0A.00.00
endpoint[0].address: 81
max packet size: 0040
polling interval: 00
endpoint[1].address: 02
max packet size: 0040
polling interval: 00
Claiming interface...
Setting up interface...
Initialising protocol...
ERROR: Failed to send data: "ODIN"
Releasing device interface...
thx
is there someone on this part of forum ?
Flash Lineage 16 or Carbon 7!
We give children the best things.
Let him learn. When you help your child, he will quickly chase you away.
The message "Firmware upgrade encountered an issue. Please select recovery mode in Kies & try again" means that you have lost the stock ROM system partitions.
You need to flash again the ROM stock you find in the Carbon thread.
With the help of Odin you flash in the download mode.
I have the stock ROM but ODIN still do not send data to mobile. Even a single PIT file worked but did not allow to flash stock ROM
heimdall just show it in command line with "ERROR: Failed to send data: "ODIN"" as error
here it is where it stucks when i upload stock firmware using ODIN 1.85
using ODIN 3.12 is almost the same issue:
i tried in comptibility "Windows XP - SP 2" and also in SP3... running ODIN under administrator
unfortunately, nothing helped so far. any idea ?
Hello folks,
I've been fighting for three days with my PX5 board from my Xtrons radio.
As the first I tried to flash the core board with OTP USB cable with Android 10.
First I did it with the loader that I connected to the RK Dev Tool and then I clicked on RUN!
Everything went to the end without Fefler. Log file here:
20:27:03 217 RKDevTool v2.7.1.0 start run
20:29:23 860 RKDevTool v2.7.1.0 start run
20:38:00 243 Layer<>: RunProc is ending, ret=0
21:14:18 490 Layer<>: RunProc is ending, ret=0
21:25:10 623 RKDevTool v2.7.1.0 start run
21:33:09 243 RKDevTool v2.7.1.0 start run
22:20:46 879 Layer<1-4>:Test Device Start
22:20:46 886 Layer<1-4>:Test Device Success
22:20:46 890 Layer<1-4>:Check Chip Start
22:20:46 895 Layer<1-4>: Check Chip Success
22:20:46 899 Layer<1-4>:Get FlashInfo Start
22:20:46 902 <LAYER 1-4> INFO:FlashInfo: 00 00 A4 03 00 04 04 00 28 00 01
22:20:46 906 <LAYER 1-4> INFO:GetFlashInfo-->Emmc storage.
22:20:46 911 Layer<1-4>:Get FlashInfo Success
22:20:46 915 Layer<1-4>repare IDB Start
22:20:46 918 <LAYER 1-4> INFO:CS(1) (29824MB) (SAMSUNG)
22:20:46 929 Layer<1-4>repare IDB Success
22:20:46 931 Layer<1-4>ownload IDB Start
22:20:47 056 Layer<1-4>ownload IDB Success
22:20:47 058 Layer<1-4>:Wait For Loader Start
22:20:47 633 Layer<1-4>:Wait For Loader Success
22:20:47 635 Layer<1-4>:Test Device Start
22:20:47 641 Layer<1-4>:Test Device Success
22:20:47 649 Layer<1-4>: Download gpt...
22:20:47 666 Layer<1-4>: Download uboot at 0x00004000...
22:20:47 848 Layer<1-4>: Download trust at 0x00006000...
22:20:48 007 Layer<1-4>: Download misc at 0x00008000...
22:20:48 020 Layer<1-4>: Download dtbo at 0x0000c000...
22:20:48 030 Layer<1-4>: Download vbmeta at 0x0000e000...
22:20:48 044 Layer<1-4>: Download boot at 0x0000e800...
22:20:49 208 Layer<1-4>: Download recovery at 0x0001e800...
22:20:51 116 Layer<1-4>: DownloadSparse super at 0x00150c00...
22:20:51 116 INFOownloadSparseImage-->erase start,file=..\rockdev\Image\super.img,unsparse=9437184,partition=9437184
22:20:53 460 INFOownloadSparseImage-->write sparse start,total_chunk=3084
22:22:08 987 Layer<1-4>: DownloadSparse oem at 0x00a50c00...
22:22:08 987 INFOownloadSparseImage-->erase start,file=..\rockdev\Image\oem.img,unsparse=2097152,partition=2097152
22:22:09 435 INFOownloadSparseImage-->write sparse start,total_chunk=14
22:22:12 927 Layer<1-4>: RunProc is ending, ret=1
22:25:41 358 Layer<>: RunProc is ending, ret=0
Click to expand...
Click to collapse
Then I unplugged the USB cable and I no longer have a connection.
Today I tried again and with the help of short circuits from contact to ground and I have Maskrom connection.
Like HERE
Then I clicked on erase under UPDATE FIRMWARE and everything went to the end without any problems. Then I tried to UPDATE the appropriate inage but keep getting the error "prepare idb fail" and connection are lost.
Can someone help me?
Does anyone have what idea how do I get ahead?
thanks
Try different versions of rktool, Ive experienced this problem before.
Unfortunately does not help! I tried with 3-4 versions of rktool and also with RockChip_Batch_Tool_v1.8.
Always the same.
I would try two different thing, first see if you have a USB 2 only port and test using that one, second trick that has worded many times for me is using a VM under virtualbox, i find the client(1/2 cpu's only) being a little slower helps and setting usb 2 under settings.
darkspr1te
Hello people,
I reinstalled my core board, but without an operating system it is practically empty.
Then the radio switched on and booted from SD card with Android 10 installation.
The radio boots from the SD card and the display shows ANDROID 10 lettering and then the Androird 10 is being installed and "the circle" can be seen.
After a short time you can see Android male on the display and it says "ERROR".
Then the picture below appears.
What does that mean?
And what am i doing wrong?
vouager said:
Hello people,
I reinstalled my core board, but without an operating system it is practically empty.
Then the radio switched on and booted from SD card with Android 10 installation.
The radio boots from the SD card and the display shows ANDROID 10 lettering and then the Androird 10 is being installed and "the circle" can be seen.
After a short time you can see Android male on the display and it says "ERROR".
Then the picture below appears.
View attachment 5426343
What does that mean?
And what am i doing wrong?
Click to expand...
Click to collapse
While I have never had sent to me a SOM with defective storage, it's entirely possible. Every SOM sent to me was recoverable.
You're welcome to send the SOM to me in New Zealand with return freight. No cost other than freight.
Hello marchnz ,
Thank you for your offer, but unfortunately because of our distance and postage costs it does not pay off that I send you the part to NZ.
I bought a new PX5 and my radio works again.
1 week ago everything was ok with the old PX5 and worked perfectly with Android 9
Then I tried to install Android 10 and this mistake happened.
think I'm doing something wrong.
Maybe I have to format flash memory first, but how? Or do I need special files.
I don't want to give up on that part, especially because of my job as an electronics technician and of pure curiosity.
If you can help me in any way it will be great. But shipping and returning really doesn't pay off.
Thanks,
At least it happens to you about test devices, I always fail, I don't know what to do anymore, we have the same board.
Could you upload the files you have to see if I have something that I should not or how you tried to flahse it.
What is a new plate worth and where did you get it? Sorry for my English I use the google translator. greetings from Spain
i have this case, i try lot of many things but nothing happen. so i try plug usb to other port on my computer and it's work. so i think, may be it have some trouble on usb port. or please try on other computer or laptop
I bricked my phone (XT2041-1 "sofiar") by flashing an unnoficial build of TWRP 3.5.0 downloaded from a Telegram channel by doing:
$ fastboot flash recovery_a twrp-3.5.0-0-rav-sofia.img
$ fastboot flash recovery_b twrp-3.5.0-0-rav-sofia.img
$ fastboot reboot recovery
Since then, my phone is hard bricked - won't boot, recognized on Linux in EDL Mode only (i.e. ID 05c6:9008).
I got the latest official stock firmware, named SOFIAR_RETAIL_11_RPES31.Q4U-47-35-12_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip, from lolinet, and in its contents there's boot.img and recovery.img (among others).
I have qdl on my Arch Linux, and am wondering whether I can use it to flash the stock recovery image back to both slots and get my phone booting again.
How should I approach it?
P.s. I also got a blankflash from https://forum.xda-developers.com/t/...equest-solicitud-blankflash-g8-power.4431193/ that is supposed to get the phone working again, but am unsure whether using it will cause loss of data.
I absolutely cannot lose any data from internal storage.
Any help appreciated. Thanks in advance.
Ok, now we're rolling...
First things first. Motorola sucks because they only give you restricted Firehose loaders.
That means of the 70-odd partitions that you have you can only read/write about 1/3 of them using EDL.
If you post your Firehose loader I can tell you which ones you can read/write.
Second, are you sure that the only damage you did was by writing recovery_a and recovery_b?
And you're on Linux, *sad face*.
I was disassembling the Motorola Firehose for my Moto G (2021) and I discovered that they have more reboot options than stock.
There's reset-to-edl and reset-to-fastboot.
I've added those options to my edl.exe (in the sig) this morning. You need to download the very latest.
What may have happened is that you wrote a bad recovery which may have set the boot option in the BCB or misc.
Since the recovery is good enough to be recognized as an image but not good enough to reset this boot option you're stuck.
Your first recourse is flashing a proper recovery.
I'm not sure whether "blank flash" tries to wipe everything. In any case I wouldn't risk it.
Your first try should be to fix the broken things, not everything.
Yes, any edl client that supports ad-hoc xml should be able to get you to fastboot but I'll only answer for my code.
I've tested it.
Code:
C:\>edl /lwhatever.bin
C:\>edl /zf
C:\>fastboot flash recovery_a good_recovery.img
C:\>fastboot flash recovery_b good_recovery.img
C:\>fastboot reboot
I admit to not properly understand what a firehose loader is. :x
Second, are you sure that the only damage you did was by writing recovery_a and recovery_b?
Click to expand...
Click to collapse
Yes, 100%.
So, for now, I should try booting Windows, installing the 9008 driver and following your instructions... Will let you know how it goes.
Thanks a lot.
marc.2377 said:
I admit to not properly understand what a firehose loader is. :x
Click to expand...
Click to collapse
A Firehose loader is a replacement xbl/sbl secondary loader that has special sauce added to it to make it interactive.
It is not to be confused with a Windows driver (which, in this case is Zadig, as per the instructions on my web page).
In this case, your Firehose loader is packed in singleimage.bin in the RPE here: https://mirrors.lolinet.com/firmware/motorola/sofiar/blankflash/
I extracted it for you. I renamed it sofiar.bin
The extension name does not matter.
Code:
C:\>edl /lsofiar.bin
That's slash-ell-sofiar.bin
Edit: And yes, your Firehose loader has the reset-to-fastboot.
Right, thanks for the explanation. I figured that was programmer.elf from my files.
Ok, I got as far as:
> edl /l
Found EDL 9008
Serial: 69cccc95
HWID: 0010a0e102e80000, QC: 0010a0e1, OEM: 02e8, Model: 0000
Hash: 974359c4290cac7f-9f0dc9a802815b5e-2b376b7a7c1be92c-1e816b5287f18610
> edl /lsofiar.bin
Found EDL 9008
Resetting Sahara
Serial: 69cccc95
HWID: 0010a0e102e80000, QC: 0010a0e1, OEM: 02e8, Model: 0000
Hash: 974359c4290cac7f-9f0dc9a802815b5e-2b376b7a7c1be92c-1e816b5287f18610
Sending sofiar.bin 100% Ok
Waiting for Firehose... Ok
> edl.exe /zf
Found EDL 9008
Requesting reset to fastboot... Ok
But it doesn't boot to fastboot.
It seems to me that your tool, edl could be used to write the recovery partition directly, no?
I tried this:
> edl /w /precovery_a recovery.img
Found EDL 9008
Configuring... Ok
Requesting GPT 0 header... Ok, receiving... Ok, requesting entries... Ok, receiving... Ok
Requesting write recovery.img...
<log value="ERROR: range restricted: lun=0, start_sector=1591552, num_sectors=131072" />
Nope
P.s. curiously, the file I downloaded from https://raw.githubusercontent.com/b...a/0010a0e102e80000_974359c4290cac7f_fhprg.bin wasn't accepted as a valid firehose loader file.
Edit: nevermind. Had to restart the phone.
I believe that's an older loader, anyway.
How shall I proceed?
marc.2377 said:
But it doesn't boot to fastboot.
Click to expand...
Click to collapse
Hmm, the screen stays black?
Is it still in EDL mode or some other mode?
Does Windows "bong" when you pull the USB cable?
It's possible that this goes to a fastboot without a screen?
Try holding various buttons, both by long power button reset and /zf
marc.2377 said:
It seems to me that your tool, edl could be used to write the recovery partition directly, no?
Click to expand...
Click to collapse
Yes, it could if Motorola wasn't such a pain with the "range restricted".
They've really clamped down (that other file you mentioned is the same):
Code:
qcomview /r sofiar.bin
Addr LUN Start Count
------ --- -------- --------
007f10 0 0 256
007f28 0 256 78336
007f40 0 1609948 512
007f58 0 1610496 512
007f70 1 1 1
You can do this to see which partitions this means:
Code:
C:\>edl /lsofiar.bin
C:\>edl /g
I have a feeling that the Motorola "Blankflash" stuff writes something to those 3 areas that allow it to write everything.
But it probably wipes the userdata.
I'm not an expert on their tools.
Tell me what the GPT says (you only need to quote stuff in the area of that table).
Edit: It looks like in the multi GB zip there are two "instruction" files, flashfile.xml and servicefile.xml
They are mostly the same except that flashfile will wipe userdata!
Curious. The partition table is as follows:
Code:
Found EDL 9008
Configuring... Ok
Requesting GPT 0 header... Ok, receiving... Ok, requesting entries... Ok, receiving... Ok
# Name Start Count Type
-- ---------------- ---------- ---------- --------------------
1 xbl_a 256 9216 Inactive
2 xbl_b 9472 9216 Bootloader
3 tz_a 18688 8192 Inactive
4 tz_b 26880 8192 TrustZone
5 rpm_a 35072 1024 Inactive
6 rpm_b 36096 1024 Resource/power mgmt
7 hyp_a 37120 1024 Inactive
8 hyp_b 38144 1024 Hypervisor
9 devcfg_a 39168 256 Inactive
10 devcfg_b 39424 256 Device config
11 xbl_config_a 39680 256 Inactive
12 xbl_config_b 39936 256 Boot config
13 abl_a 40192 2048 Inactive
14 abl_b 42240 2048 Android bootloader
15 uefisecapp_a 44288 4096 Inactive
16 uefisecapp_b 48384 4096 be8a7e08
17 qupfw_a 52480 160 Inactive
18 qupfw_b 52736 160 QUP firmware
19 cmnlib_a 52992 1024 Inactive
20 cmnlib64_a 54016 1024 Inactive
21 cmnlib_b 55040 1024 Common lib
22 cmnlib64_b 56064 1024 Common lib64
23 keymaster_a 57088 1024 Inactive
24 keymaster_b 58112 1024 Key master
25 storsec_a 59136 256 Inactive
26 storsec_b 59392 256 Store secure
27 spunvm 59648 16384 Spun VM
28 uefivarstore 76032 1024 165bd6bc
29 multiimgoem_a 77056 64 Inactive
30 multiimgoem_b 77120 64 e126a436
31 multiimgqti_a 77184 64 Inactive
32 multiimgqti_b 77248 64 846c6f05
33 prov_a 77312 512 Inactive
34 prov_b 77824 512 d05e0fc0
35 modem_a 78336 368640 Inactive
36 modem_b 446976 368640 FAT32
37 fsc 815616 256 FSC
38 ssd 815872 16 Secure SW download
39 dsp_a 816128 65536 Inactive
40 dsp_b 881664 65536 DSP
41 ddr 947200 2048 DDR
42 utags 949248 1024 1dd40d18
43 utagsBackup 950272 1024 c490f39c
44 modemst1 951296 8192 Modem ST1
45 modemst2 959488 8192 Modem ST2
46 fsg_a 967680 49152 Inactive
47 fsg_b 1016832 49152 Modem storage
48 persist 1065984 65536 Persist
49 prodpersist 1131520 16384 Persist
50 frp 1147904 1024 FRP
51 cid 1148928 256 459abd04
52 carrier 1149184 32768 c63d32d8
53 metadata 1181952 32768 988a98c9
54 kpan 1214720 16384 56465e10
55 boot_a 1231104 131072 Inactive
56 boot_b 1362176 131072 Boot
57 dtbo_a 1493248 49152 Inactive
58 dtbo_b 1542400 49152 DTBO
59 recovery_a 1591552 131072 Inactive
60 recovery_b 1722624 131072 Recovery
61 misc 1853696 2048 Misc
62 logfs 1855744 16384 Log FS
63 apdp 1872128 512 APDP
64 msadp 1872640 512 MSADP
65 dpo 1873152 2 DPO
66 devinfo 1873160 8 Device info
67 bluetooth_a 1873168 9216 Inactive
68 bluetooth_b 1882384 9216 Bluetooth
69 logo_a 1891600 66848 Inactive
70 logo_b 1958448 66848 Splash
71 vbmeta_a 2025296 128 Inactive
72 vbmeta_b 2025424 128 Verified Boot meta
73 padA 2025552 6064 Empty
74 hw 2031616 16384 b2d77ec0
75 padB 2048000 16384 Empty
76 sp 2064384 16384 40aef62a
77 padC 2080768 16384 Empty
78 padD 2097152 32768 Empty
79 super 2129920 16973824 System
80 userdata 19103744 103038943 User data
Doesn't seem to match the output of qcomview.
Also, the file 0010a0e102e80000_974359c4290cac7f_fhprg.bin lists the following codenames:
Code:
QCA6390
QCS605
SA8150
SDA670
SDA845
SDA855
SDA855A
SDA865
SDC830
SDM450
SDM670
SDM830
SDM845
SDM855
SDM855A
SDM1000
SDX24
SDX24M
SDX55
SM6150
SM6150P
SM7150
SM7150P
SM_NICOBAR
While programmer.elf (same as sofiar.bin that you uploaded) lists, additionally, QCM_NICOBAR and QCS_NICOBAR.
I wonder whether this is actually the correct file for me...
Btw, before attempting any further writing strategies, I confess to being interested in pulling userdata. As I understand the real decryption key is stored in the TEE functionality of the chipset and such an image would be unreadable for me, except if I were to restore it later.
With your tool I got the "range restricted" for edl /r /puserdata parts\userdata.img /t too.
Code:
Addr LUN Start Count
------ --- -------- --------
007f10 0 0 256 - GPT
007f28 0 256 78336 - xbl_a to prov_b
007f40 0 1609948 512 - ??? random spot in recovery_a
007f58 0 1610496 512 - ??? random spot in recovery_a
007f70 1 1 1
So, basically, you have free read/write access to partions 1 to 34
Reading is always safe.
Also, you're on the B slot.
So why does reboot to fastboot fail?
It could be that it was never implemented correctly in this Firehose
It could be that this Firehose is not for your device
It could be that xbl and/or abl was damaged somehow
I'd do some checking, xbl_b and abl_b to start with.
Read 'em then compare them to the xbl and abl you have in your big packages.
Code:
C:\>edl /lsofiar.bin
C:\>edl /r /t /pxbl_b xblb.img
C:\>edl /r /t /pabl_b ablb.img
The /t will copy these ELF files only as big as they need to be (not all the blank space).
OTOH, they will enlarge to an exact number of 512 byte sector.
So they could be 511 bytes bigger than what comes out of that package.
If things are wacky, try without /t, but they'll be padded with all the zeroes in the partition.
If those files aren't in the big package, here's ones I extracted from the blankflash.
Check 'em all.
Also, it's possible that somehow the slots got switched.
While you're at it, look at xbl_a and abl_a also.
Hey, thanks for the continued efforts to help me. Sorry for absence for the past days, real life caugh in ^^
I'm glad to report that, amidst some binary checking and all that, I managed to resuscitate my phone using the blankflash strategy, after carefully revising it.
Strangely, it seems that TWRP got installed in the boot partition, such as that "normal boot" kept entering TWRP, despite I having flashed the stock recovery images to both recovery slots. I'll detail this all later.
At this point my phone is on and I backed up what I needed, and have been using it. A few strange glitches are present, i.e. battery charging is acting weird. I plan on doing a clean flashing of the stock ROM soon. Maybe I should take the opportunity to study how to make a fully working port of the latest LineageOS for this device, too.
Will get back within a few days with a detailed report of the endeavour
marc.2377 said:
Will get back within a few days with a detailed report of the endeavour
Click to expand...
Click to collapse
I'm looking forward to hearing how you got EDL mode working.
I bricked XT2041-3 Sofiar (downgrade to A10) and am stuck trying the phone to succeed at qboot blank-flash, but it hangs (on linux):
Code:
< waiting for device >
Motorola qboot utility version 3.86
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 0.002] ...cpu.id = 266 (0x10a)
[ 0.002] ...cpu.sn = 3773339940 (0xe0e89924)
[ 0.002] Opening singleimage
[ 0.002] Loading package
[ 0.004] ...filename = pkg.xml
[ 0.005] Loading programmer
[ 0.005] ...filename = programmer.elf
[ 0.005] Sending programmer
[ 0.178] Handling things over to programmer
[ 0.178] Identifying CPU version
[ 0.178] Waiting for firehose to get ready
With --debug=2 there can be seen some parsing errors in xmls being passed for about 13 more seconds. On Windows VM phone is recognized as a single QDLoader 9008 device, but qboot fails after half a minute with IO Errors. Is this even EDL mode?
A tried without luck Renate's edl tool. edl.exe /lsingleimage.bin:
Code:
Found EDL 9008
Could not open device
I was growing increasingly desperate, so I opened the phone and played with EDL points according to
MatiasLopezxD. No combination of vol-, power, shorting points, plugging usb seem to make a difference. I must be missing something simple.
Any help would be appreciated.
@ybea: Quick answer for now - I got into EDL mode by holding down VolDown+Power for about 8-10 seconds. Let me know if it works for you. What's your output for lsusb?
Same as yours - ID 05c6:9008 (Qualcomm, Inc. Gobi Wireless Modem (QDL mode)). It reconnects after pressing power for 9 seconds (with or without vol-), nothing new.
Try restarting it into EDL mode while it's plugged. I found that to be necessary sometimes.
Edit: Btw, I don't remember why exactly, but I only had success running the blankflash from Windows. Linux didn't do the magic, nor a Windows VM with USB redirection...
marc.2377 said:
Edit: Btw, I don't remember why exactly, but I only had success running the blankflash from Windows. Linux didn't do the magic, nor a Windows VM with USB redirection...
Click to expand...
Click to collapse
That was it! I didn't event try it on the metal, because Motorola driver installer and uninstaller crash for me for some reason. Should be straightforward from now.
Thank you so much. You saved the day.
ybea said:
A tried without luck Renate's edl tool. edl.exe /lsingleimage.bin
Click to expand...
Click to collapse
Sorry. edl.exe uses the generic Zadig (i.e. WinUsb) driver).
If you have the Qualcomm driver loaded it's stealing the poor WinUsb interface and forcing it into some bogus virtual com port.
Also, singleimage is Motorola's completely morally bankrupt idea of packing stuff in a file.
It is not a Firehose loader, although it contains one.
Add to all your miseries, Motorola is crap and releases only restricted Firehose loaders.
If you're still stuck, ship me the "single-and-totally-bogus.bin" and I'll extract the Firehose loader for you.
Better poke me or I won't see it.
No longer stuck. The problem for me was neither VM USB passthrough nor blankflash tools for linux did work, although both showed proper EDL mode. It seems it only works on native Windows. Thanks for your interest.