They say that, unfortunately, a majority of new Unisoc (Spreadtrum) chips have bootloaders that cannot be unlocked without a key, which is not provided by the SoC manufacturer and is beyond the control of the ODM. Many low-end Android smartphones are powered by such chips, and the end result is that root is impossible on those devices, e.g. ZTE Blade A5 2019, Doogee N10, etc. (Unisoc SC9863A).
Some have obtained the source code of the U-Boot bootloader used on those devices; however, the algorithm for the key verification is stored in the Trusted Execution Environment, which means it cannot be extracted (the TEE is a Secure Enclave-like device, with no possible direct access to its memory or storage, besides de-capping it and reading the bits with an electron microscope) -- more info here: https://source.android.com/security/trusty
However, Spreadtrum actually does verify the whole boot process, meaning that booting a modified binary is impossible. If you change the boot partition, it will infinitely reboot with a black screen and vibration. If you leave boot as-is but change system, it will get to the splash screen and then reboot, etc.
It genuinely does cryptographically verify the signature and hash of every partition. Which is great for security, in theory, unless the OS has preloaded spyware, but the secure boot process prevents you from removing it.
Been there, and I didn't even realise the cause.
MTK is quite good, but it's becoming worse in the perf/$ ratio, e.g. the SC9863A is an octa-core A55 chip at 1.5 GHz, while similar MTK devices are dual-core A7 at 1.2 GHz. The architecture improvements alone are excellent, not to mention the extra cores and higher clock speed.
The key is most certainly not the same, because I doubt they would go through the trouble of doing actual secure boot verification, and storing the data in the TEE, and just have the same key. Additionally, the U-boot code I obtained lies to the user about commands not being found, if the command doesn't contain a valid unlock key.
There is a dedicated thread on the Hovatek forum for rooting this chipset.
That thread on Hovatek is thrilling...
Hovatek forums indicate you need a PAC or FDL file to do anything unless you buy extra hardware. Can anything be done for a vendor that hasn't released either? Even a temproot exploit like mtk-su is fine, if it works on Android 9.
Those El-Cheapo phones are simply not supported well by hackerdom.
If we can port mtk-su to this processor or create a new temp root, we are done.
Skorpion96 said:
If we can port mtk-su to this processor or create a new temp root, we are done.
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (on/off); creating a workload that targets the switch, so that what would normally return no returns yes, is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested.
lepusang said:
You can't port mtk-su. The security exploit is a defect built into the CPU. A CPU is made up of millions of transistors. A transistor is a switch (on/off); creating a workload that targets the switch, so that what would normally return no returns yes, is very difficult and can very easily destroy the CPU by creating an internal short. NOTE: The device manufacturer can help provide a bootloader key if requested.
I know that mtk-su can't be ported, but maybe we can use the source of MTK Easy SU and CVE-2015-1474 to make a working app.
Skorpion96 said:
I know that mtk-su can't be ported, but maybe we can use the source of MTK Easy SU and CVE-2015-1474 to make a working app.
Can it really be done? I have a ZTE blade vantage 2 and I'd love to root it if possible.
I just tried a zip to enable fastboot on the Axon Mini on my ZTE Blade A5 2019: it flashes, then fails because the model is different, but it is not a signature error, meaning that it has the same signature. So the signature is the same for every ZTE. Now I'm asking ZTE Italy to help me get the unlock file or the signature itself, which is the same, since either I will flash the file directly or I will sign it and flash. I hope they will help.
Useless try; they refused to help because of their policy.
Went out and bought an m8l plus to try it. This is the first time I've ever dealt with a unisoc sc9863a. I was optimistic about it at first, but now I'm doubtful
*Update* found modified fastboot folder and did the following. Unlocked bootloader, about to try to root with magisk. Root achieved with magisk. Made copy of firmware, moved boot_a to phone and patched with magisk. Flashed patched boot_a with adb. Currently deleting system apps. Root is go. This is unisoc sc9863a blu m8l Android 11
Found this. Can't post the link, but I'll c&p the text:
Open the modified_fastboot folder, right-click then select Open in Terminal
Test detection using
Code:
./fastboot devices
Get Identifier Token using
Code:
./fastboot oem get_identifier_token
You should get an output like
Identifier token:
XXXXXXXXXXXXXXXXXXXXXXXX
OKAY [ 0.019s]
finished. total time: 0.019s
Copy out the Identifier token
Run this command ; replace XXXXXXXXXXXXXXXXXXXXXXXX with your Identifier token
Code:
./signidentifier_unlockbootloader.sh XXXXXXXXXXXXXXXXXXXXXXXX rsa4096_vbmeta.pem signature.bin
You should have an output like
Identifier sign script, ver 0.10
1+0 records in
1+0 records out
50 bytes copied, 0.000257562 s, 194 kB/s
Identifier sign successfully
You should also see a signature.bin file in the modified_fastboot folder
Finally, run this command
Code:
./fastboot flashing unlock_bootloader signature.bin
You should get a prompt on the device asking you to push a volume button to confirm unlock, do so
You should now have an output like
downloading 'unlock_message'...
OKAY [ 0.001s]
unlocking bootloader...
Info:Unlock bootloader success! OKAY [ 85.787s]
finished. total time: 85.788s
Reboot the device using
Code:
./fastboot reboot
Your bootloader should now be unlocked
They request you log in and register in exchange for the modified fastboot folder
you can get the modified Fastboot folder anywhere, used that trick to bl unlock all my blu and wiko phones
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text: ....
It succeeded... but. When I try
fastboot flash recovery recovery.img
it says
Sending recovery... (size shows in KB)
then says writing recovery... for infinity...
I ported a custom TWRP recovery using Hovatek's automatic Unisoc TWRP porting guide... have any solution? I also tried to flash TWRP with the SPD Research Tool and it got stuck at probably 95/97 percent.
R41N MuTT said:
Found this. Can't post the link, but I'll c&p the text: ....
fastboot oem get_identifier_token
gives back only the serial number in hexadecimal.
Put the SN of your device in a hex editor and change the view to hex view;
when you compare, you will see it's the SN.
I'll show you the output of my device; it's a Blackview A70 smartphone. This device is my favourite victim, because it is stubborn as a donkey.
Code:
d:\android\blackview\a70>fastboot oem get_identifier_token
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [ 0.031s]
finished. total time: 0.031s
(the number above is a fantasy number)
Interesting: here are 3 lines with (bootloader)
1. is the title
2. is the first part of the SN
3. is the 2nd part of the SN
Yes, the length of the SN of this device is 17 characters. In this case you have to put line 2 and line 3 together to build the number.
If you don't do that, no success with unlock.
For example, this is my SN read with
fastboot devices
3K028A70EEA071417
fastboot oem get_identifier_token
334b3032384137304545413037313431
37
The difference is only the binary and hex view.
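To illustrate the post above (an added example, not the poster's code): a Python parser that joins the wrapped (bootloader) lines, decodes the hex token and cross-checks it against the serial printed by fastboot devices, run here against a constructed copy of the output shown above. Since the token is just the serial, it is no secret; what gates the unlock is the signature step.

```python
import re

# Constructed sample of the fastboot output quoted in the post above
# (the poster calls the value a "fantasy number", not a real serial).
SAMPLE_OUTPUT = """\
(bootloader) identifier token:
(bootloader) 334b3032384137304545413037313431
(bootloader) 37
okay [  0.031s]
finished. total time: 0.031s
"""

LINE_RE = re.compile(r"^\(bootloader\)\s*(.*)$", re.IGNORECASE)
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def extract_token_hex(output: str) -> str:
    """Join every (bootloader) data line that follows the 'identifier token:' title.

    Unisoc fastboot wraps long tokens across several lines; the post notes that
    a 17-character serial spills into a second line, so the parts must be
    concatenated before the token is used.
    """
    parts = []
    seen_title = False
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # OKAY / finished lines are not token data
        payload = m.group(1).strip()
        if not seen_title:
            if payload.lower().startswith("identifier token"):
                seen_title = True
            continue
        if HEX_RE.fullmatch(payload):
            parts.append(payload)
    token = "".join(parts)
    if not token or len(token) % 2:
        raise ValueError("no complete hex token found in fastboot output")
    return token.lower()


def token_to_serial(token_hex: str) -> str:
    """Decode the hex token as ASCII: on this device it is the serial number."""
    raw = bytes.fromhex(token_hex)
    if not raw.isascii() or not raw.decode("ascii").isprintable():
        raise ValueError("token does not decode to a printable serial")
    return raw.decode("ascii")


def token_matches_serial(output: str, serial_from_fastboot_devices: str) -> bool:
    """Cross-check: the decoded token must equal what 'fastboot devices' prints."""
    return token_to_serial(extract_token_hex(output)) == serial_from_fastboot_devices


if __name__ == "__main__":
    tok = extract_token_hex(SAMPLE_OUTPUT)
    print(tok, "->", token_to_serial(tok))
```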
Related
MSM7227 S1Boot has been patched to ignore SIN header signature by the_laser.
You need phone which you either did not unlock by cable, or phone which you unlocked via SEtool2 only.
If you unlocked with Omnius, in C:\ProgramData\Omnius for SE\Backups\Xperia X8
you have file called: Xperia X8_IMEI_DATE_SIMLock.opd
Restore that TA backup, then use semc.cmd in the_laser's release to unlock bootloader - you'll restore SIM lock this way!
Currently there is no unlocked bootloader for Omnius unlocked phones.
Read all instructions here: http://forum.xda-developers.com/showthread.php?p=17338716#post17338716
What will this allow:
* custom kernels
* better/fully working Gingerbread
* no need for chroot to avoid init crash bug
* overclock/Synaptics fake DT/Cypress real DT/MDDI fix built in kernel
This will not enable:
* real DT on Synaptics digitizer
Greetings.
Warning.
If you are not a developer, please quit reading this post.
Wait for a user-friendly tool with one big button.
Here ( View attachment msm7227.7z ) is a toolset to permanently "unlock" semcboot of msm7227 SEMC phones.
That means you can use your own kernel and so on.
Steps, precautions, etc.
Unpack the archive to any directory.
If you are using ESET antivirus or similar ****, it will find an evil virus in adb.exe.
Ignore that; it is not a virus in any way, it is the standard Android Debug Bridge, bundled in one file to save space and for usability.
Now, if your phone is unlocked officially:
flash the phone with standard 2.0/2.1 Android firmware, because the kernel mapper module is compiled for the "2.6.29" kernel.
Of course, enable "USB debugging".
Run msm7227_semc.cmd
( if you want, examine it before running; it is pretty straightforward. )
You will get similar output
Code:
process requires standard 2.x android firmware.
Press any key to continue . . .
Getting ROOT rights.
1743 KB/s (585731 bytes in 0.328s)
error: protocol fault (no status)
Waiting ...
Removing NAND MPU restrictions via SEMC backdoor. Permanent. Require ROOT rights.
192 KB/s (3087 bytes in 0.015s)
success
Waiting ...
Getting ROOT rights.
Waiting ...
Writing patched semcboot. Two step process
First, we need get access to semcboot area
504 KB/s (8064 bytes in 0.015s)
Second, we need to write semcboot ;)
1130 KB/s (596916 bytes in 0.515s)
successfully wrote 0003ff00
Press any key to continue . . .
Bingo, your phone now has an unlocked bootloader.
If your phone was unlocked by the SEtool2 software, use msm7227_setool2.cmd.
If your phone was unlocked by 3rd-party software other than SEtool2, do not run anything -
it will disable the radio capability of your phone and you will need to unlock the phone with the SEtool2 software.
Hopefully, mizerable flea and mOxImKo will release something similar for your phone.
Okay, now about other details.
1.
An unlocked bootloader requires an unlocked loader, yep?
loader\loader.sin is a special unlocked loader, which will be accepted ONLY after you "unlock" semcboot with the previous steps.
To distinguish unlocked semcboot from original semcboot, the first letter in the version tag of the semcboot output will be lower case, i.e. "r8A029"
( the same applies to the loader version tag )
So, all that stuff with signatures is not for us, so I removed it - the loader will ignore the signature part of the SIN file.
2.
we should make SIN file somehow, right ?
for that i prepared "dumb" bin2sin utility.
Syntax : bin2sin [input] [partition info, 32 digits] [type] [block size]
[input] - is the input binary file.
[partition info]
the Android implementation on S1 SEMC Qualcomm phones is based on partitions, so we MUST define it for our file.
You can get the required partition info from standard SEMC SIN files; it is the first 0x10 bytes of DATA, right after the header, i.e.
e10 kernel partition info
03000000010000402001000040000000
[type] - partition type, 9 - partition without spare, 0xA - partition with spare.
The kernel partition is a partition without spare.
If that parameter is omitted, type = 9
[block size] - NAND block size; if omitted, it is the standard size 0x20000
There is an example in sinTools\example_build.cmd
3.
kernel should be prepared specially to be accepted by semcboot.
for that there is tool bin2elf.
Syntax : bin2Elf.exe [nbrOfSegments] [EntryPoint] [Segment1] [LoadAddress1] [Attributes1] ...
We need 2 segments:
segment 1 is the unpacked Linux kernel image, i.e.
( e10/kernel/arch/arm/boot/Image )
It looks like the entry point and load address for segment 1 are always the same for all msm7227-based SEMC phones; it is 0x00208000
attributes for the image: 0x0
segment 2 is the ramdisk.
It looks like the entry point and load address for segment 1 are always the same for all msm7227-based SEMC phones; it is 0x01000000
Set attributes for the ramdisk to 0x80000000; that is extremely important.
There is a simple kernel example in sinTools\example_build.cmd
ps.
@blagus:
The NAND MPU disabler has only one relation to rFoNe - he took it from setool2, together with the entire idea for the msm7227 bypass.
Your 6-wings friend with many nicks did exactly the same.
NAND MPU has nothing to do with the memory firewall, so it will not help with kexec things; however, who will care now.
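bin2Elf.exe is a Windows binary from the archive; as an added illustration (not the_laser's code), here is a Python builder for the same two-segment kernel + ramdisk ELF layout described above, plus a parser that checks the load addresses and the 0x80000000 ramdisk attribute before anything is flashed. It assumes the tool's [Attributes] value is stored in the ELF program header p_flags field.

```python
import struct

# ELF32 little-endian file header (52 bytes) and program header (32 bytes).
ELF_HEADER = struct.Struct("<4sBBBBB7xHHIIIIIHHHHHH")
PROG_HEADER = struct.Struct("<IIIIIIII")
ET_EXEC, EM_ARM, PT_LOAD = 2, 40, 1

# Values quoted in the post for msm7227-based SEMC phones.
KERNEL_LOAD_ADDR = 0x00208000
RAMDISK_LOAD_ADDR = 0x01000000
RAMDISK_ATTRIBUTES = 0x80000000


def build_elf(entry: int, segments) -> bytes:
    """Pack segments [(data, load_addr, attributes), ...] as PT_LOAD entries.

    Assumption (not confirmed by the post): the tool's [Attributes] value is
    what ends up in the program header p_flags field.
    """
    phnum = len(segments)
    data_off = ELF_HEADER.size + PROG_HEADER.size * phnum
    phdrs, blobs = [], []
    for data, addr, attrs in segments:
        phdrs.append(PROG_HEADER.pack(PT_LOAD, data_off, addr, addr,
                                      len(data), len(data), attrs, 4))
        blobs.append(data)
        data_off += len(data)
    ehdr = ELF_HEADER.pack(b"\x7fELF", 1, 1, 1, 0, 0,      # ELFCLASS32, LE, v1, SysV
                           ET_EXEC, EM_ARM, 1, entry,
                           ELF_HEADER.size, 0, 0,           # phoff, shoff, flags
                           ELF_HEADER.size, PROG_HEADER.size, phnum,
                           0, 0, 0)                         # no section headers
    return ehdr + b"".join(phdrs) + b"".join(blobs)


def build_semcboot_image(kernel: bytes, ramdisk: bytes) -> bytes:
    """The two-segment layout from the post: kernel Image, then ramdisk."""
    return build_elf(KERNEL_LOAD_ADDR, [
        (kernel, KERNEL_LOAD_ADDR, 0x0),
        (ramdisk, RAMDISK_LOAD_ADDR, RAMDISK_ATTRIBUTES),
    ])


def read_segments(elf: bytes):
    """Parse back (entry, [(load_addr, flags, data), ...]) for PT_LOAD segments."""
    fields = ELF_HEADER.unpack_from(elf, 0)
    if fields[0] != b"\x7fELF" or fields[7] != EM_ARM:
        raise ValueError("not an ARM ELF32 image")
    entry, phoff, phnum = fields[9], fields[10], fields[15]
    segs = []
    for i in range(phnum):
        p_type, off, vaddr, _paddr, filesz, _memsz, flags, _align = \
            PROG_HEADER.unpack_from(elf, phoff + i * PROG_HEADER.size)
        if p_type == PT_LOAD:
            segs.append((vaddr, flags, elf[off:off + filesz]))
    return entry, segs


def check_layout(elf: bytes) -> bool:
    """Pre-flash sanity check: entry, both addresses and the ramdisk flag as the post requires."""
    entry, segs = read_segments(elf)
    return (entry == KERNEL_LOAD_ADDR and len(segs) == 2
            and segs[0][0] == KERNEL_LOAD_ADDR and segs[0][1] == 0
            and segs[1][0] == RAMDISK_LOAD_ADDR
            and segs[1][1] == RAMDISK_ATTRIBUTES)


if __name__ == "__main__":
    # Constructed stand-ins for a kernel Image and a ramdisk (not real files).
    img = build_semcboot_image(b"\xde\xad" * 40, b"\x00" * 64)
    print(len(img), "bytes, layout ok:", check_layout(img))
```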
Thread closed because I'm bored of all these OFF TOPICS.
@Blagus: you can open it when you have something to post.
@Others: Use the topic in the general forum from NOW.
EDIT: After 3 hours I'm going to open this thread again. WARNING: every off topic here will gain an infraction as "Failed to cooperate with a moderator", so don't blame me when you see the infraction point.
I am trying to unlock my HTC Incredible 4G on Verizon to load a new ROM onto it. All of my attempts have failed up to this point, by using the WinDroid v2.3 automated tool. I get the following output during the process:
Code:
Task:
1) WINDROID USERS CHOOSE THIS OPTION!
2) Set CID to SuperCID (11111111) - Requires Root
3) Revert CID to original state (VZW__001) - Requires Root
4) Re-lock the bootloader
5) Install recovery
6) Put phone into temp-root mode
10) Exit
Choose a task: 1
========================
= Step 1: Temp-Root =
========================
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
FA************ device
Under "List of devices attached" above, you should see your device
listed (looks like HTXXXXXXXXXX).
Do you see your device (Y/N)? y
Now unlock your device and confirm the restore operation.
By the time you are done reading this sentence, it should be safe to
accept the restore prompt on your device. You should not have a backup
password set on your phone, so leave both password fields empty.
If this process is successful, the script will continue. If not, this
shell will run forever and you must exit by closing this window.
When you see this message, the restore is complete. Your phone will
now reboot to what looks like an unusable state (be patient!). A
status bar will show across the top, but there will be no ring unlock.
This is good! Wait for the script to begin step 2: SuperCID.
========================
= Step 2: SuperCID =
========================
Your phone's CID is being modified to SuperCID. Once complete, your
phone will reboot to the bootloader.
2+0 records in
2+0 records out
1024 bytes transferred in 0.025 secs (40960 bytes/sec)
142 KB/s (1024 bytes in 0.007s)
31 KB/s (1024 bytes in 0.032s)
2+0 records in
2+0 records out
1024 bytes transferred in 0.035 secs (29257 bytes/sec)
< waiting for device >
...
(bootloader) cid: VZW__001
OKAY [ 0.011s]
finished. total time: 0.012s
Just above, you should see (bootloader) cid: 11111111
1) Yes, my cid is 11111111. Keep going.
2) No, my cid is VZW__001. Factory reset and try again.
3) No, my cid is VZW__001. Exit the script.
There are two things I notice here:
1) My phone is not identified as "HTxxxxxxxxxx" but rather "FA**********".
2) It appears to work, with the reading and writing of the files, but then it doesn't work.
One thing that I noticed was that when I go into the bootloader when this does not work, I get the first attachment.
When I go to the "Recovery" option, then I get the second attachment.
It appears that I originally put a ROM or S-off'd and unlocked my phone, but somehow lost the unlock and can't figure out how to fix it.
Any help in figuring it out would be appreciated.
Do you know which OTA is currently on the phone? The unlock method depends greatly on which one is installed. Assuming you're on the latest, try this method: http://forum.xda-developers.com/showthread.php?t=2664460 The script looks slightly different than what you've posted above.
junkmail9 said:
Do you know which OTA is currently on the phone? The unlock method depends greatly on which one is installed. Assuming you're on the latest, try this method: http://forum.xda-developers.com/showthread.php?t=2664460 The script looks slightly different than what you've posted above.
Thanks for the input.
My device is at the most current OTA: 2.19.605.2 710RD
Android: 4.0.4
Kernel:
3.0.8-01625-g9d06ef9
[email protected] #1
SMP PREEMPT
I tried the link that you pointed to with no success. I got the following error messages:
Code:
/sdcard/cid: cannot open for write: Read-only file system
remote object '/sdcard/cid' does not exist
The system cannot find the file specified.
cannot stat 'cid': No such file or directory
/sdcard/cid: cannot open for read: No such file or directory
rm failed for /sdcard/cid, No such file or directory
Could Not Find C:\Users\Keith\Downloads\cid
I've tried just the straight-forward process of a number of different scripts. I think there is something specific that I am missing.
keithsmessina said:
Thanks for the input. ....
Sorry for the delay in response. Looking again at your screenshot in the OP, you are indeed missing the CID. It should appear between "FIREBALL" and "HBOOT":
I have not dealt directly with that one before, but I would imagine that during temproot you'll need to recreate the directory. I vaguely recall a post in this forum on how to manually push a different CID via memory chunk. That might be the best approach to rebuild that area so that you can get going again.
Two questions for the general community:
1. Does anyone know if flashing the RUU will restore the CID?
@keithsmessina - It probably wouldn't hurt to try this anyway. I am guessing it will fail due to lack of CID.
2. Will sending the following command work while phone is in bootloader if the phone is not s-off and the \sdcard\CID directory is missing? What, if any other damage could occur if the \sdcard\CID directory is missing?
Code:
fastboot oem writecid VZW__001
junkmail9 said:
Two questions for the general community:
1. Does anyone know if flashing the RUU will restore the CID?
@keithsmessina - It probably wouldn't hurt to try this anyway. I am guessing it will fail due to lack of CID.
2. Will sending the following command work while phone is in bootloader if the phone is not s-off and the \sdcard\CID directory is missing? What, if any other damage could occur if the \sdcard\CID directory is missing?
Code:
fastboot oem writecid VZW__001
Thank you for the suggestions.
1. I tried this, but got the message: "Main version is older." I think I can only do that if my version is lower than the current RUU.
2. I tried the fastboot write, but I got:
Code:
(bootloader) fighter_init_sd, SD card already power on
(bootloader) sdhw_7xxx_open: id=0
(bootloader) sdcc_init_memory_device done
(bootloader) SD clock freq = 19MHz....
(bootloader) [FAT_ERROR] fat_open_file: can not find SMART_IO.CRD
(bootloader) [JAVACARD_ERR] SMART_IO.CRD cann't find
OKAY [ 0.172s]
finished. total time: 0.174s
When I tried adb devices with the phone at "fastboot USB", I didn't see anything, so I think it failed for that reason. I tried killing adb, removing and reinserting the USB, and then running adb devices, but it still comes up empty.
I'm really at a loss, but appreciate the help from you guys.
I managed to figure out the read-only access. HTC Sync Manager started each time and grabbed the SD card before the script could do anything. I renamed HTC Sync Manager to stop it from running. Then I re-ran the script and got:
Code:
2+0 records in
2+0 records out
1024 bytes transferred in 0.002 secs (512000 bytes/sec)
333 KB/s (1024 bytes in 0.003s)
71 KB/s (1024 bytes in 0.014s)
2+0 records in
2+0 records out
1024 bytes transferred in 0.002 secs (512000 bytes/sec)
< waiting for device >
...
(bootloader) cid: VZW__001
OKAY [ 0.010s]
finished. total time: 0.012s
So, I am still not getting the right CID, but progress nonetheless.
Try uninstalling all HTC software rather than renaming it. Also I believe
http://forum.xda-developers.com/showthread.php?t=2664460 does not require the super cid.
From my Chroma Flo
wmuflyer said:
Try uninstalling all HTC software rather than renaming it. Also I believe
http://forum.xda-developers.com/showthread.php?t=2664460 does not require the super cid.
From my Chroma Flo
Thank you for that. I don't know how many times I've gone through it, but I finally got that you just have to do step 6 rather than step 1 to get S-Off. I now have S-Off with TWRP.
The next problem that I am running into is getting an error message when trying to flash the pacman fireball ROM:
Code:
This package is for device: fireballx; this device is .
Really appreciate all the help in getting me to this point.
Need to use the modified TWRP. Read the OP carefully it takes a bit of work, it swaps partitions so you have more space for apps.
Edit: OP in the PAC thread.
Sent from my Nexus 5 using XDA Free mobile app
wmuflyer said:
Need to use the modified TWRP. Read the OP carefully it takes a bit of work, it swaps partitions so you have more space for apps.
Edit: OP in the PAC thread.
Sent from my Nexus 5 using XDA Free mobile app
I realised that I kept running into an issue changing one of the file systems during that first process, which meant that only one of them changed: the "Data" filesystem.
The "Internal Storage" filesystem gave me an MTP error, but then said it finished successfully. It stayed as a vFAT filesystem.
I did get Liquidsmooth up and running with PaGapps, but am now looking for a way to resize my partitions, as there isn't much room left to install apps.
People have looked at resizing the partitions but nobody has had any luck. The partition change seems to be the best bet it was set up by MDMower for his CM builds http://mdmower.cmphys.com/cyanogenmod-fireball/ it might give you more information to make the swap. Beeko has stopped work on Liquid Smooth so for current Android 5.x PAC or CM are the choices and they only work with the partition swap. I have PAC on my Fireball but will probably try CM 12.1 soon.
keithsmessina said:
Thank you for that. I don't know how many times I've gone through it, but I finally got that you just have to do step 6 rather than step 1 to get S-Off. I now have S-Off with TWRP.
Excellent! Glad you got it done.
junkmail9 said:
Excellent! Glad you got it done.
I've managed to swap the partitions and get the Pacman ROM installed, thanks to the instructions you sent me, wmuflyer. No hiccups with the Pacman ROM, it seems to be polished and working flawlessly. Thanks again for all the help, guys! Really appreciate it.
Dear all,
Finally I have time to write up the unlock bootloader procedure. I found that the search engine (internal / external) might mask new threads, thus those who urgently need to repair, or have various reasons to unlock the bootloader, might not have a chance to reach helpful info.
[YOUTUBE]
ps6ngeDPiHc
[/YOUTUBE]
[YOUTUBE]
_9LwOmmF0_s
[/YOUTUBE]
[YOUTUBE]
Gsn8FynWxaU
[/YOUTUBE]
Here is the procedure extracted from another thread of mine. Eventually I will remove all unlock bootloader info from the original thread and leave it here.
Unlocking the bootloader manually may apply to many other MT6755 or similar SoCs; they can be unlocked this way.
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Development (uncrack procedure) detail is below.
https://forum.xda-developers.com/m3-note/how-to/m3-note-ported-kernel-source-twrp-3-3-0-t3956911
_AND_
https://github.com/99degree/android_kernel_m3note/tree/m3note_20190813
== Procedure ==
To unlock the bootloader: generally the lk has a magic frp partition for security, either for Google suite use or for lk unlock bootloader use. In short, setting the last dword to 1 will unlock the bootloader. So you don't have to have a very unfriendly (and possibly not working) tool installed.
If you want to know more about the lk and the unlock magic, here is the URL, so the myth above can be cleared up. https://github.com/mbskykill/m3note_android_bootable.git
There is a need to check the lk.bin beforehand, since unlocking the bootloader involves the "fastboot oem unlock" cmd. So do a binary search and see if the string pattern "oem unlock" appears in the lk.bin itself. If yes, it is likely the lk is capable of unlocking. If not, the vendor disabled it completely in the source code on purpose. Please check the third video for the detailed idea. One example is the m3note intl version: lk does not have "oem unlock", and the "boot" cmd is commented out on purpose. That's why there is the need to install the chn version of lk from the chn rom, where that logic is still available (see that some success cases involve installing the chn beta rom).
Here are the steps to unlock the bootloader.
===YOUR OWN RISK===
(a) make sure a lower version (flyme5 ?) is installed
(b) install KingRoot (or Flyme root; it won't be limited to flyme5) to get root
(c) install Partitions Backup (or another tool)
(d) back up the frp partition (needs root)
(e) edit with a hex tool (Hex Editor, for example)
(f) locate the last dword, write 1, save the file, write it back to frp
(g) reboot and install the newer (6.3.0.3A) Chinese version of the rom
(h) optional: step g might fail due to chn/intl (G->A) roms having different serial numbers; the script below cracks the barrier
http://forum.flymeos.com/thread-38493-1-1.html
(Updated 20191024)
(I) in fastboot mode, do fastboot.exe oem unlock
to guarantee the phone is unlocked.
(J) do fastboot boot m3note.img to get into TWRP, and format the data partition
Special notice on step e: the frp modification is shown and highlighted clearly in video 2 part 2; the same info is available in the first video at 3:39, so please take a look as well.
Special notice on step J: if you don't do so, the m3note dead-loops no matter which button you press, except power on/off. So in case this happens, unplug the USB cable and leave it to use up the internal battery power; then vol-down + power button can revive the fastboot env.
Then the M3 note is unlocked. Please note that running the said script in step h might have a drawback (wipes too much data) such as loss of the CDMA MEID (Mobile Equipment Identifier), so do it at
~~ YOUR OWN RISK ~~ ~~ YOUR OWN RISK ~~
Technical detail of the unlock logic is as below:
Code:
sec_unlock.c
fastboot_get_unlock_perm {
    ...
    index = partition_get_index(FRP_NAME);
    ...
    size = partition_get_size(index);
    unlock_allowed_flag_offset = size - sizeof(unsigned int);
    ...
}
OK, sizeof(unsigned int) is a dword, so the offset is (size - 1 * dword). So setting it to 1 means unlock.
Other unlock tutorials:
Meizu E3 bootloader unlock tutorial
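As an added example (not 99degree's code or the lk source), here is a Python check that mirrors the offset computation from sec_unlock.c and the "oem unlock" string search on lk.bin, run against constructed sample images. Note the dword is little-endian, so in a hex editor the unlock value appears as the four bytes 01 00 00 00 at the very end of the frp dump; anything else at that offset reads as a different value.

```python
import struct

FLAG_FMT = "<I"                           # one little-endian unsigned int (dword)
FLAG_SIZE = struct.calcsize(FLAG_FMT)     # sizeof(unsigned int) == 4


def unlock_flag_offset(frp_size: int) -> int:
    """Mirror of sec_unlock.c: unlock_allowed_flag_offset = size - sizeof(unsigned int)."""
    if frp_size < FLAG_SIZE:
        raise ValueError("frp image is smaller than one dword")
    return frp_size - FLAG_SIZE


def read_unlock_flag(frp: bytes) -> int:
    """Return the value stored in the last dword of an frp partition dump."""
    return struct.unpack_from(FLAG_FMT, frp, unlock_flag_offset(len(frp)))[0]


def set_unlock_flag(frp: bytes, allowed: bool = True) -> bytes:
    """Return a copy of the dump with the last dword set to 1 (step f) or cleared to 0."""
    buf = bytearray(frp)
    struct.pack_into(FLAG_FMT, buf, unlock_flag_offset(len(buf)), 1 if allowed else 0)
    return bytes(buf)


def lk_supports_oem_unlock(lk: bytes) -> bool:
    """The pre-check from the post: is the 'oem unlock' command string still in lk.bin?"""
    return b"oem unlock" in lk


def audit(frp: bytes, lk: bytes) -> dict:
    """Summarise both checks for a given pair of dumps."""
    return {
        "lk_has_oem_unlock": lk_supports_oem_unlock(lk),
        "frp_unlock_allowed": read_unlock_flag(frp) == 1,   # the post says 1 means unlock
        "frp_flag_offset": unlock_flag_offset(len(frp)),
    }


# Constructed sample images (not real partition dumps): a 1 MiB frp dump with the
# flag cleared, and two tiny stand-ins for an intl and a chn lk.bin.
SAMPLE_FRP = bytes(1024 * 1024)
LK_INTL = b"...fastboot cmds: flash boot getvar..."
LK_CHN = b"...fastboot cmds: flash boot oem unlock getvar..."


if __name__ == "__main__":
    print("before:", audit(SAMPLE_FRP, LK_INTL))
    print("after: ", audit(set_unlock_flag(SAMPLE_FRP), LK_CHN))
```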
WOW, mine is the L681h version; will it work? Any custom ROM available for it? TIA
jack dee707 said:
WOW, mine is the L681h version; will it work? Any custom ROM available for it? TIA
No custom ROM atm. Flyme loops at the welcome screen due to an exception of the system server.
Mine is the intl version; I installed the chn ROM and got the v6303 lk and Flyme 7; it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version ROM works on your device, then it is highly likely this TWRP ROM works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.
99degree said:
No custom ROM atm. Flyme loops at the welcome screen due to an exception of the system server.
Mine is the intl version; I installed the chn ROM and got the v6303 lk and Flyme 7; it is working nicely. For L681h or other models there are many variants, so no guarantee. If the chn version ROM works on your device, then it is highly likely this TWRP ROM works too. The kernel is not fit for m3note at all, so source porting is needed. There are still many device drivers missing.
Good luck.
Mine is also the global international variant. Is your device the L681h version or other? I think you should share this in the Flyme forum also; a lot of users are waiting to shift from global to Chinese to have Flyme 7, but due to the bootloader issue none can do it. And please try to make a full YouTube video tutorial as well for all steps; that would be very handy. Thanks a lot.
jack dee707 said:
Mine is also the global international variant. Is your device the L681h version or other? I think you should share this in the Flyme forum also; a lot of users are waiting to shift from global to Chinese to have Flyme 7, but due to the bootloader issue none can do it. And please try to make a full YouTube video tutorial as well for all steps; that would be very handy. Thanks a lot.
You had better think about it the other way round. The rooting method and the surgery should follow the method mentioned in http://forum.flymeos.com/thread-38493-1-1.html. If you have any question about rooting and G version -> A version, you can ask the original author for help; it is for your own good to rescue the phone with proper help. After that, you might consider going one step further to unlock the bootloader.
It is a bit risky; I had my m3 note as an old dev machine so I didn't care. And please bear in mind the L681h model itself already has many variants, so it's not worth mentioning other models. You can check all variant info at http://deviceinfohw.ru/devices/index.php
As I know, those are mainly categorised by the sm5414 or bq24169 PMIC, and the A version supports both, as grepping the keyword in lk.bin found. But other parts I am not sure about, like lens and camera, LCM, etc. I found no problem with mine.
Once again, I already lost the CDMA MEID with the above script as a drawback. So do it at your own risk.
Good luck.
Hi, I tried your guide on a Meizu m5c that has an MT67xx but I didn't succeed. I modified the FRP and flashed the modified FRP and Chinese LK, but it doesn't let me unlock. Could you make a YouTube guide on how to change the FRP and do the method? I think I made a mistake in some passages. Or, if you want, I send you the FRP file and you modify it for me and then give it back to me, but I prefer the first option, which I think is better.
XRed_CubeX said:
Buddy, you are welcome to visit here.
Frankly speaking, it might not always hold true for custom lk from some vendors. Samsung and Moto have different lock strategies. Although the code is common for mt67xx, I can't even guarantee that every mt67xx phone from the same vendor uses the same code piece it got from MTK.
So in your case I can provide more info for you to have a try. First you need to test fastboot boot with your boot.img and see if it works halfway. If there is "invalid command", then you might not have a chance to do something advanced.
Please watch the YouTube video above again. I grabbed the frp partition with hexview in TWRP. The modification shown is quite clear at 3:39: the pattern at the end is 0001 0000, and hexview skips all the all-zero blocks in the middle. Please have a check if you still want to try. Please note that on a different phone the frp size might differ; the above lk code requires the last dword set to 1 anyway.
Here is some basic info on how to view hex code.
Representing 1 in a double word:
Offset:  00 01 02 03 ...... 0c 0d 0e 0f
Value:   00 00 00 00 ...... 01 00 00 00
Hexview: 0000 0000 ...... 0001 0000
As above, offsets 00 and 01 are grouped together as a word. In each group, the least significant bit is on the right. So 0001 is shown in the hexview group as a word, and likewise we want 0001 0000 in dword as 00000001.
So 0x1, as bytes 01 00 00 00, as shorts 0001 0000, as dword 00000001.
Hope the above helps your way to go further.
(Updated 20191024)
Please refer to step i of the top post; you might have missed the above step. Please do try "fastboot oem unlock" and see if it is needed to fully unlock the phone. I am not sure, it is too long ago for me.
99degree said:
I didn't understand any of these things about HxD, and in the video you don't see that you edit this file. Look at what it gives me while I try to boot. If I send you the file, would you please edit it for me?
So, I modified the FRP file and I hope I did it well. Now I send you the screens: after the flash of this FRP, doing fastboot oem unlock and fastboot boot boot-sign (only for test) gives me these:
Code:
Microsoft Windows [Versione 10.0.18362.418]
(c) 2019 Microsoft Corporation. Tutti i diritti sono riservati.
D:\adb>fastboot oem unlock
FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>fastboot boot boot-sign.img
creating boot image...
creating boot image - 8757248 bytes
Sending 'boot.img' (8552 KB) OKAY [ 0.826s]
Booting FAILED (remote: 'unknown command')
fastboot: error: Command failed
D:\adb>
XRed_CubeX said:
A bit strange, it seems like the lk does not support the "oem unlock" and "boot" commands like the m3note intl lk version does. Please take a look at the https://youtu.be/Gsn8FynWxaU video and see if it gives you some insight.
All the best.
I saw the video, it's a very interesting thing...
Now I put up the screen to show you what I get when I go to HxD. It says that the oem unlock is false; isn't there a way to change it and make it true? Maybe by doing this I can activate the bootloader unlock.
Do you have Telegram? If you can, write me at [email protected] in private so it's more comfortable.
P.S.: I saw the other video and I realized that I was wrong to edit the FRP file.
XRed_CubeX said:
Thanks for watching. If your search result shows that this is the only place where "oem unlock" appears, then sorry, I won't have further advice. If your search shows further "oem unlock", "oem-unlock" or "oem bootloader-unlock" kinds of patterns, then you might have a chance to go further. Aside from that, it might be worth trying to download as many different versions (intl, chn, beta as well) of the ROM for your phone as possible and searching all the lk.bin files to see if any earlier version has this fastboot command.
PS 1: if you want to see if there is any optimized logic in the bootloader boot chain, then you had better go through the source code (or the one similar to your phone).
One source of info: https://github.com/mbskykill/m3note_android_bootable
PS 2: a side note, your frp image is a bit strange and seems not to hold real data. FYI, frp is mainly used by Google/Android for its activation and phone lock etc., so wiping it sometimes overcomes the "lost password" issue; that's why the key to the solution must be written to the last dword, to avoid being overwritten by frp content.
All the best.
For the m5c the lk is the same, and it does not come out like yours. Isn't there a way to add support manually to unlock?
XRed_CubeX said:
Sorry gentleman, modifying frp is an indirect method; your thought is in the right direction. I tried to disassemble the lk linking library, seclib.a, early this year. Due to my limited knowledge, I can't come up with something new.
In case you are interested in continuing, you might need to check the seclib.a binary and see how it goes.
Best wishes.
99degree said:
How to exploit with the seclib.a binary?
XRed_CubeX said:
Here are some ideas, so please don't take them too seriously.
In lk, compiling the source and linking to lk.bin involves seclib.a, and this is the supporting lib that contains the functions for checking the unlock status. The cmd_boot function (yes, this corresponds to the fastboot boot cmd) calls into this lib for that check. Code snippet:
void cmd_boot(const char *arg, void *data, unsigned sz)
{
    .....
    /* unlock status comes from the seclib.a helper */
    lock_state = get_unlocked_status();
    if (0 == lock_state)
    {
        /* locked device: the boot command is refused with this message */
        fastboot_fail("oem unlock is false");
        return;
    }
So you can see your boot cmd most likely fails here. Before you decide to do so, please do a full text search of the code and your lk.bin and see if those text patterns are available.
The checking function is most likely inside seclib.a; to prove it, I tried to grep all the lk code and found nothing about it, and this seclib.a file is missing from the source tree; you can find it somewhere on the web. I believe disassembling a static lib is easier than disassembling a bin; at least a static lib is organized section by section, and the gcc tools are more handy than IDA. Hint: mt6797 is a somewhat more open-source one. You can get something from the Linaro website or GitHub. There should be less chance of change, as it is a static library.
Another supporting fact is, when doing oem unlock and flash unlock, lk itself must write something to the MTD (NAND chip) to remember the status. Then at every bootstrap, get_unlocked_status can read the status. That should be similar logic to booting from the NAND chip, for reference. So the frp last dword is the permit for manual unlock, and seclib.a is the gatekeeper and checks on every boot.
Hope the above can give you some insight.
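As an added example (not lk's code, nor 99degree's), here is a small C model of the check described above: the last dword of frp read little-endian as the permit that cmd_boot's get_unlocked_status() consults, together with the byte/word/dword view from the hex note earlier in the thread. The function names and the 64-byte frp buffer are assumptions made for the demo; it also shows why the byte-swapped edit 00 00 00 01 reads as 0x01000000 and leaves the device locked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example; not code from lk, seclib.a or this thread. It models the
 * check the post describes: cmd_boot asks get_unlocked_status(), and the
 * manual-unlock permit is the last dword of the frp partition being 1.
 * Names and the 64-byte frp buffer are constructed; real frp is larger.
 */

/* Little-endian readers: byte 0 is the least significant byte. */
static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)((v >> 24) & 0xff);
}

/*
 * Render bytes the way the hex viewer in the post groups them: 16-bit words
 * with the least significant byte on the right, so the bytes 01 00 00 00
 * become "0001 0000". Returns the number of words written to out.
 */
static size_t hexview_words(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t pos = 0, words = 0;
    out[0] = '\0';
    for (size_t i = 0; i + 1 < n; i += 2) {
        int w = snprintf(out + pos, outsz - pos, "%s%04x",
                         words ? " " : "", (unsigned)read_le16(p + i));
        if (w < 0 || (size_t)w >= outsz - pos)
            break;
        pos += (size_t)w;
        words++;
    }
    return words;
}

/*
 * Hypothetical stand-in for the get_unlocked_status() the post places in
 * seclib.a: the permit is the last dword of frp, read little-endian.
 * Returns 1 when the permit is set, 0 otherwise (also for short images).
 */
static int frp_manual_unlock_permit(const uint8_t *frp, size_t size)
{
    if (frp == NULL || size < 4)
        return 0;
    return read_le32(frp + size - 4) == 1u;
}

/* Mirrors the gate in the cmd_boot snippet: a locked device is refused. */
static int cmd_boot_check(const uint8_t *frp, size_t size, const char **msg)
{
    if (!frp_manual_unlock_permit(frp, size)) {
        *msg = "oem unlock is false";
        return 0;
    }
    *msg = "permit set";
    return 1;
}

int main(void)
{
    uint8_t frp[64];                 /* constructed all-zero frp image */
    uint8_t *last = frp + sizeof frp - 4;
    const uint8_t swapped[4] = { 0x00, 0x00, 0x00, 0x01 };
    char view[32];
    const char *msg;

    memset(frp, 0, sizeof frp);
    cmd_boot_check(frp, sizeof frp, &msg);
    printf("zeroed image: %s\n", msg);

    /* The edit from the thread: last dword = 1, byte-wise 01 00 00 00. */
    write_le32(last, 1u);
    hexview_words(last, 4, view, sizeof view);
    printf("hexview of last dword: %s, permit=%d\n", view, frp_manual_unlock_permit(frp, sizeof frp));

    /* Failure mode: typing 00 00 00 01 instead reads as 0x01000000. */
    memcpy(last, swapped, 4);
    hexview_words(last, 4, view, sizeof view);
    printf("byte-swapped edit: %s = 0x%08x, permit=%d\n", view,
           (unsigned)read_le32(last), frp_manual_unlock_permit(frp, sizeof frp));
    return 0;
}
```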
Yes, but I have to procure the seclib for my preloader, which is mt6767, and then handling the preloader is dangerous: if it bricks, my device could no longer be started in any way!
P.S.: And then it would be difficult to disassemble the preloader, modify the seclib and then reassemble it.
P.S. 2: However, for me this thing is very difficult, but if LK is able to change the status of unlocking the bootloader, why not modify it by adding the command of the oem unlock and unlock it like this?
XRed_CubeX said:
Gentleman, I think you are over-engineering. Disassembling seclib.a is to get more info about the unlock logic and the conditions for unlock, such as where the oem unlock cmd writes to, what value it writes to which partition; or, the other way round, which condition should be met when cmd_boot needs it; and see if that is applicable to your phone. Let me raise an example: like writing 1 to the last dword of frp, this is what exploits should do. I don't think patching the preloader or bootloader is the way to go. They are digitally signed; unlike the frp partition, which Google apps and Android write to, so it is not digitally signed and thus safe to modify. Of course the rule of thumb is not to risk physically damaging the phone. Hope this is useful for your further reference.
No, I don't even know how to disassemble or where to start.
I'm looking to pinout both test pins. I bought this phone a few days ago. I unlocked it with TWRP and looked at the possibilities. I made a mistake with TWRP by switching the system to sideload B (I chose between A and B) and the system refused to start. I do not have access to the bootloader with the buttons. I only get the QDLoader HS-USB Driver mode working. I read the instructions on how to make a blank flash. I took the 18 files out of the phone and made a new blank flash for this model, moto g9 power, but in the end it gives me an error. Now I'm looking for a solution.
Code:
C:\Documents and Settings\Administrator\Desktop\MOTO G9 POWER blankflash\Blankflash for G9 POWER>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[0.000] Opening device: \\.\COM4
[0.000] Detecting device
[0.000] ... cpu.id = 333 (0x14d)
[0.000] ... cpu.sn = 2936128399 (0xaf01c38f)
[0.000] Opening singleimage
[0.000] Loading package
[0.000] ... filename = pkg.xml
[0.000] Loading programmer
[0.000] ... filename = programmer.elf
[0.000] Sending programmer
[0.156] Handling things over to programmer
[0.156] Identifying CPU version
[0.156] Waiting for firehose to get ready
[3.297] ... SM_KAMORTA_H 1.0
[3.297] Determining target secure state
[3.297] ... secure = yes
[3.375] Configuring device ...
[3.391] Flashing GPT ...
[3.391] Flashing partition with gpt.bin
[3.406] Initializing storage
[3.484] ... blksz = 512
[37.016] Re-initializing storage ...
[37.016] Initializing storage
[37.328] Flashing bootloader ...
[37.344] Flashing abl_a with abl.elf
[37.344] partition abl_a not found!
[37.359] ERROR: do_package()->do_recipe()->do_flash()->pt_find()->not found
[37.375] Check qboot_log.txt for more details
[37.375] Total time: 37.375s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->do_flash()->pt_find()->not found
The last message puzzles me. I want to transfer the system to sideload A again, so I have to reset the device firmly.
Are there people familiar with the possibilities?
2 I built a blankflash for the Moto G8
1 How To Blank Flash & Fix/Repair Hard Bricked Motorola Devices/Moto G8+|Tutorial Get It Working Again - YouTube
Version Bootloader MBM-3.O-cebu retail 232f3ba894-201209
motostockrom.com/motorola-moto-g9-power-xt2091-3
Have you tried using LMSA?
It recovered a dead phone for me once.
Rescue and Smart Assistant (LMSA)
Also, I too once accidentally switched slot to B, and system didn't boot. However, I was able to get into fastboot mode and switch by entering the command to switch slots.
https://support.lenovo.com/bg/en/downloads/ds101291 I saw this, but my computer is 32-bit. I am looking for the program "qualcomm edl mode flash tool" or something like Axon10Pro_(More)_EDL_Tools_v1.1d, because I want to make a siteloader active, because I saw that this can be done without much difficulty; otherwise, for the EDL pinout I saw how it works and there is no problem.
man88nam said:
qualcomm edl mode flash tool / Axon10Pro_(More)_EDL_Tools_v1.1d
In those .XML files, can you delete the line that says "abl" and try again?
I will do that, but these files can be downloaded according to the instructions on how to make closed files extracted from the phone itself.
https://www.reddit.com/r/MotoG/comments/k73n66
I downloaded from the bootloader 18 files that are original; this is in connection with the blank flash, where in the end there is an error, because I made the "B" sector active instead of A.
I removed the ABL file from the XML, but the error remains, plus the message for a missing ABL ELF file:
[ 37.297] file abl.elf not found in singleimage.bin!
[ 37.297] ERROR: do_package()->do_recipe()->do_flash()->not found
[ 37.297] Check qboot_log.txt for more details
[ 37.297] Total time: 37.297s
I'm just looking for an EDL program that works similarly to this command line: Set Bootable Partition - Slot A / run_AB-partition-swap. But here it wants some text file for the presence of a port, port_trace.txt.
I'm sorry, I can't help further here. Even though the active slot is B, the partition abl_a should exist and should be flashable regardless. It looks as though there isn't such a partition at all, which I don't even know how that happened.
The tool which you are using is correct, it's doing its job properly. Are you sure you have the right firmware version and software channel? Because bootloader.img differs depending on the firmware version and the carrier. I'd also suggest downloading from https://mirrors.lolinet.com/firmware/moto/cebu/official/, instead of the link you mentioned, motostockroms.
Also, try asking in this Telegram group: https://t.me/lolinet. There are people on there who are more knowledgeable, maybe they can help.
After trying the firmware image from lolinet and trying the process again with that firmware, I'd try to get into bootloader mode once again through power buttons, and if that doesn't work, send the phone into the service center.
Motorola_Moto_G9_Power_XT2091-3_RETUK_CEBU_RETAIL_QZC30.Q4-22-57_10_by_(motostockrom.com) With the TWRP program I chose slot B as active; I don't know if it deleted the content from slot A of the bootloader. By the way, I downloaded the original product firmware XT2091-3 according to the instructions for this, which I get when I try the blank flash. I have no idea what to do, so I'm looking for a program "qualcomm edl mode flash tool", and I constantly get Indian sites with dangerous behavior.
I thank you for your time
Hey,
Today I found EDL points for the Moto G9 Power. In fact I'm also facing a firmware issue.
I accidentally locked the bootloader with the stock ROM again; I'm trying to unlock but it's not working.
Causing "No valid OS to boot".
If I try to unlock again it shows a message like "enable OEM unlocking in developer options".
Unfortunately not possible. But still waiting for a proper EDL flash tool.
Feel free to guide if anyone got a resolution.
These partitions are important when you have to restore the phone back to normal from the worst case.
Code:
elableinfo (/dev/block/sda4) - This partition contains Certification Image, may not important.
imeilock (/dev/block/sdg1) - This partition contains your device IMEI.
persist (/dev/block/sda8) - This partition contains your device PSN, MAC, Bluetooth.
oemowninfo (/dev/block/sda2) - This partition contains SKUID, exclusive info, etc.
simlock (/dev/block/sde63) - Carrier locked TA-1251 only. Mandatory to allow your phone boot if your phone isn't carrier locked.
Other Snapdragon 765G based Android phones can also refer to this, although we can't guarantee it will 100% apply to your phone. DO NOT FOLLOW THIS GUIDE IF YOU ARE USING TA-1257 (NOKIA 8 V 5G UW from Verizon Wireless).
WARNING:
1. DO NOT SHARE YOUR CRITICAL PARTITION BACKUP IMAGES TO ANYONE ELSE TO PREVENT ABUSE, PLUS, SHARING THIS VIOLATES THE RULE OF XDA.
2. CRITICAL PARTITION BACKUP IMAGES FOR BOTH TA-1243 AND TA-1251 AREN'T INTERCHANGEDABLE.
To backup these partitions:
1. Unlock the bootloader and root your phone with Magisk.
2. Execute these commands:
Code:
adb shell mkdir /storage/emulated/0/bgt-critical/
adb shell su
(Confirm root permission on your phone - if you missed that or didn't confirm it, open Magisk app and grant it manually)
adb shell su -c dd if=/dev/block/bootdevice/by-name/imeilock of=/storage/emulated/0/bgt-critical/imeilock.img
adb shell su -c dd if=/dev/block/bootdevice/by-name/persist of=/storage/emulated/0/bgt-critical/persist.img
adb shell su -c dd if=/dev/block/bootdevice/by-name/oemowninfo of=/storage/emulated/0/bgt-critical/oemowninfo.img
adb shell su -c dd if=/dev/block/bootdevice/by-name/simlock of=/storage/emulated/0/bgt-critical/simlock.img
adb pull /storage/emulated/0/bgt-critical/
3. Save the entire bgt-critical directory in a safe place.
Additionally, you must do a QCN backup in case you erased NVRAM in the worst case.
To do that:
1. Root your phone with Magisk.
2. Execute this command on your PC with ADB shell for enabling Qualcomm Diag Port:
Code:
adb shell su -c setprop sys.usb.config diag,serial_cdev,rmnet,adb
3. Install QPST 2.7.496 and use QPST Software Download to back up both XQCN and QCN images, and save both of them at the bgt-critical partition you have saved.
Here's how to reinstall the stock firmware, in case you bricked the phone in the worst situation.
Assuming you have UFS lun0-lun6 erased, or the phone is currently at Qualcomm 900E, which are considered the worst situation.
1. Download the following firmware and extract it 3 times; you'll get tons of files inside.
bgt-2210-0-00WW-B01.HMDSW.7z | by Hikari Calyx for Generic Device/Other
2. Use text editor to open rawprogram0_sparse.xml and delete the string super.img inside to save time when doing part 1 flashing.
Use text editor to open rawprogram4.xml and replace the string abl.elf into BGT-abl.elf , then save it.
3. Copy prototype ABL into the firmware directory, and make sure the filename is BGT-abl.elf .
4A. (For Windows users)
Please install QPST 2.7.496 or newer and the Qualcomm USB Driver before you proceed. You'd better erase all other incompatible drivers to increase the success rate.
Once installed, please copy QSaharaServer.exe and fh_loader.exe from QPST installation directory (C:\Program Files (x86)\Qualcomm\QPST\bin by default) to firmware directory.
4B. (For macOS / Linux users)
Please install Python EDL from following website:
GitHub - bkerler/edl: Inofficial Qualcomm Firehose / Sahara / Streaming / Diag Tools :)
5. If your phone is currently at 900E, you must disassemble the phone by opening the back cover and make sure the motherboard is exposed.
Disconnect the battery, use a pair of tweezers to short the test point, then connect your phone to PC. Using USB 2.0 port is strongly recommended for best stability.
If you're using a PC that only has USB 3.1 ports you may likely encounter a USB port throttling issue. In this case you must buy a USB hub as a workaround.
To check if your phone is properly connected:
(For Windows users)
Please open Device Manager and check if your phone is listed as Qualcomm HS-USB QDLoader 9008 / Qualcomm HS-USB Diagnostics 9008. If not you need to disconnect the phone, short the test point and connect the phone to PC again. Once it's listed you can remove the tweezer.
(For macOS / Linux users)
Please execute this command:
Code:
lsusb
and see if a device started from 05C6:9008 is listed. If yes, you can remove the tweezer and proceed to next step.
6A. (For Windows users)
Please check the COM port in Device Manager, assuming the COM port number is 8.
Open a Command Prompt or PowerShell window at directory where you have tons of firmware files extracted.
Execute this command (replace the COM port number to actual COM port number you see in Device Manager)
Code:
.\QSaharaServer -p \\.\COM8 -s 13:prog_firehose_ddr.elf
If you see a message saying the image was uploaded successfully, you can proceed to the next step.
Execute this command to upload rawprogram XML configuration:
Code:
.\fh_loader --port=\\.\COM8 --search_path=. --sendxml=rawprogram0_sparse.xml,rawprogram1.xml,rawprogram2.xml,rawprogram3.xml,rawprogram4.xml,rawprogram5.xml,rawprogram6.xml --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=UFS
Wait for the image files to be uploaded, then write the patch XML configuration:
Code:
.\fh_loader.exe --port=\\.\COM8 --search_path=. --sendxml=patch0.xml,patch1.xml,patch2.xml,patch3.xml,patch4.xml,patch5.xml,patch6.xml --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=UFS
Once these commands are executed successfully, you can disconnect the phone, reconnect the battery and power it on.
Your phone should boot straight into Fastboot mode. If it doesn't boot the battery might be drained, recharge it a little bit before you proceed.
6B. (For macOS / Linux users)
Assuming you have Python EDL installed properly.
Open a terminal under the directory where you have firmware extracted, and execute this command:
Code:
edl qfil rawprogram0_sparse.xml,rawprogram1.xml,rawprogram2.xml,rawprogram3.xml,rawprogram4.xml,rawprogram5.xml,rawprogram6.xml patch0.xml,patch1.xml,patch2.xml,patch3.xml,patch4.xml,patch5.xml,patch6.xml /path/to/where/firmware/images/arelocated/ --memory=ufs --loader=prog_firehose_ddr.elf
Wait for image files being uploaded. If the flashing procedure is throttling, you may want to execute this command before connecting phone with test point shorted.
Once this command is executed successfully, you can disconnect the phone, reconnect the battery and power it on.
Your phone should boot straight into Fastboot mode. If it doesn't boot the battery might be drained, recharge it a little bit before you proceed.
7. Reinstall all other partitions with Fastboot command.
If you're Windows user, please DO NOT USE Minimal ADB and Fastboot, but use this instead: https://developer.android.com/studio/releases/platform-tools
Code:
fastboot flash partition:0 gpt_both0.bin
fastboot --set-active=a reboot-bootloader
fastboot flash xbl xbl.elf
fastboot flash xbl_config xbl_config.elf
fastboot flash abl abl.elf
fastboot flash tz tz.mbn
fastboot flash hyp hyp.mbn
fastboot flash devcfg devcfg.mbn
fastboot flash storsec storsec.mbn
fastboot flash pwinfo pwinfo.img
fastboot flash bluetooth BTFM.bin
fastboot flash modem NON-HLOS.bin
fastboot flash core_nhlos Core_NON-HLOS.bin
fastboot flash dsp dspso.bin
fastboot flash logfs logfs_ufs_8mb.bin
fastboot flash keymaster km4.mbn
fastboot flash featenabler featenabler.mbn
fastboot flash toolsfv tools.fv
fastboot flash metadata metadata.img
fastboot flash aop aop.mbn
fastboot flash qupfw qupv3fw.elf
fastboot flash imagefv imagefv.elf
fastboot flash uefisecapp uefi_sec.mbn
fastboot flash multiimgoem multi_image.mbn
fastboot flash vbmeta_system vbmeta_system.img
fastboot flash vbmeta vbmeta.img
fastboot flash dtbo dtbo.img
fastboot flash userdata userdata.img
fastboot flash recovery recovery.img
fastboot flash super super.img
fastboot flash boot boot.img
fastboot flash persist persist.img
Doing this will allow your phone to boot in a bare minimal state, but not ideally functional.
Next you must restore the critical partitions you backed up before.
Code:
fastboot erase fsc
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fs_image.img
fastboot flash elableinfo /path/to/bgt-critical/elableinfo.img
fastboot flash imeilock /path/to/bgt-critical/imeilock.img
fastboot flash persist /path/to/bgt-critical/persist.img
fastboot flash oemowninfo /path/to/bgt-critical/oemowninfo.img
fastboot reboot
8. Once your phone boots into normal OS, use Magisk to root your phone, and execute this command to enable Qualcomm Diag Port:
Code:
adb shell su -c setprop sys.usb.config diag,serial_cdev,rmnet,adb
9. (For Windows users) Use QPST Software Download to restore the QCN/XQCN image you backed up before. Eject the SIM before doing so to prevent issues.
10. (Skip if you're not using Carrier locked TA-1251) Reboot the phone into Fastboot mode and flash simlock partition:
Code:
adb reboot bootloader
fastboot flash simlock /path/to/bgt-critical/simlock.img
fastboot reboot
11. Enjoy your fully revived Nokia 8.3.