Hey,
I've recently updated my Nord 2 from A21 to C10. Phone was unlocked and rooted, so after having reflashed the original boot.img, I forced the installation of the official OTA through TWRP. I had to set ro.commonsoft.ota=OP515BL1 to make it work. After the installation, TWRP failed to mount /system, but that didn't surprised me. I checked that the boot partition has been well flashed.
Now every time I try to power on the phone, it directly tries to run into recovery mode. However it fails and start again and again...
Maybe the system tries to install the OTA using the original recovery, which of course fails, and because of an unknown reason, it doesn't reboot to system.
Because of the last update, fastboot is not accessible anymore using vol -, and BROM mode is not accessible using vol + / vol -.
I tried to crash the preloader using mtkclient but it didn't work.
I tried to use META mode to switch to fastboot, but preloader only answers "READY" (instead of "READYTOOBTSAF"), and nothing changes.
I try to reverse engineer preloader and lk but it's something new for me. META mode code is still present in the preloader, so I don't understand what's wrong with it. Maybe disabled by default on USB...
Does anyone has a solution to boot into BROM mode or make META mode work ?
Or maybe I could find DA authentication files somewhere ?
@Petitoto can you share a bit about how you got the meta command running?
I'm in a similar situation with a Nord 2T. While mtkclient can get some info out of the preloader, meta never seems to connect.
Code:
mtk gettargetconfig
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Main - Getting target info...
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Code:
mtk meta FASTBOOT
META - Status: Waiting for PreLoader VCOM, please connect mobile
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
Hey @Beanow,
I have the same gettargetconfig output, which indicates that the phone is not in BROM mode but stuck in preloader. Trying to interact with the preloader always lead to error because of the DAA (DAA_SIG_VERIFY_FAILED for example).
I have the same issue with mtkclient and meta mode. You can use the following modified mtk-bootseq.py:
py mtk-bootseq.py FASTBOOT COMXX (or python3 mtk-bootseq.py FASTBOOT /dev/ttyACMXX on linux).
Python:
import sys
import time
from serial import Serial
BOOTSEQ = bytes(sys.argv[1], "ascii")
DEVICE = sys.argv[2]
CONFIRM = b"READY" + BOOTSEQ[::-1]
while True:
try:
s = Serial(DEVICE, 115200, timeout=0.1)
print(".\n[+] Device detected")
break
except OSError as e:
sys.stdout.write("."); sys.stdout.flush()
time.sleep(0.1)
print("<-", s.read(256))
def send(bytes):
s.write(bytes)
print("->", str(bytes))
resp = s.read(256)
print("<-", str(resp))
return resp
resp = b''
while resp != CONFIRM:
resp = send(BOOTSEQ)
print("[+] Boot sequence sent")
On another device, it works and I get:
Code:
...............................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READYTOOBTSAF'
[+] Boot sequence sent
However, on my Nord 2, I get:
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Then the next s.write() is hanging.
I get the same result for any other boot mode. However, the code is still present in the preloader.
I unfolded my phone to try to find a test point. I tried all golden points but I only found:
- a point which loads preloader (and not BROM...) in the same way vol + / - do (in red in the picture)
- a point which boots the phone but without Android and OnePlus pictures (what's that ??) (in green)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I don't know how test point is handled: if that's the role of preloader, it may have been disabled by the update (as the BROM and fastboot). We may need to find the DAT0 point of the eMMC to short it and prevent the BROM to find the preloader, making it to go in EDL mode. However, I think that this point isn't exposed, and I won't disassemble my phone further without beeing sure of success...
Thank you so much for the work so far!
Unfortunately I get no response at all on the Nord 2T.
Code:
.......................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
Traceback (most recent call last):
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 31, in <module>
resp = send(BOOTSEQ)
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 24, in send
resp = s.read(256)
File "/usr/lib/python3.10/site-packages/pyserial-3.5-py3.10.egg/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
How did you connect to the device that you're getting these responses?
In my case, I need to use vol+, vol- and power, like mtkclient, or the ttyACM0 won't exist.
(I've got udevadm monitor up, watching for the usb/tty to be added)
Indeed, you need to run into preloader using vol +, vol -
Maybe a driver / python module issue. I've got similar issues on my linux. Try on windows or try to reinstall drivers.
It should work at least for the first answer. Else it means that your preloader doesn't send any data, which is not the case as mtkclient works.
I also tried a different baud, because a pl_lk log from oplusreserve2 partition suggested it may be used. No luck though. Note, this was a very old log I saved early on. Definitely not reflective of latest Nord 2T update.
Code:
[PLFM] boot_tag size = 0x0
BOOT_TAG_VERSION: 0
BOOT_REASON: 0
BOOT_MODE: 0
META_COM TYPE: 0
META_COM ID: 0
META_COM PORT: 285220864
META LOG DISABLE: 0
FAST META GPIO: 5906
LOG_COM PORT: 285220864
LOG_COM BAUD: 921600
LOG_COM EN: 1
LOG_COM SWITCH: 0
MEM_NUM: 2
MEM_SIZE: 0xAE7B
MEM_SIZE: 0xAE8D
I guess I'll try windows then
Code:
python mtk-bootseq.py FASTBOOT COM4
...................................................................................................................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Windows looks to behave similar. Though windows wouldn't take the MTK VCOM driver, so this is win10 default serial, in a VM over USB passthrough.
So, same result not in a VM. Though specifically with powershell I got the same output as you did.
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
This is really a helpfull post for us. I've already a oneplus nord 2 phn,from this post i know the more information about this phn.
Thank you so much.
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Click to expand...
Click to collapse
Thanks for this. No need to switch to windows anymore, to use mtk client.
Petitoto said:
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
Click to expand...
Click to collapse
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
All theories, but I would find it really hard to believe there's a problem with Linux drivers / libraries for something as basic as a UART/serial console over USB.
Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Click to expand...
Click to collapse
I also suspected this PID check and tried to log the else cases, but never reaches those for me.
So removing the check didn't help for mtkclients' meta commands.
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
Click to expand...
Click to collapse
Differents results when using cmd and powershell? There is really no reason for that. Unless it's not the same Python environment, with different pyserial for eg. I have issues to run mtk-bootseq on Linux, but always the same output on Windows' cmd.
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Click to expand...
Click to collapse
Maybe. On linux, I can get different results depending on baud rate, timeout (and luck?). If there is an issue related to the connection, it might explain why the preloader doesn't answer as expected. But as other commands (like mtk gettargetconfig, but also manually handshaking connections and gathering informations in pyserial) work well, I tend to think it's just disabled.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
Click to expand...
Click to collapse
I don't really know how it works. The code is still present in the preloader. However this functionnality is not always enabled. Maybe reversing the preloader more or analysing the log you provided on Github might help to determine whether or not it is enabled. Moreover, even if we manage to switch to fastboot, if the bootloader has been fully disabled, we may face the issue of the preloader trying to run into a non existant fastboot. Maybe the FACTFACT mode may help to reset the device, but I don't really know a lot about this mode.
So removing the check didn't help for mtkclients' meta commands.
Click to expand...
Click to collapse
Once you removed this check, if you print the data sent by the preloader, you'll get the multiple "READY" like mtk-bootseq on Windows. Moreover, I can switch to fastboot using this command on another MTK device.
Dear Sir,
Do you have any method to recover my phone as the figure show?
Thank You
Related
I flashed a wrong rom, and now have phone N9006 mtk 6572 bricked, it gives this error now , dont turn on and connection takes few second,,
it gives this error now
Flash files count is :12
Action : Firmware update.
Selected Samsung Clone: Note 3 Clone(MT6572)
Phone must be off with battery inside.
Please insert USB cable now...
Detected : MTK USB Port (COM21)
Phone detected...Please wait
Sending DA agent, please wait...
Connect error: S_FT_ENABLE_DRAM_FAIL
Error connect phone, aborting.
All done.
I didnt make backup my fault, before that I read the info of phone which was stuck at logo, the info read via volcano box is this, can some one give a backup or any rom to at least revive this phone,
Version: V3.8
SN:xxxxxxxxxxx
Port:COM57
After format or Flash you have to press & hold power button for at least 1.30 mins.
Note for win7 users :
Start your Win 7 64bit with F8 key and choose 'Disable Driver Signature Enforcement'.
After that the spd drivers will have the ability to be loaded.
Available Ports:COM1 COM3 COM8 COM9 COM57
Current Port:COM57
Analysis of USB port,Please insert phone USB cable.
Connecting...
CPU TYPE:MT6572
Hardware version:CA01
Software version:0000
Boot downloading complete!
EMMC_ID:0x45010053454D3034472805A6827A513B
EMMC_PRODUCT_NAME: SAMSUNG :0x53454D303447
EMMC_BOOT1_SIZE: 0x00200000
EMMC_BOOT2_SIZE: 0x00200000
EMMC_PRMB_SIZE: 0x00200000
EMMC_GP1_SIZE: 0x00000000
EMMC_GP2_SIZE: 0x00000000
EMMC_GP3_SIZE: 0x00000000
EMMC_GP4_SIZE: 0x00000000
EMMC_USER_SIZE: 0x0EC000000(3.69 G)
Analysis of system files...
PRELOADER: addr:0x000000 --length:0x880000
MBR: addr:0x880000 --length:0x080000
EBR1: addr:0x900000 --length:0x080000
PRO_INFO: addr:0x980000 --length:0x300000
NVRAM: addr:0xC80000 --length:0x500000
PROTECT_F: addr:0x1180000 --length:0xA00000
PROTECT_S: addr:0x1B80000 --length:0xA00000
SECCFG: addr:0x2580000 --length:0x020000
UBOOT: addr:0x25A0000 --length:0x060000
BOOTIMG: addr:0x2600000 --length:0x600000
RECOVERY: addr:0x2C00000 --length:0x600000
SEC_RO: addr:0x3200000 --length:0x040000
MISC: addr:0x3240000 --length:0x080000
LOGO: addr:0x32C0000 --length:0x300000
EXPDB: addr:0x35C0000 --length:0xA00000
ANDROID: addr:0x3FC0000 --length:0x28A00000
CACHE: addr:0x2C9C0000 --length:0x17800000
USRDATA: addr:0x441C0000 --length:0x52C00000
FAT: addr:0x96DC0000 --length:0x54340000
BMTPOOL: addr:0xFFFF00A8 --length:0x000000
Format addr:0x481C0000 --Format length:0x4EC00000
>>Read phone information success.
these are the info , so please can some one help me urgently thankyou.
bcnboy
Hello,
This OP3 I got here, had a dm_verity error. Afterwards I used the Qualcomm way to get past that.
Now I'm getting the issue that it shows me the "Start do md5 checksum" list and there are 2 things in red (System : failed) and at the end it said md5 checksum failed.
I tried various amount of things I found all around the internet but this is what prevents them from fixing my problem:
- My lack of skill and probably knowledge
- Phone isn't oem unlocked
- Phone's partition can't be edited
- Bootloader version is empty (locked aswell, used an AIO tool to confirm)
- FastBoot is possible (volume up + power)
- I can't get into ADB sideload
- There's no TWRP or anything
There are some stuff in this list that most likely are the same thing (as I said, I lack knowledge).
I don't know what else I can do. Do you guys have an idea?
Much love,
rZergling
fastboot oem device-info gives:
Code:
Device tampered: false
Device unlocked: false
Device critical unlocked: false
Display panel:
Have console: true
Selinux type: <none>
Boot_mode: normal
Kmemleak_detext: false
Most likely USB debugging is off.
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Requirements:
- SP flash tool and right DA file (provided in the post).
-brom bypass (also provided).
-patience and perseverance.
Steps to install:
1)steps to install brom bypass:
-first install python 3 (check on google)
- then run this code in a cmd
Code:
pip install pyusb pyserial json5
-after that make sure to have all the mediatek drivers installed and install libusb from the archive i provided
- after installing libusb you will be greeted by a filter wizard window, check the "install new device filter" then connect the phone to the pc while pressing (volume +, volume - and power button) all at the same time you
will see in the list a new mtk com port appear click on it and then on install, done with the prep'.
2)steps to flash:
-first launch the brom bypass, a window will appear saying 'waiting for bootrom' connect your phone while pressing (volume +, volume - and power button) all together then you will see on the command prompt 'protection disabled' it means you have successfully bypassed the brom.
- now oppen up sp flash tool, select the download agent, select the scatter fille from the rom folder and the auth file (provided with sp flash tool archive on the post) then setup sp flash tool in uart mode with a bud rate of 921600 then flash in format all.
-done.
Hope this helped, cheers !
Thanks Bro <3
Sammar Prince said:
Thanks Bro <3
Click to expand...
Click to collapse
No problem
razers211 said:
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Requirements:
- SP flash tool and right DA file (provided in the post).
-brom bypass (also provided).
-patience and perseverance.
Steps to install:
1)steps to install brom bypass:
-first install python 3 (check on google)
- then run this code in a cmd
Code:
pip install pyusb pyserial json5
-after that make sure to have all the mediatek drivers installed and install libusb from the archive i provided
- after installing libusb you will be greeted by a filter wizard window, check the "install new device filter" then connect the phone to the pc while pressing (volume +, volume - and power button) all at the same time you
will see in the list a new mtk com port appear click on it and then on install, done with the prep'.
2)steps to flash:
-first launch the brom bypass, a window will appear saying 'waiting for bootrom' connect your phone while pressing (volume +, volume - and power button) all together then you will see on the command prompt 'protection disabled' it means you have successfully bypassed the brom.
- now oppen up sp flash tool, select the download agent, select the scatter fille from the rom folder and the auth file (provided with sp flash tool archive on the post) then setup sp flash tool in uart mode with a bud rate of 921600 then flash in format all.
-done.
Hope this helped, cheers !
Click to expand...
Click to collapse
Help sir, how to fix this error? Thanks
razers211 said:
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Requirements:
- SP flash tool and right DA file (provided in the post).
-brom bypass (also provided).
-patience and perseverance.
Steps to install:
1)steps to install brom bypass:
-first install python 3 (check on google)
- then run this code in a cmd
Code:
pip install pyusb pyserial json5
-after that make sure to have all the mediatek drivers installed and install libusb from the archive i provided
- after installing libusb you will be greeted by a filter wizard window, check the "install new device filter" then connect the phone to the pc while pressing (volume +, volume - and power button) all at the same time you
will see in the list a new mtk com port appear click on it and then on install, done with the prep'.
2)steps to flash:
-first launch the brom bypass, a window will appear saying 'waiting for bootrom' connect your phone while pressing (volume +, volume - and power button) all together then you will see on the command prompt 'protection disabled' it means you have successfully bypassed the brom.
- now oppen up sp flash tool, select the download agent, select the scatter fille from the rom folder and the auth file (provided with sp flash tool archive on the post) then setup sp flash tool in uart mode with a bud rate of 921600 then flash in format all.
-done.
Hope this helped, cheers !
Click to expand...
Click to collapse
Help sir, how to fix this error? Thanks
razers211 said:
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Requirements:
- SP flash tool and right DA file (provided in the post).
-brom bypass (also provided).
-patience and perseverance.
Steps to install:
1)steps to install brom bypass:
-first install python 3 (check on google)
- then run this code in a cmd
Code:
pip install pyusb pyserial json5
-after that make sure to have all the mediatek drivers installed and install libusb from the archive i provided
- after installing libusb you will be greeted by a filter wizard window, check the "install new device filter" then connect the phone to the pc while pressing (volume +, volume - and power button) all at the same time you
will see in the list a new mtk com port appear click on it and then on install, done with the prep'.
2)steps to flash:
-first launch the brom bypass, a window will appear saying 'waiting for bootrom' connect your phone while pressing (volume +, volume - and power button) all together then you will see on the command prompt 'protection disabled' it means you have successfully bypassed the brom.
- now oppen up sp flash tool, select the download agent, select the scatter fille from the rom folder and the auth file (provided with sp flash tool archive on the post) then setup sp flash tool in uart mode with a bud rate of 921600 then flash in format all.
-done.
Hope this helped, cheers !
Click to expand...
Click to collapse
Hi thank you i was succesfuly installed this rom and now what to restore IMEI? AT commands not working it says +CME ERROR: 100
thank you in advice i was tryed a lot of forms and i cant make calls, only 4G and SMS, restricted calls
yoalcuadrao said:
thank you in advice i was tryed a lot of forms and i cant make calls, only 4G and SMS, restricted calls
Click to expand...
Click to collapse
don't restore the imei 1 of the phone and put your sim in slot 2, might work now
willkurt27 said:
Help sir, how to fix this error? Thanks
Click to expand...
Click to collapse
did you properly install the mtk drivers ???
Well i hope i would be finally able to unbrick my phone with this... No recovery and fastoboot and by far everything works my device is recognized as mtk device but cannot flash any stock rom with SM Flash Tool
razers211 said:
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Requirements:
- SP flash tool and right DA file (provided in the post).
-brom bypass (also provided).
-patience and perseverance.
Steps to install:
1)steps to install brom bypass:
-first install python 3 (check on google)
- then run this code in a cmd
Code:
pip install pyusb pyserial json5
-after that make sure to have all the mediatek drivers installed and install libusb from the archive i provided
- after installing libusb you will be greeted by a filter wizard window, check the "install new device filter" then connect the phone to the pc while pressing (volume +, volume - and power button) all at the same time you
will see in the list a new mtk com port appear click on it and then on install, done with the prep'.
2)steps to flash:
-first launch the brom bypass, a window will appear saying 'waiting for bootrom' connect your phone while pressing (volume +, volume - and power button) all together then you will see on the command prompt 'protection disabled' it means you have successfully bypassed the brom.
- now oppen up sp flash tool, select the download agent, select the scatter fille from the rom folder and the auth file (provided with sp flash tool archive on the post) then setup sp flash tool in uart mode with a bud rate of 921600 then flash in format all.
-done.
Hope this helped, cheers !
Click to expand...
Click to collapse
thank very much bro
muito obrigado, tive que usar o META modem para escrever IMEI. so deu certo com essa room, deus te abençoe. BRASIL
----------
MOD EDIT: English Translation Below
thank you very much, had to use META modem to write IMEI. it just worked out with this room, god bless you. BRAZIL
tiagoql said:
muito obrigado, tive que usar o META modem para escrever IMEI. so deu certo com essa room, deus te abençoe. BRASIL
Click to expand...
Click to collapse
in english or indonesia please
hello if I flash this rom to my miui 12.5.1 will this work? or my phone will be stucked in bootloop? sorry im newbie
work.
only write imei simcard 2 brother
razers211 said:
after further testing and finally restoring my IMEIs using this rom, i can say that it is indeed working, so hope it helps a lot of you guys stuck with a phone without IMEIs.
link :
Xiaomi Redmi 9 ENG Firmware (Engineering Rom)
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
www.mediafire.com
Click to expand...
Click to collapse
Hello and thanks for sharing, I have the same error as @willkurt27
while using SPFlash Tool
What I do:
Launch bypass.bat
Plug my phone with vol - pressed and battery unplugged.
[2021-08-24 21:33:09.958798] Waiting for device
[2021-08-24 21:39:08.793257] Found device = 0e8d:0003
[2021-08-24 21:39:14.833772] Device hw code: 0x707
[2021-08-24 21:39:14.833772] Device hw sub code: 0x8a00
[2021-08-24 21:39:14.833772] Device hw version: 0xca00
[2021-08-24 21:39:14.833772] Device sw version: 0x0
[2021-08-24 21:39:14.833772] Device secure boot: True
[2021-08-24 21:39:14.833772] Device serial link authorization: True
[2021-08-24 21:39:14.833772] Device download agent authorization: True
[2021-08-24 21:39:14.833772] Disabling watchdog timer
[2021-08-24 21:39:14.849712] Disabling protection
[2021-08-24 21:39:14.849712] Using kamakiri
[2021-08-24 21:39:14.849712] Protection disabled
Appuyez sur une touche pour continuer...
Then I use SPFlash Tool v5.1924.0
Tried with DA_6765_6785_6768_6873_6885_6853.bin and MTK_AllInOne_DA.bin
What am I doing wrong?
hckbkl said:
work.
only write imei simcard 2 brother
Click to expand...
Click to collapse
which da will i use? DA_6765_6785_6768_6873_6885_6853 or MTK_AllInOne_DA for redmi 9 mt6768
lobothefoots said:
Hello and thanks for sharing, I have the same error as @willkurt27
while using SPFlash Tool
What I do:
Launch bypass.bat
Plug my phone with vol - pressed and battery unplugged.
[2021-08-24 21:33:09.958798] Waiting for device
[2021-08-24 21:39:08.793257] Found device = 0e8d:0003
[2021-08-24 21:39:14.833772] Device hw code: 0x707
[2021-08-24 21:39:14.833772] Device hw sub code: 0x8a00
[2021-08-24 21:39:14.833772] Device hw version: 0xca00
[2021-08-24 21:39:14.833772] Device sw version: 0x0
[2021-08-24 21:39:14.833772] Device secure boot: True
[2021-08-24 21:39:14.833772] Device serial link authorization: True
[2021-08-24 21:39:14.833772] Device download agent authorization: True
[2021-08-24 21:39:14.833772] Disabling watchdog timer
[2021-08-24 21:39:14.849712] Disabling protection
[2021-08-24 21:39:14.849712] Using kamakiri
[2021-08-24 21:39:14.849712] Protection disabled
Appuyez sur une touche pour continuer...
Then I use SPFlash Tool v5.1924.0
Tried with DA_6765_6785_6768_6873_6885_6853.bin and MTK_AllInOne_DA.bin
View attachment 5392951
What am I doing wrong?
Click to expand...
Click to collapse
try to insert the auth file
lobothefoots said:
Hello and thanks for sharing, I have the same error as @willkurt27
while using SPFlash Tool
What I do:
Launch bypass.bat
Plug my phone with vol - pressed and battery unplugged.
[2021-08-24 21:33:09.958798] Waiting for device
[2021-08-24 21:39:08.793257] Found device = 0e8d:0003
[2021-08-24 21:39:14.833772] Device hw code: 0x707
[2021-08-24 21:39:14.833772] Device hw sub code: 0x8a00
[2021-08-24 21:39:14.833772] Device hw version: 0xca00
[2021-08-24 21:39:14.833772] Device sw version: 0x0
[2021-08-24 21:39:14.833772] Device secure boot: True
[2021-08-24 21:39:14.833772] Device serial link authorization: True
[2021-08-24 21:39:14.833772] Device download agent authorization: True
[2021-08-24 21:39:14.833772] Disabling watchdog timer
[2021-08-24 21:39:14.849712] Disabling protection
[2021-08-24 21:39:14.849712] Using kamakiri
[2021-08-24 21:39:14.849712] Protection disabled
Appuyez sur une touche pour continuer...
Then I use SPFlash Tool v5.1924.0
Tried with DA_6765_6785_6768_6873_6885_6853.bin and MTK_AllInOne_DA.bin
View attachment 5392951
What am I doing wrong?
Click to expand...
Click to collapse
or install mtk drivers properly
lobothefoots said:
Hello and thanks for sharing, I have the same error as @willkurt27
while using SPFlash Tool
What I do:
Launch bypass.bat
Plug my phone with vol - pressed and battery unplugged.
[2021-08-24 21:33:09.958798] Waiting for device
[2021-08-24 21:39:08.793257] Found device = 0e8d:0003
[2021-08-24 21:39:14.833772] Device hw code: 0x707
[2021-08-24 21:39:14.833772] Device hw sub code: 0x8a00
[2021-08-24 21:39:14.833772] Device hw version: 0xca00
[2021-08-24 21:39:14.833772] Device sw version: 0x0
[2021-08-24 21:39:14.833772] Device secure boot: True
[2021-08-24 21:39:14.833772] Device serial link authorization: True
[2021-08-24 21:39:14.833772] Device download agent authorization: True
[2021-08-24 21:39:14.833772] Disabling watchdog timer
[2021-08-24 21:39:14.849712] Disabling protection
[2021-08-24 21:39:14.849712] Using kamakiri
[2021-08-24 21:39:14.849712] Protection disabled
Appuyez sur une touche pour continuer...
Then I use SPFlash Tool v5.1924.0
Tried with DA_6765_6785_6768_6873_6885_6853.bin and MTK_AllInOne_DA.bin
View attachment 5392951
What am I doing wrong?
Click to expand...
Click to collapse
use mtkbypass
I'm looking to pinout both test pins. I bought this phone a few days ago. I unlocked it with TWRP, I looked at the possibilities. I made a mistake with TWRP by switching the system to sideload B (I chose between A and B) and the system refused to start. I do not have access to the bootloader with the buttons. I only enter QDLoader HS-USB Driver mode working. I read the instructions on how to make a blank flash. I took the 18 files out of the phone and made a new blank flash for this model - moto g9 power / but in the end it gives me an error. Now I'm looking for a solution. - "C: \ Documents and Settings \ Administrator \ Desktop \ MOTO G9 POWER blankflash \ Blankflash for G9 POWER>. \ Qboot.exe blank-flash Motorola qboot utility version 3.86 [0.000] Opening device: \\. \ COM4 [0.000] Detecting device [0.000] ... cpu.id = 333 (0x14d) [0.000] ... cpu.sn = 2936128399 (0xaf01c38f) [0.000] Opening singleimage [0.000] Loading package [0.000] ... filename = pkg.xml [0.000] Loading programmer [0.000] ... filename = programmer.elf [0.000] Sending programmer [0.156] Handling things over to programmer [0.156] Identifying CPU version [0.156] Waiting for firehose to get ready [3.297] ... SM_KAMORTA_H 1.0 [3.297] Determining target secure state [3.297] ... secure = yes [3.375] Configuring device ... [3.391] Flashing GPT ... [3.391] Flashing partition with gpt.bin [3.406] Initializing storage [3,484] ... blksz = 512 [37.016] Re-initializing storage ... [37.016] Initializing storage [37328] Flashing bootloader ... [37.344] Flashing abl_a with abl.elf [37.344] partition abl_a not found! [37.359] ERROR: do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found [37.375] Check qboot_log.txt for more details [37.375] Total time: 37.375s FAILED: qb_flash_singleimage () -> do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found "the last message puzzles me. I want to transfer the system to sideload A again, so I have to reset the device firmly. Are there people familiar with the possibilities?
2 I built a blankflash for the Moto G8
1 How To Blank Flash & Fix/Repair Hard Bricked Motorola Devices/Moto G8+|Tutorial Get It Working Again - YouTube
Version Bootloader MBM-3.O-cebu retail 232f3ba894-201209
motostockrom.com/motorola-moto-g9-power-xt2091-3
I'm looking to pinout both test pins.
Have you tried using LMSA?
It recovered a dead phone for me once.
Rescue and Smart Assistant (LMSA)
Also, I too once accidentally switched slot to B, and system didn't boot. However, I was able to get into fastboot mode and switch by entering the command to switch slots.
https://support.lenovo.com/bg/en/downloads/ds101291 i saw this but my computer is 32 bit / i am looking for the program qualcomm edl mode flash tool or something like Axon10Pro_ (More) _EDL_Tools_v1.1d because i want to make active a siteloader because i saw that this can be done not so difficult otherwise for edl pinout I saw how it works and no problem
man88nam said:
https://support.lenovo.com/bg/en/downloads/ds101291 i saw this but my computer is 32 bit / i am looking for the program qualcomm edl mode flash tool or something like Axon10Pro_ (More) _EDL_Tools_v1.1d because i want to make active a siteloader because i saw that this can be done not so difficult otherwise for edl pinout I saw how it works and no problem
Click to expand...
Click to collapse
qualcomm edl mode flash tool / Axon10Pro_ (More) _EDL_Tools_v1.1d
In those .XML files, can you delete the line that says "abl" and try again?
I will do, but these files can be downloaded according to the instructions on how to make closed files extracted from the phone itself
https://www.reddit.com/r/MotoG/comments/k73n66
I downloaded from the bootloader 18 files that are original, this is in connection with blank flash, where in the end there is an error, because eight made active "B" sector instead of A
I removed the ABL file from the XML, but the error remains, plus the message for a missing ABL file ELF
[ 37.297] file abl.elf not found in singleimage.bin!
[ 37.297] ERROR: do_package()->do_recipe()->do_flash()->not found
[ 37.297] Check qboot_log.txt for more details
[ 37.297] Total time: 37.297s
I'm just looking for an EDL program that works similar to this command line Set Bootable Partition- Slot A / run_AB-partition-swap - but here it wants some text file for the presence of a port, port_trace.txt
I'm sorry, I can't help further here. Even though the active slot is B, the partition abl_a should exist and should be flashable regardless. It looks as though there isn't such a partition at all, which I don't even know how that happened.
The tool which you are using is correct, it's doing its job properly. Are you sure you have the right firmware version and software channel? Because bootloader.img differ depending on the firmware version and the carrier. I'd also suggest downloading from https://mirrors.lolinet.com/firmware/moto/cebu/official/, instead of the link you mentioned, motostockroms.
Also, try asking in this Telegram group: https://t.me/lolinet. There are people on there who are more knowledgeable, maybe they can help.
After trying the firmware image from lolinet and trying the process again with that firmware, I'd try to get into bootloader mode once again through power buttons, and if that doesn't work, send the phone into the service center.
Motorola_Moto_G9_Power_XT2091-3_RETUK_CEBU_RETAIL_QZC30.Q4-22-57_10_by_(motostockrom.com) With the TWRP program I chose with active slot B / I don't know if it deleted the content from slot A of the bootloader. By the way, I downloaded the original product firmware XT2091-3 according to the instructions for this, which I get when I try blank flash / I have no idea what to do, so I'm looking for a program "qualcomm edl mode flash tool" and I constantly get Indian sites with dangerous behavior.
I thank you for your time
Hey,
Today I found EDL points for Moto G9 power. Infact im also facing firmware issue.
I accidentally locked bootloader with stockrom again trying to unlock but not working.
Causing No valid OS to boot.
if i try unlock again showing message like " enable OEM unlocking in developer options"
unfortunately not podsible. But still waiting for proper EDL flash tool.
feel free to guide if any one got resolution.
See This F11 Device Has Been Unlocked
You will need:
PC (With atleast 2gb ram)
Python
Do not do this if you are a kid!
Anything could go wrong.
Goto your phone's developer options and turn these 2 options on
-USB Debugging
-OEM Unlock
So, after that, open your pc, now you need to install Python 3.9 or Python 3.10 from microsoft store or from the web.
After it is installed, you are ready to go..
Download this: https://github.com/bkerler/mtkclient/archive/refs/heads/main.zip
This: https://github.com/daynix/UsbDk/releases/
When you have downloaded both of these, open usbdk and install drivers from there.
Once you've done that, extract the mtkclient_main folder, and go into it.
Now click the right mouse button and shift in an empty place in the folder and click open with powershell. (You can also do it with cmd)
Once you're inside, type this command (no need to connect phone right now)
pip3 install -r requirements.txt (make sure you have internet access)
Once you've entered it, wait for it to complete the installation.
After you've done that, get ready with your phone.
Now enter the final command to unlock the bootloader.
python mtk da seccfg unlock
Enter it, and remove the usb, don't turn on the device, now hold the volume buttons again and connect usb
Wait for the command to complete. Keep holding.
After it's done, hold volume up and power button.
After you've turned on your phone, there will be something written in small text, don't worry about it, and press power button once.
Wait for the phone to boot, it will take a while.
After it's booted, goto developer options, and check if OEM Unlocking is locked at enabled.
If it is, great job, you've unlocked the bootloader!
Hi, I unlocked my F11 on Color OS 11. Now I want to root it using Magisk, what should I do now?
dathtd119 said:
Hi, I unlocked my F11 on Color OS 11. Now I want to root it using Magisk, what should I do now?
Click to expand...
Click to collapse
first dump boot. img use mtk client commandython mtk r boot boot.img
after this boot.img file have in folder mtk client you can patch magisk and tick vbmeta/avb, after patch rename boot patched to boot.img copy to folder mtk client and flash use commadython mtk w boot boot.img
MuhammadRafiAsyddiq(ID) said:
first dump boot. img use mtk client commandython mtk r boot boot.img
after this boot.img file have in folder mtk client you can patch magisk and tick vbmeta/avb, after patch rename boot patched to boot.img copy to folder mtk client and flash use commadython mtk w boot boot.img
Click to expand...
Click to collapse
I made it, thanks so much
dathtd119 said:
Hi, I unlocked my F11 on Color OS 11. Now I want to root it using Magisk, what should I do now?
dathtd119 said:
Hi, I unlocked my F11 on Color OS 11. Now I want to root it using Magisk, what should I do now?
Click to expand...
Click to collapse
need
Click to expand...
Click to collapse
dathtd119 said:
I made it, thanks so much
Click to expand...
Click to collapse
need tester twrp and custom kernel
MuhammadRafiAsyddiq(ID) said:
need tester twrp and custom kernel
Click to expand...
Click to collapse
It's my main phone so I cannot do that, sorrry.
MuhammadRafiAsyddiq(ID) said:
need tester twrp and custom kernel
Click to expand...
Click to collapse
Hi, my phone is oppo f11 pro cph1969, so i can & will be your tester for flashing your TWRP project
MuhammadRafiAsyddiq(ID) said:
need tester twrp and custom kernel
Click to expand...
Click to collapse
Why should I use TWRP? Is there a custom ROM for Oppo F11?
itsmeboy0 said:
Why should I use TWRP? Is there a custom ROM for Oppo F11?
Click to expand...
Click to collapse
Test Bruh Will Avaible soon
broo can help me how to ubl??
jakolaja said:
broo can help me how to ubl??
View attachment 5880183
Click to expand...
Click to collapse
install python first
I am always stuck on something in this phone, I doubt I'm pressing buttons correctly. I'm pressing volume up and down at once and holding and waiting.
PrabeshAryal said:
View attachment 5895725I am always stuck on something in this phone, I doubt I'm pressing buttons correctly. I'm pressing volume up and down at once and holding and waiting.
Click to expand...
Click to collapse
full screenshot
MuhammadRafiAsyddiq(ID) said:
full screenshot
Click to expand...
Click to collapse
something wrong with py code .. heres my result
Port - Device detected
Traceback (most recent call last):
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtk", line 815, in <module>
mtk = Main(args).run(parser)
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_main.py", line 619, in run
mtk = da_handler.configure_da(mtk, preloader)
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_da_cmd.py", line 78, in configure_da
mtk.preloader.init()
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_preloader.py", line 163, in init
if self.config.iot:
AttributeError: 'Mtk_Config' object has no attribute 'iot' <<<<<<<<<<This is the error!
first steps are done completely fine until this error came out.
Pres Lii said:
something wrong with py code .. heres my result
Port - Device detected
Traceback (most recent call last):
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtk", line 815, in <module>
mtk = Main(args).run(parser)
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_main.py", line 619, in run
mtk = da_handler.configure_da(mtk, preloader)
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_da_cmd.py", line 78, in configure_da
mtk.preloader.init()
File "D:\DESKTOP\Oppo F11 Pro Root\mtkclient-main\mtkclient\Library\mtk_preloader.py", line 163, in init
if self.config.iot:
AttributeError: 'Mtk_Config' object has no attribute 'iot' <<<<<<<<<<This is the error!
first steps are done completely fine until this error came out.
Click to expand...
Click to collapse
Full log sir no like this
help i cant unlock bootloader it, i just followed all the step but it send this "Device has is either already unlocked or algo is unknown. Aborting."
Alawin said:
help i cant unlock bootloader it, i just followed all the step but it send this "Device has is either already unlocked or algo is unknown. Aborting."
Click to expand...
Click to collapse
Full Log:
Port - Device detected
Preloader - CPU: MT6771/MT8385/MT8183/MT8666(Helio P60/P70/G80)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x788
Preloader - Target config: 0xe5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: True
Preloader - Mem write auth: True
Preloader - Cmd 0xC8 blocked: True
Preloader - Get Target info
Preloader - BROM mode detected.
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Preloader - ME_ID: 78B6DF272A6AC641C9F5B438F624F39E
Preloader - SOC_ID: BFA68752DA81E7A82AAD320C7D7A8ADEEC19B9B5707E1FCDF85168B09B469094
PLTools - Loading payload from mt6771_payload.bin, 0x264 bytes
PLTools - Kamakiri / DA Run
Kamakiri - Trying kamakiri2..
Kamakiri - Done sending payload...
PLTools - Successfully sent payload: C:\Users\JOEY\Downloads\mtkclient-main\mtkclient\payloads\mt6771_payload.bin
Port - Device detected
DA_handler - Device is protected.
DA_handler - Device is in BROM mode. Trying to dump preloader.
DAXFlash - Uploading xflash stage 1 from MTK_AllInOne_DA_5.2136.bin
xflashext - Patching da1 ...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "hash_check" in preloader
xflashext
xflashext - [LIB]: Error on patching da1 version check...
Mtk - Patched "Patched loader msg" in preloader
Mtk - Patched "get_vfy_policy" in preloader
xflashext - Patching da2 ...
DAXFlash - Successfully uploaded stage 1, jumping ..
Preloader - Jumping to 0x200000
Preloader - Jumping to 0x200000: ok.
DAXFlash - Successfully received DA sync
DAXFlash - DRAM config needed for : 150100335636434d
DAXFlash - Sending emi data ...
DAXFlash - DRAM setup passed.
DAXFlash - Sending emi data succeeded.
DAXFlash - Uploading stage 2...
DAXFlash - Upload data was accepted. Jumping to stage 2...
DAXFlash - Successfully uploaded stage 2
DAXFlash - EMMC FWVer: 0x0
DAXFlash - EMMC ID: 3V6CMB
DAXFlash - EMMC CID: 150100335636434d42022f2fdada4683
DAXFlash - EMMC Boot1 Size: 0x400000
DAXFlash - EMMC Boot2 Size: 0x400000
DAXFlash - EMMC GP1 Size: 0x0
DAXFlash - EMMC GP2 Size: 0x0
DAXFlash - EMMC GP3 Size: 0x0
DAXFlash - EMMC GP4 Size: 0x0
DAXFlash - EMMC RPMB Size: 0x1000000
DAXFlash - EMMC USER Size: 0x1d1ec00000
DAXFlash - HW-CODE : 0x788
DAXFlash - HWSUB-CODE : 0x8A00
DAXFlash - HW-VERSION : 0xCA00
DAXFlash - SW-VERSION : 0x0
DAXFlash - CHIP-EVOLUTION : 0x0
DAXFlash - DA-VERSION : 1.0
DAXFlash - Extensions were accepted. Jumping to extensions...
DAXFlash - DA Extensions successfully added
xflashext - Detected V4 Lockstate
sej - HACC init
sej - HACC run
sej - HACC terminate
sej - HACC init
sej - HACC run
sej - HACC terminate
DA_handler
DA_handler - [LIB]: Device has is either already unlocked or algo is unknown. Aborting.
can you fix this problem?