Help with Hard Brick Z2 Force (XT1789-04 AT&T) Is Internal Memory Fried? - Moto Z2 Force Questions & Answers

Hi, looking for a kind soul who can provide me with some insight or direction.
My Phone:
Moto Z2 Force XT1789-04 AT&T
Carrier unlocked with unlock code from AT&T to use T-Mobile SIM
Updated to either Build number: OCXS27.109-47-20 or Build number: OCXS27.109-47-23 using LMSA (not OTA)
Official build, never tried to root it
My Circumstance:
I was using fingerprint unlock and my login attempts were failing.
In a brief moment of frustration, and stupidity, I repeatedly retried FP unlock (probably 10+ times)
Display went dim and phone became unresponsive, and ultimately turned into a brick with no way to power on; nothing displayed when plugged in to charge.
My Attempts to Fix:
After trying various button reset options with no success, I plugged my phone into my PC and saw QUSB_BULK
Further searching led me to https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5 (thanks 41rw4lk)
I installed the Qualcomm driver and got Qualcomm HS-USB QDLoader 9008 to show up in Device Manager.
I tried blank-flash.bat using blankflash_from_NDX26.183-15_17 (again, thanks, 41rw4lk)
Here is the output from the batch command:
Code:
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>blank-flash.bat
c:\Downloads\MOTOZ2FORCE\blankflash_from_NDX26.183-15_17>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ -0.000] Opening device: \\.\COM4
[ -0.000] Detecting device
[ 0.016] ...cpu.id = 94 (0x5e)
[ 0.016] ...cpu.sn = 1009594148 (0x3c2d2f24)
[ 0.016] Opening singleimage
[ 0.016] Loading package
[ 0.016] ...filename = pkg.xml
[ 0.016] Loading programmer
[ 0.016] ...filename = programmer.elf
[ 0.016] Sending programmer
[ 0.176] Handling things over to programmer
[ 0.176] Identifying CPU version
[ 0.176] Waiting for firehose to get ready
[ 3.200] ...MSM8998 2.1
[ 3.200] Determining target secure state
[ 3.200] ...secure = yes
[ 3.247] Configuring device...
[ 3.263] Skipping UFS provsioning as target is secure
[ 3.263] Configuring device...
[ 4.824] Target NAK!
[ 4.824] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 4.824] ...ERROR: Failed to open the device 3 slot 0 partition 1
[ 4.824] ...INFO: Device type 3, slot 0, partition 1, error 0
[ 4.824] ...WARN: Set bootable failed to open 3 slot 0, partition 1, error 0
[ 4.824] ERROR: do_package()->do_recipe()->NAK
[ 4.824] Check qboot_log.txt for more details
[ 4.824] Total time: 4.824s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->NAK
Here is the device info from the log:
Code:
[ 4.824] qboot version 3.85
[ 4.824]
[ 4.824] DEVICE {
[ 4.824] name = "\\.\COM4",
[ 4.824] flags = "0x144",
[ 4.824] addr = "0x62FD54",
[ 4.824] sahara.current_mode = "0",
[ 4.824] api.buffer = "0x29C4020",
[ 4.824] cpu.serial = "1009594148",
[ 4.824] cpu.id = "94",
[ 4.824] cpu.sv_sbl = "0",
[ 4.824] cpu.name = "MSM8998",
[ 4.824] storage.type = "UFS",
[ 4.824] sahara.programmer = "programmer.elf",
[ 4.824] module.firehose = "0x6D91C8",
[ 4.824] api.firehose = "0x721F50",
[ 4.824] cpu.ver = "513",
[ 4.824] cpu.vername = "2.1",
[ 4.824] fh.max_packet_sz = "1048576",
[ 4.824] fh.storage_inited = "1",
[ 4.824] }
So, best as I can decipher, the blank-flash is failing because it cannot create a filesystem on the internal memory.
I read something about A/B slots, but I'm starting to lose my way.
Am I done for?
Thanks for looking. Truly appreciate the folks in this community.

Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?

lobbybee said:
> Wait! Am I using a Nougat blank-flash? Do I need an Oreo blank-flash? Is there one available for the XT1789-04?
See if there is one on
https://mirrors.lolinet.com/firmware/moto

The Nougat blankflash is fine. The phone shipped with a Nougat pbl and the way I understand it is that it can't be modified or upgraded; it can be reflashed with the same, but that's it. Don't quote me on that though. As for an Oreo blankflash, there is one, but I've never heard any success stories from it and Nougat has always done the trick.
I've seen that error before; it is speculated that maybe the storage is failing, but I don't know if anyone has ever been able to say 'yes, your storage is no good and that's why you get this error' etc. It may very well be the case and I'm not sure if those who have faced that error have been able to recover.
What version of windows are you running? Have you tried running as an admin, using different ports?
If you are on Win10 have you tried going old school and disabling integrity checks and turning test signing on? Win10 isn't very friendly when it comes to our phone, we recommend Win7 and command prompt, not powershell. So if you're using Win10 and haven't done the above, it's worth a shot.

41rw4lk said:
> What version of windows are you running? Have you tried running as an admin, using different ports?
Previously on Win10 as Admin from CMD window.
Also just tried on Win7, per suggestion, with the same results.
I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?

lobbybee said:
> Previously on Win10 as Admin from CMD window.
> Also just tried on Win7, per suggestion, with the same results.
> I used 3 different USB2 ports on the PC, iterated through 3 different USB-C cables.
> I found the --debug=2 flag for qboot.exe and started digging through the output. Now it's got me wondering:
> 1) Why is it specifying UFS instead of eMMC? Phonemore.com specs says it's UFS 2.1
> 2) It appears to be skipping storage initialization because "target is secure." Is blankflash failing b/c my bootloader was not unlocked before it bricked?
> 3) Should I look into using QFIL to manually configure the reinitialization of the file system, whether UFS or eMMC?
I believe the pbl is loaded before bootloader lock is detected, hence the reason it was able to exploit and unlock bootloaders. Obviously we all can agree that something is failing when it comes to initializing the UFS storage it needs to write to. Whether it is corrupted, dead, or something else... I'm not knowledgeable enough to answer that. You might explore around with QFIL since it has an option in settings to select storage type, emmc or ufs. What you do from here on out is all you. I'd make sure you have your drivers installed and do only what is necessary to get back to a bootloader where you can flash a clean stock firmware. Keep us posted with your results and good luck.
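
The qboot transcripts on this page stop at different points in the tool's sequence (opening the port, uploading programmer.elf over Sahara, the firehose handshake, storage configuration), and the stage reached tells you which side to examine. A small triage script for such logs, as an added example that is not part of the thread or of Motorola's tooling; the stage labels, verdict names and the Sahara command names in `SAHARA_CMD` are this example's own annotations, and the sample logs are abridged from transcripts on this page.

```python
import re

LINE = re.compile(r"^\[\s*(-?\d+\.\d+)\]\s?(.*)$")   # "[  4.824] message"

# Names for the IDs in qboot's "Unexpected command" message, following the
# public Sahara command numbering (assumption: qboot reports the same IDs).
SAHARA_CMD = {1: "HELLO", 3: "READ_DATA", 4: "END_IMAGE_TX", 18: "READ_DATA_64"}

# Progress messages in the order qboot prints them -> stage label (ours).
STAGES = [
    ("Opening device", "open-port"),
    ("Detecting device", "detect"),
    ("Opening singleimage", "open-package"),
    ("Loading package", "load-package"),
    ("Sending programmer", "sahara-upload"),
    ("Waiting for firehose", "firehose-wait"),
    ("Determining target secure state", "secure-state"),
    ("Configuring device", "configure-storage"),
]

# (regex, verdict name) pairs; the first log message that matches decides.
FAILURES = [
    (r"device_open\(\)->error opening device", "host-port"),
    (r"error opening singleimage", "host-package"),
    (r"Failed identify board", "package-mismatch"),
    (r"Failed to initialize \(open whole lun\) UFS", "storage-open-nak"),
    (r"sahara_download\(\)->general error", "sahara-desync"),
]

def triage(text):
    """Return the last stage reached, a failure verdict and device facts."""
    facts, stage, verdict, got, read_failures = {}, None, None, None, 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # banner, prompt or blank line
        msg = m.group(2).strip()
        for needle, label in STAGES:
            if needle in msg:
                stage = label
        # "...cpu.id = 94 (0x5e)" and DEVICE-dump lines like storage.type = "UFS",
        kv = re.match(r'(?:\.\.\.)?([\w.]+) = "?([^"\s,]+)', msg)
        if kv:
            facts[kv.group(1)] = kv.group(2)
        # "...MSM8998 2.1" is the chip name and revision reported by firehose
        chip = re.fullmatch(r"\.\.\.([A-Z]+\d+) (\S+)", msg)
        if chip:
            facts["chip"] = f"{chip.group(1)} {chip.group(2)}"
        if "ReadFile() failed" in msg:
            read_failures += 1
        unexpected = re.search(r"Unexpected command, .*got (\d+) instead", msg)
        if unexpected:
            got = SAHARA_CMD.get(int(unexpected.group(1)), unexpected.group(1))
        if verdict is None:
            for pattern, name in FAILURES:
                if re.search(pattern, msg):
                    verdict = name
                    break
    # No explicit error, but the host kept timing out waiting for firehose.
    if verdict is None and stage == "firehose-wait" and read_failures:
        verdict = "firehose-timeout"
    return {"stage": stage, "verdict": verdict or "no-failure-found",
            "facts": facts, "sahara_got": got, "read_failures": read_failures}

# Sample logs, abridged from transcripts posted on this page.
UFS_NAK = r"""
[ -0.000] Opening device: \\.\COM4
[ 0.016] ...cpu.id = 94 (0x5e)
[ 0.016] Sending programmer
[ 0.176] Waiting for firehose to get ready
[ 3.200] ...MSM8998 2.1
[ 3.200] ...secure = yes
[ 3.263] Configuring device...
[ 4.824] Target NAK!
[ 4.824] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 4.824] ERROR: do_package()->do_recipe()->NAK
"""
SAHARA = r"""
[ -0.000] Opening device: \\.\COM4
[ 0.004] ...cpu.id = 94 (0x5e)
[ 0.008] Sending programmer
[ 0.016] ReadFile() failed, GetLastError()=0
[ 0.342] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.344] ERROR: sahara_download()->general error
"""
BOARD = r"""
[ 19.255] ...cpu.id = 186 (0xba)
[ 19.255] Opening singleimage
[ 19.271] Loading package
[ 19.271] Failed identify board. Wrong package?
[ 19.271] ERROR: error loading package
"""

if __name__ == "__main__":
    for name, log in (("UFS_NAK", UFS_NAK), ("SAHARA", SAHARA), ("BOARD", BOARD)):
        print(name, triage(log))
```

For the first poster's log the result is `storage-open-nak` at `configure-storage`: the Sahara upload and the firehose handshake both completed, so communication with the device was working for that run.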

Related

XT1789-01 HS-USB QLoader 9008?

Just got a XT1789-01 from a friend whose daughter's phone just abruptly stopped working. No signs of life, except when plugged in to a computer I see the QLoader 9008 driver load. I tried some blank flash that says to bring the bootloader back but it did nothing but say Generic Error. The tool does seem to detect the phone though.
Any ideas? The girl that uses this phone is like 10 so I know it's not been tampered with software wise to cause this.
Motorola devices are not my cup of tea when it comes to flashing.
Thanks!
https://forum.xda-developers.com/showpost.php?p=76850077&postcount=6
At the bottom of the post is a link for qualcomm diag drivers, signed for windows.
Attached is the unbrick.zip, use the drivers mentioned above though. Basically unplug your phone and install the drivers, reboot pc and plug in, wait for the drivers to recognize and settle, then blankflash. Afterwards you'll be in a clean bootloader. Flash the latest firmware for your variant. This thread has instructions and links for flashing firmwares, just make sure it's for your variant. You can also try using the lmsa tool mentioned in post #275 to flash the firmware needed.
41rw4lk said:
> https://forum.xda-developers.com/showpost.php?p=76850077&postcount=6
> At the bottom of the post is a link for qualcomm diag drivers, signed for windows.
> Attached is the unbrick.zip, use the drivers mentioned above though. Basically unplug your phone and install the drivers, reboot pc and plug in, wait for the drivers to recognize and settle, then blankflash. Afterwards you'll be in a clean bootloader. Flash the latest firmware for your variant. This thread has instructions and links for flashing firmwares, just make sure it's for your variant. You can also try using the lmsa tool mentioned in post #275 to flash the firmware needed.
Thanks. But I still get "FAILED General error" on the blank flash.
C:\1>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ -0.000] Opening device: \\.\COM4
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 94 (0x5e)
[ 0.004] ...cpu.sn = 3695693525 (0xdc47ced5)
[ 0.004] Opening singleimage
[ 0.005] Loading package
[ 0.007] ...filename = pkg.xml
[ 0.008] Loading programmer
[ 0.008] ...filename = programmer.elf
[ 0.008] Sending programmer
[ 0.016] ReadFile() failed, GetLastError()=0
[ 0.342] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.344] ERROR: sahara_download()->general error
[ 0.344] Check qboot_log.txt for more details
[ 0.345] Total time: 0.346s
FAILED: qb_flash_singleimage()->sahara_download()->general error
C:\1>pause
Press any key to continue . . .
hyelton said:
> Thanks. But I still get "FAILED General error" on the blank flash.
> C:\1>.\qboot.exe blank-flash
> Motorola qboot utility version 3.85
> [ -0.000] Opening device: \\.\COM4
> [ 0.001] Detecting device
> [ 0.004] ...cpu.id = 94 (0x5e)
> [ 0.004] ...cpu.sn = 3695693525 (0xdc47ced5)
> [ 0.004] Opening singleimage
> [ 0.005] Loading package
> [ 0.007] ...filename = pkg.xml
> [ 0.008] Loading programmer
> [ 0.008] ...filename = programmer.elf
> [ 0.008] Sending programmer
> [ 0.016] ReadFile() failed, GetLastError()=0
> [ 0.342] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
> [ 0.344] ERROR: sahara_download()->general error
> [ 0.344] Check qboot_log.txt for more details
> [ 0.345] Total time: 0.346s
> FAILED: qb_flash_singleimage()->sahara_download()->general error
> C:\1>pause
> Press any key to continue . . .
Try holding pwr+vol down, then execute the bat file
Same exact error
hyelton said:
> Same exact error
I've only had to use that once and I didn't run into problems. Double check that the right driver is installed in your device manager, make sure you're running admin prompt (best from the folder so the path is all set). Try executing the command then plug in your phone. Make sure you're using a 2.0 usb port off the mobo and not a hub or 3+ port. Outside of those suggestions I can't help, I don't know the error correlation. I know some had issues getting it to go, but ultimately it was "things just clicked and worked this time" scenario.
The post where you got the drivers has links to unbricking guides, check those if needed.
41rw4lk said:
> I've only had to use that once and I didn't run into problems. Double check that the right driver is installed in your device manager, make sure you're running admin prompt (best from the folder so the path is all set). Try executing the command then plug in your phone. Make sure you're using a 2.0 usb port off the mobo and not a hub or 3+ port. Outside of those suggestions I can't help, I don't know the error correlation. I know some had issues getting it to go, but ultimately it was "things just clicked and worked this time" scenario.
> The post where you got the drivers has links to unbricking guides, check those if needed.
Yeah drivers are correct, laptop and desktop both usb 2.0 and 3.0 has been tried. Different usb cables, I’m assuming something has gone wrong with this phone. As it’s never been tampered with. So I’ll give it a few more goes before giving up on it.
which blank flash did you try N or O?
Same here, I think we need an updated blankflash
**** Log buffer [000001] 2019-03-14_20:10:40 ****
[ 0.000] Opening device: \\.\COM3
[ 0.004] Detecting device
[ 0.008] ...cpu.id = 94 (0x5e)
[ 0.008] ...cpu.sn = 4062057235 (0xf21e1313)
[ 0.009] Opening singleimage
[ 0.015] Loading package
[ 0.027] ...filename = pkg.xml
[ 0.037] Loading programmer
[ 0.040] ...filename = programmer.elf
[ 0.040] Sending programmer
[ 0.100] ReadFile() failed, GetLastError()=0
[ 0.370] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.454] ERROR: sahara_download()->general error
[ 0.457] Check qboot_log.txt for more details
[ 0.475] Total time: 0.489s
[ 0.485]
[ 0.485] qboot version 3.85
[ 0.485]
[ 0.485] DEVICE {
[ 0.485] name = "\\.\COM3",
[ 0.485] flags = "0x64",
[ 0.485] addr = "0x28FD64",
[ 0.485] sahara.current_mode = "0",
[ 0.485] api.buffer = "0x2525020",
[ 0.485] cpu.serial = "4062057235",
[ 0.485] cpu.id = "94",
[ 0.485] cpu.sv_sbl = "15",
[ 0.485] cpu.name = "MSM8998",
[ 0.485] storage.type = "UFS",
[ 0.485] sahara.programmer = "programmer.elf",
[ 0.485] api.bnr = "0x475FF8",
[ 0.485] }
[ 0.485]
[ 0.485]
[ 0.485] Backup & Restore {
[ 0.485] num_entries = 0,
[ 0.485] restoring = "false",
[ 0.485] backup_error = "not started",
[ 0.485] restore_error = "not started",
[ 0.485] }
[ 0.485]
Same problem here!
I think that I need some updated blankflash files. I have tried to find them on 4PDA, but the link was removed, the file name was "blankflash_SPRINT_8.0.0_OCXS27.109-48-6.zip" or "blankflash_VZW_8.0.0_ODXS27.109-34-12_12.zip". I have a xt1789-05, dual sim, but I think these files can save me! Anyone have these files? Thanks.
I have this error, can you help me?
[ 0.000] Opening device: \\.\COM5
[ 0.000] ERROR: device_open()->error opening device
[ 0.000] Check qboot_log.txt for more details
[ 0.000] Total time: 0.001s
[ 0.001]
[ 0.001] qboot version 3.85
[ 0.001]
[ 0.001] DEVICE {
[ 0.001] name = "\\.\COM5",
[ 0.001] flags = "0x60",
[ 0.001] addr = "0x62FD54",
[ 0.001] api.bnr = "0x1D2D70",
[ 0.001] }
[ 0.001]
[ 0.001]
[ 0.001] Backup & Restore {
[ 0.001] num_entries = 0,
[ 0.001] restoring = "false",
[ 0.001] backup_error = "not started",
[ 0.001] restore_error = "not started",
[ 0.001] }
[ 0.001]
XxeAgLeAnGeLxX said:
> I have this error, can you help me?
> [ 0.000] Opening device: \\.\COM5
> [ 0.000] ERROR: device_open()->error opening device
> [ 0.000] Check qboot_log.txt for more details
> [ 0.000] Total time: 0.001s
> [ 0.001]
> [ 0.001] qboot version 3.85
> [ 0.001]
> [ 0.001] DEVICE {
> [ 0.001] name = "\\.\COM5",
> [ 0.001] flags = "0x60",
> [ 0.001] addr = "0x62FD54",
> [ 0.001] api.bnr = "0x1D2D70",
> [ 0.001] }
> [ 0.001]
> [ 0.001]
> [ 0.001] Backup & Restore {
> [ 0.001] num_entries = 0,
> [ 0.001] restoring = "false",
> [ 0.001] backup_error = "not started",
> [ 0.001] restore_error = "not started",
> [ 0.001] }
> [ 0.001]
I was experiencing this exact same issue when running the blankflash. I ran it several times only to receive the same error over and over.
Did you put your device into EDL Mode or did it happen after a bad flash?
Do you know if your bootloader is still intact? Do you know how to exit EDL Mode to get back to the bootloader?
Here is what you do...
Since you are in EDL Mode trying to run the blankflash, get everything set up like you are about to run the blankflash again. Connect your device and verify it is connected in the Device Manager. Press and Hold Volume Down + Power and double-click the file to run the blankflash. Continue holding the Volume Down + Power while attempting to run the blankflash and if your bootloader is still intact this will take you back into the bootloader. It may take a few attempts to get back. Just keep holding the Volume Down + Power and double clicking the blankflash file until it takes you back to the bootloader.
Now, this is assuming that your bootloader is still intact. If it is and you can get back to the bootloader then you can run a flash-all for your device that matches the software you were running and get your device back to an operational state. Good luck.
pekenolucas said:
> I think that I need some updated blankflash files. I have tried to find them on 4PDA, but the link was removed, the file name was "blankflash_SPRINT_8.0.0_OCXS27.109-48-6.zip" or "blankflash_VZW_8.0.0_ODXS27.109-34-12_12.zip". I have a xt1789-05, dual sim, but I think these files can save me! Anyone have these files? Thanks.
Follow this guide it has worked for many. Make sure you read it all first, and make sure your phone is in edl mode. Your phone will have a blank screen but you'll see HS-USB QLoader 9008 in your device manager when connected to your pc.
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Blank flash after removal of battery works
hyelton said:
> Just got a XT1789-01 from a friend whose daughter's phone just abruptly stopped working. No signs of life, except when plugged in to a computer I see the QLoader 9008 driver load. I tried some blank flash that says to bring the bootloader back but it did nothing but say Generic Error. The tool does seem to detect the phone though.
> Any ideas? The girl that uses this phone is like 10 so I know it's not been tampered with software wise to cause this.
> Motorola devices are not my cup of tea when it comes to flashing.
> Thanks!
Dear, remove the battery and then blank flash; it will work.

XT1789-05 Need blankflash to unbrick

Hi. Sorry my english)
I bought a phone on Ali. I tried to install LOS16, but after flashing the phone became a black screen and QUSB_BULK.
The phone was Android 8.0.0 retcn.
When I try to restore blankflash_oreo, I get the following errors:
Code:
**** Log buffer [000001] 2019-05-01_23:10:10 ****
[ 0.000] Opening device: \\.\COM7
[ 0.002] Detecting device
[ 0.005] ...cpu.id = 94 (0x5e)
[ 0.005] ...cpu.sn = 2549234984 (0x97f23d28)
[ 0.005] Opening singleimage
[ 0.006] Loading package
[ 0.009] ...filename = pkg.xml
[ 0.011] Loading programmer
[ 0.012] ...filename = programmer.elf
[ 0.012] Sending programmer
[ 0.084] ReadFile() failed, GetLastError()=0
[ 0.390] Unexpected command, expecting 3 or 18 or 4, got 1 instead.
[ 0.390] ERROR: sahara_download()->general error
[ 0.391] Check qboot_log.txt for more details
[ 0.391] Total time: 0.391s
[ 0.391]
[ 0.391] qboot version 3.85
[ 0.391]
[ 0.391] DEVICE {
[ 0.391] name = "\\.\COM7",
[ 0.391] flags = "0x64",
[ 0.391] addr = "0x28FD64",
[ 0.391] sahara.current_mode = "0",
[ 0.391] api.buffer = "0x2145020",
[ 0.391] cpu.serial = "2549234984",
[ 0.391] cpu.id = "94",
[ 0.391] cpu.sv_sbl = "0",
[ 0.391] cpu.name = "MSM8998",
[ 0.391] storage.type = "UFS",
[ 0.391] sahara.programmer = "programmer.elf",
[ 0.391] api.bnr = "0x2085FF8",
[ 0.391] }
[ 0.391]
[ 0.391]
[ 0.391] Backup & Restore {
[ 0.391] num_entries = 0,
[ 0.391] restoring = "false",
[ 0.391] backup_error = "not started",
[ 0.391] restore_error = "not started",
[ 0.391] }
[ 0.391]
Please share blankflash on 1789-05 for 8.0.0
https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Thanks, but not work
Code:
F:\1789-05\blankflash_from_NDX26.183-15_17>.\qboot.exe blank-flash
Motorola qboot utility version 3.85
[ 0.000] Opening device: \\.\COM6
[ 0.001] Detecting device
[ 0.004] ...cpu.id = 94 (0x5e)
[ 0.004] ...cpu.sn = 2549234984 (0x97f23d28)
[ 0.004] Opening singleimage
[ 0.005] Loading package
[ 0.008] ...filename = pkg.xml
[ 0.010] Loading programmer
[ 0.011] ...filename = programmer.elf
[ 0.011] Sending programmer
[ 0.164] Handling things over to programmer
[ 0.164] Identifying CPU version
[ 0.166] Waiting for firehose to get ready
[ 29.142] ReadFile() failed, GetLastError()=0
[ 45.246] ReadFile() failed, GetLastError()=0
[141.851] ReadFile() failed, GetLastError()=0
[156.494] Waiting for firehose to get ready
[174.054] ReadFile() failed, GetLastError()=0
[190.155] ReadFile() failed, GetLastError()=0
[206.257] ReadFile() failed, GetLastError()=0
[217.966] ...MSM8998 unknown
[217.966] Determining target secure state
[217.968] Waiting for firehose to get ready
[222.356] ReadFile() failed, GetLastError()=0
Make sure you have the drivers installed, use a 2.0 usb port off the mobo. It can be finicky, so check your cable, check your drivers, use another port. It'll work. Some have had luck by unplugging the phone, starting the script, holding vol dwn, and replugging the phone. It can be finicky, just try it again.
I try more and more, but still not work.
I try: win vista x32, win 8.1 x64, win 10 x 64,
two cables, stock and other,
drivers qualcomm x32 and x64,
desktop and notebook, other port.
I try:
blankflash_from_NDX26.183-15_17
blankflash_oreo
blankflash_SPRINT_8.0.0_OCXS27.109-48-6
I don't know what to try yet.
MarkNsk87 said:
> I try more and more, but still not work.
> I try: win vista x32, win 8.1 x64, win 10 x 64,
> two cables, stock and other,
> drivers qualcomm x32 and x64,
> desktop and notebook, other port.
> I try:
> blankflash_from_NDX26.183-15_17
> blankflash_oreo
> blankflash_SPRINT_8.0.0_OCXS27.109-48-6
> I don't know what to try yet.
Idk if anyone has been successful using the oreo blankflash, the one I linked to has been used successfully many times, so use that one. Verify that the proper driver is assigned to the phone in your device manager, and make sure you're using an administrator cmd prompt. Might try uninstalling the drivers, reboot pc, reinstall drivers, reboot pc, plug in the phone and let everything recognize and settle, verify drivers in device manager, open admin prompt and go for it with the ndx (nougat) blankflash.
I reinstalled the driver, rebooted and tried to execute the command under the administrator, the log changed a little, but still unsuccessfully
Code:
**** Log buffer [000001] 2019-05-02_13:23:28 ****
[ 0.000] Opening device: \\.\COM3
[ 0.000] Detecting device
[ 12.844] ReadFile() failed, GetLastError()=0
[ 13.372] ...cpu.id = 94 (0x5e)
[ 13.372] ...cpu.sn = 2549234984 (0x97f23d28)
[ 13.372] Opening singleimage
[ 13.372] ERROR: error opening singleimage
[ 13.388] Check qboot_log.txt for more details
[ 13.388] Total time: 13.388s
[ 13.388]
[ 13.388] qboot version 3.85
[ 13.388]
[ 13.388] DEVICE {
[ 13.388] name = "\\.\COM3",
[ 13.388] flags = "0x64",
[ 13.388] addr = "0x28FD64",
[ 13.388] sahara.current_mode = "3",
[ 13.388] api.buffer = "0x25DB020",
[ 13.388] cpu.serial = "2549234984",
[ 13.388] cpu.id = "94",
[ 13.388] cpu.sv_sbl = "0",
[ 13.388] api.bnr = "0x5D2F78",
[ 13.388] }
[ 13.388]
[ 13.388]
[ 13.388] Backup & Restore {
[ 13.388] num_entries = 0,
[ 13.388] restoring = "false",
[ 13.388] backup_error = "not started",
[ 13.388] restore_error = "not started",
[ 13.388] }
[ 13.388]
Blankflash did not work because of the Motorola_Mobile_Drivers_v6.4.0 drivers, I don’t know how they interfere, but because of them there were errors reading the device and the blankflash did not work.
I worked on my body with blankflash_from_NDX26.183-15_17 - and this is a Verizon bout campaign, judging by the information in the bootloader.
Important all have brick: uninstall Motorola_Mobile_Drivers, before you start blankflash!
Don't worry Mark. I think I have the same gold retcn version of 1789-05. I tried flash some versions of LOS 15 and 16, always ends with Qualcomm mode. For me works blankflash from nougat, but only when battery is less than 10%. When my phone is fully charged, when I try blankflash the phone reconnect to pc. Take me a few evenings to figure it out. Works with Motorola drivers and Qualcomm certificate driver installed in the same time.
Now I have stock EU 8.0 and radio from retcn.
Works everything except Smart lock.
Good luck.
I get this error, can someone help me?
[ 0.000] Opening device: \\.\COM7
[ 0.003] Detecting device
[ 0.006] ...cpu.id = 94 (0x5e)
[ 0.007] ...cpu.sn = 2357123697 (0x8c7eda71)
[ 0.007] Opening singleimage
[ 0.008] Loading package
[ 0.013] ...filename = pkg.xml
[ 0.015] Loading programmer
[ 0.017] ...filename = programmer.elf
[ 0.017] Sending programmer
[ 0.181] Handling things over to programmer
[ 0.182] Identifying CPU version
[ 0.185] Waiting for firehose to get ready
[ 3.642] ...MSM8998 2.1
[ 3.804] Determining target secure state
[ 3.987] ...secure = yes
[ 4.334] Configuring device...
[ 4.361] Skipping UFS provsioning as target is secure
[ 4.362] Configuring device...
[ 5.938] Target NAK!
[ 5.939] ...ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 1
[ 5.939] ...ERROR: Failed to open the device 3 slot 0 partition 1
[ 5.940] ...INFO: Device type 3, slot 0, partition 1, error 0
[ 5.940] ...WARN: Set bootable failed to open 3 slot 0, partition 1, error 0
[ 5.940] ERROR: do_package()->do_recipe()->NAK
[ 5.942] Check qboot_log.txt for more details
[ 5.943] Total time: 5.946s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->NAK
Thank you
41rw4lk said:
> https://forum.xda-developers.com/showpost.php?p=77623934&postcount=5
Thanks, this method helped me
You need a blank flash updated for your bootloader, there's at least 5 updates on oreo (OTA UPDATES), then you will need the latest blankflash compatible, maybe the Oreo blank flash that you found here is older than your bricked bootloader. (Sorry for my bad English)
iurd2007 said:
> You need a blank flash updated for your bootloader, there's at least 5 updates on oreo (OTA UPDATES), then you will need the latest blankflash compatible, maybe the Oreo blank flash that you found here is older than your bricked bootloader. (Sorry for my bad English)
This is a bit of an old post, and I assume those issues are resolved, not sure who you're addressing. As far as oreo blankflash, there is one but as far as I know no one has had success with it. The one that I post frequently uses nougat believe it or not, but it has worked many many times even on oreo and there is no reason to mess with what works. Especially when it comes to blankflashing, it's usually your last chance to resolve the problem.
41rw4lk said:
> This is a bit of an old post, and I assume those issues are resolved, not sure who you're addressing. As far as oreo blankflash, there is one but as far as I know no one has had success with it. The one that I post frequently uses nougat believe it or not, but it has worked many many times even on oreo and there is no reason to mess with what works. Especially when it comes to blankflashing, it's usually your last chance to resolve the problem.
To blankflash Oreo , you need oreo blankflash, but the last version. There is a oreo (soak test) but not the official stock. But recently someone post the final blankflash for the latest OTA.
iurd2007 said:
> To blankflash Oreo , you need oreo blankflash, but the last version. There is a oreo (soak test) but not the official stock. But recently someone post the final blankflash for the latest OTA.
You're mistaken. I won't argue the point, by all means do what you will.
41rw4lk said:
> You're mistaken. I won't argue the point, by all means do what you will.
Ok...

Hard Bricked Moto G7 Play

Hi,
At the risk of sounding retarded or like I have not searched and read through so many forums I could almost quote them verbatim... I am having trouble unbricking my Moto G7 Play... I've followed dadgum near every guide I've found here and other places... Somewhere along the path to unbricking my device the CPU board ID of my device changed which has a few phone guru friends scratching their heads... Now instead of getting communication errors I am getting the following from the blank-flash.bat when I run it... Maybe I've overlooked the issue in my weeks of searching... Any leads or ideas would be greatly appreciated.
C:\G7PlayBlankFlash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ -0.000] Opening device: \\.\COM5
[ 0.016] Detecting device
[ 17.442] ReadFile() failed, GetLastError()=0
[ 19.255] ...cpu.id = 186 (0xba)
[ 19.255] ...cpu.sn = 1196350551 (0x474edc57)
[ 19.255] Opening singleimage
[ 19.271] Loading package
[ 19.271] Failed identify board. Wrong package?
[ 19.271] ERROR: error loading package
[ 19.286] Check qboot_log.txt for more details
[ 19.286] Total time: 19.286s
FAILED: qb_flash_singleimage()->error loading package
The following is the original device information obtained by LMSA which is the root cause for my phone being bricked in the first place.
[ 11.065] name = "\\.\COM5",
[ 11.065] flags = "0x64",
[ 11.065] addr = "0x62FD54",
[ 11.065] sahara.current_mode = "0",
[ 11.065] api.buffer = "0x29D0020",
[ 11.065] cpu.serial = "255476381",
[ 11.065] cpu.id = "204",
[ 11.065] cpu.sv_sbl = "0",
[ 11.065] cpu.name = "SDM636",
[ 11.065] storage.type = "eMMC",
[ 11.065] sahara.programmer = "programmer.elf",
[ 11.065] api.bnr = "0x2911CA8",
Thanks again in advance for any assistance that could be provided.
Wes Satterwhite
NinjaMonkey1183 said:
> Hi,
> At the risk of sounding retarded or like I have not searched and read through so many forums I could almost quote them verbatim... I am having trouble unbricking my Moto G7 Play... I've followed dadgum near every guide I've found here and other places... Somewhere along the path to unbricking my device the CPU board ID of my device changed which has a few phone guru friends scratching their heads... Now instead of getting communication errors I am getting the following from the blank-flash.bat when I run it... Maybe I've overlooked the issue in my weeks of searching... Any leads or ideas would be greatly appreciated.
> C:\G7PlayBlankFlash>.\qboot.exe blank-flash
> Motorola qboot utility version 3.86
> [ -0.000] Opening device: \\.\COM5
> [ 0.016] Detecting device
> [ 17.442] ReadFile() failed, GetLastError()=0
> [ 19.255] ...cpu.id = 186 (0xba)
> [ 19.255] ...cpu.sn = 1196350551 (0x474edc57)
> [ 19.255] Opening singleimage
> [ 19.271] Loading package
> [ 19.271] Failed identify board. Wrong package?
> [ 19.271] ERROR: error loading package
> [ 19.286] Check qboot_log.txt for more details
> [ 19.286] Total time: 19.286s
> FAILED: qb_flash_singleimage()->error loading package
> The following is the original device information obtained by LMSA which is the root cause for my phone being bricked in the first place.
> [ 11.065] name = "\\.\COM5",
> [ 11.065] flags = "0x64",
> [ 11.065] addr = "0x62FD54",
> [ 11.065] sahara.current_mode = "0",
> [ 11.065] api.buffer = "0x29D0020",
> [ 11.065] cpu.serial = "255476381",
> [ 11.065] cpu.id = "204",
> [ 11.065] cpu.sv_sbl = "0",
> [ 11.065] cpu.name = "SDM636",
> [ 11.065] storage.type = "eMMC",
> [ 11.065] sahara.programmer = "programmer.elf",
> [ 11.065] api.bnr = "0x2911CA8",
> Thanks again in advance for any assistance that could be provided.
> Wes Satterwhite
It says you're using a snapdragon 636 which, the only device in our family with that CPU is the Moto G7 Plus. Try using the blank flash file for the "Lake". I've attached it below.
Spaceminer said:
> It says you're using a snapdragon 636 which, the only device in our family with that CPU is the Moto G7 Plus. Try using the blank flash file for the "Lake". I've attached it below.
Still receiving error...
C:\G7PlayBlankFlash>blank-flash.bat
C:\G7PlayBlankFlash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ 0.000] Opening device: \\.\COM5
[ 0.003] Detecting device
[ 24.989] ReadFile() failed, GetLastError()=0
[ 26.743] ...cpu.id = 186 (0xba)
[ 26.754] ...cpu.sn = 1196350551 (0x474edc57)
[ 26.758] Opening singleimage
[ 26.764] Loading package
[ 26.780] Failed identify board. Wrong package?
[ 26.786] ERROR: error loading package
[ 26.795] Check qboot_log.txt for more details
[ 26.803] Total time: 26.805s
FAILED: qb_flash_singleimage()->error loading package
C:\G7PlayBlankFlash>pause
Press any key to continue . . .
C:\G7PlayBlankFlash>
It's as if my cpu id changed and qboot is not recognizing the cpu as snapdragon 636 any longer.
Thanks again,
Wes
Try reflashing the blank flash for the G7 Play and see if it works now.
E:\UNBRICK G7 Play\blankflashg7play\blankflash>.\qboot.exe blank-flash
< waiting for device >
Motorola qboot utility version 3.86
[ 0.000] Opening device: \\.\COM5
[ 0.003] Detecting device
[ 0.007] ...cpu.id = 186 (0xba)
[ 0.008] ...cpu.sn = 1196350551 (0x474edc57)
[ 0.009] Opening singleimage
[ 0.024] Loading package
[ 0.030] Failed identify board. Wrong package?
[ 0.031] ERROR: error loading package
[ 0.032] Check qboot_log.txt for more details
[ 0.032] Total time: 0.033s
FAILED: qb_flash_singleimage()->error loading package
E:\UNBRICK G7 Play\blankflashg7play\blankflash>pause
Press any key to continue . . .
Same results over and over... Any more ideas? Is there a way I can completely reformat the phone?
The best thing I can think of is, reinstall Motorola's USB drivers, then try following this post. The blank flash files need to be in the same folder as the qpst binaries.
Try this one, friend??
https://forum.xda-developers.com/attachment.php?attachmentid=4985183&d=1585912069
Solution!!!
I finally managed to get back to fastboot...
I believe I used the .rar blankflash above (spanish post)
I had no luck with linux nor windows, what I finally did that worked:
---Extract that .rar, "BlackFlash-MotoG7Power"... to the Desktop (Windows 10)
------ That's right. G7 Power. Yet - I'm giving instructions for the g7 PLAY. Infuriating.
---Open command prompt as administrator
---CD to the Desktop
---Run blank-flash.bat
This worked the first time I tried it. I literally was at something like 60 hours of effort towards unbricking my xt1952-4, and this is what worked. I'm relieved, very relieved, but I'm so fed up with everything that didn't work/not knowing WHY it didn't work... Eh, I guess I ought to just take the win...
New rescue tool from Motorola (LMSA) fixes hard bricks
Google search LMSA download and get the new rescue tool from Moto. It works great. I used it to save my G7 Play.
This is now called Rescue and Smart Assistant, but you have to be on stock software or it won't work.
krbzzr said:
Solution!!!
I finally managed to get back to fastboot...
I believe I used the .rar blankflash above (spanish post)
I had no luck with linux nor windows, what I finally did that worked:
---Extract that .rar, "BlackFlash-MotoG7Power"... to the Desktop (Windows 10)
------ That's right. G7 Power. Yet - I'm giving instructions for the g7 PLAY. Infuriating.
---Open command prompt as administrator
---CD to the Desktop
---Run blank-flash.bat
This worked the first time I tried it. I literally was at something like 60 hours of effort towards unbricking my xt1952-4, and this is what worked. I'm relieved, very relieved, but I'm so fed up with everything that didn't work/not knowing WHY it didn't work... Eh, I guess I ought to just take the win...
Holy crap!!!! Your post just saved my new G7! Yes that's right. It's a G7 and I used that blankflash from the spanish post which is for the G7 Power. And why did I try that? Because your G7 Play and my G7 both showed a CPU id of 186 in blankflash mode. So it was like ... what else do I have to lose at that point?
And like with your device, it worked on mine the first time I tried it!

EDL mode and test point of the Moto G 5G Plus?

Hello I have a hardbrick that so far I cannot solve, because I want to close the bootloader, the fastboot rejects any command that I enter (including the "fastboot oem unlock") and when turning on motorola it generates the error 0xC2224571 "No valid operating system could be found. The device will not boot ". I thought about doing a "Blankflash", but I don't know what the Motorola "test point" is. Does anyone know how to do it and get to EDL mode?
seems a/b partition problem.
try fastboot flash recovery_a twrp.img
fastboot flash recovery_b twrp.img
I already tried that of recovery_a and recovery_b, and nothing happens, that gives CMD:
1) fastboot flash recovery_a twrp-3.5.0-0-nairo.img
Sending 'recovery_a' (59392 KB) OKAY [ 1.827s]
Writing 'recovery_a' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
2) fastboot flash recovery_b twrp-3.5.0-0-nairo.img
Sending 'recovery_b' (59392 KB) OKAY [ 1.308s]
Writing 'recovery_b' (bootloader) flash permission denied
FAILED (remote: '')
fastboot: error: Command failed
Also, everything I try to flash ends with this message "flash (bootloader) permission denied".
Could you describe what you did last that caused this situation?
Hey, can I ask you how did you manage to unbrick it? My phone doesn't get recognized via fastboot. It seems dead but when I connect it to the pc, it gets recognized as "Qualcomm HS-USB QDLoader 9008".
What can I do next?
Try a blank flash for your phone.
Hello,
I am in a similar situation and also interested in the test point for EDL mode, so rather than opening a new thread I figured I'd reply here.
As it stands, my phone has the /e/ project ROM and recovery flashed on it, the "Allow OEM unlock" option is disabled, and the bootloader is locked. Meaning, the OS doesn't get recognized and doesn't boot, flashing is disallowed across the board, fastboot oem unlock <UNLOCK_KEY> is rejected, and fastboot boot <any recovery stock or otherwise>.img fails.
fastboot oem blankflash returns "Command Restricted" and well, subsequently tells me it failed.
So my own ignorance left myself with a rather expensive paperweight and the last resort I believe is to flash a stock ROM in EDL mode. I have found a teardown video of the device and seen a few test points there (including 3 under the large heatsinking graphite film), and I'm ready to remove the back cover on mine. It seems that the EDL test point isn't documented... If need be, I could try to find the test points myself. I just need more info to not short and break anything.
Edit: so I've gone and done it. Stabbed all visible test points, one of them scores at 1.8v, one at 1.5v, the rest at 0v. [EDIT] Some actually show something below 0.5v.
The 1.8v test point is connected to a trace going to the connector's pin. Another pad goes just beside that pin. It is very enticing right now to try and bridge them, however I'm not confident those are the EDL test points and I may short something I don't want to. I'm gonna get resistors.
The missing connector tells me it's a connector that's important for Motorola, and clearly not for the end-user. This is a cost-saving measure, don't need to run extensive tests when the device is finalized, you only need the test points to... enable EDL? Ahah. The fact the connector pads are still there is because designing the rerouting to remove them also costs money.
The 1.5v test point is between the screen and bottom daughterboard flexible flat cables connectors. Without certainty, I believe it may be a voltage for one of those or both.
Attached is the photo of the test points around the missing connector, if that helps at all.
Edit2: I found this post about trying for test points. I'm lacking resistors right now to further test. https://forum.xda-developers.com/t/phone-doesnt-boot-even-in-edl-mode.4411915/#post-87260675
Edit3: welp, bridging the points linked to the missing connector pads did nothing. What I tried is keep the phone off, bridge the points, plug the USB, but it keeps sending me to "OS not found" error or fastboot, depending on if fb_mode_set or fb_mode_clear have been used.
Hey @Awilen please keep us posted. I too want to play with this phone, but am frustrated by lack of easy access to EDL mode (to unbrick). (I want to try to roll my own GSI/AOSP build + Moto proprietary drivers, which will likely not boot the first thirty or so times I try it.)
FWIW, I tried this method and a pre-bought cable that allegedly does the same thing- no dice either.
The fact that there ARE EDL IMAGES out there gives me hope.
This repository has some other tricks to try, if you are brave enough:
1) Use an EDL cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
2) If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
3) If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
4) Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
FWIW, I've never had any success with any "EDL cable" on any device, but that could be entirely due to timing/incompetence on my part.
A few devices I've been able to find EDL test points.
On some non-Qualcomm devices I have gotten to ROM bootloader by using a 100 ohm resistor (for safety, instead of a dead short) from some random test point near eMMC to ground.
Hey @Renate the cable works on my OnePlus (which, also, has a key sequence to do it, making the cable superfluous), so I know that isn't the issue here. I just don't want to unglue the phone and risk breaking something just to play. Once the battery becomes useless and that's inevitable, then I'll probably become a MB-shortin'-mo-fo.
SomeRandomGuy said:
This repository has some other tricks to try, if you are brave enough:
Use a edl cable (Short D+ with GND) and force reboot the phone (either vol up + power pressing for more than 20 seconds or disconnect battery), works with emmc + ufs flash (this will only work if XBL/SBL isn't broken)
If emmc flash is used, remove battery, short DAT0 with gnd, connect battery, then remove short.
If a ufs flash is used, things are very much more complicated. You will need to open the ufs die and short the clk line on boot, some boards have special test points for that.
Some devices have boot config resistors, if you find the right ones you may enforce booting to sdcard instead of flash.
(I've tried #1)
Hey! I was waiting on my EDL cable. I just tried it... no dice. No dice at all. I believe I've exhausted all non-intrusive tricks in the book, the next step is cleanly desoldering the EM shield over the processor and flash/RAM combo ICs.
Since the device is out of warranty anyway, I'll try for a repair shop to desolder it, as the only powerful-enough heat source I have is a large heat gun blowing 150°C, 450°C or 600°C air. Other than that I have a 60W soldering iron, I doubt that'll be enough.
The only problem with the desoldering is that the EM shield is part of the cooling solution for the processor/RAM/Flash ICs. It will need to be reapplied.
Edit: I made a thread on the e.foundation forums listing everything I tried: https://community.e.foundation/t/bo...and-wont-boot-am-i-out-of-luck/43362?u=awilen
TIL “fastboot oem qcom-on” and “fastboot oem qcom-off” are a thing.
For my part, to this day I cannot find a way to access this mode, I still have my theories, since on one page I found "official" diagrams of this motorola and the phrase "EDL" is indicated at various points, but I don't really know how to interpret them on the motherboard, I'll leave the link in case someone wants to review it, it's from a Brazilian page:
Motorola_Moto_G_5G XT2075 - LEMCELL.COM.BR.zip
drive.google.com
In that one there are several files, with more technical specifications, in case someone wants to review it and see what they find useful out there, to see if it is possible to reach EDL mode on this model.
The missing connector I shot in my photos is a JTAG connector. Make of that what you will.
I have desoldered the EMI shield above the SoC/eMCP area and there's no dice there either. The traces are hidden, the parts are BGAs, there's no "pin" to short there. The schematics may or may not have confirmed my suspicion the physical trace for the clock signal to the eMCP is unreachable, making reaching EDL mode through "PBL panic from not being able to access the flash" impossible.
The SMDs around the eMCP may or may not seem to all be related to power delivery smoothing, and shorting those is blue smoke waiting to happen. I'll resolder the shield later, I don't think there's any point in desoldering it in the future for the purpose of reaching EDL mode.
There are official blankflash utilities freely available. I have no doubt EDL mode is accessible. This connector must be just how.
BREAKTHROUGH TIME! I GOT INTO QCOM 9008 MODE!
In the attached photo are the EDL pads. Happy flashing!
Edit: now I'm getting some progress, but nothing is working. Here's the two logs I get, the first just after connecting, the second after having tried once already:
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:02:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 5.889] ERROR: sahara_greet_device()->change_mode()->do_hello()->Invalid command received in current state
[ 5.889] Check qboot_log.txt for more details
[ 5.889] Total time: 5.889s
[ 5.889]
[ 5.889] qboot version 3.86
[ 5.889]
[ 5.889] DEVICE {
[ 5.889] name = "/dev/ttyUSB0",
[ 5.889] flags = "0x60",
[ 5.889] addr = "0xFECAF690",
[ 5.889] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 5.889] api.bnr = "0x1FE4210",
[ 5.889] }
[ 5.889]
[ 5.889]
[ 5.889] Backup & Restore {
[ 5.889] num_entries = 0,
[ 5.889] restoring = "false",
[ 5.889] backup_error = "not started",
[ 5.889] restore_error = "not started",
[ 5.889] }
[ 5.889]
Code:
$ sudo ./qcom blank-flash
**** Log buffer [000001] 2022-12-02_19:03:50 ****
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.343] Detecting device
[ 34.920] ERROR: sahara_greet_device()->change_mode()->do_hello()->IO error
[ 34.920] Check qboot_log.txt for more details
[ 34.920] Total time: 34.920s
[ 34.920]
[ 34.920] qboot version 3.86
[ 34.920]
[ 34.920] DEVICE {
[ 34.920] name = "/dev/ttyUSB0",
[ 34.920] flags = "0x60",
[ 34.920] addr = "0xAEF35240",
[ 34.920] serial_nix.device_pathname = "/sys/bus/usb/devices/1-3.2/1-3.2:1.0/ttyUSB0",
[ 34.920] api.bnr = "0x21BC210",
[ 34.920] }
[ 34.920]
[ 34.920]
[ 34.920] Backup & Restore {
[ 34.920] num_entries = 0,
[ 34.920] restoring = "false",
[ 34.920] backup_error = "not started",
[ 34.920] restore_error = "not started",
[ 34.920] }
[ 34.920]
Edit 2: I got a blankflash to work! Now I don't know... This is what I got:
Code:
D:\blankflash>.\qboot.exe blank-flash
Motorola qboot utility version 3.86
[ -0.000] Opening device: \\.\COM3
[ -0.000] Detecting device
[ -0.000] ...cpu.id = 286 (0x11e)
[ -0.000] ...cpu.sn = 3786473903 (0xe1b101af)
[ -0.000] Opening singleimage
[ -0.000] Loading package
[ -0.000] ...filename = pkg.xml
[ -0.000] Loading programmer
[ -0.000] ...filename = programmer.elf
[ -0.000] Sending programmer
[ 0.109] Handling things over to programmer
[ 0.109] Identifying CPU version
[ 0.109] Waiting for firehose to get ready
[ 3.220] ReadFile() failed, GetLastError()=0
[ 3.330] ...SM_SAIPAN 2.0
[ 3.330] Determining target secure state
[ 3.330] ...secure = yes
[ 3.377] Configuring device...
[ 3.377] Skipping UFS provsioning as target is secure
[ 3.377] Configuring device...
[ 3.470] Flashing GPT...
[ 3.470] Flashing partition with gpt.bin
[ 3.470] Initializing storage
[ 3.517] ...blksz = 4096
[ 3.580] ReadFile() failed, GetLastError()=0
[ 4.049] Re-initializing storage...
[ 4.049] Initializing storage
[ 4.361] Flashing bootloader...
[ 4.361] Wiping ddr
[ 4.392] Flashing abl_a with abl.elf
[ 4.439] Flashing aop_a with aop.mbn
[ 4.486] Flashing qupfw_a with qupfw.elf
[ 4.517] Flashing tz_a with tz.mbn
[ 4.783] Flashing hyp_a with hyp.mbn
[ 4.839] Flashing devcfg_a with devcfg.mbn
[ 4.854] Flashing keymaster_a with keymaster.mbn
[ 4.901] Flashing storsec_a with storsec.mbn
[ 4.933] Flashing uefisecapp_a with uefi_sec.mbn
[ 5.089] Flashing prov_a with prov64.mbn
[ 5.104] Flashing xbl_config_a with xbl_config.elf
[ 5.151] Flashing xbl_a with xbl.elf
[ 5.649] Rebooting to fastboot
[ 5.665] Total time: 5.665s
Somehow it worked, I got to flash another phone's blankflash (a "Racer" codenamed phone apparently) on it and the ABL (the thing that tells me it won't boot because it didn't find a valid system) changed visually. Now I'll try to unlock the bootloader, or flash a system on it.
Edit 3: Mmh. After clearing that EDL mode flashing worked, the system is still flashing-locked, secured, and fastboot oem unlock <unique_key> isn't working.
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
supermafari2.0 said:
so you activated the qcom, but it is not responding to the blankflash? at least it's an advance, maybe it's a blankflash problem or do you think it's some kind of board protection?
Later I will try on my own on my board
I am confident EDL mode flashing worked. I used a different phone's blankflash that had the same SoC and it worked, giving me a visually different "No OS found" error screen. I posted the log of the blanking process. The "Allow OEM Unlock" bit is still set to "disabled" after blanking, such that I still can't use "fastboot oem unlock" successfully.
There's this line that makes me think the system is still intact: "Skipping UFS provsioning as target is secure", meaning the UFS filesystem might have not been actually blanked. Since singleimage.bin is a signed binary, there's no way to force UFS provisioning or modify it in any other way. I think the only way in will be with a firehose and QFIL... Except I haven't found one for this SoC. The programmer.elf is the firehose, but again that needs to be signed to be useful after getting extracted.
SomeRandomGuy said:
Congrats on your quest. Were you literally shorting them, or did you use a resistor? You had to touch all three together?
I guess I still am confused how there is a blankflash out there for this phone, but no way to trigger EDL without a hardware kit. I just ran through all the key combinations (V+,V-, PWR) and USB in/out just to make sure I didn't miss something... no dice to EDL.
I marked two pads of the missing connector with a green rectangle (I reused the photo I posted earlier on which I had already marked the test points' voltages, disregard the test points). I shorted them with only one voltmeter probe.
The idea is that the EDL pads I marked in green are connected to a 1.8V supply and a pin on the SoC with "infinite resistance", so there's no need for an additional resistor. You are not at risk of shorting anything and causing a major disaster on pins on the row of the green rectangle. The connector is very small, so stab confidently in the middle of the row of pads!
The (V+, PWR) combination may be available in development units, and be disabled in production units at the hardware level (missing components).
(Keep in mind I'm talking in hypotheticals at times to keep up plausible deniability regarding the files posted earlier by supermafari2.0... Those are surely under copyright.)
Layers of security upon layers of security just to get a stock firmware on an empty filesystem on my own device... This is getting old...
Edit: I have, out of boredom, decomposed the singleimage.bin into its various files. Here is the file format:
Code:
* SINGLE_N_LONELY Header [256 bytes]
* FILE:
    Header:
        * file name: 248 bytes (name + "\0" padding)
        * file size: 8 bytes, little-endian
    Data:
        * data: file size in bytes
        * 0xA0 padding if (file size % 4096) != 0 : file size + 4096 - (file size % 4096) bytes
[* FILE...]
* LONELY_N_SINGLE Footer [256 bytes]
Do note the 4096 magic number is the flash sector size, thus is device-dependent. In singleimage.bin, there was gpt.bin which also follows the same format. Among the files is programmer.elf, a strong candidate to be a firehose, I'll try to use with QFIL tomorrow. I do take note of Motorola's attempt at psychological warfare.
So I tried the programmer I found in the singleimage.bin file, it's indeed capable of programming through QFIL! (Do note I needed to get QFIL through QPST to get it to work.) However now I'm faced with this as I'm trying to flash recovery.img to get to recovery and get recovery to reinstall a working system:
Code:
INFO: TARGET SAID: 'ERROR: range restricted: lun=5, start_sector=142688, num_sectors=25600'
I guess the programmer checks for the flash being in a locked state, so it's time to try to patch the programmer to force the flash, if at all possible...
Edit: guessed right. The programmer has a routine that does various checks. It isn't encrypted, but I found data that could indicate the file is signed. I didn't see either the PEEK or POKE strings in there, meaning these primitives weren't included in the programmer, so there's no way to manually poke any image by hand, or just enable that blasted "Allow OEM unlock" bit (the fact I don't know where it is notwithstanding).
I think that's the end of the line for my device. At this point the only way it will ever work again will be either getting a patched and signed firehose (unlikely), or getting Motorola to reflash a stock image internally (even more unlikely) or just changing the motherboard (which defeats the purpose of searching how to get the device back in working order after messing up!)
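The singleimage.bin layout listed in the post above, read with a bounds-checked Python parser; this is an added example, not part of the original thread and not Motorola's code. It assumes each magic string sits at offset 0 of its 256-byte block and that member names are plain ASCII; the sample container, its dummy contents and the name gpt_main0.bin are constructed for the demo.

```python
import struct

# Assumptions (not stated in the post): each magic string sits at offset 0 of
# its 256-byte block, and member names are plain ASCII file names.
HEADER_MAGIC = b"SINGLE_N_LONELY"
FOOTER_MAGIC = b"LONELY_N_SINGLE"
BLOCK = 256        # size of the header, the footer and each per-file header
NAME_LEN = 248     # NUL-padded file name; the last 8 bytes hold the size
PAD = b"\xa0"      # padding byte named in the post


class ContainerError(ValueError):
    """Raised when the file does not match the described layout."""


def padded_len(size, sector):
    """Length of a member's data once padded up to a sector boundary."""
    return size if size % sector == 0 else size + sector - (size % sector)


def parse_singleimage(blob, sector=4096):
    """Return [(name, data), ...]; every length field is checked before use."""
    if len(blob) < 2 * BLOCK or not blob.startswith(HEADER_MAGIC):
        raise ContainerError("missing SINGLE_N_LONELY header")
    members, off = [], BLOCK
    while True:
        block = blob[off:off + BLOCK]
        if len(block) < BLOCK:
            raise ContainerError("truncated before LONELY_N_SINGLE footer")
        if block.startswith(FOOTER_MAGIC):
            return members
        try:
            name = block[:NAME_LEN].split(b"\0", 1)[0].decode("ascii")
        except UnicodeDecodeError:
            raise ContainerError(f"non-ASCII member name at offset {off}") from None
        # If members are ever written to disk the name becomes a path,
        # so refuse separators and dot entries here.
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ContainerError(f"unsafe member name {name!r}")
        (size,) = struct.unpack_from("<Q", block, NAME_LEN)
        start = off + BLOCK
        end = start + padded_len(size, sector)
        if end > len(blob) - BLOCK:          # the footer must still fit after it
            raise ContainerError(f"{name}: size {size} runs past end of file")
        if blob[start + size:end].strip(PAD):
            raise ContainerError(f"{name}: padding is not all 0xA0")
        members.append((name, blob[start:start + size]))
        off = end


def walk(blob, sector=4096, prefix=""):
    """Flatten a container, descending into members that are containers too
    (the post notes gpt.bin uses the same format)."""
    listing = []
    for name, data in parse_singleimage(blob, sector):
        listing.append((prefix + name, len(data)))
        if data.startswith(HEADER_MAGIC):
            listing += walk(data, sector, prefix + name + "/")
    return listing


def build_singleimage(files, sector=4096):
    """Build a constructed sample; NUL fill of header/footer is an assumption."""
    out = bytearray(HEADER_MAGIC.ljust(BLOCK, b"\0"))
    for name, data in files:
        out += name.encode("ascii").ljust(NAME_LEN, b"\0")
        out += struct.pack("<Q", len(data))
        out += data + PAD * (padded_len(len(data), sector) - len(data))
    out += FOOTER_MAGIC.ljust(BLOCK, b"\0")
    return bytes(out)


def constructed_sample():
    """Made-up container for the demo: all file contents are dummies."""
    inner = build_singleimage([("gpt_main0.bin", b"\x11" * 100)])
    return build_singleimage([
        ("pkg.xml", b"<package/>"),
        ("gpt.bin", inner),                             # nested container
        ("programmer.elf", b"\x7fELF" + b"\0" * 8188),  # two full sectors, no padding
    ])


if __name__ == "__main__":
    for path, size in walk(constructed_sample()):
        print(f"{size:>8}  {path}")
```

Pass a different `sector` value for devices whose flash sector size is not 4096, since the post notes that number is device-dependent.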

Question I need help with the G10 XT2127-1 blankflash. I tried 3 blankflash and when trying to install this error.

I need help with the G10 XT2127-1 blankflash. I tried 3 blankflash and when trying to install this error.
[ 0.000] Opening device: \\.\COM30
[ 0.000] Detecting device
[ 3,659] ReadFile() failed, GetLastError()=0
[ 6,619] ...cpu.id = 310 (0x136)
[ 6,619] ...cpu.sn = 3251673319 (0xc1d098e7)
[ 6,619] Opening singleimage
[ 6,619] Loading package
[ 6,635] ...filename = pkg.xml
[ 6,635] Loading programmer
[ 6,635] ...filename = programmer.elf
[ 6,635] Sending programmer
[ 6.741] Handling things over to programmer
[ 6.741] Identifying CPU version
[ 6.741] Waiting for firehose to get ready
[ 9,820] ...SM_KAMORTA 1.0
[ 9,820] Determining target secure state
[ 9,820] ...secure = yes
[ 9.851] Configuring device...
[ 9,851] Flashing GPT...
[ 9,851] Flashing partition with gpt.bin
[ 9,867] Initializing storage
[11,040] Target NAK!
[ 11.040] ...INFO: handler getStorageInfo allowed
[ 11.040] ...INFO: Calling handler for getStorageInfo
[ 11.040] ...ERROR: Failed to open the SDCC Device slot 0 partition 0
[ 11.040] ...ERROR: Failed to open the device:1 slot:0 partition:0 error:0
[ 11.040] ...ERROR: OPEN handle NULL and no error, weird 203917508
[ 11.040] ...ERROR: Failed to open device, type:eMMC, slot:0, lun:0 error:3
[ 11.040] ERROR: do_package()->do_recipe()->do_flash()->flash_simg()->do_package()->do_recipe()->do_flash()->gpt_flash()->get_storage()-> init_storage()->firehose_do_fmt()->do_recipe()->NAK
[ 11.040] Check qboot_log.txt for more details
[ 11,040] Total time: 11,040s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->do_flash()->flash_simg()->do_package()->do_recipe()->do_flash()->gpt_flash()->get_storage() ->init_storage()->firehose_do_fmt()->do_recipe()->NAK
