Database Users

[LIBRARY]libpit-X Online PIT analysis Tool and Library

I would like to first start by sharing a bit of history behind this library. @Benjamin Dobell started the Heimdall project where he packet-sniffed the Odin(desktop client)/Loke(on-device server) protocol in order to create Heimdall, an open source flashing tool which I've personally used in my own projects Heimdall one-click and One-Click UnBrick as well as my current project, CASUAL. Heimdall was released with a very rough, but working, analysis of the PIT files and has been slowly increasing over time.
@Ralekdev , @Rebellos and myself began looking at the PIT files much later than Benjamin. Ralekdev and Rebellos were to reverse-engineer the bootloaders of several Samsung devices and was able to come up exploits while I somewhat brought the work together and assisted where I could. Ralekdev even identified proper sizes of data blocks and has created a few tools to assist.
Introduction
I'm happy to announce that we have 100% identification of all parts of the PIT files as they stand today. We are no longer working on identifying variables thanks to Ralekdev, Rebellos and Benjamin's work. We can read, and write and integrate PIT files into our Java Applications. As a demonstration of this library, i encourage you to
Analyze Your Pit File Online
If you don't have a PIT file, you can use this one. This will provide you with human-readable analysis of a PIT file.
This can also be accomplished locally on your computer with this file: http://goo.im/devs/AdamOutler/libpitX/libpit-X-R917.jar
Code:
[email protected]:~$libpit-X.jar GalaxyCamera.pit
PIT Name: Mx
Entry Count: 17
File Type: COM_TAR2
--- Entry #0 ---
ID: 80 Partition Name: BOOTLOADER
Filename: sboot.bin param: md5
Block Size: 1734 (887.8 kB)
Block range: 0 - 1733 (hex 0x0 - 0x6c5)
PartType: 2 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Bootloader partition resides on the AP EMMC.
--- Entry #1 ---
ID: 81 Partition Name: TZSW
Filename: tz.img param: md5
Block Size: 312 (159.7 kB)
Block range: 1734 - 2045 (hex 0x6c6 - 0x7fd)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #2 ---
ID: 70 Partition Name: PIT
Filename: camera.pit
Block Size: 16 (8.2 kB)
Block range: 34 - 49 (hex 0x22 - 0x31)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #3 ---
ID: 71 Partition Name: MD5HDR
Filename: md5.img param: in.md5
Block Size: 2048 (1.0 MB)
Block range: 50 - 2097 (hex 0x32 - 0x831)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #4 ---
ID: 1 Partition Name: BOTA0
Filename: -
Block Size: 8192 (4.2 MB)
Block range: 8192 - 16383 (hex 0x2000 - 0x3fff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #5 ---
ID: 2 Partition Name: BOTA1
Filename: -
Block Size: 8192 (4.2 MB)
Block range: 16384 - 24575 (hex 0x4000 - 0x5fff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #6 ---
ID: 3 Partition Name: EFS
Filename: efs.img param: md5
Block Size: 40960 (21.0 MB)
Block range: 24576 - 65535 (hex 0x6000 - 0xffff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This EXT4 format Data partition resides on the AP EMMC.
--- Entry #7 ---
ID: 4 Partition Name: PARAM
Filename: param.bin param: md5
Block Size: 16384 (8.4 MB)
Block range: 65536 - 81919 (hex 0x10000 - 0x13fff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #8 ---
ID: 5 Partition Name: BOOT
Filename: boot.img param: md5
Block Size: 16384 (8.4 MB)
Block range: 81920 - 98303 (hex 0x14000 - 0x17fff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #9 ---
ID: 6 Partition Name: RECOVERY
Filename: recovery.img param: md5
Block Size: 16384 (8.4 MB)
Block range: 98304 - 114687 (hex 0x18000 - 0x1bfff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #10 ---
ID: 7 Partition Name: RADIO
Filename: modem.bin param: md5
Block Size: 65536 (33.6 MB)
Block range: 114688 - 180223 (hex 0x1c000 - 0x2bfff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #11 ---
ID: 8 Partition Name: CACHE
Filename: cache.img param: md5
Block Size: 2097152 (1.1 GB)
Block range: 180224 - 2277375 (hex 0x2c000 - 0x22bfff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This EXT4 format Data partition resides on the AP EMMC.
--- Entry #12 ---
ID: 9 Partition Name: SYSTEM
Filename: system.img param: md5
Block Size: 3145728 (1.6 GB)
Block range: 2277376 - 5423103 (hex 0x22c000 - 0x52bfff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This EXT4 format Data partition resides on the AP EMMC.
--- Entry #13 ---
ID: 10 Partition Name: HIDDEN
Filename: hidden.img param: md5
Block Size: 737280 (377.5 MB)
Block range: 5423104 - 6160383 (hex 0x52c000 - 0x5dffff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This EXT4 format Data partition resides on the AP EMMC.
--- Entry #14 ---
ID: 11 Partition Name: OTA
Filename: -
Block Size: 16384 (8.4 MB)
Block range: 6160384 - 6176767 (hex 0x5e0000 - 0x5e3fff)
PartType: 5 FilesystemType: 1 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA:
This Basic format Data partition resides on the AP EMMC.
--- Entry #15 ---
ID: 12 Partition Name: TDATA param: TA
Filename: - param: erdata.img param: md5
Block Size: 409600 (209.7 MB)
Block range: 6176768 - 6586367 (hex 0x5e4000 - 0x647fff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA: param: Dmained
This EXT4 format Data partition resides on the AP EMMC.
--- Entry #16 ---
ID: 13 Partition Name: USERDATA
Filename: userdata.img
Block Size: 0 (0 B)
Block range: 6586368 - 6586367 (hex 0x648000 - 0x647fff)
PartType: 5 FilesystemType: 5 BinType: 0 DevType: 2
Offset:0 Size: 0 FOTA: remained
This EXT4 format Data partition resides on the AP EMMC. The partition will expand to fill the remainder of the EMMC.
Development Library/Downloads/Documentation
The libpit-X library is an extremely heavy overhaul of the libpit--Java- library by Benjamin Dobell. It features 100% accurate read/write/modification ability. It is also very well documented. I've submitted an issue for Benjamin to pull my changes. Until then you can find the library here.
Online documentation can be found here: http://javadoc.casual-dev.com/namespacecom_1_1casual__dev_1_1libpit_x.html
When you load a Library into your development environment, you need three parts. The Package, the Javadoc and the Source. The latest version of these three parts can be found here:
Package: http://jenkins.casual-dev.com/view/All/job/Build libpitX/ws/trunk/X/libpitX/dist/libpit-X.jar
Javadoc: http://jenkins.casual-dev.com/view/...runk/X/libpitX/dist/javadoc/*zip*/javadoc.zip
Source: http://jenkins.casual-dev.com/view/All/job/Build libpitX/ws/trunk/X/libpitX/src/*zip*/src.zip
Library Archives can be found here: http://goo.im/devs/AdamOutler/libpitX
Here's a picture of the library in action: http://dl.xda-developers.com/attach...3/7/8/Screenshot_from_2013-11-23_21_16_36.png
Automated Testing
Testing is conducted on EVERY SINGLE REVISION and compiled code is not published to the archvies if testing fails.
Latest test results: http://jenkins.casual-dev.com/job/CASUALbuild Test/lastBuild/console
Test code for this $X project: https://code.google.com/p/android-c...trunk/CASUALcore/test/CASUAL/archiving/libpit
And of course you can always test version yourself with our Analyze Your Pit File Online utility.
About
This is a $X project. The $ represents CASUAL for two reasons; CASUAL commands start with $, and the way CASUAL is commonly pronounced is cash-ual. In $X projects, the $ is silent. $X projects are not CASUAL core projects but rather offshoots. Rather than create an entire new repository for $X projects, we will host them in the http://android-casual.googlecode.com repository. For example, the working source code for this project is located in the CASUAL-Core and during build, the $X project is automatically created in the X.casual_dev.libpitX pacakge.
If you wish to contribute to this project, or any other CASUAL project, check out the "Developers" section of this page: http://casual-dev.com/about/. There's a lot to do and we are wiling to help you learn.

Please tell how to redistribute space from cache and hidden partions to increase user space with your utility?

Adam, most PIT files I analyze have one or two strange partitions at the end..is this the fault of the analysis software or is just something else completely? Also, have you ever been able to extract the pit from a device that you was the same as ( md5 match) one you would get in a odin tar? The pit files I extract never end up being the exact same as the pit files that come in the odin tar for a particular device regardless of the method used; Heimdall and/or using dd if/of= w/ correct skip/count don't yield the right results. The PIT analysis tool you helped make lists everything correctly for the VZW GS4 but doesnt list the strange partition at the end thats found with other analysis tools like the one below, so I assume the last thing isn't a partition then?
TL;DR - What is the partition at the end with strange characters?
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Surge1223 said:
TL;DR - What is the partition at the end with strange characters?
Click to expand...
Click to collapse
That would appear to be a signature.

Please tell me this is going to lead 16gig Samsung Sg4 users to get more than 9 gigs free space when using a non touch wiz ROM . Great project and congrats

igoa said:
Please tell how to redistribute space from cache and hidden partions to increase user space with your utility?
Click to expand...
Click to collapse
This isn't a utility, it's a library. You would include it in your Android Application or Java Desktop App.
Here's how you would use it for your project
Code:
Class BlockResizer{
public void remove100BlocksFromCACHE(){
//Open the PIT file
PitData pd=new PitData("mypit.pit");
//get the CACHE partition
PitEntry CACHE=pd.findEntry(String partitionName);
//Remove 100 blocks from CACHE
int blocksToRemove=100;
CACHE.block_count=CACHE.block_count-blocksToRemove;
//Loop through the rest of the partitions and bump them up 100 blocks.
for (int i=CACHE.part_id+1; i<pd.entryCount; i++){
pd.getEntry(i).BLOCK_START=pd.getEntry(i).BLOCK_START-blocksToRemove;
}
//write out the new PIT to "newPit.pit"
pd.pack(new DataOutputStream(new FileOutputStream("newPit.pit");
}
This would work just fine assuming that the rest of the partitions after the CACHE are in proper order.

igoa said:
Please tell how to redistribute space from cache and hidden partions to increase user space with your utility?
Click to expand...
Click to collapse
Hey, i just added the ability to do this easily after reviewing the code for a bit. The commit is still processing and the new library and documentation should be up shortly... Here goes a partition resize
Code:
public void resize(){
PitData instance = new PitData("MyPitFile.pit");
String partName="CACHE"; //partition name to change
int changeToSize=-2000; //size to change partition (-2000 blocks= 1 megabyte smaller)
try {
instance.resizePartition(partName, changeToSize); //actually resizes the partiton and all others are moved.
} catch (ClassNotFoundException ex) {
Logger.getLogger(PitDataTest.class.getName()).log(Level.SEVERE, null, ex); //this occurs if the partition specified is not found
}
instance.pack(new DataOutputStream(new FileOutputStream("newPit.pit"); //write out the new PIT to "newPit.pit"
}
This code has accompanying test code. So, if you'd like to resize a PIT, all you need to do is add the libpitX library into an existing project then run the code above.

AdamOutler said:
That would appear to be a signature.
Click to expand...
Click to collapse
This is very interesting. Is there anything we can do with it? Or is this read only/unknown flash protocol?

ryanbg said:
This is very interesting. Is there anything we can do with it? Or is this read only/unknown flash protocol?
Click to expand...
Click to collapse
You can append it to the end of the file.

AdamOutler said:
You can append it to the end of the file.
Click to expand...
Click to collapse
So it's not possible to write my own certificate to this 'partition' yet?

ryanbg said:
So it's not possible to write my own certificate to this 'partition' yet?
Click to expand...
Click to collapse
Yeah but it's worthless without Samsung's private key.

AdamOutler said:
Yeah but it's worthless without Samsung's private key.
Click to expand...
Click to collapse
Have you seen this post? here
and more specifically this:
ERROR: Image Invalid, X509_Certificate is NULL!
ERROR: Boot Invalid, RSA_KEY is NULL!
ERROR: Image Invalid! Decryption failed!
ERROR: Image Invalid! Please use another image!
Does this make a difference?

That's just strings and it says what error you'll get if you put in a null signature.

@AdamOutler for the VZW Galaxy S4 I analyzed the PIT file produced by Heimdall and it reports the last four partitions as "remained" so I decided to manually extract my PIT file using
Code:
su
dd if=/dev/block/mmcblk0 of=/sdcard/sch1545.pit bs=8 count=580 skip=2176
which is specific to MSM8690 S4's and the PIT analysis now shows the "remained" partitions actual values and you can see the PIT I extracted is factory signed, because I compare the md5 to the PIT from a factory Odin tar here so is this problem unique to just the S4 or is it a Heimdall problem? I assumed Heimdall just extracted the padded PIT file but even so it should still show the information for the last 4 partitions.
Before
Code:
--- Entry #29 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #30 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #31 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #32 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
After
Code:
--- Entry #29 ---
ID: 70 Partition Name: PGPT
Filename: pgpt.img
Block Size: 34 (17.4kB)
Block range: 0 - 33 (hex 0x0 - 0x21)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The PGPT partition, identified as partition number 70, is 17.4kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as pgpt.img.
--- Entry #30 ---
ID: 71 Partition Name: PIT
Filename: MSM8960.pit
Block Size: 16 (8.2kB)
Block range: 34 - 49 (hex 0x22 - 0x31)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The PIT partition, identified as partition number 71, is 8.2kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as MSM8960.pit.
--- Entry #31 ---
ID: 72 Partition Name: MD5
Filename: md5.img
Block Size: 32 (16.4kB)
Block range: 50 - 81 (hex 0x32 - 0x51)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The MD5 partition, identified as partition number 72, is 16.4kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as md5.img.
--- Entry #32 ---
ID: 73 Partition Name: SGPT
Filename: sgpt.img
Block Size: 33 (16.9kB)
Block range: 30777311 - 30777343 (hex 0x1d59fdf - 0x1d59fff)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The SGPT partition, identified as partition number 73, is 16.9kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as sgpt.img.

bump

Surge1223 said:
@AdamOutler for the VZW Galaxy S4 I analyzed the PIT file produced by Heimdall and it reports the last four partitions as "remained" so I decided to manually extract my PIT file using
Code:
su
dd if=/dev/block/mmcblk0 of=/sdcard/sch1545.pit bs=8 count=580 skip=2176
which is specific to MSM8690 S4's and the PIT analysis now shows the "remained" partitions actual values and you can see the PIT I extracted is factory signed, because I compare the md5 to the PIT from a factory Odin tar here so is this problem unique to just the S4 or is it a Heimdall problem? I assumed Heimdall just extracted the padded PIT file but even so it should still show the information for the last 4 partitions.
Before
Code:
--- Entry #29 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #30 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #31 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
--- Entry #32 ---
ID: -1 Partition Name: remained
Filename: remained
Block Size: -1 (-512 B)
Block range: -1 - -3 (hex 0xffffffff - 0xfffffffd)
PartType: -1 FilesystemType: -1 BinType: -1 DevType: -1
Offset:-1 Size: -1 FOTA: remained
This unknown format unknown partition resides on the CP unknwon. The partition will expand to fill the remainder of the unknwon.
After
Code:
--- Entry #29 ---
ID: 70 Partition Name: PGPT
Filename: pgpt.img
Block Size: 34 (17.4kB)
Block range: 0 - 33 (hex 0x0 - 0x21)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The PGPT partition, identified as partition number 70, is 17.4kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as pgpt.img.
--- Entry #30 ---
ID: 71 Partition Name: PIT
Filename: MSM8960.pit
Block Size: 16 (8.2kB)
Block range: 34 - 49 (hex 0x22 - 0x31)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The PIT partition, identified as partition number 71, is 8.2kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as MSM8960.pit.
--- Entry #31 ---
ID: 72 Partition Name: MD5
Filename: md5.img
Block Size: 32 (16.4kB)
Block range: 50 - 81 (hex 0x32 - 0x51)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The MD5 partition, identified as partition number 72, is 16.4kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as md5.img.
--- Entry #32 ---
ID: 73 Partition Name: SGPT
Filename: sgpt.img
Block Size: 33 (16.9kB)
Block range: 30777311 - 30777343 (hex 0x1d59fdf - 0x1d59fff)
FilesystemType: 1 PartType: 5 DevType: 2 BinType: 0
Offset:0 Size: 0 FOTA:
The SGPT partition, identified as partition number 73, is 16.9kB in size and carries a Basic format. This partition resides on the Data section of the AP EMMC. It identifies itself to Odin as sgpt.img.
Click to expand...
Click to collapse
@Benjamin Dobell may know something about this.

Can anyone share the file http://goo.im/devs/AdamOutler/libpitX/libpit-X-R917.jar? The link fails.

t2060079 said:
Can anyone share the file http://goo.im/devs/AdamOutler/libpitX/libpit-X-R917.jar? The link fails.
Click to expand...
Click to collapse
I'm looking for the same stuff. I think that the dev has relocated to here:
http://3of5.com/builds.casual-dev.com/files/libpit-X/
HTH, J

[Q] U8800 Pro bricked

Here is the long version.
My phone a U8800 Pro was running the official B928 version downloaded from Huawei
I wanted to install the latest version Cyanogen 11. That needed me to install the latest version of TWRP which led me to the mistake that I needed to update the bootloader as well.
And then I did another mistake where I installed what is obviously the wrong bootloader from here (http://forum.xda-developers.com/showthread.php?t=1800045) using
Code:
dd if=/tmp/bootloader.bin of=/dev/block/mmcblk0p3
The phone since then just boot cycles continously and cannot even login to recovery mode.
I attempted to re-install B928 from the SD card but always fails at about 1/4 of the way through with a
Code:
dload_sd_ram_data_proc->(retry >= DLOAD_RETRY) failed!
msg.
Now interestingly if I remove the battery and just use the USB I get an empty pink screen and I can see at least the partitions of the internal drive
Code:
Disk /dev/sdg: 3.7 GiB, 3959422976 bytes, 7733248 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sdg1 1 524287 262143+ c W95 FAT32 (LBA)
/dev/sdg2 * 524288 525287 500 4d QNX4.x
/dev/sdg3 525288 531287 3000 46 Unknown
/dev/sdg4 531288 7733247 3600980 5 Extended
/dev/sdg5 655360 679935 12288 59 Unknown
/dev/sdg6 786432 1052671 133120 4c Unknown
/dev/sdg7 1179648 1183743 2048 5a Unknown
/dev/sdg8 1310720 1316863 3072 58 Unknown
/dev/sdg9 1441792 1455791 7000 50 OnTrack DM
/dev/sdg10 1572864 1579007 3072 4a Unknown
/dev/sdg11 1703936 1710079 3072 4b Unknown
/dev/sdg12 1835008 2621439 393216 83 Linux
/dev/sdg13 2621440 4456447 917504 83 Linux
/dev/sdg14 4456448 7733247 1638400 69 Unknown
and can mount some of them.
Now where can I find an appropriate bootloader and which partition should I attempt to copy it on .
And secondly if that works out, how do I install TWRP 2.8.0.0 . Using TWRP manager fails which led to this whole mess really.
On /dev/sdg1 I can see a dir called image and it contains
Code:
amss.mbn boot.img cust.img EMMCBOOT.MBN recovery.img
but don't want to touch anything before I know more since I can do more dmg.
Thanks for all the help in advance
Edit: I managed to copy the bootloader from a friend and copy it back on my phone so that problem was solved. It needed to go to the /dev/sdg3 partition if anyone is wandering. Now pink screen seems locked and can't access the internal storage through USB so back to square 1.

Glad you got the problem solved out. When you unlock your bootloader (like I said in here), boot your phone to pink screen and plug it to your computer. You're using linux? If so, there probably is going to be four difference device's to be shown, the one which you're interested is the device containing "image" folder, in there replace the recovery.img with appropriate one.

[Stock][ROM][5.1.1] Lenovo Yoga Tab 3 YT3-850L – How I bricked and restored

Hi all,
First of all I wanted to thank baikal0912 from lenovo-forums.ru , without Him this guide haven’t been possible, so all the glory and kudos go to Him in first place. (baikal0912 if You’re reading this – Thank You once again)
THIS GUIDE IS FOR LENOVO YOGA TAB 3 YT3-850L! AS ALWAYS I’M NOT RESPONSIBLE FOR DAMAGED DEVICES AND LOST DATA! ALWAYS MAKE BACKUP! (DON’T MAKE MY MISTAKES)
SOME HISTORY (read if You want to know how I bricked my device)
I had stock 5.1.1 Android on my Yoga, tablet has been updated to 6.0.1 in which i had problems with writing to SDCard (permissions), so I managed to unlock bootloader, flash TWRP, install Xposed and SDFix. Sadly after some time I saw that randomly applications disappeared (like Google Play Store).
So I was searching for 5.1.1 ROM (because I didn’t had any backup), only 2 ROM’s where available to download and it was for „M” model (YT3-850M) not „L”. First ROM was 785MB – it was only Chinese/English language, after flashing my device I saw that my LTE didn’t work, WIFI, BT, GPS and Sound doesn’t work either.
So I tried second ROM downloaded for „M”, It was 1,2GB and there were all languages available, but still LTE, WIFI, BT, GPS and Sound didn’t work.
I was searching for some info about my problem and manager to go to lenovo-forums.ru where I find out It’s because missing/damaged NVRam data (the data where tablet stores IMEI, Mac address and other stuff)
Surely It was my fault because I didn’t do any backup in first place (and yes, I’m an idiot)
Trying to find NVRam backup (in .QCN file) I ended in lenovo-forums.ru talking with baikal0912, He shared with me stock „L” ROM and trying to help me flash the device back again, so I made this topic because there is a problem finding „L” ROM and so everyone know how I flashed my device (which tools and drivers are needed, which mode to enter to flash device.
So let’s get started….
First, if Your tablet boots to Android make sure it has ADB debugging enabled (If You want to know how to enable ADB debug search the forum, there are plenty of answers)
Second make sure You grab SIMCard from device (You’ll gonna insert it later at end of my guide)
GRAB ALL THE NEEDED FILES: (ROM is 1GB 7zip compressed)
Code:
https://drive.google.com/drive/folders/0B2EmK9gw0mTdYUdJUGlDUm0zTW8?resourcekey=0-1iw6MlGugBOz6J5sDQRcaw&usp=sharing
You will need ROM (YT3-850L_S000026_151217_ROW_qpst.7z), QPST v2.7.429 (QPST_2.7.429.7z), drivers (Qualcomm USB Drivers For Windows.zip and Qualcomm_USBDriver_2.1.0.5_x64.cab), IMEI writing software (A100_WriteDualIMEI(W+G_eMMC).rar).
Also You are going to need ADB tools, search for them here at XDA (minimal ADB and fastboot).
NOTE: I’ve been trying to restore ROM with other QPST version and drivers without any success.
Install QPST, extract ROM to „C:\Lenovo” then connect turned on Yoga to PC, there should be 3 new devices shown in device manager named YT3-850M (in my case it was „M”, Yours can be „L”), install drivers from „Qualcomm USB Drivers for Windows.zip”, Windows should install two of them (modem fails to install, just ignore), the most important is device installed as „Lenovo HS-USB Diagnostics (COMx)” where X is Your COM port numer needed LATER.
ENTER FLASHING MODE
For now run ADB command to check if Your device is recognized:
Code:
adb devices
If It’s recognized then command will show You some numbers, if You’re ready to go then run this command:
Code:
adb reboot edl
Above command will change Android to something I call „Flashing Mode” (the screen on tablet will be black), for now tablet is waiting for flashing, You should now see that device manager in Windows shows only one new devices o install from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)”, note the COM port X needed to flash.
Others at forums tell me to enter „Diagnostic Mode” to start flashing but they were wrong, „Diagnostic Mode” is something else needed later.
FLASH THE DEVICE
Run QFIL.exe from installed QPST directory (c:\Program Files (x86)\Qualcomm\QPST\bin\), make sure to run with Administrator privileges (from right click context menu).
Code:
- Make sure that QFIL recognized Your device showing „Qualcomm HS-USB DQLoader 9008” with COM port numer at top of QFIL screen.
- Select FLAT BUILD
- In „Programmer Path” choose „Browse”, go to extracted ROM directory and choose file named „prog_emmc_firehose_8909_ddr.mbn”
- Click on „LoadXML” below on right, choose „rawprogram0” file, then choose „patch0” file
If You are 100% sure You want to flash then press blue „Download” button and wait to finish flashing (don’t disconnect or turn off tablet before it ends).
You should notice that in „Status” window in QFIL there should be LOG, here’s my example of LOG file (shortened, doesn't fit all):
Start Download
Program Path:C:\lenovo\prog_emmc_firehose_8909_ddr.mbn
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
FireHose Log: [email protected] [email protected]
Request payload size 0xc000 is not the same as support payload size, change to 0x100000
Request payload size 0x100000 is too big, reduce to 0x20000
FireHose Log: [email protected] [email protected]
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
ReadBackMode:No_Readback
Disable read back
Total Bytes To Program 0x86846CA0
Download Image
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
Program Size: 0.24 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 1064, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
.......
.......
.......
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7799808, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_8.img
FireHose Log: start 7799808, num 16
FireHose Log: Finished sector address 7799824
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7800712, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_9.img
FireHose Log: start 7800712, num 16
FireHose Log: Finished sector address 7800728
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8061952, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_10.img
FireHose Log: start 8061952, num 16
FireHose Log: Finished sector address 8061968
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8324096, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_11.img
FireHose Log: start 8324096, num 16
FireHose Log: Finished sector address 8324112
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8325000, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_12.img
FireHose Log: start 8325000, num 16
FireHose Log: Finished sector address 8325016
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8586240, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_13.img
FireHose Log: start 8586240, num 16
FireHose Log: Finished sector address 8586256
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8848384, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_14.img
FireHose Log: start 8848384, num 16
FireHose Log: Finished sector address 8848400
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8849288, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_15.img
FireHose Log: start 8849288, num 16
FireHose Log: Finished sector address 8849304
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9110528, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_16.img
FireHose Log: start 9110528, num 16
FireHose Log: Finished sector address 9110544
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9372672, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_17.img
FireHose Log: start 9372672, num 16
FireHose Log: Finished sector address 9372688
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9634816, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_18.img
FireHose Log: start 9634816, num 16
FireHose Log: Finished sector address 9634832
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9896960, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_19.img
FireHose Log: start 9896960, num 16
FireHose Log: Finished sector address 9896976
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9901032, Length: 218048 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_20.img
FireHose Log: start 9901032, num 218048
FireHose Log: Finished sector address 10119080
PROGRAM: Written Bytes 0x6a78000 (64)
Program Size: 106.47 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_main0.bin
FireHose Log: start 0, num 34
FireHose Log: Finished sector address 34
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_backup0.bin
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
Total Size: 2155.12 MB
Total Time: 265 Seconds
Throughput: 8.13 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-26., Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535654 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 1 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535679 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 1 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 30535679 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
FireHose Log: Patched sector 30535679 with 01D1EFDF
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
FireHose Log: crc start sector 2, over bytes 4096
FireHose Log: Patched sector 1 with 7315C503
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
FireHose Log: crc start sector 30535647, over bytes 4096
FireHose Log: Patched sector 30535679 with 7315C503
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 1 with 00000000
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
FireHose Log: crc start sector 1, over bytes 92
FireHose Log: Patched sector 1 with 2EB8C0BF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 30535679 with 00000000
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
FireHose Log: crc start sector 30535679, over bytes 92
FireHose Log: Patched sector 30535679 with B8615551
Total download file size: 2155,119MB
Total download time: 4 Min 26 Sec
Throughput: 8,096117MB/s
FireHose Log: Set bootable drive to 0.
Download Succeed
Finish Download
If there’s „Download Succeed” and „Finish Download” in LOG You could try to boot new ROM holding POWER button, the first boot should take some time, after boot don’t install any apps, we need to change IMEI before we use tablet.
CHECK IMEI
After booting check Your IMEI numer if exists in NVRam, go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
*#06#
If IMEI is good, skip to „Region Change” guide.
If IMEI is 0 then note Your IMEI from the „Standing Plate” of Your tablet.
WRITING IMEI
First shut down tablet, boot with holding „POWER” „+” and „-„ buttons, there should show something I call „Diagnostic Mode”, there will be some tests like:
Code:
1 SYSTEM INFO
2 KEYPAD BACKLIGHT
3 LCD BACKLIGHT
…..
…..
You should connect tablet to PC, and if You previously installed „Qualcomm USB Drivers For Windows.zip” drivers, then run WriteDualIMEI(W+G_eMMC).exe as Administrator.
Program will auto detect COM port, there will be two fileds (IMEI1, IMEI2), just insert Your IMEI in BOTH FIELDS, click START, wait to program show PASS.
If it pass, disconnect tablet from USB, click on REBOOT in „Diagnostic Mode”, choose „(3) Reboot to Android”, hit „OK”
After booting check IMEI number as mentioned above, if it’s ok then last thing to do is…
CHANGE REGION CODE
To change region code, to the same as checking IMEI but with other code, so go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
####682#
Region changing settings should appear, at top there is Your currently selected region, below You can choose new region, note that after changing region Android should reboot.
For now shut down Android, insert SIMCard, and enjoy.
That’s all, thanks for reading, I hope this guide will help someone like baikal0912 :good: helped me.
Regards.
P.S. If someone know how to enter „Flashing Mode” in other way than „adb reboot edl” let me know so I can update this guide (maybe there is someone who can’t boot device and enter „Flashing Mode” via ADB)
P.S.2. Flashing done under Windows 10 Home 64 bit, connected to USB 2.0
P.S.3. I haven't done Serial Number (SN) writing to tablet, don't know how.
P.S.4. Sorry for my bad English

I cant install the drivers automaticly because I dont have a working Yoga Tab. I just can boot into fastboot mode. I run "fastboot devices" and therre it is, but not with "adb devices". My device manager knows my tablet and tell me "Android Bootloader Interface" when I connect the tablet. If I try to update the driver it says they are allready installed.

Rookie1919 said:
I cant install the drivers automaticly because I dont have a working Yoga Tab. I just can boot into fastboot mode. I run "fastboot devices" and therre it is, but not with "adb devices". My device manager knows my tablet and tell me "Android Bootloader Interface" when I connect the tablet. If I try to update the driver it says they are allready installed.
Click to expand...
Click to collapse
Have You try "fastboot boot recovery.img" to boot recovery?
Do You have recovery.img?
If You have problem entering "Flashing Mode" (via "adb reboot edl"), You can try this link with patched fastboot to support rebooting to edl, I didn't test it, someone can try....
https://forum.xda-developers.com/an.../guide-how-to-reboot-to-edl-fastboot-t3394292

I connected the pad while i pressed Vol-. Then I used the exe in the new fastboot thing. Then I did this:
C:\adb>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
C:\adb>adb reboot edl
error: no devices/emulators found

Rookie1919 said:
I connected the pad while i pressed Vol-. Then I used the exe in the new fastboot thing. Then I did this:
C:\adb>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
C:\adb>adb reboot edl
error: no devices/emulators found
Click to expand...
Click to collapse
So if You maneged to run new fastboot exe to boot to edl, the screen should be black on Yoga (and device is in "Flashing Mode", check device manager in Windows, You should install driver from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)” device.
Next You should do the flashing by QFIL as described in my tutorial above.
In my tutorial I was using adb to boot to edl ("Flashing Mode") because my tablet was booting, as I understand Your tablet don't boot anywhere beside fastboot, so You must enter edl ("Flashing Mode") via fastboot without using adb (adb should work only if You boot tablet)

Doestn work. I booted to recovery and tried a factory reset. Then the message "couldnt mount system" appears. Could this be the problem? And how coult I solve this?

Hmmm, I think its because of damaged system, dont know how to help (Im not Android pro), if internal storage isnt damaged then only way I know is to flash ROM via QFIL, and for that You must enter edl ("Flashing Mode") either with adb, fastboot or booting with some magic key combination.
Unless You enter edl You couldnt flash device, try in recovery mode if adb is working to boot edl.

I don't know exactly where to post I just need the plain stock image of the yt3 x50f ROW so I can put it on the tablet I somehow got a PRC CN ROM on it and now no Google apps or anything just the zip file I need to place on the SD card is all I need I've looked everywhere spent all night I'm surprised I havnt bricked it I found 1 but qfil or qdloader wouldn't put it on the tablet I just want my tablet back.....

Dont know exactly why, but i managed it to run. Now all is fine. Thx 4 your help.

tapayn02 said:
I don't know exactly where to post I just need the plain stock image of the yt3 x50f ROW so I can put it on the tablet I somehow got a PRC CN ROM on it and now no Google apps or anything just the zip file I need to place on the SD card is all I need I've looked everywhere spent all night I'm surprised I havnt bricked it I found 1 but qfil or qdloader wouldn't put it on the tablet I just want my tablet back.....
Click to expand...
Click to collapse
Hi, I think flashing with only update.zip can cause bricked device like I bricked mine, fast search on lenovo-forums.ru gives me a link and another link to ROM flashed via QPST/QFIL, don't know if flashing can be done exacly with tools I unbricked mine YT3-850L, for details ask them at lenovo-forums.ru (You could use translate.google.com if You don't know Russian language, just as I did)

That's how I got the Chinese version on the tablet just putting it on the SD card

tapayn02 said:
That's how I got the Chinese version on the tablet just putting it on the SD card
Click to expand...
Click to collapse
The links above that I gave You isn't for flashing via SD-Card (dont flash It via Android recovery), It's mean to flash from PC via QFIL application.
When I was searching for ROM for my YT3-850L I found Chinese version too, i dont think You can find any update.zip with full ROM for Your Lenovo, there are only ROW's which are only updates from one version to another (not full android).
If You wish to try something i recommend backing up to .QNC file via QPST (it's NVRAM which stores IMEI, WIFI Mac, BT Mac, GPSID and other settings - for me it was additional sound not working).
The ROM's flashed via QFIL/QPST are full android backups, I don't think that in lenovo-forums.ru are Chinese versions.
If You go to lenovo-forums.ru there is at top on right on site button to choose language and translate so it's easy to read.

OK Thanks I'll give it a shot

hi wpinacz
i have lenovo yt3-850M tab and i install chines rom from through the sd card please give row version of qpst rom and very very thank for giveing yt3-850l row rom
i am very trbul this time if you help i feel greatful
thank you

rj3689 said:
hi wpinacz
i have lenovo yt3-850M tab and i install chines rom from through the sd card please give row version of qpst rom and very very thank for giveing yt3-850l row rom
i am very trbul this time if you help i feel greatful
thank you
Click to expand...
Click to collapse
Here's the link , be sure to READ INSTRUCTIONS before flashing, as I read it's mean to flash from PC not from SCDARD.
For all to know, I don't have any other ROM than for YT3-850L, different models (like "M" or "Y") are using different ROM than mine, the tools and drivers could be different to flash, the steps to flash device could be different too. So if anyone else got other version than "L" should be searching on other xda topics like here , or at lenovo-forums.ru

Thanks for help.
wpinacz said:
Hi all,
First of all I wanted to thank baikal0912 from lenovo-forums.ru , without Him this guide haven’t been possible, so all the glory and kudos go to Him in first place. (baikal0912 if You’re reading this – Thank You once again)
THIS GUIDE IS FOR LENOVO YOGA TAB 3 YT3-850L! AS ALWAYS I’M NOT RESPONSIBLE FOR DAMAGED DEVICES AND LOST DATA! ALWAYS MAKE BACKUP! (DON’T MAKE MY MISTAKES)
SOME HISTORY (read if You want to know how I bricked my device)
I had stock 5.1.1 Android on my Yoga, tablet has been updated to 6.0.1 in which i had problems with writing to SDCard (permissions), so I managed to unlock bootloader, flash TWRP, install Xposed and SDFix. Sadly after some time I saw that randomly applications disappeared (like Google Play Store).
So I was searching for 5.1.1 ROM (because I didn’t had any backup), only 2 ROM’s where available to download and it was for „M” model (YT3-850M) not „L”. First ROM was 785MB – it was only Chinese/English language, after flashing my device I saw that my LTE didn’t work, WIFI, BT, GPS and Sound doesn’t work either.
So I tried second ROM downloaded for „M”, It was 1,2GB and there were all languages available, but still LTE, WIFI, BT, GPS and Sound didn’t work.
I was searching for some info about my problem and manager to go to lenovo-forums.ru where I find out It’s because missing/damaged NVRam data (the data where tablet stores IMEI, Mac address and other stuff)
Surely It was my fault because I didn’t do any backup in first place (and yes, I’m an idiot)
Trying to find NVRam backup (in .QCN file) I ended in lenovo-forums.ru talking with baikal0912, He shared with me stock „L” ROM and trying to help me flash the device back again, so I made this topic because there is a problem finding „L” ROM and so everyone know how I flashed my device (which tools and drivers are needed, which mode to enter to flash device.
So let’s get started….
First, if Your tablet boots to Android make sure it has ADB debugging enabled (If You want to know how to enable ADB debug search the forum, there are plenty of answers)
Second make sure You grab SIMCard from device (You’ll gonna insert it later at end of my guide)
GRAB ALL THE NEEDED FILES: (ROM is 1GB 7zip compressed)
Code:
https://drive.google.com/drive/folders/0B2EmK9gw0mTdYUdJUGlDUm0zTW8?usp=sharing
You will need ROM (YT3-850L_S000026_151217_ROW_qpst.7z), QPST v2.7.429 (QPST_2.7.429.7z), drivers (Qualcomm USB Drivers For Windows.zip and Qualcomm_USBDriver_2.1.0.5_x64.cab), IMEI writing software (A100_WriteDualIMEI(W+G_eMMC).rar).
Also You are going to need ADB tools, search for them here at XDA (minimal ADB and fastboot).
NOTE: I’ve been trying to restore ROM with other QPST version and drivers without any success.
Install QPST, extract ROM to „C:\Lenovo” then connect turned on Yoga to PC, there should be 3 new devices shown in device manager named YT3-850M (in my case it was „M”, Yours can be „L”), install drivers from „Qualcomm USB Drivers for Windows.zip”, Windows should install two of them (modem fails to install, just ignore), the most important is device installed as „Lenovo HS-USB Diagnostics (COMx)” where X is Your COM port numer needed LATER.
ENTER FLASHING MODE
For now run ADB command to check if Your device is recognized:
Code:
adb devices
If It’s recognized then command will show You some numbers, if You’re ready to go then run this command:
Code:
adb reboot edl
Above command will change Android to something I call „Flashing Mode” (the screen on tablet will be black), for now tablet is waiting for flashing, You should now see that device manager in Windows shows only one new devices o install from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)”, note the COM port X needed to flash.
Others at forums tell me to enter „Diagnostic Mode” to start flashing but they were wrong, „Diagnostic Mode” is something else needed later.
FLASH THE DEVICE
Run QFIL.exe from installed QPST directory (c:\Program Files (x86)\Qualcomm\QPST\bin\), make sure to run with Administrator privileges (from right click context menu).
Code:
- Make sure that QFIL recognized Your device showing „Qualcomm HS-USB DQLoader 9008” with COM port numer at top of QFIL screen.
- Select FLAT BUILD
- In „Programmer Path” choose „Browse”, go to extracted ROM directory and choose file named „prog_emmc_firehose_8909_ddr.mbn”
- Click on „LoadXML” below on right, choose „rawprogram0” file, then choose „patch0” file
If You are 100% sure You want to flash then press blue „Download” button and wait to finish flashing (don’t disconnect or turn off tablet before it ends).
You should notice that in „Status” window in QFIL there should be LOG, here’s my example of LOG file (shortened, doesn't fit all):
Start Download
Program Path:C:\lenovo\prog_emmc_firehose_8909_ddr.mbn
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
FireHose Log: [email protected] [email protected]
Request payload size 0xc000 is not the same as support payload size, change to 0x100000
Request payload size 0x100000 is too big, reduce to 0x20000
FireHose Log: [email protected] [email protected]
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
ReadBackMode:No_Readback
Disable read back
Total Bytes To Program 0x86846CA0
Download Image
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
Program Size: 0.24 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 1064, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
.......
.......
.......
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7799808, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_8.img
FireHose Log: start 7799808, num 16
FireHose Log: Finished sector address 7799824
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7800712, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_9.img
FireHose Log: start 7800712, num 16
FireHose Log: Finished sector address 7800728
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8061952, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_10.img
FireHose Log: start 8061952, num 16
FireHose Log: Finished sector address 8061968
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8324096, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_11.img
FireHose Log: start 8324096, num 16
FireHose Log: Finished sector address 8324112
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8325000, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_12.img
FireHose Log: start 8325000, num 16
FireHose Log: Finished sector address 8325016
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8586240, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_13.img
FireHose Log: start 8586240, num 16
FireHose Log: Finished sector address 8586256
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8848384, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_14.img
FireHose Log: start 8848384, num 16
FireHose Log: Finished sector address 8848400
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8849288, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_15.img
FireHose Log: start 8849288, num 16
FireHose Log: Finished sector address 8849304
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9110528, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_16.img
FireHose Log: start 9110528, num 16
FireHose Log: Finished sector address 9110544
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9372672, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_17.img
FireHose Log: start 9372672, num 16
FireHose Log: Finished sector address 9372688
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9634816, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_18.img
FireHose Log: start 9634816, num 16
FireHose Log: Finished sector address 9634832
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9896960, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_19.img
FireHose Log: start 9896960, num 16
FireHose Log: Finished sector address 9896976
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9901032, Length: 218048 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_20.img
FireHose Log: start 9901032, num 218048
FireHose Log: Finished sector address 10119080
PROGRAM: Written Bytes 0x6a78000 (64)
Program Size: 106.47 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_main0.bin
FireHose Log: start 0, num 34
FireHose Log: Finished sector address 34
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_backup0.bin
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
Total Size: 2155.12 MB
Total Time: 265 Seconds
Throughput: 8.13 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-26., Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535654 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 1 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535679 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 1 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 30535679 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
FireHose Log: Patched sector 30535679 with 01D1EFDF
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
FireHose Log: crc start sector 2, over bytes 4096
FireHose Log: Patched sector 1 with 7315C503
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
FireHose Log: crc start sector 30535647, over bytes 4096
FireHose Log: Patched sector 30535679 with 7315C503
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 1 with 00000000
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
FireHose Log: crc start sector 1, over bytes 92
FireHose Log: Patched sector 1 with 2EB8C0BF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 30535679 with 00000000
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
FireHose Log: crc start sector 30535679, over bytes 92
FireHose Log: Patched sector 30535679 with B8615551
Total download file size: 2155,119MB
Total download time: 4 Min 26 Sec
Throughput: 8,096117MB/s
FireHose Log: Set bootable drive to 0.
Download Succeed
Finish Download
If there’s „Download Succeed” and „Finish Download” in LOG You could try to boot new ROM holding POWER button, the first boot should take some time, after boot don’t install any apps, we need to change IMEI before we use tablet.
CHECK IMEI
After booting check Your IMEI numer if exists in NVRam, go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
*#06#
If IMEI is good, skip to „Region Change” guide.
If IMEI is 0 then note Your IMEI from the „Standing Plate” of Your tablet.
WRITING IMEI
First shut down tablet, boot with holding „POWER” „+” and „-„ buttons, there should show something I call „Diagnostic Mode”, there will be some tests like:
Code:
1 SYSTEM INFO
2 KEYPAD BACKLIGHT
3 LCD BACKLIGHT
…..
…..
You should connect tablet to PC, and if You previously installed „Qualcomm USB Drivers For Windows.zip” drivers, then run WriteDualIMEI(W+G_eMMC).exe as Administrator.
Program will auto detect COM port, there will be two fileds (IMEI1, IMEI2), just insert Your IMEI in BOTH FIELDS, click START, wait to program show PASS.
If it pass, disconnect tablet from USB, click on REBOOT in „Diagnostic Mode”, choose „(3) Reboot to Android”, hit „OK”
After booting check IMEI number as mentioned above, if it’s ok then last thing to do is…
CHANGE REGION CODE
To change region code, to the same as checking IMEI but with other code, so go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
####682#
Region changing settings should appear, at top there is Your currently selected region, below You can choose new region, note that after changing region Android should reboot.
For now shut down Android, insert SIMCard, and enjoy.
That’s all, thanks for reading, I hope this guide will help someone like baikal0912 :good: helped me.
Regards.
P.S. If someone know how to enter „Flashing Mode” in other way than „adb reboot edl” let me know so I can update this guide (maybe there is someone who can’t boot device and enter „Flashing Mode” via ADB)
P.S.2. Flashing done under Windows 10 Home 64 bit, connected to USB 2.0
P.S.3. I haven't done Serial Number (SN) writing to tablet, don't know how.
P.S.4. Sorry for my bad English
Click to expand...
Click to collapse
Thanks WPINACZ, you took me out of that PRC rom. now i can use my tab once again. updated the chinese rom while downgrading and then was unable to load gaps or any google apps.
Your elaborate process took me out of the rom.:good::good::good::good:
Only thing to update is, i did it on the Windows 10 Pro. I did not have to install any drivers while following the procedures.
Thanks again.

I'm glad to know that my guide helped someone, I've made it because there wasn't any guide on net and so anyone could flash device fast, I've spent about 1 week to find all that I need to flash device because of work I had only few hours daily to write through translator in Russian language, hopefully I managed to meet baikal0912 who shared with me rom as I share with You, I've tested all drivers, tools and methods to bring back my Yoga to life and figured to write this guide so others can flash without problems.
Regards

Phone featuers not working
wpinacz said:
I'm glad to know that my guide helped someone, I've made it because there wasn't any guide on net and so anyone could flash device fast, I've spent about 1 week to find all that I need to flash device because of work I had only few hours daily to write through translator in Russian language, hopefully I managed to meet baikal0912 who shared with me rom as I share with You, I've tested all drivers, tools and methods to bring back my Yoga to life and figured to write this guide so others can flash without problems.
Regards
Click to expand...
Click to collapse
Dear WPINACZ,
only Q i have is now my tab is with 850L rom, which does not support Phone feature.But my tab earlier was 850M (with phone features). I don't need the phone but because of this few apps which i use regularly cannot be installed (basically because they need the phone permissions) Please if you could help.

Bhaskar1091 said:
Dear WPINACZ,
only Q i have is now my tab is with 850L rom, which does not support Phone feature.But my tab earlier was 850M (with phone features). I don't need the phone but because of this few apps which i use regularly cannot be installed (basically because they need the phone permissions) Please if you could help.
Click to expand...
Click to collapse
Sorry but I don't know any possible way to enable phone on L rom, I was reading how enable phone on other tablets (like Samsung) and the process needs rooted device and .zip patch for device which I don't think will work on Lenovo, messing with low level settings in QPST could damage device too, so I think the easiest and cleanest way is to grab M rom from lenovo-forums.ru
You could try to install some phone .apk from other developers but it won't enable phone permissions, and of course You can't make phone calls.

wpinacz said:
Here's the link , be sure to READ INSTRUCTIONS before flashing, as I read it's mean to flash from PC not from SCDARD.
For all to know, I don't have any other ROM than for YT3-850L, different models (like "M" or "Y") are using different ROM than mine, the tools and drivers could be different to flash, the steps to flash device could be different too. So if anyone else got other version than "L" should be searching on other xda topics like here , or at lenovo-forums.ru
Click to expand...
Click to collapse
thankyou my friend my problem for chines rom in my lenovo tab is solved by Brandon thank you very much

Debricking my Rockchip Device

I would like to share my experience from the weekend to help others.
At first let me explain the situation:
I got my A5X Max+ 64GB eMMC preinstalled with Android 8.1 but I thought that the latest firmware available on the net can maybe make a positive difference to the shipped one.
Seraching the web I found 3 different firmware version I thoght it would be good to give it a try.
An A5X MAX+ Android 8.1 firmware
An A5X MAX+ Android 7 firmware
An A5X MAX Android 9 firmware (non "+" uses a dirfferent WiFi Chipset,....)
Next Step folowing the firmware upgrade guides:
1. Trying to directly flash a new firmware via a SD card and SD_Firmware_Tool_v146_eng_AndroidPC failed
2. Trying to flash with a computer using RK_Batch_tool_v1_8_AndroidPC in combination with Rockchip_DriverAssitant_v4.4 is working
Ok no difference to the preinstalled one so next step flashing a different firmware.
The most interesting was the Android 9.0 firmware even when I know that it is for the non "+" version using a slightly different peripheral hardware.
So I use the Batch tool again and start flashing. ==> Do not flash similar firmware on any device.
The flash process abort after flashing only parts of the whole image.
My Box is not starting anymore, and there is no video output when booting and it is not recognized by my computer anymore via USB
My process to debrick my Device:
My luck when starting into Recovery it is still recognized via USB
Also there a dedicated test pins marked with TX, GND and RX so I connect a Serial to USB converter and check if I can find the problem.
I could not find out what kind of baud rate the serial is using neither Start/Stop Bit configuration.
A oscilloscope (Red Pitaya) helped a lot to see that the serial interface is working at a abnormal high baud rate: ~1350000 baud per second / 8N1
find here the current bootloop log:
normal boot
Code:
Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 10
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: normal
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNE D
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
DDR version 1.13 20180428
ID:0x805 N
In
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 193
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 286281
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b)
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
pressing and holding reset (without connecting to USB)
Code:
Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 10
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: normal
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNE D
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
DDR version 1.13 20180428
ID:0x805 N
In
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 193
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 286281
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
ERR [0x0] TEE-CORE:atags_get_tag:146: atags_get_tag: find unknown magic(d7f5f65b)
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.4
INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO: BL31: Preparing for EL3 exit to normal world
INFO: Entry point address = 0x200000
INFO: SPSR = 0x3c9
U-Boot 2017.09-02211-gd8ce1d0-dirty (Nov 27 2018 - 09:57:42 +0800)
Model: Rockchip RK3328 EVB
DRAM: 4 GiB
Relocation Offset is: fcbda000
Using default environment
[email protected]: 1, [email protected]: 0
Card did not respond to voltage select!
mmc_init: -95, time 9
switch to partitions #0, OK
mmc0(part 0) is current device
boot mode: None
bad resource image magic: oint (current EL)
DTB: rk-kernel.dtb
bad resource image magic: oint (current EL)
Can't find file:rk-kernel.dtb
init_kernel_dtb dtb in resource read fail
In: serial
Out: serial
Err: serial
Model: Rockchip RK3328 EVB
rockchip_set_serialno: could not find efuse device
CLK: apll 400000000 Hz
dpll 664000000 Hz
cpll 1200000000 Hz
gpll 491009999 Hz
npll 600000000 Hz
armclk 600000000 Hz
aclk_bus 150000000 Hz
hclk_bus 75000000 Hz
pclk_bus 75000000 Hz
aclk_peri 150000000 Hz
hclk_peri 75000000 Hz
pclk_peri 75000000 Hz
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
ca head not found
ANDROID: reboot reason: "(none)"
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
read_is_device_unlocked() ops returned that device is UNLOCKED
avb_slot_verify.c:637: ERROR: vbmeta: Error verifying vbmeta image: OK_NOT_SIGNED
get share memory, arg0=0x0 arg1=0x9e08000 arg2=0x3f8000 arg3=0x1
Booting kernel at 0x207f800 with fdt at f4dcfca0...
## Booting Android Image at 0x0207f800 ...
Kernel load addr 0x02080000 size 19005 KiB
## Flattened Device Tree blob at f4dcfca0
Booting using the fdt blob at 0xf4dcfca0
XIP Kernel Image ... OK
Loading Device Tree to 00000000081fb000, end 00000000081ff0f8 ... OK
Adding bank: 0x00200000 - 0x08400000 (size: 0x08200000)
Adding bank: 0x0a200000 - 0xff000000 (size: 0xf4e00000)
Starting kernel ...
"Synchronous Abort" handler, esr 0x02000000
* Relocate offset = 00000000fcbda000
* ELR(PC) = ffffffff064c6000
* LR = 0000000000201f00
* SP = 00000000f4dcf2a0
* ESR_EL2 = 0000000002000000
EC[31:26] == 000000, Exception with an unknown reason
IL[25] == 1, 32-bit instruction trapped
* DAIF = 00000000000003c0
D[9] == 1, DBG masked
A[8] == 1, ABORT masked
I[7] == 1, IRQ masked
F[6] == 1, FIQ masked
* SPSR_EL2 = 00000000600003c9
D[9] == 1, DBG masked
A[8] == 1, ABORT masked
I[7] == 1, IRQ masked
F[6] == 1, FIQ masked
M[4] == 0, Exception taken from AArch64
M[3:0] == 1001, EL2h
* SCTLR_EL2 = 0000000030c50830
I[12] == 0, Icache disabled
C[2] == 0, Dcache disabled
M[0] == 0, MMU disabled
* HCR_EL2 = 0000000000000002
* VBAR_EL2 = 00000000fcdda800
* TTBR0_EL2 = 00000000feff0000
x0 : 00000000081fb000 x1 : 0000000000000000
x2 : 0000000000000000 x3 : 0000000000000000
x4 : 0000000002080000 x5 : 0000000000000001
x6 : 0000000000000008 x7 : 0000000000000000
x8 : 00000000f4dcf320 x9 : 0000000001008000
x10: 000000000a200023 x11: 0000000000000002
x12: 0000000000000002 x13: 00000000f4dcf36c
x14: 00000000081fb000 x15: 00000000fcddb5a8
x16: 0000000000000002 x17: 00000000081ff0f9
x18: 00000000f4dd1da0 x19: 0000000000000400
x20: 00000000fcec52e0 x21: 0000000000000000
x22: 0000000000000003 x23: 00000000f4dcf630
x24: 0000000000000000 x25: 0000000002080000
x26: 00000000fcddbea4 x27: 0000000000000400
x28: 0000000002080000 x29: 00000000f4dcf480
SP:
f4dcf2a0: 00000000 00000000 00000000 00000000
f4dcf2b0: 00000000 00000000 fcea3759 00000000
f4dcf2c0: 00000000 00000000 00000000 00000000
f4dcf2d0: fcea37a0 00000000 fcea37c6 00000000
f4dcf2e0: fcea3813 00000000 fcea3860 00000000
f4dcf2f0: fcea38a0 00000000 fcea38e0 00000000
f4dcf300: fcea391d 00000000 00000000 00000000
f4dcf310: 00000000 00000000 fcea395a 00000000
f4dcf320: f4dcf480 00000000 fcddaa0c 00000000
f4dcf330: 00000400 00000000 fce9d415 00000000
f4dcf340: feff0000 00000000 00000002 00000000
f4dcf350: 30c50830 00000000 f4dcf2a0 00000000
f4dcf360: 600003c9 00000000 fcdda800 00000000
f4dcf370: 000003c0 00000000 02000000 00000000
f4dcf380: 030a0000 00000000 081fb000 00000000
f4dcf390: 00000000 00000000 00000000 00000000
Resetting CPU ...
WARN: PSCI sysreset is disabled
DDR version 1.13 20180428
ID:0x805 N
In
SRX
DDR3
333MHz
Bus Width=32 Col=11 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=4096MB
ddrconfig:3
OUT
Boot1 Release Time: Sep 7 2018 15:49:55, version: 2.49
ChipType = 0x11, 261
mmc2:cmd19,100
SdmmcInit=2 0
BootCapSize=2000
UserCapSize=59640MB
FwPartOffset=2000 , 2000
SdmmcInit=0 NOT PRESENT
StorageInit ok = 285008
Raw SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit ret = 0, SecureMode = 0
GPT part: 0, name: uboot, start:0x4000, size:0x2000
GPT part: 1, name: trust, start:0x6000, size:0x2000
GPT part: 2, name: misc, start:0x8000, size:0x2000
GPT part: 3, name: baseparameter, start:0xa000, size:0x800
GPT part: 4, name: resource, start:0xa800, size:0x8000
GPT part: 5, name: kernel, start:0x12800, size:0x10000
GPT part: 6, name: dtb, start:0x22800, size:0x2000
GPT part: 7, name: dtbo, start:0x24800, size:0x2000
GPT part: 8, name: logo, start:0x26800, size:0x8000
GPT part: 9, name: vbmeta, start:0x2e800, size:0x800
GPT part: 10, name: boot, start:0x2f000, size:0x10000
GPT part: 11, name: recovery, start:0x3f000, size:0x20000
GPT part: 12, name: backup, start:0x5f000, size:0x8000
GPT part: 13, name: cache, start:0x67000, size:0x80000
GPT part: 14, name: system, start:0xe7000, size:0x400000
GPT part: 15, name: metadata, start:0x4e7000, size:0x8000
GPT part: 16, name: vendor, start:0x4ef000, size:0x60000
GPT part: 17, name: oem, start:0x54f000, size:0x20000
GPT part: 18, name: frp, start:0x56f000, size:0x400
GPT part: 19, name: security, start:0x56f400, size:0x1000
GPT part: 20, name: userdata, start:0x570400, size:0x6f0bbdf
find partition:uboot OK. first_lba:0x4000.
find partition:trust OK. first_lba:0x6000.
LoadTrust Addr:0x6000
No find bl30.bin
HashBits:256, HashData:
6cf28742
2df532aa
1ea29e7b
85e4e128
9675b550
859f84c1
c47158c4
9373e8ea
CalcHash:
2a0cacfb
655bd8b6
09989b08
c0ff4464
9d525d13
47eb7212
89197119
20d1a938
bl31.bin_0:CheckImage Fail!
LoadTrust Addr:0x6400
LoadTrust Addr:0x6800
LoadTrust Addr:0x6c00
LoadTrust Addr:0x7000
No find bl30.bin
Load uboot, ReadLba = 4000
hdr 000000000337a380 + 0x0:0x50,0x41,0x52,0x4d,0x66,0x03,0x00,0x00,0x46,0x49,0x52,0x4d,0x57,0x41,0x52,0x45,
Load OK, addr=0x200000, size=0xeb934
RunBL31 0x10000
NOTICE: BL31: v1.3(debug):9d3f591
NOTICE: BL31: Built : 14:39:02, Jan 17 2018
NOTICE: BL31:Rockchip release version: v1.3
INFO: ARM GICv2 driver initialized
INFO: Using opteed sec cpu_context!
INFO: boot cpu mask: 1
INFO: plat_rockchip_pmu_init: pd status 0xe
INFO: BL31: Initializing runtime services
INFO: BL31: Initializing BL32
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-187-g3f0aafa6 #9 Wed Oct 31 06:28:55 UTC 2018 aarch64)
When connecting USB for flashing the Log shows the detection and do not loop anymore, it is waiting for the process to be initiated by the computer
I try to flash the Android 8.1 firmware without luck because the automatic checks stopped the process before starting
So I tried to flash with Factory Tool 1.6 but also without success, it is checking also before starting the flash process
Searching all over the web I found different versions of these tools and test newer ones but also without success.
After a while I found a Tool called Rockchip Android Tool 2.1 for Rockchip based single board computers.
This tool has much more options to check and flash a Rockchip board over USB.
Most of the checks failed and I figured out that a normal flashing process will always reboot the board into Maskrom mode
It seems that my device is not able to go into Maskrom Mode anymore because after starting the flash process it is reseting and booting normal (bootloop) instead of switching to Maskrom Mode.
A bit of evaluation tells me that the Maskrom Mode can also be achieved by shorting the Flash CLK to ground during boot. (I know a similar process for my Fire HD8 Tablet)
I checked if I can find the CLK line on the board but it seems that it is not accessably from the surface of the PCB.
After minutes of reaserch I figured out that there are also newer version of the Android Tool available and I tested all I can find.
Also Device drivers shall be updated due to a problem report of an Rockchip device singel board computer owner that has also some difficulties working with the tools.
My luck I found RKDevTool 2.52 (The new name of the Android Tool), in this tool a few of the tests for Rockchip devices are working and I was able to flash Android 8.1 and enter the Maskrom Mode sucessfully.
Now that my Device is back alive I will also post some logs and pictures of my device to help others when trying to debrick/reacticate from an unexpected state.

@sandman01
Try this

thanks for your post.
I think I was a bit to euphoric because my box is working again and I only want to share my experiance for others runnign in the same Situation.
It was hard to get all the Information out of the web, from multiple places.

sandman01 said:
thanks for your post.
I think I was a bit to euphoric because my box is working again and I only want to share my experiance for others runnign in the same Situation.
It was hard to get all the Information out of the web, from multiple places.
Click to expand...
Click to collapse
Ok no probs

Can't find those files on Drive anymore, can you please share them? Can't find a place to download RKDevtool
Thanks in advance

[GUIDE] UnBrick your OnePlus X on a Linux machine

DISCLAIMER: This guide describes procedures with tools that are designed to write directly to the storage of your device. This has the potential to lead to data loss or bricking your device. If you follow this guide carefully, none of these things should happen. That being said, you are still responsible for your own actions and how you handle the tools mentioned in this guide. Caution is advised.
When do i need this?​The following procedure can be used to get your device back into a booting state if all else fails. Usually you'd want to use this tool to get a working recovery running on your device and then go from there. If your bootloader is locked you can use this tool to flash the stock recovery again and unlock the bootloader as ususal.
If that is not sufficient, you can also reflash all of firmware, bootloader and stock recovery.
This guide is not needed if:​- The device still boots into stock recovery or TWRP
Flashing the official OxygenOS can fix many issues and you can unlock your bootloader as needed.
- The bootloader is unlocked. Use fastboot flash recovery <twrp image>
Check it with fastboot oem device-info
Use TWRP v3.0.2-0 with the OxygenOS 2 bootloader and the latest TWRP with the OxygenOS 3 bootloader.
- The ROM still boots and is rooted. Flash a stock recovery in a root shell:
adb root && adb shell
dd of=/dev/block/platform/msm_sdcc.1/by-name/recovery if=/sdcard/OxygenOS_recovery.img
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
On custom ROMs, you can usually enable root access for ADB in developer settings, even if you didn't root them youself.
If any link is dead, search for it on https://web.archive.org
Spoiler: Verify downloaded files
The OxygenOS recovery links download from OnePlus's official amazon cloud storage. To verify, compare with the OxygenOS download link from the official page. OnePlus no longer links to these files and provides no checksums, you can use these to verify your download:
Code:
de38f20e72da38d48899f14d022cc1b1cd6bff0f4a506adb7bcf0153e73b1934 OPX_recovery.img
2810feb0d87686ea0529d8718600fdf3181cf0c93f0b9e29e5f13004af0e2d84 OPX_MM_recovery.img
e2fb0f0fef7d644cf3e6c1c0699381074fd4a83f64be319b75b9942443a95c90 OnePlusXOxygen_14_OTA_019_all_201611071506_03f73e21449d4d31.zip
fd58d703cf677dc5148ab5dd0f4af6c3df13faeb51166719e17aa192a86a6c0a OPX_UnBrick_Mini_By_Naman_Bhalla.zip
Don't continue unless you actually checked if your bootloader is still unlocked. Sometime it is re-locked on accident if some things go wrong.
Recovery and ROM only boot with a compatible bootloader. If you're not sure, try one then the other.
There are two major versions of the OnePlus X bootloader, one from OxygenOS 2 (Lollipop) and one from OxygenOS 3 (Marshmallow), released ca. September 2016, all newer ROMs should be compatible.
Trying to boot into a ROM or recovery that is incompatible with the installed bootloader will get you stuck on the bootlogo screen. On the OxygenOS 2 bootloader the "Powered by Android" part will disappear.
A locked OxygenOS 2 bootloader will boot any compatible software.
A locked OxygenOS 3 bootloader will only boot software signed by OnePlus. When trying to boot an unsigned ROM or recovery the device will vibrate, splash the bootlogo for a second and reboot, resulting in an endless loop.
If all else fails: Flashing through EDL​
You may know the legendary Mega Unbrick Guide for A Hard Bricked OnePlus X by Naman Bhalla but it only works on Windows.
It uses EDL, a hidden Qualcomm interface that allows direct read/write access to the devices flash storage to restore firmware, bootloader and stock recovery.
EDL is a powerful tool. A device in EDL mode will follow all instructions given to it without checking whether it would be a good idea to do so. If the instructions tell your device to overwrite userdata, IMEI or MAC address it will do so. Only flash files that are meant for your device. Don't edit any file unless you know what it does.
Preparation:​You need to be at least somewhat familiar with the command line to do this.
- Install git from your distribution
- Download and compile the open source flashing tool QDL. Follow the section "Get the Linux flashing tool" from these instructions.
- Temporarily add QDL to your $PATH with export PATH="$(pwd):$PATH"
QDL must be able to communicate with your device. You can install the appropriate udev rules right now or try it without them first.
- Open a text editor sudo nano /etc/udev/rules.d/51-edl.rules
- Copy these rules and paste them. Ctrl+S to save, Ctrl+X to exit
- The rules should apply the next time you connect your device
- If flashing does not work check the file contents: cat /etc/udev/rules.d/51-edl.rules
- If you can't read the file: sudo chmod a+r /etc/udev/rules.d/51-edl.rules
- If the new rules still don't load for some reason: sudo udevadm control --reload
- Download the "UnBrick tool mini" as uploaded by Naman Bhalla. (direct link)
- Create a clean working directory and extract the zip file.
Customize what to flash:​By default, the UnBrick tool mini will flash OxygenOS 2 bootloader, firmware and stock recovery. From there you can flash the latest OxygenOS and unlock your bootloader again for a clean start.
Flashing OxygenOS will always install a compatible bootloader and firmware and OxygenOS will automatically upgrade the recovery during the boot process.
If this is what you want just skip to the next step.
The UnBrick tool will flash config.bin and persist.img and reset these partitions.
Resetting config will re-lock the bootloader.
Resetting persist will require it to be repopulated again. OxygenOS can do this but most Custom ROMs will have broken sensors.
If you don't want to flash certain files, rename them or move them to another directory.
If you only want to flash certain partitions like the recovery, create a new directory, e.g. flash_recovery-only. Download the recovery version you need:
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
Copy it to the new directory and rename it to recovery.img to match the filename the UnBrick tool uses.
Additionaly, copy these files from the UnBrick tool:
gpt_main0.bin
gpt_backup0.bin
patch0.xml
prog_emmc_firehose_8974.mbn
rawprogram0.xml
Main procedure:​
cd to the directory with the files from the UnBrick tool. Go to your custom directory if you created one in the previous step.
Run qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml
QDL will wait for your device to connect.
If QDL asks for permissions go back to "Preparation" and install the udev rules.
With the OnePlus X powered off hold VolUp and connect it to the PC. Otherwise, connect it to the PC first and hold Power+VolUp until it connects in EDL mode.
To verify the connection you can check lsusb or sudo dmesg -w
Devices in EDL mode show up with idVendor=05c6 and idProduct=9008, usually as Product: QHSUSB__BULK
lsusb example: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
To filter the output: lsusb -d 05c6:9008
QDL should print several lines of output, reporting what is flashed etc.
Once it's done, QDL will kick your device out of EDL mode. If everything is alright your phone should vibrate and boot to the charging screen. You should be able to boot to recovery now.
Congratulations on unbricking your device on a Linux machine, enjoy.
Changelog:
2019-12-12 - Original post
??? - undocumented edits
2020-05-24 - Fix possible execution of QDL without patch0.xml which would break the partition table
2022-09-05 - Fix unnessesarily confusing instructions

Thanks

I have a new TWRP on my OPX, but I don't really know what to change in the rawprogram0.xml file.

emilianoheyns said:
I have a new TWRP on my OPX, but I don't really know what to change in the rawprogram0.xml file.
Click to expand...
Click to collapse
I'm not sure if i correctly understood your situation so i am going to assume the folloing:
- You are running a Linux based operating system on your desktop computer
- You have downloaded all necessary files as mentioned in the guide and successfully compiled qdl
- You want to use modern (newer than 2016) ROMs and the current OnePlus firmware and bootloader, i.e. from OxygenOS 3.1.4
- On your OnePlus X, you have "the old bootloader" installed, that is firmware prior to OxygenOS 3 (based on Marshmallow), i.e. firmware from OxygenOS 2.2.1 or similar
- Additionally, you accidentaly flashed TWRP version 3.0.2-1 or newer to your OnePlus X and rebooted into a soft-bricked state
If these assumptions are correct, i suggest as the easiest solution to reflash a compatible TWRP and update your firmware using that version of TWRP. If you can use your recovery, it is almost always the easiest method to make any remaining modifications in the recovery.
The procedure is as follows:
- From https://dl.twrp.me/onyx/, download TWRP version 3.0.2-0 and 3.3.1-0
- Reflash an old version of TWRP that is compatible, i.e. anything version 3.0.2-0 and below.
Once you flashed TWRP in one way or another, continue with the following steps to update your bootloader:
- Reboot to that version of TWRP to see if you succeeded
- In TWRP, install either one of the following to update your firmware:
- The official OxygenOS 3.1.4 zip downloaded from OnePlus via https://www.oneplus.com/support/softwareupgrade​- Only the firmware by following this guide: https://forum.xda-developers.com/oneplus-x/general/guide-update-bootloader-firmware-to-t347891766​- Copy to your device: twrp-3.3.1-0-onyx.img and the installation zip you chose in the previous step
- Flash the zip in TWRP. Once TWRP is done flashing, immediately flash a version of TWRP 3.0.2-1 or later to recovery
- In TWRP, choose Reboot > Recovery. If your OnePlus X reboots to TWRP, everything went good and you can go on to flash roms and anything else like you're used to. Just note that very old ROMs (like from 2016 and before) will no longer boot on your device, but you can revert your Firmware by flashing the follwing zip: https://forum.xda-developers.com/oneplus-x/general/zip-recovery-flashable-firmware-radio-t3381420
Just remember that immediately after flashing this zip in TWRP, you have to flash TWRP version 3.0.2-0 or older again.
Now, there are some differnt cases that affect how TWRP initially needs to be flashed:
1. Your OnePlus X bootloader is not locked
(tested by running "fastboot oem device-info" on your desktop while your phone is connected in fastboot mode)
If your bootloader is still unlocked you can avoid the hassle of using qdl and simply resort to "fastboot flash recovery <recovery image file>" to fix your device.
2. Your ROM still boots and that ROM is rooted.
In this situation you can still avoid going through the hassle of using qdl.
All you need to do is to get a root shell running. There are several ways to achieve this:
- In a Terminal Emulator on the device run the command "su"
- On a desktop with your phone connected with adb enabled:
- Run either "adb root" and then "adb shell"
- Or run "adb shell" and within that shell, run "su"
Once you got the shell running you can flash your recovery with
"dd of=/dev/block/bootdevice/by-name/recovery if=/sdcard/twrp-3.0.2-0-onyx.img"
To get the image to your device if downloaded on your desktop you can use "adb push twrp-3.0.2-0-onyx.img /sdcard/"
3. Your ROM does not boot or is not rooted.
This is the case where you absolutely need qdl and the situation i assume you are in.
Once you downloaded and unpacked the package from Naman Bhalla, you should see a directory containing the rawprogram0.xml and prog_emmc_firehose_8974.mbn files and a lot of others. You can take just the rawprogram0.xml and the prog_emmc_firehose_8974.mbn file and copy them to your working directory for the next steps.
Now, open rawprogram0.xml in a text editor. Search for the string "recovery". You will see a line starting with "<program" and ending in "/>". In your case, only the line containing " label="recovery" " and " filename="recovery.img" " is relevant. Remove all other lines starting with "<program" and save. Optionally, rename the file to "program-onyx-recovery.xml" or something you will recognize. This might be useful if you plan to keep the file and use it again in the future.
Now, optionally change filename="recovery.img" to the file name of your TWRP file or just rename your downloaded TWRP file to "recovery.img".
To flash, make sure that the following files are in your working directory:
- prog_emmc_firehose_8974.mbn
- rawprogram0.xml (but your customized version)
- recovery.img (whatever recovery you want to flash)
If that is settled, run qdl as explained in my initial guide in the original post to flash the recovery file.
Edit 2022-09-04: This whole paragraph only applies to the OxygenOS 2 bootloader. A locked OxygenOS 3 bootloader will only boot a signed ROM or a signed recovery. However, the device storage can always be dumped through EDL and the final point about encryption always applies.
Some final remarks on locked bootloader on the OnePlus X:
For the future, remember to just keep your bootloader unlocked. It can save you a lot of hassle.
And if you feel uncomfortable about walking around with an unlocked bootloader:
Re-locking the bootloader while TWRP is installed doesn't give any security benefit at all (for obvious reasons). Even if your Recevery would not be open to any local attacker, a locked bootloader doesn't give you much of a benefit on the OnePlus X.
Yes, the generic attac surface of simply using "fastboot flash" is gone, but remember how easy it is to find the UnBrick tool for the OnePlus X we used in this guide. Any attacker can use it as well to flash a malicious recovery onto your device, even if your bootloader is locked - and your OnePlus will boot it.
This is because the OnePlus X does not support Android Verified Boot. This is a security feature on newer Android devices that prevents booting unsigned software if the bootloader is locked. This can prevent flashing malicious firmware, OS or revovery onto a device. But since it also prevents booting TWRP you'd likely be walking around with an unlocked bootloader anyway even if your device were to support this security feature.
Funnily enough, this leads to the conclusion that running your OnePlus X with stock OxygenOS, Recovery and locked bootloader is about as insecure as running TWRP and having an unlocked bootloader if we are talking about an attacker with physical access to the device who also knows about this tool. And since such a tool exists for pretty much every android device as it is originally used to flash these devices in their factories and can be publicly found for most devices, it can be assumed that any attacker has access to this tool.
So remember, the only protection you can have on a OnePlus X is encrypting your data with a strong passcode and hoping that your data stays private even if you might lose your device.

I have no problems with having an unlocked bootloader -- I thought this device had one already. Yesterday it was running TWRP3.0.2-1 and LOS Marshmellow, I just screwed it up trying to upgrade it to an unofficial LOS16. It would first bootloop constantly, then I tried QDL, and now it doesn't even seem to turn on; I can hold the power button for a full minute but the screen remains black, and there's no vibration as I'm used to. It does show up in QDL mode; I tried the procedure as per point 3, using twrp-3.0.2-1 as the recovery image. QDL says:
Code:
HELLO version: 0x2 compatible: 0x1 max_len: 1024 mode: 0
READ image: 13 offset: 0x0 length: 0x50
READ image: 13 offset: 0x50 length: 0x1000
READ image: 13 offset: 0x1050 length: 0x1000
READ image: 13 offset: 0x2050 length: 0x1000
READ image: 13 offset: 0x3050 length: 0x1000
READ image: 13 offset: 0x4050 length: 0x1000
READ image: 13 offset: 0x5050 length: 0x1000
READ image: 13 offset: 0x6050 length: 0x1000
READ image: 13 offset: 0x7050 length: 0x1000
READ image: 13 offset: 0x8050 length: 0x1000
READ image: 13 offset: 0x9050 length: 0x1000
READ image: 13 offset: 0xa050 length: 0x1000
READ image: 13 offset: 0xb050 length: 0x1000
READ image: 13 offset: 0xc050 length: 0x1000
READ image: 13 offset: 0xd050 length: 0x1000
READ image: 13 offset: 0xe050 length: 0x1000
READ image: 13 offset: 0xf050 length: 0x1000
READ image: 13 offset: 0x10050 length: 0x1000
READ image: 13 offset: 0x11050 length: 0x1000
READ image: 13 offset: 0x12050 length: 0x1000
READ image: 13 offset: 0x13050 length: 0x1000
READ image: 13 offset: 0x14050 length: 0x890
END OF IMAGE image: 13 status: 0
DONE status: 0
qdl: failed to read: Connection timed out
LOG: Host's payload to target size is too large
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: start 1409024, num 31680
LOG: Finished sector address 1440704
[PROGRAM] flashed "recovery" successfully at 3960kB/s
no boot partition found
but the OPX still won't boot.

Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and installing custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fasboot Mode" will be displayed in the middle of the screen along with the oneplus logo.
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
What do you mean by "bootloop constantly"? Could you not boot the recovery?
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
If you really had TWRP 3.0.2-1 running before all your problems started, then doing so initially soft-bricked your device to begin with, as i outlined in footnote [1] of my original post.
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
4. Run QDL with the unmodified files from the UnBrick tool that is linked in my original post
5. Phone does not react to button presses except when putting into EDL mode
6. Run QDL with recovery only as described in Point 3 of my follow up post, with the image file of TWRP version 3.0.2-1, QDL repoted success
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Dees the phone vibrate and bring up the OnePlus logo?]

I've followed the mentioned steps and Im still stuck on linux logo..
I desesperately need help, bought a bricked second hand Oneplus X which I know nothing of in terms of past actions but previous owner

BolitaBolita said:
I've followed the mentioned steps and Im still stuck on linux logo..
I desesperately need help, bought a bricked second hand Oneplus X which I know nothing of in terms of past actions but previous owner
Click to expand...
Click to collapse
If you did not modify any files from the unbrick tool by Naman Bhalla and qdl ran through sucessfully, it should have flashed a compatible combination of bootloader and stock recovery so you should be able to reboot to that one.
If this is not the case, you can also go with flashing just a TWRP image. Since there are really just two possible versions of the bootloader (at least in regards to booting compatibility) this should succeed after the second try at most. If not, it means that some other stuff might be broken as well.
As i wrote in my OP, for the OnePlus X any TWRP v3.0.2-0 or older is compatible with the "old bootloader" (Lollipop) and any TWRP v3.0.2-1 or newer is compatible with the "new bootloader" (Marshmallow).
What you basically want to achieve is to just get any recovery booting (be it Stock, TWRP, orangefox or any other useful recovery). From that point, it is fairly easy to get anywhere else on the OnePlus X.
As for other things that can break:
Most of the partitions in your device can be restored to an intact state by flashing an official OxygenOS zip (https://www.oneplus.com/support/softwareupgrade). There are some other ways but this is the safe and easy method.
Only a few partitions cannot be restored once tampered, since they are unique to the specific device. If this happens to be the case, then it can be fairly hard to fix. If the previous owner had unlocked the devices bootloader and flashed some stuff on it, you should ask them whether they might have some TWRP backups around, namely of the partitions "Persist" and "EFS".

SebiderSushi said:
If you did not modify any files from the unbrick tool by Naman Bhalla and qdl ran through sucessfully, it should have flashed a compatible combination of bootloader and stock recovery so you should be able to reboot to that one.
If this is not the case, you can also go with flashing just a TWRP image. Since there are really just two possible versions of the bootloader (at least in regards to booting compatibility) this should succeed after the second try at most. If not, it means that some other stuff might be broken as well.
As i wrote in my OP, for the OnePlus X any TWRP v3.0.2-0 or older is compatible with the "old bootloader" (Lollipop) and any TWRP v3.0.2-1 or newer is compatible with the "new bootloader" (Marshmallow).
What you basically want to achieve is to just get any recovery booting (be it Stock, TWRP, orangefox or any other useful recovery). From that point, it is fairly easy to get anywhere else on the OnePlus X.
As for other things that can break:
Most of the partitions in your device can be restored to an intact state by flashing an official OxygenOS zip (https://www.oneplus.com/support/softwareupgrade). There are some other ways but this is the safe and easy method.
Only a few partitions cannot be restored once tampered, since they are unique to the specific device. If this happens to be the case, then it can be fairly hard to fix. If the previous owner had unlocked the devices bootloader and flashed some stuff on it, you should ask them whether they might have some TWRP backups around, namely of the partitions "Persist" and "EFS".
Click to expand...
Click to collapse
Thank you for your reply SebiderSushi.
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
I've managed to unlock the bootloader and tried to flash the official OsOxygen zip. The update stopped halfway and the phone bricked once again.
I've tried the Naman Bhalla unbrick tool with the MSMdownloadtool 2.1 (previously attempted 2.0). The process runs successfully, until its marked in green 'download complete'. Phone still bricked.
I'm currently attempting with QFIL through this thread https://www.droidsavvy.com/unbrick-qualcomm-mobiles/
Drivers correctly installed, port 9008 is detected and QFIL is currently. I'm using the files from the unbrick tool by Naman Bhalla for this. The output is the following:
Process Index:0
Programmer Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
Image Search Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla
Please select the XML file
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Ack Raw Data:False
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:3
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
Request payload size 0xc000 is not the same as support payload size, change to 0x20000
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
Total Bytes To Program 0x62AE4A0
Download Image
PROGRAM: Partition 0, Sector: 0, Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_backup0.bin
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_main0.bin
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 1609554, Length: 1024 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
PROGRAM: Written Bytes 0x80000 (64)
Program Size: 0.50 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x254
PROGRAM: Partition 0, Sector: 1460242, Length: 596 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\logo.bin
PROGRAM: Written Bytes 0x4a800 (64)
Program Size: 0.29 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x74f0
PROGRAM: Partition 0, Sector: 1409024, Length: 29936 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\recovery.img
PROGRAM: Written Bytes 0xe9e000 (64)
Program Size: 14.62 MB
PROGRAM: Replace the partition sectors number 0x10000 to file size in sector 0x26a3
PROGRAM: Partition 0, Sector: 294912, Length: 9891 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\persist.img
PROGRAM: Written Bytes 0x4d4600 (64)
Program Size: 4.83 MB
PROGRAM: Partition 0, Sector: 259048, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\static_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Partition 0, Sector: 238568, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\dynamic_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x28d
PROGRAM: Partition 0, Sector: 229376, Length: 653 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\tz.mbn
PROGRAM: Written Bytes 0x51a00 (64)
Program Size: 0.32 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x174
PROGRAM: Partition 0, Sector: 182272, Length: 372 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\rpm.mbn
PROGRAM: Written Bytes 0x2e800 (64)
Program Size: 0.18 MB
PROGRAM: Replace the partition sectors number 0x800 to file size in sector 0x380
PROGRAM: Partition 0, Sector: 180224, Length: 896 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\emmc_appsboot.mbn
PROGRAM: Written Bytes 0x70000 (64)
Program Size: 0.44 MB
PROGRAM: Replace the partition sectors number 0x40 to file size in sector 0x17
PROGRAM: Partition 0, Sector: 148480, Length: 23 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sdi.mbn
PROGRAM: Written Bytes 0x2e00 (64)
Program Size: 0.01 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x22d
PROGRAM: Partition 0, Sector: 147456, Length: 557 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sbl1.mbn
PROGRAM: Written Bytes 0x45a00 (64)
Program Size: 0.27 MB
PROGRAM: Replace the partition sectors number 0x20000 to file size in sector 0x1c983
PROGRAM: Partition 0, Sector: 16384, Length: 117123 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\NON-HLOS.bin
PROGRAM: Written Bytes 0x3930600 (64)
Program Size: 57.19 MB
Total Size: 98.68 MB
Total Size: 28 Seconds
Throughput: 3.52 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
PATCH: Partition 0, Sector: 0, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
Total download file size: 98.68066MB
Throughput: 3.524309M/s
Reset Phone
Waiting for reset done...
Download Fail:FireHose Fail Fail to find QDLoader port after switch
Finish Download

BolitaBolita said:
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
Click to expand...
Click to collapse
Now what exactly do you even mean when you say "Bricked"?
If you can boot into recovery, then your device is usually not bricked, but even if, it is usually not in a state where using a flashing tool and risking to **** up the device for good has any real advantage over solving whatever problem in the recovery.
As long as your device doesn't have any hardware errors (broken storage) then the official OnePlus Recovery should almost always be able to install the official OxygenOS.
Under what terms did you even buy this device? How did the previous owner describe the state of the device and its defects if they mentioned them?
BolitaBolita said:
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
Click to expand...
Click to collapse
You are using windows, so how did you even end up in this thread?

Sorry for the delay -- I thought I had set up notifications and didn't want to push on the point until you had time, but I did not receive a notification for this.
SebiderSushi said:
Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and installing custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
Click to expand...
Click to collapse
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
SebiderSushi said:
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fasboot Mode" will be displayed in the middle of the screen along with the oneplus logo.
Click to expand...
Click to collapse
broadly, that is what I had done before, but right now I don't even get the fastboot logo.
SebiderSushi said:
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Click to expand...
Click to collapse
Right, but I had passed that station before, as it was running LOS.
SebiderSushi said:
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
Click to expand...
Click to collapse
No, I did all this myself, but screwed up the update to a non-official LOS.
SebiderSushi said:
What do you mean by "bootloop constantly"? Could you not boot the recovery?
Click to expand...
Click to collapse
I could not, no, but now I'm not even getting the fastboot logo
SebiderSushi said:
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
Click to expand...
Click to collapse
Correct, yes.
SebiderSushi said:
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
Click to expand...
Click to collapse
Initially I could get to recovery, I tried to upgrade to the latest TWRP for the OPX, when I tried to restart that to recovery, it would just vibrate and reboot continuously
SebiderSushi said:
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Dees the phone vibrate and bring up the OnePlus logo?]
Click to expand...
Click to collapse
Currently, the screen stays black, and I can hold volume up or power for 20 seconds with no reaction (no vibrate, no logo)

First off, i'm extremely sorry for my delay! I also happened to notice your message just today.
Right now i got around and tried reproducing your scenario on my own OnePlus X.
As you said that you ran the unmodified setup from the unbrick tool according to my guide, i did as well - and ran into the same issue you were describing.
After some fiddling around, i realized that you must supply the patch0.xml file as well for a complete flash on the OnePlus X when you also modify the GPT (partition table), which the unmodified rawprogram0.xml does. This is not the case if you only install a recovery or other individual partitions so it slipped my mind. I deeply apologize for not testing the command line for the unmodified UnBrick tool package well enough while writing my Guide.
If nothing else is wrong, running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml"
with the unmodified UnBrick tool will fix the device back to a booting state with the stock recovery and Lollipop Bootloader installed on the device., it did so in my case.
Alternatively, if you don't want to reflash all partitions from the package, you can also just try running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn patch0.xml"
Short of any good documentation, i guessed that the problem appeared because the unmodified rawprogram0.xml also writes the GPT table in its last two program elements. If you look in patch0.xml, you can see that it takes care of the GPT in some way. Once i removed the two program items regarding the GPT, rawprogram0.xml could be applied without needing to flash patch0.xml together with it.
So i assume that it is safe to individually flash any partition listed it rawprogram0.xml apart from the GPT. If your GPT is not in a valid state, there's not much booting going on, since your device won't be able to even read your bootloader from the disk without a partition table.
emilianoheyns said:
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
Click to expand...
Click to collapse
While this implies that you very likely once had an unlocked bootloader to allow installation of TWRP to your device, it is not necessarily the case. For one, it is possible to re-lock the bootloader on the OnePlus X and still boot and use custom recoveries and software. Only flashing images via fastboot becomes impossible again if you relock the bootloader. This is because the OnePlus X is a fairly old device (remember it came out with android 5.1). Such old devices don't support features like Android Verified Boot yet. This is the standard on modern android devices and it implies that a locked bootloader should only load and boot untampered system partitions as signed by the device vendor.
Edit 2022-09-04: I was wrong about this. This only applies to the OxygenOS 2 bootloader. Trying to boot an unsigned ROM or recovery with an unlocked OxygenOS 3 bootloader causes the exact symptoms that were described; The bootloader repeatedly tries booting in an infinite loop. Probably the LOS fash that went wrong caused the bootloader to re-lock, which is why rebooting to recovery didn't work afterwards as well as booting the ROM.
Also, qdl (or any othe software using the Qualcomm Emergency Download Mode) can also install custom Recoveries or ROMs to the devices without unlocking the bootloader and flashing stuff through fastboot.

After that, you can also boot back into fastboot mode and the run
fastboot oem device-info
from your computer to check if your devices bootloader is currently unlocked or not. If it is not, this is a perfect chance to unlock it, since you already got the official recovery installed and probably no user data to take care of anyway.

Hi, thanks for getting back to me. The problem I'm facing currently is that the OPX currently seems unresponsive -- the screen stays black, and no vibration, seemingly regardless of what button combination I use or how long I keep it on the charger. Any idea what key combo is most likely to bring it up in a state that QDL would see it?
I have fetched a fresh copy of OPX_UnBrick_Mini_By_Naman_Bhalla; I'm sorry to have to ask again, but I should then copy over prog_emmc_firehose_8974.mbn, rawprogram0.xml and patch0.xml unchanged, and run `/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml`? I think I'd prefer to get it back to a booting state to then figure out what I can safely flash on it.
---------- Post added at 04:35 PM ---------- Previous post was at 04:30 PM ----------
I should note, if I connect the charger, the red charging light comes on for a second, maybe two, end then goes out again. It does not come back on unless I plug in again, even if I let it charge overnight.

In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
If you want to flash the default confuguration of the unbrick tool you must open your terminal window in the folder you extracted from the download (or cd to it). This is because the files that are flashed to the device are in this folder as you caj see and they are being referenced with relative paths / their filenames from within "rawprogram0.xml".

SebiderSushi said:
In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
Click to expand...
Click to collapse
Ah well, it must have died somewhere along the way then. When I do that, even after having it on the charger, nothing shows up in dmesg. Thanks in any case!

I wouldn't give up just yet. The actual rule for entering EDL mode on the OnePlus X is:
- The device must be powered off at the beginning
- The Volume Up button must be in pressed state when connecting it to the computer
Edit 2022-09-04: I was wrong about this. It is also possible to hold Power+Vol Up while connected to the PC until the device shows up in dmesg -w
Everything else, like waiting few seconds here and there is mostly safeties to ensure each state is entered or recognized cleanly.
I mostly had my phone running fresh from the last flashing process, which means that qdl had turned it off cleanly for me. So i definitely had good conditions to enter EDL mode.
I don't know what's going on with your notification LED since i didn't notice this on my device or payed any attention to it - but it might indicate that your phone could be in a not cleanly powered off state.
You can still try pressing the power button for a longer time (maybe about 10 to 30 seconds) to see if that switches off your device the right way before you retry entering EDL mode.
Or do any other experiments pressing buttons or try with different cables.
When was the last time you could successfully connect your device in any mode and which mode was it?

The symptoms you described about black screen, no vibrations or any reaction to button presses were also present on my device as well so this is i'd guess it's just normal for the state.

If you get it back to a booting state you should be able to install the official OxygenOS right from the stock recovery, or flash a compatible TWRP image using qdl or fastboot and copy any remaining data that you want to keep.

@SebiderSushi, could you please take a look at >this post< and hint if anything else can be done using edl on linux?