[R&D][UNBRICKING] - Thread for trying to solve the OTA brick problem - Nexus 7 (2013) General

Intro
Someone contacted me because of my work unbricking Amlogic tablets and sent me their bricked Nexus 7 2013 32GB Wifi version tablet. I have the same tablet and I’ve been exploring unbricking options and looking at the devices. I have not found a solution yet but I have found a lot of interesting things. I worked on several models of Ainol's AML8726-MX SoC tablets and unbricked them from various states, including having no signs of life and jumping some pins on the nand chip to get it recognized by the computer. Some tablets had similar problems to the Nexus when the bootloader was corrupted from a bad flash. The internal memory showed as zero in TWRP and the tablets wouldn't boot into the system. Checking debug logs showed the memory chip was not initializing. The Ainol tablets don't have a bootloader with a GUI but they did have an external SD card slot, so the tablet could boot from the SD card and run a "rescue flash". If that didn't work, Amlogic also had low-level USB Burning software to write to the tablet, although special files were needed and flashing was tricky.
I don’t know if we will be able to fix the Nexus tablets with this problem or if they are even fixable with the tools available but I’m providing all this information because I’m working on the problem in my spare time and maybe other people want to experiment with their bricked devices as well. There are a couple obvious routes to explore, one being Qualcomm's QPST and QFIL software, as well as other similar software programs for these chips, like the BoardDiag Tool. Another option is to try and boot the tablet from a "rescue card" like I used for the Ainol tablets but to do it through an On-The-Go cable. Even if we don't unbrick any tablets, if anything, at least this thread might provide some documentation on the Nexus 7 2013 that doesn’t seem to be available elsewhere. I’ll keep updating this thread with new info and links to drivers, software, documentation and relevant websites. I’ll post what I’ve updated into the “Updates to this thread” section.
The problem
OTA update bricks device and we get one of the following scenarios:
Users can enter fastboot but can not flash, format or erase anything. Trying to start the device or boot into recovery gets stuck on the Google screen with the lock icon.
Same as above but when entering a recovery like TWRP, device hangs on the TWRP logo screen.
Users can not enter fastboot. Plugging the device into the computer shows QHSUSB_DLOAD in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB QDLoader 9008 in the device manager
Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB Diagnostics 9006 in the device manager
In 9006 mode the storage shows as Qualcomm MMC Storage USB Device in the Device Manager
---
Trying to flash or format in fastboot returns the following error:
Code:
FAILED <status read failed <Too many links>>
I’ve figured out a way to boot into TWRP and have started collecting logs and other information about the problem. I’ve also figured out the majority of fastboot oem commands which I’ll list below. The device is not initializing the MMC card when it starts up. In dmesg we can see the error:
Code:
mmc0: error -110 whilst initialising MMC card
Where on a working device we see:
Code:
mmc0: new HS200 MMC card at address 0001
mmcblk0: mmc0:0001 MMC32G 28.8 GiB
In the TWRP log we see:
Code:
E: Could not mount /data and unable to find crypto footer.
E: Unable to mount ‘/data’
E: Unable to recreate /data/media folder.
Updating partition details…
E: Unable to mount ‘/system’
E: Unable to mount ‘/data’
E: Unable to mount ‘/cache’
...done
E: Unable to mount storage
E: Unable to mount /data/media during GUI startup
E: Unable to mount ‘/cache’
Full SELinux support is present.
E: Unable to mount ‘/cache’
E: Unable to set emmc bootloader message.
E: Unable to mount ‘/cache’
E: Unable to mount /data/media/TWRP/ .twrps when trying to read settings file.
E: Unable to mount ‘/data’
MTP Enabled
Trying to wipe partitions or flash in TWRP fails because the card isn’t mounted at all and the partition table isn’t being read. Everything is running in the RAM and the only filesystems mounted are rootfs, tmpfs, devpts, proc, sysfs, selinuxfs and tmpfs.
Checking the partition table in fastboot using “fastboot oem gpt-info” does return the same results as a working device though. When booting into TWRP we can see “Nexus 7” as an MTP device but there is nothing on it. In Qualcomm’s 9006 Diagnostics mode we can see the device under disk drives in the device manager as Qualcomm MMC Storage USB Device but it doesn’t show up in Qualcomm’s 9008 Download mode. In disk management we can see it as an Unknown 28.81 GB Unallocated Disk. We can see the same thing in MiniTool Partition Wizard but neither Windows nor MiniTool can initialize or format the disk. In HDD Raw Copy Tool the device shows as Qualcomm MMC Storage with a capacity of 30.93 GB. I was unable to write a RAW image of mmcblk0.img using HDD Raw Copy Tool, getting the error “Write Error occured at offset 0 (1)”.
My Working Theory
Looking at both the most recent reports of the OTA brick and past reports, it seems like the problem occurs when there is a bootloader update packaged in with the firmware update. It is possible that the eMMC chip is fried because we've seen bugs in the past but I'm working on the assumption that it is not since the chip is recognized, shows the correct capacity and gets registered by the kernel. We can also see that persistent_ram has an uncorrectable error in the header and no valid data in the buffer. This could mean a bad eMMC chip but it could also mean the parts of the bootloader are gone or corrupt. It could also mean the GPT is bad.
We can also see that the device is always booting into ttyHSL0 mode which is the UART Serial Console mode for debugging. I don't know a lot about Qualcomm architecture but I do know that there are several modes including diagnostics, download and emergency download mode. It's possible that the tablet is stuck in one of these modes. I read through some Qualcomm documents and it mentions using the NPRGxxxx.hex file to flash your device but it also mentions that, if the chipset supports it, changing the name of the NPRGxxxx.hex file to eNPRGxxxx.hex "allows you to download new images to a mobile device that has an empty or corrupt flash device." That function was implemented in 2008 though and I'm unsure if the implementation has changed at all.
Getting Started
I’m not going to cover any of the basics like installing ADB and Fastboot on your computer. This thread is intended for people who already have a working knowledge of using these tools and want to try and work on the bricking problem. If you don’t have that knowledge and would still like to experiment with your bricked device you can find lots of tutorials on XDA on how to install and use ADB and Fastboot.
I will mention a couple of things I ran into though. Since I hadn't been working on tablets for a while I wasn't able to use ADB in TWRP at first. I noticed that it only worked if I disabled MTP in the TWRP menu. However, updating the Android SDK solved this problem and the updated drivers allow both MTP and ADB to be connected at the same time.
There may also be times when you need to disable Windows Driver Signature Verification to be able to install unsigned drivers. Here is a link showing how to do it temporarily. There is also a way to disable it permanently which I think is to run the Command Prompt as Admin and type:
Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Lastly, you'll probably want to stop Windows from automatically installing drivers for new hardware. You can do that by right clicking on your computer and then going to "properties -> advanced system settings -> hardware -> device installation settings -> no let me choose what to do -> never install driver software from windows update". There are also guides with screenshots on how to do this if you Google it.
---
We can get into a recovery like TWRP by using the fastboot command:
Code:
fastboot boot twrp.img
If booting into recovery fails and you get stuck on the TWRP logo screen then go back to the bootloader and use the fastboot command:
Code:
fastboot oem reset-dev_info
---
To enter Qualcomm HS-USB QDLoader 9008 “download mode” you can hold down all three hardware buttons when the device is powered off and plugged in. You can also power down the device, hold the Vol+ and the Vol- buttons and then plug in the device. To enter Qualcomm HS-USB Diagnostics 9006 “diagnostic mode” you can press the power button repeatedly then wait around 30 seconds and see if it connects in the device manager. I don’t know what the speed you are supposed to press the button is but it seems to take at least 10 presses, sometimes more. You’ll have to test it out until you get used to doing it.
Tasks
Want to help out? Here are some things I'm working on. There's a good deal of research to do, so even if you don't have a working device you can help. If you have a device that you've totally given up on and are pretty much going to throw out but can still get into the bootloader, test those fastboot oem erase_ commands before tossing the tablet. It will be fastboot oem erase_"partition name". An example is fastboot oem erase_aboot. Just run through them and write down which ones work and which ones don't.
If someone with a bricked tablet has UART off in the bootloader and can boot into TWRP, please check "adb shell cat /proc/cmdline" and tell me if "console=ttyHSL0,115200,n8" is in the commandline. You can check if UART is on or off in the bootloader by using "fastboot getvar all".
Look into other APQ8064 devices to see if files relevant to QPST work. There is a list of devices below that have the same SoC but not the 1AA or FLO tag at the end. It's possible some of these files might work well enough to at least get the memory recognized.
Pull partition table from a working device and format it in partition.bin or partition.mbn for use in QPST.
Try to write partitions pulled from working device back to the tablet in fastboot.
Format partitions from a working device as .mbn files for QPST.
Pull first few raw GB from a bricked tablet and examine it to see if there is data present. If there is then it might mean that those partitions are corrupted and we can focus on writing working partitions back to those location. Try with RAW copy tool and with dd.
Testing QPST software to resurrect the device. Will need more files first, need to structure them as .xml files necessary for the software.
Test "fastboot oem erase_" on other partitions.
Test "fastboot flash" of partitions that aren't normally included in a firmware update, like sb1.img, rpm.img, aboot.img, etc.
General Device Info
Here is a spreadsheet with all the partition info that I've pulled and sorted.
The Nexus 7 2013 is an APQ8064 1AA/FLO Snapdragon 600 series device that is advertised as a S4 Pro. The APQ8064–1AA is the WiFi version and APQ8064-FLO is the LTE version. The ASUS MeMO Pad FHD 10 ME302KL LTE also has the same SoC according to wiki. The platform board is listed as MSM8960 in most of the code.
Here are other devices with an APQ8064 soc but aren't listed as 1AA or FLO:
LG Optimus G
MDP / T
Xiaomi MI-2
Pantech Vega R3
Sharp Aquos Phone Zeta SH-02E
Oppo Find 5
Asus MeMO pad 10 LTE
Asus padfone 2
HTC J Butterfly
HTC Droid DNA
Nexus 4
HTC Butterfly
ZTE Nubia Z5
ZTE Nubia Z5 Mini
ZTE Grand S
Sony Xperia Z
Xperia ZL Sony
Sony Xperia ZR
Fujitsu Arrows S
Sony Xperia Tablet Z
LG Optimus GJ
Nexus 7 2013 Tablet’s Vendor ID is 18d1 and Hexadecimal Syntax is 0x18D1 (used in fastboot). The USB device IDs for different connections are:
Qualcomm HS-USB Diagnostics 9006 (COM3) - USB\VID_05C6&PID_9006&MI_00
Qualcomm HS-USB Diagnostics 9008 (COM4) - USB\VID_05C6&PID_9008
Android Bootloader Interface - USB\VID_18D1&PID_4EE0
Android ADB Interface - USB\VID_18D1&PID_D002
Serial Numbers I've seen are:
Bricked Device - SERIAL NUMBER 2143658709BADCFE ← According to HDD Raw Copy Tool
Bricked Device - SERIAL NUMBER 049973d5 ← According to adb get-serialno
Dumps, Unpacked Partitions and Other Files
Here is a link to a MediaFire folder with various files. So far I have:
Unpacked the 4.04 Bootloader
aboot.img
bootloader.img
rpm.img
sbl1.img
sbl2.img
sbl3.img
tz.img
Pulled all partitions from HDD Raw Copy Backup of a working device
aboot.img
abootb.img
boot.img
DDR.im
first_131071_sectors.img
fsg.img
m9kefs.img
m9kefs2.img
m9kefs3.img
m9kefsc.img
metadata.img
misc.img
modemst1.img
modemst2.img
pad.img
radio.img
recovery.img
rpm.img
rpmb.img
sbl1.img
sbl2.img
sbl2b.img
sbl3.img
sbl3b.img
ssd.img
tz.img
tzb.img
QPST Memory Debug Dump from a bricked device
CODERAM.BIN
CPU_REG.BIN
CPU0_WDT.BIN
CPU1_WDT.BIN
CPU2_WDT.BIN
CPU3_WDT.BIN
EBICS0.BIN
ETB_ERR.BIN
ETB_REG.BIN
IMEM_A.BIN
IMEM_C.BIN
load.cmm
LPASS.BIN
MM_IMEM.BIN
PMIC_PON.BIN
RPM_MSG.BIN
RPM_WDT.BIN
RST_STAT.BIN
SPS_BUFF.BIN
SPS_PIPE.BIN
SPS_RAM.BIN
Unpacked Radio partition from a working device
ACDB.MBN
APPS.MBN
DSP1.MBN
DSP2.MBN
DSP3.MBN
EFS1.MBN
EFS2.MBN
EFS3.MBN
MDM_ACDB.IMG
RPM.MBN
SBL1.MBN
SBL2.MBN

Fastboot Commands
Click To Show Content for examples of each command's usage, partitions that are accepted by a command and additional info.
Regular fastboot commands
Code:
fastboot update
Code:
fastboot update update.img
Code:
fastboot flashall
Code:
fastboot flash
Code:
fastboot flash aboot aboot.img ?
fastboot flash bootloader bootloader.img
fastboot flash rpm rpm.img ?
fastboot flash sbl1 sbl1.img ?
fastboot flash sbl2 sbl2.img ?
fastboot flash sbl3 sbl3.img ?
fastboot flash tz tz.img ?
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img
Code:
fastboot erase
Code:
fastboot erase all
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata
Code:
fastboot format
Code:
fastboot format boot
fastboot format cache
fastboot format recovery
fastboot format system
fastboot format userdata
Example of advanced functions:
Code:
fastboot format cache:ext4:0x0000000023000000 cache
(hex value for 587202560 bytes (= 587 MB) / 573440, don’t know what this value is but it equals a hex value of 008c000)
Code:
fastboot format cache:0x0000000023000000 cache
(skips fs type and uses default)
Code:
fastboot getvar
Code:
fastboot getvar all
fastboot getvar version-bootloader
fastboot getvar version-baseband
fastboot getvar version-hardware
fastboot getvar version-cdma
fastboot getvar variant
fastboot getvar serialno
fastboot getvar product
fastboot getvar secure_boot
fastboot getvar lock_state
fastboot getvar project
fastboot getvar off-mode-charge
fastboot getvar uart-on
fastboot getvar partition-type:<partition name>
fastboot getvar partition-size:<partition name>
Code:
fastboot continue
Code:
fastboot boot
Code:
fastboot boot recovery.img
fastboot boot boot.img
fastboot boot bootloader.img
Example of advanced functions:
Code:
fastboot boot <kernel> [ <ramdisk> [ <second> ] ]
Examples of booting the kernel and ramdisk:
Code:
fastboot boot zImage boot.img-ramdisk.cpio.gz
fastboot -c *cmdline* boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot flash:raw boot
Same command format as the advanced "fastboot boot" command:
Code:
fastboot flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
fastboot flash:raw boot zImage boot.img-ramdisk.cpio.gz
Code:
fastboot devices
fastboot continue
fastboot reboot
fastboot reboot-bootloader
fastboot help
Regular fastboot options that might be useful
-c <cmdline> override kernel commandline
Add -c followed by a kernel command. If more than one kernel command is in the line then they should have parenthesis around them like this "console=ttyHSL0,115200,n8 androidboot.hardware=flo". This is used for the "fastboot boot" command to boot into a kernel with different commandline parameters. Here are the kernel commandlines listed in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=flo user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 androidboot.emmc=true androidboot.serialno=049973d5 bootreason=PowerKey fuse_info=Y ddr_vendor=hynix androidboot.baseband=apq asustek.hw_rev=rev_e androidboot.bootloader=FLO-04.04
-i <vendor id> specify a custom USB vendor id
Add -i and then the vendor id you want to use. The Nexus 7 vendor id is 18d1 and Hexadecimal Syntax is 0x18D1. Fastboot wants the Hex value:
Code:
-i 0x18D1
-b <base_addr> specify a custom kernel base address.
I haven't done this in long enough that I've forgotten how to use it. The default is 0x10000000 and the BOARD_KERNEL_BASE is listed as 0x80200000 in the Nexus code.
-n <page size> specify the nand page size.
The default value is 2048. Add -n and then the value you want to use:
Code:
-n 2048
-S <size>[K|M|G] automatically sparse files greater than size. 0 to disable.
I've never used this. If anyone has any insight, let me know.
fastboot oem commands
I extracted the aboot.img and used Notepad++ to look at the commands. I’m not sure what the variables are for some of them but I’m working on testing some things out. This is how I figured out “fastboot oem reset-dev_info” would allow “fastboot boot twrp.img” though.
Code:
fastboot oem unlock
fastboot oem lock
fastboot oem device-info
fastboot oem memtest_
fastboot oem gpt-info
fastboot oem fuse_blow
fastboot oem check-fuse
fastboot oem reset-dev_info
Code:
fastboot oem erase_
Usage is erase_<partition name>. I've only tested it on persist so far. I'm assuming this is for partitions that aren't supported by the regular "fastboot erase" command.
Code:
fastboot oem erase_persist
Code:
fastboot oem off-mode-charge 1
fastboot oem off-mode-charge 0
fastboot oem uart-on
fastboot oem uart-off

Links
Drivers and Software
Qualcomm Drivers - The one marked 2012 seems to be the newest I could find and is the one I've been using the most.
Qualcomm Product Support Tools (QPST)
Qualcomm Documents
HDD Raw Copy Tool
Nexus 5 Boarddiag Tool
EFS Professional
Links to relevant threads
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[DEV][REF] El Grande Partition Table Reference

Logs
All logs posted to Pastebin.
Fastboot Logs
Nexus 7 2013 - fastboot getvar all
Nexus 7 2013 - fastboot oem gpt-info
ADB Logs
Nexus 7 2013 - Big Collection of Partition Info
Nexus 7 2013 - mmc error - kernel log snippet
Nexus 7 2013 - Bricked Tablet - dmesg
Nexus 7 2013 - Working Tablet - dmesg
Nexus 7 2013 - Bricked Tablet - last_kmsg
Nexus 7 2013 - Working Tablet - last_kmsg
Nexus 7 2013 - Bricked Tablet - Recovery Log
Nexus 7 2013 - Working Tablet - Recovery Log
Nexus 7 2013 - adb shell dmesg | grep mmc0
Nexus 7 2013 - adb shell cat /proc/devices
Nexus 7 2013 - adb shell tail ./etc/fstab
Nexus 7 2013 - adb shell tail ./etc/recovery.fstab
Nexus 7 2013 - adb shell mount
Nexus 7 2013 - adb shell df
Nexus 7 2013 - adb shell cat /proc/cmdline
Nexus 7 2013 - adb shell ls /dev/block
Nexus 7 2013 - adb shell cat /proc/partitions

Updates to this thread
1/24/2015
- Added a link to a spreadsheet with partition info to the original post under "General Info".
- Added a section to the original post for files. Added a link to a MediaFire folder with QPST memory debug of a bricked device as well as dumped and unpacked partitions from a working device. Listed all files in each folder.
- Added another build of the QPST software to the MediaFire folder.
- Edited "Tasks" in original post.
6/01/2015
- Added info on how to pull a full raw backup of a working Nexus 7.
- Added all fastboot and adb logs I have.
- Added more documents to the MediaFire folder.
05/28/2015
- Added a working theory to the initial post.
05/26/2015
- Added more info to the Intro section and the Problem section.
- Formatted the Fastboot Command section differently.
05/25/2015
- Added links to drivers, software and relevant websites.
- Added Qualcomm Documents to the links section.
- Added info about driver installation to the Getting Started section.
- Added a list of other APQ8064 devices.
- Reformatting some things to look better. I'll keep working on it.
05/24/2015
- Initial Post

Reserved
Reserved for if there is ever a solution.

I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
-----
Update: The info on how to make a full RAW backup of the entire device without having an external SD card to save it to can be found in this thread. I made some adjustments for the Nexus 7 and I did it all in Cygwin.
To make device backup in Cygwin and TWRP open a terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
adb shell
/sbin/busybox nc -l -p 5555 -e /sbin/busybox dd if=/dev/block/mmcblk0
Then open a second Cygwin Terminal and do this:
Code:
adb forward tcp:5555 tcp:5555
cd /nexus
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.img
You can then mount the image you pulled with DiskInternals Linux Reader. It will show you all of the individual partitions, all of the unallocated gaps between partitions and some info about each one. You can open the EXT4 partitions like /system to explore them and you can also open the radio.img and see everything inside. You can then save all the partitions as individual images. This method doesn't work with the bricked tablet. I'm building a spreadsheet with info on all the partitions.
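An added example (not part of the original post): one way to test the "GPT is bad" theory and the "is there data present" task against a pulled mmcblk0.img, or just its first sectors, is to parse the primary GPT, verify both CRC32 values and check each partition extent for non-zero bytes. The function names are hypothetical, 512-byte sectors are assumed, and the sample image is constructed inside the script.

```python
import struct
import zlib

SECTOR = 512                    # assumption: 512-byte logical sectors
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header at LBA 1
ENT_FMT = "<16s16sQQQ72s"       # 128-byte partition entry


def has_data(image, first_lba, last_lba):
    """True/False if the extent holds non-zero bytes, None if outside the slice."""
    start, end = first_lba * SECTOR, (last_lba + 1) * SECTOR
    if end > len(image) or start >= end:
        return None
    return image[start:end].strip(b"\0") != b""


def parse_gpt(image):
    """Parse the primary GPT of a raw image (or its head) and verify both CRC32s."""
    raw = image[SECTOR:SECTOR + 92]
    if len(raw) < 92 or raw[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    (_sig, _rev, hdr_size, hdr_crc, _rsv, _cur, backup_lba, _first, _last,
     _guid, ent_lba, n_ent, ent_size, arr_crc) = struct.unpack(HDR_FMT, raw)
    if not 92 <= hdr_size <= SECTOR or ent_size < 128:
        raise ValueError("implausible GPT header fields")
    # The header CRC is calculated with its own field (bytes 16..19) zeroed.
    hdr = bytearray(image[SECTOR:SECTOR + hdr_size])
    hdr[16:20] = bytes(4)
    array = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    parts = []
    for i in range(n_ent):
        entry = array[i * ent_size:i * ent_size + 128]
        if len(entry) < 128:
            break  # entry array is truncated in this slice
        type_guid, _uid, first, last, _attr, name = struct.unpack(ENT_FMT, entry)
        if type_guid == bytes(16):
            continue  # unused slot
        parts.append({
            "name": name.decode("utf-16-le", "replace").split("\0")[0],
            "first_lba": first,
            "last_lba": last,
            "sectors": last - first + 1,
            "has_data": has_data(image, first, last),
        })
    return {
        "header_ok": zlib.crc32(bytes(hdr)) == hdr_crc,
        "array_ok": zlib.crc32(bytes(array)) == arr_crc,
        "backup_lba": backup_lba,
        "partitions": parts,
    }


def build_sample():
    """Constructed 128-sector image: three partitions, only sbl1 holds data.
    Only the primary GPT is written; GUIDs are placeholder bytes."""
    total = 128
    layout = [("sbl1", 34, 37), ("aboot", 38, 41), ("boot", 42, 49)]
    img = bytearray(total * SECTOR)
    array = bytearray(128 * 128)
    for i, (name, first, last) in enumerate(layout):
        struct.pack_into(ENT_FMT, array, i * 128, bytes([i + 1]) * 16,
                         bytes([i + 0x11]) * 16, first, last, 0,
                         name.encode("utf-16-le"))
    img[2 * SECTOR:2 * SECTOR + len(array)] = array
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, total - 1,
                      34, total - 34, bytes([0xAA]) * 16, 2, 128, 128,
                      zlib.crc32(bytes(array)))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    img[SECTOR:SECTOR + 92] = hdr
    img[34 * SECTOR:34 * SECTOR + 8] = b"\x01" * 8  # constructed payload in sbl1
    return img


if __name__ == "__main__":
    gpt = parse_gpt(build_sample())
    print("header CRC ok:", gpt["header_ok"], "| entry array CRC ok:", gpt["array_ok"])
    for p in gpt["partitions"]:
        print("%-6s LBA %d-%d  has_data=%s"
              % (p["name"], p["first_lba"], p["last_lba"], p["has_data"]))
```

On a real dump, read only the head of the file (for example the first 131071 sectors) into memory rather than the whole 28.8 GiB image; partitions that lie beyond the slice report has_data=None.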

fuser-invent said:
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.
From a working or an OTA-bricked device?

MattG987 said:
From a working or an OTA-bricked device?
I pulled them all from a working device so I can try to write them back to the bricked device but also so I can try and make the flash programming files for use in QFIL. On another note the bricked devices can show up in the Windows file manager as a single small partition with a list of files. I found out today that those files are the contents of the radio partition. I have a folder with those files from a bricked and working device now and I'll do a hex comparison to see if they are still all intact on the bricked device. That also means the FAT partition at the very beginning of the eMMC chip is still there and working, so the whole chip isn't "dead".

Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.

yodtc said:
Hi fuser-invent,
Thank you for your job.
Do you have any solution to write a stock rom to flash memory ?
Lollipop OTA bricked my Nexus 7 2013. Several people reporting this problem.
I can't unlock bootloader and adb sideload not work.
Thanks.
Still working on it but my job suddenly got really, really busy. Hoping to get back into it after the holiday rush. I wish there were other people trying to work on this problem too though.

I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.

Andrew025 said:
I just received a new Nexus 7 on 5.1.1
It isn't bricked but when I flash TWRP it shows all the unable to mount errors in your first post and I can't access the sdcard. When I use the TWRP option to boot to system it says there's no OS installed but it does boot into android. I flashed the 6.0 img without any issues. Still the same problem with TWRP.
I've never had any issues like this before.
Have you tried the multi-rom TWRP that fixes the mount point problems?

autocon said:
Have you tried the multi-rom TWRP that fixes the mount point problems?
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.

Andrew025 said:
No, I wasn't aware of that until you mentioned it.
Thanks for the suggestion. I'll give it a shot when I have a chance. Should probably fix it since apparently the devices that shipped with 5.0 have the issue.
I've the same issue and used the Multirom to workaround, but what about ROMs that say "use the latest version of TWRP" ?
If this is a software-caused problem, has the Android team been notified with a bug report or something?

As owner of 2 N7 2013 devices, one of them bricked, I would like to thank you for your work and time.
I find this thread very instructive and I think I will try to follow the leads you provided and try to get my device back to life.
Alas, much study is needed on my part!
I also found some info that may or may not be useful here:
github.com/aureljared/unbrick_8960
I hope I can find and share something useful, and wish you all good luck!

N7 2013 32GB Bricked
I look forward to doing some testing myself with this tablet... Problem is, my bootloader is locked and I can't unlock it since it won't format the internal storage... can't even boot into TWRP because of that.
Anyway, I'm very interested in using DD to flash the partitions at some point if that's available. I can also get into download mode, so using the qualcomm utility to write that way. It's just sitting here, waiting to be revived!

Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!

orzem said:
Following the instructions above, I could get to the point where I have the partitions of the working device.
I can also put both devices in 9008 mode, and the bricked device only in 9006 mode also. Although windows registers it as diagnostic mode, QPST is reading both 9008 and 9006 as Download Mode, and does not allow me to backup the working device.
So, as far as QPST goes, I'm kind of stuck.
But, reading what I found in github.com/aureljared/unbrick_8960 I might still have a chance: I just have to understand how to set up the files that are needed though...
Wish you all a good day!
I think we need to build our own flashing files using aureljared's method. I have a ton of partitions and data ripped. I'll try to upload it soon so everyone has access to experiment with.

Yes, I think so too. Also considering the fact that those scripts are much more understandable than a closed source program, even to me and my scarce knowledge.
Just a thought: why try and rebuild the partition table and then copy each partition in its place? Wouldn't it be much easier to just "dd" the working device in one single file and then "dd" it back on the bricked one?
Of course, IF (and only if) the hex and mbn provided by aureljared succeed in switching the device into Streaming Protocol and let us actually write to memory.
If there's anything I can do, I'll be glad to do it.
Have a nice day!

Related

[PROJECT] Reviving Hard Bricked YU (QLoader 9008 Mode)

Anybody here wants to downgrade their YU from the sweet candy rom (Lollipop) to the old chocolate bar (Kitkat), please use this procedure post in this THREAD.​
So here is the guide to unbrick your YU from "Qualcomm HS-USB QDLoader 9008", I hope it works for you as I fried my YU's eMMC by attempting to brick and unbrick my YU for nearly 200 times in three days just to confirm that this guide is working. And here are some pics of my current YU (an expensive desktop charger). And all of this, because I love XDA, hahahahahahaha, just hope it worthed. For God sake, I have invested nearly US$200 for this thread (at least that is how much I bought my YU plus shipping), so this post has to work. And please, don't ask whether I am serious or not, you should know the answer already.
Please read this guide thoroughly. It took hours of my precious time to make this post, but I bet you that it will only take minutes to read it. So once again, please read this guide thoroughly.
Now the important part, this guide was tested by me with my Lenovo laptop that run Windows 7sp1 Ultimate edition, and this is my hardware specs:
1. ANALYZING THE PHONE PROBLEM
In Qualcomm NEW firmware (not the HLOS part, but NON-Hlos, SBL1, TZ, HYP, RPM, and Aboot), especially ARMv8-A, Qualcomm diminished the famous "Qualcomm HS-USB Diagnostics 9006", and introduced two types of "Qualcomm HS-USB QDLoader 9008" (source: fybon article). So, before we proceed with the guide, we should analyse the phone first, on which 9008 mode your phone is in. To do this, follow these steps below:
1.a SETTING UP WINDOWS
I know that some fellow YU's owners who have bricked their phone are "Senior Member" and highly experience user if it comes to Android and Qualcomm phone, but I just want to ask you to give some respect for my death YU by following each of the steps that need to be taken to setup Windows.
Please turn off internet connections.
Remove your YU from PC or Laptops.
Install the latest ".net Framework" for your Windows.
Uninstall all the driver related to YU, as well as any Qualcomm driver if you have install any. Uninstall them through Device Manager FIRST, then program manager. Here I used a software called "REVOUninstaller" to remove completely the driver softwares and Device Remover to completely remove installed unnecessary device.
Then run "CMD" or "Windows Terminal" as administrator and type:
Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Restart your PC or Laptops, and you should see this watermark at the bottom right of your desktop, just like the pic below:
Download QualcommDrv.zip from here, extract to an empty folder, then open the folder according to your Windows type (x64 or x86) and double click dpinst64.exe to install the Qualcomm driver.
Now it is safe to connect your YU to PC or laptop (I connected it in USB2 port). BUT BEFORE YOU CONNECT YOUR YU, REMEMBER TO UNPLUG YOUR BATTERY FOR FIVE SECS, REPLUG IT, AND CONNECT YOUR YU WITHOUT PRESSING ANY OF ITS BUTTONS. Your phone should now be detected as "Qualcomm HS-USB QDLoader 9008" and the driver version 2.0.8.7 (please check it through Windows' "Device Manager")
1.b ANALYSING PROCESS
If you were just messing with the system image, boot image, system's framework or other things that are not related to Qualcomm's stuff (modem-NON-HLOS.bin, aboot-emmc_appsboot.mbn, sbl1, hyp, tz, rpm partition), for example installing a sound patch, etc., you will possibly enter the new 9008 mode, which is a combination of the old "Qualcomm HS-USB Diagnostics 9006" and "Qualcomm HS-USB QDLoader 9008". When you first brick the phone into this mode, you will experience the symptoms below:
The LED charging indicator near the phone speaker will light red.
Your phone will vibrate endlessly, and this vibration will end only if you disconnect your phone from your PC or laptop and unplug the battery.
If you open Windows' Device Manager, you'll see "Qualcomm HS-USB QDLoader 9008" under PORTS (COM & LPT) or "QHUSB_BULK" under Other devices, and "Qualcomm MMC Storage USB Device" under Disk drives, similar to the pics below (NOTICE THAT RED BOX IN PIC):
OR
However, if you messed with your YU's Qualcomm partitions by playing with NON-HLOS.bin, emmc_appsboot.mbn, sbl1.mbn, hyp.mbn, tz.mbn, rpm.mbn, or by other means messing up the whole Qualcomm eMMC partition, such as by using this zip I made while your YU is in Fastboot, then you will most likely go into the OLD "Qualcomm HS-USB QDLoader 9008" mode. You will find symptoms similar to those below:
The phone charging indicator would not light if you connect your YU with PC or Laptop.
Device Manager only listed "Qualcomm HS-USB QDLoader 9008" under PORTS (COM & LPT) or "QHUSB_BULK" under Other devices, but no "Qualcomm MMC Storage USB Device" under Disk drives, similar to pic below:
So, now you need to analyse your YU, whether it is in the OLD '9008" or NEW "9008" mode, as the procedure to revive your beloved YU will be different.
2. REVIVING YOUR YU BACK
2.a NEW "Qualcomm HS-USB QDLoader 9008" MODE
If you are that lucky person, who is stuck in the NEW "Qualcomm HS-USB QDLoader 9008" mode, to be honest, the steps to be taken are a lot easier. However, you need somebody in this forum to upload the complete YU's eMMC image for you. To get such image, you could ask your friend to do these steps (root the phone first):
Format your external MicroSD card with the "exfat" file system, and the size of this SD card should be more than 16 GB, which is the size of the whole partition.
Do a full factory reset, meaning wipe your cache, data, and internal storage using either CWM, TWRP, or PhillzTouch.
Insert the SD card to your phone and connect your YU with ADB, type:
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
The size of the "backup.img" is around 16 GB. However, if you compress it, it will be around 2 GB.
Now, if you have the backup.img in your hand, you can do these steps:
Download partition tools from the net, I recommend you to use "Minitool Partition Wizard".
Download "HDD Raw Copy Tool", it is a free tool that can copy your "backup.img" to your YU's eMMC sector per sector.
Now connect your phone, remember to UNPLUG YOUR BATTERY FOR FIVE SECS, REPLUG IT, AND CONNECT YOUR YU WITHOUT PRESSING ANY OF ITS BUTTONS.
FROM NOW ON DON'T YOU EVER DISCONNECT THE PHONE FROM YOUR PC OR LAPTOPS.
Open "Minitool" and you will see that your phone has 29 partitions in total, similar to the pic below (this pic was taken from Windows' "Disk Management Tool" just to describe Qualcomm's partitions):
Delete all 29 partitions and click apply (remember don't remove your phone while "Minitool" is completing the process).
If all processes finished successfully, open "HDD Raw Copy Tool", and you'll see things similar to this (please note that because my phone is now dead, the pics that describe how to use "HDD Raw Copy Tool" were taken from my friend's website using a different type of Qualcomm phone, however the process that needs to be taken is similar):
Choose your "backup.img" and click "Continue >>>>>>".
Put a highlight on "Qualcomm MMC Storage USB Device" and click "Continue >>>>>>".
Check everything and click "START".
However, if you can't find a good fellow member in this forum, who is willing to give you the "backup.img", then I'm afraid you have to do it the hard way, which is forcing your beloved YU to go to the OLD "Qualcomm HS-USB QDLoader 9008" mode. You can do this using "Minitool":
Open "Minitool" again.
Delete all 29 partitions.
Then choose "Create Partition" on the whole "Qualcomm MMC Storage USB Device" (making it one big 16 GB partition) as "Primary Partition" with an "ext4" file system. By the way, DON'T GIVE THE PARTITION A NAME.
Click APPLY.
When "Minitool" has completed all the processes, disconnect your YU from your PC or laptop, UNPLUG YOUR BATTERY FOR FIVE SECS, REPLUG IT, AND CONNECT YOUR YU WITHOUT PRESSING ANY OF ITS BUTTONS.
And I have to greet you, "Welcome, now you are in the OLD 'Qualcomm HS-USB QDLoader 9008' mode".
2.b OLD "Qualcomm HS-USB QDLoader 9008" MODE
Download "QPST 2.7 build 422" from HERE and extract it to an empty folder. It has to be this version of "QPST". Install QPST by double clicking setup.exe, see pic below:
Download 8675_W00.zip attached with this post HERE, and extract it to an empty folder. You will get a folder called "8675_W00", just open it.
Download the official YU's firmware from CyanogenOS website HERE, and extract all the files inside the previous "8675_W00" folder, and now you'll get files like the pic below:
You can run QFil in two ways:
By using QFil UI
Open it from your "Start" menu, see pic below:
Insert all the necessary files needed by "QFil": (1) The programmer will be prog_emmc_firehose_8936.mbn found inside the "8675_W00" folder; (2) Use the rawprogram0.xml found inside the "8675_W00" folder; (3) Use the patch0.xml found inside the "8675_W00" folder; (4) Hit the "Download" button. For details, see the pic below:
By using CMD's Command Line (intermediate to advanced users)
Open "CMD" inside QPST's "bin" folder, which can be found inside QPST install directory, see image for detail:
In the opened CMD, type:
Code:
qfil.exe -Mode=1 -COM="enter your comport number setting here" -SEARCHPATH="enter your complete path to 8675_W00 folder" -Sahara=true;"enter your complete path to the prog_emmc_FireHose_8936.mbn" -RawProgram=rawprogram0.xml -patch=patch0.xml -AckRawDataEveryNumPackets=TRUE;100 -DeviceTYPE="eMMC" -PlatForm="8x26" -MaxPayloadSizeToTargetInBytes="49152"
Here is an example of how to use it:
qfil.exe -Mode=1 -COM=64 -SEARCHPATH="D:\CBW8600A01_A_T1701" -Sahara=true;"D:\CBW8600A01_A_T1701\prog_emmc_FireHose_8x26.mbn" -RawProgram=rawprogram_unsparse.xml,rawprogram2.xml -patch=patch0,patch2.xml -AckRawDataEveryNumPackets=TRUE;100 -DeviceTYPE="eMMC" -PlatForm="8x26" -MaxPayloadSizeToTargetInBytes="49152"
Or you can play with those commands, here are their descriptions:
If you run "QFil" through command line, you'll get a slightly different user interface, and perhaps by running it through command line we could overcome the "sahara: fail" problem.
If the process you did with "QFil" finished successfully, the phone will reboot by itself.
After the phone rebooted, it will suffer from an endless bootloop. Don't do anything, just disconnect it from your PC, and straight away put your phone into bootloader by pressing "volume-up" button while connecting your phone again to your PC.
Go to "8675_W00" folder again, and run FlashAll(AfterQFil).bat by double clicking it.
Your YU will reboot normally to stock CM.
3. REVIVING YOUR IMEIs
To be honest this is the easiest part of the guide, and here are the steps that need to be taken (REMEMBER TO REMOVE ALL SIM CARDS BEFORE YOU DO THESE STEPS BELOW):
First of all, please root again your just revived YU.
Next, download QXDM 3.13.714 from HERE, extract it and then install (there is no special treatment for "QXDM").
Download "boot.zip" from HERE, and extract the "boot.img" found inside the zip file into our beloved "8675_W00" folder (just replace the old "boot.img").
Connect your phone with your PC, and open ADB from our beloved "8675_W00" folder, and type these commands:
Code:
adb shell
su
dd if=/sdcard/boot.img of=/dev/block/mmcblk0p20
reboot
After the phone has rebooted, open Device Manager in Windows, and you should find that your phone is recognised as "Qualcomm HS-USB Diagnostics 903A". Now you can connect to QPST, QXDM, ADB, and MTP at once, each time your phone reboots.
Now open "QPST Configuration" and see whether your phone is listed there, see pic below:
Open "QXDM Professional", go to "Options", "Communications" and set "Target Port" to your phone.
Back in the "QXDM" main window, in the "View" dropdown menu, select "NV Browser", put a check mark on the "Dual SIM" option, select "ALL" in the "Category Filter" dropdown menu, and go to "ID 00550", see pic for details:
Now choose "0" on "Subscription ID" dropdown menu. By the way here, "Subscription ID = 0" means your SIM1 and "Subscription ID = 1" means your SIM2. After choosing "0", click Read, fill your SIM1's IMEI in the Input Fields, and click Write. Do the same with SIM2's IMEI, which is listed as "Subscription ID = 1" .
AND HERE IS HOW YOU PUT YOUR IMEI:
Code:
If for instance, your IMEI for SIM1 was: 954091051099226, then the boxes would be in below order:
0x08 (The first hex is always 0x08)
0x9A (The second hex always ends with "A" or "0x9A")
0x45
0x90
0x01
0x15
0x90
0x29
0x62
YOUR YU IS OFFICIALLY REVIVED, YEEEE
3. PLAYING WITH COOLPAD CPB FILES
I guess Micromax's officials have to admit that YU YUREKA is indeed Coolpad 大神 F2 8675-XXX, and do you know that the Chinese word "大神" means "Great God" in English? Yup, I'm betting US$100 here that our beloved motto of "YU Play God" comes from the word "大神" a.k.a. "Great God". I was also suspecting that W00 is the right replacement for the missing XXX in Coolpad 大神 F2 8675-XXX, and I finally confirmed my suspicion through some hex comparison between the "GPT" (the MBR of an eMMC; I would like to thank Ekhasti for providing me YU's "GPT.bin") of the two phones, thus making it possible for me to make all of the above guide. Just for your info, the "GPT" resides from sector 0 until just before the start sector of NON-HLOS, a.k.a. the modem partition of our YU's eMMC. If you are eager to get YU's GPT partition, all you have to do is connect your phone with ADB, and type:
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/sdcard/gpt.bin bs=512 count=65535
And, you'll find your gpt.bin in your phone's internal storage.
Since, Coolpad 大神 F2 8675-W00 has similar GPT, at that time, I believed that I can flash directly coolpad's firmwares into our YU, and guess what, I was right. Although at first the phone experienced endless bootloop, it booted seamlessly after I "oem unlock" the bootloader via Fastboot. So, if somebody in this forum is eager enough to try the CoolUI of Coolpad 大神 F2 8675-W00, you can unpack its CPB's file by following all the steps below:
First, of course you have to download Coolpad 大神 F2 8675-W00's CPB files, and you can get it from Yulong (the name of the company that make Coolpad) official website HERE, the file is the one with 1.6 GB file size
Download my hack edition of Coolpad Download Assistant from HERE, and install it. See all the pics below on how to, as the language is in chinese:
Upon finishing installation, copy the "dProdRes.dll" found inside the "Hacked" folder of "CDA.zip" into Coolpad Download Assistant installation directory (just replace the old "dProdRes.dll", with the hacked version). See pic below:
Run "Coolpad Download Assistant", and do as depicted by pics below:
Wait until the progress bar reach 100%:
Don't close "Coolpad Download Assistant" first, just go to "downfile" folder inside "CDA" installation directory:
Copy "8675_W00" folder inside the folder where you keep adb.exe and fastboot.exe.
Now, to flash all those unpacked files to your YU, just do the following steps:
Connect your phone to your PC or Laptop in fastboot mode.
Type commands below:
Code:
fastboot -i 0x1ebf oem unlock
fastboot -i 0x1ebf erase modem
fastboot -i 0x1ebf erase sbl1
fastboot -i 0x1ebf erase sbl1bak
fastboot -i 0x1ebf erase aboot
fastboot -i 0x1ebf erase abootbak
fastboot -i 0x1ebf erase rpm
fastboot -i 0x1ebf erase rpmbak
fastboot -i 0x1ebf erase tz
fastboot -i 0x1ebf erase tzbak
fastboot -i 0x1ebf erase hyp
fastboot -i 0x1ebf erase hypbak
fastboot -i 0x1ebf erase misc
fastboot -i 0x1ebf erase DDR
fastboot -i 0x1ebf erase fsg
fastboot -i 0x1ebf erase boot
fastboot -i 0x1ebf erase params
fastboot -i 0x1ebf erase panic
fastboot -i 0x1ebf erase persist
fastboot -i 0x1ebf erase recovery
fastboot -i 0x1ebf format system
fastboot -i 0x1ebf format userdata
fastboot -i 0x1ebf format cache
fastboot -i 0x1ebf flash modem /8675_W00/NON-HLOS.bin
fastboot -i 0x1ebf flash sbl1 /8675_W00/sbl1.mbn
fastboot -i 0x1ebf flash sbl1bak /8675_W00/sbl1.mbn
fastboot -i 0x1ebf flash aboot /8675_W00/emmc_appsboot.mbn
fastboot -i 0x1ebf flash abootbak /8675_W00/emmc_appsboot.mbn
fastboot -i 0x1ebf flash rpm /8675_W00/rpm.mbn
fastboot -i 0x1ebf flash rpmbak /8675_W00/rpm.mbn
fastboot -i 0x1ebf flash tz /8675_W00/tz.mbn
fastboot -i 0x1ebf flash tzbak /8675_W00/tz.mbn
fastboot -i 0x1ebf flash hyp /8675_W00/hyp.mbn
fastboot -i 0x1ebf flash hypbak /8675_W00/hyp.mbn
fastboot -i 0x1ebf flash misc /8675_W00/MISC.img
fastboot -i 0x1ebf flash DDR /8675_W00/DDR.bin
fastboot -i 0x1ebf flash fsg /8675_W00/nv.tar.mbn
fastboot -i 0x1ebf flash boot /8675_W00/boot.img
fastboot -i 0x1ebf flash params /8675_W00/param.bin
fastboot -i 0x1ebf flash panic /8675_W00/panic.img
fastboot -i 0x1ebf flash persist /8675_W00/persist.img
fastboot -i 0x1ebf flash recovery /8675_W00/recovery.img
fastboot -i 0x1ebf flash system /8675_W00/system.img
fastboot -i 0x1ebf flash userdata /8675_W00/userdata.img
fastboot -i 0x1ebf flash cache /8675_W00/cache.img
fastboot -i 0x1ebf format userdata
fastboot -i 0x1ebf format cache
fastboot -i 0x1ebf reboot-bootloader
fastboot -i 0x1ebf oem unlock
fastboot -i 0x1ebf reboot
Here I also like to say thanks to:
darkspr1te and his thread for giving some insight about on how Qualcomm chips work.
quakze for supporting this project, and also for spending his precious time testing the guide (although the result is totally negative).
ekhasti for his kindness in giving the whole partition dump of his YU.
Furthermore, if somebody in this forum manages to unbrick her/his YU using this guide, please post a reply on how you did it and what changes or improvisations you had to undertake, as it would help other members as well. Without your reply, this thread would be dead and would have to be closed, because I myself don't own any YU anymore.
PS.
I will be very delighted to buy your bricked YU for half price of the new one and also pay the shipping fees, but under several conditions:
Windows could detect it minimum as "QHUSB_BULK"
Does not have stain, scratch, or any deform shape and all hardware should be functional before you bricked it.
Perhaps Rohan, Ayush, or Rahul could help me finding someone that willing to sell their bricked YU.
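The gpt.bin dump described in this post can be parsed instead of compared by eye in a hex editor, which also lets you confirm which partition a number such as mmcblk0p20 refers to before writing to it with dd. The Python below is an added example, not part of the original post: the function names are hypothetical, the two sample layouts are constructed (partition names taken from the fastboot list above, LBAs made up), and it assumes 512-byte sectors and a dump that starts at LBA 0.

```python
import struct
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, UEFI layout
ENT_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def parse_gpt(image, sector=SECTOR):
    """Return the partitions of a raw dump that starts at LBA 0.

    Raises ValueError when the signature or either CRC32 does not verify,
    so a truncated or damaged dump is never trusted.
    """
    raw = image[sector:sector + 92]
    if len(raw) < 92:
        raise ValueError("dump too short for a GPT header")
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _first, _last,
     _guid, ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, raw)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if not 92 <= hsize <= sector or ent_size < 128:
        raise ValueError("implausible header or entry size")
    hdr = bytearray(image[sector:sector + hsize])
    hdr[16:20] = bytes(4)                      # CRC field is zeroed for the check
    if zlib.crc32(bytes(hdr)) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = image[ent_lba * sector:ent_lba * sector + n_ent * ent_size]
    if len(table) < n_ent * ent_size or zlib.crc32(table) != ent_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_ent):
        ent = table[i * ent_size:i * ent_size + 128]
        type_guid, _uid, first, last, _attr, name = struct.unpack(ENT_FMT, ent)
        if type_guid == bytes(16):             # unused slot
            continue
        parts.append({"index": i + 1,          # slot N is mmcblk0pN on Linux
                      "name": name.decode("utf-16-le").split("\0", 1)[0],
                      "first_lba": first, "last_lba": last})
    return parts


def diff_layout(a, b):
    """List the slots whose name or LBA range differs between two dumps."""
    def key(p):
        return (p["name"], p["first_lba"], p["last_lba"])
    ma = {p["index"]: key(p) for p in a}
    mb = {p["index"]: key(p) for p in b}
    out = []
    for idx in sorted(ma.keys() | mb.keys()):
        pa, pb = ma.get(idx), mb.get(idx)
        if pa == pb:
            continue
        if pa is None or pb is None:
            which, p = ("second", pb) if pa is None else ("first", pa)
            out.append(f"p{idx}: only in {which} dump ({p[0]})")
        else:
            out.append(f"p{idx}: {pa[0]} {pa[1]}-{pa[2]} vs {pb[0]} {pb[1]}-{pb[2]}")
    return out


def build_sample(layout, sector=SECTOR, n_ent=32):
    """Build a constructed GPT image (empty LBA 0, header, entry array)."""
    table = bytearray(n_ent * 128)
    for i, (name, first, last) in enumerate(layout):
        struct.pack_into(ENT_FMT, table, i * 128, b"\x01" * 16,
                         bytes([i + 1]) * 16, first, last, 0,
                         name.encode("utf-16-le"))
    hdr = bytearray(struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                                1, 0, 34, 0, b"\x02" * 16, 2, n_ent, 128,
                                zlib.crc32(bytes(table))))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(sector) + bytes(hdr).ljust(sector, b"\0") + bytes(table)


# Constructed sample layouts; the LBAs are illustrative, not the YU's real ones.
COMMON = [("modem", 131072, 262143), ("sbl1", 262144, 263167),
          ("aboot", 263168, 265215)]
DUMP_A = build_sample(COMMON + [("boot", 265216, 297983)])
DUMP_B = build_sample(COMMON + [("boot", 265216, 330751),
                                ("recovery", 330752, 363519)])

if __name__ == "__main__":
    for p in parse_gpt(DUMP_A):
        size_mib = (p["last_lba"] - p["first_lba"] + 1) * SECTOR // 2**20
        print(f"mmcblk0p{p['index']:<3} {p['name']:<10} {size_mib} MiB")
    print("\n".join(diff_layout(parse_gpt(DUMP_A), parse_gpt(DUMP_B))))
```

On a real dump, pass the file contents, for example `parse_gpt(open("gpt.bin", "rb").read())`, and check the reported name for the slot you are about to write.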
tirta.agung said:
I just wonder, does anyone in this forum know how to make our Yureka to enter Qualcomm download mode or Qualcomm HS-USB Diagnostics 9006 mode? It would be great if we could do so, as it would enable us to make raw copy of the whole Yu's eMMC using HDD Raw Copy Tools. Beside the rawprogram0.xml, patch0.xml, 8939_msimage.mbn, MPRG8939.hex, and MPRG8939.mbn, this raw image is also very important to recover our Yureka from hard bricked.
it will be in hs-usb qdloader 9008 first, we just need “8939_msimage.mbn” and “MPRG8939.mbn” to bring the phone to hs-usb diagnostics 9006 mode.
quakze said:
it will be in hs-usb qdloader 9008 first, we just need “8939_msimage.mbn” and “MPRG8939.mbn” to bring the phone to hs-usb diagnostics 9006 mode.
Yep, I know the order. I usually use QPST's eMMC Software Download Tool to get my phone from 9008 to 9006 mode, then after Windows detects all the phone's eMMC partitions, I use HDD Raw Copy Tools to restore all the files (here I really mean ALL) to get my phone working again. So, although you managed to enter 9006 from 9008 mode, without a RAW Image of your phone made by HDD Raw Copy Tools, everything will be useless. Just like the rawprogram0.xml, patch0.xml, msimage.mbn, MPRG.hex, and MPR.mb, somebody in this forum, whose phone is bricked (either soft-9006 mode brick or hard-9008 mode brick), could use anybody's YU's RAW Image made by HDD Raw Copy Tools to get their phone working again. All they have to do afterwards, is just changing their IMEIs to their own using QXDM .
So back to the thread question. I used to have several android phones powered by qualcomm chipset, the last one before the Yu was ZTE V5 Max, which is a snapdragon 410 (MSM8916) phone. Usually after connecting a qualcomm android phone in diag mode (by putting "persist.sys.usb.config=mtp,diag,adb" either in the build.prop or default.prop inside boot.img) with Qualcomm NV Tools found in EFS Professional Suite (EFSPS), I could restart the phone into 9006 mode to make a raw image of my phone's eMMC. I usually do this first each time i bought a new qualcomm phone, just incase if I hard bricked my phone into qualcomm 9008 mode. However, I can't get my Yu into the 9006 mode, instead it went to 9008 mode (the LED near the phone speaker turns red and the phone keeps on vibrating) after I select reboot into download mode in EFSPS.
By the way quakze, I think MSM8939 uses the same eMMC enumeration properties as MSM8916. Perhaps we can use the MSM8916 rawprogram0.xml, patch0.xml, msimage.mbn, MPRG.hex, and MPRG.mbn. All we need is just an already bricked phone to try, and I guarantee that it would not make the bricked phone any worse. You can find the necessary file here (please use Chrome to auto translate the website). The file is a full service firmware for Lenovo K3 Music Lemon, a Snapdragon 410 phone. Please keep me updated if my hypothesis is true.
Anybody???
tirta.agung said:
Anybody???
better wait for the Xiaomi Ferrari. . .RBTL
Sir, we want to change LTE frequency
thru QPST
Need help
Check here and please help us
tirta.agung said:
I just wonder, does anyone in this forum know how to make our Yureka to enter Qualcomm download mode or Qualcomm HS-USB Diagnostics 9006 mode? It would be great if we could do so, as it would enable us to make raw copy of the whole Yu's eMMC using HDD Raw Copy Tools. Beside the rawprogram0.xml, patch0.xml, 8939_msimage.mbn, MPRG8939.hex, and MPRG8939.mbn, this raw image is also very important to recover our Yureka from hard bricked.
I have got rom of Huawei C199s (MSM8939), which has many file packed into UPDATE.APP.
I have unpacked it, but the file name and extensions are unknown.
At present I am trying to identify the msimage.mbm and mprg files.
The rom link is http://www.needrom.com/wp-content/uploads/2015/03/C199s-V100R001C92B260-Telecom.zip
Is it just the two of us?
quakze said:
I have got rom of Huawei C199s (MSM8939), which has many file packed into UPDATE.APP.
I have unpacked it, but the file name and extensions are unknown.
At present I am trying to identify the msimage.mbm and mprg files.
The rom link is http://www.needrom.com/wp-content/uploads/2015/03/C199s-V100R001C92B260-Telecom.zip
Hi there Quakze, I just wonder, is it only the two of us who are interested in reviving dead YUs? By the way, at last I hard bricked my YU, and I think it is true that curiosity kills. Hahahaha, so yippee for me.
Ok, back to our business, I only know three major companies who always pack qualcomm's mbn files in their firmwares, they are Lenovo, Xiaomi, and Hisense. So, if you have time to wait you can hunt these phone firmwares when they released:
Hisense HS-H910 TD-LTE (expected release firmware June 2015)
Lenovo Vibe X2 PRO Dual SIM LTE (expected release firmware June 2015)
Lenovo Vibe Shot Dual SIM LTE (expected release firmware June 2015)
Xiaomi Ferrari (expected release firmware unknown)
However, if you are curious enough to find out by yourself on how to create qualcomm's mbn file for our YUs, then we can join hands in this thread.
And this is an update from me on my effort in reviving my dead YU. When I did hex readings on some CPB files, I found out that each of those files contains at least one msimage.mbn. That is why I spent my last weekend just doing some research on the Coolpad Download Assistant (CDA) software in order to hack it, and the good news is I managed to do it.
So with this post, I have attached the hacked version of our beloved CDA software. All you have to do is just download and unzip the zip file attached in this post, install the software and copy paste the "dProdRes.dll" into Coolpad Download Assistant installation directory. Afterwards, run the program as usual, put the right path of the CPB file you want to unpack and press "ok" (of course the language use by the software is in chinese). You will find the unpack CPB files inside "DownFiles" folder found in Coolpad Download Assistant installation directory.
Please post me a reply if you have succeeded in unpacking the CPB files, and tell me what do you think about the unpacked files, as I did find some strange stuff inside it .
ekhasti said:
Sir, we want to change LTE frequency
thru QPST
Need help
Check here and please help us
Just head on to this thread. If you have anymore question, just don't hesitate to ask me.
tirta.agung said:
Just head on to this thread. If you have anymore question, just don't hesitate to ask me.
Sir
I already try that but stuck on YU Diagnostics Driver
OPO drivers not working for me
From where I get that
How to revert this command (old USB setting)
setprop sys.usb.config diag,adb
tirta.agung said:
Just head on to this thread. If you have anymore question, just don't hesitate to ask me.
Go till step 8 (with force install drivers) successfully
when Open QPST Configuration, go to the Ports tab, Add New Port .....
QPST stop working...
Flash rmt_storage patch device go bootloop
Thank God I make orignal rmt_storage patch zip
now device working
but QPST still not working
Help me please
something wrong with QPST
tirta.agung said:
Just head on to this thread. If you have anymore question, just don't hesitate to ask me.
I follow this Thread
Do complete process successfully :good:
all done
recheck repeat step 1 to 13
digits also changed
but until now show H or H+
is there any way to know which band is active now??
@hem12
tirta.agung said:
Hi there Quakze, I just wonder is it only the two of us who are interested in reviving death YUs? By the way, at last I hard bricked my Yu, and I think it is true that curiosity kills. Hahahaha, so yippee for me .
Ok, back to our business, I only know three major companies who always pack qualcomm's mbn files in their firmwares, they are Lenovo, Xiaomi, and Hisense. So, if you have time to wait you can hunt these phone firmwares when they released:
Hisense HS-H910 TD-LTE (expected release firmware June 2015)
Lenovo Vibe X2 PRO Dual SIM LTE (expected release firmware June 2015)
Lenovo Vibe Shot Dual SIM LTE (expected release firmware June 2015)
Xiaomi Ferrari (expected release firmware unknown)
However, if you are curious enough to find out by yourself on how to create qualcomm's mbn file for our YUs, then we can join hands in this thread.
And this is an update from me on my effort in reviving my death YU. When I did hex readings on some CPB files, I found out that each of those files contain at least one msimage.mbn. That is why, I spend my last weekend just to do some research on Coolpad Download Assistant (CDA) Software in order to hack it, and the good news is I managed to do it.
So with this post, I have attached the hacked version of our beloved CDA software. All you have to do is just download and unzip the zip file attached in this post, install the software and copy paste the "dProdRes.dll" into Coolpad Download Assistant installation directory. Afterwards, run the program as usual, put the right path of the CPB file you want to unpack and press "ok" (of course the language use by the software is in chinese). You will find the unpack CPB files inside "DownFiles" folder found in Coolpad Download Assistant installation directory.
Please post me a reply if you have succeeded in unpacking the CPB files, and tell me what do you think about the unpacked files, as I did find some strange stuff inside it .
Succeeded in unpacking the CPB, and there much needed files. I tried with version 27, now I am downloading version 40.
Will start testing with these files, hope for success :good:
BTW, U did a great job in cracking the CDA, Thank You
Boot image, MTP, Diag, and ADB all at one
ekhasti said:
I follow this Thread
Do complete process successfully :good:
all done
recheck repeat step 1 to 13
digits also changed
but until now show H or H+
is there any way to know which band is active now??
@hem12
Congratulations my friend, but don't forget to say thanks to devilsshadow and Albirew for their tips.
As for the changes, did you do these things before you change all the parameter with QXDM:
Put out all your sim cards from the phone?
While in qxdm, did you put a check mark on the dual sim option and applied all changes to both sims (sim0 and sim1)?
Perhaps you could also try typing *#*#4636#*#* via your phone dialer, and I think there will be some debug menu, hahaha my phone is bricked remember. But, if you want to know for sure, put a different card that use a different frequencies.
Here, I would also like to share a different method, besides using "setprop" command, to connect our YU with QPST or QXDM:
Download and unzip the attach file. You will find a boot image and a qualcomm driver inside it.
Uninstall all drivers that you have installed previously, and then install the qualcomm driver according to the type of your Windows (x64 or x86).
Copy the boot image into your phone internal storage.
Open the build.prop inside your phone "/system" directory, and find this line "persist.sys.usb.config="
If you found that line, then erase the whole line, if you can't find it then proceed to the next step.
Connect your phone with your PC, and open ADB (here, I assume you have already root you YU).
type:
Code:
adb shell
su
dd if=/sdcard/boot.img of=/dev/block/mmcblk0p20
reboot
After the phone has rebooted, open Device Manager in Windows, and you should find that your phone is recognised as "Qualcomm HS-USB Diagnostics 903A".
Now you can connect to QPST, QXDM, ADB, and MTP at once, every time your phone reboots.
By the way I recommend you to backup your fsc, fsg, modemst1, and modemst2 before you messed things up, by doing some steps below:
Connect your phone with ADB.
Type:
Code:
adb shell
su
dd if=/dev/block/mmcblk0p15 of=/sdcard/fsc.mbn
dd if=/dev/block/mmcblk0p22 of=/sdcard/fsg.mbn
dd if=/dev/block/mmcblk0p12 of=/sdcard/modemst1.mbn
dd if=/dev/block/mmcblk0p13 of=/sdcard/modemst2.img
You will find your backup files in your internal storage.
quakze said:
Succeeded in unpacking the CPB, and there much needed files. I tried with version 27, now I am downloading version 40.
Will start testing with these files, hope for success :good:
BTW, U did a great job in cracking the CDA, Thank You
Did you find MPRG8639.hex or MPRG8639.mbn in your CPBs ? Do you notice that all the qualcomm files inside have 8936 marking, not 8939, which is the chipset code of our YU? Strange indeed, it makes me wonder whether MSM8936 (snapdragon 610) has the same enumeration with MSM8939 (snapdragon 615). By the way, I'm still stuck with all those files found in the CPBs. I have use QPST and QFIL, but nothing avail.
@tirta.agung
When I reboot device all settings gone
I search & found there is some lock with NV in CM
now all same as before
need that rmt_storage type trick (which you give me link of OPO) for unlock
is that boot.img which you share here work for this??
---------- Post added at 07:22 AM ---------- Previous post was at 07:12 AM ----------
As for the changes, did you do these things before you change all the parameter with QXDM:
Put out all your sim cards from the phone?
While in qxdm, did you put a check mark on the dual sim option and applied all changes to both sims (sim0 and sim1)?
No.. Don't mention any where so miss these both point.
Perhaps you could also try typing *#*#4636#*#* via your phone dialer, and I think there will be some debug menu, hahaha my phone is bricked remember. But, if you want to know for sure, put a different card that use a different frequencies.
Don't found any debug menu..
Here, I would also like to share a different method, besides using "setprop" command, to connect our YU with QPST or QXDM:
Download and unzip the attach file. You will find a boot image and a qualcomm driver inside it.
Uninstall all drivers that you have installed previously, and then install the qualcomm driver according to the type of your Windows (x64 or x86).
Copy the boot image into your phone internal storage.
Open the build.prop inside your phone "/system" directory, and find this line "persist.sys.usb.config="
If you found that line, then erase the whole line, if you can't find it then proceed to the next step.
Connect your phone with your PC, and open ADB (here, I assume you have already root you YU).
type:
Code:
adb shell
su
dd if=/sdcard/boot.img of=/dev/block/mmcblk0p20
reboot
After the phone rebooted, open device manager in windows, and you should find that your phone is recognised as "Qualcom HS-USB Diagnostics 903A"
Now you can connect to QPST, QXDM, ADB, and MTP at one, every time you phone rebooted
this portion is new for me :good:
This boot.img is modified? I think so..
Safe for YU?
By the way I recommend you to backup your fsc, fsg, modemst1, and modemst2 before you messed things up, by doing some steps below:
Connect your phone with ADB.
Type:
Code:
adb shell
su
dd if=/dev/block/mmcblk0p15 of=/sdcard/fsc.mbn
dd if=/dev/block/mmcblk0p22 of=/sdcard/fsg.mbn
dd if=/dev/block/mmcblk0p12 of=/sdcard/modemst1.mbn
dd if=/dev/block/mmcblk0p13 of=/sdcard/modemst2.img
You will find your backup files in your internal storage.
That useful tip for me
Thanks a lot for all this
This QPST stuff use first time
so sorry if I ask some idiotic
and sorry for my horriable ENGLISH :silly:
tirta.agung said:
Did you find MPRG8639.hex or MPRG8639.mbn in your CPBs ? Do you notice that all the qualcomm files inside have 8936 marking, not 8939, which is the chipset code of our YU? Strange indeed, it makes me wonder whether MSM8936 (snapdragon 610) has the same enumeration with MSM8939 (snapdragon 615). By the way, I'm still stuck with all those files found in the CPBs. I have use QPST and QFIL, but nothing avail.
What U say is right happened with me also, so trying different CBP.
ekhasti said:
@tirta.agung
This boot.img is modified? I think so..
Safe for YU?
Yup, it is a modified YU original boot image, I just made some changes in the default.prop, so it is 100% safe as long you use stock CM. Hahaha, btw I'm an Indonesian and my English is terrible as well, hehehehehe:laugh:
YUs eMMC Raw image through ADB
quakze said:
What U say is right happened with me also, so trying different CBP.
Hi Quakze, I think I made some progress, but I have to reconfirm the steps that I have done, so I will post those steps later. But in the meantime, do you have a live YU? If you do, could you upload a full raw image of your live YU's eMMC?
Here is the how to:
Put a 32GB of empty Micro SD in your life YU
Do a factory reset of your YU, or you can go to recovery by formatting cache and data.
Format all the content of your internal storage
Connect your phone with adb.
Type:
Code:
adb shell
su
dd if=/dev/block/mmcblk0 of=/storage/sdcard1/backup.img bs=512 count=30535646
[B]THIS PROCESS WILL TAKE AROUND 45-60 minutes, SO ADB WILL FREEZE FOR THAT MOMENT[/B]
When the above process has finished, go to your external storage of your YU, copy the backup.img (the size will be around 16GB) to your computer.
Zip your backup.img with the best compression method, and now you will get around 2GB of zip file.
Could you upload that zip file to this thread. I'm sure it will be valuable not just for both of us, but also to other YU owners in this forum.
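A host-side check for a raw dump made with the dd command above, added here as an example and not code from the thread: it parses the GPT inside the image, verifies the header and table CRCs, and compares the length of the dump with the disk size the GPT itself records, so a dump cut short by `count=` or by a full SD card is caught before anyone relies on it. The sample image and its two partitions are constructed for the demonstration.

```python
import io
import struct
import zlib

SECTOR = 512                    # same unit as bs=512 in the dd command
HDR_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header, little-endian
ENT_FMT = "<16s16sQQQ72s"       # 128-byte GPT partition entry


def _read(f, lba, size):
    f.seek(lba * SECTOR)
    return f.read(size)


def parse_gpt(f, lba=1):
    """Parse and CRC-check the GPT header at `lba`; return (header, partitions)."""
    raw = _read(f, lba, 92)
    if len(raw) < 92 or raw[:8] != b"EFI PART":
        raise ValueError(f"no GPT signature at LBA {lba}")
    (_, _, hsize, hcrc, _, my_lba, alt_lba, _, _, _,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, raw)
    if not 92 <= hsize <= SECTOR or ent_size < 128:
        raise ValueError("implausible GPT header fields")
    full = _read(f, lba, hsize)
    # The header CRC is computed with its own 4-byte CRC field zeroed.
    if zlib.crc32(full[:16] + bytes(4) + full[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    table = _read(f, ent_lba, n_ent * ent_size)
    if len(table) != n_ent * ent_size or zlib.crc32(table) != ent_crc:
        raise ValueError("partition table truncated or CRC mismatch")
    parts = []
    for i in range(n_ent):
        type_guid, _, first, last, _, name = struct.unpack_from(
            ENT_FMT, table, i * ent_size)
        if type_guid != bytes(16):  # an all-zero type GUID marks an unused slot
            parts.append({
                "num": i + 1,       # Linux exposes entry i as mmcblk0p(i+1)
                "name": name.decode("utf-16-le", "replace").rstrip("\0"),
                "first_lba": first, "last_lba": last})
    return {"my_lba": my_lba, "alt_lba": alt_lba}, parts


def check_dump(f):
    """Return a list of problems in a raw disk dump; an empty list means none found."""
    sectors = f.seek(0, io.SEEK_END) // SECTOR
    try:
        hdr, parts = parse_gpt(f, 1)
    except ValueError as exc:
        return [f"primary GPT: {exc}"]
    problems = []
    disk = hdr["alt_lba"] + 1       # the backup header sits in the last sector
    if disk != sectors:
        problems.append(
            f"dump has {sectors} sectors but the GPT describes a {disk}-sector disk")
    try:
        parse_gpt(f, hdr["alt_lba"])
    except ValueError as exc:
        problems.append(f"backup GPT: {exc}")
    problems += [f"p{p['num']} ({p['name']}) runs past the end of the dump"
                 for p in parts if p["last_lba"] >= sectors]
    return problems


def build_sample(total=128):
    """Constructed test image: two partitions, primary and backup GPT."""
    def entry(name, first, last):
        return struct.pack(ENT_FMT, b"\x01" * 16, b"\x02" * 16, first, last, 0,
                           name.encode("utf-16-le"))
    table = entry("modemst1", 8, 15) + entry("fsg", 16, 31) + bytes(256)

    def header(my_lba, alt_lba, ent_lba):
        h = struct.pack(HDR_FMT, b"EFI PART", 0x10000, 92, 0, 0, my_lba, alt_lba,
                        3, total - 3, b"\x03" * 16, ent_lba, 4, 128,
                        zlib.crc32(table))
        return h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]

    img = bytearray(total * SECTOR)
    img[SECTOR:SECTOR + 92] = header(1, total - 1, 2)
    img[2 * SECTOR:3 * SECTOR] = table
    img[(total - 2) * SECTOR:(total - 1) * SECTOR] = table
    img[(total - 1) * SECTOR:(total - 1) * SECTOR + 92] = header(total - 1, 1, total - 2)
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # path to a real backup.img
        with open(sys.argv[1], "rb") as fh:
            print(check_dump(fh) or "no problems found")
    else:                           # constructed sample, cut short on purpose
        print(check_dump(io.BytesIO(build_sample()[:100 * SECTOR])))
```
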

wifi turning itself off, driver not being loaded.

Edit: Considering all the complex processes that I've done, I'm willing to do some series of steps again with the gathered knowledge, but I still need some guidance.
Actual status: Losing my mind (not fixed)
Here's the info of my current problem:
I have a XT1563, cid12 (cl)
Working perfectly until android 6.0 OTA. After restart, in the wifi screen loading bar is constantly present and switches itself off after a couple of seconds of activated. Network list is empty, mac address appears as 02:00:00:00:00:00 in wifi details and status of the phone.
Sent it to support and they 'updated the software', when I got it back wifi was working, but when I installed sd and sim cards back it stopped working.
The most relevant logcat message that appears to be the main one is from WifiStateMachine:
Code:
WifiStateMachine: Fail to set up pno, want false now false
WifiStateMachine: Failed to load driver
Things I've done
Most of these steps have been tried with clean installs and removing sd/sim cards
Network Reset
Factory Reset
Flash different stock roms (currently on 6.0.1 MPD24.107-52)
Flashed ultra kernel R2, R3 and squid kernels 14, 15, 15 oc, 15b
Used twrp 2.8.7 and 3.0.0-r2
Used rsd to flash official firmware for my carrier (RETLA-ENTEL_6.0_MPD24.65-25.1)
Flashed CM 12 and CM 13 unofficial
Installed SuperSU and Busybox
Changed owners and permits in persist/
Copied new persist from different sources
Hex edited .bin file in persist/
downloaded WCNSS_wlan_dictionary.dat and put it in persist to comply with symlink in prima/
fastboot oem install [2 of my carriers; entel, claro]
Replaced WCNSS files in persist with the ones available in the Motorola repo
Copied WCNSS factory file to prima/ folder
Copied WCNSS_qcom_cfg.ini to /data/misc/wifi
went crazy with 776 permissions
Even after flashing stock with RSDLite, the bootloader shows the modified status as 3 when I think it should be 2. This has led me to think that something is in the file system that android does not like but is not being fixed by RSD nor clean wipes.
From what I understand, the only thing that could be surviving full flashes and wipes are contents in persist/ and modifications to the root of the system, like busybox and superSU. I've not been able to find any way of cleaning the root of the phone and I imagine that's really dangerous.
TL;DR Wifi driver is not loading, persist folder is ok and clean flash does not fix it.
Possibly relevant logcat entries:
E WifiService: Invoking mWifiStateMachine.setWifiEnable
D WifiStateMachine: setting operational mode to 1
E WifiHW : User build,dont Start logging service.
E WifiService: Invoking mWifiStateMachine.setWifiEnabled
E WifiStateMachine: Failed to load driver
D WifiStateMachine: setWifiState: unknown state
Info for nerds:
Source code of WifiStateMachine.java containing the error message:
Code:
public boolean processMessage(Message message) {
    switch (message.what) {
        case CMD_START_SUPPLICANT:
            if (mWifiNative.loadDriver()) {  // the check that fails here
                // Code for loading supplicant
            } else {
                loge("Failed to load driver");
            }
            break;
        // More code
    }
}
WifiNative.java contains the class being instantiated where the evaluation calls an empty abstract method:
Code:
public native static boolean loadDriver();
I'm having problems identifying where this class is being extended for this method to actually do something. If anyone knows please leave a comment.
Wifi problems and fixes
I've still not found a solution for myself, but I figured I still can give some tips for people with problems, especially considering how confusing it is to get information about this.
This is a work in progress. I would gladly receive corrections and new info.
Before anything, do a backup. Even if your wifi does not work, it can save you from a lot of problems. Remember to back up the persist folder; a lot of automated recoveries don't make a backup of that folder because it's supposed to survive flashes, but there are ways in which you can do it by mistake. It also helps a lot with bug hunting.
Things you should have already tried:
Plane mode on, reboot, wifi on and plane mode off
Network settings reset in android and reboot
Rebooted to safemode (longpress on power off when turning phone off)
Factory reset in android
Removal of SD and SIM cards
Factory reset in recovery
Flash Stock ROM in RSDLite
Unlock bootloader
Activate developer mode and set usb debug on
Installed custom recovery
Clean Flash stock ROM through fastboot
Flash custom Kernels
Things you need:
adb and fastboot
usb drivers for the phone
Optional Text editor that preserves text format (avoid notepad and MS word)
Optional Busybox for extended commands in android shell (root required)
Optional If you're in windows and want to mess with adb: A decent console to work with.
Option A: cash with cmder
Install cmder
Install NodeJs
Install cash by typing in cmd: npm install cash-global -g (after NodeJs)
Option B: babun
http://babun.github.io/
optional Open text editor for easy copy-paste of long paths and commands
optional Hex editor if you want to edit .bin files. I use XVI32
Useful console commands (In windows you need one of the optional shells described above)
List files and folders
Code:
ls -la [path to list]
Find file/folder in linux (and android shell)
Code:
find / -iname '*[word you're looking]*'
* are 'wildcards', they allow for matching any text (or no text at all)
you can add, before -iname, -type f (for files) or -type d (for folders)
Symlink
It's an alternative to copying files. This allows you to simulate having a file in two different places, but really all point to one. Modifications in this source are going to affect all the links, so it's easier to configure. Android does this a lot.
Code:
ln -s [path to] [from]
Copy files and folders
Code:
cp [-R if you want to copy folders] [path to source] [path to target]
logcat for essential wifi messages (short-colored). If someone knows more, please let me know
Code:
adb logcat -v brief -v color WifiService:V WifiHW:V WifiStateMachine:V FileUtils:V QSEECOMAPI:V *:S
change owners and permissions
the flag -R makes the command work for files and subfolders
Code:
chown user:group [path to file or folder]
chmod [num of user][num of group][num of all] [path to file or folder]
(e.g. chmod 660 /persist/WCNSS_qcom_wlan_nv.bin)
grep
This one is awesome; It's for filtering the results of any command, so you can use it for filtering.
Code:
[command you want to filter] | grep -i [term you're looking for]
For example, [adb logcat] gives you a huge list of messages, but [adb logcat | grep -i wifi] gives you just the lines that contain 'wifi'
From my experience, these are the common folders related to wifi configs:
Code:
/persist/
/system/etc/firmware/wlan/prima/
/system/etc/wifi/
/data/misc/wifi/
Command list for doing a full clean flash:
please note that system.img_sparsechunk can vary in number according to ROM, but I've put 9 in here because failed commands don't write to phone
note: fastboot flash partition gpt.bin works perfectly when used first, but for me it's failing when I erase system and boot first.
Code:
fastboot erase system -w
fastboot erase boot
fastboot erase fsg
fastboot flash partition gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash system system.img_sparsechunk.5
fastboot flash system system.img_sparsechunk.6
fastboot flash system system.img_sparsechunk.7
fastboot flash system system.img_sparsechunk.8
fastboot flash system system.img_sparsechunk.9
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot erase customize
fastboot erase clogo
fastboot reboot (or reboot-bootloader)
Important: Every time you flash, do a clean wipe. In fastboot this usually means using erase system -w and erase boot before flashing.
Be aware that for getting the logcat your phone must be booted to android OS.
Be aware that for copying and modifying important files you must access the phone's shell either in recovery mode or switching to root with the command (su) that's only accessible if you're rooted.
Ok. If you made it this far you're probably losing your mind. To debug this, especially if you're going to post asking for help, get the catlog of your phone and/or a precise description to look for clues to your problem (I have a command ready for you above).
Here's some common solutions I've found while trying to solve my own problem: (Credits to the authors of the solutions)
Bad permissions/users
These appear to be correct or usable permissions for relevant files. Consider that there's a lot of fragmentation in this info so they might be wrong.
Confirmation of these would be great:
Code:
-rwxrwx--- wifi wifi /system/etc/wifi
-rw-rw---- wifi wifi /system/etc/wifi/wpa_supplicant.conf
-rwxrwx--- wifi wifi /data/misc/wifi
-rwxrwx--- wifi wifi /data/misc/wifi/sockets
-rw-rw---- wifi wifi /data/misc/wifi/wpa_supplicant.conf
-rw-rw---- system:wifi /data/misc/wifi/WCNSS_qcom_cfg.ini
-rw-rw---- wifi wifi WCNSS_qcom_wlan_nv.bin
-rw-rw---- root root WCNSS_wlan_dictionary.dat
-rwxrwx--- is 770, -rw-rw---- is 660
It is reported in some places that the parent folder of wpa_supplicant.conf should be -rw-rw---- wifi wifi
Missing or badly configured wpa_supplicant.conf
The solution is to place a new copy of the file in the correct folders. If someone has an 'official' source or more info let me know
I remember reading that some people had success deleting the file so the OS rebuilds it. Do it at your discretion and remember to backup
Missing WCNSS files
These files are essential and must be in the correct paths for wifi drivers to load.
There's a lot of different sources for these files, but from my experience they don't change a lot (last commits are more than one year old).
Files in official source repository from Motorola
These posts have info and files
http://forum.xda-developers.com/showthread.php?t=2589790
http://forum.xda-developers.com/showpost.php?p=48861415&postcount=19
Paths of relevant files. Please consider that not just because it's here means you need it
Code:
/persist/WCNSS_qcom_wlan_nv.bin
/persist/WCNSS_qcom_wlan_factory_nv.bin
/persist/WCNSS_qcom_wlan_dictionary.dat
/system/etc/firmware/wlan/prima/WCNSS_qcom_cfg.ini
/system/etc/firmware/wlan/prima/WCNSS_cfg.dat
/system/etc/firmware/wlan/prima/WCNSS_qcom_wlan_nv.bin
/system/etc/firmware/wlan/prima/WCNSS_qcom_wlan_dictionary.dat
/system/etc/firmware/wlan/prima/WCNSS_qcom_wlan_factory_nv.bin
/data/misc/wifi/WCNSS_qcom_cfg.ini
/data/misc/wifi/wpa_supplicant.conf
Missing /persist/drm/widevine and/or /persist/prov
Check these two posts:
http://forum.xda-developers.com/showthread.php?t=2589790
http://forum.xda-developers.com/showpost.php?p=48861415&postcount=19
In there you can find backups to get the folders, restore them to /persist/ and check permissions.
Bad MAC address in WCNSS_qcom_wlan_nv.bin
Sometimes the file WCNSS_qcom_wlan_nv.bin needs to be updated with the correct mac address.
Since it's a .bin file, it cannot be changed with a text editor. You need to use a hex editor (XVI32 link is in 'things you need' above).
The mac address starts at 'A' (since is hex) or, more simply, after 10 'cells'. Be aware that in this editor changes get 'inserted' instead of modified, so you have to delete the initial 6 addresses of the old mac.
Put the file back, and check permissions. There are two copies of this file: one in /persist/ and another in /system/etc/firmware/wlan/prima/. Change one or both according to your situation.
Some logcat messages and details about them
For getting more messages about wifiHW you need a userdebug build like CyanogenMod. Stock roms don't log wifiHW.
Code:
WifiStateMachine: failed to load driver
WCNSS_qcom_cfg.ini and/or WCNSS_cfg.dat is missing somewhere. In my case this was missing from /system/etc/wifi.
Code:
wcnss_service: CAL file not found
This refers to the calibration file. The source of wcnss-service.c defines this file as "WCNSS_qcom_wlan_cal.bin" in the path "/data/misc/wifi/WCNSS_qcom_wlan_cal.bin". However, the source shows that the CAL file is not used if the factory file is present. The source in the link gives this address, "/data/misc/wifi/WCN_FACTORY", which is weird because from posts in xda this file has the name "CNSS_qcom_wlan_factory_nv.bin". I'll update if I have more info
Info for nerds:
How android Wifi works:
https://community.freescale.com/docs/DOC-93603
source code for wifi opt framework - android 6.0.1 r22
source code for wifi qcom framework - android 6.0.1 r22
You need a hex editor to edit those .bin files.
www.droidrzr.com/topic/65438-how-to-change-your-mac-address-xt926/
forum.xda-developers.com/nexus-4/help/nexus-4-mac-changer-spoofing-t2180809/page3
Thank you for your answer!
I'll make the edit in the file but I'll take a while to report back on the results because it's already too late in here.
Considering this, would it make sense for a nonmatching mac address show up as 02:00:00:00:00 in the wifi details screen?
RoDeltaLambda said:
> Thank you for your answer!
> I'll make the edit in the file but I'll take a while to report back on the results because it's already too late in here.
> Considering this, would it make sense for a nonmatching mac address show up as 02:00:00:00:00 in the wifi details screen?
Yes, your Mac address is fine, just checked I also have the same
try this and report if its working
1. Put the phone into airplane mode.
2. Restart the phone.
3. Turn on WiFi.
4. Connect to the WiFi network.
5. Turn off airplane mode.
bablu048 said:
> Yes, your Mac address is fine, just checked I also have the same
> try this and report if its working
> 1. Put the phone into airplane mode.
> 2. Restart the phone.
> 3. Turn on WiFi.
> 4. Connect to the WiFi network.
> 5. Turn off airplane mode.
I've tried those steps and it's not working.
Logcat shows "WifiStateMachine: Failed to load driver" in each attempt.
I will update the .bin modifications results in a couple of minutes
bablu048 said:
> You need a hex editor to edit those .bin files.
> www.droidrzr.com/topic/65438-how-to-change-your-mac-address-xt926/
> forum.xda-developers.com/nexus-4/help/nexus-4-mac-changer-spoofing-t2180809/page3
I have tried the modifications to no avail.
Steps I did:
get the wifi mac address from the recovery logs
adb pull the files on recovery with persist mounted
hex edited the lines taken from the screenshot on your second link (both _factory_nv.bin and _nv.bin)
adb pushed lines back to mounted persist on recovery
cleaned data/cache/dalvik
rebooted to system
Is there something in the /data/ folder that could be causing the issue? Now both files show back at -rw-r--r-- permissions with root:root owner. I'll try again without wiping data this time and post the report.
RoDeltaLambda said:
> I have tried the modifications to no avail.
I think this thread solved the problem just by replacing the files from another device forum.cyanogenmod.org/topic/84876-wifi-failure-after-cm11-install-still-present-after-restore-from-backup/
bablu048 said:
> I think this thread solved the problem just by replacing the files from another device forum.cyanogenmod.org/topic/84876-wifi-failure-after-cm11-install-still-present-after-restore-from-backup/
I have tried the steps in that topic, copying the exact same files in /persist and /prima. Problem still persists
From that topic I've learned that at flash time the files from persist are taken out and sent to system folders. I will try to reflash now with the new files and permissions set up
After the actions of my last post and before the new flash, I scanned the results of adb logcat *:D | grep Wifi
Here are some entries that could be of interest:
more possibly relevant logcat entries:
Code:
Initially country code appears to be empty:
I WifiService: WifiService trying to set country code to with persist set to true
WifiService: Client connection lost with reason: 4
I WifiService: WifiService trying to set country code to cl with persist set to true
E WifiService: Invoking mWifiStateMachine.setWifiEnable
D WifiStateMachine: setting operational mode to 1
E WifiHW : User build,dont Start logging service.
E WifiService: Invoking mWifiStateMachine.setWifiEnabled
E WifiStateMachine: Failed to load driver
D WifiStateMachine: setWifiState: unknown state
RoDeltaLambda said:
> I have tried the steps in that topic, copying the exact same files in /persist and /prima. Problem still persists
> From that topic I've learned that at flash time the files from persist are taken out and sent to system folders. I will try to reflash now with the new files and permissions set up
I've fully flashed the device with RSD and the problem still persists.
Eager to hear some more ideas.
I noticed that in system/etc/firmware/prima, adding to the files I copied, there's one symlink: WCNSS_wlan_dictionary.dat -> /persist/WCNSS_wlan_dictionary.dat
This file is not present in my persist folder (nor the rest of the files in the phone, based on adb shell find . -name WCNSS_wlan_dictionary.dat). I imagine this could clearly cause a problem with the wifi driver looking for a file that does not exist.
Does someone have a reliable source where I could get this file? I can try to delete it to see if the OS tries to rebuild something, but I would prefer the safest option first.
have you tried flashing back stock recovery then do a factory reset from there?
Copy WCNSS_qcom_wlan_factory_nv.bin to your SD card. Use your file manager to copy this file to /prima. Reboot
Activate wi-fi, then you'll find your MAC address under Settings > About Phone > Status > Wi-fi MAC Address
Open WCNSS_qcom_wlan_factory_nv.bin on your phone or PC with a hex editor and type your MAC address inside that file and save it.
File attached just remove .txt
The file is from xt1562
bablu048 said:
> Copy WCNSS_qcom_wlan_factory_nv.bin to your SD card. Use your file manager to copy this file to /prima. Reboot
> Activate wi-fi, then you'll find your MAC address under Settings > About Phone > Status > Wi-fi MAC Address
> Open WCNSS_qcom_wlan_factory_nv.bin on your phone or PC with a hex editor and type your MAC address inside that file and save it.
> File attached just remove .txt
> The file is from xt1562
Thank you for the file and the instructions. I've checked the diff with 3 different sources:
Meninblack007 - vendor
huawei_msm8916
google android source code
All match, so I'll assume this is a universal file without modifications.
Moving this file to persist/ folder made no difference
I've also tried taking the files from motorola official github repo, copy them to persist/ and flash. Without success this far.
I'll send factory_nv.bin to prima folder and report back
flash the firmware through rsd lite, lock the bootloader and take it again to service center.
I am out of ideas and also Google searches.. I'll keep looking and report if I find anything else.
bablu048 said:
> Copy WCNSS_qcom_wlan_factory_nv.bin to your SD card. Use your file manager to copy this file to /prima. Reboot
> Activate wi-fi, then you'll find your MAC address under Settings > About Phone > Status > Wi-fi MAC Address
> Open WCNSS_qcom_wlan_factory_nv.bin on your phone or PC with a hex editor and type your MAC address inside that file and save it.
> File attached just remove .txt
> The file is from xt1562
I've copied the file between the locations through adb shell and there's no noticeable difference.
MAC address does not appear either in this screen:
I'll post this image and the versions of the phone in the OP
did u try ultra kernel?
i have same problem.
i flash ultra kernel(r3), and my wifi work fine.
jalal-jap said:
> did u try ultra kernel?
> i have same problem.
> i flash ultra kernel(r3), and my wifi work fine.
Yes I've tried.
> Flashed ultra kernel R2, R3 and squid kernels 14, 15, 15 oc, 15b
Considering all the changes I've done, it was a good idea to try again.
I've tried the last release of squid kernel, since the dev of ultra kernel recommended this one for 6.0.1.
Installed the kernel, wiped cache/dalvik and rebooted without success. Logcat is still showing failure at loading drivers.
The main problem I'm having is that the failure point is not correctly specified, so now I'll try to dig deeper into logcats to see if I pinpoint the source of the issue. If anyone can let me know about some complementary logs, I would be super grateful.
I've installed CM to have a userdebug build, in order to debug more in detail thanks to the logs of wifiHW.
After fixing an error of missing WCNSS_qcom_cfg.ini in /system/etc/wifi (copied from prima folder) I've come across this error appearing persistently:
Code:
wcnss_service: Failed to open /dev/wcnss_ctrl : Bad address
I've looked around but there's no info of how could I deal with this. I will dig around a little more but if someone has a tip I would gladly hear

Complete Partition Backup Script

After trying to install the March security patch and revert to stock, my XT1644 changed from a Moto G4 Plus to a Moto G4 without fingerprints etc.
I learned after the fact that my TWRP backup only backed up 3 partitions of my phone's 48 partitions (only 4 were offered on the first version of TWRP I tried). Reflashing all ROMS, including npjs25-93-14-4 via fastboot does not help. I have since found the solution. The hw partition had become corrupted.
Because of this issue, I wrote a script which dumps all partitions (by default only partitions of 102400 blocks or less). It writes a summary to a file called partitions.txt which includes checksums of all partitions. It also writes the output from getprop to build.prop. It writes everything to a sub directory of wherever the script is uploaded to.
The options are as follows:
Code:
#adb shell /data/media/0/PartitionImages/backupPartitions.sh -h
Usage /data/media/0/PartitionImages/backupPartitions.sh [-z] [-b MaxBlocks] [-n partition1 ] [-n partition2 ]
options:
-z optional to tar.gz the output folder default=false
-b 102400 optional maximum number of blocks of the partition - 0 will dump all partitions default=102400
-n partitionName... optional - one or more partitions to dump
To do this, all you need is an unlocked bootloader and ADB debugging turned on.
The steps are as follows:
1) Boot into TWRP Recovery
2) Run the following commands via ADB to prepare the backup (note /data/media/0/ can be substituted for /sdcard if you have one)
Code:
adb shell mkdir /data/media/0/PartitionImages
adb push .\backupPartitions.sh /data/media/0/PartitionImages/backupPartitions.sh
adb shell chmod 0755 /data/media/0/PartitionImages/backupPartitions.sh
3) Perform the backup (see options above if you want a full backup or a more limited backup)
Code:
adb shell /data/media/0/PartitionImages/backupPartitions.sh
4) Copy the results back to your computer
Code:
adb pull /data/media/0/PartitionImages .\PartitionImages
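Once two sets of partition images have been pulled this way, one from a working phone and one from a broken phone, the comparison the checksums are meant for can be done on the host. The following is an added example, not givitago's script: it assumes each partition was saved as `<name>.img` in its own directory (the naming is an assumption), uses SHA-256 for the equality check, and reports which images differ and the first byte offset where they diverge. The sample files in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_file(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def first_difference(a, b, chunk=1 << 20):
    """Offset of the first differing byte, or of the shorter file's end;
    None if the two files are identical."""
    offset = 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ba, bb = fa.read(chunk), fb.read(chunk)
            if ba != bb:
                same = next((i for i, (x, y) in enumerate(zip(ba, bb)) if x != y),
                            min(len(ba), len(bb)))
                return offset + same
            if not ba:
                return None
            offset += len(ba)


def compare_dumps(dir_a, dir_b):
    """Map image name -> (status, offset) for every image that is not
    byte-identical in both directories. Identical images are left out."""
    a = {p.name: p for p in Path(dir_a).glob("*.img")}
    b = {p.name: p for p in Path(dir_b).glob("*.img")}
    report = {}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report[name] = ("only in first", None)
        elif name not in a:
            report[name] = ("only in second", None)
        elif digest_file(a[name]) != digest_file(b[name]):
            report[name] = ("differs", first_difference(a[name], b[name]))
    return report


def demo():
    """Run the comparison on two small constructed dump directories."""
    with tempfile.TemporaryDirectory() as tmp:
        working, broken = Path(tmp, "working"), Path(tmp, "broken")
        working.mkdir()
        broken.mkdir()
        # Constructed contents; real images are whatever dd read from the device.
        for d in (working, broken):
            (d / "boot.img").write_bytes(b"ANDROID!" + bytes(64))
        (working / "fsg.img").write_bytes(bytes(512))
        (working / "hw.img").write_bytes(bytes(4096) + b"model=plus" + bytes(100))
        (broken / "hw.img").write_bytes(bytes(4096) + b"model=base" + bytes(100))
        return compare_dumps(working, broken)


if __name__ == "__main__":
    for name, (status, offset) in demo().items():
        where = "" if offset is None else f" at byte {offset} (0x{offset:x})"
        print(f"{name}: {status}{where}")
```

Partitions such as modemst1 and modemst2 hold per-device modem data, so a difference there between two phones is expected and is not by itself a sign of corruption.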
Try to flash twrp and clear internal memory as well
And after that flash dec security version of android 7..
dont try to lock the bootloader.
It worked for me ...
Best of luck
Resolved!
As posted on a related thread I just found, I have resolved the issue:
Moto G4 Plus's Model changed to G4,lost one imei and finger print.
Excellent tool, thank you very much.
So, in the unlucky case that i would lose fingerprint scanner, etc. due to bootloader downgrade or whatsoever that causes it. if i flash my previously backuped (with your script) hw.img partition with ' fastboot flash hw hw.img ', my device will be recognized as a Moto G4 plus?
And features like fingerprint, network, will be in working condition again?
I think that your script is a "must have" for every flashaholic that owns a G4 Plus. I did the backup, just in case. Thanks for sharing it.
moonlightdrive said:
> Excellent tool, thank you very much.
> So, in the unlucky case that i would lose fingerprint scanner, etc. due to bootloader downgrade or whatsoever that causes it. if i flash my previously backuped (with your script) hw.img partition with ' fastboot flash hw hw.img ', my device will be recognized as a Moto G4 plus?
> And features like fingerprint, network, will be in working condition again?
> I think that your script is a "must have" for every flashaholic that owns a G4 Plus. I did the backup, just in case. Thanks for sharing it.
That is the idea yes, but I haven't tested restoring anything - only done a binary patch of the first little bit of that partition - using dd. I wrote it mostly to get the MD5s of each partition from someone with a working phone so I could start looking for differences. There are lots of more professional backup tools out there which are likely all just wrappers around dd - but this will likely do the job with very basic requirements.
Nice work mate :good: @givitago
Guys, I don't understand what to do, please help me. Can you describe in detail the steps to get back my Moto G4 Plus fingerprint? Can you make a video
or explain this?
Can anyone upload a full backup of their Moto G4 Plus? It will be really helpful because the 201-1 aka June security patch update totally bricked my phone, and since then there is no bootloader and nothing in my phone, and the blankflash method is also not working. So can I somehow use your backup as emmc and bring my phone back to life ?!?! Thanks.....
Hello,
Please help me my moto g4 plus is dead after nougat update only white LED is blinking
I have tried blankflash also but same issue...
error is.
Motorola qboot utility version 3.40
[ -0.000] Opening device: \\.\COM3
[ 0.001] Detecting device
[ 0.003] ...cpu.id = 2418 (0x972)
[ 0.003] ...cpu.sn = 30871031 (0x1d70df7)
[ 0.004] Opening singleimage
[ 0.012] Loading package
[ 0.016] ...filename = singleimage.pkg.xml
[ 0.018] Loading programmer
[ 0.019] ...filename = programmer.mbn
[ 0.019] Sending programmer
[ 0.240] Handling things over to programmer
[ 0.240] Identifying CPU version
[ 0.246] Waiting for firehose to get ready
[ 60.377] Waiting for firehose to get ready
[120.466] ...MSM8952 unknown
[120.466] Determining target secure state
[120.469] Waiting for firehose to get ready
[180.546] ...secure = no
[180.584] Flashing GPT...
[180.601] Flashing partition:0 with gpt_main0.bin
[180.602] Initializing storage
[180.606] Waiting for firehose to get ready
[240.617] Configuring device...
[240.622] Waiting for firehose to get ready
[300.634] Waiting for firehose to get ready
[360.651] Waiting for firehose to get ready
[420.661] Waiting for firehose to get ready
[480.668] ERROR: do_package()->do_recipe()->do_flash()->gpt_flash()->get_storage
()->init_storage()->firehose_do_fmt()->do_recipe()->do_configure()->buffer_read(
)->device_read()->IO error
[480.668] Check qboot_log.txt for more details
[480.668] Total time: 480.668s
FAILED: qb_flash_singleimage()->do_package()->do_recipe()->do_flash()->gpt_flash
()->get_storage()->init_storage()->firehose_do_fmt()->do_recipe()->do_configure(
)->buffer_read()->device_read()->IO error
please help
Hi, is there any hardware partition for camera and flashlight???? Bcoz my device camera hardwares are good but not opening. Camera says "camera is busy" and flashlight option is missing from my device and it says flashlight not detected in flashlight app. Same issue i had for network and fingerprint. It is solved via hw partition image. Is there any hardware partition for camera also???? If it is there, plz include in this thread...
Aashakmeeran said:
> Hi, is there any hardware partition for camera and flashlight???? Bcoz my device camera hardwares are good but not opening. Camera says "camera is busy" and flashlight option is missing from my device and it says flashlight not detected in flashlight app. Same issue i had for network and fingerprint. It is solved via hw partition image. Is there any hardware partition for camera also???? If it is there, plz include in this thread...
This can be software related or hardware issue.. not any partition related..
For Hardware*
I don't know anything.. you can see fixing videos or go to service center..
For software* (two methods)
1) Try this app, https://f-droid.org/en/packages/info.aario.killcamera/
2) reflash ROM, try different ROM.
3) this is hardware issue.
Do you know if it was working before you flashed ROM and device changed to normal G4..??
____Mdd said:
This can be software related or hardware issue.. not any partition related..
For Hardware*
I don't know anything.. you can see fixing videos or go to service center..
For software* (two methods)
1) Try this app, https://f-droid.org/en/packages/info.aario.killcamera/
2) reflash ROM, try different ROM.
3) this is hardware issue.
Do you know if it was working before you flashed ROM and device changed to normal G4..??
Ya it works fine before the name I got g(4) but after doing frp flash it is not getting. Even the flashlight also not works.
Aashakmeeran said:
Ya it works fine before the name I got g(4) but after doing frp flash it is not getting. Even the flashlight also not works.
Tried app i mentioned ?
Tried reflashing other/stock rom?
If still not working, it's definitely hardware issue, because others with same issue (g4plus > g4) haven't reported any camera problem.
If you know hardware stuff, then go and check it. Otherwise service centers are best choice..
____Mdd said:
Tried app i mentioned ?
Tried reflashing other/stock rom?
If still not working, it's definitely hardware issue, because others with same issue (g4plus > g4) haven't reported any camera problem.
If you know hardware stuff, then go and check it. Otherwise service centers are best choice..
That app needs root, it seems. So the root process is going on. I'll try my best and thank you :good:
By doing this I lost my IMEI number, please help :crying: anyone
givitago said:
After trying to install the March security patch and revert to stock, my XT1644 changed from a Moto G4 Plus to a Moto G4 without fingerprints etc.
I learned after the fact that my TWRP backup only backed up 3 partitions of my phone's 48 partitions (only 4 were offered on the first version of TWRP I tried). Reflashing all ROMS, including npjs25-93-14-4 via fastboot does not help. I have since found the solution. The hw partition had become corrupted.
Because of this issue, I wrote a script which dumps all partitions (by default only partitions of 102400 blocks or less). It writes a summary to a file called partitions.txt which includes checksums of all partitions. It also writes the output from getprop to build.prop. It writes everything to a sub directory of wherever the script is uploaded to.
The options are as follows:
Code:
#adb shell /data/media/0/PartitionImages/backupPartitions.sh -h
Usage /data/media/0/PartitionImages/backupPartitions.sh [-z] [-b MaxBlocks] [-n partition1 ] [-n partition2 ]
options:
-z optional to tar.gz the output folder default=false
-b 102400 optional maximum number of blocks of the partition - 0 will dump all partitions default=102400
-n partitionName... optional - one or more partitions to dump
To use this, all you need is an unlocked bootloader and ADB debugging turned on.
The steps are as follows:
1) Boot into TWRP Recovery
2) Run the following commands via ADB to prepare the backup (note /data/media/0/ can be substituted for /sdcard if you have one)
Code:
adb shell mkdir /data/media/0/PartitionImages
adb push .\backupPartitions.sh /data/media/0/PartitionImages/backupPartitions.sh
adb shell chmod 0755 /data/media/0/PartitionImages/backupPartitions.sh
3) Perform the backup (see options above if you want a full backup or a more limited backup)
Code:
adb shell /data/media/0/PartitionImages/backupPartitions.sh
4) Copy the results back to your computer
Code:
adb pull /data/media/0/PartitionImages .\PartitionImages
Hey bro, can you please explain this to me? Actually my Moto G4 Plus isn't accepting the new hw image

[Guide] [Unbrick] How to revive a hard bricked Moto G5

This guide is for hard bricked Moto G5 Cedric
Hard bricked means a device which can not enter bootloader mode normally
This method has now been confirmed working
Works with XT1672 XT1670 XT1671 XT1675 XT1676 XT1677 (and most likely all others and if you ask if it will work on your version I will just copy & paste this to you!)
Smaller Image
Thanks to Luka Panio, Omega, and nift4 we now have a smaller image size
Go to this GitHub page and under assets download mmcblk0.img.gz
Extract mmcblk0.img from the zip file to PC
Previous Larger Images
Mega
Download mmcblk0.zip image from Mega
Create your own mega account and import the file into your mega account. Log into your account and download it from your own account
Extract mmcblk0.img from mmcblk0.zip to PC
Or for those of you who can't use mega or have unstable Internet I've split the large file size into smaller multiple zip files. You must download each part and then extract using an unzip tool like winrar or 7zip
Android File Host
Download mmcblk0.zip, mmcblk0-part1.zip and mmcblk0-part2.zip from Android File Host
Extract mmcblk0.z01 from mmcblk0-part1.zip
Extract mmcblk0.z02 from mmcblk0-part2.zip
Extract mmcblk0.img from mmcblk0.zip (If prompted point to mmcblk0.z01 and mmcblk0.z02 but it shouldn't ask if all files are in the same folder)
Requirements
Freshly formatted microSD card 16gb if using the smaller image or at least 32gb if using the previous larger images (It needs to have at least 31.3gb free after formatting - if it displays as less you will need to buy a 64gb microSD card or use the smaller image)
7zip
Linux mint live usb/dvd
USB card reader
Method
The BEST method to flash the sdcard with the mmcblk0.img file is to use LINUX!
Windows users have no need to install Linux on their PC, you can run Linux from a bootable usb-stick that is at least 8gb or a dvd
Do not run Linux as a virtual machine on Windows! Use the live USB/DVD
0) Put the Moto g5 on mains charge until you have finished flashing the sdcard so it's fully charged ready for the boot test!
1) Run Linux, preferably cinnamon or mate versions of Linux Mint
2) Insert the sdcard in pc or card reader and open "Disks" app
3) In "Disks" app select sdcard and you will see the sdcard partitions
4) Press "-" to delete the partition (delete all partitions if there is more than one)
5) Press "+" to create a new one and name it mmcblk0, set FAT(FAT32) file format and press "CREATE"
6) Press "Play" button to mount the sdcard, look to see what path the sdcard has (/dev/sd??) and then close the "Disks" app
7) Go to Desktop, open "Computer" and navigate to the location where the img file is extracted (mmcblk0.img)
8) Open the window where img file is with root (right click on window and select "open as root")
9) In root window open the Terminal (right click on window and select "open terminal")
no need to type "su" in terminal, it has root already (see notes if using Linux live usb/dvd)
10) Type in terminal the command written below and don't forget to eliminate that "1" from the sdcard path,
that "1" can make the difference between the phone booting or not!!!!!
Things to note
Linux Live dvd doesn't have open as root so just open in terminal and add sudo to the start of the commands
I've included this in the commands below
If you get a status error just remove status=progress from the terminal command below
Terminal commands
- if your sdcard is seen like "/dev/sdb1"
in terminal apply this command:
Code:
sudo dd bs=4M if=mmcblk0.img of=/dev/sdb status=progress oflag=sync
- if your sdcard is seen like "/dev/mmcblk0p1"
in terminal apply this command:
Code:
sudo dd bs=4M if=mmcblk0.img of=/dev/mmcblk0 status=progress oflag=sync
and the flashing process should start
When it finishes, test the sdcard in the phone and it should boot!
If you get a size error of the sdcard in terminal you have to change the sdcard and try again!
Thanks to @vaserbanix for the original version of this guide
Re-flash Stock Firmware
Once the phone is in bootloader mode you can flash stock firmware via fastboot
Note that in order to flash gpt the firmware MUST be the same or newer than the version currently on your phone
Firmware can be downloaded from here
Once you have firmware that is the same or newer than your current version you can remove the sd card and run these commands (assuming you have fastboot all setup on your pc)
If you get a security downgrade error when you try to flash gpt.bin or bootloader.img then the firmware you are trying to flash is too old!
Code:
fastboot oem fb_mode_set
fastboot flash partition gpt.bin
fastboot flash bootloader bootloader.img
fastboot flash logo logo.bin
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot flash dsp adspso.bin
fastboot flash oem oem.img
fastboot flash system system.img_sparsechunk.0
fastboot flash system system.img_sparsechunk.1
fastboot flash system system.img_sparsechunk.2
fastboot flash system system.img_sparsechunk.3
fastboot flash system system.img_sparsechunk.4
fastboot flash system system.img_sparsechunk.5
fastboot flash system system.img_sparsechunk.6
fastboot flash system system.img_sparsechunk.7
fastboot flash system system.img_sparsechunk.8
fastboot flash modem NON-HLOS.bin
fastboot erase modemst1
fastboot erase modemst2
fastboot flash fsg fsg.mbn
fastboot erase cache
fastboot erase userdata
fastboot oem fb_mode_clear
fastboot reboot
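The dd step in the guide above hinges on writing to the whole card rather than its first partition, and on the card being large enough. The following is an added example, not part of the original guide: the function names and the `--flash` switch are made up here, and refusing to write to a disk with mounted partitions is an extra precaution the guide does not mention.

```shell
#!/bin/sh
# Added example: safety checks around the guide's dd step.
# Function names and the --flash switch are illustrative, not from the guide.

# Map a partition node to its whole-disk node (the guide's "remove the 1"):
#   /dev/sdb1 -> /dev/sdb    /dev/mmcblk0p1 -> /dev/mmcblk0
whole_disk() {
    case "$1" in
        /dev/mmcblk[0-9]*p[0-9]*) printf '%s\n' "$1" | sed 's/p[0-9][0-9]*$//' ;;
        /dev/sd[a-z]*[0-9])       printf '%s\n' "$1" | sed 's/[0-9][0-9]*$//' ;;
        *)                        printf '%s\n' "$1" ;;
    esac
}

# Size in bytes of a block device or a regular file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeeds when the image is no larger than the target (avoids the
# "size error" the guide warns about).
image_fits() {
    [ "$(size_of "$1")" -le "$(size_of "$2")" ]
}

# Compare the first <image size> bytes of the target against the image.
verify_written() {
    n=$(size_of "$1")
    head -c "$n" "$2" | cmp -s - "$1"
}

# Full flow: resolve the disk, refuse obviously wrong targets, write, verify.
flash_card() {
    img=$1
    disk=$(whole_disk "$2")
    [ -b "$disk" ] || { echo "refusing: $disk is not a block device" >&2; return 1; }
    if grep -q "^$disk" /proc/mounts; then
        echo "refusing: $disk has mounted partitions, unmount them first" >&2
        return 1
    fi
    image_fits "$img" "$disk" || { echo "refusing: image is larger than $disk" >&2; return 1; }
    dd bs=4M if="$img" of="$disk" status=progress oflag=sync || return 1
    verify_written "$img" "$disk" || { echo "read-back does not match image" >&2; return 1; }
    echo "wrote and verified $img on $disk"
}

# Only writes when asked explicitly: sudo sh flashcard.sh --flash mmcblk0.img /dev/sdb1
if [ "${1:-}" = "--flash" ]; then
    flash_card "$2" "$3"
fi
```

The read-back right after writing can be served from the page cache; removing and re-inserting the card before running `verify_written` gives a check against what is actually on the card.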
I might consider doing this if you explained what this loader.img is?
Is it something one would flash to recover their G5?
Exanneon said:
I might consider doing this if you explained what this loader.img is?
Is it something one would flash to recover their G5?
Potentially - it's used to boot off the sd card so those with a bricked phone can access the bootloader through booting it off their sd card & then flash the firmware via fastboot
See
https://www.aryk.tech/2017/02/how-to-unbrick-debrick-qualcomm-android.html?m=1
I hope the solution is achieved soon
Here you go:
https://cloud.wdata.de/index.php/s/JK2by8YBQCSrsof
Device Info:
Cedric XT1676 Retail
LineageOS 14.1
TWRP 3.2.1 (32bit)
staffe said:
Here you go:
https://cloud.wdata.de/index.php/s/JK2by8YBQCSrsof
Device Info:
Cedric XT1676 Retail
LineageOS 14.1
TWRP 3.2.1 (32bit)
Thanks for uploading it
Hello, I followed all the steps of the link, using a 16gb card and the file here hung and nothing, the phone does not start.
In my case it is an xt1676 which only turns on the led and blinks when I connect it to the pc by usb or the wall charger.
takoa said:
Hello, I followed all the steps of the link, using a 16gb card and the file here hung and nothing, the phone does not start.
In my case it is an xt1676 which only turns on the led and blinks when I connect it to the pc by usb or the wall charger.
I take it the programme wrote the loader image successfully to sdcard
So either the person who uploaded the Loader.img interrupted the extract & so its corrupted or this phone can't boot off the sd card with this method
It does say it may take a while to boot but who knows
If anyone else can upload a Loader.img using the methods in the first post so there's a comparison please do
Yeah right.
What is strange to me, although maybe it is, is the size of the file hung here, 165 mb.
the 16gb card is formatted in fat32, is it correct?
Does the DiskImageRev2 program automatically create the card to be bootable?
Why install the qualcomm drivers if the phone does not have to be connected to the PC? It is assumed that the phone will boot in bootloader mode and there only need the adb / fastboot controllers.
I do not mind to keep trying since the phone I give for lost at the moment.
Can someone return to the first post with an xt1676?
Thank you.
TheFixItMan said:
I'm trying to work on a solution for guys with a hard bricked moto g5 but as I no longer own this device anymore I need someone to provide the following
Requirements
Rooted moto g5
Busybox installed
Terminal emulator installed
What I need
In terminal emulator type su and grant superuser access
Then type
Code:
dd if=/dev/block/mmcblk0 of=/sdcard/Loader.img bs=1024 count=168960
Wait for the command prompt to return (it may take a few mins)
Post the Loader.img file created on the root of sdcard here
https://drive.google.com/file/d/1H2Qkc1XKbr7Is46n5xdCFlgiuIH1m-vE/view
Device : XT1677
takoa said:
Yeah right.
What is strange to me, although maybe it is, is the size of the file hung here, 165 mb.
the 16gb card is formatted in fat32, is it correct?
Does the DiskImageRev2 program automatically create the card to be bootable?
Why install the qualcomm drivers if the phone does not have to be connected to the PC? It is assumed that the phone will boot in bootloader mode and there only need the adb / fastboot controllers.
I do not mind to keep trying since the phone I give for lost at the moment.
Can someone return to the first post with an xt1676?
Thank you.
I presume it's needed for some devices who use different methods of flashing stock firmware
Someone else has uploaded an image file so you can try that one from a xt1677
Yes formatted fat32 - you should just have to select the drive the sdcard card is assigned to on your pc in the program eg f: and then select image file & then write - and accept the warning
It should make it bootable
I've no idea if this method will work with this device
then it does not work in this model or the file posted here is wrong. Because I have done it as here is exposed and nothing.
I'm going to try the one from xt1677
TheFixItMan said:
So either the person who uploaded the Loader.img interrupted the extract & so its corrupted or this phone can't boot off the sd card with this method
It does say it may take a while to boot but who knows
Hmm, there haven't been any error messages on my side. I pulled the image again with above dd-command. I also tried with adb shell instead of terminal emulator but it's always the same file with the exact same file size.
staffe said:
Hmm, there haven't been any error messages on my side. I pulled the image again with above dd-command. I also tried with adb shell instead of terminal emulator but it's always the same file with the exact same file size.
I assume the file is correct - it's probably more the case of this phone doesn't support this method
If I get my hands on this device again in the future I can properly test things but at the moment all I can do is throw out ideas for people to try
Think I'll leave it now as without the device there's not a lot I can do
nothing, it does not work. it does not start :crying:
As I said, only the LED flashes when connected by USB or charger.
I recommend using rufus for flashing it to the sd card, it has never failed me yet, and supports up to 16gb.
Edit: I have the XT1675, if anyone would find it useful for me to post this variant's bootloader then I'd be happy to do so.
Edit again: Isn't dd used for writing an image to flash storage for later booting rather than extracting it?
takoa said:
nothing, it does not work. it does not start :crying:
As I said, only the LED flashes when connected by USB or charger.
It seems some Qualcomm devices need a full mmcblk0 dump to be able to boot from sdcard (e.g. LG G5)¹. I don't know if that's the case for our device but you can give it a try:
Loader_XT1676.zip Uncompressed filesize: ~4GB
¹ "The Loader method requires a full ROM Dump also known as a full blk0 backup of a working LG G5 H850 correctly flashed or written on a pretty good and fast class 10 SD Card."
Source: https://www.aryk.tech/2018/03/lg-g5-h850-unbrick-solutions.html
Exanneon said:
Edit again: Isn't dd used for writing an image to flash storage for later booting rather than extracting it?
dd basically clones/copies the source-data block by block to another disk, partition or (img-)file.
staffe said:
It seems some Qualcomm devices need a full mmcblk0 dump to be able to boot from sdcard (e.g. LG G5)¹. I don't know if that's the case for our device but you can give it a try:
Loader_XT1676.zip Uncompressed filesize: ~4GB
¹ "The Loader method requires a full ROM Dump also known as a full blk0 backup of a working LG G5 H850 correctly flashed or written on a pretty good and fast class 10 SD Card."
Source: https://www.aryk.tech/2018/03/lg-g5-h850-unbrick-solutions.html
dd basically clones/copies the source-data block by block to another disk, partition or (img-)file.
Thanks for the info - if someone can try this full Loader.img & let me know if it works I'll write up a guide
I've added the guide to the first post if people want to test
Like I've said before I no longer own this device - I have not tested this & it may not work
Feel free to add potential solutions to help those with bricked devices

Some luv for moto e 1st gen (xt830c)

I kinda doubt too many folks are still using a first gen moto e (xt830c..), however if you
are here's a little - albeit late - love from the cactus patch! I had one of these given to
me a week or so ago, so I set out to root it and what not. Welps, root'in wasn't tootin since
BL couldn't be unlocked.. Until I stumbled upon the Aleph Security initroot path to gaining adb
shell root via command line injection exploit. Woot! So I set out to do this, and succeeded after
a little head banging. Here's how it works:
Boot phone into fastboot mode (volume down + power)
fastboot flash a malicious image to a non-existent partition
set a utag variable via fastboot oem config command
resume booting.
The utag variable set is actually the memory location aboot will find the malicious payload
at in the form of a ramdisk init string. This string is added to the command line, forcing aboot
to populate the filesystem with the malicious ramdisk contents. This allows you to replace init with an edited copy that sets selinux to permissive, and replaces adbd with a hacked copy.
I decided to take things one step further, and modified this to load TWRP. And hey, it werx gr8!
Anyhow, usage has been beaver-proofed. Extract the motoinit.zip to a folder. Put your phone into fastboot mode, then run init-root.cmd to load the payload for root adb shell, or run init-twrp.cmd to boot into TWRP recovery. These exploits aren't (currently...) persistent, so they would need ran each time you wanted into TWRP or wanted a shell root session. Also, once you are done you'll need to drop back to fastboot mode again and run init-fixbootloop.cmd. This will unset the UTAG variable and allow you to boot normally.
I have an XT830C too. TWRP worked for me and boots, but problem is I get the line "INFOPermission denied" after the flash on both init-xxxx.cmd files on the command prompt, even if I ran it as administrator. Rooting still doesn't work for me. Wish someone found a way to decipher the bootloader unlock code.
