[GUIDE] UnBrick your OnePlus X on a Linux machine - OnePlus X General

DISCLAIMER: This guide describes procedures with tools that are designed to write directly to the storage of your device. This has the potential to lead to data loss or bricking your device. If you follow this guide carefully, none of these things should happen. That being said, you are still responsible for your own actions and how you handle the tools mentioned in this guide. Caution is advised.
When do I need this?
The following procedure can be used to get your device back into a booting state if all else fails. Usually you'd want to use this tool to get a working recovery running on your device and then go from there. If your bootloader is locked you can use this tool to flash the stock recovery again and unlock the bootloader as usual.
If that is not sufficient, you can also reflash all of firmware, bootloader and stock recovery.
This guide is not needed if:
- The device still boots into stock recovery or TWRP
Flashing the official OxygenOS can fix many issues and you can unlock your bootloader as needed.
- The bootloader is unlocked. Use fastboot flash recovery <twrp image>
Check it with fastboot oem device-info
Use TWRP v3.0.2-0 with the OxygenOS 2 bootloader and the latest TWRP with the OxygenOS 3 bootloader.
- The ROM still boots and is rooted. Flash a stock recovery in a root shell:
adb root && adb shell
dd of=/dev/block/platform/msm_sdcc.1/by-name/recovery if=/sdcard/OxygenOS_recovery.img
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
On custom ROMs, you can usually enable root access for ADB in developer settings, even if you didn't root them yourself.
If any link is dead, search for it on https://web.archive.org
Spoiler: Verify downloaded files
The OxygenOS recovery links download from OnePlus's official Amazon cloud storage. To verify, compare with the OxygenOS download link from the official page. OnePlus no longer links to these files and provides no checksums, so you can use these to verify your download:
Code:
de38f20e72da38d48899f14d022cc1b1cd6bff0f4a506adb7bcf0153e73b1934 OPX_recovery.img
2810feb0d87686ea0529d8718600fdf3181cf0c93f0b9e29e5f13004af0e2d84 OPX_MM_recovery.img
e2fb0f0fef7d644cf3e6c1c0699381074fd4a83f64be319b75b9942443a95c90 OnePlusXOxygen_14_OTA_019_all_201611071506_03f73e21449d4d31.zip
fd58d703cf677dc5148ab5dd0f4af6c3df13faeb51166719e17aa192a86a6c0a OPX_UnBrick_Mini_By_Naman_Bhalla.zip
Don't continue unless you actually checked if your bootloader is still unlocked. Sometimes it is re-locked by accident if some things go wrong.
Recovery and ROM only boot with a compatible bootloader. If you're not sure, try one then the other.
There are two major versions of the OnePlus X bootloader, one from OxygenOS 2 (Lollipop) and one from OxygenOS 3 (Marshmallow), released ca. September 2016, all newer ROMs should be compatible.
Trying to boot into a ROM or recovery that is incompatible with the installed bootloader will get you stuck on the bootlogo screen. On the OxygenOS 2 bootloader the "Powered by Android" part will disappear.
A locked OxygenOS 2 bootloader will boot any compatible software.
A locked OxygenOS 3 bootloader will only boot software signed by OnePlus. When trying to boot an unsigned ROM or recovery the device will vibrate, splash the bootlogo for a second and reboot, resulting in an endless loop.
If all else fails: Flashing through EDL​
You may know the legendary Mega Unbrick Guide for A Hard Bricked OnePlus X by Naman Bhalla but it only works on Windows.
It uses EDL, a hidden Qualcomm interface that allows direct read/write access to the device's flash storage to restore firmware, bootloader and stock recovery.
EDL is a powerful tool. A device in EDL mode will follow all instructions given to it without checking whether it would be a good idea to do so. If the instructions tell your device to overwrite userdata, IMEI or MAC address it will do so. Only flash files that are meant for your device. Don't edit any file unless you know what it does.
Preparation:
You need to be at least somewhat familiar with the command line to do this.
- Install git from your distribution
- Download and compile the open source flashing tool QDL. Follow the section "Get the Linux flashing tool" from these instructions.
- Temporarily add QDL to your $PATH with export PATH="$(pwd):$PATH"
QDL must be able to communicate with your device. You can install the appropriate udev rules right now or try it without them first.
- Open a text editor sudo nano /etc/udev/rules.d/51-edl.rules
- Copy these rules and paste them. Ctrl+S to save, Ctrl+X to exit
- The rules should apply the next time you connect your device
- If flashing does not work check the file contents: cat /etc/udev/rules.d/51-edl.rules
- If you can't read the file: sudo chmod a+r /etc/udev/rules.d/51-edl.rules
- If the new rules still don't load for some reason: sudo udevadm control --reload
- Download the "UnBrick tool mini" as uploaded by Naman Bhalla. (direct link)
- Create a clean working directory and extract the zip file.
Customize what to flash:
By default, the UnBrick tool mini will flash OxygenOS 2 bootloader, firmware and stock recovery. From there you can flash the latest OxygenOS and unlock your bootloader again for a clean start.
Flashing OxygenOS will always install a compatible bootloader and firmware and OxygenOS will automatically upgrade the recovery during the boot process.
If this is what you want just skip to the next step.
The UnBrick tool will flash config.bin and persist.img and reset these partitions.
Resetting config will re-lock the bootloader.
Resetting persist will require it to be repopulated again. OxygenOS can do this but most Custom ROMs will have broken sensors.
If you don't want to flash certain files, rename them or move them to another directory.
If you only want to flash certain partitions like the recovery, create a new directory, e.g. flash_recovery-only. Download the recovery version you need:
OxygenOS 2 Lollipop recovery - OxygenOS 3 Marshmallow recovery
Copy it to the new directory and rename it to recovery.img to match the filename the UnBrick tool uses.
Additionally, copy these files from the UnBrick tool:
gpt_main0.bin
gpt_backup0.bin
patch0.xml
prog_emmc_firehose_8974.mbn
rawprogram0.xml
Main procedure:​
cd to the directory with the files from the UnBrick tool. Go to your custom directory if you created one in the previous step.
Run qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml
QDL will wait for your device to connect.
If QDL asks for permissions go back to "Preparation" and install the udev rules.
With the OnePlus X powered off hold VolUp and connect it to the PC. Otherwise, connect it to the PC first and hold Power+VolUp until it connects in EDL mode.
To verify the connection you can check lsusb or sudo dmesg -w
Devices in EDL mode show up with idVendor=05c6 and idProduct=9008, usually as Product: QHSUSB__BULK
lsusb example: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
To filter the output: lsusb -d 05c6:9008
QDL should print several lines of output, reporting what is flashed etc.
Once it's done, QDL will kick your device out of EDL mode. If everything is alright your phone should vibrate and boot to the charging screen. You should be able to boot to recovery now.
Congratulations on unbricking your device on a Linux machine, enjoy.
Changelog:
2019-12-12 - Original post
??? - undocumented edits
2020-05-24 - Fix possible execution of QDL without patch0.xml which would break the partition table
2022-09-05 - Fix unnecessarily confusing instructions
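Added example, not part of the original post, QDL or the UnBrick tool: a pre-flight check for the working directory from "Customize what to flash", run before qdl, that verifies a download against a checksum and lists which files rawprogram0.xml would write, flagging config.bin and persist.img. The function names and the sample rawprogram0.xml (labels and attribute layout) are constructed for illustration; treating files absent from the directory as skipped follows the guide's own advice to rename or move them.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for an EDL flash directory.
# Not part of QDL or the UnBrick tool; the sample data below is constructed.

# SHA-256 of the UnBrick tool zip, as listed in the guide above.
UNBRICK_ZIP_SHA256=fd58d703cf677dc5148ab5dd0f4af6c3df13faeb51166719e17aa192a86a6c0a

# Print the SHA-256 of a file (falls back to shasum where sha256sum is absent).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeeds only if the digest matches.
# Usage: verify_sha256 OPX_UnBrick_Mini_By_Naman_Bhalla.zip "$UNBRICK_ZIP_SHA256"
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Print "label filename" for every <program> entry that names a file.
list_programs() {
    awk '/<program/ {
        label = ""; file = ""
        if (match($0, /[ \t]label="[^"]*"/))    label = substr($0, RSTART + 8, RLENGTH - 9)
        if (match($0, /[ \t]filename="[^"]*"/)) file  = substr($0, RSTART + 11, RLENGTH - 12)
        if (label == "") label = "-"
        if (file != "") print label, file
    }' "$1"
}

# Report what a qdl run in directory $1 would do. Always returns 0.
preflight_report() {
    dir=$1
    # The guide's changelog notes that running QDL without patch0.xml
    # breaks the partition table, so all three files are required.
    for f in prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml; do
        if [ -f "$dir/$f" ]; then echo "OK    $f"; else echo "FAIL  $f is missing"; fi
    done
    if [ ! -f "$dir/rawprogram0.xml" ]; then return 0; fi
    list_programs "$dir/rawprogram0.xml" | while read -r label file; do
        if [ ! -f "$dir/$file" ]; then
            echo "SKIP  $label $file (not in directory)"
        else
            case "$file" in
                config.bin)  echo "WARN  $label $file (resets config: re-locks the bootloader)" ;;
                persist.img) echo "WARN  $label $file (resets persist: must be repopulated)" ;;
                *)           echo "WRITE $label $file" ;;
            esac
        fi
    done
    return 0
}

# Print the report; fail if a required file is missing.
preflight() {
    report=$(preflight_report "$1")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^FAIL'; then return 1; fi
    return 0
}

# Build a constructed recovery-only directory for demonstration.
make_sample_dir() {
    tmp=$(mktemp -d)
    cat > "$tmp/rawprogram0.xml" <<'EOF'
<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" filename="config.bin" label="config" start_sector="1609554" />
  <program SECTOR_SIZE_IN_BYTES="512" filename="recovery.img" label="recovery" start_sector="1409024" />
  <program SECTOR_SIZE_IN_BYTES="512" filename="persist.img" label="persist" start_sector="294912" />
  <program SECTOR_SIZE_IN_BYTES="512" filename="" label="userdata" />
</data>
EOF
    : > "$tmp/patch0.xml"
    : > "$tmp/prog_emmc_firehose_8974.mbn"
    printf 'abc' > "$tmp/recovery.img"   # placeholder content, not a real image
    echo "$tmp"
}

demo=$(make_sample_dir)
preflight "$demo" || echo "pre-flight failed: do not run qdl"
rm -rf "$demo"
```

In the constructed directory only recovery.img is present, so config and persist show up as SKIP and the recovery entry as WRITE.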

Thanks

I have a new TWRP on my OPX, but I don't really know what to change in the rawprogram0.xml file.

emilianoheyns said:
I have a new TWRP on my OPX, but I don't really know what to change in the rawprogram0.xml file.
I'm not sure if I correctly understood your situation so I am going to assume the following:
- You are running a Linux based operating system on your desktop computer
- You have downloaded all necessary files as mentioned in the guide and successfully compiled qdl
- You want to use modern (newer than 2016) ROMs and the current OnePlus firmware and bootloader, i.e. from OxygenOS 3.1.4
- On your OnePlus X, you have "the old bootloader" installed, that is firmware prior to OxygenOS 3 (based on Marshmallow), i.e. firmware from OxygenOS 2.2.1 or similar
- Additionally, you accidentally flashed TWRP version 3.0.2-1 or newer to your OnePlus X and rebooted into a soft-bricked state
If these assumptions are correct, I suggest as the easiest solution to reflash a compatible TWRP and update your firmware using that version of TWRP. If you can use your recovery, it is almost always the easiest method to make any remaining modifications in the recovery.
The procedure is as follows:
- From https://dl.twrp.me/onyx/, download TWRP version 3.0.2-0 and 3.3.1-0
- Reflash an old version of TWRP that is compatible, i.e. anything version 3.0.2-0 and below.
Once you flashed TWRP in one way or another, continue with the following steps to update your bootloader:
- Reboot to that version of TWRP to see if you succeeded
- In TWRP, install either one of the following to update your firmware:
- The official OxygenOS 3.1.4 zip downloaded from OnePlus via https://www.oneplus.com/support/softwareupgrade
- Only the firmware by following this guide: https://forum.xda-developers.com/oneplus-x/general/guide-update-bootloader-firmware-to-t347891766
- Copy to your device: twrp-3.3.1-0-onyx.img and the installation zip you chose in the previous step
- Flash the zip in TWRP. Once TWRP is done flashing, immediately flash a version of TWRP 3.0.2-1 or later to recovery
- In TWRP, choose Reboot > Recovery. If your OnePlus X reboots to TWRP, everything went well and you can go on to flash ROMs and anything else like you're used to. Just note that very old ROMs (like from 2016 and before) will no longer boot on your device, but you can revert your firmware by flashing the following zip: https://forum.xda-developers.com/oneplus-x/general/zip-recovery-flashable-firmware-radio-t3381420
Just remember that immediately after flashing this zip in TWRP, you have to flash TWRP version 3.0.2-0 or older again.
Now, there are some different cases that affect how TWRP initially needs to be flashed:
1. Your OnePlus X bootloader is not locked
(tested by running "fastboot oem device-info" on your desktop while your phone is connected in fastboot mode)
If your bootloader is still unlocked you can avoid the hassle of using qdl and simply resort to "fastboot flash recovery <recovery image file>" to fix your device.
2. Your ROM still boots and that ROM is rooted.
In this situation you can still avoid going through the hassle of using qdl.
All you need to do is to get a root shell running. There are several ways to achieve this:
- In a Terminal Emulator on the device run the command "su"
- On a desktop with your phone connected with adb enabled:
- Run either "adb root" and then "adb shell"
- Or run "adb shell" and within that shell, run "su"
Once you got the shell running you can flash your recovery with
"dd of=/dev/block/bootdevice/by-name/recovery if=/sdcard/twrp-3.0.2-0-onyx.img"
To get the image to your device if downloaded on your desktop you can use "adb push twrp-3.0.2-0-onyx.img /sdcard/"
3. Your ROM does not boot or is not rooted.
This is the case where you absolutely need qdl and the situation I assume you are in.
Once you downloaded and unpacked the package from Naman Bhalla, you should see a directory containing the rawprogram0.xml and prog_emmc_firehose_8974.mbn files and a lot of others. You can take just the rawprogram0.xml and the prog_emmc_firehose_8974.mbn file and copy them to your working directory for the next steps.
Now, open rawprogram0.xml in a text editor. Search for the string "recovery". You will see a line starting with "<program" and ending in "/>". In your case, only the line containing " label="recovery" " and " filename="recovery.img" " is relevant. Remove all other lines starting with "<program" and save. Optionally, rename the file to "program-onyx-recovery.xml" or something you will recognize. This might be useful if you plan to keep the file and use it again in the future.
Now, optionally change filename="recovery.img" to the file name of your TWRP file or just rename your downloaded TWRP file to "recovery.img".
To flash, make sure that the following files are in your working directory:
- prog_emmc_firehose_8974.mbn
- rawprogram0.xml (but your customized version)
- recovery.img (whatever recovery you want to flash)
If that is settled, run qdl as explained in my initial guide in the original post to flash the recovery file.
Edit 2022-09-04: This whole paragraph only applies to the OxygenOS 2 bootloader. A locked OxygenOS 3 bootloader will only boot a signed ROM or a signed recovery. However, the device storage can always be dumped through EDL and the final point about encryption always applies.
Some final remarks on locked bootloader on the OnePlus X:
For the future, remember to just keep your bootloader unlocked. It can save you a lot of hassle.
And if you feel uncomfortable about walking around with an unlocked bootloader:
Re-locking the bootloader while TWRP is installed doesn't give any security benefit at all (for obvious reasons). Even if your recovery would not be open to any local attacker, a locked bootloader doesn't give you much of a benefit on the OnePlus X.
Yes, the generic attack surface of simply using "fastboot flash" is gone, but remember how easy it is to find the UnBrick tool for the OnePlus X we used in this guide. Any attacker can use it as well to flash a malicious recovery onto your device, even if your bootloader is locked - and your OnePlus will boot it.
This is because the OnePlus X does not support Android Verified Boot. This is a security feature on newer Android devices that prevents booting unsigned software if the bootloader is locked. This can prevent flashing malicious firmware, OS or recovery onto a device. But since it also prevents booting TWRP you'd likely be walking around with an unlocked bootloader anyway even if your device were to support this security feature.
Funnily enough, this leads to the conclusion that running your OnePlus X with stock OxygenOS, Recovery and locked bootloader is about as insecure as running TWRP and having an unlocked bootloader if we are talking about an attacker with physical access to the device who also knows about this tool. And since such a tool exists for pretty much every android device as it is originally used to flash these devices in their factories and can be publicly found for most devices, it can be assumed that any attacker has access to this tool.
So remember, the only protection you can have on a OnePlus X is encrypting your data with a strong passcode and hoping that your data stays private even if you might lose your device.

I have no problems with having an unlocked bootloader -- I thought this device had one already. Yesterday it was running TWRP3.0.2-1 and LOS Marshmallow, I just screwed it up trying to upgrade it to an unofficial LOS16. It would first bootloop constantly, then I tried QDL, and now it doesn't even seem to turn on; I can hold the power button for a full minute but the screen remains black, and there's no vibration as I'm used to. It does show up in QDL mode; I tried the procedure as per point 3, using twrp-3.0.2-1 as the recovery image. QDL says:
Code:
HELLO version: 0x2 compatible: 0x1 max_len: 1024 mode: 0
READ image: 13 offset: 0x0 length: 0x50
READ image: 13 offset: 0x50 length: 0x1000
READ image: 13 offset: 0x1050 length: 0x1000
READ image: 13 offset: 0x2050 length: 0x1000
READ image: 13 offset: 0x3050 length: 0x1000
READ image: 13 offset: 0x4050 length: 0x1000
READ image: 13 offset: 0x5050 length: 0x1000
READ image: 13 offset: 0x6050 length: 0x1000
READ image: 13 offset: 0x7050 length: 0x1000
READ image: 13 offset: 0x8050 length: 0x1000
READ image: 13 offset: 0x9050 length: 0x1000
READ image: 13 offset: 0xa050 length: 0x1000
READ image: 13 offset: 0xb050 length: 0x1000
READ image: 13 offset: 0xc050 length: 0x1000
READ image: 13 offset: 0xd050 length: 0x1000
READ image: 13 offset: 0xe050 length: 0x1000
READ image: 13 offset: 0xf050 length: 0x1000
READ image: 13 offset: 0x10050 length: 0x1000
READ image: 13 offset: 0x11050 length: 0x1000
READ image: 13 offset: 0x12050 length: 0x1000
READ image: 13 offset: 0x13050 length: 0x1000
READ image: 13 offset: 0x14050 length: 0x890
END OF IMAGE image: 13 status: 0
DONE status: 0
qdl: failed to read: Connection timed out
LOG: Host's payload to target size is too large
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: [email protected] [email protected]
LOG: start 1409024, num 31680
LOG: Finished sector address 1440704
[PROGRAM] flashed "recovery" successfully at 3960kB/s
no boot partition found
but the OPX still won't boot.

Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and installing custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fastboot Mode" will be displayed in the middle of the screen along with the OnePlus logo.
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
What do you mean by "bootloop constantly"? Could you not boot the recovery?
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
If you really had TWRP 3.0.2-1 running before all your problems started, then doing so initially soft-bricked your device to begin with, as I outlined in footnote [1] of my original post.
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
4. Run QDL with the unmodified files from the UnBrick tool that is linked in my original post
5. Phone does not react to button presses except when putting into EDL mode
6. Run QDL with recovery only as described in Point 3 of my follow up post, with the image file of TWRP version 3.0.2-1, QDL reported success
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Does the phone vibrate and bring up the OnePlus logo?]

I've followed the mentioned steps and I'm still stuck on Linux logo..
I desperately need help, bought a bricked second hand OnePlus X which I know nothing of in terms of past actions but previous owner

BolitaBolita said:
I've followed the mentioned steps and I'm still stuck on Linux logo..
I desperately need help, bought a bricked second hand OnePlus X which I know nothing of in terms of past actions but previous owner
If you did not modify any files from the unbrick tool by Naman Bhalla and qdl ran through successfully, it should have flashed a compatible combination of bootloader and stock recovery so you should be able to reboot to that one.
If this is not the case, you can also go with flashing just a TWRP image. Since there are really just two possible versions of the bootloader (at least in regards to booting compatibility) this should succeed after the second try at most. If not, it means that some other stuff might be broken as well.
As I wrote in my OP, for the OnePlus X any TWRP v3.0.2-0 or older is compatible with the "old bootloader" (Lollipop) and any TWRP v3.0.2-1 or newer is compatible with the "new bootloader" (Marshmallow).
What you basically want to achieve is to just get any recovery booting (be it Stock, TWRP, orangefox or any other useful recovery). From that point, it is fairly easy to get anywhere else on the OnePlus X.
As for other things that can break:
Most of the partitions in your device can be restored to an intact state by flashing an official OxygenOS zip (https://www.oneplus.com/support/softwareupgrade). There are some other ways but this is the safe and easy method.
Only a few partitions cannot be restored once tampered, since they are unique to the specific device. If this happens to be the case, then it can be fairly hard to fix. If the previous owner had unlocked the device's bootloader and flashed some stuff on it, you should ask them whether they might have some TWRP backups around, namely of the partitions "Persist" and "EFS".

SebiderSushi said:
If you did not modify any files from the unbrick tool by Naman Bhalla and qdl ran through successfully, it should have flashed a compatible combination of bootloader and stock recovery so you should be able to reboot to that one.
If this is not the case, you can also go with flashing just a TWRP image. Since there are really just two possible versions of the bootloader (at least in regards to booting compatibility) this should succeed after the second try at most. If not, it means that some other stuff might be broken as well.
As I wrote in my OP, for the OnePlus X any TWRP v3.0.2-0 or older is compatible with the "old bootloader" (Lollipop) and any TWRP v3.0.2-1 or newer is compatible with the "new bootloader" (Marshmallow).
What you basically want to achieve is to just get any recovery booting (be it Stock, TWRP, orangefox or any other useful recovery). From that point, it is fairly easy to get anywhere else on the OnePlus X.
As for other things that can break:
Most of the partitions in your device can be restored to an intact state by flashing an official OxygenOS zip (https://www.oneplus.com/support/softwareupgrade). There are some other ways but this is the safe and easy method.
Only a few partitions cannot be restored once tampered, since they are unique to the specific device. If this happens to be the case, then it can be fairly hard to fix. If the previous owner had unlocked the device's bootloader and flashed some stuff on it, you should ask them whether they might have some TWRP backups around, namely of the partitions "Persist" and "EFS".
Thank you for your reply SebiderSushi.
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
I've managed to unlock the bootloader and tried to flash the official OxygenOS zip. The update stopped halfway and the phone bricked once again.
I've tried the Naman Bhalla unbrick tool with the MSMdownloadtool 2.1 (previously attempted 2.0). The process runs successfully, until it's marked in green 'download complete'. Phone still bricked.
I'm currently attempting with QFIL through this thread https://www.droidsavvy.com/unbrick-qualcomm-mobiles/
Drivers correctly installed, port 9008 is detected and QFIL is currently. I'm using the files from the unbrick tool by Naman Bhalla for this. The output is the following:
Process Index:0
Programmer Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
Image Search Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla
Please select the XML file
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:0
Start Sending Programmer
Download Fail:System.Exception: Unable to download Flash Programmer using Sahara Protocol
at QC.QMSLPhone.Phone.QPHONEMS_SaharaArmPrgDownload(String sFileName)
at QC.SwDownloadDLL.SwDownload.QPHONEMSSaharaDownloadArmPrg(UInt64& version, String armPrgPath)
Download Fail:Sahara FailSahara Fail
Finish Download
Start Download
Program Path:C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\prog_emmc_firehose_8974.mbn
COM Port number:3
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Ack Raw Data:False
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:3
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
Request payload size 0xc000 is not the same as support payload size, change to 0x20000
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
Total Bytes To Program 0x62AE4A0
Download Image
PROGRAM: Partition 0, Sector: 0, Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_backup0.bin
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\gpt_main0.bin
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: 1609554, Length: 1024 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
PROGRAM: Written Bytes 0x80000 (64)
Program Size: 0.50 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x254
PROGRAM: Partition 0, Sector: 1460242, Length: 596 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\logo.bin
PROGRAM: Written Bytes 0x4a800 (64)
Program Size: 0.29 MB
PROGRAM: Replace the partition sectors number 0x8000 to file size in sector 0x74f0
PROGRAM: Partition 0, Sector: 1409024, Length: 29936 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\recovery.img
PROGRAM: Written Bytes 0xe9e000 (64)
Program Size: 14.62 MB
PROGRAM: Replace the partition sectors number 0x10000 to file size in sector 0x26a3
PROGRAM: Partition 0, Sector: 294912, Length: 9891 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\persist.img
PROGRAM: Written Bytes 0x4d4600 (64)
Program Size: 4.83 MB
PROGRAM: Partition 0, Sector: 259048, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\static_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Partition 0, Sector: 238568, Length: 20480 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\dynamic_nvbk.bin
PROGRAM: Written Bytes 0xa00000 (64)
Program Size: 10.00 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x28d
PROGRAM: Partition 0, Sector: 229376, Length: 653 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\tz.mbn
PROGRAM: Written Bytes 0x51a00 (64)
Program Size: 0.32 MB
PROGRAM: Replace the partition sectors number 0x3e8 to file size in sector 0x174
PROGRAM: Partition 0, Sector: 182272, Length: 372 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\rpm.mbn
PROGRAM: Written Bytes 0x2e800 (64)
Program Size: 0.18 MB
PROGRAM: Replace the partition sectors number 0x800 to file size in sector 0x380
PROGRAM: Partition 0, Sector: 180224, Length: 896 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\emmc_appsboot.mbn
PROGRAM: Written Bytes 0x70000 (64)
Program Size: 0.44 MB
PROGRAM: Replace the partition sectors number 0x40 to file size in sector 0x17
PROGRAM: Partition 0, Sector: 148480, Length: 23 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sdi.mbn
PROGRAM: Written Bytes 0x2e00 (64)
Program Size: 0.01 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x22d
PROGRAM: Partition 0, Sector: 147456, Length: 557 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\sbl1.mbn
PROGRAM: Written Bytes 0x45a00 (64)
Program Size: 0.27 MB
PROGRAM: Replace the partition sectors number 0x20000 to file size in sector 0x1c983
PROGRAM: Partition 0, Sector: 16384, Length: 117123 Sectors, Sector Size: 512 Bytes
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\NON-HLOS.bin
PROGRAM: Written Bytes 0x3930600 (64)
Program Size: 57.19 MB
Total Size: 98.68 MB
Total Size: 28 Seconds
Throughput: 3.52 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 0, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 0, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
PATCH: Partition 0, Sector: 0, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 0, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
Total download file size: 98.68066MB
Throughput: 3.524309M/s
Reset Phone
Waiting for reset done...
Download Fail:FireHose Fail Fail to find QDLoader port after switch
Finish Download

BolitaBolita said:
The only option I have in terms of recovery booting is the Oneplus original one since I bought the phone bricked (can't access dev options and can't connect through ADB for oem unlock).
Now what exactly do you even mean when you say "Bricked"?
If you can boot into recovery, then your device is usually not bricked, but even if, it is usually not in a state where using a flashing tool and risking to **** up the device for good has any real advantage over solving whatever problem in the recovery.
As long as your device doesn't have any hardware errors (broken storage) then the official OnePlus Recovery should almost always be able to install the official OxygenOS.
Under what terms did you even buy this device? How did the previous owner describe the state of the device and its defects if they mentioned them?
BolitaBolita said:
File: C:\Users\simao\Desktop\AAA\OPX_UnBrick_Mini_By_Naman_Bhalla\config.bin
You are using windows, so how did you even end up in this thread?

Sorry for the delay -- I thought I had set up notifications and didn't want to push on the point until you had time, but I did not receive a notification for this.
SebiderSushi said:
Is your bootloader actually unlocked?
The OnePlus X ships with a locked bootloader that prevents flashing files to the device using fastboot.
The usual steps to modify the OnePlus X and installing custom ROMs are:
- Unlock the bootloader by running "fastboot oem unlock" on a desktop PC while the phone is connected in fastboot mode.
- Flash TWRP by running "fastboot flash recovery TWRP.img" on a desktop PC while the phone is connected in fastboot mode.
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
SebiderSushi said:
Pressing the volume up button while turning on the device normally puts it into fastboot mode and "Fastboot Mode" will be displayed in the middle of the screen along with the oneplus logo.
Broadly, that is what I had done before, but right now I don't even get the fastboot logo.
SebiderSushi said:
Unlocking only works with the original OnePlus recovery and if the option "Allow OEM unlocking" is checked in the developer settings. Unlocking requires wiping all userdata.
Right, but I had passed that station before, as it was running LOS.
SebiderSushi said:
Did you never do this yourself with your OnePlus X? Did you get this device as a used phone from someone else who already unlocked the bootloader?
No, I did all this myself, but screwed up the update to a non-official LOS.
SebiderSushi said:
What do you mean by "bootloop constantly"? Could you not boot the recovery?
I could not, no, but now I'm not even getting the fastboot logo.
SebiderSushi said:
Are you saying you already ran QDL with the unmodified files from the UnBrick tool?
Correct, yes.
SebiderSushi said:
I am not sure of the precise timeline and order of your descriptions. I currently assume that you're saying:
1. Had a working device with ROM: "LineageOS 13.0" Recovery: "TWRP version 3.0.2-1" Firmware: Unknown
2. Flashed some "lineage-16.0-unofficial.zip" in TWRP
3. When rebooting, "bootloops" appeared [How did that look? What was affected - just ROM or recovery as well?]
Initially I could get to recovery, I tried to upgrade to the latest TWRP for the OPX, when I tried to restart that to recovery, it would just vibrate and reboot continuously
SebiderSushi said:
7. Still not booting [What exactly does this mean? Still no reaction to button presses? Does the phone vibrate and bring up the OnePlus logo?]
Currently, the screen stays black, and I can hold volume up or power for 20 seconds with no reaction (no vibrate, no logo)

First off, i'm extremely sorry for my delay! I also happened to notice your message just today.
Right now i got around and tried reproducing your scenario on my own OnePlus X.
As you said that you ran the unmodified setup from the unbrick tool according to my guide, i did as well - and ran into the same issue you were describing.
After some fiddling around, i realized that you must supply the patch0.xml file as well for a complete flash on the OnePlus X when you also modify the GPT (partition table), which the unmodified rawprogram0.xml does. This is not the case if you only install a recovery or other individual partitions so it slipped my mind. I deeply apologize for not testing the command line for the unmodified UnBrick tool package well enough while writing my Guide.
If nothing else is wrong, running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml"
with the unmodified UnBrick tool will fix the device back to a booting state with the stock recovery and Lollipop Bootloader installed on the device; it did so in my case.
Alternatively, if you don't want to reflash all partitions from the package, you can also just try running
"/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn patch0.xml"
Short of any good documentation, i guessed that the problem appeared because the unmodified rawprogram0.xml also writes the GPT table in its last two program elements. If you look in patch0.xml, you can see that it takes care of the GPT in some way. Once i removed the two program items regarding the GPT, rawprogram0.xml could be applied without needing to flash patch0.xml together with it.
So i assume that it is safe to individually flash any partition listed in rawprogram0.xml apart from the GPT. If your GPT is not in a valid state, there's not much booting going on, since your device won't be able to even read your bootloader from the disk without a partition table.
emilianoheyns said:
I had a LineageOS running on the OPX before I screwed up an upgrade of LOS. I had TWRP on the phone. The bootloader must be unlocked then yes?
While this implies that you very likely once had an unlocked bootloader to allow installation of TWRP to your device, it is not necessarily the case. For one, it is possible to re-lock the bootloader on the OnePlus X and still boot and use custom recoveries and software. Only flashing images via fastboot becomes impossible again if you relock the bootloader. This is because the OnePlus X is a fairly old device (remember it came out with android 5.1). Such old devices don't support features like Android Verified Boot yet. This is the standard on modern android devices and it implies that a locked bootloader should only load and boot untampered system partitions as signed by the device vendor.
Edit 2022-09-04: I was wrong about this. This only applies to the OxygenOS 2 bootloader. Trying to boot an unsigned ROM or recovery with an unlocked OxygenOS 3 bootloader causes the exact symptoms that were described; the bootloader repeatedly tries booting in an infinite loop. Probably the LOS flash that went wrong caused the bootloader to re-lock, which is why rebooting to recovery didn't work afterwards as well as booting the ROM.
Also, qdl (or any other software using the Qualcomm Emergency Download Mode) can also install custom Recoveries or ROMs to the devices without unlocking the bootloader and flashing stuff through fastboot.
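
The PATCH lines in the flashing log quoted earlier in this thread write to the standard GPT header offsets (16 header CRC32, 32 backup header LBA, 48 last usable LBA, 88 partition array CRC32) and to a partition entry's last LBA, which fits the guess above about why a flashed GPT needs patch0.xml. The following Python sketch is an added example, not part of the original posts or of qdl: it applies those log lines to a constructed in-memory disk and checks the primary GPT before and after. Assumptions: CRC32(a,b) is read as start sector a and byte length b, the disk layout and partition names are constructed, and the "Sector: 0" lines are left out because the log does not show what they are relative to.

```python
import re
import struct
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, field layout per the UEFI spec
ENTRY_FMT = "<16s16sQQQ72s"      # 128-byte GPT partition entry

# The "Sector: 1" and "Sector: 9" PATCH lines, copied from the log in this thread.
PATCH_LOG = """\
PATCH: Partition 0, Sector: 9, Offset 40 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
"""
PATCH_RE = re.compile(
    r"Sector: (\d+), Offset (\d+) Bytes, Size: (\d+) Bytes, Value: (\S+)")


def build_unpatched_disk(total_sectors):
    """Constructed sample: a primary GPT as it might ship in a flash package,
    with every disk-size-dependent field still a zero placeholder."""
    disk = bytearray(total_sectors * SECTOR)
    disk[SECTOR:SECTOR + 92] = struct.pack(
        HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
        1, 0, 34, 0, b"\x11" * 16, 2, 32, 128, 0)

    def entry(name, first, last):
        return struct.pack(ENTRY_FMT, b"\x22" * 16, b"\x33" * 16,
                           first, last, 0, name.encode("utf-16-le"))

    disk[2 * SECTOR:2 * SECTOR + 128] = entry("recovery", 34, 1023)
    # Entry 28 is the first entry in sector 9; its last LBA sits at offset 40.
    disk[9 * SECTOR:9 * SECTOR + 128] = entry("userdata", 1024, 0)
    return disk


def evaluate(expr, disk, total_sectors):
    """Evaluate one Value: expression from the log against the current disk."""
    expr = expr.rstrip(".")
    m = re.fullmatch(r"NUM_DISK_SECTORS-(\d+)", expr)
    if m:
        return total_sectors - int(m.group(1))
    m = re.fullmatch(r"CRC32\((\d+),(\d+)\)", expr)
    if m:  # assumed meaning: CRC32(start sector, length in bytes)
        start = int(m.group(1)) * SECTOR
        return zlib.crc32(disk[start:start + int(m.group(2))]) & 0xFFFFFFFF
    return int(expr)


def apply_patches(disk, log, total_sectors):
    """Apply the PATCH lines in order; later CRCs cover earlier writes."""
    for sector, offset, size, expr in PATCH_RE.findall(log):
        pos = int(sector) * SECTOR + int(offset)
        value = evaluate(expr, disk, total_sectors)
        disk[pos:pos + int(size)] = value.to_bytes(int(size), "little")
    return disk


def verify_primary_gpt(disk, total_sectors):
    """Return a list of problems; an empty list means the primary GPT is consistent."""
    raw = bytes(disk[SECTOR:SECTOR + 92])
    (sig, _rev, hdr_size, hdr_crc, _res, _my_lba, alt_lba, first_usable,
     last_usable, _guid, entries_lba, n_entries, entry_size,
     array_crc) = struct.unpack(HDR_FMT, raw)
    if sig != b"EFI PART":
        return ["missing GPT signature"]
    problems = []
    zeroed = raw[:16] + b"\0\0\0\0" + raw[20:hdr_size]  # CRC field counts as zero
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hdr_crc:
        problems.append("header CRC32 mismatch")
    start = entries_lba * SECTOR
    array = bytes(disk[start:start + n_entries * entry_size])
    if zlib.crc32(array) & 0xFFFFFFFF != array_crc:
        problems.append("partition array CRC32 mismatch")
    if alt_lba != total_sectors - 1:
        problems.append("backup header LBA does not point at the last sector")
    if not first_usable <= last_usable < total_sectors:
        problems.append("last usable LBA out of range")
    for i in range(n_entries):
        type_guid, _uid, first, last, _attr, name = struct.unpack(
            ENTRY_FMT, array[i * entry_size:(i + 1) * entry_size])
        if type_guid != bytes(16) and not first_usable <= first <= last <= last_usable:
            label = name.decode("utf-16-le").rstrip("\0")
            problems.append(f"partition {i} ({label}) has an invalid LBA range")
    return problems


if __name__ == "__main__":
    total = 4096  # constructed 2 MiB "disk"
    disk = build_unpatched_disk(total)
    print("before patching:", verify_primary_gpt(disk, total))
    apply_patches(disk, PATCH_LOG, total)
    print("after patching: ", verify_primary_gpt(disk, total))
```

Checking the patched image against a different sector count fails again, which shows why the values are computed per device at flash time instead of being stored in the package.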

After that, you can also boot back into fastboot mode and then run
fastboot oem device-info
from your computer to check if your device's bootloader is currently unlocked or not. If it is not, this is a perfect chance to unlock it, since you already got the official recovery installed and probably no user data to take care of anyway.

Hi, thanks for getting back to me. The problem I'm facing currently is that the OPX currently seems unresponsive -- the screen stays black, and no vibration, seemingly regardless of what button combination I use or how long I keep it on the charger. Any idea what key combo is most likely to bring it up in a state that QDL would see it?
I have fetched a fresh copy of OPX_UnBrick_Mini_By_Naman_Bhalla; I'm sorry to have to ask again, but I should then copy over prog_emmc_firehose_8974.mbn, rawprogram0.xml and patch0.xml unchanged, and run `/path/to/qdl_source_code/qdl prog_emmc_firehose_8974.mbn rawprogram0.xml patch0.xml`? I think I'd prefer to get it back to a booting state to then figure out what I can safely flash on it.
---------- Post added at 04:35 PM ---------- Previous post was at 04:30 PM ----------
I should note, if I connect the charger, the red charging light comes on for a second, maybe two, and then goes out again. It does not come back on unless I plug in again, even if I let it charge overnight.

In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
If you want to flash the default configuration of the unbrick tool you must open your terminal window in the folder you extracted from the download (or cd to it). This is because the files that are flashed to the device are in this folder as you can see and they are being referenced with relative paths / their filenames from within "rawprogram0.xml".

SebiderSushi said:
In my case the usual route to enter EDL mode worked fine - that is, disconnect your OnePlus X from any power source for a few seconds, then press and hold the Volume Up button and after a few seconds reconnect it to your PC where you run qdl, then release the button and execute qdl.
Ah well, it must have died somewhere along the way then. When I do that, even after having it on the charger, nothing shows up in dmesg. Thanks in any case!

I wouldn't give up just yet. The actual rule for entering EDL mode on the OnePlus X is:
- The device must be powered off at the beginning
- The Volume Up button must be in pressed state when connecting it to the computer
Edit 2022-09-04: I was wrong about this. It is also possible to hold Power+Vol Up while connected to the PC until the device shows up in dmesg -w
Everything else, like waiting few seconds here and there is mostly safeties to ensure each state is entered or recognized cleanly.
I mostly had my phone running fresh from the last flashing process, which means that qdl had turned it off cleanly for me. So i definitely had good conditions to enter EDL mode.
I don't know what's going on with your notification LED since i didn't notice this on my device or paid any attention to it - but it might indicate that your phone could be in a not cleanly powered off state.
You can still try pressing the power button for a longer time (maybe about 10 to 30 seconds) to see if that switches off your device the right way before you retry entering EDL mode.
Or do any other experiments pressing buttons or try with different cables.
When was the last time you could successfully connect your device in any mode and which mode was it?

The symptoms you described about black screen, no vibrations or any reaction to button presses were also present on my device, so i'd guess this is just normal for the state.

If you get it back to a booting state you should be able to install the official OxygenOS right from the stock recovery, or flash a compatible TWRP image using qdl or fastboot and copy any remaining data that you want to keep.

@SebiderSushi, could you please take a look at >this post< and hint if anything else can be done using edl on linux?

Related

[Q] U8800 Pro bricked

Here is the long version.
My phone a U8800 Pro was running the official B928 version downloaded from Huawei
I wanted to install the latest version Cyanogen 11. That needed me to install the latest version of TWRP which led me to the mistake that I needed to update the bootloader as well.
And then I did another mistake where I installed what is obviously the wrong bootloader from here (http://forum.xda-developers.com/showthread.php?t=1800045) using
Code:
dd if=/tmp/bootloader.bin of=/dev/block/mmcblk0p3
The phone since then just boot cycles continuously and cannot even login to recovery mode.
I attempted to re-install B928 from the SD card but always fails at about 1/4 of the way through with a
Code:
dload_sd_ram_data_proc->(retry >= DLOAD_RETRY) failed!
msg.
Now interestingly if I remove the battery and just use the USB I get an empty pink screen and I can see at least the partitions of the internal drive
Code:
Disk /dev/sdg: 3.7 GiB, 3959422976 bytes, 7733248 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/sdg1 1 524287 262143+ c W95 FAT32 (LBA)
/dev/sdg2 * 524288 525287 500 4d QNX4.x
/dev/sdg3 525288 531287 3000 46 Unknown
/dev/sdg4 531288 7733247 3600980 5 Extended
/dev/sdg5 655360 679935 12288 59 Unknown
/dev/sdg6 786432 1052671 133120 4c Unknown
/dev/sdg7 1179648 1183743 2048 5a Unknown
/dev/sdg8 1310720 1316863 3072 58 Unknown
/dev/sdg9 1441792 1455791 7000 50 OnTrack DM
/dev/sdg10 1572864 1579007 3072 4a Unknown
/dev/sdg11 1703936 1710079 3072 4b Unknown
/dev/sdg12 1835008 2621439 393216 83 Linux
/dev/sdg13 2621440 4456447 917504 83 Linux
/dev/sdg14 4456448 7733247 1638400 69 Unknown
and can mount some of them.
Now where can I find an appropriate bootloader and which partition should I attempt to copy it on .
And secondly if that works out, how do I install TWRP 2.8.0.0 . Using TWRP manager fails which led to this whole mess really.
On /dev/sdg1 I can see a dir called image and it contains
Code:
amss.mbn boot.img cust.img EMMCBOOT.MBN recovery.img
but don't want to touch anything before I know more since I can do more dmg.
Thanks for all the help in advance
Edit: I managed to copy the bootloader from a friend and copy it back on my phone so that problem was solved. It needed to go to the /dev/sdg3 partition if anyone is wondering. Now pink screen seems locked and can't access the internal storage through USB so back to square 1.
Glad you got the problem solved out. When you unlock your bootloader (like I said in here), boot your phone to pink screen and plug it to your computer. You're using linux? If so, there probably is going to be four different devices to be shown, the one which you're interested is the device containing "image" folder, in there replace the recovery.img with appropriate one.

[Q] Bricked, no bootloader - recoverable?

Hi all,
Is there any way to recover my bricked Defy if the bootloader is not running (corrupt eMMC)? RSDLite will detect the phone as "Blank OMAP3630" if the option "TI Blank Flash" is selected, but flashing then fails immediately with "Error sending TI ROM data packet request. Device API Error: 0xE003009F".
Looking at the TI SoC documentation, the OMAP ROM code tries to boot from USB (hence the device is detectable for 3 seconds), so it should be possible to upload the original Motorola bootloader to RAM, execute it, then communicate with the (now running) bootloader to erase the eMMC and reflash it. The first file in the SBF (3.4.2-177UK) is the RAM downloader, which looks like the bootloader itself (it contains the same strings, eg. "OK to program" etc.) Can this be uploaded with only the OMAP ROM code running, or is it impossible to do anything if the eMMC is blank? Alternatively, would it be possible to load the bootloader from the SD card? This is possible on GP (ie. unsecured) OMAP devices.
Some background on the failure:
- MB525, green lens, CM710, running great for 2 years
- Got into a boot loop at the skater animation, for no apparent reason
- Used stock recovery to wipe data/cache (mistake?), didn't complete, battery out/in and booted to lock screen then froze, battery out/in and back into boot loop
- Used CWM recover to wipe data/cache, didn't complete, after a few seconds spontaneously rebooted to black screen, bricked
- Battery is fully charged
- With empty battery and plugged in, the white LED comes on, but in this state the processor is not running as the battery is trickle charged. When the voltage comes up, the OMAP starts, tries to boot over USB (3 seconds) and then hangs
- Various combinations of power/battery/volume up/down make no difference, the bootloader is not running
- I think the eMMC is corrupt (possibly hardware failure?)
Thanks for your help!
Defy boot process
Here's a summary of what I've learnt so far about the Defy boot process, from the many great posts on this forum and various other sites including the droid-developers wiki:
SoC:
- Defy SoC is Texas Instruments OMAP3630, locked by eFuse in HS (high security) mode, JTAG is disabled
- OMAP contains core boot ROM that runs first to start the boot chain
- OMAP contains Motorola 128-bit RSA public key hash programmed in eFuses, used to validate external bootstrap code (mbmloader)
- OMAP supports booting from external memory (MMC, NAND, NOR) and peripheral booting (USB, UART3)
- OMAP boot sequence is set by sys_boot pins, Defy configured boot sequence is 0b00101, ie. MMC2 then USB (only)
Storage:
- External flash is Sandisk SDIN5D2-2G (2GB eMMC, BGA package) connected to OMAP MMC2 interface, mapped as mmcblk1 in linux
- eMMC device is physically located under the metal can between the connectors for SIM card and battery
- eMMC behaves as conventional 512-byte sector hard disk and is partitioned with FAT MBR
- eMMC does not use separate ECC area, unlike the NAND flash used on the Droid, ECC is handled transparently by eMMC device
- SD card is connected to OMAP MMC1 interface, mapped as mmcblk0 in linux
The Defy (stock) power-on reset boot process works as follows:
- OMAP boot ROM code starts
- OMAP reads boot configuration 0b00101 from sys_boot pins
- MMC2 boot is selected
- OMAP reads first eMMC sector (the MBR)
- OMAP finds the first valid partition entry in the MBR
- OMAP reads the first eMMC partition (which is the Defy CG63/mbmloader) as a raw image (not a filesystem)
- OMAP processes the CH table (OMAP clock and SDRAM settings) from the first sector of the image (possibly unsigned)
- OMAP validates the public keys, PPA and ISW stored in the image, using the eFuse key hash
- OMAP copies the ISW (which is MLO, or the actual Motorola mbmloader bootstrap executable) into internal RAM
- mbmloader (if validated) is executed from RAM, otherwise the boot process skips to USB (below)
- mbmloader validates and loads mbm (the Motorola bootloader) from the second eMMC partition
- mbm detects the "volume up" button if pressed to interrupt boot and display the bootloader screen
- mbm displays the boot logo and loads lbl (linux bootloader)
- lbl loads the stock linux (android) kernel (or the stock recovery kernel, if the "volume down" button is pressed)
- linux kernel displays the startup animation
If MMC2 boot fails (no valid MBR/mbmloader):
- USB boot is selected
- USB is initialised (device is now detectable as TI OMAP3630 for 3 seconds)
- OMAP sends ASIC ID
- OMAP waits 300ms for response
- If no response, OMAP halts (infinite loop)
- USB host can send command to change boot device or upload (signed) boot image (unknown format) for execution in RAM
Therefore if the device is trying to boot via USB, it probably means that the eMMC MBR or the first partition (containing mbmloader) is corrupt, or the eMMC is blank. Presumably if the mbm (and mbmbackup?) partition is corrupt, the device will hang with screen off and no USB boot (unless mbmloader can exit to OMAP USB boot), and if lbl or the kernel is corrupt then mbm will stop and display the bootloader screen.
eMMC partition table for Defy (start/end sectors), based on a dump of mmcblk1 from a working Defy, noting respective CGs for SBF:
Code:
Device  Boot  Start    End       Blocks    Id  System    CG  ID              Function
              0        255       128                     64  mbr             FAT MBR
1       *     256      511       128       83  Linux     63  mbmloader       Motorola bootstrap
2             1024     2047      512       83  Linux     30  mbm             Motorola bootloader
3             2048     3071      512       83  Linux     55  mbmbackup
4             3072     31358975  15677952  5   Extended  65  ebr             FAT EBR
5             4096     5119      512       83  Linux     56  bploader
6             5120     6143      512       83  Linux     31  cdt.bin         CG table
7             6144     14335     4096      83  Linux     38  pds
8             14336    15359     512       83  Linux     34  lbl             Linux bootloader
9             15360    16383     512       83  Linux     57  lbl_backup
10            16384    18431     1024      83  Linux     42  logo.bin        mbm startup logo
11            18432    22527     2048      83  Linux     41  sp
12            22528    23551     512       83  Linux     61  devtree
13            23552    24575     512       83  Linux     62  devtree_backup
14            24576    32767     4096      83  Linux     45  bpsw
15            32768    49151     8192      83  Linux     35  boot            Stock android kernel and ramdisk
16            49152    65535     8192      83  Linux     47  recovery        Stock recovery kernel and ramdisk
17            65536    94207     14336     83  Linux     33  cdrom
18            94208    95231     512       83  Linux     44  misc
19            95232    96255     512       83  Linux     43  cid
20            96256    104447    4096      83  Linux     53  kpanic
21            104448   774143    334848    83  Linux     39  system
22            774144   775167    512       83  Linux     32  prek
23            775168   776191    512       83  Linux     46  pkbackup
24            776192   1185791   204800    83  Linux     40  cache
25            1185792  31358975  15086592  83  Linux     37  userdata
My understanding is that if the eMMC is blank, I need to flash an SBF that contains at least the RAM downloader, CG64, CG63, CG30, CG65 and CG31 to reinstate the eMMC partition structure and bootloader. I think RSDLite should be capable of this (with "TI Blank Flash" enabled), unless the flash loader (RAM downloader) somehow depends on some content of the eMMC containing valid data. I don't know if such an SBF exists, and in any case RSDLite so far fails with "Error sending TI ROM data packet request", and I don't know why (tested under XP and Windows 7/8).
Awesome references:
http://forum.xda-developers.com/showthread.php?t=1443678
http://www.droid-developers.org/wiki/Booting_chain
http://www.droid-developers.org/wiki/Mbmloader
http://blog.opticaldelusion.org/search/label/sbf_flash
https://docs.google.com/spreadsheets/d/1jF8LjoS1yiMxn775QDm-cn5kxpoYw_biIC70uf9_ldY/pub?single=true&gid=0&output=html
OMAP Peripheral Boot - booting via USB
I've found out a little more about the OMAP USB peripheral boot mode, as a possible way to unbrick my Defy. The Texas Instruments OMAPFlash command line tool (for Windows) can be used to send executable code to the OMAP3630 (first into internal RAM, and then into SRAM), via the ROM code peripheral boot. This might allow the eMMC to be reflashed without a functioning Motorola bootloader (which is needed by RSDLite).
I think the unbricking process could work as follows:
- The Defy OMAP3630 starts in USB peripheral boot mode (OMAP ROM code - 1st bootstrap), because the eMMC is corrupt/blank
- OMAPFlash uploads a signed USB bootloader executable (2nd bootstrap) to internal RAM, via the OMAP ROM code
- Defy validates the uploaded 2nd bootstrap and executes it - this is the USB equivalent of mbmloader
- OMAPFlash communicates with the now running 2nd bootstrap and uploads the signed Motorola bootloader (mbm) to SRAM
- Defy executes mbm from SRAM and is now running the Motorola bootloader
- RSDLite can now be used to flash the eMMC with a special .SBF file containing mbr, mbmloader, mbm and ebr
- Defy can now boot mbm normally from eMMC and can be reflashed via RSDLite with a normal full .SBF
The following would be needed:
- OMAPFlash configured for Defy - available and possible
- USB bootloader (2nd bootstrap) for the Defy, signed with Defy private key - not available?
- Motorola bootloader (mbm) for the Defy, signed with Defy private key - available, as dumped from eMMC on working phone
- .SBF file with CG64, CG63, CG30 and CG65 - can be created, as all these signed binaries are available from eMMC dump
OMAPFlash is supplied with an unsigned OMAP3 2nd bootstrap and a version signed with the TI private key. There is also one available for the Droid (called pbrdl.bin), signed with the Droid private key (Droid is OMAP4). None of these will run on the Defy. (The TI OMAPFlash installer is available via http at 59.124.231.13/index.php/OMAPFlash, as a new user I can't post a direct external link).
OMAPFlash also seems to be able to flash the eMMC directly via a binary driver that it uploads to the device, but the documentation claims that this is only possible for OMAP4 devices (and it would still need a signed 2nd bootstrap).
So, to use this method, we need a signed OMAP3 2nd bootstrap file (pbrdl.bin) for the Defy. Does it exist?
RSDLite - reason for "TI Blank Flash" not working
With the "TI Blank Flash" option selected, RSDLite detects the phone as "Blank OMAP3630", but fails to flash the full .SBF with the message "Error sending TI ROM data packet request. Device API Error: 0xE003009F".
The reason for this is that RSDLite attempts to send the RAM downloader in the .SBF, which is 315392 bytes. The OMAP internal RAM is only 65536 bytes and some of this is used for workspace by the ROM code. In fact the Defy seems to refuse to accept a file uploaded via USB peripheral boot (the USB connection is terminated) if it will exceed about 28664 bytes. The reason for this is not clear (it is not publicly documented for HS devices).
So I think that for RSDLite to be used with the "TI Blank Flash" option, there would need to be a special .SBF with a small sized RAM downloader that fits into the OMAP RAM. Maybe this small RAM downloader would be the signed Defy 2nd bootstrap that can download and execute mbm. I don't know if such an .SBF file exists.
When Linux is the Solution
Hi @Teedub, I had the same Problem with my Defy+. Dead, no bootloader,no recovery, Nothing. RSDLite didn't recognize my phone. So I tried sbf_flash on Linux. After downloading sbf_flash I typed this on the terminal
Code:
./sbf_flash name_of_the_sbf.sbf
And magically, it loaded the bootloader and flashed my Rom .
So I suggest you to try this program. It's very useful when RSD Lite doesn't want to work

[BOOTLOADER] Analysis

Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img referring to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There must be a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely reference to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.
Can you run binwalk with -e and post the 5.1.1 certs here
benwaffle said:
Can you run binwalk with -e and post the 5.1.1 certs here
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the top of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.
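
The binwalk hits above ("Certificate in DER format (x509 v3), header length: 4, sequence length: 1067") come from matching a DER SEQUENCE header, and the files extracted from them were reported to carry unrelated strings. The following Python sketch is an added example, not part of the original posts and not binwalk's code: it scans a blob for `30 82` headers, keeps only hits whose nested structure has the outer shape of an X.509 v3 certificate, and carves exactly the bytes the DER length covers. The sample blob and the certificate-shaped stand-in inside it are constructed; the stand-in is not a parseable certificate.

```python
def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            return None
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    return None if end > len(buf) else (tag, pos + hdr, end)


def children(buf, start, end):
    """Parse the TLVs that fill [start, end) exactly; None if they do not fit."""
    out, pos = [], start
    while pos < end:
        tlv = read_tlv(buf, pos)
        if tlv is None or tlv[2] > end:
            return None
        out.append(tlv)
        pos = tlv[2]
    return out


def looks_like_x509(buf, pos):
    """Return (offset, header_len, sequence_len) if the bytes at pos have the
    outer shape Certificate ::= SEQUENCE { tbs SEQUENCE, alg SEQUENCE, sig BIT STRING }."""
    outer = read_tlv(buf, pos)
    if outer is None or outer[0] != 0x30:
        return None
    kids = children(buf, outer[1], outer[2])
    if kids is None or [k[0] for k in kids] != [0x30, 0x30, 0x03]:
        return None
    tbs = children(buf, kids[0][1], kids[0][2])
    if not tbs or tbs[0][0] != 0xA0:       # v3 certificates start with [0] version
        return None
    return (pos, outer[1] - pos, outer[2] - outer[1])


def find_certificates(blob):
    """Scan for 30 82 headers and keep only structurally plausible certificates."""
    hits, pos = [], blob.find(b"\x30\x82")
    while pos != -1:
        hit = looks_like_x509(blob, pos)
        if hit:
            hits.append(hit)
        pos = blob.find(b"\x30\x82", pos + 1)
    return hits


def carve(blob, hit):
    """Cut out exactly header + sequence bytes, leaving trailing data behind."""
    offset, header_len, seq_len = hit
    return blob[offset:offset + header_len + seq_len]


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _sample_certificate():
    # Constructed stand-in with a certificate's outer shape, not a real certificate.
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x2a")
              + der(0x0C, b"constructed sample, not a real certificate; " * 8))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xab" * 64)
    return der(0x30, tbs + alg + sig)


SAMPLE_CERT = _sample_certificate()
# Constructed blob: padding, a bare "30 82 04 2b" header followed by text
# (a false positive for a header-only match), then the stand-in, then strings.
SAMPLE_BLOB = (b"\x00" * 37 + b"\x30\x82\x04\x2b" + b"lzma: decode error %d\n" * 60
               + SAMPLE_CERT + b"trailing format string: %s\n")

if __name__ == "__main__":
    for hit in find_certificates(SAMPLE_BLOB):
        print("offset %d, header length %d, sequence length %d" % hit)
```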
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are such that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around ? Or is preloader also encrypted fully ?
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all
These strings might give a bit of hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
How interesting. Thanks @stargo! I've updated the OP according to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.
Hi there! As seen within, I read MTK is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most ROMs are ports of a similar device. I'll have a search for a device with this same SoC to see if I can come back with related info. That's why I'm surprised we have CM here!

[Stock][ROM][5.1.1] Lenovo Yoga Tab 3 YT3-850L – How I bricked and restored

Hi all,
First of all I wanted to thank baikal0912 from lenovo-forums.ru, without Him this guide wouldn’t have been possible, so all the glory and kudos go to Him in first place. (baikal0912 if You’re reading this – Thank You once again)
THIS GUIDE IS FOR LENOVO YOGA TAB 3 YT3-850L! AS ALWAYS I’M NOT RESPONSIBLE FOR DAMAGED DEVICES AND LOST DATA! ALWAYS MAKE BACKUP! (DON’T MAKE MY MISTAKES)
SOME HISTORY (read if You want to know how I bricked my device)
I had stock 5.1.1 Android on my Yoga, tablet has been updated to 6.0.1 in which I had problems with writing to SDCard (permissions), so I managed to unlock bootloader, flash TWRP, install Xposed and SDFix. Sadly after some time I saw that randomly applications disappeared (like Google Play Store).
So I was searching for 5.1.1 ROM (because I didn’t have any backup), only 2 ROMs were available to download and it was for „M” model (YT3-850M) not „L”. First ROM was 785MB – it was only Chinese/English language, after flashing my device I saw that my LTE didn’t work, WIFI, BT, GPS and Sound didn’t work either.
So I tried second ROM downloaded for „M”, It was 1,2GB and there were all languages available, but still LTE, WIFI, BT, GPS and Sound didn’t work.
I was searching for some info about my problem and managed to go to lenovo-forums.ru where I found out It’s because of missing/damaged NVRam data (the data where tablet stores IMEI, Mac address and other stuff)
Surely It was my fault because I didn’t do any backup in first place (and yes, I’m an idiot)
Trying to find NVRam backup (in .QCN file) I ended up in lenovo-forums.ru talking with baikal0912, He shared with me stock „L” ROM and tried to help me flash the device back again, so I made this topic because there is a problem finding „L” ROM and so everyone knows how I flashed my device (which tools and drivers are needed, which mode to enter to flash device).
So let’s get started….
First, if Your tablet boots to Android make sure it has ADB debugging enabled (If You want to know how to enable ADB debug search the forum, there are plenty of answers)
Second make sure You grab SIMCard from device (You’re gonna insert it later at the end of my guide)
GRAB ALL THE NEEDED FILES: (ROM is 1GB 7zip compressed)
Code:
https://drive.google.com/drive/folders/0B2EmK9gw0mTdYUdJUGlDUm0zTW8?resourcekey=0-1iw6MlGugBOz6J5sDQRcaw&usp=sharing
You will need ROM (YT3-850L_S000026_151217_ROW_qpst.7z), QPST v2.7.429 (QPST_2.7.429.7z), drivers (Qualcomm USB Drivers For Windows.zip and Qualcomm_USBDriver_2.1.0.5_x64.cab), IMEI writing software (A100_WriteDualIMEI(W+G_eMMC).rar).
Also You are going to need ADB tools, search for them here at XDA (minimal ADB and fastboot).
NOTE: I’ve been trying to restore ROM with other QPST version and drivers without any success.
Install QPST, extract ROM to „C:\Lenovo” then connect turned on Yoga to PC, there should be 3 new devices shown in device manager named YT3-850M (in my case it was „M”, Yours can be „L”), install drivers from „Qualcomm USB Drivers for Windows.zip”, Windows should install two of them (modem fails to install, just ignore), the most important is device installed as „Lenovo HS-USB Diagnostics (COMx)” where X is Your COM port number needed LATER.
ENTER FLASHING MODE
For now run ADB command to check if Your device is recognized:
Code:
adb devices
If It’s recognized then command will show You some numbers, if You’re ready to go then run this command:
Code:
adb reboot edl
Above command will change Android to something I call „Flashing Mode” (the screen on tablet will be black), for now tablet is waiting for flashing, You should now see that device manager in Windows shows only one new device to install from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)”, note the COM port X needed to flash.
Others at forums tell me to enter „Diagnostic Mode” to start flashing but they were wrong, „Diagnostic Mode” is something else needed later.
FLASH THE DEVICE
Run QFIL.exe from installed QPST directory (c:\Program Files (x86)\Qualcomm\QPST\bin\), make sure to run with Administrator privileges (from right click context menu).
Code:
- Make sure that QFIL recognized Your device showing „Qualcomm HS-USB QDLoader 9008” with COM port number at top of QFIL screen.
- Select FLAT BUILD
- In „Programmer Path” choose „Browse”, go to extracted ROM directory and choose file named „prog_emmc_firehose_8909_ddr.mbn”
- Click on „LoadXML” below on right, choose „rawprogram0” file, then choose „patch0” file
If You are 100% sure You want to flash then press blue „Download” button and wait to finish flashing (don’t disconnect or turn off tablet before it ends).
You should notice that in „Status” window in QFIL there should be LOG, here’s my example of LOG file (shortened, doesn't fit all):
Start Download
Program Path:C:\lenovo\prog_emmc_firehose_8909_ddr.mbn
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
FireHose Log: [email protected] [email protected]
Request payload size 0xc000 is not the same as support payload size, change to 0x100000
Request payload size 0x100000 is too big, reduce to 0x20000
FireHose Log: [email protected] [email protected]
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
ReadBackMode:No_Readback
Disable read back
Total Bytes To Program 0x86846CA0
Download Image
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
Program Size: 0.24 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 1064, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
.......
.......
.......
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7799808, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_8.img
FireHose Log: start 7799808, num 16
FireHose Log: Finished sector address 7799824
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7800712, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_9.img
FireHose Log: start 7800712, num 16
FireHose Log: Finished sector address 7800728
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8061952, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_10.img
FireHose Log: start 8061952, num 16
FireHose Log: Finished sector address 8061968
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8324096, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_11.img
FireHose Log: start 8324096, num 16
FireHose Log: Finished sector address 8324112
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8325000, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_12.img
FireHose Log: start 8325000, num 16
FireHose Log: Finished sector address 8325016
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8586240, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_13.img
FireHose Log: start 8586240, num 16
FireHose Log: Finished sector address 8586256
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8848384, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_14.img
FireHose Log: start 8848384, num 16
FireHose Log: Finished sector address 8848400
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8849288, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_15.img
FireHose Log: start 8849288, num 16
FireHose Log: Finished sector address 8849304
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9110528, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_16.img
FireHose Log: start 9110528, num 16
FireHose Log: Finished sector address 9110544
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9372672, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_17.img
FireHose Log: start 9372672, num 16
FireHose Log: Finished sector address 9372688
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9634816, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_18.img
FireHose Log: start 9634816, num 16
FireHose Log: Finished sector address 9634832
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9896960, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_19.img
FireHose Log: start 9896960, num 16
FireHose Log: Finished sector address 9896976
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9901032, Length: 218048 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_20.img
FireHose Log: start 9901032, num 218048
FireHose Log: Finished sector address 10119080
PROGRAM: Written Bytes 0x6a78000 (64)
Program Size: 106.47 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_main0.bin
FireHose Log: start 0, num 34
FireHose Log: Finished sector address 34
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_backup0.bin
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
Total Size: 2155.12 MB
Total Time: 265 Seconds
Throughput: 8.13 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-26., Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535654 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 1 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535679 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 1 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 30535679 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
FireHose Log: Patched sector 30535679 with 01D1EFDF
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
FireHose Log: crc start sector 2, over bytes 4096
FireHose Log: Patched sector 1 with 7315C503
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
FireHose Log: crc start sector 30535647, over bytes 4096
FireHose Log: Patched sector 30535679 with 7315C503
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 1 with 00000000
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
FireHose Log: crc start sector 1, over bytes 92
FireHose Log: Patched sector 1 with 2EB8C0BF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 30535679 with 00000000
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
FireHose Log: crc start sector 30535679, over bytes 92
FireHose Log: Patched sector 30535679 with B8615551
Total download file size: 2155,119MB
Total download time: 4 Min 26 Sec
Throughput: 8,096117MB/s
FireHose Log: Set bootable drive to 0.
Download Succeed
Finish Download
If there’s „Download Succeed” and „Finish Download” in LOG You could try to boot new ROM holding POWER button, the first boot should take some time, after boot don’t install any apps, we need to change IMEI before we use tablet.
CHECK IMEI
After booting check if Your IMEI number exists in NVRam, go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
*#06#
If IMEI is good, skip to „Region Change” guide.
If IMEI is 0 then note Your IMEI from the „Standing Plate” of Your tablet.
WRITING IMEI
First shut down tablet, boot with holding „POWER” „+” and „-„ buttons, there should show something I call „Diagnostic Mode”, there will be some tests like:
Code:
1 SYSTEM INFO
2 KEYPAD BACKLIGHT
3 LCD BACKLIGHT
…..
…..
You should connect tablet to PC, and if You previously installed „Qualcomm USB Drivers For Windows.zip” drivers, then run WriteDualIMEI(W+G_eMMC).exe as Administrator.
Program will auto detect COM port, there will be two fields (IMEI1, IMEI2), just insert Your IMEI in BOTH FIELDS, click START, wait for program to show PASS.
If it pass, disconnect tablet from USB, click on REBOOT in „Diagnostic Mode”, choose „(3) Reboot to Android”, hit „OK”
After booting check IMEI number as mentioned above, if it’s ok then last thing to do is…
CHANGE REGION CODE
To change region code, do the same as checking IMEI but with other code, so go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
####682#
Region changing settings should appear, at top there is Your currently selected region, below You can choose new region, note that after changing region Android should reboot.
For now shut down Android, insert SIMCard, and enjoy.
That’s all, thanks for reading, I hope this guide will help someone like baikal0912 :good: helped me.
Regards.
P.S. If someone know how to enter „Flashing Mode” in other way than „adb reboot edl” let me know so I can update this guide (maybe there is someone who can’t boot device and enter „Flashing Mode” via ADB)
P.S.2. Flashing done under Windows 10 Home 64 bit, connected to USB 2.0
P.S.3. I haven't done Serial Number (SN) writing to tablet, don't know how.
P.S.4. Sorry for my bad English
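An added example, not part of the guide above or of QPST: a Python check that the PROGRAM and PATCH records in a QFIL status log are internally consistent (start + num equals the finished sector, bytes written equals sectors times sector size, and every NUM_DISK_SECTORS-n value matches what the device reports as patched). The function and variable names are assumptions; the sample lines are copied from the log in the post.

```python
import re

SYMBOLIC = re.compile(r"NUM_DISK_SECTORS-(\d+)\.?$")
RE_PROGRAM = re.compile(r"PROGRAM: Partition \d+, Sector: ([^,]+), "
                        r"Length: (\d+) Sectors, Sector Size: (\d+) Bytes")
RE_START = re.compile(r"FireHose Log: start (\d+), num (\d+)")
RE_FINISH = re.compile(r"FireHose Log: Finished sector address (\d+)")
RE_WRITTEN = re.compile(r"PROGRAM: Written Bytes (0x[0-9a-fA-F]+)")
RE_PATCH = re.compile(r"PATCH: Partition \d+, Sector: ([^,]+), Offset (\d+) Bytes, "
                      r"Size: (\d+) Bytes, Value: (\S+)")
RE_PATCHED = re.compile(r"FireHose Log: Patched sector (\d+) with ([0-9A-Fa-f]+)")

# Excerpt of the QFIL log quoted in the post (not the full log).
SAMPLE_LOG = r"""
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_backup0.bin
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535679 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 1 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
FireHose Log: Patched sector 30535679 with 01D1EFDF
"""


def resolve(expr, total):
    """Turn '40' or 'NUM_DISK_SECTORS-34.' into an int; None if not resolvable
    (for example CRC32(...) values, which need the flashed data itself)."""
    expr = expr.strip()
    if expr.isdigit():
        return int(expr)
    m = SYMBOLIC.match(expr)
    return total - int(m.group(1)) if m and total is not None else None


def check_log(text):
    """Return (NUM_DISK_SECTORS or None, list of inconsistencies found)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    total = None
    # Pass 1: a PROGRAM record with a symbolic sector plus the numeric start
    # echoed by the device gives the disk size in sectors.
    for i, ln in enumerate(lines):
        m = RE_PROGRAM.match(ln)
        sym = SYMBOLIC.match(m.group(1)) if m else None
        for nxt in (lines[i + 1:i + 4] if sym else []):
            s = RE_START.match(nxt)
            if s:
                total = int(s.group(1)) + int(sym.group(1))
    # Pass 2: cross-check every record against what the device reported.
    problems, cur, pending = [], None, None
    for n, ln in enumerate(lines, 1):
        if (m := RE_PROGRAM.match(ln)):
            cur = {"sector": resolve(m.group(1), total),
                   "length": int(m.group(2)), "size": int(m.group(3))}
        elif (m := RE_START.match(ln)) and cur:
            cur["start"] = int(m.group(1))
            if cur["sector"] is not None and cur["start"] != cur["sector"]:
                problems.append(f"line {n}: start differs from requested sector")
            if int(m.group(2)) != cur["length"]:
                problems.append(f"line {n}: num differs from requested length")
        elif (m := RE_FINISH.match(ln)) and cur and "start" in cur:
            if int(m.group(1)) != cur["start"] + cur["length"]:
                problems.append(f"line {n}: finished sector != start + num")
        elif (m := RE_WRITTEN.match(ln)) and cur:
            if int(m.group(1), 16) != cur["length"] * cur["size"]:
                problems.append(f"line {n}: written bytes != sectors * sector size")
            cur = None
        elif (m := RE_PATCH.match(ln)):
            pending = (resolve(m.group(1), total), resolve(m.group(4), total))
        elif (m := RE_PATCHED.match(ln)) and pending:
            sector, value = pending
            if sector is not None and int(m.group(1)) != sector:
                problems.append(f"line {n}: patched sector differs from request")
            if value is not None and int(m.group(2), 16) != value:
                problems.append(f"line {n}: patched value differs from request")
            pending = None
    return total, problems


if __name__ == "__main__":
    total, problems = check_log(SAMPLE_LOG)
    print("NUM_DISK_SECTORS:", total)
    print("problems:", problems or "none")
```

The 8-byte patches at offsets 32, 48 and 72 of sector 1 land on the GPT header's backup-header LBA, last-usable LBA and partition-entry LBA fields, which is why they all depend on the disk size.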
I can't install the drivers automatically because I don't have a working Yoga Tab. I just can boot into fastboot mode. I run "fastboot devices" and there it is, but not with "adb devices". My device manager knows my tablet and tells me "Android Bootloader Interface" when I connect the tablet. If I try to update the driver it says they are already installed.
Rookie1919 said:
I can't install the drivers automatically because I don't have a working Yoga Tab. I just can boot into fastboot mode. I run "fastboot devices" and there it is, but not with "adb devices". My device manager knows my tablet and tells me "Android Bootloader Interface" when I connect the tablet. If I try to update the driver it says they are already installed.
Have You tried "fastboot boot recovery.img" to boot recovery?
Do You have recovery.img?
If You have problem entering "Flashing Mode" (via "adb reboot edl"), You can try this link with patched fastboot to support rebooting to edl, I didn't test it, someone can try....
https://forum.xda-developers.com/an.../guide-how-to-reboot-to-edl-fastboot-t3394292
I connected the pad while i pressed Vol-. Then I used the exe in the new fastboot thing. Then I did this:
C:\adb>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
C:\adb>adb reboot edl
error: no devices/emulators found
Rookie1919 said:
I connected the pad while i pressed Vol-. Then I used the exe in the new fastboot thing. Then I did this:
C:\adb>adb devices
List of devices attached
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
C:\adb>adb reboot edl
error: no devices/emulators found
So if You managed to run new fastboot exe to boot to edl, the screen should be black on Yoga (and device is in "Flashing Mode"), check device manager in Windows, You should install driver from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)” device.
Next You should do the flashing by QFIL as described in my tutorial above.
In my tutorial I was using adb to boot to edl ("Flashing Mode") because my tablet was booting, as I understand Your tablet doesn't boot anywhere beside fastboot, so You must enter edl ("Flashing Mode") via fastboot without using adb (adb should work only if You boot tablet)
Doesn't work. I booted to recovery and tried a factory reset. Then the message "couldnt mount system" appears. Could this be the problem? And how could I solve this?
Hmmm, I think it's because of damaged system, don't know how to help (I'm not Android pro), if internal storage isn't damaged then only way I know is to flash ROM via QFIL, and for that You must enter edl ("Flashing Mode") either with adb, fastboot or booting with some magic key combination.
Unless You enter edl You couldn't flash device, try in recovery mode if adb is working to boot edl.
I don't know exactly where to post I just need the plain stock image of the yt3 x50f ROW so I can put it on the tablet I somehow got a PRC CN ROM on it and now no Google apps or anything just the zip file I need to place on the SD card is all I need I've looked everywhere spent all night I'm surprised I haven't bricked it I found 1 but qfil or qdloader wouldn't put it on the tablet I just want my tablet back.....
Don't know exactly why, but I managed to get it to run. Now all is fine. Thx 4 your help.
tapayn02 said:
I don't know exactly where to post I just need the plain stock image of the yt3 x50f ROW so I can put it on the tablet I somehow got a PRC CN ROM on it and now no Google apps or anything just the zip file I need to place on the SD card is all I need I've looked everywhere spent all night I'm surprised I haven't bricked it I found 1 but qfil or qdloader wouldn't put it on the tablet I just want my tablet back.....
Hi, I think flashing with only update.zip can cause bricked device like I bricked mine, fast search on lenovo-forums.ru gives me a link and another link to ROM flashed via QPST/QFIL, don't know if flashing can be done exactly with tools I unbricked mine YT3-850L, for details ask them at lenovo-forums.ru (You could use translate.google.com if You don't know Russian language, just as I did)
That's how I got the Chinese version on the tablet just putting it on the SD card
tapayn02 said:
That's how I got the Chinese version on the tablet just putting it on the SD card
The links above that I gave You aren't for flashing via SD-Card (don't flash it via Android recovery), they're meant to be flashed from PC via QFIL application.
When I was searching for ROM for my YT3-850L I found Chinese version too, I don't think You can find any update.zip with full ROM for Your Lenovo, there are only ROWs which are only updates from one version to another (not full android).
If You wish to try something I recommend backing up to .QCN file via QPST (it's NVRAM which stores IMEI, WIFI Mac, BT Mac, GPSID and other settings - for me it was additional sound not working).
The ROM's flashed via QFIL/QPST are full android backups, I don't think that in lenovo-forums.ru are Chinese versions.
If You go to lenovo-forums.ru there is at top on right on site button to choose language and translate so it's easy to read.
OK Thanks I'll give it a shot
hi wpinacz
i have lenovo yt3-850M tab and i installed chinese rom through the sd card please give row version of qpst rom and very very thank for giving yt3-850l row rom
i am in a lot of trouble this time if you help i will feel grateful
thank you
rj3689 said:
hi wpinacz
i have lenovo yt3-850M tab and i installed chinese rom through the sd card please give row version of qpst rom and very very thank for giving yt3-850l row rom
i am in a lot of trouble this time if you help i will feel grateful
thank you
Here's the link, be sure to READ INSTRUCTIONS before flashing, as I read it's meant to be flashed from PC not from SDCARD.
For all to know, I don't have any other ROM than for YT3-850L, different models (like "M" or "Y") are using different ROM than mine, the tools and drivers could be different to flash, the steps to flash device could be different too. So if anyone else got other version than "L" should be searching on other xda topics like here, or at lenovo-forums.ru
Thanks for help.
wpinacz said:
Hi all,
First of all I wanted to thank baikal0912 from lenovo-forums.ru, without Him this guide wouldn’t have been possible, so all the glory and kudos go to Him in first place. (baikal0912 if You’re reading this – Thank You once again)
THIS GUIDE IS FOR LENOVO YOGA TAB 3 YT3-850L! AS ALWAYS I’M NOT RESPONSIBLE FOR DAMAGED DEVICES AND LOST DATA! ALWAYS MAKE BACKUP! (DON’T MAKE MY MISTAKES)
SOME HISTORY (read if You want to know how I bricked my device)
I had stock 5.1.1 Android on my Yoga, tablet has been updated to 6.0.1 in which I had problems with writing to SDCard (permissions), so I managed to unlock bootloader, flash TWRP, install Xposed and SDFix. Sadly after some time I saw that randomly applications disappeared (like Google Play Store).
So I was searching for 5.1.1 ROM (because I didn’t have any backup), only 2 ROMs were available to download and it was for „M” model (YT3-850M) not „L”. First ROM was 785MB – it was only Chinese/English language, after flashing my device I saw that my LTE didn’t work, WIFI, BT, GPS and Sound didn’t work either.
So I tried second ROM downloaded for „M”, It was 1,2GB and there were all languages available, but still LTE, WIFI, BT, GPS and Sound didn’t work.
I was searching for some info about my problem and managed to go to lenovo-forums.ru where I found out It’s because of missing/damaged NVRam data (the data where tablet stores IMEI, Mac address and other stuff)
Surely It was my fault because I didn’t do any backup in first place (and yes, I’m an idiot)
Trying to find NVRam backup (in .QCN file) I ended up in lenovo-forums.ru talking with baikal0912, He shared with me stock „L” ROM and tried to help me flash the device back again, so I made this topic because there is a problem finding „L” ROM and so everyone knows how I flashed my device (which tools and drivers are needed, which mode to enter to flash device).
So let’s get started….
First, if Your tablet boots to Android make sure it has ADB debugging enabled (If You want to know how to enable ADB debug search the forum, there are plenty of answers)
Second make sure You grab SIMCard from device (You’re gonna insert it later at the end of my guide)
GRAB ALL THE NEEDED FILES: (ROM is 1GB 7zip compressed)
Code:
https://drive.google.com/drive/folders/0B2EmK9gw0mTdYUdJUGlDUm0zTW8?usp=sharing
You will need ROM (YT3-850L_S000026_151217_ROW_qpst.7z), QPST v2.7.429 (QPST_2.7.429.7z), drivers (Qualcomm USB Drivers For Windows.zip and Qualcomm_USBDriver_2.1.0.5_x64.cab), IMEI writing software (A100_WriteDualIMEI(W+G_eMMC).rar).
Also You are going to need ADB tools, search for them here at XDA (minimal ADB and fastboot).
NOTE: I’ve been trying to restore ROM with other QPST version and drivers without any success.
Install QPST, extract ROM to „C:\Lenovo” then connect turned on Yoga to PC, there should be 3 new devices shown in device manager named YT3-850M (in my case it was „M”, Yours can be „L”), install drivers from „Qualcomm USB Drivers for Windows.zip”, Windows should install two of them (modem fails to install, just ignore), the most important is device installed as „Lenovo HS-USB Diagnostics (COMx)” where X is Your COM port number needed LATER.
ENTER FLASHING MODE
For now run ADB command to check if Your device is recognized:
Code:
adb devices
If It’s recognized then command will show You some numbers, if You’re ready to go then run this command:
Code:
adb reboot edl
Above command will change Android to something I call „Flashing Mode” (the screen on tablet will be black), for now tablet is waiting for flashing, You should now see that device manager in Windows shows only one new device to install from „Qualcomm_USBDriver_2.1.0.5_x64.cab”, the device manager should install „Qualcomm HS-USB QDLoader 9008 (COMx)”, note the COM port X needed to flash.
Others at forums tell me to enter „Diagnostic Mode” to start flashing but they were wrong, „Diagnostic Mode” is something else needed later.
FLASH THE DEVICE
Run QFIL.exe from installed QPST directory (c:\Program Files (x86)\Qualcomm\QPST\bin\), make sure to run with Administrator privileges (from right click context menu).
Code:
- Make sure that QFIL recognized Your device showing „Qualcomm HS-USB QDLoader 9008” with COM port number at top of QFIL screen.
- Select FLAT BUILD
- In „Programmer Path” choose „Browse”, go to extracted ROM directory and choose file named „prog_emmc_firehose_8909_ddr.mbn”
- Click on „LoadXML” below on right, choose „rawprogram0” file, then choose „patch0” file
If You are 100% sure You want to flash then press blue „Download” button and wait to finish flashing (don’t disconnect or turn off tablet before it ends).
You should notice that in „Status” window in QFIL there should be LOG, here’s my example of LOG file (shortened, doesn't fit all):
Start Download
Program Path:C:\lenovo\prog_emmc_firehose_8909_ddr.mbn
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
FireHose NOP sent successfully
Sending Configuration
Device Type:eMMC
Platform:8x26
FireHose Log: [email protected] [email protected]
Request payload size 0xc000 is not the same as support payload size, change to 0x100000
Request payload size 0x100000 is too big, reduce to 0x20000
FireHose Log: [email protected] [email protected]
Set TxBuffer 0x20000, RxBuffer 0x4000
Firehose configure packet sent successfully!
ReadBackMode:No_Readback
Disable read back
Total Bytes To Program 0x86846CA0
Download Image
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
Program Size: 0.24 MB
PROGRAM: Replace the partition sectors number 0x400 to file size in sector 0x1e3
PROGRAM: Partition 0, Sector: 1064, Length: 483 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\sbl1.mbn
.......
.......
.......
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7799808, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_8.img
FireHose Log: start 7799808, num 16
FireHose Log: Finished sector address 7799824
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 7800712, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_9.img
FireHose Log: start 7800712, num 16
FireHose Log: Finished sector address 7800728
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8061952, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_10.img
FireHose Log: start 8061952, num 16
FireHose Log: Finished sector address 8061968
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8324096, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_11.img
FireHose Log: start 8324096, num 16
FireHose Log: Finished sector address 8324112
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8325000, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_12.img
FireHose Log: start 8325000, num 16
FireHose Log: Finished sector address 8325016
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8586240, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_13.img
FireHose Log: start 8586240, num 16
FireHose Log: Finished sector address 8586256
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8848384, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_14.img
FireHose Log: start 8848384, num 16
FireHose Log: Finished sector address 8848400
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 8849288, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_15.img
FireHose Log: start 8849288, num 16
FireHose Log: Finished sector address 8849304
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9110528, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_16.img
FireHose Log: start 9110528, num 16
FireHose Log: Finished sector address 9110544
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9372672, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_17.img
FireHose Log: start 9372672, num 16
FireHose Log: Finished sector address 9372688
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9634816, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_18.img
FireHose Log: start 9634816, num 16
FireHose Log: Finished sector address 9634832
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9896960, Length: 16 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_19.img
FireHose Log: start 9896960, num 16
FireHose Log: Finished sector address 9896976
PROGRAM: Written Bytes 0x2000 (64)
Program Size: 0.01 MB
PROGRAM: Partition 0, Sector: 9901032, Length: 218048 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\userdata_20.img
FireHose Log: start 9901032, num 218048
FireHose Log: Finished sector address 10119080
PROGRAM: Written Bytes 0x6a78000 (64)
Program Size: 106.47 MB
PROGRAM: Partition 0, Sector: 0, Length: 34 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_main0.bin
FireHose Log: start 0, num 34
FireHose Log: Finished sector address 34
PROGRAM: Written Bytes 0x4400 (64)
Program Size: 0.02 MB
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
File: C:\lenovo\gpt_backup0.bin
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
Program Size: 0.02 MB
Total Size: 2155.12 MB
Total Time: 265 Seconds
Throughput: 8.13 MB/Seconds
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-26., Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535654 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 1 with 01D1EFDE
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 48 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 30535679 with 01D1EFDE
PATCH: Partition 0, Sector: 1, Offset 32 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 1 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 24 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-1.
FireHose Log: Patched sector 30535679 with 01D1EFFF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1, Offset 72 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-33.
FireHose Log: Patched sector 30535679 with 01D1EFDF
PATCH: Partition 0, Sector: 1, Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(2,4096)
FireHose Log: crc start sector 2, over bytes 4096
FireHose Log: Patched sector 1 with 7315C503
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 88 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-33.,4096)
FireHose Log: crc start sector 30535647, over bytes 4096
FireHose Log: Patched sector 30535679 with 7315C503
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 1 with 00000000
PATCH: Partition 0, Sector: 1, Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(1,92)
FireHose Log: crc start sector 1, over bytes 92
FireHose Log: Patched sector 1 with 2EB8C0BF
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: 0
FireHose Log: Patched sector 30535679 with 00000000
PATCH: Partition 0, Sector: NUM_DISK_SECTORS-1., Offset 16 Bytes, Size: 4 Bytes, Value: CRC32(NUM_DISK_SECTORS-1.,92)
FireHose Log: crc start sector 30535679, over bytes 92
FireHose Log: Patched sector 30535679 with B8615551
Total download file size: 2155,119MB
Total download time: 4 Min 26 Sec
Throughput: 8,096117MB/s
FireHose Log: Set bootable drive to 0.
Download Succeed
Finish Download
If there’s „Download Succeed” and „Finish Download” in LOG You could try to boot new ROM holding POWER button, the first boot should take some time, after boot don’t install any apps, we need to change IMEI before we use tablet.
CHECK IMEI
After booting check if Your IMEI number exists in NVRam, go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
*#06#
If IMEI is good, skip to „Region Change” guide.
If IMEI is 0 then note Your IMEI from the „Standing Plate” of Your tablet.
WRITING IMEI
First shut down tablet, boot with holding „POWER” „+” and „-„ buttons, there should show something I call „Diagnostic Mode”, there will be some tests like:
Code:
1 SYSTEM INFO
2 KEYPAD BACKLIGHT
3 LCD BACKLIGHT
…..
…..
You should connect tablet to PC, and if You previously installed „Qualcomm USB Drivers For Windows.zip” drivers, then run WriteDualIMEI(W+G_eMMC).exe as Administrator.
Program will auto detect COM port, there will be two fields (IMEI1, IMEI2), just insert Your IMEI in BOTH FIELDS, click START, wait for the program to show PASS.
If it pass, disconnect tablet from USB, click on REBOOT in „Diagnostic Mode”, choose „(3) Reboot to Android”, hit „OK”
After booting check IMEI number as mentioned above, if it’s ok then last thing to do is…
CHANGE REGION CODE
To change region code, do the same as checking IMEI but with another code, so go to „CONTACTS”, click „Search” magnifier button, enter:
Code:
####682#
Region changing settings should appear, at top there is Your currently selected region, below You can choose new region, note that after changing region Android should reboot.
For now shut down Android, insert SIMCard, and enjoy.
That’s all, thanks for reading, I hope this guide will help someone like baikal0912 :good: helped me.
Regards.
P.S. If someone know how to enter „Flashing Mode” in other way than „adb reboot edl” let me know so I can update this guide (maybe there is someone who can’t boot device and enter „Flashing Mode” via ADB)
P.S.2. Flashing done under Windows 10 Home 64 bit, connected to USB 2.0
P.S.3. I haven't done Serial Number (SN) writing to tablet, don't know how.
P.S.4. Sorry for my bad English
Thanks WPINACZ, you took me out of that PRC ROM. Now I can use my tab once again. I updated the Chinese ROM while downgrading and then was unable to load gaps or any Google apps.
Your elaborate process took me out of the ROM.:good::good::good::good:
Only thing to update is, I did it on Windows 10 Pro. I did not have to install any drivers while following the procedures.
Thanks again.
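A way to check a saved QFIL status log instead of only looking for „Download Succeed”, as an added example that is not part of the original posts. `check_qfil_log` is a hypothetical helper; the sample lines are copied from the log quoted above, and the checks (end sector = start + num, bytes = sectors × 512, GPT patch values resolved against the inferred disk size) are assumptions drawn from what that log shows.

```python
import re

# Lines copied from the QFIL log quoted above (File: lines omitted).
SAMPLE_LOG = """\
PROGRAM: Partition 0, Sector: 40, Length: 483 Sectors, Sector Size: 512 Bytes
FireHose Log: start 40, num 483
FireHose Log: Finished sector address 523
PROGRAM: Written Bytes 0x3c600 (64)
PROGRAM: Partition 0, Sector: NUM_DISK_SECTORS-33., Length: 33 Sectors, Sector Size: 512 Bytes
FireHose Log: start 30535647, num 33
FireHose Log: Finished sector address 30535680
PROGRAM: Written Bytes 0x4200 (64)
PATCH: Partition 0, Sector: 9, Offset 296 Bytes, Size: 8 Bytes, Value: NUM_DISK_SECTORS-34.
FireHose Log: Patched sector 9 with 01D1EFDE
Download Succeed
Finish Download
"""

def check_qfil_log(text, sector_size=512):
    """Return (disk_sectors, problems) for a QFIL status log (hypothetical helper)."""
    problems = []
    total = None             # NUM_DISK_SECTORS, inferred from a symbolic PROGRAM line
    pending = expect = None  # symbolic offsets waiting for the device's echoed value
    start = num = None
    for line in text.splitlines():
        if m := re.match(r"PROGRAM: .*Sector: NUM_DISK_SECTORS-(\d+)", line):
            pending = int(m[1])
        elif m := re.match(r"FireHose Log: start (\d+), num (\d+)", line):
            start, num = int(m[1]), int(m[2])
            if pending is not None:          # resolved sector + offset = disk size
                total, pending = start + pending, None
        elif m := re.match(r"FireHose Log: Finished sector address (\d+)", line):
            if start is None or int(m[1]) != start + num:
                problems.append("write did not end at start+num: " + line)
        elif m := re.match(r"PROGRAM: Written Bytes 0x([0-9a-fA-F]+)", line):
            if num is None or int(m[1], 16) != num * sector_size:
                problems.append("byte count != sectors * sector size: " + line)
        elif m := re.match(r"PATCH: .*Value: NUM_DISK_SECTORS-(\d+)\.?\s*$", line):
            expect = int(m[1])
        elif m := re.match(r"FireHose Log: Patched sector \d+ with ([0-9A-Fa-f]+)", line):
            if expect is not None and total is not None and int(m[1], 16) != total - expect:
                problems.append("patched value is not NUM_DISK_SECTORS-%d: %s" % (expect, line))
            expect = None
    if "Download Succeed" not in text.splitlines():
        problems.append("log does not contain 'Download Succeed'")
    return total, problems

if __name__ == "__main__":
    print(check_qfil_log(SAMPLE_LOG))
```
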
I'm glad to know that my guide helped someone, I've made it because there wasn't any guide on net and so anyone could flash device fast, I've spent about 1 week to find all that I need to flash device because of work I had only few hours daily to write through translator in Russian language, hopefully I managed to meet baikal0912 who shared with me rom as I share with You, I've tested all drivers, tools and methods to bring back my Yoga to life and figured to write this guide so others can flash without problems.
Regards
Phone features not working
wpinacz said:
I'm glad to know that my guide helped someone, I've made it because there wasn't any guide on net and so anyone could flash device fast, I've spent about 1 week to find all that I need to flash device because of work I had only few hours daily to write through translator in Russian language, hopefully I managed to meet baikal0912 who shared with me rom as I share with You, I've tested all drivers, tools and methods to bring back my Yoga to life and figured to write this guide so others can flash without problems.
Regards
Dear WPINACZ,
The only question I have is that my tab is now on the 850L ROM, which does not support the Phone feature. But my tab earlier was 850M (with phone features). I don't need the phone, but because of this a few apps which I use regularly cannot be installed (basically because they need the phone permissions). Please help if you can.
Bhaskar1091 said:
Dear WPINACZ,
The only question I have is that my tab is now on the 850L ROM, which does not support the Phone feature. But my tab earlier was 850M (with phone features). I don't need the phone, but because of this a few apps which I use regularly cannot be installed (basically because they need the phone permissions). Please help if you can.
Sorry but I don't know any possible way to enable phone on L rom, I was reading how enable phone on other tablets (like Samsung) and the process needs rooted device and .zip patch for device which I don't think will work on Lenovo, messing with low level settings in QPST could damage device too, so I think the easiest and cleanest way is to grab M rom from lenovo-forums.ru
You could try to install some phone .apk from other developers but it won't enable phone permissions, and of course You can't make phone calls.
wpinacz said:
Here's the link, be sure to READ INSTRUCTIONS before flashing, as I read it's meant to be flashed from PC, not from SDCARD.
For all to know, I don't have any other ROM than for YT3-850L, different models (like "M" or "Y") are using different ROM than mine, the tools and drivers could be different to flash, the steps to flash device could be different too. So if anyone else got other version than "L" should be searching on other xda topics like here , or at lenovo-forums.ru
Thank you my friend, my problem with the Chinese ROM on my Lenovo tab is solved by Brandon, thank you very much

Copy binary by odin (Samsung SM-G531M android 5.1)

Greetings to all.
I have a Samsung SM-G531M Galaxy Grand Prime. Android 5.1
By mistake I deleted a system binary (linker) and now the phone does not start. Every time, it tries to start in recovery mode (loop), but I have the FRP lock. Only the download mode works for me.
Can you copy the linker binary with Odin? I.e. edit the stock ROM and put only the linker (delete everything, just leave /system/bin/linker).
If so, I have tried modifying the stock ROM, but I cannot extract a file from boot.img (file_contexts from the boot.img\ramdisk) that is essential to package the new modified system (using the program Auto Tool v3.0 x64).
-My system is windows 7.
-CarlivImageKitchen_x64
Your image: boot.img
Create the boot folder.
*Printing information for "boot.img"
*Unpack image utility by carliv @ xda
*Header:
**Magic: ANDROID!
**Magic offset: 0
**Page size: 50331648 (0x03000000)
**Base address: 0x10000000
**Kernel address: 0x10008000
**Kernel size: 6294484 (0x00600bd4)
**Kernel offset: 0x00008000
*>> kernel written to 'boot / boot.img-kernel' (6294484 bytes)
**Ramdisk address: 0x11000000
**Ramdisk size: 1532010 (0x0017606a)
**Ramdisk offset: 0x01000000
*>> ramdisk written to 'boot / boot.img-ramdisk.unknown' (1532010 bytes)
**Second address: 0x10f00000
**Tags address: 0x0001f800
**Tags offset: 0xf001f800
**Dt size: 268435712 (0x10000100)
*>> device_tree written to 'boot / boot.img-dt' (268435712 bytes)
Compression used: unknown
Unpacking the ramdisk ....
The system can not find the specified batch label: unknown
And the ramdisk folder appears empty.
Thanks in advance.
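An independent way to read a boot.img header and identify the ramdisk compressor, as an added example that is not part of the post or of the tool it used. It assumes the original AOSP header layout (magic, then eight little-endian 32-bit fields) and flags values such as the 0x03000000 page size printed above as implausible for that layout; `parse_boot_header` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import gzip
import struct

# Leading bytes of common ramdisk compressors.
RAMDISK_MAGICS = [(b"\x1f\x8b", "gzip"), (b"\x02\x21\x4c\x18", "lz4-legacy"),
                  (b"\xfd7zXZ\x00", "xz"), (b"BZh", "bzip2"), (b"\x5d\x00\x00", "lzma")]
PAGE_SIZES = {2048, 4096, 8192, 16384}   # assumption: sizes the standard layout uses
FIELDS = ("kernel_size", "kernel_addr", "ramdisk_size", "ramdisk_addr",
          "second_size", "second_addr", "tags_addr", "page_size")

def parse_boot_header(img):
    """Return (header dict, problems, ramdisk compression or None)."""
    if img[:8] != b"ANDROID!":
        raise ValueError("missing ANDROID! magic")
    hdr = dict(zip(FIELDS, struct.unpack_from("<8I", img, 8)))
    page = hdr["page_size"]
    if page not in PAGE_SIZES:
        # Offsets derived from a bad page size are meaningless, so stop here.
        return hdr, ["implausible page size %#x" % page], None
    problems = []
    # Header occupies one page; the kernel is padded up to a page boundary.
    ramdisk_off = page + -(-hdr["kernel_size"] // page) * page
    if ramdisk_off + hdr["ramdisk_size"] > len(img):
        problems.append("ramdisk extends past end of file")
    head = img[ramdisk_off:ramdisk_off + 6]
    comp = next((n for magic, n in RAMDISK_MAGICS if head.startswith(magic)), "unknown")
    return hdr, problems, comp

def build_sample(page_size=2048):
    """Constructed image: 3000-byte dummy kernel plus a gzip ramdisk, 2048-byte pages."""
    kernel = b"K" * 3000
    ramdisk = gzip.compress(b"constructed ramdisk contents")
    header = b"ANDROID!" + struct.pack("<8I", len(kernel), 0x10008000, len(ramdisk),
                                       0x11000000, 0, 0x10f00000, 0x10000100, page_size)
    pad = lambda b: b + b"\0" * (-len(b) % 2048)
    return pad(header) + pad(kernel) + pad(ramdisk)

if __name__ == "__main__":
    print(parse_boot_header(build_sample()))
    print(parse_boot_header(build_sample(0x03000000))[1])
```
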
