[GPST] document error on element type raw program and name/value true - Lenovo Z5 Pro GT Questions & Answers

Hi, after a catastrophic failure flashing a GSI ROM to my Lenovo, the system does not boot anymore, only to the bootloader. So I'm trying to flash the stock ROM with GPST, but this error occurs every time I try to add rawprogram0.xml:
document error on element type raw program and name/value true
I've looked into this rawprogram0.xml and found that "sparse" has a false value on every line except one, which is assigned a true value.
Here is the line:
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="" label="persist" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="true" start_byte_hex="0x3cc22000" start_sector="1990928" />
After I modified this to false I was able to add the file to GPST with no error, but the problem is that this is the first time I've messed with this program, so I don't know exactly what I'm getting myself into or whether I can harm my device for real this time. So I'm here to ask if there is someone out there who knows this program, this file and this line of code, and can help me understand this issue, so I can bring my phone back to life.

So just changing sparse="true" to false will be OK, right?
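A read-only consistency check for a rawprogram0.xml like the one discussed in this thread, as an added example that is not part of the original posts or of GPST: it lists entries marked sparse="true" and cross-checks each entry's size, byte offset and sector range. The sample XML is constructed (only the persist line is copied from the question), and the function names and finding labels are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "persist" is the line quoted in the question; "boot" and
# "misc" are made up, and "misc" is deliberately inconsistent.
SAMPLE = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="boot.img" label="boot" num_partition_sectors="131072" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="65536.0" sparse="false" start_byte_hex="0x34c22000" start_sector="1728784" />
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="" label="persist" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="true" start_byte_hex="0x3cc22000" start_sector="1990928" />
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="misc.img" label="misc" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="2048.0" sparse="false" start_byte_hex="0x3ebe8000" start_sector="2056000" />
</data>
"""


def load_entries(xml_text):
    """Parse every <program> element into a dict with numeric fields."""
    if "<!DOCTYPE" in xml_text:  # these files need no DTD or entities
        raise ValueError("unexpected DOCTYPE in rawprogram XML")
    entries = []
    for el in ET.fromstring(xml_text).iter("program"):
        a = el.attrib
        start = a.get("start_sector", "")
        entries.append({
            "label": a.get("label", ""),
            "filename": a.get("filename", ""),
            "sparse": a.get("sparse", "false").lower() == "true",
            "lun": a.get("physical_partition_number", "0"),
            "sector_size": int(a.get("SECTOR_SIZE_IN_BYTES", "512")),
            "sectors": int(a.get("num_partition_sectors", "0")),
            "size_kb": float(a.get("size_in_KB", "0")),
            # Some files carry expressions such as "NUM_DISK_SECTORS-33." here.
            "start": int(start) if start.isdigit() else None,
            "start_hex": a.get("start_byte_hex"),
        })
    return entries


def check(entries):
    """Return (kind, label, detail) findings; nothing is modified or flashed."""
    findings = []
    for e in entries:
        if e["sparse"]:
            detail = e["filename"] if e["filename"] else "no file to write"
            findings.append(("sparse", e["label"], detail))
        expected_kb = e["sectors"] * e["sector_size"] / 1024
        if abs(e["size_kb"] - expected_kb) > 1e-6:
            findings.append(("size", e["label"],
                             f"size_in_KB={e['size_kb']} but {e['sectors']} sectors = {expected_kb} KB"))
        if e["start"] is None:
            findings.append(("symbolic-start", e["label"], "start_sector is not a plain number"))
            continue
        if e["start_hex"]:
            try:
                hex_ok = int(e["start_hex"], 16) == e["start"] * e["sector_size"]
            except ValueError:
                hex_ok = False
            if not hex_ok:
                findings.append(("offset", e["label"],
                                 f"start_byte_hex={e['start_hex']} does not match start_sector"))

    # Overlap check per physical partition, ordered by start sector.
    by_lun = {}
    for e in entries:
        if e["start"] is not None and e["sectors"] > 0:
            by_lun.setdefault(e["lun"], []).append(e)
    for group in by_lun.values():
        group.sort(key=lambda e: e["start"])
        for prev, cur in zip(group, group[1:]):
            if cur["start"] < prev["start"] + prev["sectors"]:
                findings.append(("overlap", cur["label"], f"starts inside {prev['label']}"))
    return findings


if __name__ == "__main__":
    for finding in check(load_entries(SAMPLE)):
        print(finding)
```

For the quoted persist line the size and offset fields agree with each other (65536 sectors of 512 bytes is 32768 KB, and sector 1990928 is byte 0x3cc22000); the only thing the check reports for it is the sparse flag on an entry whose filename is empty.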


[INFO] Edify scripts in CWM recovery

Hi, I haven't seen any good resources for how to edit edify scripts, so I thought I would create this thread so we can pool our knowledge on the subject.
Intro
Inside your typical CWM zip there is a folder called META-INF, inside that there is a folder called com and some CERT files, inside that com folder there is a google folder, inside that is an android folder containing an update-binary file and an updater-script. If you only see an update-script, that means you are back in the Android 1.5 era and need to move on.
The updater-script
The updater-script file is a text file, it is linux formatted with regard to end of line conventions. If you use Windows then you have to edit the file using a program that keeps line feeds the way they are and has options for doing the conversion from <CR><LF> to just <LF>.
Like lisp, the contents of the text file evaluate to one big expression, but it does have the ";" end of command convention to make things more familiar, it just means perform the action on the left. (ref. google source README) You can ignore that and just treat everything as a series of commands for all practical purposes. I mention it because you need not worry about having too large a procedural block or worry about having extra spaces or worry about ending on a line boundary. You could have your entire script on one giant line and it wouldn't matter.
There are around a dozen commands, it's not terribly difficult to learn.
The updater-binary
There are a lot of updater-binary files out there in the wild, each manufacturer basically compiles their own with every other OTA update. Success in flashing your CWM zip is determined by picking the right one that works with what you are trying to do. If your knowledge says mount needs 4 arguments and the binary only supports 3, then you need to change your script to use 3 and vice versa. If you are trying to flash a radio, the updater-binary might have been recompiled to allow for that specific functionality and you will get a status 6 error when trying to flash it unless you use that update-binary. You will see the write_raw_image() function not supporting "/dev/block/mmcblk0p8" but instead "logo.bin".
However, by and large, the generic functionality is the same across the board.
Updater-script functions (In order of interest)
ui_print(msg1, .. msgN); This is the means you have to display something on the screen in CWM, it takes a series of comma separated arguments, each comma needs to have a space after it, this applies to all commands.
Ex. ui_print("Your version is: ", file_getprop("/system/build.prop", "ro.build.id"));
show_progress(TOTALAMOUNT, TIMEINSEC); This command and the following command control what you see in the progress bar at the bottom. It is not necessary to use it, it's just another way to display information. TIMEINSEC refers to how long it will take for the progress bar to move to the AMOUNT specified. You would use this perhaps when something is taking a long time, you know approximately how long and want the screen to keep showing something while it is going on. If you use zero for TIME then nothing is done, you have just set the maximum amount for use with set_progress. The amount is a decimal number, 0.5 would be half the progress bar being filled.
Ex. show_progress("0.300000", 10);
set_progress(AMOUNT); This command sets the pointer or fill amount of the progress bar according to the last show_progress command. It should never be greater than the total of the show_progress amount.
Ex. show_progress("0.300000", 0);
set_progress("0.15");
mount(TYPE, DEV, PATH); This is one version of the mount command. The TYPE arg is usually "MTD", which refers to memory technology device. The DEV for a MTD would be something like "system", "userdata", "cache", and the PATH would be "/system", "/data", or "/cache". You will also see TYPE be "vfat".
mount(FSTYPE, TYPE, DEV, PATH); This seems to be the more current mount command. It adds in the file system type. Ex. "ext3", "yaffs". TYPE with this command can be "MTD" or "EMMC". You would use "EMMC" with "/dev/block/mmcblk0p8".
umount(PATH); This simply removes a previous mounted PATH from the system. Ex. umount("/system"); You'll notice the double quotes around command arguments, they are not strictly necessary. Unless it's a reserved word (if then else endif) then they can be anything. "consisting of only letters, numbers, colons, underscores, slashes, and periods". So if you just spend 10 minutes uploading your zip to your phone and notice that your unmount command is umount(/system);, it will work just fine.
sleep(SECS); Simply pauses for SECS seconds.
package_extract_file(FILE, FILEWITHPATH); This command extracts one of your files from the CWM zip package and save it to the phone.
Ex. package_extract_file("bootanimation.zip", "/system/media/bootanimation.zip");
package_extract_dir(ZIPPATH, PATH); This command extracts an entire folder in your CWM zip to a folder on your phone.
Ex. package_extract_dir("system", "/system"); *This is where having system mounted would be handy, without it being mounted, the files would be copied to the ramdisk /system.
write_raw_image(PATH, PARTITION); This is one of those tricky ones, the PATH is somewhere on your phone with the image to be flashed to a PARTITION on your phone. The trouble is, how do you specify what partition gets flashed? Is there any restriction on where the file has to be? If MTD conventions are used, you are looking for "system", "boot", "recovery", "logo.bin". (All this means that each partition has a name stored somewhere, and if you know it, you can write to it.) Maybe it will accept device references like /dev/block/mmcblk0p8. This depends on the update-binary file you are using.
Ex. write_raw_image("/tmp/logo.bin", "logo.bin");
Ex. write_raw_image("/tmp/logo.bin", "/dev/block/mmcblk0p8");
write_firmware_image(PATH, PARTITION); You would think it would be the same as write_raw_image. Not sure what the difference is.
run_program(PROG, ARG1, .., ARGN); Pretty self explanatory, This command allows you to execute a program or script on the phone. Instead of all the bits of the command being separated by spaces, commas are used. It returns an error code as a string.
Ex. run_program("ls", "-R", "/system");
assert(condition); You'll see this one a lot in OTA updates, all it does is abort the script if something goes wrong. If condition is false, the script ends displaying a description on the phone of what command caused the exit. You can put in more than one statement here, separated by ";", if any one of them returns with an error, the script exits.
Ex. assert(mount("ext3", "EMMC", "/dev/block/mmcblk0p12", "/system")); *If you can't mount /system and your CWM zip only writes to system, you might as well stop it before continuing on to write to the ramdisk.
ifelse(condition, true path, false path); This is your basic conditional statement, the tricky bit is to figure out what statements in edify can trigger a true or false condition. As for the rest of it, the commas separate the two blocks.
Ex. ifelse(file_getprop("/system/default.prop", "ro.build.id") == "OLYFR1.2.3.4", ui_print("yes"), ui_print("false"));
abort(); This stops the script, useful with ifelse.
file_getprop(PATH, VALUE); This command looks for a text file containing A=B pairs and returns B if it can find an A.
Ex. file bob.txt exists in /tmp, it contains cool=yes, and dorky=true123 each on separate lines.
file_getprop("/tmp/bob.txt", "cool") == "yes"
file_getprop("/tmp/bob.txt", "dorky") == "true123"
getprop(VALUE); Functions the same as file_getprop, without the file part. It looks through the system value pairs for a matching value.
Ex. getprop("ro.build.id") == "OLYEM1.2.3.4"
delete(PATH1, ...,PATHN); Nothing to see here, just a delete command, full path to the file(s) as argument(s).
delete_recursive(PATH1, ...,PATHN); It's a delete everything in a folder, including subfolders command. The folder itself is deleted as well.
set_perm(UID, GID, MODE, PATH1, ..., PATHN); Set the linux permissions on a file, ownership and flags at the same time. Equivalent to chown and chmod in the one command.
Ex. set_perm(0, 0, 06755, /system/bin/su, /system/bin/shsu); *0 stands for root, so it would be owned by root, of the group root, with suid bit set and standard executable bits set.
set_perm_recursive(UID, GID, DIRMODE, FILEMODE, PATH1, ...,PATHN); Same as above except with folders instead of files. Use the DIRMODE to set the permissions and ownership of the folders themselves, and FILEMODE to set the permissions of the files within them.
symlink(TARGET, LINK1, ...,LINKN); It's the equivalent to the linux ln -s command. For our purposes, it might as well be called busybox install.
Ex. symlink("/system/bin/busybox", "/system/bin/awk", "/system/bin/wget", "/system/bin/sed");
To Be Continued..
References
http://devphone.org/development/edify-script-syntax-explained/
http://www.synfulgeek.com/main/index.php/articles/76-scratchpad-documenting-edify-commands-for-android-updater-scritps-based-off-of-kernel-source-code
https://github.com/koush/android_bootable_recovery/blob/eclair/edify/README
http://tjworld.net/wiki/Android/UpdaterScriptEdifyFunctions
Tips:
You can use the abort() command to step through your updater script, for instance if you wanted to check various combinations on syntax for write_raw_image();
In /tmp there is a text file called recovery.log, do a cat /tmp/recovery.log to see extra output of your script from failed commands.
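A pre-flash audit of a CWM zip built from the points in the post above (where the updater-script lives, LF line endings, set_perm modes, run_program, write_raw_image), as an added example that is not from the original thread. The sample zip is constructed in memory, and the function names and finding labels are this example's own.

```python
import io
import re
import zipfile

SCRIPT_PATH = "META-INF/com/google/android/updater-script"
STRING = r'"(?:\\.|[^"\\])*"'
# Calls worth a manual look before flashing. Nested calls such as
# write_raw_image(package_extract_file(...), ...) are not matched by this regex.
CALL = re.compile(r'\b(set_perm_recursive|set_perm|run_program|write_raw_image)\s*\(([^()]*)\)')
ARG = re.compile(r'"((?:\\.|[^"\\])*)"|([^\s,"]+)')


def build_sample_zip():
    """Constructed sample package: one CRLF line, one suid set_perm, one unclosed call."""
    script = (
        'ui_print("Installing...");\r\n'
        'mount("ext4", "EMMC", "/dev/block/mmcblk0p12", "/system");\n'
        'package_extract_dir("system", "/system");\n'
        'set_perm(0, 0, 06755, "/system/bin/su");\n'
        'set_perm(0, 1000, 0755, "/system/xbin/busybox");\n'
        'run_program("/system/xbin/busybox", "--install", "-s", "/system/xbin");\n'
        'write_raw_image("/tmp/logo.bin", "logo.bin");\n'
        'umount("/system";\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SCRIPT_PATH, script)
    return buf.getvalue()


def split_args(raw):
    """Split an edify argument list; arguments may be quoted or bare words."""
    return [quoted or bare for quoted, bare in ARG.findall(raw)]


def audit(zip_bytes):
    """Return (kind, detail) findings for the updater-script inside a zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if SCRIPT_PATH not in zf.namelist():
            return [("missing", SCRIPT_PATH)]
        text = zf.read(SCRIPT_PATH).decode("utf-8", errors="replace")

    findings = []
    crlf = text.count("\r\n")
    if crlf:
        findings.append(("crlf", f"{crlf} line(s) end in CR LF"))

    # Count parentheses outside string literals and '#' comments.
    bare = re.sub(r"#[^\n]*", "", re.sub(STRING, '""', text))
    depth = bare.count("(") - bare.count(")")
    if depth:
        findings.append(("parens", f"'(' and ')' differ by {depth}"))

    for m in CALL.finditer(text):
        name, args = m.group(1), split_args(m.group(2))
        if name.startswith("set_perm"):
            n_modes = 2 if name == "set_perm_recursive" else 1
            modes, paths = args[2:2 + n_modes], ", ".join(args[2 + n_modes:])
            for mode in modes:
                try:
                    bits = int(mode, 8)
                except ValueError:
                    continue
                if bits & 0o6000:  # setuid or setgid bit requested
                    findings.append(("setid", f"{name} mode {mode} on {paths}"))
        elif name == "run_program":
            findings.append(("exec", " ".join(args)))
        else:  # write_raw_image
            src = args[0] if args else "?"
            dst = args[1] if len(args) > 1 else "?"
            findings.append(("raw-write", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(build_sample_zip()):
        print(f"{kind:10} {detail}")
```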
NFHimself said:
The updater-script file is a text file, it is linux formatted with regard to end of line conventions. If you use Windows then you have to edit the file using a program that keeps line feeds the way they are and has options for doing the conversion from <CR><LF> to just <LF>.
If you are in windows, I have found that notepad++ does the job just fine.
http://notepad-plus-plus.org/
what about the FORMAT command?
Actually I have an error on a CM installation, it says
Code:
format() expects 3 args, got 2.
but my format command have 3 args:
Code:
format("ext4", "/dev/block/mmcblk0p10", "/system");
NFHimself said:
Hi, I haven't seen any good resources for how to edit edify scripts, so I thought I would create this thread so we can pool our knowledge on the subject.
Intro
Thanks for this... but I do have a question....
I am attempting to see if busybox is installed on a device, and if not install it, or proceed
so, so far I have:
Code:
ifelse(
BUSYBOX DOESNT EXIST,
(
ui_print("* Did not find it. Installing...");
set_perm(0, 1000, 0755, "/system/xbin/busybox");
symlink("/system/xbin/busybox", "/system/bin/busybox");
run_program("/system/xbin/busybox", "--install", "-s", "/system/xbin");
),
(
ui_print("* Found it. Proceeding...");
)
);
You can see where I'm lost. I was thinking of using assert to run_program("/system/xbin/busybox", "vi", "/system/xbin"); just as a simple check... but from what I can see, if the assertion fails it will stop the script, and print out the failure message, which of course is not what I am after here... or maybe I am, can it be used to do a check rather than stop the script?
Just an idea (ie. untested):
Code:
ifelse(
run_program("/system/bin/sh", "-c", "test -e /system/xbin/busybox")
...
)
ravilov said:
Just an idea (ie. untested):
Code:
ifelse(
run_program("/system/bin/sh", "-c", "test -e /system/xbin/busybox")
...
)
Trying to run that in adb shell, and I don't get a response, but it does seem like a good idea... I assume Edify would return a 1/0 or true/false string from it, and I can just check for that?
EDIT: Maybe I do get something back... after running that in adb shell my next line looks like the following:
Code:
1|[email protected]:/ #
Am I right in assuming that "1" is the output?
Yes. The command won't ever return any output, it only returns the exit status. Your shell is obviously set so it includes a non-zero exit status in the prompt. (Non-zero traditionally means error.)
ravilov said:
Yes. The command won't ever return any output, it only returns the exit status. Your shell is obviously set so it includes a non-zero exit status in the prompt. (Non-zero traditionally means error.)
that prompt means that the test failed, and I don't have busybox installed?
I'm just a tad confused... (this is my first full-on edify script), and I do have busybox installed
I appreciate the help, and once I get my tapatalk working right on my phone, I'll give ya all the "thanks" for the help with this
Eh... everything I 'test' returns the same thing
Code:
1|[email protected]:/ #
Hm, weird. It works for me...
Code:
# /system/bin/sh -c 'test -e /system/xbin/busybox'; echo $?
0 <-- no error - file exists
# /system/bin/sh -c 'test -e /system/xbin/busybox1'; echo $?
1 <-- error - file does not exist
I didn't try it in an edify script because I don't feel like rebooting my phone right now, but I don't see why it wouldn't work.
Try running the "sh -c test ..." command in adb shell while in recovery and see what happens.
Also, just a side note: backslash is NOT the same as slash. If you are going to write shell/edify scripts, you need to know at least that distinction. That is why your [code] tags are not working right.
ravilov said:
Hm, weird. It works for me...
Code:
# /system/bin/sh -c 'test -e /system/xbin/busybox'; echo $?
0 <-- no error - file exists
# /system/bin/sh -c 'test -e /system/xbin/busybox1'; echo $?
1 <-- error - file does not exist
I didn't try it in an edify script because I don't feel like rebooting my phone right now, but I don't see why it wouldn't work.
Try running the "sh -c test ..." command in adb shell while in recovery and see what happens.
Also, just a side note: backslash is NOT the same as slash. If you are going to write shell/edify scripts, you need to know at least that distinction. That is why your [code] tags are not working right.
I see, I wasn't doing the echo, and what you posted shows exactly what you posted. DOH on the CODE :good:
So I have it on record (for my own personal reference)
Code:
# run_program() returns the program's status, so each test is compared with "0" (success).
# "; echo $?" is dropped: with it the shell's status is echo's, which is always 0.
# The tests are joined with && so the install branch runs only when no copy exists.
ifelse(
run_program("/system/bin/sh", "-c", "test -e /system/xbin/busybox") != "0" &&
run_program("/system/bin/sh", "-c", "test -e /system/bin/busybox") != "0" &&
run_program("/system/bin/sh", "-c", "test -e /system/xbin/busibox") != "0" &&
run_program("/system/bin/sh", "-c", "test -e /system/bin/busibox") != "0",
(
ui_print("* Did not find it. Installing...");
set_perm(0, 1000, 0755, "/system/xbin/busybox");
symlink("/system/xbin/busybox", "/system/bin/busybox");
run_program("/system/xbin/busybox", "--install", "-s", "/system/xbin");
),
(
ui_print("* Found it. Proceeding...");
)
);
and yes, I meant the 'busibox' part, because I have seen that in some roms
You guys know way more about this stuff than I do... although i am a programmer
could I get some insight over here: http://forum.xda-developers.com/showthread.php?t=2796055
having an issue getting my shell scripts to actually run...
note: the scripts do run in adb shell
published API docs
NFHimself said:
Hi, I haven't seen any good resources for how to edit edify scripts, so I thought I would create this thread so we can pool our knowledge on the subject.
I found some official documentation of the API on the Android Web site here:
https://source.android.com/devices/tech/ota/inside_packages.html
NFHimself said:
write_raw_image(PATH, PARTITION); This is one of those tricky ones, the PATH is somewhere on your phone with the image to be flashed to a PARTITION on your phone. The trouble is, how do you specify what partition gets flashed? Is there any restriction on where the file has to be? If MTD conventions are used, you are looking for "system", "boot", "recovery", "logo.bin". (All this means that each partition has a name stored somewhere, and if you know it, you can write to it.) Maybe it will accept device references like /dev/block/mmcblk0p8. This depends on the update-binary file you are using.
Ex. write_raw_image("/tmp/logo.bin", "logo.bin");
Ex. write_raw_image("/tmp/logo.bin", "/dev/block/mmcblk0p8");
write_firmware_image(PATH, PARTITION); You would think it would be the same as write_raw_image. Not sure what the difference is.
I didn't do a line by line comparison between your description and theirs, but I noticed this part because I was trying to find information about these functions. Only write_raw_image() is a published API function. This is the description:
write_raw_image(filename_or_blob, partition)
Writes the image in filename_or_blob to the MTD partition. filename_or_blob can be a string naming a local file or a blob-valued argument containing the data to write. To copy a file from the OTA package to a partition, use: write_raw_image(package_extract_file("zip_filename"), "partition_name");
Probably write_firmware_image() is used internally. It could be removed at any time, or it even could be a stub - not a good idea to use it.

[WIP] Unbricking the Nexus 4 using QPST

Code:
<Disclaimer>
All the information and tools mentioned in this post are not my work.
I still need to add a proper credits section to this post, which will take a while,
since the tools and documentation came from many different sources.
As with any experimental tool, proceed with caution.
</Disclaimer>
Hi Everyone,
I've managed to get myself in a bit of a pickle by hard bricking my Nexus 4 (By accidentally running mkfs on all the block devices, DOH).
This has led me to take a serious look into how the Nexus 4 can be unbricked using the Qualcomm High Speed USB Device (QHSUSB_DLOAD).
The Nexus 4 has a Qualcomm APQ8064 SoC.
As far as I can tell, we will be able to unbrick hard bricked Nexus 4 devices using QPST if we manage to get a couple of files:
1. A working copy of MPRG8064.hex - This is a set of instructions (specific to the APQ8064)
that are sent to the flash programmer on the phone that tells it how to download a copy of the boot image package.
2. A boot image generated for the Nexus 4. This file is typically named 8064_msimage.mbn, which is generated from a couple of other Nexus 4 mbn images.
This file is generated using a Qualcomm utility called emmcswdownload.exe and an XML describing the mbn images and the partition layout of the final 8064_msimage.mbn image.
I have found a couple of examples of these XML files on http://www.anyclub.org/2012/05/how-to-generate-8660msimagembn.html:
Code:
<?xml version="1.0"?>
<image>
  <physical_partition number="0">
    <primary order="1" type="4d" bootable="true" label="SBL1" size="1000" readonly="false">
      <file name="sbl1.mbn" offset="0"/>
    </primary>
    <primary order="2" type="51" bootable="false" label="SBL2" size="3000" readonly="false">
      <file name="sbl2.mbn" offset="0"/>
    </primary>
    <primary order="3" type="45" bootable="false" label="SBL3" size="1500" readonly="false">
      <file name="sbl3.mbn" offset="0"/>
    </primary>
    <primary order="4" type="5" bootable="false" label="EXT" size="1000000">
      <extended order="1" type="47" label="RPM" size="1000" readonly="false">
        <file name="rpm.mbn" offset="0"/>
      </extended>
      <extended order="2" type="46" label="TZ" size="1000" readonly="false">
        <file name="tz.mbn" offset="0"/>
      </extended>
    </primary>
  </physical_partition>
</image>
and
Code:
<?xml version="1.0"?>
<data>
<!-- NOTE: Sector size is 512 bytes -->
<program file_sector_offset="0" filename="" label="MODEM" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" start_sector="1"/>
<program file_sector_offset="0" filename="sbl1.mbn" label="SBL1" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="65537"/>
<program file_sector_offset="0" filename="sbl2.mbn" label="SBL2" num_partition_sectors="3000" physical_partition_number="0" size_in_KB="1500.0" start_sector="66537"/>
<program file_sector_offset="0" filename="rpm.mbn" label="RPM" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="69559"/>
<program file_sector_offset="0" filename="sbl3.mbn" label="SBL3" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" start_sector="70559"/>
<program file_sector_offset="0" filename="emmc_appsboot.mbn" label="ABOOT" num_partition_sectors="5000" physical_partition_number="0" size_in_KB="2500.0" start_sector="74655"/>
<program file_sector_offset="0" filename="" label="BOOT" num_partition_sectors="20480" physical_partition_number="0" size_in_KB="10240.0" start_sector="79655"/>
<program file_sector_offset="0" filename="tz.mbn" label="TZ" num_partition_sectors="1000" physical_partition_number="0" size_in_KB="500.0" start_sector="100135"/>
<program file_sector_offset="0" filename="pdl_phoneinfo.bin" label="INFO" num_partition_sectors="8192" physical_partition_number="0" size_in_KB="4096.0" start_sector="131072"/>
<program file_sector_offset="0" filename="partition0.bin" label="MBR" num_partition_sectors="1" physical_partition_number="0" size_in_KB="0.5" start_sector="0"/>
<program file_sector_offset="1" filename="partition0.bin" label="EXT" num_partition_sectors="22" physical_partition_number="0" size_in_KB="11.0" start_sector="69537"/>
</data>
The relevant mbn images for the Nexus 4.
These can be extracted from either of the following files:
Code:
modem.img radio-mako-m9615a-cefwmazm-2.0.1700.48.img
which in turn is extracted using the BinExtractor tool (included in the tools package) from either the Nexus 4 factory image or a Nexus 4 tot image or .
In order to extract the mbn images from the image file, you have to mount it on a loopback device.
For example:
Code:
sudo mount -o loop /path/to/occam-jdq39/radio-mako-m9615a-cefwmazm-2.0.1700.48.img /mount/point
Nexus 4 Factory images
occam-jdq39-factory-345dc199.tgz
Nexus 4 tot images
LGE960AT-00-V10c-NXS-XX-NOV-14-2012-JVP15L-FACTORY_0.zip
BIN_LGE960AT-00-V10c-NXS-XX-NOV-13-2012-JOP40C-USER+0.zip
File links:
Nexus 4 Unbricking Tools Package Link
DMSS Protocol Documentation (Used by the QPST tool)
PBL Tool (A perl script that implements part of the DMSS protocol)
Some relevant information:
http://www.anyclub.org/2012/04/how-to-build-emmc-flash-programmer.html
http://forum.xda-developers.com/showthread.php?t=1978703
http://forum.xda-developers.com/showthread.php?t=2086142
Current Issues:
1. I can't figure out how to use the MPRG8064.hex with the QPST Software Download tool.
It claims that it can't unscramble the file, it could be that the file isn't valid or needs to be prepared in some way.
2. I'm not sure how to prepare the XML file for the emmcswdownload tool.
If the XML examples above are any indication, we might be able to do this by getting information
from the BinExtractor tool or by examining the Nexus 4 mbn files.
3. I'm not exactly sure which images need to be used in the QPST Software Download tool (Under the Multi-image tab).
If I understand correctly, the boot system we need to use here is Sec Boot 2.0.
More than 100 views and not one reply?
Come on people!
FLYN said:
More than 100 views and not one reply?
Come on people!
Here's your reply
But I'll dig into this like I dug into the TouchPad when WebOS Doctor was being an asshole, but for now:
5AM=sleep
FLYN said:
3. I'm not exactly sure which images need to be used in the QPST Software Download tool (Under the Multi-image tab).
If I understand correctly, the boot system we need to use here is Sec Boot 2.0.
Doesn't the apq8064 use Secure Boot 3?
At least the most recent QPST version in your package has the option for SB3.0 in the download tool, which in turn asks for a *.xml file.
What it needs to include? Heck if I know..
By the way, thanks for uploading that whole package, there's some nice stuff in there.
I took a good look at all this stuff when I was working on unbricking the at&t lg optimus g, e970, which is basically identical to this phone. By looking through some tools made to rescue samsung qualcomm based devices, and basically concluded that we would require a signed MPRG8064.hex. By using the qdload.pl script found here, http://forum.xda-developers.com/showthread.php?t=2086142, I found that my pbl would stop responding after I sent and attempted to execute the .hex file. I figured that it would seem that the code is signature checked by the pbl before execution, similar to how sbl1 is during the secureboot 3.0 sequence, causing it to die at that stage because of not having a valid signature.
Most likely, the 8064_msimage.mbn would need sbl1, sbl2, sbl3, rpm, and tz at a minimum, but I believe it is essentially just a raw file containing a header and those five partitions that is imaged directly to the internal storage using the MPRG8064.hex.
I found a couple other interesting threads on similar topics that helped me understand a lot of the secure boot sequence, and how qualcomm devices boot in general.
[SOLVED]-[BRICKED]SHV-E160L Korean model
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[REF][R&D] Building Bootloaders on Qualcomm Devices
[R&D] Unlock Bootloaders
I never got it working for my phone, as I found an alternate method to restore the phone based off of booting from our external sdcard, but if you find anything out, I would be interested in it.
I've seen the same concept on the HTC One X. They've never been able to get it to work. Proper hex and mbn files could never be sourced and in the end jtag was the only solution for some hardbricks.
I do however wish you luck and will follow the thread until it dies!
What do you guys think, could it be that the HEX file needs to be converted with Intel HEX2BIN?
Looks like these guys know how to unbrick stuff. I sent them my Nexus 4 couple of days ago with Nexus 7 kernel flashed, we'll see if they can fix it.
http://www.youtube.com/watch?feature=player_embedded&v=gYtNWt1h66E
moldovanos said:
Looks like these guys know how to unbrick stuff. I sent them my Nexus 4 couple of days ago with Nexus 7 kernel flashed, we'll see if they can fix it.
http://www.youtube.com/watch?feature=player_embedded&v=gYtNWt1h66E
jtag is "cheating"
lg tool or qualcomm tool method is preferred.
The radio image is not important to get your phone up and running from what I can tell. The APQ chip does not have the modem built in like traditional Qualcomm devices, so there are separate boot images for the APQ and the modem.
So I am not sure you can use those mbn images from the modem image. In the latest 4.2.2 update Google updated the core APQ mbn files, so you can look into the diff to see which files it uses exactly:
http://android.clients.google.com/p...4.signed-occam-JDQ39-from-JOP40D.de8b8d10.zip
If you open the file, you will notice these files:
bootloader.aboot.img
bootloader.rpm.img
bootloader.sbl2.img
bootloader.sbl3.img
bootloader.tz.img
Those are the equivalent mbn files (i.e. rpm.mbn, sbl2.mbn). This is what it does with them:
Code:
ui_print("Writing bootloader...");
package_extract_file("bootloader-flag.txt", "/dev/block/platform/msm_sdcc.1/by-name/misc");
package_extract_file("bootloader.sbl2.img", "/dev/block/platform/msm_sdcc.1/by-name/sbl2");
package_extract_file("bootloader.sbl3.img", "/dev/block/platform/msm_sdcc.1/by-name/sbl3");
package_extract_file("bootloader.tz.img", "/dev/block/platform/msm_sdcc.1/by-name/tz");
package_extract_file("bootloader.rpm.img", "/dev/block/platform/msm_sdcc.1/by-name/rpm");
package_extract_file("bootloader.aboot.img", "/dev/block/platform/msm_sdcc.1/by-name/aboot");
package_extract_file("bootloader-flag-clear.txt", "/dev/block/platform/msm_sdcc.1/by-name/misc");
I would try these files instead of the ones in the modem image, as the modem image is flashed as a whole image to /dev/block/platform/msm_sdcc.1/by-name/modem later on instead of individual files to partitions. You also need to find sbl1 somewhere.
Where did you source the hex file? It was a consensus that a hex had to be signed for some devices (htc, wink-wink).
Did you try getting the nexus in download mode? I forgot the button combo, but worth a try. Lgnpst? Looks like you've already found the link for lgnpst stock roms.
What is the status of this forum? Any good news on unbricking the Nexus 4?
SnowLeopardJB said:
I took a good look at all this stuff when I was working on unbricking the at&t lg optimus g, e970, which is basically identical to this phone. By looking through some tools made to rescue samsung qualcomm based devices, and basically concluded that we would require a signed MPRG8064.hex. By using the qdload.pl script found here, http://forum.xda-developers.com/showthread.php?t=2086142, I found that my pbl would stop responding after I sent and attempted to execute the .hex file. I figured that it would seem that the code is signature checked by the pbl before execution, similar to how sbl1 is during the secureboot 3.0 sequence, causing it to die at that stage because of not having a valid signature.
Most likely, the 8064_msimage.mbn would need sbl1, sbl2, sbl3, rpm, and tz at a minimum, but I believe it is essentially just a raw file containing a header and those five partitions that is imaged directly to the internal storage using the MPRG8064.hex.
I found a couple other interesting threads on similar topics that helped me understand a lot of the secure boot sequence, and how qualcomm devices boot in general.
[SOLVED]-[BRICKED]SHV-E160L Korean model
[REF][R&D] MSM8960 Info, Architecture and Bootloader(s)
[REF][R&D] Building Bootloaders on Qualcomm Devices
[R&D] Unlock Bootloaders
I never got it working for my phone, as I found an alternate method to restore the phone based off of booting from our external sdcard, but if you find anything out, I would be interested in it.
Booting from an extsd on a nexus 4? R u on krak? Or am I missing something?
"I took a good look at all this stuff when I was working on unbricking the at&t lg optimus g, e970, which is basically identical to this phone."
You missed the first line of the post.
andybfmv96 said:
Booting from an extsd on a nexus 4? R u on krak? Or am I missing something?
Recon Freak said:
"I took a good look at all this stuff when I was working on unbricking the at&t lg optimus g, e970, which is basically identical to this phone."
You missed the first line of the post.
Oops maybe I on krak
Hmmm
FLYN said:
Current Issues:
1. I can't figure out how to use the MPRG8064.hex with the QPST Software Download tool.
It claims that it can't unscramble the file, it could be that the file isn't valid or needs to be prepared in some way.
2. I'm not sure how to prepare the XML file for the emmcswdownload tool.
If the XML examples above are any indication, we might be able to do this by getting information
from the BinExtractor tool or by examining the Nexus 4 mbn files.
3. I'm not exactly sure which images need to be used in the QPST Software Download tool (Under the Multi-image tab).
If I understand correctly, the boot system we need to use here is Sec Boot 2.0.
I've installed QPST, but since I don't have my nexus 4 bricked I can't tell you if this works. But I think that you just have to put the phone image there and the boot image and it shall work.
P.S.
My Nexus 4 is vanilla (just got it for 1 week) so I can provide backups and so on plus the Internal LG Service Manual for the N4(I found it on the web). We shall not give up finding the answer for this as it saves money (no RMA/JTAG repair)
Hello everyone,
In my tinkering with my bricked N4 I have gotten it to show up as QHSUSB_DLOAD in device manager once, and can't seem to get it to do it again. Right now it shows up as either a "USB input Device" or an "Unknown device" with a yellow "!". Suggestions, anyone?
Update: After mucking with it for hours, the device hardware ID still only shows up as "USB\UNKNOWN". I dropped on down to Radio Shack as well, picked up a few resistors and made myself a 910K-ohm "download cable".
Still no luck, however.
Jeffery.Lenz said:
Hello everyone,
In my tinkering with my bricked N4 I have gotten it to show up as QHSUSB_DLOAD in device manager once, and can't seem to get it to do it again. Right now it shows up as either a "USB input Device" or an "Unknown device" with a yellow "!". Suggestions, anyone?
I'm interested too
JIG USB?
Jeffery.Lenz said:
Hello everyone,
In my tinkering with my bricked N4 I have gotten it to show up as QHSUSB_DLOAD in device manager once, and can't seem to get it to do it again. Right now it shows up as either a "USB input Device" or an "Unknown device" with a yellow "!". Suggestions, anyone?
Update: After mucking with it for hours, the device hardware ID still only shows up as "USB\UNKNOWN". I dropped on down to Radio Shack as well, picked up a few resistors and made myself a 910K-ohm "download cable".
Still no luck, however.
Are you trying to do something like the Samsung JIG USB (300k ohms)?
The point of this thread is using the Qualcomm HiSpeed USB Download Mode to unbrick our N4!!

[Q] installing of app on device failed

I've recently returned to work on an app I developed a while ago (targeted then to 4.4). At the time I had a Galaxy S2 for debugging and now I have an S4 (i9500).
I tried to run the app while my phone connected and got installation failed. So I installed Android studio and imported (converted) and changed target to 5.0.1 (my phone's version).
When I hit run (or debug) I get this message:
HTML:
nstalling myapp.leff.app
DEVICE SHELL COMMAND: pm install -r "/data/local/tmp/myapp.leff.app"
Aborted
Launching application: myapp.leff.app/myapp.leff.app.myappAppActivity.
DEVICE SHELL COMMAND: am start -n "myapp.leff.app/myapp.leff.app.myappAppActivity" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
Aborted
Filtering the logcat (Android), I've noticed these lines:
HTML:
06-24 02:20:34.641 3269-3685/? D/SettingsProvider﹕ name = verifier_verify_adb_installs
06-24 02:21:30.331 3576-3576/? W/Settings﹕ Setting install_non_market_apps has moved from android.provider.Settings.Global to android.provider.Settings.Secure, returning read-only value.
06-24 02:21:30.426 3576-3576/? W/Settings﹕ Setting install_non_market_apps has moved from android.provider.Settings.Global to android.provider.Settings.Secure, returning read-only value.
06-24 02:21:46.231 9094-9094/? I/MultiDex﹕ install
06-24 02:21:46.261 9094-9094/? I/ProviderInstaller﹕ Insert disabled by gate 'gms:security:enable_conscrypt_in_gms_application'
06-24 02:21:49.656 3576-3576/? W/Settings﹕ Setting install_non_market_apps has moved from android.provider.Settings.Global to android.provider.Settings.Secure, returning read-only value.
06-24 02:21:49.716 3576-3576/? W/Settings﹕ Setting install_non_market_apps has moved from android.provider.Settings.Global to android.provider.Settings.Secure, returning read-only value.
06-24 02:22:00.016 3269-3269/? I/ActivityManager﹕ Killing 4849:com.samsung.android.app.filterinstaller/1000 (adj 15): empty for 1806s
I've re-installed new version of my custom rom - result is the same
I took another phone (samsung s5) and install was success. connected my s4 again. same error.
Any ideas on how to resolve this?
note: usb-debugging is active
Hello,
Your project before conversion was built with Eclipse, if I understood it correctly? If so,
in Android Studio, the API targeting is not being read from the Android Manifest, but from the Gradle files.
In Android Studio, open (on your Project tree on the left), under the Gradle Scripts the build.gradle (Module: app) and check if inside the defaultConfig the targetSdkVersion has the correct API level. Then, press Build->Clean project from the menu bar on the top
If your application works with this String: INSTALL_NON_MARKET_APPS from the Settings.Global class , it is deprecated in API level 21, so use INSTALL_NON_MARKET_APPS from the Settings.Secure class instead. Check here.
I think it has to do with this class, the getString method with the above String that has been deprecated. I could help you further if I knew how is your app accessing this class or any code related to that
The S5 you tested has custom rom? Can you post the full logcat with the S4?
If you still need help, let me know

Getting UART working

Hello,
I'm trying to get UART output of gt-s6500d, but it's not working.
I've connected 620kΩ resistor between GND and ID pin, I got messages "AST_POWERON" and "BOOTING COMPLETED", however I cannot send anything on my own.
I've tried
Code:
su;
echo "test" > /dev/ttyMSM0
(as well as tty0, ttyHS0, ttyGS0, ttyGS1) but nothing worked so far.
UART settings: 115200baud, no parity, no flow control, 1 stop bit, 8 data bits.
I've RS-232 connector powered with 3.3V, phone sends 1.8V signal but considering PC can read those two messages I assume this part is okay, I haven't connected phone VCC line, only ground, ID and TX.
Stock software and kernel, Android 2.3.6(S6500DXXMD1), kernel 2.6.38.6, phone is rooted and contains CWM recovery
Update 2018-09-28:
As it turns out, a 620kΩ resistor is ideal to get bootloader data; not sure if it even works with the kernel, but I needed to add the line
Code:
/dev/ttyHSL0 0660 system system
to ueventd.rc in initram to get one additional line on boot: "AST_UPLOAD" but the phone now is in a boot loop, maybe the boot.img is broken so bootloader send this information that uploading new boot.img is needed and restarts itself?
Bootloader outputs info with following resistors:
* 619kΩ (automatic boot)
* 150kΩ (manual boot)
* ~520kΩ probably works too
As it turns out, I am unable to set cmdline to console=ttyMSM0 to allow any output from the kernel; something (I think that may be the bootloader) appends this to cmdline:
Code:
console=null androidboot.hardware=qcom hw=3 androidboot.emmc=true androidboot.serialno=25db5e2a androidboot.baseband=msm
hardcoding cmdline into kernel seems only option for now
I'll update the post if I find out more

QFIL Partition Manager Working!

I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I've gotten to around the same point as you have, however I'm having a little bit a trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.
Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
I finally got the MSM for the Sprint variant. You can find that in my other post.
It's actually quite easy to pull partitions from the phone. As a matter of fact you can use both QFIL or MSM to do it. I haven't created a guide to do it through QFIL, yet... You can find my MSM guide in my Sprint MSM post.
To flash through QFIL you use partition manager to read and write individual partitions because the xmls aren't needed, partition manager maps out the UFS through Sahara.
And I must state. DO NOT use provision xmls to download, only to open Partition Manager.
You can only decrypt the firehose and provisioning xml from ops, not the partitions unfortunately. But you can pull every partition through MSM if you really want them. In my personal opinion, you only need a couple really. Except in the case of 5G phones, you need more for those.
Guy50570 said:
I've gotten to around the same point as you have, however I'm having a little bit a trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara communication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
Edit: When I said what is counted in as signed, dd or msm dump, I meant if they are unchanged, and all official, will they still be counted as signed, or recognized as official?
Xenos7 said:
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara communication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
You bring up a great point. I'm not sure if you can write partitions gained from MSM's ReadBack functionality in QFIL? I'm sure, no I'm positive you can write partitions read from QFIL though. I'm not aware of any way to extract partitions from an ops in order to even attempt to write them.
That is why I needed somebody with an unlocked phone to ReadBack through MSM or Read from QFIL their partitions. In order to attempt to write them individually through QFIL.
jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
Hm, I see. Wonder why I'm getting this error then.
Code:
09:42:54: {ERROR: program FAILED - Please see log}
Writing log to 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt', might take a minute
Log is 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt'
Send Image Fail:FireHose Fail:FHLoader Fail:Process fail
Finish Send Image
Everything else before this point seems to work just fine so, slightly confused here as to what I need.
Guy50570 said:
Hm, I see. Wonder why I'm getting this error then.
Everything else before this point seems to work just fine so, slightly confused here as to what I need.
I will try to look. Sundays are a busy day for me. I'll let you know.
jthein1989 said:
I will try to look. Sundays are a busy day for me. I'll let you know.
Hey, no worries, I'm not in any rush, just trying to help out the best I can.
Any update?
Flashing a single partition is not hard; you do need both the payload and the patch XML, not to mention the loader.
Below is an example from a ZTE Zmax Pro:
rawprogram0.xml
Code:
<?xml version="1.0" ?>
<data>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Sector size is 512bytes-->
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="98304" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="49152.0" sparse="false" start_byte_hex="0x15000000" start_sector="688128"/>
</data>
patch0.xml:
Code:
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="9" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-24." value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(0,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-33.,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(32,92)" what="Update Backup Header with CRC of Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-1.,92)" what="Update Backup Header with CRC of Backup Header."/>
</patches>
Now you see the idea?
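A pre-flight consistency check for the two file types shown above, as an added example that is not part of the original post and not Qualcomm tooling. The function names, the hypothetical `demo_a`/`demo_b` entries and the image sizes are constructed for illustration; it assumes 512-byte sectors, 128-byte GPT entries, and the gpt_main0.bin/gpt_backup0.bin layout implied by the patch list (header at sector 1 and sector 32 respectively).

```python
import xml.etree.ElementTree as ET

# Constructed input: the recovery entry quoted in the post plus two hypothetical
# entries (demo_a, demo_b) that are deliberately wrong so the checks have work to do.
_P = ('<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="{f}" '
      'label="{l}" num_partition_sectors="{n}" partofsingleimage="false" '
      'physical_partition_number="0" readbackverify="false" size_in_KB="{kb}" '
      'sparse="false" start_byte_hex="{hx}" start_sector="{s}"/>')
RAWPROGRAM = "<data>" + "".join([
    _P.format(f="recovery.img", l="recovery", n=98304, kb="49152.0", hx="0x15000000", s=688128),
    _P.format(f="", l="demo_a", n=2048, kb="1024.0", hx="0x17fff000", s=786424),
    _P.format(f="demo_b.img", l="demo_b", n=1024, kb="512.0", hx="0x18000000", s=800000),
]) + "</data>"


def parse_programs(xml_text):
    """Return one dict per <program> element, with numeric fields converted."""
    # These files carry no DTD; refuse one rather than let the parser expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in rawprogram XML")
    entries = []
    for el in ET.fromstring(xml_text).iter("program"):
        a = el.attrib
        if not a["start_sector"].isdigit():
            continue  # expression-valued, like the NUM_DISK_SECTORS-... values in patch0.xml
        entries.append({
            "label": a["label"], "filename": a["filename"],
            "lun": int(a["physical_partition_number"]),
            "sector": int(a["SECTOR_SIZE_IN_BYTES"]),
            "start": int(a["start_sector"]),
            "count": int(a["num_partition_sectors"]),
            "start_byte": int(a["start_byte_hex"], 16),
            "size_kb": float(a["size_in_KB"]),
        })
    return entries


def check_programs(entries, image_sizes):
    """Return a list of findings; an empty list means the entries are self-consistent.
    image_sizes maps filename -> size in bytes (taken from disk in real use)."""
    findings = []
    for e in entries:
        part_bytes = e["count"] * e["sector"]
        if e["start_byte"] != e["start"] * e["sector"]:
            findings.append(f"{e['label']}: start_byte_hex != start_sector * sector size")
        if e["size_kb"] * 1024 != part_bytes:
            findings.append(f"{e['label']}: size_in_KB disagrees with num_partition_sectors")
        size = image_sizes.get(e["filename"])
        if size is not None and size > part_bytes:
            findings.append(f"{e['label']}: image is larger than the partition")
    # Overlap check: walk each LUN in start order, remembering the furthest end seen.
    furthest = {}
    for e in sorted(entries, key=lambda e: (e["lun"], e["start"])):
        prev = furthest.get(e["lun"])
        if prev and e["start"] < prev[0]:
            findings.append(f"{e['label']}: overlaps {prev[1]}")
        if not prev or e["start"] + e["count"] > prev[0]:
            furthest[e["lun"]] = (e["start"] + e["count"], e["label"])
    return findings


# GPT header field offsets (UEFI specification) and the two LBA fields of an entry.
HEADER_FIELDS = {16: "HeaderCRC32", 24: "MyLBA", 32: "AlternateLBA",
                 48: "LastUsableLBA", 72: "PartitionEntryLBA",
                 88: "PartitionEntryArrayCRC32"}
ENTRY_FIELDS = {32: "StartingLBA", 40: "EndingLBA"}
SECTOR, ENTRY_SIZE = 512, 128          # assumptions stated in the lead-in
# filename -> (header sector, first entry sector) inside that file (inferred layout)
LAYOUT = {"gpt_main0.bin": (1, 2), "gpt_backup0.bin": (32, 0)}


def describe_patch(filename, start_sector, byte_offset):
    """Name the GPT field that a numeric <patch> line targets."""
    header_sector, first_entry_sector = LAYOUT[filename]
    if start_sector == header_sector:
        return "header." + HEADER_FIELDS.get(byte_offset, "unknown")
    if start_sector < first_entry_sector:
        return "outside GPT structures"
    index = (start_sector - first_entry_sector) * (SECTOR // ENTRY_SIZE) \
        + byte_offset // ENTRY_SIZE
    return f"entry[{index + 1}].{ENTRY_FIELDS.get(byte_offset % ENTRY_SIZE, 'unknown')}"


if __name__ == "__main__":
    sizes = {"recovery.img": 40 * 1024 * 1024, "demo_b.img": 1024 * 1024}
    for finding in check_programs(parse_programs(RAWPROGRAM), sizes):
        print(finding)
    print(describe_patch("gpt_main0.bin", 11, 168))
```

Decoding the first patch line this way shows why it names partition 38: sector 11, byte 168 is the ending-LBA field of the 38th entry.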
Have there been any developments on the Sprint OP7Pro 5g? I was gifted one this holiday and practically have no use for it until bootloader unlock is available.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
What would you like from my 7Pro?
I'm running 10.3 though.
Del
I have to give a big shout out and I just want to thank everyone for their hard work on figuring the procedures out for unlocking the bootloader, and flashing these phones.
The tutorial for unlocking the bootloader for the Sprint OnePlus 7 Pro 5G works flawlessly if you follow the tutorial:
https://forum.xda-developers.com/on...otloader-unlock-sprint-oneplus-7-pro-t4042145
When I first received my phone I bought off eBay I went ahead and set the phone up and upgraded the phone over OTA to
android OS to v10.0.2. This was so I could use the TWRP for Q (10) during the bootloader unlock setup to fix the issues with it
rebooting back into the bootloader. One thing I did learn during the process that it might try to boot into system and
get stuck on the Sprint 5G boot animation. So to force it to power cycle press (VOLUME UP + POWER) buttons and hold them
until it does reboot and then quickly press and hold the (VOLUME UP + VOLUME DOWN + POWER) buttons to boot back into bootloader and
run the FIX instructions again.
Once the bootloader was unlocked I used this tutorial to cross flash the firmware to the OnePlus 7 Pro 5G European. Then went through
the phone setup process and then installed the Oxygen Updater APK to download the firmware and force it to update to the latest 10.0.6 firmware by manually installing
it through the System Update under the gear Local update. Tutorial found here:
https://forum.xda-developers.com/oneplus-7-pro/how-to/discussion-oneplus-7-pro-5g-rom-gsi-t4042583
Then I followed the tutorial to installing TWRP for Q (10) and to root installing Magisk:
https://forums.oneplus.com/threads/...magisk-twrp-oneplus-7-pro-android-10.1178410/
I found out during the process of flashing and updating to the Oxygen 10.0.6 European firmware the bootloader had re-locked.
So I had to follow the steps once again to unlock the bootloader and then followed the guide of rooting the Sprint OnePlus 7 Pro
5G.
Now to the part I have run into trouble trying to remove the SIM LOCK on the phone to Sprint:
I tried to follow the tutorial of SIM UNLOCKING the T-Mobile OnePlus 7 Pro:
https://forum.xda-developers.com/oneplus-6t/how-to/guide-sim-unlock-t-mobile-version-type-t3915269
First I did back up my phone in TWRP. However, when you run these two fastboot commands from the bootloader it will FAIL:
fastboot erase modemst1
fastboot erase modemst2
The Error messages are:
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
So after doing some research and running this fastboot command I found out that not everything unlocked:
fastboot oem device-info
And its output:
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) enable_dm_verity: true
(bootloader) have_console: false
(bootloader) selinux_type: SELINUX_TYPE_INVALID
(bootloader) boot_mode: NORMAL_MODE
(bootloader) kmemleak_detect: false
(bootloader) force_training: 0
(bootloader) mount_tempfs: 0
(bootloader) op_abl_version: 0x31
(bootloader) cal_rebootcount: 0x31
OKAY [ 0.064s]
Finished. Total time: 0.071s
As you can see the Device critical unlocked is: false. So you cannot write to those partitions.
I tried the fastboot commands:
fastboot flashing unlock_critical
fastboot oem unlock_critical
Both with same message:
FAILED (remote: ' Device already : unlocked!')
fastboot: error: Command failed
I even tried the shell commands to overwrite the two partitions from TWRP and from command prompt using adb from platform tools:
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
And its output:
/system/bin/sh: adb: inaccessible or not found
Modemst1, modemst2 and zero do exist, but being bootloader critical locked you still cannot write to the partitions even with root.
So next I looked into using the QPST package and erasing the partitions using Partition Manager from the QFIL utility, but I need the firehose file for the SM8150 chipset and the following site does not have it listed:
https://forum.hovatek.com/thread-25696.html
Good tutorial on using the QFIL and updating partition:
https://www.youtube.com/watch?v=MdknZvaTwl4
So finding this thread, it was said you extract the firehose file from the MsmDownloadTool OPS file. I tried using the Python script from GitHub to dump the OPS file, but I could never get crypto to compile correctly on my Windows box for Python, and another branch I used said "not a WIN32 file" error for crypto. Found here:
https://github.com/bkerler/oppo_decrypt
So my question is: how do you extract the firehose file from the MsmDownloadTool OPS file, so we can possibly enable writing to the critical partitions and make other updates such as modifying the apns-conf.xml? You cannot write to critical partitions even with root privileges.
Thanks in advance for any advice and help!
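A small parser for the `fastboot oem device-info` output quoted in the post above, added here as an example (it is not from the thread or from any tool the thread mentions); it is the kind of check one might run on a second-hand handset before trusting it. The function names and the wording of the findings are assumptions; the field names come from the quoted output, abbreviated here.

```python
import re

# Abbreviated copy of the output quoted in the post above.
SAMPLE = """\
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) enable_dm_verity: true
(bootloader) selinux_type: SELINUX_TYPE_INVALID
(bootloader) op_abl_version: 0x31
OKAY [ 0.064s]
Finished. Total time: 0.071s
"""

LINE = re.compile(r"^\(bootloader\)\s+(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_device_info(text):
    """Return {key: value}; 'true'/'false' become bool, the rest stay str."""
    info = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines such as 'OKAY [...]' and 'Finished.'
        value = m.group("value").strip()
        info[m.group("key").strip()] = {"true": True, "false": False}.get(value.lower(), value)
    return info

def lock_posture(info):
    """Summarise the lock state; a missing field is reported as None (unknown)."""
    unlocked = info.get("Device unlocked")
    critical = info.get("Device critical unlocked")
    findings = []
    if unlocked is True:
        findings.append("bootloader unlocked: flashing of non-critical partitions is permitted")
    if critical is False:
        findings.append("critical partitions locked: erase/flash on them is refused")
    if unlocked is None or critical is None:
        findings.append("lock fields missing: treat state as unknown")
    if info.get("enable_dm_verity") is not True:
        findings.append("dm-verity not reported as enabled")
    return {"unlocked": unlocked, "critical_unlocked": critical, "findings": findings}

if __name__ == "__main__":
    for finding in lock_posture(parse_device_info(SAMPLE))["findings"]:
        print(finding)
```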
Hi pulled with oppo_decrypt..
I pulled the firehose for the T-Mobile. It's uploaded on my sim unlock post
Awesome, I will have to do some more testing! I love this phone. Thank you!
I have been testing like crazy. I just confirmed the lock is 100% in the modemst1 and modemst2. But they are encrypted so that the SIM info has to pass through them, so that if deleted there is no way to get the SIMs to work. We need a programmer; this is way over my head.
