QFIL Partition Manager Working! - OnePlus 7 Pro Guides, News, & Discussion

I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.

jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.

jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I've gotten to around the same point as you have, however I'm having a little bit of trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.

Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, because if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
I finally got the MSM for the Sprint variant. You can find that in my other post.
It's actually quite easy to pull partitions from the phone. As a matter of fact you can use both QFIL or MSM to do it. I haven't created a guide to do it through QFIL, yet... You can find my MSM guide in my Sprint MSM post.
To flash through QFIL you use partition manager to read and write individual partitions because the xmls aren't needed, partition manager maps out the UFS through Sahara.
And I must state. DO NOT use provision xmls to download, only to open Partition Manager.
You can only decrypt the firehose and provisioning xml from ops, not the partitions unfortunately. But you can pull every partition through MSM if you really want them. In my personal opinion, you only need a couple really. Except in the case of 5G phones, you need more for those.

Guy50570 said:
I've gotten to around the same point as you have, however I'm having a little bit of trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.

jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara communication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
Edit: When I said what is counted in as signed, dd or msm dump, I meant if they are unchanged, and all official, will they still be counted as signed, or recognized as official?

Xenos7 said:
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara communication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
You bring up a great point. I'm not sure if you can write partitions gained from MSM's ReadBack functionality in QFIL? I'm sure, no I'm positive you can write partitions read from QFIL though. I'm not aware of any way to extract partitions from an ops in order to even attempt to write them.
That is why I needed somebody with an unlocked phone to ReadBack through MSM or Read from QFIL their partitions. In order to attempt to write them individually through QFIL.

jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
Hm, I see. Wonder why I'm getting this error then.
Code:
09:42:54: {ERROR: program FAILED - Please see log}
Writing log to 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt', might take a minute
Log is 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt'
Send Image Fail:FireHose Fail:FHLoader Fail:Process fail
Finish Send Image
Everything else before this point seems to work just fine so, slightly confused here as to what I need.

Guy50570 said:
Hm, I see. Wonder why I'm getting this error then.
Everything else before this point seems to work just fine so, slightly confused here as to what I need.
I will try to look. Sundays are a busy day for me. I'll let you know.

jthein1989 said:
I will try to look. Sundays are a busy day for me. I'll let you know.
Hey, no worries, I'm not in any rush, just trying to help out the best I can.

Any update?

Flashing a single partition is not hard; you do need both the payload and the patch XML, not to mention the loader.
Below is an example from a ZTE: Zmax Pro:
rawprogram0.xml
Code:
<?xml version="1.0" ?>
<data>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Sector size is 512bytes-->
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="98304" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="49152.0" sparse="false" start_byte_hex="0x15000000" start_sector="688128"/>
</data>
patch0.xml:
Code:
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="9" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-24." value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(0,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-33.,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(32,92)" what="Update Backup Header with CRC of Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-1.,92)" what="Update Backup Header with CRC of Backup Header."/>
</patches>
Now you see the idea?
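
Added example, not part of the post above and not code from QFIL or any Qualcomm tool: a Python check that a `<program>` entry is internally consistent before it is handed to a flasher, plus a resolver for the symbolic `<patch>` values. The disk size `NUM_DISK_SECTORS = 61071360` is a constructed value and `FIRST_USABLE_LBA = 34` is an assumption (conventional GPT layout); the XML is copied from the post.

```python
import re
import xml.etree.ElementTree as ET

# <program> entry copied from the rawprogram0.xml in the post above.
RAWPROGRAM = """<data>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="98304" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="49152.0" sparse="false" start_byte_hex="0x15000000" start_sector="688128"/>
</data>"""

# Three of the filename="DISK" <patch> entries from the patch0.xml above.
PATCHES = """<patches>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
</patches>"""

NUM_DISK_SECTORS = 61071360  # constructed disk size, not from the post
FIRST_USABLE_LBA = 34        # assumption: conventional GPT layout, 512-byte sectors
GPT_TAIL_RESERVE = 34        # from the post: LastUseableLBA = NUM_DISK_SECTORS-34

# "11", "NUM_DISK_SECTORS-34." or "NUM_DISK_SECTORS-1" (trailing dot optional).
_EXPR = re.compile(r"^(?:(NUM_DISK_SECTORS)-)?(\d+)\.?$")


def resolve(expr, num_disk_sectors):
    """Turn a patch expression into an integer, or None if it needs disk data.

    The trailing dot marks a decimal literal (see the Trace32 note in the XML).
    CRC32(...) values depend on the bytes on disk, so they come back as None
    instead of being guessed.
    """
    m = _EXPR.match(expr.strip())
    if m is None:
        return None
    n = int(m.group(2))
    return num_disk_sectors - n if m.group(1) else n


def check_program(p, num_disk_sectors, image_bytes=None):
    """Return a list of problems found in one <program> element."""
    ss = int(p.get("SECTOR_SIZE_IN_BYTES"))
    start = int(p.get("start_sector"))
    count = int(p.get("num_partition_sectors"))
    problems = []
    # The same offset is stated twice (sectors and bytes); they must agree.
    if start * ss != int(p.get("start_byte_hex"), 16):
        problems.append("start_sector and start_byte_hex disagree")
    # The same length is stated twice (sectors and KB); they must agree.
    if count * ss != float(p.get("size_in_KB")) * 1024:
        problems.append("num_partition_sectors and size_in_KB disagree")
    # A write must stay between the primary and backup GPT areas.
    last_usable = num_disk_sectors - GPT_TAIL_RESERVE
    if start < FIRST_USABLE_LBA or start + count - 1 > last_usable:
        problems.append("range overlaps a GPT area")
    # An image bigger than its slot would spill into the next partition.
    if image_bytes is not None and image_bytes > count * ss:
        problems.append("image larger than partition")
    return problems


def disk_patches(xml_text, num_disk_sectors):
    """List the on-disk writes described by filename="DISK" patch entries."""
    writes = []
    for p in ET.fromstring(xml_text).iter("patch"):
        if p.get("filename") != "DISK":
            continue  # entries for gpt_*.bin patch files on the host instead
        writes.append({
            "sector": resolve(p.get("start_sector"), num_disk_sectors),
            "byte_offset": int(p.get("byte_offset")),
            "size": int(p.get("size_in_bytes")),
            "value": resolve(p.get("value"), num_disk_sectors),
            "what": p.get("what"),
        })
    return writes


if __name__ == "__main__":
    for prog in ET.fromstring(RAWPROGRAM).iter("program"):
        issues = check_program(prog, NUM_DISK_SECTORS)
        print(prog.get("label"), issues or "consistent")
    for write in disk_patches(PATCHES, NUM_DISK_SECTORS):
        print(write)
```

A `value` of `None` in the patch list means the field is a checksum that has to be computed from the data actually on the disk.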

Have there been any developments on the Sprint OP7Pro 5g? I was gifted one this holiday and practically have no use for it until bootloader unlock is available.

jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
What would you like from my 7Pro?
I'm running 10.3 though.

Del

I have to give a big shout out and I just want to thank everyone for their hard work on figuring the procedures out for unlocking the bootloader, and flashing these phones.
The tutorial for unlocking the bootloader for the Sprint OnePlus 7 Pro 5G works flawlessly if you follow the tutorial:
https://forum.xda-developers.com/on...otloader-unlock-sprint-oneplus-7-pro-t4042145
When I first received my phone, which I bought off eBay, I went ahead and set the phone up and upgraded it over OTA to Android OS v10.0.2. This was so I could use the TWRP for Q (10) during the bootloader unlock setup to fix the issues with it rebooting back into the bootloader. One thing I did learn during the process is that it might try to boot into system and get stuck on the Sprint 5G boot animation. So to force it to power cycle, press the (VOLUME UP + POWER) buttons and hold them until it does reboot, and then quickly press and hold the (VOLUME UP + VOLUME DOWN + POWER) buttons to boot back into the bootloader and run the FIX instructions again.
Once the bootloader was unlocked I used this tutorial to cross flash the firmware to the OnePlus 7 Pro 5G European. Then I went through the phone setup process and installed the Oxygen Updater APK to download the firmware, and forced it to update to the latest 10.0.6 firmware by manually installing it through the System Update, under the gear, Local update. Tutorial found here:
https://forum.xda-developers.com/oneplus-7-pro/how-to/discussion-oneplus-7-pro-5g-rom-gsi-t4042583
Then I followed the tutorial for installing TWRP for Q (10) and for rooting by installing Magisk:
https://forums.oneplus.com/threads/...magisk-twrp-oneplus-7-pro-android-10.1178410/
I found out during the process of flashing and updating to the Oxygen 10.0.6 European firmware that the bootloader had re-locked. So I had to follow the steps once again to unlock the bootloader and then followed the guide for rooting the Sprint OnePlus 7 Pro 5G.
Now to the part where I have run into trouble: trying to remove the SIM LOCK on the phone to Sprint.
I tried to follow the tutorial for SIM UNLOCKING the T-Mobile OnePlus 7 Pro:
https://forum.xda-developers.com/oneplus-6t/how-to/guide-sim-unlock-t-mobile-version-type-t3915269
First I did back up my phone in TWRP. However, when you run these two fastboot commands from the bootloader they will FAIL:
fastboot erase modemst1
fastboot erase modemst2
The Error messages are:
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
So after doing some research and running this fastboot command I found out that not everything unlocked:
fastboot oem device-info
And its output:
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) enable_dm_verity: true
(bootloader) have_console: false
(bootloader) selinux_type: SELINUX_TYPE_INVALID
(bootloader) boot_mode: NORMAL_MODE
(bootloader) kmemleak_detect: false
(bootloader) force_training: 0
(bootloader) mount_tempfs: 0
(bootloader) op_abl_version: 0x31
(bootloader) cal_rebootcount: 0x31
OKAY [ 0.064s]
Finished. Total time: 0.071s
As you can see the Device critical unlocked is: false. So you cannot write to those partitions.
I tried the fastboot commands:
fastboot flashing unlock_critical
fastboot oem unlock_critical
Both with same message:
FAILED (remote: ' Device already : unlocked!')
fastboot: error: Command failed
I even tried the shell commands to overwrite the two partitions from TWRP and from command prompt using adb from platform tools:
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
And its output:
/system/bin/sh: adb: inaccessible or not found
Modemst1, modemst2 and zero do exist but being bootloader critical locked you still cannot write to the partitions even with root.
So next I looked into using the QPST package and erasing the partitions using Partition Manager from the QFIL utility, but I need the firehose file for the SM8150 chipset and the following site does not have it listed:
https://forum.hovatek.com/thread-25696.html
Good tutorial on using the QFIL and updating partition:
https://www.youtube.com/watch?v=MdknZvaTwl4
So finding this thread, it was said you extract the firehose file from the MsmDownloadTool OPS file. I tried using the Python script from GitHub to dump the OPS file, but I could never get crypto to compile correctly for Python on my Windows box, and another branch I used gave a "not a WIN32 file" error for crypto. Found here:
https://github.com/bkerler/oppo_decrypt
So my question is how do you extract the firehose file from the MsmDownloadTool OPS file so we can possibly enable writing to the critical partitions so you can make other updates such as modifying the apns-conf.xml because you cannot write to critical partitions even with root privileges.
Thanks in advance for any advice and help!

Hi pulled with oppo_decrypt..

I pulled the firehose for the T-Mobile. It's uploaded on my sim unlock post

Awesome, I will have to do some more testing! I love this phone. Thank you!

joecowboy said:
Awesome, I will have to do some more testing! I love this phone. Thank you!
I have been testing like crazy. I just confirmed the lock is 100% in the modemst1 and modemst2. But they are encrypted so that the SIM info has to pass through them, so that if deleted there's no way to get the SIMs to work. We need a programmer; this is way over my head.

Related

BQ Aquaris M10 FHD failed image upload

Hi friends,
The app recommended by BQ "MTK Tool Flash" (SP_Flash_Tool_exe_Linux_v5.1612.00.100.zip) just didn't work for me on my Debian PC. There were always some excuses. So I tried some black command-line magic with fastboot and now I'm with a bricked device.
See ubuntu-android-installation-process-for-bq-aquaris-e4-5-and-e5 link I cannot post...
The good news is, I have installed the TWRP (twrp-3.1.1-0-freezerfhd.img) before I shot myself in the toe. So power + volume up gives me the comforting bluish screen of TWRP.
Question is, how can I bring the lovely device back to life? I wanted to flash official Android on it (which failed - 2.3.0_20170405-1553_bq_aquaris_m10_FHD_-FW.zip) and I'd like to complete that, but if it's a no go, I can go back to Ubuntu.
I have tried installing the image zip from twrp, but it said the image has invalid zip file format!
Thanks a lot for your help
Rob
failures
I've been struggling with this one. So I can switch to the bootloader mode and run fastboot commands. However, when I try to flash the system image I get some funny error:
Code:
sudo fastboot flash system ./system.img
target reported max download size of 134217728 bytes
erasing 'system'...
FAILED (remote: unknown command)
finished. total time: 0.002s
With the flash tool (after fixing all its complaints) I'm stuck with a timeout on detecting the USB port (while fastboot works just fine)
Code:
Connecting to BROM...
Scanning USB port...
Search usb, timeout set as 3600000 ms
And with TWRP as mentioned earlier:
Code:
Invalid zip file format
I read the stock rom can be adjusted somehow to allow TWRP to flash it but I'm quite like what...? Android kitchen doesn't list my device as supported.
progress
Aha! This got us further:
Code:
sudo fastboot flash system -u -S 1G ./system.img
Which means do not erase the partition upfront, and sparse the file at max 1 GB.
Code:
sudo fastboot flash userdata -u -S 1G ./userdata.img
sudo fastboot flash boot -u -S 1G ./boot.img
sudo fastboot reboot
Now device is "powered by ubuntu" and stuck there... not sure what's happening
So now I tried flashing some more exotic partitions and the device is completely dead. I hope BQ can help...
undead
Wow, so BQ contacted me right away with a hard reset procedure. The key bit of information I must have overlooked somewhere is that for the flash tool to detect the device, the device must be plugged in while it's off and while the tool is waiting. We're now "powered by android" and system is ready to use. Oh my... thanks BQ

[WIP]Dissecting the bootloader aka: get rid of annoying "Your device is corrupt"

This is WIP (work in progress) ... posting this as a separate thread to get other people involved so we can try to get rid of the annoying "Your device is corrupt" thing.
On the back of my thread on the splash screen (see https://forum.xda-developers.com/oneplus-6t/development/tool-splash-screen-modification-t3874158), @AnoopKumar and I started checking the bootloader.
The bootloader is in the partition called: abl_a (and/or abl_b) depending on whether you boot from A or B slot.
(https://forum.xda-developers.com/showpost.php?p=78409574&postcount=28)
All below is on Linux ... I am not a Windows guru ...
Take a raw dump of the abl_a partition. Reboot into TWRP, once there do: "adb shell".
Code:
> adb shell
# dd if=/dev/block/bootdevice/by-name/abl_b of=/sdcard/img.abl_a
# <ctrl-D>
> adb pull /sdcard/img.abl_a
You will now have the dump of the bootloader partition in the file
Then, use "binwalk" to see what is inside the abl_a image:
Code:
> binwalk -e img.abl_a
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
4488          0x1188          Certificate in DER format (x509 v3), header length: 4, sequence length: 1279
5771          0x168B          Certificate in DER format (x509 v3), header length: 4, sequence length: 1133
6908          0x1AFC          Certificate in DER format (x509 v3), header length: 4, sequence length: 1149
12408         0x3078          LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 487624 bytes
I am thinking that bytes 0...4487 is the real bootloader code, so:
Code:
> head --bytes=4488 img.abl_a > abc
> file abc
abc: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, corrupted section header size
Not sure why it says "corrupt section header size".
Then check the detail of the ELF file:
Code:
> readelf abc
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x9fa00000
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         3
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0
There are no sections in this file.
There are no sections to group in this file.
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  NULL           0x000000 0x00000000 0x00000000 0x00094 0x00000     0
  NULL           0x001000 0x9fa30000 0x9fa30000 0x01988 0x02000     0x1000
  LOAD           0x003000 0x9fa00000 0x9fa00000 0x30000 0x30000 RWE 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
Dynamic symbol information is not available for displaying symbols.
No version information found in this file.
Elf file type is EXEC (Executable file)
Entry point 0x9fa00000
There are 3 program headers, starting at offset 52
The bootloader binary code is in the LOAD segment
More to follow later ... have to catch some sleep now ...
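The layout reasoning in the post above, as an added example that is not part of the original thread: it parses an ELF32 header and its program headers and maps the binwalk offsets and the 4488-byte `head` carve onto the segments. The input is a constructed header built from the readelf values quoted above (not a real abl dump), and all function names are illustrative.

```python
import struct

# ELF32 little-endian layouts from the ELF specification.
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # 52-byte file header
PHDR = struct.Struct("<IIIIIIII")          # 32-byte program header
PT_NAMES = {0: "NULL", 1: "LOAD"}

# Offsets binwalk reported in the post.
BINWALK_HITS = {
    0x1188: "DER certificate",
    0x168B: "DER certificate",
    0x1AFC: "DER certificate",
    0x3078: "LZMA stream",
}
HEAD_CARVE_LEN = 4488  # length used by `head --bytes=4488` in the post


def build_sample_header():
    """Constructed sample: ELF header plus 3 program headers carrying the
    values from the readelf output in the post (assumption: no real dump)."""
    ident = bytes.fromhex("7f454c46010101") + bytes(9)
    # type=EXEC(2), machine=ARM(40), version=1, entry, phoff=52, shoff=0,
    # flags=0, ehsize=52, phentsize=32, phnum=3, shentsize/shnum/shstrndx=0
    ehdr = EHDR.pack(ident, 2, 40, 1, 0x9FA00000, 52, 0, 0, 52, 32, 3, 0, 0, 0)
    phdrs = [
        # type, offset, vaddr, paddr, filesz, memsz, flags, align
        (0, 0x000000, 0x00000000, 0x00000000, 0x00094, 0x00000, 0, 0),
        (0, 0x001000, 0x9FA30000, 0x9FA30000, 0x01988, 0x02000, 0, 0x1000),
        (1, 0x003000, 0x9FA00000, 0x9FA00000, 0x30000, 0x30000, 7, 0x1000),
    ]
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)


def parse_segments(blob):
    """Return (entry, segments) for an ELF32 little-endian image."""
    if len(blob) < EHDR.size:
        raise ValueError("too short for an ELF32 header")
    f = EHDR.unpack_from(blob, 0)
    ident, entry, phoff, phentsize, phnum = f[0], f[4], f[5], f[9], f[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(blob):
        raise ValueError("program header table is truncated or malformed")
    segs = []
    for i in range(phnum):
        p_type, off, vaddr, _paddr, filesz, _memsz, flags, _align = \
            PHDR.unpack_from(blob, phoff + i * phentsize)
        segs.append({
            "index": i,
            "type": PT_NAMES.get(p_type, hex(p_type)),
            "start": off,            # first file offset of the segment
            "end": off + filesz,     # one past its last file offset
            "vaddr": vaddr,
            "flags": flags,
        })
    return entry, segs


def locate(offset, segs):
    """Index of the segment whose file range contains offset, else None."""
    for s in segs:
        if s["start"] <= offset < s["end"]:
            return s["index"]
    return None


def carve_coverage(carve_len, segs):
    """Bytes of each segment's file data present in the first carve_len bytes."""
    return {s["index"]: max(0, min(carve_len, s["end"]) - s["start"])
            for s in segs}


def report():
    entry, segs = parse_segments(build_sample_header())
    lines = [f"entry point 0x{entry:08x}"]
    for s in segs:
        lines.append(f"segment {s['index']} {s['type']:<4} "
                     f"file 0x{s['start']:06x}-0x{s['end']:06x}")
    for off, what in sorted(BINWALK_HITS.items()):
        lines.append(f"0x{off:04x} {what}: segment {locate(off, segs)}")
    for idx, n in carve_coverage(HEAD_CARVE_LEN, segs).items():
        lines.append(f"first {HEAD_CARVE_LEN} bytes hold {n} bytes of segment {idx}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Segment 0 is exactly the 52-byte ELF header plus the three 32-byte program headers (0x94 bytes), all three certificates fall inside segment 1, and the LZMA stream sits inside the LOAD segment. The 4488-byte carve therefore contains headers and the start of segment 1 but no byte of the LOAD segment, which begins at file offset 0x3000.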
Wow! Excited to see this! Thanks
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
Good job, if needed i can help with the checking
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
abl.img is not the bootloader i guess.
tech_head said:
It doesn't matter if you find it.
I don't think you can flash a modified BL partition and have the device boot.
This is part of secure boot. The notice will always be there with an unlocked BL.
It's on all devices that have ARM trust zone and secure boot, if they run Android.
This is part of Google's requirements.
On other devices they've been able to swap this image with another one to "hide" the message, to "get rid of it".
Would be sweet if we could get rid of the unlocked bootloader message too.
dennisbednarz said:
Would be sweet if we could get rid of the unlocked bootloader message too.
+1
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
Code:
> lsusb
Bus 001 Device 034: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
And then:
Code:
> dmesg
[ 9395.999112] usb 1-1: new high-speed USB device number 34 using xhci_hcd
[ 9396.149376] usb 1-1: New USB device found, idVendor=05c6, idProduct=9008
[ 9396.149380] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 9396.149383] usb 1-1: Product: QUSB_BULK_CID:0402_SN:33B9DDAC
[ 9396.149386] usb 1-1: Manufacturer: Qualcomm CDMA Technologies MSM
[ 9396.150184] qcserial 1-1:1.0: Qualcomm USB modem converter detected
[ 9396.150372] usb 1-1: Qualcomm USB modem converter now attached to ttyUSB0
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Use this https://forum.xda-developers.com/oneplus-6t/how-to/tool-6t-msmdownloadtool-v4-0-oos-9-0-5-t3867448
Should try for several times with instruction here
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when I installed aosp gsi I had a red warning. One of the steps to install the rom was flashing vbmeta and disabling dm verity.
patelparth120595 said:
Question - when does device show red warning? When u disable dm verity?
I unlocked and rooted but only had yellow warning, but when I installed aosp gsi I had a red warning. One of the steps to install the rom was flashing vbmeta and disabling dm verity.
Disabled dm-verity caused red warning, i guess.
---------- Post added at 10:01 AM ---------- Previous post was at 09:58 AM ----------
foobar66 said:
Well ... bad luck ... I tried to change abl_b and reflash it ... phone is sort of *dead* now.
Does no longer boot at all.
However, when I plug it into the PC, I can see:
And then:
So it is not completely *dead* but in some sort of Qualcomm low level mode. I found some info here: https://together.jolla.com/question...ss-modem-any-chance-to-bring-it-back-to-life/ but did not make any progress yet.
EDIT: looking at MsmDownloadTool to debrick the phone ...
Edited abl.img ? and flashed via recovery/fastboot ?
AnoopKumar said:
Edited abl.img ? and flashed via recovery/fastboot ?
No, just flashed using dd command in TWRP shell.
foobar66 said:
No, just flashed using dd command in TWRP shell.
Phone still dead ?
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
foobar66 said:
OK ... I managed to recover my phone !
A windows PC with the MSM program did the trick.
I am now back to stock 9.0.5
I assume that, there is nothing to do with the abl.img. Only thing we can do with it is change the default strings to a song lyric or something. abl.img is the uefi firmware i guess. Bootloader is using the images stored in the logo partition.
Gsi's flash without breaking verity if u flash to both slots. And totally format. Fastboot -w. The phone sees any changes to partitions as corruption and breaks verity, hence red warning.. if someone would be inclined to talk to invisiblek from the essential threads, he could tell u of a fix. The solution is not in abl. It's in the stock boot.img. if I had more time, I would help
---------- Post added at 02:52 PM ---------- Previous post was at 02:51 PM ----------
tech_head said:
Different issue.
They are not trying to get rid of the red warning but the yellow warning for an unlocked BL.
On this phone, if you have a "red" warning you use the MSMDownload tool and go back factory including locking the BL.
This is a different case.
No, they are talking about breaking verity also. Seems to be both messages, but more recently the broken verity message. Which there is two types, one u can boot from, one u cannot.
jacksummers said:
U guys should talk [email protected] We had this issue of broken verity with the essential phone and he came up with a redboot.img that u flash and it bootloops the phone and fixes verity. It keeps bootlooping till it fixes it, then u flash a proper kernel and you are good. Cuz as it stands one can only resolve this properly with the tool
I would love that idea. That would be really nice to have on our device

[DEBRAND] [CONVERSION] Sprint OnePlus 7 Pro 5G to European FW

To go back to Sprint stock use this:
Sprint Restore:
https://forum.xda-developers.com/oneplus-7-pro/how-to/sprint-msmdownloadtool-unbrick-t3989841
Crossflashing to European 5G (GM1920):
Outdated method (REQUIRED BOOTLOADER UNLOCK):
Pie
(to set APNs on Sprint, go to *#*#4636#*#* and set the network mode to "LTE/CDMA/UMTS auto (PRL)" , then set your APNs and reboot.)
Input Sprint APNs:
Name: Sprint LTE
APN: x.ispsn
MMSC: http://mms.sprintpcs.com
MMS proxy: oap7.sprintpcs.com
MMS port: 80
APN type: default,mms,supl,hipri,ims,cbs,ia
Protocol/Roaming Protocol: IPv4/IPv6
Flash this in Magisk to enable VoLTE on Sprint:
https://github.com/edgd1er/voenabler/archive/master.zip
If you update to a newer Pie build, you will need to reflash your modem from Sprint, here's a link: http://www.mediafire.com/file/x5g69dx5q64tibk/modem.img/file
OTA updates are fully functional.
The missing information in "About Phone" is normal and does not affect the function of the phone.
If Sprint is your carrier and you update to 10, you will lose APN access for the time being. (Though, humorously, the modem has been unified as of 10 and doesn't need to be reflashed after 10)
10
(Not recommended for Sprint users right now, as there are issues with APNs; GSM/NON SPRINT CARRIERS ARE FINE!)
*Modem has been unified so, you don't need to reflash the Sprint modem after update as of 10.0.4*
Aside from any potential Google SafetyNet updates that break SafetyPatch, this build works perfectly.
"About Phone" is still missing information.
How to flash (applies to conversion and stock restore):
Unlock your bootloader as per:
https://forum.xda-developers.com/on...otloader-unlock-sprint-oneplus-7-pro-t4042145
Follow these steps in order or you will have to MSM restore to stock and try again
Run TWRPadb.bat first
Format Data after the successful flashing of TWRPadb.bat
Reboot bootloader
Run fastbootimages.bat
Reboot
NEW LOCKED BOOTLOADER METHOD: 04/07/2020 (FULL SAFETYNET PASS):
Download the conversion tool HERE
CONVERSION INSTRUCTIONS:
Unplug and power off the phone COMPLETELY
Open the MSM download tool
Uncheck SHA256 check
Connect your USB cable to your PC
Hold Volume DOWN and UP at the same time.
While holding those keys, insert the USB.
Keep holding those keys, click 'Enum' in the tool.
Click start.
Wait about 5-10 minutes, setup over Wifi, OTA to 10, PROFIT!
*Modem will not work at first, setup over wifi and OTA to Android 10, it has been unified so, you just need to update to 10.0.5*
Not recommended for Sprint customers right now, as there are issues with APNs.
**GSM/NON-SPRINT CARRIERS WORK FINE!**
"About Phone" is still missing information.
Q. HELP! I HAVE NO SIGNAL AFTER CROSSFLASH!
A. Connect to wifi and update to Android 10 via OTA.
Q. Can I use a custom ROM built for OnePlus 7 Pro?
A. Not recommended as they have major issues, ROMs are coming!
Q. Can I crossflash to international non 5G and get dual SIM?
A. See here for Open Beta 11: https://forum.xda-developers.com/oneplus-7-pro/how-to/port-oxygen-os-beta-oneplus-7-pro-5g-t4075597
Credits:
@nickman529
(Testing and flashing everything I told him to without question, and uploading the flash zips and writing the bats for me because my internet is way too slow)
@mauronofrio (for building us TWRP)
@Some_Random_Username(moral support and lots of OnePlus knowledge)
And lots of others in our test community!
Donations are also welcome, see my signature for way to donate or my PayPal is:
http://PayPal.me/windows8user
Screenshots:
(Reserved)
Magisk ROM should work with the unlocked Sprint phone. I've only tested xXx NoLimits but as long as these magisk ROMs don't interfere with much you should be good to go.
lreyes said:
Magisk ROM should work with the unlocked Sprint phone. I've only tested xXx NoLimits but as long as these magisk ROMs don't interfere with much you should be good to go.
Do you mean bootloader unlocked? Or sim unlock?
nickman529 said:
Do you mean bootloader unlocked? Or sim unlock?
Bootloader of course
Whoareyou said:
Bootloader of course
Do we have a twrp flashable modem?
*Due to differences in the metadata of recovery flashable zips, in order to install ROMs you need to extract the payload.bin and flash in fastboot*
Whats the flash command for this? reboot to recovery after and flash twrp and magisk?
nickman529 said:
Whats the flash command for this? reboot to recovery after and flash twrp and magisk?
To install a 7 Pro (non-5G) ROM on the 7 Pro 5G:
Use this tool to extract the payload.bin from inside the rom.zip, use fastboot to manually flash each image
https://github.com/cyxx/extract_android_ota_payload
fastboot -w flash system system.img
fastboot flash vendor_b(/a) vendor.img
fastboot flash dtbo_b(/a) dtbo.img
fastboot flash boot_b(/a) boot.img
fastboot --disable-verity --disable-verification flash vbmeta_b(/a) vbmeta.img
fastboot boot twrp.img
Mount /system and /vendor IN TWRP
adb pull /system/system/build.prop build.prop.system
adb pull /vendor/build.prop build.prop.vendor
Open each build.prop and change this line in both or whichever it appears:
Code:
persist.radio.multisim.config=dsds
to
Code:
persist.radio.multisim.config=ssss
adb push build.prop.system /system/system/build.prop
adb push build.prop.vendor /vendor/build.prop
flash twrp from: https://dl.twrp.me/guacamole/twrp-installer-3.3.1-4-guacamole.zip.html
Reboot
Can't give you a 100% guarantee that every ROM will boot or function properly, but that is how I got Lineage 16 going somewhat well.
Okay cool, good info. i was going to try RR or Havoc and see what i could get working. Do you need to reflash sprint modem as well?
EDIT: Also should I flash to my active or inactive slot?
Just your active slot, and no, you only need to flash the modem if you flash a different modem.img (like flashing the euro oos build)
C:\Users\remstar\Downloads\extract_android_ota_payload-master\extract_android_ota_payload-master>extract_android_ota_payload.py havocop7p.zip /tmp/
Extracting 'payload.bin' from OTA file...
Extracting 'boot.img'
Traceback (most recent call last):
  File "C:\Users\remstar\Downloads\extract_android_ota_payload-master\extract_android_ota_payload-master\extract_android_ota_payload.py", line 142, in <module>
    main(filename, output_dir)
  File "C:\Users\remstar\Downloads\extract_android_ota_payload-master\extract_android_ota_payload-master\extract_android_ota_payload.py", line 121, in main
    parse_payload(payload, p, out_f)
  File "C:\Users\remstar\Downloads\extract_android_ota_payload-master\extract_android_ota_payload-master\extract_android_ota_payload.py", line 95, in parse_payload
    r = decompress_payload('xzcat', data, e.num_blocks * BLOCK_SIZE, operation.data_sha256_hash)
  File "C:\Users\remstar\Downloads\extract_android_ota_payload-master\extract_android_ota_payload-master\extract_android_ota_payload.py", line 78, in decompress_payload
    p = subprocess.Popen([command, '-'], stdout=subprocess.PIPE, stdin=subprocess.PIPE)
  File "C:\Users\remstar\AppData\Local\Programs\Python\Python38\lib\subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "C:\Users\remstar\AppData\Local\Programs\Python\Python38\lib\subprocess.py", line 1307, in _execute_child
    hp, ht, pid, tid = _winapi.CreateProcess(executable, args,
FileNotFoundError: [WinError 2] The system cannot find the file specified
EDIT: solved, bad dependencies
---------- Post added at 11:48 AM ---------- Previous post was at 11:17 AM ----------
I'm now getting "invalid sparse file format at header magi"
That's not an error, it's normal when flashing system and I think vendor
Whoareyou said:
That's not an error, it's normal when flashing system and I think vendor
Even though I tried to flash and nothing happened? No change in phone and it still reboot to oos
nickman529 said:
Even though I tried to flash and nothing happened? No change in phone and it still reboots to OOS
You need to let it flash everything.
Don't cancel it or unplug or interrupt it.
Flash all the images it extracted
Whoareyou said:
You need to let it flash everything.
Don't cancel it or unplug or interrupt it.
Flash all the images it extracted
Okay. Will fastboot show any indication of flashing? And why did it reboot to OOS even after I cancelled the flash? I thought it failed
nickman529 said:
Okay. Will fastboot show any indication of flashing? And why did it reboot to OOS even after I cancelled the flash? I thought it failed
No the only indication will be in the command prompt, because it didn't wipe the system or start anything, you canceled it before it even sent the image
Whoareyou said:
No the only indication will be in the command prompt, because it didn't wipe the system or start anything, you canceled it before it even sent the image
I understand. I'm sorry haha. This is my first a/b device and I'm still figuring everything out
Whoareyou said:
No the only indication will be in the command prompt, because it didn't wipe the system or start anything, you canceled it before it even sent the image
Flashed all. Now TWRP won't boot up
---------- Post added at 01:57 PM ---------- Previous post was at 01:21 PM ----------
Well, I got Havoc Q based to boot up and run smooth but no mobile signal
Update: got Havoc Pie flashed. Couldn't boot TWRP at all. Just goes to a black screen. Swapped to slot b and it booted TWRP. Flashed installer. Swapped slots. No luck. Currently trying flashing Havoc with a known good TWRP on slot b

Error while flashing Mi A2 in EDL mode

Sorry, my English is very bad. I have a Mi A2 with a bootloop. Bootloader is locked. I tried to flash three different firmwares using MiFlash, but kept getting one error; it is the 1st image.
Later it seems I changed my MiFlash version and got another error, this is the second image. What do these errors mean?
Me_gusta_98 said:
Sorry, my English is very bad. I have a Mi A2 with a bootloop. Bootloader is locked. I tried to flash three different firmwares using MiFlash, but kept getting one error; it is the 1st image.
Later it seems I changed my MiFlash version and got another error, this is the second image. What do these errors mean?
Don't know what that means but 'ack' should refer to "android common kernels".
I found a few videos searching for "Android Ack count don't match". Maybe you could try their solutions / methods.
User699 said:
Don't know what that means but 'ack' should refer to "android common kernels".
I found a few videos searching for "Android Ack count don't match". Maybe you could try their solutions / methods.
I saw it, there Indians install the beta version of MiFlash and everything is fine. But the beta version does not work for me, it does not see the file "flash_all.bat"
Me_gusta_98 said:
I saw it, there Indians install the beta version of MiFlash and everything is fine. But the beta version does not work for me, it does not see the file "flash_all.bat"
Maybe try an older (beta) version. It could be a problem in the current release which didn't occur in prior releases.
I have the same problem with a brand new Mi A2
Stuck at the androidone bootlogo.
Entering fastboot works without problems.
Flashing results in this error: FAILED (remote: 'Error flashing partition : Write Protected')
No matter which slot is used.
Unlocking via fastboot tells me that everything is already unlocked.
Booting the twrp image from fastboot gets stuck at the twrp logo.
This also happens with the patched twrp_4pda version.
This [GUIDE] Flashing ROMs with TWRP black screen post seemed helpful and adb shell works.
But sending commands like twrp wipe cache results in:
TWRP does not appear to be running. Waiting for TWRP to start . . .
Code:
fastboot --set-active=b
fastboot flash boot_b twrp.img
fastboot --set-active=a
fastboot flash boot_a twrp.img
fastboot flashing unlock
fastboot flashing unlock_critical
fastboot oem unlock
fastboot boot twrp.img
adb shell
twrp wipe cache
Entering EDL mode via fastboot works without problems.
I installed the qualcomm 9008 drivers (windows 10 driver signature verification had to be disabled) and the phone in edl mode appears.
Downloaded the Mi A2 global fastboot rom
I tried all miflash versions (2015 to 2018 and beta) ... they had various bugs
XiaoMiFlash.Config --> rename to XiaoMiFlash.exe.Config
generate "Log" folder
place rom files inside miflash folder ... avoid any long/special path names
In the end they all start flashing and fail with "no Binary dump" or "ACK count don't match".
I also tried a different PC, different USB cable and fastboot on linux.
Is there anything else that could be done, or is it time to consider a hardware failure (broken eMMC ...?)?
#### update ###
fastboot format userdata
.... works and writes something without error
fastboot format cache / fastboot erase cache
... FAILED (remote: 'Error flashing partition : Write Protected')
I was able to get into stock recovery (hold VolUp+Power --> "no command" --> hold again).
wipe data / factory reset --> getting stuck forever on "wiping data..." screen
Apply Update from ADB --> adb sideload miui.zip also gets stuck forever
calling fastboot -w results in:
Spoiler: error code
Erasing 'userdata' OKAY [ 0.081s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 4652023 4k blocks and 1163264 inodes
Filesystem UUID: 969bf7be-a1e1-11ec-9ff1-f15f995f2a7c
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'userdata' (180 KB) OKAY [ 0.011s]
Writing 'userdata' OKAY [ 0.000s]
Erasing 'cache' OKAY [ 0.002s]
mke2fs 1.46.2 (28-Feb-2021)
Creating filesystem with 65536 4k blocks and 65536 inodes
Filesystem UUID: 96ab61ae-a1e1-11ec-aed9-d92ea3a1e9cc
Superblock backups stored on blocks:
32768
Allocating group tables: done
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
Sending 'cache' (56 KB) FAILED (remote: 'Error: Last flash failed : Write Protected')
fastboot: error: Command failed

Question [SOLVED] Bricked device - can only access MIUI Recovery and Fastboot

I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot mode via the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went into the wipe option in TWRP and did a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
zepolyerf said:
I f****d up.
Hi everyone. I may have bitten more than I can chew. I'm trying to install a custom ROM to my recently unlocked Redmi Note 10 Pro. It's crDroid in case that's necessary.
I did a lot of things but I forgot most of them. Here's what I remember doing:
Connected my phone to my Linux computer.
Go into fastboot mode via the following command:
Code:
adb reboot bootloader
Use TWRP by running this in a terminal:
Code:
fastboot boot twrp.img
Went into the wipe option in TWRP and did a complete factory reset and format data.
Pushed the custom ROM file to /sdcard.
Attempted to install the zip file via TWRP.
Got an error code. Forgot the code and I didn't take note of it. (Please make fun of me).
Attempted to reboot TWRP recovery by going to Reboot > Recovery
Reached stock MIUI Recovery.
And here I am.
I can only access MIUI Recovery 5.0 and fastboot mode, both by pressing the right buttons on the device.
I don't know what a bricked device is, but it sure does feel like my device is one.
Is there a way to solve this?
Drivers installed?
Hi! How can I check if drivers are installed? I'm on Linux, if that matters.
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
V0latyle said:
Your device isn't bricked until you can do absolutely nothing with it. Start by reflashing the factory firmware; this should get your device running again.
You should also still be able to boot TWRP just like you did. What ROM were you trying to use?
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried following the official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
zepolyerf said:
That's good to hear.
I'm trying to make another attempt to boot to TWRP. I'm currently in fastboot mode: running fastboot -l devices shows this:
Code:
f8b471a6 fastboot
usb:1-5
I tried following the official TWRP instructions to flash it. Ran fastboot flash recovery twrp.img and all I get is <waiting for device> as a response after running the command in the terminal.
I unplug the cable, then plug it back in to the computer, then this is what I got:
Code:
Sending 'recovery' (131072 KB) FAILED (Write to device failed (Device or resource busy))
fastboot: error: Command failed
Any ideas on how to get around this?
Your device might not have a recovery partition; in A/B partition layout devices, recovery lives in the boot image.
A bit of an explanation:
When you use fastboot boot <image> you're telling the device to load the image you're sending - so if you use fastboot boot twrp.img you're telling it to load the TWRP.img on your computer. This is what you should be using if you want to boot TWRP.
When you use fastboot flash <partition> <image> you're telling bootloader to flash the specified partition with the specified image. So, if you used fastboot flash boot twrp.img, bootloader will overwrite /boot with the TWRP image...meaning the device will only boot into TWRP.
As for why the device would only boot into stock recovery after you flashed the custom ROM, I suspect that it didn't flash the kernel, or otherwise may have corrupted the boot image. So, when the device tries to start the kernel, it failed and just boots into recovery instead.
What should I do at this point if I can't do fastboot boot <image> or fastboot flash <partition> <image> because of the <waiting for device> thing I get every time I run those commands?
zepolyerf said:
What should I do at this point if I can't do fastboot boot <image> or fastboot flash <partition> <image> because of the <waiting for device> thing I get every time I run those commands?
Reboot to bootloader. If you're currently in recovery mode, cancel the command (Ctrl+C) and use adb reboot bootloader. If you're currently in bootloader but it's not responding, just use the button combo to force a reset.
Remember, you can only use fastboot commands in bootloader mode. If you're in recovery, you can only use some ADB commands, but in this case, I don't think that will be much help.
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires its provided recovery instead of TWRP so maybe that's why the installation failed.
I went into fastboot mode by pressing Vol Down + Power buttons.
Plugged the phone in to my Linux machine. Have VirtualBox recognize my device.
Opened MiFlash tool. Selected the flash rom from Xiaomi's site. Got an Antirollback error. Here's the logs:
Code:
[4:41:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:25 AM]:GetScriptDevices
[4:41:28 AM]:add device f8b471a6 index 0
[4:41:48 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:41:48 AM]:GetScriptDevices
[4:41:51 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:41:51 AM]:add device f8b471a6 index 0
[4:41:51 AM]:Thread start,thread id 11,thread name f8b471a6
[4:41:51 AM]:start process id 4212 name cmd
[4:49:16 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:16 AM]:GetScriptDevices
[4:49:16 AM]:add device f8b471a6 index 1
[4:49:24 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:49:24 AM]:GetScriptDevices
[4:49:24 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:49:24 AM]:add device f8b471a6 index 1
[4:49:24 AM]:Thread start,thread id 12,thread name f8b471a6
[4:49:24 AM]:start process id 1704 name cmd
[4:49:25 AM]:Thread stopped, thread id 12, thread name f8b471a6
[4:51:22 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:51:23 AM]:GetScriptDevices
[4:51:23 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[4:51:23 AM]:add device f8b471a6 index 1
[4:51:23 AM]:Thread start,thread id 19,thread name f8b471a6
[4:51:23 AM]:start process id 3400 name cmd
[4:52:26 AM]:GetUserInfo
[4:52:39 AM]:authentication edl error:Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
[4:56:31 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[4:56:31 AM]:GetScriptDevices
[6:00:17 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:18 AM]:driver oem5.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Google\Driver\android_winusb.inf to C:\Windows\INF\oem5.inf,result True,GetLastWin32Error
[6:00:19 AM]:set RegistryKey value:android_winusb.inf--oem5.inf
[6:00:19 AM]:mkdir "C:\Users\IEUser\.android"
[6:00:19 AM]:output:A subdirectory or file C:\Users\IEUser\.android already exists.
[6:00:19 AM]: echo 0x2717 >>"C:\Users\IEUser\.android\adb_usb.ini"
[6:00:19 AM]:output:
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:19 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:19 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:20 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\tetherxp.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:20 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf to ,result False,GetLastWin32Error Unknown error (0xe000022f)
[6:00:21 AM]:open RegistryKey Software\XiaoMi\MiFlash\
[6:00:21 AM]:driver oem6.inf exists,uninstall,reuslt True,GetLastWin32Error
[6:00:22 AM]:install driver C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\Driver\qcser.inf to C:\Windows\INF\oem6.inf,result True,GetLastWin32Error
[6:00:22 AM]:set RegistryKey value:qcser.inf--oem6.inf
[6:01:33 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:34 AM]:GetScriptDevices
[6:01:34 AM]:add device f8b471a6 index 1
[6:01:55 AM]:lsusb path:"C:\Users\IEUser\Downloads\MiFlash\MiFlash2020-3-14-0\Source\ThirdParty\Qualcomm\fh_loader\lsusb.exe"
[6:01:55 AM]:GetScriptDevices
[6:01:55 AM]:FlashingDevice.flashDeviceList.Remove f8b471a6
[6:01:55 AM]:add device f8b471a6 index 1
[6:01:55 AM]:Thread start,thread id 12,thread name f8b471a6
[6:01:55 AM]:start process id 6280 name cmd
[6:01:56 AM]:Thread stopped, thread id 12, thread name f8b471a6
Any idea on what to do next?
BigChungus321 said:
This is just soft brick. A hard brick means no life in the device as well. In your case, you can still access recovery and fastboot. You can either use MiFlash and use fastboot to flash the stock rom (your choice if you want to relock the bootloader or not) or flash miui recovery rom directly in the custom recovery.
If I remember correctly too, crDroid requires its provided recovery instead of TWRP so maybe that's why the installation failed.
It might as well be a brick haha. I must be dumb (very likely) or there's just not a lot of clear and comprehensive resources out there to fix this kind of thing.
Ahh anti roll back error is pretty simple to fix, you just have to remove the check from the .bat files, there are tutorials on YT that can help, after that reflash stock rom in MiFlash.
If you're worried about anti roll back, don't worry, ARB value for the device has been 3 so far so it's safe to downgrade. Good luck
Seeing a ton of Bricked Notes on here this last week, Y`all making me nervous about doing anything with mine lol
I faced this problem in Linux and got around it with a USB 2.0 interface; it didn't work with USB 3.0 and above, but my device was different when I got this recovery flash waiting problem. Also try to update the platform tools.
So the solution was to entirely ditch Linux and use Windows to play with fastboot and adb commands via the terminal.
I don't understand why it worked when I did it on Windows when I was using the same platform tools on Linux. Oh well.
