Database Develop

[Q] DS7 stuck on setup wizard

Hi,
I'm using a TMobile 4G DS7 in Europe (no SIM card); last week as I restarted it (battery was very low) I started receiving error messages (Email app has stopped unexpectedly, then Gmail and you name it...) and was sent back to the setup wizard.The DS7 was running on the original setup, no OS upgrade had been done.
I tried a factory reboot which didn't change anything.
I started reading this forum and tried the 3 options which are described
1- updating with a 306 .pkg file on the SDCard
the following takes place
Booting kernel recovery Image
Blue text
Finding update package
Opening update package
Verifying update package
Install modem error . System will upgrade again. (90% bar)
Screen turns black then reboots
and back to square one !
Trying other packages results in an error message, process stops at verifying update package .
2- Fastboot mode
I downloaded and installed the drivers
I put DS7 in fastboot mode and get the fwg :
Username : cmbuild hostname : ***** buildnumber : ******
Build on Mar 11 2011 17:19:36
Starting Fastboot USB download protocol
On PC I go to the directory where the fastboot.exe is stored .
When I type < Fastboot devices>
I get <? fastboot> which seems to indicate that no device is identified ( under Config panel in Windows I can see that the device is recognized as an Android device) ....
3- NVFlash mode
I put the DS7 in NVFlash mode connected it to my PC . The config panel showed there was a prob (yellow triangle). I installed the driver .... and now the device does not even appear when I go Config panel / System
So I get nowhere under any of the 3 options ; can I just throw away my DS7 or is there still some hope ? things I haven't done correctly ?
Any help suggestion would be most appreciated.
Thx in advance to whoever wil read this thread.
FG

the ???? Device under fastboot is normal
ONce you put the device into NVFlash mode and you install the drivers, open up Device Manager and look under the USB section, you should see something about Nvidia recovery mode.

giveen said:
the ???? Device under fastboot is normal
ONce you put the device into NVFlash mode and you install the drivers, open up Device Manager and look under the USB section, you should see something about Nvidia recovery mode.
Click to expand...
Click to collapse
You're right. I flashed everything went all right but after "pinbooting" no change still stuck.

FGMareil said:
You're right. I flashed everything went all right but after "pinbooting" no change still stuck.
Click to expand...
Click to collapse
You might be in read-only mode, which can only be fixed by Dell

giveen said:
You might be in read-only mode, which can only be fixed by Dell
Click to expand...
Click to collapse
The OP stated that the battery was low which is one reason some have claimed to cause this.

[Workshop] Unbrick fully bricked I9070

Hi,
I'm launching this thread to work on an unbrick procedure for fully bricked I9070/P without JTAG or Riffbox (same as Adam Outler, TheBeano, Odia etc... 's project "let's save some bricks")
Reminder : fully bricked = no download/recovery mode, no display, not charging, not going to recovery with a 301k Ohm jig.
I have a fully bricked I9070P and a fully functionnal I8090 (same processor).
Based on the sources and tools for the U8500 that were disclosed in january, I've managed to make my dead phone and my PC talk "a bit" together (under Windows with the VSIW tool, and under linux with recompiling the "flashkit" tools): when plugged in and inserting the battery, the tool sees the terminal, gets its serial number and various data and fails while trying to send and execute a boot file because the terminal closes the USB port.
I've managed to get a certain degree of communication with the "riff" tool (open source) of the Snowball project too (the dev board based on a U9500).
Based on this half successes, I'm pretty sure we are close to a clean solution to revive a fully bricked terminal without soldering JTAG.
Here are the main docs I've read so far :
* most posts from the threads "let's save some bricks" and "fun with resistors"
* the reference documents of the I9070 (Samsung_GT-I9070_Galaxy_S_Advance_Galaxy_S_II_Lite_service_manual.rar)
* the reference manual of the U9500 (http://www.calao-systems.com/reposi...X/DATASHEETS/AP9500_reference_manual_rev1.pdf)
* TSU6111 datasheet from TI (the USB/UART switch the 9070 is using, cf the service manual -> Lite Schematics -> u-USB SW IC part)
* lots of docs from the "flashkit" sources
My setup :
* a fully bricked I9070P
* a fully working I8190P
* an 8GB SDCard
* a Windows/Linux workstation (Ubuntu 12.04LTS + Android compiling environment + disclosed sources)
* terminal emulators
* a Prolific cable (PL2303) (any USB to TTL adapter would do it, you can buy one for 3$ as Arduino accessory, or reuse a Nokia DKU 5 -see hackaday website for a link). Take care with Prolifics : they don't work under Windows 8 with the last driver, you have to use the version before, Google is your friend)
* a set of resistors
* a multimeter
* libusb win32 drivers setup, see sourceforge (use the tool included in the drivers package to generate the right .inf file for the U8500 (or use 04CC and 8500)
Here are my conclusions so far :
* based on the Snowball docs and the U9500 spec, we don't seem to have any need to modify anything (resistors) on the mainboard to change boot sequence. The dev board does not have any switch for that and my dead I9070 and working I8190 exibit the same behaviour at bootup : the appear as a "U8500 USB ROM" for a seconds and disconnect when going on farther in the boot sequence.
Moreover, the fact that I managed to have my dead phone talk with the flashtool confort me in the fact that we are almost done.
* I have *not* managed to get any output on my terminal with my Prolific cable plugged in with a 630kOhm resistor on the pins 4 and 5. My resistor setup might be good because it make my working I8190 boot when I plug it in.
But I'm not sure of my RX/TX setup, I have crossed the RX/TX of the phone and the ones of the Prolific but I might have been wrong identifying the pins of my modified USB plug (D+ and D-).
But I'm sure the RX and TX wires of my Prolific are the right ones : when I connect them together (nullmodem configuration), the characters typed on my terminal are displayed.
So the main issue is : how can we have the dead phone keep the USB port open and not close it after 2 seconds?
My assumption is that it is always probing different boot methods (UART, USB, MMC etc) and then attempts to boot normaly from eMMC.
I don't know which part of the bootchain sequence I've garbaged on my I9070: IBL, PBL, SBL, PARAM? Managing to get any debug output on my console would greatly help me.
Has any of you tried to achieve something similar? If yes, could you post your setup and results?
Let's save some bricks another time!

any progress
flentus said:
Hi,
I'm launching this thread to work on an unbrick procedure for fully bricked I9070/P without JTAG or Riffbox (same as Adam Outler, TheBeano, Odia etc... 's project "let's save some bricks")
Reminder : fully bricked = no download/recovery mode, no display, not charging, not going to recovery with a 301k Ohm jig.
I have a fully bricked I9070P and a fully functionnal I8090 (same processor).
Based on the sources and tools for the U8500 that were disclosed in january, I've managed to make my dead phone and my PC talk "a bit" together (under Windows with the VSIW tool, and under linux with recompiling the "flashkit" tools): when plugged in and inserting the battery, the tool sees the terminal, gets its serial number and various data and fails while trying to send and execute a boot file because the terminal closes the USB port.
I've managed to get a certain degree of communication with the "riff" tool (open source) of the Snowball project too (the dev board based on a U9500).
Based on this half successes, I'm pretty sure we are close to a clean solution to revive a fully bricked terminal without soldering JTAG.
Here are the main docs I've read so far :
* most posts from the threads "let's save some bricks" and "fun with resistors"
* the reference documents of the I9070 (Samsung_GT-I9070_Galaxy_S_Advance_Galaxy_S_II_Lite_service_manual.rar)
* the reference manual of the U9500 (http://www.calao-systems.com/reposi...X/DATASHEETS/AP9500_reference_manual_rev1.pdf)
* TSU6111 datasheet from TI (the USB/UART switch the 9070 is using, cf the service manual -> Lite Schematics -> u-USB SW IC part)
* lots of docs from the "flashkit" sources
My setup :
* a fully bricked I9070P
* a fully working I8190P
* an 8GB SDCard
* a Windows/Linux workstation (Ubuntu 12.04LTS + Android compiling environment + disclosed sources)
* terminal emulators
* a Prolific cable (PL2303) (any USB to TTL adapter would do it, you can buy one for 3$ as Arduino accessory, or reuse a Nokia DKU 5 -see hackaday website for a link). Take care with Prolifics : they don't work under Windows 8 with the last driver, you have to use the version before, Google is your friend)
* a set of resistors
* a multimeter
* libusb win32 drivers setup, see sourceforge (use the tool included in the drivers package to generate the right .inf file for the U8500 (or use 04CC and 8500)
Here are my conclusions so far :
* based on the Snowball docs and the U9500 spec, we don't seem to have any need to modify anything (resistors) on the mainboard to change boot sequence. The dev board does not have any switch for that and my dead I9070 and working I8190 exibit the same behaviour at bootup : the appear as a "U8500 USB ROM" for a seconds and disconnect when going on farther in the boot sequence.
Moreover, the fact that I managed to have my dead phone talk with the flashtool confort me in the fact that we are almost done.
* I have *not* managed to get any output on my terminal with my Prolific cable plugged in with a 630kOhm resistor on the pins 4 and 5. My resistor setup might be good because it make my working I8190 boot when I plug it in.
But I'm not sure of my RX/TX setup, I have crossed the RX/TX of the phone and the ones of the Prolific but I might have been wrong identifying the pins of my modified USB plug (D+ and D-).
But I'm sure the RX and TX wires of my Prolific are the right ones : when I connect them together (nullmodem configuration), the characters typed on my terminal are displayed.
So the main issue is : how can we have the dead phone keep the USB port open and not close it after 2 seconds?
My assumption is that it is always probing different boot methods (UART, USB, MMC etc) and then attempts to boot normaly from eMMC.
I don't know which part of the bootchain sequence I've garbaged on my I9070: IBL, PBL, SBL, PARAM? Managing to get any debug output on my console would greatly help me.
Has any of you tried to achieve something similar? If yes, could you post your setup and results?
Let's save some bricks another time!
Click to expand...
Click to collapse
dude did you find any solution??same problem here

up up this thread.... i'm also experiencing with my s3 mini i8190 continuously disconnecting libusb-win32 driver... my phone is at deadboot and unable to resurrect with RIFFBOX...

neilPD_07 said:
up up this thread.... i'm also experiencing with my s3 mini i8190 continuously disconnecting libusb-win32 driver... my phone is at deadboot and unable to resurrect with RIFFBOX...
Click to expand...
Click to collapse
Mebay u have dead mini USB port in SIII mini ?
Sent from my GT-I9070 using Tapatalk

Hi guys,
I had a little time playing with this, but I have good news :
I modified the default profile used for the flashtool backend to "ADL boot" : my "dead" phone now stays connected to the USB and is reported as "started" by the flashtool CLI ("flash-tool get_connected_equipments") however, when I try some "active" flash-tool CLI commands, the backend crashes.
As I was running it either in windows 8.1 64 bits or Linux in a VM, their might have some bad interactions with the OS on the one hand and the USB port forwarding on the other hand (there was issues with the LCD and LCM drivers in Windows, I grabbed the 64 bits ones from VSIW...).
-> I have to test on a 32 bit Windows.
Good to read to understand further (extracted from flash-tool-backend.html file) :
Note : ME stands for mobile equipment, "boot indication" can take the following values : ADL, ALT, Normal, Production, Programming : set into the config files pointed by the .mesp file)
Boot process description
When the peripheral boot sequence starts, the ME sends an asic id to the connected PC tool. The PC tool then answers with a boot indication. If normal, "ADL" or "production" is sent as boot indication; this means that the x-loader will start the binary software stored at the corresponding location in the boot image (based on the location stated by the TOC). If programming is used as boot indication, the PC will send a completely new set of boot code to the ME. This is used when a loader is downloaded during service mode startup via the Flash Tool Backend. When the normal boot indication is sent, Flash Tool backend sends no more data and the ME is booted with the binary software stored in the place where the normal software is stored according to the TOC.
The ADL boot scenario works like this:
1. Flash Tool Backend receives asic id
2. Boot indication ADL is sent
3. Flash tool backend starts LCD and LCM and waits for a loader startup message.
The loader is stored at the ADL location of the boot image (this is supported by the assemble tool).
I think I'd have to assemble the correct bootloader to enable "profile-STE_DBX500_flashloader.prfl" profile to work (we are missing corresponding loader.ldr loader). It would enable the use of the "LoaderCommunication"
I think I have all the pieces and the docs (we even have the certificates to sign it !): just need time and a better GFAF (Girlfriend acceptance factor).
The guys who managed to unbrick some Qualcomm based devices might be of a huge help, they would be much more efficient than I can be... I any of you have time to drive them around here, do not hesitate!
Enjoy!

flentus said:
Hi guys,
I had a little time playing with this, but I have good news :
I modified the default profile used for the flashtool backend to "ADL boot" : my "dead" phone now stays connected to the USB and is reported as "started" by the flashtool CLI ("flash-tool get_connected_equipments") however, when I try some "active" flash-tool CLI commands, the backend crashes.
As I was running it either in windows 8.1 64 bits or Linux in a VM, their might have some bad interactions with the OS on the one hand and the USB port forwarding on the other hand (there was issues with the LCD and LCM drivers in Windows, I grabbed the 64 bits ones from VSIW...).
-> I have to test on a 32 bit Windows.
Good to read to understand further (extracted from flash-tool-backend.html file) :
Note : ME stands for mobile equipment, "boot indication" can take the following values : ADL, ALT, Normal, Production, Programming : set into the config files pointed by the .mesp file)
Boot process description
When the peripheral boot sequence starts, the ME sends an asic id to the connected PC tool. The PC tool then answers with a boot indication. If normal, "ADL" or "production" is sent as boot indication; this means that the x-loader will start the binary software stored at the corresponding location in the boot image (based on the location stated by the TOC). If programming is used as boot indication, the PC will send a completely new set of boot code to the ME. This is used when a loader is downloaded during service mode startup via the Flash Tool Backend. When the normal boot indication is sent, Flash Tool backend sends no more data and the ME is booted with the binary software stored in the place where the normal software is stored according to the TOC.
The ADL boot scenario works like this:
1. Flash Tool Backend receives asic id
2. Boot indication ADL is sent
3. Flash tool backend starts LCD and LCM and waits for a loader startup message.
The loader is stored at the ADL location of the boot image (this is supported by the assemble tool).
I think I'd have to assemble the correct bootloader to enable "profile-STE_DBX500_flashloader.prfl" profile to work (we are missing corresponding loader.ldr loader). It would enable the use of the "LoaderCommunication"
I think I have all the pieces and the docs (we even have the certificates to sign it !): just need time and a better GFAF (Girlfriend acceptance factor).
The guys who managed to unbrick some Qualcomm based devices might be of a huge help, they would be much more efficient than I can be... I any of you have time to drive them around here, do not hesitate!
Enjoy!
Click to expand...
Click to collapse
Any good updates & tested solution sir? I'm still waiting for a big solution for this kind of problem... TIA

Hi !
well, I'm almost done with the bootloaders: I have a loader.ldr compiled + 2 bin.
I've reset my dev. env. to an Ubuntu 10.04 according to a .doc I found in the sources (search for "*.doc", you will find "getting_Started_with_Android_and_Linux.doc"): I now have far less compilation errors, but I'm still struggling to get the full compilation process just right. For eg. I had to remove the "alsactrl" component due to dependency issues I've not been able to solve.
As already stated, I'm far from being a dev. expert so it takes me a lot of time to acheive the right compilation.
I would highly need the help of s/b who is fluent with Android compilation/dev env.: first it would be necessary to establish how to merge correctly the disclosed sources with Google's sources + the open sources from Samsung (kernel + system) (we have duplicates here as the kernel is also available in the disclosed sources, but both are different releases).
As already stated, given the few spare tile I have and without the help of the right people this will take me ~4 months+ to have this unbrick done (if I face no deadlock).
So, if you want this faster: get the right guys on the forum (from the "dev" branches) and drag them here so we can go forward much faste!

Hi!
So, I think I'm getting close: I now have the boot files build procedure working (+kernel and sytem, but I don't need those).
When I try to boot my phone with those boot files using the "flasher -tXXXX -X0,normal.bin" command, it seems that they are rejected as the phone connects and disconnects (boot loop on the iRom startup, I believe).
So, now I really need to have some kind of debug console setup to understand what's going on (cause of rejection, like signature problem etc...):
I've been working blindly up to now hopping that the software would work "off the shelves"... it never does
I'll have to try to understand how the "trigger UART" parameter of flashkit backend works and what is it intended to (I'll have to read the code for that as I've never seen any explanation about it anywhere in the docs). I don't figure out how this could work as on the backend GUI it lists the host PC's serial ports...
Another option would be to have my FTDI debug setup working. Maybe it's not "another option" but is required if the "trigger UART" is just enabling UART debug on the phone and requires a debug cable to read these debug data. My problem in that case would be how to have USB *and* UART on the same port... unless all this is designed for dev targets that have 2 USB ports as the Calao's u8500 targets. In that case, i'd have to find something smarter
As usual, if someone with knownledge on all this is willing to help: wave your hand, I'd happy to share my researches and go forward much faster. But I really feel I'm alone on this (even if I know that there will be tons of leechers when/if I manage to have this work
That's life on XDA!

Nice nice
flentus said:
Hi!
So, I think I'm getting close: I now have the boot files build procedure working (+kernel and sytem, but I don't need those).
When I try to boot my phone with those boot files using the "flasher -tXXXX -X0,normal.bin" command, it seems that they are rejected as the phone connects and disconnects (boot loop on the iRom startup, I believe).
So, now I really need to have some kind of debug console setup to understand what's going on (cause of rejection, like signature problem etc...):
I've been working blindly up to now hopping that the software would work "off the shelves"... it never does
I'll have to try to understand how the "trigger UART" parameter of flashkit backend works and what is it intended to (I'll have to read the code for that as I've never seen any explanation about it anywhere in the docs). I don't figure out how this could work as on the backend GUI it lists the host PC's serial ports...
Another option would be to have my FTDI debug setup working. Maybe it's not "another option" but is required if the "trigger UART" is just enabling UART debug on the phone and requires a debug cable to read these debug data. My problem in that case would be how to have USB *and* UART on the same port... unless all this is designed for dev targets that have 2 USB ports as the Calao's u8500 targets. In that case, i'd have to find something smarter
As usual, if someone with knownledge on all this is willing to help: wave your hand, I'd happy to share my researches and go forward much faster. But I really feel I'm alone on this (even if I know that there will be tons of leechers when/if I manage to have this work
That's life on XDA!
Click to expand...
Click to collapse
U R great man..UP UP UP :good::good::good:

use UART debug on USB
This will help me, I'll test it on my working S3 mini (same proc and very similar HW)... when I have time...
-> this will validate my UART debug setup : http://forum.xda-developers.com/showthread.php?t=2100809

ok, UART debug up and partially running on my SIII mini: debug messages displayed on terminal but keystrokes do not reach the phone, this is secondary for me at the moment, I may have a bad contact somewhere.
Tested on my dead I9070: no display, so the Xloader on my eMMC is garbaged (or Xloader UART debug is disabled, but this is less likely).
As expected, I now have to figure out how to have flashloader boot files upload *and* debug working together to understand what's wrong with my compiled boot files. I think the "trigger UART" thing is a good track, but I'm really puzzled by how to have the USB *and* the UART setup at the same time.
I fear to fry something by having phone D+/D- connected to USB port of the PC and connected at the same time to my Prolific TxD/RxD + 5V VCC connected to PC USB... sounds like a bad thing.
Another track would be USB debug I see in some parts of the code, but I don't know how to read the debug from there, more code to inspect...

got it~
---------- Post added at 02:03 PM ---------- Previous post was at 01:22 PM ----------
I also have a fully bricked I9070( not I9070P).I`m waiting for your good news.Thanks first.

I received this PM, I believe it can be useful for others experimenting with it
flentus said:
Ola Paul,
I contact you on an advise from Cocafe.
I launched a while ago the thread "[Workshop] Unbrick fully bricked I9070" (http://forum.xda-developers.com/showthread.php?t=2701363)
I'm looking for help to acheive the task as I don't have very much time to spend on it due to huge work I have this year.
Would you be ok to participate if you have a little spare time and interest in it?
I think I'm very close to the solution, and this would help a lot of 9070 owners (and maybe SIII mini and Sony too).
As explained in my thread, I have difficulties getting the disclosed sources to build correctly up to the end when integrated with Google SDK. As a result the "finalizing" scripts (that gather the binaries and tidy the "out" directory) don't execute: I end up with a large mess and STE tools don't work out of the box. I have to gather the pieces one by one to have them run which is very time consuming and error prone.
I can say that the recovery process won't need any kind of soldering, wiring or whatever: just a regular USB cable and the right sofware.
The disclosed sources contain everything we need: PBL/SBL sources, signing tool+certificates, the software to talk to the iROM + various documentation.
The problem is just a question of assembling the pieces...
My idea is to assemble an Xloader (PBL) + Uboot (SBL) + recovery and boot from that to execute recovery.
The "flashkit" tool enables this process, I quote the docs: "If 'programming' boot indication is used as boot indication, the PC will send a completely new set of boot code to the ME. This is used when a loader is downloaded during service mode startup via the Flash Tool Backend.".
Tell me if you wish to help me, or if you know someone who has competencies and would wish to!
I speek average spanish if you prefer to exchange in this language.
Regards
Click to expand...
Click to collapse
I am sorry for pointing this out, STE tools wont work ever on i9070, the reason being that we do not have a STE bootloader, heck, most of the low level stuff do not resemble the ST-Ericsson Montblanc development board. You can't even change the bootloader arguments, you can only add to them (the way I first enabled SELinux), the Samsung Bootloader version that we have may be not as restrictive as others, but Sonys bootloader resembles more to STE's than ours.
The only way you may found how to restore it is accessing the JTAG mode (something that is determined only if JTAG is connected and recognized) and depends solely on the emergency bootloader (if that exists, because I am not sure how the device powers on without PBL), the "seconds" of power you get on the USB is the device looking for JTAG.
The "disclosed" sources are for ST-Ericsson devices
Something you should do, is analyze the structures of /dev/block/mmcblk0p10, which contains our partition table (GUID Partition Table - GPT).
Simple way of doing it, you have to do dd if=/dev/block/mmcblk0p10 of=/sdcard/janice.pit on terminal emulator, this is ROM agnostic, because the structures are the same on both stock and any custom ROM. Of course, that is from a working device, I'll do that and drop it here later since I am working on something else right now, and thanks diegoch for discovering this.
Anyway, as diego pointed to me, our partition table is like this.
PIT, CSPSA, EFS, MODEM fs, SBL, SBL2, PARAM, IPL modem, MODEM, Kernel, Kernel2, system, data, cache, preload, fota, sdcard
This is the correct order I believe, since basically, when you use ODIN and use a PIT file, the partition table gets rewritten according to whatever is on that .pit file. So PIT is basically the GPT partition table; obviously SBL is the Samsung bootloader, and SBL2 I believe it's either stage 2.5 or a backup of the first.
So, no clue by going the STE way, something familiar here.
So, I may say something good at the end, see if the i9100 guys ever did it, and go from there, since our device is largely based around i9100 (Galaxy S II)

Hi Paul,
thanks for your contribution.
A few replies/questions :
* you state that Montblanc dev board and I9070 are completly different: isn't the aim of dev dev board to be close to ME while adding extra connectors to ease debug and interfacing for prototyping? Calao dev board looks very close to I9070: I have compared the schematics and component list: they look very very much alike. For me, NovaThor U8500 plateform consists of a DB8500 SoC, a Mali 400, a built-in modem + chips for USB, audio and SIM operations.
So, to me, I may be wrong, at least the processor (u8500), PLL, eMMC, SDRAM, UART + several low level controlers should be the same. As we are trying to work at such level (just trying to get the basic system to boot to just enable eMMC write), don't we have a chance to manage to have those work (maybe with adressing adaptation, those might be tough)?
* I can't agree with you that "the "seconds" of power you get on the USB is the device looking for JTAG.": on boot time, even without trashed PBL, the ME connects to USB properly with vendor/ID=04cc/8500, and sends its ASIC ID (displayed on PC screen). As stated earlier in the thread, I manage to send some commands and receive response from the ME in this state using STE tools (flashkit_cli, sending commands threw flashkit_backend).
It's definetly not any JTAG stuffs. JTAG on the I9070 is accessible on the mainboard via dedicated pads, you can locate using the light schematics provided in the "Service manual" package.
This early boot behaviour is documented in the "flash-tool-backend.html" document (available in s-4.1_vendor_st-ericsson.tar in ./s-4.1_vendor_st-ericsson/vendor/st-ericsson/tools/platform/flash_kit/flash_tool_backend/com.stericsson.sdk.backend.build/doc):
Boot process description
When the peripheral boot sequence starts, the ME sends an asic id to the connected PC tool.
The PC tool then answers with a boot indication.
- If normal, ADL or production is sent as boot indication; this means that the x-loader will start the binary software stored at the corresponding location in the boot image (based on the location stated by the TOC).
- If programming is used as boot indication, the PC will send a completely new set of boot code to the ME. This is used when a loader is downloaded during service mode startup via the Flash Tool Backend.
- When the normal boot indication is sent, Flash Tool backend sends no more data and the ME is booted with the binary software stored in the place where the normal software is stored according to the TOC.
The ADL boot scenario works like this:
1. Flash Tool Backend receives asic id
2. Boot indication ADL is sent
3. Flash tool backend starts LCD and LCM and waits for a loader startup message.
The loader is stored at the ADL location of the boot image (this is supported by the assemble tool).
* If I understand well, as we don't have the sources for the bootloader, your proposal is to grab one from a working device.
That sounds a really good idea!
Here is the complete partition table/PIT of the I9070 (recovered by someone with a Riff box from a GB archive, if I remember well):
(copy/paste it in a traditional editor and add padding to recover the table).
Partition number Filename in archive Name in PIT starting offset HEX Size in bytes HEX
MBR, GPT 0 20000
STE_boot.bin TOC ISSW XLOADER 20000 60000
mmcblk0p10 GT-I9070P_EUR_XX_8G.pit PIT 80000 100000
mmcblk0p6 cspsa.img CSPSA FS 180000 180000
EMPTY 300000 100000
mmcblk0p7 EFS.img EFS 400000 A00000
mmcblk0p2 modemfs.img MODEM FS E00000 100000
mem_init.bin STE MEM INIT 1E00000 80000
power_management.bin PWR MGT 1E80000 80000
mmcblk0p14 normal.bin SBL 1F00000 200000
mmcblk0p16 normal2.bin SBL_2 2100000 200000
mmcblk0p1 param.lfs PARAM 2300000 1000000
mmcblk0p12 ipl.bin IPL MODEM 3300000 200000
mmcblk0p13 modem.bin MODEM 3500000 1000000
mmcblk0p15 kernel.bin KERNEL 4500000 1000000
mmcblk0p17 kernel2.bin KERNEL2 5500000 1000000
mmcblk0p3 system.img SYSTEM 6500000 26400000
mmcblk0p5 userdata.img DATAFS 2C900000 80000000
mmcblk0p4 cache.img CACHEFS AC900000 13200000
mmcblk0p9 hidden.img HIDDEN BFB00000 14000000
mmcblk0p11 ssgtest.img FOTA D3B00000 3200000
mmcblk0p8 ums.rfs UMS D6D00000 FAA00000
--> PBL corresponds to "TOC ISSW XLOADER" (STE_boot.bin in the flash archive) and SLB to normal.bin. So basically we have our boot files. We can extract them from the GB flash archive or from a ROM dump (I have dd'ed every partitions from 2 different I9070P + a full recovery dump from a 9070 provided by Riff box support files I found once I don't remember where).
So, if I have time one of theses days, I'll try to build a flash archive based on these files and try to boot from STE tools on it using "programming" as boot indication.
* Using the knowledge of the I9100 (Galaxy S II): I'm afraid this is a very different hardware, I9100 uses an Exynos 4210, so I hardly see what we could use from there... Could you give us some more advise on that idea?
Regards

Hi!
I had no time working on this for a while: extremely busy at work.
Maybe this weekend...
@cocafe: I've read you know how to extract the initramfs from the kernel, modify, repack, and reflash it. I'll need to do that to modify the "on boot" section of the init.rc to launch the recovery from standard boot. Could you drop me here the command lines to do that? Thanks in advance!

This looks by far the most advanced research into bringing back a hard bricked i9070.
@flentus Did you manage to upload a new bootloader?

Hi,
had to time at all to play with this for a loooong time.
I have grabed a few new phones so me 9070 is now burried deep into a drawer but I really wish to finish this one day because I feel I'm very close to something.
If anybody would like to take over this, feel free, I can provide support for the stuff I have understood (and remember of...)
Regards

How To Unbricked A Hard Bricked Phone [ Moto X ]

How To UnBrick A Hard Bricked Moto X​
Hii , First of all I wanna thanks to this awesome scrpit by @s5610 who brought my phone from dead to alive , I think i am the first guy to unbricked the hardbricked phone using this script lol , My phone was hardbricked because i was testing my kernel and entered wrong path in partition due to which i got hard bricked i was worried for my phone , Service Center was asking for 7k in Indian Rupees , i was hopeless then i gave a try to this method , followed all steps written here and then finally i entered to fastboot menu of 30.B7 Kitkat As i was using 30.B7 Bootloader earlier and then i flashed My gpt.bin and S-partition and flashed my stock rom voilla !! and my phone booted the aim was to share this post was this method was on page 42 and only less guys have seen this post , so i created a new thread regarding this
All Credits Goes to - @s5610​
s5610 said:
Unbricking Guide for any Moto X Gen 1 (wire trick)​
Download, and unpack supplied zip to any disk, C: or D:, in root folder. Install driver by launching Qusb.drv.inst.msi, then open Windows' Device Manager, and see if you got "Qualcomm HS-USB QDLoader 9008" device (it is "QHSUSB_DLOAD" without driver installed) located in "COM & LPT ports" section.
If yes, you see it, go to software part below. If it's not there, a full disassemble of the phone is needed to get close to back side of motherboard (google for "iFixit Teardown Moto X Guide" for step-by-step instruction).
So, when you are inside, disconnect the battery first. No need to pull it out, it's glued. Now get to back side of motherboard, and very very gently gain access to the lower left corner of ARM+DRAM shield (see picture). I've done it with Stanley knife. Also you can use miniature nippers - but very carefuly! Once you get access to inner space of shield, use tiny wire to short special pin to the ground (see picture), then connect USB cable, and in the moment when you see "QHSUSB_DLOAD" device (or "Qualcomm HS-USB QDLoader 9008" if driver is installed) pop out in Windows' Device Manager, quickly remove the wire. The goal is to have "Qualcomm HS-USB QDLoader 9008" in "COM & LPT ports" section of Device Manager. If it is achieved, we are done with hardware, and move on to soft part.
Now software part. Go to unzipped C:\Python27 folder, launch bat-file, and wait until finish:
RUN_blank_bootloader_flash.bat
(if you got error like "No data read from USB..." etc, just skip to next step)
Next launch either
- .Boot_KK_4.4.2_B4.exe,
or .Boot_KK_4.4.4_B7.exe,
or .Boot_LP_5.0.2_BC.exe,
or .Boot_LP_5.1.0_BD.exe,
or .Boot_LP_5.1.0_BE.exe
- depends on Android version your phone has last time. If you don't know what you need, begin with first one.
Wait 10 seconds, then launch next bat-file, and wait until finish:
RUN_moto_x_bootloader_flash.bat
Phone should go into fastboot mode! If it doesn't, repeat previous step trying higher version. But don't try to flash BC, BD, and BE, if you didn't install Lollipop on this phone!
OK. Disconnect the USB cable, connect the battery, connect again USB cable (fastboot don't work, if don't see battery). Launch next bat-file:
RUN_gpt.bin_flash.bat
The phone will get in fastboot, ready to be flashed by appropriate firmware. If it is official RSD (SBF), delete from xml strings consisting gpt.bin and motoboot.img for safe flashing.
...
Download link: http://www.mediafire.com/download/3e38rr3wy28s071/Moto.X.Unbrick.zip
This guide was brought to you by s5610
Links that this guide is based on (where I took files and general idea):
http://forum.xda-developers.com/droid-ultra/general/droid-ultra-maxx-brick-recovery-t2830806
http://forum.xda-developers.com/mot...-moto-x-t2629057[/url[/QUOTE][/QUOTE][/QUOTE]
Click to expand...
Click to collapse
Click to expand...
Click to collapse
Click to expand...
Click to collapse

Not sure if additional thread is necessary )
UPDATED
The best resurrection method for Moto X is here.

Can Someone re-upload that file? Thanx!

Please upload the mediafire link...
Plz plz.. I have bricked my phone. It seems that this procedure will work for me. Please upload and save my life.

even i have bricked my moto x...need a working download link..please.

https://drive.google.com/file/d/0B3EDzuzDCakzdWxHa2RWVDJhRXc/view?usp=sharing

Cannot install qsub.drv.inst.msi on my windows 10...says failed to attribute and failed to delete qcusbser.sys.

Thanks

Can we write the full firmware through Qload 9008 mode ???

HI I have a question. I bricked my gf's phone while trying to unlock the bootloader and I am not able to turn the phone on. Only positive feedback is that when I plug it in to the computer, I can hear a notification on my computer. I followed your guide. I can see the "Qualcomm HS-USB QDLoader 9008" device (it is "QHSUSB_DLOAD" without driver installed) located in "COM & LPT ports" section.
Then I followed your software instructions. When I run the RUN_blank_bootloader_flash.bat, I get the following
Code:
Starting qflash!
Executing command qflash.exe -com3 -ramload MPRG8960.hex -mbn 33 MSM8960_bootloa
der_singleimage.bin -v -o
Motorola qflash Utility version 1.3
qflash - com3 is an invalid port
Invalid COM port enteredBlank flashing successful
Device will now enumerate in fastboot mode
Then, I followed the rest of the instructions by trying each .Boot .exe and waitng 10 seconds and finally with RUN_moto_x_bootloader_flash
but I am getting the following error.
Code:
C:\Users\cxx\Desktop\Python27>python qdload.py MPRG8960.bin -ptf _boot\partiti
ons.txt -pt
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: com3
Traceback (most recent call last):
File "qdload.py", line 815, in <module>
main()
File "qdload.py", line 762, in main
tty = openTTY(args.ttyPort)
File "qdload.py", line 174, in openTTY
tty = serial.Serial(port=tty_path, baudrate=115200)
File "C:\Python27\lib\site-packages\serial\serialwin32.py", line 38, in __init
__
SerialBase.__init__(self, *args, **kwargs)
File "C:\Python27\lib\site-packages\serial\serialutil.py", line 282, in __init
__
self.open()
File "C:\Python27\lib\site-packages\serial\serialwin32.py", line 66, in open
raise SerialException("could not open port %r: %r" % (self.portstr, ctypes.W
inError()))
serial.serialutil.SerialException: could not open port 'com3': WindowsError(2, '
The system cannot find the file specified.')
C:\Users\cxx\Desktop\Python27>pause
Press any key to continue . . .
please help.
Thanks.

Device Shows As USB Input
Hey all,
I'm having trouble getting my Windows 7 machine to recognize my XT862 as a QHSUSB device. Windows does recognize it, just as a "USB Input Device" -- very generic, I know -- so I don't think I have to do any motherboard hacks (and I sure hope not!). However, as it won't let me update the driver either, so I can't do anything. Also, when I plug it into my Mac, it does pop up as a Qualcomm Composite Device. Since something's obviously still ticking, where did I go wrong?
Thanks

shengslogar said:
Hey all,
I'm having trouble getting my Windows 7 machine to recognize my XT862 as a QHSUSB device. Windows does recognize it, just as a "USB Input Device" -- very generic, I know -- so I don't think I have to do any motherboard hacks (and I sure hope not!). However, as it won't let me update the driver either, so I can't do anything. Also, when I plug it into my Mac, it does pop up as a Qualcomm Composite Device. Since something's obviously still ticking, where did I go wrong?
Thanks
Click to expand...
Click to collapse
Put it on a charger for 5-6 hrs and see if that will help.I had this same problem but on a Moto G and charging it up helped.

liveroy said:
Put it on a charger for 5-6 hrs and see if that will help.I had this same problem but on a Moto G and charging it up helped.
Click to expand...
Click to collapse
Will do! I think I did try charging it awhile ago, but I'll give it another shot.

can my phone be unbricked?? here is the error log:
RAMLOADER VERSION: PBL_DloadVER2.0
------------------------------------------------------
DEVICE INFORMATION:
------------------------------------------------------
Version : 0x8
Min Version : 0x1
Max Write Size: 0x600
Model : 0x90
Device Size : 0
Description : Intel 28F400BX-TL or Intel 28F400BV-TL
------------------------------------------------------
Using passed in packet size, changing from 0x600 -> 0x600
EXTENDED_LINEAR_ADDRESS_REC @ 0x2a000000
Write 65536 bytes @ 0x2a000000
100EXTENDED_LINEAR_ADDRESS_REC @ 0x2a010000
Write 11840 bytes @ 0x2a010000
100START_LINEAR_ADDRESS_REC @ 0x2a000000
EOF_REC
Sleeping for 3s
sdl_hello() - Invalid response: 7e030003331b7e
sdl_hello() - This is a NAK response from ROM code, which means the device has
een reset back to blank flash mode. Usually this is caused by power supply issu
s. Please try again with battery eliminator if it persists
Unexpected target reset, bailing out after 2 retries

I am trying to install the drivers and it will show up as qhsusb_dload for about 5 seconds then reverts back to Relink HS USB QDloader 9008. Should i try the wire trick? It will say that the Qhsusb drivers are installed but always changes.

Bricked teclast x98 air III??

Hi!
I accidentally installed the 2.05 bios in the mirek flasher on my teclast x98 air III m5c5 now i just get stuck at the chinese letters boot screen och some green battery?!
I can get into DnX mode and Bios menu but when i try to flash the pad again the mirek flasher wont recognize the unit.
I also tried to unbrick the unit through this thread (http://forum.xda-developers.com/x98-air/help/unbrick-bios-softbrick-withouth-eeprom-t3285054/page4) butall i get when trying that in dnx mode is the handle 344 error??
So basically what i need is the program that Ionioni had in that thread but now removed.
Please help
thanks in advance

There WAS (is) other universal unbrick tool from ionioni!
http://forum.xda-developers.com/x98-air/help/baytrail-dnx-mode-bios-flashing-tool-t3295105
I dont know what happened, why it had to be deleted, I have not got this tool.

someone maybe have this tool and update it?

Yep, I got it. I will post it asap.
*****UPDATE*******
Here you can download it flash_bios_dnx_v3 : https://drive.google.com/open?id=0B1EG-i0pY3FINlYyT3E1ekZwOHc
I didn't try it yet, I used ionioni's other tool (C5J8 bios restore).
IT IS YOUR RESPONSIBILITY!!! I have no answers to you.
Instructions:
Baytrail DNX mode BIOS flashing tool
what:
this is an EFI exclusive application (aka what runs on your BIOS chip). the name says it
should work on ALL Baytrail (did not tried other SoC but could be that works there too)
why:
some are having issues in using kernel based tools so this will work for them (hopefully)
how:
1. unzip in some folder (there are only 2 files in the zip, the efi loader and an additional tool)
2. place your bios in this same folder and IMPORTANT run the md5add tool on your bios file (md5add.exe your_bios_file your_signed_bios_file). the tool simply takes the original bios file, computes the md5 for it and then concatenates those two producing the output file. i could have left the bios file pushed to the tab "unsigned" yet it's better this way (so that you are SURE that the file that will be flashed is identical and no bits have been lost corrupted during the fastboot pushing etc). you can check with a hex editor, it only adds 16 bytes (the md5 hash) at the end. if you will try to push an 'unsigned' bios it will NOT accept it!
3. start in dnx mode and input:
fastboot flash osloader bios_flasher.efi
fastboot boot your_signed_bios_file
now wait and read the screen... everything goes AUTOMATICALLY
it seems that on some Baytrail devices (x98?) after the Intel flasher finishes writing the new bios it hangs (on my tab i never experienced that) yet i have owners of x98 that did have the hang. because of this the next verify operation will never start and the tab will hang... if such a case nothing much you can be done, but force a power off (in all the cases experiencing hangs the bios was flashed ok). the verify operation is not so much important (i never had a failed verify operation in past, moreover the flashing is done while in EFI/BIOS stage so nothing can interrupt it in order to mess the writes)
risks... of course there are (but i would say a less than flashing from windows or android)... but since you need to use this i guess it's either this or a flash programmer
ps. goes without saying ... WHAT bios file YOU will use is your responsibility so make sure you use a correct one for your tab model or you might HARD-BRICK!!!... this tool just takes it and writes it on your device!

Reset or re-flash uefi after wrong modifications

Hi all!
I have an asus memo pad me176cx. I did some stuff with it and now it seems bricked, but not fully (as I hope...).
But I am not very experienced user with android, so I have a few adjacent questions to define myself in root concepts.
On general - I tried to install debian linux on my tablet. Looking ahead - i managed to run installer. But in order...
My actions before i got brick.
I got an issue similar to this one after updates. There i saw that tablet has a kind of uefi. And i decided to run debian. Prepared usb-installer, connected that one and keyboard via OTG by hub(i have one with led indicator). I pressed F2 and power button on tablet, and saw uefi. There did boot override -> UEFI jet flash. And debian installer ran succesfully.
But after about a minute on-hub led becomes dark, as did flash led. Kbd was not working. At that moment i was on network config step and decided to reboot tablet. Power button about 10sec - and all over again. But after a while - same issue. It would not be nice if flash comes down while packages copying - I thought. And... Of cause boot into uefi to search some otg-power-options (btw i got same behaviour with otg in uefi and was forced to make changes quickly or reboot).
I don`t remember what option exactly i changed, but i have only hw buttons on tablet working. No otg at all (led is always dark now, no flash none kbd works), no touchscreen (i have twrp installed and checked there).
Finally, what works.
I can press vol+ - vol- - pwr, then see "Fastboot startnig... #1 #2 #3" on display - and get into some mode, called DNX (as i googled).
Code:
fastboot devices
shows my tablet. But i can flash only osloader partition. Other way - error, unsupported operation. Also i can command
Code:
fastboot boot droidboot.img
and get into bootloader. This case at the bottom of screen shown "Waiting for fastboot cmd...". But
Code:
fastboot devices
shows notheng. Any other fastboot commands stuck on "wating for any device...". But with vol-buttons i can choose recovery mode, then press power and get into twrp and look on "Swipe to allow filesystem modification". But as far as touchscreen dows not work (as otg-keyboard) - i can`t do anything else. adbd seems not started yet, as
Code:
adb devices
shows nothing (or micro-usb plug simply disabled with uefi). And that is all, i can`t do anything else...
In fine, my questions are:
Mode started by "vol+ - vol- - pwr" - does it DNX or fastboot? How to find out what commnds i can run there? (At the moment I know 2 only: flash osloader and boot). Why flash ESP, erase, even get [some_var] does not work here? Is there a way to re-flash or reset uefi settings from this mode?
Or any other ways to reset uefi? (as possible without microwave...)
Also, what difference between osloader and bootloader? I suggest that osloader is a partition and bootloader is a program placed in that partition. But what exactly i do with command "fastboot flash osloader efilinux.efi"?
Sorry for lot of text, but I actualy don`t know how this modes called and got confused. Any help would be appriciated.
Anyway, thanks a lot!

mk3pq28 said:
I don`t remember what option exactly i changed, but i have only hw buttons on tablet working. No otg at all (led is always dark now, no flash none kbd works), no touchscreen (i have twrp installed and checked there).
Click to expand...
Click to collapse
I think I've seen some option that changes the way USB OTG is set up. By changing it you have probably disabled USB OTG entirely now... :/
mk3pq28 said:
Mode started by "vol+ - vol- - pwr" - does it DNX or fastboot?
Click to expand...
Click to collapse
DNX
mk3pq28 said:
How to find out what commnds i can run there? (At the moment I know 2 only: flash osloader and boot). Why flash ESP, erase, even get [some_var] does not work here?
Click to expand...
Click to collapse
DNX is not a full fastboot implementation. It runs in the firmware, somewhere during early UEFI initialization. It's mostly designed for recovery when the (Android) bootloader is no longer working. The two commands you know are the only ones I'm aware of, sorry :/
mk3pq28 said:
Is there a way to re-flash or reset uefi settings from this mode?
Or any other ways to reset uefi? (as possible without microwave...)
Click to expand...
Click to collapse
I can imagine that it is possible but I have to admit that I don't know how. For example there is Intel® Platform Flash Tool Lite that allows re-flashing pretty much all of the device, but I'm not sure where you'd get the factory files. At the moment, I don't have any suggestions how to solve your problem... :/
mk3pq28 said:
Also, what difference between osloader and bootloader? I suggest that osloader is a partition and bootloader is a program placed in that partition. But what exactly i do with command "fastboot flash osloader efilinux.efi"?
Click to expand...
Click to collapse
osloader refers to the EFI application that is started. efilinux.efi is an Android bootloader for UEFI. In this case it's not actually written persistently somewhere, it is just loaded into RAM and then executed.

lambdadroid,
first of all - thanks a lot for your participating!
So, after your clarification I made a few suggestions.
lambdadroid said:
I can imagine that it is possible but I have to admit that I don't know how. For example there is Intel® Platform Flash Tool Lite that allows re-flashing pretty much all of the device, but I'm not sure where you'd get the factory files.
Click to expand...
Click to collapse
First one. I installed it and downloaded service firmware. Flash tool found my tablet and showed some info:
Plaform: Intel Corporation
Hardware: Intel Android AD
Status: DNX_OS
Connected on port: 0/1 (number of usb port, i think)
DnX SN: Baytrail<some>
Then i selected service firmware and flash tool showed me flash.xml in "flash file" field. Everything looks normal at the moment, until i pressed flash)
The only one record appeared in log below: "Failed to reboot the device. Flash failed". And i don`t know someshing else i can make here.
I am new here and can`t post links to outside, but i googled some more meaningful examples of log by my error. And as i understood chain of commands - flash tool does exactly same as i did. I.e. flashes osloader in dnx mode, then boots in fastboot and flashes another partitions there. Correct me if i`m wrong but it does not seems for my case, unfortunately
And the second one, more complex.
I had googled a lot about uefi and it`s settings location. I found out that "settings" made in uefi are stored in memory called NVRAM. It is non-volatile and can not be reset by battery disconnected (yes, i tried that, ofc). But there should be a flag called NVRAM_IS_VALID. And once it gets disabled - uefi is forced to reset all the settings to defaults next boot time. I`m not sure, but looks like my solution!
And I can suggest two ways of setting this flag.
lambdadroid said:
osloader refers to the EFI application that is started. efilinux.efi is an Android bootloader for UEFI.
Click to expand...
Click to collapse
First one - uefi shell. If i can replace bootloader, may it be a shell? I downloaded one from github (a link should be here ) but have no success yet. It`s size about 930kb, but my working one bootloader - is 2mb. And when i make flash - nothing happens:
Code:
# fastboot flash osloader Shell.efi
target didn't report max-download-size
sending 'osloader' (929 KB)...
Nothing more. Maybe there should be some special kind of uefi-shell for android? Or I can`t flash nothing but bootloder into osloader partition at all? But even if i`m succeed - i`m not sure that uefi would not disable otg before shell get running.
So my second and the last sugesstion. It`s fully theoretical, but... I need to write a custom efi app (.efi files are kind of applications for uefi, written in c, right?) that would be flashed into osloader and should disable NVRAM_IS_VALID flag (ohh, does that flag exists at all?...). Does it possible?
Anyway, thanks a lot for any help!

mk3pq28 said:
I installed it and downloaded service firmware. Flash tool found my tablet and showed some info:
Plaform: Intel Corporation
Hardware: Intel Android AD
Status: DNX_OS
Connected on port: 0/1 (number of usb port, i think)
DnX SN: Baytrail<some>
Then i selected service firmware and flash tool showed me flash.xml in "flash file" field. Everything looks normal at the moment, until i pressed flash)
The only one record appeared in log below: "Failed to reboot the device. Flash failed". And i don`t know someshing else i can make here.
I am new here and can`t post links to outside, but i googled some more meaningful examples of log by my error. And as i understood chain of commands - flash tool does exactly same as i did. I.e. flashes osloader in dnx mode, then boots in fastboot and flashes another partitions there. Correct me if i`m wrong but it does not seems for my case, unfortunately
Click to expand...
Click to collapse
Okay, yeah, that's very well possible. I've never used that tool and don't know what it does.
mk3pq28 said:
I had googled a lot about uefi and it`s settings location. I found out that "settings" made in uefi are stored in memory called NVRAM. It is non-volatile and can not be reset by battery disconnected (yes, i tried that, ofc). But there should be a flag called NVRAM_IS_VALID. And once it gets disabled - uefi is forced to reset all the settings to defaults next boot time. I`m not sure, but looks like my solution!
Click to expand...
Click to collapse
It makes sense that the settings are stored in the NVRAM. But that's about all I can comment on; I'm not sure if that flag exists on this tablet or even if it will reset to the correct results.
mk3pq28 said:
uefi shell. If i can replace bootloader, may it be a shell? I downloaded one from github (a link should be here ) but have no success yet. It`s size about 930kb, but my working one bootloader - is 2mb. And when i make flash - nothing happens:
Code:
# fastboot flash osloader Shell.efi
target didn't report max-download-size
sending 'osloader' (929 KB)...
Nothing more. Maybe there should be some special kind of uefi-shell for android? Or I can`t flash nothing but bootloder into osloader partition at all? But even if i`m succeed - i`m not sure that uefi would not disable otg before shell get running.
Click to expand...
Click to collapse
You may need to run "fastboot boot droidboot.img" (or any other image) too to have Fastboot run the EFI application. The Shell application will then likely ignore the additional boot image. However, as you mention, I believe that OTG will get disabled before the shell is running. The UEFI shell application is no different from the UEFI Setup as far as OTG is concerned. So if you are unable to enter the setup with F2 then the UEFI shell will probably not work either. So even if the Shell starts, I doubt that you will be able to run commands.
And no, there is no special kind of UEFI Shell for Android. This is all unrelated to Android actually.
mk3pq28 said:
It`s fully theoretical, but... I need to write a custom efi app (.efi files are kind of applications for uefi, written in c, right?) that would be flashed into osloader and should disable NVRAM_IS_VALID flag (ohh, does that flag exists at all?...). Does it possible?
Click to expand...
Click to collapse
That's actually something I considered suggesting yesterday. I decided against it because it's obviously not trivial and I'm not sure if EFI applications can actually access that flag or BIOS settings in general... However, I can assist you with how to write EFI applications in general. They are usually written in C and then compiled using some funky compiler flags and tools to .efi.
An example for a very simple EFI application is "bootstrap.efi" that is used in me176c-boot. The source for it is available at https://github.com/me176c-dev/me176c-boot/tree/master/bootstrap
In me176c-boot it runs as first EFI application and checks if the tablet was booted due to charger insertion; if yes then it sets an EFI variable. I'm not sure if the flag you mention is exposed as an EFI variable. However, persistent EFI variables are also stored in the NVRAM, so that might be something to look at. It's built using Meson (see meson.build). The build script might be of help to you.

lambdadroid said:
That's actually something I considered suggesting yesterday. I decided against it because it's obviously not trivial and I'm not sure if EFI applications can actually access that flag or BIOS settings in general...
Click to expand...
Click to collapse
But I don`t see any other kind of solution.
lambdadroid said:
It makes sense that the settings are stored in the NVRAM. But that's about all I can comment on; I'm not sure if that flag exists on this tablet or even if it will reset to the correct results.
Click to expand...
Click to collapse
I think it won`t get worse anyway, so...
Thanks a lot for your general information about efi. I took that and was able to get started. I did some experiments and had interesting results. Little notice - i`m on debian.
At first
I had installed gnu-efi and mason. Also googled "Hello world" in efi-style. I still cant post links to outside but the code is below. Looking ahead - had no result with one Print because it was closed very fast so i added a loop.
Code:
#include <efi.h>
#include <efilib.h>
EFI_STATUS
EFIAPI
efi_main (EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
{
InitializeLib(ImageHandle, SystemTable);
for (int i = 0; i < 5000; ++i)
{
Print(L"B It works!!!\r\n");
}
return EFI_SUCCESS;
}
Looks simple.
Also i took your meson.build and replaced file names with mine. But i got a few conpilation errors so i had removed some keys from target. Here it is:
Code:
project('tutorial', 'c')
arch = host_machine.cpu_family()
efi_include_dir = '/usr/include/efi'
efi_include = include_directories(
efi_include_dir,
join_paths(efi_include_dir, arch),
is_system: true
)
efi_lds = '/usr/lib/elf_' + arch + '_efi.lds'
efi_crt = '/usr/lib/crt0-efi-' + arch + '.o'
bootstrap_lib = shared_library('bootstrap',
'hello_efi.c',
include_directories: [efi_include],
objects: [efi_crt],
link_args: [
'-T', efi_lds,
'-nostdlib',
'-z', 'nocombreloc',
'-Wl,-Bsymbolic',
'-lefi', '-lgnuefi'
]
)
objcopy = find_program('objcopy')
custom_target('bootstrap.efi',
output: 'bootstrap.efi',
input: bootstrap_lib,
command: [objcopy,
'--target=efi-app-' + arch,
'-j', '.text',
'-j', '.sdata',
'-j', '.data',
'-j', '.dynamic',
'-j', '.dynsym',
'-j', '.rel',
'-j', '.rela',
'-j', '.reloc',
'@[email protected]', '@[email protected]'
],
install: true,
install_dir: ''
)
hello_efi.c contains source code from above.
This is my first meson build so if yoy see some obvious mistakes or excess options - i would be much appreciated if you point on them.
At second
I created builddir, commanded "meson" and "ninja" and got such output:
Code:
[1/3] Compiling c object '[email protected]/hello_efi.c.o'
../hello_efi.c: In function ‘efi_main’:
../hello_efi.c:13:9: warning: passing argument 1 of ‘Print’ from incompatible pointer type [-Wincompatible-pointer-types]
Print(L"B It works!!!\r\n");
^~~~~~~~~~~~~~~~~~~~
In file included from ../hello_efi.c:2:0:
/usr/include/efi/efilib.h:404:1: note: expected ‘CHAR16 * {aka short unsigned int *}’ but argument is of type ‘int *’
Print (
^~~~~
[3/3] 'Generating bootstrap.efi with a custom command.'
I am not very familiar with C and can`t get rid of warning to print my message properly. As far as Print requires CHAR16 pointer only first symbol is printed. How to properly get and array of CHAR16 from "a string"?
Anyway, it`s a bite of success.
And at third, final
I was very happy and connected tab (in DNX, ofc) with pc and commaned: "fastboot flash osloader bootstrap.efi".
Code:
target didn't report max-download-size
sending 'osloader' (44 KB)...
And nothing more. Command is still running untill tablet reboot. But!
I have another ont efilinux.efi was downloaded from somewhere. And it flashes correctly! The only difference is on size: 44KB vs 2MB.
I did some research with dd-util and found one interesting thing. It is allowed to flash osloader partition in dnx mode with completely any binary data within (nearly) 1MB .. 20MB. In this case "fastboot flash osloader ..." says OK twice and finishes properly.
So, my flow after compilation have a such look (2057216 - is a size of my working example efilinux.efi)
Code:
$ dd if=/dev/zero of=container.efi count=2057216 iflag=count_bytes
$ dd if=bootstrap.efi of=container.efi conv=nocreat,notrunc
# fastboot flash osloader container.efi
# fastboot boot droidboot.img
... and i have a char 'B' on screen printed 5000 times. I think it`s another one bite of success
But i can`t find any docs for efi.h (efilib.h). Which capabilities they provides? What is set of functinos?
There is another example with
Code:
uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, L"Hello World!\n");"
but it is not obvious how to work with uefi services in this way.
I googled that most of uefi settings are stored in "Setup" variable. I think it may be useful at least to print them. But don`t know how, yet.
I will google it further but in general i don`t know what is the next step should be.

Also i have an idea to use such trick to flash efi-shell. But didn`t tried yet.

mk3pq28 said:
At first
I had installed gnu-efi and mason. Also googled "Hello world" in efi-style. I still cant post links to outside but the code is below. Looking ahead - had no result with one Print because it was closed very fast so i added a loop.
Code:
#include <efi.h>
#include <efilib.h>
EFI_STATUS
EFIAPI
efi_main (EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
{
InitializeLib(ImageHandle, SystemTable);
for (int i = 0; i < 5000; ++i)
{
Print(L"B It works!!!\r\n");
}
return EFI_SUCCESS;
}
Looks simple.
Also i took your meson.build and replaced file names with mine. But i got a few conpilation errors so i had removed some keys from target. Here it is:
Code:
project('tutorial', 'c')
arch = host_machine.cpu_family()
efi_include_dir = '/usr/include/efi'
efi_include = include_directories(
efi_include_dir,
join_paths(efi_include_dir, arch),
is_system: true
)
efi_lds = '/usr/lib/elf_' + arch + '_efi.lds'
efi_crt = '/usr/lib/crt0-efi-' + arch + '.o'
bootstrap_lib = shared_library('bootstrap',
'hello_efi.c',
include_directories: [efi_include],
objects: [efi_crt],
link_args: [
'-T', efi_lds,
'-nostdlib',
'-z', 'nocombreloc',
'-Wl,-Bsymbolic',
'-lefi', '-lgnuefi'
]
)
objcopy = find_program('objcopy')
custom_target('bootstrap.efi',
output: 'bootstrap.efi',
input: bootstrap_lib,
command: [objcopy,
'--target=efi-app-' + arch,
'-j', '.text',
'-j', '.sdata',
'-j', '.data',
'-j', '.dynamic',
'-j', '.dynsym',
'-j', '.rel',
'-j', '.rela',
'-j', '.reloc',
'@[email protected]', '@[email protected]'
],
install: true,
install_dir: ''
)
hello_efi.c contains source code from above.
This is my first meson build so if yoy see some obvious mistakes or excess options - i would be much appreciated if you point on them.
At second
I created builddir, commanded "meson" and "ninja" and got such output:
Code:
[1/3] Compiling c object '[email protected]/hello_efi.c.o'
../hello_efi.c: In function ‘efi_main’:
../hello_efi.c:13:9: warning: passing argument 1 of ‘Print’ from incompatible pointer type [-Wincompatible-pointer-types]
Print(L"B It works!!!\r\n");
^~~~~~~~~~~~~~~~~~~~
In file included from ../hello_efi.c:2:0:
/usr/include/efi/efilib.h:404:1: note: expected ‘CHAR16 * {aka short unsigned int *}’ but argument is of type ‘int *’
Print (
^~~~~
[3/3] 'Generating bootstrap.efi with a custom command.'
I am not very familiar with C and can`t get rid of warning to print my message properly. As far as Print requires CHAR16 pointer only first symbol is printed. How to properly get and array of CHAR16 from "a string"?
Anyway, it`s a bite of success.
Click to expand...
Click to collapse
I believe the compiler argument that avoids this error is -fshort-wchar, but you seem to have removed all c_args: https://github.com/me176c-dev/me176c-boot/blob/master/bootstrap/meson.build#L33 All of these compiler arguments have a purpose, can you check which one is causing errors exactly and post the error here?
mk3pq28 said:
And at third, final
I was very happy and connected tab (in DNX, ofc) with pc and commaned: "fastboot flash osloader bootstrap.efi".
Code:
target didn't report max-download-size
sending 'osloader' (44 KB)...
And nothing more. Command is still running untill tablet reboot. But!
I have another ont efilinux.efi was downloaded from somewhere. And it flashes correctly! The only difference is on size: 44KB vs 2MB.
I did some research with dd-util and found one interesting thing. It is allowed to flash osloader partition in dnx mode with completely any binary data within (nearly) 1MB .. 20MB. In this case "fastboot flash osloader ..." says OK twice and finishes properly.
So, my flow after compilation have a such look (2057216 - is a size of my working example efilinux.efi)
Code:
$ dd if=/dev/zero of=container.efi count=2057216 iflag=count_bytes
$ dd if=bootstrap.efi of=container.efi conv=nocreat,notrunc
# fastboot flash osloader container.efi
# fastboot boot droidboot.img
Click to expand...
Click to collapse
That's weird, the size shouldn't matter at all. But it doesn't really matter, as long as it works.
mk3pq28 said:
But i can`t find any docs for efi.h (efilib.h). Which capabilities they provides? What is set of functinos?
There is another example with
Code:
uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, L"Hello World!\n");"
but it is not obvious how to work with uefi services in this way.
I googled that most of uefi settings are stored in "Setup" variable. I think it may be useful at least to print them. But don`t know how, yet.
I will google it further but in general i don`t know what is the next step should be.
Click to expand...
Click to collapse
Generally, the interface exposed by gnu-efi is according to the UEFI specification: http://www.uefi.org/sites/default/files/resources/UEFI Spec 2_7_A Sept 6.pdf
In there you can find a list of protocols you can use, e.g. search for the "OutputString" method used above.
uefi_call_wrapper is an implementation detail of gnu-efi, but basically it's uefi_call_wrapper(<method>, <number of parameters>, <parameters...>).
The main remaining question, and the one I can't really help you with is how you can reset your BIOS settings using the UEFI application API. Maybe something to look at first would be the "Variable Services" (see UEFI specification). Maybe you can change one of the EFI variables to restore the default BIOS settings.

lambdadroid said:
I believe the compiler argument that avoids this error is -fshort-wchar, but you seem to have removed all c_args: https://github.com/me176c-dev/me176c-boot/blob/master/bootstrap/meson.build#L33 All of these compiler arguments have a purpose, can you check which one is causing errors exactly and post the error here?
Click to expand...
Click to collapse
Yes, this key removed warning. Thanks.
lambdadroid said:
Generally, the interface exposed by gnu-efi is according to the UEFI specification: http://www.uefi.org/sites/default/files/resources/UEFI Spec 2_7_A Sept 6.pdf
In there you can find a list of protocols you can use, e.g. search for the "OutputString" method used above.
Click to expand...
Click to collapse
Exactly one i`m looking for. Thanks again!
Unfortunately there is nothing about NVRAM_IS_VALID there.
But there is a function called "ResetSystem()" (p.269). It should reset the entire platform as written in doc.
My code:
Code:
#include <efi.h>
#include <efilib.h>
EFI_STATUS
EFIAPI
#define SLEEP 100
efi_main (EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
{
InitializeLib(ImageHandle, SystemTable);
for (int i = 0; i < SLEEP; ++i)
{
Print(L"It works!!! #%d", i);
uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, L"\r\n");
}
int res = uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, EFI_SUCCESS, 0, NULL);
for (int i = 0; i < SLEEP; ++i) Print(L"%d\r\n", res);
return EFI_SUCCESS;
}
}
Yes, i`d noticed that "The ResetSystem() function does not return".
But i`m not sure that i call it properly.
When i run the code above - it prints the message 100 times, then screen blinks and the next message appears: "EFILINUX ERROR [start_boot_logic:498] No valid target found.
Fallbacking to MOS" in about 3 sec. Looks like there no reboot in this case because of the intel logo is not shown. I have no system on my tablet, but it`s another story.
The main point is there is no black screen with intel logo for about 15-20 sec as in case of normal boot.
In addition i tried to change call with:
Code:
uefi_call_wrapper(RT->ResetSystem, 4, L"Wrong_argument", EFI_SUCCESS, 0, NULL)
and it prints "968832152" return code. Does it fail somewhere before ResetSystem() or exactly inside?
So am i calling this function correctly?

mk3pq28 said:
Yes, this key removed warning. Thanks.
Exactly one i`m looking for. Thanks again!
Unfortunately there is nothing about NVRAM_IS_VALID there.
But there is a function called "ResetSystem()" (p.269). It should reset the entire platform as written in doc.
My code:
Code:
#include <efi.h>
#include <efilib.h>
EFI_STATUS
EFIAPI
#define SLEEP 100
efi_main (EFI_HANDLE ImageHandle, EFI_SYSTEM_TABLE *SystemTable)
{
InitializeLib(ImageHandle, SystemTable);
for (int i = 0; i < SLEEP; ++i)
{
Print(L"It works!!! #%d", i);
uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, L"\r\n");
}
int res = uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, EFI_SUCCESS, 0, NULL);
for (int i = 0; i < SLEEP; ++i) Print(L"%d\r\n", res);
return EFI_SUCCESS;
}
}
Yes, i`d noticed that "The ResetSystem() function does not return".
But i`m not sure that i call it properly.
When i run the code above - it prints the message 100 times, then screen blinks and the next message appears: "EFILINUX ERROR [start_boot_logic:498] No valid target found.
Fallbacking to MOS" in about 3 sec. Looks like there no reboot in this case because of the intel logo is not shown. I have no system on my tablet, but it`s another story.
The main point is there is no black screen with intel logo for about 15-20 sec as in case of normal boot.
In addition i tried to change call with:
Code:
uefi_call_wrapper(RT->ResetSystem, 4, L"Wrong_argument", EFI_SUCCESS, 0, NULL)
and it prints "968832152" return code. Does it fail somewhere before ResetSystem() or exactly inside?
So am i calling this function correctly?
Click to expand...
Click to collapse
I'm afraid ResetSystem() is not what you are looking for: ResetSystem() is only used to reboot the system, it does not "reset" any settings. So the screen flashes and you see that message because the tablet is restarted normally. (The bootloader you are using displays an error if you reboot without setting a "reboot target").
So you need to find some other method, or entirely different solution unfortunately. I just did a bit of research myself, but unfortunately didn't find anything of help..