GM 4G Dont work second sim after brick. Please help me! - Android One (Second-Generation) General

Hi, i have GM 4G Dual. My phone was bricked, i download LUZ59F_DUOS.zip and flashed. But phone became single sim. Text in about phone: General Mobile 4G. How fix it? Please help me.
forum.one-teams.com/Konu-TOOL-HardbrickFix-General-Mobile-4G-QFIL-HardBrick-Tool
Sorry for my english, i used translator.

Just flash non-hlos.bin for dual
I've already pulled for one-team forum

nhmanas said:
Just flash non-hlos.bin for dual
I've already pulled for one-team forum
Click to expand...
Click to collapse
I flashed CM 13 Recover SW QFIL (Wileyfox Swift) for dual sim work, later i found Dual Sim QFIL Firmware (GM 4G Dual), now it is impossible to install the LUZ59F_DUOS and Dual Sim QFIL Firmware (GM 4G Dual). But CM 13 Recover SW QFIL (Wileyfox Swift) flasing successfully. I used normal and modified cable. How fix it? Please help!!!
QFIL Log:
HTML:
Validating Application Configuration
Load APP Configuration
COM:-1
SAHARA:True
SAHARA:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
SEARCHPATH:C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM:
rawprogram_upgrade.xml
PATCH:
patch0.xml
ACKRAWDATAEVERYNUMPACKETS:False
ACKRAWDATAEVERYNUMPACKETS:100
MAXPAYLOADSIZETOTARGETINBYTES:False
MAXPAYLOADSIZETOTARGETINBYTES:49152
DEVICETYPE:eMMC
PLATFORM:8x26
READBACKMODE:0
RESETAFTERDOWNLOAD:False
MAXDIGESTTABLESIZE:8192
SWITCHTOFIREHOSETIMEOUT:30
RESETTIMEOUT:200
RESETDELAYTIME:2
FLATBUILDPATH:C:\
FLATBUILDFORCEOVERRIDE:True
QCNPATH:C:\Temp\00000000.qcn
QCNAUTOBACKUPRESTORE:False
SPCCODE:000000
ENABLEMULTISIM:True
Load ARG Configuration
Process Index:0
Validating Download Configuration
Image Search Path: C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM file path: C:\Users\XXX\Downloads\Compressed\SW\main\rawprogram_upgrade.xml
PATCH file path:C:\Users\XXX\Downloads\Compressed\SW\main\patch0.xml
Programmer Path:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
Image Search Path: C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM file path: C:\Users\XXX\Downloads\Compressed\SW\main\rawprogram_upgrade.xml
PATCH file path:C:\Users\XXX\Downloads\Compressed\SW\main\patch0.xml
Start Download
Program Path:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
COM Port number:4
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Download Fail:Unable to download Flash Programmer using Sahara Protocol
Download Fail:Sahara FailSahara Fail
Finish Download

TigOne said:
I flashed CM 13 Recover SW QFIL (Wileyfox Swift) for dual sim work, later i found Dual Sim QFIL Firmware (GM 4G Dual), now it is impossible to install the LUZ59F_DUOS and Dual Sim QFIL Firmware (GM 4G Dual). But CM 13 Recover SW QFIL (Wileyfox Swift) flasing successfully. I used normal and modified cable. How fix it? Please help!!!
QFIL Log:
HTML:
Validating Application Configuration
Load APP Configuration
COM:-1
SAHARA:True
SAHARA:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
SEARCHPATH:C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM:
rawprogram_upgrade.xml
PATCH:
patch0.xml
ACKRAWDATAEVERYNUMPACKETS:False
ACKRAWDATAEVERYNUMPACKETS:100
MAXPAYLOADSIZETOTARGETINBYTES:False
MAXPAYLOADSIZETOTARGETINBYTES:49152
DEVICETYPE:eMMC
PLATFORM:8x26
READBACKMODE:0
RESETAFTERDOWNLOAD:False
MAXDIGESTTABLESIZE:8192
SWITCHTOFIREHOSETIMEOUT:30
RESETTIMEOUT:200
RESETDELAYTIME:2
FLATBUILDPATH:C:\
FLATBUILDFORCEOVERRIDE:True
QCNPATH:C:\Temp\00000000.qcn
QCNAUTOBACKUPRESTORE:False
SPCCODE:000000
ENABLEMULTISIM:True
Load ARG Configuration
Process Index:0
Validating Download Configuration
Image Search Path: C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM file path: C:\Users\XXX\Downloads\Compressed\SW\main\rawprogram_upgrade.xml
PATCH file path:C:\Users\XXX\Downloads\Compressed\SW\main\patch0.xml
Programmer Path:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
Image Search Path: C:\Users\XXX\Downloads\Compressed\SW\main
RAWPROGRAM file path: C:\Users\XXX\Downloads\Compressed\SW\main\rawprogram_upgrade.xml
PATCH file path:C:\Users\XXX\Downloads\Compressed\SW\main\patch0.xml
Start Download
Program Path:C:\Users\XXX\Downloads\Compressed\SW\main\prog_emmc_firehose_8916.mbn
COM Port number:4
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Download Fail:Unable to download Flash Programmer using Sahara Protocol
Download Fail:Sahara FailSahara Fail
Finish Download
Click to expand...
Click to collapse
well pal.. I don't understand a thing.. I see that you are Turkish. PM me in Turkish. We are not allowed to use any other language but English on xda forums.

nhmanas said:
well pal.. I don't understand a thing.. I see that you are Turkish. PM me in Turkish. We are not allowed to use any other language but English on xda forums.
Click to expand...
Click to collapse
You can make a copy of the system, for the HDD RAW Copy or eMMC Raw Tool? Please share me!

TigOne said:
You can make a copy of the system, for the HDD RAW Copy or eMMC Raw Tool? Please share me!
Click to expand...
Click to collapse
the link for CM 13 Recover SW QFIL is not working, can you post it again. I have a wileyfox swift that is bricked

Related

Phone Platform ID Modification

Looks like the WPRT has corrupted my Platform ID. It is reported by Thor2 as:
Nokia MSM8974..2..2.
When I check the FFU file of the recovery download:
Nokia.MSM8974.P6039
So, 2 questions:
1) Does anyone know how to update/modify the phones Platform ID?
2) Does anyone know where a Lumia Icon RM-927 hex file can be found?
dumper_gumper said:
Looks like the WPRT has corrupted my Platform ID. It is reported by Thor2 as:
Nokia MSM8974..2..2.
When I check the FFU file of the recovery download:
Nokia.MSM8974.P6039
So, 2 questions:
1) Does anyone know how to update/modify the phones Platform ID?
2) Does anyone know where a Lumia Icon RM-927 hex file can be found?
Click to expand...
Click to collapse
Hi, I have the exact problem did you manage to solve it?????
My phone is Lumia 1520 RM-940, and I have tried everything humanly possible to fix it but i couldn't.
The phone is bricked and no rom will ever flash on it because of the wrong platform ID error
guys if anyone has any idea how to either skip the id check or change a platform id of the rom to match the corrupted one or any other solution. then please help.
Thanks in advance
oke lol
dumper_gumper said:
Looks like the WPRT has corrupted my Platform ID. It is reported by Thor2 as:
Nokia MSM8974..2..2.
When I check the FFU file of the recovery download:
Nokia.MSM8974.P6039
So, 2 questions:
1) Does anyone know how to update/modify the phones Platform ID?
2) Does anyone know where a Lumia Icon RM-927 hex file can be found?
Click to expand...
Click to collapse
ekhader said:
Hi, I have the exact problem did you manage to solve it?????
My phone is Lumia 1520 RM-940, and I have tried everything humanly possible to fix it but i couldn't.
The phone is bricked and no rom will ever flash on it because of the wrong platform ID error
Click to expand...
Click to collapse
Are you using the updated tool and what mode is your phone in? These were downloaded directly from the WPRT which has been rebranded and updated to Windows Device Recovery Tool. If you are stuck with Emergency Download mode QHUSB_DLOAD/QHUSB_BULK then use Emergency payload cmd
Code:
thor2 -mode emergency -hexfile MPRG8974_fh.ede -edfile RM927_fh.edp
or
Code:
thor2 -mode emergency -hexfile MPRG8974_fh.ede -edfile RM940_fh.edp
Or just try using the updated tool if you haven't already
tonbonz said:
Are you using the updated tool and what mode is your phone in? These were downloaded directly from the WPRT which has been rebranded and updated to Windows Device Recovery Tool. If you are stuck with Emergency Download mode QHUSB_DLOAD/QHUSB_BULK then use Emergency payload cmd
Code:
thor2 -mode emergency -hexfile MPRG8974_fh.ede -edfile RM927_fh.edp
or
Code:
thor2 -mode emergency -hexfile MPRG8974_fh.ede -edfile RM940_fh.edp
Or just try using the updated tool if you haven't already
Click to expand...
Click to collapse
Hi,
Thanks for replying,
Yes I am using the latest tool and the device is in flash mode so its not stuck in the emergency mode.
the problem is that the recovery tool changed the device Platform ID from : Nokia.MSM8974.P6081_ATT.2.2 -----> Nokia.MSM8974..2.2
so after this change everytime i try to flash it gives the error : Platform Id Check failed, even though i am using the official and correct version of the firmware.
I have tried so many things to bypass this check but they all failed.
I wonder if the emergency flashing of the device was the cause of changing the Platform ID, I am not sure how the tool even managed to change the device Platform ID, and thinking is there anyway i can return the original platform ID ???
and by the way the attached files you posted for RM-940 they are corrupted or something winRar couldn't extract them.
-Thanks
ekhader said:
Hi,
Thanks for replying,
Yes I am using the latest tool and the device is in flash mode so its not stuck in the emergency mode.
the problem is that the recovery tool changed the device Platform ID from : Nokia.MSM8974.P6081_ATT.2.2 -----> Nokia.MSM8974..2.2
so after this change everytime i try to flash it gives the error : Platform Id Check failed, even though i am using the official and correct version of the firmware.
I have tried so many things to bypass this check but they all failed.
I wonder if the emergency flashing of the device was the cause of changing the Platform ID, I am not sure how the tool even managed to change the device Platform ID, and thinking is there anyway i can return the original platform ID ???
and by the way the attached files you posted for RM-940 they are corrupted or something winRar couldn't extract them.
-Thanks
Click to expand...
Click to collapse
Fixed corrupt zip....Thank you!!! Are you in UEFI flash mode (thunderbolt/gear symbol) or Nokia flash? What tool are you using to flash? See if thor2, WP Image Designer, or ffutool recognize the device the same. I used WPID to flash ffu downloaded from navifirm after emergency flash because Recovery Tool kept getting corrupt ffu file. If all else fails you can try hard reset using power and volume button combos.
tonbonz said:
Fixed corrupt zip....Thank you!!! Are you in UEFI flash mode (thunderbolt/gear symbol) or Nokia flash? What tool are you using to flash? See if thor2, WP Image Designer, or ffutool recognize the device the same. I used WPID to flash ffu downloaded from navifirm after emergency flash because Recovery Tool kept getting corrupt ffu file. If all else fails you can try hard reset using power and volume button combos.
Click to expand...
Click to collapse
Yes the device is in UEFI flash mode, but its completely dead bricked no screen showing no hard or soft reset, nothing showing on the device no vibration no power off/on.
the only way i communicate with the device is through the usb and thor2.exe
I tried to use the ffutool but it won't detect the phone, and neither would the WPID. even though the Nokia NSU and WDRT do detect the device. Is there a special thing should be done so the ffutool could detect the device?
I even made a modified version of the FFUClient/FFuComponent.dll to flash device and changed the usb code detection but still I couldn't get it to work.
BTW the RM-940_firehose.zip you uploaded is still corrupted, i would be happy to try it out and see if this has any effect on the Platform ID of the device.
ekhader said:
Yes the device is in UEFI flash mode, but its completely dead bricked no screen showing no hard or soft reset, nothing showing on the device no vibration no power off/on.
the only way i communicate with the device is through the usb and thor2.exe
I tried to use the ffutool but it won't detect the phone, and neither would the WPID. even though the Nokia NSU and WDRT do detect the device. Is there a special thing should be done so the ffutool could detect the device?
I even made a modified version of the FFUClient/FFuComponent.dll to flash device and changed the usb code detection but still I couldn't get it to work.
BTW the RM-940_firehose.zip you uploaded is still corrupted, i would be happy to try it out and see if this has any effect on the Platform ID of the device.
Click to expand...
Click to collapse
Hmmm... I can download and unzip it fine with 7zip. Try this... http://1drv.ms/1HjO1Gs Can you restore the PLAT.bin from dump using
Code:
thor2 -mode uefiflash -partitionname PLAT -partitionimagefile "PLAT.bin"
If it's in UEFI Flash mode both WPID and FFUTool should detect it. In device manager what is the device description and what is the Hardware ID ?
tonbonz said:
Hmmm... I can download and unzip it fine with 7zip. Try this... Can you restore the PLAT.bin from dump using
Code:
thor2 -mode uefiflash -partitionname PLAT -partitionimagefile "PLAT.bin"
If it's in UEFI Flash mode both WPID and FFUTool should detect it. In device manager what is the device description and what is the Hardware ID ?
Click to expand...
Click to collapse
Thanks i got the files now from one drive but no improvement, and Yes the device is in flash mode the USB driver is "NOKIA BOOTMGR2".
when i try to restore the PLAT.bin i get this error:
Code:
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -partitionname PLAT -partitionimagefile c:\dump\PLAT.bin
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -partitionname PLAT -partitionimagefile c:\dump\PLAT.bin
Process started Tue Nov 24 14:35:06 2015
Debugging enabled for partitionimageflash
Initiating flash of partition image operations
WinUSB in use.
Using programming of partition image method
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Detecting UEFI responder
HELLO success
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Size of one transfer is 2363392
MMOS RAM support: 0
Size of buffer is 2359296
Number of eMMC sectors: 30535680
Platform ID of device: Nokia.MSM8974..2.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0031
Subblock ID 32
getGpt failed. Error code 12 h
Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
Operation took about 0.00 seconds.
THOR2_ERROR_UEFI_RDC_OR_AUTHENTICATION_REQUIRED
THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
and when i try to flash this what i get:
Code:
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -ffufile c:\ProgramData\M
icrosoft\Packages\Products\RM-940\RM940_02540.00019.14484.37028_RETAIL_prod_signed_200_01ACB8_ATT-US.ffu
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile c:\ProgramData\Microsoft\Packages\Products\RM-940\RM940_02540.00019.14484.37028_RETAIL_pr
od_signed_200_01ACB8_ATT-US.ffu
Process started Tue Nov 24 14:15:13 2015
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Device mode 6 Uefi mode
[THOR2_flash_state] Pre-programming operations
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Size of one transfer is 2363392
MMOS RAM support: 0
Size of buffer is 2359296
Number of eMMC sectors: 30535680
Platform ID of device: Nokia.MSM8974..2.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0031
Subblock ID 32
[THOR2_flash_state] Device programming started
Using secure flash method
CoreProgrammer version 2015.06.10.001.
Start programming signed ffu file c:\ProgramData\Microsoft\Packages\Products\RM-940\RM940_02540.00019.14484.37028_RETAIL
_prod_signed_200_01ACB8_ATT-US.ffu
FfuReader version is 2015061501
Send FlashApp write parameter: 0x4d544f00
Perform handshake with UEFI...
Flash app: Protocol Version 2.29 Implementation Version 2.52
Unknown sub block detected. Skip...
DevicePlatformInfo: Nokia.MSM8974..2.2
Unknown sub block detected. Skip...
Unknown sub block detected. Skip...
Supported protocol versions bitmap is 31
Secure FFU sync version 1 supported.
Secure FFU async version 1 supported.
Secure FFU sync version 2 supported.
Secure FFU async version 2 supported.
Secure FFU async version 3 supported.
CRC header v. 1
CRC align bytes. 4
Get CID of the device...
Get EMMC size of the device...
Emmc size in sectors: 30535680
CID: Samsung, Size 14910 MB
Start charging...
Requested write param 0x43485247 is not supported by this flash app version.
Start charging... DONE. Status = 0
ConnSpeedEcho: Elapsed= 0.165000, EchoSpeed= 40.91, Transferred= 7077918 bytes
Get security Status...
Security Status:
Platform secure boot is enabled.
Secure eFUSE is enabled.
JTAG is disabled.
RDC is missing from the device.
Authentication is not done.
UEFI secure boot is enabled.
Secondary HW key exists.
Get RKH of the device...
RKH of the device is 3774964A7E6AC7EF7D428DDC0C0EAD71640B0D8DD3BFC3829110AF2D8ED68D7C
Get ISSW Version...
Get ISSW Version, SKIPPED!
Get system memory size...
Size of system mem: 2097152 KB
Read antitheft status...
Requested read param 0x41545250 is not supported by this flash app version.
Send backup to RAM req...
Clearing the backup GPT...SKIPPED!
Successfully parsed FFU file. Header size: 0x000e0000, Payload size: 0x0000000067bc0000, Chunk size: 0x00020000, Header
offset: 0x00000000, Payload offset: 0x00000000000e0000
RKH match between device and FFU file!
Option: Skip CRC32 check in use
Start sending header data...
FlashApp returned reported error in SecureFlashResp!
Status: 0x1304, Specifier: 0x00000000
FA_ERR_FFU_STR_HDR_INVALID_PLATFORM_ID
Send of FFU header failed!
[IN] programSecureFfuFile. Closing c:\ProgramData\Microsoft\Packages\Products\RM-940\RM940_02540.00019.14484.37028_RETAI
L_prod_signed_200_01ACB8_ATT-US.ffu
programming operation failed!
0xFA001304: Platform ID check fails. Reason(s): The FFU file is not meant for this product. The platform ID of image doe
s not match with platform ID of the device.
Operation took about 0.00 seconds.
THOR2_ERROR_FA_FFU_STR_HDR_INVALID_PLATFORM_ID
THOR2 1.8.2.18 exited with error code -100658428 (0xFA001304)
Any Ideas?
ekhader said:
Thanks i got the files now from one drive but no improvement, and Yes the device is in flash mode the USB driver is "NOKIA BOOTMGR2".
when i try to restore the PLAT.bin i get this error:
Code:
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -partitionname PLAT -partitionimagefile c:\dump\PLAT.bin
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -partitionname PLAT -partitionimagefile c:\dump\PLAT.bin
Process started Tue Nov 24 14:35:06 2015
Debugging enabled for partitionimageflash
Initiating flash of partition image operations
WinUSB in use.
Using programming of partition image method
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Detecting UEFI responder
HELLO success
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Size of one transfer is 2363392
MMOS RAM support: 0
Size of buffer is 2359296
Number of eMMC sectors: 30535680
Platform ID of device: Nokia.MSM8974..2.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0031
Subblock ID 32
getGpt failed. Error code 12 h
Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
Operation took about 0.00 seconds.
THOR2_ERROR_UEFI_RDC_OR_AUTHENTICATION_REQUIRED
THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
Any Ideas?
Click to expand...
Click to collapse
Get GPT failed so maybe try this...
Code:
thor2 -mode uefiflash -startsector 0 -imagefile "gpt.bin"
tonbonz said:
Get GPT failed so maybe try this...
Code:
thor2 -mode uefiflash -startsector 0 -imagefile "gpt.bin"
Click to expand...
Click to collapse
hi, Unfortunately this didn't work as well , i get this error:
Code:
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -startsector 0 -imagefile
C:\dump\GPT.bin
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -startsector 0 -imagefile C:\dump\GPT.bin
Process started Wed Nov 25 12:49:09 2015
Debugging enabled for imageflash
Initiating flash of image file operations
WinUSB in use.
Using programming of image method
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Detecting UEFI responder
HELLO success
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Size of one transfer is 2363392
MMOS RAM support: 0
Size of buffer is 2359296
Number of eMMC sectors: 30535680
Platform ID of device: Nokia.MSM8974..2.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0031
Subblock ID 32
Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
Operation took about 0.00 seconds.
THOR2_ERROR_UEFI_RDC_OR_AUTHENTICATION_REQUIRED
THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
is there a way to restore the Platform ID of the device? I am trying to see if i can find where is the check code in the assembly code of thor2.exe but I am not that good in assembly I wonder if there is anyone who tried to skip the check code in the assembly of the thor2.exe
ekhader said:
hi, Unfortunately this didn't work as well
is there a way to restore the Platform ID of the device? I am trying to see if i can find where is the check code in the assembly code of thor2.exe but I am not that good in assembly I wonder if there is anyone who tried to skip the check code in the assembly of the thor2.exe
Click to expand...
Click to collapse
Possibly the Samsung EMMC on Lumia device bug??? Maybe check with
@Kaptaiin and his thread on flashing Lumia phones or try @Heathcliff74 and his thread here http://forum.xda-developers.com/windows-phone-8/development/windows-phone-internals-unlock-t3257483
tonbonz said:
Possibly the Samsung EMMC on Lumia device bug??? Maybe check with
@Kaptaiin and his thread on flashing Lumia phones or try @Heathcliff74 and his thread here http://forum.xda-developers.com/windows-phone-8/development/windows-phone-internals-unlock-t3257483
Click to expand...
Click to collapse
Thanks alot for your help, I have checked out the HeathCliff tool it seems it has potential but unfortunately it does not support lumia 1520 yet
this Microsoft damn tool broke the phone beyond fixing. I wish if @Heathcliff74 could give his opinion about this problem.
Wait to L1520 support, for now, dump partitions from any compatible FFU with WPInternals and keep them until that time.
Any updates here? I'm stuck in exactly the same place. Thanks!
RM892_fh.edp end MPRG8960_fh.ede
nokia lumia 630
ekhader said:
hi, Unfortunately this didn't work as well , i get this error:
Code:
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -startsector 0 -imagefile
C:\dump\GPT.bin
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -startsector 0 -imagefile C:\dump\GPT.bin
Process started Wed Nov 25 12:49:09 2015
Debugging enabled for imageflash
Initiating flash of image file operations
WinUSB in use.
Using programming of image method
isDeviceInNcsdMode
isDeviceInNcsdMode is false
Detecting UEFI responder
HELLO success
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Disable timeouts
Get flashing parameters
Lumia Flash detected
Protocol version 2.29 Implementation version 2.52
Size of one transfer is 2363392
MMOS RAM support: 0
Size of buffer is 2359296
Number of eMMC sectors: 30535680
Platform ID of device: Nokia.MSM8974..2.2
Async protocol version: 01
Security info:
Platform secure boot enabled
Secure FFU enabled
JTAG eFuse blown
RDC not found
Authentication not done
UEFI secure boot enabled
SHK enabled
Device supports FFU protocols: 0031
Subblock ID 32
Cannot flash partition image. Write the RDC into the device or use open/RnD HW & SW
Operation took about 0.00 seconds.
THOR2_ERROR_UEFI_RDC_OR_AUTHENTICATION_REQUIRED
THOR2 1.8.2.18 exited with error code 84214 (0x148F6)
is there a way to restore the Platform ID of the device? I am trying to see if i can find where is the check code in the assembly code of thor2.exe but I am not that good in assembly I wonder if there is anyone who tried to skip the check code in the assembly of the thor2.exe
Click to expand...
Click to collapse
marcio-msa said:
RM892_fh.edp end MPRG8960_fh.ede
Click to expand...
Click to collapse
Hello People, I have a big problem, my nokia Phone model: Lumia 630 Dual SIM
PackageTitle: RM-978 VAR EURO DE CV
Product Code: 059V9G7
ManufacturerHardwareModel: RM-978
Last Firmware: 02040.00021.15235.50004
After I put a new firmware (unfortunately not the right one 059v506 mala) and now it does not turn on. What can i do in the pc it does not connect does not vibrate and just died
Rockies19 said:
Any updates here? I'm stuck in exactly the same place. Thanks!
Click to expand...
Click to collapse
Any update on Lumia 1520 RM-940 issue discussed above. Mine is ATT US 32gb version.
I am stuck in same place. The phone is bricked and no rom will ever flash on it because of the wrong platform ID error.
Phone is UEFI flash mode (connected via WinUSB) with Platform ID of the device being reported as "PlatformInfo is Nokia.MSM8974..2.2".
vdenduluri said:
Any update on Lumia 1520 RM-940 issue discussed above. Mine is ATT US 32gb version.
I am stuck in same place. The phone is bricked and no rom will ever flash on it because of the wrong platform ID error.
Phone is UEFI flash mode (connected via WinUSB) with Platform ID of the device being reported as "PlatformInfo is Nokia.MSM8974..2.2".
Click to expand...
Click to collapse
And has anyone tried to download plat.bin in bulk storage mode using emmcrawtool, a tool where you can load any partition. However, you can use the Windows device repair tool to run the command
Code:
thor2 -mode fbreader-ffufile "C:\ storage location \xxx.ffu" -dump_partitions -filedir D:\dump (the dump may be different
), performs the dump of all partitions of the firmware
Nokia.MSM8974..2.2 this bootloader you can flash firmware from rm-938, not blocked under ATT, by the following command
Code:
thor2 -mode uefiflash -ffufile "C:\storage location \xxx.ffu" -productcodeupdate "product code from rm-938" -skip_flash
and
Code:
thor2 -mode uefiflash -ffufile "C:\storage location \xxx.ffu"
Same Problem
The same thing happened with my lumia 435 after I accidentally format the emmc, it would be possible to create a new emergency file (MPRG8x12_fh.ede in my case) so that after installed the device enter the data storage mode to restore the partition PLAT and UEFI?

ZTE Axon A2016 brick

Please, help! I have a total zte axon brick on my hands... Windows recognizes it only like qualcomm HS-USB QDloader 9008. I've tried Qfil programm and msm9894download tool, but have no success.
Qfil output such as:
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Ack Raw Data:False
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
NOP: Fail Code: 10
Unable to send FireHose NOP, Device is not in Firehose mode !
Download Fail:System.Exception: Failed to send Firehose NOP to the phone.
at QC.QMSLPhone.Phone.QPHONEMS_FireHoseNOP()
at QC.SwDownloadDLL.SwDownload.FireHoseDownloadImage(Boolean bResetPhone, List`1 rawprogramFilesList, List`1 patchFilesList, Single& fImageSizeInMB, Single& fThroughput)
Download Fail:FireHose Fail FireHose Fail
Finish Download
I'll appreciate any help in my situation!
P.S. Sorry if my english is not right, it's not my native language.
P.S.S As far, as I undestend after reading a lot of guides, I need one of files - MPRG8994.hex or MPRG8994.mbn. Can anyone know where I can get them?
saardukar said:
Please, help! I have a total zte axon brick on my hands... Windows recognizes it only like qualcomm HS-USB QDloader 9008. I've tried Qfil programm and msm9894download tool, but have no success.
Qfil output such as:
COM Port number:5
Sahara Connecting ...
Sahara Version:2
Start Sending Programmer
Sending Programmer Finished
Switch To FireHose
Max Payload Size to Target:49152 Bytes
Device Type:eMMC
Platform:8x26
Disable Ack Raw Data Every N Packets
Ack Raw Data:False
Skip Write:False
Always Validate:False
Use Verbose:False
COM Port number:5
Sending NOP
NOP: Fail Code: 10
Unable to send FireHose NOP, Device is not in Firehose mode !
Download Fail:System.Exception: Failed to send Firehose NOP to the phone.
at QC.QMSLPhone.Phone.QPHONEMS_FireHoseNOP()
at QC.SwDownloadDLL.SwDownload.FireHoseDownloadImage(Boolean bResetPhone, List`1 rawprogramFilesList, List`1 patchFilesList, Single& fImageSizeInMB, Single& fThroughput)
Download Fail:FireHose Fail FireHose Fail
Finish Download
I'll appreciate any help in my situation!
P.S. Sorry if my english is not right, it's not my native language.
P.S.S As far, as I undestend after reading a lot of guides, I need one of files - MPRG8994.hex or MPRG8994.mbn. Can anyone know where I can get them?
Click to expand...
Click to collapse
Have you tried to go into recovery mode and install any rom from there?
Crazyhat said:
Have you tried to go into recovery mode and install any rom from there?
Click to expand...
Click to collapse
Recovery is not available. Nether fastboot or adb.

Bricked Samsung S8 (TMO version) showing Qualcomm HS-USB QDloader 9008

Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
taj786 said:
Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
Click to expand...
Click to collapse
This thread may be old, but for now, the only option you have is getting a replacement. I had that qualcomm HS-USB composite identity on my hard bricked lg g stylo and i couldn't do anything about it but get it replaced.
taj786 said:
Guys need help....I recently bought a Samsung S8 (t-mobile version) without knowing much of its history thinking it had a deeply discharged battery, but after a good 10 hrs on the charger it still won't turn on, no LEDs, no vibration, nothing, a complete black screen so it will NOT boot into recovery or download mode. However, it does seem to take a charge as the back side does get a bit warm when charged. When plugged into the PC (Win 10) it does not get recognized under My PC but I hear the USB plug-in chime and under the Device Manager, I get "Qualcomm HS-USB QDloader 9008" on COM port 3. From what I've found online, seems like I will need the original S8's complete eMMC image and load it onto the sdcard and recover it that way, even if it's possible.
Can anyone help/guide me in the proper direction? Really hoping to recover this device. This might even help others who may have or will brick their S8's. Thanks a lot in advance
Click to expand...
Click to collapse
If this is still an issue you face PM me and i will help you unbrick the device!
TimelessPWN said:
If this is still an issue you face PM me and i will help you unbrick the device!
Click to expand...
Click to collapse
I'm ready to help for unbrick my S8
I have the same exact hard brick on my S8, did you guys ever figure out a solution?
TimelessPWN said:
If this is still an issue you face PM me and i will help you unbrick the device!
Click to expand...
Click to collapse
I have the same error, could you solve it?
did you get it fixed? I think TimelessPWN would have used EDL mode.
mweinbach said:
did you get it fixed? I think TimelessPWN would have used EDL mode.
Click to expand...
Click to collapse
I have not fixed it ye, i need help.
FUBUKY said:
I have not fixed it ye, i need help.
Click to expand...
Click to collapse
ok. from what i am reading, you have a hard brick. that QDloader 9008 is EDL mode. the EDL files that we got from QUALCOMM must be sent to you, and you have to run a QUALCOMM software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting https://www.facebook.com/GSMCHEN.up for help. he 100% can.
mweinbach said:
did you get it fixed? I think TimelessPWN would have used EDL mode.
Click to expand...
Click to collapse
FUBUKY said:
I have not fixed it ye, i need help.
Click to expand...
Click to collapse
mweinbach said:
ok. from what i am reading, you have a hard brick. that QDloader 9008 is EDL mode. the EDL files that we got from QUALCOMM must be sent to you, and you have to run a QUALCOMM software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting for help. he 100% can.
Click to expand...
Click to collapse
thx man, i am retry repair.
mweinbach said:
ok. from what i am reading, you have a hard brick. that QDloader 9008 is EDL mode. the EDL files that we got from QUALCOMM must be sent to you, and you have to run a QUALCOMM software and apply those files through EDL. I currently have the files but I am not 100% sure how to use them. I recommend contacting https://www.facebook.com/GSMCHEN.up for help. he 100% can.
Click to expand...
Click to collapse
Do you mind sharing the files sir? I have this issue and need the files please
Regards,
.:112:.
Sent from my SM-G928T using Tapatalk
stuntman112 said:
Do you mind sharing the files sir? I have this issue and need the files please
Regards,
.:112:.
Sent from my SM-G928T using Tapatalk
Click to expand...
Click to collapse
I have been told not to. Sorry.
I hope soon a solution comes out, while I continue with my brick.
GSMCHEN apparently can repair them, but you have not answered my messages.
I found the files needed. Will upload a link tonight
Sent from my SM-G928T using Tapatalk
stuntman112 said:
I found the files needed. Will upload a link tonight
Sent from my SM-G928T using Tapatalk
Click to expand...
Click to collapse
thank you very much, I hope the link to try to unbrick my s8 +
Some of the files are in plain sight at AFH. The developer has all the required QCOM tools at the link.
Prog_UFS_Firehose_8998_ddr.elf file:
https://androidfilehost.com/?fid=961840155545585810
Notice it is UFS storage, not EMMC so make sure you have the latest QPST software. Thanks to the developer (hazmat) for the prog file but i believe we will need others also such as .XML's
Messed around with it for a little but didnt figure it out. Hopefully this is a start to dead boot repair for the SM-G955..The Dream2 awakes..
Sent from my SM-G928T using Tapatalk
stuntman112 said:
Some of the files are in plain sight at AFH. The developer has all the required QCOM tools at the link.
Prog_UFS_Firehose_8998_ddr.elf file:
https://androidfilehost.com/?fid=961840155545585810
Notice it is UFS storage, not EMMC so make sure you have the latest QPST software. Thanks to the developer (hazmat) for the prog file but i believe we will need others also such as .XML's
Messed around with it for a little but didnt figure it out. Hopefully this is a start to dead boot repair for the SM-G955..The Dream2 awakes..
Sent from my SM-G928T using Tapatalk
Click to expand...
Click to collapse
without the xml files it does not help us.
I had already tried it, the xml files that it has shared (hazmat) are from xiaomi.
mweinbach said:
I have been told not to. Sorry.
Click to expand...
Click to collapse
That's the right thing to do,
Anyway, we have to protect these documents, right
Could not get the device un bricked. Thanks GSM CHEN for help. Possible CPU hardware problem. Seems stuck in EDL
LOG
Programmer Path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
Image Search Path: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download
RAWPROGRAM file path: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\rawprogram0.xml
PATCH file path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\patch0.xml
Start Download
Program Path:C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
***** Working Folder:C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Binary build date: Oct 31 2016 @ 22:51:05
QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'Current working dir: C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf
11:44:18: Requested ID 13, file: "C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\prog_ufs_firehose_8998_ddr.elf"
11:44:18: 599432 bytes transferred in 0.172000 seconds (3.3236MBps)
11:44:18: File transferred successfully
11:44:18: Sahara protocol completed
Sending Programmer Finished
Switch To FireHose
Wait for 3 seconds...
Max Payload Size to Target:49152 Bytes
Device Type:UFS
Platform:8x26
Disable Ack Raw Data Every N Packets
Skip Write:False
Always Validate:False
Use Verbose:False
***** Working Folder:C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11
Base Version: 16.10.28.15.28
Binary build date: Oct 31 2016 @ 22:51:02
Incremental Build version: 16.10.31.22.51.02
11:44:22: INFO: FH_LOADER WAS CALLED EXACTLY LIKE THIS
************************************************
C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe --port=\\.\COM11 --sendxml=rawprogram0.xml --search_path=C:\Users\User1\Desktop\nhlos\common\tools\emergency_download --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=ufs
************************************************
11:44:22: INFO: Current working dir (cwd): C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\
11:44:22: INFO: Showing network mappings to allow debugging
11:44:22: INFO:
11:44:22: INFO: Trying to store 'rawprogram0.xml' in string table
11:44:22: INFO: Looking for file 'rawprogram0.xml'
11:44:22: INFO: User wants to talk to port '\\.\COM11'
11:44:22: INFO: Took 0.00000000 seconds to open port
11:44:22: INFO: Sorting TAGS to ensure order is <configure>,<erase>, others, <patch>,<power>
11:44:22: INFO: If you don't want this, use --dontsorttags
11:44:22: INFO: Looking for file 'gpt_main0.bin'
11:44:22: INFO: Looking for file 'gpt_backup0.bin'
11:44:22: INFO:
Total to be tansferd with <program> or <read> is 44.00 KB
11:44:22: INFO: Sending <configure>
11:44:22: INFO: TARGET SAID: 'Binary build date: Jun 1 2017 @ 14:29:30'
11:44:22: INFO: TARGET SAID: 'Chip serial num: 4294967295 (0xffffffff)'
11:44:22: INFO: TARGET SAID: 'Supported Functions: program configure nop firmwarewrite patch setbootablestoragedrive ufs emmc power benchmark read getstorageinfo getsha256digest erase peek poke '
11:44:22: INFO: TARGET SAID: 'Calling usb_al_bulk_set_zlp_mode(TRUE) since ZlpAwareHost='1''
11:44:22: INFO: fh.attrs.MaxPayloadSizeToTargetInBytes = 1048576
11:44:22: INFO: fh.attrs.MaxPayloadSizeToTargetInBytesSupported = 1048576
11:44:22: INFO: In handleProgram('gpt_main0.bin')
11:44:22: INFO: Looking for file 'gpt_main0.bin'
11:44:22: INFO: =======================================================
11:44:22: INFO: {<program> FILE: 'C:\Users\User1\Desktop\nhlos\common\tools\emergency_download\gpt_main0.bin'}
11:44:22: INFO: {<program> (24.00 KB) 6 sectors needed at location 0 on LUN 0}
11:44:22: INFO: =======================================================
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to initialize (open whole lun) UFS Device slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'ERROR: ufs_open_error_code 0 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: last ufs_open_error_code 16 :: 0x27c'
11:44:22: INFO: TARGET SAID: 'ERROR: Failed to open the device 3 slot 0 partition 0'
11:44:22: INFO: TARGET SAID: 'INFO: Device type 3, slot 0, partition 0, error 0'
11:44:22: INFO: TARGET SAID: 'WARN: Get Info failed to open 3 slot 0, partition 0, error 0'
11:44:22: INFO: TARGET SAID: 'storage_device_get_num_partition_sectors FAILED!'
11:44:22: INFO: TARGET SAID: 'parseSectorValue could not handle start_sector value'
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
11:44:22: {ERROR: program FAILED - Please see log}
Writing log to 'C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\port_trace.txt', might take a minute
Log is 'C:\Users\User1\AppData\Roaming\Qualcomm\QFIL\COMPORT_11\port_trace.txt'
Download Fail:FireHose Fail:FHLoader Failrocess fail
Finish Download
Sent from my SM-G928T using Tapatalk
a me has not helped me yet.

Honor play hard brick

my phone stuck at erecovery mode . i did flash it with new rom using the dc phoenix but it turn out failed.
here is the progress :
Build number: :COR-L29 9.0.0.193(SP53C636E2R1P12)
Model: COR-L29
Battery state: 4885mv
OEM lock state info:
FB LockState: LOCKED
USER LockState: LOCKED
OEM get bootinfo:
locked
Process identifier:18080917
Getting build number...
Getting base version...
Getting cust version...
Getting preload version...
Erasing ver .. .
File size: 5,037,310,948 bytes
Current version(CURVER): CORC00B000
Writing rescue_recovery_kernel partition
rescue_recovery_kernel partition UPDATE ...OK
Writing rescue_recovery_ramdisk partition
rescue_recovery_ramdisk partition UPDATE ...OK
Writing rescue_recovery_vendor partition
rescue_recovery_vendor partition UPDATE ...OK
USB Device REMOVAL
Type: @OEM83.inf,%tplinkfastboot%;Android Bootloader Interface
VidPid: VID_18D1&PID_D00D
Instance id: 5&118960b2&0&2
Looking for device in upgrade mode...
USB Device INSERTION
Type: @OEM148.inf,%busfilter.devicedesc%;USB Composite Device
VidPid: VID_12D1&PID_107E
Instance id: 5&118960b2&0&2
COM11: DBAdapter Reserved Interface (COM11)
COM12: Android Adapter PCUI (COM12)
8/29/2019 3:56:10 PM Starting to write device in UPGRADE mode...
Device found: XTX7N18830004739
8/29/2019 3:56:38 PM start to write update file
File to update: UPDATE_SD.APP
File size: 5,037,310,948 bytes
Current version(CURVER): CORC00B000
Process identifier:18080974
Validating file...
Looking for attached port...
Preparing to write...
Writing file 1 of 43: SHA256RSA...OK
Writing file 2 of 43: CRC...OK
Writing file 3 of 43: CURVER...OK
Writing file 4 of 43: VERLIST...
Error downloading file 4 of 43
Error writing software
8/29/2019 3:57:16 PM Writing device finished with ERROR
anyone can help me with this ?

QFIL Partition Manager Working!

I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
Click to expand...
Click to collapse
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, becuse if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
Click to expand...
Click to collapse
I've gotten to around the same point as you have, however I'm having a little bit a trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, becuse if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
Click to expand...
Click to collapse
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.
Xenos7 said:
Wow, you did it?
I saw the first thread you made where you were talking about extracting .xml files and firehose from OPS file for OP7P 5G for single partition backup/restore via qfil, but oneplus didn't provide you msm tool for 5g variant because "they didn't have it" (which is a lie, becuse if you watch a video from linus tech tips on how he visited oneplus quality test thing back in oneplus 6t days, you would have seen a section where they use THE SAME TOOL, in the firmware flashing section)
Could you provide a full list of files you got from .ops file? Did you get everything that is needed for flashing?
It would be nice if you could do something like this for oneplus 7 pro regular one, so we don't have to have our phones factory reset and BL locked after msm tool flash.
Click to expand...
Click to collapse
I finally got the MSM for the Sprint variant. You can find that in my other post.
It's actually quite easy to pull partitions from the phone. As a matter of fact you can use both QFIL or MSM to do it. I haven't created a guide to do it through QFIL, yet... You can find my MSM guide in my Sprint MSM post.
To flash through QFIL you use partition manager to read and write individual partitions because the xmls aren't needed, partition manager maps out the UFS through Sahara.
And I must state. DO NOT use provision xmls to download, only to open Partition Manager.
You can only decrypt the firehose and provisioning xml from ops, not the partitions unfortunately. But you can pull every partition through MSM if you really want them. In my personal opinion, you only need a couple really. Except in the case of 5G phones, you need more for those.
Guy50570 said:
I've gotten to around the same point as you have, however I'm having a little bit a trouble getting QFIL to flash a partition. I think it has to do with me missing the proper rawprogram and patch0 XML files. Did you need these at all? If so, how did you obtain them? Appreciate the effort by the way, this ain't easy stuff.
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
He was actually able to obtain the MSM tool from OnePlus. There's a thread on this forum for the download somewhere.
I've also been able to somewhat decrypt and extract files from OPS, but all I was able to obtain was the Firehose binary and an XML file, which contains program and patch commands. There's more to extract but I'm not completely sure how he did it to be honest.
Click to expand...
Click to collapse
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
Click to expand...
Click to collapse
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara comunication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
Edit: When I said what is counted in as signed, dd or msm dump, I meant if they are unchanged, and all official, will they still be counted as signed, or recognized as official?
Xenos7 said:
So those 2 xmls are generated from PrimaryGPT and BackupGPT, and they are used to generate partition table of the device, and to point qfil to which partitions to flash different images correct?
If that's the case then it's logical they are not needed for single partition flashing.
Single partition flashing is done with only using sahara comunication with the device (and firehose?) correct?
And what is counted in as a "signed" image for flashing. Can we just take a dd of an image and flash it with qfil later, or do we need to use msm tool readback to do so? Those should be fine right?
If not then only ones which should work are ones in .ops, and there is a little bit of a problem when it comes to obtaining them.
Click to expand...
Click to collapse
You bring up a great point. I'm not sure if you can write partitions gained from MSM's ReadBack functionality in QFIL? I'm sure, no I'm positive you can write partitions read from QFIL though. I'm not aware of any way to extract partitions from an ops in order to even attempt to write them.
That is why I needed somebody with an unlocked phone to ReadBack through MSM or Read from QFIL their partitions. In order to attempt to write them individually through QFIL.
jthein1989 said:
You shouldn't need the RawProgram or Patch XMLs to write through partition manager. The partition manager already knows where they are located.
Provisioning XMLs are used by QFIL to map out LUNs, which are just virtual drives on the UFS. RawProgram and Patch XMLs are used by QFIL to map the partitions in the LUNs. Which in this case aren't needed. (MSMDownloadTool maps both LUNs and Partitions, but doesn't have the ability to flash single partitions).
Edit: Sorry, I didn't see the other question. In order to get RawProgram and Patch XMLs, you have to decrypt the GPT partitions. I have the scripts to make them, but it's a headache, and they shouldn't be needed.
Click to expand...
Click to collapse
Hm, I see. Wonder why I'm getting this error then.
Code:
09:42:54: {ERROR: program FAILED - Please see log}
Writing log to 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt', might take a minute
Log is 'C:\Users\{username}\AppData\Roaming\Qualcomm\QFIL\COMPORT_5\port_trace.txt'
Send Image Fail:FireHose Fail:FHLoader Fail:Process fail
Finish Send Image
Everything else before this point seems to work just fine so, slightly confused here as to what I need.
Guy50570 said:
Hm, I see. Wonder why I'm getting this error then.
Everything else before this point seems to work just fine so, slightly confused here as to what I need.
Click to expand...
Click to collapse
I will try to look. Sundays are a busy day for me. I'll let you know.
jthein1989 said:
I will try to look. Sundays are a busy day for me. I'll let you know.
Click to expand...
Click to collapse
Hey, no worries, I'm not in any rush, just trying to help out the best I can.
Any update?
Flashing a single partition is not hard, you do need the payload and the patch both xml, not to mention loader,
Below is an example from a ZTE: Zmax Pro:
rawprogram0.xml
Code:
<?xml version="1.0" ?>
<data>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Sector size is 512bytes-->
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery.img" label="recovery" num_partition_sectors="98304" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="49152.0" sparse="false" start_byte_hex="0x15000000" start_sector="688128"/>
</data>
patch0.xml:
Code:
<?xml version="1.0" ?>
<patches>
<!--NOTE: This is an ** Autogenerated file **-->
<!--NOTE: Patching is in little endian format, i.e. 0xAABBCCDD will look like DD CC BB AA in the file or on disk-->
<!--NOTE: This file is used by Trace32 - So make sure to add decimals, i.e. 0x10-10=0, *but* 0x10-10.=6.-->
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="11" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="9" value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="168" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-24." value="NUM_DISK_SECTORS-34." what="Update last partition 38 'userdata' with actual size in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-34." what="Update Primary Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="48" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-34." what="Update Backup Header with LastUseableLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="32" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="1" value="NUM_DISK_SECTORS-1." what="Update Primary Header with BackupGPT Header Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="24" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1." value="NUM_DISK_SECTORS-1." what="Update Backup Header with CurrentLBA."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="8" start_sector="32" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="72" filename="DISK" physical_partition_number="0" size_in_bytes="8" start_sector="NUM_DISK_SECTORS-1" value="NUM_DISK_SECTORS-33." what="Update Backup Header with Partition Array Location."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(2,5120)" what="Update Primary Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(0,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="88" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-33.,5120)" what="Update Backup Header with CRC of Partition Array."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_main0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="0" what="Zero Out Header CRC in Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="1" value="CRC32(1,92)" what="Update Primary Header with CRC of Primary Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="gpt_backup0.bin" physical_partition_number="0" size_in_bytes="4" start_sector="32" value="CRC32(32,92)" what="Update Backup Header with CRC of Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="0" what="Zero Out Header CRC in Backup Header."/>
<patch SECTOR_SIZE_IN_BYTES="512" byte_offset="16" filename="DISK" physical_partition_number="0" size_in_bytes="4" start_sector="NUM_DISK_SECTORS-1." value="CRC32(NUM_DISK_SECTORS-1.,92)" what="Update Backup Header with CRC of Backup Header."/>
</patches>
Now you see the idea?
Have there been any developments on the Sprint OP7Pro 5g? I was gifted one this holiday and practically have no use for it until bootloader unlock is available.
jthein1989 said:
I started working to get QFIL to work with the Sprint OnePlus 7 Pro 5G as soon as I got the MSMDownloadTool for it.
I accomplished getting the partition manager working, which allows us to flash individual (SIGNED) partitions. We can now try flashing individual international partitions to gain unlocked bootloaders WITHOUT MSM and the need to flash entirely different variants. Plus, 5G users will keep their 5G modems! I need somebody with an international version to join me in TeamView or something, in order to pull the Bootloader and other Partitions.
If another dev here can help me in getting this to work, we could be on the road to bootloader unlocks without SIM unlocks.
Click to expand...
Click to collapse
What would you like from my 7Pro?
I'm running 10.3 though.
Del
I have to give a big shout out and I just want to thank everyone for their hard work on figuring the procedures out for unlocking the bootloader, and flashing the these phones.
The tutorial for unlocking the bootloader for the Sprint Oneplus 7 Pro 5G work flawlessly if you follow the tutoralial:
https://forum.xda-developers.com/on...otloader-unlock-sprint-oneplus-7-pro-t4042145
When I first received my phone I bought off eBay I went ahead and set the phone up and upgraded the phone over OTA to
android OS to v10.0.2. This was so I could use the TWRP for Q (10) during the bootloder unlock setup to fix the issues with it
rebooting back into the bootloader. One thing I did learn during the process that it might try to boot into system and
get stuck on the Sprint 5G boot animation. So to force it to power cycle press (VOLUME UP + POWER) buttons and hold them
until it does reboot and then quickly press and hold the (VOLUME UP + VOLUME DOWN + POWER) buttons to boot back into bootloader and
run the FIX instructions again.
Once the bootloader was unlocked I used this tutorial to cross flash the firmware to the OnePlus 7 Pro 5G European. Then went through
the phone setup process and then installed the Oxegen Updater APK to downloaded the firmware to forced it to update to the latest 10.0.6 firmware by manually installing
it through the System Update under the gear Local update. Tutorial found here:
https://forum.xda-developers.com/oneplus-7-pro/how-to/discussion-oneplus-7-pro-5g-rom-gsi-t4042583
Then I followed the tutorial to installing TWRP for Q (10) and to root installing Magisk:
https://forums.oneplus.com/threads/...magisk-twrp-oneplus-7-pro-android-10.1178410/
I found out during the process of flashing and updating to the Oxegen 10.0.6 European firmware the bootloader had re-locked.
So I had to follow the steps once again to unlock the bootloader and then followed the guide of rooting the Sprint OnePlus 7 Pro
5G.
Now to the part I have run into trouble trying to remove the SIM LOCK on the phone to Sprint:
I tried to follow the tutorial of SIM UNLOCKING the T-Mobile OnePlus 7 Pro:
https://forum.xda-developers.com/oneplus-6t/how-to/guide-sim-unlock-t-mobile-version-type-t3915269
Fist I did back up my phone in TWRP. However, when you run these two fastboot commands from the bootloader it will FAIL:
fastboot erase modemst1
fastboot erase modemst2
The Error messages are:
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
So after doing some research and running this fastboot command I found out that not everything unlocked:
fastboot oem device-info
And it's output:
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) enable_dm_verity: true
(bootloader) have_console: false
(bootloader) selinux_type: SELINUX_TYPE_INVALID
(bootloader) boot_mode: NORMAL_MODE
(bootloader) kmemleak_detect: false
(bootloader) force_training: 0
(bootloader) mount_tempfs: 0
(bootloader) op_abl_version: 0x31
(bootloader) cal_rebootcount: 0x31
OKAY [ 0.064s]
Finished. Total time: 0.071s
As you can see the Device critical unlocked is: false. So you cannot write to those partitions.
I tried the fastboot commands:
fastboot flashing unlock_critical
fastboot oem unlock_critical
Both with same message:
FAILED (remote: ' Device already : unlocked!')
fastboot: error: Command failed
I even tried the shell commands to overwrite the two partitions from TWRP and from command prompt using
adb from platform tools:
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
And it's output:
/system/bin/sh: adb: inaccessible or not found
Modemst1, modemst2 and zero do exist but being bootloader critial locked you still cannot write to the partitions even with root.
So next I looked into using QPST package and erasing the partitions using Partition Manager from QFIL utility but need the firehose
file for SM8150 chipset and the following site does not have it listed:
https://forum.hovatek.com/thread-25696.html
Good tutorial on using the QFIL and updating partition:
https://www.youtube.com/watch?v=MdknZvaTwl4
So finding this thread it was said you extract the firehose file from the MsmDownloadTool OPS file. I tried using the python script github to dump the OPS file
but I could never get crypto to compile correctly on my windows box for python and used another branch said not a WIN32 file error for crypto. Found here:
https://github.com/bkerler/oppo_decrypt
So my question is how do you extract the firehose file from the MsmDownloadTool OPS file so we can possibly enable writing to the critical partitions so you can make other updates
such as modifying the apns-conf.xml because you cannot write to critical partitions even with root privileges.
Thanks in advance for any advice and help!
Hi pulled with oppo_decrypt..
joecowboy said:
I have to give a big shout out and I just want to thank everyone for their hard work on figuring the procedures out for unlocking the bootloader, and flashing the these phones.
The tutorial for unlocking the bootloader for the Sprint Oneplus 7 Pro 5G work flawlessly if you follow the tutoralial:
https://forum.xda-developers.com/on...otloader-unlock-sprint-oneplus-7-pro-t4042145
When I first received my phone I bought off eBay I went ahead and set the phone up and upgraded the phone over OTA to
android OS to v10.0.2. This was so I could use the TWRP for Q (10) during the bootloder unlock setup to fix the issues with it
rebooting back into the bootloader. One thing I did learn during the process that it might try to boot into system and
get stuck on the Sprint 5G boot animation. So to force it to power cycle press (VOLUME UP + POWER) buttons and hold them
until it does reboot and then quickly press and hold the (VOLUME UP + VOLUME DOWN + POWER) buttons to boot back into bootloader and
run the FIX instructions again.
Once the bootloader was unlocked I used this tutorial to cross flash the firmware to the OnePlus 7 Pro 5G European. Then went through
the phone setup process and then installed the Oxegen Updater APK to downloaded the firmware to forced it to update to the latest 10.0.6 firmware by manually installing
it through the System Update under the gear Local update. Tutorial found here:
https://forum.xda-developers.com/oneplus-7-pro/how-to/discussion-oneplus-7-pro-5g-rom-gsi-t4042583
Then I followed the tutorial to installing TWRP for Q (10) and to root installing Magisk:
https://forums.oneplus.com/threads/...magisk-twrp-oneplus-7-pro-android-10.1178410/
I found out during the process of flashing and updating to the Oxegen 10.0.6 European firmware the bootloader had re-locked.
So I had to follow the steps once again to unlock the bootloader and then followed the guide of rooting the Sprint OnePlus 7 Pro
5G.
Now to the part I have run into trouble trying to remove the SIM LOCK on the phone to Sprint:
I tried to follow the tutorial of SIM UNLOCKING the T-Mobile OnePlus 7 Pro:
https://forum.xda-developers.com/oneplus-6t/how-to/guide-sim-unlock-t-mobile-version-type-t3915269
Fist I did back up my phone in TWRP. However, when you run these two fastboot commands from the bootloader it will FAIL:
fastboot erase modemst1
fastboot erase modemst2
The Error messages are:
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
Erasing 'modemst1' FAILED (remote: 'Erase is not allowed for Critical Partitions')
fastboot: error: Command failed
So after doing some research and running this fastboot command I found out that not everything unlocked:
fastboot oem device-info
And it's output:
(bootloader) Verity mode: true
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false
(bootloader) Charger screen enabled: true
(bootloader) enable_dm_verity: true
(bootloader) have_console: false
(bootloader) selinux_type: SELINUX_TYPE_INVALID
(bootloader) boot_mode: NORMAL_MODE
(bootloader) kmemleak_detect: false
(bootloader) force_training: 0
(bootloader) mount_tempfs: 0
(bootloader) op_abl_version: 0x31
(bootloader) cal_rebootcount: 0x31
OKAY [ 0.064s]
Finished. Total time: 0.071s
As you can see the Device critical unlocked is: false. So you cannot write to those partitions.
I tried the fastboot commands:
fastboot flashing unlock_critical
fastboot oem unlock_critical
Both with same message:
FAILED (remote: ' Device already : unlocked!')
fastboot: error: Command failed
I even tried the shell commands to overwrite the two partitions from TWRP and from command prompt using
adb from platform tools:
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst1
dd if=/dev/zero of=/dev/block/bootdevice/by-name/modemst2
And it's output:
/system/bin/sh: adb: inaccessible or not found
Modemst1, modemst2 and zero do exist but being bootloader critial locked you still cannot write to the partitions even with root.
So next I looked into using QPST package and erasing the partitions using Partition Manager from QFIL utility but need the firehose
file for SM8150 chipset and the following site does not have it listed:
https://forum.hovatek.com/thread-25696.html
Good tutorial on using the QFIL and updating partition:
So finding this thread it was said you extract the firehose file from the MsmDownloadTool OPS file. I tried using the python script github to dump the OPS file
but I could never get crypto to compile correctly on my windows box for python and used another branch said not a WIN32 file error for crypto. Found here:
https://github.com/bkerler/oppo_decrypt
So my question is how do you extract the firehose file from the MsmDownloadTool OPS file so we can possibly enable writing to the critical partitions so you can make other updates
such as modifying the apns-conf.xml because you cannot write to critical partitions even with root privileges.
Thanks in advance for any advice and help!
Click to expand...
Click to collapse
I pulled the firehose for the T-Mobile. It's uploaded on my sim unlock post
Awesome, I will have to do some more testing! I love this phone. Thank you!
joecowboy said:
Awesome, I will have to do some more testing! I love this phone. Thank you!
Click to expand...
Click to collapse
I have been testing like crazy.i just confurmed the lock is 100% in the modemst1 and modemst2. But they are encrypted so that the sim info has to pass through them .so that if deleted there no way to get the sims to work.we need a programmer this is way over my head.

Categories

Resources