[Q] Tried every guide I can find, can't get S-Off - myTouch 4G Q&A, Help & Troubleshooting

I've tried every guide here on XDA...tried the Cyanogen Wiki...even tried the Unlockr's guide...I can root the phone, but I can't get S-Off. This is my third myTouch 4G, and the only one I've been unable to get S-Off on. The other ones I was able to use rage to root and get S-Off on, but this one I only seem to be able to root. I've even tried Visionary and can still only get root but not S-Off. I'm just so frustrated at this point I feel like smashing the phone and telling T-Mobile the replacement came like this...

mytouch4g ya say?
hmm..
http://forum.xda-developers.com/showthread.php?t=858996
look for gfree.

Are you getting a "failed to powercycle eMMC" error?

synaesthetic said:
Are you getting a "failed to powercycle eMMC" error?
Yes...the guide at the CM wiki said if I get that to use gfree .05 instead, but then when I get this running this part again
Code:
./gfree -f -b hboot-eng.img -y recovery.img
./root_psn
sync
it says that the -y parameter isn't recognized

Just run ./gfree -f
Everything else can be done later.
http://forum.xda-developers.com/showthread.php?t=858996

Followed that page..this is what I get
Code:
# ./gfree -f
./gfree -f
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g899d047
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a63a4, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40011000
Searching for brq filter...
- Address: 0xc02a63a4 + 0x34c
- 0x2a000012 -> 0xea000012
Patching and backing up partition 7...
Error opening copy file.
#

Mackster248 on YouTube... he's got a great tutorial video using the gfree method...
Sent from my HTC Glacier using XDA App

Try a different USB port?
I had some issues rooting an entirely different device where it had difficulty copying files, it basically all boiled down to the USB port I was trying to use. Bypass any hubs, plug directly into rear of machine.
Shot in the dark, worth a try tho...

cbutt said:
Mackster248 on YouTube... he's got a great tutorial video using the gfree method...
Sent from my HTC Glacier using XDA App
Yea..ok..I dunno what the hell it was, but I followed that guide word for word last night and it didn't work. Went fine just now...thanks

Try this
http://forum.xda-developers.com/showthread.php?t=995549
Sent from my HTC Glacier using XDA App

Bricked? Blinking Orange Lights / Vibrates 3 times on boot (black screen)

MyTouch 4G (not slide)
wiki.cyanogenmod.com/wiki/TMobile_myTouch_4G:_Full_Update_Guide
I'm following the above guide. I got down to the command "reboot". When I try to boot, it's simply a black screen, it vibrates 3 times and I have an orange blinking LED light. No screen at all. The md#1 is different and the md#2 and md#3 matched - I did that part correctly.
Trying a few random things,
volume up + boot does the same thing.
Volume down + boot = solid green light, vibrate 5 times.
Other single button + power combinations do nothing.
Man I'm terrified .. I hope you guys can help. I don't see what I did wrong!
I also saw someone say something about volume up + power .. but my volume up button randomly doesn't work (I had to get a volume app to turn up the volume -- volume down works fine).
My log is below:
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\android-sdk-windows\platform-tools>adb push busybox /data/local/tmp/
2485 KB/s (1926944 bytes in 0.757s)
C:\android-sdk-windows\platform-tools>adb push gfree /data/local/tmp/
2630 KB/s (716548 bytes in 0.266s)
C:\android-sdk-windows\platform-tools>adb push hboot-eng.img /data/local/tmp/
2908 KB/s (1048576 bytes in 0.352s)
C:\android-sdk-windows\platform-tools>adb push psneuter /data/local/tmp/
2632 KB/s (557962 bytes in 0.207s)
C:\android-sdk-windows\platform-tools>adb push recovery-clockwork-3.0.2.4-glacie
r.img /data/local/tmp/recovery.img
2676 KB/s (4599808 bytes in 1.678s)
C:\android-sdk-windows\platform-tools>adb push root_psn /data/local/tmp/
68 KB/s (564 bytes in 0.008s)
C:\android-sdk-windows\platform-tools>adb push su /sdcard/
failed to copy 'su' to '/sdcard//su': Permission denied
C:\android-sdk-windows\platform-tools>
C:\android-sdk-windows\platform-tools>adb push su /sdcard/
309 KB/s (26324 bytes in 0.083s)
C:\android-sdk-windows\platform-tools>adb push Superuser.apk /sdcard/
2487 KB/s (196120 bytes in 0.077s)
C:\android-sdk-windows\platform-tools>adb shell
$ chmod 755 /data/local/tmp/*
chmod 755 /data/local/tmp/*
$ /data/local/tmp/psneuter
/data/local/tmp/psneuter
C:\android-sdk-windows\platform-tools>adb shell
# cd /data/local/tmp
cd /data/local/tmp
# ./busybox md5sum /dev/block/mmcblk0p18
./busybox md5sum /dev/block/mmcblk0p18
d7495d459761996eabc88bb9fdb21f5a /dev/block/mmcblk0p18
# ./gfree -f -b hboot-eng.img -y recovery.img
./gfree -f -b hboot-eng.img -y recovery.img
--secu_flag off set
--cid set. CID will be changed to: 11111111
--sim_unlock. SIMLOCK will be removed
--hboot set. hboot image hboot-eng.img will be installed in partition 18
--recovery set. recovery image recovery.img will be installed in partition 21
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g899d047
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02a63a4, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02a6000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02a63a4 + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 18 and installing specified hboot image...
Backing up partition /dev/block/mmcblk0p18 to /sdcard/part18backup-1309694691.bi
n ...
Writing image hboot-eng.img to partition /dev/block/mmcblk0p18 ...
Backing up current partition 21 and installing specified recovery image...
Backing up partition /dev/block/mmcblk0p21 to /sdcard/part21backup-1309694691.bi
n ...
Writing image recovery.img to partition /dev/block/mmcblk0p21 ...
Backing up current partition 7 and patching it...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-1309694691.bin
...
patching secu_flag: 0
Done.
# ./root_psn
./root_psn
# sync
sync
# ./busybox md5sum hboot-eng.img
./busybox md5sum hboot-eng.img
df4fd77f44993eb05a4732210d2eddc6 hboot-eng.img
# ./busybox md5sum /dev/block/mmcblk0p18
./busybox md5sum /dev/block/mmcblk0p18
df4fd77f44993eb05a4732210d2eddc6 /dev/block/mmcblk0p18
# reboot
reboot
C:\android-sdk-windows\platform-tools>adb shell
error: device not found
C:\android-sdk-windows\platform-tools>
If you hold volume down and power it will do something else other than send you to bootloader. So yeah, to get to recovery is to hold + volume and power, then use the volume buttons to move up or down in the menu and use the power button to select it.
Crap.. I can't hold volume up + power because my volume up button has never functioned. Ahhh... what now
Chronei said:
Crap.. I can't hold volume up + power because my volume up button has never functioned. Ahhh... what now
Try holding volume down + power
Sent from my My Touch 4G using XDA Premium App
@Chronei were you able to solve the problems you were experiencing? A friend of mine is having the same problem with their myTouch. Your assistance would be greatly appreciated.
No sorry. HTC support to screw me too, worst service ever. Better off getting used from eBay
Try taking battery out for an hour or so. Do you have ADB on your PC? Will adb recognize your device?
Sent from my customized mt4g using XDA premium
Some of it resolved, the rest compounded
Ok sooo for all the vets on here try to cut me some slack. I just started tinkering with androids about a month ago. Friend had a bricked one and I made it a goal to unbrick it. Got some good information here and was able to and since then I'm looking for broken ones to play with.
This one I bought from a neighbor for 20 bucks, he thought it was water damaged or hardware damage. Battery was completely drained but the water sensors intact, so first thing I did was set it on a long charge. When I plugged it in you could feel little vibrations from it running but not a single light to indicate.
After the charge I removed it from the plug and pulled the battery out and let it sit for 10 minutes, went ahead and downloaded all the drivers and SDK tools it would use while waiting. Plugged it into the computer and sure enough drivers start reading, the red light on the track on the bottom was blinking, and the orange light was solid at top right. Well that's all great but it still would not show any type of screen whatsoever and I started noticing the vibrations when you hit the buttons.
One thing I am thinking is the phone vibrating is like a computer's POST. It is being blocked from using lights and sound to function so vibrates instead. At any rate I started playing with button combinations and looked up what the hboot would look like. I managed after a couple of tries to get it to do a restore with the PD15 img on the SD card. This time the phone would load up but the screen was like a splash of color, think of the white screen that's supposed to come before the Hboot and it's that but rainbow colored.
This out of pure luck turned out to be an easy fix, I hit the power and home button at the same time as I slide out the keyboard and it was like a brand new phone again! Well that lasted about a day.
I got confident and wanted to throw the CM10 on it, followed the instructions but after the flash it was getting stuck at the logo page, and this was a complete freeze because it was not even picked up by the computer.
So based on all these findings I am assuming this probably was on a soft brick and somehow I just managed to do the right steps to get out of it only now I don't think I will be able to. I have tried for hours to count the number of ups and then enter or downs or lefts to navigate through CWM without visual. I have gotten it to restore once I think but that one time it went to a boot loop. I twisted the keyboard a little and it came out but froze.
Reboot and now I am back to square 1 with the vibrations and trying to somehow clear everything to restore. I am pretty confident if I could at least see when it's booting or giving an error I could find the resolution to it. For those of you who have just had the first symptoms here is what you can do to get out of it.
Download the stock image PD1img.zip put this on your sd card and plug it in.
Hold volume down and power for 3 seconds and you should notice a light go off or the phone vibrate.
Press volume down TWO times, then press the power button. Wait a little bit and if nothing happens press the power button again. Sit back and enjoy
This should factory reset your phone.
If anyone has any suggestions on how I can do a wipe of cwm and restore from there please let me know. Even a place with screen shots of every 5.5.0.4 option would probably help so I know what I am looking at clearer.
---------- Post added at 10:15 AM ---------- Previous post was at 10:11 AM ----------
Sorry I didn't realize I put in that much detail guys, I'll try to keep it straight to the point next time.
Where can I find the stock image PD1img.zip?
Please, I need your help. I am having this same problem with my phone and my volume up button ain't working
jhimpz21.21 said:
Where can I find the stock image PD1img.zip?
http://d-h.st/PoM
That's 2.2.1 I think....
One of my batteries took a dump last week while I was using the phone and I thought it bricked cuz would turn on the led and only vibrate. So I left it overnight no battery then put an extra one when I woke up and worked no problem
Sent from my GT-P3110 using xda app-developers app

[Q] Restore the S-ON Fail [Solved]

Hello, (Solved)
I would like to restore S-ON for warranty. I have successfully installed the official ROM and bootloader but I can't get S-ON.
I have tried:
adb push psneuter /data/local/tmp/psneuter
adb shell chmod 777 /data/local/tmp/psneuter
adb shell /data/local/tmp/psneuter
adb shell
adb push gfree /data/local/tmp/gfree
adb shell chmod 777 /data/local/tmp/gfree
/data/local/tmp/gfree -r /sdcard/part7backup-1308605970.bin
sync
All seems to be OK, but when I reboot the phone it's always S-OFF
I have tried with this but same problem:
/data/local/tmp/gfree -s on -c ORANG202
sync
PS : The log
# /data/local/tmp/gfree -r /sdcard/part7backup-1308605970.bin
/data/local/tmp/gfree -r /sdcard/part7backup-1308605970.bin
--restore set. Partition 7 will be restored from file: /sdcard/part7backup-13086
05970.bin
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g132894e
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02adc44, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02ad000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02adc44 + 0x34c
- ***WARNING***: Found fuzzy match for brq filter, but conditional branch isn't
. (0xea000012)
Backing up current partition 7 and restoring specified backup...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-1312490872.bin
...
Writing image /sdcard/part7backup-1308605970.bin to partition /dev/block/mmcblk0
p7 ...
Done.
# sync
sync
#
Guifort
PS : I have the rom : Orange_FR-B2B_1.85.73.2
Thanks
Solved: downgraded to 1.34 and that is OK

[Q] Please help I can not restore S-On!

Hi All,
I have been following the guide: http://forum.xda-developers.com/wiki/HTC_Vision#Restoring_the_backup_of_partition_7
To restore S-On on a Desire Z. I have tried both restoring the original image and using the S-On command as follows:
# ./gfree -s on
./gfree -s on
--secu_flag on set
Section header entry size: 40
Number of section headers: 44
Total section header table size: 1760
Section header file offset: 0x000138b4 (80052)
Section index for section name string table: 41
String table offset: 0x000136fb (79611)
Searching for .modinfo section...
- Section[16]: .modinfo
-- offset: 0x00000a14 (2580)
-- size: 0x000000cc (204)
Kernel release: 2.6.32.21-g6e170e7
New .modinfo section size: 204
Attempting to power cycle eMMC... OK.
Write protect was successfully disabled.
Searching for mmc_blk_issue_rq symbol...
- Address: c02adc1c, type: t, name: mmc_blk_issue_rq, module: N/A
Kernel map base: 0xc02ad000
Kernel memory mapped to 0x40002000
Searching for brq filter...
- Address: 0xc02adc1c + 0x34c
- 0x2a000012 -> 0xea000012
Backing up current partition 7 and patching it...
Backing up partition /dev/block/mmcblk0p7 to /sdcard/part7backup-315968429.bin .
..
patching secu_flag: 1
Done.
# sync
sync
# reboot
reboot
Despite this the status is still S-OFF
Please can someone help!
What is your rom version/build number?
what is your baseband version?
-Nipqer
Nipqer said:
What is your rom version/build number?
what is your baseband version?
-Nipqer
It was on cyanogenmod but it was giving me errors trying to restore it, so I flashed an official RUU:
ROM/ Build Number:1.82.405.1 CL317545 release-keys
Baseband: 12.28e.60.140fU_26.04.02.17_M2
Thanks
You need to run misc_version and downgrade to a 1.32 firmware, with radio 26.03.xx.xx to change back to S-ON
-Nipqer

Secure boot error (demigod crash handler)

Hey all. So I bricked my phone.
First I rooted the phone using Stump Root on stock 4.4.2, then I flashed the official Lollipop 5.0 firmware using LG Flash Tool... It's been bricked since yesterday... HELP NEEDED!
When I plug it into my computer, it's recognizable via COM port only... "LGE Comport". So today I tried Ubuntu and I got a line on my phone that says "fastboot: processing commands". I thought that was good so I went ahead and got the things I need for Ubuntu and followed a guide: http://forum.xda-developers.com/showthread.php?t=2582142
Here's what I got:
When I do the /dev/sd* mine shows:
[email protected]:~# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sda2 /dev/sda3 /dev/sda5 /dev/sda6
So using what I got I moved onto the next step gdisk -l /dev/sdb I got:
[email protected]:~# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.8
Problem opening /dev/sdb for reading! Error is 2.
The specified file does not exist!
So since mine showed "sda" and not "sdb" I tried it with the highest number I had (6) with sda. I got:
[email protected]:~# gdisk -l /dev/sda6
GPT fdisk (gdisk) version 0.8.8
Partition table scan:
MBR: not present
BSD: not present
APM: not present
GPT: not present
Creating new GPT entries.
Disk /dev/sda6: 147367936 sectors, 70.3 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 914599DB-77C6-4F8A-87B9-7DD5A240D111
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 147367902
Partitions will be aligned on 2048-sector boundaries
Total free space is 147367869 sectors (70.3 GiB)
Number Start (sector) End (sector) Size Code Name
I am so lost and I don't know what I'm doing wrong and I don't know what else to do. All the guides I've found online, have not done me any good. So again, I don't know what I'm doing wrong.
Can someone please please please help me.
Thanks in advance!
asadnow2k said:
Thanks in advance!
You should try to repair your download mode by following this guide. If you succeed, you should be able to go back to stock through the KDZ or TOT method.
Tried no luck
asadnow2k said:
Tried no luck
Have you tried @somboons method (http://forum.xda-developers.com/lg-g2/development/tools-srk-tool-useful-toos-lg-root-twrp-t3079076) ?
yes tried everything no luck

[BOOTLOADER] Analysis

Brief synopsis
Bootloader unlock isn't likely. Amazon provide the facility to unlock the bootloader, but there is no way of getting the key.
The program which is locking the bootloader appears to be specific to MediaTek and Amazon, therefore, there isn't any source code.
The partitions with an Android bootimg header are all signed with two Amazon certificates. This includes the Little Kernel (LK) and the kernel itself.
The preloader is custom built for Amazon. The preloader doesn't respond to SP Flash Tool because it's constantly in a reboot loop when in 'META mode'. I presume it's intentional; a different version can however be installed (See 'However...').
However...
@bibikalka has found some strings in tz.img referring to a bootloader unlock. There is an amzn_unlock_verify function in lk too.
There is a way to get the preloader to work properly with SP Flash Tool. However, this won't allow you custom ROMs, just reinstall Amazon's software. The software installed is still verified during the boot process. See this unbrick guide to install a different preloader. The preloader is not signed or checked by the boot process.
There is a small chance some part of the boot process could be fooled.
Downgrade potential
An anti-rollback program appears to have been built in to the bootloader which prevents any attempt at downgrading the software on the device. This is rather irritating, and means that downgrading is almost impossible. Only the preloader seems to be unaffected by this anti-rollback system – so, if you attempted to downgrade, and caused your device to become bricked, then you can restore the version you left.
Note that I vaguely refer to the preloader, uboot and lk collectively as 'the bootloader'.
Original post
I previously had downloaded the 5.0.1 and 5.1.1 LK versions, and thought, why not run these through binwalk?
For the old, 5.0.1 bootloader, putting lk.bin through binwalk gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204256 0x31DE0 SHA256 hash constants, little endian
292292 0x475C4 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
330144 0x509A0 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
330752 0x50C00 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
334248 0x519A8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
339912 0x52FC8 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
341028 0x53424 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
350360 0x55898 Unix path: /mnt/build/workspace/fireos-release_500-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/
351732 0x55DF4 Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
353656 0x56578 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
369736 0x5A448 CRC32 polynomial table, little endian
397548 0x610EC LZMA compressed data, properties: 0x91, dictionary size: 33554432 bytes, uncompressed size: 134217728 bytes
Whilst the 5.1.1 bootloader's lk.bin gave:
Code:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
204960 0x320A0 SHA256 hash constants, little endian
293720 0x47B58 Android bootimg, kernel size: 0 bytes, kernel addr: 0x5D73255B, ramdisk size: 1869570592 bytes, ramdisk addr: 0x6D692074, product name: ""
332024 0x510F8 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/cry
332628 0x51354 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/mem
336096 0x520E0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/asn
341712 0x536D0 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/evp
342820 0x53B24 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/obj
352064 0x55F40 Unix path: /mnt/build/workspace/fireos-ship_511-patch-build/bootable/bootloader/ufbl-features/project/../features/common_openssl/crypto/x50
353420 0x5648C Certificate in DER format (x509 v3), header length: 4, sequence length: 1067
355344 0x56C10 Certificate in DER format (x509 v3), header length: 4, sequence length: 1069
371656 0x5ABC8 CRC32 polynomial table, little endian
So there you go! The bootloader uses OpenSSL to check the partition against two DER format certificates. Ignore the LZMA header for now; binwalk thinks almost everything is LZMA compressed.
Can you run binwalk with -e and post the 5.1.1 certs here
Look at the thread about the 5.1.1 lk.bin in this forum and download the binary so you can run binwalk on it yourself.
Here is the lk.bin file, zipped. You can try and run '-e' on this binary.
The extracted certificates appear to contain format strings for decompression/compression error and debug messages. It doesn't look right. But the tops of the files are valid certificate headers (or appear to be to the untrained eye).
Thanks @benwaffle.
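An added example, not part of the original posts and not code from binwalk: a signature hit on a DER header does not prove that a complete certificate follows, which is one way a carved file can start like a certificate and continue as unrelated strings. The sketch below walks the three top-level fields of an X.509 Certificate at each `30 82` candidate; the function names and all sample bytes are constructed for illustration.

```python
def read_tlv(buf, off):
    """Parse one DER tag/length header at off -> (tag, header_len, content_len) or None."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        return None                       # indefinite or implausible length
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def check_certificate(buf, off):
    """Walk tbsCertificate, signatureAlgorithm, signatureValue; return (ok, reason)."""
    outer = read_tlv(buf, off)
    if outer is None or outer[0] != 0x30:
        return False, "no SEQUENCE header"
    pos, end = off + outer[1], off + outer[1] + outer[2]
    if end > len(buf):
        return False, "sequence runs past end of input"
    for want, name in ((0x30, "tbsCertificate"), (0x30, "signatureAlgorithm"),
                       (0x03, "signatureValue")):
        tlv = read_tlv(buf, pos)
        if tlv is None or tlv[0] != want:
            return False, name + ": missing or wrong tag"
        pos += tlv[1] + tlv[2]            # skip header and content of this field
    if pos != end:
        return False, "fields do not fill outer sequence"
    return True, "consistent with X.509"

def scan(buf):
    """Classify every 30 82 candidate (a 4-byte header, as in the binwalk output)."""
    hits, pos = [], buf.find(b"\x30\x82")
    while pos != -1:
        hits.append((pos,) + check_certificate(buf, pos))
        pos = buf.find(b"\x30\x82", pos + 1)
    return hits

def build_sample():
    """Constructed input: a structural skeleton (not a real certificate) and a
    certificate-like header that is followed by a format string and padding."""
    tbs = b"\x30\x08\xa0\x03\x02\x01\x02\x02\x01\x01"          # version v3, serial 1
    alg = bytes.fromhex("300d06092a864886f70d01010b0500")      # sha256WithRSAEncryption
    sig = b"\x03\x82\x01\x01\x00" + b"\xaa" * 256               # BIT STRING filler
    good = b"\x30\x82" + len(tbs + alg + sig).to_bytes(2, "big") + tbs + alg + sig
    fake = b"\x30\x82\x04\x2b\x30\x82\x03\x13" + b"decompress error %d\n" + b"\x00" * 1100
    return b"\x00" * 16 + good + b"\x00" * 16 + fake

if __name__ == "__main__":
    print(*scan(build_sample()), sep="\n")
```

To run it on a real image, pass the file's bytes to `scan()` and compare the offsets that pass with the ones binwalk reports.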
Good effort!
I shall note that Amazon must have a way to un-brick the devices with MTK tools, they would not swap motherboards in order to revive them ...
The problem with the public MTK tools is that it's even impossible to create a scatter file automatically (read only operation), meaning that the formats are ones that MTK tools don't understand:
http://forum.xda-developers.com/fire-hd/help/mtk-tools-people-hopeless-bricks-t3139784
There is also an attempt to look at which partitions change when 5.0.1 goes to 5.1.1, and frankly, it's not many places to hide (only a couple of partitions):
http://forum.xda-developers.com/amazon-fire/help/understand-5-1-1-bootloader-bricking-fix-t3301991
On Fire 2014 I also looked at the strings within the bootloaders, and they had some interesting stuff regarding unlocking:
http://forum.xda-developers.com/showpost.php?p=61288384&postcount=57
I wonder if it's possible to patch the very first thing that boots (preloader), and have it pass the unlocking flags around? Or is the preloader also fully encrypted?
Thanks @bibikalka!
Yes – Amazon must have a way of flashing firmware. I wonder if there is a JTAG header on the board as well. The Fire HD 6 had a 'JDEBUG' port, as seen in iFixit's teardown photographs: https://www.ifixit.com/Teardown/Kindle+Fire+HD+6+Teardown/29815#s70239
There might be a bootloader unlock then! It might need someone to decompile uboot to see how to trigger the unlock.
I've only managed to get the preloader_prod.img at this moment in time (I haven't taken preloader.img off). The SHA256 hash starts at around 95% (117KB out of 121KB) of the file, according to binwalk.
Hi,
I'm sorry to shatter hopes for bootloader rollback, but I was looking at the strings in preloader_prod.img and found this:
Code:
$ strings images/preloader_prod.img | grep -i rollback
[ANTI-ROLLBACK] Processing anti-rollback data
[ANTI-ROLLBACK] Failed to read block 0
[ANTI-ROLLBACK] PL: %x TEE: %x LK: %x
[ANTI-ROLLBACK] Need to update version
[ANTI-ROLLBACK] Invalid checksum!
[ANTI-ROLLBACK] Checksum validated
[ANTI-ROLLBACK] PL version mismatch!
[ANTI-ROLLBACK] L: %x R: %x
[ANTI-ROLLBACK] Updating PL version
[ANTI-ROLLBACK] TEE version mismatch!
[ANTI-ROLLBACK] Updating TEE version
[ANTI-ROLLBACK] LK version mismatch!
[ANTI-ROLLBACK] Updating LK version
[ANTI-ROLLBACK] All checks passed
[ANTI-ROLLBACK] Updating RPMB block...
[ANTI-ROLLBACK] Unable to update RPMB block (wc)
[ANTI-ROLLBACK] Unable to update RPMB block (write)
[ANTI-ROLLBACK] RPMB block updated
[RPMB] Failed to initialize anti-rollback block
[RPMB] Anti-rollback block initialized
[RPMB] Valid anti-rollback block exists
[ANTI-ROLLBACK] Invalid anti-rollback state, skipping
There is more stuff when looking for rpmb...
A little bit of googling leads to: https://docs.google.com/viewer?url=patentimages.storage.googleapis.com/pdfs/US20140250290.pdf
This doesn't look good at all.
These strings might give a bit of hope:
Code:
[RPMB] Invalid magic, re-creating...
[RTC] clear rpmb program mode flag in rtc register
So something could be stored in the realtime clock and the device might recover if the RPMB block gets destroyed. I can't find any mention of OTP or fuses in the image.
EDIT: It seems rpmb can be accessed through /dev/block/mmcblk0rpmb. I've uploaded mine (5.0.1) to: http://bork.cs.fau.de/~michael/fire/
It seems to only contain a few ones and many zeroes.
It would be interesting to get the rpmb of a 5.1.1 device to compare:
Code:
$ adb shell
[email protected]:/ $ su
[email protected]:/ # dd if=/dev/block/mmcblk0rpmb of=/sdcard/rpmb.bin
1024+0 records in
1024+0 records out
524288 bytes transferred in 0.093 secs (5637505 bytes/sec)
I would not advise trying to flash the 5.0.1 rpmb to a 5.1.1 device!
Regards,
Michael
How interesting. Thanks @stargo! I've updated the OP according to your findings. Yes, it seems more complex than previously thought. I'll upload my 5.1.1 rpmb binary soon.
Hi there! As seen within, I read MTK is a very hard platform to work with, because they are very closed, and they hardly ever release any source, so most ROMs are ports of a similar device. I'll have a search for a device with this same SoC to see if I can come back with related info. That's why I'm surprised we have CM here!
