Hi All,
Unfortunately as a new user I can't post this in the Dev forum. So I'll put it here for now and perhaps can move it later.
I'm wanting to tinker with uboot on the Iconia. Ideally what I'm hoping to achieve is;
A versatile and usable port of uboot to the iconia complete with documentation (both how to get/build as well as use) and binary files available for download.
1) uboot to replace the default bootloader or the existing kernel image in flash and have the uboot able to load the standard kernel image from the system partition.
2) To have uboot able to run an interactive shell, either over USB or on the local console with a USB keyboard.
3) A boot menu would be nice with control by builtin buttons.
For my build box I'm using the current Debian with GCC 4.1 available
Anyway, if anyone can help at all please feel free to respond. It is my intention to update this thread as I go, documenting the journey and ultimately publishing the results with how to info.
Tonight I will edit this with a better outline (more verbose) of what I'm attempting to do and some info regarding what my build env is and what info I already have.
Hope to create something useful here for everyone.
Owen.
OK. I'm still checking things out... eppeP, did you get anywhere with the SBK? If not, uboot will just have to replace the android kernel and maybe be patched so it can load it from the system partition instead. One guy (lost the thread) said he had to mod the patch to get it to compile, but didn't say how.
As far as a boot menu goes, I'm thinking of a script that will search the boot folder of all mountable volumes and present a menu, much like the Apple boot selector does. Still don't know if it's possible though and is somewhat secondary issue anyhow.
Can anyone give info on uboot env storage? Also I need to know the partition layout for the internal MMC (got a good idea already but need to be sure and what's the partition layout?)
Have you talked to sp3dev and sc3k? I've been following the native linux thread and I believe they are trying to do just that. They would be your best source of help I think
Thanx gh123man,
Yep, I've seen good & exciting posts from sp3dev, muromec and hexeh about this stuff. Unfortunately I can't post in the dev threads cause I'm new to xda forum.
I was kinda hoping they might spot this thread and respond
Sounds like fun, I might be interested in helping.
So far I've been looking into generating the SBK, decrypting BCT/EBT and are just about to start looking at the partition format (there seems to already be some code for this, so that should not take long to get an idea of). So I guess unless I find something more interesting, trying to pick apart the bootloader to get a better understanding of that part might come soon anyway.
Would anyone be willing and able to create a dump of a clean Windows 10 for Phones system image and share it with me? I searched around in the installation for non-supported devices threads, but did not see a reference to anything.
An FFU image extracted from the updater would also work, thanks in advance!
Why is that?
I see.
But at least it's possible, even if not very probable.
Although, we should check if we can use WinRAR, since it's possible to edit the images without breaking the signature.
Assuming we have a signed image.
Not possible. There are many threads trying to achieve what you're hoping to do with cabs and such, and it's not possible when the bootloaders are signed and damn near everything in the system requires a signed cert.
But how does that prevent us from opening and modifying them with WinRAR?
Even if we can't boot the new files, it's still a step.
So open it with WinRAR, if possible.
At least to get an idea of the structure of the OTA, that piece of information may help us form an idea as to at least part of the structure of the system.
It's better to have (theoretical) partial read access, than no access at all.
feherneoh said:
FFU is not OTA
Alright, but can you open it inside WinRAR?
Now we're talking, what we need now is someone to examine the partitions and their layouts.
Unfortunately, I'm not at that level but at least I can understand these things, so I would like to hear the results.
Is anyone exporting the partitions yet?
Unfortunately, I don't know the partition layout in Windows 10 Mobile, but perhaps they should all be exported and examined?
Not for myself, however I had thought that it may help others attempting to port Windows 10 Mobile in the future.
you can try to download MI4 rom
http://en.miui.com/thread-189556-1-1.html
Hello All,
First let me say thanks to all XDA Developers, and without this forum I would still be a pleb when it comes to unbricking. :highfive:
The link to QPST: androidbrick.com/download/latest-qpst-2-7-build-422-425-430-437-qfil-qualcomm-flasher/
(Sorry, I haven't passed 10 posts yet, so you have to manually enter into the address bar)
I came to this forum seeking answers to unbrick my hardbricked Note 4, and after many hours of heartbreak and headache, I have come across a tool called QPST.
This tool is used by Qualcomm, and if you read carefully through the accompanying documentation, you will find some interesting stamps - such as "Confidential" etc.
While I am no expert in the use of QPST, from my own incomplete research I am convinced this tool can be used on any device which sports a Qualcomm chipset (Snapdragon etc.) to unbrick it from certain death.
I have not yet succeeded with my attempts at unbricking, but it is now only a matter of time and kind people pointing me in the right directions. :fingers-crossed:
I am looking for the right files to go in the "phone image" and "boot image" lines in the QPST Software Download program.
I hope we can all see the opportunity this tool represents and spread the word among the greater community, not just developers.
Edit:
Using Software Download:
Phone image files will have a .hex extension and I do not believe they can be found on sammobile. I still haven't found the right one.
Boot image files: I still don't know what they will look like. Likely a .hex file.
Using QFIL:
I suspect all these files can be acquired from a service ROM (whatever a service ROM is - I don't think it is a ROM for android as I know them). I am not completely sure of this however.
Using the flat build option will let you select the programmer. It will have a file name like:
prog_emmc_firehoseXXXX.mbn
(Replace XXXX with the correct numbers for your snapdragon. I don't know what the right ones for the Snapdragon 805 are, but I strongly suspect 8084, with a remote possibility of 8064. Edit: I don't know, don't take my word.
There are posts for other phones on XDA, I don't know if they use the 805 chipset or if the files are compatible.) <--- If anyone wants to research, feel free. Team efforts make a big job seem easy! Please post your results!
Accompanying your firehose file will be a bunch of other files in the same folder.
You will need two .xml files to go with the above (usually in the same folder), which will look as follows:
rawprogram0XXXX.xml (here XXXX denotes some numbering system which will be determined by the internal memory of the device eg 16GB, 32GB, 64GB. I saw an example for a OnePlus One which had rawprogram0_64G.xml.
I'm NOT 100% SURE on this numbering system, as elsewhere on XDA I have come across different file names!
Here's the truncated link: androidbrick.com/ultimate-qualcomm-snapdragon-unbrick-guide-snapdragons-are-unbrickable-qhsusb_dload_qpst_qfil/)
patch0.xml
When I find the above, I will post or hassle an admin to post, as these will likely unbrick any Snapdragon 805. Happy hunting!
Here's a truncated link to XproZayd's thread, where a different avenue is explored (and where I got my idea about the 8084 number for firehose -- Remember, I could be wrong!)
forum.xda-developers.com/note-4/help/unbrick-samsung-galaxy-note-4-sm-n910w8-t3249970
This thread is for discussing QPST and how to use it - if you have a hard bricked phone I am not able to help at this stage. However, should anybody find / 'acquire' the right files to use with QPST, we will all benefit.
What made your device hard brick
Sent from my SM-N910G using Tapatalk
Mistake 1: I bought the phone with the known problem of a USB port not working.
Mistake 2: I bought a replacement USB board and replaced it myself, after which the fun and games began. The one time the screen did light up I got an error message about mmc read fail and could not boot.
Mistake 3: Like a fool, I pulled the battery. Now I have a hard bricked / useless Note 4.
Unless the mmc is physically damaged (which I refuse to believe) the phone should be salvageable from its hard brick state. Provided I can find the right files to go with QPST.
Edit:
I have tried contacting Qualcomm to get the files, who have pointed out that they are proprietary to the licensee, ie Samsung. Here's the e-mail below.
Any information other than what is listed on our website (URL listed below for your reference) is Proprietary to Licensees.
However, the following link should help you with the information you're looking for:
http://www.mydragonboard.org
Alternatively, we recommend you follow-up with a vendor that carries this product and seek their feedback on your technical questions.
Please note, Qualcomm is the technology provider, not a manufacturer of consumer products and therefore we are unable to answer your product specific question. We hope this direction helps.
Thank you for your inquiry,
Qualcomm Technologies Inc.
can you explain to me everything that is happening?
i got my note 4 hardbricked from......
i really dont know
i was modifying my phone but then it would not boot
AlexanderDAB said:
can you explain to me everything that is happening?
i got my note 4 hardbricked from......
i really dont know
i was modifying my phone but then it would not boot
Is it going in download mode or recovery ?
What were you exactly flashing ?
Is it detected in pc as qhsb loader ?
Is the splash screen GALAXY NOTE 4 showing up ?
Sent from my SM-N910G
Update:
So far I have contacted Qualcomm, Intrinsyc (they sell Snapdragon development boards), and a Samsung retail outlet.
All have come back as a negative - the closest I could get was the Samsung retail outlet where a dude used to work in the repair centre and had access to the files then.
Unfortunately, Samsung revoked his permissions now that he only works in a retail outlet.
He knew what I was talking about, but due to Samsung and their encryption etc, he couldn't provide me with the files.
C_dog_1 said:
Mistake 1: I bought the phone with the known problem of a USB port not working.
Mistake 2: I bought a replacement USB board and replaced it myself, after which the fun and games began. The one time the screen did light up I got an error message about mmc read fail and could not boot.
Mistake 3: Like a fool, I pulled the battery. Now I have a hard bricked / useless Note 4.
Unless the mmc is physically damaged (which I refuse to believe) the phone should be salvageable from its hard brick state. Provided I can find the right files to go with QPST.
Edit:
I have tried contacting Qualcomm to get the files, who have pointed out that they are proprietary to the licensee, ie Samsung. Here's the e-mail below.
Any information other than what is listed on our website (URL listed below for your reference) is Proprietary to Licensees.
However, the following link should help you with the information you're looking for:
http://www.mydragonboard.org
Alternatively, we recommend you follow-up with a vendor that carries this product and seek their feedback on your technical questions.
Please note, Qualcomm is the technology provider, not a manufacturer of consumer products and therefore we are unable to answer your product specific question. We hope this direction helps.
Thank you for your inquiry,
Qualcomm Technologies Inc.
I have the same problem and also looking for a solution. I will contribute to this post as I find something.
There is a similar post here:
http://forum.xda-developers.com/note-4/help/unbrick-samsung-galaxy-note-4-sm-n910w8-t3249970
---------- Post added at 07:10 PM ---------- Previous post was at 06:30 PM ----------
Try this manual.
http://dl-1.va.us.xda-developers.co....rar?key=yrJPiZgu63c6RxNIbU_xVA&ts=1474829412
I've found it earlier today but haven't had a chance to try it yet.
Says the file is gone
Sent from my SM-N930W8 using XDA Labs
It's just the pdf and .pit that i used here: http://forum.xda-developers.com/note-4/help/hard-brick-phone-off-long-help-fellow-t3468792
yashthemw said:
Is it going in download mode or recovery ?
What were you exactly flashing ?
Is it detected in pc as qhsb loader ?
Is the splash screen GALAXY NOTE 4 showing up ?
Sent from my SM-N910G
it won't boot at all
i was messing around with the system on the factory binary firmware
yes, it is
nope, it will not boot
I have the same problem. Did anyone succeed with this process?
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
Reporting Via N910G.
yashthemw said:
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
Reporting Via N910G.
can you get me a dude with an AT&T note 4?
same boat with my N910F
I'm in the same boat with my NOTE 4 N910F. Totally blacked out but still picking it up on the PC with QFIL files have found some files but they're not the right phone I think.
so fails to load with SAHARA.
cannot find firehose for 910F. Wish someone could solve this one and then publish it all. someone will eventually but QFIL will unbrick all Qualcomm provided you can make the files.
Let me know if you or anyone does. cheers
Lofhario said:
I'm in the same boat with my NOTE 4 N910F. Totally blacked out but still picking it up on the PC with QFIL files have found some files but they're not the right phone I think.
so fails to load with SAHARA.
cannot find firehose for 910F. Wish someone could solve this one and then publish it all. someone will eventually but QFIL will unbrick all Qualcomm provided you can make the files.
Let me know if you or anyone does. cheers
https://forum.xda-developers.com/showthread.php?t=3488114
Tried this?
Reporting Via N910G.
Hi, got a Phicomm Energy M+ (E551). It turned off as the battery was empty, so I charged it overnight.
But:
-Switching it on only shows the phicomm logo
-Trying to enter recovery, shows phicomm logo for a second and then the screen stays lit. Nothing else happens.
-On Windows 7 device manager shows it as "RELINK HS-USB QDLoader 9008 (Com3)" (VOL Up+VOL Down + Power)
-fastboot/adb won't find it
-I tried this http://www.droidsavvy.com/unbrick-qualcomm-mobiles/
I don't have an emmc backup but an unzipped Stock ROM of the E551L which support told me to use. (put on SD card and reboot into recovery, but I can't get into recovery)
Hence I use the unzipped ROM with the Qualcomm Flasher :S (http://na.phicomm.info/release/E551L...TA package.zip)
-It starts the process but then says "Failed to enter EDL" (Emergency) mode
Another thing I stumbled across is :
E551L has Qualcomm MSM8916 and Android 4.4.2
E551M has Qualcomm MSM8915 and Android 4.4.4
Will I have to acquire a deepflash cable or am I missing something here ?
yashthemw said:
Hey guys, i successfully created a Debrick.img for note 4 , used my own functional note 4 to create one .
http://forum.xda-developers.com/showthread.php?t=3488114
Don't forget to Press thanks .
tried but not working
waiting for other solution
Hello and thank you to anyone that can point me in the right direction.
I was recently given a Note 3 from a friend and for whatever reason it will not detect any SD card. The SD cards are fine and work in my other Android phones, Windows computers and anything else. So aside from that, is there any way to unlock the bootloader on this phone without the use of an SD card? All the methods I've come across mention one is needed. Thanks.
NM. I think I found what I was looking for here.
riotstarter said:
NM. I think I found what I was looking for here.
Possibly* a lesser-effort way - same thread, but here.
I say "possibly" because you didn't state which OS release was on the phone. (I can assume MI9->NC4, OB6, or OF1 as you must be rooted. NJ6, NK1, and PL1 are - as of this time - problematic for easy rooting).
There were some dependencies of the exploit code on OS version due to the location of the "CID" value moving around inside the kernel volatile filesystem /sys. You might have to take account of that in building/modding the code. (Either that or just get rid of the CID check if you know that you have a 0x15 eMMC chip device). Unfortunately, you need to thoroughly read about the first 350 posts in that thread to completely understand the discoveries that were made.
Anyway, some pointers to version compatibility are here.
* @beaups code is very straightforward. (@donc113 's mods of that code have the correct binary patching blob for the SM-N900V - beaups's github code was for the AT&T version of the phone) You probably will have more troubles setting up a toolchain than actually modding or compiling the code if you go that route.
good luck.
ps good to see someone in here that's not afraid of a compiler
bftb0 said:
Possibly* a lesser-effort way - same thread, but here.
I say "possibly" because you didn't state which OS release was on the phone. (I can assume MI9->NC4, OB6, or OF1 as you must be rooted. NJ6, NK1, and PL1 are - as of this time - problematic for easy rooting).
There were some dependencies of the exploit code on OS version due to the location of the "CID" value moving around inside the kernel volatile filesystem /sys. You might have to take account of that in building/modding the code. (Either that or just get rid of the CID check if you know that you have a 0x15 eMMC chip device). Unfortunately, you need to thoroughly read about the first 350 posts in that thread to completely understand the discoveries that were made.
Anyway, some pointers to version compatibility are here.
* @beaups code is very straightforward. (@donc113 's mods of that code have the correct binary patching blob for the SM-N900V - beaups's github code was for the AT&T version of the phone) You probably will have more troubles setting up a toolchain than actually modding or compiling the code if you go that route.
good luck.
ps good to see someone in here that's not afraid of a compiler
Thanks I appreciate the response. Yes I am on OF1 with a 0x15 chip. I've downloaded donc113's file and Android SDK/NDK. Does donc113's mod of the code already include what I'd be needing the SDK/NDK for? I'm definitely not afraid of trying something unfamiliar, I just want to ensure I'm doing it right. I'll do some more digging and see if I can figure things out a little more.
riotstarter said:
Does donc113's mod of the code already include what I'd be needing the SDK/NDK for?
Should be. Really the only thing you should check to see is if the path in /sys to the CID file on your OF1 phone is one of the paths that he is checking for. You can use the "strings" command for that.
OK, I just downloaded his code and did that ("strings" command). Here are the paths he is searching:
Code:
/sys/devices/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid
/sys/devices/platform/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid
/sys/class/mmc_host/mmc0/mmc0:0001/cid
/sys/devices/msm_sdcc.1/mmc_host/mmc1/mmc1:0001/cid
If OF1 uses one of these, then you don't even need to compile anything, just run the binary.**
**there is a brutal form of "avoid compiling" hackery where you simply perform a binary edit of an executable file in order to change a constant value in the code such as a string. So long as the replacement string is shorter than the original, you can just replace the string and null-pad the unused length (as strings are assumed to be null-terminated in C). For example, if there was a pathname in a .bss or .rodata segment such as
Code:
/foo/original/path/filenameX
/bar/replacement/myname\0\0\0\0\0
this works so long as the replacement string's bytelength is less than or equal to the length of the original string. (And the code is not performing a signing or other integrity check of itself.)
Only to be used when you don't have the code to be compiled or emergencies such as when you are in a hurry LOL.
(Obviously you can not shorten or lengthen the file at all doing this: all the byte offsets in the file must remain unchanged).
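The `strings`-style path check and the same-length string patch described in the post above, as an added example that is not part of the original thread and is not beaups's or donc113's code. The sample bytes and all function names are constructed for illustration.

```python
import re

# Constructed sample: a fake executable image holding two NUL-terminated
# path constants separated by non-printable bytes (not a real binary).
SAMPLE = (b"\x7fELF\x01\x01\x00\x00"
          b"/sys/devices/msm_sdcc.1/mmc_host/mmc0/mmc0:0001/cid\x00"
          b"\x02\x00\x10\x00"
          b"/foo/original/path/filenameX\x00"
          b"\xff\xfe")


def c_strings(blob, min_len=4):
    """Return (offset, bytes) for each printable-ASCII run, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, blob)]


def cid_paths(blob):
    """List the /sys/.../cid paths compiled into the binary."""
    return [s.decode() for _, s in c_strings(blob)
            if s.startswith(b"/sys/") and s.endswith(b"/cid")]


def patch_c_string(blob, old, new):
    """Replace the C string `old` with `new` in place, NUL-padding the rest.

    Refuses anything that would move other bytes or corrupt a neighbour:
    the replacement must not be longer, the original must occur exactly
    once, and it must be a whole string (NUL after, no printable before).
    """
    if b"\x00" in new:
        raise ValueError("replacement must not contain NUL bytes")
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    needle = old + b"\x00"
    pos = blob.find(needle)
    if pos < 0:
        raise ValueError("original string not found (or not NUL-terminated)")
    if blob.find(needle, pos + 1) >= 0:
        raise ValueError("original string occurs more than once")
    if pos > 0 and 0x20 <= blob[pos - 1] <= 0x7e:
        raise ValueError("match is the tail of a longer string")
    # Pad up to the original length, then keep the original terminator.
    padded = new + b"\x00" * (len(old) - len(new) + 1)
    patched = blob[:pos] + padded + blob[pos + len(needle):]
    # Every other byte offset in the file must stay where it was.
    assert len(patched) == len(blob)
    return patched


if __name__ == "__main__":
    print("CID paths in binary:", cid_paths(SAMPLE))
    out = patch_c_string(SAMPLE,
                         b"/foo/original/path/filenameX",
                         b"/bar/replacement/myname")
    print("strings after patch:", [s for _, s in c_strings(out)])
    # Any signature or hash computed over the file no longer matches
    # after this edit, which is the caveat the post mentions.
```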
https://forum.xda-developers.com/showthread.php?p=71448959
Sent from my SM-N900V using Tapatalk
Am on Sm-n900v (Rooted)
Android 5.0
0B6.
Want to unlock bootloader but need some strict instructions
Idk if this is anything of value, I extracted the OTACERTS.zip from /system/etc/security/ folder, and copied it to my home directory.
releasekey.x509: Apparently I could add it to user certificates?
It has SHA-256 & SHA-1 fingerprints, as well as a serial number and it's a Google certificate, which I strangely don't see in the trusted certs.
ALSO the Pixel 2 XL for Verizon is entirely encrypted using Roman coding.
I've been poking around the root system with Ubuntu and termux for awhile, to see if there's any sort of possibility of bypass Verizon's UEFI bootloader.
It's possible that by dual booting both the Pixel 2 XL and windows and running a few scripts while making a new boot config file and running couple more scripts, could bypass the bootloader via throwing it in a bootloop, to which the rescue system would kick in after awhile to ask us, the users, for a pin number before it kills itself. Idk if it changes much, but I found the Verizon SIM pin to be 1234, and changed it to 0666, and I've noticed a lot of the xml files show my new pin number.
.
.
.
This is all just prowling through code and Google itself that I've found this info.
If it's useless, I'll delete my post but I'm hoping someone that knows something about these things and could use this information.
I'm a total noob at coding, and hacking in general but I've been learning things because I cannot stand not being in control of my entire phone.
Idk tho, maybe it's pointless ?
Could be something there. It's nice find. Been awhile since someone has found a fresh idea on this regardless of the outcome.
Edit: Just remembered that the otacert.zip is just the public key that matches Google's private key, which we don't have
Huh, so the fact that we can obtain this key is a step forward? I read somewhere that it's used to sign OTA updates.
I'm doing more key digging and seeing what comes out of it as well.
Well maybe not totally pointless. But it is half of what is used to sign an ota. This is a good explanation of what is going on with release signing:
https://source.android.com/devices/tech/ota/sign_builds