[Tutorial] AC8227L head units - how to unlock the bootloader - Android Head-Units

If you have one of these 8227L units that doesn't have any physical buttons, and you've tried to unlock your bootloader, you may have given up in frustration when the on-screen instructions say, press volume down to continue...
If you have one of the units that does have physical buttons, your process will be similar but much simpler, as you won't have to take your unit apart, so you can follow along with this tutorial after that portion is done.
Disclaimer: If you don't have physical buttons on your unit, you're going to have to dismantle it and potentially do some soldering to get through this. The points in question are tiny and if you permanently short them or apply too much heat and lift a pad, you could get stuck with a unit that's permanently muted or just bricked altogether. You have been warned about the risks, and I am not responsible for any damage you may incur!
Here's how it's done.
Prerequisites:
8227L unit with no physical buttons
Phillips screwdriver
Comfort with soldering on fairly small stuff
(You might get by without having to do any soldering, but if you can solder, you'll have an easier time)
PC of some type, probably a laptop if you want to do this inside a vehicle
adb and fastboot installed - there are plenty of tutorials on this elsewhere on these forums
It is possible to root these things without unlocking the bootloader, so if your device happens to be
rooted already, note that you'll be able to skip the adb portion entirely by installing a reboot utility
from the play store that allows you to just reboot the device to bootloader mode, but you'll still need to
use fastboot over USB.
If you need to bring the unit inside to get to a computer, you'll need a 12v power supply of some type
USB A male to male cable - that's just a cable with a "full size" usb plug on both ends - You can just chop up two old USB cables and splice them back together by matching the colors of the inner wires to make your own if need be.
We're going to be disassembling the unit, so obviously you'll want to completely disconnect it first.
On the backside of the unit there is a Phillips head screw at each corner, go ahead and pull those out and put them someplace safe.
Once you remove those screws, the back of the unit is loose, but don't just pull up on it! It's still connected to the board, which is connected to the screen assembly by some fragile ribbon cables, and you don't want to tear those! The cables attach towards the bottom of the screen, so tilt the back of the unit away from the screen top side first, opening it like a book. This will reveal the three ribbon cables we need to disconnect. They connect into three plastic connectors (They're called ZIF or Zero Insertion Force connectors) attached to the board that can also be fragile, so take care with this next step. On the back side of each connector, the side away from the ribbon cable is a little plastic "flap," usually black in color. Take your fingernail or a plastic spudger, or a toothpick or something (non-metallic preferably) and get underneath that and flip it upwards. The flap should stay in the connector and just hinge open. Once this is done, the ribbon cable itself should come out easily. If you have to apply any pressure to get it out, you don't have it unlocked and you will damage something, so make sure you've got it unlocked before you go pulling on the ribbon cables.
With the ribbon cables disconnected, the screen assembly can be set to the side for the time being. We now have access to the front side of the board, but what we need is on the other side, so we'll have to remove it completely from the housing. There will be 4 or 5 more Phillips screws to remove, depending on your model. Once you get those out, you can pull the board free and flip it over. We're looking for 5 small copper pads exposed on the surface of the mainboard, in the area of the CPU, RAM and NAND/EMMC memory chips. I have attached an image that I borrowed from elsewhere on these forums, because I don't have a unit opened up right now and didn't want to take one apart just to take some pictures.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
In the image I attached, you're looking for the points marked 1 and 2. The caption on the image suggests they connect to Volume Up, but on every unit I've seen these points connect to Volume Down. Your mileage may vary. The layout of these points can vary from model to model, but they're always in this area. On all the models I have seen, two of these points are slightly larger than the rest, and those are the two we're concerned with for now. You may here this referred to as the "test point," but in fact these points simply expose access to Home, Back, Volume Up and Volume Down. Of the two bigger points, one of them will be ground. (If you know your way around a multimeter you can verify which one by checking for continuity to ground elsewhere on the board, but it's really not important for our current purposes which is which.) The next part will be much, much easier if you can handle soldering on stuff this size. We need to have access to momentarily short the two bigger points. The one that isn't ground is volume down, and making a connection between the two sends a Volume Down key press. (If you have identified which is ground you can access Home, Back and Volume Up by shorting it to the three smaller points) At first, I thought I'd just be able to touch the two points with a
screwdriver to accomplish this, but I never ended up getting that to work. If your unit is a bit different than mine, you may have more luck with that. But in my case, I needed to tin both points (that simply means to apply fresh solder to them) and attach a small wire to one of them. (The jumper wires that come with an Arduino work great for this if you have any of those laying around, otherwise just use a really small wire of some kind.) This jumper wire is going to function as our "volume down" button for the next part. These are also the same points you will need to access if you ever manage to brick your unit and need to get access to the "backup" pre-loader.
Now that we have our "button" in place, we're going to need to connect the ribbon cables for the screen back to the board, power the unit up and get connected via adb. There are two different usb cables that come with the unit. One of them has a 6 pin connector and one has a 4 pin connector. You want to use the one with the 4 pins. At this point you've got to handle the unit with the board exposed, power running through it, and those ribbon cables connected. It should go without saying that you need to be very careful. Don't tear any ribbon cables, and don't let your jumper wire accidentally short out against anything as you turn the unit over to use the screen.
If your unit has a physical volume down button, you can follow along from here and just ignore all the horrific parts about running the unit with the guts hanging out and jumper wires and all that scary stuff.
Once the unit powers on, you'll probably notice that it's not detected by the PC right away. That's because these units default to usb host mode, so they can mount your flash drive or whatever you may store music on and plug into them. So we're going to have to go to the "factory" settings menu. This is the one that asks for a password when you try to go into it. For most units it's 8888, but I have seen a few where the password is 1111. Once you're into the factory settings menu, towards the bottom you should see USB options. Open that menu, and click on "Other" towards the bottom left. On the next screen, tap the "usb mode" option, and you should get a popup where you can toggle between "host" and "device" mode. Device mode may be already selected, but go ahead and click it anyway. After this, you should be able to get a connection over adb. Try entering the command "adb devices" from your command line, and you should see your unit identifed by it's serial number. If it says "offline", go back to the factory settings menu, toggle it to host mode once and then back to device. If you're seeing "unauthorized" there are some pre-requisite steps you're missing. They are covered extensively on these forums and elsewhere, so if you need to find them immediately just search these forums or google for "adb tutorial mediatek device" and you'll find about a dozen walkthroughs. All we need from here is to be able to ender the command:
Code:
adb reboot bootloader
Once you get that done, your device should reboot to the boot logo screen, but it will stay on that screen and display the words "FASTBOOT MODE" Back to the command line of your PC, you can enter the command:
Code:
fastboot devices
to verify that you have a connection. If you're still with me at this point and you're able to communicate with the bootloader through fastboot, enter the command:
Code:
fastboot oem unlock
At this point, the instructions on the screen of your unit will warn you about how Santa Claus won't bring you any presents if you unlock your bootloader, and prompt you to press Volume Down if you really want to proceed. At this point you'll need to use that jumper wire to make the connection we prepared previously to execute the Volume Down entry. You may have to hold it in place for a couple of seconds, but eventually you should get a confirmation that your bootloader has been unlocked! Now, power the unit off, disconnect your jumper wire, and reverse the disassembly process to put it back together. One thing to keep in mind, if you're attempting to flash a new firmware and it comes with a locked bootloader, you'll have to repeat this proces, so if you can get away with it, don't flash the LK partition.

threadreaper said:
If you have one of these 8227L units that doesn't have any physical buttons, and you've tried to unlock your bootloader, you may have given up in frustration when the on-screen instructions say, press volume down to continue...
If you have one of the units that does have physical buttons, your process will be similar but much simpler, as you won't have to take your unit apart, so you can follow along with this tutorial after that portion is done.
Disclaimer: If you don't have physical buttons on your unit, you're going to have to dismantle it and potentially do some soldering to get through this. The points in question are tiny and if you permanently short them or apply too much heat and lift a pad, you could get stuck with a unit that's permanently muted or just bricked altogether. You have been warned about the risks, and I am not responsible for any damage you may incur!
Here's how it's done.
Prerequisites:
8227L unit with no physical buttons
Phillips screwdriver
Comfort with soldering on fairly small stuff
(You might get by without having to do any soldering, but if you can solder, you'll have an easier time)
PC of some type, probably a laptop if you want to do this inside a vehicle
adb and fastboot installed - there are plenty of tutorials on this elsewhere on these forums
It is possible to root these things without unlocking the bootloader, so if your device happens to be
rooted already, note that you'll be able to skip the adb portion entirely by installing a reboot utility
from the play store that allows you to just reboot the device to bootloader mode, but you'll still need to
use fastboot over USB.
If you need to bring the unit inside to get to a computer, you'll need a 12v power supply of some type
USB A male to male cable - that's just a cable with a "full size" usb plug on both ends - You can just chop up two old USB cables and splice them back together by matching the colors of the inner wires to make your own if need be.
We're going to be disassembling the unit, so obviously you'll want to completely disconnect it first.
On the backside of the unit there is a Phillips head screw at each corner, go ahead and pull those out and put them someplace safe.
Once you remove those screws, the back of the unit is loose, but don't just pull up on it! It's still connected to the board, which is connected to the screen assembly by some fragile ribbon cables, and you don't want to tear those! The cables attach towards the bottom of the screen, so tilt the back of the unit away from the screen top side first, opening it like a book. This will reveal the three ribbon cables we need to disconnect. They connect into three plastic connectors (They're called ZIF or Zero Insertion Force connectors) attached to the board that can also be fragile, so take care with this next step. On the back side of each connector, the side away from the ribbon cable is a little plastic "flap," usually black in color. Take your fingernail or a plastic spudger, or a toothpick or something (non-metallic preferably) and get underneath that and flip it upwards. The flap should stay in the connector and just hinge open. Once this is done, the ribbon cable itself should come out easily. If you have to apply any pressure to get it out, you don't have it unlocked and you will damage something, so make sure you've got it unlocked before you go pulling on the ribbon cables.
With the ribbon cables disconnected, the screen assembly can be set to the side for the time being. We now have access to the front side of the board, but what we need is on the other side, so we'll have to remove it completely from the housing. There will be 4 or 5 more Phillips screws to remove, depending on your model. Once you get those out, you can pull the board free and flip it over. We're looking for 5 small copper pads exposed on the surface of the mainboard, in the area of the CPU, RAM and NAND/EMMC memory chips. I have attached an image that I borrowed from elsewhere on these forums, because I don't have a unit opened up right now and didn't want to take one apart just to take some pictures.
In the image I attached, you're looking for the points marked 1 and 2. The caption on the image suggests they connect to Volume Up, but on every unit I've seen these points connect to Volume Down. Your mileage may vary. The layout of these points can vary from model to model, but they're always in this area. On all the models I have seen, two of these points are slightly larger than the rest, and those are the two we're concerned with for now. You may here this referred to as the "test point," but in fact these points simply expose access to Home, Back, Volume Up and Volume Down. Of the two bigger points, one of them will be ground. (If you know your way around a multimeter you can verify which one by checking for continuity to ground elsewhere on the board, but it's really not important for our current purposes which is which.) The next part will be much, much easier if you can handle soldering on stuff this size. We need to have access to momentarily short the two bigger points. The one that isn't ground is volume down, and making a connection between the two sends a Volume Down key press. (If you have identified which is ground you can access Home, Back and Volume Up by shorting it to the three smaller points) At first, I thought I'd just be able to touch the two points with a
screwdriver to accomplish this, but I never ended up getting that to work. If your unit is a bit different than mine, you may have more luck with that. But in my case, I needed to tin both points (that simply means to apply fresh solder to them) and attach a small wire to one of them. (The jumper wires that come with an Arduino work great for this if you have any of those laying around, otherwise just use a really small wire of some kind.) This jumper wire is going to function as our "volume down" button for the next part. These are also the same points you will need to access if you ever manage to brick your unit and need to get access to the "backup" pre-loader.
Now that we have our "button" in place, we're going to need to connect the ribbon cables for the screen back to the board, power the unit up and get connected via adb. There are two different usb cables that come with the unit. One of them has a 6 pin connector and one has a 4 pin connector. You want to use the one with the 4 pins. At this point you've got to handle the unit with the board exposed, power running through it, and those ribbon cables connected. It should go without saying that you need to be very careful. Don't tear any ribbon cables, and don't let your jumper wire accidentally short out against anything as you turn the unit over to use the screen.
If your unit has a physical volume down button, you can follow along from here and just ignore all the horrific parts about running the unit with the guts hanging out and jumper wires and all that scary stuff.
Once the unit powers on, you'll probably notice that it's not detected by the PC right away. That's because these units default to usb host mode, so they can mount your flash drive or whatever you may store music on and plug into them. So we're going to have to go to the "factory" settings menu. This is the one that asks for a password when you try to go into it. For most units it's 8888, but I have seen a few where the password is 1111. Once you're into the factory settings menu, towards the bottom you should see USB options. Open that menu, and click on "Other" towards the bottom left. On the next screen, tap the "usb mode" option, and you should get a popup where you can toggle between "host" and "device" mode. Device mode may be already selected, but go ahead and click it anyway. After this, you should be able to get a connection over adb. Try entering the command "adb devices" from your command line, and you should see your unit identifed by it's serial number. If it says "offline", go back to the factory settings menu, toggle it to host mode once and then back to device. If you're seeing "unauthorized" there are some pre-requisite steps you're missing. They are covered extensively on these forums and elsewhere, so if you need to find them immediately just search these forums or google for "adb tutorial mediatek device" and you'll find about a dozen walkthroughs. All we need from here is to be able to ender the command:
Code:
adb reboot bootloader
Once you get that done, your device should reboot to the boot logo screen, but it will stay on that screen and display the words "FASTBOOT MODE" Back to the command line of your PC, you can enter the command:
Code:
fastboot devices
to verify that you have a connection. If you're still with me at this point and you're able to communicate with the bootloader through fastboot, enter the command:
Code:
fastboot oem unlock
At this point, the instructions on the screen of your unit will warn you about how Santa Claus won't bring you any presents if you unlock your bootloader, and prompt you to press Volume Down if you really want to proceed. At this point you'll need to use that jumper wire to make the connection we prepared previously to execute the Volume Down entry. You may have to hold it in place for a couple of seconds, but eventually you should get a confirmation that your bootloader has been unlocked! Now, power the unit off, disconnect your jumper wire, and reverse the disassembly process to put it back together. One thing to keep in mind, if you're attempting to flash a new firmware and it comes with a locked bootloader, you'll have to repeat this proces, so if you can get away with it, don't flash the LK partition.
Click to expand...
Click to collapse
This is very useful, thanks! However it doesn't cover bricked devices, which I think many people would be interested in fixing. For example, what can be done with these techniques on a damaged unit? Can it be restored from say an accidental wipe from SP Flash tools?

Thanks for the feedback, and to answer your question, yes, there is a way to recover a bricked device utilizing these internal points, even if the memory has been completely wiped.
It's actually something I'm planning to do a tutorial on. Ironically, it was one of the first things I had to learn. Having never owned any device with a MediaTek chipset in it before, I wasn't familiar with how they worked. So before attempting to do any sort of modification to my brand new unit, I hit up these very forums looking for information on how to do a full system backup. The post I ended up stumbling across actually led to me "bricking" my own unit. In hindsight, and having learned a lot about these units since that day, I now realize that I was misunderstanding the instructions, but I feel like it was perhaps poorly worded. One thing that has always existed in the Android modding community (and to be fair, most others like it) is a real lack of comprehensive, completely newbie friendly tutorials/documentation. The fact is, by the time most of us have gained enough knowledge to actually write a tutorial, the basic operations seem so trivial that they hardly warrant the effort of writing a tutorial. It's easy to forget that most of us once needed those tutorials ourselves. So, as long as my ambition keeps up, my goal is to do a whole series of tutorials, as detailed as I can think to make them.
I have another one that I'm working on right now that has ended up taking longer to put together than I anticipated, but once it's finished and I've worked the bugs out of the software I'm releasing to go along with it, I will move the brick recovery tutorial to the top of the list! If you're in need of assistance right now, feel free to ask questions via PM. I'd rather not take this thread off topic.

threadreaper said:
Thanks for the feedback, and to answer your question, yes, there is a way to recover a bricked device utilizing these internal points, even if the memory has been completely wiped.
It's actually something I'm planning to do a tutorial on. Ironically, it was one of the first things I had to learn. Having never owned any device with a MediaTek chipset in it before, I wasn't familiar with how they worked. So before attempting to do any sort of modification to my brand new unit, I hit up these very forums looking for information on how to do a full system backup. The post I ended up stumbling across actually led to me "bricking" my own unit. In hindsight, and having learned a lot about these units since that day, I now realize that I was misunderstanding the instructions, but I feel like it was perhaps poorly worded. One thing that has always existed in the Android modding community (and to be fair, most others like it) is a real lack of comprehensive, completely newbie friendly tutorials/documentation. The fact is, by the time most of us have gained enough knowledge to actually write a tutorial, the basic operations seem so trivial that they hardly warrant the effort of writing a tutorial. It's easy to forget that most of us once needed those tutorials ourselves. So, as long as my ambition keeps up, my goal is to do a whole series of tutorials, as detailed as I can think to make them.
I have another one that I'm working on right now that has ended up taking longer to put together than I anticipated, but once it's finished and I've worked the bugs out of the software I'm releasing to go along with it, I will move the brick recovery tutorial to the top of the list! If you're in need of assistance right now, feel free to ask questions via PM. I'd rather not take this thread off topic.
Click to expand...
Click to collapse
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go

iceblue1980 said:
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go
Click to expand...
Click to collapse
Tutorial has been posted, you can follow the link in my signature.

Hey, just got mtk device with 2gb ram and 16gb storage, I wonder if I can use all the files from this forum or 4pda with my device?
Second, how can I create a full backup of this device ?
Sent from my MI 9 using Tapatalk

zetlaw01 said:
Hey, just got mtk device with 2gb ram and 16gb storage, I wonder if I can use all the files from this forum or 4pda with my device?
Second, how can I create a full backup of this device ?
Sent from my MI 9 using Tapatalk
Click to expand...
Click to collapse
I'm planning to do a comprehensive backup tutorial very soon, probably in the next day or two. The answer to your first question is no! Not every rom dump you find is going to be compatible with your device. In general I have found that if a rom dump comes with a scatter file and that scatter file is identical to the scatter file from your stock backup, then you're usually safe to flash it, but there may be exceptions to that rule, so always have a backup before you flash anything. While all of these units are based on the same SoC, they can have different amplifiers, radio chips, etc, and you could find yourself with a ROM that boots, but has no audio for example.

Thanks, I managed to take the backup and also use wwr to create my own Scatter file
Using that I flash twrp and rooted my device.
Sent from my MI 9 using Tapatalk

I´m trying to install twrp. I successfully unlock the bootloader and finally flash twrp, but now can´t access to recovery. System says: " Orange state your device has been unlocked and can't be trusted Your device will boot in 5 secods" when reboot recovery mode.
Any ideas?

Thank you very much.
Hi @threadreaper,
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But while I was modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
what are the solutions so that PC detects it back as a preloader?

amit_coolcampus said:
Thank you very much for the tutorial. My android unit is not detected in SP tools. When I reboot the radio, It appears in Device manage as MTK USB for 2 seconds and disappears. Is it because bootloader is locked? Will the problem resolve after unlocking the bootloader.
Just wanted to check if you have prepared to recover the bricked devices using this method.
My unit is working but I would love to have a Plan B ready.
Click to expand...
Click to collapse
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.

dickinson said:
I´m trying to install twrp. I successfully unlock the bootloader and finally flash twrp, but now can´t access to recovery. System says: " Orange state your device has been unlocked and can't be trusted Your device will boot in 5 secods" when reboot recovery mode.
Any ideas?
Click to expand...
Click to collapse
I haven't come across anything like this before... What brand/model is your device?

threadreaper said:
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.
Click to expand...
Click to collapse
Aaah. ... I see. Now I get it. I'll give one more try and will get back to you. Thank you very much

threadreaper said:
I haven't come across anything like this before... What brand/model is your device?
Click to expand...
Click to collapse
Finally I´ve solved this problem. My model is 9213 with a 9260 board , firm 8.1 (Oreo real) YT9213AJ_00011_V001_20200718_0 . Orange´s state happens when bootloader is unlocked . I only need flash a new twrp version for Oreo system. Twrp3.4.0 ( previous versions don´t work) and locked my unit again. It´s working now and can access to recovery
Note: in this version I only can connect to spflahTool with a male-male usb without ground pin (only 3 wires) and external 12v supply

Woohooo!
I was able to detect my radio in sp flash tools.
1. Created a preloader backup.
2. Created a rom_0 backup. Just one clarification required. Can you please tell me what should be the last address(length) so that it includes everything. I have put start address of BMTpool as the total length of backup so that includes whole userdata partition.
So start address- 0x0
Total length - 0x738A80000
Can you confirm if this should have everything to restore in case of any mishappening?

Thank you so much @threadreaper,
I was able to get it detected and take a full backup, but something wrong happened after I rooted and tried to update the build.prop file in the system folder. Can you please help. Here is the brief:
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But when I modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed wrong preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected in the first place. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
Is the only solution left to read memory in Flash tool by using test point?
threadreaper said:
Yup! Check the link in my signature for a tutorial on recovering from a brick!
For your device to be used with SP-flashtool you need to connect the device (fully powered down) via usb AFTER you start an operation in SP-flashtool. The preloader will shut down after 2 seconds if it doesn't receive a signal indicating it's connected to a flash device, so that's the behavior you're seeing. Basically you need to have SP-flashtools prepared to send this signal to the preloader before your connect your device.
Click to expand...
Click to collapse

iceblue1980 said:
This is excellent news and I look forward to those tutorials! my current MediaTek unit is still in the car (currently looking to buy a proper MTCD/MTCE unit to run Malaysk) so I will be able to play around with my old one and hopefully learn more about how these things work. I bought soldering kit and built an appropriate power source (12V 5A AC/DC adapter), so now I'm good to go
Click to expand...
Click to collapse
How did you create that 12v adapter. I am interested to make one, it's really painful to sit in the vehicle and do everything.
I am also looking to buy 4 Pin connector for USB.

amit_coolcampus said:
Thank you so much @threadreaper,
I was able to get it detected and take a full backup, but something wrong happened after I rooted and tried to update the build.prop file in the system folder. Can you please help. Here is the brief:
I have memory dump of my radio 9218c_0005_v004, 8227l. I do have the scatter file too. It was working perfectly fine and I rooted it too.
But when I modified the build.prop to get the multiwindow feature as mentioned in one of threads related to 8227l and rebooted my system. It went into bootloop.
I tried to flash a rooted another firmware for my device which I had never flashed earlier. I used to scatter file mentioned in the same rooted firmware zip. Everything finished well in the SP tools with success and I rebooted the radio but It still didn't come up. Just a black screen. Is it because I flashed wrong preloader with the wrong scatter file?
Now problem is, when I try to connect radio with PC, PC is not able to detect it. It's not even appearing for 2 seconds in the Device manager.
I have the backup and everything. and can restore it back. but it should be detected in the first place. What can be gone wrong here?
1. Did that rooted firmware contain wrong preloader/scatter file? Should I have skipped preloader and used my scatter file?
Is the only solution left to read memory in Flash tool by using test point?
Click to expand...
Click to collapse
Yes. If you have flashed the wrong preloader to your device, you will have to recover from test-point. Never flash a backup with a scatter file that doesn't exactly match your existing scatter file.

amit_coolcampus said:
How did you create that 12v adapter. I am interested to make one, it's really painful to sit in the vehicle and do everything.
I am also looking to buy 4 Pin connector for USB.
Click to expand...
Click to collapse
It really doesn't take much. I have run a few different versions of these head units just fine off of a 12V/2A "wall wart" type power supply. Just cut the end off, check polarity (carefully!) with a multimeter while it's plugged in and then wire it up just like you would with 12V in a vehicle.

threadreaper said:
Yes. If you have flashed the wrong preloader to your device, you will have to recover from test-point. Never flash a backup with a scatter file that doesn't exactly match your existing scatter file.
Click to expand...
Click to collapse
Two confirmations sir:
Got it. So the scatter file which I created from the stock backup has to be used always, no matter if I flash back any other ROM?
One more question. When I flashed TWRP recommend for my radio. It got flashed and I was I able to install supersu by flashing and boot up the system. But when I tried to take backup of system, data and cache via recovery, after half of the backup process, twrp started turning into different colors like a distorted screen and touch stopped working (screenshot attached) and system rebooted normally without finishing the backup. It happened the same second time also. So is it something like - we can't take backup of radio from the twrp. Can it only be backed up & restore back from sp flash tools?

Related

[Q] Fastboot OEM unlock without USB cable?

I had a problem with my Nexus One's usb port, the pins got bent, and so I sent it into HTC for repair. Well they told me it would cost $250, and that it wouldn't be covered because they suspected user damage. (I never dropped it, my cables just stopped working and I noticed the pins were bent, so I don't think it's anything I did wrong).
Anyways, so I decided not to repair the phone, and I would just hook up a wireless charging system from the Palm Pre and transfer all my data using wifi.
Well, when I got my phone back, HTC was nice enough to relock the bootloader for me, so now I can't install cyanogen, and I can't unlock the bootloader because I can't get a USB cable to work.
Is there anyway to unlock the bootloader without a USB cable? Any help would be appreciated.
I would try adb wireless (on the market) or SSH into the phone
Edit: which, these only make sense (and I doubt either work) if you still have root, which is probably not the case
Yea you can connect ADB over WiFi - but you need the cable (or root privelges) to switch to wifi mode. You can try of them one-click root apps, then get the adb wifi widget.
I ended up getting a USB cable to work if I held it at the right angle, so I got the fastboot unlock, couldn't send a recovery firmware, but I was able to use ADB to send the files over and do a manual root, and then put a recovery on the phone. So I have resolved my problem. Next time I would be sure to not do any updates if they ship the phone with 2.2 on it.
I believe that they use a standard microUSB receptacle, which can be removed and a new one can be soldered, for a fraction of the repair price. Moreover, with tiny screwdrivers you might be able to actually correct the misaligned connector pieces.
Jack_R1 said:
I believe that they use a standard microUSB receptacle, which can be removed and a new one can be soldered, for a fraction of the repair price. Moreover, with tiny screwdrivers you might be able to actually correct the misaligned connector pieces.
Click to expand...
Click to collapse
Problem is that the leads that actually make the contact have probably popped off of the ceramic part that they are normally glued to.
This will make it very hard to actually use the cable without bending the contact leads backwards into the case.
That happened to me once with an older phone.

[SOLVED] Bricked i9500

Pretty sure I already know the answer to this question, but just on the off chance anyone has any ideas
The power button failed and got stuck pressed in, causing the constant rebooting, removed the power button, and the phone worked again using the quick battery replace trick to power it up
Decided to flash a new ROM to it because something had messed up with the one that it was running and WiFi stopped working, apps wouldn't install
Firmware upgrade with ODIN failed and left the phone with the error of Firmware encountered an issue, recover using KIES etc etc
The phone boots directly to that error when USB is connected
We don't have a power button, I bought two, and attempted to solder one on today, after two hours I admitted defeat, it's just too tiny, and my soldering iron too big
One of the contacts on the board seems to have come off with the button too, so doesn't look like we can fix that, so basically this is an S4 without a power button, stuck on the firmware error screen
I've tried holding Volume Down & Home while connecting USB, but it still just boots to the error screen
No Download mode, No Power button, Stuck on the firmware error screen, and KIES says GT-I9500 can not be initialized when I try to run the firmware recovery program
Is she dead, or can anyone think of a method I've missed to at least get this thing back up and running a ROM again?
Thanks
When I encountered that issues I simply flashed a bootloader with odin.
Problem is, you need to get into download mode.
GDReaper said:
When I encountered that issues I simply flashed a bootloader with odin.
Problem is, you need to get into download mode.
Click to expand...
Click to collapse
Yep, and there lies my problem, without a power button, I can't get into download mode
Pretty sure it's dead, but because I know it's not really dead (If it had a power button) it makes me not want to give up just yet
That, and it's my brothers phone he's asked me to try and fix
Hi @*Detection* have you tried a usb jig?
It will force the phone into download mode even from a powered off state.
AFAIK it works on any/every Samsung device....
And about the contact on the board.....There *is* possibly a workaround.....
If you live near a Maplin store, you can get some electrically conductive 'silver' paint that you can use to repaint the contact and possibly even electrically bond that side of the power button (a steady hand and a very fine artists paintbrush is all that's needed)......
http://www.maplin.co.uk/p/electrically-conductive-silver-paint-n36ba
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
Hi @*Detection* have you tried a usb jig?
It will force the phone into download mode even from a powered off state.
AFAIK it works on any/every Samsung device....
And about the contact on the board.....There *is* possibly a workaround.....
If you live near a Maplin store, you can get some electrically conductive 'silver' paint that you can use to repaint the contact and possibly even electrically bond that side of the power button (a steady hand and a very fine artists paintbrush is all that's needed)......
http://www.maplin.co.uk/p/electrically-conductive-silver-paint-n36ba
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
Nice thinking about the Jig, I'd completely forgotten there was such a thing cheers, I`ll see if I have a 300K Ohm resistor, if not I`ll probably just buy the Jig pre-made
Not sure about the contact repair, even if I managed it, I can't solder a new button on anyway, the contact was there originally, but after 2 hours and 2 new buttons, it was gone, must have come off with one of the buttons when I de-soldered it
Watched endless videos of people soldering them on, and it looks simple, loads of room, but in reality it is not, and there is no room at all
EDIT - Decided to just order a Jig, no doubt it will come in handy in the future too
http://www.ebay.co.uk/itm/151494728184
Cheers Keith, I`ll update once it arrives
*Detection* said:
Nice thinking about the Jig, I'd completely forgotten there was such a thing cheers, I`ll see if I have a 300K Ohm resistor, if not I`ll probably just buy the Jig pre-made
Not sure about the contact repair, even if I managed it, I can't solder a new button on anyway, the contact was there originally, but after 2 hours and 2 new buttons, it was gone, must have come off with one of the buttons when I de-soldered it
Watched endless videos of people soldering them on, and it looks simple, loads of room, but in reality it is not, and there is no room at all
EDIT - Decided to just order a Jig, no doubt it will come in handy in the future too
http://www.ebay.co.uk/itm/151494728184
Cheers Keith, I`ll update once it arrives
Click to expand...
Click to collapse
I doubt you'll need to solder the button ribbon to the layer of dried paint (I wouldn't expect to be able to anyway).....My thinking was......
If the paint adheres to the circuit board, then by definition, anything that is put on top of it will adhere to it too.....
So, paint a layer onto the circuit board, let it dry, then paint another layer on top, put the ribbon in place and allow it to dry.....
In theory, that *should* electrically bond the ribbon in place without the need to solder it. It won't be physically as strong a bond as a solder bond, but it will be electrically sound.
Edit.....ignore my reference to a ribbon, (I'd assumed the button was similar to the S2) just found out its mounted directly to the motherboard......
A 'blob' of superglue gel (somewhere away from the contacts) will hold the button firmly in place. Then simply painting the connections instead of soldering them is all that's needed.
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
I doubt you'll need to solder the button ribbon to the layer of dried paint (I wouldn't expect to be able to anyway).....My thinking was......
If the paint adheres to the circuit board, then by definition, anything that is put on top of it will adhere to it too.....
So, paint a layer onto the circuit board, let it dry, then paint another layer on top, put the ribbon in place and allow it to dry.....
In theory, that *should* electrically bond the ribbon in place without the need to solder it. It won't be physically as strong a bond as a solder bond, but it will be electrically sound.
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
It's not a ribbon, it's a 4mm x 2mm button, with 5 solder points, 3 for power contacts at the back, and 2 for mounting it to the board
Leaving about a half mm gap between shorting them all together, and getting it right
Basically impossible with what I have to solder with
This image is about 2-3x bigger (On the non zoomed part) than the physical size
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
*Detection* said:
It's not a ribbon, it's a 4mm x 2mm button, with 5 solder points, 3 for power contacts at the back, and 2 for mounting it to the board
Leaving about a half mm gap between shorting them all together, and getting it right
Basically impossible with what I have to solder with
This image is about 2-3x bigger (On the non zoomed part) than the physical size
Click to expand...
Click to collapse
Yeah, just figured that out....see my post above.....
And the edit....forget the superglue....those 2 solder points negate the need for that....
http://i.imgur.com/rVnFwJM.jpg
This is the actual button on my finger
And pretty close to actual size
*Detection* said:
This is the actual button on my finger
Click to expand...
Click to collapse
Lol....yeah, I know, they're tiny....that's why I suggested the paint.....much easier than soldering (I've had to do something similar myself.....hardwired headphone socket).....
http://i.imgur.com/rVnFwJM.jpg
Don't think paint would hold up to the constant and possibly rough button pressing, even the two front mount solder points are next to impossible to solder without it shorting the two rear side connectors
Just far too small (See my edited image of actual size)
And my soldering iron is a PoS, solder didn't want to stick to it unless I scraped it down to the bare metal with a stanley blade, and as soon as flux touched it, it stopped the solder sticking to it again
Need to buy a new one really
EDIT - I have a load of old electronics lying around, any idea what would be most likely to have a 300 ohm resister in it?, so far everything just seems to have caps.
Yes I'm impatient, Jig isn't coming till Tuesday
You could try soldering 2 small cables to the power connectors, might not be as difficult to solder on as the power button, at least you could work with that to get into download mode.
And if you cant find a 300ohm resistor, you can make your own.
https://www.youtube.com/watch?v=VPVoY1QROMg
Backe888 said:
You could try soldering 2 small cables to the power connectors, might not be as difficult to solder on as the power button, at least you could work with that to get into download mode.
And if you cant find a 300ohm resistor, you can make your own.
https://www.youtube.com/watch?v=VPVoY1QROMg
Click to expand...
Click to collapse
lol, nah I don't think I could be bothered to make my own resistor
Tried soldering a single strand of wire from an old 12v cable to each connector, but they just kept coming off, the part needed to solder to is just too small
You think the power button is tiny, the solder points are a 10th the size, if that
OK, so it got the better of me and I went out and bought some 300k ohm resistors, and some 100k ohm too
Took a MicroUSB cable apart, but I'm met with 2 pins on one side, which are both grounded and connected together
And 4 pins on the other side, one of which is also ground, Black
The video says I should have 2 pins on one side, and 3 on the other
Every single combination of pins using the Jig/Resistors does nothing
I've Multimeter tested the resistors and they are 300k Ohm, same with 3x 100k together
Any ideas?
I've now destroyed 2 USB cables and have 4 pins on one side of the 2nd cable too, and none on the other side
This guide over on the S2 forum
http://forum.xda-developers.com/showthread.php?t=1604707
gives step by step instructions on how to make one.
http://i.imgur.com/rVnFwJM.jpg
I've managed it, I had to take the entire MicroUSB jack to pieces, turn the pins upside down so I actually had a connection to the ID pin, which neither of the MicroUSB cables had the correct way around, and then I could Jig it with the resistors
Flashed TWRP, working, now downloading a stock ROM
Hopefully it doesn't brick it again, a stock ROM for the i9500 is what bricked it in the first place, flashing recovery unbricks it, so it's recovery that's killing it
Not sure why a stock i9500 ROM is bricking an i9500 yet
Cheers for the Jig reminder Keith, appreciate it
*Detection* said:
I've managed it, I had to take the entire MicroUSB jack to pieces, turn the pins upside down so I actually had a connection to the ID pin, which neither of the MicroUSB cables had the correct way around, and then I could Jig it with the resistors
Flashed TWRP, working, now downloading a stock ROM
Hopefully it doesn't brick it again, a stock ROM for the i9500 is what bricked it in the first place, flashing recovery unbricks it, so it's recovery that's killing it
Not sure why a stock i9500 ROM is bricking an i9500 yet
Cheers for the Jig reminder Keith, appreciate it
Click to expand...
Click to collapse
How are you accessing recovery? Have you got usb debugging enabled so that you can use ADB commands? It *might* simply be that the lack of data wipe is all that's stopping the device from booting post flash.
http://i.imgur.com/rVnFwJM.jpg
---------- Post added at 11:06 PM ---------- Previous post was at 10:59 PM ----------
For info, and possibly some extra help, I've found a website full of engineer/repair firmwares. From what I understand, they completely erase any trace of a pre existing OS when flashed (instead of overwriting as in a normal firmware flash)
These firmwares *should* negate the need to data wipe after flashing......
http://www.tsar3000.com/Joomla/inde...ader-csc-pit-files&catid=55:samsung&Itemid=82
http://i.imgur.com/rVnFwJM.jpg
keithross39 said:
How are you accessing recovery? Have you got usb debugging enabled so that you can use ADB commands? It *might* simply be that the lack of data wipe is all that's stopping the device from booting post flash.
http://i.imgur.com/rVnFwJM.jpg
---------- Post added at 11:06 PM ---------- Previous post was at 10:59 PM ----------
For info, and possibly some extra help, I've found a website full of engineer/repair firmwares. From what I understand, they completely erase any trace of a pre existing OS when flashed (instead of overwriting as in a normal firmware flash)
These firmwares *should* negate the need to data wipe after flashing......
http://www.tsar3000.com/Joomla/inde...ader-csc-pit-files&catid=55:samsung&Itemid=82
http://i.imgur.com/rVnFwJM.jpg
Click to expand...
Click to collapse
Thanks, downloading one of them now, I can access download mode with my Jig fairly easily now, and yes, I used adb reboot recovery to get back into TWRP, but the stock ROM already installed gave a security warning about unauthorised changes, and then flashed stock recovery back on boot
So I've worked out by flashing TWRP with ODIN, Auto reboot enabled, reboots straight into TWRP each time it's flashed, so I have a method to access recovery too now
PITA having no power button though
Recovery firmware flashed a treat, cheers, running stock 5.0.1 nice and smooth
adb reboot bootloader just reboots the phone into Android, got to use the Jig for download mode, gonna root tomorrow, and then I can install something like Quick Boot for that
Jobs a good'n, cheers bud
No problem fella....glad I could help....
http://i.imgur.com/rVnFwJM.jpg

Removing phone cover?

So I find myself with a bricked R4P, fastboot only, no EDL and locked bootloader. Tried every piece of deep flash cable advice I can find, to no avail.
Opening the phone up for the testpoints it is then, but I have no idea how to get in to detach the back cover from the rest of the phone. I have phone maintenance tools like nylon spudgers, but the gap between the phone and the cover is so tiny they won't go in, no matter the angle or amount of force i use (mostly trying around the USB port). I've managed to (unintentionally!) unstick the screen from the rest of the phone without even trying, but can't get anywhere with the back cover
Anyone here familiar with opening up an R4P and can offer some advice on how to go about it?
Edit: Forgot to mention, the bottom screws and sim tray have been removed.
Look HERE and good luck.
I just did the same thing today. I also did the same thing as you, I was somewhat thinking it was the screen but there was only one way to find out. I had to use quite a bit of force and go over it many times with plastic tools. I started to pry it up slightly and put guitar picks in, that worked alright. I got a metal tool and pryed it up a bit, then used it to work around the outside.
I'd hear sounds when I could get the tools in, not sure if it was the plastic bit bending inwards below the metal cover or if it was breaking the seal. I was going slowly to be careful. It might be noticeable when I put it back together, I'm not sure.
I saw a video where the one guy used his fingernail to pry it apart in like 30 seconds. I feel he has already taken it apart.
I tried hitting the test points and it wasn't coming up under the COM ports for me. Nothing I have done has had it show under COM ports (maybe EDL would have worked, it didn't on a few computers and VMs that I used). I will try again tomorrow.
Edit: Other videos made it seem super simple also. Admittedly I don't have tons of experience taking unibody phones apart but it seemed harder than the videos implied. Others may have some technique tips.
I'm not sure if it's mentioned anywhere but I think the three screws to the cage are Phillips 00, it what worked for me at least.
spkprs said:
Look HERE and good luck.
Click to expand...
Click to collapse
This method is what exactly i have done. and i use a bit force, as in the Video he use an instrument which i have lack.
---------- Post added at 12:37 PM ---------- Previous post was at 12:35 PM ----------
thegreatbmn said:
So I find myself with a bricked R4P, fastboot only, no EDL and locked bootloader. Tried every piece of deep flash cable advice I can find, to no avail.
Opening the phone up for the testpoints it is then, but I have no idea how to get in to detach the back cover from the rest of the phone. I have phone maintenance tools like nylon spudgers, but the gap between the phone and the cover is so tiny they won't go in, no matter the angle or amount of force i use (mostly trying around the USB port). I've managed to (unintentionally!) unstick the screen from the rest of the phone without even trying, but can't get anywhere with the back cover
Anyone here familiar with opening up an R4P and can offer some advice on how to go about it?
Edit: Forgot to mention, the bottom screws and sim tray have been removed.
Click to expand...
Click to collapse
If you haven't open yet then Use the Chinese Recovery Method as its work fine For me.
Thanks so much guys.
@Pyro00 - I've just gotten 9008, so here's exactly what happened, hopefully it'll help you out:
Have the battery well charged
Boot into fastboot mode (Power+VolDown)
Have the phone connected to the PC
Type "fastboot reboot" into a command window where fastboot is available (e.g. "c:\program files (x86)\minimal adb and fastboot", if you have that installed), but don't submit yet
Short (and hold) the two testpoints (to the left of the left-side battery connector, just above the battery)
Submit the fastboot command - phone will "power on" vibrate briefly, then do nothing - you'll be familiar with it I don't think it matters how long you wait as this point, as long as you give it a few seconds
Release the testpoints - the phone will power on vibrate again
Quickly (I'm not sure of the timing) short the testpoints again. The PC should immediately recognise the phone as 9008.

[HARD-UNBRICK][EDL Cable DIY] Unbricking a HARD-bricked ZenFone5 LIVE (QUALCOMM)

Hello, First time post, moderate time lurker
---------------------------------------------------------------------------------------------------------------------------
Disclaimer:
I'm just recently learning tampering with android and been pretty obsessed with achieving my personal goal on mine.
With that being said I AM NOT a professional, I am merely posting this guide because I have not yet seen this specific method I used to un-brick my phone, but it does borrow from other similar concepts.
I will probably have limited followup capability and expertise, and everything is AT YOUR OWN RISK, not only do you risk your phone being damaged beyond repair, not just a brick but scrap metal, you also risk anything you connect it to if you are not careful. YOU HAVE BEEN WARNED.
Also, this guide may apply to multiple models of Qualcomm phones (Research first if it applies to yours), but was performed on a ZenFone 5 >-LIVE-< not a regular ZenFone 5, its being posted here due to lack of my phone model on the forum. Do not assume that everything that works on a live will work on a regular, I have found they are VASTLY different and only similar in name.
---------------------------------------------------------------------------------------------------------------------------
Symptoms:
Very Hard-Bricked ZenFone 5 Live, due to attempting to hex edit the boot-loader
(I've already learned my lesson, save your lectures)
The indication that your phone is actually a HARD brick, is that it will not appear to turn on at all, and when connected to a PC will show something along the line of Diagnostics 900E on the COM Port devices section of your device manager
For anyone whose poked at it at the Qualcomm level, you will notice a few things wrong
-It never goes it 9008 QDL mode on its own
-It rejects any kind of memory diagnostics(which is a miniature requirement before a flash by automation) with ACK ERROR FROM DEVICE: NAK_MEMORY_DEBUG_NOT_SUPPORTED
or will report IMAGE_TYPE_INVALID, even when selecting the correct firmware
and lastly you get timeout/phone wait errors, header/reply reads "0" or if you try to manually connect with the QSaharaServer it will only reply to Hello Prompts/commands then reset, and anything else gives unknown command received: 4 or "0", also manual PUTTY connections to it via TELNET over COM port also results in a mass overload of "0"s being sent to PUTTY en-masse and only "0"s can be sent.
If your phone is still able to get to your boot loader or has any other functionality I would suggest looking into alternatives than following this guide first.
---------------------------------------------------------------------------------------------------------------------------
Tools Needed:
- Hard-Bricked QUALCOMM phone
(this will not work if it does not have Qualcomm firmware, I.E. Sahara, Firehose, etc.)
- USB-C cable
(or whichever cable applies to your phone, this was however performed using a -c cable)
- Wire cutting/stripping/joining tools ; soldering is optional ;
I personally used: Box cutter blade, Knife, Scissors, pliers, and a lighter
- Qualcomm flashing software, QPST or QFIL, and Qualcomm Drivers ;
whichever you're used to, if you're new to Qualcomm tools I recommend a standalone version of QFIL, google it, they aren't too hard to find (and I'm too new and don't wanna risk posting links to bad sites)
Also the drivers for Qualcomm specifically ARE REQUIRED
if you found the correct ones you should have a folder in program files (x86)/Qualcomm Incorporated
Google these too, not too hard to find, too many risky links, I'm not a pro.
- Phones Firmware - QUALCOMM LEVEL
this is not your regular ROM with boot.img,system.img, etc.
Qualcomm level firmware will look more like Firehose_8917.mdn, Rawprogram.xml, Patch0.xml
these can be tough to find for some people
If you're lucky your phones regular OTA/Firmware downloads will also contain these, for others its a standard ROM without them. You may need to google fu around for them but do make sure you're using the correct Qualcomm firmware for your phone/msm, or you may risk putting your phone into perma-brick.
- Optional - USB Hub with surge protection ;
Due to the electrical danger of this guide, I highly recommend a USB Hub with surge protection capability, I just so happened to have one laying around, it is optional, but HIGHLY recommended, I believe mine saved my phone/PC during this procedure at least once.
- Optional - Stock Factory ROM
Just to make sure to clear out whatever caused the brick in the first place, I supposed you could flash whatever else works for you if you still have an unlocked boot-loader, somehow, after the flash, heck I don't even know if there's a system left in there to boot into if you try skipping altogether, either way, highly recommend an OEM stock regular flash after the Qualcomm flash.
---------------------------------------------------------------------------------------------------------------------------
Verify phones condition:
First off, your phone should be pretty bricked, if you're this far. Make sure its not DEAD DEAD though. Plugging it into a PC should give at least an unknown device, Qualcomm 900E COM port device, or some kind of life, plugging it in (and maybe holding power + down vol, or up if a different model) indicates a flashing LED.
If there is sign of life, proceed ; if not your phone may have physical/electrical damage and prepare for the worst and consider a new phone.
---------------------------------------------------------------------------------------------------------------------------
We begin the real work at the cable
-Why? (can skip if you dont wanna know whats going on in the software)
The phone is locked-down by the highest level boot-loader (PBL i think?), its name as of this guide, Sahara.
When Sahara security is triggered it locks down the secondary bootloader, Firehose. With Firehose on lockdown it cannot load the usual oem-bootloader you see, or your custom if you have one. This is probably a security feature to try to force would-be thieves to not be able to unlock the phone without bringing it to a service dealer. Or possibly to thwart would be phone moders who can't figure out whats going on and cash in on a voided warranty and a simple flash work labor fee for their techs, or new phone purchase.
Either way, Qualcomm has a backdoor, and the backdoor is in the USB cable.
---------------------------------------------------------------------------------------------------------------------------
Cable work
-Begin Guide
Begin by stripping the sleeving off a section of the USB-C cable, I recommend somewhere in the middle, and a few 3-5 inches worth to give yourself play room, if you're experienced with cable modding then do whatever s comfortable to have room to switch a wire to another, though that's not necessarily accurate on what the next steps are. Keep in mind there is a entire secondary sleeve of tin wire mesh braiding so it can get messy and you need that isolated from other wires.
Once you have your section of stripped wire, examine wires for what type you have
(to my surprise and delayed my work 6 hours of research was the absence of a black wire.)
You will either have:
Red, White, Green Black wires ; including Tin shielding mesh, and possibly a nylon core
OR
Red, White, Green; including Tin shielding mesh, and possibly a nylon core
If yours was like mine, the black wire is actually a mesh of copper wires mixed in with the tin mesh, in this case treat the tin outer mesh like the black wire, which makes things difficult to work with, but very doable still. Just be careful not to fully sever the copper strands mixed in too much, you need at least some of them in-tact to some degree
Next cut the green wire, and strip the tips down a good amount, enough where you can twist it by hand (1/8" or so?)
if you have a black wire do the same and skip the next tin mesh step.
---------------------------------------------------------------------------------------------------------------------------
Tin mesh wire-
If you have a tin mesh, things get a little dicey but it worked for me,
the tin mesh surrounds the cable entirely in a tubular braid pattern
it is impossible to work with in this state
therefore ~1/2 of it needs to be severed in order to craft it from a shielding braid, into a makeshift wire
tip, the thin insulation sleeving separating the wires from the shield when pulled peels the shielding off the wires nicely after the mesh is cut in one spot (severing point a-b on the cable), though bunches it up, this does make it easier to cut it half though, rather than poking and pulling at it by hand.
once you're able to separate it from the rest of the wires, twist the mesh into a wire form, due to its rough tin spike nature it holds in shape quite nicely
The key on the tin mesh type though is to examine it for the copper strands hidden within and do not severe too many of them, the shielding will be disconnected from point a-b on the cable but still the copper wires need to not be mutilated.
once you have your mesh in wire cable form on both ends proceed
---------------------------------------------------------------------------------------------------------------------------
Cable work Pt. 2
At this point you should have:
Green wire, cut and tips stripped
Black wire, the same as green, if it applies
Mesh shield crafted into a wire, if it applies
(either the black wire or mesh are required, but NOT BOTH)
- From here-on the tin wire mesh is effectively the black wire, if it applies, and thus will be refereed interchangeably to as such unless otherwise specified-
Take your black wires, twist them together and secure them
you must make sure of 4 things
1 - Obviously, the copper of the wire is in contact
2 - they do not accidentally become disconnected and can withstand at least some force before separating
3 - However, they must remain QUITE EXPOSED, you need the bare wire to be somewhat accessible for later steps
If you're experienced you can do this your own way after reviewing the next steps, but these wires must be able to connect and disconnect at will without unplugging the USB cable itself
4 - Make sure the wires are in such a configuration that they can reach the green wire, but stay - 100% ISOLATED FROM EVERYTHING ELSE- (oh if you have a black wire, this INCLUDES THE SHIELDING, NO BLACK ON TIN)
If you fail to practice safety first you risk frying your phone, and whatever else you connect it to, I.E. your 10k Gaming PC, anything you fry you are responsible for and I disclaim any responsibility for your actions, even if you follow this guide accurately you're still at your own risk.
Next do the same to the green wire
---------------------------------------------------------------------------------------------------------------------------
Cable Work Pt. 3
- Pre-EDL "Deep Flash"
at this point, if you've followed the cable instructions your EDL "Deep Flash" Cable is actually complete
you may be asking yourself why? all you did was strip wires and reconnect them
the trick is actually, that you've provided one cable to cross-talk to another temporarily
to prep for the EDL "Deep Flash" command initiation one more step is needed though
you must connect the exposed and completed green wire, to the black wire
this however MUST be temporary, you must be able to separate these wires, safely, and without disconnecting the USB device.
For example in my build I bent my twisted makeshift tin black wire into a u-shape that just barley held onto the green wires copper, and could be removed with a simple tug
Depending on the internals of your wire and how rugged they are this may work for you
however if you have an actual black wire in yours, or your material is more "rubbery" and less rigid you may need to find your own method, maybe stick them both on duck-tape crossing wires or something
Still you get the idea though, cross the green and black wire, but in a temporary fashion.
Finished Product (This is post-EDL command, with the green wire pulled)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
---------------------------------------------------------------------------------------------------------------------------
Testing and Driver preparation
At this point were good to go for a deep flash, but I would recommend testing before plugging it into a PC
(you can fry a PC through a USB port btw)
I recommend testing your setup with a USB adapter on a power outlet or a powered USB hub (preferable surge protected and not connected to your PC for now)
If your cable works, you should get a flashing LED
More-so now than if you didn't before, because sometimes the LED won't light when in Firehose mode, but only Sahara. If you didn't have an LED before... they its a maybe... use a multi-meter to make sure you have live connections and no shorts? if you have a flashing LED though you're golden, or should be.
Also, you want to make sure you're PC is prepped for the flash with the Qualcomm drivers, QPST/QFIL software, and your phones correct Qualcomm Level Firmware, in my case Its a Firehose_xxxx.mdn rawprogram.xml patch0.xml files.
Looking at the software though, depending on your model you may end up using a .hex file as well?
-this guide is more about the EDL cable and less about the software, many guides exist for those so if you need more info go looking for those. I'm posting this as this specific method of EDL cable I couldn't find anywhere, this is not a complete a-b guide, just the most crucial part of recovery for peoples hard bricked Qualcomm phones. -
---------------------------------------------------------------------------------------------------------------------------
The Deep Flash
Here comes the risky part, risking a PC
I've already warned you 2-3 times so whatever happens, you are responsible for.
Connect the phone with the PC, preferably through a surge protected USB HUB, or directly if you're desperate and brave/suicidal.
You should get NO CONNECTION indication from the PC, nothing in device manager, no USB connected audio blips, nothing. The only thing that should happen is the LED will flash on your phone. This is good.
Wait for about 10-20 seconds, you do not want to jump the gun or you will have to reset your wires.
after 10-20 seconds, execute your wire release / pull method on the green & black wire, separating them, but making sure their own connections don't get severed in the process.
If success, you will get a connection blip from the PC and if you have QUALCOMM DRIVERS in stalled you will see the fabled 9008 QDL loader install on its own without having to force it through device manager.
If you get 900E still, try again. if you can't get 9008 without forcing it something is wrong, either your phone has actually been in Firehose the whole time or there is a different method for your phone, or the cables are mismatched on the wire, or some other issue.
---------------------------------------------------------------------------------------------------------------------------
Successful 9008 EDL Deep flash
- A footnote for those familiar with Qualcomm already
Nice having 9008 on its own without going through device manager isnt it? ( for those experienced with Qualcomm already lol)
This is a proper QDL Deep flash and the way its meant to be loaded on these drivers.
If you had issues with QPST/QFIL before, proceed as normal if you're familiar with the process, the rest of the guide will briefly touch up on that. Just be careful not to sever the connection mid-flash, the Firehose firmware flash is much quicker than a ROM flash, so it won't be long if you already know what you're doing.
I recommend either safe-proofing your cable or switching to a UN-modified one ASAP to minimize risk to your equipment.
God-speed.
---------------------------------------------------------------------------------------------------------------------------
Qualcomm Flashing
- For those new to Firehose/Sahara
As mentioned previously this is not a Qualcomm software guide
This stuff is shrouded in mystery and proprietary hush hush so not a-lot is known and depending on what you got can be quite confusing to understand.
If you're new to Qualcomm software i previously recommenced QFIL, so that's what i will briefly touch, if you got QPST you're on your own.
(though usually QPST has QFIL included in SOME builds just fyi, if so you can continue following but you will ONLY be using QFIL using this guide, ignore all other tools in the package)
When you load QFIL, you will most likely be in "Meta" mode, this is not what we want, hit the radio bubble for "flat build" if you're missing these bubbles you may be on an ancient version of it and I recommend finding a more up to date version.
Next you must specify your programmer, this is going to be your eMMC_Firehose_XXXX.mbn file
(XXXX is your phones snapdragon MSN #, look it up on qualcomm snapdragon spec sheets if you need to)
I've only worked with my Zenfone 5 Live with this software, so eMMC_Firehose is all I know, if you find that your phone uses .hex or any other format aside from .mbn's or .xml's then I recommend you stop here and find a Qualcomm flashing guide for your specific phone, but try to keep your phone connected IF ITS SAFE TO DO SO (I.E. no risk of cat/pet attacks, children, liquids, living thing contact, etc.) , otherwise if you disconnect your phone you will need to re-perform the deep flash sequence from before.
Next click "Load XML"
this will prompt you to load both your rawprogram.xml and patch0.xml (one after the other)
Then click download.
This process took my phone about 20 seconds, its very quick
once this is complete reboot your phone with its "special reboot" key combo, whatever it is for your phone.
For mine its Vol down + power
if all goes well, you should have your good old fashioned OEM boot-loader
to make sure that whatever caused Sahara to lock-down your phone is gone, proceed to flash a factory/stock ROM to your phone. If you've made it this far I assume you either already have one on hand or found it while looking for you Qualcomm firmware.
And your phone is back from the dead.
Praise the sun!
---------------------------------------------------------------------------------------------------------------------------
FIN!
P.S. -
While waiting for your phone to flash your factory stock ROM I recommend listening to
Korn - Another Brick In The Wall (Pink Floyd Cover)
P.S.S -
I am continuing my research on brute forcing the unlock on this device, ZenFone 5 LIVE
if you have any information to share, please PM me for anything you can share or if you would like to collaborate on this project.
If you found this guide helpful and you want to show your appreciation share your feedback!
Also I wouldn't mind any donations, I am a paycheck to paycheck sweatshop callcenter tech. Link in my profile
- Sources for this methods inspiration -
club.lenovo (china)
User:
francescotagliam**te
en.miui -
Users:
[email protected]
mitch002
id post links, but i am forbidden as a new member.
Wonderful!
Hey @Leomaxwell973 , thank you for the tutorial.
I used your method, along with the one here: https://forum.xda-developers.com/t/...ight-turns-on-for-a-second-using-edl.4228641/
My phone came back to life, and I have to thank you, really.

Brick android headunit

Hi all, I flashed a firmware on my headunit through sp flash tool and then my unit is bricked, no power no light only black and not detected in pc. I can not find any rom or preloader for my android head unit. I think only solution is test point. Can anyone tell where are the test point on my motherboard.
Yugmn3 said:
Hi all, I flashed a firmware on my headunit through sp flash tool and then my unit is bricked, no power no light only black and not detected in pc. I can not find any rom or preloader for my android head unit. I think only solution is test point. Can anyone tell where are the test point on my motherboard.
Click to expand...
Click to collapse
Try this brand new guide
iceblue1980 said:
Try this brand new guide
Click to expand...
Click to collapse
Thanks for reaponse but motherboard of my HU is different. I can not find test point.
Yugmn3 said:
Thanks for reaponse but motherboard of my HU is different. I can not find test point.
Click to expand...
Click to collapse
As this is a MediaTek head unit, I can try to help you find them. I've taken a high resolution screenshot that you can use as reference:
On your motherboard, look for 2 golden circle pads labeled:
KPROW1 (stands for KeyPad Row 1) - and is the Vol+ pad
EN1 (stands for Encoder 1) - Selection + Vol+ pad
They should be next to each other and can be placed anywhere on the motherboard but I would start by looking around your CPU (it has white thermal paste applied to it on your picture), moving on to RAM and NAND/EMMC memory chips.
Follow my video guide on first making sure that there is a led light turning on when you connect your motherboard to a powered USB source (laptop etc). Then make sure your MediaTek drivers are correctly installed. I'm releasing a video guide on that in coming days but for now, refer to any of my Super MOD threads to access the best drivers and also the driver installation guide itself.
Alternatively, you can take a few high resolution pictures of your motherboard (after you cleaned it from stickers, paste etc), so that I can see every part of it clearly - and i'll try to identify the test points.
Thanks. I will try to send you high resolution photos.
iceblue1980 said:
As this is a MediaTek head unit, I can try to help you find them. I've taken a high resolution screenshot that you can use as reference:
View attachment 5417495
On your motherboard, look for 2 golden circle pads labeled:
KPROW1 (stands for KeyPad Row 1) - and is the Vol+ pad
EN1 (stands for Encoder 1) - Selection + Vol+ pad
View attachment 5417497
They should be next to each other and can be placed anywhere on the motherboard but I would start by looking around your CPU (it has white thermal paste applied to it on your picture), moving on to RAM and NAND/EMMC memory chips.
Follow my video guide on first making sure that there is a led light turning on when you connect your motherboard to a powered USB source (laptop etc). Then make sure your MediaTek drivers are correctly installed. I'm releasing a video guide on that in coming days but for now, refer to any of my Super MOD threads to access the best drivers and also the driver installation guide itself.
Alternatively, you can take a few high resolution pictures of your motherboard (after you cleaned it from stickers, paste etc), so that I can see every part of it clearly - and i'll try to identify the test points.
Click to expand...
Click to collapse
These are the photos of my headunit. Also one more problem that the speaker output of my HU is only mono. No stereo sound no good DSP overall bad quality of sound. Any suggestion for this.
iceblue1980 said:
As this is a MediaTek head unit, I can try to help you find them. I've taken a high resolution screenshot that you can use as reference:
View attachment 5417495
On your motherboard, look for 2 golden circle pads labeled:
KPROW1 (stands for KeyPad Row 1) - and is the Vol+ pad
EN1 (stands for Encoder 1) - Selection + Vol+ pad
View attachment 5417497
They should be next to each other and can be placed anywhere on the motherboard but I would start by looking around your CPU (it has white thermal paste applied to it on your picture), moving on to RAM and NAND/EMMC memory chips.
Follow my video guide on first making sure that there is a led light turning on when you connect your motherboard to a powered USB source (laptop etc). Then make sure your MediaTek drivers are correctly installed. I'm releasing a video guide on that in coming days but for now, refer to any of my Super MOD threads to access the best drivers and also the driver installation guide itself.
Alternatively, you can take a few high resolution pictures of your motherboard (after you cleaned it from stickers, paste etc), so that I can see every part of it clearly - and i'll try to identify the test points.
Click to expand...
Click to collapse
can you show me where the test point on my board sir? please help me..
denin84 said:
can you show me where the test point on my board sir? please help me..
Click to expand...
Click to collapse
Sorry, but your pictures are of insufficient resolution so I will use this picture to show you:
The process of activating the 'download mode' is much different that from YT921- models, so if you want to use my video guide, make sure to apply the "Test Point part" specific to your head unit (the rest of the video guide will mostly apply to you as well):
Install the correct MediaTek drivers on to your Windows computer
Prepare your SP Flash Tools for "WRITE MEMORY" operation
Connect your head unit to your computer via USB cable
In SP Flash Tool, click "START"
Power on your head unit by connecting it to a 12V 5A+ power supply
'Short' the test point in the picture to GROUND
Without releasing the 'short', take out and then re-insert the USB cable into your computer
Once the flashing starts, you can release the test points
When you upload a firmware or memory dump after this, you will not need to activate test points again
Original source - 4PDA ZXDZ-01 thread.
Yugmn3 said:
These are the photos of my headunit. Also one more problem that the speaker output of my HU is only mono. No stereo sound no good DSP overall bad quality of sound. Any suggestion for this.
Click to expand...
Click to collapse
Sorry but this isn't a universal head unit I've ever seen, nor is there any information available on the Internet.
iceblue1980 said:
As this is a MediaTek head unit, I can try to help you find them. I've taken a high resolution screenshot that you can use as reference:
View attachment 5417495
On your motherboard, look for 2 golden circle pads labeled:
KPROW1 (stands for KeyPad Row 1) - and is the Vol+ pad
EN1 (stands for Encoder 1) - Selection + Vol+ pad
View attachment 5417497
They should be next to each other and can be placed anywhere on the motherboard but I would start by looking around your CPU (it has white thermal paste applied to it on your picture), moving on to RAM and NAND/EMMC memory chips.
Follow my video guide on first making sure that there is a led light turning on when you connect your motherboard to a powered USB source (laptop etc). Then make sure your MediaTek drivers are correctly installed. I'm releasing a video guide on that in coming days but for now, refer to any of my Super MOD threads to access the best drivers and also the driver installation guide itself.
Alternatively, you can take a few high resolution pictures of your motherboard (after you cleaned it from stickers, paste etc), so that I can see every part of it clearly - and i'll try to identify the test points.
Click to expand...
Click to collapse
can you show me where the test point on my board sir? please help me
iceblue1980 said:
Sorry, but your pictures are of insufficient resolution so I will use this picture to show you:
View attachment 5418209
The process of activating the 'download mode' is much different that from YT921- models, so if you want to use my video guide, make sure to apply the "Test Point part" specific to your head unit (the rest of the video guide will mostly apply to you as well):
Install the correct MediaTek drivers on to your Windows computer
Prepare your SP Flash Tools for "WRITE MEMORY" operation
Connect your head unit to your computer via USB cable
In SP Flash Tool, click "START"
Power on your head unit by connecting it to a 12V 5A+ power supply
'Short' the test point in the picture to GROUND
Without releasing the 'short', take out and then re-insert the USB cable into your computer
Once the flashing starts, you can release the test points
When you upload a firmware or memory dump after this, you will not need to activate test points again
Original source - 4PDA ZXDZ-01 thread.
Click to expand...
Click to collapse
okay I will try your method.. thanks very much sir.. I hope my head unit problem resolved
Its ok. I try myself. one more problem that the speaker output of my HU is only mono. No stereo sound no good DSP overall bad quality of sound. Any suggestion for this.
Yugmn3 said:
Its ok. I try myself. one more problem that the speaker output of my HU is only mono. No stereo sound no good DSP overall bad quality of sound. Any suggestion for this.
Click to expand...
Click to collapse
The reasons can be many. Hardware or software. Did the sound work before?
No. Always mono since i bought it.
I checked the board and I think sound processor ic(cd3313E0) is made in china. This gives wrost sound no good bass no stereo. I try to hookup an external ic. But i can not find the path that carry the left and right channel inputs in the ic.
Yugmn3 said:
I checked the board and I think sound processor ic(cd3313E0) is made in china. This gives wrost sound no good bass no stereo. I try to hookup an external ic. But i can not find the path that carry the left and right channel inputs in the ic.
Click to expand...
Click to collapse
Actually, I would start with checking if the sound is still mono/bad from the RCA outputs. You can connect them to an external amplifier or even a headphone amp, just to check. If the sound is good, then it's likely your onboard amplifier:
If the sound is still bad, then yes, it could be the audio processing chip.
Have you considered just changing the head unit? You can get one for around $60 if you're tight on cash. Just make sure to get the right type if you want to utilise any of my software mods.
Alternatively, you can get a fully modded Android Head Unit from here. But you can also fully mod it yourself when it comes to hardware.
Yes i try to connect with external amp but the sound is mono. And i bought the HU around 186$. I try with changing the hardware. But firstly i want to revive the unit.
Yugmn3 said:
Yes i try to connect with external amp but the sound is mono. And i bought the HU around 186$. I try with changing the hardware. But firstly i want to revive the unit.
Click to expand...
Click to collapse
If it's still within warranty, why not just return it? As for reviving it, how did you brick it in the first place?
No it is not in warranty. I accidently flash the wrong rom with preloader and forget to backup. I can not find any specific rom for my HU, so try one by one every rom which i downloaded. But first priority is finding the test points.
Yugmn3 said:
No it is not in warranty. I accidently flash the wrong rom with preloader and forget to backup. I can not find any specific rom for my HU, so try one by one every rom which i downloaded. But first priority is finding the test points.
Click to expand...
Click to collapse
Oh, I see. Sorry to hear that but let me save you a lot of time.
Finding the Test Points will be a challenge as this is a non-standard, non-universal unit but even if you do miraculously find them without damaging the head unit, you will not be able to restore it as you don't have a backup of your native preloader.
If you had a universal head unit, there would be a minor chance of using someone else's backup but in this case, unless you find someone with the exact same device, down to firmware and MCU version, your undertaking will fail.
Yes you are right. There is no chance to recover my HU . On the russian site i saw many HU that looks like mine so i hope that i can recover. Thanks for quick response.

Categories

Resources