Database Users

Droid Ultra (possible Maxx) brick recovery

I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960_MOTO.bin -ptf _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Instruction to generate partitions.txt from working phone (Note you could have different name instead of mmcblk0):
1. adb shell dd if=/dev/block/mmcblk0 of=/sdcard/pt.bin bs=1024 count=10
2. adb pull /sdcard/pt.bin .
3. ./gpt_parser.py pt.bin > partitions.txt
Edit: Split package into 5 packages: 1. Image files for MAXX, 2 Image files for ULTRA, 3. Loader .bin for Motorola_8960 4. Window drivers for QHSUSB_DLOAD mode, 5. qdload.py script
qdload.py script updated to V1.2 with lot of usefull info printed.
move gpt_parser.py script to main post

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread.
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - follow unbrick 1 procedure.
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
WOW! Nice job, bud.
I would normally ask you to add a disclaimer to be extremely careful shorting any pins (and to do at YOUR OWN RISK), but anyone who needs to do this is already in a pickle, and their device useless.
Great work, impressive.

samwathegreat said:
WOW! Nice job, bud.
I would normally ask you to add a disclaimer to be extremely careful shorting any pins (and to do at YOUR OWN RISK), but anyone who needs to do this is already in a pickle, and their device useless.
Great work, impressive.
Click to expand...
Click to collapse
Done, I also add note about stop shorting this pin to ground once you get to QDL MODE, since it will cause eMMC instability, and may forbid to flash images.
Add: Package repacked with drivers for windows and updated version of qdload.py with windows serial port auto detection.

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
This is great!! Mind if i add it here? With proper credits of course? Or quote you?
http://forum.xda-developers.com/moto-x/general/how-to-resurrecting-bricked-moto-x-t2629057

Sure, no problem, but you need your own set of files for moto x (could be obtained from fastboot oficial image), and partitions.txt.
partitions.txt you could obtain using following instruction from working phone:
1. adb shell dd if=/dev/block/mmcblk0 of=/sdcard/pt.bin bs=1024 count=10
2. adb pull /sdcard/pt.bin .
3. ./gpt_parser.py pt.bin > partitions.txt
Edit: gpt_parser moved to main post.

VBlack said:
I want to post my findings here. It could be useful for developers playing with bootloaders, and for users who accidentally break their Droid.
DISCLAIMER: I am not responsible for any damage, caused to your phone, when you did something using information from this thread. Be extremely careful shorting any pins (and to do at YOUR OWN RISK)
There is two types of bricked device (by bricked I mean no fastboot available):
1. Device does not boot up, but responding to USB VIDID = 05c6:9008 = QHSUSB_DLOAD mode
This is qualcomm standard emergency download mode. This device become serial port (it is required drivers for Windows), and could be flashed with special protocol.
Attached is package which successfully recover Droid Ultra.
Once you see device with VIDID = 05c6:9008 = QHSUSB_DLOAD, you should run this command:
python qdload.py MPRG8960.bin _ultra/partitions.txt
after this you should be able to use fastboot to flash desired official image back.
I didn't test it on Windows, but it could work, you just need to specify COM port, by additional parameter to qdload.py:
python qdload.py -tty COM10 MPRG8960.bin _ultra/partitions.txt
Tested on Windows, drivers for QHSUSB_DLOAD now included into package, serial port auto detection added, same command use. For both windows and linux you should have Python >= 2.6 installed, and PySerial installed.
2. Device not responding to USB, but start responding after battery disconnect (you need to disassemble your phone) as VIDID = 05c6:f006 = Qualcomm modem mode.
In most cases this mean that you has HARD bricked device. I still could not provide soft way to switch from this mode to QHSUSB_DLOAD mode, so currently with this situation you has only one possibility - is to find pin, which will force device to QHSUSB_DLOAD mode. For droid Ultra (and I believe Maxx) you could find this pin marked on picture attached. On my picture you could see, that I remove shield completely, but you could reach this pin by opening shield cup only. This is the shield near display connector. This pin should be grounded to force QHSUSB_DLOAD mode. Once you see device with VIDID = 05c6:9008 - STOP shorting pin to ground and follow unbrick 1 procedure.
If you not stopping SHORT ping to gound, you may have issues with uploading images in step 1 !!!
This both unbrick tested on Droid Ultra, but I assume it should work on Droid Maxx as well (I include _maxx folder with files for maxx).
Click to expand...
Click to collapse
this should be stickied for all of android. while i realize your methods were device specific, i'm guessing there are enough similarities in your situation that it can be applied globally.

640k said:
this should be stickied for all of android. while i realize your methods were device specific, i'm guessing there are enough similarities in your situation that it can be applied globally.
Click to expand...
Click to collapse
It is Qualcomm specific. Most of current Qualcomm chips has emergency download mode. the only problem is to have proper load file MPRG8960.bin is for 8960 chips family, and looks like Motorola specific (maybe I'm wrong). So for sure not all Android device could use this, but most Qualcomm device should be fine, you just need model specific set of files, which, for example, Motorola provides with fastboot flashable images.

good points and good observations. this thread definitely shouldn't get buried in a single (aging) device. there's good info here.

I don't know if it is a problem, but I used this script to try and unbrick my phone.
When running as #1 as you state above, there is a "finished with errors" after the script. So I looked at it and saw that "MPRG8960.bin" was going to be pushed to the phone and the next line states "File not found "MPRG8960.bin." Looking at the files, the file it was looking for was named "MPRG8960_MOTO.bin," so I changed it to the file it was looking for and it worked great.
I'm a noob when it comes to the guts of programming and utilities, but it's something I spotted and figured I would let you know.

This seems really promising for my bricked xt907...

HamBone625 said:
This seems really promising for my bricked xt907...
Click to expand...
Click to collapse
Op has no fix files for the M, they have never been leaked.

HamBone625 said:
This seems really promising for my bricked xt907...
Click to expand...
Click to collapse
Since XT907 use same Qualcomm chip MSM8960 - you could try to use this utility, but first you need to obtain partitions.txt from working XT907 according to instructions.
Files needed you could take from latest firmware package (sbl1.mbn, sbl2.mbn, sbl3.mbn, tz.mbn, rpm.mbn, emmc_appsboot.mbn is aboot.mbn)

MOTO X
Hi. Can somebody post the partitions.txt for the moto X? please
To get the partition.txt from a working moto X it has to be root?
thanks

When I execute the script on my Droid Mini, with their proper partitions txt file and the MBN files from the ULTRA, I got this:
QDLoad utility version 1.2 (c) VBlack 2014
Found TTY port: com64
Requesting Params...
Params:
Version: 8
Min version: 1
Max write size: 1536 (0x00000600)
Model: 144
Device size: Invalid or unrecognized Flash device, or Flash device progr
amming not supported by this implementation
Device type: Intel 28F400BX-TL or Intel 28F400BV-TL
Requesting SoftwareVersion...
Version: PBL_DloadVER2.0
Requesting SerialNumber...
Serial number: 00,00,48,03
Requesting HW Id...
HW Id: 00,00,48,03,e1,10,7e,00
Requesting PublicKey...
PublicKey: 39,c4,ee,3e,b5,be,eb,87,8e,2f,e3,b8,53,4d,14,6f,91,ca,fd,bb,94,2a,0d
,aa,d0,1e,b0,87,62,d4,b9,b8
Uploading file 'MPRG8960_MOTO.bin' to addr 0x2a000000...
Executing...
Found TTY port: com64
Sending MAGIC ...
QCOM fast download protocol targ:
Version: 7
Compatible version 2
Maximum block size 1024 (0x00000400)
Base address of Flash 0x00000000
Flash: eMMC
Window size: 30
Number of sectors: 128
First sector size: 2097152 (0x00200000)
Feature bits: 09
Sending secureMode...
Sending openMulti ...
LOG: Open multi failed, unknown error
ERROR: 0x00000007: Open multi failed, unknown error
Sending SBL Reset...
Done, with errors!!!

Where I can get the MBN files for a Droid Mini?

Hi, you could try to find it inside one of official (fastboot) package for empty flashing like in Ultra package. It fails in very strange place - I will look at it on Monday.
Sent from my XT1080 using Tapatalk

VBlack said:
Hi, you could try to find it inside one of official (fastboot) package for empty flashing like in Ultra package. It fails in very strange place - I will look at it on Monday.
Sent from my XT1080 using Tapatalk
Click to expand...
Click to collapse
I tried the MBN files from a 4.4 fastboot from an Ultra and from the Droid Mini too, but i'm getting this errors, I don't know what's wrong or what I'm doing worng.
My phone powers up and can enter to fastboot, but it fails to boot, when i use "fastboot reboot" it reboot to QHSUSB_DLOAD... but well, something is wrong,,,

HELP
When i do the third step yo obtain partitions.txt (./gpt_parser.py pt.bin > partitions.txt)
i got a message
can't create partitions.txt: Read-only file system
any help?

C:\droid_ultra>python qdload.py MPRG8960_MOTO.bin -ptf _ultra/partitions.txt
'python' is not recognized as an internal or external command,
operable program or batch file.

BUZZAPT said:
When i do the third step yo obtain partitions.txt (./gpt_parser.py pt.bin > partitions.txt)
i got a message
can't create partitions.txt: Read-only file system
any help?
Click to expand...
Click to collapse
You should execute it on PC in writable folder.
Sent from my XT1080 using Tapatalk

Nexus 6P not recognized via adb devices on Mac

Hi everyone,
I have a Nexus 6P which simply refuses to connect via USB on my Mac (i.e. it doesn't show up as a valid device under adb devices or via Android File Transfer). I believe it was working at some point but it seems to have stopped now. Might be worth noting, I did try connecting it to my car's charger a few months ago but had the worst time with it, it would charge and disconnect every few seconds (may or may not be relevant in this case as it pertains to the USB). I tried a different charger and it works fine with it though.
I have tried a lot of different things (which I'll list below) but have had no luck getting my Nexus 6P being recognized as a device when I connect it to my Mac (or any other). I do have the Developer settings enabled and I am able to switch to MTP but I never get the prompt to change USB mode. Anytime I connect my device, adb devices doesn't list it at all. I tried ADB File transfer as well and that also says "Please connect your device".
Here are some of the things I have tried so far:
1. Used different cables - no luck
2. Used a different mac - no luck
3. Tried a different Nexus 6P with my cable, it works fine (so it is not a cable issue)
4. Tried a different Nexus 6P with my mac, it works fine (so my Mac seems to be OK too)
5. Restarted in recovery mode - no luck
6. Tried removing a bunch of apps in case there was something conflicting - no luck so far
7. Chatted up Google support - They couldn't tell me much outside of the last option - Factory Reset - I have been holding off on that since I want to be able to transfer my files out first but I really want to avoid having to try that before exhausting all other options. They did offer to replace with a refurb'ed device but I had to decline that.
I did create a bug report dump using the device to see if anything interesting showed up and the only thing noticeable there is an exception related to USB. I am putting that info here in case it is useful in helping with this.
Code:
DUMP OF SERVICE usb:
USB Manager State:
USB Device State:
mCurrentFunctions: mtp,adb
mCurrentFunctionsApplied: true
mConnected: false
mConfigured: false
mUsbDataUnlocked: false
mCurrentAccessory: null
Kernel state: DISCONNECTED
Kernel function list: mtp,ffs
USB Debugging State:
Connected to adbd: true
Last key received: null
User keys:
IOException: java.io.FileNotFoundException: /data/misc/adb/adb_keys: open failed: ENOENT (No such file or directory)
System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
USB Host State:
USB Port State:
otg_default: port=UsbPort{id=otg_default, supportedModes=dual}, status=UsbPortStatus{connected=true, currentMode=ufp, currentPowerRole=sink, currentDataRole=device, supportedRoleCombinations=[source:host, sink:device]}, canChangeMode=true, canChangePowerRole=false, canChangeDataRole=false
USB Audio Devices:
USB MIDI Devices:
Settings for user 0:
Device permissions:
Accessory permissions:
Device preferences:
Accessory preferences:
Any help here is really appreciated! Thanks

desimunda42 said:
Code:
USB Debugging State:
Connected to adbd: true
Last key received: null
User keys:
IOException: java.io.FileNotFoundException: /data/misc/adb/adb_keys: open failed: ENOENT (No such file or directory)
System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
Click to expand...
Click to collapse
That seems suspicious. Was this taken while the phone was connected to your mac?
Here's my phone's dump while NOT connected to a computer
Code:
USB Manager State:
USB Device State:
mCurrentFunctions: mtp,adb
mCurrentFunctionsApplied: true
mConnected: false
mConfigured: false
mUsbDataUnlocked: false
mCurrentAccessory: null
Kernel state: DISCONNECTED
Kernel function list: mtp,ffs
USB Debugging State:
Connected to adbd: true
[COLOR="red"] Last key received: blahblahblahblah (not null)
User keys: blahblahblahblah (no exception)
[/COLOR] System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
Here it is when connected to computer
Code:
DUMP OF SERVICE usb:
USB Manager State:
USB Device State:
mCurrentFunctions: mtp,adb
mCurrentFunctionsApplied: true
[COLOR="red"] mConnected: true
mConfigured: true
[/COLOR] mUsbDataUnlocked: false
mCurrentAccessory: null
[COLOR="red"] Kernel state: CONFIGURED
[/COLOR] Kernel function list: mtp,ffs
USB Debugging State:
Connected to adbd: true
[COLOR="Red"] Last key received: blahblahblahblah (not null)
User keys: blahblahblahblah (no exception)
[/COLOR] System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
Are you on a custom rom? Do you get an authorization prompt if you call "adb device" after doing "Revoke USB debugging authorizations" from Develop options?

adotkdotjh said:
That seems suspicious. Was this taken while the phone was connected to your mac?
Are you on a custom rom? Do you get an authorization prompt if you call "adb device" after doing "Revoke USB debugging authorizations" from Develop options?
Click to expand...
Click to collapse
I wasn't connected to my Mac at the time I pulled the report (I confirmed by repeating it just now and still get that 'FileNotFoundException" in the logs for USB device. I don't have a custom rom, I have the standard OEM from the Google Store and didn't do anything else with it.
Also, I did revoke the USB debugging auth multiple times and inspite of that I never get any prompt when I connect.
I also got the report while connected to the Mac and am still seeing the same exception:
Code:
DUMP OF SERVICE usb:
USB Manager State:
USB Device State:
mCurrentFunctions: mtp,adb
mCurrentFunctionsApplied: true
mConnected: false
mConfigured: false
mUsbDataUnlocked: false
mCurrentAccessory: null
Kernel state: DISCONNECTED
Kernel function list: mtp,ffs
USB Debugging State:
Connected to adbd: true
Last key received: null
User keys:
IOException: java.io.FileNotFoundException: /data/misc/adb/adb_keys: open failed: ENOENT (No such file or directory)
System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
USB Host State:
USB Port State:
otg_default: port=UsbPort{id=otg_default, supportedModes=dual}, status=UsbPortStatus{connected=true, currentMode=ufp, currentPowerRole=sink, currentDataRole=device, supportedRoleCombinations=[source:host, sink:device]}, canChangeMode=true, canChangePowerRole=false, canChangeDataRole=false
USB Audio Devices:
USB MIDI Devices:
Settings for user 0:
Device permissions:
Accessory permissions:
Device preferences:
Accessory preferences:

desimunda42 said:
Hi everyone,
I have a Nexus 6P which simply refuses to connect via USB on my Mac (i.e. it doesn't show up as a valid device under adb devices or via Android File Transfer). I believe it was working at some point but it seems to have stopped now. Might be worth noting, I did try connecting it to my car's charger a few months ago but had the worst time with it, it would charge and disconnect every few seconds (may or may not be relevant in this case as it pertains to the USB). I tried a different charger and it works fine with it though.
I have tried a lot of different things (which I'll list below) but have had no luck getting my Nexus 6P being recognized as a device when I connect it to my Mac (or any other). I do have the Developer settings enabled and I am able to switch to MTP but I never get the prompt to change USB mode. Anytime I connect my device, adb devices doesn't list it at all. I tried ADB File transfer as well and that also says "Please connect your device".
Here are some of the things I have tried so far:
1. Used different cables - no luck
2. Used a different mac - no luck
3. Tried a different Nexus 6P with my cable, it works fine (so it is not a cable issue)
4. Tried a different Nexus 6P with my mac, it works fine (so my Mac seems to be OK too)
5. Restarted in recovery mode - no luck
6. Tried removing a bunch of apps in case there was something conflicting - no luck so far
7. Chatted up Google support - They couldn't tell me much outside of the last option - Factory Reset - I have been holding off on that since I want to be able to transfer my files out first but I really want to avoid having to try that before exhausting all other options. They did offer to replace with a refurb'ed device but I had to decline that.
I did create a bug report dump using the device to see if anything interesting showed up and the only thing noticeable there is an exception related to USB. I am putting that info here in case it is useful in helping with this.
Code:
DUMP OF SERVICE usb:
USB Manager State:
USB Device State:
mCurrentFunctions: mtp,adb
mCurrentFunctionsApplied: true
mConnected: false
mConfigured: false
mUsbDataUnlocked: false
mCurrentAccessory: null
Kernel state: DISCONNECTED
Kernel function list: mtp,ffs
USB Debugging State:
Connected to adbd: true
Last key received: null
User keys:
IOException: java.io.FileNotFoundException: /data/misc/adb/adb_keys: open failed: ENOENT (No such file or directory)
System keys:
IOException: java.io.FileNotFoundException: /adb_keys: open failed: ENOENT (No such file or directory)
USB Host State:
USB Port State:
otg_default: port=UsbPort{id=otg_default, supportedModes=dual}, status=UsbPortStatus{connected=true, currentMode=ufp, currentPowerRole=sink, currentDataRole=device, supportedRoleCombinations=[source:host, sink:device]}, canChangeMode=true, canChangePowerRole=false, canChangeDataRole=false
USB Audio Devices:
USB MIDI Devices:
Settings for user 0:
Device permissions:
Accessory permissions:
Device preferences:
Accessory preferences:
Any help here is really appreciated! Thanks
Click to expand...
Click to collapse
I usually only get the key prompt for ADB authorzation when I connect my device and type "adb devices"..... If worse comes to worse, You can restore your phone to factory settings without wiping your sd card. Then you could test that option with compromising your data. Just flash each image from the archive yourself when restoring the firmware as opposed to using the flash-all scipt, or resetting the phone from settings... DO NOT flash the "userdata.img" included in the factory firmware archive or issue the command "fastboot format userdata" during the restore process and all of your files will be fine. This may be an option as long as fastboot is still functional on your device. Ive come across so many different devices in so many different conditions over the years, as long as the device could power on and the usb port was functional, fasboot has worked time and time again.
PS adb on Mac can be a bit tricky especially if this is the first time youre attempting to o install and use it. Unless you set the correct enviornment variables during the install process, you will oly be able to access adb from inside the folder that its stored in on your mac. Youll have to pull up your terminal and and direct it to the folder containing adb and fastboot. Its usually ina a folder called "platform-tools" Which can be found in the dictory in whch you installed the Android SDK or SDK Tools packages... Now that I think about it, you have to download adb from the SDK package I just mentioned. After doing so, youll find the platform tools folder and it should contain what you need. As long as java is correctly installed on your mac then everything should work once you issue the "adb devices" command in a terminal session thats points at the "platform-tools" folder. YOU ALSO HAVE TO HAVE JDK INSTALLED in order for it to work with your device. I just looked at what you posted and it looks like youred missing JDK"...
If you havent done any of this yet the thats the problem. If everything I just typed seems confusing then you can try this which explains everything you need to do to set up adb a whole lot better than my attempt above lol buts its going to take some time to accomplish https://seo-michael.co.uk/how-to-setup-adb-on-os-x/
or
You can also install and configure adb a whole lot easier by issuing the following commands from within your mac terminal.... (This will install Brew on your Mac, if you arent familiar with what it is, Its a software distrobution platform. Sort of like git hub and linux software repos. When in doubt, do a little reading first. It'll solve all your problems....
-Install Brew - Copy and paste this command into a mac terminal and follow the prompts that show up.
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
-Once that finishes, next use this command
brew update && brew cask install java
-Once that is complete enter this last command
brew install android-platform-tools
Those 3 commands will do 99 percent of the work. When its done just find the platform tools folder and go from there. Hope this helps.

Sass86oh said:
PS adb on Mac can be a bit tricky especially if this is the first time youre attempting to o install and use it. Unless you set the correct enviornment variables during the install process, you will oly be able to access adb from inside the folder that its stored in on your mac. Youll have to pull up your terminal and and direct it to the folder containing adb and fastboot. Its usually ina a folder called "platform-tools" Which can be found in the dictory in whch you installed the Android SDK or SDK Tools packages... Now that I think about it, you have to download adb from the SDK package I just mentioned. After doing so, youll find the platform tools folder and it should contain what you need. As long as java is correctly installed on your mac then everything should work once you issue the "adb devices" command in a terminal session thats points at the "platform-tools" folder. YOU ALSO HAVE TO HAVE JDK INSTALLED in order for it to work with your device. I just looked at what you posted and it looks like youred missing JDK"...
Click to expand...
Click to collapse
He says he already tried adb devices which didn't list anything. That tells me adb is configured correctly. Otherwise it should've given errors. Plus, he also said another Nexus 6P worked on the same mac.

adotkdotjh said:
He says he already tried adb devices which didn't list anything. That tells me adb is configured correctly. Otherwise it should've given errors. Plus, he also said another Nexus 6P worked on the same mac.
Click to expand...
Click to collapse
Yep
Sass86oh said:
I usually only get the key prompt for ADB authorzation when I connect my device and type "adb devices"..... If worse comes to worse, You can restore your phone to factory settings without wiping your sd card. Then you could test that option with compromising your data. Just flash each image from the archive yourself when restoring the firmware as opposed to using the flash-all scipt, or resetting the phone from settings... DO NOT flash the "userdata.img" included in the factory firmware archive or issue the command "fastboot format userdata" during the restore process and all of your files will be fine. This may be an option as long as fastboot is still functional on your device. Ive come across so many different devices in so many different conditions over the years, as long as the device could power on and the usb port was functional, fasboot has worked time and time again.
PS adb on Mac can be a bit tricky especially if this is the first time youre attempting to o install and use it. Unless you set the correct enviornment variables during the install process, you will oly be able to access adb from inside the folder that its stored in on your mac.
Click to expand...
Click to collapse
Thanks for the detailed steps but like adotkdotjh mentioned, I already have a working adb (and it worked fine with a different Nexus 6P on the same mac). How would 'fastboot' work if the computer does not even see my device under list of devices? I've never done any image flashing before so that would be quite an unfamiliar territory but I'd be willing to explore. Where would I get these image files and how do I issue the command to the device while it is not being recognized? Thanks

desimunda42 said:
Yep
Thanks for the detailed steps but like adotkdotjh mentioned, I already have a working adb (and it worked fine with a different Nexus 6P on the same mac). How would 'fastboot' work if the computer does not even see my device under list of devices? I've never done any image flashing before so that would be quite an unfamiliar territory but I'd be willing to explore. Where would I get these image files and how do I issue the command to the device while it is not being recognized? Thanks
Click to expand...
Click to collapse
Fastboot (also refered to as "download mode") is a tool used to essentially reprogram your device in the event that you are unable to enter into recovery mode in oreder to fix whatever issue your device is having. Android devices have 3 working modes, normal function, recovery mode, and fastboot. Number one is obvious, recovery allows you to completely reset your device without using a computer if every other measure youve tried hasn't worked. When you use this feature everything on your device is erased and your phone is completely restored to factory settings. Its convienet becuase not everyone is computer savvy and its to the point. But say you were updating (system update) your phone and accidently dropped it causing the battery to fall out and the device to shut off in the middle of the update process. What will most likely happen is the system partition will become corrupt, causing the phone to stick at the initial boot screen. Usually if that happens you can still access recovery mode and just reset but if for some reason that didnt work you would go to the manufacturers website and download the latest firmware for your device. You put the phone into fastboot mode by holding volume down and then pressing and holding the power button at the same time (while the phone is off).The process varies bydevice, If done correctly you will see on your screen a bunch of info along with Andy (the Android) chillin with his hatch open. You connect your phone to your computer and as long as your computer is set up correctly with adb and fastboot, you now have the abailty to reprogram (flash) your device using a series of commands that are issued from either the command line (windows) or terminal (linux/mac).
YOUR BOOTLOADER NEEDS TO BE UNLOCKED BEFORE CONTINUING. IF YOU DONT SEE A LITTLE LOCK AT THE BOTTOM OF YOUR DEVICE UNDER THE GOOGLE LOGO WHEN YOU FIRST TURN IT ON THEN YOU NEED TO GO TO SETTINGS, ABOUT DEVICE, FIND BUILD NUMBER AND TAP IT RAPIDLY UNTIL YOU SEE A MESSAGE POP UP SAYING YOU UNLOCKED DEVELOPER OPTIONS. GO BACK TO THE SETTINGS MENU AND SELEC DEVELOPER OPTIONS WHICH SHOULD NOW BE THERE AND INSIDE THERES AN OPTION CALLED "ALLOW OEM UNLOCKING" TURN IT ON. AND CONTINUE
Eextract the firmware archive you downloaded which will produce a folder containing 2 ".img files" files, another ".tar" archive, and some script files that you can use to make the process pretty much automated.
There are two of them, one for Windows (flash-all.bat) and one for Linux and Mac (flash-all.sh)....
Open the folder that was extracted from the firmware archive... Hold shift then right click a blank area in the folder. Select "open command prompt here" (Windows)
or
Type in terminal : cd ~/downloads/xxx where "xxx" is the name of the folder that was extracted but make sure that folder is moved to your "downloads" directory first
Then type the following commands:
IF YOU HAVENT UNLOCkED YOUR BOOTLOADER BEFORE THEN THIS IS WHERE YOU WILL NEED TO:
For Mac/Linux type: ./fastboot flashing unlock **Make sure you use the ./ or the command wont be recognized**
For Windows type: fastboot flashing unlock
Select yes on the phone when it asks if youre sure..... BAM, unlocked bootloader.
Your phone is completely free of restrections if you want to install custom firmware now. If not you can relock it after flashing the stock firmare by enterning fastboot mode again and typing
fastboot flashing lock or ./fastboot flashing lock (mac/linux).....
Now we can proceed with flashing the device...
For Windows: flash-all.bat and hit enter. The computer will do the rest.
Linux/Mac: ./flash-all.sh Make sure you use the ./ or the command wont be recognized.
If youre feeling brave you can do the entire process yourself by extracting the files in that second archive that was produced and flash each of them individually using a series of command in a specific order.
The 2nd extracted archive will give you a folder with five .img files
boot.img
cache.img
system.img
recovery.img
userdata.img ***** DO NOT FLASH THIS IMAGE. FORGET ITS EVEN THERE****
Take all five and move them to the original folder that was extracted. There are 2 other .img files that were extracted from the first archive also like I mentioned above, one that says "BOOTLOADER.xxx.xx.img" and one that says "RADIO.xxx.xxx.img"... Rename RADIO.xxx.xxx.img to | radio.img |and the other to| bootloader.img |ALL LOWER CASE keep them in that folder along with the other five. Now you should have 7 total image files in one folder. (Its smart to use the folder that your command prompt or terminal was opened in, if you decide to use a different folder then you have to direct each fastboot command to the folder where the .img file is located.
from the command line you flash each img individually with the following commands.....
(Mac/Linux need to include ./ before every fastboot command begins like this: ./fastboot or it wont work.
fastboot flash bootloader bootloader.img
fastboot reboot-bootloader (phone will reboot then go back into fastboot mode, dont worry should only take seconds)
fastboot flash radio radio.img
fastboot reboot-bootloader (reboots again)
fastboot flash boot boot.img
fastboot erase cache
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash vendor vendor.img
fastboot format userdata (this command takes place of the "userdata.img" file I told you to forget about)
fastboot reboot
As long as you see action on the screen and a "complete" after every command then youre in business. If you get an error check your spelling. THE COMMAND LINE IS CASE SENSETIVE. You might type the correct words but if one letter is capital the command wont work. If theres an extra space between words then the command wont work so check everything. Safe rule: Everything should be in lower case letters with 1 space after every word.... THIS S*** MATTERS
Its not as hard as it seems if you arent familiar with the process, but its also not something to mess with unless youve done your homework. Read up on it, there are so many good posts and people in here so you'll be able to find everything you need without any issue.
Fastboot can also be used to install a custom recovery like TWRP which would then allow you to install custom firmware (roms) on your device as long as theres support for it. Nexus devices are built for that very reason! They tend to have a huge selection of development within the Android community. They come with Android as Google intended it to be! No extra BS.... And its wicked easy to unlock the bootloader. That is why they are, in my opinion, the best Android devices available. But someone who doesnt really care much for things like modding and installing custom firmware might see the Nexus as plain device which lacks the bells and whistles included in other devices. Which is ok! I personally love the simplicity of pure Android and the whole philosophy behind the Nexus Program. To each is own! If you need anything else send me a message!

Have not read it all on here lol install this on your Mac https://www.android.com/filetransfer/ and see if it sees you 6p make sure you plug in them change from charging to file transfer on the phone then exit out of the app and reboot that will tell you if your Mac sees your phone

[FIX][LUMIA]Dead Phone,Bricked bootloader,infinite boot loop,Boot Failed etc.

Hello all lumia owners ,with the release of windows phone internals there is a great rush to unlock bootloader and install custom rim.
In previous post I have posted about unlocking bootloader and enabling root access but what if you have bricked your lumia?
In That case Please read this thread and fix your lumia.
Lumia can be bricked by bad updating phone or disconnection in update or something else it might also be bricked by flashing custom Rom.
REQUIREMENTS
1.Windows Device Recovery Tool (WDRT)- Get it here
2.FFU image for your phone.(Larger than 1gb)(If you have custom rom then skip ffu image and jump to method 2) - check here
3.Drivers (Installed with WDRT)
Instruction
Method 1
1.Install WDRT and run it.
2.Dont Connect your phone, just click on I can''t find my device button.
3.Let it to Search for a Device.
4.Connect your device via USB cable.
4.Start Up your lumia by pressing power button.
5.If it is not starting,Struck on logo,or just a boot loop it can be read by WDRT.
6.WDRT will show device with unknown manufacturer, o's version etc.
7.Dont Flash software with it Just close it.
8.Go to http://www.lumiafirmware.com/info and read all instruction and follow it to manual flash flu file.
9.Wait Until all is done and reply if this fixed your lumia.
Method 2 (Easy)
If you didn bricked your device in flashing or unlocking bootloader then Its better to jump out method 1 as it is more easy for you.
Or if you have custom rom for your phone and not want to download full original ffu then stay here.
1. Install Windows device recovery tool.
2. Go to :
For 32bit window.
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
For 64bit window.
C:\Program Files\Microsoft Care Suite\Windows Device Recovery Tool
Or whatever install folder you selected.
3. Hold shift and right click on your mouse and click open command windows here.
4. Paste thor2 -mode uefiflash -ffufile " " in cmd and click enter.(This will start searching your phone)
4. Press And Hold Poweroff + Lower Volume Button (Dont release it if your phone turn on automatically)(Especially in Bootloop).
5. Connect your phone to PC ( of course using USB cable).
6. if it detect Your device it will take you to Flash Screen (Ignore errors as it appear becuase in ffu location we take " " and its completely normal.)
7. Run Windowsphone internals and now it will detect your phone in flash mode.
8. Now you can Flash Custom rom (if bootloader unlocked) or just flash stock ffu image (dont need unlocked bootloader.)
Done
I will try to find more and more method to fix brick lumia until then this method is best or just send device to service center if this didn't fixed.

Greetings;
the *.ffu file won't be found at: http://www.lumiafirmware.com/info (for most devices).
That's some misleading website info; copied to several tutorials.
Reference: "Tutorial: Unbrick Lumia Devices"
Considering your System drive is " C: "
Open: C:\Program Data\Microsoft\Packages\Products\RM-<Number>
* Where <Number> will be your device release model number.
Note: You can check Code & Release Model Number on the back of your phone by removing your battery.
Inside that folder you can see that you have some required files to recover your device from Bricked states.
i.e: the *.ffu file.

Hi,
My phone crashed during the bootloader unlock process. I think My hex codes were not in sync with the ffu.
Now my PC does not detect the phone enither does it vibrates or shows any activity on the screen.
When I tried the above methods, I get the following error message.
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -ffufile " "
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile
Process started Sat Jun 17 05:30:45 2017
Logging to file C:\Users\siddh\AppData\Local\Temp\thor2_win_20170617053045_ThreadId-10580.log
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
Operation took about 1 minute, 0 seconds.
THOR2_ERROR_NO_DEVICE_WITHIN_TIMEOUT
THOR2 1.8.2.18 exited with error code 84003 (0x14823)
Is there any way I can create a temporary bus between the phone and that thor utility to send a bootloader handshake?

Hi,
My phone crashed during the bootloader unlock process. I think My hex codes were not in sync with the ffu.
Now my PC does not detect the phone enither does it vibrates or shows any activity on the screen.
When I tried the above methods, I get the following error message.
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -ffufile " "
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile
Process started Sat Jun 17 05:30:45 2017
Logging to file C:\Users\siddh\AppData\Local\Temp\thor2_win_201706 17053045_ThreadId-10580.log
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
Operation took about 1 minute, 0 seconds.
THOR2_ERROR_NO_DEVICE_WITHIN_TIMEOUT
THOR2 1.8.2.18 exited with error code 84003 (0x14823)
what i do now? is that any way to recreat my lumia phone?

swapnilnaikwadi said:
Hi,
My phone crashed during the bootloader unlock process. I think My hex codes were not in sync with the ffu.
Now my PC does not detect the phone enither does it vibrates or shows any activity on the screen.
When I tried the above methods, I get the following error message.
C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool>thor2 -mode uefiflash -ffufile " "
THOR2 1.8.2.18
Built for Windows @ 13:36:46 Jun 16 2015
Thor2 is running on Windows of version 6.2
thor2 -mode uefiflash -ffufile
Process started Sat Jun 17 05:30:45 2017
Logging to file C:\Users\siddh\AppData\Local\Temp\thor2_win_201706 17053045_ThreadId-10580.log
Debugging enabled for uefiflash
Initiating FFU flash operation
WinUSB in use.
Operation took about 1 minute, 0 seconds.
THOR2_ERROR_NO_DEVICE_WITHIN_TIMEOUT
THOR2 1.8.2.18 exited with error code 84003 (0x14823)
what i do now? is that any way to recreat my lumia phone?
Click to expand...
Click to collapse
Same problem? did you find a solution?

YOU ARE THE MAN.
my 930 was bricked by wpinternals misuse and this simple guide fixed it!!
my nokia was completely dead, and you sir, saved my 930 with this recommended guide!!

rgxHost said:
Greetings;
the *.ffu file won't be found at: http://www.lumiafirmware.com/info (for most devices).
That's some misleading website info; copied to several tutorials.
Reference: "Tutorial: Unbrick Lumia Devices"
Considering your System drive is " C: "
Open: C:\Program Data\Microsoft\Packages\Products\RM-<Number>
* Where <Number> will be your device release model number.
Note: You can check Code & Release Model Number on the back of your phone by removing your battery.
Inside that folder you can see that you have some required files to recover your device from Bricked states.
i.e: the *.ffu file.
Click to expand...
Click to collapse
if it is possible to recover data from a damaged lumia, I do not want to lose data

Greetings; using Nokia firmware tool will reset your device to factory settings (on mine, reverts back to windows 8).
Best regards;

Hi all, i have a bricked lumia 1320 with samsung emmc. When i power it on, it says: unable to find boot options
This problem started when i downgraded from windows 10 mobile to lumia denim using WDRT. The flashing procedure went well and, at reboot, the error message appeared on screen.
i've tried with thor2, windows phone internals, WDRT to unbrick the device but i failed. Do you have other suggestions? I read that exists a way to restore the device using jtag or atf box but i don't want to buy a 100$ peripheral for a one-time procedure

I made a program that unbricks your device, recovers from QHSUSB_DLOAD, QHUSB_DLOAD.
It's called...
Windows Phone Unbrick Tool (WPUT)
It comes with an installer.
NOTE:
1. You should enter the license key that is provided in the License Agreement section (for checking that you are not a bot, so don't use autoinstaller!
2. You must download your emergency HEX and MBN files from lumiafirmware.com
3. You must specify the correct path to the HEX/MBN files otherwise the program will fail!
4. If the unbricking succeeds remove your battery from your device for 1 minute and put it back on
5. Charge the device for at least 30 minutes before turning it on!
6. Reflash your device with Windows Device Recovery Tool.
Download it here
b i t . l y / 2 O Y Q Z V R
(REMOVE THE SPACES)

gmirz2005 said:
I made a program that unbricks your device, recovers from QHSUSB_DLOAD, QHUSB_DLOAD.
It's called...
Windows Phone Unbrick Tool (WPUT)
It comes with an installer.
NOTE:
1. You should enter the license key that is provided in the License Agreement section (for checking that you are not a bot, so don't use autoinstaller!
2. You must download your emergency HEX and MBN files from lumiafirmware.com
3. You must specify the correct path to the HEX/MBN files otherwise the program will fail!
4. If the unbricking succeeds remove your battery from your device for 1 minute and put it back on
5. Charge the device for at least 30 minutes before turning it on!
6. Reflash your device with Windows Device Recovery Tool.
Download it here
b i t . l y / 2 O Y Q Z V R
Click to expand...
Click to collapse
Hi!
My lumia 635 has no .mbn and .hex extension files at lumiafirmwaredotcom, but .edp and .ede files.
I tried both but not working, runs 20seconds and "err connection not found"
My lumia when connected at usb is recognized as unkown device, dont know what do anymore

nhtmd2 said:
Hi!
My lumia 635 has no .mbn and .hex extension files at lumiafirmwaredotcom, but .edp and .ede files.
I tried both but not working, runs 20seconds and "err connection not found"
My lumia when connected at usb is recognized as unkown device, dont know what do anymore
Click to expand...
Click to collapse
OK, so what you need to do now is, to remove the battery of your phone and connect it to the computer.
As I am seeing the log of the program, it says that the device is not detected.
So try removing your battery, connect it to your computer, wait until the computer successfully installs the QH-USB Dloader driver.
Firstly, try repairing your phone by doing the following steps:
1. start CMD as administrator
2.type cd C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
or if your pc is 32 bit OS, then type C:\Program Files\Microsoft Care Suite\Windows Device Recovery Tool
3.now type the following thor2 -mode emergency -protocol sahara -hexfile edefile.ede -edfile edpfile.edp
4. do it for 5 times
5. disconnect the device
6. insert the battery
7. connect it to wall charger
8. wait 10 minutes, for it to charge
9. connect the device to PC
10. if the device shows the red flash screen, then you are good to go
11. if not, then remove the device from computer, disconnect the battery, reconnect the device to computer, launch WDRT
12. click My Device Is Not Detected
13. click LUMIA
14. if your device has been detected, it will be shown in WDRT (if not then retry the steps from 1 to 7 for several times)
15. click your device
16. wait until the device recovers from Emergency State
17. wait until your device reflashes
18. enjoy!
NOTE: All data is already lost and cannot be recovered as Windows Phones use secure erase, and no data recovery tool will be able to get the files back
SO FINGERS CROSSED TO ONEDRIVE BACKUP YOUR PHOTOS/VIDEOS and ELSE!

gmirz2005 said:
OK, so what you need to do now is, to remove the battery of your phone and connect it to the computer.
As I am seeing the log of the program, it says that the device is not detected.
So try removing your battery, connect it to your computer, wait until the computer successfully installs the QH-USB Dloader driver.
Firstly, try repairing your phone by doing the following steps:
1. start CMD as administrator
2.type cd C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool
or if your pc is 32 bit OS, then type C:\Program Files\Microsoft Care Suite\Windows Device Recovery Tool
3.now type the following thor2 -mode emergency -protocol sahara -hexfile edefile.ede -edfile edpfile.edp
4. do it for 5 times
5. disconnect the device
6. insert the battery
7. connect it to wall charger
8. wait 10 minutes, for it to charge
9. connect the device to PC
10. if the device shows the red flash screen, then you are good to go
11. if not, then remove the device from computer, disconnect the battery, reconnect the device to computer, launch WDRT
12. click My Device Is Not Detected
13. click LUMIA
14. if your device has been detected, it will be shown in WDRT (if not then retry the steps from 1 to 7 for several times)
15. click your device
16. wait until the device recovers from Emergency State
17. wait until your device reflashes
18. enjoy!
NOTE: All data is already lost and cannot be recovered as Windows Phones use secure erase, and no data recovery tool will be able to get the files back
SO FINGERS CROSSED TO ONEDRIVE BACKUP YOUR PHOTOS/VIDEOS and ELSE!
Click to expand...
Click to collapse
Oh man ty very much for your answer, im gonna try it out tomorrow night and come back here to give u feedback!
Sorry for the double quote here and in the other post.
Fingers crossed, thanks!

nhtmd2 said:
Oh man ty very much for your answer, im gonna try it out tomorrow night and come back here to give u feedback!
Sorry for the double quote here and in the other post.
Fingers crossed, thanks!
Click to expand...
Click to collapse
got it!
Waiting!...
Hope it works

I have a Nokia Lumia 1020 completely unresponsive buttons and screen, except for the Windows LED logo that lights up briefly when I plug it in. It is running wp8.1 and it doesn't have a removable battery

Any help would be greatly appreciated. I honestly don't mind if it needs to be completely wiped. I mostly just use it for the camera.

ChrisWilke said:
Any help would be greatly appreciated. I honestly don't mind if it needs to be completely wiped. I mostly just use it for the camera.
Click to expand...
Click to collapse
Try leaving your phone charging for 1 day.
After that connect it to WDRT (Windows Device Recovery Tool)
And start reflashing the software.
NOTE: If the WDRT doesn't detect it, try holdin POWER and VOLUME DOWN buttons for 15 secs, it will trigger a power-cycle.

https://forum.xda-developers.com/windows-phone-8/development/unbrick-dead-boot-lumia-jtag-t3872885

Does anybody know how to use this thor2 command?
Device authentication:
thor2 -mode rnd -do_authentication -sdauthenticationtype production -skip_com_scan -skip_gpt_check [-server saisec001.europe.nokia.com] [-securesessionfile mysession.sessionid]"
Click to expand...
Click to collapse

gmirz2005 said:
I made a program that unbricks your device, recovers from QHSUSB_DLOAD, QHUSB_DLOAD.
It's called...
Windows Phone Unbrick Tool (WPUT)
It comes with an installer.
NOTE:
1. You should enter the license key that is provided in the License Agreement section (for checking that you are not a bot, so don't use autoinstaller!
2. You must download your emergency HEX and MBN files from lumiafirmware.com
3. You must specify the correct path to the HEX/MBN files otherwise the program will fail!
4. If the unbricking succeeds remove your battery from your device for 1 minute and put it back on
5. Charge the device for at least 30 minutes before turning it on!
6. Reflash your device with Windows Device Recovery Tool.
Download it here
b i t . l y / 2 O Y Q Z V R
(REMOVE THE SPACES)
Click to expand...
Click to collapse
Thanks for your gr8 efforts - However How to find Hex and MBN files - how to identify and from where to download - can make life easy - please help i have - i have Lumia 532 - Product 059w980 - RM-1031

Fire 8 HD 2018 boots into diagnostic mode only

I have been helping a friend to fix his Fire 8 HD 2018.
This device only boots into Diagnostic Mode with a table showing various values. Specifically
FATPSN = Invalid
Abnormal battery status = AUT
See attached image.
Any way out of this problem?
https://drive.google.com/file/d/1wrT31f-xhus-vtIP_BojSLgxv4mH4q41/view?usp=sharing
UPDATE: Problem solved. See Post #10.

I can't see the image

https://drive.google.com/file/d/1wrT31f-xhus-vtIP_BojSLgxv4mH4q41/view?usp=sharing
Hope this image works.

Just guessing, Abnormal Battery Status = AUT could mean Abnormal Upper Temperature. This is because temperature shows 310.
Any view?

I have swap the battery and the problem still persists.
It is unlikely that both the original and replaced batteries are faulty simultanously.
Thus I would deduce that either the battery checking sensor (if any) is faulty or the firmware is corrupted.
Interestingly, the replacement battery still continues to be charged up while this device is connected to a USB charger.

drdtyc said:
I have swap the battery and the problem still persists.
It is unlikely that both the original and replaced batteries are faulty simultanously.
Thus I would deduce that either the battery checking sensor (if any) is faulty or the firmware is corrupted.
Interestingly, the replacement battery still continues to be charged up while this device is connected to a USB charger.
Click to expand...
Click to collapse
How does the PC recognizes the tab while it's in that mode? (VID/PID).

Rortiz2 said:
How does the PC recognizes the tab while it's in that mode? (VID/PID).
Click to expand...
Click to collapse
Left the replacement battery to charge for a few hours.
Now battery status is back to normal. But the warning AUT still flashes as before. It can normal boot into this particular dignostic screen only as shown in the above attached image.
Powered it down and tried rebooting into fastboot mode. Voila! The tablet is now in fastboot mode waiting for further input from my computer.
I was thinking of flashing it with the latest FireOS 6.3.1.5 and then see how it goes. What adb command can I use? Is it "sudo adb sideload <image file name>"?
Please advise.

After playing with the device for awhile, here are my findings:
1. Press Power button to boot
It only boots into Diagnostic Mode (see image in Post#1)
2. Press Volume Up and Power buttons to boot
It boots into Recovery Mode and stay there for about 20 seconds.
Then automatically switches to Normal Boot.
Going back to the Diagnostic Mode screen (see image in Post #1)
3. Press Volume Up and Power buttons to boot
It boots into Fastboot Mode and stay there waiting indefinitely.
4. Tried to softbrick the device by following this thread by k4y0z for Fire karnak.
The terminal showed the following.
$ sudo ./bootrom-step.sh
[2020-06-15 10:55:09.828365] Waiting for bootrom
[2020-06-15 10:55:19.682090] Found port = /dev/ttyACM0
[2020-06-15 10:55:19.721626] Handshake
* * * If you have a short attached, remove it now * * *
* * * Press Enter to continue * * *
Traceback (most recent call last):
File "main.py", line 213, in <module>
main()
File "main.py", line 111, in main
load_payload(dev, "../brom-payload/build/payload.bin")
File "/amonet-karnak-v3.0.1/amonet/modules/load_payload.py", line 99, in load_payload
dev.write32(0x10007008, 0x1971) # low-level watchdog kick
File "/amonet-karnak-v3.0.1/amonet/modules/common.py", line 160, in write32
self.check(self.dev.read(2), b'\x00\x01') # arg check
File "/amonet-karnak-v3.0.1/amonet/modules/common.py", line 87, in check
raise RuntimeError("ERROR: Serial protocol mismatch")
RuntimeError: ERROR: Serial protocol mismatch
^Z
[2]+ Stopped sudo ./bootrom-step.sh
Click to expand...
Click to collapse
Is there anything to correct the Serial protocal mismatch above?
5. Tried to shorting contact and hard bricking the device by following this thread by k4y0z for Fire karnak.
The terminal showed the following.
$ sudo systemctl stop ModemManager
$ sudo systemctl disable ModemManager
$ sudo ./bootrom-step.sh
[2020-06-15 11:17:09.613717] Waiting for bootrom
[2020-06-15 11:17:47.845559] Found port = /dev/ttyACM3
[2020-06-15 11:17:47.846549] Handshake
^Z
[5]+ Stopped sudo ./bootrom-step.sh
Click to expand...
Click to collapse
Is there anything else I can try?
All suggestions are welcome.

Rortiz2 said:
How does the PC recognizes the tab while it's in that mode? (VID/PID).
Click to expand...
Click to collapse
I overlooked your question. Apologies!
I connected my Linux laptop to the device already booted up in Diagnostic Mode.
In a terminal on the laptop, lusbs showed the following:
$ lusbs
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 05c8:022a Cheng Uei Precision Industry Co., Ltd (Foxlink) HP Webcam
Bus 001 Device 004: ID 0bda:b00b Realtek Semiconductor Corp. Bluetooth Radio
Bus 001 Device 003: ID 0bda:0177 Realtek Semiconductor Corp. USB2.0-CRW
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 033: ID 1949:0230 Lab126, Inc. Fire
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Click to expand...
Click to collapse
I presume ID 1949:0230 Lab126, Inc. Fire is this Fire 8HD
What else I may try?

FINAL UPDATE:
Followed this thread to short the CLK contact and hard-brick the device after opening the back cover. The main trick is to use the sharp tips of a metallic tweezer to ensure the shorting is well performed. Otherwise, the script bootrom-step.sh simply stuck without further progress. Thus the bootloader of the device has been unlocked and TWRP has been installed successfully.
Now I have flashed Lineage OS 14.1 on this karnak device and it runs very smoothly. Problem solved in the end.

same problem on HD8(2017)
hello, I also meet this problem on my hd8 2017(we are not the same device ),my device stuck in diagnostic mode and the status shows AFT. I dont know how to boot to system .I have already tried adb reboot recovery and adb reboot system .but It didnt work .just reboot to diagnostic mode again!Have you solved the problem now?If you get a way ,please help me !thanks !:crying::crying:

[Deleted]

[Deleted]

Venvalur said:
Sorry for the extremely late reply. This "abnormal battery status" is normal, it's the same as the diags of the kindles, so you've lost money and time replacing your battery. Also, to keep this in the same reply, how did you or your friend got into diagnostics mode in the karnak? Because this firmware could be used to software downgrade kindles with OS 6.3.1.2+!!! No need to open the tab!!! Sadly no one asked you to extract the .bin of diags firmware, and I'm pretty sure you don't have it anymore. If you have any information please share, this is getting good.
Click to expand...
Click to collapse
Just noticed your comment to my old post.
That device which booted into diagnostics mode only was passed by a guy to me for fixing. I gathered he bought a lot of several pre-owned devices from eBay that also included this peculiar device. In the end, I could not boot it into FireOS. But I could unlock its bootloader, flash twrp recovery and installed LOS 14.1 on it. He was very happy about the somewhat unexpected outcome when I returned to him a fully working karnak running LOS 14.1. Needless to say, I did not extract the .bin of diags firmware. Sorry!

[EXPLOIT] [BOOTLOADER] Mediatek based LG K10 2017 M250 bootloader secure boot bypass.

Hello.
I managed to bypass secure boot on LG K10 M250E (should also work on other versions like M250 M250N etc.)
See https://github.com/arturkow2000/lgk10exploit
This repository contains LK exploit capable of booting unsigned system and tools for reading/writing from/to device.
For instructions check README.md in repository.

Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?

XRed_CubeX said:
Hi and sorry for the inconvenience, I am happy that you finally managed to make this exploit to this device which unfortunately I no longer have. But can this exploit be ported to other devices or is it just for this device?
Click to expand...
Click to collapse
Exploit is only for this device.
However this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory, these should work most mt6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.

OficerX said:
Exploit is only for this device.
However this repository also contains tools that can aid in creating exploits for other Mediatek based devices and tools that can read/write device memory, these should work most mt6755 devices as long as they can bypass preloader/bootrom security.
If you have any MT6755/MT6750 (should also work for MT6795/MT6797) device you can try using these tools as replacement for SP Flash Tool.
Click to expand...
Click to collapse
I can flash partitions only in preloader mode with SP flash tool or with root with Android, however my problem is on an MT6737, which also has fastboot but not an unlockable bootloader and I would like to try to port it

See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leeks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
Exploit works by crafting boot image that on load overrides LK data with payload, it works because mboot_android_load_bootimg does not check if it overlaps.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?

OficerX said:
See these:
https://github.com/xyzz/amonet
https://github.com/amonet-kamakiri/kamakiri
https://forum.xda-developers.com/hd...fire-hd-8-2018-downgrade-unlock-root-t3894256
And these leeks:
https://gitlab.com/mt6797/vendor
https://gitlab.com/MT6795/vendor
Exploit works by crafting boot image that on load overrides LK data with payload, it works because mboot_android_load_bootimg does not check if it overlaps.
https://gitlab.com/MT6795/vendor/-/...otloader/lk/platform/mt6795/load_image.c#L811
Probably your device is vulnerable in same way.
See here how to craft boot image
https://github.com/arturkow2000/lgk10exploit/blob/master/microloader/inject_microloader_nougat.py
and here
https://github.com/amonet-kamakiri/kamakiri/blob/master/microloader/inject_microloader.py
At the beginning you could set inject_addr to some invalid address like 0x0 or 0xFFFFFFFF to trigger crash, LK will print all registers and stack pointer.
Do you have access to UART or some other way to get logs from crashed LK?
Click to expand...
Click to collapse
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.

Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455

XRed_CubeX said:
No, because I don't know how to solder, if there is no alternative to the UART I first try on another device to see if I can solder well.
Click to expand...
Click to collapse
No soldering, just pressure. It depends the device of course...
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html

CXZa said:
No soldering, just pressure. It depends the device of course...
http://cxzstuff.blogspot.com/2017/02/making-connections-ainol-crystal-dual.html
Click to expand...
Click to collapse
No, forgive me but what is that? Pliers? How does it work?

XRed_CubeX said:
No, forgive me but what is that? Pliers? How does it work?
Click to expand...
Click to collapse
Yep. Pliers have rubber bands (not showing) to keep them closed holding those wires made out of copper paper clips. Visit the link to see bigger pics.

OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
Click to expand...
Click to collapse
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?

XRed_CubeX said:
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
Click to expand...
Click to collapse
XRed_CubeX said:
OK, I managed to get the brom payload with the help of a friend of mine, however what do you mean by "Tampered LK"?
How can I modify this LK and boot it with this brom-payload?
Click to expand...
Click to collapse
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.

OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.
Click to expand...
Click to collapse
Correct me if I'm wrong but the addresses to change the secure boot are the same right?

OficerX said:
https://drive.google.com/file/d/158G2a-xX_I3USwlIbxGw0mMUKsO_TaYU/view?usp=sharing
Use these strings to find video_printf
then look for references to "undefined abort, halting", "data abort", "prefetch abort", "unhandled syscall".
these are directly followed by call dprintf, change them to call video_printf
https://drive.google.com/file/d/1xCKjLaXFYoGimKmoeQojRtHRI9ZBhSGB/view?usp=sharing
Next call (here sub_4601C90C) is to function that dump registers and stack contents.
https://drive.google.com/file/d/1iLNVs-ntfjW33UhHWslRP8jSWWNPYS16/view?usp=sharing
Change all dprintf calls to video_printf.
Flash exploit and patched lk then reboot.
Your device should boot into directly into bootrom, then run unlock procedure, your device should resume booting and proceed to loading LK from.
Device after leaving bootrom should enter for a moment into preloader download, so before flashing anything you can use pl.py --identify command to check if SBC, SLA and DAA are all off to check if unlocking works.
Click to expand...
Click to collapse
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:

XRed_CubeX said:
Correct me if I'm wrong but the addresses to change the secure boot are the same right?
Click to expand...
Click to collapse
I'm 99% sure they are, I found this while reversing seclib from MT6535, it turned out these addresses are valid for my SOC, your SOC is very similar to my and MT6535, so I think should correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Rortiz2 said:
Hey,
Could you check those links? The second and the last one aren't working and I'd like to see how the function that dumps registers looks like (as reference).
Thanks :good:
Click to expand...
Click to collapse
Oops, forgot to set permissions, now it's working.

OficerX said:
I'm 99% sure they are, I found this while reversing seclib from MT6535, it turned out these addresses are valid for my SOC, your SOC is very similar to my and MT6535, so I think should correct.
But you can find it by looking for reads from 0x10206060 (efuses).
See here
https://drive.google.com/file/d/19kqoLTT0nKR7vmf9AwwHOy6ihKjqEoNo/view?usp=sharing
As you can see it checks for these values and if they match it disables secure boot.
https://drive.google.com/file/d/19ITt5NV9EZggnFjfbUmf_cp5WCPBG_m_/view?usp=sharing
https://drive.google.com/file/d/1JeBjTOwTOjdjBTZkQmaP22edgZEKPiBE/view?usp=sharing
Oops, forgot to set permissions, now it's working.
Click to expand...
Click to collapse
Thanks you!
BTW, secure boot addresses are different for mt8163:

OficerX said:
Some devices expose UART over USB, see this: https://wiki.postmarketos.org/wiki/Serial_debugging
it may help.
If not try crashing LK, your device after reboot may show logs.
In my device when LK crashes after reboot it enters DemiGod Crash Handler which shows all relevant information.
Alternatively you may try porting this:
https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L421
This does temporary unlock lasting till reboot but it will allow you to run tampered LK.
Then you can redirect dprintf() calls in exception handler to video_printf().
This temporary unlock method uses gcpu to bypass BootROM range checks (bootrom checks memory address/length you read/write).
And then writes two magic values:
0x3B6C243C at 0x102080
0xF843E0A at 0x00102084
This causes preloader to ignore EFUSE state and turn Secure Boot off.
See amonet thread I linked in previous post, @xyz` described there how to disable range checks.
Use this to dump BootROM https://github.com/arturkow2000/lgk...9bc63f1ad7e0a5f3aeba1d1/plib/__init__.py#L455
Click to expand...
Click to collapse
Hi, I think that the option to modify the LK and modify the printf will take some time for now because unfortunately I don't have the knowledge and skills in using such a powerful tool as ida pro, another option that I you had advised, the UART via micro USB, it is not the first time I hear it and once I have already tried to build a UART with a micro usb cable but unfortunately I have not obtained any logs from the devices and I think I have built it wrong , I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the microusb cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you that you are probably sure or you have tried it, but UART via microusb is a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms so I can be sure my device supports UART. If anything you have any tips or tutorials to build a uart cable correctly?
My UART adapter is a CP2102, okay?
(P.S: My micro usb connector doesn't have a wire ID, ONLY D+, D- and GND and VCC)
(P.S2o you have any tips or tutorials to disassemble the binary well in ARM)

XRed_CubeX said:
Hi, I think that the option to modify the LK and modify the printf will take some time for now because unfortunately I don't have the knowledge and skills in using such a powerful tool as ida pro, another option that I you had advised, the UART via micro USB, it is not the first time I hear it and once I have already tried to build a UART with a micro usb cable but unfortunately I have not obtained any logs from the devices and I think I have built it wrong , I'll probably get a pre-made one from a shopping site. A friend of mine advised me not to use the microusb cable because it "probably" doesn't get the logs from a crashed LK.
So I ask you that you are probably sure or you have tried it, but UART via microusb is a good option?
From fastboot if I do "fastboot oem p2u on", fastboot responds and confirms so I can be sure my device supports UART. If anything you have any tips or tutorials to build a uart cable correctly?
My UART adapter is a CP2102, okay?
(P.S: My micro usb connector doesn't have a wire ID, ONLY D+, D- and GND and VCC)
(P.S2o you have any tips or tutorials to disassemble the binary well in ARM)
Click to expand...
Click to collapse
On my device at first I was booting modified LK, it was very slow process, at one point I couldn't move further, I had working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load DTB, I added call to bldr_load_dtb and it worked then), device was just hanging.
I updated to Oreo, LG added crash handler so I did'nt have to boot patched LK anymore and this significantly sped up everything.
I could'nt use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.

OficerX said:
On my device at first I was booting modified LK, it was very slow process, at one point I couldn't move further, I had working exploit running my payload but I couldn't make it boot Linux (later it turned out that it did not load DTB, I added call to bldr_load_dtb and it worked then), device was just hanging.
I updated to Oreo, LG added crash handler so I did'nt have to boot patched LK anymore and this significantly sped up everything.
I could'nt use UART because LG disabled it.
When device boots preloader checks whether proper cable is connected and either switches USB into UART or leaves it as it is, but in my case this feature was disabled at compile time.
You can check in linux source in usb phy driver code that performs mode switch and then check if preloader or LK has it.
P.S. Now I have partially working UART, I enable it in payload (see microloader/linuxboot), it works (TX voltage goes high to ~3.3V), but I cannot get output till Linux boots, I still need to figure it out.
This won't help you in making exploit but can help later during kernel development.
If you won't get UART working then I think that patching LK is all you have left.
Click to expand...
Click to collapse
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.

Rortiz2 said:
Maybe you need to patch the cmdline? I don't know, I'm just throwing some ideas.
Click to expand...
Click to collapse
I already did that, UART works in Linux, it doesn't work in LK, it's enabled but there is no output, I need it to get working as early in boot process as possible to debug 64 bit kernel (for it's not booting at all)
My UART driver must faulty.
I turned in Linux most stuff related usb, gpio, clocks into no-op and UART is still working.
Right now i'm porting TWRP, but whem I finish it I will try again with uart.