Better Mobile App

mtd kernel driver hacks?

Hi devs,
Are you aware of any work (for other Android phones, for instance), where an altered mtd kernel driver was used to allow (raw) root access anyplace within flash memory? (For example, maybe a raw pseudo-partition which overlaps all the other partitions?) The stock mtd driver creates devices in the kernel device tree only for specific partition slices (boot, system, recovery, data, cache) - for obvious safety and security reasons.
After all these months, I stumbled across this tonight
Code:
C:\foo>fastboot oem listpartition
...
INFO[radio]:(OTHER) block start=0, size=332 (42496 KB)
INFO[hboot]:(RAW) block start=333, size=6 (768 KB)
INFO[misc3]:(RAW) block start=339, size=2 (256 KB)
INFO[mfg]:(RAW) block start=341, size=2 (256 KB)
INFO[sp1]:(RAW) block start=343, size=6 (768 KB)
INFO[misc2]:(RAW) block start=349, size=3 (384 KB)
INFO[mfg2]:(RAW) block start=352, size=3 (384 KB)
INFO[recovery]:(RAW) block start=355, size=40 (5120 KB)
INFO[boot]:(RAW) block start=395, size=20 (2560 KB)
INFO[system]:(YAFFS) block start=415, size=1360 (179520 KB)
INFO[cache]:(YAFFS) block start=1775, size=1040 (137280 KB)
INFO[userdata]:(YAFFS) block start=2815, size=1276 (168432 KB)
INFO[misc]:(RAW) block start=4091, size=5 (640 KB)
INFO[microp]:(OTHER) block start=0, size=0 (0 KB)
INFO[nv]:(OTHER) block start=0, size=0 (0 KB)
INFO[tp-melfas]:(OTHER) block start=0, size=0 (0 KB)
OKAY [ 0.071s]
finished. total time: 0.071s
I had never seen references in the Eris forums to the misc3, mfg, sp1, misc2, or mfg2 partitions - I suppose one or more are for boot images. Maybe interesting to boot a kernel image that had access to them, and have a peek at them?
bftb0

You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)
Is this even close to what you are looking for?
http://forum.xda-developers.com/showthread.php?t=754805
I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.

I was asking about this a while back to see if anyone was able to get read access to the splash1 (i'm guessing sp1) partition so we could dump the REAL original splash screen for people that needed to go back to full stock. This was basically the only thing that is left out of going to stock since the "original" boot image that I had used for the android skateboards in my post about changing the boot logo was just a resized version I found online somewhere which is slightly bigger than the original if you look closely. I had some info laying around somewhere but it was definitely something about people modifying the mtd drivers in the kernel to get this done.
Without the modified drivers there is no way to do a FULL nand dump at this point.

gnarlyc said:
You are venturing into an area that is slightly beyond my current level of understanding. (Although we can all learn more.)
Is this even close to what you are looking for?
http://forum.xda-developers.com/showthread.php?t=754805
I'm thinking not, since they appear to be resizing the existing partitions, which doesn't seem to be quite what you are looking for.
Click to expand...
Click to collapse
Well, I'd seen that before - but THANK YOU - your post encouraged me to do a better job of searching, and I came up with this:
http://forum.xda-developers.com/showthread.php?t=542688
[SIZE=+2]Awesome![/SIZE] It appears that no mtd kernel hack is needed - as long the Eris kernels we are using accept those parameters (obviously, a little additional work is needed to get the offsets correct for the Eris).
I knew that partitions could be resized - but I wasn't aware that you could add new partition definitions. If it works for the Eris, then cool. (I have to say - the G1/G2/Hero devs surely have turned over a lot of stones that have helped us.)
bftb0

Mohahahhahahahaaha (rubbing hands together deviously). I smell either some interesting development or at least some interesting information coming out of this.

It's working.
More details later.

Flash Memory Map for the Eris:
Code:
PARTITION START END SIZE(1KB) SIZE(128KB) NOTES
radio 0x00000000 - 0x02980000 42,496 332 (3)
- gap! - 0x02980000 - 0x029a0000 128 1 (3)
hboot 0x029a0000 - 0x02a60000 768 6 (2)
misc3 0x02a60000 - 0x02aa0000 256 2 (5)
mfg 0x02aa0000 - 0x02ae0000 256 2 (6)
sp1 0x02ae0000 - 0x02ba0000 768 6 (4)
misc2 0x02ba0000 - 0x02c00000 384 3 (4)
mfg2 0x02c00000 - 0x02c60000 384 3 (4)
recovery 0x02c60000 - 0x03160000 5,120 40
boot 0x03160000 - 0x033e0000 2,560 20
system 0x033e0000 - 0x0dde0000 174,080 1360
cache 0x0dde0000 - 0x15fe0000 133,120 1040
userdata 0x15fe0000 - 0x1ff60000 163,328 1276
misc 0x1ff60000 - 0x20000000 640 5
( You can verify the above on your own phone with a combination of examining /proc/mtd, "dmesg" output immediately after the boot, and output of "fastboot oem listpartition" )
(1) Note all partitions are aligned to a 128-KB boundary (0x20000 - 18 bits)
Presumably this is why "fastboot oem listpartition" reports sizes in this unit
(2) Hboot images from HTC for the Eris have always been exactly 512 KB. Slack space is here,
but I found nothing but 0xFF's in the slack area.
(3) Attempting to dump the from this partition produces many, many error messages of the form:
mtd: MEMGETBADBLOCK returned -1 at 0x02940000 (errno=5)
mtd: MEMGETBADBLOCK returned -1 at 0x02960000 (errno=5)
(4) On my phone, dumps of partitions "sp1", "mfg2" and "misc2" produced un-interesting data blobs: all 0xFF's
Note that I have never flashed a custom boot splashscreen.
(5) Nearly "empty" - bytes not 0x00 or 0xFF are all string data (including CID)
(6) Contains "interesting" string data (including handset ID, manufacturing date, etc) and other binary data. Performing interesting handset operations and then recapturing a partition dump (before/after) and performing a binary diff could reveal strategic locations.
[SIZE=+1]HOW-TO[/SIZE]
Most people have absolutely no business doing this - you have been warned.
Under no circumstances should you hand-type any of these addresses; a simple typo could lead to disaster.
Code:
fastboot -c " mtdparts=msm_nand:[email protected](misc),[email protected](recovery),[email protected](boot),[email protected](system),[email protected](cache),[email protected](userdata) " boot recovery-RA-Eris-v1.6.2.img
will produce the standard kernel partition mappings. Note the leading and trailing spaces in the quoted string - and that the order of appearance is critically important
You may append one or more** of the following, separated with commas as shown in the above (standard mapping) command.
[email protected](radio)
[email protected](hboot)
[email protected](misc3)
[email protected](mfg)
[email protected](sp1)
[email protected](misc2)
[email protected](mfg2)
** I performed individual boots adding only one non-standard partition, and can not guarantee that a disaster will not result if you try to append more than one - or all of them - in one boot.
You can verify the additional partitions have been kanged into the kernel's device tree with
adb shell cat /proc/mtd
and may dump individual partitions via the command "dump_image" (provided by Amon_RA in /sbin), as in the following example:
mount /sdcard
dump_image mfg /sdcard/part.mfg.img
bftb0

If you just want to dump a specific Eris flash memory partition(s) off your phone, there is an even easier method. (Doh!)
Prerequisites:
- 1.49.2000 S-OFF bootloader is installed on your Eris.
- working device drivers on PC and fastboot utility
Steps:
1) Connect via USB to your PC and put phone in FASTBOOT mode (Power up with Send+End)
2) Get the partition names listing using
Code:
fastboot oem listpartition
3) Using the following fastboot syntax, plug in the desired partition name (PNAME):
Code:
fastboot oem saveprt2sd PNAME -n PNAME.bin -a
for example, the "sp1" partition:
Code:
$ fastboot oem saveprt2sd sp1 -n sp1.bin -a
... INFOSaveImageToSD partition file name:sp1
INFOSaveImageToSD output file name:sp1.bin
INFOCmd5 CMD_TIMEOUT
INFOsdcc_poll_status(): i=21
INFOCmd5 polling status timed out
INFOSD: CMD5 fail, rc=2 ..
INFOSD 2.0
INFOHC card
INFO Searching free data sectors....
INFO [SAVE2SD] 131072 bytes saved.
INFO [SAVE2SD] 262144 bytes saved.
INFO [SAVE2SD] 393216 bytes saved.
INFO [SAVE2SD] 524288 bytes saved.
INFO [SAVE2SD] 655360 bytes saved.
INFO [SAVE2SD] 786432 bytes saved.
INFO [SAVE2SD] Done.
OKAY [ 1.728s]
finished. total time: 1.728s
Yep, it really is that simple.
bftb0

p768 only omaap mode !!

hi 4 all i have p768 y try to root but pc stuck and need restar after this phone only detect with omaap mode no power on no enter swupgrade mode nothing only omap pls aony one can help me with this phone ???

waltercell said:
hi 4 all i have p768 y try to root but pc stuck and need restar after this phone only detect with omaap mode no power on no enter swupgrade mode nothing only omap pls aony one can help me with this phone ???
Click to expand...
Click to collapse
there's a new routing method for our device... it's a simple to use app that does everything for you... follow the link forum.xda-developers.com/showthread.php?t=2338816

Swag-Mo said:
there's a new routing method for our device... it's a simple to use app that does everything for you... follow the link forum.xda-developers.com/showthread.php?t=2338816
Click to expand...
Click to collapse
thks brow 4 u reply but my phone dont power on more only detect omap mode i need repair firts

pls any can help me pls

waltercell said:
pls any can help me pls
Click to expand...
Click to collapse
use fastboot to flash ics xloader and uboot, put your phone into s/w upgrade mode(steps 1-5)
, try original lg tool
http://forum.xda-developers.com/showpost.php?p=39879519&postcount=10 or offline method to restore your phone

thhks y try now and post result

y try but now stuck on wait devices

waltercell said:
y try but now stuck on wait devices
Click to expand...
Click to collapse
try running it as an admin

Lelus said:
try running it as an admin
Click to expand...
Click to collapse
hi lelus y try wiht admin but same in 1 stage detect phone noormal rum soft but in 2 stage say waiting devica
ECHO está desativado.
Plug USB cable
wait 4 seconds and put battery back in.
waiting for OMAP44xx device...
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
reading ASIC ID
usb_write 4
usb_read 81
[*] read 0 bytes
NumOfSubblocks: 0x5
Subblock ID: 0x1
Subblock Size: 0x5
CH enabled: 0x7
ROM revision: 0x4
Checksum Subblock: 0x15
CHIP: 4430
IDEN: 8ba4bd0df0e467ec6459c7ecba88a3b048caa854
MPKH: 5f4092eccddf90fa43f546adf89508b31b9c74795e9516194c0ea6412fdcb7f6
CRC0: 9c669ad9
CRC1: 682adccf
sending 2ndstage to target... f0030002
usb_write 4
usb_write 4
wait 5-lelelel...
[*] msg size = 4
usb_write 21552
[*] data size = 21552
usb_close
Reopen usb...
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
waiting for 2ndstage response...
usb_read 4
usb read = aabbccdd
accepted 2ndstage response
sending image to target...
size = 246272
usb_write 4
usb_write 246272
** Done **
< waiting for device >

plss dont forgett me >crying:

waltercell said:
plss dont forgett me >crying:
Click to expand...
Click to collapse
Try different computer or are you familiar with Linux ?

Lelus said:
Try different computer or are you familiar with Linux ?
Click to expand...
Click to collapse
i dont have linux onyl xp and w7
pls is posible send to phone this Rooted_CWM_BACKUP_P768_V10A_by_BaLiSTa in this mode :

waltercell said:
i dont have linux onyl xp and w7
pls is posible send to phone this Rooted_CWM_BACKUP_P768_V10A_by_BaLiSTa in this mode :
Click to expand...
Click to collapse
When it says waiting for device, have you tried unplugging and plugging back in quickly?

jlirgg said:
When it says waiting for device, have you tried unplugging and plugging back in quickly?
Click to expand...
Click to collapse
yep y try unplugg and plug again but nothin pc no detect phone anything mode but i f take outo battery and put again find omap again

Did you install the omap4 driver twice?
Open an elevated command prompt and type
Code:
SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
devmgmt.msc
Then open the Device Manager and see if you have the omap4 driver installed twice (in two locations)
Note: In Device Manager click the View tab and select Show hidden devices
If you don't see the omap driver installed twice, do this
Select the "other devices" and start deleting/uninstalling all of the devices you find here
Once you have uninstalled all of the unknown drivers you found, run the start.bat again.
Now go back to device manager and find the new unknown/other device created and install the omap4430 like you did the first time.
After you have done all this, rerun the start.bat and hopefully it will work for you.
Another thing, If you do see the omap driver installed twice, then it has to be your timing when you enter the battery. Keep trying different times to enter the battery
example. First try this, DON'T WAIT 5 sec ENTER THE BATTERY lol
Then try
wait 1 second and enter battery, if that doesn't work wait 2 seconds and etc.
Good luck

Try with xp
Sent from my LG-P760 using Tapatalk 4 Beta

hi thks 4 u times >) well in device manage show only omap driver but after 2 seconds disconect and conect again omap no show any driver with lg mobile only omap
here pics

waltercell said:
hi thks 4 u times >) well in device manage show only omap driver but after 2 seconds disconect and conect again omap no show any driver with lg mobile only omap
here pics
Click to expand...
Click to collapse
Okay tell me everything you did. It seems like you are missing a step or two. Did you do this?
and if you did, did you uninstall all of the "other devices"
As of right now, just tell me step by step of everything you did.
Update
sorry i forgot to give you an important step, you need to type devmgmt.msc after you type SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
So sorry I forgot i have my system setup so I don't have to enter it every time
I added a Environment Variable inside advance system settings, you don't have to do this part

first many thks kuma82 4 u time
but friend i think is no pc or drivers because i try with 6 pc diferent lol yep i goo to my friend hode and try i have other p768 work noormally and all succes problem is in my phone

Sorry to hear it's just your phone. ;(
Sent from my LG-P769 using xda app-developers app

CWM recovery mode : P769 v20f

Hi,
Need some help please.
Unlocked bootloader. Jellybean P769 V20F.
CWM is installed from what i can see from below.
:\Users\rj\Desktop\L769\fastboot\fastboot\yours>fastboot devices
09145AF61202200E fastboot
C:\Users\rj\Desktop\L769\fastboot\fastboot\yours>cd c:\android
c:\Android>fastboot flash recovery recovery-clockwork-touch-6.0.3.1-p760.img
sending 'recovery' (5898 KB)...
OKAY [ 3.036s]
writing 'recovery'...
OKAY [ 1.019s]
finished. total time: 4.063s
But i cannot get int recovery by pressing the key cominbation vol up+home+pwer. Phone just reboots
Thanks much!

ADB reboot recovery
So it tried adb reboot recovery. Boots into recovery. But the screen is upside down. I need to use a mirror to read the commands on the screen properly.
Interestingly screen is normal in regular mode
Touch is working.
Still wondering why key combination to boot into recovery is not working.??????
Thanks:fingers-crossed:
thankyouxda said:
Hi,
Need some help please.
Click to expand...
Click to collapse

Install busybox
Sent from my Nexus 7 using xda premium

you flashed the p760 recovery, you need the p769
http://forum.xda-developers.com/showpost.php?p=44300426&postcount=358
the key combination for twrp at boot is vol (-) + home + power (release power when lg logo appears)
the key combination for cwm is either vol up or down + plus the other two.
Another thing, fix the inverted lg logo (that's if you haven't done so already)
http://forum.xda-developers.com/showpost.php?p=44161955&postcount=310

Hi Kuma82,Thank you.
I'll try the 769 recovery you linked.and report.
Re: inverted logo. This is to fix Inverted logo in fastboot correct?, I do see inverted logo when i fastboot otherwise not.
Thanks!
---------------------------------------------------------------------------------------------------------------------------
Also jezus. Thanks for busybox suggestion. installed but didn't help in this case so far.
kuma82 said:
you flashed the p760 recovery, you need the p769
Another thing, fix the inverted lg logo (that's if you haven't done so already)
http://forum.xda-developers.com/showpost.php?p=44161955&postcount=310
Click to expand...
Click to collapse

Fastboot is suppose to be inverted. You must already be on the 20f u-boot, you don't need that zip.
CM 10.1 P769

1)Installled CWM and now the screen is not mirrored anymore. Thanks
Key combination to boot into recovery still not working. Phone gets to LG then splash screen comes and then shuts off.
ADB reboot recovery works though. Any ideas about why keycombo not working? Not sure if it is worth the time
2)TWRP installed. Works great. Key combination works. Guess i will keep TWRP
Thanks!
kuma82 said:
Fastboot is suppose to be inverted. You must already be on the 20f u-boot, you don't need that zip.
CM 10.1 P769
Click to expand...
Click to collapse

thankyouxda said:
1)Installled CWM and now the screen is not mirrored anymore. Thanks
Key combination to boot into recovery still not working. Phone gets to LG then splash screen comes and then shuts off.
ADB reboot recovery works though. Any ideas about why keycombo not working? Not sure if it is worth the time
2)TWRP installed. Works great. Key combination works. Guess i will keep TWRP
Thanks!
Click to expand...
Click to collapse
key combination o]n 20f uboot is "vol-" and "home"
never mind

Hellooo Lelus :laugh:
Thanks for dropping by. U have made life easier for a lot of L9 users.:good:
Respect!!
Lelus said:
key combination o]n 20f uboot is "vol-" and "home"
never mind
Click to expand...
Click to collapse

thankyouxda said:
Hi,
Need some help please.
Unlocked bootloader. Jellybean P769 V20F.
!
Click to expand...
Click to collapse
Hi! I am new to unlocking bootloaders. Can you pllease tell me how you unlocked your bootloader?

Hi.
Need some help please.
Sorry for my english, but don't say good English and writing by google translator.
I am new to the forum, but I've read tens of posts.
He writes here, because I have a similar problem.
I have a LG L9 P769 phone purchased in the USA. My soft it: T-Mobile V20f.kdz
For several days'm trying to install the Bootloader & CWM Recovery. But I can't run it.
I decided so to install TWRP, the same as "thankyouxda", because I can see that at him he is acting.
But after the installation and the restart I receive the LG screen with the Security Error.
I recovered the phone with UpTestEX_BY_BRIDE_ 2014 program, but still I don't have Bootloader & CWM Recovery.
What am I doing wrong?!
Any program that installs Recovery at normal operating your phone and waiting for 50 minutes for me does not work. Everyone is only restarting my phone.
Only this method applies:
I run phone C/W Update (Vol Up + plug USB cable). I install the drivers and I type this command:
Code:
Plug USB cable
wait 4 seconds and put battery back in.
waiting for OMAP44xx device...
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
reading ASIC ID
usb_write 4
usb_read 81[*] read 0 bytes
NumOfSubblocks: 0x5
Subblock ID: 0x1
Subblock Size: 0x5
CH enabled: 0x7
ROM revision: 0x4
Checksum Subblock: 0x15
CHIP: 4430
IDEN: 9ed4cae7db55647eff3ed3cc853e28ece762f077
MPKH: 5f4092eccddf90fa43f546adf89508b31b9c74795e9516194c0ea6412fdcb7f6
CRC0: 9c669ad9
CRC1: 682adccf
sending 2ndstage to target... f0030002
usb_write 4
usb_write 4
wait 5-lelelel...
[*] msg size = 4
usb_write 21552[*] data size = 21552
usb_close
Reopen usb...
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
waiting for 2ndstage response...
usb_read 4
usb read = aabbccdd
accepted 2ndstage response
sending image to target...
size = 246272
usb_write 4
usb_write 246272
** Done **
Microsoft Windows [Wersja 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Wszelkie prawa zastrzeżone.
C:\fastboot\yours>
I have a mirror screen LG.
Now he is writing the command:
Code:
C:\fastboot\yours>fastboot devices
014FBECB02002010 fastboot
C:\fastboot\yours>fastboot flash recovery recovery.img
sending 'recovery' (6786 KB)...
OKAY [ 3.536s]
writing 'recovery'...
OKAY [ 1.756s]
finished. total time: 5.292s
C:\fastboot\yours>
But CWM does not start, any combination of the phone keys. I tried to install different cwm.img
So I downloaded the TWRP-769.zip, unpacked, moved twrp.img file to the directory of fastboot and I type:
Code:
C:\fastboot\yours>fastboot flash recovery twrp.img
.......
I'm sorry, but I did with this copy, but it looks like the CWM and writes OKEY, finished ...
It seemed, however, that everything went well. But the installed file is probably too large (10 240 kB)!?
Other CWM.img that I tried to install took only 6 500 - 6 900 kB.
What am I doing wrong that after reboot the phone getting the LG Security Error?
1) Should I install busyboox at first?
2) Should I install 20f_u-boot.zip first, to the mirror screen LG? How does it install?
3) What is the META-INF directory, and if it is needed for installation twrp.img?
Very much please help me.

thankyouxda said:
1)Installled CWM and now the screen is not mirrored anymore. Thanks
Key combination to boot into recovery still not working. Phone gets to LG then splash screen comes and then shuts off.
ADB reboot recovery works though. Any ideas about why keycombo not working? Not sure if it is worth the time
2)TWRP installed. Works great. Key combination works. Guess i will keep TWRP
Thanks!
Click to expand...
Click to collapse
In case anyone still has issue with key combo booting into cwm you must release volume up at vibrate on lg logo but keep holding the power and menu keys.

I guess I'll repeat it for the umpteenth time. You need to unlock the bootloader.
Sent from my LG-P769 using XDA Premium 4 mobile app

EDL TEST PINS MOTO G9 POWER

I'm looking to pinout both test pins. I bought this phone a few days ago. I unlocked it with TWRP, I looked at the possibilities. I made a mistake with TWRP by switching the system to sideload B (I chose between A and B) and the system refused to start. I do not have access to the bootloader with the buttons. I only enter QDLoader HS-USB Driver mode working. I read the instructions on how to make a blank flash. I took the 18 files out of the phone and made a new blank flash for this model - moto g9 power / but in the end it gives me an error. Now I'm looking for a solution. - "C: \ Documents and Settings \ Administrator \ Desktop \ MOTO G9 POWER blankflash \ Blankflash for G9 POWER>. \ Qboot.exe blank-flash Motorola qboot utility version 3.86 [0.000] Opening device: \\. \ COM4 [0.000] Detecting device [0.000] ... cpu.id = 333 (0x14d) [0.000] ... cpu.sn = 2936128399 (0xaf01c38f) [0.000] Opening singleimage [0.000] Loading package [0.000] ... filename = pkg.xml [0.000] Loading programmer [0.000] ... filename = programmer.elf [0.000] Sending programmer [0.156] Handling things over to programmer [0.156] Identifying CPU version [0.156] Waiting for firehose to get ready [3.297] ... SM_KAMORTA_H 1.0 [3.297] Determining target secure state [3.297] ... secure = yes [3.375] Configuring device ... [3.391] Flashing GPT ... [3.391] Flashing partition with gpt.bin [3.406] Initializing storage [3,484] ... blksz = 512 [37.016] Re-initializing storage ... [37.016] Initializing storage [37328] Flashing bootloader ... [37.344] Flashing abl_a with abl.elf [37.344] partition abl_a not found! [37.359] ERROR: do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found [37.375] Check qboot_log.txt for more details [37.375] Total time: 37.375s FAILED: qb_flash_singleimage () -> do_package () -> do_recipe () -> do_flash () -> pt_find () -> not found "the last message puzzles me. I want to transfer the system to sideload A again, so I have to reset the device firmly. Are there people familiar with the possibilities?
2 I built a blankflash for the Moto G8
1 How To Blank Flash & Fix/Repair Hard Bricked Motorola Devices/Moto G8+|Tutorial Get It Working Again - YouTube
Version Bootloader MBM-3.O-cebu retail 232f3ba894-201209
motostockrom.com/motorola-moto-g9-power-xt2091-3
I'm looking to pinout both test pins.

Have you tried using LMSA?
It recovered a dead phone for me once.
Rescue and Smart Assistant (LMSA)
Also, I too once accidentally switched slot to B, and system didn't boot. However, I was able to get into fastboot mode and switch by entering the command to switch slots.

https://support.lenovo.com/bg/en/downloads/ds101291 i saw this but my computer is 32 bit / i am looking for the program qualcomm edl mode flash tool or something like Axon10Pro_ (More) _EDL_Tools_v1.1d because i want to make active a siteloader because i saw that this can be done not so difficult otherwise for edl pinout I saw how it works and no problem

man88nam said:
https://support.lenovo.com/bg/en/downloads/ds101291 i saw this but my computer is 32 bit / i am looking for the program qualcomm edl mode flash tool or something like Axon10Pro_ (More) _EDL_Tools_v1.1d because i want to make active a siteloader because i saw that this can be done not so difficult otherwise for edl pinout I saw how it works and no problem
Click to expand...
Click to collapse
qualcomm edl mode flash tool / Axon10Pro_ (More) _EDL_Tools_v1.1d

In those .XML files, can you delete the line that says "abl" and try again?

I will do, but these files can be downloaded according to the instructions on how to make closed files extracted from the phone itself
https://www.reddit.com/r/MotoG/comments/k73n66
I downloaded from the bootloader 18 files that are original, this is in connection with blank flash, where in the end there is an error, because eight made active "B" sector instead of A

I removed the ABL file from the XML, but the error remains, plus the message for a missing ABL file ELF
[ 37.297] file abl.elf not found in singleimage.bin!
[ 37.297] ERROR: do_package()->do_recipe()->do_flash()->not found
[ 37.297] Check qboot_log.txt for more details
[ 37.297] Total time: 37.297s
I'm just looking for an EDL program that works similar to this command line Set Bootable Partition- Slot A / run_AB-partition-swap - but here it wants some text file for the presence of a port, port_trace.txt

I'm sorry, I can't help further here. Even though the active slot is B, the partition abl_a should exist and should be flashable regardless. It looks as though there isn't such a partition at all, which I don't even know how that happened.
The tool which you are using is correct, it's doing its job properly. Are you sure you have the right firmware version and software channel? Because bootloader.img differ depending on the firmware version and the carrier. I'd also suggest downloading from https://mirrors.lolinet.com/firmware/moto/cebu/official/, instead of the link you mentioned, motostockroms.
Also, try asking in this Telegram group: https://t.me/lolinet. There are people on there who are more knowledgeable, maybe they can help.
After trying the firmware image from lolinet and trying the process again with that firmware, I'd try to get into bootloader mode once again through power buttons, and if that doesn't work, send the phone into the service center.

Motorola_Moto_G9_Power_XT2091-3_RETUK_CEBU_RETAIL_QZC30.Q4-22-57_10_by_(motostockrom.com) With the TWRP program I chose with active slot B / I don't know if it deleted the content from slot A of the bootloader. By the way, I downloaded the original product firmware XT2091-3 according to the instructions for this, which I get when I try blank flash / I have no idea what to do, so I'm looking for a program "qualcomm edl mode flash tool" and I constantly get Indian sites with dangerous behavior.
I thank you for your time

Hey,
Today I found EDL points for Moto G9 power. Infact im also facing firmware issue.
I accidentally locked bootloader with stockrom again trying to unlock but not working.
Causing No valid OS to boot.
if i try unlock again showing message like " enable OEM unlocking in developer options"
unfortunately not podsible. But still waiting for proper EDL flash tool.
feel free to guide if any one got resolution.

Hard bricked Moto G8 Power by flashing TWRP to recovery slots

I bricked my phone (XT2041-1 "sofiar") by flashing an unnoficial build of TWRP 3.5.0 downloaded from a Telegram channel by doing:
$ fastboot flash recovery_a twrp-3.5.0-0-rav-sofia.img
$ fastboot flash recovery_b twrp-3.5.0-0-rav-sofia.img
$ fastboot reboot recovery
Since then, my phone is hard bricked - won't boot, recognized on Linux in EDL Mode only (i.e. ID 05c6:9008).
I got the latest official stock firmware, named SOFIAR_RETAIL_11_RPES31.Q4U-47-35-12_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml.zip, from lolinet, and in its contents there's boot.img and recovery.img (among others).
I have qdl on my Arch Linux, and am wondering whether I can use it to flash the stock recovery image back to both slots and get my phone booting again.
How should I approach it?
P.s. I also got a blankflash from https://forum.xda-developers.com/t/...equest-solicitud-blankflash-g8-power.4431193/ that is supposed to get the phone working again, but am unsure whether using it will cause loss of data.
I absolutely cannot lose any data from internal storage.
Any help appreciated. Thanks in advance.

Ok, now we're rolling...
First things first. Motorola sucks because they only give you restricted Firehose loaders.
That means of the 70-odd partitions that you have you can only read/write about 1/3 of them using EDL.
If you post your Firehose loader I can tell you which ones you can read/write.
Second, are you sure that the only damage you did was by writing recovery_a and recovery_b?
And you're on Linux, *sad face*.
I was disassembling the Motorola Firehose for my Moto G (2021) and I discovered that they have more reboot options than stock.
There's reset-to-edl and reset-to-fastboot.
I've added those options to my edl.exe (in the sig) this morning. You need to download the very latest.
What may have happened is that you wrote a bad recovery which may have set the boot option in the BCB or misc.
Since the recovery is good enough to be recognized as an image but not good enough to reset this boot option you're stuck.
Your first recourse is flashing a proper recovery.
I'm not sure whether "blank flash" tries to wipe everything. In any case I wouldn't risk it.
Your first try should be to fix the broken things, not everything.
Yes, any edl client that supports ad-hoc xml should be able to get you to fastboot but I'll only answer for my code.
I've tested it.
Code:
C:\>edl /lwhatever.bin
C:\>edl /zf
C:\>fastboot flash recovery_a good_recovery.img
C:\>fastboot flash recovery_b good_recovery.img
C:\>fastboot reboot

I admit to not properly understand what a firehose loader is. :x
Second, are you sure that the only damage you did was by writing recovery_a and recovery_b?
Click to expand...
Click to collapse
Yes, 100%.
So, for now, I should try booting Windows, installing the 9008 driver and following your instructions... Will let you know how it goes.
Thanks a lot.

marc.2377 said:
I admit to not properly understand what a firehose loader is. :x
Click to expand...
Click to collapse
A Firehose loader is a replacement xbl/sbl secondary loader that has special sauce added to it to make it interactive.
It is not to be confused with a Windows driver (which, in this case is Zadig, as per the instructions on my web page).
In this case, your Firehose loader is packed in singleimage.bin in the RPE here: https://mirrors.lolinet.com/firmware/motorola/sofiar/blankflash/
I extracted it for you. I renamed it sofiar.bin
The extension name does not matter.
Code:
C:\>edl /lsofiar.bin
That's slash-ell-sofiar.bin
Edit: And yes, your Firehose loader has the reset-to-fastboot.

Right, thanks for the explanation. I figured that was programmer.elf from my files.
Ok, I got as far as:
> edl /l
Found EDL 9008
Serial: 69cccc95
HWID: 0010a0e102e80000, QC: 0010a0e1, OEM: 02e8, Model: 0000
Hash: 974359c4290cac7f-9f0dc9a802815b5e-2b376b7a7c1be92c-1e816b5287f18610
> edl /lsofiar.bin
Found EDL 9008
Resetting Sahara
Serial: 69cccc95
HWID: 0010a0e102e80000, QC: 0010a0e1, OEM: 02e8, Model: 0000
Hash: 974359c4290cac7f-9f0dc9a802815b5e-2b376b7a7c1be92c-1e816b5287f18610
Sending sofiar.bin 100% Ok
Waiting for Firehose... Ok
> edl.exe /zf
Found EDL 9008
Requesting reset to fastboot... Ok
But it doesn't boot to fastboot.
It seems to me that your tool, edl could be used to write the recovery partition directly, no?
I tried this:
> edl /w /precovery_a recovery.img
Found EDL 9008
Configuring... Ok
Requesting GPT 0 header... Ok, receiving... Ok, requesting entries... Ok, receiving... Ok
Requesting write recovery.img...
<log value="ERROR: range restricted: lun=0, start_sector=1591552, num_sectors=131072" />
Nope
P.s. curiously, the file I downloaded from https://raw.githubusercontent.com/b...a/0010a0e102e80000_974359c4290cac7f_fhprg.bin wasn't accepted as a valid firehose loader file.
Edit: nevermind. Had to restart the phone.
I believe that's an older loader, anyway.
How shall I proceed?

marc.2377 said:
But it doesn't boot to fastboot.
Click to expand...
Click to collapse
Hmm, the screen stays black?
Is it still in EDL mode or some other mode?
Does Windows "bong" when you pull the USB cable?
It's possible that this goes to a fastboot without a screen?
Try holding various buttons, both by long power button reset and /zf
marc.2377 said:
It seems to me that your tool, edl could be used to write the recovery partition directly, no?
Click to expand...
Click to collapse
Yes, it could if Motorola wasn't such a pain with the "range restricted".
They've really clamped down (that other file you mentioned is the same):
Code:
qcomview /r sofiar.bin
Addr LUN Start Count
------ --- -------- --------
007f10 0 0 256
007f28 0 256 78336
007f40 0 1609948 512
007f58 0 1610496 512
007f70 1 1 1
You can do this to see which partitions this means:
Code:
C:\>edl /lsofiar.bin
C:\>edl /g
I have a feeling that the Motorola "Blankflash" stuff writes something to those 3 areas that allow it to write everything.
But it probably wipes the userdata.
I'm not an expert on their tools.
Tell me what the GPT says (you only need to quote stuff in the area of that table).
Edit: It looks like in the multi GB zip there are two "instruction" files, flashfile.xml and servicefile.xml
They are mostly the same except that flashfile will wipe userdata!

Curious. The partition table is as follows:
Code:
Found EDL 9008
Configuring... Ok
Requesting GPT 0 header... Ok, receiving... Ok, requesting entries... Ok, receiving... Ok
# Name Start Count Type
-- ---------------- ---------- ---------- --------------------
1 xbl_a 256 9216 Inactive
2 xbl_b 9472 9216 Bootloader
3 tz_a 18688 8192 Inactive
4 tz_b 26880 8192 TrustZone
5 rpm_a 35072 1024 Inactive
6 rpm_b 36096 1024 Resource/power mgmt
7 hyp_a 37120 1024 Inactive
8 hyp_b 38144 1024 Hypervisor
9 devcfg_a 39168 256 Inactive
10 devcfg_b 39424 256 Device config
11 xbl_config_a 39680 256 Inactive
12 xbl_config_b 39936 256 Boot config
13 abl_a 40192 2048 Inactive
14 abl_b 42240 2048 Android bootloader
15 uefisecapp_a 44288 4096 Inactive
16 uefisecapp_b 48384 4096 be8a7e08
17 qupfw_a 52480 160 Inactive
18 qupfw_b 52736 160 QUP firmware
19 cmnlib_a 52992 1024 Inactive
20 cmnlib64_a 54016 1024 Inactive
21 cmnlib_b 55040 1024 Common lib
22 cmnlib64_b 56064 1024 Common lib64
23 keymaster_a 57088 1024 Inactive
24 keymaster_b 58112 1024 Key master
25 storsec_a 59136 256 Inactive
26 storsec_b 59392 256 Store secure
27 spunvm 59648 16384 Spun VM
28 uefivarstore 76032 1024 165bd6bc
29 multiimgoem_a 77056 64 Inactive
30 multiimgoem_b 77120 64 e126a436
31 multiimgqti_a 77184 64 Inactive
32 multiimgqti_b 77248 64 846c6f05
33 prov_a 77312 512 Inactive
34 prov_b 77824 512 d05e0fc0
35 modem_a 78336 368640 Inactive
36 modem_b 446976 368640 FAT32
37 fsc 815616 256 FSC
38 ssd 815872 16 Secure SW download
39 dsp_a 816128 65536 Inactive
40 dsp_b 881664 65536 DSP
41 ddr 947200 2048 DDR
42 utags 949248 1024 1dd40d18
43 utagsBackup 950272 1024 c490f39c
44 modemst1 951296 8192 Modem ST1
45 modemst2 959488 8192 Modem ST2
46 fsg_a 967680 49152 Inactive
47 fsg_b 1016832 49152 Modem storage
48 persist 1065984 65536 Persist
49 prodpersist 1131520 16384 Persist
50 frp 1147904 1024 FRP
51 cid 1148928 256 459abd04
52 carrier 1149184 32768 c63d32d8
53 metadata 1181952 32768 988a98c9
54 kpan 1214720 16384 56465e10
55 boot_a 1231104 131072 Inactive
56 boot_b 1362176 131072 Boot
57 dtbo_a 1493248 49152 Inactive
58 dtbo_b 1542400 49152 DTBO
59 recovery_a 1591552 131072 Inactive
60 recovery_b 1722624 131072 Recovery
61 misc 1853696 2048 Misc
62 logfs 1855744 16384 Log FS
63 apdp 1872128 512 APDP
64 msadp 1872640 512 MSADP
65 dpo 1873152 2 DPO
66 devinfo 1873160 8 Device info
67 bluetooth_a 1873168 9216 Inactive
68 bluetooth_b 1882384 9216 Bluetooth
69 logo_a 1891600 66848 Inactive
70 logo_b 1958448 66848 Splash
71 vbmeta_a 2025296 128 Inactive
72 vbmeta_b 2025424 128 Verified Boot meta
73 padA 2025552 6064 Empty
74 hw 2031616 16384 b2d77ec0
75 padB 2048000 16384 Empty
76 sp 2064384 16384 40aef62a
77 padC 2080768 16384 Empty
78 padD 2097152 32768 Empty
79 super 2129920 16973824 System
80 userdata 19103744 103038943 User data
Doesn't seem to match the output of qcomview.
Also, the file 0010a0e102e80000_974359c4290cac7f_fhprg.bin lists the following codenames:
Code:
QCA6390
QCS605
SA8150
SDA670
SDA845
SDA855
SDA855A
SDA865
SDC830
SDM450
SDM670
SDM830
SDM845
SDM855
SDM855A
SDM1000
SDX24
SDX24M
SDX55
SM6150
SM6150P
SM7150
SM7150P
SM_NICOBAR
While programmer.elf (same as sofiar.bin that you uploaded) lists, additionally, QCM_NICOBAR and QCS_NICOBAR.
I wonder whether this is actually the correct file for me...
Btw, before attempting any further writing strategies, I confess to being interested in pulling userdata. As I understand the real decryption key is stored in the TEE functionality of the chipset and such an image would be unreadable for me, except if I were to restore it later.
With your tool I got the "range restricted" for edl /r /puserdata parts\userdata.img /t too.

Code:
Addr LUN Start Count
------ --- -------- --------
007f10 0 0 256 - GPT
007f28 0 256 78336 - xbl_a to prov_b
007f40 0 1609948 512 - ??? random spot in recovery_a
007f58 0 1610496 512 - ??? random spot in recovery_a
007f70 1 1 1
So, basically, you have free read/write access to partions 1 to 34
Reading is always safe.
Also, you're on the B slot.
So why does reboot to fastboot fail?
It could be that it was never implemented correctly in this Firehose
It could be that this Firehose is not for your device
It could be that xbl and/or abl was damaged somehow
I'd do some checking, xbl_b and abl_b to start with.
Read 'em then compare them to the xbl and abl you have in your big packages.
Code:
C:\>edl /lsofiar.bin
C:\>edl /r /t /pxbl_b xblb.img
C:\>edl /r /t /pabl_b ablb.img
The /t will copy these ELF files only as big as they need to be (not all the blank space).
OTOH, they will enlarge to an exact number of 512 byte sector.
So they could be 511 bytes bigger than what comes out of that package.
If things are wacky, try without /t, but they'll be padded with all the zeroes in the partition.
If those files aren't in the big package, here's ones I extracted from the blankflash.
Check 'em all.

Also, it's possible that somehow the slots got switched.
While you're at it, look at xbl_a and abl_a also.

Hey, thanks for the continued efforts to help me. Sorry for absence for the past days, real life caugh in ^^
I'm glad to report that, amidst some binary checking and all that, I managed to resuscitate my phone using the blankflash strategy, after carefully revising it.
Strangely, it seems that TWRP got installed in the boot partition, such as that "normal boot" kept entering TWRP, despite I having flashed the stock recovery images to both recovery slots. I'll detail this all later.
At this point my phone is on and I backed up what I needed, and have been using it. A few strange glitches are present, i.e. battery charging is acting weird. I plan on doing a clean flashing of the stock ROM soon. Maybe I should take the opportunity to study how to make a fully working port of the latest LineageOS for this device, too.
Will get back within a few days with a detailed report of the endeavour

marc.2377 said:
Will get back within a few days with a detailed report of the endeavour
Click to expand...
Click to collapse
I'm looking forward to hearing how you got EDL mode working.
I bricked XT2041-3 Sofiar (downgrade to A10) and am stuck trying the phone to succeed at qboot blank-flash, but it hangs (on linux):
Code:
< waiting for device >
Motorola qboot utility version 3.86
[ 0.000] Opening device: /dev/ttyUSB0
[ 0.000] Detecting device
[ 0.002] ...cpu.id = 266 (0x10a)
[ 0.002] ...cpu.sn = 3773339940 (0xe0e89924)
[ 0.002] Opening singleimage
[ 0.002] Loading package
[ 0.004] ...filename = pkg.xml
[ 0.005] Loading programmer
[ 0.005] ...filename = programmer.elf
[ 0.005] Sending programmer
[ 0.178] Handling things over to programmer
[ 0.178] Identifying CPU version
[ 0.178] Waiting for firehose to get ready
With --debug=2 there can be seen some parsing errors in xmls being passed for about 13 more seconds. On Windows VM phone is recognized as a single QDLoader 9008 device, but qboot fails after half a minute with IO Errors. Is this even EDL mode?
A tried without luck Renate's edl tool. edl.exe /lsingleimage.bin:
Code:
Found EDL 9008
Could not open device
I was growing increasingly desperate, so I opened the phone and played with EDL points according to
MatiasLopezxD. No combination of vol-, power, shorting points, plugging usb seem to make a difference. I must be missing something simple.
Any help would be appreciated.

@ybea: Quick answer for now - I got into EDL mode by holding down VolDown+Power for about 8-10 seconds. Let me know if it works for you. What's your output for lsusb?

Same as yours - ID 05c6:9008 (Qualcomm, Inc. Gobi Wireless Modem (QDL mode)). It reconnects after pressing power for 9 seconds (with or without vol-), nothing new.

Try restarting it into EDL mode while it's plugged. I found that to be necessary sometimes.
Edit: Btw, I don't remember why exactly, but I only had success running the blankflash from Windows. Linux didn't do the magic, nor a Windows VM with USB redirection...

marc.2377 said:
Edit: Btw, I don't remember why exactly, but I only had success running the blankflash from Windows. Linux didn't do the magic, nor a Windows VM with USB redirection...
Click to expand...
Click to collapse
That was it! I didn't event try it on the metal, because Motorola driver installer and uninstaller crash for me for some reason. Should be straightforward from now.
Thank you so much. You saved the day.

ybea said:
A tried without luck Renate's edl tool. edl.exe /lsingleimage.bin
Click to expand...
Click to collapse
Sorry. edl.exe uses the generic Zadig (i.e. WinUsb) driver).
If you have the Qualcomm driver loaded it's stealing the poor WinUsb interface and forcing it into some bogus virtual com port.
Also, singleimage is Motorola's completely morally bankrupt idea of packing stuff in a file.
It is not a Firehose loader, although it contains one.
Add to all your miseries, Motorola is crap and releases only restricted Firehose loaders.
If you're still stuck, ship me the "single-and-totally-bogus.bin" and I'll extract the Firehose loader for you.
Better poke me or I won't see it.

No longer stuck. The problem for me was neither VM USB passthrough nor blankflash tools for linux did work, although both showed proper EDL mode. It seems it only works on native Windows. Thanks for your interest.