Better Mobile App

Flash H901 kdz to get bootloader unlocked, will it works?

As far as i know, someone in a china forum said that he had unlocked the F600S' bootloader successfully.
He first flashed a pre-rooted 5.0 TOT and change the build.prop to h901. Then, he flashed h901 6.0 kdz to his phone and the bootloader became h901 version.
Therefore, he could unlock the bootloader simply by entering "fastboot oem unlock", flashing H901's recovery and rooted the phone.
Some users said this method works but some said didn't and even bricked their phones into "Qualcomm HS-USB QDLoader 9008" mode.
I open this thread for raising attention and investigate whether this method really works or not, but please, DO NOT intend to perform this method unless it was proved to be safe.
If you can read Chinese, here is the source (please remove this link if it violates xda's rules):
http://bbs.gfan.com/android-8325666-1-1.html

i recommend, don't... unless u needed to do that then go

I was attempting something like this awhile back. But I wasn't using the normal build.prop. There is one hiding in /cust/open_com_ds/cust_open_hk.prop that I assumed was what the LGUP program used to check vs the one in /system but apparently I was mistaken. Theoretically there isn't anything hardware wise different between the H901 and the H961N besides the dual sim. Those that don't use dual sim might try this. Otherwise I would wait. If there are any people out there that can make kdz's then all it takes is one person to do it right then everyone else can benefit. I might go ahead and try for shizas and googles.

DarkestSpawn said:
I was attempting something like this awhile back. But I wasn't using the normal build.prop. There is one hiding in /cust/open_com_ds/cust_open_hk.prop that I assumed was what the LGUP program used to check vs the one in /system but apparently I was mistaken. Theoretically there isn't anything hardware wise different between the H901 and the H961N besides the dual sim. Those that don't use dual sim might try this. Otherwise I would wait. If there are any people out there that can make kdz's then all it takes is one person to do it right then everyone else can benefit. I might go ahead and try for shizas and googles.
Click to expand...
Click to collapse
Thanks for your reply. According to the source, those people changed their build.prop as below in order to flash h901's kdz:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
By the way, as a H961N user, I also wonder that whether it works on dual sim model. Can we flash the modem and related apps separately in order to make dual sim working if bootloader has unlocked?

If memory serves correctly, Yes with an unlocked bootloader you could adb flash modem *BLAHBLAHBLAH* but idk how that works with dual sim phones.
I honestly get aggravated when I see certain users that say they make TOT or KDZ files when really they took it from other sites that aren't English and say they made it. If that was the case they would make a KDZ with stock everything for the device its for but replace the bootloader to the version from H901 and every LG v10 would be bootloader unlockable but somehow they are too busy or working on other TOTs and kdzs... Assinine lies. Sorry had to throw my two cents out there.
I'm so glad I didn't do this attempt yet. Just remembered I gave my backup phone away so I have nothing to fall back on if this fails. If no one tries this before I get it back I will try.

DarkestSpawn said:
I was attempting something like this awhile back. But I wasn't using the normal build.prop. There is one hiding in /cust/open_com_ds/cust_open_hk.prop that I assumed was what the LGUP program used to check vs the one in /system but apparently I was mistaken. Theoretically there isn't anything hardware wise different between the H901 and the H961N besides the dual sim. Those that don't use dual sim might try this. Otherwise I would wait. If there are any people out there that can make kdz's then all it takes is one person to do it right then everyone else can benefit. I might go ahead and try for shizas and googles.
Click to expand...
Click to collapse
Even though many of the pieces are the same, there could well be some fairly significant differences hardware-wise between the H901 and H961N. The two that I know are really close are the H961N (Hong Kong) and H962, if the kernel sources are identical then there isn't much difference between the two.
On the flip side though, there could be enough similarity to flash the H901's bootloader onto another device. The bootloader wouldn't need to worry about how any of the radio bits work, just avoid touching them.
DarkestSpawn said:
I'm so glad I didn't do this attempt yet. Just remembered I gave my backup phone away so I have nothing to fall back on if this fails. If no one tries this before I get it back I will try.
Click to expand...
Click to collapse
Please do report if you do this. Anyone else out there who is reading, we'd love to hear from you if you try this. While I hope you succeed, failure could well occur. Could you report what device you're thinking of trying this on?
There is a tool from Qualcomm which can allow you to write to the flash before the device boots. If your try fails, that tool could be used to write back what is "supposed" to be there and hopefully you won't have a complete brick. A simpler solution might be to use that tool to simply overwrite your device's bootloader with the H901 bootloader. Note there are 2 copies of the bootloader on the H962 and likely other devices and you'd need to get both. I imagine there are several, but here is one tool for extracting the KDZ files (my goal is to be able to construct modified KDZ files, but I haven't analyzed things enough yet, will likely take some time).
EDIT: What look to be the bootloader areas in the H901, H961N and H962 KDZ files appear to be at the same offsets and the same sizes. I cannot be certain, but this might very well be a workable strategy.
EDIT2: If someone does this, it may be helpful to know which H901BK firmware version you use. The known KDZ file is for 20c, so it may be handy to keep links to that. Once you've done the process, it would be helpful for you to dump copies of all the block devices on the phone. Knowing which one(s) have changed could lead us to how LG's bootloader marks a device as unlocked, leading to easier methods of unlocking (hmm, really need a binary diff utility).

emdroidle said:
Even though many of the pieces are the same, there could well be some fairly significant differences hardware-wise between the H901 and H961N. The two that I know are really close are the H961N (Hong Kong) and H962, if the kernel sources are identical then there isn't much difference between the two.
On the flip side though, there could be enough similarity to flash the H901's bootloader onto another device. The bootloader wouldn't need to worry about how any of the radio bits work, just avoid touching them.
Please do report if you do this. Anyone else out there who is reading, we'd love to hear from you if you try this. While I hope you succeed, failure could well occur. Could you report what device you're thinking of trying this on?
There is a tool from Qualcomm which can allow you to write to the flash before the device boots. If your try fails, that tool could be used to write back what is "supposed" to be there and hopefully you won't have a complete brick. A simpler solution might be to use that tool to simply overwrite your device's bootloader with the H901 bootloader. Note there are 2 copies of the bootloader on the H962 and likely other devices and you'd need to get both. I imagine there are several, but here is one tool for extracting the KDZ files (my goal is to be able to construct modified KDZ files, but I haven't analyzed things enough yet, will likely take some time).
EDIT: What look to be the bootloader areas in the H901, H961N and H962 KDZ files appear to be at the same offsets and the same sizes. I cannot be certain, but this might very well be a workable strategy.
EDIT2: If someone does this, it may be helpful to know which H901BK firmware version you use. The known KDZ file is for 20c, so it may be handy to keep links to that. Once you've done the process, it would be helpful for you to dump copies of all the block devices on the phone. Knowing which one(s) have changed could lead us to how LG's bootloader marks a device as unlocked, leading to easier methods of unlocking (hmm, really need a binary diff utility).
Click to expand...
Click to collapse
I think the only worry of trying this method is a complete hard brick. As you have mentioned, any qualcomm phone has a recovery mode and i guess it should be the "Qualcomm HS-USB QDLoader 9008" mode.
I have searched some information and turn out there are two 9008 mode. It depends on whether the phone messed with Qualcomm’s stuffs, if not, then the phone will enter the "new 9008 mode" and it can let you recover the phone easily by a backup emmc image. If it is, then the phone will enter the "old 9008 mode" and it required specific files and "programmer", however, file suitable for msm8992 hasn't been discovered. Therefore, if this method brick the phone into old 9008 mode, no solution at all.
The information i have refered to, don't know if it is correct:
http://www.droidsavvy.com/unbrick-qualcomm-mobiles/
EDIT: The ro.expect.recovery_id should be "0x9260d50f08bef4a761309001fe20e5ab59508e78000000000000000000000000" (if you try it, double check by yourself)
some people said that they bricked the phone because of typing it incorrectly, but i don't know whether it is true or not

I have asked the people who bricked their phones from trying this method. It seems that they really made a typo on ro.expect.recovery_id and cause brick.
Also, i am pretty sure that those phones have gotten into the "old 9008 mode", therefore, "rawprogram0.xml, patch0.xml and prog_emmc_firehose_8992.mbn" are required for using QPST the fix the hard brick.
However, no suitable prog_emmc_firehose_8992.mbn for V10 has been discovered on the internet (even for the G4).

Personally, I injected the H901 aboot into an H962 DZ and flashed it onto my device a few months ago.
Long story made short, it was completely bricked, even without 9008 mode. I recommend you guys to be cautious with this method.
Edit: As I can understand Chinese, I'm currently looking into the tutorial.

ivangundampc said:
I think the only worry of trying this method is a complete hard brick. As you have mentioned, any qualcomm phone has a recovery mode and i guess it should be the "Qualcomm HS-USB QDLoader 9008" mode.
I have searched some information and turn out there are two 9008 mode. It depends on whether the phone messed with Qualcomm’s stuffs, if not, then the phone will enter the "new 9008 mode" and it can let you recover the phone easily by a backup emmc image. If it is, then the phone will enter the "old 9008 mode" and it required specific files and "programmer", however, file suitable for msm8992 hasn't been discovered. Therefore, if this method brick the phone into old 9008 mode, no solution at all.
The information i have refered to, don't know if it is correct:
http://www.droidsavvy.com/unbrick-qualcomm-mobiles/
Click to expand...
Click to collapse
Useful, though I cannot speak to the reliability of that information. A different source has a tool they say comes from Qualcomm, which may be more reliable with newer devices. Please note, this is a source of claims, I don't know how reliable they are (they also don't provide much detail on the limits of the tool).
WillyPillow said:
Personally, I injected the H901 aboot into an H962 DZ and flashed it onto my device a few months ago.
Long story made short, it was completely bricked, even without 9008 mode. I recommend you guys to be cautious with this method.
Edit: As I can understand Chinese, I'm currently looking into the tutorial.
Click to expand...
Click to collapse
I look forward to more detail/reports from that tutorial. Exact details would be invaluable.
I hoped that would work, but I feared the above possibility. The problem is which portions of the flash image sign which other portions of the image, and how many different keys does LG use? Your observation seems to suggest either the key used for signing the H901 aboot was not honored by the rest of the H962 firmware, or the key used for signing the H962 kernel wasn't honored by the non-unlocked H901 aboot (or both).
If the former case, then which are the pieces prior to aboot and can only those pieces be transplanted from a H901 while still preserving the dual-SIM functionality of the H962 (and H961N)? If the latter case, then I suspect you merely need to run a H901 kernel long enough to unlock the bootloader, then you can put back the H962 kernel and run that with the unlocked bootloader.
The other question is, which portions of the data unlock the bootloader? Is it a small change to the aboot portion? Is it changes elsewhere? Can those changes be isolated from the rest of the H901 firmware?
Just in case you didn't notice, I've got lots of questions. I hope I can figure out answers to some, but others I may not be able to answer. I'm currently targeting the kdztools portion.

@emdroidle
TBH I don't see anything not mentioned already. Basically the process is just
Flash 5.1 rooted -> modify build.prop -> flash H901 KDZ
Personally, I'm not going to do more risky experiments since I already RMA'd my last hard brick
Also, you might want to use IDA to take a look at aboot, which is basically an ELF binary. I had been doing that, but stopped after the brick.

WillyPillow said:
@emdroidle
TBH I don't see anything not mentioned already. Basically the process is just
Flash 5.1 rooted -> modify build.prop -> flash H901 KDZ
Personally, I'm not going to do more risky experiments since I already RMA'd my last hard brick
Also, you might want to use IDA to take a look at aboot, which is basically an ELF binary. I had been doing that, but stopped after the brick.
Click to expand...
Click to collapse
I understand. You're in a better position since LG will honor the warranty on your H962. They're a bit tougher if you get one outside Taiwan.
I was fearing we would have to take that approach. Worse, it looks like the firmware updates change aboot, which suggests settling on one version and trying to crack that is best. I wanted to try Plasma, but IDA is likely far enough ahead to beat Plasma. I'm just glad IDA has a Linux version.

WillyPillow said:
Personally, I injected the H901 aboot into an H962 DZ and flashed it onto my device a few months ago.
Long story made short, it was completely bricked, even without 9008 mode. I recommend you guys to be cautious with this method.
Click to expand...
Click to collapse
After some thought, I realized I should ask for some detail about the failed process you used for this. Did you flash both the aboot and abootbak slices? (/dev/mmcblock0p9 and /dev/mmcblock0p15 if I recall correctly)
If you flashed only aboot and ended up bricked, this seems to suggest it did in fact successfully execute the H901BK aboot, but the aboot decided the signature on boot was incorrect and halted. In this scenario if the portion before aboot had decided aboot had a bad signature, then it should have restored abootbak, which likely would have successfully booted the H962 kernel.
If you flashed both aboot and abootbak, this suggests the portion before aboot decided aboot's signature was wrong and it halted there. This doesn't rule out it successfully executing aboot and aboot deciding boot had the wrong signature, but it makes that less likely.
Hate to say it, but flashing only aboot doesn't really give us much information on the likelihood of flashing a full H901BK image onto a H962 being successful or not. The problem is there could be signatures in many places and any one of those could fail yet reproducing the original scenario would work perfectly.

emdroidle said:
After some thought, I realized I should ask for some detail about the failed process you used for this. Did you flash both the aboot and abootbak slices? (/dev/mmcblock0p9 and /dev/mmcblock0p15 if I recall correctly)
If you flashed only aboot and ended up bricked, this seems to suggest it did in fact successfully execute the H901BK aboot, but the aboot decided the signature on boot was incorrect and halted. In this scenario if the portion before aboot had decided aboot had a bad signature, then it should have restored abootbak, which likely would have successfully booted the H962 kernel.
If you flashed both aboot and abootbak, this suggests the portion before aboot decided aboot's signature was wrong and it halted there. This doesn't rule out it successfully executing aboot and aboot deciding boot had the wrong signature, but it makes that less likely.
Hate to say it, but flashing only aboot doesn't really give us much information on the likelihood of flashing a full H901BK image onto a H962 being successful or not. The problem is there could be signatures in many places and any one of those could fail yet reproducing the original scenario would work perfectly.
Click to expand...
Click to collapse
Hmm, I've never thought this deep. I was just like "Sxxt, my phone bricked! Must be a bad signature somwhere..." and stopped messing around with it
To answer your question, I only flashed aboot, without anything else. And for the details of the brick, you can't even see the "powered by Android" bootloader screen. The device just viberates if you want to turn it on. The only way to make the screen display something is remove the battery and connect it to a computer, for which a "no battery" icon is showed. So my guess then was the aboot signature was invalidated. But now you reminded me the existance of abootbak...
I'll do some research and thinking right now

WillyPillow said:
Hmm, I've never thought this deep. I was just like "Sxxt, my phone bricked! Must be a bad signature somwhere..." and stopped messing around with it
To answer your question, I only flashed aboot, without anything else. And for the details of the brick, you can't even see the "powered by Android" bootloader screen. The device just viberates if you want to turn it on. The only way to make the screen display something is remove the battery and connect it to a computer, for which a "no battery" icon is showed. So my guess then was the aboot signature was invalidated. But now you reminded me the existance of abootbak...
I'll do some research and thinking right now
Click to expand...
Click to collapse
Well, i think that you have bricked your phone into the "Qualcomm HS-USB QDLoader 9008" mode
The phone should be able to fix if you can see "Qualcomm MMC Storage USB Device" in "Devices Manager" when the phone is connecting to the computer.

WillyPillow said:
Hmm, I've never thought this deep. I was just like "Sxxt, my phone bricked! Must be a bad signature somwhere..." and stopped messing around with it
Click to expand...
Click to collapse
I was thinking about it, since I would very much like to somehow unlock the bootloader. While this way may or may not be tweaked to work, it does sound plausible. Analyzing failures can be very valuable.
WillyPillow said:
To answer your question, I only flashed aboot, without anything else. And for the details of the brick, you can't even see the "powered by Android" bootloader screen. The device just viberates if you want to turn it on. The only way to make the screen display something is remove the battery and connect it to a computer, for which a "no battery" icon is showed. So my guess then was the aboot signature was invalidated. But now you reminded me the existance of abootbak...
Click to expand...
Click to collapse
So this may suggest aboot successfully executed, but found a mismatched signature and halted. At which point, flashing the H901BK aboot and boot may be enough to make this work. This may though also require the H901BK recovery image. I do not know where the unlock process actually does its magic, so part of it could be in recovery.
I'd love to hear if you can get it to be successful.

Two threads relevant to this topic have shown up.
First, apparently someone somehow managed to accidentally flash a H901 firmware onto a H960A. That person was looking for help with restoring their device, but it leaves me hopeful this method could in fact work on other devices. Most likely you'd end up with a mix of some portions of the flash being copied from a H901 and some from whatever your phone is normally supposed to run, but this does confirm it is possible to run H901 firmware on other devices.
Second, a method has been found to recover devices from Qualcomm 9008 mode. This is big news since it greatly lessens the danger of a bad flash. Problem is it requires root on the phone to generate the initial image, though I suspect the images produced by my kdztools may well work for the job too.

I very much want to unlock the bootloader of my device, so I'm still doing research trying to estimate how plausible this method is. At this point there are enough reports of wrong V10 device images not being fatal to other V10-type devices for me to consider this method "likely".
Examining KDZ files for several devices, there is quite a bit of overlap between device images. There are 9 slices though which seem to warrant special attention based upon them having backup copies. These are named "sbl1", "pmic", "hyp", "tz", "rpm", "aboot", "sdi", and "raw_resources".
My guess is install a H901 image, do `fastboot oem unlock` and then you can copy everything aside these slices from your original device. My concern is these may need to remain the H901 versions in order to remain unlocked (unless all V10 devices share the unlock method, which may or may not be the case).
It may also work to use my KDZ Tools to copy the PrimaryGPT and BackupGPT areas from the target device onto a H901 image, at which point the process could be done without even needing a factory reset!
I'm pretty sure "sbl1"/"sbl1bak" are the first-stage bootloader. All the others aside from "raw_resources" look to be ELF executables.
Open request to Qualcomm here, could you please make your chips either alternate between trying to boot off of "sbl1" and "sbl1bak" (a single MRAM or PCRAM cell should take too much space, should it?), or else make them randomly choose between booting off them upon power-on? Too often one or the other gets corrupted in such a way that booting fails, but either isn't so corrupt to trigger them to try the backup, or else the primary is so badly damaged it is unable to try the backup. Alternating (and passing to the Linux kernel which one it successfully booted off of!) would greatly increase the chances of successful recovery without specialized tools.

Wiki + Likelyhood evaluation
Having examined the situation enough, I'm pretty sure this method should work. Experimentation though is risky.
I'm now working on creating 2 software tools for this project. One is a simple tool to remark the device a KDZ is for. This is pretty simple and the reports are, once this is done LGUP will happily flash a KDZ onto other devices. The second goal is a tool for modifying the GPT afterwords. While the H901 has a GPT similar to other V10s, it isn't quite identical. Of major note, many other devices have a /cust partition which has some extra software.
These two tools may actually be unnecessary. My KDZ Tools expose all of the data in an inconvenient, but workable format. The KDZ Tools can also be used to replace the GPT for the H901 with a GPT from another device, and they also expose the areas which mark which device a KDZ is for. Problem with using the KDZ Tools for this is there is what looks to be an extra checksum, and I've got no idea whether it covers the GPT (I hope not, but...).
I'm now looking to create the above two tools on GitHub, the LGE Tools. Alas, what may be more valuable is the Wiki on GitHub. I've got speculative instructions a little ways from the top. Towards the bottom I've got a list of which areas you'd need to restore from your original device. I guess I'm a bit unsure of "persist", the content is identical for my device, but the differing timestamps might trigger a flag that something has happened.
Hopefully we can get some testers who can risk needing to RMA their devices (I hope they don't need to, but this IS risky).

emdroidle said:
Having examined the situation enough, I'm pretty sure this method should work. Experimentation though is risky.
I'm now working on creating 2 software tools for this project. One is a simple tool to remark the device a KDZ is for. This is pretty simple and the reports are, once this is done LGUP will happily flash a KDZ onto other devices. The second goal is a tool for modifying the GPT afterwords. While the H901 has a GPT similar to other V10s, it isn't quite identical. Of major note, many other devices have a /cust partition which has some extra software.
These two tools may actually be unnecessary. My KDZ Tools expose all of the data in an inconvenient, but workable format. The KDZ Tools can also be used to replace the GPT for the H901 with a GPT from another device, and they also expose the areas which mark which device a KDZ is for. Problem with using the KDZ Tools for this is there is what looks to be an extra checksum, and I've got no idea whether it covers the GPT (I hope not, but...).
I'm now looking to create the above two tools on GitHub, the LGE Tools. Alas, what may be more valuable is the Wiki on GitHub. I've got speculative instructions a little ways from the top. Towards the bottom I've got a list of which areas you'd need to restore from your original device. I guess I'm a bit unsure of "persist", the content is identical for my device, but the differing timestamps might trigger a flag that something has happened.
Hopefully we can get some testers who can risk needing to RMA their devices (I hope they don't need to, but this IS risky).
Click to expand...
Click to collapse
Wow, i am very surprised that you are still working on this method! You have really paid a lot of effort on it!
After taking a look on your works, i really think that this method may really works to help us to unlock the bootloader.
In fact, the T-Mobile variant of both G5 and V20 have bootloader unlocked and so other version of G5 and V20 may also be able to unlock their booloader through a method like this, therefore, I think we should be able to draw more attention (more devs?) on studying this method.

Search of the file .mbn for QPSP. For H932 - to restore bricks. Through qualcomm 9008

Search of the file .mbn for QPSP. For H932 - to restore bricks. Through qualcomm 9008. Or any help on getting out of the state of a brick.

B0PoH said:
Search of the file .mbn for QPSP. For H932 - to restore bricks. Through qualcomm 9008. Or any help on getting out of the state of a brick.
Click to expand...
Click to collapse
this file not exist .
you need a flashing box like octoplus... to boot the phone , take it to a repair shop.

Thanks for the answer. Is octoplus in a nutshell or how to restore using octoplus? There, too, I need the mbn file as far as I understand.

ufs8998 use .elf file
I tried to search for a long time. Finally, end with the box.

sandking707 said:
ufs8998 use .elf file
I tried to search for a long time. Finally, end with the box.
Click to expand...
Click to collapse
Thanks for the answer and not tell me where to download ??

sandking707 said:
ufs8998 use .elf file
I tried to search for a long time. Finally, end with the box.
Click to expand...
Click to collapse
B0PoH said:
Thanks for the answer and not tell me where to download ??
Click to expand...
Click to collapse
He said he never found a place to download and used Octopus box instead.

ChazzMatt said:
He said he never found a place to download and used Octopus box instead.
Click to expand...
Click to collapse
I have Octoplus, but it sews only in a Download mod. Perhaps the new version has the ability to sew flash memory. Who can flash the phone remotely on Octoplus??

B0PoH said:
I have Octoplus, but it sews only in a Download mod. Perhaps the new version has the ability to sew flash memory. Who can flash the phone remotely on Octoplus??
Click to expand...
Click to collapse
you need octopus with box not the cracked one because you must disassemble the phone and connect the cable.

Maybe someone already has a dump file from lg v30 h932 T-mobile if there is, please contact me. After searching for solutions, there were two possible solutions. The phone and port 9008 sees XiaoMiFlash but you need to correctly convert the KDZ file to XiaoMiFlash format. The second is still looking for a nbm file that can sew QPSP. Or options for converting KDZ to nmb. Who has a tutorial on flashing the phone through octoplus and connecting via cable to JTAG?

@runningnak3d is the expert. Maybe he may have some insight.
I hope you don't me mentioning you here Brian.
----Aakash

I don't know of any T-Mobile firehoses that have leaked... not just the H932, but ANY LG T-Mobile phone. Since T-Mobile uses their own RSA cert for signing, and the firehose is signed just like the firmware, there is less of a chance of it leaking.
Now with that said, if Octopus can flash an H932 in EDL mode (9008), then they got the firehose from somewhere. However, those douche nozzles encrypt the firehose, and you need one of their boxes to use it. I have contemplated buying one, and then sniffing the USB traffic to obtain the decrypted firehoses for every phone that I can get my hands on. You should never have to pay for something that they got from a leaked source.
-- Brian

B0PoH said:
Maybe someone already has a dump file from lg v30 h932 T-mobile if there is, please contact me. After searching for solutions, there were two possible solutions. The phone and port 9008 sees XiaoMiFlash but you need to correctly convert the KDZ file to XiaoMiFlash format. The second is still looking for a nbm file that can sew QPSP. Or options for converting KDZ to nmb. Who has a tutorial on flashing the phone through octoplus and connecting via cable to JTAG?[/QUOT]
How to backup dump file from working LG v30 and flash it on "9008 bricked phone". (I have two v300L phones. One is working another one is hard bricked)
Click to expand...
Click to collapse

[OP7TPRO TMO 5G][OOS 11.0.1.5 HD61CB] Unbrick tool to restore your device to OxygenOS

Disclaimer: By attempting any of the processes listed in this thread you accept full responsibility for your actions. I will not be held responsible if your device stops working, catches fire, or turns into a hipster and claims to have been modified before it was cool.
Hi everyone, similar to the previous threads for
OP3, OP3T, OP5, OP5T, OP6, OP6T, OP7, OP7PRO, regular OP7T, T-Mobile OP7T and regular OP7TPRO here are the EDL packages (also known as MSM tools or unbrick tools) that can revive a bricked OnePlus 7T Pro 5G McLaren bought from T-Mobile.
They can also be used to rollback your phone to a previous release of OOS if for some reason you want to go back to an older firmware
It will only work with 5G T-Mobile variant HD1925
You can download the following versions:
ANDROID 10:
10.0.13 HD61CB
10.0.16 HD61CB
10.0.19 HD61CB
10.0.27 HD61CB
10.0.34 HD61CB
10.0.35 HD61CB
10.0.36 HD61CB
10.0.39 HD61CB
10.0.40 HD61CB
10.0.41 HD61CB
10.0.42 HD61CB
Mirror for first and last MSMs: https://onepluscommunityserver.com/
ANDROID 11:
11.0.1.5 HD61CB
Mirror for first and last MSMs: https://onepluscommunityserver.com/
Instructions:
Launch MsmDownloadTool V4.0.exe.
Specific to 10.0.27 and up
On the login prompt select "Other" in the dropdown menu and click on Next.
Wait a few seconds until main window shows up.
Click on Target button and select T-MO if it hasn't been automatically.
Power your device off.
Maintain volume up and volume down keys to get into Qualcomm EDL mode.
Plug your device to your computer using stock OnePlus cable.
Click on Enum to be sure your device is detected and press Start.
Wait ~300 seconds.
Enjoy your brand new device.
FAQ:
Will this fix OTAs I couldn't receive after unlocking bootloader?
Yes. Mind it will however wipe all of your internal storage and relock bootloader automatically (but you shouldn't have to reapply for an unlock token if your bootloader was unlocked previously).
Does this work on Mac or on Linux?
Unfortunately no, tool is Windows only. You should need at least Windows 7.
Why is my antivirus freaking out when unzipping the archive or running the tool?
In an effort to protect reverse engineering from being done (and by extension prevent conversion process like it was done on 6T and 7Pro), OnePlus now use VM Protect V3 in their MSM tools. As this tries to detect debug environment, this is seen as malicious behaviour by some antivirus.
My device isn't detected when I click on "Enum" button
Go to device manager and make sure your phone shows up as QDLOADER 9008.
If it shows up as QHUSB_BULK, it means Qualcomm driver wasn't installed automatically by Windows Update. Download the latest one from Microsoft website at http://download.windowsupdate.com/c..._fba473728483260906ba044af3c063e309e6259d.cab (source https://www.catalog.update.microsof...updateid=8ee52ba0-bdef-4009-88cf-335a678dd67a ) and install it manually by right clicking on QHUSB_BULK and selecting "Update driver software" and "Browse my computer for driver software" to where you downloaded CAB file.
MSM tool is stuck on "Param pre-processing"
Ensure you're using the Qualcomm drivers linked above.
MSM tool is stuck on "Sahara communication failed"
Unplug your phone, get in fastboot mode, turn off phone, wait 15 secondes and get back in Qualcomm EDL mode. You can also try using a USB 2.0 port instead of a 3.0 one.
What is SMT Download mode?
Just don't try to unlock that mode, it will wipe your IMEI and your Widevine certificate if you use it.
How can I fix "SMT config not found" error?
Please refer to https://forum.xda-developers.com/showpost.php?p=83448961&postcount=61, all credits to @Shadow12347 for finding it out.
Credits:
@omariscal1019 for getting 10.0.27 version from OnePlus
@a63548 for getting 10.0.19 version from OnePlus
An anonymous user for unblocking situation with OnePlus CS (they kept sending package meant for 7T T-Mobile)
@jhofseth for decryption of 10.0.19 tool
@xian1243 and @omariscal1019 for testing 10.0.13 version, @twinnfamous for testing 10.0.13 and 10.0.16 versions, @ntzrmtthihu777 for testing 10.0.13 , 10.0.16 and 10.0.19 versions, @DanDroidOS for testing 10.0.19 version, and @me2151 for testing 11.0.1.5 version.
@Titokhan for being a friend and providing inspiration in writing
@headsh0t95 for being a friend and suggesting me to request an access to upload files on AndroidFileHost now one year ago for my previous threads
@AndroidFileHost for the hosting
OnePlus for the device and OS

Related: [HD1925] [OP7TPROTMO] reserve.img dumps OTA fixer from @ntzrmtthihu777 for folks that want to get OTAs if they unlock their phone after using MSM tool

Woooooo!!! Let's hope it's the real deal. Downloading now so I can root in a bit

It's real and was tested extensively. We also used them to complete our reserve.img collection.

Nice work! I refuse to go any further than bootloader unlocking until I had a tested MSM recovery. Can't tell you how many times those saved my butt with previous 1+ phones.

I apologise in advance, but I do not see a link for the msm tool to flash zips in this post ? Can someone please link a copy of the correct msm tool so we can download it, please and thank you if there is a adb command that I'd have to run instead of msm tool please help me by listing a small guide of how to do it thanks

Excuse my lack of knowledge on the subject. Is this what we've been waiting for? I'm guessing no or very little experimenting was being done because nobody wanted to destroy their phone. But if I understanding correctly this will work like the one for the 6T only difference is we can't flash a global firmware (for the moment) if you royally f**k up this will save you. With this tool it should make experimenting with the device a lot less of an issue?

Justingaribay7 said:
I apologise in advance, but I do not see a link for the msm tool to flash zips in this post ? Can someone please link a copy of the correct msm tool so we can download it, please and thank you if there is a adb command that I'd have to run instead of msm tool please help me by listing a small guide of how to do it thanks
Click to expand...
Click to collapse
There's a button that has them all listed. There's three versions.
Joe199799 said:
Excuse my lack of knowledge on the subject. Is this what we've been waiting for? I'm guessing no or very little experimenting was being done because nobody wanted to destroy their phone. But if I understanding correctly this will work like the one for the 6T only difference is we can't flash a global firmware (for the moment) if you royally f**k up this will save you. With this tool it should make experimenting with the device a lot less of an issue?
Click to expand...
Click to collapse
More or less, but there simply is no global firmware for us to
convert to for this device (they could create one, I suppose).
This tool will fix just about any sort of brick we may encounter
during normal experimentation.

ntzrmtthihu777 said:
There's a button that has them all listed. There's three versions.
More or less, but there simply is no global firmware for us to
convert to for this device (they could create one, I suppose).
This tool will fix just about any sort of brick we may encounter
during normal experimentation.
Click to expand...
Click to collapse
I guessing there's a strong possibility of a global conversion hindering 5G?
I'm just glad there's a tool available to people that want to modify their phones and don't end up with a 900$ paperweight in the event something goes wrong.

Damn, I can't believe I didn't even think about unzipping the whole file lol figured it was just the phone firmware on those links , because there was only software versions listed haha thanks for your help guys! figured it out, download whatever version you want to flash, unzip file accordingly, all the proper files you'll need will be in the extracted folder install directions above, thanks again!!!

You sir are a lifesaver! I was having too many issues with my phone after some of the tweaks, and was stuck on the .16 software version. Now I'm updated to .19 and ready to break the phone again!

One plus 7T 5G Mclaren pro T-Mobile
OMG, I just used this tool and it worked. I can't believe it. Thank you so much. I thought my device was toasted.

Any chance of updating the post to include the latest update 10.0.25?

adit07 said:
Any chance of updating the post to include the latest update 10.0.25?
Click to expand...
Click to collapse
Might happen, might not.
If it doesn't happen this however won't be an issue as you can rollback anyway by using.
Mind that I don't make these tools so don't have any control on how they could be updated

What if you connect your phone and it does not even show up as the bulk driver in device manager. I have literally bricked it to the point that only edl mode shows up. Can anyone please show me the light?

djohnson1618 said:
What if you connect your phone and it does not even show up as the bulk driver in device manager. I have literally bricked it to the point that only edl mode shows up. Can anyone please show me the light?
Click to expand...
Click to collapse
While booting up the phone hold I believe volume up and plug it in while doing that it should just remain on a black screen after that open msmtool and see if it's connected if it is then do what you would normally do for msmtool. It took me a couple of tries to get it to recognize with this phone compared to my 6T

Lost
Does anyone know what it should say once I press Enum

djohnson1618 said:
Does anyone know what it should say once I press Enum
Click to expand...
Click to collapse
Read the OP carefully.

So My One Plus One 7t Pro Mclaren edition (TMO) is bricked beyond belief. It only reboots into Fastboot mode. From CMD when ADB devices command is typed in it says no devices found. When I look in device manager when connected it says Android Bootloader Interface it does not show any of the drivers to update. I tried using MSM. My phone does not make a connection. Can anyone offer any assistance to help me get this phone back and working? Or am I just stuck with an expensive paperweight.

djohnson1618 said:
So My One Plus One 7t Pro Mclaren edition (TMO) is bricked beyond belief. It only reboots into Fastboot mode. From CMD when ADB devices command is typed in it says no devices found. When I look in device manager when connected it says Android Bootloader Interface it does not show any of the drivers to update. I tried using MSM. My phone does not make a connection. Can anyone offer any assistance to help me get this phone back and working? Or am I just stuck with an expensive paperweight.
Click to expand...
Click to collapse
As said in the OP, you need to turn your device off and enter in Qualcomm EDL mode.
Maintain power button until your device screen goes off, wait 20 seconds, maintain volume up and down keys, plug your device to your computer using OnePlus original cable and use MSM tool.

General Bootloader unlock token for T-Mobile variant now available

Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.

AndyYan said:
Just a quick heads-up.
unlock token - OnePlus (United States)
www.oneplus.com
By the way, to root without readily available stock firmware, first unlock bootloader, then boot a pre-rooted GSI with DSU Sideloader, pull stock boot partition from there, and finally patch/flash it. This applies to the Open variant as well.
Click to expand...
Click to collapse
Tried to unlock but apparentpy my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant

PsYk0n4uT said:
Tried to unlock but apparentpy my device only has 7 digits in the serial number which keeps me from being able to use the website to request the unlock code.
I used the debloat script I found on n200 threads to get oem unlock on option. T-Mobile variant
Click to expand...
Click to collapse
Try prepending 0s?

Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting

PsYk0n4uT said:
Well. I was thinking that doing that would make the unlock token they give me different from what the phone would be expecting
Click to expand...
Click to collapse
Tried adding zero on front and back of serial it just tells me invalid serial

PsYk0n4uT said:
Tried adding zero on front and back of serial it just tells me invalid serial
Click to expand...
Click to collapse
Chatting with OnePlus hasn't yielded anything so far

Just a tip, because in my infinite forgetfulness I wasted an hour last night trying to figure out why I was getting the error, fastboot could not open target HAL.
Remember that you must request the unlock code from fastboot, not fastbootd. Which is what you will boot into if you issue adb reboot fastboot.
So here's a quick step by step.
1.Enable usb debugging. 2. Connect your device and allow access for the computer. My device asks if I want it to charge or transfer files. Select transfer files/Android auto and then use adb start-server. May have to unplug the USB cable and reconnect. Select "always allow this device/PC".
3. Issue "adb devices" to make sure your connected.it should list your device by it's serial number. If not then try unplugging the device and revoke adb authorizations in dev options and toggle USB debugging off and back on, may even need to reboot the device to get it to connect after doing this.
4. If your device is listed under devices go ahead and issue "adb reboot fastboot"
5. Once rebooted issue "fastboot devices" and make sure the device is listed again.(If not listed make sure you have your driver's installed correctly and fastboot is installed correctly, may need to install Android SDK into same folder as fastboot)
6.You can select English or whatever language if you want but it doesn't seem necessary.You are in fastbootd mode you will see if you DO select a language.
So from here issue"fastboot reboot bootloader" device will reboot and you will have scrollable option at the top beginning with a big green START at the top. This is regular fastboot And where you wanna be to get your unlock code for submitting to Oppo for your unlock token.
7. Issue "fastboot oem get_unlock_code"
8. It should return the info you need, you will also need your IMEI number when submitting so be sure to copy that down.
you can copy and paste the unlock code into notepad or Word and delete out the extra stuff so your left with just the two lines of your unlock code as one single contiguous string of numbers.
8. Go to the link listed by OP and submit the required info. And wait for what seems like forever.
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code

PsYk0n4uT said:
ADB/Fastboot commands-quick recap.
1. adb reboot fastboot
2. fastboot reboot bootloader
3. fastboot oem get_unlock_code
Click to expand...
Click to collapse
Simply "adb reboot bootloader". You won't need fastbootd until GSIs (which I already did ofc).

Thanks, definitely a quicker way to get to fastboot. I guess I wasn't sure if you could reboot directly. Seems maybe I was confusing an older device where you had to reboot to fastboot then "fastboot reboot fastboot" to get to fastbootd for a whole different reason.
This one goes directly to fastbootd when you "adb reboot fastboot"
Nice catch.

with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..

I'm not really sure to be honest, this is my first OnePlus device and just trying to contribute anything I can to get the N20 section up and going as I make progress with the device.
Just a quick search though turns up this and maybe it could be of use if you can still access the bootloader.
the current image(boot/recovery) have been destroyed
I updated my oneplus 8t to KB2005_11.C.11 (OOS 12 ) by first booting to twrp-3.6.1_11-0-kebab.img and then flashed the KB2005_11_C_OTA_1100_all_362b9b_10100001.zip. After the upgrade I had no mobile data on t-mobile and had Volte instead of 5g...
forum.xda-developers.com
Someone mentions extracting the boot.img from stock image and flashing it. I would imagine it should work for you if the stock firmware can be found and circumstances are similar. Maybe at least a start. Wish I could be of more help, maybe someone else can chime in that knows more.
Try Linux, maybe a live dist. if your on a windows machine that won't recognize it just to get it into a state that you can work with it again.
Just an idea, I don't want to steer you wrong as i still have a lot to learn

DrScrad said:
with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsettinghav
Click to expand...
Click to collapse
DrScrad said:
with this particular model in scope, what do either of you guys suggest I do if I have gottne the age old bricked message "destroyed boot/recovery image"".. I've tried the MSMTool route and cna't get it to register under Device Manager with the Qualcomm drivers.. It's highly upsetting..
Click to expand...
Click to collapse
I want to try and help but I'm so new it's sketchy I don't want to say something and get bashed

Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if your unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answer just as much as I have over the years.

Fyi according to a recently made friend who also had the 7 digit serial issue, they were told by OnePlus their dev team is working on an OTA update that will resolve the serial number issues. I'm not sure how that's going to work but I saw the email between them and Oppo support

I guess this must be a widespread issue that they feel is cheaper to invest the amount of money it takes for r&d to come up with a fix than it was to replace a few devices or attempt to do remote repairs.
But this also makes me wonder what avenue they will take to correct the issue.
Also I wonder if someone with the right skillset could gather enough bootloader unlock codes along with the unlock tokens, serial, IMEI, pcba etc.. maybe the algorithm their using to generate the codes could be broken. I'm no crypto expert or math genius either, but if we have the variables to the equation minus one but have the answer, isn't this pretty simple almost pre-algebra?
I mean I guess their not worried about enough people being brave enough to give out sensitive info like that. But maybe Im just ignorant of the complexity of these algorithms.
64 digit key on one end

T-Mobile bought sprint and they have T-Mobile sims no. But I understand that sprint is still a somewhat seperate company (tried to buy a T-Mobile phone and it would not activate on my sprint account. So I bought this from the sprint side of the T-Mobile site so I knew it would work but I assume this is a sprint phone and not a T-Mobile phone so this method would not work.
Can anyone confirm this?

PsYk0n4uT said:
Please feel free to comment. Don't worry about the trolls. We would love to have you to be part of this conversation. If you have suggestions just post them, and if your unsure about anything just mention that you are. It's a great way to learn. Don't worry about negative feedback, take it as constructive criticism. You may find that the feedback can clear up many questions and/or misconceptions. You never know how your dialogue with other members could help someone else in the future. These forums are here to document all of it just for that purpose. We are all here to learn or help others who want to learn. Though this account is only a year old I have been around these forums on and off for many years and I learn something each and every time I come in search of wisdom. I'm by no means an expert but I find that others benefit from my questions and answer just as much as I have over the years.
Click to expand...
Click to collapse
okay peep theres a way i put my oneplus into efu mode, hold both vol up and down then put usb c in continue to hold u should hear PC recognize it

So, before i do it, would deleting the modemst1/modemst2 partitions still let me bypass the t-mobile sim lock and let me unlock the phone like it did on the old oneplus phones?

Flashed a patched boot.img and lost modems. Anyone willing to post the modems? Are they device specific like a device partition?

Sim locked and trying to recover. No radios are working

Question This is just a theory but...

How possible would it be to change a slot from A to B using an edl tool like https://github.com/bkerler/edl ? How would this be used? or, for example, what command should be used? Are there any other methods of application? just including an EDL method? Because simply stating android has two slots one may be bricked and deleted of info and another may have a working slot and yes (I am ware fastboot can do this) but this is for those who cannot access it on a certain slot.

oneplushypergaming said:
How possible would it be to change a slot from A to B using an edl tool like https://github.com/bkerler/edl ? How would this be used? or, for example, what command should be used? Are there any other methods of application? just including an EDL method? Because simply stating android has two slots one may be bricked and deleted of info and another may have a working slot and yes (I am ware fastboot can do this) but this is for those who cannot access it on a certain slot.
Click to expand...
Click to collapse
If you're asking specifically about the 10T the answer is no. Authentication is required to use EDL on this device and bkerler's implementation doesn't support this kind of authentication. However, if you had a device with unprotected EDL mode you could theoretically alter the current slot if it's saved on a disk partition.

TheNewHEROBRINE said:
If you're asking specifically about the 10T the answer is no. Authentication is required to use EDL on this device and bkerler's implementation doesn't support this kind of authentication. However, if you had a device with unprotected EDL mode you could theoretically alter the current slot if it's saved on a disk partition.
Click to expand...
Click to collapse
I see. So, in other words, it is simply impossible for any user to obtain it without authentication, which sucks a lot. It's unfortunate to see such a dependable company resort to this, even though they claim to be very user-friendly. can't argue with their pricing though, it was never about pricing for me. It was always about "if you break it, you can fix it in a single click, but all that has changed. thank you for your support.

oneplushypergaming said:
How possible would it be to change a slot from A to B using an edl tool like https://github.com/bkerler/edl ? How would this be used? or, for example, what command should be used? Are there any other methods of application? just including an EDL method? Because simply stating android has two slots one may be bricked and deleted of info and another may have a working slot and yes (I am ware fastboot can do this) but this is for those who cannot access it on a certain slot.
Click to expand...
Click to collapse
You don't know how to use that guy's tool there's many people who have made videos about it I suggest you go watch your video on it and tools not that complicated but it is complex if you don't have prior tech skill

AkayamiShurui said:
You don't know how to use that guy's tool there's many people who have made videos about it I suggest you go watch your video on it and tools not that complicated but it is complex if you don't have prior tech skill
Click to expand...
Click to collapse
I've used this tool on phones like the Oneplus 7t, motorola g8 power, LG velvet and 7Pro, as well as other msm tools, and I'm very intimately acquainted with 9008 I understand how to utilize it. I was only inquiring if it could be used on the 10t.

Which slot is active is saved in the misc partition, beyond the usual reboot command.
I've not yet had an A/B device, so I can't say more.
With non-A/B you can erase the misc partition without a problem.
I don't know how bad it would be if you erased misc on an A/B.
I presume that it would default to A?

Renate said:
Which slot is active is saved in the misc partition, beyond the usual reboot command.
I've not yet had an A/B device, so I can't say more.
With non-A/B you can erase the misc partition without a problem.
I don't know how bad it would be if you erased misc on an A/B.
I presume that it would default to A?
Click to expand...
Click to collapse
well.. you'd think that would happen because it's the most logical way to put it, but in my experience, whenever the partition is erased, it always stays on the slot, leaving the overall device bricked sadly, or depending on what in the misc is erased, you may just be lucky to get boot loops or booted into a constant bootloader, which can fortunately be solved by fastboot enhanced. at least for oneplus devices and by fast boot you can just simply switch to the desired working slot.