Better Mobile App

N9006 MTK 6572 rom need have bricked device

I flashed a wrong rom, and now have phone N9006 mtk 6572 bricked, it gives this error now , dont turn on and connection takes few second,,
it gives this error now
Flash files count is :12
Action : Firmware update.
Selected Samsung Clone: Note 3 Clone(MT6572)
Phone must be off with battery inside.
Please insert USB cable now...
Detected : MTK USB Port (COM21)
Phone detected...Please wait
Sending DA agent, please wait...
Connect error: S_FT_ENABLE_DRAM_FAIL
Error connect phone, aborting.
All done.
I didnt make backup my fault, before that I read the info of phone which was stuck at logo, the info read via volcano box is this, can some one give a backup or any rom to at least revive this phone,
Version: V3.8
SN:xxxxxxxxxxx
Port:COM57
After format or Flash you have to press & hold power button for at least 1.30 mins.
Note for win7 users :
Start your Win 7 64bit with F8 key and choose 'Disable Driver Signature Enforcement'.
After that the spd drivers will have the ability to be loaded.
Available Ports:COM1 COM3 COM8 COM9 COM57
Current Port:COM57
Analysis of USB port,Please insert phone USB cable.
Connecting...
CPU TYPE:MT6572
Hardware version:CA01
Software version:0000
Boot downloading complete!
EMMC_ID:0x45010053454D3034472805A6827A513B
EMMC_PRODUCT_NAME: SAMSUNG :0x53454D303447
EMMC_BOOT1_SIZE: 0x00200000
EMMC_BOOT2_SIZE: 0x00200000
EMMC_PRMB_SIZE: 0x00200000
EMMC_GP1_SIZE: 0x00000000
EMMC_GP2_SIZE: 0x00000000
EMMC_GP3_SIZE: 0x00000000
EMMC_GP4_SIZE: 0x00000000
EMMC_USER_SIZE: 0x0EC000000(3.69 G)
Analysis of system files...
PRELOADER: addr:0x000000 --length:0x880000
MBR: addr:0x880000 --length:0x080000
EBR1: addr:0x900000 --length:0x080000
PRO_INFO: addr:0x980000 --length:0x300000
NVRAM: addr:0xC80000 --length:0x500000
PROTECT_F: addr:0x1180000 --length:0xA00000
PROTECT_S: addr:0x1B80000 --length:0xA00000
SECCFG: addr:0x2580000 --length:0x020000
UBOOT: addr:0x25A0000 --length:0x060000
BOOTIMG: addr:0x2600000 --length:0x600000
RECOVERY: addr:0x2C00000 --length:0x600000
SEC_RO: addr:0x3200000 --length:0x040000
MISC: addr:0x3240000 --length:0x080000
LOGO: addr:0x32C0000 --length:0x300000
EXPDB: addr:0x35C0000 --length:0xA00000
ANDROID: addr:0x3FC0000 --length:0x28A00000
CACHE: addr:0x2C9C0000 --length:0x17800000
USRDATA: addr:0x441C0000 --length:0x52C00000
FAT: addr:0x96DC0000 --length:0x54340000
BMTPOOL: addr:0xFFFF00A8 --length:0x000000
Format addr:0x481C0000 --Format length:0x4EC00000
>>Read phone information success.
these are the info , so please can some one help me urgently thankyou.
bcnboy

P760 Brick. Only fastboot work (example by omap4boot-for_optimus-v1.21)

Hi.
Similar problem like here: http://forum.xda-developers.com/showthread.php?t=2334337
I am fighting with this phone two days.
In the first phase ( 18h ago) i connected by omap4boot and tried this - http://forum.xda-developers.com/showpost.php?p=39732470&postcount=20
next i did all wipes, i tried by cwm install this rom - u2_v20o_signed_022314_123556.zip
I thought all is good, but ofc still was logo LG.
Anyone LG FLash tool didnt work (i will explain it with screens after, when will can run into S/W mode)
I tried this http://forum.xda-developers.com/showthread.php?t=2292828
and i had very weird error:
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
reading ASIC ID
usb_write 4
usb_read 81
[*] read 0 bytes
NumOfSubblocks: 0x5
Subblock ID: 0x1
Subblock Size: 0x5
CH enabled: 0x7
ROM revision: 0x4
Checksum Subblock: 0x15
CHIP: 4430
IDEN: b1a3cecb3e5a097ee4d9313e2070f8863ca117f3
MPKH: 5f4092eccddf90fa43f546adf89508b31b9c74795e9516194c0ea6412fdcb7f6
CRC0: 9c669ad9
CRC1: 682adccf
sending 2ndstage to target... f0030002
usb_write 4
usb_write 4
wait 5-lelelel...
[*] msg size = 4
usb_write 21552
[*] data size = 21552
usb_close
Reopen usb...
Device descriptor:
bLength = 18
bDescriptorType = 1
bcdUSB = 528
bDeviceClass = 255
bDeviceSubClass = 255
bDeviceProtocol = 255
bMaxPacketSize0 = 64
idVendor = 451
idProduct = D00F
bcdDevice = 0
iManufacturer = 33
iProduct = 37
iSerialNumber = 0
bNumConfigurations = 1
waiting for 2ndstage response...
usb_read 4
usb read = aabbccdd
accepted 2ndstage response
sending image to target...
size = 246272
usb_write 4
usb_write 246272
** Done **
< waiting for device >
sending 'x-loader' (384 KB)...
OKAY [ 0.204s]
writing 'x-loader'...
OKAY [ 2.845s]
finished. total time: 3.050s
sending 'u-boot' (1024 KB)...
FAILED (status read failed (Too many links))
finished. total time: 107.422s
Done
Click to expand...
Click to collapse
Then i tried all ideas, which came to my head.
(Relock bootloader http://forum.xda-developers.com/showthread.php?p=44580559
p760-twrp-2.6.1-recovery.img
and much other, which i didnt remember...)
Finaly phone is bricking.
Any advices?
Edit:
Yesterday battery had 4.01 V, today has 3.7. I will try charge tomorrow.

Guys, what when i-loaded u-boot, x-loader after like i flashed JB rom by CWM ?
It can explain my current situation?
Look:
It are partiton for JB
View attachment 3762143
It are partition for ICS
View attachment 3762144
So i should now load some loader and boot file from JB?
Can U help me, pls?

I downloaded ICS stock rom. Exctracted it.
I made x-loader from file 0-gpt1.img. (256LBA-1023LBA). It is exactly same what file p1ics760.bin from fastboot by Lelus http://forum.xda-developers.com/showthread.php?t=2292828 )
once again i tried:
fastboot flash x-loader
fastboot flash u-boot
fastboot flash boot
fastboot flash recovery
All files are original from ICS stock rom.
No result.....
works only fastboot mode by software fastboot by Lelus.
Srsly this topic is so boring?
Edit:
Hm... u-boot file from here http://forum.xda-developers.com/showpost.php?p=39732470&postcount=20
is different from mine... x-loader is same like i wrote early...

It weird:
In Fastboot by Lelus - if i use any option between 2 and 7 - i get:
sending 'u-boot' (1024 KB)...
FAILED (status read failed (Too many links))
finished. total time: 107.422s
So i replaced file:
\fastboot\xu\p2ics760.bin
for original stock u-boot (in second try i replaced u-boot from this link http://forum.xda-developers.com/showpost.php?p=39732470&postcount=20)
(original p2ics760.bin i renamed to p2ics760.bin.old and u-boot.img i renamed to p2ics760.bin
and still is error - Too many links
But when i use:
fastboot flash u-boot u-boot.img - it hasn't error. It is same file!
Maybe the operation is successful, but in real it doesen't change anything? Is it possible?

Groszexxx said:
It weird:
In Fastboot by Lelus - if i use any option between 2 and 7 - i get:
sending 'u-boot' (1024 KB)...
FAILED (status read failed (Too many links))
finished. total time: 107.422s
So i replaced file:
\fastboot\xu\p2ics760.bin
for original stock u-boot (in second try i replaced u-boot from this link http://forum.xda-developers.com/showpost.php?p=39732470&postcount=20)
(original p2ics760.bin i renamed to p2ics760.bin.old and u-boot.img i renamed to p2ics760.bin
and still is error - Too many links
But when i use:
fastboot flash u-boot u-boot.img - it hasn't error. It is same file!
Maybe the operation is successful, but in real it doesen't change anything? Is it possible?
Click to expand...
Click to collapse
If you can enter in lelus fastboot, then flash a recovery wipe partitions and then with the recovery flash a rom....

My english is such bad or u didnt read the all posts? .
I flashed recovery partition much time. Telefon still is dead. Stock recovery, CWM, TWRP.
If I could flash recovery and after could "instal" rom - then it would not be problem .

Groszexxx said:
My english is such bad or u didnt read the all posts? .
I flashed recovery partition much time. Telefon still is dead. Stock recovery, CWM, TWRP.
If I could flash recovery and after could "instal" rom - then it would not be problem .
Click to expand...
Click to collapse
Then, If your L9 doesn't boot, it could be beacause a "IC power Cristal" or other hardware issue like EMM break (Eprom). In some case a box like http://octopusbox.com can solve the problem or in other case extract a log file with the exact issue details

A dead block of flash will produce CRC errors after or during the flash process and random lockups or reboots during operation. And if the fastboot problem strikes, you can issue commands via ADB, but after the necessary reboot there will be the PnP sound loop. If the phone is in Charge-only mode, ADB commands will be ignored, you can issue them, but **** happens.
Was there any positive feedback for the flash commands?

puntoazul said:
Then, If your L9 doesn't boot, it could be beacause a "IC power Cristal" or other hardware issue like EMM break (Eprom). In some case a box like http://octopusbox.com can solve the problem or in other case extract a log file with the exact issue details
Click to expand...
Click to collapse
It can be true. I received similar diagnosis about corrupt emmc. Anyway - for me it is possible but very unlikely (Ofc i havent experience).
lecorbusier said:
A dead block of flash will produce CRC errors after or during the flash process and random lockups or reboots during operation. And if the fastboot problem strikes, you can issue commands via ADB, but after the necessary reboot there will be the PnP sound loop. If the phone is in Charge-only mode, ADB commands will be ignored, you can issue them, but **** happens.
Was there any positive feedback for the flash commands?
Click to expand...
Click to collapse
Maybe i will show it on screens:
I run Fastboot by Lelus and set 2 option.
View attachment 3765116
And i get error:
View attachment 3765119
When i run fastboot by Lelus and set option 1 and type:
fastboot flash recovery 'filename'
View attachment 3765117

EHh, Finaly i think theory with emmc corrupt is are confirming.... after 30-40x flashed now i get one new and one very common error:
View attachment 3765322
View attachment 3765324
I am so sad! . But anyway, i am feeling much better when i know what is wrong with phone.

U-boot gets sent to the phone's RAM, but writing to its appropiate partition fails utterly. That is not necessarily hardware related. And nothing I've seen before. Either the partition got damaged or deleted, or it's in F2FS format. Artas' CM11 uses F2FS, EdwinMoqs CM13 as an option, and TWRP from 2.8.x can format partitions with F2FS.
But D/L mode is almost indestructible, only a bit tricky to invoke. And requires LG drivers. Even if the phone is no longer getting recognized by LG drivers and LG software because of a custom rom, when in D/L mode the LG driver should install a virtual COM port and the LG flash tool should now recognize the phone. Ihad difficulties flashing a KDZ file with LG Fladh Tool 2014,but the tool from the LG site, getting the stock rom directly from the server, works reliably, but it's best to flash twice in a row. If the phone auto-reboots into launcher, it's a success. If you see LG's stock recovery after the flash, flash another time.

Ok. if you run this command: "fastboot flash u-boot u-boot.img" (assuming that the u-boot.img file is for your l9 model), and result is cannot write in partition then EMMC is break (95% probability)
---------- Post added at 09:16 AM ---------- Previous post was at 09:13 AM ----------
lecorbusier said:
U-boot gets sent to the phone's RAM, but writing to its appropiate partition fails utterly. That is not necessarily hardware related. And nothing I've seen before. Either the partition got damaged or deleted, or it's in F2FS format. Artas' CM11 uses F2FS, EdwinMoqs CM13 as an option, and TWRP from 2.8.x can format partitions with F2FS.
But D/L mode is almost indestructible, only a bit tricky to invoke. And requires LG drivers. Even if the phone is no longer getting recognized by LG drivers and LG software because of a custom rom, when in D/L mode the LG driver should install a virtual COM port and the LG flash tool should now recognize the phone. Ihad difficulties flashing a KDZ file with LG Fladh Tool 2014,but the tool from the LG site, getting the stock rom directly from the server, works reliably, but it's best to flash twice in a row. If the phone auto-reboots into launcher, it's a success. If you see LG's stock recovery after the flash, flash another time.
Click to expand...
Click to collapse
Could be... perhaps if use Lg flash tool 2014 in emergency mode... (5% probability but is more than nothing) i hope @Groszexxx can revive his device

and if i was you... i try this... (see attach)

Yes, i talked about octoplus with someone, who has it. I never had anyone box . It is not my job . I was only curious what is it with phone my friend. I spend much hours on this issue. Anyway, i dont regret.
I will send phone to someone, who can flash it by some box like octoplus or jtag.
Thanks for lecorbusier post. I read much post, but this one is new for me.
So - time saying goodbye .
Maybe i will inform what will be next, maybe not ;p. We will see .
Thanks for all!

Note 8 N950U QDL9008 / EDL Mode - Unbrick Rom is HERE

This is not for soft bricked devices.
This is for hard bricked devices that cant go into recovery or download mode.
This is for devices on the Version 2 Bootloader like samfail v2 or any normal V2 bootloader.
It may work on other bootloader versions with some modification.
If you have a hard bricked device let me know and I will help you test this.
I don't want to just post the files and have people cause bricks by flashing this to non-v2 bootloaders.
People with other versions of the bootloader and a bricked device let me know and we will test some things.
If you need this let me know and we will do some testing.

How to Unbrick
First you need to install the drivers for QDL.
Option A is to install QPST.
I think then the drivers will automatically install in windows when you connect a device in edl mode.
Or you can manually choose the driver to install if you know how.
I will upload both.
Get the device in EDL mode.
It might go automaticall (hopefully).
If not you need a EDL Cabel or Deep Flash Cable.
Theres instruction around how to make one.
After device is in edl mode and connected to the computer open windows device manager.
Under Ports you should see .
https://photos.app.goo.gl/ibD8KYy9GVQFvJheA
I doubt you will see Portable Devices. I have it because of a special sd card.
After you see Qualcomm-HS-USB QDloader under ports your ready to unbrick.
Copy the N950U2 FOLDER TO C:\ ON YOUR COMPUTER.
Open command prompt as administrator.
In search bar in windows type cmd
Right click on command prompt and run as administrator.
cd to the n950u folder
Code:
cd c:\N950U2
https://photos.app.goo.gl/VzJjwsU6NWLdyDCc6
type
Code:
N950U2_Recovery.bat
You should get this window.
https://photos.app.goo.gl/F7hcuPCCqrci9A1KA
type the com port of your edl device and hit enter.
Be sure to copy the log in the terminal window and save it to share with us later.
Heres the files.
https://www.mediafire.com/file/9bb4vgx1kmir4gz/QPST.2.7.472_2018.zip/file
https://www.mediafire.com/file/eo9wcbtdle1xsc8/Qualcomm_Drivers_QDLoader.zip/file
https://www.mediafire.com/file/dfzy3zo8ibrh1p7/Unbrick-Samsung-Qualcom-9008-Files.zip/file
After the flash completes the phone should boot to download mode.
If not try to boot it to download mode.
Look at secure boot status and all of that when you boot to download mode.
If you dont see it power the device off then reboot into download mode again.
Were looking for any change in the bootloader status.
Maybe the edl bootloader is unlocked.
After that its just normal flash by ODIN back to whater you were on.
PLEASE REPORT BACK YOUR EXPERIENCE WHEN YOU DO THIS.
Note I had screenshots but there not showing. Ill try to fix them. Just Click the links for now.

link not working
can you redo the link for the last download please

lilbowza1985 said:
can you redo the link for the last download please
Click to expand...
Click to collapse
All links are working for me.
If you are going to flash the EDL let me know.
I would be grateful to help you see what the state of the edl bootloader is.
Possibly unlockable!!

Please update to BL v5 if possible.
Hey I just gave it a shot to the steps and it did not work. I think maybe because my n8 has a higher BL version, I think v5 actually. Thanks for the post. Hope you could help out updating the recovery to a BL v5. Here are the logs I got.
Input Port Number[1~300,x:Exit]:10
10
Start Recovery.
emmcdl.exe -p COM10 -f prog_ufs_firehose_8998_ddr.elf -MemoryName ufs -SetActivePartition 1 -x rawprogram0.xml -x rawprogram1.xml -x rawprogram2.xml -x rawprogram3.xml
Version 2.10
Downloading flash programmer: prog_ufs_firehose_8998_ddr.elf
Successfully open flash programmer to write: prog_ufs_firehose_8998_ddr.elf
Expecting SAHARA_END_TRANSFER but found: 0
!!!!!!!! WARNING: Flash programmer failed to load trying to continue !!!!!!!!!


Programming UFS device using SECTOR_SIZE=4096
<?xml version = "1.0" ?><data><configure MemoryName="ufs" ZLPAwareHost="1" SkipStorageInit="0" SkipWrite="0" MaxPayloadSizeToTargetInBytes="1048576"/></data>

ERROR: No response to configure packet
Status: 21 The device is not ready.
Finish!!

I got the same error,
I got the same error.......

Can i use this for g892u rev 3

BigCountry907 said:
All links are working for me.
If you are going to flash the EDL let me know.
I would be grateful to help you see what the state of the edl bootloader is.
Possibly unlockable!!
Click to expand...
Click to collapse
my phone cant turn on,i cant go to recovery mode and download mode,what i must do?
plz help

qban-it-solution said:
Hey I just gave it a shot to the steps and it did not work. I think maybe because my n8 has a higher BL version, I think v5 actually. Thanks for the post. Hope you could help out updating the recovery to a BL v5. Here are the logs I got.
Input Port Number[1~300,x:Exit]:10
10
Start Recovery.
emmcdl.exe -p COM10 -f prog_ufs_firehose_8998_ddr.elf -MemoryName ufs -SetActivePartition 1 -x rawprogram0.xml -x rawprogram1.xml -x rawprogram2.xml -x rawprogram3.xml
Version 2.10
Downloading flash programmer: prog_ufs_firehose_8998_ddr.elf
Successfully open flash programmer to write: prog_ufs_firehose_8998_ddr.elf
Expecting SAHARA_END_TRANSFER but found: 0
!!!!!!!! WARNING: Flash programmer failed to load trying to continue !!!!!!!!!


Programming UFS device using SECTOR_SIZE=4096
<?xml version = "1.0" ?><data><configure MemoryName="ufs" ZLPAwareHost="1" SkipStorageInit="0" SkipWrite="0" MaxPayloadSizeToTargetInBytes="1048576"/></data>

ERROR: No response to configure packet
Status: 21 The device is not ready.
Finish!!
Click to expand...
Click to collapse
i have same problem..

Note 8 Bricked after using COMBINATION_FA71_N950USQU5ARJ1_CL13942288_QB203914 89_REV00
seansha said:
i have same problem..
Click to expand...
Click to collapse
Did you get an answer? I can't find a firmware that will work! I'm totally bricked
I flashed this:
COMBINATION_FA71_N950USQU5ARJ1_CL13942288_QB20391489_REV00_user_mid_noship_MULTI_CERT.tar
And i was bricked after.

m4r20 said:
Did you get an answer? I can't find a firmware that will work! I'm totally bricked
I flashed this:
COMBINATION_FA71_N950USQU5ARJ1_CL13942288_QB20391489_REV00_user_mid_noship_MULTI_CERT.tar
And i was bricked after.
Click to expand...
Click to collapse
I am having the same problem and I was working off of the guide to install EDL and Root the Phone Here: https://forum.xda-developers.com/galaxy-note-8/development/root-t3942403
I have been searching for a way to resolve the same behavior and found this post. I noticed the original Guide I followed did not have me install any Qualcomm drivers, I am HOPING to do so using the ones provided here may fix things.
I am also not really happy with the CMD script they used in both this and the other method, it makes the process harder by using a setp to pause at the end instead of a pause or something obvious and by setting the max lines on the CONsole to 40 which over-flowed my screen, so I had to comment it out. Also not sure why they didn't just list the ports in a menu and have you choose or try to guess for you based off how they get it. But thats just somme griping.
I am HOPINNG that the FACTORY BINARY >>>>>> screen I get to in my phone is "EDL" it's unclear to me from the info on these sites, rooting guides have continued to become less clear over the years assuming everyone knows every step like the back of their hands.

im stuck here too. its like I have no bootloader, and I cant flash. no download mode, no recovery. No light when I plug it in to charge...just upload mode. the phone was on BL 6.

Bricked here as well...Same error with failed to load flash programmer..Still stabbing at it with no results as of yet.

please keep me in the loop
Surgeman said:
Bricked here as well...Same error with failed to load flash programmer..Still stabbing at it with no results as of yet.
Click to expand...
Click to collapse

A lot of people don't listen or read anything and @BigCountry907 specifically said this is for bootloader version 2 and it might work for others with "SOME MODIFICATION" but anyone with common sense would know this isn't going to work on version 5 of the bootloader!!

MrMike2182 said:
A lot of people don't listen or read anything and @BigCountry907 specifically said this is for bootloader version 2 and it might work for others with "SOME MODIFICATION" but anyone with common sense would know this isn't going to work on version 5 of the bootloader!!
Click to expand...
Click to collapse
I beg the differ....I have actually got it to flash using the old bootloader jig for the older Notes..But it won't repair the eMMC portion...

@MrMike
Check PM
Sent from my SM-N975U using Tapatalk

My phone is currently the same. If only I could get into edl mode, it would be fixed. But I don't know how to get into edl mode using only hardware

Can I ask a question. A HOW TO exactly would be awesome. Ok I have Sm-N950U running 7.1.1 you know with the 80% only battery. All runs great. Its the Snapdragon version. HOW can I get it back to before I got it this way. Before I did all this it had.. I forget V6..somthing.
Or can you point me to somewhere that really explains this. Getting it to 7.1.1 seem easy vs now trying to get it back.
Thanks

Hi @BigCountry907, i used your method n950u2 with QFIL on my n950w (N950WVLS7DTA1) by enter EDL mode, but got no luck.
Below is the log of QFIL:
Binary build date: Oct 31 2016 @ 22:51:05
QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'Current working dir: C:\Users\KN\AppData\Roaming\Qualcomm\QFIL\COMPORT_6
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: C:\temp\n950w\UnbrickQC-9008\N950U2\prog_ufs_firehose_8998_ddr.elf
21:19:39: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
21:19:39: ERROR: function: sahara_main:924 Sahara protocol error
21:19:39: ERROR: function: main:303 Uploading Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Failrocess fail
Finish Download
I also tried with eMMC Dongle app but no luck also.
Loading GUID Partition Table
EMPTY SKIPPING
=> it's mean the main partition is corrupted
Would you mind help me by teaching me the correct way to booting from sdcard then repartition the main Qualcomm’s memory?
The problem of brick: i messed up the Qualcomm’s partition while playing around with "boot.img dqmdbg.img.ext4 storsec.mbn msadp.mbn apdp.mbn sec.dat recovery.img NON-HLOS.bin xbl.elf tz.mbn abl.elf bksecapp.mbn keymaster.mbn cmnlib64.mbn rpm.mbn hyp.mbn cmnlib.mbn devcfg.mbn pmic.elf adspso.bin modem.bin" then flash with Oddin via BL slot.
Many thanks and best regards!

iplay 7t (sc9832e processor) root / unlock bootloader suggestions

Recently purchased an iplay 7t after reading the xda review. This is replacing an LG v400 tablet that I had rooted. I updated the iplay to build T701_V1.20_20191112, enabled developer options, enabled oem unlock bootloader, found the corresponding firmware pac, installed magisk and used it to patch boot.img. So far so good.
I entered fastboot, then I attempted to flash the modified boot.img and was told:
Code:
target didn't report max-download-size
sending 'boot' (18584 KB)...
OKAY [ 0.593s]
writing 'boot'...
FAILED (remote: Flashing Lock Flag is locked. Please unlock it first!)
finished. total time: 0.608s
I tried various options to unlock the bootloader:
Code:
> fastboot getvar unlocked
unlocked:
finished. total time: -0.000s
> fastboot oem unlock
...
FAILED (remote: unknown cmd.)
finished. total time: -0.000s
> fastboot oem unlock-go
...
FAILED (remote: unknown cmd.)
finished. total time: 0.002s
> fastboot flashing get_unlock_ability
...
FAILED (remote: Not implement.)
finished. total time: -0.000s
> fastboot flashing unlock
...
FAILED (remote: Not implemet.)
finished. total time: -0.000s
> fastboot flashing unlock_critical
...
FAILED (remote: Not implement.)
finished. total time: 0.016s
> fastboot flashing unlock_bootloader
fastboot: usage: unknown 'flashing' command unlock_bootloader
> fastboot flashing unlock_bootloader_nonce
fastboot: usage: unknown 'flashing' command unlock_bootloader_nonce
Okay ... fine. I fired up SPD Research tool and attempted to use it to flash the modified boot.img. It transfers the image and then times out.
As a sanity check I used SPD Research tool to flash the original boot.img and that worked fine.
I'll note the modified image is smaller than the original, however padding the modified image with zeros to the same size didn't seem to help. Using SPD Research tool to flash the padded image still timed out.
I am looking to open a request up on the Alldocube support site (currently their registration form is giving me an error), in the meantime ... suggestions? Has anyone successfully flashed a modified boot.img on this device / rooted this device?

in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.

DR.Doyle said:
in the "developer option" on your phone, you should enable the "allow unlock bootloader" option.
Click to expand...
Click to collapse
Yes ... I have that enabled.

Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.

jwehle said:
Okay I was able to unlock the bootloader by using the procedure documented for the Qin 2 Pro. With the bootloader unlocked on reboot the device notes:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by:
Code:
WARNING: LOCK FLAG IS : UNLOCKED, SKIP VERIFY!!!
Using fastboot I can now reflash the stock vbmeta and the stock recovery without any problems and the stock recovery boots fine.
Also if I re-sign the stock recovery, then I can't flash it (fastboot flash hangs) until I've flashed a modified vbmeta containing the new public key for the re-signed recovery. Meaning flashing vbmeta is "working".
All this seems like I'm on the right track.
However attempting to boot into the re-signed stock recovery results in:
Code:
INFO: LOCK FLAG IS : UNLOCKED!!!
followed by the device hanging (without displaying the WARNING message) so there is still something that's unhappy.
Any thoughts on how to get to the point that I can flash a useable re-signed stock recovery? If I can get that to work, then I should be in good shape to install magisk.
Click to expand...
Click to collapse
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.

wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery.
Click to expand...
Click to collapse
Thanks for supplying the modified PAC and for explaining the changes.
Your PAC seemed to work fine and now that I have a better understanding
of things I should be able build my own PAC when I have a chance.
Your time and effort in explaining things is appreciated.

What's the significance of removing the encryption for the vendor partitions?

jwehle said:
What's the significance of removing the encryption for the vendor partitions?
Click to expand...
Click to collapse
the vendor img in my pac，just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
fstab.sp9832e_1h10：
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="DarkOrange"]fileencryption[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]fileencryption[/COLOR]=aes-256-xts
---------->
Code:
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,inline_xattr,inline_data wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts,reservedsize=128M
/dev/block/platform/soc/soc:ap-ahb/20600000.sdio/by-name/userdata /data ext4 noatime,nosuid,nodev,nomblk_io_submit,noauto_da_alloc wait,check,[COLOR="darkorange"]encryptable[/COLOR]=aes-256-xts

wangyiling said:
the vendor img in my pac，just use ext4 format.i have use simg2img convert the oringin vendor img to ext4 format,and modify the fstab file in vendor/etc folder.
Click to expand...
Click to collapse
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.

jwehle said:
Actually, I was more curious as to why it was necessary / desirable to remove the encryption from the vendor partitions.
Click to expand...
Click to collapse
Just for twrp to read the data partition, convenient for personal use。

It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Code:
vbmeta
boot
recovery
What was happening is when the system started normally it saw that recovery image had been modified so it checked if the boot image was the factory standard image. Since I hadn't touched the boot image the OS went ahead and attempted to replace the recovery image I flashed with a standard recovery image generated on the fly from the factory standard boot image. This caused a soft-brick when I rebooted into recovery since that recovery image wasn't signed using the public key specified by my replacement vbmeta.
By also flashing a newly signed boot image because the signature is different from what's it knows about the system no longer attempts to use it to refresh the recovery image.
Here's an outline of what I did to successfully root the device:
Use the Qin 2 Pro instructions / tools to unlock the boot loader.
Flash the appropriate factory standard firmware to establish a know starting point. I used iplay7t(T701)-Android9.0-ALLDOCUBE-191112 from the Alldocube web site.
Use SPD Rsearch Tool to extract vbmeta-sign.img, boot.img, and recovery.img.
Use avbtool (with the below patch) to extract the public keys from vbmeta-sign.img like so:
Code:
avbtool info_image --image vbmeta-sign.img.
Use make (with the below makefile) to sign vbmeta, boot, and recovery using a new key.
Flashed vbmeta, boot, and recovery.
Booted into recovery, saw that it worked, and did a factory reset.
Used magisk to patch recovery.img in the normal fashion, signed the patched recovery using the new key, and flashed the patched recovery.
Proceed to finish installing magisk in the normal fashion.
Notes:
rsa4096_vbmeta.pem is the private key mentioned in the Qin 2 Pro article.
The dhtbsign-vbmeta command is basically the dhtb signing python script from Qin 2 Pro article.
Here's the trival patch for avbtool to dump the public keys.
Code:
--- avbtool 2020-02-22 22:11:55.107787032 -0500
+++ avbtool.dumpkeys 2020-02-22 22:15:36.046283077 -0500
@@ -1657,6 +1657,10 @@ class AvbChainPartitionDescriptor(AvbDes
Arguments:
o: The object to write the output to.
"""
+ kfd = open(self.partition_name, "w");
+ kfd.write(self.public_key);
+ kfd.close();
+
o.write(' Chain Partition descriptor:\n')
o.write(' Partition Name: {}\n'.format(self.partition_name))
o.write(' Rollback Index Location: {}\n'.format(
Here's the makefile I used for signing the images.
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: Makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key ../rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
dhtbsign-vbmeta vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
avbtool add_hash_footer --image recovery-sign.img \
--partition_name recovery --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096

@ jwehle，Very grateful for your detailed sharing

Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.

MissAyako said:
Did you have any trouble getting the tablet to populate the fastboot devices list?
I have USB drivers installed and can view the tablet's internal storage when it's not in fastboot mode. She's plugged directly into the mobo and I've tried two cables.
When in fastboot mode, it comes up in the Windows Device Manager as fastboot Gadget and drivers are apparently not available. I've tried using Zadig to feed it a driver of some kind, but still nothing.
Click to expand...
Click to collapse
Seems the issue was with Windows. I thought I would be able to get the unlock token with Windows and then use WSL to do the rest of the signing, but apparently not.
Luckily I had an old laptop lying around. I threw Linux Mint on it and it worked just fine.
It didn't seem to work just using a live USB; I had to install Linux to the hard disk, but YMMV.

jwehle said:
It looks like the issue on this tablet is similar to what the magisk documentation mentions regarding the new Samsung tablets. Meaning after the bootloader is unlocked when rooting you should flash newly signed versions of the following:
Click to expand...
Click to collapse
This was wonderful, thank you! I've added some of my own notes below as an experience of what I encountered when attempting this process myself (spoiler'd because it is a lot).
I do not have enough post count to add links, but titles to the relevant articles has been added.
Follow steps in Article "Guide: How to Unlock Xiaomi Qin 2 (Pro) and Install Custom ROMs" from step 1 to (and including) step 10 (Unlocking section).
Notes:
- A Linux PC is necessary.
- You'll have to mark the "fastboot" file from the "Android_device_unlock.rar" archive as executable (chmod +x).
- Run the "fastboot" file as root.
- Getting the "SPD Research Tool" to pick up the tablet and not let the tablet try to move to either the charging
screen or the bootlogo is difficult, but do-able. Press and hold Power+Vol_Up and release when Windows does its
USB device detected chime.
- Flashing takes a few minutes (I think around 300 seconds).
- The SPD Research Tool extracts the PAC file contents into a folder. Grab the system images from there.
- The "avbtool" is available to be cloned via git from Google's repo
- The avbtool is a python script that is patched with three lines of code at line 1776:
Code:
kfd = open(self.partition_name, "w");
kfd.write(self.public_key);
kfd.close();
- When you use the patched avbtool on the vbmeta-sign.img file you copied (avbtool info_image --image vbmeta-sign.img)
it will produce several partitions with relative public keys that need to be stored in separate files for the next step.
The contents of the files are simply the public key and the partition name as the file name. Store the files in a folder named "keys".
- When creating the makefile, ensure that proper indentation is used. The code segment below is properly formatted (hopefully). If you get make errors, remove and re-indent the lines.
- If your "rsa4096_vbmeta.pem" keyfile is not placed alongside the makefile, ensure the --key flag points to this file.
- The makefile exists in the same directory as the system images.
- I had to insert local paths to the avbtool, as it was not installed to the system PATH.
- The dhtbsign-vbmeta.py command is located below. Make sure to mark this as executable as well.
Everything else is rather straightforward.
# makefile
Code:
all: boot-sign.img recovery-sign.img vbmeta-sign.img
vbmeta-sign.img: makefile avb4096_pkmd.bin keys/*
avbtool make_vbmeta_image --output vbmeta.img --padding_size 16384 \
--key rsa4096_vbmeta.pem --algorithm SHA256_RSA4096 --flag 0 \
--chain_partition boot:1:avb4096_pkmd.bin \
--chain_partition system:3:keys/system \
--chain_partition vendor:4:keys/vendor \
--chain_partition product:10:keys/product \
--chain_partition dtbo:9:keys/dtbo \
--chain_partition recovery:2:avb4096_pkmd.bin \
--chain_partition l_modem:5:keys/l_modem \
--chain_partition l_ldsp:6:keys/l_ldsp \
--chain_partition l_gdsp:7:keys/l_gdsp \
--chain_partition pm_sys:8:keys/pm_sys \
--chain_partition dtb:11:keys/dtb
./dhtbsign-vbmeta.py vbmeta.img vbmeta-sign.img
@rm -f vbmeta.img
avb4096_pkmd.bin: avb4096.pem
avbtool extract_public_key --key avb4096.pem --output avb4096_pkmd.bin
avb4096.pem:
openssl genrsa -out avb4096.pem 4096
boot-sign.img: boot.img avb4096.pem
cp boot.img boot-sign.img
avbtool add_hash_footer --image boot-sign.img \
--partition_name boot --partition_size 36700160 \
--key avb4096.pem --algorithm SHA256_RSA4096
recovery-sign.img: recovery.img avb4096.pem
cp recovery.img recovery-sign.img
# dhtbsign-vbmeta.py file (from "How I Unlocked Xiaomi Qin 2 Pro and Installed Phh GSI")
Code:
#!/usr/bin/env python
import hashlib
import sys
f = open(sys.argv[1], "rb")
b = f.read()
sha = hashlib.sha256(b).digest()
f.close()
f = open("vbmeta_signed.img", "wb")
f.write(b)
f.seek(1048576 - 512)
f.write(b'\x44\x48\x54\x42\x01\x00\x00\x00')
f.write(sha)
f.write(b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00')
f.seek(1048576 - 1)
f.write(b'\x00')
f.close()

wuxianlin has build a twrp device for T701.
i think this will be a help .

Help me
Sir help pliz same problem my device ,same chipset , Symphony i95 ,pliz sir modify my pac file pliz....

wangyiling said:
Dear jwehle:
good job, i have also modify the pac firmware file which based on chinese vesion firmware:T701-1101-vbmetapri-vennofbe-systemnore-recpri01.pac
What's modified:
1.resgin the vbmeta img
2.delete fbe Force encryption in vendor partitions
3.delete the script in system.img to prevent factory recovery restore
4.modify recovery.img to a magisk build-in recovery
please use SPD_Research_Tool to flash the pac,change the android os language from chinese to english ,install magiskmanager app ,and the use adb command (adb reboot recovery)to let tablet reboot to recovery.
after tablet reboot to android os again ,open magiskmanager app,you can see the magisk can get root authority .
how to change language from chinese to english,please see attach png file.
Considering that the Android os you are using is in English version(including Google services),according to the modification points above, you can try to use the vbmeta and recovery (built in magisk) modified by your own signature , and then delete the fbe Force encryption、 recovery restoration in the system and vendor images , then use the SPD_Research_Tool to package the imgs into a pac image, flash the pac image, install the magiskmanager app, and use the adb command to restart the machine into recovery mode, so you can use magisk to get root permissions.
twrp egg:https://mega.nz/#!YZ9VDZbT!1ptlOI6g3FS_ES-cLGhLy9ybGtdHQ8vzVHaasAXglXo
and last thanks PeterCxy on xda 、the other masters sifu on 4pda agian.
Click to expand...
Click to collapse
can i just flash the pac without unlocking the bootloader.
thanks in advances

hidroela said:
can i just flash the pac without unlocking the bootloader.
thanks in advances
Click to expand...
Click to collapse
yes,just falsh pac

wangyiling said:
yes,just falsh pac
Click to expand...
Click to collapse
i did unlocked the bootloader and flash the pac and follow the instructions for magisk to work, but after a third reboot Root was gone.
i don't know what I am missing.

Question Bootloop after C10 update

Hey,
I've recently updated my Nord 2 from A21 to C10. Phone was unlocked and rooted, so after having reflashed the original boot.img, I forced the installation of the official OTA through TWRP. I had to set ro.commonsoft.ota=OP515BL1 to make it work. After the installation, TWRP failed to mount /system, but that didn't surprised me. I checked that the boot partition has been well flashed.
Now every time I try to power on the phone, it directly tries to run into recovery mode. However it fails and start again and again...
Maybe the system tries to install the OTA using the original recovery, which of course fails, and because of an unknown reason, it doesn't reboot to system.
Because of the last update, fastboot is not accessible anymore using vol -, and BROM mode is not accessible using vol + / vol -.
I tried to crash the preloader using mtkclient but it didn't work.
I tried to use META mode to switch to fastboot, but preloader only answers "READY" (instead of "READYTOOBTSAF"), and nothing changes.
I try to reverse engineer preloader and lk but it's something new for me. META mode code is still present in the preloader, so I don't understand what's wrong with it. Maybe disabled by default on USB...
Does anyone has a solution to boot into BROM mode or make META mode work ?
Or maybe I could find DA authentication files somewhere ?

@Petitoto can you share a bit about how you got the meta command running?
I'm in a similar situation with a Nord 2T. While mtkclient can get some info out of the preloader, meta never seems to connect.
Code:
mtk gettargetconfig
Preloader - Status: Waiting for PreLoader VCOM, please connect mobile
Port - Device detected :)
Preloader - CPU: MT6893(Dimensity 1200)
Preloader - HW version: 0x0
Preloader - WDT: 0x10007000
Preloader - Uart: 0x11002000
Preloader - Brom payload addr: 0x100a00
Preloader - DA payload addr: 0x201000
Preloader - CQ_DMA addr: 0x10212000
Preloader - Var1: 0xa
Preloader - Disabling Watchdog...
Preloader - HW code: 0x950
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Preloader - Get Target info
Preloader - HW subcode: 0x8a00
Preloader - HW Ver: 0xca00
Preloader - SW Ver: 0x0
Main - Getting target info...
Preloader - Target config: 0x5
Preloader - SBC enabled: True
Preloader - SLA enabled: False
Preloader - DAA enabled: True
Preloader - SWJTAG enabled: True
Preloader - EPP_PARAM at 0x600 after EMMC_BOOT/SDMMC_BOOT: False
Preloader - Root cert required: False
Preloader - Mem read auth: False
Preloader - Mem write auth: False
Preloader - Cmd 0xC8 blocked: False
Code:
mtk meta FASTBOOT
META - Status: Waiting for PreLoader VCOM, please connect mobile
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.
...........
META - Hint:
Power off the phone before connecting.
For preloader mode, don't press any hw button and connect usb.

Hey @Beanow,
I have the same gettargetconfig output, which indicates that the phone is not in BROM mode but stuck in preloader. Trying to interact with the preloader always lead to error because of the DAA (DAA_SIG_VERIFY_FAILED for example).
I have the same issue with mtkclient and meta mode. You can use the following modified mtk-bootseq.py:
py mtk-bootseq.py FASTBOOT COMXX (or python3 mtk-bootseq.py FASTBOOT /dev/ttyACMXX on linux).
Python:
import sys
import time
from serial import Serial
BOOTSEQ = bytes(sys.argv[1], "ascii")
DEVICE = sys.argv[2]
CONFIRM = b"READY" + BOOTSEQ[::-1]
while True:
try:
s = Serial(DEVICE, 115200, timeout=0.1)
print(".\n[+] Device detected")
break
except OSError as e:
sys.stdout.write("."); sys.stdout.flush()
time.sleep(0.1)
print("<-", s.read(256))
def send(bytes):
s.write(bytes)
print("->", str(bytes))
resp = s.read(256)
print("<-", str(resp))
return resp
resp = b''
while resp != CONFIRM:
resp = send(BOOTSEQ)
print("[+] Boot sequence sent")
On another device, it works and I get:
Code:
...............................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READYTOOBTSAF'
[+] Boot sequence sent
However, on my Nord 2, I get:
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Then the next s.write() is hanging.
I get the same result for any other boot mode. However, the code is still present in the preloader.
I unfolded my phone to try to find a test point. I tried all golden points but I only found:
- a point which loads preloader (and not BROM...) in the same way vol + / - do (in red in the picture)
- a point which boots the phone but without Android and OnePlus pictures (what's that ??) (in green)
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I don't know how test point is handled: if that's the role of preloader, it may have been disabled by the update (as the BROM and fastboot). We may need to find the DAT0 point of the eMMC to short it and prevent the BROM to find the preloader, making it to go in EDL mode. However, I think that this point isn't exposed, and I won't disassemble my phone further without beeing sure of success...

Thank you so much for the work so far!
Unfortunately I get no response at all on the Nord 2T.
Code:
.......................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
Traceback (most recent call last):
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 31, in <module>
resp = send(BOOTSEQ)
File "/media/droid-work/mtkclient/mtk-bootseq.py", line 24, in send
resp = s.read(256)
File "/usr/lib/python3.10/site-packages/pyserial-3.5-py3.10.egg/serial/serialposix.py", line 595, in read
raise SerialException(
serial.serialutil.SerialException: device reports readiness to read but returned no data (device disconnected or multiple access on port?)
How did you connect to the device that you're getting these responses?
In my case, I need to use vol+, vol- and power, like mtkclient, or the ttyACM0 won't exist.
(I've got udevadm monitor up, watching for the usb/tty to be added)

Indeed, you need to run into preloader using vol +, vol -
Maybe a driver / python module issue. I've got similar issues on my linux. Try on windows or try to reinstall drivers.
It should work at least for the first answer. Else it means that your preloader doesn't send any data, which is not the case as mtkclient works.

I also tried a different baud, because a pl_lk log from oplusreserve2 partition suggested it may be used. No luck though. Note, this was a very old log I saved early on. Definitely not reflective of latest Nord 2T update.
Code:
[PLFM] boot_tag size = 0x0
BOOT_TAG_VERSION: 0
BOOT_REASON: 0
BOOT_MODE: 0
META_COM TYPE: 0
META_COM ID: 0
META_COM PORT: 285220864
META LOG DISABLE: 0
FAST META GPIO: 5906
LOG_COM PORT: 285220864
LOG_COM BAUD: 921600
LOG_COM EN: 1
LOG_COM SWITCH: 0
MEM_NUM: 2
MEM_SIZE: 0xAE7B
MEM_SIZE: 0xAE8D
I guess I'll try windows then

Code:
python mtk-bootseq.py FASTBOOT COM4
...................................................................................................................................
[+] Device detected
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''
Windows looks to behave similar. Though windows wouldn't take the MTK VCOM driver, so this is win10 default serial, in a VM over USB passthrough.

So, same result not in a VM. Though specifically with powershell I got the same output as you did.
Code:
...........................................
[+] Device detected
<- b'READYREADYREADYREADYREADY'
-> b'FASTBOOT'
<- b'READY'
-> b'FASTBOOT'
<- b''
-> b'FASTBOOT'
<- b''

This is really a helpfull post for us. I've already a oneplus nord 2 phn,from this post i know the more information about this phn.

Thank you so much.

@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows

Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Click to expand...
Click to collapse
Thanks for this. No need to switch to windows anymore, to use mtk client.

Petitoto said:
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
Click to expand...
Click to collapse
Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
All theories, but I would find it really hard to believe there's a problem with Linux drivers / libraries for something as basic as a UART/serial console over USB.

Petitoto said:
@Beanow So same results...
It's weird that it doesn't work on Linux. Maybe an issue related to pyserial or connection settings.
What's preventing the device to be detected by mtkclient is line 54 in mtkclient/Library/meta.py: and cdc.pid == 0x2000 should be removed. So you can try to switch to fastboot using mtkclient on Linux, but with my Nord2 I get the same results as mtk-bootseq.py on Windows
Click to expand...
Click to collapse
I also suspected this PID check and tried to log the else cases, but never reaches those for me.
So removing the check didn't help for mtkclients' meta commands.

Is it 'not working' though? It's also weird to me that I had the same output as Linux using Windows' cmd, while there was READY spam in powershell. Same drivers, same python, same libraries, but different output?
Click to expand...
Click to collapse
Differents results when using cmd and powershell? There is really no reason for that. Unless it's not the same Python environment, with different pyserial for eg. I have issues to run mtk-bootseq on Linux, but always the same output on Windows' cmd.
I suspect that it might be a timing issue. Maybe the serial console doesn't care about or wait for input at all. And just spams READY a few times. It would be a matter of how fast the connection is established.
Click to expand...
Click to collapse
Maybe. On linux, I can get different results depending on baud rate, timeout (and luck?). If there is an issue related to the connection, it might explain why the preloader doesn't answer as expected. But as other commands (like mtk gettargetconfig, but also manually handshaking connections and gathering informations in pyserial) work well, I tend to think it's just disabled.
Perhaps as well there's a different subsystem sending commands to the 'meta' environment and the READY spam means it's processing those commands rather than whatever we're sending.
Click to expand...
Click to collapse
I don't really know how it works. The code is still present in the preloader. However this functionnality is not always enabled. Maybe reversing the preloader more or analysing the log you provided on Github might help to determine whether or not it is enabled. Moreover, even if we manage to switch to fastboot, if the bootloader has been fully disabled, we may face the issue of the preloader trying to run into a non existant fastboot. Maybe the FACTFACT mode may help to reset the device, but I don't really know a lot about this mode.
So removing the check didn't help for mtkclients' meta commands.
Click to expand...
Click to collapse
Once you removed this check, if you print the data sent by the preloader, you'll get the multiple "READY" like mtk-bootseq on Windows. Moreover, I can switch to fastboot using this command on another MTK device.

Dear Sir,
Do you have any method to recover my phone as the figure show?
Thank You