Showing posts with label Tips-Tricks. Show all posts

Monday, July 3, 2023

Rollback Nokia 8.1 to Android 10 from Android 11 without unlocking bootloader. Needs EDL (emergency download mode)

I updated Nokia 8.1 from Pie to Android 10 and then to Android 11. Pie was good for network because Android 10 made network connection weaker and less stable than Pie. Android 11 is the worst Android ever released. I started hating it and was desperate to get rid of it. It was slow and didn't offer me anything worth more than Android 10. For security 11 is better but performance is poor. Finally, 7-10 days of effort gave me success in rolling back Nokia 8.1 to Android 10.


I never unlocked the bootloader of my phone, and I tried lots of methods and apps and all failed. I then started going deep into how these flashing apps actually work. I cracked it and I flashed the Android 10 431A stock ROM. Before I start the whole process, it is critical to understand the basics. I will describe the required details so that even a normal PC user can understand.


Just as a PC has a hard disk that contains the OS, phones and tablets have solid-state storage, the same kind of storage that is present in SSDs, pen drives, etc. The storage is split into multiple parts called partitions. They are like the C, D, E etc. drives of Windows. If you are a Linux user you will understand phone storage much better than Windows users. Partitions are important because the files of one partition don't interfere with the files of another partition. For example, if the D drive holds multimedia data and becomes full, it will not affect the C drive, which contains the OS. If you fill the C drive with media, it will affect the OS.


Now coming to phone storage and partitions. Nokia has eMMC storage. There is also UFS storage on many other devices. Knowing the storage type is critical before flashing a ROM. Nokia 8.1 is powered by the Qualcomm Snapdragon 710 chip. This is another critical piece of information needed for flashing the stock ROM.


Now coming directly to the flashing process. You need the things and conditions below to flash the ROM.


  • Phone in EDL mode. This is another big topic which varies from device to device. I will only write about Nokia 8.1. You can try EDL cables if they work. I opened the back cover of the phone and shorted the TEST POINTS to enter EDL mode. You can search the internet for how to do it; it is easily available.
  • Qualcomm 9008 driver and Nokia USB driver. You can also download OST tool 6.2.8, which contains all the drivers, or download the drivers separately.
  • QPST/QFIL (QPST_2.7.496) tool with firehose file. The firehose file is specific to a chip. I will share relevant files which are smaller in size here. The firehose file is available inside stock ROMs.
  • Any Type-C cable with fast charging capability. This means the cable must be able to handle the 18W power which the Nokia 8.1 adapter delivers. Also try flipping the Type-C end of the cable over, because sometimes one side does not work.
  • USB 2.0 port
  • Windows 7/8/10. Probably 11, which I have not tested.
  • Global Stock ROM PNX-431A-0-00WW-B01. Search the internet to get this ROM.
  • "nb0 tools FIH Mobile v3.4.exe" tool to extract NB0 rom file.

 

Now, before proceeding to the flash process, let's understand what these tools do.




Qualcomm EDL mode works with 2 communication protocols: Sahara mode and Firehose mode. Sahara mode allows the user to send the Firehose file to the device during EDL mode. This file understands how to communicate with the device in emergency download mode. One thing to understand is that during the flashing process DOWNLOAD actually means uploading data to the device. The device downloads something, not us! This causes confusion among users who are doing it for the first time.

The Firehose protocol works with the XML format. It understands XML and accepts files sent with an XML configuration. Firehose only knows how to write data to eMMC/UFS storage, and that is what we use to write files to the eMMC.


Now install the drivers and the QPST/QFIL tool. Verify that the drivers are installed. Turn off the phone, remove the battery connector from the motherboard, short the test points with a clip, and connect the phone to the PC. Start Device Manager and check the PORTS section. If you can see the Qualcomm 9008 COM port, everything is set up and ready to flash the device. Go to the QFIL tool configuration and set the settings as in the image below.

 




The stock ROM which you have downloaded contains an NB0 file, which is extracted using the nb0 tool. Run QFIL in admin mode and it should look like below.

 


 
 
 

Some critical notes -

- Enter EDL mode just before taking upload/download actions using the QFIL tool. EDL mode can stop responding if not utilized quickly.

- Load the firehose file from the extracted ROM folder into QFIL. If the phone is connected in EDL mode, QFIL -> Tools -> Partition Manager will be available. Enter the partition manager. Here you can see the partitions of the eMMC.

- MAKE BACKUP of your eMMC partitions VERY CAREFULLY. If you lose the mfd, fbo etc. partitions, forget about your device working again, because you will need these partitions in any condition to turn on the phone. The images below show all partitions.









- Left click on a partition, then right click on it. DO NOT DIRECTLY right click, because this will not select the partition your mouse is over. It will select the whole disk or the first partition. Click manage partitions and read image. This will create a file like the one below in the %APPDATA%/qualcomm or QPST directory. Look at the logs in QFIL to see where the file has been extracted. Collect all partitions and save them somewhere.

ReadData_emmc_Lun0_0x828_Len1024_DT_****.bin. DT is followed by the date of the dump. The 0x???? part tells the start location of the partition and Len tells the length of the partition.


I am warning you again. The above step is more important than anything else in this guide. Don't blame me if your device stops starting again. If you delete the MFD partition, your device will not boot. Delete the FDP partition and you will see "Your device is corrupt..... press power button to shutdown.... shutdown in 30 seconds". The FDP partition holds data to verify the device. MAKE BACKUP OF EVERY PARTITION. You can skip system, vendor and userdata, but then your device's present state will be lost. MAKE BACKUP of every partition if possible, because you can later write them back into the eMMC to get your phone back into the exact condition it is in now. The Read button copies the partition to your PC; the Load button writes the partition to the phone.


After making the backup, let's proceed to preparing the ROM to flash. Before writing the ROM, let's understand what these flashing tools actually do. Below is extra information. For quick flashing, go to the section FLASHING ROM below.


The flashing tools like OST tool, Nokia service tool and others simply use the Sahara and Firehose protocols provided by Qualcomm. They use the fh_loader.exe file to write data to the eMMC. The login process, account verification, etc. are all extra stuff they have added to make money from their tool. You can do the flashing process from the command line itself with just QPST/QFIL. QFIL must be run from within the QPST installation folder. Many times QFIL doesn't work when run from its own separate package without QPST.


The first thing these tools do is send the firehose programmer file to the device using Sahara mode. It's done by this command -

QSaharaServer.exe -p \\.\COM4 -s 13:C:\LogData\OST\Data\PNX-0-6210-prog_firehose_lite.elf

 

This is what the OST tool does. -p gives the COM port. -s gives the firehose programmer file. After this you are ready to use fh_loader.exe to write data to eMMC (or UFS).


NOTE:

If your bootloader is unlocked then these commands and tools are not needed. Fastboot mode also does the same job. Fastboot handles editing of the partitions.

After Sahara has sent the firehose file, fh_loader can write partitions. A big XML file, rawprogram0.xml, is given to fh_loader. It reads and verifies the XML and starts sending the data according to the XML file. What we have to do is edit this XML file to send all the partitions at once.


OST etc. tools use the default rawprogram XML to write the service abl/xbl bootloaders and then use fastboot to flash partitions. This is where flashing fails when the bootloader is locked. You can get various errors like Error = SE_ERR_ADB_CMD_GET_FAIL_RESULT (0xC6DA), Error 0x0c3be uploading image using sahara protocol failed. These are all due to the locked bootloader or other restrictions.


FLASHING ROM:

 

Go to the extracted ROM folder, create a new file "rawprogram0_RECOVER_431A.xml" and paste the below into it.


<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl.elf" label="xbl_a" num_partition_sectors="7168" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4000000" start_sector="131072"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl.elf" label="xbl_b" num_partition_sectors="7168" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3584.0" sparse="false" start_byte_hex="0x4380000" start_sector="138240"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl_config.elf" label="xbl_config_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0xb000000" start_sector="360448"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-xbl_config.elf" label="xbl_config_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0xb020000" start_sector="360704"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-tz.mbn" label="tz_a" num_partition_sectors="4096" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc000000" start_sector="393216"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-tz.mbn" label="tz_b" num_partition_sectors="4096" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc200000" start_sector="397312"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-aop.mbn" label="aop_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0xc400000" start_sector="401408"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-aop.mbn" label="aop_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x10000000" start_sector="524288"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-hyp.mbn" label="hyp_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-hyp.mbn" label="hyp_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14080000" start_sector="656384"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-keymaster64.mbn" label="keymaster_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14300000" start_sector="661504"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-keymaster64.mbn" label="keymaster_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14380000" start_sector="662528"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib.mbn" label="cmnlib_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14400000" start_sector="663552"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib64.mbn" label="cmnlib64_a" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14480000" start_sector="664576"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib.mbn" label="cmnlib_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14500000" start_sector="665600"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-cmnlib64.mbn" label="cmnlib64_b" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x14580000" start_sector="666624"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NON-HLOS.bin" label="modem_a" num_partition_sectors="266240" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="133120.0" sparse="false" start_byte_hex="0x14600000" start_sector="667648"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NON-HLOS.bin" label="modem_b" num_partition_sectors="266240" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="133120.0" sparse="false" start_byte_hex="0x1c800000" start_sector="933888"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-dspso.bin" label="dsp_a" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x24a00000" start_sector="1200128"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-dspso.bin" label="dsp_b" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x26a00000" start_sector="1265664"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-abl.elf" label="abl_a" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x28a00000" start_sector="1331200"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-abl.elf" label="abl_b" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x28b00000" start_sector="1333248"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-logfs_ufs_8mb.bin" label="logfs" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x34000000" start_sector="1703936"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-BTFM.bin" label="bluetooth_a" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x38104000" start_sector="1837088"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-BTFM.bin" label="bluetooth_b" num_partition_sectors="2048" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="1024.0" sparse="false" start_byte_hex="0x38204000" start_sector="1839136"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-dtbo.img" label="dtbo_a" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x3c022000" start_sector="1966352"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-dtbo.img" label="dtbo_b" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x3c822000" start_sector="1982736"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-persist.img" label="persist" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x3d426000" start_sector="2007344"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-010-keyinfo.img" label="keystore" num_partition_sectors="1024" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="512.0" sparse="false" start_byte_hex="0x3f526000" start_sector="2074928"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-devcfg.mbn" label="devcfg_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x3f5a6000" start_sector="2075952"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-devcfg.mbn" label="devcfg_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x3f5c6000" start_sector="2076208"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-qupv3fw.elf" label="qupfw_a" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x3f5e6000" start_sector="2076464"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-qupv3fw.elf" label="qupfw_b" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x3f5f6000" start_sector="2076592"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-storsec.mbn" label="storsec_a" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x43886000" start_sector="2212912"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-storsec.mbn" label="storsec_b" num_partition_sectors="256" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x438a6000" start_sector="2213168"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vbmeta.img" label="vbmeta_a" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x4c000000" start_sector="2490368"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vbmeta.img" label="vbmeta_b" num_partition_sectors="128" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="64.0" sparse="false" start_byte_hex="0x4c010000" start_sector="2490496"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-0010-0001-hidden.img.ext4" label="hidden_a" num_partition_sectors="81920" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="40960.0" sparse="false" start_byte_hex="0x50000000" start_sector="2621440"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-0010-0001-hidden.img.ext4" label="hidden_b" num_partition_sectors="81920" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="40960.0" sparse="false" start_byte_hex="0x52800000" start_sector="2703360"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-cda.img" label="cda_a" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x55000000" start_sector="2785280"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-cda.img" label="cda_b" num_partition_sectors="16384" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="8192.0" sparse="false" start_byte_hex="0x55800000" start_sector="2801664"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="systeminfo.img" label="systeminfo_a" num_partition_sectors="512" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="256.0" sparse="false" start_byte_hex="0x56000000" start_sector="2818048"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="systeminfo.img" label="systeminfo_b" num_partition_sectors="512" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="256.0" sparse="false" start_byte_hex="0x56040000" start_sector="2818560"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-splash.img" label="splash_a" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x56080000" start_sector="2819072"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-splash.img" label="splash_b" num_partition_sectors="65536" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="32768.0" sparse="false" start_byte_hex="0x58080000" start_sector="2884608"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-multi-splash.img" label="zplash_a" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a080000" start_sector="2950144"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-030-multi-splash.img" label="zplash_b" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a480000" start_sector="2958336"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NV-default.mbn" label="nvdef_a" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5a880000" start_sector="2966528"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-NV-default.mbn" label="nvdef_b" num_partition_sectors="8192" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4096.0" sparse="false" start_byte_hex="0x5ac80000" start_sector="2974720"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-00WW-001-sutinfo.img" label="sutinfo" num_partition_sectors="8" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="4.0" sparse="false" start_byte_hex="0x5b080000" start_sector="2982912"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-boot.img" label="boot_a" num_partition_sectors="131072" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="65536.0" sparse="false" start_byte_hex="0x5e081000" start_sector="3081224"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-boot.img" label="boot_b" num_partition_sectors="131072" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="65536.0" sparse="false" start_byte_hex="0x62081000" start_sector="3212296"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-system.img" label="system_a" num_partition_sectors="6291456" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3145728.0" sparse="true" start_byte_hex="0x66081000" start_sector="3343368"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-system_other.img" label="system_b" num_partition_sectors="6291456" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="3145728.0" sparse="true" start_byte_hex="0x126081000" start_sector="9634824"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vendor.img" label="vendor_a" num_partition_sectors="1572864" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="786432.0" sparse="true" start_byte_hex="0x1e8000000" start_sector="15990784"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-00WW-vendor.img" label="vendor_b" num_partition_sectors="1572864" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="786432.0" sparse="true" start_byte_hex="0x218000000" start_sector="17563648"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="" label="userdata" num_partition_sectors="0" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="0" sparse="true" start_byte_hex="0x248000000" start_sector="19136512"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="17.0" sparse="false" start_byte_hex="0x0" start_sector="0"/>
  <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="PNX-0-431A-gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" partofsingleimage="true" physical_partition_number="0" readbackverify="false" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33."/>
</data>

 

 

Flash process:

  • Start QFIL in admin mode. Switch to flat build.
  • Select the firehose programmer path "PNX-0-431A-prog_firehose_lite.elf" present inside the extracted ROM dir. Load XML -> (All files *.* mode) -> load rawprogram0_RECOVER_431A.xml, then do the same for patch0.xml. The patch file is already present in the ROM dir.
  • Connect the phone in EDL mode. The port will be shown in QFIL. If not, select the port with the select port button.
  • Press the download button. Flashing will start. It will take 5-10+ minutes to write the ROM.
  • Re-enter EDL mode by unplugging USB. Start the partition manager and erase userdata. Click userdata, then right click userdata and erase it. The same can be done from the phone by entering recovery mode. Turn off the phone, press the UP button, then power for a few seconds. When the device starts, release the power button but keep UP pressed. When the dead Android robot icon is seen, press power then press UP. Wipe cache and userdata. Reboot.

 

In case you see "Your device is corrupt. It cannot be trusted. Press button to continue", you should enable dm-verity enforcing. Search the internet for multiple ways to do it, e.g. https://forum.xda-developers.com/t/guide-fix-dm-verity-is-not-enforcing-when-trying-to-boot-error.3898526/



If everything has been done as written, you must now have a good backup of the device to get back to your initial condition, and a working Android 10 on your device. I did it and I am enjoying Android 10.



CRITICAL information for experimentation:

Always verify whether a file which has to be written to the device is sparse or not. elf, mbn etc. files are raw and not sparse. IMG files may or may not be sparse. Sparse means a raw image that has been post-processed to reduce its size or for some other purpose. Always use sparse="true" in the rawprogram XML when not sure. fh_loader will test this and tell you itself when the download button is pressed. However, the best way to verify the XML and data is to try to create an XML digest. It's present in the Tools section in QFIL.
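
An added example (not part of the original post and not code from QPST/QFIL): a Python script that checks a rawprogram XML offline before anything is written, confirming that byte and sector offsets agree, that partitions do not overlap, and that no image carrying the Android sparse header is declared sparse="false". The attribute names come from the XML above; the sample entries, file names and function names are constructed for illustration.

```python
import os
import struct
import tempfile
import xml.etree.ElementTree as ET

SPARSE_MAGIC = 0xED26FF3A  # Android sparse image magic, stored little-endian


def is_sparse(path):
    """True if the file starts with the Android sparse image magic."""
    with open(path, "rb") as f:
        head = f.read(4)
    return len(head) == 4 and struct.unpack("<I", head)[0] == SPARSE_MAGIC


def check_rawprogram(xml_text, image_dir):
    """Return a list of (label, problem) tuples for one rawprogram XML."""
    findings, extents = [], []
    for p in ET.fromstring(xml_text).iter("program"):
        label = p.get("label")
        try:
            sector_size = int(p.get("SECTOR_SIZE_IN_BYTES"))
            start = int(p.get("start_sector"))
            count = int(p.get("num_partition_sectors"))
            start_byte = int(p.get("start_byte_hex"), 16)
        except (TypeError, ValueError):
            # BackupGPT uses NUM_DISK_SECTORS expressions that the flashing
            # tool resolves at run time; they cannot be checked offline.
            findings.append((label, "skipped: geometry is not numeric"))
            continue
        if start * sector_size != start_byte:
            findings.append((label, "start_byte_hex != start_sector * sector size"))
        if count:
            extents.append((start, start + count, label))
        name = p.get("filename")
        if not name:  # e.g. userdata: no file is written
            continue
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            findings.append((label, "image file missing"))
            continue
        sparse = is_sparse(path)
        if sparse and p.get("sparse") != "true":
            findings.append((label, "declared raw but file has sparse header"))
        if not sparse and os.path.getsize(path) > count * sector_size:
            findings.append((label, "raw image larger than partition"))
    # Overlap check: walk extents in start order, tracking the furthest end seen.
    end, owner = 0, None
    for s, e, label in sorted(extents):
        if s < end:
            findings.append((label, "overlaps " + owner))
        if e > end:
            end, owner = e, label
    return findings


# Constructed sample: xbl_a/xbl_b/vendor_a/userdata use geometry from the XML
# above with shortened attributes; bad_a is a deliberately broken entry.
SAMPLE_XML = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" filename="xbl.elf" label="xbl_a" num_partition_sectors="7168" sparse="false" start_byte_hex="0x4000000" start_sector="131072"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="xbl.elf" label="xbl_b" num_partition_sectors="7168" sparse="false" start_byte_hex="0x4380000" start_sector="138240"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="vendor.img" label="vendor_a" num_partition_sectors="1572864" sparse="false" start_byte_hex="0x1e8000000" start_sector="15990784"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="" label="bad_a" num_partition_sectors="1024" sparse="false" start_byte_hex="0x4380000" start_sector="138000"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="" label="userdata" num_partition_sectors="0" sparse="true" start_byte_hex="0x248000000" start_sector="19136512"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33."/>
</data>"""


def demo():
    """Write two tiny constructed image files and validate SAMPLE_XML."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "xbl.elf"), "wb") as f:
            f.write(b"\x7fELF" + bytes(60))  # raw file
        with open(os.path.join(d, "vendor.img"), "wb") as f:
            f.write(struct.pack("<I", SPARSE_MAGIC) + bytes(24))  # sparse header
        return check_rawprogram(SAMPLE_XML, d)


if __name__ == "__main__":
    for label, problem in demo():
        print(f"{label}: {problem}")
```

Run against the real extracted ROM folder, an empty result means the XML's geometry and sparse flags are internally consistent; it says nothing about whether the images are the right ones for the device.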



Wednesday, October 5, 2022

Remove pattern lock or pin from Motorola etc Androids.

My phone was locked by a kid who forgot the password and I was not able to log into the device. I was stuck at the PIN input screen. The recovery mode was also showing empty, with a dead robot and a "no command" screen.


IMPORTANT:

This is not the only way to remove a PIN or pattern lock. It only gives information for those who understand fastboot, adb etc. The below is only required when OEM unlock is not set in developer options. It also removes all user data. Ways to remove the password and still keep user data exist, but that is not the intention of this article.

 

Before reading further you must read up on the following subjects/methods to understand the rest. It's not useful to re-write existing things again and again.

 

- Install adb on your OS.

- How to boot into fastboot mode on your device.

- Knowing more about your device.


The device was secured using a Google account and the "OEM Unlock" option was also not set in developer options! Running ./fastboot getvar all from the shell returned the following info. [I_REMOVED_IT] shows text I have removed to prevent showing personal IDs.


./fastboot getvar all > info.txt
(bootloader) version: 0.5
(bootloader) version-bootloader: (removed)
(bootloader) product: sanders
(bootloader) board: sanders
(bootloader) secure: yes
(bootloader) hwrev: P4
(bootloader) radio: 2
(bootloader) storage-type: emmc
(bootloader) emmc: 64GB SAMSUNG RC14MB RV=08 PV=07 FV=0000000000000007
(bootloader) ram: 4GB SAMSUNG LP3 DIE=8Gb M5=01 M6=05 M7=00 M8=5F
(bootloader) cpu: MSM8953
(bootloader) serialno: [I_REMOVED_IT]
(bootloader) cid: 0x0032
(bootloader) channelid: 0xc0
(bootloader) uid:[I_REMOVED_IT]
(bootloader) securestate: oem_locked
(bootloader) iswarrantyvoid: no
(bootloader) max-download-size: 534773760
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei: [I_REMOVED_IT]
(bootloader) meid:
(bootloader) date: 11-16-2017
(bootloader) sku: (removed)
(bootloader) carrier_sku:
(bootloader) battid: [I_REMOVED_IT]
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) current-time: "Thu Jan  1  2:36:19 UTC 1970"
(bootloader) ro.build.fingerprint[0]: motorola/sanders_n/sanders_n:8.1.0
(bootloader) ro.build.fingerprint[1]: (removed)
(bootloader) ro.build.fingerprint[2]: -keys
(bootloader) poweroffalarm: 0
(bootloader) ro.build.version.full[0]: Blur_Version.2*****.12.sanders.re
(bootloader) ro.build.version.full[1]: tail.en.US
(bootloader) ro.build.version.qcom: ******removed*******
(bootloader) version-baseband: M8953_52.61.07.98R SANDERS_INDIADSDS_CUST
(bootloader) kernel.version[0]: Linux version 3.18.71-perf (hud
(bootloader) kernel.version[1]: soncm@ilclbld57) (gcc version 4.9.x 2015
(bootloader) kernel.version[2]: 0123 (prerelease) (GCC) ) #1 SMP PREEMPT
(bootloader) kernel.version[3]:  Tue Aug 13 15:23:08 CDT 2019
(bootloader) sbl1.git: git=MBM-NG-VC2.12-0-g698fb2f
(bootloader) rpm.git: git=92e5e21-dirty
(bootloader) tz.git: git=d95e83f
(bootloader) devcfg.git: git=d95e83f
(bootloader) keymaster.git: git=d95e83f
(bootloader) cmnlib.git: git=d95e83f
(bootloader) cmnlib64.git: git=d95e83f
(bootloader) prov.git: git=d95e83f
(bootloader) aboot.git: git=MBM-NG-VC2.12-0-g07ff23c
(bootloader) frp-state: protected (144)
(bootloader) ro.carrier: retin
(bootloader) current-slot:
(bootloader) slot-suffixes: _a
(bootloader) slot-count: 1
(bootloader) slot-successful:_a: INVALID
(bootloader) slot-successful:_b: INVALID
(bootloader) slot-bootable:_a: INVALID
(bootloader) slot-bootable:_b: INVALID
(bootloader) slot-retry-count:_a: unknown
(bootloader) slot-retry-count:_b: unknown


In this result, securestate: oem_locked shows that OEM is locked. The bootloader was locked, and to unlock it I created a Motorola ID and requested an UNLOCK KEY. However, the unlock key alone was not enough. After getting the unlock key I tried to unlock -


fastboot oem unlock [MY_UNLOCK_KEY]
(bootloader) WARNING: This command erases all user data.
(bootloader) Please re-run this command to continue.
OKAY [  0.000s]
Finished. Total time: 0.000s

fastboot oem unlock [MY_UNLOCK_KEY]
(bootloader) Check 'Allow OEM Unlock' in Android Settings > Developer
(bootloader) Options
OKAY [  0.016s]
Finished. Total time: 0.016s


"(bootloader) Check 'Allow OEM Unlock' in Android Settings". One simple solution to this is to erase user data. WARNING: It will wipe out all data.


Run the following commands to erase user data when recovery mode doesn't show any options.


fastboot oem fb_mode_set

fastboot erase cache

fastboot erase userdata        [THIS PART DELETES USER DATA]

fastboot oem fb_mode_clear


Reboot. More data can be erased above, or simply find the relevant file to erase the PIN or PATTERN lock related information.

 

The device will be reset, and if it was protected using a Google account then the SAME account will be required to log in again; otherwise the device won't start for new users. Internet is NEEDED after reboot.
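The fastboot getvar all output quoted earlier in this post can be checked by a script instead of by eye. The Python below is an added example, not part of the original post: parse_getvar and lock_summary are hypothetical names, and treating an frp-state value that begins with "protected" as factory reset protection being active is an assumption.

```python
import re
# Lines copied from the `fastboot getvar all` output quoted in this post.
SAMPLE = """\
(bootloader) uid:[I_REMOVED_IT]
(bootloader) securestate: oem_locked
(bootloader) ro.build.fingerprint[0]: motorola/sanders_n/sanders_n:8.1.0
(bootloader) ro.build.fingerprint[1]: (removed)
(bootloader) ro.build.fingerprint[2]: -keys
(bootloader) kernel.version[2]: 0123 (prerelease) (GCC) ) #1 SMP PREEMPT
(bootloader) kernel.version[3]:  Tue Aug 13 15:23:08 CDT 2019
(bootloader) frp-state: protected (144)
(bootloader) current-slot:
(bootloader) slot-successful:_a: INVALID
OKAY [  0.016s]
"""
PREFIX = "(bootloader) "
PART = re.compile(r"^(.+)\[(\d+)\]$")  # e.g. ro.build.fingerprint[1]

def parse_getvar(text):
    """Return {variable: value}, re-joining values that were split into [n] parts."""
    plain, parts = {}, {}
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue                      # status lines such as "OKAY [...]"
        body = line[len(PREFIX):].rstrip()
        if ": " in body:                  # keys may contain ':' (slot-successful:_a)
            key, _, val = body.partition(": ")
        elif body.endswith(":"):          # empty value, e.g. "current-slot:"
            key, val = body[:-1], ""
        elif ":" in body:                 # no space after the colon, e.g. "uid:[...]"
            key, _, val = body.partition(":")
        else:
            continue                      # free-text message, not a variable
        m = PART.match(key)
        if m:
            parts.setdefault(m.group(1), {})[int(m.group(2))] = val
        else:
            plain[key] = val
    for base, chunks in parts.items():    # parts break mid-word on the page: join as-is
        plain[base] = "".join(chunks[i] for i in sorted(chunks))
    return plain

def lock_summary(variables):
    """Lock state only; 'protected' meaning FRP is active is an assumption."""
    return {
        "bootloader_locked": variables.get("securestate") == "oem_locked",
        "frp_protected": variables.get("frp-state", "").startswith("protected"),
    }

print(lock_summary(parse_getvar(SAMPLE)))
```

Feed it the full captured output in place of SAMPLE to get the same summary for a whole device dump.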

Wednesday, June 15, 2022

Why privacy is almost a hoax in internet world

If you use 20 apps and 19 of them do not show ads and only 1 shows ads, that 1 app by itself is enough to give your device information to the ad network. The privacy thing is kind of a hoax. However, data like photos, which some apps handle, has its own privacy policy. If they keep little thumbnails of the pics on their server they must tell the users. Lots of companies do not do that. This is the hidden reality. An example: https://www.upguard.com/blog/biggest-data-breaches.


Many times a server getting hacked is an internal job, and the data is sold on the dark web and similar places. This is an old technique to sell user data and make cash. However, the subject of this post is how much privacy there is even if companies have strict policies. The example below tells why device info is shared due to just 1 app. Even if no app shares device info, just browsing the internet does it. Websites collect data and use fingerprinting, cookies and similar techniques to identify unique systems. The threat of data being shared for misuse comes not from small apps but from the big companies which make such apps.


Take the example of apps like Truecaller. How did they collect so much information about phone numbers? Did they release the app without any initial database?

Privacy is a hoax, and the best way to deal with this rampant user data misuse is providing false information. Sincere users provide their details to social media sites, and the sites breach the trust and sell the data.


Many users have the myth of using VPN apps for privacy. VPN apps are the very first place to lose your private data. A VPN app opens an HTTPS site in a proxy and can see what it is, then sends it to the end user. Where is the privacy? Can you really trust a VPN for sharing private data like passwords?



TIPs:


- Sometimes people share their login ID and password in the same place, like sharing both in a chat. This is highly unsafe. Share the ID by mail, share the password by message. Split the information. Many think this level of security is too much or a waste of time until some loss occurs.

- Use personal encryption utilities. Share data in encrypted form; the recipient gets the data and decrypts it. Do not rely on the encryption of the service provider.

- Many users take banking-related pictures with their phone. Phones are more sensitive than PCs regarding privacy, and bank details end up saved in images and text files in storage. It's better to use sandboxed/encrypted folders, personally customized apps if possible, etc.

- Keep extra accounts for not-so-important things like entertainment services. Do not use your main/primary email or phone for registering with these types of services. Use personal/primary accounts for banking only.


Friday, January 4, 2019

Way for Android emulators or similar apps to write to storage with NO WRITE permission.

I was playing NES games with the Android NES.emu emulator, but its internal file manager was not able to pick internal storage for saving states.

There was a setting to save states to the same location as the ROM. This failed due to no permission. The solution is to create a "<PackageName>/files" directory inside the top of that storage.

Example:

Any Android app has default write access to Android/data/<packagename>

In my case it was /storage/emulated/0/Android/data/com.vapps.NesEmu2/files.

So I created the same layout of folders on my external SDCARD where the ROMs were. Like this:


/storage/0000-0000/Android/data/com.vapps.NesEmu2

This location had write permission and the app was able to save states there. Using the same method we can allow Android apps to save files to removable storage WITHOUT write permission. This is a good workaround when internal memory is low or the file manager simply cannot go to internal storage.

Before doing anything we must first find the package name and create a folder with that name inside "Android/data" of any storage. Package finder apps can be found on the Play Store.

Thursday, March 9, 2017

JPG Image size reducer. How to reduce jpg to desired size without changing resolution on PC and Android?

When we click a photo it contains a lot of colors which our eyes cannot differentiate. More colors means a bigger image size, and with evolving camera chips images are getting bigger and bigger. There are many methods to reduce photo size. Let's look at some of them.


I recently backed up my images on Google Drive. The images were big, GBs in total, which I reduced to ~700MB (deleted a few repeated images). Among size reduction methods, most of us reduce the image resolution, i.e. the number of pixels is reduced. For example, Full HD images are reduced to qHD or 720p. But I didn't reduce the number of pixels but the number of colors!


This is already a reduced image of size ~900KB. I captured this image in my garden in summer 2016 using my Nubia Z9 mini phone. It's already reduced in size to load faster on the website.



Original: 942KB


 Half resolution: 711KB





Reduced Colors: 268KB



Looking at the images, it's clear that reducing the number of colors gives a greater size reduction than reducing resolution only. Do check the images by downloading them and zooming in. Decide for yourself which one is better!


Now coming to the tools used for size reduction. Without taking much time, below are some tools to reduce the size of a JPG.

  • ImageMagick's convert tool. This is a command-line tool which can reduce a JPG to a desired size. Example: convert -define jpeg:extent=500kb nubia_bks_camera.jpg out.jpg. This will reduce the original image to ~500KB without changing resolution.
  • jpegoptim: this tool does the same as ImageMagick, with a desired JPG size.
  • IrfanView. This is a Windows-only GUI program which can reduce JPG files to a desired size.

I have created my own Android app which can do the above size reduction and is very easy to work with. Here is the link to my app Jpg Image Size Reducer: https://play.google.com/store/apps/details?id=org.greh.imagesizereducer. A quick usage example of this app: you have a selfie which is 2MB and want to reduce its size quickly without editing the image. Share it with any image app, select Jpg Image Size Reducer, reduce to whatever % or KB and then share the copy wherever you want! It can also reduce many files in batch. It's also an image converter and can convert non-JPG files to JPG and reduce their size.



The software above reduces the number of colors, which reduces the size of the image even more than reducing resolution does. However, using both methods can give very small images. Reducing the total colors to a few thousand or a few hundred can be noticed easily by zooming. Another method to reduce image size is to change the image mode from RGB to INDEXED. Indexed mode means all colors are collected in one place/table and the index/position of a color in the table is used. This can reduce size. However, this is not always better.

Thursday, November 19, 2009

Convert your text files into images

Open your text files with IrfanView and save them as images.

I always use IrfanView and GIMP for all my photo work. If you haven't tried them then please give them a try. ;-)

Thursday, October 23, 2008

I recovered my quickly erased CDRW.

Happened in 2006 August.
I had a CDRW which was the only source for all my projects, as my HDD had crashed. I tried to find software on the net and found forensic sites, but they were charging a lot of money. Being a student, I wasn't able to produce that amount, so I decided to search for software-based recovery.

I found Isobuster, which wasn't capable of recovering data from a quick-erased CDRW. But I found a good piece of software - Back2Life. I tried to recover the CD using "force RW mode".
Hah! It recovered the table but wasn't recovering data, as it was a demo version and limited to 64KB file recovery. It must have burned some part on the CDRW. I was disappointed because I had very little time, only a few days to go. Then an idea lit up in my mind and I used Isobuster again. Hey! It recovered my data and I successfully saved all my projects. I know it could also help many of you.

That's why we say: a problem occurred for one person but gave a solution to many.
Tip: Use Back2Life version > 2.3 and then use Isobuster.
Now TestDisk is my favorite data recovery program; it now offers optical media recovery.

Sunday, December 16, 2007

Rescue tip - copy locked files.

How to copy locked files in windows?
Disclaimer: This information is for rescue / educational purposes only! I can't be held responsible for any damage that occurs due to its use. BTW it has rescued many systems!
Recovery tools can be used to copy locked files, as they don't deal with file handles; they have full access to the disk. I have successfully copied SAM from Windows, which is said to be an impossible task!