[R&D][UNBRICKING] - Thread for trying to solve the OTA brick problem

By fuser-invent, Senior Member on 25th May 2015, 03:00 AM
Intro

Someone contacted me because of my work unbricking Amlogic tablets and sent me their bricked Nexus 7 2013 32GB Wifi version tablet. I have the same tablet and I’ve been exploring unbricking options and looking at the devices. I have not found a solution yet but I have found a lot of interesting things. I worked on several models of Ainol's AML8726-MX SoC tablets and unbricked them from various states, including having no signs of life and jumping some pins on the nand chip to get it recognized by the computer. Some tablets had similar problems to the Nexus when the bootloader was corrupted from a bad flash. The internal memory showed as zero in TWRP and the tablets wouldn't boot into the system. Checking debug logs showed the memory chip was not initializing. The Ainol tablets don't have a bootloader with a GUI but they did have an external SD card slot, so the tablet could boot from the SD card and run a "rescue flash". If that didn't work, Amlogic also had low-level USB Burning software to write to the tablet, although special files were needed and flashing was tricky.

I don’t know if we will be able to fix the Nexus tablets with this problem or if they are even fixable with the tools available but I’m providing all this information because I’m working on the problem in my spare time and maybe other people want to experiment with their bricked devices as well. There are a couple obvious routes to explore, one being Qualcomm's QPST and QFIL software, as well as other similar software programs for these chips, like the BoardDiag Tool. Another option is to try and boot the tablet from a "rescue card" like I used for the Ainol tablets but to do it through an On-The-Go cable. Even if we don't unbrick any tablets, if anything, at least this thread might provide some documentation on the Nexus 7 2013 that doesn’t seem to be available elsewhere. I’ll keep updating this thread with new info and links to drivers, software, documentation and relevant websites. I’ll post what I’ve updated into the “Updates to this thread” section.

The problem

OTA update bricks device and we get one of the following scenarios:
  • Users can enter fastboot but can not flash, format or erase anything. Trying to start the device or boot into recovery gets stuck on the Google screen with the lock icon.
  • Same as above but when entering a recovery like TWRP, device hangs on the TWRP logo screen.
  • Users can not enter fastboot. Plugging the device into the computer shows QHSUSB_DLOAD in the device manager
  • Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB QDLoader 9008 in the device manager
  • Users can not enter fastboot. Plugging the device into the computer shows Qualcomm HS-USB Diagnostics 9006 in the device manager
  • In 9006 mode the storage shows as Qualcomm MMC Storage USB Device in the Device Manager
---

Trying to flash or format in fastboot returns the following error:

Code:
FAILED <status read failed <Too many links>>

I’ve figured out a way to boot into TWRP and have started collecting logs and other information about the problem. I’ve also figured out the majority of fastboot oem commands which I’ll list below. The device is not initializing the MMC card when it starts up. In dmesg we can see the error:

Code:
mmc0: error -110 whilst initialising MMC card

Where on a working device we see:

Code:
mmc0: new HS200 MMC card at address 0001
mmcblk0: mmc0:0001 MMC32G 28.8 GiB

In the TWRP log we see:

Code:
E: Could not mount /data and unable to find crypto footer.
E: Unable to mount ‘/data’
E: Unable to recreate /data/media folder.
Updating partition details…
E: Unable to mount ‘/system’
E: Unable to mount ‘/data’
E: Unable to mount ‘/cache’
...done
E: Unable to mount storage
E: Unable to mount /data/media during GUI startup
E: Unable to mount ‘/cache’
Full SELinux support is present.
E: Unable to mount ‘/cache’
E: Unable to set emmc bootloader message.
E: Unable to mount ‘/cache’
E: Unable to mount /data/media/TWRP/ .twrps when trying to read settings file.
E: Unable to mount ‘/data’
MTP Enabled

Trying to wipe partitions or flash in TWRP fails because the card isn’t mounted at all and the partition table isn’t being read. Everything is running in the RAM and the only filesystems mounted are rootfs, tmpfs, devpts, proc, sysfs, selinuxfs and tmpfs.

Checking the partition table in fastboot using “fastboot oem gpt-info” does return the same results as a working device though. When booting into TWRP we can see “Nexus 7” as an MTP device but there is nothing on it. In Qualcomm’s 9006 Diagnostics mode we can see the device under disk drives in the device manager as Qualcomm MMC Storage USB Device but it doesn’t show up in Qualcomm’s 9008 Download mode. In disk management we can see it as an Unknown 28.81 GB Unallocated Disk. We can see the same thing in MiniTool Partition Wizard but neither Windows nor MiniTool can initialize or format the disk. In HDD Raw Copy Tool the device shows as Qualcomm MMC Storage with a capacity of 30.93 GB. I was unable to write a RAW image of mmcblk0.img using HDD Raw Copy Tool, getting the error “Write Error occured at offset 0 (1)”.

My Working Theory

Looking at both the most recent reports of the OTA brick and past reports, it seems like the problem occurs when there is a bootloader update packaged in with the firmware update. It is possible that the eMMC chip is fried because we've seen bugs in the past but I'm working on the assumption that it is not since the chip is recognized, shows the correct capacity and gets registered by the kernel. We can also see that persistent_ram has an uncorrectable error in the header and no valid data in the buffer. This could mean a bad eMMC chip but it could also mean the parts of the bootloader are gone or corrupt. It could also mean the GPT is bad.

We can also see that the device is always booting into ttyHSL0 mode which is the UART Serial Console mode for debugging. I don't know a lot about Qualcomm architecture but I do know that there are several modes including diagnostics, download and emergency download mode. It's possible that the tablet is stuck in one of these modes. I read through some Qualcomm documents and it mentions using the NPRGxxxx.hex file to flash your device but it also mentions that, if the chipset supports it, changing the name of the NPRGxxxx.hex file to eNPRGxxxx.hex "allows you to download new images to a mobile device that has an empty or corrupt flash device." That function was implemented in 2008 though and I'm unsure if the implementation has changed at all.

Getting Started

I’m not going to cover any of the basics like installing ADB and Fastboot on your computer. This thread is intended for people who already have a working knowledge of using these tools and want to try and work on the bricking problem. If you don’t have that knowledge and would still like to experiment with your bricked device you can find lots of tutorials on XDA on how to install and use ADB and Fastboot.

I will mention a couple of things I ran into though. Since I hadn't been working on tablets for a while I wasn't able to use ADB in TWRP at first. I noticed that it only worked if I disabled MTP in the TWRP menu. However, updating the Android SDK solved this problem and the updated drivers allow both MTP and ADB to be connected at the same time.

There may also be times when you need to disable Windows Driver Signature Verification to be able to install unsigned drivers. Here is a link showing how to do it temporarily. There is also a way to disable it permanently which I think is to run the Command Prompt as Admin and type:

Code:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON

Lastly, you'll probably want to stop Windows from automatically installing drivers for new hardware. You can do that by right clicking on your computer and then going to "properties -> advanced system settings -> hardware -> device installation settings -> no let me choose what to do -> never install driver software from windows update". There are also guides with screenshots on how to do this if you Google it.

---

We can get into a recovery like TWRP by using the fastboot command:

Code:
fastboot boot twrp.img

If booting into recovery fails and you get stuck on the TWRP logo screen then go back to the bootloader and use the fastboot command:

Code:
fastboot oem reset-dev_info
---

To enter Qualcomm HS-USB QDLoader 9008 “download mode” you can hold down all three hardware buttons when the device is powered off and plugged in. You can also power down the device, hold the Vol+ and the Vol- buttons and then plug in the device. To enter Qualcomm HS-USB Diagnostics 9006 “diagnostic mode” you can press the power button repeatedly then wait around 30 seconds and see if it connects in the device manager. I don’t know what the speed you are supposed to press the button is but it seems to take at least 10 presses, sometimes more. You’ll have to test it out until you get used to doing it.

Tasks

Want to help out? Here are some things I'm working on. There's a good deal of research to do, so even if you don't have a working device you can help. If you have a device that you've totally given up on and are pretty much going to throw out but can still get into the bootloader, test those fastboot oem erase_ commands before tossing the tablet. It will be fastboot oem erase_"partition name". An example is fastboot oem erase_aboot. Just run through them and write down which ones work and which ones don't.
  • If someone with a bricked tablet has UART off in the bootloader and can boot into TWRP, please check "adb shell cat /proc/cmdline" and tell me if "console=ttyHSL0,115200,n8" is in the commandline. You can check if UART is on or off in the bootloader by using "fastboot getvar all".
  • Look into other APQ8064 devices to see if files relevant to QPST work. There is a list of devices below that have the same SoC but not the 1AA or FLO tag at the end. It's possible some of these files might work well enough to at least get the memory recognized.
  • Pull partition table from a working device and format it in partition.bin or partition.mbn for use in QPST.
  • Try to write partitions pulled from working device back to the tablet in fastboot.
  • Format partitions from a working device as .mbn files for QPST.
  • Pull first few raw GB from a bricked tablet and examine it to see if there is data present. If there is then it might mean that those partitions are corrupted and we can focus on writing working partitions back to those locations. Try with RAW copy tool and with dd.
  • Testing QPST software to resurrect the device. Will need more files first, need to structure them as .xml files necessary for the software.
  • Test "fastboot oem erase_" on other partitions.
  • Test "fastboot flash" of partitions that aren't normally included in a firmware update, like sb1.img, rpm.img, aboot.img, etc.

General Device Info

Here is a spreadsheet with all the partition info that I've pulled and sorted.

The Nexus 7 2013 is an APQ8064 1AA/FLO Snapdragon 600 series device that is advertised as a S4 Pro. The APQ8064–1AA is the WiFi version and APQ8064-FLO is the LTE version. The ASUS MeMO Pad FHD 10 ME302KL LTE also has the same SoC according to wiki. The platform board is listed as MSM8960 in most of the code.

Here are other devices with an APQ8064 SoC but aren't listed as 1AA or FLO:
  • LG Optimus G
  • MDP / T
  • Xiaomi MI-2
  • Pantech Vega R3
  • Sharp Aquos Phone Zeta SH-02E
  • Oppo Find 5
  • Asus MeMO pad 10 LTE
  • Asus padfone 2
  • HTC J Butterfly
  • HTC Droid DNA
  • Nexus 4
  • HTC Butterfly
  • ZTE Nubia Z5
  • ZTE Nubia Z5 Mini
  • ZTE Grand S
  • Sony Xperia Z
  • Xperia ZL Sony
  • Sony Xperia ZR
  • Fujitsu Arrows S
  • Sony Xperia Tablet Z
  • LG Optimus GJ

Nexus 7 2013 Tablet’s Vendor ID is 18d1 and hexadecimal syntax is 0x18D1 (used in fastboot). The USB device ID's for different connections are:
  • Qualcomm HS-USB Diagnostics 9006 (COM3) - USB\VID_05C6&PID_9006&MI_00
  • Qualcomm HS-USB Diagnostics 9008 (COM4) - USB\VID_05C6&PID_9008
  • Android Bootloader Interface - USB\VID_18D1&PID_4EE0
  • Android ADB Interface - USB\VID_18D1&PID_D002

Serial Numbers I've seen are:
  • Bricked Device - SERIAL NUMBER 2143658709BADCFE ← According to HDD Raw Copy Tool
  • Bricked Device - SERIAL NUMBER 049973d5 ← According to adb get-serialno

Dumps, Unpacked Partitions and Other Files

Here is a link to a MediaFire folder with various files. So far I have:

Unpacked the 4.04 Bootloader
aboot.img
bootloader.img
rpm.img
sbl1.img
sbl2.img
sbl3.img
tz.img

Pulled all partitions from HDD Raw Copy Backup of a working device
aboot.img
abootb.img
boot.img
DDR.im
first_131071_sectors.img
fsg.img
m9kefs.img
m9kefs2.img
m9kefs3.img
m9kefsc.img
metadata.img
misc.img
modemst1.img
modemst2.img
pad.img
radio.img
recovery.img
rpm.img
rpmb.img
sbl1.img
sbl2.img
sbl2b.img
sbl3.img
sbl3b.img
ssd.img
tz.img
tzb.img

QPST Memory Debug Dump from a bricked device
CODERAM.BIN
CPU_REG.BIN
CPU0_WDT.BIN
CPU1_WDT.BIN
CPU2_WDT.BIN
CPU3_WDT.BIN
EBICS0.BIN
ETB_ERR.BIN
ETB_REG.BIN
IMEM_A.BIN
IMEM_C.BIN
load.cmm
LPASS.BIN
MM_IMEM.BIN
PMIC_PON.BIN
RPM_MSG.BIN
RPM_WDT.BIN
RST_STAT.BIN
SPS_BUFF.BIN
SPS_PIPE.BIN
SPS_RAM.BIN

Unpacked Radio partition from a working device
ACDB.MBN
APPS.MBN
DSP1.MBN
DSP2.MBN
DSP3.MBN
EFS1.MBN
EFS2.MBN
EFS3.MBN
MDM_ACDB.IMG
RPM.MBN
SBL1.MBN
SBL2.MBN
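
The dmesg and TWRP symptoms described in the post above can be checked mechanically when comparing logs from several tablets. This is an added example, not part of the original post: the function name, verdict strings and sample timestamps are constructed for illustration, and the message text is taken from the logs quoted above.

```python
import re
from collections import Counter

# Linux errno numbers; the MMC core logs them negated (e.g. "error -110").
ERRNO_NAMES = {5: "EIO", 84: "EILSEQ", 110: "ETIMEDOUT"}

INIT_ERR = re.compile(r"(mmc\d+): error -(\d+) whilst initialising (\S+) card")
NEW_CARD = re.compile(r"(mmc\d+): new (.+?) card at address ([0-9a-f]{4})")
BLOCK_DEV = re.compile(r"(mmcblk\d+): (mmc\d+):[0-9a-f]{4} (\S+) (\d[\d.]* \w+)")
# TWRP quotes the mount point; accept both curly and straight quotes.
TWRP_MOUNT = re.compile(r"E: ?Unable to mount [‘'](/[^’']+)[’']")

# Constructed samples: message text is from the post, timestamps are made up.
BRICKED_DMESG = "[    3.512345] mmc0: error -110 whilst initialising MMC card\n"
WORKING_DMESG = (
    "[    2.101234] mmc0: new HS200 MMC card at address 0001\n"
    "[    2.104321] mmcblk0: mmc0:0001 MMC32G 28.8 GiB\n"
)
TWRP_LOG = (
    "E: Could not mount /data and unable to find crypto footer.\n"
    "E: Unable to mount ‘/data’\n"
    "E: Unable to mount ‘/system’\n"
    "E: Unable to mount ‘/cache’\n"
    "E: Unable to mount storage\n"
    "E: Unable to mount ‘/cache’\n"
)


def triage(dmesg: str, recovery_log: str = "") -> dict:
    """Summarise eMMC init state per host and TWRP mount failures per path."""
    hosts = {}
    for line in dmesg.splitlines():
        if m := INIT_ERR.search(line):
            code = int(m.group(2))
            hosts.setdefault(m.group(1), {})["init_error"] = ERRNO_NAMES.get(
                code, f"errno {code}")
        elif m := NEW_CARD.search(line):
            hosts.setdefault(m.group(1), {})["card"] = m.group(2)
        elif m := BLOCK_DEV.search(line):
            hosts.setdefault(m.group(2), {})["block_device"] = (
                m.group(1), m.group(3), m.group(4))
    failed = Counter(TWRP_MOUNT.findall(recovery_log))
    # A host that errored and never produced mmcblkN means no partition table
    # was read at all, so mount failures are a symptom rather than the cause.
    dead = [h for h, s in hosts.items()
            if "init_error" in s and "block_device" not in s]
    if dead:
        verdict = "emmc_not_initialised"
    elif failed:
        verdict = "storage_present_but_unmountable"
    else:
        verdict = "ok"
    return {"hosts": hosts, "failed_mounts": dict(failed), "verdict": verdict}


if __name__ == "__main__":
    print(triage(BRICKED_DMESG, TWRP_LOG))
    print(triage(WORKING_DMESG))
```

Error 110 is ETIMEDOUT on Linux, so the bricked log line records the card not answering during initialisation rather than a filesystem fault.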

25th May 2015, 03:01 AM |#2
fuser-invent, OP Senior Member
Fastboot Commands
Click To Show Content for examples of each command's usage, partitions that are accepted by a command and additional info.

Regular fastboot commands

Code:
fastboot update
Code:
fastboot update update.img

Code:
fastboot flashall
Code:
fastboot flash
Code:
fastboot flash aboot aboot.img ?
fastboot flash bootloader bootloader.img
fastboot flash rpm rpm.img ?
fastboot flash sbl1 sbl1.img ?
fastboot flash sbl2 sbl2.img ?
fastboot flash sbl3 sbl3.img ?
fastboot flash tz tz.img ?
fastboot flash boot boot.img
fastboot flash cache cache.img
fastboot flash recovery recovery.img
fastboot flash system system.img
fastboot flash userdata userdata.img

Code:
fastboot erase
Code:
fastboot erase all
fastboot erase boot
fastboot erase cache
fastboot erase recovery
fastboot erase system
fastboot erase userdata

Code:
fastboot format
Code:
fastboot format boot
fastboot format cache
fastboot format recovery
fastboot format system
fastboot format userdata
Example of advanced functions:
Code:
fastboot format cache:ext4:0x0000000023000000 cache
(hex value for 587202560 bytes (= 587 MB / 573440 don’t know what this value is but it equals a hex value of 008c000)
Code:
fastboot format cache:0x0000000023000000 cache
(skips fs type and uses default)


Code:
fastboot getvar
Code:
fastboot getvar all
fastboot getvar version-bootloader
fastboot getvar version-baseband
fastboot getvar version-hardware
fastboot getvar version-cdma
fastboot getvar variant
fastboot getvar serialno
fastboot getvar product
fastboot getvar secure_boot
fastboot getvar lock_state
fastboot getvar project
fastboot getvar off-mode-charge
fastboot getvar uart-on
fastboot getvar partition-type:<partition name>
fastboot getvar partition-size:<partition name>

Code:
fastboot continue
Code:
fastboot boot
Code:
fastboot boot recovery.img
fastboot boot boot.img
fastboot boot bootloader.img
Example of advanced functions:
Code:
fastboot boot <kernel> [ <ramdisk> [ <second> ] ]
Examples of booting the kernel and ramdisk:
Code:
fastboot boot zImage boot.img-ramdisk.cpio.gz
fastboot -c *cmdline* boot zImage boot.img-ramdisk.cpio.gz

Code:
fastboot flash:raw boot
Same command format as the advanced "fastboot boot" command:
Code:
fastboot flash:raw boot <kernel> [ <ramdisk> [ <second> ] ]
fastboot flash:raw boot zImage boot.img-ramdisk.cpio.gz

Code:
fastboot devices
fastboot continue
fastboot reboot
fastboot reboot-bootloader
fastboot help
Regular fastboot options that might be useful

-c <cmdline> override kernel commandline
Add -c followed by a kernel command. If more than one kernel command is in the line then they should have parenthesis around them like this "console=ttyHSL0,115200,n8 androidboot.hardware=flo". This is used for the "fastboot boot" command to boot into a kernel with different commandline parameters. Here are the kernel commandlines listed in /proc/cmdline:
Code:
console=ttyHSL0,115200,n8 androidboot.hardware=flo user_debug=31 msm_rtb.filter=0x3F ehci-hcd.park=3 androidboot.emmc=true androidboot.serialno=049973d5 bootreason=PowerKey fuse_info=Y ddr_vendor=hynix androidboot.baseband=apq asustek.hw_rev=rev_e androidboot.bootloader=FLO-04.04

-i <vendor id> specify a custom USB vendor id
Add -i and then the vendor id you want to use. The Nexus 7 vendor id is 18d1 and hexadecimal syntax is 0x18D1. Fastboot wants the Hex value:
Code:
-i 0x18D1

-b <base_addr> specify a custom kernel base address.
I haven't done this in long enough that I've forgotten how to use it. The default is 0x10000000 and the BOARD_KERNEL_BASE is listed as 0x80200000 in the Nexus code.

-n <page size> specify the nand page size.
The default value is 2048. Add -n and then the value you want to use:
Code:
-n 2048

-S <size>[K|M|G] automatically sparse files greater than size. 0 to disable.
I've never used this. If anyone has any insight, let me know.


fastboot oem commands
I extracted the aboot.img and used Notepad++ to look at the commands. I’m not sure what the variables are for some of them but I’m working on testing some things out. This is how I figured out “fastboot oem reset-dev_info” would allow “fastboot boot twrp.img” though.

Code:
fastboot oem unlock
fastboot oem lock
fastboot oem device-info
fastboot oem memtest_
fastboot oem gpt-info
fastboot oem fuse_blow
fastboot oem check-fuse
fastboot oem reset-dev_info
Code:
fastboot oem erase_
Usage is erase_<partition name>. I've only tested it on persist so far. I'm assuming this is for partitions that aren't supported by the regular "fastboot erase" command.
Code:
fastboot oem erase_persist

Code:
fastboot oem off-mode-charge 1
fastboot oem off-mode-charge 0
fastboot oem uart-on
fastboot oem uart-off

25th May 2015, 03:01 AM |#3
fuser-invent, OP Senior Member
Links
Drivers and Software
Links to relevant threads

25th May 2015, 03:01 AM |#4
fuser-invent, OP Senior Member
Logs
All logs posted to Pastebin.

Fastboot Logs
ADB Logs

25th May 2015, 03:01 AM |#5
fuser-invent, OP Senior Member
Updates to this thread
1/24/2015
- Added a link to a spreadsheet with partition info to the original post under "General Info".
- Added a section to the original post for files. Added a link to a MediaFire folder with QPST memory debug of a bricked device as well as dumped and unpacked partitions from a working device. Listed all files in each folder.
- Added another build of the QPST software to the MediaFire folder.
- Edited "Tasks" in original post.

6/01/2015
- Added info on how to pull a full raw backup of a working Nexus 7.
- Added all fastboot and adb logs I have.
- Added more documents to the MediaFire folder.

05/28/2015
- Added a working theory to the initial post.

05/26/2015
- Added more info to the Intro section and the Problem section.
- Formatted the Fastboot Command section differently.

05/25/2015
- Added links to drivers, software and relevant websites.
- Added Qualcomm Documents to the links section.
- Added info about driver installation to the Getting Started section.
- Added a list of other APQ8064 devices.
- Reformatting some things to look better. I'll keep working on it.

05/24/2015
- Initial Post

25th May 2015, 04:29 AM |#6
fuser-invent, OP Senior Member
Reserved
Reserved for if there is ever a solution.

29th May 2015, 05:14 AM |#7
fuser-invent, OP Senior Member
I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.

-----

Update: The info on how to make a full RAW backup of the entire device without having an external SD card to save it to can be found in this thread. I made some adjustments for the Nexus 7 and I did it all in Cygwin.

To make device backup in Cygwin and TWRP open a terminal and do this:

Code:
adb forward tcp:5555 tcp:5555
adb shell
/sbin/busybox nc -l -p 5555 -e /sbin/busybox dd if=/dev/block/mmcblk0

Then open a second Cygwin Terminal and do this:

Code:
adb forward tcp:5555 tcp:5555
cd /nexus
nc 127.0.0.1 5555 | pv -i 0.5 > mmcblk0.img

You can then mount the image you pulled with DiskInternals Linux Reader. It will show you all of the individual partitions, all of the unallocated gaps between partitions and some info about each one. You can open the EXT4 partitions like /system to explore them and you can also open the radio.img and see everything inside. You can then save all the partitions as individual images. This method doesn't work with the bricked tablet. I'm building a spreadsheet with info on all the partitions.
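
A raw image such as the mmcblk0.img pulled above can be checked for an intact partition table before any partitions are cut out of it, which also bears on the first post's question of whether the GPT is bad. This is an added example, not part of the original post: it validates the primary GPT header and entry-array CRC32 values, assumes 512-byte sectors, and its function names and sample image (LBAs, GUIDs) are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512  # assumption: 512-byte logical sectors in the pulled image
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header at LBA 1
ENT = struct.Struct("<16s16sQQQ72s")       # 128-byte partition entry


def check_gpt(image: bytes) -> dict:
    """Validate the primary GPT of a raw disk image and list its partitions."""
    report = {"signature_ok": False, "header_crc_ok": False,
              "entries_crc_ok": False, "partitions": []}
    raw = image[SECTOR:SECTOR + HDR.size]
    if len(raw) < HDR.size:
        return report
    (sig, _rev, hdr_size, hdr_crc, _rsvd, _my_lba, _alt_lba, _first, _last,
     _disk_guid, ent_lba, ent_count, ent_size, ent_crc) = HDR.unpack(raw)
    report["signature_ok"] = sig == b"EFI PART"
    if not report["signature_ok"] or not (HDR.size <= hdr_size <= SECTOR):
        return report
    # The header CRC32 covers hdr_size bytes with its own field zeroed.
    hdr = bytearray(image[SECTOR:SECTOR + hdr_size])
    hdr[16:20] = bytes(4)
    report["header_crc_ok"] = zlib.crc32(bytes(hdr)) == hdr_crc
    # The entry-array CRC32 covers ent_count * ent_size bytes from ent_lba.
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + ent_count * ent_size]
    if ent_size < ENT.size or len(table) < ent_count * ent_size:
        return report
    report["entries_crc_ok"] = zlib.crc32(table) == ent_crc
    for i in range(ent_count):
        type_guid, _uid, first, last, _attrs, name = ENT.unpack_from(
            table, i * ent_size)
        if type_guid != bytes(16):  # an all-zero type GUID marks an unused slot
            label = name.decode("utf-16-le", errors="replace").split("\0")[0]
            report["partitions"].append((label, first, last))
    return report


def check_gpt_file(path: str, span: int = 1 << 20) -> dict:
    """Check an image file; assumes header and entry array lie in the first MiB."""
    with open(path, "rb") as fh:
        return check_gpt(fh.read(span))


def build_sample_image(names=("sbl1", "aboot")) -> bytes:
    """Constructed 64 KiB image with a valid GPT; LBAs and GUIDs are made up."""
    entries = bytearray(4 * ENT.size)
    for i, name in enumerate(names):
        ENT.pack_into(entries, i * ENT.size, b"\x11" * 16, bytes([i + 1]) * 16,
                      64 + 8 * i, 71 + 8 * i, 0, name.encode("utf-16-le"))
    fields = [b"EFI PART", 0x00010000, HDR.size, 0, 0, 1, 127, 34, 94,
              b"\x22" * 16, 2, 4, ENT.size, zlib.crc32(bytes(entries))]
    fields[3] = zlib.crc32(HDR.pack(*fields))  # CRC computed with field = 0
    image = bytearray(128 * SECTOR)
    image[SECTOR:SECTOR + HDR.size] = HDR.pack(*fields)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(image)


if __name__ == "__main__":
    good = build_sample_image()
    print(check_gpt(good))
    print(check_gpt(bytes(len(good))))  # wiped image: no "EFI PART" signature
```

A report with a valid signature but a failed CRC points at a damaged table, while a missing signature means the sectors read back are not a GPT at all.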

29th May 2015, 05:36 AM |#8
MattG987, Member
Quote:
Originally Posted by fuser-invent

I extracted all the partitions in RAW format today. I'll add some more detailed info here in the near future on how I did it but I used software called DiskInternals Linux Reader.

From a working or an OTA-bricked device?

29th May 2015, 05:53 AM |#9
fuser-invent, OP Senior Member
Quote:
Originally Posted by MattG987

From a working or an OTA-bricked device?

I pulled them all from a working device so I can try to write them back to the bricked device but also so I can try and make the flash programming files for use in QFIL. On another note the bricked devices can show up in the Windows file manager as a single small partition with a list of files. I found out today that those files are the contents of the radio partition. I have a folder with those files from a bricked and working device now and I'll do a hex comparison to see if they are still all intact on the bricked device. That also means the FAT partition at the very beginning of the eMMC chip is still there and working, so the whole chip isn't "dead".

21st November 2015, 11:49 PM |#10
yodtc, Junior Member
Hi fuser-invent,

Thank you for your job.
Do you have any solution to write a stock rom to flash memory?
Lollipop OTA bricked my Nexus 7 2013. Several people are reporting this problem.
I can't unlock the bootloader and adb sideload does not work.

Thanks.

22nd November 2015, 06:42 PM |#11
fuser-invent, OP Senior Member
Quote:
Originally Posted by yodtc

Hi fuser-invent,

Thank you for your job.
Do you have any solution to write a stock rom to flash memory?
Lollipop OTA bricked my Nexus 7 2013. Several people are reporting this problem.
I can't unlock the bootloader and adb sideload does not work.

Thanks.

Still working on it but my job suddenly got really, really busy. Hoping to get back into it after the holiday rush. I wish there were other people trying to work on this problem too though.

