[GUIDE]How to reboot to EDL from fastboot

Are you able to reboot to EDL mode with this method?

  • Yes

    Votes: 248 43.1%
  • No

    Votes: 187 32.5%
  • Have no EDL mode in my device

    Votes: 141 24.5%

  • Total voters
    576
Search This thread

emuzychenko

Senior Member
Mar 31, 2016
51
218
55
Novosibirsk
Most Qualcomm-based Android PDAs support emergency download (EDL) mode allowing to unbrick device, unlock bootloader or modify protected device parameters. If ADB interface is accessible, "adb reboot edl" can be used to reboot to EDL mode.

Many bricked PDAs cannot be booted with full ADB support while FastBoot mode is accessible. But if bootloader is locked, there is no way to flash a partition or boot an image.

Some firmwares support rebooting to EDL in Android Bootloader aboot module (the "reboot-edl" command) but fastboot utility doesn't recognize "reboot-edl" in the command line and refuses to sent the command to the device.

Since FastBoot command protocol is simple and text-based, it is enough to send a packet containing "reboot-edl" text over USB. The simplest way to do that is to patch Windows fastboot.exe file, replacing "reboot-bootloader" text with "reboot-edl". As "reboot-bootloader" string is found in the command line, fastboot.exe sends the same constant string to the device. So if "reboot-bootloader" is replaced with "reboot-edl", you can specify "reboot-edl" in the command line and the same text will be sent to the device.

In the attached example, the mentioned string is located at offset 2685c.

I occasionally locked bootloader in my unlocked/rooted Xiaomi Redmi Note 3 Pro (Snapdragon) so it could boot to FastBoot or Diagnostic 900E modes. Tried to swich from 900E to 9008 with QPST but it reported unspecified error.

Analyzing aboot (emmc_appsboot.mbn), found that it supports "reboot-edl" so the only remaining thing was to find a way to send it to the bootloader.

With the attached fastboot.exe, successfully rebooted to EDL mode (9008) and re-flashed proper partition images.

Of course, patched version does not support "reboot-bootloader" command because it has been replaced by "reboot-edl".

There also is a detailed guide.
 

Attachments

  • fastboot_edl.7z
    135 KB · Views: 925,602
Last edited:

emuzychenko

Senior Member
Mar 31, 2016
51
218
55
Novosibirsk
Who has no success with this method, please upload somewhere (or post URL to an existing file) the image file of your "aboot" partition from FastBoot firmware, I will try to analyze them. For Redmi Note 3 Pro, image file is named "emmc_appsboot.mbn". If your FastBoot firmware contains a batch file that calls fastboot.exe, the appropriate image file name can be found there.
 

emuzychenko

Senior Member
Mar 31, 2016
51
218
55
Novosibirsk
can't get it work on xiaomi mi max
Your bootloader supports the following oem commands in FastBoot mode:

oem unlock
oem lock
oem edl
oem device-info
oem enable-charger-screen
oem disable-charger-screen
oem off-mode-charge
oem poweroff
oem select-display-panel

So "oem edl" should switch the phone to EDL mode (any fastboot.exe will support that).

Additionally, "oem poweroff" should power the phone off.
 

emuzychenko

Senior Member
Mar 31, 2016
51
218
55
Novosibirsk
Checked Mi 4c, Mi 5 and Mi Max bootloaders - all of them support "oem edl" to switch to EDL mode. Looks like a kind of "protection" is implemented in RN3P bootloader that supports only "reboot-edl" command.
 

anil4523

Member
Aug 31, 2011
35
0
Ahmedabad
emmc_appsboot.mbn file from Fastboot firmware of 7.3.5.0 MAAMIDD Global Stable of Mi 5 - https://mega.nz/#!OUZ1QaoI!EIgsKTOn6PQZ236pluhHmVRQ5D9HCKWeNRfzqgFbkgM

This will support all of that mentioned by @emuzychenko

Untitled.jpg

But it is mentioned that edl is blocked in 7.3.x.x firmware, so how to check whether edl is working or not ??

Thanks
 

Top Liked Posts

  • There are no posts matching your filters.
  • 183
    Most Qualcomm-based Android PDAs support emergency download (EDL) mode allowing to unbrick device, unlock bootloader or modify protected device parameters. If ADB interface is accessible, "adb reboot edl" can be used to reboot to EDL mode.

    Many bricked PDAs cannot be booted with full ADB support while FastBoot mode is accessible. But if bootloader is locked, there is no way to flash a partition or boot an image.

    Some firmwares support rebooting to EDL in Android Bootloader aboot module (the "reboot-edl" command) but fastboot utility doesn't recognize "reboot-edl" in the command line and refuses to sent the command to the device.

    Since FastBoot command protocol is simple and text-based, it is enough to send a packet containing "reboot-edl" text over USB. The simplest way to do that is to patch Windows fastboot.exe file, replacing "reboot-bootloader" text with "reboot-edl". As "reboot-bootloader" string is found in the command line, fastboot.exe sends the same constant string to the device. So if "reboot-bootloader" is replaced with "reboot-edl", you can specify "reboot-edl" in the command line and the same text will be sent to the device.

    In the attached example, the mentioned string is located at offset 2685c.

    I occasionally locked bootloader in my unlocked/rooted Xiaomi Redmi Note 3 Pro (Snapdragon) so it could boot to FastBoot or Diagnostic 900E modes. Tried to swich from 900E to 9008 with QPST but it reported unspecified error.

    Analyzing aboot (emmc_appsboot.mbn), found that it supports "reboot-edl" so the only remaining thing was to find a way to send it to the bootloader.

    With the attached fastboot.exe, successfully rebooted to EDL mode (9008) and re-flashed proper partition images.

    Of course, patched version does not support "reboot-bootloader" command because it has been replaced by "reboot-edl".

    There also is a detailed guide.
    4
    Works perfectly for me :)
    4
    can't get it work on xiaomi mi max
    Your bootloader supports the following oem commands in FastBoot mode:

    oem unlock
    oem lock
    oem edl
    oem device-info
    oem enable-charger-screen
    oem disable-charger-screen
    oem off-mode-charge
    oem poweroff
    oem select-display-panel

    So "oem edl" should switch the phone to EDL mode (any fastboot.exe will support that).

    Additionally, "oem poweroff" should power the phone off.
    3
    How do you analyze aboot to know which commands in fastboot mode is supported? IDA?
    There is no need to disassemble the code. Looking on aboot_fastboot_register_commands function in aboot.c, you can see there is a command table starting from "flash:" and "erase:". So just open binary module in a hex viewer, search for "flash:" and you will see the command table.
    2
    How you know I was talking about YUPHORIA :333
    Thanks for the heads up :33

    Its your signature... & we may crossed path before in YU forums.
    @HampTheToker

    Asus doesn't provide any reboot to EDL option. Available options are:
    • reboot
    • reboot-bootloader
    • preflash
    • oem reboot-recovery
    • oem device-info
    • oem get_build_version
    • oem disable-charger-mode
    • oem enable-charger-mode
    • oem select-display-panel
    • oem adb_enable
    • oem adb_enable_cts
    • oem partition-test

    You may take a look in the discussion in this thread.