I have tried several times and the result does not change, I will tell you roughly what happened with this dap, I acquired it at a fairly low price still being used (now I am beginning to suspect) and it worked well for months, however months ago and a half when I started the quarantine I had a very hectic week and I forgot to charge it for several days until it completely drains the battery, I put it to charge and when I try to turn it on I no longer pass the Android screen, my first instinct was to connect it to the pc but did not recognize it and panic, however I had already had a small lock on a cell phone and decided to access the recovery mode and did not succeed either, I followed part of your thread to download the processor drivers and little by little I have brought it to the point where it already allows me to enter fastboot mode and recovery, however this mode does not perform any action, the recovery mode shows me the message: "E: cant Open / dev / block / platform / msm_sdcc.1 / by-name / m isc (permission denied) I don't know if that can tell you what happens to my dap
Any help on Pioneer XDP-300R bootloop ?
- Thread starter grogcw
- Start date
I have tried several times and the result does not change, I will tell you roughly what happened with this dap, I acquired it at a fairly low price still being used (now I am beginning to suspect) and it worked well for months, however months ago and a half when I started the quarantine I had a very hectic week and I forgot to charge it for several days until it completely drains the battery, I put it to charge and when I try to turn it on I no longer pass the Android screen, my first instinct was to connect it to the pc but did not recognize it and panic, however I had already had a small lock on a cell phone and decided to access the recovery mode and did not succeed either, I followed part of your thread to download the processor drivers and little by little I have brought it to the point where it already allows me to enter fastboot mode and recovery, however this mode does not perform any action, the recovery mode shows me the message: "E: cant Open / dev / block / platform / msm_sdcc.1 / by-name / m isc (permission denied) I don't know if that can tell you what happens to my dap
Ok. If you can enter recovery, did you try to clear user data and cache ? (Just ignore the warning, it's normal)
I already tried it and according to the dap it does it however in the end it launches the message that I told you and when you restart the device it is as if you had not done anything
I'm confident that it does what it's told, it's just that there's a problem occuring during boot phase.
Well, unless you get the oem to unlock and re-flash boot / aboot, you're basically stuck (welcome to the community).
Keep expecting, there might be a solution, I (or any hacker with will and free time) just have to figure it out.
Well, unless you get the oem to unlock and re-flash boot / aboot, you're basically stuck (welcome to the community).
Keep expecting, there might be a solution, I (or any hacker with will and free time) just have to figure it out.
Thank you very much for your time, and the help you gave me will be pending in case someone manages to solve the problem, I hope I do not have to resort to Pioneer technical service because at least here in Mexico City the quarantine will be very long and i wish i could get my dap back sooner.
regards
....and not to brag about it, but I already contacted every pioneer support, even at high level in japan's headquarters, and either they don't know the product (or third party repair company doesn't), or they don't want to upload the original rom, so....you can relax on this particular subject, job has already been done, no-one will help.
hi there,
I have 300R locked and when I try unlock oem I got DENIED error message.
Is there any way to unlock my player?
Daniel
Hi !
The only way to unlock OEM that I know (at that time) is by accessing the developper's settings in Android, so if your device is bootable, you can proceed there.
We don't have the magic key to enable it via fastboot as for now, and probably never will unless we fully reverse engineer the whole aboot/boot.img.
You can try to do as #32 and boot from a "distant" know good boot.img and then unlock your bootloader if your device won't start.
Hope that helps !
Cheers !
Edit : You can unlock it by force, see #51
Last edited:
I write this post as I'm currently investigating this path...
I recently banged my head against my device and by decompiling/extracting stuff I've found that one of the device's recovery key is also in the aboot.img as a certificate.
That means that if I don't mis-read everything and that this theory is right, I COULD be able to make a recovery flashable zip, signed by the original certificate, thus being able to write to /cache, /data, /sdcard, /boot and /recovey.
/system is read-only according to the recovery fstab file, but if I can write to boot and recovery, it's a little step to have a flashable TWRP recovery, which can write to /system, and we already have stock images of it.
The procedure for a bricked device could then be :
...resulting a stock and OEM unlocked device.
If anyone is willing to assist me, I'd be glad as I quite don't fully understand how to make a flashable zip at this time.
Don't loose hope, and wish me luck !
Cheers !
-----------------------------------------------------------------------
Edit : the key is 2048 bits long, so no-one at the moment can crack it. Back to square 1.
I recently banged my head against my device and by decompiling/extracting stuff I've found that one of the device's recovery key is also in the aboot.img as a certificate.
That means that if I don't mis-read everything and that this theory is right, I COULD be able to make a recovery flashable zip, signed by the original certificate, thus being able to write to /cache, /data, /sdcard, /boot and /recovey.
/system is read-only according to the recovery fstab file, but if I can write to boot and recovery, it's a little step to have a flashable TWRP recovery, which can write to /system, and we already have stock images of it.
The procedure for a bricked device could then be :
Code:
- Boot to Recovey (Power + Next Track)
- Flash the signed Boot+TWRP signed zip
- Reboot to TWRP
- Write a stock System backup
- Reboot to System
- Use developers options to unlock the Bootloader
- Fastboot flash sotck recovery.img...resulting a stock and OEM unlocked device.
If anyone is willing to assist me, I'd be glad as I quite don't fully understand how to make a flashable zip at this time.
Don't loose hope, and wish me luck !
Cheers !
-----------------------------------------------------------------------
Edit : the key is 2048 bits long, so no-one at the moment can crack it. Back to square 1.
Last edited:
After yesterday fails on certificate's path, and with some more research, I've found that there's an adb enable command accessible via fastboot.
Now, I don't know how adb is accessible, we'll have to figure this out, but if/when the device is accessible, it's also opened to privilege escalation via dirtycow (CVE-2016-5195).
I successfully built, run and escalated on my device while having adb enabled in system.
Now for the fun part : I'm looking a way to get SELinux to enforce or permissive and/or have a fully functional root in order to patch the aboot's partition bits to force OEM unlock (I already have the bits' address).
It may be a few days until I achieve this.
Cheers !
Code:
fastboot oem adb_enable 1
fastboot oem data:r AdbEnable //to chack that the variable is set (should be 1)Now, I don't know how adb is accessible, we'll have to figure this out, but if/when the device is accessible, it's also opened to privilege escalation via dirtycow (CVE-2016-5195).
I successfully built, run and escalated on my device while having adb enabled in system.
Now for the fun part : I'm looking a way to get SELinux to enforce or permissive and/or have a fully functional root in order to patch the aboot's partition bits to force OEM unlock (I already have the bits' address).
It may be a few days until I achieve this.
Cheers !
Last edited:
Guys, I have THE SOLUTION (which is outrageously simple), 3 years after, even if I'm quite sure I tested this a long time ago...oh well...
In order to unlock your bootloader....YOU HAVE TO FORCE IT !
then you can
to checkif your device is unlocked.
The reply SHOULD be
...then...all you have to do is....
You might want to flash ABOOT, BOOT, SYSTEM and RECOVERY (STOCK or TWRP) partitions in order to recover the full usage of your device.
Examples :
That's it.
In order to have a fully unlocked device, when your device is repaired, GO to developper's options, enable OEM unlocking, reboot to fastboot mode and ask nicely...
Unless it doesn't work for you, I'm retiring of this thread and I'll tryin a near future to port LineageOS with DACs support (don't quote me on that).
F to Pioneer and Onkyo for their ****ty support and policy on not releasing ROMs.
Cheers !
In order to unlock your bootloader....YOU HAVE TO FORCE IT !
Code:
fastboot oem unlock forcethen you can
Code:
fastboot oem device-infoto check
The reply SHOULD be
Code:
(bootloader) Device unlocked: true
(bootloader) FRP unlock: false...then...all you have to do is....
Code:
fastboot flash <partition> <image>You might want to flash ABOOT, BOOT, SYSTEM and RECOVERY (STOCK or TWRP) partitions in order to recover the full usage of your device.
Examples :
Code:
Windows : fastboot.exe flash aboot C:\Users\<myname>\Desktop\aboot-dev_true-frp_true
MacOS : fastboot flash boot /Users/<myname>/Downloads/good_boot.img
Linux : fastboot flash system /home/<myname>/Downloads/system.ext4.winThat's it.
In order to have a fully unlocked device, when your device is repaired, GO to developper's options, enable OEM unlocking, reboot to fastboot mode and ask nicely...
Code:
fastboot oem unlockUnless it doesn't work for you, I'm retiring of this thread and I'll try
F to Pioneer and Onkyo for their ****ty support and policy on not releasing ROMs.
Cheers !
Last edited:
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
2Onkyo dp-x1 rom on Pioneer xdp300r.
Hello
I found on the Chinese site an older version of software for onkyo dp-x1 reworked by someone from root and I managed to upload it. It worked my dap came back to life. Then the system automatically downloaded the latest software version, I made root again and everything works as it should. the difference is now the yellow font color, the onkyo player and the name in the system call dp-x1. The rest is exactly the same as the pioneer.
If someone wants I can insert a link to the page with this software. There are two versions of this software 1.26 and 1.28.
I installed the first one and everything worked without a problem.
Then you can automatically download the latest version.
greetings1Hi !
I've attempted to deal with the devil by trying to root my Pioneer XDP-300R resulting in a bootloop problem (device is stuck on "Powered by Android" screen).
I attempted to flash a boot.img for a Onkyo DX-P1 (which is the same firmware), and still I haven't progressed.
No firmware, update or imgs are provided on Pioneer's website.
I still have access to fastboot (OEM is LOCKED, so I can't boot TWRP and such) in bootloader mode and adb push (no shell) in recovery mode.
Do you guys have any idea how to sort it out ?
Edit :
I managed to make my device go into Qualcomm's emergency download mode.
Here's how to :
1 - Make sure the device is completely off and unplugged from USB.
2 - Install QPST V2.7.474 (not enough posts to share url, but I can PM it).
3 - Install QDLoader Drivers (same as #2).
4 - Simply press and hold the "Play" button while connecting it to your computer, the device manager should see a "Qualcomm 9008 port" listed in Ports while the player's screen stays black.
5 - Do the Carlton (important step !)
Now, if anyone possessing a FUNCTIONAL AND ROOTED Pioneer XDP-300r is reading this and willing to help, can you get in touch with me ?
Together, we could manage to save all the other devices from soft-bricking.
All I would need from you is some time, hard disk space and patience to sort it out.
Please <insert_your_name_here>, you're my only hope !
Edit #2 :
Thanks to minotauri's great help, we managed to get a FULL rom backup, split the partitions to files and generate all the files needed for QFIL.
ErrOzz has been given access to this, hoping that he'll try it out soon.
If that works, I'll link you the files and write the walkthrough to bring you DAP back to life.
minotauri's contributions are not in rest tho, he managed to also successfuly patch TWRP for the device, so anyone can securely flash things from there now.
For anyone reading this thread : you're not the only one who screwed things up, we did too but we might have the cure. Hang in there !1Hi !
From the edl / qdload 9008 state, you can't afaik.
Here's how I think you can :
1 - Unplug your device from USB and power it off from whatever state it is.
2 - Power it on pressing Power + Previous button (keep holding, you should be "stuck" on the penguin logo).
3 - Connect your USB.
4 - Check that you have a Android ADB Device in your device manager (install drivers manually if you have an Unknown device).
5 - Grab any fastboot from the internet if you don't already have it (I'll PM you my gdrive, it's there for exemple).
6 - From CMD, go to fastboot directory. (cd <my_folder_with_fastboot>).
7 - Type in : fastboot devices
If fastboot sees your device, you're on the good path, else, check your driver / connection / reboot to fastboot "penguin" state.
8 - Type in : fastboot oem device-info
If it replies
(bootloader) Device unlocked: true
among others, you're in a good, good way, else, you're screwed by now, but we are working on it.
9 - If all the precedent are fulfilled type :
fastboot flash boot <my_boot_image.img>
10 - Mandatory Carlton.
I hope you'll be in the right path all the way, if you're stuck somewhere or if your bootloader is locked, please let me know.
Cheers !
