When bricked, the LED is off ( and occasionally has a faint orange colour), as is the rest of the device. No signs of life at all
[UNBRICK] HTC Unbricking Project
- Thread starter dexter93
- Start date
somebody interest
This solution only for EMMC can be reader by linux, but if sbl2.nhb have error, EMMC cannot be reader by linux, but it's still "QDLoader Mode", I think it's can be fixed by QPST. But I don't know how to do it?
somebody interest can be here "http://xdaforums.com/showthread.php?t=1989001" , I guess it's new project for unbrick.
This solution only for EMMC can be reader by linux, but if sbl2.nhb have error, EMMC cannot be reader by linux, but it's still "QDLoader Mode", I think it's can be fixed by QPST. But I don't know how to do it?
somebody interest can be here "http://xdaforums.com/showthread.php?t=1989001" , I guess it's new project for unbrick.
Get in touch with this guy. He successfully unbricked his gnote: http://xdaforums.com/showthread.php?t=1914359
Sprint sgs3 brick assistance?
I got a sgs3 that's bricked while trying to return to stock with odin, im assuming it must have been the wrong file..
But any ways, i resurrected a htc one x using help from one of the guys on here...it was pretty intense
i had to boot in to linux and do a buch of stuff but it actually worked!!
The htc one x was completely dead....hard bricked for sure....
So the question is whats the difference between the sprint s3 and the htc one x....
Or basically is there a way to revive it, or only jtag?
I got a sgs3 that's bricked while trying to return to stock with odin, im assuming it must have been the wrong file..
But any ways, i resurrected a htc one x using help from one of the guys on here...it was pretty intense
i had to boot in to linux and do a buch of stuff but it actually worked!!
The htc one x was completely dead....hard bricked for sure....
So the question is whats the difference between the sprint s3 and the htc one x....
Or basically is there a way to revive it, or only jtag?
Here is what I did. I was having some problems and reflashing the rom didn't seem to help. I decided to format all partions (except SD) in 4EXT recovery, flashed Elegancia rom. The phone booted the screen was on and then went dead. I cannot access bootloader, no vibration, no LEDs no sign of life except for QHSUSB_DNLOAD when connected to Windows machine. I've tried to discover device using terminal on mac, no success. I don't know what category my brick device fell into.
I guess I should be looking for a service center with JTAG connector (RIFF).
Do I need to have fully installed version of Ubuntu or tryUbuntu with CD works just fine? Also is it possible to test connection with a working phone?
I guess I should be looking for a service center with JTAG connector (RIFF).
Do I need to have fully installed version of Ubuntu or tryUbuntu with CD works just fine? Also is it possible to test connection with a working phone?
Thank you for such a prompt reply. Should I be able to using your guide discover a fully working unit? I am not sure if it is linux that I haven't install and simply run it from cd Rom or my brick isn't compatible with this guide.
I tried and it doesn't discover my device when I execute the script. I am trying to eliminate the pc hardware. Should a fully working unit be discovarable as well?
Has there been a confirmation? Touchpads and Samsungs on 8660 have been fixed with this method.
I believe there is still some work left to be done, as the method is not final.
I managed to bring my unit back to life. I've tried everything but I wasn't able to discover my device with Linux box. I no longer have rework access to BGA rework station, so I've used heat gun method (normally wouldn't recommend it as there are way to many 0201 components that will flow all over the place). No go.
I have tried wire jump method and shorted two pins(one at a time) to ground (SD card shield) and then shorted the two pins with paper clip for quite some time with the battery on, then connected to Windows XP 32bit with not battery, SD, SIM and noticed the device wasn't discovered. Disconnected put the battery back in, powered on and booted normaly with Elegancia ROM. I hope it continues to work and I don't have to use my backup Sensation.
It looks like my unit was stuck in DLOAD mode and hboot was totally fine as I haven't recoved it, unless HTC made a backdoor.
I have tried wire jump method and shorted two pins(one at a time) to ground (SD card shield) and then shorted the two pins with paper clip for quite some time with the battery on, then connected to Windows XP 32bit with not battery, SD, SIM and noticed the device wasn't discovered. Disconnected put the battery back in, powered on and booted normaly with Elegancia ROM. I hope it continues to work and I don't have to use my backup Sensation.
It looks like my unit was stuck in DLOAD mode and hboot was totally fine as I haven't recoved it, unless HTC made a backdoor.
Does this work for the Doubleshot?
I'm curious if this would be the right method for unbricking a doubleshot. I'm not sure my device is bricked, cause the battery died, and apparently CWM won't allow it to charge if it's off. :'( So I still have to find out, but that won't happen until my extra batteries & charger arrive... Anyway, just checking.
-Thanks
I'm curious if this would be the right method for unbricking a doubleshot. I'm not sure my device is bricked, cause the battery died, and apparently CWM won't allow it to charge if it's off. :'( So I still have to find out, but that won't happen until my extra batteries & charger arrive... Anyway, just checking.
-Thanks
Hi All,
It's come to my attention that not all the hexloaders are the same for the 8660, ive seen different behavior in the wild from the two different loaders i have,
I've attached them in case anyone want to try. I renamed them based on the strings found inside, each one has a different build.
Also it seems that the SBL1 of the loader can be jammed and then controled more than we knew, the emmcrecover tool only make a small amount of use of this loader, and it's triggered on every boot, not just when the bootloaders fail. I am trying to get my hands on the proof and copies of the loaders source via a contact in china.
Also in the spirit of sharing, i've also attached a few tools for digging into the partitions, any one who has used util-linux or util-linux-ng will know the tools, all i've done is compiled them statically for arm (arm5 but runs on arm5 to 11).
I hope this will further the work done here.
I suggest all users who have a copy of the various hex files floating around just run the linux command strings on the file and note it's build details
example below
Code:
darkspr1te@devbox:~/Downloads/Samsung/hexloaders$ strings M8660AAABQNLGM313142-EMMCBLD.HEX | grep "jos_bus\.c"
*D:\Builds\M8660AAABQNLGM313142\modem_proc\core\wiredconnectivity\hsusb\core\src\jos\jos_bus.cthe tools i've included are
lsblk
sfdisk
partx
blkid
I've found these tools to be very handy in my current work, sfdisk most of all, in my debrick system it's able to create a complete partition table on the device while in SD card mode (8660_msmimage) from a previous copy, I dd's null over the entire partition beforehand so that now partition table info was left.
a quick
cat part-e160l-.txt | sfdisk /dev/sdb
and i had my partition, no messing with partition0.bin or the like.
/offtopic
I am also currently working on a program that will grab copies of the table, loaders (currently only samsung with root) but i hope to expand that support and include a export to QPST option as I have almost nailed down the .xml format (key is the partition name assigns it's type, not it's LABEL)
But first, I have to finish learning Java and my Pascal/COBOL background keeps getting in the way.
:laugh:
darkspr1te
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
167We are proud to announce that the Sensation is now UNbrickable. Users with the QHSUSB_DLOAD issue can now fully recover their phones and get them fully functional.
Note: This will fix only devices which were bricked by turning S ON. And bricks caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device. Any devices bricked with other ways are currently *not* supported. We are working on it
The "core" of the unbricking project dev team:
MOVZX
RussianBear
Fuses
Dexter93
Testing stuff and irc support:
globatron
Deceptivechaos
dburgd84
Snake_skw
Other stuff:
dmcb123
xIndirect
Hawke84
Thanks to trevE, xHausx and the rest of the evo3d team that gave us the basic info to work on and made us curious to see if we could get something out of it. Also thanks to ief and his team @revolutionary for helping us understand the bootloaders better. We should also not forget to thank cxb01 of malshenzu.com and xda members arthurire and untrueparadox who helped in translation.82Prerequisites
- a linux box/live cd with automount disabled and without unity
- the appropriate package for the device
- the latest RUU for your device
- a device bricked by writing security flag 3 with an unsigned hboot, or caused by a damaged hboot via interrupted OTA update/RUU flash on a S-ON device
- a usb cable
- some basic linux experience
- patience
DISCLAIMER: We do NOT guarantee that this method will work for you, or that it is flawless. We are also not responsible if your phone is completely dead after the procedure, or your house burns down because your phone exploded. You are doing this in YOUR OWN RISK.
InstructionsDetailed video on the process. Thanks kgs1992
- Boot the linux box and download the appropriate package for the device.
WARNING: IT IS DEVICE SPECIFIC. DO NOT USE THE XE VERSION ON A 4G/ORIGINAL SENSATION AND VICE VERSA - Extract the package in the home directory
- Open up a terminal
- Remove SIM, microSD card and battery and connect the device using the USB cable. This procedure must be done without battery
- Detect the device using the script provided. Type this in the terminal
You should get something like sdX. We are interested on that "X"Code:./brickdetect.sh - Unplug the usb cable from the device
- Backup the hboot currently in the phone by using this command. Plug the device in ONLY when asked to
Replace the "X" with the letter the script gave youCode:sudo ./emmc_recover --backup b_hboot.img --device /dev/sdX12 - Follow the on-screen instructions from emmc_recover
- Hexdump the b_hboot to check the hboot version
The output should be like this:Code:hexdump -C b_hboot.img |less
This is the typical hex of a hboot. We are interested to check if that is the hboot partition and if it is, to get to know the version. In this case it is 1.17Code:00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40 |...............@| 00000010 d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00 |...........@....| 00000020 d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 31 37 |...@........[B]1.17[/B]| 00000030 2e 31 31 31 31 00 00 00 38 32 36 30 20 53 50 4c |.1111...8260 SPL| 00000040 00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00 |...... .SHIP....| 00000050 00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32 |.. ... .HBOOT-82| 00000060 36 30 00 00 00 f0 20 e3 39 32 65 35 33 37 31 30 |60.... .92e53710| - If in the above step you failed to identify the hboot, unplug all devices connected to that pc, reboot and try again
- Unplug the device
- Check again it is the right version, because if you do a mistake here, you won't be able to go back
You can only flash the same version as the one in the device.
!!!!!DO NOT ATTEMPT TO FLASH ANOTHER VERSION OR DOWNGRADE!!!IT HAS BEEN PROVEN FATAL!!!! - Flash the hboot on the device. Replace "V.VV" with hboot version (eg. 1.17, 1.18, 1.19, 1.20, 1.23, 1.27) and "X" with the one you got from the detect script. Plug the device in ONLY when asked to
Code:sudo ./emmc_recover --flash pyrV.VV.nb0 --device /dev/sdX12 --backupafter hboot_f.nb0 - Follow the on-screen instructions from emmc_recover. A successful flash should have this output:
Code:511+1 records in 511+1 records out 1047808 bytes(1.0 MB) copied - Unplug the device, put SIM, microSD card and battery in and power on
- Congratulations, the device is unbricked.
- FLASH THE RUU IMMEDIATELY AFTER RECOVERING!! The device will be unstable after the recovery if you don't flash it.
Notes on the procedure:
- If the device doesn't power on, get a copy of the hboot_f.nb0 and b_hboot.img (should be located in the home directory) and contact us
- The connection between the device and the pc will be unstable, and will time out. You have to be quick when doing the above, specially while flashing. If the connection times out don't panic, just unplug and replug the device
- Unity and automount are known to cause issues in ubuntu 11.04 and 11.10. We recommend getting rid of both, or use a 12.04, or 10.04/.10 liveCD
- USB3 ports do not work properly. Please plug the device in a USB2 port
- The liveCD provided has autoount enabled. please disable it
- How to disable automount on ubuntu
Code:
gsettings set org.gnome.desktop.media-handling automount false
Downloads
For Sensation and Sensation 4G:
32bit version MD5: 859cf1c8f4cc96a9c911ecf696579e6f
64bit version MD5: d160e90234999a0f8e5ed632d3a2bb4e
For Sensation XE:
32bit version MD5: dec2309cc06dbc01398a4a49f8ae13cf
64bit version MD5: de677136626fe2e096f0a7f48e438978
Don't have a linux distro installed on your pc? We highly recommend this livecd
18It is unbelievable how many writesecureflag bricked devices there are in this world!!
I write this little tool to help people to unbrick those phones. It also helps unbrick those phones that can be in emmc_mode only few seconds. It uses dd to flash images into device.
In this guide I will assume that hboot is causing that brick and hboot is at /dev/sdb12 when emmc_mode enabled phone is connected.
What you need:
1) Bricked sensation
2) Linux, If you want to use windows you have to wait that somebody makes emmc_mode stable. If you don't have Linux installed, some Live-cd should be fine.
3) signed hboot from original rom you are using
4) This little tool called emmc_recover
5) Figure out what will be correct device node when phone is in emmc_mode
It is usually /dev/sda /dev/sdb /dev/sdc etc.
With this tool you can reflash any partition you want. SO BE CAREFUL.
There are few options in this tool:
Code:emmc_recovery 0.1 usage: emmc_recovery [OPTIONS] -h | --help: display this help -b | --backup -f | --flash -d | --device
How to use it (You have to root):
1) First BACKUP partition
This will backup current sensation hboot into file backupfile.img.Code:./emmc_recover --backup backupfile.img --device /dev/sdb12
2) Check that this really is correct partition
It should be something like this for hbootCode:hexdump -C backupfile.img |less
3) If backup was successfull, flash new hbootCode:00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 10 40 |...............@| 00000010 d8 fc 0f 00 d8 fb 0f 00 d8 fb 1f 40 00 01 00 00 |...........@....| 00000020 d8 fc 1f 40 00 00 00 00 12 00 00 ea 31 2e 31 38 |...@........1.18| 00000030 2e 30 30 30 30 00 00 00 38 32 36 30 20 53 50 4c |.0000...8260 SPL| 00000040 00 00 00 00 00 f0 20 e3 53 48 49 50 00 00 00 00 |...... .SHIP....| 00000050 00 f0 20 e3 00 f0 20 e3 48 42 4f 4f 54 2d 38 32 |.. ... .HBOOT-82| 00000060 36 30 00 00 00 f0 20 e3 39 64 32 34 31 32 33 66 |60.... .9d24123f|
4) Done.Code:./emmc_recover --flash hboot_xxxx.xxx.xx.xx.xx.nb0 --device /dev/sdb12
Below are usual output from tool:
Code:emmc_recovery 0.1 Messing up with device /dev/sdb12, ARE YOU SURE? (CTRL+C if not) Flashing image file is hboot_xxxx.xxx.xx.xx.xx.nb0 Device is /dev/sdb12 Press ENTER if everything is correct, CTRL+C if not Connect device into emmc partition mode NOW Waiting device /dev/sdb12....... Foundit! 512+0 records in 512+0 records out 1048576 bytes (1.0 MB) copied, 0.740003 s, 1.4 MB/s Return code is 0
Connect device into computer when you see line.
Code:Waiting device /dev/sdb12.......
Not before!!
NOTE: There may be bugs present....11awesome!
any people that know chinese, we need your help:
a chinese forum where a member posted a guide on how to de-brick a phone (zte u960) from qhsusb_mode:
http://bbs.malshenzu.com/read-htm-tid-38591-page-1.html
http://bbs.malshenzu.com/read-htm-tid-41957-page-1.html ( Sales MultiDL tool guide)
they use an additional tool (Sales MultiDL) that backs up alot of .mbn and .img files that we don't have (yet), so i'm not sure if we can pull those files out of the phone manually, or what?
translation per untrueparadox:
1. choose program mode
2. select the .hex and .mbn files from the included package
3. load the .xml included in the package
____ the path to xml file will show here
4. after selecting everything, click download to revive the brick
the files they used to flash:
anyone knows Chinese (google chrome translator is ok for basic understanding, but nothing more than that)?
i did pm the op of those threads to see what he thinks.11Oh my God...
Dude... Looks like I have my God besides Me... And my heart is now crying (really)...
MY PHONE IS NOW ON!! IT COULD BE TURNED ON AGAIN!!
Thanks God! I really need a beer, I'm going to go now for a celebration...
PS: I will write tutorials to resurrect the bootloader as soon as possible...
Thanks XDA Dev... And now I'm sure we'll be able too so ressurrect any phone with MSM8260/MSM8660 including EVO 3D...
