• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

How To Guide [ADVANCED] [UNTESTED] Possible Fix - MSM Errors (Sahara, Param info, etc)

Search This thread

WARNING: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY AND MAY FURTHER DAMAGE YOUR DEVICE. EXERCISE EXTREME CAUTION. USE ONLY AS A LAST RESORT.


This was tested with a Global OnePlus 9 LE2115

Overview


So I was encountering an error with MSM Download Tool that would show "Sahara communication failed" after about 18 seconds. This resulted in me being 100% unable to recover my device with MSM as it was continuously rebooting into EDL mode with no possibility of entering fastboot.

After much research, I stumbled upon a solution completely by accident. I was able to fix the issue by utilizing the following tools:

Qualcomm Sahara Tools - https://github.com/bkerler/edl
Oppo/OnePlus Decryption Tools - https://github.com/bkerler/oppo_decrypt

You need:

- Latest version of Python 3
- C/C++ build tools (gcc, Visual Studio, XCode) to build pip dependencies
- Dependencies installed using pip as specified in README.md of each repo
- Linux or macOS (Windows untested)
- *.ops file from your corresponding MSM Download Tool package

Process


Follow the instructions contained within the README of the above repos to download all files and install dependencies before continuing.


Use opscrypto.py to extract the ops file you obtained earlier.

This results in a directory full of the decrypted contents of the update image (a collection of bin, img, and other files):

Code:
$ ./opscrypto.py decrypt lemonade_xxxx.ops

This creates an extract directory containing the decrypted files

The wl subcommand for edl.py can then be used to write the aforementioned partitions.

The documentation describes the command thusly:

Code:
./edl.py wl dumps --memory=ufs >> to write all files from "dumps" folder to according partitions to flash and try to autodetect lun

I ran the command on the extract directory that was previously decrypted.

Additionally, I had to explicitly specify the OP9 EDL loader as well as specify that the flash memory was UFS and not EMMC:

Code:
$ sudo ./edl.py wl extract --memory=ufs --loader=Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin

This output was produced:

Code:
main - Using loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
main - Waiting for the device
...............
.main - Device detected :)
main - Mode detected: sahara
Device is in EDL mode .. continuing.
sahara -
------------------------
HWID:              <CLIPPED>
CPU detected:      "lahaina"
PK_HASH:           <CLIPPED>
Serial:            <CLIPPED>

sahara - Uploading loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
Successfully uploaded programmer :)
firehose - Chip serial num: <CLIPPED>
firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
firehose_client - Target detected: lahaina
firehose - TargetName=
firehose - MemoryName=UFS
firehose - Version=
firehose_client - Supported functions:
-----------------
program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
firehose -
Reading from physical partition 0, sector 8, sectors 1
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Progress: |██████████████████████████████████████████████████| 100.0% Complete
oneplus - Oneplus protection with prjid 19825 detected
Writing ./param.bin to partition param.
firehose -
Writing to physical partition 0, sector 8, sectors 256
Writing ./persist.img to partition persist.
firehose -
Writing to physical partition 0, sector 2056, sectors 8192
Writing ./misc.bin to partition misc.
firehose -
Writing to physical partition 0, sector 10248, sectors 256
Writing ./frp.bin to partition frp.
firehose -
Writing to physical partition 0, sector 10632, sectors 128
Writing ./carrier.img to partition carrier.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 18440, sectors 12288
Writing ./opluslog.img to partition opluslog.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 34824, sectors 65536
Writing ./metadata.img to partition metadata.
firehose -
Writing to physical partition 0, sector 108616, sectors 4096
Writing ./super.img to partition super.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 145480, sectors 1
Writing ./userdata.img to partition userdata.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 0, sector 2877512, sectors 2105
Writing ./ocdt.bin to partition ocdt.
firehose -
Writing to physical partition 3, sector 576, sectors 32
Writing ./oplusreserve2.img to partition oplusreserve2.
QCSparse - Sparse Format detected. Using unpacked image.
firehose -
Writing to physical partition 4, sector 6, sectors 32768
Writing ./devinfo.bin to partition devinfo.
firehose -
Writing to physical partition 4, sector 722224, sectors 1
Writing ./apdp.mbn to partition apdp.
firehose -
Writing to physical partition 4, sector 722481, sectors 4
Writing ./storsec.mbn to partition storsec.
firehose -
Writing to physical partition 4, sector 817779, sectors 6
Writing ./mdcompress.mbn to partition mdcompress.
firehose -
Writing to physical partition 4, sector 826302, sectors 12
Writing ./spunvm.bin to partition spunvm.
firehose -
Writing to physical partition 4, sector 831486, sectors 87
Writing ./rtice.mbn to partition rtice.
firehose -
Writing to physical partition 4, sector 839678, sectors 65
Writing ./abl_log.bin to partition abl_log.
firehose -
Writing to physical partition 4, sector 839870, sectors 4048
Writing ./android_log.bin to partition android_log.
firehose -
Writing to physical partition 4, sector 847966, sectors 4048
Writing ./qsee_log.bin to partition qsee_log.
firehose -
Writing to physical partition 4, sector 852014, sectors 4048
Writing ./hyp_log.bin to partition hyp_log.
firehose -
Writing to physical partition 4, sector 856062, sectors 4048

Conclusion

After performing the above on a macOS device, the device successfully flashed in MSM on Windows 11.

I rebooted the device prior to attempting to flash after performing the above steps.

Addendum

This isn't a foolproof guide and may not even work for your device or may even damage it further.

The process described above is somewhat advanced and very much undocumented and unsupported/unofficial/hacky.


I cannot vouch for the quality, security or effectiveness of the tools linked above.

I'm putting this out there in hopes it helps others and to gather more information about how MSM Download Tool and EDL mode actually work.

Please let me know if this solves any issues with MSM and I can potentially produce a guide if this method is proven safe.

Firehose appears to be an executable elf file that is ran on the device, which then parses settings.xml and provision_*.xml contained within the ops file.

These files appear to contain the directives that allow MSM to recover bricked devices.

MSM appears to transmit these XML files to the firehose executable after loading it on the device.

These files reference the stock images, partition sizes, names, and extents that firehose then uses to provision the device.

Since firehose is simply an elf file that appears to rely on some preexisting data to be present on the device, some bricks may cause firehose to fail due to corruption of certain partitions.

Producing errors such as:

- Device mismatch
- Param preload error
- Sahara communication failure
- Waiting for device
- Waiting for COM port

The partitions shown in the output log appear to not be touched by MSM prior to sending firehose to the device, suggesting that it assumes they have been untouched.

Therefore, firehose may throw an error or fail to run entirely when attempting to recover some devices, even when using the correct MSM tool and drivers.

Despite being contained in the ops file, MSM doesn't appear to touch these partitions in its default Upgrade Mode.

That functionality may be locked behind more advanced modes such as SMT Download Mode, however, that mode is well known for causing more issues than it solves.

The tools above are open source reverse engineering tools that can do some rudimentary communication with OnePlus devices in EDL mode by utilizing a custom firehose binary (known as the "loader").

These appear to permit operations not possible with MSM's default behavior.

I was only able to get the edl.py tool to work on macOS.

I was unable to get this tool (edl.py) to work in Windows. It threw various libusb related errors despite using zadig as directed.

I observed that writing to any partition that was part of A/B dynamic partitioning would report that it was written successfully but in reality would only write 1 sector of the provided file.

However, a handful of other partitions appear to be writable, ones that typically can't be written to/aren't written with fastbootd or OTA side loading.

My IMEI and Serial Number were fully intact after flashing.
 
Last edited:
Bruh my pro was in that constant reboot state. Buss laugh if this is a Tually a fix for that

Hopefully it is. I'm curious to see if it works for others. I stumbled upon this right as I had given up and submitted a ticket to OnePlus.

At which point they said there's nothing to do and the device needed repaired.

So hopefully this is a reliable fix for devices that are super-bricked, because it saved me from having to send my device in.
 
  • Like
Reactions: avid_droid

Jessp4046

Member
Jul 4, 2017
14
2
35
OnePlus 8
OnePlus 9
Op9 was there all except I could always get to fastboot by pressing all buttons and hold until off and back on fb ,also several times monfrios all in one would read it dump and could reboot to fastboot .lol thanks again mon ,and I do some dumb junk to mine trying to get 5g on att all the time eventually I may need this .thanks in advanced for your efforts and interest .
 
Op9 was there all except I could always get to fastboot by pressing all buttons and hold until off and back on fb ,also several times monfrios all in one would read it dump and could reboot to fastboot .lol thanks again mon ,and I do some dumb junk to mine trying to get 5g on att all the time eventually I may need this .thanks in advanced for your efforts and interest .
This may be a solution to a problem that isn't all that widespread.

I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.

I've used MSM many times while experimenting but this time I really messed up and was out of options.

Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
 
This may be a solution to a problem that isn't all that widespread.

I found myself in this situation after flashing an Android 12 GSI to my device which involved mucking around with stuff I probably shouldn't have touched.

I've used MSM many times while experimenting but this time I really messed up and was out of options.

Amazingly, I stumbled across the tools above and was able to bumble my way to a solution. This took me about 4 days to resolve as the device refused to enter fastboot.
This is exactly what cause mine to loop. I tried flashing a 12 GSI lol
 

flameteam

Senior Member
Nov 8, 2012
144
22
S.O.S
I m waiting here
op9.png
 
Looks like you're trying to do a full dump of LUN 0 into a single bin file. LUN 0 contains a large chunk of data as it houses the super partition and the userdata partition.

I would recommend using the r subcommand to dump individual partitions or just use rl which will dump your whole device while neatly separating each partition into individual files.

To see exactly what each LUN is comprised of, you can use the printgpt command:

Code:
./edl.py printgpt --memory=ufs

Given that you're running in a VM, your I/O speeds are likely much lower.

I recommend at least booting into a Linux Live USB to do this.

If security is a concern, at a minimum I would recommend vfio passthrough via QEMU to pass your entire USB controller through from a Linux host.

IMO, virtualizing the USB connection will kill your throughput and put you at risk of data corruption.
 
Last edited:
Feb 27, 2015
25
4
I have tried everything to get my Global one plus 9 back up and running again … monster what I do with drivers I get this error on msm tool . As you can see my phone is detected in tool but can put go past this point . I do not have access to download or fast or mode . Last steps I took was through this thread ——https://forum.xda-developers.com/t/fastboot-rom-pc-required-op9-stock-oos-11-2-2-2aa.4275727/—— and reached 1/2 way point (waiting on device) and now I can’t get oos back on phone .. does anyone have any tips or knowledge they can guide me to get my phone working with msm tool ? Much appreciated
0231FA25-D873-446E-892F-0457A12F2834.jpeg
 
Feb 27, 2015
25
4
Thanks shooter7889 , got past the SMT error by setting date back 2 years on laptop and turning Wi-Fi off. Now i am getting the Sahara error after 18 sec and if I toggle use lite firehouse i get the PARAM error after 8 sec. I have tried to follow steps on the READ ME section (advanced GitHub page )but i dont have any experience with the process as shown. Is it possible to get a easy step guide that can be put together to get past the Sahara error? for us less advanced members? Anything helps at this point. phone is a brick , only thing i can get into is EDL mode .
 

flameteam

Senior Member
Nov 8, 2012
144
22
S.O.S
Thanks shooter7889 , got past the SMT error by setting date back 2 years on laptop and turning Wi-Fi off. Now i am getting the Sahara error after 18 sec and if I toggle use lite firehouse i get the PARAM error after 8 sec. I have tried to follow steps on the READ ME section (advanced GitHub page )but i dont have any experience with the process as shown. Is it possible to get a easy step guide that can be put together to get past the Sahara error? for us less advanced members? Anything helps at this point. phone is a brick , only thing i can get into is EDL mode .
Mate what's your device model ? If you device model LE2113 flash https://androidfilehost.com/?fid=2188818919693804750 9pro eu msm rom. and after ınstallation flash op9 https://drive.google.com/drive/folders/1R_j8sML_46YrTp1HGfpS6zrAUeFl8uJU?usp=sharing
 

audalics

Member
Jun 24, 2021
31
31
Nexus 6
Samsung Galaxy S10 5G
This is a great resource to have, nice work. I'll give it a go if I ever hit that state again. I've only had success using the pro msm tools up to this point for some reason with lite firehose when I get the Sahara or param info device not match error. Once I've lite msmed with the pro tool, I can normal msm with the nonpro tool, just like flame team mentioned
 

Top Liked Posts

  • There are no posts matching your filters.
  • 6

    WARNING: THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY AND MAY FURTHER DAMAGE YOUR DEVICE. EXERCISE EXTREME CAUTION. USE ONLY AS A LAST RESORT.


    This was tested with a Global OnePlus 9 LE2115

    Overview


    So I was encountering an error with MSM Download Tool that would show "Sahara communication failed" after about 18 seconds. This resulted in me being 100% unable to recover my device with MSM as it was continuously rebooting into EDL mode with no possibility of entering fastboot.

    After much research, I stumbled upon a solution completely by accident. I was able to fix the issue by utilizing the following tools:

    Qualcomm Sahara Tools - https://github.com/bkerler/edl
    Oppo/OnePlus Decryption Tools - https://github.com/bkerler/oppo_decrypt

    You need:

    - Latest version of Python 3
    - C/C++ build tools (gcc, Visual Studio, XCode) to build pip dependencies
    - Dependencies installed using pip as specified in README.md of each repo
    - Linux or macOS (Windows untested)
    - *.ops file from your corresponding MSM Download Tool package

    Process


    Follow the instructions contained within the README of the above repos to download all files and install dependencies before continuing.


    Use opscrypto.py to extract the ops file you obtained earlier.

    This results in a directory full of the decrypted contents of the update image (a collection of bin, img, and other files):

    Code:
    $ ./opscrypto.py decrypt lemonade_xxxx.ops

    This creates an extract directory containing the decrypted files

    The wl subcommand for edl.py can then be used to write the aforementioned partitions.

    The documentation describes the command thusly:

    Code:
    ./edl.py wl dumps --memory=ufs >> to write all files from "dumps" folder to according partitions to flash and try to autodetect lun

    I ran the command on the extract directory that was previously decrypted.

    Additionally, I had to explicitly specify the OP9 EDL loader as well as specify that the flash memory was UFS and not EMMC:

    Code:
    $ sudo ./edl.py wl extract --memory=ufs --loader=Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin

    This output was produced:

    Code:
    main - Using loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
    main - Waiting for the device
    ...............
    .main - Device detected :)
    main - Mode detected: sahara
    Device is in EDL mode .. continuing.
    sahara -
    ------------------------
    HWID:              <CLIPPED>
    CPU detected:      "lahaina"
    PK_HASH:           <CLIPPED>
    Serial:            <CLIPPED>
    
    sahara - Uploading loader Loaders/oneplus/0000000000514d67_a26bc25799770106_fhprg_op9.bin ...
    Successfully uploaded programmer :)
    firehose - Chip serial num: <CLIPPED>
    firehose - Supported Functions: program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
    firehose -
    firehose_client - Target detected: lahaina
    firehose - TargetName=
    firehose - MemoryName=UFS
    firehose - Version=
    firehose_client - Supported functions:
    -----------------
    program,read,nop,patch,configure,setbootablestoragedrive,erase,power,firmwarewrite,getstorageinfo,benchmark,emmc,ufs,fixgpt,getsha256digest
    firehose -
    Reading from physical partition 0, sector 8, sectors 1
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    Progress: |██████████████████████████████████████████████████| 100.0% Complete
    oneplus - Oneplus protection with prjid 19825 detected
    Writing ./param.bin to partition param.
    firehose -
    Writing to physical partition 0, sector 8, sectors 256
    Writing ./persist.img to partition persist.
    firehose -
    Writing to physical partition 0, sector 2056, sectors 8192
    Writing ./misc.bin to partition misc.
    firehose -
    Writing to physical partition 0, sector 10248, sectors 256
    Writing ./frp.bin to partition frp.
    firehose -
    Writing to physical partition 0, sector 10632, sectors 128
    Writing ./carrier.img to partition carrier.
    QCSparse - Sparse Format detected. Using unpacked image.
    firehose -
    Writing to physical partition 0, sector 18440, sectors 12288
    Writing ./opluslog.img to partition opluslog.
    QCSparse - Sparse Format detected. Using unpacked image.
    firehose -
    Writing to physical partition 0, sector 34824, sectors 65536
    Writing ./metadata.img to partition metadata.
    firehose -
    Writing to physical partition 0, sector 108616, sectors 4096
    Writing ./super.img to partition super.
    QCSparse - Sparse Format detected. Using unpacked image.
    firehose -
    Writing to physical partition 0, sector 145480, sectors 1
    Writing ./userdata.img to partition userdata.
    QCSparse - Sparse Format detected. Using unpacked image.
    firehose -
    Writing to physical partition 0, sector 2877512, sectors 2105
    Writing ./ocdt.bin to partition ocdt.
    firehose -
    Writing to physical partition 3, sector 576, sectors 32
    Writing ./oplusreserve2.img to partition oplusreserve2.
    QCSparse - Sparse Format detected. Using unpacked image.
    firehose -
    Writing to physical partition 4, sector 6, sectors 32768
    Writing ./devinfo.bin to partition devinfo.
    firehose -
    Writing to physical partition 4, sector 722224, sectors 1
    Writing ./apdp.mbn to partition apdp.
    firehose -
    Writing to physical partition 4, sector 722481, sectors 4
    Writing ./storsec.mbn to partition storsec.
    firehose -
    Writing to physical partition 4, sector 817779, sectors 6
    Writing ./mdcompress.mbn to partition mdcompress.
    firehose -
    Writing to physical partition 4, sector 826302, sectors 12
    Writing ./spunvm.bin to partition spunvm.
    firehose -
    Writing to physical partition 4, sector 831486, sectors 87
    Writing ./rtice.mbn to partition rtice.
    firehose -
    Writing to physical partition 4, sector 839678, sectors 65
    Writing ./abl_log.bin to partition abl_log.
    firehose -
    Writing to physical partition 4, sector 839870, sectors 4048
    Writing ./android_log.bin to partition android_log.
    firehose -
    Writing to physical partition 4, sector 847966, sectors 4048
    Writing ./qsee_log.bin to partition qsee_log.
    firehose -
    Writing to physical partition 4, sector 852014, sectors 4048
    Writing ./hyp_log.bin to partition hyp_log.
    firehose -
    Writing to physical partition 4, sector 856062, sectors 4048

    Conclusion

    After performing the above on a macOS device, the device successfully flashed in MSM on Windows 11.

    I rebooted the device prior to attempting to flash after performing the above steps.

    Addendum

    This isn't a foolproof guide and may not even work for your device or may even damage it further.

    The process described above is somewhat advanced and very much undocumented and unsupported/unofficial/hacky.


    I cannot vouch for the quality, security or effectiveness of the tools linked above.

    I'm putting this out there in hopes it helps others and to gather more information about how MSM Download Tool and EDL mode actually work.

    Please let me know if this solves any issues with MSM and I can potentially produce a guide if this method is proven safe.

    Firehose appears to be an executable elf file that is ran on the device, which then parses settings.xml and provision_*.xml contained within the ops file.

    These files appear to contain the directives that allow MSM to recover bricked devices.

    MSM appears to transmit these XML files to the firehose executable after loading it on the device.

    These files reference the stock images, partition sizes, names, and extents that firehose then uses to provision the device.

    Since firehose is simply an elf file that appears to rely on some preexisting data to be present on the device, some bricks may cause firehose to fail due to corruption of certain partitions.

    Producing errors such as:

    - Device mismatch
    - Param preload error
    - Sahara communication failure
    - Waiting for device
    - Waiting for COM port

    The partitions shown in the output log appear to not be touched by MSM prior to sending firehose to the device, suggesting that it assumes they have been untouched.

    Therefore, firehose may throw an error or fail to run entirely when attempting to recover some devices, even when using the correct MSM tool and drivers.

    Despite being contained in the ops file, MSM doesn't appear to touch these partitions in its default Upgrade Mode.

    That functionality may be locked behind more advanced modes such as SMT Download Mode, however, that mode is well known for causing more issues than it solves.

    The tools above are open source reverse engineering tools that can do some rudimentary communication with OnePlus devices in EDL mode by utilizing a custom firehose binary (known as the "loader").

    These appear to permit operations not possible with MSM's default behavior.

    I was only able to get the edl.py tool to work on macOS.

    I was unable to get this tool (edl.py) to work in Windows. It threw various libusb related errors despite using zadig as directed.

    I observed that writing to any partition that was part of A/B dynamic partitioning would report that it was written successfully but in reality would only write 1 sector of the provided file.

    However, a handful of other partitions appear to be writable, ones that typically can't be written to/aren't written with fastbootd or OTA side loading.

    My IMEI and Serial Number were fully intact after flashing.
    1
    Bruh my pro was in that constant reboot state. Buss laugh if this is a Tually a fix for that

    Hopefully it is. I'm curious to see if it works for others. I stumbled upon this right as I had given up and submitted a ticket to OnePlus.

    At which point they said there's nothing to do and the device needed repaired.

    So hopefully this is a reliable fix for devices that are super-bricked, because it saved me from having to send my device in.
    1
    This is exactly what cause mine to loop. I tried flashing a 12 GSI lol

    I was actually able to get the GSI to boot, albeit with no cellular, fingerprint, etc. OP9 claims to be treble-compliant in the props but methinks that's a total lie.