[BOUNTY] MSM with T-Mobile firmware for 5G McLaren (hotdogg)

Search This thread

LLStarks

Senior Member
Jun 1, 2012
1,936
1,149
This is a long-shot but essential if we're going to mess around with this phone with any degree of confidence or YOLO. Without this, there is no experimenting with global non-5G 7T Pro roms and partitions. The MSM for the OP7 Pro 5G for EE and Sprint never leaked, but that was a low-key phone. Let's do better with the T-Mobile McLaren.

Your mission is simple: Obtain the MSMDownloadTool and ops file (usually packaged together in a password-protected rar). You need that package and the password. These are device specific. Don't really care how the files are ultimately delivered as long as there's no encryption. Any info about the file or URL (e.g. https://s3.amazonaws.com/oneplussupport/...) is welcome.

I hate bounties or the thought of enforcing one, but expect donations if you succeed and avail yourself. Anonymity is also acceptable.

If you happen to find something we don't expect like global firmware for this phone, there's a separate bounty thread for that. I doubt it exists.

Relevant codenames and identifiers for our device:
HD1925
hotdogg
oneplus7tpronroxygen
HD61CB
 
Last edited:
  • Like
Reactions: jhofseth

jhofseth

Senior Member
Feb 27, 2016
474
282
Seattle, Washington
I think @ddggttff3 asked them for this and they wouldn't send it to him for some reason. Maybe they misunderstood what he was asking for? A stock MSM image is just stock, so it doesn't make sense to not release it on XDA. It seems wasteful for a company to have to do extra remote recovery sessions when simply releasing a stock MSM image on XDA could save a company extra time and money. :)
 

jhofseth

Senior Member
Feb 27, 2016
474
282
Seattle, Washington
I also asked OnePlus https://www.oneplus.com/support/contact for a MSM image for the OnePlus 7T Pro 5G McLaren, since it's critical for safe development. In my case, they did not say no, they just gave me a boilerplate response of, "About your concern we would like to inform you that we will take this as feedback and pass it along to our developer team so that this update can be rectified in the upcoming updates in the near future." They emailed me again asking for a further response and I haven't replied yet, because that second email was more obviously automated and did not have a name like the first one did. I think they could possibly let a tech post it to XDA, etc., if convinced by someone with experience like a XDA Recognized Developer. :)
 

tserv95

Senior Member
Mar 1, 2015
125
52
I also asked OnePlus https://www.oneplus.com/support/contact for a MSM image for the OnePlus 7T Pro 5G McLaren, since it's critical for safe development. In my case, they did not say no, they just gave me a boilerplate response of, "About your concern we would like to inform you that we will take this as feedback and pass it along to our developer team so that this update can be rectified in the upcoming updates in the near future." They emailed me again asking for a further response and I haven't replied yet, because that second email was more obviously automated and did not have a name like the first one did. I think they could possibly let a tech post it to XDA, etc., if convinced by someone with experience like a XDA Recognized Developer. :)

I just got off a chat with an agent and they tell me I'll get a remote session with their technical team in 24-48 hours I'm gonna do my best to get the image/ password for you guys
 

ntzrmtthihu777

Senior Member
May 17, 2015
126
74
Barring actually getting the MSM I may have a method of recovery using fastboot and friends. However, I need the help of
a hotdogg owner with stock firmware & unlocked bootloader. The method is non-destructive (aside from the unlocking nuking
your data); just requires you to use fastboot to boot a twrp image and use adb to pull a partition (its 15gb, so to make it faster
you may want to use a real usb-c 3.0 cable; I don't think the orange one that comes with it is) and unpack it with a tool
called 'lpunpack' (unfortunately I don't know how to build it outside of an aosp/lineageos/grapheneos tree yet).
 
Last edited:

tserv95

Senior Member
Mar 1, 2015
125
52
bad news, after waiting for days for a response from Oneplus, I decided to phone them. They state that after speaking to the remote support team, they cannot even help us. As they apparently don't have the images for the T-Mobile firmware either/ firmware for the Mclaren edition. This is a big bummer as until they (if they for that matter) release the firmware on support site we have no way of really recovering a bricked device and any firmware flashing is gonna be very dangerous to attempt. So yeah.. really regretting buying a T-Mobile variant Oneplus phone atm.
 
  • Like
Reactions: jhofseth

jhofseth

Senior Member
Feb 27, 2016
474
282
Seattle, Washington
bad news, after waiting for days for a response from Oneplus, I decided to phone them. They state that after speaking to the remote support team, they cannot even help us. As they apparently don't have the images for the T-Mobile firmware either/ firmware for the Mclaren edition. This is a big bummer as until they (if they for that matter) release the firmware on support site we have no way of really recovering a bricked device and any firmware flashing is gonna be very dangerous to attempt. So yeah.. really regretting buying a T-Mobile variant Oneplus phone atm.

So, does T-Mobile flash the final firmware after OnePlus ships it to the US or something? If the firmware isn't finally flashed until it gets to the US, then that might make sense; but, if not, someone there could either be mistaken or less than truthful.

---------- Post added at 11:24 AM ---------- Previous post was at 10:54 AM ----------

Maybe this will be a good avenue for us? https://twitter.com/tmobilehelp
 

ntzrmtthihu777

Senior Member
May 17, 2015
126
74
bad news, after waiting for days for a response from Oneplus, I decided to phone them. They state that after speaking to the remote support team, they cannot even help us. As they apparently don't have the images for the T-Mobile firmware either/ firmware for the Mclaren edition. This is a big bummer as until they (if they for that matter) release the firmware on support site we have no way of really recovering a bricked device and any firmware flashing is gonna be very dangerous to attempt. So yeah.. really regretting buying a T-Mobile variant Oneplus phone atm.

Do you currently have one in an unflashed (to anything other than stock), unlocked state? If so I can probably guide you through how we can get a sort of
flashable stock image (flashed over fastboot). Hit me up if you are in that situation (sim unlocked, bootloader unlocked, and otherwise stock firmware).

---------- Post added at 11:50 AM ---------- Previous post was at 11:27 AM ----------

So, does T-Mobile flash the final firmware after OnePlus ships it to the US or something? If the firmware isn't finally flashed until it gets to the US, then that might make sense; but, if not, someone there could either be mistaken or less than truthful.

---------- Post added at 11:24 AM ---------- Previous post was at 10:54 AM ----------

Maybe this will be a good avenue for us? https://twitter.com/tmobilehelp

Quite possible. I don't recall offhand but I believe mine came to me with version 10.0.14, and after 'recovering' from
flashing an experimental lineageos build on mine I ended up on version 10.0.13, which may be sort of the last common
ancestor for all the variants, and its now unable to OTA (it wants to go to 10.0.16, but as an incremental update it
can only jump versions 'in the correct order').
 

a63548

Senior Member
Apr 6, 2009
395
360
Google Pixel 6 Pro
Barring actually getting the MSM I may have a method of recovery using fastboot and friends. However, I need the help of
a hotdogg owner with stock firmware & unlocked bootloader. The method is non-destructive (aside from the unlocking nuking
your data); just requires you to use fastboot to boot a twrp image and use adb to pull a partition (its 15gb, so to make it faster
you may want to use a real usb-c 3.0 cable; I don't think the orange one that comes with it is) and unpack it with a tool
called 'lpunpack' (unfortunately I don't know how to build it outside of an aosp/lineageos/grapheneos tree yet).

Getting my device tomorrow, but will obviously have to get it sim unlocked first, then wait the week for the OnePlus token to unlock the bootloader. But once I am at that point, I would happily do this if it could possibly lead to an alternate fastboot recovery method if no one is able to get the MSM tool. Obviously if anyone else can do this before I am able to, please do :)
 

jhofseth

Senior Member
Feb 27, 2016
474
282
Seattle, Washington
Do you currently have one in an unflashed (to anything other than stock), unlocked state? If so I can probably guide you through how we can get a sort of
flashable stock image (flashed over fastboot). Hit me up if you are in that situation (sim unlocked, bootloader unlocked, and otherwise stock firmware).

I was wondering what particular device was mounted root, so I did: cat /proc/mounts
Apparently, / is /dev/block/dm-8
 

Attachments

  • Untitled.png
    Untitled.png
    147.1 KB · Views: 256
Last edited:

jhofseth

Senior Member
Feb 27, 2016
474
282
Seattle, Washington
This is why TWRP is taking so long for Android 10: https://twrp.me/site/update/2019/10/23/twrp-and-android-10.html

"Android 10 also introduces a new dynamic partitioning system. Instead of having a dedicated system partition and a dedicated vendor partition, etc. Android 10 uses a super partition. I like to think of the super partition as a partition that contains a bunch of smaller partitions. One of the side effects of this dynamic partition system is that Google has chosen to use a form of the ext4 file system that is for all intents and purposes, read-only. This choice means that even if you wanted to, you can't easily mount and modify the system partition. We haven't really discussed this with other developers yet, but it may impact your ability to do things like install Gapps. In addition, the dynamic partition model means that eventually, we should probably provide you, the user, some GUI driven tools in TWRP to allow you to manage the dynamic partitions that are on the super partition." @Dees_Troy
 
Last edited:

ntzrmtthihu777

Senior Member
May 17, 2015
126
74
I was wondering what particular device was mounted root, so I did: cat /proc/mounts
Apparently, / is /dev/block/dm-8
Yeah, but / is not terribly important compared to /system, /vendor, and /product (it is important tho)
Yeah, but twrp is not incredibly essential to the backup/restore process I've theorized about (still not sure about how it would work
in practice), just needed to get something to boot with root available without actually changing the stock firmware (by installing
magisk and such) in order to be able to pull the stock data.

---------- Post added at 12:38 PM ---------- Previous post was at 12:35 PM ----------

"Android 10 also introduces a new dynamic partitioning system. Instead of having a dedicated system partition and a dedicated vendor partition, etc. Android 10 uses a super partition. I like to think of the super partition as a partition that contains a bunch of smaller partitions. One of the side effects of this dynamic partition system is that Google has chosen to use a form of the ext4 file system that is for all intents and purposes, read-only. This choice means that even if you wanted to, you can't easily mount and modify the system partition. We haven't really discussed this with other developers yet, but it may impact your ability to do things like install Gapps. In addition, the dynamic partition model means that eventually, we should probably provide you, the user, some GUI driven tools in TWRP to allow you to manage the dynamic partitions that are on the super partition." @Dees_Troy
Yeah. This super partition is what I'm interested in. Once you copy it from the device (using adb pull /dev/block/.../super super.img)
you can extract it into its subpartitions using lpunpack. I believe one would be able to flash its subpartitions using fastboot in order
to recover from either a bad flash or a bad restore (like I and another user have, which left us on 10.0.13).
 

ntzrmtthihu777

Senior Member
May 17, 2015
126
74
/dev/block/bootdevice/by-name/super
I made an image of super and file info reads 14.0 GiB (15,032,385,536).
That super.img compresses down to about 4.6 GiB in a regular zip file.


https://source.android.com/devices/tech/ota/dynamic_partitions/implement

Nice, nice. Yeah. that's to be expected. I think with that file I and dandroid would be able to restore our phones, assuming
that's stock firmware. Potentially others. Do you have a reliable means to share the file, if you're willing to? Per the link you
posted it contains no userdata so it should be safe to share.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    I think I found how to activate Dual SIM on TMO firmware (and 5G Radio on Global Firmware)

    Will create a new thread soon...
    4
    Is it possible for someone to pull all these partitions?
    aop.img
    bluetooth.img
    boot.img
    dsp.img
    dtbo.img
    LOGO.img
    modem.img
    oem_stanvbk.img
    qupfw.img
    storsec.img
    multiimgoem.img
    uefisecapp.img
    recovery.img
    vbmeta.img
    vbmeta_system.img
    opproduct.img
    system.img
    vendor.img
    product.img

    The super.img method isn't working for me:(
    https://drive.google.com/open?id=1J5_igi3ekdHM-nXT72wKyfHK9pxfI0gc
    SHA1 of flash.zip: 1573fb5d6daf63005f54673469b27603c8676131

    Android security patch level
    November 1, 2019
    Manual below, also included flash-all.bat and flash-all.sh , etc., in the zipped flash folder; I haven't tested the two scripts yet, so please let me know if they need edits. If anyone was going to use Google's files, I would recommend copying extracted content to the same folder as the images (or cut/pasting extracted images vice-versa).
    (note: fastboot -w wipes userdata; this avoids errors, but please have a backup of important files first)
    Starting in bootloader is OK for all partitions except super; it has to reboot into userspace to flash the super partition without forcing, because of dynamic partitioning. Thats why the command fastboot reboot fastboot.
    fastboot -w
    fastboot flash aop_a aop_a.img
    fastboot flash aop_b aop_b.img
    fastboot flash bluetooth_a bluetooth_a.img
    fastboot flash bluetooth_b bluetooth_b.img
    fastboot flash boot_a boot_a.img
    fastboot flash boot_b boot_b.img
    fastboot flash dsp_a dsp_a.img
    fastboot flash dsp_b dsp_b.img
    fastboot flash dtbo_a dtbo_a.img
    fastboot flash dtbo_b dtbo_b.img
    fastboot flash LOGO_a LOGO_a.img
    fastboot flash LOGO_b LOGO_b.img
    fastboot flash modem_a modem_a.img
    fastboot flash modem_b modem_b.img
    fastboot flash oem_stanvbk oem_stanvbk.img
    fastboot flash qupfw_a qupfw_a.img
    fastboot flash qupfw_b qupfw_b.img
    fastboot flash storsec_a storsec_a.img
    fastboot flash storsec_b storsec_b.img
    fastboot flash multiimgoem_a multiimgoem_a.img
    fastboot flash multiimgoem_b multiimgoem_b.img
    fastboot flash uefisecapp_a uefisecapp_a.img
    fastboot flash uefisecapp_b uefisecapp_b.img
    fastboot flash recovery_a recovery_a.img
    fastboot flash recovery_b recovery_b.img
    fastboot --disable-verity flash vbmeta_a vbmeta_a.img
    fastboot --disable-verity flash vbmeta_b vbmeta_b.img
    fastboot --disable-verity flash vbmeta_system_a vbmeta_system_a.img
    fastboot --disable-verity flash vbmeta_system_b vbmeta_system_b.img
    fastboot reboot fastboot
    fastboot --set-active=b
    fastboot flash super super.img


    (If your logo_a.img and logo_b.img are not LOGO_A.img and LOGO_B.img (i.e., if the images are lower-case), then use fastboot flash LOGO_A logo_a.img and fastboot flash LOGO_b logo_b.img; this has been corrected, and only matters if downloaded before corrected.)
    3
    I also asked OnePlus https://www.oneplus.com/support/contact for a MSM image for the OnePlus 7T Pro 5G McLaren, since it's critical for safe development. In my case, they did not say no, they just gave me a boilerplate response of, "About your concern we would like to inform you that we will take this as feedback and pass it along to our developer team so that this update can be rectified in the upcoming updates in the near future." They emailed me again asking for a further response and I haven't replied yet, because that second email was more obviously automated and did not have a name like the first one did. I think they could possibly let a tech post it to XDA, etc., if convinced by someone with experience like a XDA Recognized Developer. :)

    I just got off a chat with an agent and they tell me I'll get a remote session with their technical team in 24-48 hours I'm gonna do my best to get the image/ password for you guys
    3
    I would like to create a hybrid super.img with Global 7T Pro img & 5G 7T Pro img. (maybe keeping modem/vendor/kernel from 5G) It should be possible.

    I can't compile lpunpack. (Ubuntu 18.10) Still can't extract super.img for individual images... and what about repack? (in order to create hybrid super.img)

    Has anyone been able to get that super.img extracted?:confused:

    I get this error every time!
    [email protected]:~/Firmware_extractor$ ./extractor.sh firmware.zip
    Create Temp and out dir
    Extracting firmware on: /home/eosdev/Firmware_extractor/out
    ./extractor.sh: line 168: gawk: command not found
    ./extractor.sh: line 207: gawk: command not found

    As much as I love(d) arch (currently a gentooist) thats the exact type of distro
    that binaries floating around the web are not going to work for forever. You
    can build your own lpunpack, which will definitely work on your system, but
    I don't know how to do that outside of using the lineageos/etc build tree
    yet, however.

    In my case, I just want a clean hybrid img in order to activate the dual sim function. That's all I want, the TMO firmware is perfectly fine... (and replace boot/shutdown animations with original McLaren bootanimations) This super.img pull procedure and the ability to push/restore it back is a huge step forward for our McLaren 5G. At least there is a bit of light the end of the tunnel. (even without the damn MSM Tool)

    @ntzrmtthihu777 Can you post the super.img extracted... at least that way we can flash images individually. (and test replacing/swapping images)

    Also... you do have a 7T Pro too? lol... You have the full kit required... lol (we also need the 7T Pro images... lol)

    Just renamed the super.zip to firmware.zip. Installed gawk and still nothing, no error but empty output folder:(

    Don't rename to .zip. Keep the .img file (super.img) and run:

    Code:
    [email protected]:~/Desktop/oneplus/Firmware_extractor-master/tools/Linux/bin$ ./lpunpack super.img

    inside the bin directory "bin" (that's where lpunpack is located)

    see screenshot...

    and of course make sure you installed all the packages:


    Code:
    sudo -i

    Code:
    apt install unace unrar zip unzip p7zip-full p7zip-rar sharutils rar uudeview mpack arj cabextract file-roller

    Code:
    apt install liblzma-dev python-pip brotli lz4

    Code:
    pip install backports.lzma protobuf pycrypto

    Code:
    apt install gawk
    2
    Barring actually getting the MSM I may have a method of recovery using fastboot and friends. However, I need the help of
    a hotdogg owner with stock firmware & unlocked bootloader. The method is non-destructive (aside from the unlocking nuking
    your data); just requires you to use fastboot to boot a twrp image and use adb to pull a partition (its 15gb, so to make it faster
    you may want to use a real usb-c 3.0 cable; I don't think the orange one that comes with it is) and unpack it with a tool
    called 'lpunpack' (unfortunately I don't know how to build it outside of an aosp/lineageos/grapheneos tree yet).