(Dev) Motorola unbrick tool

[WoKoschekk]

@Renate @mark332 I've researched this topic a little more: As we all know the EDL mode is implemented by the PBL (primary bootloader, part of SoC ROM Code). The PBL verifies the digitally-signed SBL/XBL and loads it into internal memory. If verification fails it boots into EDL mode and we need the correct programmer.elf for communication.
But it's very interesting that the mentioned verification process of the SBL/XBL is used to authenticate the programmer.elf, too. Both have the same signature. Going further you will see that even the whole structure of the programmer.elf (up to a certain point) is almost the same as the SBL/XBL. So, it seems that the programmer.elf is a shortened and modified binary derived from the SBL/XBL.

@mark332 For the Moto G6 Plus / XT1926 (evert) your tool loads the programmer.elf within >21.bin< which also can be found in the blankflash.zip for Pie builds on mirrors.lolinet.com. I know from my own experience that the programmer.elf isn't able to communicate with the device. I don't know why it was published and who provided that file. But it's the only file signed with test keys instead of OEM keys. When I was using your tool I replaced the programmer.elf with a working one of https://github.com/bkerler/edl.
During my research the last hours I found out that this programmer.elf from github.com (MD5 matches) is also used in the blankflash.zip for Oreo builds (see link above). I attached it in case you would like to fix the bug.

• Snapdragon: SDM662
• Codename: BENGAL
• MSM number: ?

Qualcomm changed the designation of their boards (for only some SoCs or all upcoming ones...?) and either called them SDM??? or MSM????.

 

[Renate]

But it's very interesting that the mentioned verification process of the SBL/XBL is used to authenticate the programmer.elf, too.

Well, yeah. All ELF files in partitions are hashed and signed.
Firehose loaders are special xbls. There's a lot of housekeeping to get things going. You need to have your device charge in EDL mode too. So Firehose loaders are just xbl with something extra.
On my device you can check all these:

 1  xbl         elf64
 2  xblbak      elf64
 3  tz          elf64
 4  rpm         elf32
 5  hyp         elf64
 6  pmic        elf64
13  keymaster   elf64
14  cmnlib      elf32
15  cmnlib64    elf64
16  mdtpsecapp  elf32
20  abl         elf32
40  devcfg      elf64
44  storsec     elf32

C:\>qcomview /f xbl
f8ab2052 6358c4fa 4cef96d7 8c45180d c3db75e8 f24051ad 624448c1 34b4e861

C:\>qcomview /f abl
f8ab2052 6358c4fa 4cef96d7 8c45180d c3db75e8 f24051ad 624448c1 34b4e861

C:\>qcomview /f hyp
f8ab2052 6358c4fa 4cef96d7 8c45180d c3db75e8 f24051ad 624448c1 34b4e861

C:\>qcomview /f devcfg
f8ab2052 6358c4fa 4cef96d7 8c45180d c3db75e8 f24051ad 624448c1 34b4e861

C:\>qcomview /f cmnlib64
f8ab2052 6358c4fa 4cef96d7 8c45180d c3db75e8 f24051ad 624448c1 34b4e861

Qualcomm changed the designation of their boards (for only some SoCs or all upcoming ones...?) and either called them SDM??? or MSM????

Yes, but there are some known by both. MSM numbers seem specific, SDM seems more like series.

 

[WoKoschekk]

Yes, but there are some known by both. MSM numbers seem specific, SDM seems more like series.

No, either MSM or SDM. https://en.wikipedia.org/wiki/List_of_Qualcomm_Snapdragon_systems_on_chips

Well, yeah. All ELF files in partitions are hashed and signed.
Firehose loaders are special xbls.

of course they are all signed, I didn't say they weren't either. but due to the fact that programmer.elf files are a special kind of XBL, things are different: not only the supported boards/SoCs are crucial to find the right programmer.elf. It's mandatory to have the corresponding bootloader version installed.

 

[Renate]

No, either MSM or SDM. https://en.wikipedia.org/wiki/List_of_Qualcomm_Snapdragon_systems_on_chips

You can see even by that that Snapdragon numbers cover multiple MSM, later the SDM numbers are unique.
MSM8952 and SDM617

It's mandatory to have the corresponding bootloader version installed.

Well, yeah. There are cases of people blowing stuff up because they loaded the wrong xbl.
The PBL has no idea what is connected to the SoC.
So the xbl has to do most of the work setting clocks, pinctl, pin muxes, regulators, DDR timing, all that stuff.
Since the Firehose loader replaces the xbl it has to do all that stuff too.

 

[mark332]

@Renate @mark332 I have done a little more research on this topic: As we all know EDL mode is implemented by PBL (primary bootloader, part of Is implemented SoC ROM code). PBL verifies the digitally signed SBL/XBL and loads it into the internal memory. If verification fails it boots into EDL mode and we need the correct programmer for communication.
But it is very interesting that the mentioned verification process of SBL/XBL is used to certify programmers as well. Both have the same signature. Going further you will see that the whole structure of Programmer.elf (up to a certain point) is also almost the same as SBL/XBL. So, it looks like programmer.elf is a truncated and modified binary derived from SBL/XBL.

@mark332 Your tool for Moto G6 Plus / XT1926 (Avert) loads programmer.elf in >21.bin< which is also found in blankflash.zip for Pi builds on mirrors May go. www.lolinet.com . I know from my experience that programmer.elf is not able to communicate with the device. I don't know why it was published and who provided that file. But this is the only file signed with test keys instead of OEM keys. I replaced programmer.elf with the one from https://github.com/bkerler/edl when I was using your tool.
During my research in the last hours I found out that this programmer.elf from github.com (MD5 matches) is also used in blankflash.zip for Oreo builds (see link above). I've attached it if you want to fix the bug.


Qualcomm changed the designation of their boards (only for some SoCs or all upcoming ones...?) and either called them SDM??? or msm????

yes yes, a modified version of xbl is firehose,

 

[jody2k]

Hello is there any chance to support the motorola moto X40 EDL mode? I screwed up and now I can't get into developer options anymore to "OEM unlock". Can't flash to other firmware currently without a unlocked bootloader, firmware is broken and doesn't boot up. The lenovo rescue and smart assistant can't unbrick my phone either

 

[Sam_11]

Hi,
is there a chance to add a Moto Z3 (Verizon) XT1929-17 to the supported devices?

 

[DivineSEnse]

Mark, this is Great! IF I only could figure out how to get my g31 into brom mode... i guess test points but which ones? Does battery/no battery connected affect it?

 

[xdafan2015]

@mark332 First of all thank you for developing this tool.

I am here with a Motorola Moto G41 that I was very happy with until Motorola rolled out their Android 12 update which broke some things.
Like the VPN menu and functionality disappearing and incoming SMS messages not getting delivered to me.

So I decided to downgrade to Android 11. Now that caused my phone to bootloop 2-3 times (Motorola logo to black screen to reboot) and then it hardbricked.
Tried the recommended procedure of holding down Volume + and - when plugging into the computer. I did that but nothing gets detected. Your tool sits there
waiting for a signal from the phone to do its thing but it is completely DEAD. Black screen, no reaction anywhere to buttonpresses .... nothing.

Have had the phone for about a week and all I wanted was to downgrade to Android 11 to restore functionality...

Is there ANY way for me to get this phone to turn on enough to go to Fastboot mode?

If "Testpoints" is the only route to go (as the guy with the G31 mentions) how can I get to them in that case?
And which ones to short in that case?

Any help is much appreciated!

//XDAFan

 

[pedrogiordano]

hi folks ,

my razr 2019 bricked after update to android 11.
somebody can help me , i try rsa from lenovo motorola, i try to flas stock rook , blanck room , and some tools and i didn´t get sucess to repair.
somebody can help me??

the getvar all is

(bootloader) kernel: uefi
(bootloader) version-bootloader: MBM-3.0-olson_retail-ea5f90093b6-220105
(bootloader) product: olson
(bootloader) board: olson
(bootloader) secure: yes
(bootloader) hwrev: PVT
(bootloader) radio: NA
(bootloader) storage-type: UFS
(bootloader) emmc: N/A
(bootloader) ufs: 128GB SAMSUNG KM2V7001CM-B706 FV=0800 WB=0
(bootloader) ram: 6GB SAMSUNG LP4x DIE=16Gb M5-M8=01 06 10 12
(bootloader) cpu: SDM710 1.1
(bootloader) serialno: ***************
(bootloader) cid: 0x0032
(bootloader) channelid: 0x19
(bootloader) uid: ****************
(bootloader) token: inactive
(bootloader) securestate: oem_locked
(bootloader) factory-modes: disabled
(bootloader) verity-state: enforcing (0)
(bootloader) iswarrantyvoid: no
(bootloader) max-download-size: 805306368
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei: *******************
(bootloader) imei2:
(bootloader) meid:
(bootloader) date: 03-17-2022
(bootloader) sku: XT2000-2
(bootloader) carrier_sku: XT2000-2
(bootloader) battid:
(bootloader) battery-voltage: 4356
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) poweroffalarm: 0
(bootloader) ro.carrier: retbr
(bootloader) ro.build.fingerprint[0]: motorola/olson/olson:11/RPVS31.Q2-
(bootloader) ro.build.fingerprint[1]: 62-7-11-9/753a0:user/release-keys
(bootloader) ro.build.version.qcom: LA.UM.9.8.r1-03800-SDM710.0
(bootloader) version-baseband: M710_13.611.03.47R ONS_ROW
(bootloader) kernel.version[0]: Linux version 4.9.227-perf+ ([email protected]
(bootloader) kernel.version[1]: oid-build) (clang version 10.0.7 for And
(bootloader) kernel.version[2]: roid NDK) #1 SMP PREEMPT Wed Jan 5 19:21
(bootloader) kernel.version[3]: :49 EST 2022
(bootloader) git:xbl: MBM-3.0-olson_retail-c7ed0cea4-220105
(bootloader) git:xbl_config: MBM-3.0-olson_retail-c7ed0cea4-220105
(bootloader) git:aop: MBM-3.0-olson_retail-0baa958-220105
(bootloader) git:tz: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:hyp: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:devcfg: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:cmnlib: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:cmnlib64: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:keymaster: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:storsec: MBM-3.0-olson_retail-108f307d-220105
(bootloader) gitrov: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:abl: MBM-3.0-olson_retail-ea5f90093b6-220105
(bootloader) git:qupfw: MBM-3.0-olson_retail-4cfc7a9-220105
(bootloader) frp-state: protected (77)
(bootloader) current-slot: a
(bootloader) running-bl-slot: _a/_a
(bootloader) running-boot-lun: 2
(bootloader) slot-count: 2
(bootloader) slot-successful:_a: no
(bootloader) slot-successful:_b: no
(bootloader) slot-unbootable:_a: no
(bootloader) slot-unbootable:_b: no
(bootloader) slot-retry-count:_a: 7
(bootloader) slot-retry-count:_b: 0
(bootloader) logical-block-size: 0x1000
(bootloader) erase-block-size: 0x1000
(bootloader) is-userspace: no

 

[boybkol]

Is there a way to include motorola edge 2022 in the list of supported devices? Thanks in advance.

 

[FritzSM]

@mark332 First of all thank you for developing this tool.

I am here with a Motorola Moto G41 that I was very happy with until Motorola rolled out their Android 12 update which broke some things.
Like the VPN menu and functionality disappearing and incoming SMS messages not getting delivered to me.

So I decided to downgrade to Android 11. Now that caused my phone to bootloop 2-3 times (Motorola logo to black screen to reboot) and then it hardbricked.
Tried the recommended procedure of holding down Volume + and - when plugging into the computer. I did that but nothing gets detected. Your tool sits there
waiting for a signal from the phone to do its thing but it is completely DEAD. Black screen, no reaction anywhere to buttonpresses .... nothing.

Have had the phone for about a week and all I wanted was to downgrade to Android 11 to restore functionality...

Is there ANY way for me to get this phone to turn on enough to go to Fastboot mode?

If "Testpoints" is the only route to go (as the guy with the G31 mentions) how can I get to them in that case?
And which ones to short in that case?

Any help is much appreciated!

//XDAFan

Same here, with a G31... Looking up for any advices...

 

[xdafan2015]

Same here, with a G31... Looking up for any advices...

Hello FritzSM!

What I know so far is that the problems that I started experiencing begun after I updated the phone to Android 12 as part of the process of getting Magisk on it. Unlocking the bootloader, patching the boot.bin file and all that good stuff. And the thing that triggers the issues seen with Android 12 (on Motorola phones) is apparently when you Factory Reset the phone AFTER updating the phone from A11-A12.

Sure Android 12 is ugly as sin, but if everything had kept on working properly It'd been fine. However I saw the VPN functionality (and menu!) disappear from the phone. SMS messages stopped coming in etc.

I did not manage to get the phone back to life after attempting to flash Android 11 to it. And I did check that I had the correct version for the exact phone that I have before doing so. Even so something went wrong. Currently I have the phone sent in to service (under warranty) and waiting to hear back if they'll replace it or give me my money back for it.

If I can get a replacement and that replacement comes with Android 11 then there are ways to stop it from updating to Android 12 after Magisk is in place. If I get my money back then I will buy a Samsung model instead. They have the Odin tool for flashing ROMs, recovery etc etc and has never failed me. And it is easy to get the stock ROM images from a good source. Not so easy with Motorola/Lenovo.

I've now had exactly two Motorola/Lenovo devices so far and those are the only two that I have bricked. Never had a Samsung die on me like this ever.

 

[pedrogiordano]

Run fastboot getvar all and post your output here.

(bootloader) kernel: uefi
(bootloader) version-bootloader: MBM-3.0-olson_retail-ea5f90093b6-220105
(bootloader) product: olson
(bootloader) board: olson
(bootloader) secure: yes
(bootloader) hwrev: PVT
(bootloader) radio: NA
(bootloader) storage-type: UFS
(bootloader) emmc: N/A
(bootloader) ufs: 128GB SAMSUNG KM2V7001CM-B706 FV=0800 WB=0
(bootloader) ram: 6GB SAMSUNG LP4x DIE=16Gb M5-M8=01 06 10 12
(bootloader) cpu: SDM710 1.1
(bootloader) serialno: ***************
(bootloader) cid: 0x0032
(bootloader) channelid: 0x19
(bootloader) uid: ****************
(bootloader) token: inactive
(bootloader) securestate: oem_locked
(bootloader) factory-modes: disabled
(bootloader) verity-state: enforcing (0)
(bootloader) iswarrantyvoid: no
(bootloader) max-download-size: 805306368
(bootloader) reason: Reboot mode set to fastboot
(bootloader) imei: *******************
(bootloader) imei2:
(bootloader) meid:
(bootloader) date: 03-17-2022
(bootloader) sku: XT2000-2
(bootloader) carrier_sku: XT2000-2
(bootloader) battid:
(bootloader) battery-voltage: 4356
(bootloader) iccid:
(bootloader) cust_md5:
(bootloader) max-sparse-size: 268435456
(bootloader) poweroffalarm: 0
(bootloader) ro.carrier: retbr
(bootloader) ro.build.fingerprint[0]: motorola/olson/olson:11/RPVS31.Q2-
(bootloader) ro.build.fingerprint[1]: 62-7-11-9/753a0:user/release-keys
(bootloader) ro.build.version.qcom: LA.UM.9.8.r1-03800-SDM710.0
(bootloader) version-baseband: M710_13.611.03.47R ONS_ROW
(bootloader) kernel.version[0]: Linux version 4.9.227-perf+ ([email protected]
(bootloader) kernel.version[1]: oid-build) (clang version 10.0.7 for And
(bootloader) kernel.version[2]: roid NDK) #1 SMP PREEMPT Wed Jan 5 19:21
(bootloader) kernel.version[3]: :49 EST 2022
(bootloader) git:xbl: MBM-3.0-olson_retail-c7ed0cea4-220105
(bootloader) git:xbl_config: MBM-3.0-olson_retail-c7ed0cea4-220105
(bootloader) git:aop: MBM-3.0-olson_retail-0baa958-220105
(bootloader) git:tz: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:hyp: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:devcfg: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:cmnlib: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:cmnlib64: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:keymaster: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:storsec: MBM-3.0-olson_retail-108f307d-220105
(bootloader) gitrov: MBM-3.0-olson_retail-108f307d-220105
(bootloader) git:abl: MBM-3.0-olson_retail-ea5f90093b6-220105
(bootloader) git:qupfw: MBM-3.0-olson_retail-4cfc7a9-220105
(bootloader) frp-state: protected (77)
(bootloader) current-slot: a
(bootloader) running-bl-slot: _a/_a
(bootloader) running-boot-lun: 2
(bootloader) slot-count: 2
(bootloader) slot-successful:_a: no
(bootloader) slot-successful:_b: no
(bootloader) slot-unbootable:_a: no
(bootloader) slot-unbootable:_b: no
(bootloader) slot-retry-count:_a: 7
(bootloader) slot-retry-count:_b: 0
(bootloader) logical-block-size: 0x1000
(bootloader) erase-block-size: 0x1000
(bootloader) is-userspace: no

 

[WoKoschekk]

(bootloader) kernel: uefi

?

 

[pedrogiordano]

what i got to do?

?

 

[WoKoschekk]

what i got to do?

For what? I don't see any question.

 

[FritzSM]

Hello FritzSM!

What I know so far is that the problems that I started experiencing begun after I updated the phone to Android 12 as part of the process of getting Magisk on it. Unlocking the bootloader, patching the boot.bin file and all that good stuff. And the thing that triggers the issues seen with Android 12 (on Motorola phones) is apparently when you Factory Reset the phone AFTER updating the phone from A11-A12.

Sure Android 12 is ugly as sin, but if everything had kept on working properly It'd been fine. However I saw the VPN functionality (and menu!) disappear from the phone. SMS messages stopped coming in etc.

I did not manage to get the phone back to life after attempting to flash Android 11 to it. And I did check that I had the correct version for the exact phone that I have before doing so. Even so something went wrong. Currently I have the phone sent in to service (under warranty) and waiting to hear back if they'll replace it or give me my money back for it.

If I can get a replacement and that replacement comes with Android 11 then there are ways to stop it from updating to Android 12 after Magisk is in place. If I get my money back then I will buy a Samsung model instead. They have the Odin tool for flashing ROMs, recovery etc etc and has never failed me. And it is easy to get the stock ROM images from a good source. Not so easy with Motorola/Lenovo.

I've now had exactly two Motorola/Lenovo devices so far and those are the only two that I have bricked. Never had a Samsung die on me like this ever.

Fo me, looks like it is more a Mediatek problem, them a Moto problem... Qualcomm Snapdragon is much more common and well understood... purchasing a G52 to replace the G31.... and run from Mediatek ones..

And keep looking for a solution for the dead Mediatek... maybe someone more skilled find the path... there are a lot of G31 and G41 in the same situation.

 

[xdafan2015]

Fo me, looks like it is more a Mediatek problem, them a Moto problem... Qualcomm Snapdragon is much more common and well understood... purchasing a G52 to replace the G31.... and run from Mediatek ones..

And keep looking for a solution for the dead Mediatek... maybe someone more skilled find the path... there are a lot of G31 and G41 in the same situation.

Now that you mention it I think that's it. Both the Lenovo/Motorola devices I have bricked had the Mediatek chipset.
Could be that is the reason why it was so "easy" to hard brick. I will definitely do my research for which chipset is used in X phone or tablet in the future.

The thing though is that the G31/41 with Magisk installed and rooted was PERFECT for my needs.
I don't want to spend any crazy amounts of money anymore on a smartphone. I just want something that is nice enough and works and does what I need it to do.

Still haven't heard back from service center about the G41 what will happen but yeah. Qualcomm over Mediatek any day.

 

[pedrogiordano]

For what? I don't see any question.































My phone is stuck in motorola logo and don't iniciate. I try lrsa , black rom , Ota, and the unbrick tool and nothing resolves this problem