[GUIDE] Lenovo Yoga Tab 3 Plus LTE Hard Unbrick Guide

Search This thread

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
Code:
/*
 * We are not responsible for bricked devices, dead SD cards,
 * thermonuclear war, or you getting fired because the alarm app failed. Please
 * do some research if you have any concerns about features included in this ROM
 * before flashing it! YOU are choosing to make these modifications.
 */

Preamble
Since I try to port Oreo to the Lenovo Yoga YTX703L I flashed and erased some partitions to get RIL working.
Maybe I mixed the partitions from one release with an another release. And after that, I rebooted the tablet.
The result was the following. The tablet power led turns on, -no vibration-, ~20 secs pause, restart (led turns off...delay...turns on).
Key combinations doesn't worked, so no recovery or even fastboot was possible. Also I weren't able to get into the deep recovery mode (HS-USB QDLoader 9008) via Power, Vol+ and Vol-.
I thought it is only a matter of time and the device would be reset into a stable state overnight - it wasn't. :(
Next day I thought, I have nothing to loose.....open it up.
There is an service manuel located here: YOGA TAB 3 Plus Hardware Maintenance Manual
After that I disconnected the battery and analyze the board layout about serial console, jtag or simple test points. I read, that eMMC "reset test points" are located near the eMMC. So I looked at two points near the eMMC and tried to shorten them. After reconnecting the battery, the device doesn't boots from the eMMC but goes into the HS-USB QDLoader 9008 loader. I saw them inside linux via lsusb command and dmesg log.
After that, I thought "...everything fine. Just flash a recovery into it". It wasn't that easy :( QFIL, Sahara, programmer...all new things to learn. The hardest thing was to learn, the programmer is device specific.
I found some russian forums, where the problem was discussed see around here. At this time, there where no solution available. So I took a mainboard change into account, but then after loooong search I found a matching one here. Thanks GD_Mekail92. You saved my tablet from trashing it!!!!! :victory:
So then I looked at the great HowTo from BigCountry907 and tried his spreadsheet.
Since I had a full backup of an other device, I ended up to generate the needed partitions from the image via sgdisk command. I was a little bit nervous, but after the programmer was accepted by the device I was happy. The remaining flash process where done really fast, since I don't flashed userdata and system - I really wanted only to go into fastboot mode the recovery the tablet by the usual images at the net (Multiflash), that flying around.

Prepare an image
This steps create an full image of the mmc storage (only sectors which are accessable via linux, since eMMC can have hidden sectors).
  1. Insert a SDCard 64GByte
  2. Boot into TWRP
  3. Mount the sdcard via TWRP
  4. Perform the following command:
    Code:
    dd if=/dev/block/mmcblk0 of=/sdcard1/mmcblk0.img bs=2M
  5. Umount the sdcard via TWRP after the copy process is done

Extract partitions and prepare flash instruction file "rawboot.xml"
  • Download the attached file and extract it. The location is called "work folder" in further references.
    This archive contains the emmc firehose programmer ( prog_emmc_firehose_8976_lite.mbn ) for the tablet as well a prepared patch0.xml which is needed for the flash process.
    Also it contains some scripts to extract the partitions from the image and generate the flash instruction file (rawprogram_upgrade.xml).
  • Copy the image into the "work folder".
  • Now run the script to extract the partitions.
    Code:
    ./genExtractPartitions.sh >extractPartitions.sh
  • Open the file extractPartitions.sh in an editor and verify, which partitions should be extracted from the image. E.g. you usually don't want do extract cache and userdata.
    Code:
    #!/bin/bash
    set -v
    rm -rf img
    mkdir img
    dd if=mmcblk0.img of=img/modem skip=131072 count=172032
    dd if=mmcblk0.img of=img/fsc skip=393216 count=2
    dd if=mmcblk0.img of=img/ssd skip=393218 count=16
    dd if=mmcblk0.img of=img/sbl1 skip=393234 count=1024
    dd if=mmcblk0.img of=img/sbl1bak skip=394258 count=1024
    dd if=mmcblk0.img of=img/rpm skip=395282 count=1024
    dd if=mmcblk0.img of=img/rpmbak skip=396306 count=1024
    dd if=mmcblk0.img of=img/tz skip=397330 count=4096
    dd if=mmcblk0.img of=img/tzbak skip=401426 count=4096
    dd if=mmcblk0.img of=img/devcfg skip=405522 count=512
    dd if=mmcblk0.img of=img/devcfgbak skip=406034 count=512
    dd if=mmcblk0.img of=img/dsp skip=406546 count=32768
    dd if=mmcblk0.img of=img/modemst1 skip=439314 count=3072
    dd if=mmcblk0.img of=img/modemst2 skip=442386 count=3072
    dd if=mmcblk0.img of=img/DDR skip=524288 count=64
    dd if=mmcblk0.img of=img/fsg skip=524352 count=3072
    dd if=mmcblk0.img of=img/sec skip=527424 count=32
    dd if=mmcblk0.img of=img/splash skip=655360 count=22528
    dd if=mmcblk0.img of=img/aboot skip=786432 count=2048
    dd if=mmcblk0.img of=img/abootbak skip=788480 count=2048
    dd if=mmcblk0.img of=img/boot skip=790528 count=131072
    dd if=mmcblk0.img of=img/recovery skip=921600 count=131072
    dd if=mmcblk0.img of=img/devinfo skip=1052672 count=2048
    dd if=mmcblk0.img of=img/userstore skip=1179648 count=65536
    dd if=mmcblk0.img of=img/system skip=1310720 count=7340032
    #dd if=mmcblk0.img of=img/cache skip=8650752 count=524288
    dd if=mmcblk0.img of=img/persist skip=9175040 count=65536
    dd if=mmcblk0.img of=img/misc skip=9240576 count=2048
    dd if=mmcblk0.img of=img/keystore skip=9242624 count=1024
    dd if=mmcblk0.img of=img/config skip=9243648 count=64
    dd if=mmcblk0.img of=img/oem skip=9243712 count=131072
    dd if=mmcblk0.img of=img/limits skip=9437184 count=64
    dd if=mmcblk0.img of=img/mota skip=9568256 count=1024
    dd if=mmcblk0.img of=img/dip skip=9569280 count=2048
    dd if=mmcblk0.img of=img/mdtp skip=9571328 count=65536
    dd if=mmcblk0.img of=img/syscfg skip=9636864 count=1024
    dd if=mmcblk0.img of=img/mcfg skip=9637888 count=8192
    dd if=mmcblk0.img of=img/cmnlib skip=9699328 count=768
    dd if=mmcblk0.img of=img/cmnlibbak skip=9700096 count=768
    dd if=mmcblk0.img of=img/cmnlib64 skip=9700864 count=768
    dd if=mmcblk0.img of=img/cmnlib64bak skip=9701632 count=768
    dd if=mmcblk0.img of=img/keymaster skip=9702400 count=512
    dd if=mmcblk0.img of=img/keymasterbak skip=9702912 count=512
    dd if=mmcblk0.img of=img/apdp skip=9830400 count=512
    dd if=mmcblk0.img of=img/msadp skip=9830912 count=512
    dd if=mmcblk0.img of=img/dpo skip=9831424 count=16
    dd if=mmcblk0.img of=img/userencrypt skip=9831440 count=2048
    dd if=mmcblk0.img of=img/countrycode skip=9833488 count=12288
    #dd if=mmcblk0.img of=img/userdata skip=9845776 count=51225551
  • After that, run the script to extract the partitions into the img folder (which is deleted/re-created by the script).
    Code:
    bash extractPartitions.sh
    Now all needed partition files should be inside the img folder
  • Copy programmer and patch0.xml into the img folder.
    Code:
    cp -v res/* img/
  • Now generate the rawprogram file:
    Code:
    ./genRawProgram.sh >img/rawprogram_upgrade.xml
  • Open the file img/rawprogram_upgrade.xml in an editor and comment out the paritions, which are left out within the extractPartitions.sh script. Otherwise QFIL can't find the partition file to flash.
    Code:
    <?xml version="1.0" ?>
    <data>
      <!--NOTE: This is an ** Autogenerated file **-->
      <!--NOTE: Sector size is 512bytes-->
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" physical_partition_number="0" size_in_KB="17.0" sparse="false" start_byte_hex="0x0" start_sector="0" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" physical_partition_number="0" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33." />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modem" label="modem" num_partition_sectors="172032" physical_partition_number="0" size_in_KB="86016.0" sparse="false" start_byte_hex="0x4000000" start_sector="131072" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="fsc" label="fsc" num_partition_sectors="2" physical_partition_number="0" size_in_KB="1.0" sparse="false" start_byte_hex="0xc000000" start_sector="393216" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="ssd" label="ssd" num_partition_sectors="16" physical_partition_number="0" size_in_KB="8.0" sparse="false" start_byte_hex="0xc000400" start_sector="393218" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sbl1" label="sbl1" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc002400" start_sector="393234" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sbl1bak" label="sbl1bak" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc082400" start_sector="394258" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="rpm" label="rpm" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc102400" start_sector="395282" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="rpmbak" label="rpmbak" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc182400" start_sector="396306" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="tz" label="tz" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc202400" start_sector="397330" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="tzbak" label="tzbak" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc402400" start_sector="401426" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devcfg" label="devcfg" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0xc602400" start_sector="405522" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devcfgbak" label="devcfgbak" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0xc642400" start_sector="406034" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dsp" label="dsp" num_partition_sectors="32768" physical_partition_number="0" size_in_KB="16384.0" sparse="false" start_byte_hex="0xc682400" start_sector="406546" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modemst1" label="modemst1" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0xd682400" start_sector="439314" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modemst2" label="modemst2" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0xd802400" start_sector="442386" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="DDR" label="DDR" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x10000000" start_sector="524288" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="fsg" label="fsg" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0x10008000" start_sector="524352" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sec" label="sec" num_partition_sectors="32" physical_partition_number="0" size_in_KB="16.0" sparse="false" start_byte_hex="0x10188000" start_sector="527424" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash" label="splash" num_partition_sectors="22528" physical_partition_number="0" size_in_KB="11264.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="aboot" label="aboot" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18000000" start_sector="786432" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="abootbak" label="abootbak" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18100000" start_sector="788480" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="boot" label="boot" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x18200000" start_sector="790528" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devinfo" label="devinfo" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x20200000" start_sector="1052672" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userstore" label="userstore" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x24000000" start_sector="1179648" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="system" label="system" num_partition_sectors="7340032" physical_partition_number="0" size_in_KB="3670016.0" sparse="false" start_byte_hex="0x28000000" start_sector="1310720" />
    <!-- <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cache" label="cache" num_partition_sectors="524288" physical_partition_number="0" size_in_KB="262144.0" sparse="false" start_byte_hex="0x108000000" start_sector="8650752" /> -->
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="persist" label="persist" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x118000000" start_sector="9175040" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="misc" label="misc" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x11a000000" start_sector="9240576" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keystore" label="keystore" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x11a100000" start_sector="9242624" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="config" label="config" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x11a180000" start_sector="9243648" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="oem" label="oem" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x11a188000" start_sector="9243712" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="limits" label="limits" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x120000000" start_sector="9437184" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mota" label="mota" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x124000000" start_sector="9568256" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dip" label="dip" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x124080000" start_sector="9569280" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mdtp" label="mdtp" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x124180000" start_sector="9571328" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="syscfg" label="syscfg" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x126180000" start_sector="9636864" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mcfg" label="mcfg" num_partition_sectors="8192" physical_partition_number="0" size_in_KB="4096.0" sparse="false" start_byte_hex="0x126200000" start_sector="9637888" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib" label="cmnlib" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128000000" start_sector="9699328" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlibbak" label="cmnlibbak" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128060000" start_sector="9700096" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib64" label="cmnlib64" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x1280c0000" start_sector="9700864" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib64bak" label="cmnlib64bak" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128120000" start_sector="9701632" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keymaster" label="keymaster" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x128180000" start_sector="9702400" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keymasterbak" label="keymasterbak" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x1281c0000" start_sector="9702912" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="apdp" label="apdp" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x12c000000" start_sector="9830400" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="msadp" label="msadp" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x12c040000" start_sector="9830912" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dpo" label="dpo" num_partition_sectors="16" physical_partition_number="0" size_in_KB="8.0" sparse="false" start_byte_hex="0x12c080000" start_sector="9831424" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userencrypt" label="userencrypt" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x12c082000" start_sector="9831440" />
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="countrycode" label="countrycode" num_partition_sectors="12288" physical_partition_number="0" size_in_KB="6144.0" sparse="false" start_byte_hex="0x12c182000" start_sector="9833488" />
    <!--
    <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userdata" label="userdata" num_partition_sectors="51225551" physical_partition_number="0" size_in_KB="25612775.0" sparse="false" start_byte_hex="0x12c782000" start_sector="9845776" /> -->
    </data>

Prepare device
As precondition, try to turn off device.
(Note: In my situation this wasn't possible, but since it resets itself after ~20 seconds the second method worked for me also.)

Then try this
Press PowerOn and Vol+ and Vol- at the same time (Display and PowerLED remains black / off ).

Only in case you aren't able to reach the EDL by the method above (please try that several times first!) you have to open your device and
shortcut the TP pins at the mainboard (see attached picture for details) and press PowerOn.
After the device is available as
Code:
ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
release PowerOn button and remove the shortcut.

Flash it
The use of QFIL is described many times in detail, also here at XDA. Have a look at: [HowTo] Flash a stock ROM by m_atze
The following steps summaries the process:
  • Open QFIL.
  • Select the programmer
  • Select XML to configure patch0.xml and rawprogram_upgrade.xml
  • Press download and follow the log window
  • After the process is done, reset the device via PowerOn button long press ~10 seconds
  • Go into recovery mode and format the data partition.
  • Done

Firmware without special partitions
If you flashed a wrong version of the tablet, there exists a chance to return it to life with the QFIL method and the partitions of the firmwares that are flying around.
I created some files with the current firmware:

X703 L
YT-X703L_S000963_171111_ROW.7z

The F Tablet isn't supported right now, since there is no programmer available.

Note: I had to format my data partition to prevent a bootloop.

Does this help @killman?
 

Attachments

  • Mainboard.jpg
    Mainboard.jpg
    302.9 KB · Views: 842
  • createBackup.tar.gz
    117.3 KB · Views: 214
Last edited:

DerEineDa

Senior Member
Aug 3, 2010
522
421
Wow, thanks! This reduces my anxiety when flashing critical partitions :)

Are you sure that you need to flash RIL related partitions for Oreo? I don't have an LTE device, so I can't know, but this seems... drastic.
 

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
Wow, thanks! This reduces my anxiety when flashing critical partitions :)

Are you sure that you need to flash RIL related partitions for Oreo? I don't have an LTE device, so I can't know, but this seems... drastic.
But think about an backup dd - image of the device you use !

I don't think, that re-flashing these partitions is neccessary.
I tried it, because it didn't work on oreo dev build. The I switched back to the stock firmware and realised that it also doesn't work. So I tried to repair it with reflashing the modemst1/modemst2 partitions (and others). But maybe my device has an fault, so the effort was for nothing.
 

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
Thanks! Excellent work. Installation this firmware through QFIL will allow of work
fastboot even if system won't be started? Enough what the fastboot mode would appear, all the rest isn't important.

Yes. At first you have to set the device into the recovery mode. After that you can flash the image. For convenience I created a image with all available partitions from the roms, that flying around. So after that, you have the same result (I think). You can also modify the rawboot XML file and only flash sbl1 aboot. Maybe this is sufficient for a fastboot recovery. But I see no benefit when it is intended to flashing the rom anyways.

Good luck :) !

I tested it on a L device.
 

killmans

New member
Feb 17, 2018
4
0
thanks for your great work, but i have tablet 703f flashed with firmware for 703L version. i have QDloader 9008. i tried to flash with your's version for 703F, but it didn't work .. i attached log file
Code:
Validating Application Configuration
Load APP Configuration
COM:-1
PBLDOWNLOADPROTOCOL:0
PROGRAMMER:True
PROGRAMMER:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
RESETSAHARASTATEEMACHINE:False
SEARCHPATH:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images
RAWPROGRAM:
rawprogram_upgrade.xml
PATCH:
patch0.xml
ACKRAWDATAEVERYNUMPACKETS:False
ACKRAWDATAEVERYNUMPACKETS:100
MAXPAYLOADSIZETOTARGETINBYTES:False
MAXPAYLOADSIZETOTARGETINBYTES:49152
DEVICETYPE:eMMC
PLATFORM:8x26
VALIDATIONMODE:0
RESETAFTERDOWNLOAD:False
MAXDIGESTTABLESIZE:8192
SWITCHTOFIREHOSETIMEOUT:30
RESETTIMEOUT:200
RESETDELAYTIME:2
FLATBUILDPATH:C:\
FLATBUILDFORCEOVERRIDE:True
QCNPATH:C:\Temp\00000000.qcn
QCNAUTOBACKUPRESTORE:False
SPCCODE:000000
ENABLEMULTISIM:False
AUTOPRESERVEPARTITIONS:False
PARTITIONPRESERVEMODE:0
PRESERVEDPARTITIONS:0
PRESERVEDPARTITIONS:
ERASEALL:False
Load ARG Configuration
Validating Download Configuration
Image Search Path: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images
RAWPROGRAM file path: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\rawprogram_upgrade.xml
PATCH file path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\patch0.xml
Programmer Path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
Process Index:1
Start Download
Program Path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
***** Working Folder:C:\Users\users\AppData\Roaming\Qualcomm\QFIL\COMPORT_6
Binary build date: Oct 31 2016 @ 22:51:05
QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'Current working dir: C:\Users\users\AppData\Roaming\Qualcomm\QFIL\COMPORT_6
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
18:35:07: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
18:35:07: ERROR: function: sahara_main:924 Sahara protocol error
18:35:07: ERROR: function: main:303 Uploading  Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Fail:Process fail
Finish Download
 

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
thanks for your great work, but i have tablet 703f flashed with firmware for 703L version. i have QDloader 9008. i tried to flash with your's version for 703F, but it didn't work .. i attached log file
Code:
Validating Application Configuration
Load APP Configuration
COM:-1
PBLDOWNLOADPROTOCOL:0
PROGRAMMER:True
PROGRAMMER:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
RESETSAHARASTATEEMACHINE:False
SEARCHPATH:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images
RAWPROGRAM:
rawprogram_upgrade.xml
PATCH:
patch0.xml
ACKRAWDATAEVERYNUMPACKETS:False
ACKRAWDATAEVERYNUMPACKETS:100
MAXPAYLOADSIZETOTARGETINBYTES:False
MAXPAYLOADSIZETOTARGETINBYTES:49152
DEVICETYPE:eMMC
PLATFORM:8x26
VALIDATIONMODE:0
RESETAFTERDOWNLOAD:False
MAXDIGESTTABLESIZE:8192
SWITCHTOFIREHOSETIMEOUT:30
RESETTIMEOUT:200
RESETDELAYTIME:2
FLATBUILDPATH:C:\
FLATBUILDFORCEOVERRIDE:True
QCNPATH:C:\Temp\00000000.qcn
QCNAUTOBACKUPRESTORE:False
SPCCODE:000000
ENABLEMULTISIM:False
AUTOPRESERVEPARTITIONS:False
PARTITIONPRESERVEMODE:0
PRESERVEDPARTITIONS:0
PRESERVEDPARTITIONS:
ERASEALL:False
Load ARG Configuration
Validating Download Configuration
Image Search Path: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images
RAWPROGRAM file path: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\rawprogram_upgrade.xml
PATCH file path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\patch0.xml
Programmer Path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
Process Index:1
Start Download
Program Path:D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
***** Working Folder:C:\Users\users\AppData\Roaming\Qualcomm\QFIL\COMPORT_6
Binary build date: Oct 31 2016 @ 22:51:05
QSAHARASERVER CALLED LIKE THIS: 'C:\Program Files (x86)\Qualcomm\QPST\bin\QSaharaServer.ex'Current working dir: C:\Users\users\AppData\Roaming\Qualcomm\QFIL\COMPORT_6
Sahara mappings:
2: amss.mbn
6: apps.mbn
8: dsp1.mbn
10: dbl.mbn
11: osbl.mbn
12: dsp2.mbn
16: efs1.mbn
17: efs2.mbn
20: efs3.mbn
21: sbl1.mbn
22: sbl2.mbn
23: rpm.mbn
25: tz.mbn
28: dsp3.mbn
29: acdb.mbn
30: wdt.mbn
31: mba.mbn
13: D:\YT-X703F_S000963_171111_ROW\YT-X703F_S000963_171111_ROW\Images\prog_emmc_firehose_8976_lite.mbn
18:35:07: ERROR: function: sahara_rx_data:237 Unable to read packet header. Only read 0 bytes.
18:35:07: ERROR: function: sahara_main:924 Sahara protocol error
18:35:07: ERROR: function: main:303 Uploading  Image using Sahara protocol failed
Download Fail:Sahara Fail:QSaharaServer Fail:Process fail
Finish Download

Can you please try another QFIL version or another PC? Seems there are issues with that version? I searched for "Sahara protocol error" and found some matches.
Also I tested on a Windows 10 system.
 

killmans

New member
Feb 17, 2018
4
0
Can you please try another QFIL version or another PC? Seems there are issues with that version? I searched for "Sahara protocol error" and found some matches.
Also I tested on a Windows 10 system.

so what was held:
1. port change, computer change (Win 10)
2. win 7
3. Change of drivers (different) change Qfil
4. absurd - shortening the path to the folder
all this did not bring any results .. the mistake is the same - in the Sahara
 

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
so what was held:
1. port change, computer change (Win 10)
2. win 7
3. Change of drivers (different) change Qfil
4. absurd - shortening the path to the folder
all this did not bring any results .. the mistake is the same - in the Sahara

Silly question....you are in 9008 mode right?
Does the device stay in this mode for long or does it perform a reset after a (short) while ?
For my L device the flash process is stable. Can you please try another firehose flasher (which is incompatible to this device), just to see if there are differences in the error log output.
Maybe the flasher is wrong (altoght the signature is right :-/ )

I tried following versions:
QPST.2.7.460
QPST.2.7.437
 
Last edited:

killmans

New member
Feb 17, 2018
4
0
Silly question....you are in 9008 mode right?
Does the device stay in this mode for long or does it perform a reset after a (short) while ?

device all the time in 9008 mode, turn on(tablet generally) plugging in the cable from the battery (I dismantled the tablet) After power-on, he immediately enters the 9008th
 
Last edited:

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
device all the time in 9008 mode, turn on(tablet generally) plugging in the cable from the battery (I dismantled the tablet) After power-on, he immediately enters the 9008th

That's sad :(
Seriosly, I'm curious what's the problem is.
/* ironic
Can you please buy a L tablet and can you try to flash it via QFIL ;) ? So we can check if it is device related or not.
*/
Maybe you can try to shortcut the pins, I marked at the picture.
Also, for linux there is a sahara utility https://github.com/openpst/sahara available. I never uploaded a file with it, but I used it to check the emmc programmer.
  • Select a port
  • Press connect
  • Select programmer in file dialog, which opens after that.

--> In case the GUI asks for the patch.xml the programmer is right.
 
  • Like
Reactions: schasch

killmans

New member
Feb 17, 2018
4
0
That's sad :(
Seriosly, I'm curious what's the problem is.
/* ironic
Can you please buy a L tablet and can you try to flash it via QFIL ;) ? So we can check if it is device related or not.
*/
Maybe you can try to shortcut the pins, I marked at the picture.
Also, for linux there is a sahara utility https://github.com/openpst/sahara available. I never uploaded a file with it, but I used it to check the emmc programmer.
  • Select a port
  • Press connect
  • Select programmer in file dialog, which opens after that.

--> In case the GUI asks for the patch.xml the programmer is right.


i'm really sad :(
after connecting to the tablet, he asked 52 bytes from the image 0x0D - EHOSTDL After selecting firehose response: no response from device
 

c7x43t

New member
Jun 15, 2018
1
0
Hello,
how do I create mmcblk0.img when I can't boot into TWRP? (my device [ Lenovo Yoga Tab 3 Plus LTE ] is also hardbricked, no recovery or fastboot)
Is rawprogram_upgrade.xml device specific or only model specific. If the latter please share the xml.
Thanks.
 

Quallenauge

Inactive Recognized Developer
May 10, 2012
269
598
Hello,
how do I create mmcblk0.img when I can't boot into TWRP? (my device [ Lenovo Yoga Tab 3 Plus LTE ] is also hardbricked, no recovery or fastboot)
Is rawprogram_upgrade.xml device specific or only model specific. If the latter please share the xml.
Thanks.

If no fastboot at all comes up, you can use my pre-assembled image from the first page. Look at the section:
Firmware without special partitions
you'll find a link there. This file basically contains all what is needed to bring up the device.

Best regards.
 
  • Like
Reactions: schasch

Komplexa

Member
Aug 4, 2019
6
0
Flashing successful but situation unchanged

Thank you very much for your detailed post. I own an unfortunately bricked Yoga Tab 3 Plus (LTE). It boots up to the Lenovo logo and stays there. Even recovery isn't accessible. I shortened the pins and managed to flash using QFIL with the files you kindly provided. Flashing completes without errors according to QFIL unfortunately when I try to reboot into recovery mode to wipe data as you suggested I encounter the old problem of booting blocked at Lenovo logo, no recovery possible.
Would it help to flash an alternative recovery partition with TWRP or alike? Could you provide the corresponding image file if you have it? Do you have other suggestions?
Thanks in advance!
 

vladimiroltean

Senior Member
Apr 9, 2016
382
344
Thank you very much for your detailed post. I own an unfortunately bricked Yoga Tab 3 Plus (LTE). It boots up to the Lenovo logo and stays there. Even recovery isn't accessible. I shortened the pins and managed to flash using QFIL with the files you kindly provided. Flashing completes without errors according to QFIL unfortunately when I try to reboot into recovery mode to wipe data as you suggested I encounter the old problem of booting blocked at Lenovo logo, no recovery possible.
Would it help to flash an alternative recovery partition with TWRP or alike? Could you provide the corresponding image file if you have it? Do you have other suggestions?
Thanks in advance!

It's not bricked if it boots to the Lenovo logo! That's the bootloader! You risked the integrity of your own device for no reason.
Hint: google "fastboot".
 

Komplexa

Member
Aug 4, 2019
6
0
Thank you very much for your suggestion. Unfortunately I can't seem to access fastboot mode by combination of power and volume bottom and adb or fastboot don't even recognize the device. (I would never have risked the integrity of the system if I saw another way.)
Do you have any suggestion for me?
Once again: thank you very much, your help is greatly appreciated!
 

vladimiroltean

Senior Member
Apr 9, 2016
382
344
Thank you very much for your suggestion. Unfortunately I can't seem to access fastboot mode by combination of power and volume bottom and adb or fastboot don't even recognize the device. (I would never have risked the integrity of the system if I saw another way.)
Do you have any suggestion for me?
Once again: thank you very much, your help is greatly appreciated!

Have you ever really used fastboot before, or are you "just saying" (thinking it's the same as adb, as you seem to be)?
What USB vendor ID and device ID does the device present itself to the OS as, when connected to the PC and booted with the "volume up" key pressed?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    Code:
    /*
     * We are not responsible for bricked devices, dead SD cards,
     * thermonuclear war, or you getting fired because the alarm app failed. Please
     * do some research if you have any concerns about features included in this ROM
     * before flashing it! YOU are choosing to make these modifications.
     */

    Preamble
    Since I try to port Oreo to the Lenovo Yoga YTX703L I flashed and erased some partitions to get RIL working.
    Maybe I mixed the partitions from one release with an another release. And after that, I rebooted the tablet.
    The result was the following. The tablet power led turns on, -no vibration-, ~20 secs pause, restart (led turns off...delay...turns on).
    Key combinations doesn't worked, so no recovery or even fastboot was possible. Also I weren't able to get into the deep recovery mode (HS-USB QDLoader 9008) via Power, Vol+ and Vol-.
    I thought it is only a matter of time and the device would be reset into a stable state overnight - it wasn't. :(
    Next day I thought, I have nothing to loose.....open it up.
    There is an service manuel located here: YOGA TAB 3 Plus Hardware Maintenance Manual
    After that I disconnected the battery and analyze the board layout about serial console, jtag or simple test points. I read, that eMMC "reset test points" are located near the eMMC. So I looked at two points near the eMMC and tried to shorten them. After reconnecting the battery, the device doesn't boots from the eMMC but goes into the HS-USB QDLoader 9008 loader. I saw them inside linux via lsusb command and dmesg log.
    After that, I thought "...everything fine. Just flash a recovery into it". It wasn't that easy :( QFIL, Sahara, programmer...all new things to learn. The hardest thing was to learn, the programmer is device specific.
    I found some russian forums, where the problem was discussed see around here. At this time, there where no solution available. So I took a mainboard change into account, but then after loooong search I found a matching one here. Thanks GD_Mekail92. You saved my tablet from trashing it!!!!! :victory:
    So then I looked at the great HowTo from BigCountry907 and tried his spreadsheet.
    Since I had a full backup of an other device, I ended up to generate the needed partitions from the image via sgdisk command. I was a little bit nervous, but after the programmer was accepted by the device I was happy. The remaining flash process where done really fast, since I don't flashed userdata and system - I really wanted only to go into fastboot mode the recovery the tablet by the usual images at the net (Multiflash), that flying around.

    Prepare an image
    This steps create an full image of the mmc storage (only sectors which are accessable via linux, since eMMC can have hidden sectors).
    1. Insert a SDCard 64GByte
    2. Boot into TWRP
    3. Mount the sdcard via TWRP
    4. Perform the following command:
      Code:
      dd if=/dev/block/mmcblk0 of=/sdcard1/mmcblk0.img bs=2M
    5. Umount the sdcard via TWRP after the copy process is done

    Extract partitions and prepare flash instruction file "rawboot.xml"
    • Download the attached file and extract it. The location is called "work folder" in further references.
      This archive contains the emmc firehose programmer ( prog_emmc_firehose_8976_lite.mbn ) for the tablet as well a prepared patch0.xml which is needed for the flash process.
      Also it contains some scripts to extract the partitions from the image and generate the flash instruction file (rawprogram_upgrade.xml).
    • Copy the image into the "work folder".
    • Now run the script to extract the partitions.
      Code:
      ./genExtractPartitions.sh >extractPartitions.sh
    • Open the file extractPartitions.sh in an editor and verify, which partitions should be extracted from the image. E.g. you usually don't want do extract cache and userdata.
      Code:
      #!/bin/bash
      set -v
      rm -rf img
      mkdir img
      dd if=mmcblk0.img of=img/modem skip=131072 count=172032
      dd if=mmcblk0.img of=img/fsc skip=393216 count=2
      dd if=mmcblk0.img of=img/ssd skip=393218 count=16
      dd if=mmcblk0.img of=img/sbl1 skip=393234 count=1024
      dd if=mmcblk0.img of=img/sbl1bak skip=394258 count=1024
      dd if=mmcblk0.img of=img/rpm skip=395282 count=1024
      dd if=mmcblk0.img of=img/rpmbak skip=396306 count=1024
      dd if=mmcblk0.img of=img/tz skip=397330 count=4096
      dd if=mmcblk0.img of=img/tzbak skip=401426 count=4096
      dd if=mmcblk0.img of=img/devcfg skip=405522 count=512
      dd if=mmcblk0.img of=img/devcfgbak skip=406034 count=512
      dd if=mmcblk0.img of=img/dsp skip=406546 count=32768
      dd if=mmcblk0.img of=img/modemst1 skip=439314 count=3072
      dd if=mmcblk0.img of=img/modemst2 skip=442386 count=3072
      dd if=mmcblk0.img of=img/DDR skip=524288 count=64
      dd if=mmcblk0.img of=img/fsg skip=524352 count=3072
      dd if=mmcblk0.img of=img/sec skip=527424 count=32
      dd if=mmcblk0.img of=img/splash skip=655360 count=22528
      dd if=mmcblk0.img of=img/aboot skip=786432 count=2048
      dd if=mmcblk0.img of=img/abootbak skip=788480 count=2048
      dd if=mmcblk0.img of=img/boot skip=790528 count=131072
      dd if=mmcblk0.img of=img/recovery skip=921600 count=131072
      dd if=mmcblk0.img of=img/devinfo skip=1052672 count=2048
      dd if=mmcblk0.img of=img/userstore skip=1179648 count=65536
      dd if=mmcblk0.img of=img/system skip=1310720 count=7340032
      #dd if=mmcblk0.img of=img/cache skip=8650752 count=524288
      dd if=mmcblk0.img of=img/persist skip=9175040 count=65536
      dd if=mmcblk0.img of=img/misc skip=9240576 count=2048
      dd if=mmcblk0.img of=img/keystore skip=9242624 count=1024
      dd if=mmcblk0.img of=img/config skip=9243648 count=64
      dd if=mmcblk0.img of=img/oem skip=9243712 count=131072
      dd if=mmcblk0.img of=img/limits skip=9437184 count=64
      dd if=mmcblk0.img of=img/mota skip=9568256 count=1024
      dd if=mmcblk0.img of=img/dip skip=9569280 count=2048
      dd if=mmcblk0.img of=img/mdtp skip=9571328 count=65536
      dd if=mmcblk0.img of=img/syscfg skip=9636864 count=1024
      dd if=mmcblk0.img of=img/mcfg skip=9637888 count=8192
      dd if=mmcblk0.img of=img/cmnlib skip=9699328 count=768
      dd if=mmcblk0.img of=img/cmnlibbak skip=9700096 count=768
      dd if=mmcblk0.img of=img/cmnlib64 skip=9700864 count=768
      dd if=mmcblk0.img of=img/cmnlib64bak skip=9701632 count=768
      dd if=mmcblk0.img of=img/keymaster skip=9702400 count=512
      dd if=mmcblk0.img of=img/keymasterbak skip=9702912 count=512
      dd if=mmcblk0.img of=img/apdp skip=9830400 count=512
      dd if=mmcblk0.img of=img/msadp skip=9830912 count=512
      dd if=mmcblk0.img of=img/dpo skip=9831424 count=16
      dd if=mmcblk0.img of=img/userencrypt skip=9831440 count=2048
      dd if=mmcblk0.img of=img/countrycode skip=9833488 count=12288
      #dd if=mmcblk0.img of=img/userdata skip=9845776 count=51225551
    • After that, run the script to extract the partitions into the img folder (which is deleted/re-created by the script).
      Code:
      bash extractPartitions.sh
      Now all needed partition files should be inside the img folder
    • Copy programmer and patch0.xml into the img folder.
      Code:
      cp -v res/* img/
    • Now generate the rawprogram file:
      Code:
      ./genRawProgram.sh >img/rawprogram_upgrade.xml
    • Open the file img/rawprogram_upgrade.xml in an editor and comment out the paritions, which are left out within the extractPartitions.sh script. Otherwise QFIL can't find the partition file to flash.
      Code:
      <?xml version="1.0" ?>
      <data>
        <!--NOTE: This is an ** Autogenerated file **-->
        <!--NOTE: Sector size is 512bytes-->
        <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_main0.bin" label="PrimaryGPT" num_partition_sectors="34" physical_partition_number="0" size_in_KB="17.0" sparse="false" start_byte_hex="0x0" start_sector="0" />
        <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="gpt_backup0.bin" label="BackupGPT" num_partition_sectors="33" physical_partition_number="0" size_in_KB="16.5" sparse="false" start_byte_hex="(512*NUM_DISK_SECTORS)-16896." start_sector="NUM_DISK_SECTORS-33." />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modem" label="modem" num_partition_sectors="172032" physical_partition_number="0" size_in_KB="86016.0" sparse="false" start_byte_hex="0x4000000" start_sector="131072" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="fsc" label="fsc" num_partition_sectors="2" physical_partition_number="0" size_in_KB="1.0" sparse="false" start_byte_hex="0xc000000" start_sector="393216" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="ssd" label="ssd" num_partition_sectors="16" physical_partition_number="0" size_in_KB="8.0" sparse="false" start_byte_hex="0xc000400" start_sector="393218" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sbl1" label="sbl1" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc002400" start_sector="393234" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sbl1bak" label="sbl1bak" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc082400" start_sector="394258" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="rpm" label="rpm" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc102400" start_sector="395282" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="rpmbak" label="rpmbak" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0xc182400" start_sector="396306" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="tz" label="tz" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc202400" start_sector="397330" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="tzbak" label="tzbak" num_partition_sectors="4096" physical_partition_number="0" size_in_KB="2048.0" sparse="false" start_byte_hex="0xc402400" start_sector="401426" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devcfg" label="devcfg" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0xc602400" start_sector="405522" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devcfgbak" label="devcfgbak" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0xc642400" start_sector="406034" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dsp" label="dsp" num_partition_sectors="32768" physical_partition_number="0" size_in_KB="16384.0" sparse="false" start_byte_hex="0xc682400" start_sector="406546" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modemst1" label="modemst1" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0xd682400" start_sector="439314" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="modemst2" label="modemst2" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0xd802400" start_sector="442386" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="DDR" label="DDR" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x10000000" start_sector="524288" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="fsg" label="fsg" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0x10008000" start_sector="524352" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="sec" label="sec" num_partition_sectors="32" physical_partition_number="0" size_in_KB="16.0" sparse="false" start_byte_hex="0x10188000" start_sector="527424" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="splash" label="splash" num_partition_sectors="22528" physical_partition_number="0" size_in_KB="11264.0" sparse="false" start_byte_hex="0x14000000" start_sector="655360" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="aboot" label="aboot" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18000000" start_sector="786432" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="abootbak" label="abootbak" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x18100000" start_sector="788480" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="boot" label="boot" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x18200000" start_sector="790528" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="recovery" label="recovery" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x1c200000" start_sector="921600" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="devinfo" label="devinfo" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x20200000" start_sector="1052672" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userstore" label="userstore" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x24000000" start_sector="1179648" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="system" label="system" num_partition_sectors="7340032" physical_partition_number="0" size_in_KB="3670016.0" sparse="false" start_byte_hex="0x28000000" start_sector="1310720" />
      <!-- <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cache" label="cache" num_partition_sectors="524288" physical_partition_number="0" size_in_KB="262144.0" sparse="false" start_byte_hex="0x108000000" start_sector="8650752" /> -->
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="persist" label="persist" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x118000000" start_sector="9175040" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="misc" label="misc" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x11a000000" start_sector="9240576" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keystore" label="keystore" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x11a100000" start_sector="9242624" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="config" label="config" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x11a180000" start_sector="9243648" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="oem" label="oem" num_partition_sectors="131072" physical_partition_number="0" size_in_KB="65536.0" sparse="false" start_byte_hex="0x11a188000" start_sector="9243712" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="limits" label="limits" num_partition_sectors="64" physical_partition_number="0" size_in_KB="32.0" sparse="false" start_byte_hex="0x120000000" start_sector="9437184" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mota" label="mota" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x124000000" start_sector="9568256" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dip" label="dip" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x124080000" start_sector="9569280" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mdtp" label="mdtp" num_partition_sectors="65536" physical_partition_number="0" size_in_KB="32768.0" sparse="false" start_byte_hex="0x124180000" start_sector="9571328" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="syscfg" label="syscfg" num_partition_sectors="1024" physical_partition_number="0" size_in_KB="512.0" sparse="false" start_byte_hex="0x126180000" start_sector="9636864" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="mcfg" label="mcfg" num_partition_sectors="8192" physical_partition_number="0" size_in_KB="4096.0" sparse="false" start_byte_hex="0x126200000" start_sector="9637888" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib" label="cmnlib" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128000000" start_sector="9699328" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlibbak" label="cmnlibbak" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128060000" start_sector="9700096" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib64" label="cmnlib64" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x1280c0000" start_sector="9700864" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="cmnlib64bak" label="cmnlib64bak" num_partition_sectors="768" physical_partition_number="0" size_in_KB="384.0" sparse="false" start_byte_hex="0x128120000" start_sector="9701632" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keymaster" label="keymaster" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x128180000" start_sector="9702400" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="keymasterbak" label="keymasterbak" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x1281c0000" start_sector="9702912" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="apdp" label="apdp" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x12c000000" start_sector="9830400" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="msadp" label="msadp" num_partition_sectors="512" physical_partition_number="0" size_in_KB="256.0" sparse="false" start_byte_hex="0x12c040000" start_sector="9830912" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="dpo" label="dpo" num_partition_sectors="16" physical_partition_number="0" size_in_KB="8.0" sparse="false" start_byte_hex="0x12c080000" start_sector="9831424" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userencrypt" label="userencrypt" num_partition_sectors="2048" physical_partition_number="0" size_in_KB="1024.0" sparse="false" start_byte_hex="0x12c082000" start_sector="9831440" />
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="countrycode" label="countrycode" num_partition_sectors="12288" physical_partition_number="0" size_in_KB="6144.0" sparse="false" start_byte_hex="0x12c182000" start_sector="9833488" />
      <!--
      <program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="userdata" label="userdata" num_partition_sectors="51225551" physical_partition_number="0" size_in_KB="25612775.0" sparse="false" start_byte_hex="0x12c782000" start_sector="9845776" /> -->
      </data>

    Prepare device
    As precondition, try to turn off device.
    (Note: In my situation this wasn't possible, but since it resets itself after ~20 seconds the second method worked for me also.)

    Then try this
    Press PowerOn and Vol+ and Vol- at the same time (Display and PowerLED remains black / off ).

    Only in case you aren't able to reach the EDL by the method above (please try that several times first!) you have to open your device and
    shortcut the TP pins at the mainboard (see attached picture for details) and press PowerOn.
    After the device is available as
    Code:
    ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
    release PowerOn button and remove the shortcut.

    Flash it
    The use of QFIL is described many times in detail, also here at XDA. Have a look at: [HowTo] Flash a stock ROM by m_atze
    The following steps summaries the process:
    • Open QFIL.
    • Select the programmer
    • Select XML to configure patch0.xml and rawprogram_upgrade.xml
    • Press download and follow the log window
    • After the process is done, reset the device via PowerOn button long press ~10 seconds
    • Go into recovery mode and format the data partition.
    • Done

    Firmware without special partitions
    If you flashed a wrong version of the tablet, there exists a chance to return it to life with the QFIL method and the partitions of the firmwares that are flying around.
    I created some files with the current firmware:

    X703 L
    YT-X703L_S000963_171111_ROW.7z

    The F Tablet isn't supported right now, since there is no programmer available.

    Note: I had to format my data partition to prevent a bootloop.

    Does this help @killman?
    2
    Wow, thanks! This reduces my anxiety when flashing critical partitions :)

    Are you sure that you need to flash RIL related partitions for Oreo? I don't have an LTE device, so I can't know, but this seems... drastic.
    But think about an backup dd - image of the device you use !

    I don't think, that re-flashing these partitions is neccessary.
    I tried it, because it didn't work on oreo dev build. The I switched back to the stock firmware and realised that it also doesn't work. So I tried to repair it with reflashing the modemst1/modemst2 partitions (and others). But maybe my device has an fault, so the effort was for nothing.
    1
    Added some precompiled firmware images to be flashed via the QFIL method.
    1
    device all the time in 9008 mode, turn on(tablet generally) plugging in the cable from the battery (I dismantled the tablet) After power-on, he immediately enters the 9008th

    That's sad :(
    Seriosly, I'm curious what's the problem is.
    /* ironic
    Can you please buy a L tablet and can you try to flash it via QFIL ;) ? So we can check if it is device related or not.
    */
    Maybe you can try to shortcut the pins, I marked at the picture.
    Also, for linux there is a sahara utility https://github.com/openpst/sahara available. I never uploaded a file with it, but I used it to check the emmc programmer.
    • Select a port
    • Press connect
    • Select programmer in file dialog, which opens after that.

    --> In case the GUI asks for the patch.xml the programmer is right.
    1
    Hello,
    how do I create mmcblk0.img when I can't boot into TWRP? (my device [ Lenovo Yoga Tab 3 Plus LTE ] is also hardbricked, no recovery or fastboot)
    Is rawprogram_upgrade.xml device specific or only model specific. If the latter please share the xml.
    Thanks.

    If no fastboot at all comes up, you can use my pre-assembled image from the first page. Look at the section:
    Firmware without special partitions
    you'll find a link there. This file basically contains all what is needed to bring up the device.

    Best regards.