
Is it bricked? Cannot flash stock Android to remove ArcaneOS


VladkoM

Member
Feb 21, 2014
9
2
Podgorica
Well, done.
I paid 25€ to a local developer and waited 2 hours.
 

fler_tb

Member
Apr 12, 2012
23
4
Trebinje
Until now I have gotten 4 ArcaneOS Pixel 4a phones and can confirm that 2/4 were successfully unlocked with the `fastboot flashing unlock` command. After that I flashed stock Android, then relocked the bootloader, and those two phones work perfectly. But the last two, exactly the same as the previous ones, do not accept the command I mentioned. So I think I was lucky with the first two, 'cause maybe they forgot to disable OEM unlock 😄
 

paulCIA

Member
Apr 16, 2015
14
8
New York
It's possible that some have a custom bootloader installed that disables OEM unlock and flashing commands by fastboot. If these are regular off-the-shelf 4a's (i.e., they don't have some kind of hardware lock on the firmware or EDL mode, and I'm guessing they don't since after all "someone" already got this far with custom firmware), it should be possible to use the Qualcomm developer tools (QFIL or QPST) to overwrite the firmware with stock and re-enable flashing and unlock from EDL mode. (Fair warning: it's also possible to hard brick it entirely so that it won't power on at all, so be very careful and don't do this on any devices you can't afford to lose entirely, though frankly considering who created this particular ROM you're probably better off with a hard brick than this ROM anyway.)

For that you'd need the firehose programmer binary and a stock firmware image to flash. If they are the same hardware you should be able to use the tool to dump the firmware from a working one and download it to the rest once you have the firehose programmer. Unfortunately I'm not sure which one you need for the Pixel 4a, but it may be the same one as for other 730G chipset devices (SM7150 is the product SKU, so something like prog_xxxx_firehose_sm7150.bin). See for example, this guide or maybe this, or a lot of other guides on this forum. Those aren't specifically for the 4a, and I'm not sure one exists, but it's probably very similar to the process for other Pixels and especially HTC Pixels (I have successfully done it on an LG-made Pixel 2 XL; if I had a 4a I'd give it a shot, maybe I can get one of these on a discount :p). Though again, not sure I want one considering whence they came!
 

nomesrjp

Senior Member
May 16, 2015
96
40
51
Los Angeles
paulCIA said:
It's possible that some have a custom bootloader installed that disables OEM unlock and flashing commands by fastboot. If these are regular off-the-shelf 4a's (i.e., they don't have some kind of hardware lock on the firmware or EDL mode, and I'm guessing they don't since after all "someone" already got this far with custom firmware), it should be possible to use the Qualcomm developer tools (QFIL or QPST) to overwrite the firmware with stock and re-enable flashing and unlock from EDL mode. (Fair warning: it's also possible to hard brick it entirely so that it won't power on at all, so be very careful and don't do this on any devices you can't afford to lose entirely, though frankly considering who created this particular ROM you're probably better off with a hard brick than this ROM anyway.)

For that you'd need the firehose programmer binary and a stock firmware image to flash. If they are the same hardware you should be able to use the tool to dump the firmware from a working one and download it to the rest once you have the firehose programmer. Unfortunately I'm not sure which one you need for the Pixel 4a, but it may be the same one as for other 730G chipset devices (SM7150 is the product SKU, so something like prog_xxxx_firehose_sm7150.bin). See for example, this guide or maybe this, or a lot of other guides on this forum. Those aren't specifically for the 4a, and I'm not sure one exists, but it's probably very similar to the process for other Pixels and especially HTC Pixels (I have successfully done it on an LG-made Pixel 2 XL; if I had a 4a I'd give it a shot, maybe I can get one of these on a discount :p). Though again, not sure I want one considering whence they came!

Thanks for the information, useful. Does anyone know where I might find the correct Qualcomm firehose for the SM7150, or my best approach to extract the firmware from a functioning Pixel 4a?
 

rawk1

New member
Jul 22, 2013
2
0
Google Nexus 5
LG Nexus 5X
Got one of these today and it seems someone has had a go already and managed to "no command" the recovery and rescue mode. Fastboot unlock commands don't work on mine either; in fact, besides fastboot reboot, all commands either fail or are not allowed while locked.

Only half a day into trying but not looking like a fun job.
 

nomesrjp

Senior Member
May 16, 2015
96
40
51
Los Angeles
The information below might be of use for those attempting this exercise. I still think there are components missing to bring about a full recovery, such as the XML files needed by QPST (rawprogram* and patch0), but I may be wrong. I don't have a PC ATM, so I'm not able to attempt this.
- Pixel 4a Snapdragon 730G SM7150
h**ps://en.wikipedia.org/wiki/List_of_Qualcomm_Snapdragon_processors#Snapdragon_720G/730/730G/732G_(2019/20)

- Multiboot binary firmware image (MBN) - This file contains the binary data for a device's memory partitions
h**ps://forum.xda-developers.com/t/flashed-pixel-4a-with-pixel-5-image-by-mistake.4267097/post-85315189
h**ps://www.gadgetsdr.com/all-qualcomm-prog-emmc-firehose-programmer-file-download/

- Qualcomm Emergency Download mode (EDL) - for me the typical fastboot commands didn't work (fastboot edl, fastboot reboot-edl, etc), using fastboot version 31.0.3-7562133. I wasn't able to find strings related to edl which is likely why. As such, the following guides might assist (I'm unsure if they're applicable to sunfish). From what I gather the binary below is patched to allow for reboot-edl.
h**ps://forum.xda-developers.com/t/guide-tool-reboot-to-edl-mode-from-fastboot-no-more-test-point-method-kenzo.3398718/
h**ps://www.ytechb.com/how-to-boot-into-edl-mode-android/
h**ps://github.com/bkerler/edl

- Qualcomm Product Support Tools (QPST) & Qualcomm Flash Image Loader (QFIL) - I believe the latest versions are QPST v2.7 Build 496 Qfil 2021 & QFIL v2.0.3.5
h**ps://www.androidbrick.com/download/
 
  • Like
Reactions: wireroot

wireroot

Member
Jan 3, 2019
33
15
[...] I still think there are components missing to bring about a full recovery, such as the xml files needed by QPST (rawprogram* and patch0) [...]
Fortunately I'm currently not in the situation where I need to revive my phone, but I was wondering the same when reading tutorials about this topic. In those tutorials they always use 3 files (as you have stated): the mbn, the rawprogram and the patch file. In one of the links you have posted, the question about the last 2 files is raised:

Zuke Beug said:
where rawprogram0.xml and patch0.xml for msm8940?

which is answered

gadgetsdoctor said:
All file is mbn file …not qcn file. that’s why you can’t find rawprog.xml

I am not sure if I understand the answer correctly: Are the rawprogram and the patch files not needed since an mbn file is used? Then why do the tutorials always require the triplet?
 

shaitan667

Senior Member
Aug 28, 2008
78
7
i9100
I found some of these for sale for low prices, so purchased three of them due to the success I had last time using the GrapheneOS web installer bootloader unlock.

However this time round I haven't had any success :(

I'll keep scouring the net and researching, will post here with any relevant findings.

If anyone has anything they would like me to try, please let me know. The more people working on getting these back to normal functioning states the better.

 

David B.

Senior Member
Mar 25, 2016
325
66
Happy to do so if instructions can be provided on how to extract the firmware
I think if you use the GrapheneOS installer tool you mentioned here to unlock the bootloader, you should be able to do it. I would suggest trying to use the GrapheneOS tool to unlock the bootloader (don't do anything else with it though). After that, I would suggest live booting TWRP using `fastboot boot YourTwrpImage.img` (don't flash it to the phone's recovery partition since you won't be able to get the ArcaneOS recovery back if you do!).

After that, try using the instructions here under the "This is How to Make Complete / Full BACKUP with TWRP" to take a backup of the phone. I believe those instructions would also include the recovery image in the backup, but it would still be a good idea to explicitly take one in case I am wrong; the instructions for explicitly taking a backup of the recovery are available in the terminal commands here.

After doing all that, reboot into ArcaneOS and copy the images you made off the SD card to your computer! Anyone who wants to then try ArcaneOS on their devices should be able to write the images to their device as long as it is the same phone and give ArcaneOS a try for themselves!

Needless to say, without having an ArcaneOS to try this on, I cannot promise that any of this would actually work, but it's worth a shot! One other thing I should mention here is that using this method to save off a copy of the image would retain any encryption on the device if any was used, so you would want to make sure that any passcodes you use on the device would be something that you are comfortable with sharing.

Additionally, it would be a good idea to share the commands that you used for taking the backup images. Output from the `dd` utility which is used for this can be passed through gzip for example to compress it further, but as a result, anyone who wants to use the image would need to know that so they can decompress it.
 

Top Liked Posts

  • 1
    any idea to boot in edl mode
    Power off, disconnect phone.
    Press and hold volume + and -
    Now connect phone, hold buttons till your PC beeps a second time. Phone display should stay black/off. In device management on PC you should see the phone.
    1
    No way to turn on developer mode or enable OEM unlocking. Anybody got this to work?
  • 4
    Ok... sorry for the delay. Yes, I can confirm the speculation going around... I accidentally bought an AN0M phone. And yes, I was fortunate enough to sell it again (and got most of my money back)... to a reporter at vice.com. And, BTW, I have bought myself another Pixel 4a... this time it is working properly.

    Some background points before I finally figured out exactly what I had in my possession...
    - Being unable to unlock/reset this phone, I started looking at my firewall logs to see what activity this phone was generating. I noticed the following:
    - regular HTTPS requests to arcane.one. I couldn't find anything useful on or about that site.
    - occasional HTTPS requests to time.grapheneos.org. This leads me to believe that ArcaneOS might be forked from GrapheneOS.
    - intermittent HTTPS requests to anom.one. I couldn't find anything useful on or about that site, however the word anom led me to discover the joint FBI/AFP operation that had just hit the news a few days earlier.
    - Now suspecting I had an An0m phone, I checked the calculator app... and yes, it loaded straight into the AN0M logon screen.
    - At this point, I panicked and thought I could get into trouble if this device was being tracked... so I rang the police and described my situation. They said to take it to my local police station. I called my local station (being in a small rural town, it is usually unmanned) and was advised to contact the AFP (Australia Federal Police), since it was their operation to begin with.
    - I called the AFP, explained again what had happened. The nice lady I spoke to confirmed that their activity with Operation Ironside had just finished and that, yes, they had supplied such phones to some of their informants. I left them my contact details and the details of the Gumtree seller who I purchased this phone from. I was hoping that maybe he would be a person of interest to the AFP, and that I would get some measure of payback for him scamming me in the first place.
    - I waited a week, the AFP did not call back... so I sold the phone to vice.com, who had already contacted me about this thread.
    - It occurs to me now why "ArcaneOS" was practically unheard of in the googleverse (until a few weeks ago). This was a state sponsored development and, of course, it was in the best interest of law enforcement authorities to keep the normally open-source Android code hidden to prevent this phone being tinkered with and the true purpose of this OS and app being discovered.

    To everyone that helped and suggested ideas to restore this phone to normal... thank you. Although nothing we tried worked in the end, I still appreciate the community assistance here.

    To everyone that has contacted me directly to ask how to fix their Pixel phone... sorry, I cannot help you.

    I suspect it would still be possible to restore this phone... you'd just need to know the right commands to do it. By that I mean, I assume the developers probably changed the normal fastboot commands to some other arbitrary words; something that would allow them to test, develop and repeatedly re-flash their phones, yet prevent us from doing likewise.

    EDIT: I've added a photo of the AN0M logon screen. I did not see this originally and the calculator app was not available when I took my original set of photos... at that time I had recently done a factory reset on the phone. However, after some time a message popped up saying that Calculator was "Updated by your admin"... which seemed strange to me at the time, as this was not supposed to be a managed device.
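
The firewall-log check described in the post above, as an added example that is not part of the original thread: it groups connections to the three hostnames the poster reported by source device, matching exact names and subdomains but not lookalikes. The log format, sample lines, addresses and function names are assumptions constructed for illustration; only the hostnames come from the post.

```python
import re
from collections import defaultdict

# Hostnames the poster reported in firewall logs from the ArcaneOS phone.
STRONG = {"arcane.one", "anom.one"}   # specific to ArcaneOS / AN0M per the post
CONTEXT = {"time.grapheneos.org"}     # alone only hints at a GrapheneOS-derived build

# Assumed log format, constructed for this example (not any product's format):
#   <timestamp> <src_ip> -> <dst_host>:<port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)\s+(?P<action>\w+)$"
)

def match_indicator(host, indicators):
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None

def triage(lines):
    """Group indicator hits by source IP and give each device a verdict."""
    seen = defaultdict(lambda: {"indicators": set(), "count": 0, "strong": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than guess
        strong = match_indicator(m["host"], STRONG)
        hit = strong or match_indicator(m["host"], CONTEXT)
        if hit:
            dev = seen[m["src"]]
            dev["indicators"].add(hit)
            dev["count"] += 1
            dev["strong"] = dev["strong"] or strong is not None
    return {
        src: {"verdict": "flag" if d["strong"] else "review",
              "indicators": sorted(d["indicators"]), "count": d["count"]}
        for src, d in seen.items()
    }

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
2021-06-10T08:00:01Z 192.168.1.23 -> arcane.one:443 ALLOW
2021-06-10T08:05:12Z 192.168.1.23 -> time.grapheneos.org:443 ALLOW
2021-06-10T08:17:40Z 192.168.1.23 -> anom.one:443 ALLOW
2021-06-10T08:20:00Z 192.168.1.40 -> time.grapheneos.org:443 ALLOW
2021-06-10T08:21:09Z 192.168.1.51 -> notanom.one:443 ALLOW
2021-06-10T08:22:30Z 192.168.1.51 -> anom.one.example.com:443 ALLOW
""".splitlines()

if __name__ == "__main__":
    for src, result in sorted(triage(SAMPLE_LOG).items()):
        print(src, result)
```

A device that only contacts the time host gets `review` rather than `flag`, since that hostname by itself does not distinguish ArcaneOS from other GrapheneOS-derived builds.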
    4
    If anyone else gets a phone running ArcaneOS, send me a message :)

    Also, you're famous, OP: https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor

    3
    I recently purchased a used Pixel 4a, and I now understand why the seller was offering such a good price for it and why he refuses to respond to me now that I have it. This phone has ArcaneOS 10 installed, which has only 3 apps installed... Settings, Clock and Calculator. There is no Play Store app, no Phone app, nothing.

    The only useful reference to ArcaneOS I can find in the Googleverse is this one... https://translate.google.com.au/tra...rueck-flashen.973774.html&prev=search&pto=aue where the OP describes his troubles with a Pixel 3. Through the rough translation, I see similar issues... can't enable developer mode, can't unlock bootloader, can't sideload apps.

    Some random observations about this phone/OS...
    - The phone is in good condition. I used the supplied pin code to unlock it and did a factory reset. Have done basic config with my Google Account, etc.
    - In Settings > About Phone - the build number is not shown. I cannot tap on the build number 7 times to enable Developer Mode. I have tried tapping everything in About Phone 7+ times, but I have not been able to enable Developer Mode.
    - When the phone powers on, the first thing shown is a message like "Your device is loading a different operating system".
    - The installed OS is ArcaneOS 10. The system updater says that ArcaneOS 11 is available for download (but I don't want to do that in case it makes this thing even harder to fix).
    - I tried sideloading open_gapps and a random developer shortcut app I found, but I can't seem to get them to load.

    I'm no expert at this, so I've tried various commands that I found and got some of these results...
    (note: some details, esp. path names, have been edited for brevity)

    ```
    >adb devices
    List of devices attached
    09241JEC228869 sideload
    >adb shell
    error: closed
    >adb sideload open_gapps-arm64-10.0-stock-20210518.zip
    adb: sideload connection failed: no devices/emulators found
    adb: trying pre-KitKat sideload method...
    adb: pre-KitKat sideload connection failed: no devices/emulators found
    >adb sideload "by4a.setedit22_2018.10.31-18_minAPI11(arm64-v8a,armeabi-v7a,x86,x86_64)(nodpi)_apkmirror.com.apk"
    serving: 'by4a.setedit22_2018.10.31-18_minAPI11(arm64-v8a,armeabi-v7a,x86,x86_64)(nodpi)_apkmirror.com.apk' (~47%)
    adb: failed to read command: No error
    >adb shell settings put global development_settings_enabled 1
    error: closed
    >adb root
    adb: unable to connect for root: closed
    >adb shell
    error: closed
    ```

    ```
    >fastboot --version
    fastboot version 31.0.2-7242960
    >fastboot devices
    09241JEC228869 fastboot
    >fastboot flash bootloader sunfish-rq2a.210505.002\bootloader-sunfish-s5-0.3-7062598.img
    Sending 'bootloader' (8357 KB) FAILED (remote: 'Download is not allowed on locked devices')
    fastboot: error: Command failed
    >fastboot flashing unlock
    FAILED (remote: 'Unrecognized command flashing unlock')
    fastboot: error: Command failed
    ```

    Any suggestions on how to unlock this device? Then I can flash it and restore it back to stock.

    Thanks

    PS. Please do not say "tap build number 7 times to enable Developer Mode/options". If you believe this is the solution, please re-read this post, and the linked/German post, then describe a different way of doing that task that doesn't rely on the build number being visible.
    3
    Thank you for everyone's help with the unusual phone. I am no longer in possession of it and, for the time being, am unable to provide further details. I do have an interesting update to share, however I have made a commitment to keep this quiet for the time being. Once I have approval to tell you what I have recently learnt, I will...
    2
    Looks like you had an "Anom Phone"


    Might now be able to sell it for triple the price due to novelty