
[PROJECT] Real Unbrick for hard-bricked Moto Z Play (addison)

Bobernator

Welcome everyone!

This project has started because we need a real solution for the problem: the problem of hard-bricked Moto devices. It is like a curse.
When my device bricked I did solid research, I gathered a lot of information and files essential to revive my cellphone, but 5 years' experience of Linux, rooting, compiling kernels and ROMs weren't enough to make it work.

But never mind. I am even more determined and I am asking ALL of you guys here to help me. Together we will come to a solution.
Here is what I got, happy reading :cool: :


DICTIONARY:
PBL - Primary bootloader of the chip - this is like a BIOS for the phone: it checks the chip for damage and problems and then tries to load the SBL, but if the SBL is corrupted or the checksum doesn't match, the PBL invokes Qualcomm HS-USB QDLoader 9008 emergency mode. The PBL is hard-flashed into the SoC and can't be corrupted by firmware.
SBL - Second stage bootloader, which is more advanced than the PBL. It initializes the phone hardware and ABOOT.
ABOOT - Application bootloader (HBOOT). You probably know this one well. Android bootloader.

Full mmcblk0 backup - Backup of the whole phone flash storage, byte for byte.
blankflash - method of repairing MSM phones in 9008 state
programmer.mbn - Special type of software programmer that is sent to the chip in Qualcomm 9008 emergency mode. There it communicates with the PC via the firehose protocol. Each phone has a set of its own programmers; they are unique to the phone and other programmers don't work. These programmers are signed, so tampering with one results in a non-working one.

firehose protocol - it is used to tell the programmer what operations it must do on the chip.
singleimage.bin - this package contains instructions for the programmer and the set of files it needs (for example to replace)
gpt_main0.bin - Partition layout
rawprogram0.xml - instructions for programmer
patch0.xml - I don't know yet

STAR.exe - Application for managing and editing the contents of singleimage.bin, aka blankflash files
QPST - Flash tool from Qualcomm. Its basic function is to handle blank-flashing in a better way; it also allows in-depth debugging of the process
Qualcomm Premium Tool - Program made by Mppg Myanmar that is capable of unlocking the bootloader, OEM locks, making backup/restore of chip firmware, handling blank-flashing in a VERY specific way (creating instructions for the programmer), reading eMMC structure from firmware (can generate a GPT layout, so very useful!!!), modifying FW and removing a Xiaomi account. It also contains ALL programmers


for more:
https://forum.xda-developers.com/android/general/info-android-device-partitions-basic-t3586565
https://alephsecurity.com/
https://github.com/alephsecurity/firehorse
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick


INFO:
1. What causes the brick
I bet 100$ that you hard-bricked your Moto Z Play by installing OTA updates after downgrading firmware. This is the only known reason for me at the time of writing this. There is a most probable reason why it happens, look:

There are two most common chips on which smartphones are built - Qualcomm and Mediatek. While Mediatek chips are "modification friendly" and simple, Qualcomm chips are somewhat more advanced and have many features that can be enabled or disabled during programming in the factory. One of them is PBL signature checking. During programming of your phone, proper signatures of the SBL are written to it. When someone tries to override the default SBL with a new one, its checksums are compared with those stored. If they match, the new one is flashed; if not, then the update does not happen.

Ok, but what does it have to do with the brick?!
I explain:
1. You decide to downgrade your firmware
2. During flashing, everything goes "well" (phone boots), but truly the update is partial:
The FW in the chip is (obviously) more recent than the one you downgrade to, and the SBL signature is different (updated), so when it is compared to the signature of the SBL from the FW you want to flash, it doesn't match. That doesn't raise an error and flashing continues. The only partition that stays untouched is the bootloader, but all other partitions get replaced by those in the FW zip. The SBL is still compatible with the new partition offsets and partition layout overall, so the phone functions normally.
3. When the OTA is executed, it checks the version of the currently installed firmware. The most reliable way to do it is to check the checksum of the SBL, which is pretty logical because its checksum is like a "fingerprint" of the firmware. Normally, if it detected the old firmware, the OTA would be stopped, but the newer SBL tricks it and the OTA installs anyway.

4. Results are horrible, because the OTA does not check the GPT table and flashes partitions into bad sectors, corrupting the FW.
This causes the bootloader to go into Qualcomm HS-USB QDLoader 9008 safe mode.

5. Voila! Hard brick!


2. How to fix it?
That is a jolly good question! What we have to do is reflash the full chip firmware. Surprisingly I see some solutions, but those need to be developed:

A) SD-BOOT

It turns out that our fancy chip can probably boot from an SD card! The procedure works like this:
- When the chip starts, one of the very first things it does is loading the memory, so it can actually work. The trick is that the chip loads it from a specific disk, marked with an exact name (I don't remember which, but I will do research). A specially prepared SD card can appear with that name, so the chip boots from it, not from internal memory. (This trick is proved to work on this model)

How to do it?

- Get a full dd of a working phone - it must be a phone with the SAME chip and very likely the same model
- flash it to an SD card of 32GB or more, class 10 speed or higher, directly to the card, not a partition
- put the card in the phone, turn it on and wait
- you should see HBOOT
- select fastboot and flash new FW via it
- voila!

!!!THIS IS COMPLICATED PROCEDURE, I WILL MAKE DETAILED THREAD SOON, BUT FOLLOW IT ONLY IF YOU KNOW WHAT ARE YOU DOING!!!

B) FIREHOSE/SAHARA ATTACK
This could be achieved by sending a payload via the Firehose programmer that would allow breaking verification of the SBL or somehow allow the SBL to be flashed. Now, the PBL blocks attempts to update the SBL. I have a thesis that it is because the PBL does not allow an SBL downgrade, so its version must be higher, but we try to flash the same version of the SBL so it doesn't work. That thesis needs confirmation.

C) CRAFT BLANKFLASH
This would be last resort. It will work for sure, but this method needs knowledge and I don't know if it is doable.

STEP 1: Get white-listed blankflash checksums from OTA (we would need to reverse engineer those)
STEP 2: Break hash
STEP 3: Craft blankflash with needed hash
STEP 4: Flash

NEVER USE BLANKFLASH (ATTENTION!)
DO NOT try any blankflash files. They can make the situation a lot worse and even physically (!) damage your phone.

D) JTAG

Medusa Box etc.

E) Qualcomm Premium Tool

This can even work, but it is untested and there is a slight chance that it can worsen the state of the phone (needs confirming).
The tool is very advanced and I need to gather info about usage, so it is very probably a good solution if we learn how to use it!

F) METHOD 7

Interesting method from this guy: (7th option, I have contacted him to ask if it is compatible)
https://github.com/aravindvnair99/Motorola-Moto-E-XT1022-condor-unbrick/blob/master/Unbrick%20methods.md


3. DOWNLOAD
(Links will be added *soon*)


XDA:DevDB Information
Unbrick Development for Moto Z Play (addison) Full-Brick, Tool/Utility for the Moto Z Play

Contributors
Bobernator, Stayn, Artim_96, Camarda

Version Information
Status: Nightly

Created 2019-05-04
Last Updated 2019-05-14

Stayn

I really hope we can get a fully working detailed method to unbrick this device, I'll follow this project and try to help what I can, my phone isn't bricked but I think that an unbrick guide is absolutely necessary.

By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had an LG G3 and got it hard-bricked and my PC would recognize it as "Qualcomm HS-USB QDLoader 9008" too; using the Board Diag method I got to erase the eMMC completely and flash each partition manually, and that got it back to life again. Of course there's a requirement and it's the AP Chipset files. I don't know if you already tried, so you tell me :)

Bobernator

I really hope we can get a fully working detailed method to unbrick this device, I'll follow this project and try to help what I can, my phone isn't bricked but I think that an unbrick guide is absolutely necessary.

By the way, did you try the Qualcomm Board Diag method? Before the Moto Z Play I had an LG G3 and got it hard-bricked and my PC would recognize it as "Qualcomm HS-USB QDLoader 9008" too; using the Board Diag method I got to erase the eMMC completely and flash each partition manually, and that got it back to life again. Of course there's a requirement and it's the AP Chipset files. I don't know if you already tried, so you tell me :)
Hi! Really nice to read that :). I didn't try it but I will check it out in a while. Sorry for not responding immediately, but this will change from now: I have the XDA app so I stay updated.

Bobernator

Have you seen this post? There's apparently a new Oreo blankflash https://forum.xda-developers.com/showpost.php?p=79514510&postcount=419
Website is legit, sounds like something good, but I will byte-compare it to the other blankflashes in my collection. Maybe it will worsen the state of my device, but I will try it.

Ps. I am working on a download section!!!

EDIT: DO NOT TRY IT YET. As you can see in the link, this was uploaded 2 days ago. The post is 1 day old, so this is suspicious as hell.
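Added example (not code from this thread, nor from STAR, QPST or any Qualcomm/Motorola tool): a Python script that audits a blankflash package before anyone runs it, using the two files the opening post's dictionary defines, gpt_main0.bin (partition layout) and rawprogram0.xml (the programmer's write instructions). It parses the GPT, lists every write the programmer would perform, flags writes whose sectors disagree with the GPT partition of the same name (the wrong-sector flash the opening post blames for the brick), flags writes to the modemst1/modemst2/fsg partitions that hold the radio data discussed later in the thread, and hashes the package files so two blankflashes can be byte-compared as this post intends. The GPT image, the XML and the partition offsets are constructed for the example, not taken from a real addison package, and the parser assumes the sector attributes are plain integers.

```python
"""Audit a blankflash package before running it (added example, not code
from this thread or from any Qualcomm/Motorola tool).  Inputs are the files
the opening post defines: gpt_main0.bin (GPT image, header at LBA 1) and
rawprogram0.xml (programmer write instructions).  Sample data is constructed."""
import hashlib
import struct
import uuid
import xml.etree.ElementTree as ET

SECTOR = 512
# partitions that hold radio calibration / IMEI data, per the thread
SENSITIVE = {"modemst1", "modemst2", "fsg"}


def build_sample_gpt(parts):
    """Construct a minimal GPT image: blank protective MBR at LBA 0, header at
    LBA 1, 32 entries of 128 bytes from LBA 2.  Only fields parse_gpt reads are set."""
    entries = b""
    for name, first, last in parts:
        entries += uuid.uuid4().bytes + uuid.uuid4().bytes      # type GUID, unique GUID
        entries += struct.pack("<QQQ", first, last, 0)          # first LBA, last LBA, attrs
        entries += name.encode("utf-16-le").ljust(72, b"\0")    # 36 UTF-16LE chars
    entries = entries.ljust(32 * 128, b"\0")
    header = bytearray(SECTOR)
    header[0:8] = b"EFI PART"
    struct.pack_into("<II", header, 8, 0x00010000, 92)          # revision, header size
    struct.pack_into("<Q", header, 72, 2)                       # LBA of entry array
    struct.pack_into("<II", header, 80, 32, 128)                # entry count, entry size
    return b"\0" * SECTOR + bytes(header) + entries


def parse_gpt(image):
    """Return {partition name: (first_lba, last_lba)} from a GPT image."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entry_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    layout = {}
    for i in range(count):
        off = entry_lba * SECTOR + i * size
        ent = image[off:off + size]
        if len(ent) < size or ent[:16] == b"\0" * 16:   # truncated or unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\0")
        layout[name] = (first, last)
    return layout


def parse_rawprogram(xml_text):
    """Return [(label, filename, start_sector, num_sectors)] from rawprogram0.xml.
    Assumption for this example: the sector attributes are plain integers."""
    root = ET.fromstring(xml_text)
    return [(p.get("label"), p.get("filename"),
             int(p.get("start_sector")), int(p.get("num_partition_sectors")))
            for p in root.iter("program") if p.get("filename")]


def audit(layout, programs):
    """Return (label, kind, detail) findings; an empty list means every write lands
    inside the GPT partition of the same name and touches no radio data."""
    findings = []
    for label, fname, start, num in programs:
        end = start + num - 1
        if start == 0:
            findings.append((label, "gpt", f"{fname} rewrites the partition table at LBA 0"))
            continue
        if label in SENSITIVE:
            findings.append((label, "sensitive", "holds radio/IMEI data, back it up first"))
        if label not in layout:
            findings.append((label, "unknown", "no partition of that name in the GPT"))
            continue
        first, last = layout[label]
        if start != first or end > last:
            findings.append((label, "mismatch",
                             f"writes LBA {start}-{end} but GPT places it at {first}-{last}"))
    return findings


def compare_packages(pkg_a, pkg_b):
    """Names of files whose sha256 differs between two packages, or exist in only one."""
    ha = {n: hashlib.sha256(d).hexdigest() for n, d in pkg_a.items()}
    hb = {n: hashlib.sha256(d).hexdigest() for n, d in pkg_b.items()}
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))


# Constructed sample: a layout plus an XML whose boot entry still carries a stale
# offset from an older layout, the wrong-sector write the opening post describes.
SAMPLE_PARTS = [("sbl1", 34, 1057), ("modemst1", 1058, 4129), ("modemst2", 4130, 7201),
                ("fsg", 7202, 10273), ("boot", 10274, 141345)]
SAMPLE_GPT = build_sample_gpt(SAMPLE_PARTS)
SAMPLE_RAWPROGRAM = """<?xml version="1.0" ?>
<data>
  <program SECTOR_SIZE_IN_BYTES="512" filename="gpt_main0.bin" label="PrimaryGPT"
           num_partition_sectors="34" physical_partition_number="0" start_sector="0"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="sbl1.mbn" label="sbl1"
           num_partition_sectors="1024" physical_partition_number="0" start_sector="34"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="modemst1.bin" label="modemst1"
           num_partition_sectors="3072" physical_partition_number="0" start_sector="1058"/>
  <program SECTOR_SIZE_IN_BYTES="512" filename="boot.img" label="boot"
           num_partition_sectors="131072" physical_partition_number="0" start_sector="8226"/>
</data>"""

if __name__ == "__main__":
    for label, kind, detail in audit(parse_gpt(SAMPLE_GPT), parse_rawprogram(SAMPLE_RAWPROGRAM)):
        print(f"[{kind}] {label}: {detail}")
```

Run as a script it reports the sample's three findings (the GPT rewrite, the modemst1 write, and the boot image landing at the wrong sectors). For a real package, read gpt_main0.bin with open(..., "rb") and rawprogram0.xml as text, pass them to parse_gpt and parse_rawprogram, and feed the image files of two packages as {name: bytes} dicts to compare_packages; anything that shows up as a mismatch or an unknown label is a reason not to flash.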

echo92

Website is legit, sounds like something good, but I will byte-compare it to the other blankflashes in my collection. Maybe it will worsen the state of my device, but I will try it.

Ps. I am working on a download section!!!

EDIT: DO NOT TRY IT YET. As you can see in the link, this was uploaded 2 days ago. The post is 1 day old, so this is suspicious as hell.
I understand the reason to be suspicious, since there's also no way to verify the origin of this blankflash. Also, is there a OPNS27.76-12-22-10 firmware? I thought OPNS27.76-12-22-9 was the last build?

Bobernator

That blankflash looks like it worked - seems your device is in fastboot mode despite the photo angle.
Yes, it worked! But do not make a mistake: after you flash the blankflash, do not flash the full firmware. Instead flash only recovery - TWRP - and make a backup of the modemst1, modemst2 and FSG partitions, so you can revert your IMEI. After that, full-flash the Android 8 FW.

echo92

Yes, it worked! But do not make a mistake: after you flash the blankflash, do not flash the full firmware. Instead flash only recovery - TWRP - and make a backup of the modemst1, modemst2 and FSG partitions, so you can revert your IMEI. After that, full-flash the Android 8 FW.
Can you see your recovery partition with the dummy bootloader from the blankflash? Do you have to flash the GPT/bootloader from firmware first?

Stayn

Well, this is nuts @Bobernator, I'm really happy we have an unbrick method.

If MTP is still working, you can flash the file I attached to this post to automatically back up the required partitions. This can also be helpful in case anyone wants a full IMEI backup. Also, I tried this step:

fastboot flash fsg mmcblk0p29_fsg_backup
fastboot flash modemst1 mmcblk0p27_modemst1_backup
fastboot flash modemst2 mmcblk0p28_modemst2_backup
and it gives me "permission denied" when flashing modemst1 and modemst2. I think we should flash the modem NON-HLOS.bin and erase modemst1 and modemst2; if you agree, I'll update the zip I made to back up NON-HLOS.bin instead of modemst1 and modemst2 :)

echo92

Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuild the modemst files...

Stayn

Quick question, is it worth mentioning only to perform steps 12 and 13 (flashing your FSG and modemst backups) if your device has no signal/IMEI issues after flashing the Oreo firmware? Just wondering since the firmware flash and subsequent boot may correctly rebuild the modemst files...
I don't know for sure, but a backup is always recommended, and more so if it is the IMEI. Then you can flash all partitions and, before restoring the backup, boot into the system and check for yourself if you're getting signal and it's working... :good:

echo92

I don't know for sure, but a backup is always recommended, and more so if it is the IMEI. Then you can flash all partitions and, before restoring the backup, boot into the system and check for yourself if you're getting signal and it's working... :good:
Yup, an IMEI backup is always useful :) Just wanted to ask since it's not pointed out in the opening post's guide to check your IMEI/signal before committing to step 12/13. If it's working, no need for those two steps!

Bobernator

@echo92 I forgot about IMEI totally so I can't tell you, but I can't confirm that it's safe to flash gpt and bootloader from the OREO fw (8.0). I did it this way and everything is working. Even OTA updates to the most recent without problems! Here are the proofs (language is "Polish" if you want to translate):

Bobernator

Well, this is nuts @Bobernator, I'm really happy we have an unbrick method.

If MTP is still working, you can flash the file I attached to this post to automatically back up the required partitions. This can also be helpful in case anyone wants a full IMEI backup. Also, I tried this step:

and it gives me "permission denied" when flashing modemst1 and modemst2. I think we should flash the modem NON-HLOS.bin and erase modemst1 and modemst2; if you agree, I'll update the zip I made to back up NON-HLOS.bin instead of modemst1 and modemst2 :)
I really appreciate this! Thanks!

If you update your ZIP, I will attach it to the project today, and I will try to find a solution for you, because it looks like you can't restore IMEI now (correct me if I am wrong)

Stayn

I really appreciate this! Thanks!

If you update your ZIP, I will attach it to the project today, and I will try to find a solution for you, because it looks like you can't restore IMEI now (correct me if I am wrong)
Don't worry about the IMEI, I got it again after flashing my fsg backup, modem and erasing modemst1 and modemst2. Now the problem is that on every ROM I get a popup every time: "com.android.phone" has stopped, till I remove the SIM card. What could this be? This isn't my main phone so I'm not worried at all, but this could happen to someone else

Takx

Hello Guys,

I have the exact same problem. It all started with a changed screen that stopped working after the update to 8, so I downgraded to 7 and the touch was back; then it started doing the OTA updates and I (dumb enough) accepted it, and now I have a bricked device.

***EDIT***

Now I could get access to the bootloader again. The blankflash worked, but it had a catch: if I just executed the bat, it would not work. I had to open a CMD with admin rights, go to the folder and run the bat from there.

***EDIT 2***

So I restored the bootloader, and it booted just like before it was corrupted. Now it keeps asking for an update, and I disabled it in the "Developer Menu"; is that enough? I will not play with updates on this device anymore; Android 7.1.1 with 2017 security updates will do.

***EDIT 3***

Now I have a mobile network problem: it does recognize the SIM chip, but won't get network access. I didn't back up before doing the blankflash, but it was not showing on the system before either (because of the downgrade from 8 to 6, and then the upgrade to 7). Is there a way to recover it or fix this "no network registration possible"?