Sonim XP8 (Root?)

Search This thread

PsyberEMT

Senior Member
Jan 19, 2007
150
20
Atlanta
Has anyone managed to capture the XP8 Android 10 update from Verizon? I recently picked up an unlocked AT&T branded XP8. Works fine with my VZW SIM, APNs are correct. Apparently AT&T loaded a proprietary software update application and it isn't hitting VZW's update server to get their latest update.
 
  • Like
Reactions: portsample

joshnet3

Member
Apr 9, 2021
8
0
Has anyone managed to capture the XP8 Android 10 update from Verizon? I recently picked up an unlocked AT&T branded XP8. Works fine with my VZW SIM, APNs are correct. Apparently AT&T loaded a proprietary software update application and it isn't hitting VZW's update server to get their latest update.
Maybe we can help each other? I have a Verizon XP8 with the Android 10 update. I've run into a problem however in that I can't seem to pull the ROM off it to have access to the boot.img to root it. I tried the EDM method with QSaharaServer but my computer says that it cannot execute the program because it is invalid. I downloaded it from the link in this forum unless something had changed. I would be more than happy to provide the ROM to you if I could just get it off the phone myself. If you know how to walk me through that to make it happen or help me trouble shoot, it's all yours!
 

PsyberEMT

Senior Member
Jan 19, 2007
150
20
Atlanta
Maybe we can help each other? I have a Verizon XP8 with the Android 10 update. I've run into a problem however in that I can't seem to pull the ROM off it to have access to the boot.img to root it. I tried the EDM method with QSaharaServer but my computer says that it cannot execute the program because it is invalid. I downloaded it from the link in this forum unless something had changed. I would be more than happy to provide the ROM to you if I could just get it off the phone myself. If you know how to walk me through that to make it happen or help me trouble shoot, it's all yours!

Sure! I sent you a PM.
 
Jan 18, 2016
15
2
sim unlocked

1.Install Sonim XP8 Software update tool
2.Copy testlogin.txt to main program directory
3. Add following entry to hosts file
sonimexperiance.com 127.0.0.1
4. Launch app and login with Username 1 Password 1

testlogin.txt

{"status":"success","message":"1 successfully logged in","name":"1","activetabs":["sim_lock","download_tool","qcn_backup_restore"],"carriers":["00"],"multi_carrier":true,"phone_model":["8A"],"edl_user":"Yes","emc":"Yes","carrier_list":{"00":"Generic","10":"AT&T","11":"Bell","12":"Telus","13":"Sasktel","14":"Harris","15":"Verizon","16":"Ecom","17":"NAM","18":"Rogers","19":"T-Mobile","20":"EU Generic","21":"MSI","22":"CISCO","23":"NAM Public Safety","24":"Vodafone Global","25":"Orange","26":"Southern Linc","27":"OPTIO","28":"India","29":"SPRINT","30":"JVCK","31":"AUSTRALIA","32":"ACG","33":"CSPHIRE","34":"US-Cellular","multi_carrier":"Multi Carrier"}}
is it sonimexperience or experiance?
 

joshnet3

Member
Apr 9, 2021
8
0
Let me know if you have any success with that, the magisk method doesnt quite work on my telus android 10 either. The boot img would be boot_a.img?
I had success with Magisk root. Ended up using command line to pull boot.img's although Qfil also pulled images and then loaded them back up. My biggest issue was the QSaharaServer fail which did not occur if I loaded it within seconds of plugging the phone in in EDL mode. Wait longer and it will fail every time. Magisk had no issues.
 

PsyberEMT

Senior Member
Jan 19, 2007
150
20
Atlanta
For those who lost their IMEI and baseband as a result of flashing...were you ever able to get it back?

I took backups before flashing but inadvertently overwrote that backup with another after flashing a VZW Android 10 backup, hosing my modem and losing IMEI / baseband. Was able to get wifi back by returning to the ATT 8.1 image, but IMEI is toast.
 

otbtechoutlet

New member
May 12, 2021
4
0
Anyone have a fix for this issue after flashing? It says "Encryption Unsuccessful: Encryption was unsuccessful and can't complete..." and reboots itself.

It had a bootloop error to begin with.
 

SpectralUA

Member
Sep 21, 2010
12
1

otbtechoutlet

You may factory reset via recovery. Format data\cache then system will reencrypt.


Anyone can share xp8 qcn from Sprint unit? Tried from firmwares posted, but have "no sim, null imei" error. Original one losted with incorrect flashing, have no backup.
Also need dump of Android 10 updated phone. Im outside of US so unable to pull network upgrade.
If anyone can share the data please respond. I can get the binary from your phone myself if you agree. It will be enough to connect the phone to the PC, press a couple of buttons and give me access. No confidential information will be collected or leaked, i am only interested in firmware\system files from Sonim.
 

otbtechoutlet

New member
May 12, 2021
4
0

otbtechoutlet

You may factory reset via recovery. Format data\cache then system will reencrypt.


Anyone can share xp8 qcn from Sprint unit? Tried from firmwares posted, but have "no sim, null imei" error. Original one losted with incorrect flashing, have no backup.
Also need dump of Android 10 updated phone. Im outside of US so unable to pull network upgrade.
If anyone can share the data please respond. I can get the binary from your phone myself if you agree. It will be enough to connect the phone to the PC, press a couple of buttons and give me access. No confidential information will be collected or leaked, i am only interested in firmware\system files from Sonim.

I tried this but the phone booted up with the same result. There was no option to format data\cache. I've tried installing TWRP by flashing the modfified boot file earlier in this thread but the phone did not accept it. Is the phone bricked for good?
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Has anyone managed to capture the XP8 Android 10 update from Verizon? I recently picked up an unlocked AT&T branded XP8. Works fine with my VZW SIM, APNs are correct. Apparently AT&T loaded a proprietary software update application and it isn't hitting VZW's update server to get their latest update.
  • 6
    Enjoy!

    XP8 Android Root Theory - DEBUG or Magisk over EDL
    EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.

    One option is flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
    or
    Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.

    Recommend method ..
    It's up to you.. If you want OTA updates and your planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only however future availability of updated Debug images cannot be guaranteed.

    Disclaimer
    -Devices with locked bootloaders will display a custom OS warning at boot
    -Tested on AT&T branded devices only - please provide system dump for validation on other builds
    -I have not identified any JTAG procedures and I can not help if you hard brick your device!
    -This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
    -Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!

    Magisk Root

    Step 1 - Pull Boot.img
    We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
    1. Create an XML file with the data below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot to EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Backup boot.img using the following command
    Code:
    fh_loader.exe  --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset
    Or visit the XP8 carrier firmware thread for full system backup steps.
    https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6

    Step 2 - Magisk Patch
    1. ADB push boot.img /storage/self/primary/Download/
    2. Install Magisk Manager and apply patch to boot.img
    2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
    2b. Extract and run adb install magisk.apk
    2c. Open Magisk app and apply patch to boot.img
    3. ADB pull /storage/self/primary/Download/magisk_patched.img

    Step 3 - Restore
    1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot back into EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Apply magisk_patched.img using the following command
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset

    USERDEBUG Flash

    Step 1 - Backup
    1. Boot to EDL mode and load firehose programmer
    2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
    Example: GPTConsole 19
    3. Initiate backup
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset
    4. Wipe all partitions
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0  --memoryname=emmc --noprompt --reset
    5. Restore new image
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
    // rawprogram0_unsparse.xml for some images

    Images and OTA Files

    Full 8.1 System Image
    XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
    XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00

    USERDEBUG Images
    XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
    XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
    XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
    (ATT 7.1 pending upload. Please check back or use other links available further in thread.)

    OTA Updates
    XP8_ATT_user_N10.01.75-O10.49.00
    XP8_ATT_user_O10.49.00-O10.54.00
    XP8_TEL_user_N12.00.24-O12.23.00

    Flash Tools - programmer (elf) file provided by eleotk!
    XP8 Drivers

    Firmware Carrier Codes
    Code:
        None = 0,
        ATT = 10
        Bell = 11
        Telus = 12
        Sasktel = 13
        Harris = 14
        Verizon = 15
        Ecom = 16
        NAM = 17
        Rogers = 18
        T_Mobile = 19
        EU_Generic = 20
        MSI = 21
        CISCO = 22
        NAM_Public_Safety = 23
        Vodafone_Global = 24
        Orange = 25
        Southern_Linc = 26
        OPTIO = 27
        India = 28
        SPRINT = 29
        JVCK = 30
        AUS = 31
        ACG = 32
        CSPIRE = 33
        USC = 34
        SB = 35
        Multi = 99

    Automatic OTA without AT&T service:
    Purchase a blank AT&T SIM card ($5)
    Start online prepaid activation - complete pages 1 & 2
    **SIM Card is now partially active without funding - do not complete page 3 (payment)***
    *#*#368378#*#* > Clear UI > Check for updates in settings

    XP5s
    Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
    Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse however the cursor does not seem to invoke in-app tap's.

    Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
    3
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Sonim XP8 is officially Rooted with TWRP
    replace downloaded boot.img with your boot.img in firmware folder from the link below
    tested on android 7x-8x USERDEBUG builds.
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    =======================================================================
    Bugs -
    cant flash system.img
    wipe/format data wipes phone completely
    ive tested both functions its the way this phone is setup its pretty weird.

    =======================================================================
    Updates -
    will be working on figuring out how to build a custom OS
    any help would be greatly appreciated

    =======================================================================
    NEW LINK with sonim flash tool , boot.img , magisk , and no verity
    I dont ! take any credit for the mentioned applications just the
    TWRP port
    ==========
    Thank you to all who kept this thread in motion lets keep it going !!
    ========================================================================
    ADB -
    adb reboot
    bootloader - takes you to fastboot where you can select recovery mode
    adb reboot
    edl - takes you to flash mode.
    adb reboot recovery doesnt work !
    ========================================================================


    NEW LINK - GDRIVE
    3
    Hey guys, been a while and I'm glad to share some updates with the community!

    Main post here has been updated according to the progress made in the previous posts. Much thanks to everyone for providing early debug images, files, and knowledge!

    Updates
    - Torrent file hosting moved to Android FIle Host
    - Current 8.1.0 AT&T Debug image uploaded
    - 8.1.0 Debug image verified to retain dm-verity! At least on current AT&T builds.
    - Additional factory images uploaded
    - All basic flash tools, elf files, drivers, and GPTConsole executable uploaded
    - More images will be uploaded in the following days. Ran out of time to upload everything tonight.

    Full Android File Host Repository - Here

    We continue to welcome new images for the file collection.
    2
    ATT XP8 backup, rooting, and wifi hotspot

    Rooted an ATT (carrier unlocked) Sonim XP8 this afternoon and enabled wifi hotspot on the device. Below are notes. These are compiled mostly from XDA posts by Smokeyou. Kudos for his efforts and posts. Thanks also to Sergsinger for his PDA forum posts .Wifi hotspot adjustment by RJGlenn. Feel free to PM me with corrections, additions, and clarifications. This is a work in progress

    Instructions below assume lap/desktop OS is recent MS Windows.
    Pre-install:
    1.) Download and install "Flash Tools" from https://androidfilehost.com/?fid=4349826312261641937
    This compressed archive contains,
    fh_loader.exe GPTConsole.exe prog_emmc_firehose_8920.mbn
    prog_emmc_ufs_firehose_Sdm660_ddr.elf
    QC.QMSLPhone.dll
    QMSL_MSVC10R.dll
    QSaharaServer.exe
    SubSysSwDownload.DLL
    Download the FlashTools archive and unpack it to C:\ drive.

    2.) Download Android Debug Bridge (ADB) from here, https://developer.android.com/studio/releases/platform-tools.
    Install ADB on your desktop. Update Windows PATH, (life is short).

    3.) Download and install QDLoader HS-USB Driver.zip from here, https://androidfilehost.com/?fid=24459283995295983
    In the installation menu, always click "Next" and do not select anything else. Reboot your PC.

    4.) Download and install "XP8 drivers" from here, https://www.androidfilehost.com/?fid=4349826312261641909

    5.) Secure copies of Magisk.zip and MagiskManager.apk for installation on Android device. Website is https://github.com/topjohnwu/Magisk

    6.) On your Sonim XP8 handset, enable developer settings and,
    -allow OEM (bootloader) unlocking,
    -allow USB debugging,
    -allow verify apps over USB, and
    -download and install Root Browser Classic (JRummy apps).

    PHASE I.) BACKUP YOUR ROM-
    1.) Put the smartphone in EDL (Emergency Download) mode. Phone can be put into EDL manually by turning it off, then hold down both Volume buttons and press the Power button: Sonim will appear, then screen will go blank. Phone is now in EDL mode. Another option is via ADB. Open a command prompt window by right-clicking in an empty space while holding the Shift key on the keyboard, then select "open command window here" type in, "adb reboot edl". Connect the phone to the PC, the phone will be identified as " Qualcomm HS-USB QDLoader 9008" in the Device Manager, under Ports (COM and LPT). Remember the port number (COM) displayed here to which the phone is connected. This is very important.

    2. Create a backup. In the unpacked FlashTools folder, on an empty space, right-click while holding the Shift key on the keyboard and select "open command window here". Execute the following commands:
    2a.) "QSaharaServer.exe -p \\. \ COM<X> -s 13: prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    <X> is the port number your phone is connected to, becomes COM1 or COM2 (hard brackets go away)

    2b.) Create a backup XML file named "backup.xml". This grabs much of the ROM for a backup. Contents of this .xml are:
    <?xml version="1.0"?>
    <!--NOTE: This is an ** Autogenerated file **-->
    <!--NOTE: Sector size is 512bytes-->
    <data>
    <program start_sector="24286840" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="abl_a" filename="abl_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24288888" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="abl_b" filename="abl_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="131072" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="7168" label="xbl_a" filename="xbl_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="138240" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="7168" label="xbl_b" filename="xbl_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="145408" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="tz_a" filename="tz_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="153600" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="tz_b" filename="tz_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="161792" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="rpm_a" filename="rpm_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="162816" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="rpm_b" filename="rpm_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="163840" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="hyp_a" filename="hyp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="164864" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="hyp_b" filename="hyp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="165888" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="pmic_a" filename="pmic_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="166912" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="pmic_b" filename="pmic_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24294024" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="66848" label="splash" filename="splash.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23592960" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="keymaster_a" filename="keymaster_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23595008" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="keymaster_b" filename="keymaster_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23597056" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib_a" filename="cmnlib_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23599104" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib64_a" filename="cmnlib64_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23601152" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib_b" filename="cmnlib_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23603200" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib64_b" filename="cmnlib64_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23605248" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="mdtpsecapp_a" filename="mdtpsecapp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23613440" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="mdtpsecapp_b" filename="mdtpsecapp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23621632" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="65536" label="mdtp_a" filename="mdtp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23687168" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="65536" label="mdtp_b" filename="mdtp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23752704" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="225280" label="modem_a" filename="modem_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23977984" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="225280" label="modem_b" filename="modem_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="393216" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_b" filename="boot_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24718360" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="devcfg_a" filename="devcfg_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24720408" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="devcfg_b" filename="devcfg_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="524288" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8388608" label="system_a" filename="system_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="8912896" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8388608" label="system_b" filename="system_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="21495808" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1048576" label="oem_a" filename="oem_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="22544384" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1048576" label="oem_b" filename="oem_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="17301504" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2097152" label="vendor_a" filename="vendor_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="19398656" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2097152" label="vendor_b" filename="vendor_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    2c.) Enter this in a terminal window to create the backup, "fh_loader.exe --convertprogram2read --port=\\.\COM<X> --sendxml=backup.xml" .
    <X> is the port number your phone is connected to, becomes COM1 or COM2 (hard brackets go away).
    Note: To restore the backup, execute the commands: "QSaharaServer.exe -p \\. \ COM<X> -s 13: prog_emmc_ufs_firehose_Sdm660_ddr.elf",
    and "fh_loader.exe --port = \\. \ COM <X> --sendxml = Backup.xml"
    Remember <X> is the port number,to which your phone is connected!

    PHASE II.) ESTABLISHING ROOT. This is done via MagiskManager and boot patching.
    1.) Pull Boot.img. We need a copy of the stock boot image for MagiskManager to patch. It's also good to keep a backup copy of the stock boot image on hand should you need to restore for any reason.
    1a.) Create an XML file named "bootbackup.xml" in C:\FlashTools using below code. This will create a backup of boot_a from the Sonim XP8 and save it as "backup_boot.img" in C:\FlashTools.

    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="backup_boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    1b.) Boot to EDL mode using methods in Phase I, step 1. Remember the COM port in use. Run the following commands.
    A) Load the firehose programmer, "QSaharaServer.exe -p \\.\COM<X> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    Remember <X> is the port number,to which your phone is connected.
    B) Run the bootbackup.xml file to create backup_boot.img in C:\FlashTools using the following command.
    "fh_loader.exe --convertprogram2read --port=\\.\COM<X> --sendxml=bootbackup.xml --lun=0 --memoryname=emmc --noprompt --reset"

    2.) Magisk Manager and boot patch
    2a.) Transfer "backup_boot.img" to /downloads on the device. MagiskManager will access it here and modify it.
    Do this by using Android Debug Bridge (ADB) thus: "adb push C:\FlashTools\backup_boot.img /storage/self/primary/Download/". Note device is NOT in EDL mode.
    2b.) On the handset, install magiskmanager.apk. Do this either via ADB, or put the .apk file on the device sdcard, browse to it using RootBrowser, and install.
    2c.) Open MagiskManager application, follow presented instructions and apply patch to backup_boot.img in device /downloads directory.
    2d.) Run, "ADB pull /storage/self/primary/Download/magisk_patched.img". File should be in whatever directory command was called from (C:\FlashTools\magisk_patched.img).

    3.) Apply patched boot.img to device operating system by pushing a copy of magisk_patched.img to the device and overwriting boot_a with it as follows,
    3a.) Create an XML file named "magiskoverwrite.xml"
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    3b.) Boot back into EDL mode and load firehose programmer, "QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    3c.) Apply magisk_patched.img using the following command, "fh_loader.exe --port=\\.\COM<#> --sendxml=magiskoverwrite.xml --lun=0 --memoryname=emmc --noprompt --reset"

    Post install notes: Phone asked for password upon reboot following completion of step 3. Screenlock pin did not resolve this.
    Did factory reset. Reinstalling MagiskManager.apk from copy on device sdcard, followed by "install" in the application, granted root privileges.

    Phase III.) ENABLING WIFI HOTSPOT.
    1.) Download and install Root Browser Classic (JRummy apps). Open Root Browser Classic and browse to /system/build.prop. Open with a text editor. Scroll down to "#property to enable entitlement check". Change att.service.entitlement= from "true" to "false". Below this add "net.tethering.noprovisioning=true". Hit save. Close the text editor, then reboot the phone.
    2
    Enjoy!

    XP8 Android Root Theory - DEBUG or Magisk over EDL
    EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.

    One option is flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
    or
    Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.

    Recommend method ..
    It's up to you.. If you want OTA updates and your planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only however future availability of updated Debug images cannot be guaranteed.

    Disclaimer
    -Devices with locked bootloaders will display a custom OS warning at boot
    -Tested on AT&T branded devices only - please provide system dump for validation on other builds
    -I have not identified any JTAG procedures and I can not help if you hard brick your device!
    -This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
    -Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!

    Magisk Root

    Step 1 - Pull Boot.img
    We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
    1. Create an XML file with the data below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot to EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Backup boot.img using the following command
    Code:
    fh_loader.exe  --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset
    Or visit the XP8 carrier firmware thread for full system backup steps.
    https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6

    Step 2 - Magisk Patch
    1. ADB push boot.img /storage/self/primary/Download/
    2. Install Magisk Manager and apply patch to boot.img
    2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
    2b. Extract and run adb install magisk.apk
    2c. Open Magisk app and apply patch to boot.img
    3. ADB pull /storage/self/primary/Download/magisk_patched.img

    Step 3 - Restore
    1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot back into EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Apply magisk_patched.img using the following command
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset

    USERDEBUG Flash

    Step 1 - Backup
    1. Boot to EDL mode and load firehose programmer
    2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
    Example: GPTConsole 19
    3. Initiate backup
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset
    4. Wipe all partitions
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0  --memoryname=emmc --noprompt --reset
    5. Restore new image
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
    // rawprogram0_unsparse.xml for some images

    Images and OTA Files

    Full 8.1 System Image
    XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
    XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00

    USERDEBUG Images
    XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
    XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
    XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
    (ATT 7.1 pending upload. Please check back or use other links available further in thread.)

    OTA Updates
    XP8_ATT_user_N10.01.75-O10.49.00
    XP8_ATT_user_O10.49.00-O10.54.00
    XP8_TEL_user_N12.00.24-O12.23.00

    Flash Tools - programmer (elf) file provided by eleotk!
    XP8 Drivers

    Firmware Carrier Codes
    Code:
        None = 0,
        ATT = 10
        Bell = 11
        Telus = 12
        Sasktel = 13
        Harris = 14
        Verizon = 15
        Ecom = 16
        NAM = 17
        Rogers = 18
        T_Mobile = 19
        EU_Generic = 20
        MSI = 21
        CISCO = 22
        NAM_Public_Safety = 23
        Vodafone_Global = 24
        Orange = 25
        Southern_Linc = 26
        OPTIO = 27
        India = 28
        SPRINT = 29
        JVCK = 30
        AUS = 31
        ACG = 32
        CSPIRE = 33
        USC = 34
        SB = 35
        Multi = 99

    Automatic OTA without AT&T service:
    Purchase a blank AT&T SIM card ($5)
    Start online prepaid activation - complete pages 1 & 2
    **SIM Card is now partially active without funding - do not complete page 3 (payment)***
    *#*#368378#*#* > Clear UI > Check for updates in settings

    XP5s
    Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
    Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse however the cursor does not seem to invoke in-app tap's.

    Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
    Good morning everyone took me days to figure out how to flash this device with a userdebug build I have created a TWRP recovery with magisk patched built in from port tutorials on youtube ported from a nokia 7 8.1 build it works the only thing is partitions aren't fully mapped out I'm no developer more of a tinkerer I can upload the boot image I find it easier to flash with the sonim XP8 tool the goal was to create a recovery and change the boot image as I do on most of my devices it boots TWRP we have a working TWRP just needs some tlc anyone up for the task ? We are one step closer to a custom rom I can also upload a video for proof currently on ATT user debug build from the android file host backup
Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone