Sonim XP8 (Root?)

glhydroco

Member
Oct 19, 2020
33
3
Fastboot?? There is no fastboot in the link that I sent. Xombiex uses fastboot for his method, but you do not need fastboot; you can use QFIL with PowerShell, which is how the link that I sent does it.
 

glhydroco

Member
Oct 19, 2020
33
3
First you open QFIL, then select flat build with the right programmer 660 file; this is in the flashtools files. Then, with the partition manager open in QFIL, you open PowerShell where you want the backup saved and type in the commands ...

--port=\\.\COM8 --search_path=D:\path\to\your\dump --convertprogram2read --sendimage=full_dump.bin --start_sector=0 --lun=0 --num_sectors=122142687 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
 

glhydroco

Member
Oct 19, 2020
33
3
replacing COM8 with your active com port

you can remove the "--search_path=D:\path\to\your\dump" if you loaded the powershell from where you want the backup to be saved.

Then wait for the process to complete

You can use 7-Zip archiver to open this dump and extract any partition you want.
 

Xombiex

Senior Member
Jan 29, 2022
56
18
35
Many thanks for your fast answer and your work!

I'm eager to get my hands on the Android 10 firmware!
For working dual SIM you need unbranded firmware like the European one; the American version does not work and sometimes there is no signal. Even if the phone is unlocked, it has a bug on signal.
 

enderwap_and

Member
Nov 28, 2022
17
6
With the help of Xombiex, I've tried many, many times to find a proper combination for ATT phones. What I have found so far (btw, I even paid some money for some image from Europe). So, let's start:
- if you have a Sonim XP8 ATT unlocked and you flash and also write modemst1, modemst2 and fsg you are.... [email protected]#ked. Why? Because the best that you can achieve is Android 8.1 with both SIMs working and APN tethering. This setup is ACHIEVED ONLY by using the SONIM 8.1 archive from Xombiex (it is actually an archive from Russia with manipulated baseband). To go even deeper, actually, you need from that archive only the baseband (which I have the feeling is patched - the files that you need are modem_a and modem_b). Writing these partitions on any 8.1 image will achieve network signal. If you use the 8.1 image from Xombiex you will also achieve dual SIM. BUT these modem files - version: MPSS.AT.2.3.c8-1.137255.1.138439.1-GEN-180420-1925 - will not allow you to upgrade to Android 10 (if your image is OTA enabled, then the OTA is downloaded on the phone and fails on install).
If you have Android 10 and modify modem_a and modem_b with the Xombiex version, then the phone will not start (EDL is the way to recover).
So, as a conclusion - any other modem file is not going to show you signal. You will see maybe 2 SIMs but no signal. I have the funny feeling that somehow, when you overwrite the modemst1, st2 and fsg you lose the unlock. Since the lock requires the baseband to send the prompt to insert the unlock code, the new baseband maybe cannot handle this (maybe it was customized for ATT?).
Also, with Xombiex modem a and b there is a drawback in dual SIM configuration: if SIM one is active in LTE/UMTS/GSM (Europe), then SIM 2 will see ONLY GSM and UMTS but only US bands. In Europe, there are few operators that use GSM and UMTS 2G/3G bands.
Also, THERE IS NO WAY BACK if you flashed modemst1 and modemst2. Even a QCN backup seems to be skipping this flag for unlock.
Now, if you get ahold of an image from EU for Global SONIM and you are on ATT, proceed with caution. NEVER flash modemst1, modemst2 and fsg! I am following some forum on 4pda - Russia and I know that the guys found a way to "homebrew" an image of Android 10 with "patched baseband" BUT they are not sharing it. Only with money and only in Russia face2face. Apparently, there is a big business in Russia and they are having an "exclusive" service to unlock dual SIM on ATT phones with Android 10 (trust me, I tried even to buy it only for me, no way).

So, this is my experience with an ATT that I messed up big time. Currently I am having 8.1 with dual SIM (living in Europe the second SIM is.... sort of used due to band restriction).
Also, please note that I have tried the following:
- QCN restore from a similar phone (btw, if somebody has an ATT phone unlocked with 8.1 - original, single SIM, please share modemst1, modemst2, fsg, and a full QCN backup...- if I succeed in upgrading to 10 I will share my findings here)
- for the second SIM band issue - I've tried the *#....4636. code and selected different combinations / bands, etc. Nothing worked.
- I even played with EFS explorer, QPST software programming different bands - no luck.

So, as a conclusion and hint for others that like to "poke around" - modem a and modem b from the Xombiex Russian image seem to be patched but limited to Android 8.1. Dual SIM full functionality and APN enabled is controlled by Android itself and here it seems that the most clean version (of ATT ****) is still the Russian version shared by Xombiex.

Cheers mates and happy debugging. I am tired, so for now, I am going to enjoy my phone :)
 

portsample

Senior Member
May 13, 2009
116
33
Your hard work and research is highly appreciated. Thanks for posting.
 

glhydroco

Member
Oct 19, 2020
33
3
Also note with this Dual Sim 8.1 Wifi calling does not work with ATT sim card.
 

Top Liked Posts

  • 2

    if you have chimera just restore
    1
    Tomorrow upload modify firmware ,i'm back from fuxk..ING omicron so i'm fine now
  • 6
    Enjoy!

    XP8 Android Root Theory - DEBUG or Magisk over EDL
    EDL is a must since Fastboot cannot be unlocked initially from standard "user" builds.

    One option is flash a userdebug image (below) allowing for adb root, fastboot unlocking, and other useful features.
    or
    Without unlocking the bootloader - Similar flashing methods remain valid when standard magisk powered root is desired. This method allows preservation of all current system data aside from boot.img. All is covered since Magisk works with AVB and we have EDL as a flashing alternative. Please see Android Boot Flow > LOCKED Devices with Custom Root of Trust for more information.

    Recommended method ..
    It's up to you.. If you want OTA updates and you're planning to use root apps then go with Magisk. As of today we have current debug images available and I personally prefer isolated adb root access only; however, future availability of updated debug images cannot be guaranteed.

    Disclaimer
    -Devices with locked bootloaders will display a custom OS warning at boot
    -Tested on AT&T branded devices only - please provide system dump for validation on other builds
    -I have not identified any JTAG procedures and I can not help if you hard brick your device!
    -This guide only touches boot_a and should be relatively safe since boot_b remains unmodified. I'm pretty sure this is enough to restore the original boot.img to boot_a under a failure scenario.. But I'm not really qualified enough to say definitively either.
    -Take great caution - this is raw emmc access and critical system data! You are proceeding at your own risk!

    Magisk Root

    Step 1 - Pull Boot.img
    We need to pull the boot.img in order to feed it to magisk later for patching. It's also good to keep on hand for if/when you need to restore for any reason.
    1. Create an XML file with the data below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot to EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Backup boot.img using the following command
    Code:
    fh_loader.exe  --convertprogram2read --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset
    Or visit the XP8 carrier firmware thread for full system backup steps.
    https://forum.xda-developers.com/showpost.php?p=80465045&postcount=6

    Step 2 - Magisk Patch
    1. ADB push boot.img /storage/self/primary/Download/
    2. Install Magisk Manager and apply patch to boot.img
    2a. Download from https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445
    2b. Extract and run adb install magisk.apk
    2c. Open Magisk app and apply patch to boot.img
    3. ADB pull /storage/self/primary/Download/magisk_patched.img

    Step 3 - Restore
    1. Change the filename attribute in the XML to reflect newly created magisk_patched.img as shown below
    Code:
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>
    2. Boot back into EDL mode and load firehose programmer
    Code:
    QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf
    3. Apply magisk_patched.img using the following command
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=<xmlfile.xml> --lun=0  --memoryname=emmc --noprompt --reset

    USERDEBUG Flash

    Step 1 - Backup
    1. Boot to EDL mode and load firehose programmer
    2. Generate rawprogram0.xml - Run GPTConsole <COM Number>
    Example: GPTConsole 19
    3. Initiate backup
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset
    4. Wipe all partitions
    Code:
    fh_loader.exe --port=\\.\COM<#> --convertprogram2read --sendxml=erase.xml --lun=0  --memoryname=emmc --noprompt --reset
    5. Restore new image
    Code:
    fh_loader.exe --port=\\.\COM<#> --sendxml=rawprogram0.xml --lun=0  --memoryname=emmc --noprompt --reset --search_path=<extracted image file directory>
    // rawprogram0_unsparse.xml for some images

    Images and OTA Files

    Full 8.1 System Image
    XP8A_ATT_user_8A.0.5-11-8.1.0-10.54.00
    XP8A_ATT-user-8A.0.5-10-8.1.0-10.49.00

    USERDEBUG Images
    XP8A_ATT_userdebug_8A.0.5-11-8.1.0-10.54.00
    XP8A_ACG-userdebug-8A.0.0-00-7.1.1-32.00.12
    XP8A_USC-userdebug-8A.0.0-00-7.1.1-34.00.10
    (ATT 7.1 pending upload. Please check back or use other links available further in thread.)

    OTA Updates
    XP8_ATT_user_N10.01.75-O10.49.00
    XP8_ATT_user_O10.49.00-O10.54.00
    XP8_TEL_user_N12.00.24-O12.23.00

    Flash Tools - programmer (elf) file provided by eleotk!
    XP8 Drivers

    Firmware Carrier Codes
    Code:
        None = 0,
        ATT = 10
        Bell = 11
        Telus = 12
        Sasktel = 13
        Harris = 14
        Verizon = 15
        Ecom = 16
        NAM = 17
        Rogers = 18
        T_Mobile = 19
        EU_Generic = 20
        MSI = 21
        CISCO = 22
        NAM_Public_Safety = 23
        Vodafone_Global = 24
        Orange = 25
        Southern_Linc = 26
        OPTIO = 27
        India = 28
        SPRINT = 29
        JVCK = 30
        AUS = 31
        ACG = 32
        CSPIRE = 33
        USC = 34
        SB = 35
        Multi = 99

    Automatic OTA without AT&T service:
    Purchase a blank AT&T SIM card ($5)
    Start online prepaid activation - complete pages 1 & 2
    **SIM Card is now partially active without funding - do not complete page 3 (payment)***
    *#*#368378#*#* > Clear UI > Check for updates in settings

    XP5s
    Sprint Image: XP5SA.0.2-03-7.1.2-29.03.00
    Works the same. Tested with unmodified Sprint firmware. Like most other apps, the Magisk manager app is unusable since the XP5s has no touch screen - I had to patch the boot image on another device. You can plug in a USB mouse; however, the cursor does not seem to invoke in-app taps.

    Need to use the appropriate Firehose loader (prog_emmc_firehose_8920.mbn) and replace the boot image location according to the XP5s GPT (start_sector="790528").
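An added example, not part of the original post or of the Qualcomm tools: a Python check that can be run over a rawprogram-style XML before it is handed to fh_loader, plus a helper that carves one partition out of a whole-disk dump read from sector 0. The sample XML is constructed (the boot_a and boot_b sector values are the ones quoted in this thread; the swapped file names and the `example_overlap` entry are made up to trigger the checks), and numeric `start_sector` values are assumed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    label: str
    filename: str
    start: int        # first sector of the partition
    count: int        # partition length in sectors
    sector_size: int  # bytes per sector

    @property
    def end(self):
        return self.start + self.count

    @property
    def byte_offset(self):
        return self.start * self.sector_size

    @property
    def byte_length(self):
        return self.count * self.sector_size


def parse_rawprogram(xml_text):
    """Return the <program> entries of a rawprogram-style XML document."""
    root = ET.fromstring(xml_text.strip().encode())
    return [
        Entry(
            label=p.get("label", ""),
            filename=p.get("filename", ""),
            start=int(p.get("start_sector")),  # assumes plain integers
            count=int(p.get("num_partition_sectors")),
            sector_size=int(p.get("SECTOR_SIZE_IN_BYTES", "512")),
        )
        for p in root.iter("program")
    ]


def check_layout(entries, image_sizes=None):
    """Return a list of problems; an empty list means no check failed."""
    problems = []
    labels = {e.label for e in entries}
    for e in entries:
        # A file named after a *different* partition is almost always a slip
        # (e.g. boot_a.img listed under label boot_b).
        stem = e.filename.rsplit(".", 1)[0]
        if stem in labels and stem != e.label:
            problems.append(f"mismatch: label {e.label} uses file {e.filename}")
        # An image larger than its partition would spill into the next one.
        size = (image_sizes or {}).get(e.filename)
        if size is not None and size > e.byte_length:
            problems.append(
                f"too large: {e.filename} is {size} bytes, "
                f"{e.label} holds {e.byte_length}"
            )
    widest = None  # entry with the highest end sector seen so far
    for e in sorted(entries, key=lambda x: x.start):
        if widest is not None and e.start < widest.end:
            problems.append(f"overlap: {e.label} starts inside {widest.label}")
        if widest is None or e.end > widest.end:
            widest = e
    return problems


def carve(dump, entry, out, chunk=1 << 20):
    """Copy one partition from a whole-disk dump (sector 0 at offset 0)."""
    dump.seek(entry.byte_offset)
    remaining = entry.byte_length
    while remaining:
        block = dump.read(min(chunk, remaining))
        if not block:
            raise ValueError(
                f"dump ends {remaining} bytes before the end of {entry.label}"
            )
        out.write(block)
        remaining -= len(block)
    return entry.byte_length


# Constructed sample: file names swapped between slots, plus an overlapping entry.
SAMPLE_XML = """
<?xml version="1.0"?>
<data>
<program start_sector="262144" num_partition_sectors="131072" label="boot_a" filename="boot_b.img" SECTOR_SIZE_IN_BYTES="512"/>
<program start_sector="393216" num_partition_sectors="131072" label="boot_b" filename="boot_a.img" SECTOR_SIZE_IN_BYTES="512"/>
<program start_sector="393000" num_partition_sectors="1024" label="example_overlap" filename="example_overlap.img" SECTOR_SIZE_IN_BYTES="512"/>
</data>
"""

if __name__ == "__main__":
    for problem in check_layout(parse_rawprogram(SAMPLE_XML)):
        print(problem)
```
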
    4
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Sonim XP8 is officially Rooted with TWRP
    replace downloaded boot.img with your boot.img in firmware folder from the link below
    tested on android 7x-8x USERDEBUG builds.
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    =======================================================================
    Bugs -
    can't flash system.img
    wipe/format data wipes phone completely
    I've tested both functions; it's the way this phone is set up, it's pretty weird.

    =======================================================================
    Updates -
    will be working on figuring out how to build a custom OS
    any help would be greatly appreciated

    =======================================================================
    NEW LINK with sonim flash tool , boot.img , magisk , and no verity
    I dont ! take any credit for the mentioned applications just the
    TWRP port
    ==========
    Thank you to all who kept this thread in motion lets keep it going !!
    ========================================================================
    ADB -
    adb reboot bootloader - takes you to fastboot where you can select recovery mode
    adb reboot edl - takes you to flash mode.
    adb reboot recovery doesn't work!
    ========================================================================


    NEW LINK - GDRIVE
    3
    After flash some devices stuck on logo. Just make factory reset,any help can ask me
    3
    Hey guys, been a while and I'm glad to share some updates with the community!

    Main post here has been updated according to the progress made in the previous posts. Much thanks to everyone for providing early debug images, files, and knowledge!

    Updates
    - Torrent file hosting moved to Android File Host
    - Current 8.1.0 AT&T Debug image uploaded
    - 8.1.0 Debug image verified to retain dm-verity! At least on current AT&T builds.
    - Additional factory images uploaded
    - All basic flash tools, elf files, drivers, and GPTConsole executable uploaded
    - More images will be uploaded in the following days. Ran out of time to upload everything tonight.

    Full Android File Host Repository - Here

    We continue to welcome new images for the file collection.
    2
    ATT XP8 backup, rooting, and wifi hotspot

    Rooted an ATT (carrier unlocked) Sonim XP8 this afternoon and enabled wifi hotspot on the device. Below are notes. These are compiled mostly from XDA posts by Smokeyou. Kudos for his efforts and posts. Thanks also to Sergsinger for his PDA forum posts. Wifi hotspot adjustment by RJGlenn. Feel free to PM me with corrections, additions, and clarifications. This is a work in progress.

    Instructions below assume lap/desktop OS is recent MS Windows.
    Pre-install:
    1.) Download and install "Flash Tools" from https://androidfilehost.com/?fid=4349826312261641937
    This compressed archive contains:
    fh_loader.exe
    GPTConsole.exe
    prog_emmc_firehose_8920.mbn
    prog_emmc_ufs_firehose_Sdm660_ddr.elf
    QC.QMSLPhone.dll
    QMSL_MSVC10R.dll
    QSaharaServer.exe
    SubSysSwDownload.DLL
    Download the FlashTools archive and unpack it to C:\ drive.

    2.) Download Android Debug Bridge (ADB) from here, https://developer.android.com/studio/releases/platform-tools.
    Install ADB on your desktop. Update Windows PATH, (life is short).

    3.) Download and install QDLoader HS-USB Driver.zip from here, https://androidfilehost.com/?fid=24459283995295983
    In the installation menu, always click "Next" and do not select anything else. Reboot your PC.

    4.) Download and install "XP8 drivers" from here, https://www.androidfilehost.com/?fid=4349826312261641909

    5.) Secure copies of Magisk.zip and MagiskManager.apk for installation on Android device. Website is https://github.com/topjohnwu/Magisk

    6.) On your Sonim XP8 handset, enable developer settings and,
    -allow OEM (bootloader) unlocking,
    -allow USB debugging,
    -allow verify apps over USB, and
    -download and install Root Browser Classic (JRummy apps).

    PHASE I.) BACKUP YOUR ROM-
    1.) Put the smartphone in EDL (Emergency Download) mode. The phone can be put into EDL manually by turning it off, then holding down both Volume buttons and pressing the Power button: Sonim will appear, then the screen will go blank. The phone is now in EDL mode. Another option is via ADB. Open a command prompt window by right-clicking in an empty space while holding the Shift key on the keyboard, then select "open command window here" and type in "adb reboot edl". Connect the phone to the PC; the phone will be identified as "Qualcomm HS-USB QDLoader 9008" in the Device Manager, under Ports (COM and LPT). Remember the port number (COM) displayed here to which the phone is connected. This is very important.

    2. Create a backup. In the unpacked FlashTools folder, on an empty space, right-click while holding the Shift key on the keyboard and select "open command window here". Execute the following commands:
    2a.) "QSaharaServer.exe -p \\.\COM<X> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    <X> is the port number your phone is connected to, becomes COM1 or COM2 (hard brackets go away)

    2b.) Create a backup XML file named "backup.xml". This grabs much of the ROM for a backup. Contents of this .xml are:
    <?xml version="1.0"?>
    <!--NOTE: This is an ** Autogenerated file **-->
    <!--NOTE: Sector size is 512bytes-->
    <data>
    <program start_sector="24286840" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="abl_a" filename="abl_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24288888" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="abl_b" filename="abl_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="131072" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="7168" label="xbl_a" filename="xbl_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="138240" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="7168" label="xbl_b" filename="xbl_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="145408" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="tz_a" filename="tz_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="153600" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="tz_b" filename="tz_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="161792" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="rpm_a" filename="rpm_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="162816" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="rpm_b" filename="rpm_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="163840" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="hyp_a" filename="hyp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="164864" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="hyp_b" filename="hyp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="165888" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="pmic_a" filename="pmic_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="166912" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1024" label="pmic_b" filename="pmic_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24294024" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="66848" label="splash" filename="splash.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23592960" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="keymaster_a" filename="keymaster_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23595008" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="keymaster_b" filename="keymaster_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23597056" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib_a" filename="cmnlib_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23599104" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib64_a" filename="cmnlib64_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23601152" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib_b" filename="cmnlib_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23603200" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="cmnlib64_b" filename="cmnlib64_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23605248" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="mdtpsecapp_a" filename="mdtpsecapp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23613440" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8192" label="mdtpsecapp_b" filename="mdtpsecapp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23621632" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="65536" label="mdtp_a" filename="mdtp_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23687168" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="65536" label="mdtp_b" filename="mdtp_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23752704" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="225280" label="modem_a" filename="modem_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="23977984" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="225280" label="modem_b" filename="modem_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="393216" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_b" filename="boot_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="boot_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24718360" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="devcfg_a" filename="devcfg_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="24720408" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2048" label="devcfg_b" filename="devcfg_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="524288" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8388608" label="system_a" filename="system_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="8912896" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="8388608" label="system_b" filename="system_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="21495808" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1048576" label="oem_a" filename="oem_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="22544384" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="1048576" label="oem_b" filename="oem_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="17301504" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2097152" label="vendor_a" filename="vendor_a.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    <program start_sector="19398656" sparse="true" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="2097152" label="vendor_b" filename="vendor_b.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    2c.) Enter this in a terminal window to create the backup: "fh_loader.exe --convertprogram2read --port=\\.\COM<X> --sendxml=backup.xml".
    <X> is the port number your phone is connected to, so COM<X> becomes COM1 or COM2 (the hard brackets go away).
    Note: To restore the backup, execute the commands "QSaharaServer.exe -p \\.\COM<X> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    and "fh_loader.exe --port=\\.\COM<X> --sendxml=backup.xml".
    Remember, <X> is the port number to which your phone is connected!

    PHASE II.) ESTABLISHING ROOT. This is done via MagiskManager and boot patching.
    1.) Pull Boot.img. We need a copy of the stock boot image for MagiskManager to patch. It's also good to keep a backup copy of the stock boot image on hand should you need to restore for any reason.
    1a.) Create an XML file named "bootbackup.xml" in C:\FlashTools using below code. This will create a backup of boot_a from the Sonim XP8 and save it as "backup_boot.img" in C:\FlashTools.

    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="backup_boot.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    1b.) Boot to EDL mode using methods in Phase I, step 1. Remember the COM port in use. Run the following commands.
    A) Load the firehose programmer, "QSaharaServer.exe -p \\.\COM<X> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    Remember, <X> is the port number to which your phone is connected.
    B) Run the bootbackup.xml file to create backup_boot.img in C:\FlashTools using the following command.
    "fh_loader.exe --convertprogram2read --port=\\.\COM<X> --sendxml=bootbackup.xml --lun=0 --memoryname=emmc --noprompt --reset"

    2.) Magisk Manager and boot patch
    2a.) Transfer "backup_boot.img" to /downloads on the device. MagiskManager will access it here and modify it.
    Do this by using Android Debug Bridge (ADB) thus: "adb push C:\FlashTools\backup_boot.img /storage/self/primary/Download/". Note device is NOT in EDL mode.
    2b.) On the handset, install magiskmanager.apk. Do this either via ADB, or put the .apk file on the device sdcard, browse to it using RootBrowser, and install.
    2c.) Open MagiskManager application, follow presented instructions and apply patch to backup_boot.img in device /downloads directory.
    2d.) Run "adb pull /storage/self/primary/Download/magisk_patched.img". The file should be in whatever directory the command was called from (C:\FlashTools\magisk_patched.img).

    3.) Apply patched boot.img to device operating system by pushing a copy of magisk_patched.img to the device and overwriting boot_a with it as follows,
    3a.) Create an XML file named "magiskoverwrite.xml"
    <?xml version="1.0"?>
    <data>
    <program start_sector="262144" sparse="false" readbackverify="false" physical_partition_number="0" partofsingleimage="false" num_partition_sectors="131072" label="boot_a" filename="magisk_patched.img" file_sector_offset="0" SECTOR_SIZE_IN_BYTES="512"/>
    </data>

    3b.) Boot back into EDL mode and load firehose programmer, "QSaharaServer.exe -p \\.\COM<#> -s 13:prog_emmc_ufs_firehose_Sdm660_ddr.elf"
    3c.) Apply magisk_patched.img using the following command, "fh_loader.exe --port=\\.\COM<#> --sendxml=magiskoverwrite.xml --lun=0 --memoryname=emmc --noprompt --reset"

    Post install notes: Phone asked for password upon reboot following completion of step 3. Screenlock pin did not resolve this.
    Did factory reset. Reinstalling MagiskManager.apk from copy on device sdcard, followed by "install" in the application, granted root privileges.

    Phase III.) ENABLING WIFI HOTSPOT.
    1.) Download and install Root Browser Classic (JRummy apps). Open Root Browser Classic and browse to /system/build.prop. Open with a text editor. Scroll down to "#property to enable entitlement check". Change att.service.entitlement= from "true" to "false". Below this add "net.tethering.noprovisioning=true". Hit save. Close the text editor, then reboot the phone.
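A sanity check for the program XML files used in this guide, to run before handing one to fh_loader: it flags overlapping sector ranges, two entries that share one file name, and a file name that does not match its label. This is an added example, not part of the original post; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same <program> format as the guide's XML files.
SAMPLE_XML = """<?xml version="1.0"?>
<data>
<program start_sector="262144" num_partition_sectors="131072" label="boot_a" filename="boot_b.img" SECTOR_SIZE_IN_BYTES="512"/>
<program start_sector="393216" num_partition_sectors="131072" label="boot_b" filename="boot_b.img" SECTOR_SIZE_IN_BYTES="512"/>
<program start_sector="500000" num_partition_sectors="65536" label="mdtp_a" filename="mdtp_a.img" SECTOR_SIZE_IN_BYTES="512"/>
</data>"""

def parse_programs(xml_text):
    """Return one dict per <program> element, with the sector range as integers."""
    entries = []
    for p in ET.fromstring(xml_text).iter("program"):
        start = int(p.get("start_sector"))
        count = int(p.get("num_partition_sectors"))
        entries.append({"label": p.get("label"), "filename": p.get("filename"),
                        "start": start, "end": start + count,  # end is exclusive
                        "bytes": count * int(p.get("SECTOR_SIZE_IN_BYTES"))})
    return entries

def check_layout(entries, lun_sectors=None):
    """Return a list of (kind, ...) tuples describing problems in the layout."""
    problems, seen_files = [], {}
    for e in entries:
        # Advisory only: the file name is free-form, but a mismatch is easy to misread.
        if e["filename"].rsplit(".", 1)[0] != e["label"]:
            problems.append(("name_mismatch", e["label"], e["filename"]))
        # On a read, two entries with one file name means the second overwrites the first.
        if e["filename"] in seen_files:
            problems.append(("duplicate_file", seen_files[e["filename"]], e["label"]))
        seen_files.setdefault(e["filename"], e["label"])
        # Optional bound: total sectors on the LUN, if the caller knows it.
        if lun_sectors is not None and e["end"] > lun_sectors:
            problems.append(("past_end", e["label"], e["end"]))
    ordered = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] < a["end"]:  # next range begins before the previous one ends
            problems.append(("overlap", a["label"], b["label"]))
    return problems

if __name__ == "__main__":
    for problem in check_layout(parse_programs(SAMPLE_XML)):
        print(problem)
```

A name_mismatch result is expected for files such as bootbackup.xml, where boot_a is deliberately saved as backup_boot.img; overlap and duplicate_file results should be resolved before writing anything to the device.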