Topics

Try this.  The download links seem to work (I am not knowledgable on any of this)... https://web.archive.org/web/20200406195436/http://files.nwwn.com/android/pro1/factory.html

Well, the problem is, that the bootloader is locked. Therefore the files sent to the device can't be written. e.g. QX1000_user_20200825231445_dd49dd0dd1>fastboot flash mdtpsecapp_a mdtpsecapp.mbn Warning: skip copying mdtpsecapp_a image avb footer (mdtpsecapp_a partition size: 0, mdtpsecapp_a image size: 1078864). Sending 'mdtpsecapp_a' (1053 KB) OKAY [ 0.030s] Writing 'mdtpsecapp_a' FAILED (remote: 'Flashing is not allowed in Lock State') fastboot: error: Command failed Manually unlocking it, isn't also allowed: QX1000_user_20200825231445_dd49dd0dd1>fastboot flashing unlock FAILED (remote: 'Flashing Unlock is not allowed ') fastboot: error: Command failed   The device got flashed with a wrong image file. Now it's required to dive a little bit deeper into it.   There was this thread by the user "tdm": http://community.fxtec.com/topic/2559-factory-restore-tool/   Seems to be exactly what I'm searching for but nearly everything in this thread and his linked website are down.   Possibly this edl tool could work, too: https://github.com/bkerler/edl Mentioned here in the PosrmarketOS wiki it should have the firehose binary for the device but I can't find a specific one in the repo: https://wiki.postmarketos.org/wiki/F(x)tec_Pro1X_(fxtec-qx1050)/Hacking Only the generic qualcomm/factory/sdm835...   I can get the device into 0x900E but not 0x9008. Therefore it should be semi-bricked and must be opened by me...   EDIT: I was able to dump the memory with the edl tool:   edl | Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2025. edl | main - Trying with no loader given ... edl | main - Waiting for the device edl | main - Device detected :) edl | sahara - Protocol version: 2, Version supported: 1 edl | main - Mode detected: sahara edl | Device is in memory dump mode, dumping memory edl | Reading 64-Bit partition from 0x85e9b480 with length of 0x6c0 edl | OCIMEM.BIN(OCIMEM): Offset 0x14680000, Length 0x40000, SavePref 0x1 edl | CODERAM.BIN(RPM Code RAM region): Offset 0x200000, Length 0x28000, SavePref 0x1 edl | DATARAM.BIN(RPM Data RAM region): Offset 0x290000, Length 0x14000, SavePref 0x1 edl | MSGRAM.BIN(RPM MSG RAM region): Offset 0x778000, Length 0x7000, SavePref 0x1 edl | KMSG.txt(KMSG region): Offset 0xac17e00c, Length 0x3fff4, SavePref 0x1 edl | device_info.txt(device info region): Offset 0xac1ff00c, Length 0xff4, SavePref 0x1 edl | PMSG.bin(PMSG region): Offset 0xac1bf00c, Length 0x3fff4, SavePref 0x1 edl | IPA_IRAM.BIN(IPA IRAM region): Offset 0x1e60000, Length 0x4000, SavePref 0x1 edl | IPA_DRAM.BIN(IPA DRAM region): Offset 0x1e64000, Length 0x3f00, SavePref 0x1 edl | IPA_SRAM.BIN(IPA SRAM region): Offset 0x1e47000, Length 0x2000, SavePref 0x1 edl | IPA_HRAM.BIN(IPA HRAM region): Offset 0x1e4a000, Length 0x9f00, SavePref 0x1 edl | IPA_MBOX.BIN(IPA MBOX region): Offset 0x1e72000, Length 0x100, SavePref 0x1 edl | IPA_UCS.BIN(IPA UCS region): Offset 0x1e08000, Length 0x4000, SavePref 0x1 edl | IPA_DICT.BIN(IPA DICT region): Offset 0x1e5c000, Length 0x3000, SavePref 0x1 edl | IPA_GSI1.BIN(IPA GSI1 region): Offset 0x1e04000, Length 0x4000, SavePref 0x1 edl | PMIC_PON.BIN(Pmic PON stat): Offset 0x85e9bc98, Length 0x8, SavePref 0x1 edl | PMON_HIS.BIN(PM PON HIST ): Offset 0x85e9bca0, Length 0xd4, SavePref 0x1 edl | RST_STAT.BIN(Reset Status Region): Offset 0x85e9bc88, Length 0x4, SavePref 0x1 edl | RST_STAT2.BIN(Reset Status #2): Offset 0x85e9bc8c, Length 0x8, SavePref 0x1 edl | DDR_DATA.BIN(DDR Training Data): Offset 0x85e98a68, Length 0x2000, SavePref 0x1 edl | PIMEM.BIN(PIMEM region): Offset 0x1c000000, Length 0x400000, SavePref 0x1 edl | PART_BIN.BIN(Part Bin info): Offset 0x85e9bc80, Length 0x8, SavePref 0x1 edl | DDRCS0_0.BIN( DDR CS0 part0 Memo): Offset 0x40000000, Length 0x80000000, SavePref 0x1 edl | DDRCS0_1.BIN( DDR CS0 part1 Memo): Offset 0xc0000000, Length 0x40000000, SavePref 0x1 edl | DDRCS1_0.BIN( DDR CS1 part0 Memo): Offset 0x100000000, Length 0x80000000, SavePref 0x1 edl | DDRCS1_1.BIN( DDR CS1 part1 Memo): Offset 0x180000000, Length 0x40000000, SavePref 0x1 edl | load.cmm(CMM Script): Offset 0x85e9aa70, Length 0x7e4, SavePref 0x2 edl | Dumping OCIMEM.BIN(OCIMEM) at 0x14680000, length 0x40000 Progress: |██████████████████████████████████████████████████| 100.0% Complete Progress: |██████████████████████████████████████████████████| 100.0% Complete ...   So the device gets detected but the problem persists that I can't get into 9008 mode. I've opened the device and tried to short DP (D+) and GND (see the attached image) before plugging in the phone.   Unfortunetely, that doesn't do the trick. Still:   lsusb Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 002: ID 05c6:900e Qualcomm, Inc. QUSB__BULK Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub   Any ideas?

I use fastboot for flashing pro1/QX1000 just fine. Why does it not work for yours? I have no idea on the edl file. Will check if I got one downloaded somewhere, but i doubt it. 

Yes, I already tried them but most of them are for flashing with fastboot and that's no oppurtunity for this device. The required files (firehose_progammer.edl) are missing. Maybe I could use a Firehose file from a different device which uses the same CPU (SD835)?

Have you tried following the guide linked by my initial post pinned in here?