Searching for QX1000 Firehose


Hello guys,

I have a bricked QX1000 (Pro1) which I'm trying to reflash but I can't find any files regarding the flashing with QFIL. Would be a shame if it can't be done.

QFIL and Windows are not a must. Every method or opportunity would be helpful. The biggest problem seems to be to get the required files.

There is also this "Factory Restore Tool" which someone reuploaded last year but the image is missing. Therefore I'm not able to get further...

 

Thanks in advance,

Dattel

12 hours ago, EskeRahn said:

Have you tried following the guide linked by my initial post pinned in here? 

Yes, I already tried them but most of them are for flashing with fastboot and that's no opportunity for this device.

The required files (firehose_progammer.edl) are missing. Maybe I could use a Firehose file from a different device which uses the same CPU (SD835)?

Edited by dattel
8 hours ago, EskeRahn said:

I use fastboot for flashing pro1/QX1000 just fine. Why does it not work for yours?

I have no idea on the edl file. Will check if I got one downloaded somewhere, but I doubt it.

Well, the problem is that the bootloader is locked. Therefore the files sent to the device can't be written.

e.g.

QX1000_user_20200825231445_dd49dd0dd1>fastboot flash mdtpsecapp_a mdtpsecapp.mbn
Warning: skip copying mdtpsecapp_a image avb footer (mdtpsecapp_a partition size: 0, mdtpsecapp_a image size: 1078864).
Sending 'mdtpsecapp_a' (1053 KB)                   OKAY [  0.030s]
Writing 'mdtpsecapp_a'                             FAILED (remote: 'Flashing is not allowed in Lock State')
fastboot: error: Command failed

Manually unlocking it isn't allowed either:

QX1000_user_20200825231445_dd49dd0dd1>fastboot flashing unlock
FAILED (remote: 'Flashing Unlock is not allowed
')
fastboot: error: Command failed

 

The device got flashed with a wrong image file. Now it's required to dive a little bit deeper into it.

 

There was this thread by the user "tdm":
http://community.fxtec.com/topic/2559-factory-restore-tool/

 

Seems to be exactly what I'm searching for but nearly everything in this thread and his linked website are down.

 

Possibly this edl tool could work, too:
https://github.com/bkerler/edl

As mentioned here in the postmarketOS wiki, it should have the firehose binary for the device, but I can't find a specific one in the repo:

https://wiki.postmarketos.org/wiki/F(x)tec_Pro1X_(fxtec-qx1050)/Hacking

Only the generic qualcomm/factory/sdm835...

 

I can get the device into 0x900E but not 0x9008. Therefore it should be semi-bricked and must be opened by me...

 

EDIT:

I was able to dump the memory with the edl tool:
 

edl  | Qualcomm Sahara / Firehose Client V3.62 (c) B.Kerler 2018-2025.
edl  | main - Trying with no loader given ...
edl  | main - Waiting for the device
edl  | main - Device detected :)
edl  | sahara - Protocol version: 2, Version supported: 1
edl  | main - Mode detected: sahara
edl  | Device is in memory dump mode, dumping memory
edl  | Reading 64-Bit partition from 0x85e9b480 with length of 0x6c0
edl  | OCIMEM.BIN(OCIMEM): Offset 0x14680000, Length 0x40000, SavePref 0x1
edl  | CODERAM.BIN(RPM Code RAM region): Offset 0x200000, Length 0x28000, SavePref 0x1
edl  | DATARAM.BIN(RPM Data RAM region): Offset 0x290000, Length 0x14000, SavePref 0x1
edl  | MSGRAM.BIN(RPM MSG RAM region): Offset 0x778000, Length 0x7000, SavePref 0x1
edl  | KMSG.txt(KMSG region): Offset 0xac17e00c, Length 0x3fff4, SavePref 0x1
edl  | device_info.txt(device info region): Offset 0xac1ff00c, Length 0xff4, SavePref 0x1
edl  | PMSG.bin(PMSG region): Offset 0xac1bf00c, Length 0x3fff4, SavePref 0x1
edl  | IPA_IRAM.BIN(IPA IRAM region): Offset 0x1e60000, Length 0x4000, SavePref 0x1
edl  | IPA_DRAM.BIN(IPA DRAM region): Offset 0x1e64000, Length 0x3f00, SavePref 0x1
edl  | IPA_SRAM.BIN(IPA SRAM region): Offset 0x1e47000, Length 0x2000, SavePref 0x1
edl  | IPA_HRAM.BIN(IPA HRAM region): Offset 0x1e4a000, Length 0x9f00, SavePref 0x1
edl  | IPA_MBOX.BIN(IPA MBOX region): Offset 0x1e72000, Length 0x100, SavePref 0x1
edl  | IPA_UCS.BIN(IPA UCS region): Offset 0x1e08000, Length 0x4000, SavePref 0x1
edl  | IPA_DICT.BIN(IPA DICT region): Offset 0x1e5c000, Length 0x3000, SavePref 0x1
edl  | IPA_GSI1.BIN(IPA GSI1 region): Offset 0x1e04000, Length 0x4000, SavePref 0x1
edl  | PMIC_PON.BIN(Pmic PON stat): Offset 0x85e9bc98, Length 0x8, SavePref 0x1
edl  | PMON_HIS.BIN(PM PON HIST ): Offset 0x85e9bca0, Length 0xd4, SavePref 0x1
edl  | RST_STAT.BIN(Reset Status Region): Offset 0x85e9bc88, Length 0x4, SavePref 0x1
edl  | RST_STAT2.BIN(Reset Status #2): Offset 0x85e9bc8c, Length 0x8, SavePref 0x1
edl  | DDR_DATA.BIN(DDR Training Data): Offset 0x85e98a68, Length 0x2000, SavePref 0x1
edl  | PIMEM.BIN(PIMEM region): Offset 0x1c000000, Length 0x400000, SavePref 0x1
edl  | PART_BIN.BIN(Part Bin info): Offset 0x85e9bc80, Length 0x8, SavePref 0x1
edl  | DDRCS0_0.BIN( DDR CS0 part0 Memo): Offset 0x40000000, Length 0x80000000, SavePref 0x1
edl  | DDRCS0_1.BIN( DDR CS0 part1 Memo): Offset 0xc0000000, Length 0x40000000, SavePref 0x1
edl  | DDRCS1_0.BIN( DDR CS1 part0 Memo): Offset 0x100000000, Length 0x80000000, SavePref 0x1
edl  | DDRCS1_1.BIN( DDR CS1 part1 Memo): Offset 0x180000000, Length 0x40000000, SavePref 0x1
edl  | load.cmm(CMM Script): Offset 0x85e9aa70, Length 0x7e4, SavePref 0x2
edl  | Dumping OCIMEM.BIN(OCIMEM) at 0x14680000, length 0x40000
Progress: |██████████████████████████████████████████████████| 100.0% Complete
Progress: |██████████████████████████████████████████████████| 100.0% Complete
...

 

So the device gets detected but the problem persists that I can't get into 9008 mode.
I've opened the device and tried to short DP (D+) and GND (see the attached image) before plugging in the phone.

IMG_1433.jpeg

 

Unfortunately, that doesn't do the trick.

Still:
 

lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 05c6:900e Qualcomm, Inc. QUSB__BULK
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

 

Any ideas?

Edited by dattel
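
The region table that edl prints in the post above can be parsed to see how large a full dump is and which small regions (such as the kernel log) already lie inside the DDR ranges. This is an added example, not part of the original post or of the edl project; the function names are hypothetical and the sample lines are copied from the log and lsusb output quoted above.

```python
import re

# Constructed sample: lines copied from the edl log and lsusb output quoted in the post.
EDL_LOG = """\
edl  | OCIMEM.BIN(OCIMEM): Offset 0x14680000, Length 0x40000, SavePref 0x1
edl  | KMSG.txt(KMSG region): Offset 0xac17e00c, Length 0x3fff4, SavePref 0x1
edl  | DDRCS0_0.BIN( DDR CS0 part0 Memo): Offset 0x40000000, Length 0x80000000, SavePref 0x1
edl  | DDRCS0_1.BIN( DDR CS0 part1 Memo): Offset 0xc0000000, Length 0x40000000, SavePref 0x1
edl  | load.cmm(CMM Script): Offset 0x85e9aa70, Length 0x7e4, SavePref 0x2
edl  | Dumping OCIMEM.BIN(OCIMEM) at 0x14680000, length 0x40000
"""
LSUSB = "Bus 001 Device 002: ID 05c6:900e Qualcomm, Inc. QUSB__BULK"

REGION = re.compile(
    r"^edl\s+\|\s+(?P<name>[^(\s]+)\((?P<desc>[^)]*)\):\s+Offset (?P<off>0x[0-9a-f]+), "
    r"Length (?P<len>0x[0-9a-f]+), SavePref (?P<pref>0x[0-9a-f]+)$", re.I)

# Product IDs under vendor 05c6: 900e is what the post's log calls memory dump
# mode; 9008 is the EDL mode the poster is trying to reach.
MODES = {"9008": "EDL download mode", "900e": "memory dump mode"}


def parse_regions(log):
    """Return (name, start, end) for every region-table line; other lines are skipped."""
    regions = []
    for line in log.splitlines():
        m = REGION.match(line.strip())
        if m:
            start = int(m["off"], 16)
            regions.append((m["name"], start, start + int(m["len"], 16)))
    return regions


def total_bytes(regions):
    """Disk space needed if every listed region is saved."""
    return sum(end - start for _, start, end in regions)


def contained_in(regions):
    """Pairs (inner, outer) where inner lies wholly inside outer's address range."""
    return [(a, b) for a, s1, e1 in regions for b, s2, e2 in regions
            if a != b and s2 <= s1 and e1 <= e2]


def usb_mode(lsusb_line):
    """Map a 05c6:xxxx lsusb line to the mode names used in the thread."""
    m = re.search(r"ID 05c6:([0-9a-f]{4})", lsusb_line, re.I)
    return MODES.get(m.group(1).lower(), "unknown") if m else "not a Qualcomm device"


if __name__ == "__main__":
    regs = parse_regions(EDL_LOG)
    print(f"{len(regs)} regions, {total_bytes(regs) / 2**30:.2f} GiB total")
    print(contained_in(regs), "| USB mode:", usb_mode(LSUSB))
```

On the sample lines, KMSG.txt and load.cmm fall inside DDRCS0_0.BIN, so the small kernel-log file can be inspected without opening the multi-gigabyte DDR images.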