Fixing a Nexus 5X - and learning it’s impossible.
UPDATE SEPTEMBER 9TH, 2021 - Hello all! I have recently found my Nexus 5X I used in this blog, and I will continue to find a way to fix this bootloop. I will post a new update once I have successfully gotten it to work.
ORIGINAL POST:
In late 2015, Google announced the Nexus 5X and the Nexus 6P, the last Nexus-branded devices in their lineup. I switched from my iPhone 6, which I was rocking when it was announced, so I could give Android a try. It all blew me away. Android Marshmallow was quick and responsive and free of all the bugs I encountered in Lollipop, introduced "Now on Tap" (my FAVORITE feature of 6.0), and more. I used the 5X until Apple announced the iPhone 8 and 8 Plus, the second glass-backed iPhones, equipped with the fastest phone SoC, the A11 Bionic. I was reluctant to get rid of this phone, as I had grown too close to Android and was getting started with learning about its internals. In the end, I sold it for $150 and put that money towards an iPhone 8 Plus, which I acquired in January 2018.
I went back and forth between iOS and Android for a while, and when the iPhone XS and XR were announced, it blew my mind, with the bigger phone costing less (the hell?) and every model equipped with the Apple A12 Bionic, the fastest smartphone SoC ever, with a new architecture (ARMv8.3-A) and more security features that I was dying to test. I traded in my iPhone for the XR and played around with it. Turns out it had Pointer Authentication Codes, something I loathed at first but then was grateful Apple added. I decided to pick up another 5X in Feb. 2019 and started poking around and finding lots of vulnerabilities. One day, the 5X was in an infinite bootloop. I was angry, but quickly realized that this was easily fixable and happens to lots of people with the 808.
This is a blogpost documenting my successes and failures in repairing the 5X, and how I came to the conclusion that fixing this was going to take more than a young iOS hacker and a keyboard to accomplish.
Fixing the Bootloop
Fixing the bootloop took a lot of research and a lot of questions. First, we need to talk about why the 5X, as well as many other 808 devices, bootlooped.
The Qualcomm Snapdragon 808 (MSM8992) is a system on a chip built by Qualcomm. It uses the "big.LITTLE" arrangement common in smartphone CPUs, which pairs a cluster of high-performance cores with a cluster of slower, power-saving cores and lets the scheduler move work between them. The 808's big cluster is two Cortex-A57 cores clocked up to 1.82 GHz; the little cluster is four Cortex-A53 cores clocked up to 1.44 GHz.
The bootloop issues arose from the big cluster of the SoC, where the high-performance cores live. The general idea is that Qualcomm rushed these chips out, leaving some of them defective. A device that only fails once the big cores are powered up will still boot if the kernel never brings them online, and that is the basis of the fix described below: run on the four A53 cores alone and give up the A57s.
This left me scrambling to create something to stop the bootloop. I did not want to use a pre-made tool, as I wanted as much customization as possible and the minimal risk of bricking the phone. I had to understand the problem and find the best way of doing this. I was looking for possible fixes in the software (looking at Fuchsia and attempting to spot any clue; I didn't use Google for this because I wanted it to be fun). I then learned that disabling the two high-performance cores would fix the bootloop. So I went about doing that manually and flashing it with a modified TWRP.
It fixed the bootloop, damn right. But I got excited too quickly, because the phone died.
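The post does not show how the big cores were actually disabled, so here is an added example (not the author's modified TWRP, whose contents the post does not give) of the kernel-parameter route to the same end: rewrite the command line inside the Android boot image so the kernel is told `maxcpus=4`. The assumptions, none of them from the original post, are that the kernel honours the standard Linux `maxcpus=` parameter and that the 808's four A53 cores are CPUs 0-3, so capping the count at four leaves the two A57 cores offline. The boot image layout used is the header v0 format (magic, eight 32-bit fields, name, a 512-byte cmdline, id, extra cmdline) that the Nexus 5X's stock boot.img uses; the sample image and cmdline are constructed here so the script runs without a real device.

```python
"""Patch the kernel command line of an Android boot image (header v0).
Added example; not the author's TWRP-based fix. Assumptions (not from the
post): the kernel honours `maxcpus=`, and the 808's A53 cores are CPUs 0-3,
so `maxcpus=4` keeps the two A57 cores from ever being brought online."""
import struct

BOOT_MAGIC = b"ANDROID!"
HEADER_LEN = 1632                 # v0 header: 8 + 8*4 + 16 + 512 + 32 + 1024
CMDLINE_OFF, CMDLINE_LEN = 64, 512


def parse_header(img: bytes) -> dict:
    """Read the fixed-size header fields and the NUL-terminated cmdline."""
    if len(img) < HEADER_LEN or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic or too short)")
    (kernel_size, _kernel_addr, ramdisk_size, _ramdisk_addr,
     _second_size, _second_addr, _tags_addr, page_size) = struct.unpack_from("<8I", img, 8)
    # page_size must be a power of two; anything else means a corrupt header
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError(f"implausible page size {page_size}")
    raw = img[CMDLINE_OFF:CMDLINE_OFF + CMDLINE_LEN]
    return {
        "kernel_size": kernel_size,
        "ramdisk_size": ramdisk_size,
        "page_size": page_size,
        "cmdline": raw.split(b"\0", 1)[0].decode("ascii"),
    }


def set_param(cmdline: str, key: str, value: str) -> str:
    """Return cmdline with key=value appended, dropping any earlier key=...
    (the kernel takes the last occurrence, so ours becomes the only one)."""
    kept = [p for p in cmdline.split() if not p.startswith(key + "=")]
    return " ".join(kept + [f"{key}={value}"])


def patch_cmdline(img: bytes, key: str, value: str) -> bytes:
    """Rewrite only the 512-byte cmdline field. The header's `id` hash covers
    kernel, ramdisk and second stage, not the cmdline, so nothing else moves."""
    hdr = parse_header(img)
    new = set_param(hdr["cmdline"], key, value).encode("ascii")
    if len(new) >= CMDLINE_LEN:          # leave room for the terminating NUL
        raise ValueError("patched cmdline would overflow the 512-byte field")
    return (img[:CMDLINE_OFF]
            + new.ljust(CMDLINE_LEN, b"\0")
            + img[CMDLINE_OFF + CMDLINE_LEN:])


def build_sample_image(cmdline: str, page_size: int = 2048) -> bytes:
    """Constructed stand-in for a real boot.img: header page, then a dummy
    kernel and dummy ramdisk, each padded to page_size as the format requires."""
    if len(cmdline) >= CMDLINE_LEN:
        raise ValueError("cmdline too long for the header field")
    kernel = b"\xde\xad\xbe\xef" * 64          # placeholder, not a real kernel
    ramdisk = b"\x1f\x8b" + b"\0" * 100        # gzip magic, then filler
    hdr = bytearray(HEADER_LEN)
    hdr[:8] = BOOT_MAGIC
    struct.pack_into("<8I", hdr, 8, len(kernel), 0x80008000, len(ramdisk), 0x82000000,
                     0, 0, 0x81E00000, page_size)
    hdr[CMDLINE_OFF:CMDLINE_OFF + len(cmdline)] = cmdline.encode("ascii")

    def pad(b: bytes) -> bytes:
        return b + b"\0" * (-len(b) % page_size)

    return pad(bytes(hdr)) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    # constructed cmdline in the style of a stock one; values are illustrative
    img = build_sample_image("console=ttyHSL0,115200,n8 androidboot.hardware=bullhead")
    patched = patch_cmdline(img, "maxcpus", "4")
    print(parse_header(patched)["cmdline"])
```

On a real, unlocked device the check worth doing before anything is written is `fastboot boot patched.img`: it loads the image into RAM and boots it without touching the boot partition, so a patched image that does not boot just leaves you back at the bootloader instead of one flash closer to the situation the rest of this post describes. Only once it boots that way does `fastboot flash boot patched.img` make sense.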
Qualcomm QDLoader Mode
MSM chips have something called EDL, "Emergency Download Mode", embedded in the Primary Bootloader (PBL). I was studying this well before my phone bootlooped. You know your phone is in EDL if it shows up in Device Manager as "Qualcomm HS-USB QDLoader 9008 (COM4)" (the last number is the port). Because the PBL lives in on-die boot ROM, EDL cannot be damaged by software; it also cannot be removed, so the only thing standing between a USB cable and the flash is the PBL's signature check on what you send it. EDL accepts only an OEM-signed programmer, typically a Firehose .mbn file, which the PBL loads into RAM over USB and then jumps to; the programmer acts as a secondary bootloader that knows how to talk to the eMMC. On a device with secure boot fused, a programmer signed with any key other than the one whose hash is burned into that SoC's fuses is rejected, which is why you cannot simply borrow the programmer from another MSM8992 phone. I decided to dig more into this, and into flashing different programmers for the MSM8992 variant, AKA the 808. In my research I determined that commands are passed to the programmer over USB as XML (the Firehose protocol). There are many, including `program`, which writes raw sectors to the flash and can therefore replace the partitions holding the later bootloader stages.
However, Google has not released their Nexus 5X programmer. We may be waiting a long time, or until I get the urge to solder on a new eMMC. **For the record, this may happen on your MSM8994 device (the 810 chip: the Nexus 6P and other devices). DO NOT FRET, Google leaked their programmer. You are safe.**
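To make the XML dialogue above concrete, here is an added example, not code from the post or from Qualcomm, that builds the two commands a host sends a Firehose programmer once it is running (the programmer itself is delivered to the PBL earlier, over the separate Sahara protocol) and parses the replies it sends back. It does no USB I/O: the partition table, the replies and the sector numbers are all constructed for illustration, and the command and response element names and attributes are the ones Firehose uses (`configure`, `program`, `log`, `response` with `value="ACK"`/`"NAK"` and `rawmode`). The one check worth carrying into real use is in `flash_plan`: the programmer writes exactly the sector range you name, so an image larger than its partition spills into whatever partition follows.

```python
"""Build Firehose XML commands and parse the programmer's replies. Added
example modelling the XML-over-USB dialogue the post describes; it does no
USB I/O, and the partition table and replies below are constructed."""
import math
import xml.etree.ElementTree as ET

XML_DECL = b'<?xml version="1.0" ?>'
SECTOR_SIZE = 512

# Constructed partition table: name -> (start_sector, num_sectors). On a real
# device read these from the GPT first; the numbers here are illustrative.
SAMPLE_PARTITIONS = {"boot": (131072, 65536), "recovery": (196608, 65536)}


def firehose_packet(tag: str, **attrs) -> bytes:
    """One command element inside the <data> envelope Firehose expects."""
    data = ET.Element("data")
    ET.SubElement(data, tag, {k: str(v) for k, v in attrs.items()})
    return XML_DECL + ET.tostring(data)


def packet_attrs(pkt: bytes) -> tuple:
    """Inverse of firehose_packet, used to inspect what is about to be sent."""
    el = ET.fromstring(pkt)[0]
    return el.tag, dict(el.attrib)


def configure_cmd(memory: str = "eMMC", max_payload: int = 1024 * 1024) -> bytes:
    """First command after the programmer is up: storage type and chunk size."""
    return firehose_packet("configure", MemoryName=memory, Verbose="0",
                           AlwaysValidate="0", MaxPayloadSizeToTargetInBytes=max_payload,
                           ZlpAwareHost="1", SkipStorageInit="0")


def program_cmd(filename: str, start_sector: int, image_size: int,
                sector_size: int = SECTOR_SIZE, lun: int = 0) -> bytes:
    """Announce a raw write of image_size bytes at start_sector. The image
    bytes themselves are streamed only after the target ACKs with rawmode."""
    if start_sector < 0 or image_size <= 0:
        raise ValueError("bad sector range")
    return firehose_packet("program", SECTOR_SIZE_IN_BYTES=sector_size,
                           num_partition_sectors=math.ceil(image_size / sector_size),
                           physical_partition_number=lun, start_sector=start_sector,
                           filename=filename)


def flash_plan(partition: str, image_size: int) -> bytes:
    """Refuse to build a program command that would spill past the partition:
    an oversized write in EDL lands in whatever partition comes next."""
    start, sectors = SAMPLE_PARTITIONS[partition]
    if math.ceil(image_size / SECTOR_SIZE) > sectors:
        raise ValueError(f"{image_size} bytes does not fit in {partition}")
    return program_cmd(f"{partition}.img", start, image_size)


def parse_response(stream: bytes) -> dict:
    """Split one USB read into its XML documents. <log> lines may precede the
    <response>; value="NAK" is a failure and rawmode="true" means send data now."""
    result = {"ack": None, "rawmode": False, "logs": []}
    for chunk in stream.split(b"<?xml"):
        chunk = chunk.rstrip(b"\0 \r\n")      # targets may NUL-pad the read
        if not chunk.strip():
            continue
        for el in ET.fromstring(b"<?xml" + chunk):
            if el.tag == "log":
                result["logs"].append(el.get("value", ""))
            elif el.tag == "response":
                result["ack"] = el.get("value") == "ACK"
                result["rawmode"] = el.get("rawmode", "false").lower() == "true"
    return result


# Constructed replies in the shape a Firehose programmer returns.
SAMPLE_ACK = (b'<?xml version="1.0" encoding="UTF-8" ?>'
              b'<data><log value="INFO: Calling handler for program" /></data>'
              b'<?xml version="1.0" encoding="UTF-8" ?>'
              b'<data><response value="ACK" rawmode="true" /></data>')
SAMPLE_NAK = (b'<?xml version="1.0" encoding="UTF-8" ?>'
              b'<data><log value="ERROR: Failed to open the SDCC Device" /></data>'
              b'<?xml version="1.0" encoding="UTF-8" ?>'
              b'<data><response value="NAK" /></data>')

if __name__ == "__main__":
    print(configure_cmd().decode())
    print(flash_plan("boot", 20 * 1024 * 1024).decode())
    print(parse_response(SAMPLE_ACK), parse_response(SAMPLE_NAK))
```

Note what this does not give you: none of it helps without a programmer the PBL will accept. Every one of these packets is addressed to code that only runs after the PBL has verified its signature, which is exactly the gap the next paragraph is about.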
Conclusions and Credits
I want to give my biggest thanks. This is the first blogpost that I have completed and published. I started blogging to teach more and share my vast knowledge about how systems and computers work, and I'll continue doing this.
I learned a lot about Android and Qualcomm through this crazy adventure. I learned more about how EDL works as well as more about the Qualcomm bootchain/boot process, which was amazingly informative and deeply insightful.
Please follow me on twitter @TotallyNotNero for blog updates, behind the scenes, and random retweets of stuff I find funny. Contact me on discord @TotallyNotNero#0420 for any questions.