Bootloader is locked. OEM unlocking is off. /e/ is installed and won't boot. Am I out of luck?

Hi,

I have a Motorola Moto G 5G Plus, model code XT2075-3. I was glad to try out /e/ on it as it’s supported and I bought it with the purpose of running /e/.

This is the first time I’m flashing a custom rom. I follow the guide provided to install /e/, allowing the bootloader to be unlocked in the system settings, unlocking the bootloader, flashing recovery, going into the /e/ recovery and side-loading… all is well.

I run the system, all is well, I setup things nicely.

Then I reboot and I still see the message about how the system isn’t protected on the bootloader level. “Huh. Let’s correct that.” I go back to system settings, disallow unlocking the bootloader, and it tells me the system needs to be rebooted to re-enable the safety features. Reboot, still I get the message about how the bootloader isn’t locked. Ok, let’s lock the bootloader! And so I do. A reboot later and…

“No valid operating system could be found. The device will not boot.” Uh oh. So I begin to sweat bullets. I look around, find it’s possible to flash a stock firmware without unlocking the bootloader, and so I try through fastboot, to no avail.

Now my phone boots to fastboot by itself, according to the bootloader log because “UTAG bootmode configured as fastboot”. Trying to use any option of fastboot (Start, Recovery Mode, Restart Bootloader…) sends it back to fastboot. I suppose this is a Recovery thing…

Trying to boot a stock recovery.img without flashing it doesn’t seem to work either.

In hindsight, keeping the option to unlock the bootloader again would have been a saving grace. However hindsight being 20/20 as always…

So the bootloader is locked, can’t be unlocked with the code anymore, and there’s no recovery mode accessible. Are there any options left for it, or did my ignorance make it an unrecoverable paperweight?

This is not my primary device, I can do pretty much what I want with it and there’s no important data or contact list on it, so I’m at no risk if I cannot get it back in working condition. I understood the risks and this is of course squarely on me. If there’s however a way to get it back to at least stock, that’d be awesome!

Best regards,
Awilen.

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online services

Motos have a EDL boot mode to force flash. Search xda for “hard brick” and moto edl, maybe there’s something for you

I’ve been looking into this solution too, and yeah XDA is a gold mine. Just learned about it after making the post.

As it stands the only menu I can access is fastboot and “fastboot reboot edl” doesn’t do anything (edl is an “unknown target”). So I’m looking into the test point(s), but it seems this has yet to be documented too. Apparently discovering the points shouldn’t be too much of an issue (conspicuous test pads, one at ~1.8V and the other to ground) so I guess it’s device teardown time! (I’m actually excited here!)

I guess this is common knowledge among custom ROM enjoyers, however I believe a short warning of not relocking the bootloader at the end of the various beginner-friendly guides would go a long way. The way I went about relocking it felt natural, I was in Android so I naturally disabled OEM unlocking there since it was readily available and it said that it would reactivate all security features, then seeing it not locked up still as I got the warning on boot, I went to fastboot to lock it up… for good.

I hope this is heard as constructive criticism rather than an ill-intended jab at anyone who wrote those guides. They are concise and achieve the desired result, but any bit of polish to round the edges, to avoid common ignorant actions beginners do, especially for a system that wants itself beginner-friendly to install to increase adoption, would be a betterment in my opinion.

Install /e/ on a Motorola Moto G 5G Plus / Motorola One 5G - “nairo” says:

"Tip: To suggest changes to this install guide documentation, please visit the Moto G 5G Plus / Motorola One 5G specific topic on our community forum."

You are in at the deep end for a first timer with custom ROM.

Some pointers of more key words from the shallow end

Qualcomm SM7250 Snapdragon 765G.

In over simplified terms I might say that fastboot offers “low level” flashing as we see in the /e/ instructions.

EDL offers the opportunity to go in with a full intrusion.

Again over simplified, the soft bricked state where fastboot will not work might be called “EDL state”. Qualcomm also has “medium intrusion” methods. This is the brand name for the tool for a different phone HS-USB QDLoader Driver.

I think you are right to look at it like this – I would be looking to try to find the batch of tools referred to as “Drivers” for this device. Motorola support forums should provide some pointers for a full flash of the manufactures ROM using these (proprietary?) “Drivers” method.

Valid criticism, if there is no warning banner there should be one. The flashing guides follow template blocks, one addition can apply to all guides per includes. A change is either proposed to the repo on the /e/ gitlab or at Lineage. The best place to warn would be right at the dev options. Thats the settings repo. On mobile I cant dig the repo links up quickly but can add them later

I am familiar with JTAG-based flashing (I already had to program a JTAG bit-banger on a STM32 µcontroller for another µcontroller I didn’t have a flashing device for, it was very satisfying to debug that and get the target µc working) so I guess an EDL mode “Loader” does something akin to JTAG-based flashing on a memory device, an eMMC perhaps.

I found a pack full of MBN or MNB (can’t remember which right now) loaders for Qualcomm devices to use with edl tools. This line here will come in handy at some point. Thanks! (I’ll still double-check though, kind of a “trust, but verify” situation.)

I have much to learn still about EDL. I don’t want to end up doing something like corrupting that somehow, if that’s at all possible. (Edit: so I found out that boot.img is actually only for Android and that it gets called after the SBL as the third boot code in the bootchain, so there’s very little reason to believe the EDL can get corrupted in any way by using Loaders, Sahara and Firehose to flash a stock firmware.)

I have tried using Lenovo’s Rescue program. According to the Bootloader logs, the Rescue program tries to fastboot flash, which is forbidden by the bootloader, thus it fails. I suspect this is not what you are referring to with “Drivers”.

That was my thought process too. I don’t believe this to be a warning specifically for the “Moto G 5G Plus guide”, so suggesting this change in the specific topic on the forum as suggested by AnotherElk, while this is very much what’s recommended in the guide, made little sense to me. Not to dismiss you entirely, AnotherElk, I’m sure there’s a similar process to get a change inserted at a higher level.

Edit: just found out “fastboot oem qcom-on” is a thing and apparently enables the Qualcomm EDL mode… except since fastboot is launched and the bootloader is locked the command of course fails.

Please be aware that I do not have the device or significant Moto experience. I did not want to pass a wrong link. From what you already said you will take this link only as a pointer.

I picked up your SOC from Info about Motorola Moto G 5G Plus / Motorola One 5G - nairo but I have not yet fully understood the variants around this device (for example, Moto G 5G Plus vs Motorola One 5G); this will be essential is locating your correct method.

Items which seem to be copies of proprietary tools have to be used with extremely good research first – please don’t rely on a stranger like me.

This link seems to be THE_SORT_OF method I would be researching now. (This is for an XT2075-2 while I think you have XT2073-3)

• Motorola One 5G XT2075-2 Stock ROM Firmware (Flash File)

The variants are based on carriers as far as I understand. There is at least a Chinese variant, an AT&T variant, a European variant, among others.

The XT2075-2 is the AT&T variant. One of its hardware peculiarity is the absence of mmWave 5G antenna because apparently the US or at least AT&T doesn’t use mmWave 5G. There is one teardown video on YT showing where the antenna would be and isn’t.

I own the XT2075-3 variant, for Europe. I have already downloaded the stock firmware zip file for it specifically, twice actually, once myself, the other the Lenovo Rescue software downloaded it, and “we” happened to not download the exact same file, which doesn’t give me confidence in my choice. Here are the filenames:

• XT2075-3_NAIRO_RETEU_11_RPNS31.Q4U-39-27-9-2-8_subsidy-DEFAULT_regulatory-DEFAULT_CFC.xml (the one I downloaded)
• NAIRO_RETAIL_RPNS31.Q4U_39_27_9_2_9_subsidy_DEFAULT_regulatory_DEFAULT_CFC.xml (the one the tool downloaded)

It seems the tool downloaded a version that’s just one minor revision number ahead from the one I downloaded. I just re-checked what the Lenovo tool detected and here some addtional info:

• Processor: SM_SAIPAN 2.0
• Android Version: 10 (although the version installed by /e/ is R so 11?)
• Current version: QPN30.33-40
• Fingerprint: motorola/nairo_retaile/nairo:10/QPN30.33-40/8e31a:user/release-keys
• Fsg version: NAIRO_EMLADSDS_CUST
• Ro.carrier: reteu

Just in case, I believe the correct link for my device from the website you linked would be this one Motorola Moto G 5G Plus XT2075-3-DS Stock ROM Firmware (Flash File) Do note, I am positive I own the Dual-Sim model, however, once again the filename is different and the revision number is just way behind. Come on…

I’ve been scouring search engines and have yet to find anyone who documented the EDL test points on this device. I’m ready to remove the backplate and try the test points, heatgun, voltmeter and adhesive on hand. I still need to find a 1k to 2k ohm resistor to try bridging likely test pads without destroying anything… Hopefully there aren’t many test pads so it shouldn’t take that long. And hey, let’s say I pull through, that’ll be my first contribution to the community!

Hi @Awilen.
It’s really hard to find information about the inner workings of Motorola Moto G 5G Plus XT2075. Have already read and tried this Moto G 5G Plus XT2075 Flash File Firmware SD765 10.0?
Good luck

I absolutely agree. The XDA forum on this particular device is rather thin to boot.

I’m working on it. Along the way the guide instructs to go into EDL mode, and non-intrusive ways to get there don’t actually get there on my device, that’s why I need to open it and find the test points, and I have yet to.

Thanks!

Huh. I kept going and stumbled upon another model that looks similar but is not exactly the same internally: the Moto Edge S / G100. Unfortunately in the thread I found, one of the posters asserts there’s no EDL test point… Further research required.

The thread in question: Question - Who knows how to short the test points to enter the Qualcomm EDL flash mode | XDA Forums

My device in pictures:
https://fcc.report/FCC-ID/IHDT56ZC3/4764581.pdf

Edit: I’ve learned about the existence of “deep flash cables”, apparently most often used for Xiaomi phones. Should I just try that before opening up my Moto?

Even with a 9008 Deep Flash Mode Cable, the battery of the defective device must be removed!

The EDL Pin Out / Test Points are often tiny. With wrong pin selection the short circuit danger is not to be underestimated. A deep flash cable can therefore be a great help.

My accompanying description states: “Take out the battery of the defective device. Connect the device to the computer via USB. Press and hold the cable switch button for about 8 seconds. This will install the driver and the computer will recognize the device connected to the USB port.” Then a service ROM or stock Android must be flashed.

Thank you for the warning. I’ll keep that in mind. On my shopping list now: isopropyl alcohol to help weaken the battery’s glue. I’ve already had to pry a battery out of a Moto G5S, let’s say I won’t ever be reusing it due to bending it even just a bit.

I’ve already shorted wrong pins by mistake on a 1500€ PCB, my boss back then wasn’t impressed… ahah.

Edit: it kinda hit me, removing the battery connector should be enough, no need to pry it out and risk bending it. I guess the words “must be removed” tripped me into thinking about unglueing it.

Edit2: backside is open, I stabbed it with a multimeter, black on a TH via, only one test point shows 1.8V in the middle of the visible side of the motherboard with no visible counterpart to bridge, that should be the internal power supply, there’s one point at the bottom showing 1.5V but it’s close to the screen and bottom daughterboard flexible flat cable connectors so it could be another VRM output voltage for one of them. The rest of the pads show 0V.

Edit3: I think I’m on track for… something. I have found this https://github.com/bkerler/edl/issues/87 and among the replies a photo of a connector pads (connector being missing) contains the EDL test points. I look at my phone and find a similar (albeit longer) set of connector pads with the missing connector, and a trace that goes from the 1.8V point to the middle of the connector pads. I think I need better tools at that point, my eyes can’t make out the traces exactly (and there are vias) and I’m not ready to stab contacts this small with my large probes.

Here’s a photo of the connector pads of my device (sorry for the slanted pic), annotated with the voltages found on the test points

XT2075-3 Connector pads750×750 136 KB

Yes, my wording is unfortunate. Of course, it’s sufficient to simply break the circuit between the battery and the motherboard by disconnecting the battery cable.

So I’ve been wondering. What about after EDL mode is available?

Seems like I need a firehose programmer to load onto the device to do pretty much anything, right? This is firmware territory and we have some stuff to setup like communication to the eMMC and maybe that’s not taken care of by the PBL before entering EDL mode, and there’s no documentation on such things, right?

Edit: am I correct in thinking that a blank-flash procedure with the “unbrick” qboot software I found in the link below will disable the flash protection bit in EDL mode and allow flashing a stock firmware in fastboot mode afterward?

Edit2: I wanted to know where fastboot was residing as I didn’t want a bricked phone without fastboot or a firehose (apparently there’s no firehose that leaked for my device) after blanking the flash, and I found out fastboot is part of the Android Bootloader (ABOOT) which is not part of the usual flashing process, so there’s no reason blanking the flash should make fastboot disappear.

Received my resistors, tested the points with a 470 ohm resistor several times, to no avail. Checked the 0v side of the resistor, it got pulled to 1.785v so I assume it’s right, it connects to a transistor with infinite resistance on the other side, so to a chip.

What I did is keep the phone off, bridge the test points with the resistor, then plug the USB from my PC. The phone keeps trying to boot normally, or send it back to fastboot should fb_mode be set through the “fastboot oem fb_mode_on” command. Did I do it right?

There are also the command “fastboot oem qcom-on” and “fastboot oem qcom-off”, I hope those aren’t needed to enable EDL mode, as using them fails too.

I am getting desperate here I’ll try other test points with the 1.8v point, there’s no reason it must be those two points I mentioned, but it’s getting awfully grim. I hope I won’t have to test individual IC pads.

Hi @Awilen, Take a look at this thread:

location-of-edl-points-in-Moto_g5_plus1080×2340 318 KB

Thanks a lot @anon29344687, however you linked a thread about the “Moto G5 Plus” model number XT168x (x in 4 to 7) released in 2017 , I own the “Moto G 5G Plus” model number XT2075-3 released in 2020. It is not applicable to my device.

Edit: tried another approach and “patched” fastboot to send the command “reboot-edl” to check if it was at all possible. Managed to get “fastboot reboot edl” working, bootloader logs show “cmd: reboot-edl” for a split second, then it goes to blackscreen, reboots normally and shows the “No OS!” error screen. Holding the VolDown key during the process reboots to fastboot. Holding any other key and combinations of them shows the “No OS!” error screen.

I have something different happening when my device’s battery is removed and the USB is plugged: the top LED blinks once and then the phone tries to boot. If the screen is connected, the phone shuts down due to lack of power (2.5W isn’t enough…), however it stays on if there’s no screen.

Does that ring any bell?