AOSP Xperia 1 IV XQ-CT54 - Switch to Partition "B" hard-bricks device #824

Open
floloescher opened this issue Jan 17, 2024 · 22 comments

@floloescher

Platform: Nagara
Device: XQ-CT54
Kernel version: latest provided
Android version: 13
Software binaries version: latest

Previously working on
From my point of view, this has never worked before.

Description
After building official AOSP for Sony Xperia 1 IV (following the build guide), flashing the (successfully built) image on the phone via fastboot flash leads to a fully bricked device if flashed to partition "B" (active partition "A"). The phone does not boot anymore and is not visible in ADB devices after the flash.

The image itself is not the problem. If flashed to partition "A" specifically (like: fastboot flash oem_a odm.img), the image boots and AOSP is ready to use with the same image.

If the AOSP built-in updater is used to flash the device (no full image flash via fastboot, but using an OTA) while the device is active in partition A, partition B has to be used.

Therefore, the main problem is: Partition B seems to be broken on the phones (tested with 2 Xperia 1 IV XQ-CT54), and setting it active bricks the device completely. No (known) way to recover the device.

Symptoms
If partition is switched from A to B the device is completely dead. Hard-Bricked.

How to reproduce
Build AOSP according to Build Guide. Flash AOSP on Partition A. Everything works. Flash the same build on Partition B and change active partition to B. Device is bricked.

Additional context
Logcat attached. AOSP built-in updater confirms successful flash of the image to partition B, but after the reboot command the device is completely dead. Timestamp: 01-07 14:23:42.709 1185 1185 I update_engine: [INFO:update_attempter_android.cc(580)] Update successfully applied, waiting to reboot.

logcat_Sony_XperiaIV_OTA_does_not_reboot.txt

@inf265

inf265 commented Jan 17, 2024

What a timing, had the same 2 days ago with my Xperia 1 IV. Is there any way to access the PINs for serial communication in order to debug where the phone hangs?

@bartcubbins
Contributor

You can’t even get into fastboot/flashmode?

@floloescher
Author

No. No reaction of the phone at all.
No vibration while keeping power button pressed.
No LED light at all.
No reaction while connecting to Linux PC and keeping Power - up pressed.

2 phones completely bricked.

Maybe UART Ports could give some indication, but the thread regarding this bug report was not answered by Sony.

@bartcubbins
Contributor

hm, this shouldn't happen. I'll make a build and try to reproduce

@floloescher
Author

Thanks. But be aware that the phone is non-usable afterwards. Happy to provide you with any info you need.

@bartcubbins
Contributor

I took the following steps and my device is still alive. It seems the reason lies elsewhere...

Spoiler
[pavel@home-pc android-13]$ fastboot flashall
--------------------------------------------
Bootloader Version...: 8450-0001_X_Boot_SM8450_LA2.0_T_112
Baseband Version.....: 64.1.A.0.996
Serial Number........: QV770WCDEC
--------------------------------------------
Checking 'product'                                 OKAY [  0.003s]
Setting current slot to 'a'                        OKAY [  0.008s]
Sending 'boot_a' (98304 KB)                        OKAY [  2.490s]
Writing 'boot_a'                                   OKAY [  0.420s]
Sending 'dtbo' (24576 KB)                          OKAY [  0.624s]
Writing 'dtbo'                                     OKAY [  0.103s]
Sending 'recovery' (102400 KB)                     OKAY [  2.541s]
Writing 'recovery'                                 OKAY [  0.423s]
Sending 'vbmeta' (8 KB)                            OKAY [  0.004s]
Writing 'vbmeta'                                   OKAY [  0.004s]
Sending 'vbmeta_system' (4 KB)                     OKAY [  0.009s]
Writing 'vbmeta_system'                            OKAY [  0.004s]
Sending 'vendor_boot' (98304 KB)                   OKAY [  2.460s]
Writing 'vendor_boot'                              OKAY [  0.389s]
Rebooting into fastboot                            OKAY [  0.003s]
< waiting for any device >
Sending 'super' (4 KB)                             OKAY [  0.033s]
Updating super partition                           OKAY [  0.034s]
Resizing 'product_a'                               OKAY [  0.005s]
Resizing 'system_a'                                OKAY [  0.005s]
Resizing 'system_ext_a'                            OKAY [  0.004s]
Resizing 'system_b'                                OKAY [  0.004s]
Resizing 'vendor_a'                                OKAY [  0.004s]
Resizing 'vendor_b'                                OKAY [  0.004s]
Resizing 'product_a'                               OKAY [  0.004s]
Sending sparse 'product_a' 1/2 (262140 KB)         OKAY [  6.903s]
Writing 'product_a'                                OKAY [  0.350s]
Sending sparse 'product_a' 2/2 (14256 KB)          OKAY [  0.377s]
Writing 'product_a'                                OKAY [  0.054s]
Resizing 'system_a'                                OKAY [  0.003s]
Sending sparse 'system_a' 1/4 (262140 KB)          OKAY [  6.776s]
Writing 'system_a'                                 OKAY [  0.348s]
Sending sparse 'system_a' 2/4 (262140 KB)          OKAY [  6.783s]
Writing 'system_a'                                 OKAY [  0.325s]
Sending sparse 'system_a' 3/4 (262140 KB)          OKAY [  6.749s]
Writing 'system_a'                                 OKAY [  0.419s]
Sending sparse 'system_a' 4/4 (88896 KB)           OKAY [  2.270s]
Writing 'system_a'                                 OKAY [  0.142s]
Resizing 'system_ext_a'                            OKAY [  0.004s]
Sending sparse 'system_ext_a' 1/2 (262140 KB)      OKAY [  6.884s]
Writing 'system_ext_a'                             OKAY [  0.346s]
Sending sparse 'system_ext_a' 2/2 (148796 KB)      OKAY [  3.851s]
Writing 'system_ext_a'                             OKAY [  0.201s]
Resizing 'vendor_a'                                OKAY [  0.005s]
Sending 'vendor_a' (126864 KB)                     OKAY [  3.343s]
Writing 'vendor_a'                                 OKAY [  0.270s]
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 71.460s
[pavel@home-pc android-13]$ adb reboot bootloader
[pavel@home-pc android-13]$ fastboot --set-active=b
Setting current slot to 'b'                        OKAY [  0.010s]
Finished. Total time: 0.014s
[pavel@home-pc android-13]$ fastboot flashall
--------------------------------------------
Bootloader Version...: 8450-0001_X_Boot_SM8450_LA2.0_T_112
Baseband Version.....: 64.1.A.0.996
Serial Number........: QV770WCDEC
--------------------------------------------
Checking 'product'                                 OKAY [  0.003s]
Setting current slot to 'b'                        OKAY [  0.001s]
Sending 'boot_b' (98304 KB)                        OKAY [  2.435s]
Writing 'boot_b'                                   OKAY [  0.402s]
Sending 'dtbo' (24576 KB)                          OKAY [  0.597s]
Writing 'dtbo'                                     OKAY [  0.098s]
Sending 'recovery' (102400 KB)                     OKAY [  2.496s]
Writing 'recovery'                                 OKAY [  0.436s]
Sending 'vbmeta' (8 KB)                            OKAY [  0.004s]
Writing 'vbmeta'                                   OKAY [  0.005s]
Sending 'vbmeta_system' (4 KB)                     OKAY [  0.007s]
Writing 'vbmeta_system'                            OKAY [  0.006s]
Sending 'vendor_boot' (98304 KB)                   OKAY [  2.378s]
Writing 'vendor_boot'                              OKAY [  0.410s]
Rebooting into fastboot                            OKAY [  0.003s]
< waiting for any device >
Sending 'super' (4 KB)                             OKAY [  0.000s]
Updating super partition                           OKAY [  0.029s]
Resizing 'product_b'                               OKAY [  0.005s]
Resizing 'system_b'                                OKAY [  0.005s]
Resizing 'system_ext_b'                            OKAY [  0.005s]
Resizing 'system_a'                                OKAY [  0.007s]
Resizing 'vendor_b'                                OKAY [  0.004s]
Resizing 'vendor_a'                                OKAY [  0.004s]
Resizing 'product_b'                               OKAY [  0.004s]
Sending sparse 'product_b' 1/2 (262140 KB)         OKAY [  6.674s]
Writing 'product_b'                                OKAY [  0.354s]
Sending sparse 'product_b' 2/2 (14256 KB)          OKAY [  0.359s]
Writing 'product_b'                                OKAY [  0.049s]
Resizing 'system_b'                                OKAY [  0.003s]
Sending sparse 'system_b' 1/4 (262140 KB)          OKAY [  6.655s]
Writing 'system_b'                                 OKAY [  0.333s]
Sending sparse 'system_b' 2/4 (262140 KB)          OKAY [  6.677s]
Writing 'system_b'                                 OKAY [  0.323s]
Sending sparse 'system_b' 3/4 (262140 KB)          OKAY [  6.688s]
Writing 'system_b'                                 OKAY [  0.440s]
Sending sparse 'system_b' 4/4 (88896 KB)           OKAY [  2.242s]
Writing 'system_b'                                 OKAY [  0.118s]
Resizing 'system_ext_b'                            OKAY [  0.004s]
Sending sparse 'system_ext_b' 1/2 (262140 KB)      OKAY [  6.634s]
Writing 'system_ext_b'                             OKAY [  0.335s]
Sending sparse 'system_ext_b' 2/2 (148796 KB)      OKAY [  3.755s]
Writing 'system_ext_b'                             OKAY [  0.221s]
Resizing 'vendor_b'                                OKAY [  0.003s]
Sending 'vendor_b' (126864 KB)                     OKAY [  3.202s]
Writing 'vendor_b'                                 OKAY [  0.192s]
Rebooting                                          OKAY [  0.000s]
Finished. Total time: 69.727s
[pavel@home-pc android-13]$ adb shell getprop ro.boot.slot_suffix
_b

@floloescher
Author

Check. Will compare the steps and come back. Thanks.

@bartcubbins
Contributor

But my build is based on the 5.15 kernel. I'll rebuild it using a prebuilt 5.10 kernel and try again

@floloescher
Author

Okay. I was using the prebuilt 5.10 kernel.

Thanks!

@inf265

inf265 commented Jan 21, 2024

Hi bartcubbins,
I have the impression something with the bootloader is wrong. What is the md5sum of yours? Mine is
97cfc1b71c5eaf86ecc12754f99e0d8c ./out/target/product/pdx223/boot.img.
Do you know how to connect to the serial port? I've read that it was possible on earlier Sony phones via PINs on the sdcard. I tried without success.
Cheers

@bartcubbins
Contributor

boot.img is not a bootloader. This is the partition that contains the Linux kernel and ramdisk.
https://source.android.com/docs/core/architecture/partitions/generic-boot
Its md5sum is different after each compilation. On Sony devices the bootloader cannot be flashed via fastboot.

UART pinout is the same as on previous devices.
https://developer.sony.com/open-source/aosp-on-xperia-open-devices/guides/access-uart-ports
Unfortunately, I have not yet been able to get an output from it. The trick I did on < Mk IV devices does not work. You can read about it here #799 (comment)

@inf265

inf265 commented Jan 22, 2024

Ahh thought there's some magic and bootloader is put into boot.img somehow since I didn't find it and I did not see abl_a or abl_b partition. But that makes sense when you say I cannot flash it. Anyway newflasher flashes it with an original image:

Found boot_delivery.xml in boot folder.
openat(AT_FDCWD, "./boot/boot_delivery.xml", O_RDONLY) = 3
 - Boot delivery version: 8450-0001
 - Verifying if boot delivery match with device...
      searching for: PLATFORM_ID="001870E1";PLF_ROOT_HASH="CE738EFA78393FA07CAE66C2DCA711449BC36B3AB78734713A7FB08527E7DAAEEE1833BFD6EEDB2ABD968FBA981B5B35"
      Found bootdelivery match: COMMERCIAL_001870E1
      TA file: PDX223_XBootConfig_MiscTA.ta

Processing ./boot/PDX223_XBootConfig_MiscTA.ta
openat(AT_FDCWD, "./boot/PDX223_XBootConfig_MiscTA.ta", O_RDONLY) = 3
 - Partition: 2
 - Unit: 84F (2127)
 - Unit size: 0x59
      download:00000059
      OKAY.
      Write-TA:2:2127
      OKAY.
 - Unit: 8FD (2301)
 - Unit size: 0x1
      download:00000001
      OKAY.
      Write-TA:2:2301
      OKAY.
      SIN file: bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin

Processing bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin
openat(AT_FDCWD, "./boot/bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin", O_RDONLY) = 3
 - setting up inflate...
openat(AT_FDCWD, "./boot/bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin", O_RDONLY) = 3
openat(AT_FDCWD, "./boot/converted.file", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
 - infflating, please wait...

 - inflate returned: 0
 - gzpipe: ok.
 - gunziped ok.
openat(AT_FDCWD, "./boot/converted.file", O_RDONLY) = 3
 - Extracting from bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin
 - Extracting signature bootloader.cms
openat(AT_FDCWD, "./boot/bootloader.cms", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
openat(AT_FDCWD, "./boot/bootloader.cms", O_RDONLY) = 4
 - Uploading signature ./boot/bootloader.cms
      download:00000896
openat(AT_FDCWD, "./boot/bootloader.cms", O_RDONLY) = 4
      OKAY.
      signature
      OKAY.
 - Extracting sparse chunk bootloader.000
openat(AT_FDCWD, "./boot/bootloader.000", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
openat(AT_FDCWD, "./boot/bootloader.000", O_RDONLY) = 4
 - Uploading sparse chunk ./boot/bootloader.000
      download:00b5f000
openat(AT_FDCWD, "./boot/bootloader.000", O_RDONLY) = 4
      OKAY.
      Partition: bootloader have slot: yes
      erase:bootloader_a
      OKAY.
      flash:bootloader_a
      OKAY.
 - End of bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin

@inf265

inf265 commented Jan 22, 2024

Is it possible that the bootloader is still locked for B partition?
In munjeni/newflasher#29 they mention a phrase: "Regarding the bootloader itself, which is reason munjeni/newflasher#1, on the Tama platform, the first release has a bad bug regarding slot B: this will be unable to boot a custom kernel image due to signature verification failing (the OEM unlock state is respected only on slot A in this case!)."

@inf265

inf265 commented Jan 22, 2024

I was able with a small hack in newflasher to flash B partition on a new phone with it. Now the phone is not bricked any more but is in a boot loop after the SONY logo.

@bartcubbins
Contributor

I understand what is happening to your devices: you have a more recent version of the bootloader on one of the slots and after switching to a slot with an older version, very bad things happen that turn your device into a brick. In the current situation, I can only advise you to make sure that both slots have the same version of the bootloader.

Regarding the new flasher, most likely it only flashes the active slot (need to look at the source code to confirm).
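
One way to check the condition described above, that both slots carry the same bootloader version, from saved newflasher logs. This is an added example, not part of the thread and not newflasher's own code. The log lines are constructed from the output quoted earlier in this thread, the second SIN file name is a made-up placeholder, and it assumes the logs cover every bootloader write made to the device.

```python
import re

# Line shapes taken from the newflasher output quoted in this thread.
SIN_RE = re.compile(r"^Processing\s+(?:\S*/)?bootloader_(.+?)_X-FLASH-ALL\S*\.sin$")
FLASH_RE = re.compile(r"^flash:bootloader_([ab])$")

OLD_SIN = "bootloader_X_BOOT_SM8450_LA1_0_S_42_X-FLASH-ALL-6348.sin"  # from the thread
NEW_SIN = "bootloader_X_BOOT_EXAMPLE_NEWER_X-FLASH-ALL-0000.sin"      # constructed placeholder


def sample_run(sin, slot, ack="OKAY."):
    """Build a constructed log excerpt: one bootloader SIN flashed to one slot."""
    return (
        f"Processing {sin}\n"
        " - Uploading sparse chunk ./boot/bootloader.000\n"
        "      Partition: bootloader have slot: yes\n"
        f"      erase:bootloader_{slot}\n"
        "      OKAY.\n"
        f"      flash:bootloader_{slot}\n"
        f"      {ack}\n"
        f" - End of {sin}\n"
    )


def bootloader_by_slot(log_text):
    """Return {slot: version} for the last acknowledged bootloader write per slot."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    state, current = {}, None
    for i, line in enumerate(lines):
        sin = SIN_RE.match(line)
        if sin:
            current = sin.group(1)
            continue
        flash = FLASH_RE.match(line)
        # Count a write only if the next line acknowledges it with OKAY.
        if flash and current and lines[i + 1:i + 2] == ["OKAY."]:
            state[flash.group(1)] = current
    return state


def check_slots(log_text):
    """Return (ok, reason); ok only when both slots hold the same version."""
    state = bootloader_by_slot(log_text)
    missing = [s for s in "ab" if s not in state]
    if missing:
        return False, "no acknowledged bootloader write for slot " + "/".join(missing)
    if state["a"] != state["b"]:
        return False, f"mismatch: a={state['a']} b={state['b']}"
    return True, f"both slots hold {state['a']}"


if __name__ == "__main__":
    history = sample_run(OLD_SIN, "b") + sample_run(NEW_SIN, "a")
    print(check_slots(history))                             # mismatched slots
    print(check_slots(history + sample_run(NEW_SIN, "b")))  # after flashing slot b too
```

A slot with no acknowledged write is reported as not OK rather than assumed to match, since its bootloader version is unknown from the logs alone.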

@inf265

inf265 commented Jan 25, 2024

Hi Pavel, yes indeed I had the same impression. I have another new device here and did the following, not bricked any more:
To pin it down, I flashed the official image FW_Customized_CN_64.0.F.19.10 to the phone using newflasher. The phone can boot into Android from partition A. (I have a Chinese phone here.)
Then I modified newflasher a bit (newflasher does not flash all files to both partitions, especially the bootloader only to the current slot, so I modified current_slot in newflasher to B) to flash also the bootloader to partition B (in fact all files but also bootloader). I guess this is what was missing or wrong and the device therefore bricked up in the past.
This automatically then activates B partition and boots into partition B, but leads to a boot loop with the SONY logo.
Then I went again into flashmode and flashed the device again with official image FW_Customized_CN_64.0.F.19.10 and the original version of newflasher (without my hack) to B partition.
Still boot loop in the SONY logo. When I go into fastboot mode and set the active partition to A it boots up into Android. When I set back to B it is in the boot loop.
[I also tried when B partition is active to lock it again and unlock it. The commands were successful but still in boot loop.]
Any ideas?

@bartcubbins
Contributor

I'll try something when I have time and get back to you with an answer

@bartcubbins
Contributor

I've built otapackage and successfully installed it on each slot, so the problem is probably on your customization side. I'll take a look at the provided log in the very first message and point out a possible problem.
And I also recommend you to update your device at least to 64.1.*. Flash the stock to the first slot, change the slot to another and flash again to avoid possible problems with version mismatches.

@floloescher
Author

floloescher commented Feb 1, 2024

Hi Pavel, this is awesome to hear.

We still are not successful and stuck in a bootloop (on Partition B - Partition A works fine).

Could you please provide us the exact setup for the official AOSP build as provided by Sony for the Xperia 1 Mk 4?

I am looking for:
XQ-CT54 or CT72?
Official Rom to start from? 64.1.xxx? on both partitions?
Kernel Version? (We were taking the prebuilt 5.10 kernel)
Bootloader Version?
Which version of the OEM.img?
Maybe some screenshot of the Flashed partitions and if necessary a certain order.

This would help us a lot - thanks!

PS.
I guess, if we manage to boot from Partition B, also the OTA should work

@inf265

inf265 commented Feb 3, 2024

Where can I download a 64.1.xxx stock rom to flash to both partitions?

@jerpelea
Collaborator

jerpelea commented Feb 5, 2024

64.1.A.0.857 is available in flashtool

@bartcubbins
Contributor

Use Sony flash tool (Emma) or if you want to use third-party software, you can download the firmware using XperiFirm.

Flash the first slot, then change it to another with fastboot --set-active=(a/b) and flash again.
Flash your device with AOSP using the command fastboot flashall or similar. Flash the ODM image.
Try to boot, if the device boots, make an otapackage, reboot into recovery and try to flash it using adb sideload aosp_*.zip. Check whether the device boots or not. If the device boots, check the current active slot.
Please note that the ODM is always located in slot _a (fstab.nagara).
This is a real partition, which means that even after switching the slot it will still be used.
