I finally figured out how the BigStorage ROM works.
At locations 7E32h & 211E32Eh (in the sd-card dump) the size of the Storage folder is defined. (atleast in the 1.11wwe I'm using. In other rom's the locations might differ a bit)
In the original rom those locations both contain 80 00 (notation is least significant byte first),
which means the size of the storage is 00800000h (= 8 MB)
The Storage is followed by the Ext_ROM of 01300000h (= 19 MB)
Finaly there's a piece of 00080000h (0.5 MB) which is unused.
So if you want to use all that space for your Storage-folder, the size of that folder would be 800000h+1300000h+80000h = 01B80000h
This means the value at locations 7E32h & 211E32Eh should be B8 01. (which is exactly the same value as you'll find in the Anansky-roms)
The only thing you have to do to get BigStorage, is to change those 2 values.
Because after you have flashed such a patched rom back, upon booting it for the first time, it notices that the Storage folder is wrong, so it starts to format it.
During this time the phone seems to hang at the splashscreen, but after 5 minutes or so, it continues and displays the screen alignment wizard.
So the easiest way to get big storage is:
1. dump current rom to SD-card
2. put the SD-card in a Cardreader
2a. optionally copy the rom to your pc, for backup purposes
3. use a DiskEditor straight on the SD-card to change 80 00 into B8 01 at locations 7E32h & 211E32Eh
4. put the SD-card back in your phone and flash it back.
5. hard-reset and wait a couple of minutes
Thank you This solves the ntrw problem on writing image to card. What I can say more errors in ntrw during writing are made because of partial block at the end, if image is a multiply of 256kB blocks than there are no error message in this case flash image shoud have exactly 64MB
Good work DrChain!!!
But it's important to mention that the indicated locations to make the changes (7E32h & 211E32Eh) are not the same ones in all the versions of ROM.
Greetings :wink:
So, the key point is how to locate where the 2 location should be modified to "b8 01". Could you please show me some hints?
I just have my O2 mini upgraded to 1.12.00WWE and would like to modify it to bigstorage, thanks a lot!!
palmVer said:
So, the key point is how to locate where the 2 location should be modified to "b8 01". Could you please show me some hints?
I just have my O2 mini upgraded to 1.12.00WWE and would like to modify it to bigstorage, thanks a lot!!
Click to expand...
Click to collapse
You need to do a search for "00 00 80 00", unfortunalty you'll find it a lot.
The first place should be a couple of pages above "KERN.pdb" (= a couple lines beneath "Update_TAD_From_Kernel_Charging"
The second place should be a couple of lines above "PSMFSD.pdb"
Hope it helps
Success in Creating BigStorage ROM for Chinese 1.11 version
I used a simple method
- search for 02 00 00 80 00 20 20 00 00 and there are only two locations.
Thanks to the insights from Anansky, MKS, DrChair, ... and I managed to create the BigStorage ROM for Dopod 818 in Chinese.
I changed 80 00 to b8 01 at locations 00007e4a and 01fc232e.
The above search method applies to other ROM versions as well. I have tried it successfully with English versions of O2 mini, i-mate JAM and T-mobile.
nice work guys .....
I like the idea of hacking for BigStorage, but I don't like other stuff being forced on me at the same time (boot pic). So for me this is rather cool. Thanks!
What to hack next?
which DiskEditor you have used?
Tnks,
Ale
DrChair said:
palmVer said:
So, the key point is how to locate where the 2 location should be modified to "b8 01". Could you please show me some hints?
I just have my O2 mini upgraded to 1.12.00WWE and would like to modify it to bigstorage, thanks a lot!!
Click to expand...
Click to collapse
You need to do a search for "00 00 80 00", unfortunalty you'll find it a lot.
The first place should be a couple of pages above "KERN.pdb" (= a couple lines beneath "Update_TAD_From_Kernel_Charging"
The second place should be a couple of lines above "PSMFSD.pdb"
Hope it helps
Click to expand...
Click to collapse
Here was what I did:
1/ Flash my O2 to 1.12 using the official released ROM
2/ Dump the OS to my SD card (256MB), ntrw to my PC
3/ Use HEX editor to locate the "80 00" at 7e32 and 211e32e and modified them to "b8 01", ntrw back to my SD (256MB)
4/ start PPC in bootloader mode with SD card inserted.... after a few seconds, screen showed "ROM size isn't enough"....
Any idea where went wrong?
Thanks.
Re: Success in Creating BigStorage ROM for Chinese 1.11 vers
Just recognize it's a bit difference between DrChair's and Talents' quoted method:
DrChair: looking for 80 00 and change it to b8 01
Talent: looking for 08 00 and change it to b8 01
Clarification from 2 gentlemen please
DrChair said:
You need to do a search for "00 00 80 00", unfortunalty you'll find it a lot.
The first place should be a couple of pages above "KERN.pdb" (= a couple lines beneath "Update_TAD_From_Kernel_Charging"
The second place should be a couple of lines above "PSMFSD.pdb"
Hope it helps
Click to expand...
Click to collapse
Talents said:
I used a simple method
- search for 02 00 00 08 00 20 20 00 00 and there are only two locations.
Thanks to the insights from Anansky, MKS, DrChair, ... and I managed to create the BigStorage ROM for Dopod 818 in Chinese.
I changed 08 00 to b8 01 at locations 00007e4a and 01fc232e.
The above search method applies to other ROM versions as well. I have tried it successfully with English versions of O2 mini, i-mate JAM and T-mobile.
Click to expand...
Click to collapse
My apologies - it should have been changing 80 00 to b8 01.
Talents said:
My apologies - it should have been changing 80 00 to b8 01.
Click to expand...
Click to collapse
Finally, I got it. I tried the same image using different PC and card reader, it works!!
Thanks a lot.
Nice...
Is it possible to create a small ext_rom (~5MB) and the other space to storage? This would be nice to create our own ext_rom without loosing any space.
How to make your own ext_rom from DrChair (thaks!)
I recently managed to make my own ExtROM for my Magician.
A short howto:
1. First dump your rom to a SD-card, using the well know method.
2. Next get the rom to your pc, using ntrw
3. Using a Hex-editor, copy 2BC019C (HEX) till 3EC019C (HEX) to a file.
4. Mount that file as a virtual Harddisk (I use the virtualdisk-plugin for total commander)
5. Modify your ExtROM on that Virtualdisk.
6. Umount the Virtualdisk.
7. paste the contents of the (modified) file back into the rom-file, at precicly the same position and save it under a different name.
8. put the modified rom back onto your SD-card, using ntrw.
9. Flash your Magician, with the new rom.
Have fun with your modified ExtRom
Click to expand...
Click to collapse
What do you think?
Pam
Sorry!
i have found the right post.
http://forum.xda-developers.com/viewtopic.php?p=127612#127612
Sorry, but can someone explain to me how I am supposed to search for these 2 locations?
I have Hex Editor, but I can't seem to locate them.
I have no idea on what I'm doing.
Thanks.
Could the reason why I'm having difficulty with locating the 2 locations is because I am trying to locate them on the file which is stored on my PC as opposed to the file on the SD card?
I can't actually access the file on the SD as each time I do so, it keeps asking me if I want to format it.
jian said:
Could the reason why I'm having difficulty with locating the 2 locations is because I am trying to locate them on the file which is stored on my PC as opposed to the file on the SD card?
I can't actually access the file on the SD as each time I do so, it keeps asking me if I want to format it.
Click to expand...
Click to collapse
1/ use romupdate.exe to dump the ROM to the SD card
2/ place the SD in a external card reader, and use ntrw.exe to dump the ROM image in the SD to your PC (ie. execute the "ntrw read filename.nb1 x:" command in your PC, where filename.nb1 would be the ROM image file, and x is your SD card reader drive)
3/ use Hex Editor to open the filename.nb1 in your PC
4/ use the FIND function to locate "02 00 00 80 00 20 20 00 00" and change it to "02 00 00 b8 01 20 20 00 00"
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
5/ save the file as "filename_new.nb1" and execute "ntrw write filename_new.nb1 x:"
6/ put the SD card back to your PPC, start bootloader mode... wait... press Power button.... wait... 100% flashed with checksum error .... soft reset .... wait for several minute at splashscreen.... done!
Thanks!
This is actually what I'm doing but I am still unable to locate the two locations.
Can you reload the image? I can;t see it.
Thanks again
OK, think I've done it.
Was searching in the ASCII field!
Thanks for your help!
Related
This is a work in progress and I think I'll need some help...
I was trying to figure out how to mod the splash screen, but have a few questions.
I found the splash screen in the 8.2.3.9 firmware, but haven't found it yet elsewhere. And it has changed with the 8.4.4.11 firmware and I can't track where the changes are coming from.
In the 8239 firmware, I unpacked the blob, split the LNX and SOS partitions, and gunziped the ramdisks. There is an .rle file in there, which turns out to be some version of a headerless run length encoded file. Or maybe all rle files are headerless? Whichever it is, they sure talk funny.
I converted it to a .bmp and it appears to be the splash screen. It's upside-down and in the 556 format, which is how I would expect the splash screen to be.
There are also some battery indicators that I never saw on my TF, so I wonder if the splash screen is a red herring?
I converted the files to jpg, but left the peculiar orientation.
So the questions at large:
1) was there a different splash screen before the 8.2.3.9 firmware?
2) where is the splash screen stored?
3) how did the splash screen get updated in the 8.4.4.11 version?
4) Is the nvidia tag just superimposed? If it's just a 'patch' then it will be a needle in a haystack to find the right pattern- where should we look?
5) or maybe forget looking and just figure out how/where the splash screen gets loaded. In full format, it should be 2.1 MB
6) does the TF leave the splash screen "compressed" and just inflate it at boot time? It seems to load up too quickly.
Here's the run down on what I did.
blobby booty tools
https://github.com/AndroidRoot
I used a different split_boot tool, but I assume it should be the same result.
The file format of the rle file is as follows: Data are ordered in 4 byte sets. 2 bytes for the count and 2 bytes for the data. Read the count and data, and write the data x times, based on the count. The count is little endian, so the first byte of the count is the least significant. For example, 02 00 AA BB would represent AABB AABB, and 02 01 AB AB would be ABAB repeated 258 times. If you do it correctly, the resulting file should be 2,048,000 bytes long. Toss on a header for a 1280x800 556 BMP file and it will pop up.
I'm not a programmer, so this script might be rough. I wrote it by google'ing stuff on the internet.
Code:
#!/usr/bin/env python
import os
bytes = os.path.getsize('EeePad_bootup_first_page.rle')
print(bytes)
in_file = open('EeePad_bootup_first_page.rle', mode='rb')
out_file = open('eeepad.bmp', mode='ab')
while bytes > 0:
loop1 = int(in_file.read(1).encode('hex'),16)
loop2 = int(in_file.read(1).encode('hex'),16)
data = in_file.read(2)
loop = loop2 * 256 + loop1
print(bytes,loop,loop1,loop2,data)
while loop > 0:
out_file.write(data)
loop -= 1
bytes -= 4
in_file.close()
out_file.close()
70 byte header for the BMP file- paste it at the head of the bmp file
Code:
42 4D 46 40 1F 00 00 00 00 00 46 00 00 00 38 00 00 00 00 05 00 00 20 03 00 00 01 00 10 00 03 00 00 00 00 40 1F 00 13 0B 00 00 13 0B 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 E0 07 00 00 1F 00 00 00 00 00 00 00
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Lastly, maybe someone has already figured out how to mod the splash screen, but I've only seen boot animations, not the actual splash image. Then again, I haven't flashed too many roms on the TF yet.
I've combed most of this forum and i havent seen this yet,this would be an awesome mod.
Interesting about the battery meter, since the Transformer doesn't seem to like charging while it's powered off. Perhaps they were planning on not adding the annoying 'turns on as soon as you plug it in" feature and they changed their minds?
Either way, to be honest I'm fine just modding the bootanimation.zip since the first splash screen only last about a second under normal circumstances.
Shawn_230 said:
Interesting about the battery meter, since the Transformer doesn't seem to like charging while it's powered off. Perhaps they were planning on not adding the annoying 'turns on as soon as you plug it in" feature and they changed their minds?
Either way, to be honest I'm fine just modding the bootanimation.zip since the first splash screen only last about a second under normal circumstances.
Click to expand...
Click to collapse
Yes i'd like to see more boot animations,s6261 is pumping them out here hes taking requests also.
On the Viewsonic Gtablet, another TegraII device, the splashscreen was in its own partition, typically 6 or 7. The only thing on that partition was a raw bmp, and taking a dump of the partition with nvflash and opening the resulting file in paint revealed the splashscreen. No idea what it would be like on the TF, but I wouldn't be suprised if it was a lot more complicated.
I've read somewhere that the rle file is a raw image file. Try open it via Photoshop or Gimp
2) where is the splash screen stored?
Click to expand...
Click to collapse
I'm no expert, but I think the splash image reside in the bootloader(EBT/partition4). EBT in 8.4.4.11 updates is larger than previous version.
Q: Anybody know how to extract the EBT.img file. I've succesfully the extract the blob via blobtools.
whirleyes said:
I've read somewhere that the rle file is a raw image file. Try open it via Photoshop or Gimp
Click to expand...
Click to collapse
Gimp 2.6 doesn't recognize the format, but I would guess that it needs a header. Besides, I already read the file.
whirleyes said:
I'm no expert, but I think the splash image reside in the bootloader(EBT/partition4). EBT in 8.4.4.11 updates is larger than previous version.
Q: Anybody know how to extract the EBT.img file. I've succesfully the extract the blob via blobtools.
Click to expand...
Click to collapse
The EBT blob in the 8.4.4.11 is 1.5M, which is too small to be a whole bmp, but maybe it just patches the existing boot screen. It is bigger than the previous updates, which are both around 920K.
I thought that partition 4 was encrypted? I think there might be a second key, but nvflash is a new one for me.
I can see, based on the MD5 hash that the EBT partition pulled via nvflash is unchanged between 8.2.3.9 and 8.4.4.5, but it changes in 8.4.4.11. Not sure what the changes are?
The BCT, EBT, LNX, pulled via nvflash, all change between 8.2.3.9/8.4.4.5 and 8.4.4.11. and are all big enough to hold a boot screen. LNX is unpackable with Android! magic and doesn't have anything interesting. EBT seems to be largely empty space. Would any of these partitions be compressed or compressed by nvflash?
I'm sure the splash is inside the bootloader(EBT)
8.2.3.9 bootloader.bin is around 920k, while 8.4.4.12 bootloader.bin is around 955k.These files is extracted from the blob.
flashing them via nvflash confirm it. LNX partition has nothing to do with it.
whirleyes said:
I'm sure the splash is inside the bootloader(EBT)
8.2.3.9 bootloader.bin is around 920k, while 8.4.4.12 bootloader.bin is around 955k.These files is extracted from the blob.
flashing them via nvflash confirm it. LNX partition has nothing to do with it.
Click to expand...
Click to collapse
It is stored in the bootloader.bin file - blob.EBT
Roach2010 said:
It is stored in the bootloader.bin file - blob.EBT
Click to expand...
Click to collapse
So how is it stored? The bootloader files are too small to hold the whole image and I don't see anything that looks like the .rle file.
I'm guessing it's encoded some other way. In theory, if we can figure out how it's stored, we can mod the bootloader and then reload it to change the boot screen. Do you think that will work?
gee one said:
So how is it stored? The bootloader files are too small to hold the whole image and I don't see anything that looks like the .rle file.
I'm guessing it's encoded some other way. In theory, if we can figure out how it's stored, we can mod the bootloader and then reload it to change the boot screen. Do you think that will work?
Click to expand...
Click to collapse
I was thinking it must be compressed. I have compared the hex of the two bootloaders from 8.4.4.5 and 8.4.4.11 and tbh I couldn't make much sense of them but by flashing each of these as blobs I was able to switch back and forth between the splash images.
Yup, I did that too, although I had a brick in between
The rle file is already compressed and seems to make a lot of sense for a boot time image- it will load faster than reading the raw data and doesn't take much to decompress.
I think the image is in some form of rle format, but it's either cyphered or obscured in some way. Do you know if the bootloader signed or hashed?
The ends of the files are fairly similar- start there and work backwards about 43,000 bytes, give or take.
That area looks about right to me for cyphered rle data.
Awesome, I was just thinking about this some time ago. Tried to emulate a splashscreen here, but a "legit" mod would be great.
To do this you will need an Hexadecimal editor and have root access to your phone.
FIRST MAKE A BACKUP OF EFS PARTITION!USE GOOGLE FOR HOW-TO
Steps:
1. Make a full backup of the /efs folder
2. Get the nv_data.bin file located in /efs
3. Open it with an hexa editor (like WinHex)
4. Go to line 181460 and modify from 01 00 00 00 00 to 00 00 00 00 00
5. Copy the modified nv_data.bin file into /efs
6. Set the appropiate owner user and group doing chown 1001.1001 nv_data.bin
7. Remove the nv_data.bin.md5 file
8. Reboot your phone
9. Enjoy!!
LOCKED
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
UNLOCKED
ADB commands:
# su
# cd /efs
# cp /sdcard/nv_data.bin /efs/nv_data.bin
# rm nv_data.bin.md5
# chown 1001.1001 nv_data.bin
# reboot
To check it you can do *#7465625# and verify that Network Lock is [OFF]
I hope it can be useful for you.
I AM NOT RESPONSIBLE IF U SCREW UP UR PHONE....IF U DONT DO THIS CORRECTLY,U WILL SCREW UP UR /EFS PARTITION AND YOU WOULD NOT BE ABLE TO USE NETWORK!!
Hi,
this method doesn't work.
The main problem is that this file doesn't exist in I9001.
This method is similar if it is not the same that the one used for I9000 (I'm not sure if is the same address in the file)
Regards
sugggus said:
Hi,
this method doesn't work.
The main problem is that this file doesn't exist in I9001.
This method is similar if it is not the same that the one used for I9000 (I'm not sure if is the same address in the file)
Regards
Click to expand...
Click to collapse
ok...can u attach your /efs folder and pm me?
i am pretty sure all android phones have these files
which files u dont have?
Yep... file nv_data.bin doesn't exist on 9001. Made search on whole phone.
sh!t happens..........................
ok,so any "similar file"?
Hi Sakindia,
this is what I see:
- .files
.dj550 (folder)
empty
.jck12 (folder)
empty
.ssh01 (folder)
empty
keystr (file)
- lost+found (folder)
empty
Ther are 2 folders, the first one has 3 empty folders and one file (keystr) and the second one is empty.
Any solution for us?
Regards
this is /efs partition,right?strange............
sakindia123 said:
this is /efs partition,right?strange............
Click to expand...
Click to collapse
Hi,
yes, this is the /efs folder.
regards
has anyone tried any app?since this doesnt work,thats the last resort
Hi,confirm that it does not work on my phone.
file nv_data.bin doesn't exist
sakindia123 said:
has anyone tried any app?since this doesnt work,thats the last resort
Click to expand...
Click to collapse
hi sakindia, wise forum people, any alternative?
i have root and i9001XXKP4, european Vodafone lock (Spain).
Have been searching and trying out all the free apps available in the market, incl. sgs2 apps. Nothing works.
SGS unlock complains about a busy box error, but i think it just cant find the i9000 file its looking for.
Having to pay for IMEI unlock feels like a defeat... i'm finding out too late that the i9001 is a bit of an unsupported niche thing, i guess.
Hope someone comes up with something!!! Cheers
sakindia123 said:
To do this you will need an Hexadecimal editor and have root access to your phone.
FIRST MAKE A BACKUP OF EFS PARTITION!USE GOOGLE FOR HOW-TO
Steps:
1. Make a full backup of the /efs folder
2. Get the nv_data.bin file located in /efs
3. Open it with an hexa editor (like WinHex)
4. Go to line 181460 and modify from 01 00 00 00 00 to 00 00 00 00 00
5. Copy the modified nv_data.bin file into /efs
6. Set the appropiate owner user and group doing chown 1001.1001 nv_data.bin
7. Remove the nv_data.bin.md5 file
8. Reboot your phone
9. Enjoy!!
LOCKED
UNLOCKED
ADB commands:
# su
# cd /efs
# cp /sdcard/nv_data.bin /efs/nv_data.bin
# rm nv_data.bin.md5
# chown 1001.1001 nv_data.bin
# reboot
[...]
Click to expand...
Click to collapse
# cp /sdcard/nv_data.bin /efs/nv_data.bin
Really ???
eBug said:
# cp /sdcard/nv_data.bin /efs/nv_data.bin
Really ???
Click to expand...
Click to collapse
oops...my bad
thanks
...could you be a bit more clear? what is the problem with the instructions? thanks in advance.
senor_coconut said:
...could you be a bit more clear? what is the problem with the instructions? thanks in advance.
Click to expand...
Click to collapse
it doesnt matter really since this method doesnt work.....i9001 doesnt have that file!
Hi,we are awaiting a new method..........
sakindia123 said:
it doesnt matter really since this method doesnt work.....i9001 doesnt have that file!
Click to expand...
Click to collapse
Or we don't see it.
promi said:
Or we don't see it.
Click to expand...
Click to collapse
As u say maybe it`s hidden
Try to root your phone and install ES File Explorer from Market.
Maybe u will find it
I know that root is needed to access /efs.
I just stated that maybe this file is hidden somewhere.
EFS doesn't exist in I9001
The problem is that despsite you are toot and you can navigate through this folder, it seems to be almost empty and the NV_DATA.bin is not found inside.
Regards
To begin with, you need a hex editor, HxD - Freeware Hex Editor is a great editor and it is very small(less than an MB). Then you need a baseband to edit, you need to locate the file named ' appsboot.mbn '.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
That file contains the partition tables, remember this tutorial is about editing the partition tables not extending your physical memory.
So, lets get cracking. Open HxD from programs and open the appsboot.mbn file, now press F3 and search for ' cache ' and press F3 until you see something like this
.
As you can see the highlighted section of the picture
,
there are a few repetitions of ' F0 F0 F0 F0 xx ' multiple times, you are concerned with only the first two /system and /cache partitions respectively.
Remember, you don't need to specify the partition size for /data as it is done automatically when you flash the baseband.
Now back to the hex editing part, once you've decided how much space(in MBs only) you wanna allocate to /system and /cache use this link to Convert hex/dec and select the two digits after the F0 F0 F0 F0 like in this pic
and type the hex number for example in the screenshot B4 in hex equals 180 in decimal, which means /system is allocated 180 MB of space and do the same with Cache, I would recommend allocating 10 MB to it as you hardly ever use it. Then flash the baseband like you normally do through Fastboot.
If you have any doubts ask me and I will do my best to clear things to you. Click Thanks if I helped you, doesn't cost anything
Anil_Sharma said:
To begin with, you need a hex editor, HxD - Freeware Hex Editor is a great editor and it is very small(less than an MB). Then you need a baseband to edit, you need to locate the file named ' appsboot.mbn '.
That file contains the partition tables, remember this tutorial is about editing the partition tables not extending your physical memory.
So, lets get cracking. Open HxD from programs and open the appsboot.mbn file, now press F3 and search for ' cache ' and press F3 until you see something like this
.
As you can see the highlighted section of the picture
,
there are a few repetitions of ' F0 F0 F0 F0 xx ' multiple times, you are concerned with only the first two /system and /cache partitions respectively.
Remember, you don't need to specify the partition size for /data as it is done automatically when you flash the baseband.
Now back to the hex editing part, once you've decided how much space(in MBs only) you wanna allocate to /system and /cache use this link to Convert hex/dec and select the two digits after the F0 F0 F0 F0 like in this pic
and type the hex number for example in the screenshot B4 in hex equals 180 in decimal, which means /system is allocated 180 MB of space and do the same with Cache, I would recommend allocating 10 MB to it as you hardly ever use it. Then flash the baseband like you normally do through Fastboot.
If you have any doubts ask me and I will do my best to clear things to you. Click Thanks if I helped you, doesn't cost anything
Click to expand...
Click to collapse
Thanks ws waiting fr this frm a long tym
Great Guide keep going on...........
@everyone instead of quoting whole OP ..
you can just type @op
The Droid Master said:
Great Guide keep going on...........
Click to expand...
Click to collapse
Usb diagnostics port change next Too many people fall for that
AMAZING GUIDE.... BLOWN MY MIND OFF !!!! :laugh:
good
TWRP 3.2.2 Unofficial Port
ZTE Blade A521
(Qualcomm MSM8909)
Greetings everyone at XDA. I'm very happy to tell you that I managed to make my first working port of TWRP for the ZTE Blade A521 (a.k.a P809F10), with a Qualcomm MSM8909 chipset. This device had been forgotten in the developers' scene due to the fact that there was no possible way to unlock its bootloader, leaving this phone with no rooting or development possibilities. However, thanks to the developer alexenferman's post:Bootloader Unlocking on older Qualcomm ZTE Devices, /Devinfo partition modificationIt is now possible to permanently unlock its bootloader and therefore,flash unsigned images. Thus, i'm glad to now show you this unofficial port of mine to this old and forgotten device. As this device's sources are still not released by ZTE, it is not possible to compile TWRP or ROMS from source, only ports available. Still watiing for them thougt.
Download:
UniTouch/ZTE-Blade-A521-P809F10-TWRP-3.2.2-Unofficial-
First release of the unofficial port of TWRP fo this device - UniTouch/ZTE-Blade-A521-P809F10-TWRP-3.2.2-Unofficial-
github.com
Installacion Requisites:
Unlocked Bootloader (Check alexenferman's post: https://forum.xda-developers.com/t/...vices-devinfo-partition-modification.4100897/)
PC with ADB Installed (and Drivers)
Qualcomm QDLoader 9008 Drivers installed
MSM8909 Firehose Programmer Collection (https://github.com/programmer-collection/zte)
QPST Tool (Latest Version) (Not portable)
HxD-Hex Editor
Magisk Patched Boot Image (Attached to this post)
TWRP Recovery file
Brain and WIll
IMPORTANT: Prior to this procedure, you must make sure your device is the one listed here, as there are two available versions of it. There's a Mediatek ZTE Blade A521, and there's a Qualcomm version, to which this post refers. (You can check this on Settings>About Phone). Also, make sure your device's Android version is 7.1.1. and that it matchs this fingerprint: ATT_MX_BA521_V1.0
Otherwise, I'm not sure it will work. If you dont match the fingerprint, but you match the device, you might be able to unlock bootloader and flash the recovery, but you wont be able to use the attached patched Boot Image, and thus, maybe the recovery wont work, as this device has dm_verity on boot, and it has to be patched for the recovery to fully boot. If you dont want to use my atttached boot image, you can patch your stock boot image yourself and flash it with QFIL.
DISCLAIMER: I´m not responsible for whatever you may do to your phone. Everything you do with these instruccions is under your own responsibility.
Procedure:
First of all, you need to unlock this device's bootloader. You can follow the posted method above, but for more detailed instruccions (and considering there's no development for this device at all) ,I decided to show you how myself. If you already did this, you can jump straight to step
Unlocking ZTE Blade A521's Bootloader
On the phone, get to the Developer Options and enable OEM Unlock. ( Tick 5 times on Build number on Settings>About phone. Now go to Settings>Advanced Settings>Developer Options>OEM Unlock). Also enable USB Debugging. Done this, connect the device to PC.
Now you have to open QFIL tool and ADB Terminal to continue. (by this time, you should have installed all required tools and drivers for this to work. QFIL Portable tool wont work, as it wont recognize the device. It has to be the installable Software of QPST.) On QFIL, tick Flat Build , and select the Firehose programmer you downloaded before (zte-master\BLADEA521\prog_emmc_firehose_8909.mbn). With this tool opened and the device plugged in on the pc, send these commands on ADB:
adb devices
adb reboot edl
The phone will turn off and a red LED will turn on in the device. Now, quickly check if QFIL Tool detected the phone, and click on Tools>Partition Manager, then click OK. ( This last procedure has to be done fast, as the phone will turn EDL Mode off after 30 seconds) After some seconds. if you did it all right, it should show something like this:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Now do right click on the devinfo partition and only select Manage Partition Data. It will show this:
Now click on Read Data and wait for it to finish. Do not unplug the device, and DO NOT click on Close yet. Now get to the file created in the directory stated on the log (Mostly %appdata%/Roaming/Qualcomm/QFIL/) and right click on such file, then open it with HxD Editor. It has to show this:
As stated in alexenferman's post, you must edit some numbers in this file. If you want more info about what you are doing, check the original post. (https://forum.xda-developers.com/t/...vices-devinfo-partition-modification.4100897/)
Edit this (At the first line):
41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
to this:
41 4E 44 52 4F 49 44 2D 42 4F 4F 54 21 00 00 00
01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
After that, save the file, go back to QFIL and click on Load Image. Select the file you just edited. then click on Close, Close again, then OK. The device will boot normally now. Do not unplug the device yet. When the phone has fully booted, send "adb reboot edl" command again, and follow the stated procedure until you get to the partition manager. There, right click on the Recovery partition, (Make sure you are actually clicking on the Recovery partition, as it could happen that you are managing another partition). Click on Load Image, and select the TWRP Recovery image. After flash finished, Click on Close, DO NOT CLOSE PARTITION MANAGER YET. Now, do right click on the Boot partition, Load Image and flash the patched boot image attached (or you can also flash your own patched boot image). Done this, click on Close, Close again and then click on OK.
Now you have to remove the phone's battery and press Volume Up + Power until phone turns on. If TWRP shows up, you are done . If it didnt show up, check if you followed every direction stated above. If you have problems please let me now in the comments.
This Recovery is unofficial, and thus, it might have bugs and issues. If you find one, please state it below.
Special Thanks to TwrpBuilder for his port of TWRP to the ZTE Maven 3, from wich this port was made.
Enjoy
Thanks for your contribution
I use the QUIL to flash the Chinese version to International version but at the end the serial number is found to be changed to 0123456789ABCDEF, is there anyway that I can change this to the original serial number please?
Thank you.
I have same situation on my J706F,
same as gary, I also use the QFIL to flash the Chinese version to International version,
before I found Serial Number restore to 123456789ABCDEF, I found screen auto rotate failed and bluetooth unavailable to pair with other devices,
auto rotate and bluetooth can be fix when reflash presist.img, solved.
latest problem is Serial Number(123456789ABCDEF), wifi & bluetooth MAC address shows 00:00:00:00:00:00:00:00
I think dump QCN, modify and flash back can get back my Serial Number, But I don't know the address in QCN belong to Serial Number, Any idea or instruction? please~
SN is in NV_item 2497
Spoiler: pic
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
You see changed SN (by me, my true SN is HA1C.....). KRXX - country Korea.
You can change this two parameters with NV-items_reader_writer.
Thanks~f1tm0t, I will try NV items reader writer
besides, do you have idea where is wifi MAC and bluetooth MAC?
or after write back Serial Number both MAC address will show up?
f1tm0t said:
SN is in NV_item 2497
Spoiler: pic
View attachment 5517023
You see changed SN (by me, my true SN is HA1C.....). KRXX - country Korea.
You can change this two parameters with NV-items_reader_writer.
Click to expand...
Click to collapse
auston, I don't know, don't have experience with WF and BT MAC's
I' trying to let my J706F into FFBM and successfully connection through COM and get address 2497(0x09C1)
but only shows:
[NV items]
[Complete items - 0, Items size - 128]
02497 (0x09C1) - Inactive item
Any idea about this? wrong setting on NV_items?
You can try flash my. SN must appear.
f1tm0t, thanks, due to my 2497 dump result is empty (inactivate item), I afraid write back may cause other problem, I'm stop to trying resume serial number on my J706F(until now no critical issue be found even serial number lost),thank you for your information and help~
@auston it looks like you are using NV_items_reader_writer, did you try to backup qcn file with QFIL and then open it with QCNView?
MAC Address is NV item 4678
Bluetooth address 447
MrCrayon said:
@auston it looks like you are using NV_items_reader_writer, did you try to backup qcn file with QFIL and then open it with QCNView?
Click to expand...
Click to collapse
MrCrayon, Yes, I has been into FFBM and dump QCN, and checked content of 2497(DEC, 9C1 in HEX), but can't identify the serial number 123456789ABCDEF as well, So I give up to write back(avoid unexpected issue)As your suggestion, I checked the address 4678 & 447 in DEC, seems both of 447 & 4678 are FF FF FF FF FF.....But the wifi & bluetooth MAC address show on my J706F is 00:00:00:00:00:00
@auston if all your sensible information is already wiped out, serial number, Mac address etc. you could try to upload your qcn file and I can have a look at it.
Be aware I do not know if there is something else you should keep private so you do it at your own risk.
I think I know what you are doing wrong, NV Item 447 does not mean offset 447 in the file.
My bluetooth address is in Item 447 but if I open qcn file with an HEX editor the address is 0x5138.
As I suggested open your qcn with QCNView just to see the data.
Hi,
can anyone please provide me with an a backup of QCN file?
I missed to back up mine and it looks like I have erased this while flashing. "Erase all data was checked ..." my fault
MrCrayon, sorry for late response, the screen capture I dumped QCN for address 0x5138 look like as below,as you mentioned, NV item 477 mapping with QCN address 0x5138, how about Serial Number and wifi MAC in QCN?
Besides, I can get wifi MAC through my wifi AP, seems just display problem on J706F
But bluetooth is failed to pair before, after I write presist.img at fastboot mode become functional even MAC shows 00:00:00:00:00:00 on J706F
@auston since Android 11 (or maybe before) MAC address is randomized, so maybe that's why it's working but I say it would still be better to have the correct one set.
Disclaimer: I did not try this myself since I had no need to do it
To restore values I would change with hex editor, save file and reopen with QCNView to see if it's saved in the right place.
Make sure to have plenty of backups of your qcn file and you are inserting changes in place and not adding.
I'll be able to check later to give you more details for the addresses.
f1tm0t said:
SN is in NV_item 2497
Spoiler: pic
View attachment 5517023
You see changed SN (by me, my true SN is HA1C.....). KRXX - country Korea.
You can change this two parameters with NV-items_reader_writer.
Click to expand...
Click to collapse
I was able to recover my SN, thank you very much
I checked in my two tablets with Global ROM and the addresses are the same but the QCN I had backed up when I received a tablet with chinese rom has slightly different addresses but the preceding bits are the same.
Bluetooth Address starts at 0x5138 and it's preceeded by 88 00 01 00 BF 01 00 00, need to insert as hexadecimal values like AA AA AA AA AA AA.
MAC Address (repeated four times) starts at:
0x84C0 preceded by 88 00 01 00 46 12 00 00
0x8548 preceded by 88 00 01 00 46 12 01 00
0x85D0 preceded by 88 00 01 00 46 12 02 00
0x8658 preceded by 88 00 01 00 46 12 03 00
Same format as Bluetooh address all
SN starts at: 0x891E
8 ascii letters followed by:
00 00 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4E 58 58
where 43 4E 58 58 is CNXX, if you change region it will change here.
I have J606F which cannot dump NV item 2497, how can I push back my serial number?
ong14 said:
I have J606F which cannot dump NV item 2497, how can I push back my serial number?
Click to expand...
Click to collapse
You could try to export QCN file and open it with QCNView, look for NV_FACTORY_DATA, then you'll have to find where to edit the file to reinsert the Serial Number.
Or you can ask someone else with J606F to check where the serial number is located.