Samsung I9300 (S3 GSM) baseband analysis - Android Software/Hacking General [Developers Only]

I am not sure if this is the right place, mostly because I don't know how someone else would categorize this info. Mods exist for a reason; today that reason might be to move this to the correct place.
According to Google, some of this is new info and some is old.
I dumped /dev/block/mmcblk0p7 which appears to be the baseband firmware. It is not compressed or encrypted but rather appears to be a filesystem of some sort.
I have identified that they are using RTOS.com's ThreadX and TraceX.
I identified a zip file which indicates the authors used IBM Rational ClearCase
I identified another zip file which is a process trace, attached here for convenience.
There is a file that appears to be DES-encrypted with mcrypt 2.2 (not compatible with 2.4). 56-bit key, so it should not take terribly long to brute force. As I still do not have a firm grasp on the structure of the 32M disk dump, I do not know where the key might be. I also do not have an idle system with sufficient capacity to deal with this in a timely fashion. Anyone got some FPGAs from the old bitcoin days?
There are probably some additional things I will eventually find. I have to go away for a few days so I won't be able to work on this until I return. I am going to look through ThreadX to see if that sheds light on the file format (they have a free demo download). The only other thing I can think of off the top of my head is that maybe the chip itself expects a specific filesystem.
Maybe this post will spur some people to start looking into it more (or publish what they have if they have looked into it).

I have done further digging.
Firmware header - first 512 bytes
Name ... about 0xD is the offset for that section ... about 0x15 is the size of that section
PSI - start at 0x1000 length 0xE000
EBL - start at 0xF000 length 0x019000
MAIN - start at 0x28000 length 0x9D7800
SECPAC - start at 0x9FF800 length 0x800
NV - starts at 0 length 200000 (it's from /efs/nv_data.bin)
It becomes easy to see where the start and size offsets are in the header as well. This also tells me the chip is set to little-endian mode (ARM11-based). There is still some data whose purpose I do not know.
I got a bunch of false positives from binwalk suggesting there is LZMA compressed data. None of it validated.
Baseband file XXELLA
Target File    MD5 Checksum
ebl            e68042d611aef558dc525009e03d2e50
main           99e7aa119c684b1b569dcc1ec867112a
nv_data.bin    5707f4f934b4ad2a4ee4a7530b92073d
psiram         7e3fe83c24c7e1a6b9110cd68e7564e6
secpac         91cb74b48e35f0f6d61f298d841af59a
MAIN is the only one that had anything at all.
gzip compressed data, was "config_spec.txt", from NTFS filesystem (NT), last modified: Fri Dec 21 21:02:29 2012
mcrypt 2.2 encrypted data, algorithm: DES, mode: CBC, keymode: MD5 hash
Zip archive data, at least v2.0 to extract, compressed size: 37806, uncompressed size: 200962, name: "trace.dec"
config_spec.txt just says "No ClearCase Config Spec available"
trace_dec.zip is attached above
The mcrypted file is being brute-forced, slowly ... very slowly, on 1 core of a busy system. I will likely abort it because it is not going to finish in a reasonable time.
512 bytes of the disk image
Code:
00000000 50 53 49 52 41 4d 00 00 00 00 00 00 00 10 00 00 |PSIRAM..........|
00000010 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 |................|
00000020 45 42 4c 00 00 00 00 00 00 00 00 00 00 f0 00 00 |EBL.............|
00000030 00 00 00 60 00 90 01 00 00 00 00 00 00 00 00 00 |...`............|
00000040 4d 41 49 4e 00 00 00 00 00 00 00 00 00 80 02 00 |MAIN............|
00000050 00 00 30 60 00 78 9d 00 00 00 00 00 00 00 00 00 |..0`.x..........|
00000060 53 45 43 50 41 43 4b 00 00 00 00 00 00 f8 9f 00 |SECPACK.........|
00000070 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 |................|
00000080 4e 56 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 |NV..............|
00000090 00 00 e8 60 00 00 20 00 00 00 00 00 00 00 00 00 |...`.. .........|
[rest is null]
00000200
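As an added example (not code from the thread), here is a parser for the 512-byte section table shown in the dump above, with a layout sanity check a reviewer would want before trusting the offsets. The field layout it assumes (32-byte entries: a 12-byte NUL-padded name, a little-endian 32-bit start offset at +0x0C, an unidentified dword at +0x10 and a little-endian 32-bit length at +0x14) is inferred from that dump, not from any documentation, and the 32 MiB image size is the one stated in the post.

```python
import struct

# Layout inferred from the thread's hexdump (an assumption, not a documented format):
#   +0x00  12-byte NUL-padded section name
#   +0x0C  u32 LE  start offset of the section within the dump
#   +0x10  u32 LE  unidentified in the thread (reported, not interpreted)
#   +0x14  u32 LE  length of the section
#   +0x18  8 bytes, zero in the dump
ENTRY_FMT = "<12sIII8x"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 0x20
HEADER_SIZE = 0x200                          # "first 512 bytes"
IMAGE_SIZE = 32 * 1024 * 1024                # the 32M dump described in the post

# The first 0xA0 bytes of the header, transcribed from the hexdump above;
# the post says the rest of the 512 bytes is null.
_HEADER_HEX = (
    "50534952414d00000000000000100000"   # PSIRAM  start 0x1000
    "0000000000e000000000000000000000"   #         length 0xE000
    "45424c00000000000000000000f00000"   # EBL     start 0xF000
    "00000060009001000000000000000000"   #         length 0x19000
    "4d41494e000000000000000000800200"   # MAIN    start 0x28000
    "0000306000789d000000000000000000"   #         length 0x9D7800
    "5345435041434b000000000000f89f00"   # SECPACK start 0x9FF800
    "00000000000800000000000000000000"   #         length 0x800
    "4e56000000000000000000000000a000"   # NV      start 0xA00000
    "0000e860000020000000000000000000"   #         length 0x200000
)
HEADER = bytes.fromhex(_HEADER_HEX).ljust(HEADER_SIZE, b"\x00")


def parse_section_table(header):
    """Return the section entries found in the 512-byte header, in table order.

    The table ends at the first entry whose name field is all zeros.
    """
    if len(header) < HEADER_SIZE:
        raise ValueError("need at least %#x header bytes" % HEADER_SIZE)
    sections = []
    for offset in range(0, HEADER_SIZE, ENTRY_SIZE):
        raw_name, start, unknown, length = struct.unpack_from(ENTRY_FMT, header, offset)
        name = raw_name.rstrip(b"\x00")
        if not name:
            break
        sections.append({
            "name": name.decode("ascii"),
            "start": start,
            "unknown": unknown,
            "length": length,
        })
    return sections


def check_layout(sections, image_size=IMAGE_SIZE):
    """Sanity-check a parsed table before trusting its offsets.

    Reports sections that overlap the header or each other, that run past the
    end of the image, or whose length is zero.  Returns a list of problem
    strings (empty when the layout is consistent).
    """
    problems = []
    prev_name, prev_end = "header", HEADER_SIZE
    for sec in sorted(sections, key=lambda s: s["start"]):
        end = sec["start"] + sec["length"]
        if sec["length"] == 0:
            problems.append("%s: zero-length section" % sec["name"])
        if sec["start"] < prev_end:
            problems.append("%s: starts at %#x, overlapping %s which ends at %#x"
                            % (sec["name"], sec["start"], prev_name, prev_end))
        if end > image_size:
            problems.append("%s: ends at %#x, beyond the %#x-byte image"
                            % (sec["name"], end, image_size))
        prev_name, prev_end = sec["name"], max(prev_end, end)
    return problems


def describe(header=HEADER, image_size=IMAGE_SIZE):
    """Print the table in the same form as the post's section list."""
    sections = parse_section_table(header)
    for sec in sections:
        print("%-8s start %#08x length %#08x (unidentified dword %#010x)"
              % (sec["name"], sec["start"], sec["length"], sec["unknown"]))
    for problem in check_layout(sections, image_size):
        print("WARNING:", problem)
    return sections


if __name__ == "__main__":
    describe()
```

On the posted header the five sections come out contiguous (PSIRAM through NV, 0x1000 to 0xC00000) and well inside the 32 MiB image, so check_layout reports nothing.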


Related

Extended ROM customization

Hi,
I'm trying to customize my extended ROM before applying it to my Magician. I've downloaded the latest WWE ROM from the FTP site and extracted all files to a temp folder. I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file. After that, I used a hex editor to cut the first 128 bytes and generate a "main" part to try and open it in WinImage, but so far without success (I'm using itsme's procedure).
Can someone help me find out what I'm doing wrong?
Many thanks.
megalore said:
Hi,
I then used xda3nbftool -t -x ms_.nbf to decrypt the ExtRom file.
Can someone help me find out what I'm doing wrong?
The most recent versions of the updates are in a different format:
check here...
Ok, thanks.
I've tried the perl script you mentioned, but I can't seem to get a readable file in WinImage. I used the following command line:
decode.pl ms_.nbf -f 0xEBFE904D
However, the header (.hdr) is perfectly readable in hexedit, so I assume the "encryption" key is correct.
Am I doing something wrong? :roll:
megalore said:
Ok, thanks.
However, the header (.hdr) is perfectly readable in hexedit, so I assume the "encryption" key is correct.
That's because the header is not XOR "encrypted".
Try with: decode.pl ms_.nbf -f 0x4D90FEEB
not a developer
Hi, I am not a developer and I got to the point where I have the decode.pl from the link in wiki.xda-developers.com... I don't know if that is correct so far, but I don't know how to get this a) from my computer onto the phone and b) if I can then change the Windows language from German to English!?
Hi iDG,
Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage.
Where do you get those keys? Are they extracted from the encoded file, and from what position?
Thanks.
megalore said:
Hi iDG,
Thanks for your reply. I've tried with the key you sent, but still can't mount the FAT16 part in WinImage. Where do you get those keys? Are they extracted from the encoded file, and from what position?
The "key" is the first dword of the unencrypted file. It can be obtained from an SD dump. The value seems to be constant (I've tried several versions).
Can you tell me which version you are trying to decode, so I can do the same here and see what happens?
I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.
megalore said:
I'm using WWE_11200_550_11200 from shipped_ROMS on XDA ftp site.
Works fine here. That's the hexdump of the beginning of the DECODED file:
Code:
00000000 eb fe 90 4d 53 57 49 4e 34 2e 31 00 02 04 01 00 |...MSWIN4.1.....|
00000010 01 00 02 00 98 f8 26 00 26 00 01 00 00 00 00 00 |......&.&.......|
00000020 00 00 00 00 80 00 29 2d 00 f1 07 20 20 20 20 20 |......)-...     |
00000030 20 20 20 20 20 20 46 41 54 31 36 20 20 20 00 00 |      FAT16   ..|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f8 ff ff ff 03 00 04 00 05 00 06 00 07 00 08 00 |................|
00000210 ff ff 0a 00 0b 00 ff ff 0d 00 0e 00 ff ff ff ff |................|
00000220 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 |................|
00000230 19 00 1a 00 1b 00 1c 00 1d 00 1e 00 1f 00 20 00 |.............. .|
00000240 21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00 |!.".#.$.%.&.'.(.|
00000250 29 00 2a 00 2b 00 2c 00 2d 00 2e 00 2f 00 30 00 |).*.+.,.-.../.0.|
00000260 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 |1.2.3.4.5.6.7.8.|
00000270 39 00 3a 00 3b 00 3c 00 3d 00 3e 00 3f 00 40 00 |9.:.;.<.=.>.?.@.|
00000280 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 |A.B.C.D.E.F.G.H.|
00000290 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 4f 00 50 00 |I.J.K.L.M.N.O.P.|
Check with the results on your side, to see if there's something wrong with the perl script...
Yes, that's what I get too. But WinImage shows no files inside it. I don't think it's a WinImage problem, because if I use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, I get a similar decoded file which opens right away in WinImage. If only the encoding part worked fine...
megalore said:
Yes, that's what I get too. But WinImage shows no files inside it. I don't think it's a WinImage problem, because if I use alpine_ext_rom_tool (yes, it works!) from the Alpine forum, I get a similar decoded file which opens right away in WinImage. If only the encoding part worked fine...
I've checked all the fields in the boot sector and everything matches correctly. The decoded file is a perfectly valid FAT16 volume. The only quirk I can find is that the boot sector declares the disk to be 0x9800 blocks long whereas the file is actually 0xa000 blocks long.
The space for the Ext_ROM in the flash is really 0x9800 blocks long.
You could try to cut the file to be 0x1300000 bytes long to see if WinImage likes it.
megalore,
if you know the checksum generation for the magician ext_roms then I'd be quite happy to generate a tool similar to the alpine tool - most of the code will be the same.
Although I thought the magician ext roms could be decoded/encoded using itsme's tool?
Bal
Guys,
if it's anything like the alpine ext roms, then the last part consists of two splash screens (nb format).
hope that helps
The Ext_ROM image on the magician only contains the actual FAT16 filesystem. The boot splash image is in a separate space in the flash.
The only tool I know of is the xda3nbf which does not work with the newer (base64-like) rom headers.
The checksum algorithm is, as far as I can tell, unknown.
Hi iDG,
hmmmm, that's interesting - maybe I'm confused .... but
If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and the fat16 image (well, what I think is the fat16 part),
then I end up with a fat16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....
The first is a blank white image and the second is a "Qtek Keep the world in one" cityscape ....
Perhaps the tool you guys use to extract the fat16 image drops this part?
bal666 said:
hmmmm, that's interesting - maybe I'm confused .... but
If you take the ms_.nbf file from MA_DT_WWE_DutchRetail_11200_550_11200_Ship.exe and extract the header and the fat16 image (well, what I think is the fat16 part),
then I end up with a fat16 image of size 20,709,376 bytes. If from this I extract 0x1300000 - 0x137FFFF and 0x1380000 - 0x13BFFFF and load these into nb_image_converter_859_418.exe as nb files ....
Yep, you're right!
I've never noticed that, but the same thing happens for every ms_.nba I have. When I first examined the fat16 part, I did notice the extra data, but since 0xff is the content of erased flash memory, I didn't bother to check further. This makes sense, because the bootsplash image is in fact right after the Ext_ROM inside the flash.
I've never removed the "excess" data from the ms_.nba because MacOSX does not seem to care. Maybe WinImage does.
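The size quirk iDG describes (a boot sector declaring 0x9800 sectors inside a longer image) and the trailing region bal666 found the splash screens in can both be checked from the BIOS Parameter Block. This is an added example, not a tool from the thread: it decodes the boot sector bytes posted above, derives the FAT type from the cluster count rather than from the type string, and reports how many bytes lie beyond the declared volume. The 20,709,376-byte image length is the one bal666 reports; the all-0xFF check is what iDG observed in the extra data.

```python
import struct

# First 64 bytes of the decoded Ext_ROM boot sector as posted in the thread;
# the dump shows the rest of the sector as zeros (apart from a stray dword at
# 0x1BC, irrelevant here) and the 0x55AA signature at 0x1FE.
_BOOT_HEX = (
    "ebfe904d5357494e342e310002040100"   # jump, OEM "MSWIN4.1", 512 B/sector, 4 sectors/cluster, 1 reserved
    "0100020098f826002600010000000000"   # 1 FAT, 512 root entries, 0x9800 sectors, media 0xF8, 38 sectors/FAT
    "000000008000292d00f1072020202020"   # total_sectors_32 = 0, drive 0x80, ext. boot sig 0x29, serial, label
    "20202020202046415431362020200000"   # label (blank) and "FAT16   " type string
)
_sector = bytearray(512)
_sector[:len(_BOOT_HEX) // 2] = bytes.fromhex(_BOOT_HEX)
_sector[0x1FE:0x200] = b"\x55\xaa"
BOOT_SECTOR = bytes(_sector)

# Size of the Ext_ROM image bal666 extracted from ms_.nbf (from the thread).
EXTROM_IMAGE_BYTES = 20_709_376


def fat_type_for(cluster_count):
    """FAT type is defined by the cluster count, not by the type string."""
    if cluster_count < 4085:
        return "FAT12"
    if cluster_count < 65525:
        return "FAT16"
    return "FAT32"


def parse_bpb(sector):
    """Decode the FAT12/16 BIOS Parameter Block fields needed for a size audit."""
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, fat_count,
     root_entries, total_sectors_16, media, sectors_per_fat) = \
        struct.unpack_from("<HBHBHHBH", sector, 0x0B)
    total_sectors_32 = struct.unpack_from("<I", sector, 0x20)[0]
    total_sectors = total_sectors_16 or total_sectors_32
    root_dir_sectors = (root_entries * 32 + bytes_per_sector - 1) // bytes_per_sector
    data_sectors = total_sectors - (reserved_sectors + fat_count * sectors_per_fat + root_dir_sectors)
    cluster_count = data_sectors // sectors_per_cluster
    return {
        "oem_name": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "fat_count": fat_count,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media": media,
        "sectors_per_fat": sectors_per_fat,
        "cluster_count": cluster_count,
        "fat_type": fat_type_for(cluster_count),
        "fs_type_string": sector[0x36:0x3E].decode("ascii", "replace").strip(),
        "signature_ok": sector[0x1FE:0x200] == b"\x55\xaa",
    }


def audit_image_size(sector, image_bytes):
    """Compare the volume size declared in the boot sector with the image length.

    Returns the declared volume size (the length iDG suggests cutting the file
    to), the number of trailing bytes beyond it (where the thread found erased
    flash and the splash screens), and whether the image is large enough to
    hold the volume at all.
    """
    bpb = parse_bpb(sector)
    declared = bpb["total_sectors"] * bpb["bytes_per_sector"]
    return {
        "declared_bytes": declared,
        "image_bytes": image_bytes,
        "trailing_bytes": image_bytes - declared,
        "volume_fits": image_bytes >= declared,
    }


def is_erased_flash(data):
    """True when every byte is 0xFF, as the thread observed for the extra data."""
    return len(data) > 0 and data.count(0xFF) == len(data)


if __name__ == "__main__":
    bpb = parse_bpb(BOOT_SECTOR)
    audit = audit_image_size(BOOT_SECTOR, EXTROM_IMAGE_BYTES)
    print("%s volume: %d sectors x %d B = %#x bytes, %d clusters (%s)"
          % (bpb["fs_type_string"], bpb["total_sectors"], bpb["bytes_per_sector"],
             audit["declared_bytes"], bpb["cluster_count"], bpb["fat_type"]))
    print("image is %#x bytes: %#x trailing bytes after the volume"
          % (audit["image_bytes"], audit["trailing_bytes"]))
```

For the posted boot sector the declared volume is 0x1300000 bytes and the trailing region is 0xC0000 bytes, exactly the two 0x80000 and 0x40000 ranges bal666 loaded as nb images.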
Magician ext rom tool
Hi iDG,
yeah weird isn't it? I've just recently noticed it myself - so will start extracting it out separately.
Anyway, Megalore ...
I've attached a tool for the magician similar to the alpine version which allows you to decode and encode extended roms.
It's a bit of a hack at the moment - you'll find some of the message still talk about the alpine, but the mechanics should be fine (I should have a disclaimer about how it could destroy your machine here ... but I'm sure you've already considered that!!!).
For instructions on usage, see the alpine post http://forum.xda-developers.com/viewtopic.php?t=31106&sid=e011e42bce14ded5bf594c1c0484b1bc
Have fun!
PS This retains the splash screens, but "Extra Drive Creator Pro" ignores them ... not sure about winimage - but I'll add that functionality if you have problems.
Thanks bal666!!
Don't worry about the disclaimer, I think we all know the risks, otherwise we wouldn't be here in this forum...
I'll give it a try as soon as I can, and let you know how it turns out.
Thanks guys!
It worked flawlessly. I can now customize my Magician ExtROM without any hassles.
Great Work!!!
Hi Megalore,
that's good news! I'm glad it worked - I'll try to fix the "alpine" messages when I have a chance.
Have fun
Bal

[UPG][12.04.07]Free HTC Touch Unlocking. Simple. As promised[ONLINE]

Hi Friends,
Sincere apologies for not being able to reply to your posts & PMs as I have been keeping very busy for the past 3 months.
Since I was on my 1-week vacation, I thought of working on your problems, and have come up with the updated version of this tool. Hope it resolves all your issues.
You would not get any annoying pop-up with this tool now, only the one that has your unlock code...
Steps :
1. Copy 'Cert_SPCS.cab' on your phone & install(run).
2. Copy 'EnableRapi.cab' on your phone & install(run).
3. Establish an Activesync connection with your phone.
4. Unzip the zip file & Run 'Unlock_Touch.exe' on your PC. ( New Unlocker)
5. File 'unlock_code.txt' thus generated will have your unlock code (eight-digit number). Ignore any other digits if generated.
I HAVE BROKEN THE LCD OF MY HTC TOUCH SO HAVE COME DOWN TO MY NOKIA 6600. INCONVENEINCE, IF ANY; IS REGRETTED.
Cheers,
rishi2504.
You could sponsor me a beer( LCD Screen for my broken Touch) by donating to my Paypal ID - [email protected], if you like this solution...
Great, thanks for sharing, especially coming from the author himself.
Doesn't work
MEBSY said:
Doesn't work
... why? ...
Do you also have a solution for the Herald? Also CID unlocking?
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
2) device needs to be RAPI unlocked first
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
pof said:
Congrats rishi2504!
Just a few comments about your unlocker:
1) Unlocker needs itsutils.dll and pdocread.exe in folder c:\unlocker otherwise it doesn't work
It shouldn't really happen because I have attached these two with the utility... let me check that...
2) device needs to be RAPI unlocked first
Correct...I forgot to mention about that....
3) unlocker reads 8 bytes starting at offset 0xfc of BK1C, this will work on most touch devices, but not on all, see example output:
Here it will work:
Code:
000000d0 33 37 32 33 30 30 34 30 34 00 00 00 33 35 35 31 |372300404...3551|
000000e0 31 31 31 31 31 31 31 31 31 31 31 00 00 00 00 00 |11111111111.....|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 37 32 31 32 |............7212|
00000100 36 31 33 32 00 00 00 00 00 00 00 00 32 34 00 00 |6132........24..|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 30 30 31 30 |............0010|
Here it will not work, the unlock code is at a different offset:
Code:
000000d0 00 00 00 00 34 30 42 46 42 37 32 34 30 35 35 35 |....40BFB7240555|
000000e0 36 00 00 00 33 35 35 30 30 30 30 30 30 30 30 30 |6...355000000000|
000000f0 30 30 30 00 00 00 00 0f 00 00 00 00 00 00 00 00 |000.............|
00000100 00 00 00 00 34 30 35 34 31 37 31 34 00 00 00 00 |....40541714....|
00000110 00 00 00 00 32 34 00 00 00 00 00 00 00 00 00 00 |....24..........|
To fix this I suggest dumping 20 bytes starting at offset 0xf8
Correct again... but I tested it on the Indian ones, and found no reason why it shouldn't work on other versions... thanks for the suggestion... appreciated....!! This forum thrives on experts like you !! :)
Will update the instructions and post the updated unlocker..
cheers,
rishi2504
Update : Corrected version is posted now along with RAPI Unlocking files.
i am going to give it a try
After putting itsutils.dll in the Windows (Mobile) dir and pdocread.exe in the C:/unlocker folder it worked just fine.
http://wiki.xda-developers.com/index.php?pagename=XdaUtils
Thanks Thanks Thanks
Special thanks to rishi2504 and pof
Works perfect on my MDA Touch
Thanks a lot...
Worked fine for me. Cheers.
Thanks, finally using my Vodafone simcard on my MDA Touch
Worked like a freaking charm!
If I were gay (or you a woman) I'd give you a thousand kisses!
Hey Rishi.. you're my hero
I followed the instructions but the notepad generated contains nothing...
just a blank file.... I have the itsutils.dll file needed and the pdocread.exe..
What do you think is wrong?.... I don't know what network it is locked to....
Any suggestions???
I am getting an error message as follows
"Application created with unregistered version of Quick Batch File Compiler."
The note pad generated is blank.
please help
rgds
SS
Same here with Orange FR as network... Any ideas?
Hey Rishi. I guess I am in a fix now. The notepad file created, named code, contains nothing.
Also tried the other method, the one given earlier, but the unlock code did not change. I mean it is the same as it was before I ran the process.
Please, dear, help me out
Rajeev
rajismine said:
Hey Rishi. I guess I am in a fix now. The notepad file created, named code, contains nothing.
Also tried the other method, the one given earlier, but the unlock code did not change. I mean it is the same as it was before I ran the process.
Please, dear, help me out
Rajeev
I had the same, but after copying itsutils.dll ( http://wiki.xda-developers.com/index...ename=XdaUtilsin ) to your Windows dir on your mobile phone and pdocread.exe to the C:/unlocker folder (where you extracted Elf_Unlocker.zip) on your PC it worked just fine.
With the earlier unlocker I had the same problem as you did. The IMEI and unlock code did not change.
Don't forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
Good luck
Hey Dear
Which is the Windows Mobile directory? Please help yaar
Don't forget to run Cert_SPCS.cab (1st) and then EnableRapi.cab (2nd)
Good luck
Hey, how do I run these files? I just copied them to the "Mobile Device" folder in My Computer and it extracted something. Is that what you mean by running???

[Q] CWM can't mount partitions

Hi,
I have a problem with an Asus TF700T. I had Clockworkmod Recovery installed and tried using it to flash Cyanogenmod. The flash failed and since then, CWM can't mount /data, /system or any other partition from the internal flash memory. I've then used fastboot to flash a new version of CWM, but also the new version (6.0.4.7) can't mount the partitions.
I fear the partition table of /dev/block/mmcblk0 may have been damaged, but recovery works fine. I have access to CWM, adb and fastboot.
Is there a way to fix the partition table or some other way of making the partitions mountable?
I used adb shell for some diagnostics:
Code:
~ # cat /proc/partitions
major minor #blocks name
179 0 62087168 mmcblk0
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 48 15558144 mmcblk1
179 49 15554048 mmcblk1p1
After a reboot (with a half-installed CyanogenMod), the output is somehow different, but CWM still can't mount /data, /system, etc.:
Code:
~ # cat /proc/partitions
major minor #blocks name
179 0 62087168 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 59976192 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 8192 mmcblk0p10
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 48 15558144 mmcblk1
179 49 15554048 mmcblk1p1
Output of dmesg | grep mmc
Code:
dmesg | grep mmc
<5>[ 0.000000] Kernel command line: tegra_wdt.heartbeat=30 tegraid=30.1.3.0.0 [email protected] commchip_id=0 vmalloc=768M androidboot.serialno=015d29955e54260c androidboot.commchip_id=0 video=tegrafb no_console_suspend=1 console=ttyS0,115200n8 debug_uartport=lsport,0 usbcore.old_scheme_first=1 [email protected] [email protected] core_edp_mv=0 audio_codec=wm8903 board_info=245:0:fc:a6:29 tegraboot=sdmmc gpt gpt_sector=124174335 modem_id=0 android.kerneltype=recovery androidboot.productid=0x04 androidboot.carrier=wifi-only
<6>[ 0.805791] print_constraints: fixed_reg_en_3v3_emmc: 3300 mV normal standby
<6>[ 0.805974] set_supply: fixed_reg_en_3v3_emmc: supplied by fixed_reg_en_3v3_sys
<6>[ 3.640685] [mmc]:sdhci_tegra_probe:1152 mmc0: built_in 1
<4>[ 3.642707] mmc0: Invalid maximum block size, assuming 512 bytes
<6>[ 3.642994] mmc0: no vmmc regulator found
<7>[ 3.644267] Registered led device: mmc0::
<6>[ 3.646836] [mmc]:mmc_schedule_delayed_work:84 mmc0: delay 0
<6>[ 3.646987] mmc0: SDHCI controller on sdhci-tegra.3 [sdhci-tegra.3] using ADMA
<4>[ 3.648498] mmc1: Invalid maximum block size, assuming 512 bytes
<6>[ 3.648779] mmc1: no vmmc regulator found
<7>[ 3.650058] Registered led device: mmc1::
<6>[ 3.652575] [mmc]:mmc_schedule_delayed_work:84 mmc1: delay 0
<6>[ 3.652723] mmc1: SDHCI controller on sdhci-tegra.2 [sdhci-tegra.2] using ADMA
<6>[ 3.653397] [mmc]:sdhci_tegra_probe:1099 mmc2: non-built_in 0
<4>[ 3.656192] mmc2: Invalid maximum block size, assuming 512 bytes
<6>[ 3.656475] mmc2: no vmmc regulator found
<7>[ 3.657758] Registered led device: mmc2::
<6>[ 3.660210] [mmc]:mmc_schedule_delayed_work:84 mmc2: delay 0
<6>[ 3.660469] mmc2: SDHCI controller on sdhci-tegra.0 [sdhci-tegra.0] using ADMA
<6>[ 3.761658] [mmc]:mmc_decode_cid:118 prv: 0x6f, manfid: 0x90
<6>[ 3.773320] [mmc]:mmc_read_ext_csd:365 Boot Block Expose, boot size of mmc0 is 8388608
<6>[ 3.775552] mmc0: new high speed DDR MMC card at address 0001
<6>[ 3.776088] mmcblk mmc0:0001: Card claimed for testing.
<6>[ 3.776781] mmcblk0: mmc0:0001 HYNIX 59.2 GiB
<6>[ 3.777369] mmcblk0boot0: mmc0:0001 HYNIX partition 1 4.00 MiB
<6>[ 3.778074] mmcblk0boot1: mmc0:0001 HYNIX partition 2 4.00 MiB
<6>[ 3.794728] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
<6>[ 3.808067] mmcblk0boot1: unknown partition table
<6>[ 3.812871] mmcblk0boot0: unknown partition table
<6>[ 3.815515] [mmc]:mmc_rescan_try_freq:2010 mmc0: eMMC completed
<4>[ 4.042757] mmc2: host does not support reading read-only switch. assuming write-enable.
<6>[ 4.046107] mmc2: new high speed SDHC card at address e624
<6>[ 4.046532] mmcblk mmc2:e624: Card claimed for testing.
<6>[ 4.047366] mmcblk1: mmc2:e624 SU16G 14.8 GiB
<6>[ 4.058056] mmcblk1: p1
<6>[ 4.058913] [mmc]:mmc_rescan_try_freq:2006 mmc2: SD completed
<6>[ 4.996531] [mmc]:mmc_schedule_delayed_work:84 mmc1: delay 0
<4>[ 5.052746] mmc1 clock request: 50000KHz. currently 48000KHz
<6>[ 5.054371] mmc1: new high speed SDIO card at address 0001
<6>[ 5.062845] [mmc]:mmc_rescan_try_freq:2002 mmc1: sdio completed
<6>[ 7.693501] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
<7>[ 7.693580] SELinux: initialized (dev mmcblk0p2, type ext4), uses xattr
Can someone please shed some light on this? Thank you very much!
giza1928 said:
major minor #blocks name
179 0 62087168 mmcblk0
179 1 786432 mmcblk0p1
179 2 438272 mmcblk0p2
179 3 2048 mmcblk0p3
179 4 835584 mmcblk0p4
179 5 5120 mmcblk0p5
179 6 512 mmcblk0p6
179 7 5120 mmcblk0p7
179 8 59976192 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 8192 mmcblk0p10
179 32 4096 mmcblk0boot1
179 16 4096 mmcblk0boot0
179 48 15558144 mmcblk1
179 49 15554048 mmcblk1p1
...
<6>[ 3.794728] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
That looks quite correct. What happens when you try to mount /data manually?
mount -t ext4 /dev/block/mmcblk0p8 /data
_that said:
That looks quite correct. What happens when you try to mount /data manually?
Thanks, good idea. But unfortunately, the error message isn't very detailed:
Code:
mount -t ext4 /dev/block/mmcblk0p8 /data
mount: mounting /dev/block/mmcblk0p8 on /data failed: Invalid argument
I also tried to check the filesystem with e2fsck:
Code:
~ # e2fsck /dev/block/mmcblk0p8
e2fsck 1.41.14 (22-Dec-2010)
e2fsck: Superblock invalid, trying backup blocks...
e2fsck: Bad magic number in super-block while trying to open /dev/block/mmcblk0p8
The superblock could not be read or does not describe a correct ext2
filesystem. If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
e2fsck -b 8193 <device>
giza1928 said:
Thanks, good idea. But unfortunately, the error message isn't very detailed:
Code:
mount -t ext4 /dev/block/mmcblk0p8 /data
mount: mounting /dev/block/mmcblk0p8 on /data failed: Invalid argument
Is there any message in dmesg after trying this?
What do you get from "hexdump -C -n 2048 /dev/block/mmcblk0p8"?
_that said:
Is there any message in dmesg after trying this?
What do you get from "hexdump -C -n 2048 /dev/block/mmcblk0p8"?
No, no messages in dmesg after the mount command, only updates like this:
Code:
<4>[ 81.890682] cpu ext_temperature=26
The output from the hexdump command:
Code:
~ # hexdump -C -n 2048 /dev/block/mmcblk0p8
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
giza1928 said:
The output from the hexdump command:
Code:
~ # hexdump -C -n 2048 /dev/block/mmcblk0p8
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
Funny. Normally the superblock should start at offset 0x400. Yours appears to have gotten wiped.
Try the same command on mmcblk0p1, mmcblk0p2, mmcblk0p3, mmcblk0p5 and post the results just to find out what's going on.
_that said:
Funny. Normally the superblock should start at offset 0x400. Yours appears to have gotten wiped.
Try the same command on mmcblk0p1, mmcblk0p2, mmcblk0p3, mmcblk0p5 and post the results just to find out what's going on.
p1:
Code:
hexdump -C -n 2048 /dev/block/mmcblk0p1
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 00 c0 00 00 00 00 03 00 00 00 00 00 95 ce 01 00 |................|
00000410 d2 b9 00 00 00 00 00 00 02 00 00 00 02 00 00 00 |................|
00000420 00 80 00 00 00 80 00 00 00 20 00 00 38 e3 78 53 |......... ..8.xS|
00000430 38 e3 78 53 05 00 ff ff 53 ef 01 00 02 00 00 00 |8.xS....S.......|
00000440 d2 aa 78 53 00 00 00 00 00 00 00 00 01 00 00 00 |..xS............|
00000450 00 00 00 00 0b 00 00 00 00 01 00 00 1c 00 00 00 |................|
00000460 42 00 00 00 13 00 00 00 57 f8 f4 bc ab f4 65 5f |B.......W.....e_|
00000470 bf 67 94 6f c0 f9 f2 5b 00 00 00 00 00 00 00 00 |.g.o...[........|
00000480 00 00 00 00 00 00 00 00 2f 73 79 73 74 65 6d 00 |......../system.|
00000490 e8 0a 29 c0 00 9c a6 c7 b0 ca b7 c6 00 00 00 00 |..).............|
000004a0 48 b4 54 c7 e0 a3 58 c6 fc fd e0 c6 c8 fd e0 c6 |H.T...X.........|
000004b0 fc 7e 12 c0 80 f3 1a c0 e4 fd e0 c6 74 f3 1a c0 |.~..........t...|
000004c0 bc c7 7c c0 00 9c a6 c7 00 00 00 00 00 00 2f 00 |..|.........../.|
000004d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004f0 00 00 00 00 00 00 00 00 00 00 00 00 02 01 20 00 |.............. .|
00000500 00 00 00 00 00 00 00 00 00 00 00 00 0a f3 01 00 |................|
00000510 03 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 |................|
00000520 33 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |3...............|
00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000550 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 1c 00 |................|
00000560 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000570 00 00 00 00 00 00 00 00 ec 83 04 00 00 00 00 00 |................|
00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
p2:
Code:
~ # hexdump -C -n 2048 /dev/block/mmcblk0p2
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 00 6b 00 00 00 ac 01 00 00 00 00 00 86 86 01 00 |.k..............|
00000410 dc 6a 00 00 00 00 00 00 02 00 00 00 02 00 00 00 |.j..............|
00000420 00 80 00 00 00 80 00 00 c0 1a 00 00 f3 eb 78 53 |..............xS|
00000430 f3 eb 78 53 08 00 ff ff 53 ef 01 00 02 00 00 00 |..xS....S.......|
00000440 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
00000450 00 00 00 00 0b 00 00 00 00 01 00 00 1c 00 00 00 |................|
00000460 46 00 00 00 13 00 00 00 57 f8 f4 bc ab f4 65 5f |F.......W.....e_|
00000470 bf 67 94 6f c0 f9 f2 5b 00 00 00 00 00 00 00 00 |.g.o...[........|
00000480 00 00 00 00 00 00 00 00 2f 63 61 63 68 65 00 e8 |......../cache..|
00000490 0a 29 c0 c0 dd d6 c6 88 d3 b8 c6 00 00 00 00 b8 |.)..............|
000004a0 eb b8 c6 20 cb 81 c7 fc dd da c6 c8 dd da c6 fc |... ............|
000004b0 7e 12 c0 80 f3 1a c0 e4 dd da c6 74 f3 1a c0 bc |~..........t....|
000004c0 c7 7c c0 c0 dd d6 c6 d8 00 00 00 00 00 00 1f 00 |.|..............|
000004d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004f0 00 00 00 00 00 00 00 00 00 00 00 00 02 01 20 00 |.............. .|
00000500 00 00 00 00 00 00 00 00 00 00 00 00 0a f3 01 00 |................|
00000510 03 00 00 00 00 00 00 00 00 00 00 00 b0 06 00 00 |................|
00000520 cf 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000550 00 00 00 00 00 00 00 00 00 00 00 00 1c 00 1c 00 |................|
00000560 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000570 00 00 00 00 00 00 00 00 ec 18 00 00 00 00 00 00 |................|
00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
p3:
Code:
~ # hexdump -C -n 2048 /dev/block/mmcblk0p3
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
p5:
Code:
~ # hexdump -C -n 2048 /dev/block/mmcblk0p5
00000000 eb 58 90 42 53 44 20 20 34 2e 34 00 02 08 20 00 |.X.BSD 4.4... .|
00000010 02 00 00 00 28 f0 00 00 10 00 04 00 00 00 00 00 |....(...........|
00000020 00 00 00 00 0a 00 00 00 00 00 00 00 02 00 00 00 |................|
00000030 01 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 29 d2 07 38 a4 4e 4f 20 4e 41 4d 45 20 20 |..)..8.NO NAME  |
00000050 20 20 46 41 54 33 32 20 20 20 fa 31 c0 8e d0 bc |  FAT32   .1....|
00000060 00 7c fb 8e d8 e8 00 00 5e 83 c6 19 bb 07 00 fc |.|......^.......|
00000070 ac 84 c0 74 06 b4 0e cd 10 eb f5 30 e4 cd 16 cd |...t.......0....|
00000080 19 0d 0a 4e 6f 6e 2d 73 79 73 74 65 6d 20 64 69 |...Non-system di|
00000090 73 6b 0d 0a 50 72 65 73 73 20 61 6e 79 20 6b 65 |sk..Press any ke|
000000a0 79 20 74 6f 20 72 65 62 6f 6f 74 0d 0a 00 00 00 |y to reboot.....|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 52 52 61 41 00 00 00 00 00 00 00 00 00 00 00 00 |RRaA............|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000003e0 00 00 00 00 72 72 41 61 ff ff ff ff 0d 00 00 00 |....rrAa........|
000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000400 eb 58 90 42 53 44 20 20 34 2e 34 00 02 08 20 00 |.X.BSD 4.4... .|
00000410 02 00 00 00 28 f0 00 00 10 00 04 00 00 00 00 00 |....(...........|
00000420 00 00 00 00 0a 00 00 00 00 00 00 00 02 00 00 00 |................|
00000430 01 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000440 00 00 29 d2 07 38 a4 4e 4f 20 4e 41 4d 45 20 20 |..)..8.NO NAME |
00000450 20 20 46 41 54 33 32 20 20 20 fa 31 c0 8e d0 bc | FAT32 .1....|
00000460 00 7c fb 8e d8 e8 00 00 5e 83 c6 19 bb 07 00 fc |.|......^.......|
00000470 ac 84 c0 74 06 b4 0e cd 10 eb f5 30 e4 cd 16 cd |...t.......0....|
00000480 19 0d 0a 4e 6f 6e 2d 73 79 73 74 65 6d 20 64 69 |...Non-system di|
00000490 73 6b 0d 0a 50 72 65 73 73 20 61 6e 79 20 6b 65 |sk..Press any ke|
000004a0 79 20 74 6f 20 72 65 62 6f 6f 74 0d 0a 00 00 00 |y to reboot.....|
000004b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000005f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000600 52 52 61 41 00 00 00 00 00 00 00 00 00 00 00 00 |RRaA............|
00000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000007e0 00 00 00 00 72 72 41 61 ff ff ff ff 02 00 00 00 |....rrAa........|
000007f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000800
Thanks already for your help, to be honest I have no clue what I'm looking at. Are those the first 2048 bits of each partition?
giza1928 said:
Thanks already for your help, to be honest I have no clue what I'm looking at. Are those the first 2048 bits of each partition?
Yes. All other partitions except /data look normal - p1 is /system, p2 is /cache, p3 is the bootloader command partition which is usually empty, p5 contains device configuration in a FAT32 filesystem.
Try formatting /data from the recovery, then reinstall your ROM (which will format and fill /system).
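As an added example that is not part of the thread, the p5 dump above can be decoded programmatically. The block below transcribes the BPB bytes from that hexdump (the x86 boot code after offset 0x59 is left as zeros, since it plays no part in the checks), parses them as a FAT32 boot sector, and runs the checks you would do before trusting an unknown partition: 0x55AA signature, backup boot sector identical to sector 0, FSInfo signatures, and a FAT large enough for the cluster count.

```python
"""Decode the FAT32 boot sector and FSInfo sector of the mmcblk0p5 dump above (added example)."""
import struct

SECTOR = 512


def build_p5_image() -> bytes:
    """Reconstruct the 2048-byte dump; every byte not listed here is zero (the hexdump's '*' lines)."""
    img = bytearray(4 * SECTOR)
    img[0:0x5A] = bytes.fromhex(
        "eb58904253442020342e340002082000"  # jmp, OEM "BSD  4.4", 512 B/sector, 8 sectors/cluster, 32 reserved
        "0200000028f000001000040000000000"  # 2 FATs, TotSec16 = 0x2800, media 0xF0, 16 sectors/track, 4 heads
        "000000000a0000000000000002000000"  # TotSec32 = 0, 10 sectors per FAT, root directory at cluster 2
        "01000200000000000000000000000000"  # FSInfo in sector 1, backup boot sector in sector 2
        "000029d20738a44e4f204e414d452020"  # boot signature 0x29, volume ID, label "NO NAME"
        "20204641543332202020"              # FS type string "FAT32   "
    )
    img[0x1FE:0x200] = b"\x55\xaa"
    # FSInfo (sector 1): lead signature, struct signature, free count unknown, next free cluster 13
    img[0x200:0x204] = b"RRaA"
    img[0x3E4:0x3F0] = b"rrAa" + bytes.fromhex("ffffffff0d000000")
    img[0x3FE:0x400] = b"\x55\xaa"
    # Backup copies in sectors 2 and 3; the backup FSInfo still says next free cluster 2
    img[0x400:0x800] = img[0:0x400]
    img[0x7EC:0x7F0] = bytes.fromhex("02000000")
    return bytes(img)


def parse_fat32_bpb(sector0: bytes) -> dict:
    """Parse the BIOS Parameter Block; raise ValueError if the sector is not a sane FAT32 boot sector."""
    if sector0[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    (bytes_per_sec, sec_per_clus, reserved, num_fats, root_entries,
     tot_sec16, _media, sec_per_fat16) = struct.unpack_from("<HBHBHHBH", sector0, 0x0B)
    tot_sec32, sec_per_fat32 = struct.unpack_from("<II", sector0, 0x20)
    root_cluster, fsinfo_sec, backup_sec = struct.unpack_from("<IHH", sector0, 0x2C)
    total = tot_sec32 or tot_sec16        # FAT32 normally uses the 32-bit field; this volume uses the 16-bit one
    sec_per_fat = sec_per_fat32 or sec_per_fat16
    if not (bytes_per_sec and sec_per_clus and num_fats and total and sec_per_fat):
        raise ValueError("BPB has zero-valued geometry fields")
    root_dir_sectors = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec   # 0 on FAT32
    data_start = reserved + num_fats * sec_per_fat + root_dir_sectors
    return {
        "oem": sector0[3:11].decode("ascii"),
        "bytes_per_sector": bytes_per_sec,
        "sectors_per_cluster": sec_per_clus,
        "reserved_sectors": reserved,
        "fats": num_fats,
        "sectors_per_fat": sec_per_fat,
        "total_sectors": total,
        "root_cluster": root_cluster,
        "fsinfo_sector": fsinfo_sec,
        "backup_boot_sector": backup_sec,
        "volume_id": struct.unpack_from("<I", sector0, 0x43)[0],
        "volume_label": sector0[0x47:0x52].decode("ascii").rstrip(),
        "fs_type": sector0[0x52:0x5A].decode("ascii").rstrip(),
        "cluster_count": (total - data_start) // sec_per_clus,
        "fat_entries": sec_per_fat * bytes_per_sec // 4,   # 32-bit entries in one FAT
    }


def parse_fsinfo(sector: bytes) -> dict:
    """Parse the FSInfo sector; free_clusters is None when the volume reports 0xFFFFFFFF (unknown)."""
    if sector[0:4] != b"RRaA" or sector[0x1E4:0x1E8] != b"rrAa" or sector[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("FSInfo signatures missing")
    free, next_free = struct.unpack_from("<II", sector, 0x1E8)
    return {"free_clusters": None if free == 0xFFFFFFFF else free, "next_free": next_free}


def check_p5(img: bytes) -> dict:
    """Decode the primary boot sector and report the consistency problems a forensic check would flag."""
    bpb = parse_fat32_bpb(img[0:SECTOR])
    problems = []
    if bpb["fat_entries"] < bpb["cluster_count"] + 2:        # entries 0 and 1 are reserved
        problems.append("FAT too small for the cluster count")
    backup = img[bpb["backup_boot_sector"] * SECTOR:][:SECTOR]
    if backup != img[0:SECTOR]:
        problems.append("backup boot sector differs from sector 0")
    fsinfo = parse_fsinfo(img[bpb["fsinfo_sector"] * SECTOR:][:SECTOR])
    return {"bpb": bpb, "fsinfo": fsinfo, "problems": problems}
```

Running check_p5(build_p5_image()) reports a 5 MiB volume (10240 sectors, 1273 clusters of 4 KiB) with no problems; on a real dump, replace build_p5_image() with the first 2048 bytes of the block device.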
_that said:
Yes. All other partitions except /data look normal - p1 is /system, p2 is /cache, p3 is the bootloader command partition which is usually empty, p5 contains device configuration in a FAT32 filesystem.
Try formatting /data from the recovery, then reinstall your ROM (which will format and fill /system).
Ok, do you mean the format command I can select in recovery? Because it says:
Code:
Formatting /data...
Error mounting /data!
Skipping format...
Done.
But can I maybe use mke2fs or something similar to format /dev/mmcblk0p8? If so, could you tell me what options I should use?
Thanks
giza1928 said:
Ok, do you mean the format command I can select in recovery? Because it says:
Code:
Formatting /data...
Error mounting /data!
Skipping format...
Done.
I have no experience with CWM; apparently it sucks.
giza1928 said:
But can I maybe use mke2fs or something similar to format /dev/mmcblk0p8? If so, could you tell me what options I should use?
Code:
make_ext4fs /dev/block/mmcblk0p8
should do it. Assuming that CWM ships with a make_ext4fs binary.
_that said:
I have no experience with CWM; apparently it sucks.
Code:
make_ext4fs /dev/block/mmcblk0p8
should do it. Assuming that CWM ships with a make_ext4fs binary.
Thanks, that worked! CWM does ship with make_ext4fs, I flashed Cyanogenmod and it booted successfully! :victory:
I figured I would post my experience with a sudden bootloop. My tf700t was unlocked and rooted a very long time ago and I've used a few ROMs since doing that. First was CROMI-x, then Cyanogenmod 11 nightlies, then CROMBi-kk, and then I switched to ZOMBI-x.
I installed Zombi-x using F2FS file system and never had any issues except for the usual mind numbing lag from the horrible IO issues.
So just last night (12/21/2014) my tablet froze with a light grey screen and about 10 seconds later it rebooted, but it kept rebooting over and over. I tried cold booting, but that didn't help, so I booted into CWM (ver. 6.0.4.7) and tried to do a wipe data/system reset, but the tablet would just reboot part way through. I tried formatting the /data partition directly but it caused the tablet to reboot as well. So a few other posts around the interwebs led me to the conclusion that I needed to get rid of clockworkmod and switch to TWRP.
Thankfully I was able to connect to the tablet using fastboot, but only in Linux (my Win7 PC saw that something was there, but it wouldn't let me install the driver) (http://lifehacker.com/the-easiest-way-to-install-androids-adb-and-fastboot-to-1586992378). So I installed TWRP 2.8.3.0 and used it to do a complete wipe. It started the format but had several errors about not being able to mount /data, and then it said it was formatting Data using ext4fs. I've read that it should only take 5 minutes or so, so you can imagine my worry when 5 minutes passed, and then 10, and so on, until it finished up after a little over 30 minutes. So if it's just sitting there, there's a good chance it is actually doing something, so leave it be for a while, and don't forget to check your battery; you don't want your tab to shut off suddenly!
I reinstalled CROMBi-kk and let it boot. Much to my surprise it booted and the resulting performance was nothing short of shocking!
So far this thing is running like it NEVER has before! The lag so far is so much less than ever and things open and close very quickly!
So without any surprise here, I won't be using F2FS anymore for fear I'll have corruption on the internal storage again! Thankfully TWRP came through for me. So if your tf700 is bootlooping and you still have fastboot, try installing the latest TWRP, it may just make the difference between a functioning tablet and a brick!
Viking8 said:
So I installed TWRP 2.8.3.0 and used it to do a complete wipe. It started the format but had several errors about not being able to mount /data, and then it said it was formatting Data using ext4fs. I've read that it should only take 5 minutes or so, so you can imagine my worry when 5 minutes passed, and then 10, and so on, until it finished up after a little over 30 minutes. So if it's just sitting there, there's a good chance it is actually doing something, so leave it be for a while, and don't forget to check your battery; you don't want your tab to shut off suddenly!
I reinstalled CROMBi-kk and let it boot. Much to my surprise it booted and the resulting performance was nothing short of shocking!
So far this thing is running like it NEVER has before! The lag so far is so much less than ever and things open and close very quickly!
The long time it takes for formatting and the performance gains are actually related. Creating the filesystem takes probably less than 5 minutes, but then the recovery does a "trim" on the free blocks - telling the eMMC that it may discard the data in these blocks and erase them. Erasing flash memory is slow. But following write requests by the booted ROM will be much faster because they can be written directly without prior erasing and shuffling data around.
_that said:
The long time it takes for formatting and the performance gains are actually related. Creating the filesystem takes probably less than 5 minutes, but then the recovery does a "trim" on the free blocks - telling the eMMC that it may discard the data in these blocks and erase them. Erasing flash memory is slow. But following write requests by the booted ROM will be much faster because they can be written directly without prior erasing and shuffling data around.
So the performance boost after formatting /data is temporary until the emmc again has to shuffle data around when it gets write requests?
I thought f2fs was supposed to take care of that?
berndblb said:
So the performance boost after formatting /data is temporary until the emmc again has to shuffle data around when it gets write requests?
I thought f2fs was supposed to take care of that?
Using f2fs should increase the time until the eMMC has to shuffle data around because it does less random writes. But when all blocks have been written once, something must be erased to rewrite more. The permanent solution is to run fstrim regularly (I've seen some comments in the Android source code that runs it automatically from time to time) or to mount with the discard option, and to leave a reasonable amount of space free (10 to 15%).
_that said:
Using f2fs should increase the time until the eMMC has to shuffle data around because it does less random writes. But when all blocks have been written once, something must be erased to rewrite more. The permanent solution is to run fstrim regularly (I've seen some comments in the Android source code that runs it automatically from time to time) or to mount with the discard option, and to leave a reasonable amount of space free (10 to 15%).
Enlightening as always! Happy Holidays to you and your family!
It doesn't seem that lagfix can trim /data formatted to f2fs.
Sent from my TF700T using Tapatalk

[NB1-Collision] [Alternate method] How to unlock the bootloader of Nokia 8.1 (X7)

WARNING: The overall procedure requires disassembly and you will definitely lose your warranty!
I'm not responsible for bricking or damaging your device! It's not meant for average users at all!
You can consider importing a Nokia X7 from China as a test subject, as it's cheaper than the Nokia 8.1.
Let me tell you how HMD Nokia Android devices detect whether the unlock key is valid.
A standalone partition, mfd, stores the serial number and IMEI/MEID/MAC address that are used for the bootloader check.
It checks whether the IMEI1 and SN in the mfd partition are valid for the unlock key, instead of the ones in NVRAM.
To unlock the phone, you need a Nokia 8 NB1 (at least you need to know its IMEI1 and SN) and an unlock key requested officially from HMD. If you don't have one, please ask a Nokia 8 user who successfully requested an unlock key. I'm not going to provide my unlock key and IMEI/SN.
Our theory for unlocking the bootloader is:
1. Hack the mfd partition with the identification of a Nokia 8.
2. Flash the unlock key for Nokia 8 to Nokia 8.1 (X7).
3. Restore mfd partition.
This method is unusable on Nokia 3.1 / 5.1 or Plus and Nokia 1 Plus, although MediaTek models are easier to hack with SP Flash Tool.
I guess HMD will block this method soon by changing the public key like before (ProjectCode add 1 or 2), and you can't request an unlock key again if it's lost, so please keep your unlock key in a safe place.
Let's get started.
Step 1: Download stock firmware or just firehose file from fih-firmware.hikaricalyx.com/hmd_en.html#pnx
You'll need the firehose file from it. I strongly recommend you to use the firehose file from "OSTLA_X7-OTA-Repair_002" package for faster procedure.
Step 2: Dump the mfd partition
To dump the mfd partition, you can either trigger your phone into Qualcomm EDL mode by the wire trick or use an eMMC programmer, which is too hardcore to be mentioned.
After you remove the back cover, you can find these two points easily. Power off your phone, use tweezers or a wire to short them, and connect it to PC. Position is posted as attachment below. If you did right, the phone will boot to Qualcomm EDL mode and you can remove the tweezers or wire.
Now use QFIL and load the firehose file from the stock firmware. To dump the mfd partition, use the partition manager in QFIL, right click on the mfd partition, select properties, then click "read". The dumped mfd partition is located at %AppData%\Qualcomm\QFIL\COMPORT_XX .
Step 3: Use Hex Editor to change IMEI and SN written in mfd partition
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64 DfM_........swid
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00 productid.......
00000070 50 4E 58 47 41 4D 30 31 32 33 34 35 36 37 38 39 PNXGAM0123456789
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00 ....bt_mac......
000000C0 00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx ....xxxxxxxxxxxx
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63 ........wifi_mac
00000110 00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx ........xxxxxxxx
00000120 xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00 xxxx............
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69 ............imei
00000160 5F 31 00 00 00 00 00 00 00 00 00 00 33 35 36 39 _1..............
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
For Nokia 8.1 / X7, IMEI1/IMEI2 aren't written in mfd partition at all, but we can write it as we want.
Note: hacking the mfd partition will not change your IMEI in NVRAM, which is illegal. It only changes the IMEI that is used to verify the unlock key under fastboot mode. As it's not written at all, I can assume HMD Global wasn't willing to unlock the Nokia 8.1 / X7 from the beginning.
The position of IMEI1 starts from offset 0x0000016C. I assume the IMEI and SN of your Nokia 8 are 123456789012347 and NB1GAD2780012345, and I needn't mention where to find them.
Here's the modified mfd partition:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 44 66 4D 5F 00 00 00 00 09 00 00 00 73 77 69 64 DfM_........swid
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 70 72 6F 64 75 63 74 69 64 00 00 00 00 00 00 00 productid.......
00000070 4E 42 31 47 41 44 32 37 38 30 30 31 32 33 34 35 NB1GAD2780012345
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 10 00 00 00 62 74 5F 6D 61 63 00 00 00 00 00 00 ....bt_mac......
000000C0 00 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx ....xxxxxxxxxxxx
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 0C 00 00 00 77 69 66 69 5F 6D 61 63 ........wifi_mac
00000110 00 00 00 00 00 00 00 00 xx xx xx xx xx xx xx xx ........xxxxxxxx
00000120 xx xx xx xx 00 00 00 00 00 00 00 00 00 00 00 00 xxxx............
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 0C 00 00 00 69 6D 65 69 ............imei
00000160 5F 31 00 00 00 00 00 00 00 00 00 00 31 32 33 34 _1..........1234
00000170 35 36 37 38 39 30 31 32 33 34 37 00 00 00 00 00 56789012347.....
Save it to another place, and please keep your original mfd partition for us to restore.
Step 4: Write back the mfd partition and unlock the bootloader
Use QFIL to write back the mfd partition, either with the Partition Manager or by writing your own rawprogram0.xml, which I needn't mention here.
After the mfd partition is written back, please perform a force reboot by pressing both the volume up key and the power key. Then boot your phone into fastboot mode by any method you're familiar with. You can't put the back cover back on yet.
Now flash the unlock key for Nokia 8 to it:
Code:
fastboot flash unlock unlock.key
fastboot flashing unlock
Under Android 9 bootloader, "fastboot flashing unlock_critical" command will be treated as "fastboot flashing unlock", so you can't perform critical unlock, unless you downgrade the bootloader part (abl, xbl, xbl_config and tz partitions) to PNX-124F firmware, which you can find in the PNX-124F-0-00CN-B05 stock firmware.
Then confirm bootloader unlock on the phone as usual.
Step 5: Restore mfd partition
To prevent strange issues, you still need to restore your original mfd partition under Qualcomm EDL mode, which I needn't mention how to do.
After that, you may replace the back cover and phone rooting / custom rom installation is allowed.
That covers the whole bootloader unlock theory. Since it uses the unlock key from a Nokia 8 and I tricked the phone into identifying as a Nokia 8, I called the unlock method "NB1-Collision". However, I can clearly see HMD is still not prepared for bootloader unlocking.
Because even with the bootloader unlocked, a retail device still doesn't allow us to flash any partitions as we want.
When flashing a partition, it tells us "Flashing is not rooted for fused device". When trying to perform a temporary boot under fastboot mode with the retail abl, it tells us "Unknown command", and the same "Flashing is not rooted for fused device" error under the service abl.
So the next step is how we can hack the fuse status to disable it - this is up to you.
As for how I can unlock and root the phone without disassembly, it's a paid method that I can't disclose here.
hikari_calyx said:
As for how I can unlock and root the phone without disassembly, it's a paid method that I can't disclose here.
And how much, if not secret?
luiszevs said:
And how much, if not secret?
$12 for unlocking Nokia X7 / 8.1 / 9 PureView. As for where to request, this can't be mentioned here - Google is always your best friend.
hikari_calyx said:
...Google is always your best friend.
wow,really ? :laugh: ,you wrote " it's paid method " , I asked "how much" , not "how" . You answered, thank you, I will think, do I need unlock & root? while everything suits me ...
luiszevs said:
wow,really ? :laugh: ,you wrote " it's paid method " , I asked "how much" , not "how" . You answered, thank you, I will think, do I need unlock & root? while everything suits me ...
XDA, everything should be free.. who is charging ??
light.apps said:
XDA, everything should be free.. who is charging ??
Hikari, of course
Again, search the web.
Even if we unlock is there twrp available?
Aftab_khatri said:
Even if we unlock is there twrp available?
is twrp not available??
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the boot loader unlocked, and run LineageOS. Does anyone know if it can be done? I really would want the phone to be google free. I am not a developer, so will be needing help from someone trustworthy.
wrp2015 said:
Later today I will be receiving the Nokia 8.1, an Android One phone. I want to have the boot loader unlocked, and run LineageOS. Does anyone know if it can be done? I really would want the phone to be google free. I am not a developer, so will be needing help from someone trustworthy.
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
nickyip123 said:
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
Would it still be possible to install another "launcher" on this phone, so the "ask google" bar will be hidden on the home screen?
Of course. Lawnchair, for example. Change its settings to hide Google.
nickyip123 said:
No, the BL can't be unlocked right now. As you can see on XDA, there's no custom rom for Nokia 8.1 / Nokia X7.
Thank you for your response. Since the phone is brand new and I haven't even unpacked it, I am ready to send it back for a refund. Is there a phone that has similar specs and approximate price (300 euro) as the Nokia 8.1 that I could run LineageOS on?
A good speaker and large screen are some of the things important to me. I do not do any gaming.
I am located in the Netherlands, Europe. Is it an easy process to install LOS (I am not an expert in these things and my schedule is overfull as is), or will I need to find someone who is willing to do it for me for a fee? In the latter case, where would I go?
Is it recommended for lay men to run LOS on their phones, as when something goes wrong they won't know what to do?

[GUIDE] How to eliminate the slots of an A/B device (pre-Android 10) and turn it into an A-only device

This guide should be generic for all Qualcomm A/B devices that came with Android 9 or older out of the box - in other words, devices with a "super" partition are not applicable.
For some reason, if you prefer a custom ROM rather than stock, or you want to get more storage space, especially on devices with 32GB or less, this should be a good starting point.
I have never tested MediaTek or Unisoc devices, but for Qualcomm devices this should work properly.
The point is to simply rename, eliminate and resize partitions so that the device behaves like an A-only device.
Devices with AVB1 need to repurpose these partitions:
Code:
boot_a -> boot
boot_b -> recovery
modem_a -> modem
modem_b -> (whatever you want)
bluetooth_a -> bluetooth
bluetooth_b -> (whatever you want)
dsp_a -> dsp
dsp_b -> dsp
mdtp_a -> mdtp
mdtp_b -> (whatever you want)
system_a -> system
vendor_a -> vendor
system_b -> (eliminated)
vendor_b -> (eliminated)
userdata -> enlarged
Devices with AVB2 need to repurpose these partitions additionally:
Code:
dtbo_a -> dtbo
dtbo_b -> (whatever you want)
vbmeta_a -> vbmeta
vbmeta_b -> (whatever you want)
MediaTek and Unisoc devices may have a few more or different partitions, which may need to be taken care of individually.
A few OEMs may have minor differences on a few partitions - for example, HTC renamed modem to radio.
I know there's one device with such a paranoid partition layout, that is the Blackberry Key 2 (BBF100). I was wondering if using such a paranoid partition layout on other A/B devices would make them behave like A-only devices, and the answer is yes.
To readers who want to check the partition table of the Blackberry Key 2, please unhide the following content.
Code:
Sector size (logical): 512 bytes
Disk identifier (GUID): 85AF7333-4C28-063E-1A0A-A25F7F0A55C7
Partition table holds up to 80 entries
Main partition table begins at sector 2 and ends at sector 21
First usable sector is 34, last usable sector is 122142686
Partitions will be aligned on 8-sector boundaries
Total free space is 27642 sectors (13.5 MiB)
Number Start (sector) End (sector) Size Code Name
1 40 16383 8.0 MiB FFFF padding0
2 16384 18431 1024.0 KiB FFFF traceability
3 18432 32767 7.0 MiB FFFF padding1
4 32768 40959 4.0 MiB A02A fsg
5 40960 43007 1024.0 KiB FFFF dip
6 43008 43015 4.0 KiB A021 devinfo
7 43016 43527 256.0 KiB A022 apdp
8 43528 44039 256.0 KiB A023 msadp
9 44040 44041 1024 bytes A024 dpo
10 44048 110895 32.6 MiB FFFF splash
11 110896 110903 4.0 KiB A040 limits
12 110904 112951 1024.0 KiB FFFF toolsfv
13 112952 114999 1024.0 KiB A01A ddr
14 115000 115031 16.0 KiB A01D sec
15 115032 115287 128.0 KiB FFFF storsec
16 115288 123479 4.0 MiB FFFF tunning
17 123480 123983 252.0 KiB FFFF prdid
18 123984 124487 252.0 KiB FFFF boardid
19 124488 124615 64.0 KiB FFFF vbmeta
20 124616 126663 1024.0 KiB FFFF bluetooth
21 126664 159431 16.0 MiB FFFF dsp
22 159432 224967 32.0 MiB FFFF mdtp
23 224968 356039 64.0 MiB A036 boot
24 356040 581319 110.0 MiB 0700 modem
25 581320 581327 4.0 KiB FFFF bootsig
26 581328 589823 4.1 MiB FFFF padding2
27 589824 596991 3.5 MiB A012 xbl_a
28 596992 605183 4.0 MiB A016 tz_a
29 605184 606207 512.0 KiB A018 rpm_a
30 606208 607231 512.0 KiB A017 hyp_a
31 607232 608255 512.0 KiB A01E pmic_a
32 608256 610303 1024.0 KiB FFFF keymaster_a
33 610304 612351 1024.0 KiB FFFF cmnlib_a
34 612352 614399 1024.0 KiB FFFF cmnlib64_a
35 614400 622591 4.0 MiB FFFF mdtpsecapp_a
36 622592 624639 1024.0 KiB FFFF devcfg_a
37 624640 626687 1024.0 KiB FFFF abl_a
38 626688 638975 6.0 MiB FFFF padding3
39 638976 646143 3.5 MiB FFFF xbl_b
40 646144 654335 4.0 MiB FFFF tz_b
41 654336 655359 512.0 KiB FFFF rpm_b
42 655360 656383 512.0 KiB FFFF hyp_b
43 656384 657407 512.0 KiB FFFF pmic_b
44 657408 659455 1024.0 KiB FFFF keymaster_b
45 659456 661503 1024.0 KiB FFFF cmnlib_b
46 661504 663551 1024.0 KiB FFFF cmnlib64_b
47 663552 671743 4.0 MiB FFFF mdtpsecapp_b
48 671744 673791 1024.0 KiB FFFF devcfg_b
49 673792 675839 1024.0 KiB FFFF abl_b
50 688128 704511 8.0 MiB FFFF logfs
51 704512 704513 1024 bytes A029 fsc
52 704520 704535 8.0 KiB A02C ssd
53 704536 770071 32.0 MiB A026 persist
54 770072 772119 1024.0 KiB A01F misc
55 772120 773143 512.0 KiB A02D keystore
56 773144 774167 512.0 KiB FFFF frp
57 774168 905231 64.0 MiB A025 recovery
58 905232 905239 4.0 KiB FFFF recoverysig
59 905240 946199 20.0 MiB FFFF hdcp
60 946200 1048599 50.0 MiB FFFF oempersist
61 1048600 1179671 64.0 MiB FFFF logdump
62 1179672 1183767 2.0 MiB FFFF sti
63 1183768 1445911 128.0 MiB A01C rawdump
64 1445912 1454103 4.0 MiB A027 modemst1
65 1454104 1462295 4.0 MiB A028 modemst2
66 1462296 1462807 256.0 KiB FFFF perm
67 1462808 1463319 256.0 KiB FFFF nvuser
68 1463320 1465367 1024.0 KiB FFFF metadata
69 1465368 1498135 16.0 MiB FFFF rcause
70 1498136 1522711 12.0 MiB FFFF bcota
71 1522712 1524759 1024.0 KiB FFFF blog
72 1524760 1565719 20.0 MiB FFFF bbpersist
73 1572864 9142271 3.6 GiB FFFF system
74 9142272 10780671 800.0 MiB FFFF vendor
75 10780672 13033471 1.1 GiB FFFF oem
76 13041664 15138815 1024.0 MiB A039 cache
77 15138816 122142686 51.0 GiB A03A userdata
Now let's get started with the modding procedure.
Step 1: Get the gpt_both0.bin
This can be found in your stock firmware. If it doesn't exist, you have to dump it. Take a phone with eMMC storage as an example:
Code:
dd if=/dev/block/mmcblk0 of=/storage/emulated/0/gpt_both0.bin bs=512 count=67
For devices with UFS storage, you have to get gpt_both0.bin - gpt_both5.bin from stock firmware or dump from /dev/block/sda ~ /dev/block/sdf.
If it's dumped from the phone, save it to a safe place to ensure we can restore partition table anytime we want.
Step 2: Hack the gpt_both0.bin (or gpt_both*.bin for UFS storage) - rename partitions
Make a copy of the gpt_both0.bin and use Hex Editor to open the gpt_both0.bin.
The actual partition table is split into 2 parts: the main partition table and the backup.
The main partition table is located between these offsets: 0x400~0x43FF
The backup partition table is located between these offsets: 0x4400~0x83FF
As the contents of 0x400~0x43FF and 0x4400~0x83FF are identical, we just need to edit the content between 0x400~0x43FF, then copy what we have done between 0x400~0x43FF and overwrite it into 0x4400~0x83FF.
Each 0x7F block of content between 0x400~0x43FF is the information of one partition. Take this for example:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00000010 E7 1F 76 6E 50 DA DC 52 E6 6E 63 D4 6C 4D 06 C5 ç.vnPÚÜRæncÔlM.Å
00000020 00 10 10 00 00 00 00 00 FF 0F 12 00 00 00 00 00 ........ÿ.......
00000030 00 00 00 00 00 00 00 00 62 00 6F 00 6F 00 74 00 ........b.o.o.t.
00000040 5F 00 62 00 00 00 00 00 00 00 00 00 00 00 00 00 _.b.............
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0~0x1F - GUID of the partition.
0x20~0x27 - Begin offset in reversed order. The unit is KiB. In this case, the begin offset is 0x0000000000101000.
0x28~0x2F - End offset in reversed order. In this case, the end offset is 0x0000000000120FFF.
0x38~0x7F - Partition label. Every character of the partition label needs to be separated with 0x00.
Always remember to use a calculator that comes with a BASE-N function (including Windows Calculator and many high-end scientific calculators) to calculate the length of partitions, so we can resize in the next step.
In this part, we will need to rename a few partitions.
Take the boot_a and boot_b partitions for example. Just simply rename the partition label.
Before:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001D80 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D †.. …éWC¹î7KÁØH}
00001D90 12 B0 CE 25 F6 D5 85 67 BC 87 81 4E 99 D2 CD 24 .°Î%öÕ…g¼‡.N™ÒÍ$
00001DA0 00 10 0E 00 00 00 00 00 FF 0F 10 00 00 00 00 00 ........ÿ.......
00001DB0 00 00 00 00 00 00 00 00 62 00 6F 00 6F 00 74 00 ........b.o.o.t.
00001DC0 5F 00 61 00 00 00 00 00 00 00 00 00 00 00 00 00 _.a.............
00001DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E00 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00001E10 E7 1F 76 6E 50 DA DC 52 E6 6E 63 D4 6C 4D 06 C5 ç.vnPÚÜRæncÔlM.Å
00001E20 00 10 10 00 00 00 00 00 FF 0F 12 00 00 00 00 00 ........ÿ.......
00001E30 00 00 00 00 00 00 00 00 62 00 6F 00 6F 00 74 00 ........b.o.o.t.
00001E40 5F 00 62 00 00 00 00 00 00 00 00 00 00 00 00 00 _.b.............
00001E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
After:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001D80 86 7F 11 20 85 E9 57 43 B9 EE 37 4B C1 D8 48 7D †.. …éWC¹î7KÁØH}
00001D90 12 B0 CE 25 F6 D5 85 67 BC 87 81 4E 99 D2 CD 24 .°Î%öÕ…g¼‡.N™ÒÍ$
00001DA0 00 10 0E 00 00 00 00 00 FF 0F 10 00 00 00 00 00 ........ÿ.......
00001DB0 00 00 00 00 00 00 00 00 62 00 6F 00 6F 00 74 00 ........b.o.o.t.
00001DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E00 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00001E10 E7 1F 76 6E 50 DA DC 52 E6 6E 63 D4 6C 4D 06 C5 ç.vnPÚÜRæncÔlM.Å
00001E20 00 10 10 00 00 00 00 00 FF 0F 12 00 00 00 00 00 ........ÿ.......
00001E30 00 00 00 00 00 00 00 00 72 00 65 00 63 00 6F 00 ........r.e.c.o.
00001E40 76 00 65 00 72 00 79 00 00 00 00 00 00 00 00 00 v.e.r.y.........
00001E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00001E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
As for modem_a and modem_b, here's what I did. You should do the same for the bluetooth, dsp and mdtp partitions.
Before:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800 A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7 ¢*Ðëå¹3D‡Àh¶·&™Ç
00000810 2B 1D C0 46 24 90 83 B6 96 0B B5 1F 35 4B 61 FF +.ÀF$.ƒ¶–.µ.5Kaÿ
00000820 00 10 02 00 00 00 00 00 FF 7F 05 00 00 00 00 00 ........ÿ.......
00000830 00 00 00 00 00 00 00 10 6D 00 6F 00 64 00 65 00 ........m.o.d.e.
00000840 6D 00 5F 00 61 00 00 00 00 00 00 00 00 00 00 00 m._.a...........
00000850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000880 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00000890 E7 52 D4 C9 31 F9 55 9D F6 A4 56 78 36 07 85 99 çRÔÉ1ùU.ö¤Vx6.…™
000008A0 00 80 05 00 00 00 00 00 FF EF 08 00 00 00 00 00 .€......ÿï......
000008B0 00 00 00 00 00 00 00 10 6D 00 6F 00 64 00 65 00 ........m.o.d.e.
000008C0 6D 00 5F 00 62 00 00 00 00 00 00 00 00 00 00 00 m._.b...........
000008D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000008E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000008F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
After:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000800 A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7 ¢*Ðëå¹3D‡Àh¶·&™Ç
00000810 2B 1D C0 46 24 90 83 B6 96 0B B5 1F 35 4B 61 FF +.ÀF$.ƒ¶–.µ.5Kaÿ
00000820 00 10 02 00 00 00 00 00 FF 7F 05 00 00 00 00 00 ........ÿ.......
00000830 00 00 00 00 00 00 00 10 6D 00 6F 00 64 00 65 00 ........m.o.d.e.
00000840 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 m...............
00000850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000870 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000880 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00000890 E7 52 D4 C9 31 F9 55 9D F6 A4 56 78 36 07 85 99 çRÔÉ1ùU.ö¤Vx6.…™
000008A0 00 80 05 00 00 00 00 00 FF EF 08 00 00 00 00 00 .€......ÿï......
000008B0 00 00 00 00 00 00 00 10 65 00 6C 00 69 00 6D 00 ........e.l.i.m.
000008C0 69 00 6E 00 61 00 74 00 65 00 64 00 5F 00 6D 00 i.n.a.t.e.d._.m.
000008D0 6F 00 64 00 65 00 6D 00 5F 00 62 00 00 00 00 00 o.d.e.m._.b.....
000008E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000008F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
For devices with AVB2 enabled, you should know how to repurpose dtbo and vbmeta partitions.
Step 3: Eliminate system_b, vendor_b, and repurpose remaining partitions
This depends on how your phone was originally partitioned. In many cases, for devices with eMMC storage, system_a, system_b, vendor_a, vendor_b and userdata are the last 5 partitions of the phone.
Take this one for example. Before:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002C00 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002C10 42 C8 9A 2C 46 11 33 9D C7 90 B8 74 F4 FC F6 4B BÈš,F.3.Ç.¸tôüöK
00002C20 18 EC 1F 00 00 00 00 00 17 EC 6F 00 00 00 00 00 .ì.......ìo.....
00002C30 00 00 00 00 00 00 00 00 73 00 79 00 73 00 74 00 ........s.y.s.t.
00002C40 65 00 6D 00 5F 00 61 00 00 00 00 00 00 00 00 00 e.m._.a.........
00002C50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C80 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00002C90 D2 4C 63 24 6E 37 13 6F 57 5B 73 4A B3 8A 93 EC ÒLc$n7.oW[sJ³Š“ì
00002CA0 18 EC 6F 00 00 00 00 00 17 EC BF 00 00 00 00 00 .ìo......ì¿.....
00002CB0 00 00 00 00 00 00 00 00 73 00 79 00 73 00 74 00 ........s.y.s.t.
00002CC0 65 00 6D 00 5F 00 62 00 00 00 00 00 00 00 00 00 e.m._.b.........
00002CD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D00 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002D10 87 4C 96 DB C8 A9 3F 76 E8 BF FF 62 5B A4 42 20 ‡L–ÛÈ©?vè¿ÿb[¤B
00002D20 00 00 C0 00 00 00 00 00 FF FF CF 00 00 00 00 00 ..À.....ÿÿÏ.....
00002D30 00 00 00 00 00 00 00 10 76 00 65 00 6E 00 64 00 ........v.e.n.d.
00002D40 6F 00 72 00 5F 00 61 00 00 00 00 00 00 00 00 00 o.r._.a.........
00002D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D80 D4 6C 03 77 D5 03 BB 42 8E D1 37 E5 A8 8B AA 34 Ôl.wÕ.»BŽÑ7娋ª4
00002D90 21 A8 AB 40 79 5E 89 16 78 16 A6 B6 17 D7 EA 01 !¨«@y^‰.x.¦¶.×ê.
00002DA0 00 00 D0 00 00 00 00 00 FF FF DF 00 00 00 00 00 ..Ð.....ÿÿß.....
00002DB0 00 00 00 00 00 00 00 10 76 00 65 00 6E 00 64 00 ........v.e.n.d.
00002DC0 6F 00 72 00 5F 00 62 00 00 00 00 00 00 00 00 00 o.r._.b.........
00002DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E00 E6 E7 81 1B 0D F5 9B 41 A7 39 2A EE F8 DA 33 35 æç...õ›A§9*îøÚ35
00002E10 9C 19 0C DB 03 B2 D8 DB 79 62 74 EB F6 88 6D C7 œ..Û.²ØÛybtëöˆmÇ
00002E20 00 00 E0 00 00 00 00 00 FF FF DF 00 00 00 00 00 ..à.....ÿÿß.....
00002E30 00 00 00 00 00 00 00 00 75 00 73 00 65 00 72 00 ........u.s.e.r.
00002E40 64 00 61 00 74 00 61 00 00 00 00 00 00 00 00 00 d.a.t.a.........
00002E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
We need to move 0x2D00~0x2D7F to 0x2C80~0x2CFF, and 0x2E00~0x2E7F to 0x2D00~0x2D7F, then fill 0x2D80~0x2E7F with 0x00.
And of course, rename system_a to system, vendor_a to vendor.
And here's the result:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002C00 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002C10 42 C8 9A 2C 46 11 33 9D C7 90 B8 74 F4 FC F6 4B BÈš,F.3.Ç.¸tôüöK
00002C20 18 EC 1F 00 00 00 00 00 17 EC 6F 00 00 00 00 00 .ì.......ìo.....
00002C30 00 00 00 00 00 00 00 00 73 00 79 00 73 00 74 00 ........s.y.s.t.
00002C40 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 e.m.............
00002C50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C80 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002C90 87 4C 96 DB C8 A9 3F 76 E8 BF FF 62 5B A4 42 20 ‡L–ÛÈ©?vè¿ÿb[¤B
00002CA0 00 00 C0 00 00 00 00 00 FF FF CF 00 00 00 00 00 ..À.....ÿÿÏ.....
00002CB0 00 00 00 00 00 00 00 10 76 00 65 00 6E 00 64 00 ........v.e.n.d.
00002CC0 6F 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 o.r.............
00002CD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D00 E6 E7 81 1B 0D F5 9B 41 A7 39 2A EE F8 DA 33 35 æç...õ›A§9*îøÚ35
00002D10 9C 19 0C DB 03 B2 D8 DB 79 62 74 EB F6 88 6D C7 œ..Û.²ØÛybtëöˆmÇ
00002D20 00 00 E0 00 00 00 00 00 FF FF DF 00 00 00 00 00 ..à.....ÿÿß.....
00002D30 00 00 00 00 00 00 00 00 75 00 73 00 65 00 72 00 ........u.s.e.r.
00002D40 64 00 61 00 74 00 61 00 00 00 00 00 00 00 00 00 d.a.t.a.........
00002D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
You might have noticed there are two huge gaps, between system and vendor and between vendor and userdata, so we need to edit the offsets of vendor and userdata to eliminate them.
In this case, the end offset of the system partition is 0x00000000006FEC17. Therefore, the begin offset of the vendor partition should be at least 0x00000000006FEC18. Just take note.
The original offset of the vendor partition is 0x0000000000C00000~0x0000000000CFFFFF. It's not hard to see that the length of the vendor partition is 0xFFFFF.
With the help of a calculator, we get the new end offset of the vendor partition: 0x00000000007FEC17.
As for the userdata partition, the begin offset needs to be at least 0x00000000007FEC18, but the end offset needs to be the same as the vendor partition's. Therefore, the bootloader will allocate all of the remaining storage space to userdata.
(This covers most cases, where userdata is the last partition of your phone.)
Now we have the new offsets of the vendor and userdata partitions:
vendor: 0x00000000006FEC18~0x00000000007FEC17
userdata: 0x00000000007FEC18~0x00000000007FEC17
Input them into the partition table.
So the result is:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00002C00 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002C10 42 C8 9A 2C 46 11 33 9D C7 90 B8 74 F4 FC F6 4B BÈš,F.3.Ç.¸tôüöK
00002C20 18 EC 1F 00 00 00 00 00 17 EC 6F 00 00 00 00 00 .ì.......ìo.....
00002C30 00 00 00 00 00 00 00 00 73 00 79 00 73 00 74 00 ........s.y.s.t.
00002C40 65 00 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 e.m.............
00002C50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002C80 11 B0 D7 97 DA 54 35 48 B3 C4 91 7A D6 E7 3D 74 .°×—ÚT5H³Ä‘zÖç=t
00002C90 87 4C 96 DB C8 A9 3F 76 E8 BF FF 62 5B A4 42 20 ‡L–ÛÈ©?vè¿ÿb[¤B
00002CA0 18 EC 6F 00 00 00 00 00 17 EC 7F 00 00 00 00 00 .ìo......ì......
00002CB0 00 00 00 00 00 00 00 10 76 00 65 00 6E 00 64 00 ........v.e.n.d.
00002CC0 6F 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 o.r.............
00002CD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002CF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D00 E6 E7 81 1B 0D F5 9B 41 A7 39 2A EE F8 DA 33 35 æç...õ›A§9*îøÚ35
00002D10 9C 19 0C DB 03 B2 D8 DB 79 62 74 EB F6 88 6D C7 œ..Û.²ØÛybtëöˆmÇ
00002D20 7F EC 18 00 00 00 00 00 7F EC 17 00 00 00 00 00 .ì.......ì......
00002D30 00 00 00 00 00 00 00 00 75 00 73 00 65 00 72 00 ........u.s.e.r.
00002D40 64 00 61 00 74 00 61 00 00 00 00 00 00 00 00 00 d.a.t.a.........
00002D50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Step 4: Copy what we have done to the backup partition table, and save it as "gpt_main0.mod.bin"
Pretty simple. Copy the content between 0x400~0x43FF and write it over the data starting at 0x4400, so the backup partition table gets the same result.
Now save it as "gpt_main0.mod.bin".
Step 5: Flash it to your phone and check the result
This may require your phone to be critical-unlocked (fastboot flashing unlock_critical).
Before you flash, you can use this command to check what the partitions originally are:
For macOS / Linux distro:
Code:
fastboot getvar all 2>&1 | grep partition-size
For Windows:
Code:
fastboot getvar all 2>&1|findstr partition-size
Flash it with this command:
Code:
fastboot flash partition /path/to/gpt_main0.mod.bin
fastboot reboot-bootloader
For devices with UFS storage (take partition table of lun3 for example):
Code:
fastboot flash partition:3 /path/to/gpt_main3.mod.bin
fastboot reboot-bootloader
After that, you can use this command to check the result:
For macOS / Linux distro:
Code:
fastboot getvar all 2>&1 | grep partition-size
For Windows:
Code:
fastboot getvar all 2>&1|findstr partition-size
If the values changed to what you expected (the unit is bytes), then the modification was successful.
From what I have tested, flashing an existing TWRP to the recovery partition and booting it with the recovery mode key combination will make the phone boot to TWRP successfully, and it can still mount the system/vendor partitions - no modifications need to be done.
However, the phone will not boot with an unmodified boot image; the fstab and init.rc may need to be modified to ensure it boots in such an environment, and this is up to developers.
If you only want to minimize system_b and vendor_b for maximum compatibility, then you cannot rename partitions; only resizing can be done. You can allocate at least 1 KiB to system_b and vendor_b to gain extra storage space for userdata.
That wraps up the entire guide, and I hope it can be helpful for custom ROM development.
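Added example (not the OP's code, and not a tool from the guide): the same edits as Steps 2 to 4, done by script on a raw GPT image instead of in a hex editor. Two things worth knowing that the hex dumps above do not spell out: the two 8-byte fields after the GUIDs in each 128-byte entry are first and last LBA (sector numbers, inclusive, so 0x1FEC18~0x6FEC17 is 0x500000 sectors of 512 bytes), not byte offsets; and the GPT header at LBA 1 carries a CRC32 of the entry array and a CRC32 of itself, which a hex-editor edit leaves stale. Whether a given bootloader enforces those CRCs varies, so the safe move is to recompute them, and verify_crcs() lets you check a hand-edited gpt_main0.mod.bin. Assumptions: 512-byte LBAs (eMMC, as in the guide), 128-byte entries, primary header at LBA 1, field layout per the UEFI GPT spec. build_sample() is a constructed image that mirrors the guide's system/vendor/userdata numbers (including the original table's zero-length userdata), not a dump from a real phone. The example generalizes the guide slightly: every *_b entry is removed and every *_a renamed, the tail from "system" onward is repacked, and by default the last partition is extended to the header's last usable LBA (the standard way to say "rest of the disk"); pass grow_last=False to keep the guide's first-1 trick instead.

```python
# Added example, not from the original post: script the guide's hex-editor edits on a
# raw GPT image (drop *_b slots, rename *_a, close the gaps from "system" on) and
# recompute the header and entry-array CRC32 fields that hand-editing leaves stale.
# Assumes 512-byte LBAs (eMMC, as in the guide), 128-byte entries and the primary
# header at LBA 1. build_sample() is a constructed image, not a real phone dump.
import struct
import uuid
import zlib

LBA = 512
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte GPT header, UEFI spec layout
ENT = struct.Struct("<16s16sQQQ72s")        # 128-byte entry: type, uuid, first, last, attrs, name
ZERO_GUID = b"\0" * 16


def read_table(img, hdr_lba=1):
    """Return (header fields, used entries) from the GPT header at hdr_lba."""
    h = list(HDR.unpack_from(img, hdr_lba * LBA))
    if h[0] != b"EFI PART":
        raise ValueError("no GPT header at LBA %d" % hdr_lba)
    entries = []
    for i in range(h[11]):                          # h[10]=array LBA, h[11]=count, h[12]=entry size
        t, u, first, last, attrs, name = ENT.unpack_from(img, h[10] * LBA + i * h[12])
        if t != ZERO_GUID:                          # all-zero type GUID marks an unused slot
            entries.append({"type": t, "uuid": u, "first": first, "last": last, "attrs": attrs,
                            "name": name.decode("utf-16-le").rstrip("\0")})
    return h, entries


def drop_b_slots(entries):
    """Remove every *_b entry and rename *_a to the bare name (boot_a -> boot)."""
    keep = [e for e in entries if not e["name"].endswith("_b")]
    return [dict(e, name=e["name"][:-2]) if e["name"].endswith("_a") else e for e in keep]


def repack_tail(entries, start_name, last_usable=None):
    """From start_name onward, place each partition right after the previous one
    with its size unchanged; if last_usable is given, grow the final one to it."""
    out, next_lba = [], None
    for e in entries:
        e = dict(e)
        if e["name"] == start_name:
            next_lba = e["first"]
        if next_lba is not None:
            size = e["last"] - e["first"] + 1       # GPT last LBA is inclusive
            e["first"], e["last"] = next_lba, next_lba + size - 1
            next_lba = e["last"] + 1
        out.append(e)
    if next_lba is None:
        raise ValueError("partition %r not found" % start_name)
    if last_usable is not None:
        out[-1]["last"] = last_usable
    return out


def write_table(img, h, entries, hdr_lba=1, mirror_lba=None):
    """Serialise entries into the header's array (plus a copy at mirror_lba, the
    guide's 0x4400 = LBA 34), then rewrite the header with fresh CRCs."""
    h = list(h)
    arr = bytearray(h[11] * h[12])                  # unused slots stay zero, as in the guide
    for i, e in enumerate(entries):
        ENT.pack_into(arr, i * h[12], e["type"], e["uuid"], e["first"], e["last"],
                      e["attrs"], e["name"].encode("utf-16-le").ljust(72, b"\0"))
    for lba in (h[10], mirror_lba):
        if lba is not None:
            img[lba * LBA:lba * LBA + len(arr)] = arr
    h[13] = zlib.crc32(arr)                         # CRC32 of the partition entry array
    h[3] = 0                                        # header CRC is computed with its own field zeroed
    h[3] = zlib.crc32(HDR.pack(*h))
    img[hdr_lba * LBA:hdr_lba * LBA + HDR.size] = HDR.pack(*h)
    return img


def verify_crcs(img, hdr_lba=1):
    """True if both CRC32 fields match the bytes they cover; run this on a hand-edited file."""
    h = list(HDR.unpack_from(img, hdr_lba * LBA))
    arr = bytes(img[h[10] * LBA:h[10] * LBA + h[11] * h[12]])
    stored, h[3] = h[3], 0
    return zlib.crc32(HDR.pack(*h)) == stored and zlib.crc32(arr) == h[13]


def convert(img, start_name="system", grow_last=True, mirror_lba=None):
    """Apply the guide's Steps 2-4 to a gpt_main0.bin-style image; returns a new bytearray."""
    h, entries = read_table(img)
    entries = repack_tail(drop_b_slots(entries), start_name, h[8] if grow_last else None)
    return write_table(bytearray(img), h, entries, mirror_lba=mirror_lba)


def build_sample():
    """Constructed 66-LBA image (primary GPT + room for the 0x4400 mirror) holding the
    guide's five tail entries, including the original table's zero-length userdata."""
    last_usable = 0xDFFFFF
    h = [b"EFI PART", 0x10000, 92, 0, 0, 1, last_usable + 33, 34, last_usable,
         uuid.uuid4().bytes, 2, 128, 128, 0]
    plan = [("system_a", 0x1FEC18, 0x6FEC17), ("system_b", 0x6FEC18, 0xBFEC17),
            ("vendor_a", 0xC00000, 0xCFFFFF), ("vendor_b", 0xD00000, 0xDFFFFF),
            ("userdata", 0xE00000, 0xDFFFFF)]
    entries = [{"type": b"\x11" * 16, "uuid": uuid.uuid4().bytes, "first": f, "last": l,
                "attrs": 0, "name": n} for n, f, l in plan]   # type GUID is a placeholder
    return write_table(bytearray(66 * LBA), h, entries)


if __name__ == "__main__":                          # demo on the constructed sample
    for e in read_table(convert(build_sample(), mirror_lba=34))[1]:
        print("%-10s first=0x%X last=0x%X" % (e["name"], e["first"], e["last"]))
```

On a real dump, read the file into a bytearray, call convert(data, mirror_lba=34) if the file carries the second copy of the entry array at 0x4400 as in Step 4, and write the result out as gpt_main0.mod.bin. The script only recomputes the primary header; if the file also contains a backup header (in a gpt_both0.bin layout), its CRCs need the same treatment. On the sample this produces exactly the guide's vendor range 0x6FEC18~0x7FEC17 and userdata start 0x7FEC18.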
Reserved #1
Reserved #2
What device(s) have you tested this on?
MishaalRahman said:
What device(s) have you tested this on?
Nokia 6.1 Plus, a.k.a Nokia X6 in China.
In theory this will also work on Nokia 6.1, Nokia 7, Nokia 7 Plus and Nokia 7.1.
I have never tested devices with UFS storage yet.
