Develop Bugs

[REF] bml* partition layout

LAYOUT MAPPING COMPLETE! THANKS EVERYONE!​
based on XXJF5 stock 2.1#1
256 KB -- bml1, contain boot.bin (262144 bytes), Primary Boot Loader (low-level hardware initialization)
256 KB -- bml2, contains PIT file first 512 bytes
10240 KB -- bml3 /dev/block/stl3 /efs
1280 KB -- bml4 contain Sbl.bin (1310720 bytes) Secondary Boot Loader (loads the Linux kernel and passes the necessary arguments)
1280KB -- bml5 contains Secondary Boot Loader (for recovery, ect)
5120KB -- bml6 param.lfs /mnt/.lfs j4fs
7680KB -- bml7 contain zImage and initramfs
7680KB -- bml8 empty
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition) /dev/block/stl9
137216KB -- bml10 dbdata.rfs ( /dbdata RFS Partition) /dev/block/stl10
35840KB -- bml11 cache.rfs ( /cache RFS Partition) /dev/block/stl11
12800KB -- bml12 modem.bin

Hello husq510
Thanks for this infos, i'll follow this thread closely because i'm looking for the place where ServiceMode settings are stored.

anyone tried writing to the bml directly?

husq510 said:
bash-3.2# ls -al /dev/block/bml*
1280 KB -- bml4 kernel (zImage)
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition)
Click to expand...
Click to collapse
interesting. so ive dd the bml4 and bml9 of optus australia stock 19000DTJF3. now anyone want to point me in the direction of creating an odin package out of it.

i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?

jodue said:
i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?
Click to expand...
Click to collapse
you are right, cant be. then kernel must be in some other bml place, seems bml7.
gandalf:~/Desktop/android/bml ackie$ grep "booting the kernel" *
Binary file bml7.dump matches
gandalf:~/Desktop/android/bml ackie$ hexdump -n 128 bml7.dump | grep "e1a0 0000 e1a0"
0000000 0000 e1a0 0000 e1a0 0000 e1a0 0000 e1a0
0000020 0002 ea00 [2818 016f] [0000 0000] [a510 005b] <- zimage magic number 0x016F2818, start at 0x0, end at 0x005b10a5
0000030 7001 e1a0 8002 e1a0 2000 e10f 0003 e312
0000040 0001 1a00 0017 e3a0 3456 ef12 2000 e10f
0000050 20c0 e382 f002 e121 0000 0000 0000 0000
0000060 00d0 e28f 307e e890 0001 e050 000a 0a00
0000070 5000 e085 6000 e086 c000 e08c 2000 e082
0000080
Offset into zImage Value Description
0x24 0x016F2818 Magic number used to identify this is an ARM Linux zImage
0x28 start address The address the zImage starts at
0x2C end address The address the zImage ends at
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.

husq510 said:
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.
Click to expand...
Click to collapse
so is it safe to assume after 0x005b10a5 is the ram disk?

Hello Folks.
I found some interesting bits in bml12.
"Service Mode" datas strings are in it, like show these example :
Code:
strings ./bml12 | grep Diamond
[SND] TurnON UtaAudioModifyHf(prev_Diamond_mode:0x%x)
`[SND]DiamondVoice_GetMode : path = 0x%x, Diamond_mode = 0x%x
`[SND]DiamondVoice_GetMode : Diamond_mode = 0x%x
[SND]DiamondVoiceTXcfgMSG
`[SND] DiamondVoice_RxInit : DiamondVoice_Mode_v = 0x%x
Diamond Solution
[9] Diamond Solution
[SND]DiamondVoice_Config : DiamondVoice_Mode_v = 0x%x, Diamond_mode= 0x%x
strings ./bml12 | grep DEBUG
MN_GPS_DEBUG_INFO_CNF
GPS_DEBUG_INFO_CNF
[1] DEBUG SCREEN
[2] DEBUG INFO
DEBUG INFO
DEBUG MSG 115200
DEBUG MSG SETTING FAIL
DEBUG MSG 921600
DEBUG MSG ON
DEBUG MSG OFF
AUDIO_LIB_DSP_DEBUG_GRP1
AUDIO_LIB_DSP_DEBUG_GRP2
AUDIO_LIB_DSP_DEBUG_GRP3
AUDIO_LIB_DSP_DEBUG_GRP4
AUDIO_LIB_DSP_DEBUG_GRP5
AUD_LIB_DSP_DEBUG
IPC_MISC_PHONE_DEBUG
IPC_MISC_DEBUG_LEVEL
IPC_SVC_DEBUG_DUMP
IPC_SVC_DEBUG_STRING

And I found my IMEI number in bml3
edit :
+ some MAC hardware address too (but not the Wifi one)
+ the HW Version : MP 0.800
I guess that bml3 is device-specific.
But I don't know if it's the source of specific values or just contains copy of hardware-related data.
In the first case, modifying bml3 would allow to change IMEI or other sensitive values ^^

nonato said:
so is it safe to assume after 0x005b10a5 is the ram disk?
Click to expand...
Click to collapse
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)

raspdeep said:
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)
Click to expand...
Click to collapse
No, you cant write directly to bml.
Data write to a sector involves following sequence of low-level flash operations:
1. Block copy for back-up
2. Block erase
3. Copy back for non-modified pages
4. Writing the sector data to the modified page
These sequences of operations are not atomic, so a write request to this block device driver is prone to data corruption. For this reason, read-only file systems such as CRAMFS are adequate to run on top of this block device driver.

use this small script to extract your current zImage:
offset=`dd if=/dev/block/bml7 bs=1 skip=44 count=4 2>/dev/null| hexdump -e '1/4 "%d"' -e '"\n"'`
echo $offset
dd if=/dev/block/bml7 bs=1 count=$offset of=/sdcard/zImage_backup

husq510 said:
use this small script to extract your current zImage:
Click to expand...
Click to collapse
nice, thanks for sharing that!

i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init

how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors

how did you dump and make the zip file you have attached?
thanks,
husq510 said:
i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init
Click to expand...
Click to collapse

raspdeep said:
how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors
Click to expand...
Click to collapse
[email protected] you have to use unzip instead gzip, cuz forum dislike .gz format, so I had to use standard zip.
mkdir initramfs
mv initrd-cpio.zip initramfs
cd initramfs
unzip initrd-cpio.zio
cat initrd.cpio | cpio -i --no-absolute-filenames

Hey, did somebody already tried to dump one or some bml partitions and restore them later ?
I guess this could be the ultimate backup tool.

I took a look into this and found that
bml2 : PIT file is here
bml5 : Sbl.bin is here
I opened it with a Hexeditor and compared with things from the firmware.
My device is running on JP3, froyo, at the moment.

thanks i will update first post. layout mapping is complete now!

Your own logo.img in param.lfs

Hello,
I wanna share some information about param.lfs. As some people I tried to study this file. I tried to port j4fs driver to linux, but with no success yet.
But I have something. For those ROM-makers who want to insert their own logo right in the file for flashing it as a part of a ROM you can do the following:
1. Prepare your jpeg file, process it through jpeg optimizer (like xat.com JPEG optimizer). Size must not exceed 3FD1(HEX), or 16337Bytes. 480x800, 72dpi
2. Load this file (jpeg) in a HEX editor (WinHex) and copy it as a block
3. Load param.lfs
4. Overwrite two blocks in param.lfs by your image (just paste block in overwrite mode). First one - from offset B4000, second one - from 7F000. To double check - overwritten blocks should start with FF D8
That's all. Tar param.lfs as it used to do: tar -H ustar -с param.lfs > param.tar
and flash it via odin as PDA, or add to firmware then. You will obtain your own logo.jpg and logo_kor.jpg in /mnt/.lfs
So, you don't need to use special scripts to change splash-screen (mount .lfs and copy your logo.img into it). It will work with any kernel. Even on stock firmware you may have your own bootlogo.
Caution: Be careful. If you make something wrong, phone won't boot, because param.lfs is used by bootloader. At least /mnt/.lfs will be empty.
You may have black screen. Anyway you will be able to enter in 3-button mode to flash stock param.lfs back.
Of course that won't change bootlogo with yellow triangle because it "resides" in sbl.bin and very dangerous to be changed.
P.S. I was going to write a patch script, but decided not to do that.
Cheers

As a newbye, I found that very interesting to read
Thank you
1.
My original logo is 18.100 bytes and wonder if 3BB0(HEX) limit is accurate :/ :\ - while $B4000-$7F000=217.088 bytes
2.
On my param.lfs image, I searched for "FFD8 FFE0" and found other position for the JFIF files
Complete signature seems to be
"FFD8 FFE0"
"0010 4A46 4946 0001" for "..JFIF.."
3.
Linux support for j4fs would be great
4.
I wanted to know how to deal such a special "behaviour" into param.lfs partition: we can create files but not overwritten files...
Code:
[alpha] adb shell
$ su
# mount -o remount,rw -t j4fs /dev/block/stl6 /mnt/.lfs
# mount | grep ".lfs"
/dev/block/mmcblk0p4 on /mnt/.lfs type j4fs (rw,relatime)
#
# cd /mnt/.lfs
# rm -f logo.jpg
rm: can't remove 'logo.jpg': Operation not permitted
# echo "1. Impossible to delete logo.jpg"
1. Impossible to delete logo.jpg
#
# cp /mnt/sdcard/logo.jpg /mnt/.lfs/logo0.jpg
# ls -l /mnt/.lfs/logo0.jpg
-rwxrwxrwx 1 root root 19524 Jan 1 1970 /mnt/.lfs/logo0.jpg
# echo "2. copy onto /mnt/.lfs/ is possible"
2. copy onto /mnt/.lfs/ is possible
#
# cp -f logo0.jpg logo.jpg
cp: can't create 'logo.jpg': File exists
# echo "3. copy onto logo.jpg is impossible"
3. copy onto logo.jpg is impossible
#
# chattr -i logo.jpg
chattr: reading flags on logo.jpg: Not a typewriter
# rm -f logo.jpg
rm: can't remove 'logo.jpg': Operation not permitted
# exit
$ exit
[alpha] echo "Really strange for a file system ?"
Really strange for a file system ?
Is there a simple way to delete logo.jpg ?

Ivan_Belarus said:
Caution: Be careful. If you make something wrong, phone won't boot, because param.lfs is used by bootloader. At least /mnt/.lfs will be empty. You may have black screen. Anyway you will be able to enter in 3-button mode to flash stock param.lfs back.
Click to expand...
Click to collapse
First of all, thanks for sharing the info.
I tried it, no dice. Seems B4000 in the param.lfs I'm using (KI8) isn't the beginning of a JPEG. Tried other addresses that start with FF D8, with and w/o Exif, to no avail. All I have is an empty .lfs folder (as you said) and a boot message saying "logo.jpg" draw failed, but it boots eventually.
What am I missing?
TIA
param.lfs I'm using: http://www.mediafire.com/file/jw0x36z04fvp4eg/param.lfs
EDIT:
Wow! It took me a couple of hours, but I've finally found it in that param.lfs (XWKI8)!!!
In XWKI8 logo.jpg starts @ 7D800. Don't go beyond the length of the file you have already (in XWKI8, +/-15K), otherwise you'll get the "draw failed" boot error and an empty /mnt/.lfs - in this case, just reflash the stock param.lfs and you'll be ok.
Works great! I can sleep now!
Once more, thx a bunch Ivan_Belarus for sharing the info!
cheers!!!

geekmarc said:
1.My original logo is 18.100 bytes and wonder if 3BB0(HEX) limit is accurate :/ :\ - while $B4000-$7F000=217.088 bytes
2.On my param.lfs image, I searched for "FFD8 FFE0" and found other position for the JFIF files
Complete signature seems to be
"FFD8 FFE0"
"0010 4A46 4946 0001" for "..JFIF.."
4.I wanted to know how to deal such a special "behaviour" into param.lfs partition: we can create files but not overwritten files...
Is there a simple way to delete logo.jpg ?
Click to expand...
Click to collapse
1. Wrong operation. I have given the offsets only: for logo.jpg and logo_kor.jpg. I you want full addressing they are: B4000-B7FCF. It comes to 3FCF+2=3FD1. The second one is: 7F000-839B2. It comes to 49B2+2=49B4. (I've written 3BB0 - sorry I looked at my own block size. Fixed)
2. Yep, the jpeg header is bigger than word FF D8. You can google for jpeg header. But main two bytes are FF D8. The end is marked by FF D9. There are many jpeg files inside. I provided offsets for two ones.
4. You may look at Init.V scripts of Siyah kernel for example (/sbin/siyah/imports.sh)- there you may find all the commands for replace logo.jpg
I attached my original param.lfs (unchanged). I used it without problems on KI8
Heh, I didnt compare different param.lfs but now I see that there are different builds of param.lfs (thnx to rizdroid). So, I guess we're able to locate quickly the required offsets via block sizes and names. We need to find two blocks of size 3FD1 (starts with FF D8, ends with FF D9) and 49B4. They will be logo.jpg and logo_kor.jpg images. Before these blocks (about -7E1) you can find text 'logo.jpg' and 'logo_kor.jpg' accordingly. Don't try to locate them only by name!

someone help me out here... im trying to do this for the galaxy nexus but whenever i open my param.lfs file in a hex editor all i get is 0's theres nothing in it

Ivan_Belarus said:
1. Wrong operation. I have given the offsets only: for logo.jpg and logo_kor.jpg. I you want full addressing they are: B4000-B7FCF. It comes to 3FCF+2=3FD1. The second one is: 7F000-839B2. It comes to 49B2+2=49B4. (I've written 3BB0 - sorry I looked at my own block size. Fixed)
2. Yep, the jpeg header is bigger than word FF D8. You can google for jpeg header. But main two bytes are FF D8. The end is marked by FF D9. There are many jpeg files inside. I provided offsets for two ones.
4. You may look at Init.V scripts of Siyah kernel for example (/sbin/siyah/imports.sh)- there you may find all the commands for replace logo.jpg
I attached my original param.lfs (unchanged). I used it without problems on KI8
Heh, I didnt compare different param.lfs but now I see that there are different builds of param.lfs (thnx to rizdroid). So, I guess we're able to locate quickly the required offsets via block sizes and names. We need to find two blocks of size 3FD1 (starts with FF D8, ends with FF D9) and 49B4. They will be logo.jpg and logo_kor.jpg images. Before these blocks (about -7E1) you can find text 'logo.jpg' and 'logo_kor.jpg' accordingly. Don't try to locate them only by name!
Click to expand...
Click to collapse
WOOOOOOOOOOOOOOOOOOO !!!!! YEAH !!!!!! :good::good::good::victory::victory::victory:
@Ivan_Belarus, Thank you very much for the guide and help !!!!!
I was stack with that process of HEXing the param.lfs you provided because the image i made is SMALLER then 16337Bytes.
So I solved the "'logo.jpg' draw failed" problem I got ( becuase I changed only part of logo.jpg ) by filling "20" ( hex value ) all the cells between after my image FF D9 ( not included) and the original logo.jpg END ( FF D9 included ) as you wrote in your post: 1st jpg end is at B7FCF and the second is at 839B2.
I used the param.rar you provided.
To be clearer, for an example, let say I got this original param.lfs HEX segment:
Code:
[COLOR="red"]FFD8[/COLOR]FFE100184578EE55184D5331DA8831930800450007[COLOR="red"]FFD9[/COLOR]
But the image i want to implant is SMALLER , so it starts with "FFD8" and ends EARLIER with "FFD9" like:
Code:
[COLOR="red"]FFD8[/COLOR]FFE1008374597335734753745[COLOR="red"]FFD9[/COLOR]
So, I need to change param.lfs HEX segment so that it will include "20" after my image "FFD9":
Code:
[COLOR="red"]FFD8[/COLOR]FFE1008374597335734753745[COLOR="red"]FFD9[/COLOR][U][COLOR="Blue"]202020202020202020[/COLOR][/U]
About the need to TAR the param.lfs, because i'm on windows I used 7zip, so no need for linux of any sort.

rizdroid said:
First of all, thanks for sharing the info.
I tried it, no dice. Seems B4000 in the param.lfs I'm using (KI8) isn't the beginning of a JPEG. Tried other addresses that start with FF D8, with and w/o Exif, to no avail. All I have is an empty .lfs folder (as you said) and a boot message saying "logo.jpg" draw failed, but it boots eventually.
What am I missing?
TIA
param.lfs I'm using: http://www.mediafire.com/file/jw0x36z04fvp4eg/param.lfs
EDIT:
Wow! It took me a couple of hours, but I've finally found it in that param.lfs (XWKI8)!!!
In XWKI8 logo.jpg starts @ 7D800. Don't go beyond the length of the file you have already (in XWKI8, +/-15K), otherwise you'll get the "draw failed" boot error and an empty /mnt/.lfs - in this case, just reflash the stock param.lfs and you'll be ok.
Works great! I can sleep now!
Once more, thx a bunch Ivan_Belarus for sharing the info!
cheers!!!
Click to expand...
Click to collapse
Sorry to resurrect a REALLY old thread, but how did you manage to flash PARAM partition. It is in my .pit file from heimdall, but when I flash the partition, I simply see the old bootscreen.

hackintosh5 said:
Sorry to resurrect a REALLY old thread, but (...) .
Click to expand...
Click to collapse
It is OK to ask questions even if the thread is sooo old
But unfortunately I can't help you.

Iluvatar2000 said:
It is OK to ask questions even if the thread is sooo old
But unfortunately I can't help you.
Click to expand...
Click to collapse
Its fine! Thanks for your time!

Alcatel 960C/ One Touch Authority

Has anyone created a clockworkmod for this? This phone can be rooted, thru two apps, poot, and ministro(Qt). It still has gingerbread 2.3.6, and I need clockworkmod, or the source code, to use clockworkmod's builder. It is the cdma variant of the alcatel 995(which is gsm). can anyone point me in the right direction?

Source Code
I have it rooted, with adb insecure running, to see everything. My bootloader seems to be locked, and the recovery is unknown, with limited options. I can do most things, except change roms, wipe data, or cache in recovery. I would like to be directed to good repository.

reggjoo said:
I have it rooted, with adb insecure running, to see everything. My bootloader seems to be locked, and the recovery is unknown, with limited options. I can do most things, except change roms, wipe data, or cache in recovery. I would like to be directed to good repository.
Click to expand...
Click to collapse
how did you get it rooted?

rooting alcatel authority (960c)
squidbutt said:
how did you get it rooted?
Click to expand...
Click to collapse
First make sure you have USB Debugging checked and your allowing instalation of unknown sources
DL these from the play store:
Minstro2
Superuser
DL poot.apk: View attachment poot.zip
Run poot, click yes to download the extra librarys, click "click here to poot" you will need to restart the phone when it prompts. You should be rooted now :good:
You can DL ES File Explorer(from play store) and in the settings check: Root Explorer, Up to Root and Mount File System. Now you can manage all the files on your phone but be careful of what you delete, some of the stock apk's are very hard to recover if you delete them.
Hope this helps

Download superuser first
Download superuser first, you won't be able to run it until the phone's rooted. after it's rooted, it will work. This way, seems to stop a problem, when you go thru the steps to root. Some people had a error. If you plan to open the /data, /system, or dalvik cache, on your computer, install chainfire's adb insecure. These folders don't open without this, on a computer.

I have the kernel source here, they have it released on SourceForge I'm guessing you're right saying the bootloader is locked.
Here's some information I've found on the partitions:
mmcblk0 Internal Memory
mmcblk0p1 Mounted using VFAT Contains files pertaining to FOTA (FOTA partition?)
mmcblk0p2 500 blocks ?
mmcblk0p3 1500 blocks ?
mmcblk0p4 1 BLOCK ?
mmcblk0p5 1000 blocks ?
mmcblk0p6 2000 blocks ?
mmcblk0p7 3072 blocks ?
mmcblk0p8 5120 blocks Possible Recovery*
mmcblk0p9 7000 blocks ?
mmcblk0p10 3027 blocks ?
mmcblk0p11 3072 blocks ?
mmcblk0p12 5120 blocks ?
mmcblk0p13 1500 blocks ?
mmcblk0p14 8192 blocks Mounts to /persist
mmcblk0p15 5120 blocks?
mmcblk0p16 1024 blocks?
mmcblk0p17 409600 blocks, Mounts to /system
mmcblk0p18 307200 blocks, Mounts to /cache
mmcblk0p19 892928 blocks, Mounts to /data
mmcblk0p20 122880 blocks, partition appears empty with a sting at the bottom of it reading ANDROID-BOOT!
mmcblk1 SD Card
mmcblk1p1 SD Card Partition
build.prop (Alltel phone):
build.prop
Source Code:
SourceForge Download Link
* In a recent patch I have found, the following code was in the install-recovery.sh file:
Code:
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/mmcblk0p15:2048:afbffa74556cd8e77ef7e1a9d0964d9a2bd446b8; then
log -t recovery "Installing new recovery image"
applypatch EMMC:/dev/block/mmcblk0p8:4055040:9411e1fd06dfb3d8da4d1924162caf9e292ea652 EMMC:/dev/block/mmcblk0p15 20270fc8f6c8fca7dae0af5ce0928b589bd6b405 4296704 9411e1fd06dfb3d8da4d1924162caf9e292ea652:/system/recovery-from-boot.p
else
log -t recovery "Recovery image already installed"
fi
Any other information needed?
I'll look into getting a recovery working, but this is by no means a promise.
EDIT:
Something interesting:
The build.prop says the phone has a MSM7630_SURF board, and the Huawei U8800 has the same board, but not quite the same specs:
960C:
480x800
Multitouch
1400 Mhz CPU Sapdragon
512 MB RAM / 2048 MB ROM
Micro SD, 32 GB
3G
U8800:
480x800
Multitouch
800 Mhz CPU Snapdragon
512 MB RAM / 2048 MB ROM
Micro SD, 32 GB
AT&T has a 3g version
I'm betting these two are compatible, and the files I found contain some boot information.
Update:
I found the recovery.fstab for the U8800, doesn't look quite right does it:
Code:
# mount point fstype device [device2]
/boot mtd boot
/cache yaffs2 cache
/data yaffs2 userdata
/misc mtd misc
/recovery mtd recovery
/sdcard vfat /dev/block/mmcblk0p1 /dev/block/mmcblk0
/system yaffs2 system
I'm not sure how exactly to make this resemble the above partition table...
Update:
More information:
U-boot seems to support this board? Maybe this is good?
http://lists.denx.de/pipermail/u-boot/2012-February/118168.html
Also if anyone else wants to take a stab at this, by all means. I'm having trouble getting the tools set up, but if someone with a little more experince wants to that would be great.

Haven't seen this
aldude999 said:
I have the kernel source here, they have it released on SourceForge I'm guessing you're right saying the bootloader is locked.
Here's some information I've found on the partitions:
mmcblk0 Internal Memory
mmcblk0p1 Mounted using VFAT Contains files pertaining to FOTA (FOTA partition?)
mmcblk0p2 500 blocks ?
mmcblk0p3 1500 blocks ?
mmcblk0p4 1 BLOCK ?
mmcblk0p5 1000 blocks ?
mmcblk0p6 2000 blocks ?
mmcblk0p7 3072 blocks ?
mmcblk0p8 5120 blocks Possible Recovery*
mmcblk0p9 7000 blocks ?
mmcblk0p10 3027 blocks ?
mmcblk0p11 3072 blocks ?
mmcblk0p12 5120 blocks ?
mmcblk0p13 1500 blocks ?
mmcblk0p14 8192 blocks Mounts to /persist
mmcblk0p15 5120 blocks?
mmcblk0p16 1024 blocks?
mmcblk0p17 409600 blocks, Mounts to /system
mmcblk0p18 307200 blocks, Mounts to /cache
mmcblk0p19 892928 blocks, Mounts to /data
mmcblk0p20 122880 blocks, partition appears empty with a sting at the bottom of it reading ANDROID-BOOT!
mmcblk1 SD Card
mmcblk1p1 SD Card Partition
build.prop (Alltel phone):
build.prop
Source Code:
SourceForge Download Link
* In a recent patch I have found, the following code was in the install-recovery.sh file:
Code:
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/mmcblk0p15:2048:afbffa74556cd8e77ef7e1a9d0964d9a2bd446b8; then
log -t recovery "Installing new recovery image"
applypatch EMMC:/dev/block/mmcblk0p8:4055040:9411e1fd06dfb3d8da4d1924162caf9e292ea652 EMMC:/dev/block/mmcblk0p15 20270fc8f6c8fca7dae0af5ce0928b589bd6b405 4296704 9411e1fd06dfb3d8da4d1924162caf9e292ea652:/system/recovery-from-boot.p
else
log -t recovery "Recovery image already installed"
fi
Any other information needed?
I'll look into getting a recovery working, but this is by no means a promise.
EDIT:
Something interesting:
The build.prop says the phone has a MSM7630_SURF board, and the Huawei U8800 has the same board, but not quite the same specs:
960C:
480x800
Multitouch
1400 Mhz CPU Sapdragon
512 MB RAM / 2048 MB ROM
Micro SD, 32 GB
3G
U8800:
480x800
Multitouch
800 Mhz CPU Snapdragon
512 MB RAM / 2048 MB ROM
Micro SD, 32 GB
AT&T has a 3g version
I'm betting these two are compatible, and the files I found contain some boot information.
Update:
I found the recovery.fstab for the U8800, doesn't look quite right does it:
Code:
# mount point fstype device [device2]
/boot mtd boot
/cache yaffs2 cache
/data yaffs2 userdata
/misc mtd misc
/recovery mtd recovery
/sdcard vfat /dev/block/mmcblk0p1 /dev/block/mmcblk0
/system yaffs2 system
I'm not sure how exactly to make this resemble the above partition table...
Update:
More information:
U-boot seems to support this board? Maybe this is good?
http://lists.denx.de/pipermail/u-boot/2012-February/118168.html
Also if anyone else wants to take a stab at this, by all means. I'm having trouble getting the tools set up, but if someone with a little more experince wants to that would be great.
Click to expand...
Click to collapse
Hello, I haven't looked into this thread for a while. I see that you have some info for these blocks. that I couldn't get. I tried using root explorer, to look into some files, and they couldn't load, and tried to use too much memory, just to attempt to open, which, my phone said it was low on memory. Hate gingerbread, and kwansi choi( maker of this rom), This phone could easily handle a later os.
The usb ID's, are "Device 007: ID 1bbb:9018" .

USB ID's
The usb ID's are 1bbb/9018 . I built a clockworkmod File, and the status is ok, but it still won't flash, because of the bootloader.

reggjoo said:
The usb ID's are 1bbb/9018 . I built a clockworkmod File, and the status is ok, but it still won't flash, because of the bootloader.
Click to expand...
Click to collapse
I noticed that:
mmcblk0p15
mmcblk0p12
mmcblk0p8
all have the same number of blocks.
The FOTA code shows
applypatch EMMC:/dev/block/mmcblk0p8:4055040:9411e1fd06dfb3d8da4d1924162caf9e292ea652 EMMC:/dev/block/mmcblk0p15 20270fc8f6c8fca7dae0af5ce0928b589bd6b405 4296704 9411e1fd06dfb3d8da4d1924162caf9e292ea652:/system/recovery-from-boot.p
Click to expand...
Click to collapse
applypatch useage is as follows:
applypatch [-b <bonus-file>] <src-file> <tgt-file> <tgt-sha1> <tgt-size> [<src-sha1>:<patch> ...]
or applypatch -c <file> [<sha1> ...]
or applypatch -s <bytes>
or applypatch -l
Click to expand...
Click to collapse
Apply patch from blk8 to blk15.
So maybe I was mistaken with what I thought was the partition. Blk8 seems to be where fota grabs it's updated partition from?
This shows that blk15 may actually be the recovery partition. Still useless unless the bootloader can be worked on.

Battery terminals
As we know, if the battery is out, the phone will do nothing( unlike my old huawei, it didn't matter). I wondered if that was the reason why, it's so hard to unlock it. I think the bootloader has been set up to not respond to attempts. The bootloader condition treats the phone as if there's no power to it(?) . I found out that the middle terminals, of the battery contacts, will power the phone, if they're connected, but only for a few seconds.
Maybe there's some code that's unknown, or procedure. The phone doesn't respond to fastboot commands, and I can't enable it(function), on it. In the default.prop file, I see that ro.secure, is 1. Whenever I try to change it to 0( in rewritable mode), it never takes. So this is a little info.

reggjoo said:
The bootloader condition treats the phone as if there's no power to it(?)
Click to expand...
Click to collapse
You know, it's interesting that you mention that. I remember watching a Ben Heck episode, and on an Xbox 360 controller keypad, he had to open it up and connect power to the PIC chip manually. It almost makes me wonder if there's possibly a jumper of some sort on the motherboard somewhere that when connected allows writing? It would be an extremely long shot, I'm even pretty sure that it's the exact board in the Huawei but it's weird that fastboot can't be entered. I've heard that their drivers might be messed up (maybe even on purpose) that could keep you from using fastboot.

aldude999 said:
You know, it's interesting that you mention that. I remember watching a Ben Heck episode, and on an Xbox 360 controller keypad, he had to open it up and connect power to the PIC chip manually. It almost makes me wonder if there's possibly a jumper of some sort on the motherboard somewhere that when connected allows writing? It would be an extremely long shot, I'm even pretty sure that it's the exact board in the Huawei but it's weird that fastboot can't be entered. I've heard that their drivers might be messed up (maybe even on purpose) that could keep you from using fastboot.
Click to expand...
Click to collapse
Yes, I think alcatel's a little shady. I use a dual boot pc, and I found out, using the lsusb command, that the usb id's were different, than what the id's were for the supposedly official usb drivers. Sent them a msg, and they said I was wrong( can't be wrong if everything works!). They take no responsibility for their hardware, and I let people know, every chance I get, whenever I see a review of a phone from them. I found out the id's were wrong, when, before I even rooted it, I installed their onetouchmanager, and it couldn't find my phone( what! out the box!). That's not the way you do things.

Bringing 960C Back To Life!!!
Did anyone ever find a ROM that's compatible with the 960C? I recently found one floating around a storage unit and, naturally, I immediately rooted it only to find out that no one ever bothered developing a custom ROM.
I'm sure if an official ROM was never created specifically for the 960C, it's definitely not gonna happen at this point. I'm thinking that the only hope for the 960C is if it was similar enough to a more popular phone that HAS a custom ROM, maybe someone, somewhere, was successful in modding it just enough to make it compatible with the 960C...
During my research/investigation into a ROM, there was at least one (*HERE*) forum post mentioning someone attempting to mod an existing ROM (for a more popular phone) to make it compatible but it seems that everyone lost interest back in 2013...

thealexday said:
Did anyone ever find a ROM that's compatible with the 960C? I recently found one floating around a storage unit and, naturally, I immediately rooted it only to find out that no one ever bothered developing a custom ROM.
I'm sure if an official ROM was never created specifically for the 960C, it's definitely not gonna happen at this point. I'm thinking that the only hope for the 960C is if it was similar enough to a more popular phone that HAS a custom ROM, maybe someone, somewhere, was successful in modding it just enough to make it compatible with the 960C...
During my research/investigation into a ROM, there was at least one (*HERE*) forum post mentioning someone attempting to mod an existing ROM (for a more popular phone) to make it compatible but it seems that everyone lost interest back in 2013...
Click to expand...
Click to collapse
I still am using my 960c. I wouldn't mind finding the original stock rom or finding out how to upgrade to a newer android version. Currently running version 2.3.6
Too bad I don't know much about modding save for rooting and flashing. I gather there are still some of us here who really like our 960c phones otherwise.

Teclast X70 3G SoFIA Atom x3-C3130 Quad Core 7 Inch Android 4.4 Tablet PC IPS Screen

The Teclast X70 3G SoFIA Atom x3-C3130 Quad Core 7 Inch Android 4.4 Tablet is a very cheap tablet with some pretty good specifications, lets have a look on these here:
- Android 4.4 OS
- 7 inch 1024x600 IPS capacitive touch screen
- SoFIA Atom x3-C3130 Quad Core Max 1.8GHz
- 512MB LPDDR2 RAM and 4GB EMMC
- Support Bluetooth/WIFI/GPS/OTG/3G Phone Call function
- Front 0.3MP + Rear 2.0MP camera
- 187*113*8.9mm and 270g
What I especially like about it is the very cool slim design. Typical for other cheap tablets is that they are normally bulky and cheaplooking. But not the Teclast X70, it still looks really nice.
It should come with preinstalled Youtube/Facebook/Twitter/MSN/Android market/Skype/Calculator/Google Mail/Google maps/iReader/Quick Office. And support audio types like MP3/WMA/FLAC/OGG/AAC/WAV/APE.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Great device, How about battery life?

Battery life sucks, at least on mine, the 2nd available Intel Atom x3 AKA SoFIA on the market but what more can you ask for; an approx USD 79 Android device from Intel...
Been hunting & trying to root this sucker, nothing seems to work ATM & i found the Flash Tool/ USB driver/ Firmware for X70 here mirrored here just in case it disappear... Updates : Found quite a few more here...
More info...
Hacking
After some hex editing, X70 recovery.fls can be unpack, at least there are some leads as adb command only list out its path but not its partition name, this means custom recoveries such as PhilZ Touch or TWRP is possible... Updates : The included FlsTool won't repack it back to the correct fls format...
Intel SoFIA uses 2ndbootloader
Code:
[COLOR="blue"]mkbootimg[/COLOR]
usage: mkbootimg
--kernel <filename>
--ramdisk <filename>
[ [COLOR="Blue"]--second <2ndbootloader-filename>[/COLOR] ]
[ --cmdline <kernel-commandline> ]
[ --board <boardname> ]
[ --base <address> ]
[ --pagesize <pagesize> ]
-o|--output <filename>
Use osm0sis's AIK or Carliv's CIK to unpack/ repack... :good:
adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name
Code:
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID001 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID022 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID068 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID069 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID070 -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID071 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID074 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID076 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID115 -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID118 -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID119 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID120 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID121 -> /dev/block/mmcblk0p13
recovery.fstab
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 defaults defaults
/dev/block/mmcblk1p1 /sdcard vfat defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID074 /misc emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID071 /boot emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 /recovery emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID120 /recoverym emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID001 /mobilevisor emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID013 /splash_screen emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID115 /mvconfig emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID118 /secvm emmc defaults defaults
fstab.sofia3g
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 ro wait
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 nosuid,journal_async_commit,nodev,nodiratime,noatime,noauto_da_alloc,discard,data=ordered wait,encryptable=footer
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 nosuid,nodev wait
/devices/soc0/e0000000.noc/ef010000.l2_noc/e1000000.ahb_per/e1400000.sd/mmc_host/mmc1 auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
/devices/soc0/e0000000.noc/ef010000.l2_noc/e2000000.ahb_per/e2100000.usb/usb1 auto auto defaults voldmanaged=usbdisk:auto
#/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 nosuid,nodev,data=journal wait,check
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it boots up the stock 3e recovery.
To reboot to fastboot
There is no button combination to boot to fastboot however with the adb command -> adb reboot fastboot, you can boot to fastboot with correct adb driver installed at all the 3 modes...
At fully booted up Android OS
Even while the device at off-state ! (Charger init)
And the unknown Safe mode
There is no Intel Droidboot only distorted yellow screen but fastboot command works.
fastboot
fastboot getvar all
Code:
(bootloader) version-baseband: 23569
(bootloader) version-bootloader: 1525.100_M1S1
(bootloader) product: SF_3G
(bootloader) secure: NO
(bootloader) [COLOR="Blue"]unlocked: [B]NO[/B][/COLOR]
(bootloader) off-mode-charge: 1
(bootloader) ========== parition type ==========
(bootloader) system parition type: ext4
(bootloader) userdata parition type: ext4
(bootloader) cache parition type: ext4
(bootloader) radio parition type: raw
(bootloader) dsp parition type: raw
(bootloader) hypervisor parition type: raw
(bootloader) boot parition type: raw
(bootloader) recovery parition type: raw
(bootloader) splash parition type: raw
(bootloader) mvconfig parition type: raw
(bootloader) secvm parition type: raw
(bootloader) prg parition type: raw
(bootloader) psi parition type: raw
(bootloader) slb parition type: raw
(bootloader) nvm parition type: raw
(bootloader) ucode_patch parition type: raw
(bootloader) ===================================
(bootloader) ========== parition size ==========
(bootloader) system parition size: 0x40000000
(bootloader) userdata parition size: 0x4b960000
(bootloader) cache parition size: 0x40000000
(bootloader) radio parition size: 0x0
(bootloader) dsp parition size: 0x0
(bootloader) hypervisor parition size: 0x100000
(bootloader) boot parition size: 0x1080000
(bootloader) recovery parition size: 0x1180000
(bootloader) splash parition size: 0xa80000
(bootloader) mvconfig parition size: 0x80000
(bootloader) secvm parition size: 0x400800
(bootloader) prg parition size: 0x800
(bootloader) psi parition size: 0x20000
(bootloader) slb parition size: 0x100800
(bootloader) nvm parition size: 0x180000
(bootloader) ucode_patch parition size: 0x3800
(bootloader) ===================================
(bootloader) max-download-size: 0x38fff00
all:
finished. total time: 0.215s
fastboot oem unlock
Code:
...
(bootloader) Unlocking the bootloader means the following:
(bootloader) All user data will be deleted
(bootloader) Any securely stored data will be inaccessible
(bootloader) Warranty will be void
(bootloader) After unlocking you have to execute
(bootloader) > fastboot format userdata
(bootloader) > fastboot format cache
(bootloader) or carry out a factory reset from recovery
(bootloader) To confirm the unlock, please execute the command
(bootloader) > fastboot oem unlock confirm
OKAY [ 0.050s]
finished. total time: 0.050s
i don't intend to unlock mine yet as it will be getting LP update soon or i won't be able to update it, i donno... Initial look at the Flash Tool, tutorial, it seems SoFIA devices should be unbrickable & should be upgradable too, in spite of unlocked bootloader & rooting however i wouldn't want to risk it...
Updates : fastboot flash recovery twrp-recovery.img doesn't work... Flashing the Firmware doesn't overwrite the bootloader, it will remain unlock if you have unlocked it, fastboot oem lock doesn't work...
Unknown PTEST mode
To boot to PTEST mode => With the device at power off state, USB cable unplug, press & hold both Volume Up + Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding both volume button until you see boot logo then let go & it boots up to a screen that says...
Code:
Press volume up or down key to exit PTEST Mode
Now plug-in USB cable to PC
Unknown device at Device Manager
For adb, you can use google adb driver
One of the CDC is Intel USB, use the one included in the Flash USB Driver folder
i've tried alot of CDC driver, non-worked, except for MediaTek CDC driver that i have, seems compatible, attach below CDC.zip...
All the drivers needed for Flash Tool to work are installed
As the device i own is not X70, i only tried the upload, seems to be working except for a compatible ebl.fls is needed for a successful upload...
Final Note
Use this guide at your own risk !
Unknown Safe mode
With the device at power off state, USB cable unplug, press & hold Volume Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Down until it boots up
View attachment 3417538
Safe mode at the bottom left corner
Manage to unpack X70 system.img too...
Updates
Hmm, Chuwi Vi7 seems to be the exact clone, wonder if the firmware can be used on X70 or mine... Not compatible... Even X70 system.img won't boot on mine...
Further digging, its a single SIM device C3230 with better spec...
Cross-comparison
Found a few more X3...
Vido M7S
Onda V719 3Gs
Digma Plane 7.7
4good T700i
mediacom smartpad iPro 3G
iBall Slide Brillante
BLUEING S706
Updates - 08-Aug-2015
Found out my device is in fact actually an oem of X70 & damn Intel for making such cheap device while you can't even use fastboot to install custom recoveries to root it...
Updates : Hmm, it seems to be an oem of an oem, found it on default.prop...
There seems to be some headers needed to boot up the recovery, found out the included FlashTool has a back-end DOS program that can unpack & extract image parts from the FLS file.
Code:
[COLOR="Blue"]FlsTool -x recovery.fls[/COLOR]
FlsTool v.1.20
[Loading] recovery.fls (Fls2)
[Extract] 13905 recovery/meta.json
[Extract] 844 recovery/recovery.fls_inj_PSI_ver.txt
[Extract] 914 recovery/recovery.fls_inj_EBL_ver.txt
[Extract] 64320 recovery/recovery.fls_inj_PSI.bin
[Extract] 144084 recovery/recovery.fls_inj_EBL.bin
[Extract] 2048 recovery/recovery.fls_ID0_CUST_SecureBlock.bin
[Extract] 617168 recovery/recovery.fls_ID0_CUST_LoadMap0.bin
[Extract] 32430 recovery/recovery.fls_ID0_CUST_LoadMap1.bin
[Extract] 7786496 recovery/[COLOR="Blue"]recovery.fls_ID0_CUST_LoadMap2.bin[/COLOR]
recovery.fls_ID0_CUST_LoadMap2.bin is the stock 3e recovery.img
Need to figure out the correct way to repack the stock 3e recovery.fls & when it boots then will try it out on the ported TWRP, hopefully it boots too...
In the mean time, i have also contacted Intel, hopefully they'll respond or we'll have to figured ourselves how to repack custom recoveries so that it'll boot on our device to root it or wait for exploit root software to work on our SoFIA x3 device... Updates : They never respond...
Anyone wants to explore then here is the Guide, FlashTool & Firmware for my device... Not compatible for X70
Updates - 10-Aug-2015
Feedback from our Russian counterpart seems true that X70 recovery partition size is only 8MB only, no custom recoveries would fit except old version !
Code:
FlsTool v.1.20
This tool can do several different operations of FLS files.
Use the 'Action' option to select to required operation.
Actions:
-p [ --pack ] Packing multiple FLS files into one
-i [ --inject ] Inject NVM, Certificates or Security into FLS file
-x [ --extract ] Extract all image parts from the FLS file(s)
--extract-fls Extract embedded files from the FLS file(s)
--extract-prg Extract PRG file
-b [ --to-bin ] Convert a single Hex file to binary file
--hex-to-fls Create an Fls from a Prg file
--sign Formerly known as FlsSign
--to-fls2 [ arg ] Force output file format to Fls2
--to-fls3 [ arg ] Force output file format to Fls3
-d [ --dump ] Dump the meta data of an FLS file.
--sec-pack Dump all SecPack data of an FLS file.
HexToFls options:
--prg arg Choose a PRG file to create the Fls from
--psi arg Add a PSI to the Fls file (replaces if '-r' option)
--ebl arg Add an EBL to the Fls file (replaces if '-r' option)
--meta arg Inject any meta file to the Fls file (Equal to --version or -v in HexToFls)
--xml arg Add an XML file to the Fls file (replaces if '-r' option)
--zip arg Add a ZIP file to the Fls file (replaces if '-r' option)
--script arg Add a Script file to the Fls file (replaces if '-r' option)
--tag arg Specifies the memory region tag to insert the input file (replaces if '-r' option)
Inject options:
-n [ --nvm-path ] arg Path to the NVM input files
Generic Options:
-o [ --output ] arg Output path
-r [ --replace ] [ arg ] Defaults to replace when trying to add a section which is already existing
-v [ --verbose ] [ arg ] Set verbosity
--prompt [ arg ] Prompt before quitting
--version Show the version of this tool
-h [ --help ] Show command line help
Please specify an input file
Code:
FlsTool -d recovery.fls > partlist.txt
Code:
{
"addr": "0x1CC00000",
"length": "[COLOR="Blue"]0x00800000[/COLOR]",
"class": "Cust",
"tag": "RECOVERY:3#77",
"options": [ ],
},
recovery partition size of 0x00800000 in decimal is 8388608 = 8MB only...
X70 Flash Tool Driver Installation & firmware download
Typically, installing the Intel USB driver that comes with the firmware will work ( right-click it & Run as Administrator ) & if it doesn't then follow below guide.
With the device at power off state, USB cable unplug, open Device Manager, plugin the USB cable & an unknown device will appear, quickly double-click it & manually install the FlashUSB.inf included in the FlashUSB_Driver folder.
To download the firmware successfully, follow the guide that comes with it.
Again : Use at your own risk
Great product interview/ review by armdevices.net
Updates
Hmm, even Asus Zenpad 7.0 uses the x3 too AKA SoFIA but with better spec, the Z170 series & Z370 series
Updates - 17-08-2015 Finally, got ROOT access
Use FlsTool to download the x70-unsecured-boot.fls then most of the existing exploit rooting software will work, i think...
Updates
WARNING : For heaven sack's, noobs & newbies, pls READ EVERYTHING FIRST before hands on ! On & off, i got just too many pm regarding brick devices... There is only one post so pls read it, unlock your bootloader first before flashing the unsecured boot fls...
If you're using JOI then use JOI-unsecured-boot.fls...
Updates
Feedback seems some are not able to root with existing exploit rooting software, fyi, i manually root mine using adb commands then unroot & only tried iroot/ vroot & it works so i presume Kingo, Baidu & others will work too... Try giving the exploit software a helping hand first before using it...
Code:
adb root
adb remount
Updates - 23-08-2015 Since many still couldn't root it...
i'll share my manual rooting script here...
On Linux
Code:
adb root
sh root.bat
[COLOR="blue"]OR[/COLOR]
chmod 777 root.bat
./root.bat
On Windows
Code:
adb root
root.bat
[COLOR="blue"]OR[/COLOR]
Double-click root.bat
If you don't have a working adb then use the one from here... :good:
What to do once you got ROOT :good:
Install Xposed Installer => XDA :good:
Install GravityBox [KK] => XDA => youtube overviews & tutorials :good:
[GUIDE] Extreme Battery Life Thread ( Greenify+Amplify+Power Nap ) :good:
More info here, enjoy your New Custom ROM with Extreme Battery Life :laugh:
Must have Modules
More Modules
All Modules
Updates - 07-09-2015
Got just too many miss call, i can hardly hear it so i purchase this inexpensive mini bluetooth speaker strap to my sling bag & problem solved... :laugh:
Updates - 09-09-2015 => 4pda users IMEI problem
i've already told you guys here that i'm not able to login b'cos of that site super unreasonable Russian captcha but still nobody post reply here...
i wouldn't even bother to reply when i saw his thread here while the previous user ask exactly the same problem & he don't even bother to reply with the solution that he had...
Funny though, i don't have such IMEI problem after so many flashing on my X70 clone...
Possible other Solutions
Xposed IMEI Changer
Repair imei number in android => On x3, to check IMEI No. is *#06#
Others possible solutions
Updates
Thanks to Invisibot for sharing his findings & solutions for IMEI... :good: Mirrored here the software & the manual just in case it disappear
Updated JOI 7 lite unsecured boot.fls - 13-09-2015
i can't believe oem actually disabled the swap partition until i unpack Chuwi vi7 & discovered how it is enabled...
Huge apks now start up almost immediately though it takes quiet awhile for the OS to stabilize after every reboot but i guess its worth it as apps are more responsive after that...
Updated X70 unsecured boot.fls with swap enabled - 15-09-2015
Added X70 C6F9 unsecured boot.fls with swap enabled - 24-09-2015
X70 C5F9 => 512MB RAM
X70 C6F9 => 1GB RAM
Updates - 2016
Refer to here for TWRP & flash SuperSU to ROOT...

I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.

MacArthur67 said:
I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.
Click to expand...
Click to collapse
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.

s7yler said:
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.
Click to expand...
Click to collapse
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!

MacArthur67 said:
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!
Click to expand...
Click to collapse
"If people can read your echo here they can also read the original news where you found it"
No not always, I get info directly from the manufactures sometimes. And sometimes I write texts myself. That you can't read somewhere else. Of course it is not always so, depends on the info/news and devices. I love phones and tablets, and that's why I like to be a news poster. If I don't post, someone else would do.
You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less
No, I follow every single thread I make (else I would probably also not answer in this old thread here now) and if people have real interest in the device I also answer or follow up with news. If people ask something already answered I don't reply, that's right. Else I could spend the whole day answering questions from people. And I would say on 80% of the threads I make, I also always follow up with a full video review of the device.
Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review.
Doesn't work that way, as the manufactures already post info before the device is released. And many want info as soon it is possible, not 1 month after when the device already is old again.
a great advantage if the OP of a tread has a real interest in the device
Well, it is not really up to you to judge if I have real interest in a device or not. If I am going to test it I will have real interest in it. But some devices are more interesting than others, also after they have been received.
I don't see anything bad in creating threads that can gather people around a device. In these people can help, discuss & develop the device. I see that in my Elephone P8000 thread, my Jiayu S3 thread and UMI ZERO thread, for some devices like for example the UMI IRON it doesn't happen but that's not really my fault. I personally still love the phone.
And PS. I'm from Denmark, so you should really try to be a little more nice to one from your neighbouring country.

Teclast 3G x70
Hello freinds
Please could someone help me, because i am very stuck with the problem and no one over the internet doesnt know how to help me.
My tablet Teclast 3G x70 suddenly become dead and I have luck to repair it by reflashing procedure, but the IMEI has been lost
Please maybe somebody know how to repair it, because I have already tried everything I know...
Thank you

You guy always said already tried everything, what actually have you tried, list out everything so its easier to trouble-shoot & to narrow things down...
First of all, did you guys even read the included guide/ tutorial, i flash so many times on my X70 clone, never even once loose the IMEI, try rebooting to stock 3e recovery & do a Factory Reset or using fastboot to do that, that should reset everything back to normal ...
Code:
adb reboot fastboot
fastboot format userdata
fastboot format cache
Refer to here for more IMEI repair info....

to : yuweng TECLAST X70 3G
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you

Your username ends with il then only i try 012.net.il then only realize it... :laugh: All Android OS comes from Google so this means all Android devices are more or less the same, i guess its just a corrupted partition or file missing that causes this IMEI issues, same as many Android devices are experiencing...
Ok, try below command, give me a download link to it & i'll make a comparison to see which file is missing...
Code:
adb shell su -c "ls -R" > myx70.txt
After that, try to follow exactly as the FlashTool_E2 guide to download the firmware all over again, one of the pdf stated single-threaded download mode, multi-threaded download mode, try & see if that makes a different.... :fingers-crossed: Russian translated version here...
Updates
Hmm, that pdf stated 15 firmware files, that means modem.fls, mvconfig.fls & thread.fls is missing, wonder if that causes the IMEI to disappear...
[email protected] said:
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you
Click to expand...
Click to collapse

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
Please check it, Thank you

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
https://www.mediafire.com/?0iskyl3hazaketo
Please check it, Thank you
By the way it is some softwareprogram I have been informed in that can do everything including restoring IMEI
But I cant use it bacause it is in CHINESE
it called Rabbit Root and it is web page is: http://www.7to.cn/#

When i ask you to do a Factory Reset using the stock 3e recovery & you said you did it but your myx70.txt says otherwise... Few files missing, seems like it is not initialize properly...
Code:
./data/media/0:
91 WireLess
Alarms
Android
AppGame
DCIM
Download
GOLauncherEX
GoStore
MIUI
Mihome
Movies
Music
Notifications
Pada
Pictures
Podcasts
Ringtones
XPOSED IMEI Changer_1.3_apk-dl.com.apk
baidu
com.91.channel.repository
dianxin
libs
mgyun
nd
system
system.info
tencent
tmp
xutils
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it'll boots up the stock 3e recovery.
Click to expand...
Click to collapse
Press the power button once & you'll see the stock 3e recovery menu
Use the volume down key to go to wipe data/ factory reset & press power button
Use the volume down key to go to Yes -- delete all user data & press power button
Do the same for cache partition
reboot system now
* Manually format the internal sdcard as well if Factory Reset doesn't remove it
That software you pointed out, the IMEI repair is for MTK devices only.
Updates
Check with dAverk how he did it, every detail like where he got the firmware from, the step by step that he took on flashing the firmware, this will narrow things down as why IMEI is lost on you guy's x70 & not him... i believe if you guys follow his steps exactly, you should be able to get the IMEI working again... :fingers-crossed:
Firmware flashing bricks the device, Factory Reset corrupts the IMEI was a thing in the past ( Jellybean/ ICS/ GB issues ), it shouldn't happened on KitKat/ Lollipop devices, i believe...

OK I have reflashed this tablet with all FIRMWARES i have found on this forums
I cant get to Boot Menu ( Power ON+Volume UP) - tablet continue to load and nothing happens
And the ADB command doesnt help
adb reboot fastboot
fastboot format userdata
fastboot format cache
The tablet reboots and I get GREEN screen
https://www.mediafire.com/?0pkb7pk89d8c33s

What have you done to yourself, that green screen is the fastboot screen, you'll need adb driver & fastboot.exe for it to work...
i already mentioned, be specific, all FIRMWARES, which one ? JOI, X70 from geekbuying or chinagadgetsreviews & etc, may be they are all different, i donno, i didn't download all to check if they are identical, may be thats the cause of your green screen problem & IMEI problem ?
This is a General not Development thread, i don't intend to start a new one, i shouldn't even be sharing these infos here...
Warnings : Use this guide at your own risk ! For Developers ONLY
These infos are the results of spending many hours with FlsTool( linux version ) & flstool.exe
Code:
./FlsTool -x recovery.fls
./FlsTool --extract-prg recovery.fls
./FlsTool -x system.fls
./FlsTool --extract-prg system.fls
./FlsTool -x mvconfig_smp.fls
./FlsTool --extract-prg mvconfig_smp.fls
./FlsTool -x mobilevisor.fls
./FlsTool --extract-prg mobilevisor.fls
After unpack, these individual fls files contains PRG, EBL, PSI, meta files & the actual Android img file or binary files. Each of these extracted files, PRG, EBL, PSI, meta files are identical.
When you use dd command to backup these partition, it is not an Android image file nor a fls file & a dd restore with either the dd backed up or the fls file won't boot or work correctly
Eg.
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 of=storage/sdcard1/recovery.img"
adb shell su -c "dd if=storage/sdcard1/recovery.img of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
adb shell su -c "dd if=storage/sdcard1/recovery.[COLOR="Blue"]fls[/COLOR] of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
fastboot flash recovery recovery.img
fastboot flash recovery recovery.[COLOR="blue"]fls[/COLOR]
[COLOR="blue"]OR[/COLOR]
fastboot flash system system.img
fastboot flash system system.[COLOR="blue"]fls[/COLOR]
When Hex edit/ compare those files, they are totally different. Eg. dd backed up recovery.img with recovery.fls is not the same.
The recovery.fls when unpack has three different regions, i think the existing FlsTool version 1.20 has bugs, it doesn't repack it back to the correct format.
recovery.fls_ID0_CUST_LoadMap0.bin is identical to mobilevisor.fls_ID0_CODE_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap1.bin is identical to mvconfig_smp.fls_ID0_CUST_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap2.bin is the actual Android recovery.img that can be unpack with AIK or CIK as already explained on this post here
Even if it works, custom recoveries such as PhilZ Touch or TWRP which is also using the dd command for backups, will not be able restore it correctly as it is not a fls file or an Android image file.
As for the boot.fls, what i did was change the default.prop & repack it back.
Code:
ro.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
ro.allow.mock.location=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.debuggable=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.adb.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
Unpack boot.fls
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
After unpack/ repack with AIK, copy image-new.img to the same folder.
Repack boot.fls
Code:
./FlsTool --psi boot/boot.fls_inj_PSI.bin --prg boot_0.fls --ebl boot/boot.fls_inj_EBL.bin image-new.img --tag BOOT_IMG -o new-boot.fls
After this, any exploit rooting software should work.
Found two new link for X70 (C6F9) -Android4.4.4-V1.05-5726 may be this one will solved the IMEI issues, i donno...
Source 1
Source 2
Conclusion : You can't do much on Intel x3 but to bug your device manufacturer to release the firmware then only rooting is possible otherwise forget it, its file system is not regular Android image, use the device as it is or you'll brick it in doing so...
4Good T700i 3G users
Since you guys confirmed X70 firmware can be downloaded successfully & the camera doesn't work after that, meaning the firmware is almost compatible except for the camera driver.
Since 4Good doesn't release the firmware, the correct way is to create an ebl.fls file, upload the boot.bin then port an unsecured-boot.fls & root it...
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
./FlsTool --hex-to-fls boot/boot.fls_inj_EBL.bin --prg boot_0.fls --psi boot/boot.fls_inj_PSI.bin --tag BOOT_IMG -o ebl.fls
View attachment 3475319
View attachment 3475321
Hex edit boot.bin & extract the boot.img( look for the header ANDROID! ), with above mentioned technique to make an unsecured boot.fls, unlock the bootloader, download this unsecured boot.fls then root it & the firmware stays as stock with both camera working.
View attachment 3475504
Or upload the boot.bin & i'll port an unsecured-boot.fls for you guys...
View attachment C5F9-ebl.fls.zip
View attachment C6F9-ebl.fls.zip
Or after rooting, copy all 4Good camera *.so files, flash x70 system.fls ONLY then manually use any ROOT Explorer to copy back these 4Good camera *.so files over & both cameras should work on 4Good after a reboot...
Theoretically, you can also dd the system.img, mount it, make changes then repack it back to fls file but then again, these files will be huge & i don't even know whether it works, never try that...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 of=storage/sdcard1/system.img"
adb pull storage/sdcard1/system.img
mkdir sys
sudo mount -t ext4 -o loop system.img sys/
Do whatever you want with the files & folders at [COLOR="Blue"]sys/[/COLOR]
sudo ./make_ext4fs -s -l 1024M -a system new.img sys/
sudo umount sys
./FlsTool --prg system_0.fls --ebl system/system.fls_inj_EBL.bin --psi system/system.fls_inj_PSI.bin new.img --tag SYSTEM -o new-system.fls
Download it with FlashTool_E2
Updates - Nov 2015
Thanks to benderit for sharing his detailed findings & how-tos for backing up/ creating a restored boot.img/ system.img via fastboot for x3 devices without FlashTool_E2 ROM... :good:
Updates - Jan 2016
Refer to here on how to create system.img on Win OS & using fastboot to flash it... :good:
Updates
The adb command adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name correspond to recovery.fstab as shared on this post here EXCEPT for ImcPartID022 & ImcPartID121.
Hex editing the partition ImcPartID121 show that it is empty while ImcPartID022 shows there are some data inside it, i cannot tell whether its the bootloader or the IMEI info.
Those that lost their IMEI can use below command to backup & check whether there is data in it or its empty( all zero ). If its empty means the IMEI info might be at this partition...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID022 of=storage/sdcard1/ImcPartID022.img"
adb pull storage/sdcard1/ImcPartID022.img

To yuweng
Everything seems to be OK. And now after a week of try I finally understand that it was not worth trying. Because it finally become clear that it is nothing to do with IMEI. Very good yuweng.
It is seems that actually no one know how to resolve it.
And what is about trying different firmwares?
I just don't understand how would it help.
And about that all android systems are similar it also mistake.
If you want to restore IMEI on Nexus 4 you need special equipment.

The reason for your case i guess is everyone is new on your side, as the saying too many cooks spoil the broth...
Fyi, my previous device, the MTK, bcos of one Russian DEV shared his findings, thousands of users save hundreds of dollars each.... :good:
Bcos of one DEV shared his unpack/ repack script, i discovered that MTKs ROM can ported over to hundreds if not thousands of similar devices...
And Yes, i've also seen many that says they will never use PhilZ Touch or TWRP ever again bcos it corrupts their device, the reason for this is bcos no DEV is working on that device & end users just blindly installing it & complaining after that... The same at 4pda, few that swear to throw away their X70 too... :laugh: We need more DEVs to look into it then it will become a better Android device...
OT : And Yes, you can actually port 4Good firmware to work on X70 & vice-versa, when DEVs starts to work on it, if there is one, bcos it is an exact clone while mine is different, i donno, may be the newer X70 (C6F9) is compatible, i didn't try it...
Port means identify & taking parts of the firmware from other similar device & make it work on yours while flashing the whole firmware will normally leads to a brick device...

at now we tried flash 7 block of mmc (because we found many diffs in this block) from working device on dead[imei] - but nothing happens. Try work with whole mmc.

it seems that InvisiBot have already made the discovery... :good:
Haven't took a deep look at InvisiBot's findings yet, but found out my device is indeed an exact clone of x70 (C6F9), first flash the recovery.fls, got a landscape 3e stock recovery instead of the original portrait, then proceed to flash the system.fls, everything works except for bluetooth & wifi, last flash the boot.fls & now i got x70 (C6F9) ROM fully working on my device... :laugh:
i guess intel/ Teclast must have made some improvement to libhoudini, overall, it performs better than the original stock ROM with Xposed installed & with zram enabled ...
Updates
Guys, as i've always mentioned it on my other threads, users always feedback it doesn't work, pls describe every little steps that you took, it will be easier to trouble-shoot, narrow things down & solve your problems....
According to InvisiBot, he began experiment by Hex editing partition ImcPartID022 & that bricks his x70 & in doing so he found out there is a hidden feature that you can still download by holding the Power button for 10 seconds then release it & FlashTool_E2 will automatically start to download on your brick device, this mean intel x3 is truly unbrickable... :good:
Thats where he discovered that you guys use the erase whole flash at FlashTool_E2 & that erases the IMEI info, luckily he manage to get his IMEI back...
View attachment 3478674
WARNING : Never use both the erase whole flash option, it will delete your IMEI info ! You guys with the IMEI problem never even once mentioned that...
Conclusion
Indeed the partition ImcPartID022 contains both the IMEI info, device serial number & adb command => adb devices serial no. which is the same as SIM 1, good job InvisiBot... :good:
Code:
[COLOR="blue"]Setttings[/COLOR] => [COLOR="blue"]About tablet [/COLOR]=> [COLOR="blue"]Status [/COLOR]=> [COLOR="blue"]SIM 1[/COLOR]/ [COLOR="blue"]SIM 2[/COLOR]
On my x70 clone or shall i say an actual x70 (C6F9) rebrand, the offset is at different location.
Device serial no => 0x1AAC8
SIM 1 => 0x24360
SIM 2 => 0x2436C
adb command => adb devices serial no => 0x2549C
So do make a backup of partition ImcPartID022, this is the only partition that FlashTool_E2 cannot restore if you brick it.
Attention to InvisiBot
Since you said you're making a How-to Guide i'm not going to spoil the soup... :laugh: Don't forget to make one in English Language for sharing with XDA member here too... :good:
Attach below is my empty IMEI for your R&D, i think it should be the same as X70 C6F9...
View attachment EMPTY-C6F9-IMEI.zip
Search for the reference text as below
#IMEI01#
#IMEI02#
#ADB-SN#
##INTEL-X3-S/N## <= This is the 16 digit alphanumeric Serial number display at Settings => SIM1/ SIM2
Updates - Restore invalid IMEI
For those who lost their IMEI, you can try this Thanks to Invisibot & buxbux for the link... :good:
Don't ask me how-to, i've never loose my IMEI before so i donno how to use it, you'll have to find that out yourself...

Vernee Apollo Discoveries

I wanted to create a thread so as to report any unique findings from the internet realm and my own discoveries surrounding the Vernee Apollo Phone. The aim is to bring resources together to encourage development and to release utilities and roms.
Please post your own discoveries and updates!!!
This is NOT a "Vernee Apollo Lite" nor a "Vernee Apollo X" thread even though some information maybe relevant.
Device Name and Specs
Vernee Apollo.
Device Model =K15TA_A
Official Product Website
Official Product Forum
http://www.devicespecifications.com/
Vernee Apollo - Antutu Benchmark v6.2.7.
Score 92,235.
3D: 19159
UX: 38097
CPU: 27535
RAM: 7444
Helio X25 MT6797 Family System on a Chip (SoC) Comparison
Vernee Apollo deploys a X25 MT6797T.
https://en.wikipedia.org/wiki/MediaTek#Octa-_and_deca-core
https://www.mediatek.com/products/smartphones/mt6797-helio-x20
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
ADB and FASTBOOT Modes
The Vernee Apollo's bootloader supports Fastboot. The Recovery mode supports the Android Debugging Bridge (ADB) . To access, perform the button sequence below. A menu will appear allowing you to cycle through option to either boot into the recovery partitio,n or to start the Fastboot service.
ADB service is also available also within the Android desktop if you enable USB Debugging in the revealed developers settings menu. You will most likely need to accept a signed key issued from the managing computer for the service to communicate!
Accessing Bootloader Menu
Buttons: [Top-Volume] + [Power-Button] for 8 Seconds.
When the phone is shutdown, hold both buttons at same time from for 8 seconds. The Bootloader menu will appear and then release buttons.
Using Bootloader Menu
Button: [Top-Volume] = Cycle selection.
Button: [Bottom-Volume] = Choose selected item.
With the high screen resolution it maybe hard to see the text-options. There should be three;
1. Recovery, (Boot into Recovery partition with ADB.)
2. Fastboot, (Start Fastboot server.)
3. Normal. (Proceed to boot normally.)
Using Recovery Mode and Menu
When you boot the Recovery partition you will be meet with a failed Android icon on the stock Vernee release rom. ADB will be accessible from here. Note: The Recover menu will cause the ADB server to fail. If you want to display the recovery menu options then perform the following during the failed Android icon screen.
Buttons: [Top-Volume] + [Power-Button] pulsing till the menu appears.
Fastboot
If you plan to develop on your Apollo or to install future community roms then it's advisable to unlock your storage partitions. Unlocking will allow you to change partitions but doing so will void software warranty clauses, and in the process scrub all your personal data from the phone so it's best to do it before installing personal content.
To unlock the phone issue the following command through Fastboot. You will be asked to confirm.
Code:
fastboot oem unlock
Engineering Mode
Enter the following phone number in Android desktop
Code:
Dial *#*#3646633#*#*
Phone Test Options
Alternatively there is a phone test mode available at low level with less options. Whilst the phone is shutdown, press the following.
Buttons: [Bottom-Volume] + [Power-Button] for 8 Seconds.
A test menu will appear and is in simplified Chinese.
SIMS
If your phone is not receiving data over 4G or 3G, Google on another computer "apn" "YOURMOBILEPHONEPROVIDER" "YOURNATION". Example;
Code:
"apn" "vodafone" "uk"
You should find links to technical settings for your data provider's access. Then enter them in by navigating to;
Settings>More>Mobile network settings>Access point names>CLICK-YOUR-LOCKED-ON-PROVIDER>THEN-CONFIRM-SETTINGS
USB
Device USB Coding
Code:
System Mode:
ID 0e8d:201d MediaTek Inc.
ADB Mode:
ID 0e8d:2008 MediaTek Inc.
Fastboot Mode
ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
Microsoft Windows VCOM Drivers
On Microsoft systems you will need to have drivers installed so as to communicate with the Mediatek phone.
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 7/Windows 8.1
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 10
UART Ability?
I haven't opened the phone yet but if anyone does please capture images of the circuit board. If there are UART pins on the board it may have a root shell piped to the interface. A UART (universal asynchronous receiver/transmitter) in this sense is a device that couples serial communications port to USB to run a terminal over.
Vernee Official Rom Images & "Over The Air" Updates
Official Product Downloads/Support
VerneeX25_Recovery_OriginalStock_v1p0 (Thx to Relief66)
Download (2016-12) ROM "full_k15ta_a-ota-1482441792.zip"
Download (2017-01) ROM "full_k15ta_a-ota-1484567521.zip" (Creating .img from .dat files works!)
Download (2017-07) ROM "full_k15ta_a-ota-1499861676.zip"
Download (2017-07) OTA Patch "20170712201130-OTA.rar"
Note: "20170712201130-OTA.rar" is only designed to update "full_k15ta_a-ota-1482441792.zip" image.
Flashing Partitions
There are three main ways to flash;
1. using "Smart Phone Flash Tool",
2. Fastboot flash command,
3. via internal software like a root bash shell or routine from recovery.
Partition Table
Code:
system logical drive = 2621.44MB [= 2684354560 bytes = 5242880 x 512blocks]
recovery logical drive = 16.384MB
Scatter file from OTA
----------------------------
preloader 0x0
pgpt 0x0
recovery 0x8000
para 0x1008000
custom 0x1088000
expdb 0x13c88000
frp 0x14688000
nvcfg 0x14788000
nvdata 0x14f88000
metadata 0x16f88000
protect1 0x18f88000
protect2 0x19788000
seccfg 0x1a000000
oemkeystore 0x1a800000
proinfo 0x1aa00000
md1img 0x1ad00000
md1dsp 0x1c500000
md1arm7 0x1c900000
md3img 0x1cc00000
scp1 0x1d100000
scp2 0x1d200000
nvram 0x1d300000
lk 0x1d800000
lk2 0x1d880000
boot 0x1d900000
logo 0x1e900000
tee1 0x1f100000
tee2 0x1f600000
keystore 0x1fb00000
system 0x20800000
cache 0xc0800000
userdata 0xdb000000
flashinfo 0xFFFF0080
sgpt 0xFFFF0000
recovery.fstab
------------------
# mount point fstype device [device2]
/boot emmc boot
/cache ext4 /dev/block/mmcblk0p4
/data ext4 /dev/block/mmcblk0p5
/misc emmc misc
/recovery emmc recovery
/sdcard vfat /dev/block/mmcblk0p6
/system ext4 /dev/block/mmcblk0p3
live fstab via "cat /fstab.mt6797"
------------------------------------------
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 1 "<built-in>"
# 1 "<命令行>"
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 20 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/system /system ext4 ro wait
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,resize,encryptable=/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/metadata,
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/cache /cache ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect1 /protect_f ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect2 /protect_s ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvdata /nvdata ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvcfg /nvcfg ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/custom /custom ext4 ro wait
/devices/mtk-msdc.0/11230000.msdc0* auto vfat defaults voldmanaged=sdcard0:auto
/devices/mtk-msdc.0/11240000.msdc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
/devices/soc/11270000.usb3_xhci* auto vfat defaults voldmanaged=usbotg:auto
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/frp /persistent emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvram /nvram emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/proinfo /proinfo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk /bootloader emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk2 /bootloader2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/para /misc emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot /boot emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/recovery /recovery emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/logo /logo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/expdb /expdb emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/seccfg /seccfg emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee1 /tee1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee2 /tee2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp1 /scp1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp2 /scp2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1img /md1img emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1dsp /md1dsp emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1arm7 /md1arm7 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md3img /md3img emmc defaults defaults
Raw block partition label and user/group
-----------------------------------------------------
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee1 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee2 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1img u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1dsp u:object_r:dsp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1arm7 u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md3img u:object_r:md_block_device:s0
On my rooted phone I can check the UUID of the partitions. (You may need BusyBox installed to use blkid command!).
Code:
adb shell
su
blkid
displays;
Code:
/dev/block/loop0: LABEL="iAmCdRom" TYPE="iso9660"
/dev/block/loop1: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/zram0: TYPE="swap"
/dev/block/mmcblk0p3: LABEL="custom" UUID="0f1095f4-0ece-e656-b6ac-e2ce104d5722" TYPE="ext4"
/dev/block/mmcblk0p6: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p7: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p9: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p10: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p28: LABEL="system" UUID="da594c53-9beb-f85c-85c5-cedf76546f7a" TYPE="ext4"
/dev/block/mmcblk0p29: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p30: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk1p1: UUID="0508-0E13" TYPE="vfat"
Modifying Partitions
Modify partitions often means Users hacking the commercial roms and that means extracting out the important files to work with. The most important blocks are the system-partition which holds the operating system, then the recovery-partition which pole vaults Users with low level tools and abilities, like startup phone root powers. Noting many modern phone root modes, deploy on the recovery-partition rather than modify the system-partition, so as to retain full compatibility and retention of abilities, when conducting "Over the Air" / OTA updates from the manufacturer.
There are two popular platforms to hack on. 1. on native Linux including the phone itself, and 2. on a Microsoft Windows platform with Linux style utilities.
To ready a partition, to then modify it, and to then save it for flashing has many steps. One should obtain the manufacturer's rom or OTA update, to seek out the latest images and files to utilise.
In this example of hacking an official rom, we will be using "full_k15ta_a-ota-1484567521.zip". Utility executables are readily available in repositories related to your Linux distribution, like AUR on Archlinux.
Linux - ACCESSING SYSTEM IMAGE TO MODIFY
1.) Extract the zip file to a new folder. The directory should be something like this structure.
Code:
.../tinysys-scp.bin
.../logo.bin
.../lk.bin
.../md1rom.img
.../system.patch.dat
.../type.txt
.../custom.new.dat
.../custom
.../custom/cip-build.prop
.../custom/app-res
.../custom/app-res/quicksearchbox-res
.../custom/app-res/quicksearchbox-res/quicksearchbox-res.apk
.../custom/app-res/android-res
.../custom/app-res/android-res/android-res.apk
.../custom/app-res/browser-res
.../custom/app-res/browser-res/browser-res.apk
.../custom/app-res/launcher3-res
.../custom/app-res/launcher3-res/launcher3-res.apk
.../custom/media
.../custom/media/audio
.../custom/media/audio/notifications
.../custom/media/audio/notifications/Leaf.ogg
.../custom/media/audio/notifications/Pure.ogg
.../custom/media/audio/notifications/Triumph.ogg
.../custom/media/audio/notifications/Vernee_n002.ogg
.../custom/media/audio/notifications/The_time_tunne.ogg
.../custom/media/audio/notifications/Jump.ogg
.../custom/media/audio/notifications/Whisper.ogg
.../custom/media/audio/notifications/Vernee_n001.ogg
.../custom/media/audio/notifications/Cuckoo.ogg
.../custom/media/audio/notifications/Cleverer.ogg
.../custom/media/audio/notifications/Meteor.ogg
.../custom/media/audio/notifications/Bongo.ogg
.../custom/media/audio/notifications/Ripples.ogg
.../custom/media/audio/notifications/Whistle.ogg
.../custom/media/audio/notifications/Gift.ogg
.../custom/media/audio/alarms
.../custom/media/audio/alarms/ClassicAlarm.ogg
.../custom/media/audio/alarms/Waltz.ogg
.../custom/media/audio/alarms/Vernee_a001.ogg
.../custom/media/audio/alarms/GoodLuck.ogg
.../custom/media/audio/alarms/Foredawn.ogg
.../custom/media/audio/alarms/Vernee_a002.ogg
.../custom/media/audio/alarms/MorningSunShine.ogg
.../custom/media/audio/alarms/Walking_in_the_rain.ogg
.../custom/media/audio/ringtones
.../custom/media/audio/ringtones/Call_of_love.ogg
.../custom/media/audio/ringtones/Spring.ogg
.../custom/media/audio/ringtones/New_life.ogg
.../custom/media/audio/ringtones/Menuet.ogg
.../custom/media/audio/ringtones/Vernee_r004.ogg
.../custom/media/audio/ringtones/Heartbeat.ogg
.../custom/media/audio/ringtones/Vernee_r005.ogg
.../custom/media/audio/ringtones/Technology.ogg
.../custom/media/audio/ringtones/Longing.ogg
.../custom/media/audio/ringtones/Vernee_r002.ogg
.../custom/media/audio/ringtones/Vernee_r003.ogg
.../custom/media/audio/ringtones/Westlake.ogg
.../custom/media/audio/ringtones/Vernee_r001.ogg
.../custom/media/audio/ringtones/Progress.ogg
.../custom/media/audio/ringtones/Journey.ogg
.../custom/media/audio/ringtones/GuitarPop.ogg
.../custom/media/audio/ringtones/Cloud.ogg
.../custom/media/audio/ringtones/Capriccioso.ogg
.../custom/media/audio/ringtones/IceWorldPiano.ogg
.../custom/plugin
.../custom/plugin/FwkPlugin
.../custom/plugin/FwkPlugin/FwkPlugin.mpinfo
.../custom/plugin/FwkPlugin/FwkPlugin.apk
.../custom/plugin/Signatures
.../custom/plugin/Signatures/mplugin_guard.xml
.../custom/etc
.../custom/etc/resources.xml
.../custom/bootani
.../custom/bootani/shutanimation.zip
.../custom/bootani/bootanimation.zip
.../custom/customprop
.../custom/customprop/custom.prop
.../system.new.dat
.../custom.patch.dat
.../md1arm7.img
.../md3rom.img
.../preloader_k15ta_a.bin
.../md1dsp.img
.../scatter.txt
.../custom.transfer.list
.../file_contexts
.../boot.img
.../META-INF
.../META-INF/CERT.SF
.../META-INF/MANIFEST.MF
.../META-INF/CERT.RSA
.../META-INF/com
.../META-INF/com/android
.../META-INF/com/android/metadata
.../META-INF/com/android/otacert
.../META-INF/com/google
.../META-INF/com/google/android
.../META-INF/com/google/android/update-binary
.../META-INF/com/google/android/updater-script
.../trustzone.bin
.../system.transfer.list
.../sdat2img.py
2.) the images we are looking for are either the system-partition or the recovery-partition to modify. In this case there is only the system and it's held in the file "system.new.dat", a 1.6 gigabyte file. We know from the partition tables above that the system-partition is 2.6GB wide, so this image is either compressed or short. Most partitions deployed on Android for updating are compressed in what's called a sparse format.
We need to uncompress any sparse file before we can work with it or mount it, but the issue in this case is the image is also in "dat" structure, which means we need to unsparse using structured data held in "system.transfer.list". Here we use "sdat2img" executable to create the file "system_fullsize.img";
Code:
sdat2img system.transfer.list system.new.dat system_fullsize.img
Alternatively if the file was not a dat format, we could simply unsparse using;
Code:
simg2img system.img system_fullsize.img
3.) Now that we have the full image we can mount it as a file-system to tinker with it. Example of making a mount point and mounting it;
Code:
sudo mkdir /system
sudo mount -t ext4 -o loop ./system_fullsize.img /system/
You can now modify the image simply by changing the files in the directory mounted on. After changes you can save out and attempting to flash it back to the phone for your custom system.
Linux - CAPTURING THE MOUNT BACK TO AN IMAGE FILE
1.) After we have modified the mounted system-partition we need to save it back out for flashing if you want to see your changes live on the phone.
Labelling (If desired). We can name the mount to enforce block-labels. In this case the loop device was "loop0" used to mount the image. (Check which loop-device was used when performing this. eg: lsblk) Here we are going to label it "system"..
Code:
e2label /dev/loop0 system
It maybe important to set the partition UUID the same as the manufacturer uses so the the mounting process finds the correct partition to mount at boot. We know the system partitions UUID from the above discovery details;
Code:
UUID="da594c53-9beb-f85c-85c5-cedf76546f7a"
We can set the mounted image's UUID to suit the original before creating a new;
Code:
sudo tune2fs /dev/loop0 -U da594c53-9beb-f85c-85c5-cedf76546f7a
Here we capture out the device to an "ext4" format file-system image. The length option, being 2684354560 bytes. Labelling option "-a" with name "system".
Code:
sudo make_ext4fs -s -l 2684354560 -a system system_modded.img /system/
2.) To flash your image, Android's recent "fastboot" utility will allow for unsparse and sparsed images to be flashed. I have broken down the fastboot process into each step.
CAUTION: fastboot writes over your phone's partition blocks. If you are not skilled in this area of computing them research "fastboot" before use.
Note: current I have not found out why this process is incompatible with Vernee Apollo. The images I write back are not operational even though they flash properly. My hunch is that I may need to enforce an ISO/image UUID the same as the manufacturers, but I haven't tested this yet.
Code:
fastboot -w
fastboot format system
fastboot flash system ./system_modded.img
If we want to sparse the file before flashing;
Code:
img2simg system_modded.img system_modded_sparse.img
If we want to create a sparse dat structured image;
Code:
img2sdat ./system_modded.img
Linux - ACCESSING RECOVER IMAGE TO MODIFY
An Android recovery image is really three items in one image. There is a compressed kernel (zImage) used to run a recovery system, a ramdisk (initrd.img), and configuration file. The ramdisk "initrd.img" holds the operating system files used by the recovery kernel. Note the bootimage partition/image is a similar structure to a recovery-image.
If you need a similar development community then the Xiaomi Redmi Pro is a similar phone due to its Mediatek Helio x25 but it uses a different cameras, screen and sensors. Modifying and tweaking settings in their recovery images can work on your Vernee Apollo X25.
To extract the sub held files (bootimg.cfg, zImage, initrd.img);
Code:
abootimg -x recovery.img
To unpack a ramdisk "initrd.img";
Code:
mkdir initrd
cd initrd
sudo zcat ../initrd.img | cpio -idmv
To pack files whilst in your ramdisk directory ''/initrd";
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
To pack back up components into a recovery rom;
Code:
abootimg --create recovery_new.img -f bootimg.cfg -k zImage -r initrd.img
Alternatively;
Code:
mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel ./zImage --ramdisk ./newramdisk.cpio.gz -o recovery_new.img
Software
Chainfire SuperSU Release Announcement
F-Droid. Alternative App Store for public domain software.
.

Known Recovery Image Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Known ROM Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-roms-fix-t3561019
Vernee Apollo X25 General Resource Sites
http://www.needrom.com/ Vernee/ApolloX25
.

Hardware
Protective Covers
Silicone and more rigid covers are becoming available for the Vernee Apollo. Make sure you don't get a Lite version as it wont fit.
Those looking for more range and are willing to mod, the Lenovo K5 Note is very similar in dimensions to the Apollo X25, but the headphone jack, volume and power buttons are slightly off. Modding a K5 Note case will require cutting holes for the headphone jack, buttons, speaker holes, and possibly for the flash. Clear covers will allow the flash to work. Make sure the camera and finger scanner is a complete open section on any K5 cover!
https://www.aliexpress.com/item/Ver...-Shell-Back-Cover-For-Vernee/32799796884.html

TWRP Vernee Apollo Helio X25
Cleopatra Bianchi said:
Click to expand...
Click to collapse
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1

Cleopatra Bianchi said:
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1
Click to expand...
Click to collapse
I left it up to you to post. I hope people comment on what they think. I'm working on my own images so I can't install others at the moment to give an opinion. Readers please note I can't verify the security on this share. Do not take any compromising actions.
I'm super busy so not sure when I will have my own solutions.

How I wish I had more knowledge. This piece of Hw (Raw Hw?) has a lot of potential, but lacks interest of any developer adapt/adopt it....
The conditions are there (lets hope the owners free the code, as they have done with its small brother), and let's hope there are enough and good drivers for the chosen Hw.
Just to encourage your efforts.
Regards

I agree
lots of good hardware and poor software...I hope in this community

At the moment I found these "bad" things about this phone:
1) you can't choose to view the battery percentage in the upper bar
2) you have to set the APN manually or you can't use internet
3) you can't turn volume up or down if the screen is switched off

I've kind of hit a wall with modding the system image to root it. The system images I produce are just not compatible with flashing. They flash but no desktop runs on the phone. Tried both sparse and raws. and I've got the partition size correct. Mount point is set properly to "system" and they're ext4 images.
I'm building Chainfire's version of ext4_utils, specifically the make_ext4fs util. If that doesn't work then I'll build Google's version. Long process as you need SELinux headers which takes ages to install. There maybe a bug in older versions that's causing the trouble. Other thoughts, there maybe a different padding method or bit plane for storing file system nodes. I may need SELinux builds of executables just to get the job done as I did notice in a hex.diff that the original image has SELinux stamps in it. I need more investigation to know why that's so.
It would be nice if Cleopatra Bianchi chimed in if She knows the issue or has even been down this road before, so to speak.

Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards

jrotaetxe said:
Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards
Click to expand...
Click to collapse
I'll look into it as the scripts may indicate the process to image creation. Cheers.

TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788

Such a cool phone, but sending it back. Doesn't work with US carriers

Stock firmware in Flash Tool
Cleopatra Bianchi said:
TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Click to expand...
Click to collapse
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.

stock firmware
myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
A working stock firmware will be here very soon.
Please be patient, I am working on that.

Cleopatra Bianchi said:
A working stock firmware will be here very soon.
Please be patient, I am working on that.
Click to expand...
Click to collapse
Anyway to unlock bands to get it working in US ???

myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
You can easily restore the phone using the official zip rom. Place it on a micro sdcard and install via the Bootloader menu. Instructions are on the forst comment on how to get to the bootloader menu and then recovery. If you're destroyed your recovery partition but still have fastboot access then you can use the system image within the official rom to flash the system partition with a bit of modifications.
I've been super busy so I haven't had the time to work on my own version of the TWRP Recovery.

How can I find the drivers ? When I google search I only find the one for Apollo lite

Do not believe you can "unlock" US bands, as they differ from EU/ASIA system.
Anyway, trying is (almost) free. The worst thing can happen is a brick
Regards