Develop Bugs

[REF] bml* partition layout

LAYOUT MAPPING COMPLETE! THANKS EVERYONE!​
based on XXJF5 stock 2.1#1
256 KB -- bml1, contain boot.bin (262144 bytes), Primary Boot Loader (low-level hardware initialization)
256 KB -- bml2, contains PIT file first 512 bytes
10240 KB -- bml3 /dev/block/stl3 /efs
1280 KB -- bml4 contain Sbl.bin (1310720 bytes) Secondary Boot Loader (loads the Linux kernel and passes the necessary arguments)
1280KB -- bml5 contains Secondary Boot Loader (for recovery, ect)
5120KB -- bml6 param.lfs /mnt/.lfs j4fs
7680KB -- bml7 contain zImage and initramfs
7680KB -- bml8 empty
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition) /dev/block/stl9
137216KB -- bml10 dbdata.rfs ( /dbdata RFS Partition) /dev/block/stl10
35840KB -- bml11 cache.rfs ( /cache RFS Partition) /dev/block/stl11
12800KB -- bml12 modem.bin

Hello husq510
Thanks for this infos, i'll follow this thread closely because i'm looking for the place where ServiceMode settings are stored.

anyone tried writing to the bml directly?

husq510 said:
bash-3.2# ls -al /dev/block/bml*
1280 KB -- bml4 kernel (zImage)
293376KB -- bml9 factoryfs.rfs ( /system RFS Partition)
Click to expand...
Click to collapse
interesting. so ive dd the bml4 and bml9 of optus australia stock 19000DTJF3. now anyone want to point me in the direction of creating an odin package out of it.

i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?

jodue said:
i whoner .... how can bml4 be the zImage? bml4=1.2MB, zImage=5.8MB ?? also if it should just contain the kernel without initram, it's still about 2.6MB? any idea?
Click to expand...
Click to collapse
you are right, cant be. then kernel must be in some other bml place, seems bml7.
gandalf:~/Desktop/android/bml ackie$ grep "booting the kernel" *
Binary file bml7.dump matches
gandalf:~/Desktop/android/bml ackie$ hexdump -n 128 bml7.dump | grep "e1a0 0000 e1a0"
0000000 0000 e1a0 0000 e1a0 0000 e1a0 0000 e1a0
0000020 0002 ea00 [2818 016f] [0000 0000] [a510 005b] <- zimage magic number 0x016F2818, start at 0x0, end at 0x005b10a5
0000030 7001 e1a0 8002 e1a0 2000 e10f 0003 e312
0000040 0001 1a00 0017 e3a0 3456 ef12 2000 e10f
0000050 20c0 e382 f002 e121 0000 0000 0000 0000
0000060 00d0 e28f 307e e890 0001 e050 000a 0a00
0000070 5000 e085 6000 e086 c000 e08c 2000 e082
0000080
Offset into zImage Value Description
0x24 0x016F2818 Magic number used to identify this is an ARM Linux zImage
0x28 start address The address the zImage starts at
0x2C end address The address the zImage ends at
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.

husq510 said:
so if you start at 0x0 of bml7 and read untill offset inside 0x2c for XXJF5 is 0x005b10a5 you have your zImage.
Click to expand...
Click to collapse
so is it safe to assume after 0x005b10a5 is the ram disk?

Hello Folks.
I found some interesting bits in bml12.
"Service Mode" datas strings are in it, like show these example :
Code:
strings ./bml12 | grep Diamond
[SND] TurnON UtaAudioModifyHf(prev_Diamond_mode:0x%x)
`[SND]DiamondVoice_GetMode : path = 0x%x, Diamond_mode = 0x%x
`[SND]DiamondVoice_GetMode : Diamond_mode = 0x%x
[SND]DiamondVoiceTXcfgMSG
`[SND] DiamondVoice_RxInit : DiamondVoice_Mode_v = 0x%x
Diamond Solution
[9] Diamond Solution
[SND]DiamondVoice_Config : DiamondVoice_Mode_v = 0x%x, Diamond_mode= 0x%x
strings ./bml12 | grep DEBUG
MN_GPS_DEBUG_INFO_CNF
GPS_DEBUG_INFO_CNF
[1] DEBUG SCREEN
[2] DEBUG INFO
DEBUG INFO
DEBUG MSG 115200
DEBUG MSG SETTING FAIL
DEBUG MSG 921600
DEBUG MSG ON
DEBUG MSG OFF
AUDIO_LIB_DSP_DEBUG_GRP1
AUDIO_LIB_DSP_DEBUG_GRP2
AUDIO_LIB_DSP_DEBUG_GRP3
AUDIO_LIB_DSP_DEBUG_GRP4
AUDIO_LIB_DSP_DEBUG_GRP5
AUD_LIB_DSP_DEBUG
IPC_MISC_PHONE_DEBUG
IPC_MISC_DEBUG_LEVEL
IPC_SVC_DEBUG_DUMP
IPC_SVC_DEBUG_STRING

And I found my IMEI number in bml3
edit :
+ some MAC hardware address too (but not the Wifi one)
+ the HW Version : MP 0.800
I guess that bml3 is device-specific.
But I don't know if it's the source of specific values or just contains copy of hardware-related data.
In the first case, modifying bml3 would allow to change IMEI or other sensitive values ^^

nonato said:
so is it safe to assume after 0x005b10a5 is the ram disk?
Click to expand...
Click to collapse
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)

raspdeep said:
nope, to extract the ram disk, u hv to find the magic number of gz and extract the gzip image out... i was able to get the directory listing of the ramdisk but not the content..
the other problem is after u get the ramdisk and do any modifications, u hv to reverse the process.. not an easy job but if anyone found a solution, please share.
anyone try writing to the bml directly? dd doesnt seem to work
anyway, its possible to extract the image and use odin to flash after tar but if can write to bml directly, clockworkmod can effectively backup/restore the kernel.. (just a thought)
Click to expand...
Click to collapse
No, you cant write directly to bml.
Data write to a sector involves following sequence of low-level flash operations:
1. Block copy for back-up
2. Block erase
3. Copy back for non-modified pages
4. Writing the sector data to the modified page
These sequences of operations are not atomic, so a write request to this block device driver is prone to data corruption. For this reason, read-only file systems such as CRAMFS are adequate to run on top of this block device driver.

use this small script to extract your current zImage:
offset=`dd if=/dev/block/bml7 bs=1 skip=44 count=4 2>/dev/null| hexdump -e '1/4 "%d"' -e '"\n"'`
echo $offset
dd if=/dev/block/bml7 bs=1 count=$offset of=/sdcard/zImage_backup

husq510 said:
use this small script to extract your current zImage:
Click to expand...
Click to collapse
nice, thanks for sharing that!

i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init

how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors

how did you dump and make the zip file you have attached?
thanks,
husq510 said:
i just extracted initramfs from bml7, file attached, unzip and cpio -i
some file differs from leshak:
modules/dpram.ko
modules/multipdp.ko
modules/dhd.ko
modules/stgloc
initramfs/init.rc
.info/rootfs.info
default.prop
init.smdkc110.sh
sbin/recovery
sbin/init
Click to expand...
Click to collapse

raspdeep said:
how do u extract this?
gunzip -c initrd-cpio.zip | cpio -i does not work.. gave errors
Click to expand...
Click to collapse
[email protected] you have to use unzip instead gzip, cuz forum dislike .gz format, so I had to use standard zip.
mkdir initramfs
mv initrd-cpio.zip initramfs
cd initramfs
unzip initrd-cpio.zio
cat initrd.cpio | cpio -i --no-absolute-filenames

Hey, did somebody already tried to dump one or some bml partitions and restore them later ?
I guess this could be the ultimate backup tool.

I took a look into this and found that
bml2 : PIT file is here
bml5 : Sbl.bin is here
I opened it with a Hexeditor and compared with things from the firmware.
My device is running on JP3, froyo, at the moment.

thanks i will update first post. layout mapping is complete now!

Teclast X70 3G SoFIA Atom x3-C3130 Quad Core 7 Inch Android 4.4 Tablet PC IPS Screen

The Teclast X70 3G SoFIA Atom x3-C3130 Quad Core 7 Inch Android 4.4 Tablet is a very cheap tablet with some pretty good specifications, lets have a look on these here:
- Android 4.4 OS
- 7 inch 1024x600 IPS capacitive touch screen
- SoFIA Atom x3-C3130 Quad Core Max 1.8GHz
- 512MB LPDDR2 RAM and 4GB EMMC
- Support Bluetooth/WIFI/GPS/OTG/3G Phone Call function
- Front 0.3MP + Rear 2.0MP camera
- 187*113*8.9mm and 270g
What I especially like about it is the very cool slim design. Typical for other cheap tablets is that they are normally bulky and cheaplooking. But not the Teclast X70, it still looks really nice.
It should come with preinstalled Youtube/Facebook/Twitter/MSN/Android market/Skype/Calculator/Google Mail/Google maps/iReader/Quick Office. And support audio types like MP3/WMA/FLAC/OGG/AAC/WAV/APE.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Great device, How about battery life?

Battery life sucks, at least on mine, the 2nd available Intel Atom x3 AKA SoFIA on the market but what more can you ask for; an approx USD 79 Android device from Intel...
Been hunting & trying to root this sucker, nothing seems to work ATM & i found the Flash Tool/ USB driver/ Firmware for X70 here mirrored here just in case it disappear... Updates : Found quite a few more here...
More info...
Hacking
After some hex editing, X70 recovery.fls can be unpack, at least there are some leads as adb command only list out its path but not its partition name, this means custom recoveries such as PhilZ Touch or TWRP is possible... Updates : The included FlsTool won't repack it back to the correct fls format...
Intel SoFIA uses 2ndbootloader
Code:
[COLOR="blue"]mkbootimg[/COLOR]
usage: mkbootimg
--kernel <filename>
--ramdisk <filename>
[ [COLOR="Blue"]--second <2ndbootloader-filename>[/COLOR] ]
[ --cmdline <kernel-commandline> ]
[ --board <boardname> ]
[ --base <address> ]
[ --pagesize <pagesize> ]
-o|--output <filename>
Use osm0sis's AIK or Carliv's CIK to unpack/ repack... :good:
adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name
Code:
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID001 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID022 -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID068 -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID069 -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID070 -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID071 -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID074 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID076 -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID115 -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID118 -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID119 -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID120 -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 2015-07-17 10:39 ImcPartID121 -> /dev/block/mmcblk0p13
recovery.fstab
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 defaults defaults
/dev/block/mmcblk1p1 /sdcard vfat defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID074 /misc emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID071 /boot emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 /recovery emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID120 /recoverym emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID001 /mobilevisor emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID013 /splash_screen emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID115 /mvconfig emmc defaults defaults
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID118 /secvm emmc defaults defaults
fstab.sofia3g
Code:
#
# Copyright (C) 2013 Intel Mobile Communications GmbH
#
# Sec Class: Intel Confidential (IC)
#
# Android fstab file.
#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
#
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 /system ext4 ro wait
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID069 /data ext4 nosuid,journal_async_commit,nodev,nodiratime,noatime,noauto_da_alloc,discard,data=ordered wait,encryptable=footer
/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID070 /cache ext4 nosuid,nodev wait
/devices/soc0/e0000000.noc/ef010000.l2_noc/e1000000.ahb_per/e1400000.sd/mmc_host/mmc1 auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
/devices/soc0/e0000000.noc/ef010000.l2_noc/e2000000.ahb_per/e2100000.usb/usb1 auto auto defaults voldmanaged=usbdisk:auto
#/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID076 /nvm_fs_partition ext4 nosuid,nodev,data=journal wait,check
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it boots up the stock 3e recovery.
To reboot to fastboot
There is no button combination to boot to fastboot however with the adb command -> adb reboot fastboot, you can boot to fastboot with correct adb driver installed at all the 3 modes...
At fully booted up Android OS
Even while the device at off-state ! (Charger init)
And the unknown Safe mode
There is no Intel Droidboot only distorted yellow screen but fastboot command works.
fastboot
fastboot getvar all
Code:
(bootloader) version-baseband: 23569
(bootloader) version-bootloader: 1525.100_M1S1
(bootloader) product: SF_3G
(bootloader) secure: NO
(bootloader) [COLOR="Blue"]unlocked: [B]NO[/B][/COLOR]
(bootloader) off-mode-charge: 1
(bootloader) ========== parition type ==========
(bootloader) system parition type: ext4
(bootloader) userdata parition type: ext4
(bootloader) cache parition type: ext4
(bootloader) radio parition type: raw
(bootloader) dsp parition type: raw
(bootloader) hypervisor parition type: raw
(bootloader) boot parition type: raw
(bootloader) recovery parition type: raw
(bootloader) splash parition type: raw
(bootloader) mvconfig parition type: raw
(bootloader) secvm parition type: raw
(bootloader) prg parition type: raw
(bootloader) psi parition type: raw
(bootloader) slb parition type: raw
(bootloader) nvm parition type: raw
(bootloader) ucode_patch parition type: raw
(bootloader) ===================================
(bootloader) ========== parition size ==========
(bootloader) system parition size: 0x40000000
(bootloader) userdata parition size: 0x4b960000
(bootloader) cache parition size: 0x40000000
(bootloader) radio parition size: 0x0
(bootloader) dsp parition size: 0x0
(bootloader) hypervisor parition size: 0x100000
(bootloader) boot parition size: 0x1080000
(bootloader) recovery parition size: 0x1180000
(bootloader) splash parition size: 0xa80000
(bootloader) mvconfig parition size: 0x80000
(bootloader) secvm parition size: 0x400800
(bootloader) prg parition size: 0x800
(bootloader) psi parition size: 0x20000
(bootloader) slb parition size: 0x100800
(bootloader) nvm parition size: 0x180000
(bootloader) ucode_patch parition size: 0x3800
(bootloader) ===================================
(bootloader) max-download-size: 0x38fff00
all:
finished. total time: 0.215s
fastboot oem unlock
Code:
...
(bootloader) Unlocking the bootloader means the following:
(bootloader) All user data will be deleted
(bootloader) Any securely stored data will be inaccessible
(bootloader) Warranty will be void
(bootloader) After unlocking you have to execute
(bootloader) > fastboot format userdata
(bootloader) > fastboot format cache
(bootloader) or carry out a factory reset from recovery
(bootloader) To confirm the unlock, please execute the command
(bootloader) > fastboot oem unlock confirm
OKAY [ 0.050s]
finished. total time: 0.050s
i don't intend to unlock mine yet as it will be getting LP update soon or i won't be able to update it, i donno... Initial look at the Flash Tool, tutorial, it seems SoFIA devices should be unbrickable & should be upgradable too, in spite of unlocked bootloader & rooting however i wouldn't want to risk it...
Updates : fastboot flash recovery twrp-recovery.img doesn't work... Flashing the Firmware doesn't overwrite the bootloader, it will remain unlock if you have unlocked it, fastboot oem lock doesn't work...
Unknown PTEST mode
To boot to PTEST mode => With the device at power off state, USB cable unplug, press & hold both Volume Up + Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding both volume button until you see boot logo then let go & it boots up to a screen that says...
Code:
Press volume up or down key to exit PTEST Mode
Now plug-in USB cable to PC
Unknown device at Device Manager
For adb, you can use google adb driver
One of the CDC is Intel USB, use the one included in the Flash USB Driver folder
i've tried alot of CDC driver, non-worked, except for MediaTek CDC driver that i have, seems compatible, attach below CDC.zip...
All the drivers needed for Flash Tool to work are installed
As the device i own is not X70, i only tried the upload, seems to be working except for a compatible ebl.fls is needed for a successful upload...
Final Note
Use this guide at your own risk !
Unknown Safe mode
With the device at power off state, USB cable unplug, press & hold Volume Down, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Down until it boots up
View attachment 3417538
Safe mode at the bottom left corner
Manage to unpack X70 system.img too...
Updates
Hmm, Chuwi Vi7 seems to be the exact clone, wonder if the firmware can be used on X70 or mine... Not compatible... Even X70 system.img won't boot on mine...
Further digging, its a single SIM device C3230 with better spec...
Cross-comparison
Found a few more X3...
Vido M7S
Onda V719 3Gs
Digma Plane 7.7
4good T700i
mediacom smartpad iPro 3G
iBall Slide Brillante
BLUEING S706
Updates - 08-Aug-2015
Found out my device is in fact actually an oem of X70 & damn Intel for making such cheap device while you can't even use fastboot to install custom recoveries to root it...
Updates : Hmm, it seems to be an oem of an oem, found it on default.prop...
There seems to be some headers needed to boot up the recovery, found out the included FlashTool has a back-end DOS program that can unpack & extract image parts from the FLS file.
Code:
[COLOR="Blue"]FlsTool -x recovery.fls[/COLOR]
FlsTool v.1.20
[Loading] recovery.fls (Fls2)
[Extract] 13905 recovery/meta.json
[Extract] 844 recovery/recovery.fls_inj_PSI_ver.txt
[Extract] 914 recovery/recovery.fls_inj_EBL_ver.txt
[Extract] 64320 recovery/recovery.fls_inj_PSI.bin
[Extract] 144084 recovery/recovery.fls_inj_EBL.bin
[Extract] 2048 recovery/recovery.fls_ID0_CUST_SecureBlock.bin
[Extract] 617168 recovery/recovery.fls_ID0_CUST_LoadMap0.bin
[Extract] 32430 recovery/recovery.fls_ID0_CUST_LoadMap1.bin
[Extract] 7786496 recovery/[COLOR="Blue"]recovery.fls_ID0_CUST_LoadMap2.bin[/COLOR]
recovery.fls_ID0_CUST_LoadMap2.bin is the stock 3e recovery.img
Need to figure out the correct way to repack the stock 3e recovery.fls & when it boots then will try it out on the ported TWRP, hopefully it boots too...
In the mean time, i have also contacted Intel, hopefully they'll respond or we'll have to figured ourselves how to repack custom recoveries so that it'll boot on our device to root it or wait for exploit root software to work on our SoFIA x3 device... Updates : They never respond...
Anyone wants to explore then here is the Guide, FlashTool & Firmware for my device... Not compatible for X70
Updates - 10-Aug-2015
Feedback from our Russian counterpart seems true that X70 recovery partition size is only 8MB only, no custom recoveries would fit except old version !
Code:
FlsTool v.1.20
This tool can do several different operations of FLS files.
Use the 'Action' option to select to required operation.
Actions:
-p [ --pack ] Packing multiple FLS files into one
-i [ --inject ] Inject NVM, Certificates or Security into FLS file
-x [ --extract ] Extract all image parts from the FLS file(s)
--extract-fls Extract embedded files from the FLS file(s)
--extract-prg Extract PRG file
-b [ --to-bin ] Convert a single Hex file to binary file
--hex-to-fls Create an Fls from a Prg file
--sign Formerly known as FlsSign
--to-fls2 [ arg ] Force output file format to Fls2
--to-fls3 [ arg ] Force output file format to Fls3
-d [ --dump ] Dump the meta data of an FLS file.
--sec-pack Dump all SecPack data of an FLS file.
HexToFls options:
--prg arg Choose a PRG file to create the Fls from
--psi arg Add a PSI to the Fls file (replaces if '-r' option)
--ebl arg Add an EBL to the Fls file (replaces if '-r' option)
--meta arg Inject any meta file to the Fls file (Equal to --version or -v in HexToFls)
--xml arg Add an XML file to the Fls file (replaces if '-r' option)
--zip arg Add a ZIP file to the Fls file (replaces if '-r' option)
--script arg Add a Script file to the Fls file (replaces if '-r' option)
--tag arg Specifies the memory region tag to insert the input file (replaces if '-r' option)
Inject options:
-n [ --nvm-path ] arg Path to the NVM input files
Generic Options:
-o [ --output ] arg Output path
-r [ --replace ] [ arg ] Defaults to replace when trying to add a section which is already existing
-v [ --verbose ] [ arg ] Set verbosity
--prompt [ arg ] Prompt before quitting
--version Show the version of this tool
-h [ --help ] Show command line help
Please specify an input file
Code:
FlsTool -d recovery.fls > partlist.txt
Code:
{
"addr": "0x1CC00000",
"length": "[COLOR="Blue"]0x00800000[/COLOR]",
"class": "Cust",
"tag": "RECOVERY:3#77",
"options": [ ],
},
recovery partition size of 0x00800000 in decimal is 8388608 = 8MB only...
X70 Flash Tool Driver Installation & firmware download
Typically, installing the Intel USB driver that comes with the firmware will work ( right-click it & Run as Administrator ) & if it doesn't then follow below guide.
With the device at power off state, USB cable unplug, open Device Manager, plugin the USB cable & an unknown device will appear, quickly double-click it & manually install the FlashUSB.inf included in the FlashUSB_Driver folder.
To download the firmware successfully, follow the guide that comes with it.
Again : Use at your own risk
Great product interview/ review by armdevices.net
Updates
Hmm, even Asus Zenpad 7.0 uses the x3 too AKA SoFIA but with better spec, the Z170 series & Z370 series
Updates - 17-08-2015 Finally, got ROOT access
Use FlsTool to download the x70-unsecured-boot.fls then most of the existing exploit rooting software will work, i think...
Updates
WARNING : For heaven sack's, noobs & newbies, pls READ EVERYTHING FIRST before hands on ! On & off, i got just too many pm regarding brick devices... There is only one post so pls read it, unlock your bootloader first before flashing the unsecured boot fls...
If you're using JOI then use JOI-unsecured-boot.fls...
Updates
Feedback seems some are not able to root with existing exploit rooting software, fyi, i manually root mine using adb commands then unroot & only tried iroot/ vroot & it works so i presume Kingo, Baidu & others will work too... Try giving the exploit software a helping hand first before using it...
Code:
adb root
adb remount
Updates - 23-08-2015 Since many still couldn't root it...
i'll share my manual rooting script here...
On Linux
Code:
adb root
sh root.bat
[COLOR="blue"]OR[/COLOR]
chmod 777 root.bat
./root.bat
On Windows
Code:
adb root
root.bat
[COLOR="blue"]OR[/COLOR]
Double-click root.bat
If you don't have a working adb then use the one from here... :good:
What to do once you got ROOT :good:
Install Xposed Installer => XDA :good:
Install GravityBox [KK] => XDA => youtube overviews & tutorials :good:
[GUIDE] Extreme Battery Life Thread ( Greenify+Amplify+Power Nap ) :good:
More info here, enjoy your New Custom ROM with Extreme Battery Life :laugh:
Must have Modules
More Modules
All Modules
Updates - 07-09-2015
Got just too many miss call, i can hardly hear it so i purchase this inexpensive mini bluetooth speaker strap to my sling bag & problem solved... :laugh:
Updates - 09-09-2015 => 4pda users IMEI problem
i've already told you guys here that i'm not able to login b'cos of that site super unreasonable Russian captcha but still nobody post reply here...
i wouldn't even bother to reply when i saw his thread here while the previous user ask exactly the same problem & he don't even bother to reply with the solution that he had...
Funny though, i don't have such IMEI problem after so many flashing on my X70 clone...
Possible other Solutions
Xposed IMEI Changer
Repair imei number in android => On x3, to check IMEI No. is *#06#
Others possible solutions
Updates
Thanks to Invisibot for sharing his findings & solutions for IMEI... :good: Mirrored here the software & the manual just in case it disappear
Updated JOI 7 lite unsecured boot.fls - 13-09-2015
i can't believe oem actually disabled the swap partition until i unpack Chuwi vi7 & discovered how it is enabled...
Huge apks now start up almost immediately though it takes quiet awhile for the OS to stabilize after every reboot but i guess its worth it as apps are more responsive after that...
Updated X70 unsecured boot.fls with swap enabled - 15-09-2015
Added X70 C6F9 unsecured boot.fls with swap enabled - 24-09-2015
X70 C5F9 => 512MB RAM
X70 C6F9 => 1GB RAM
Updates - 2016
Refer to here for TWRP & flash SuperSU to ROOT...

I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.

MacArthur67 said:
I don't want to be rude, but what's the point in starting a thread for a device, list some official specs but no hands-on? This routine (hunt for thanks or OP threads?) just creates parallel threads on the forum for the same device. I mean, the next person who actually owns or have access to the device and wants to post a real review of it might not want to post it here. That person might want to be the OP for that thread.
Click to expand...
Click to collapse
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.

s7yler said:
Well, I actually truly planned to get the device when I created the topic, but changed my mind. If you check my profile and other posts, you would notice that I actually always post a hands-on or review also in my posts if I get the device.
Anyone that actually got the device and want to add a review, can just contact me and I will put in up in post #1 - so no! its not a problem at all.
Parallel threads are not allowed in here, so anyone creating a thread for this, should actually first check if there is an existing one.
There is no real advantage of being a OP for at thread (other than I have a lot of work also answering questions like yours now). If I for instance post your review in #1, I would also write the credits/name for the review so they can thank you and not me.
Click to expand...
Click to collapse
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!

MacArthur67 said:
Yes I know that parallel threads are against the forum rules but a thread with only a news about a forthcoming device is not a real thread on a developer forum. It shouldn't be allowed in the first place in my opinion. This is not a news site/forum so what's the point in just echoing here what you have read in a press release on some other site? If people can read your echo here they can also read the original news where you found it. You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less. It's very counterproductive on a developer site and it's about time that someone tell you that. I'm just sorry it had to be me. Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review. You don't need to be an Einstein to understand that on a developer forum it would be a great advantage if the OP of a tread has a real interest in the device the thread is all about. Your interest seems to be something completely different that I can't really figure out, but in any case it's counterproductive on a developer forum. Peace!
Click to expand...
Click to collapse
"If people can read your echo here they can also read the original news where you found it"
No not always, I get info directly from the manufactures sometimes. And sometimes I write texts myself. That you can't read somewhere else. Of course it is not always so, depends on the info/news and devices. I love phones and tablets, and that's why I like to be a news poster. If I don't post, someone else would do.
You seem to mass produce short and very trivial reviews of various devices from some reason and then you always leave the thread more or less
No, I follow every single thread I make (else I would probably also not answer in this old thread here now) and if people have real interest in the device I also answer or follow up with news. If people ask something already answered I don't reply, that's right. Else I could spend the whole day answering questions from people. And I would say on 80% of the threads I make, I also always follow up with a full video review of the device.
Next time at least wait until you have the device or let people with a real interest in the device start the thread and write the review.
Doesn't work that way, as the manufactures already post info before the device is released. And many want info as soon it is possible, not 1 month after when the device already is old again.
a great advantage if the OP of a tread has a real interest in the device
Well, it is not really up to you to judge if I have real interest in a device or not. If I am going to test it I will have real interest in it. But some devices are more interesting than others, also after they have been received.
I don't see anything bad in creating threads that can gather people around a device. In these people can help, discuss & develop the device. I see that in my Elephone P8000 thread, my Jiayu S3 thread and UMI ZERO thread, for some devices like for example the UMI IRON it doesn't happen but that's not really my fault. I personally still love the phone.
And PS. I'm from Denmark, so you should really try to be a little more nice to one from your neighbouring country.

Teclast 3G x70
Hello freinds
Please could someone help me, because i am very stuck with the problem and no one over the internet doesnt know how to help me.
My tablet Teclast 3G x70 suddenly become dead and I have luck to repair it by reflashing procedure, but the IMEI has been lost
Please maybe somebody know how to repair it, because I have already tried everything I know...
Thank you

You guy always said already tried everything, what actually have you tried, list out everything so its easier to trouble-shoot & to narrow things down...
First of all, did you guys even read the included guide/ tutorial, i flash so many times on my X70 clone, never even once loose the IMEI, try rebooting to stock 3e recovery & do a Factory Reset or using fastboot to do that, that should reset everything back to normal ...
Code:
adb reboot fastboot
fastboot format userdata
fastboot format cache
Refer to here for more IMEI repair info....

to : yuweng TECLAST X70 3G
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you

Your username ends with il then only i try 012.net.il then only realize it... :laugh: All Android OS comes from Google so this means all Android devices are more or less the same, i guess its just a corrupted partition or file missing that causes this IMEI issues, same as many Android devices are experiencing...
Ok, try below command, give me a download link to it & i'll make a comparison to see which file is missing...
Code:
adb shell su -c "ls -R" > myx70.txt
After that, try to follow exactly as the FlashTool_E2 guide to download the firmware all over again, one of the pdf stated single-threaded download mode, multi-threaded download mode, try & see if that makes a different.... :fingers-crossed: Russian translated version here...
Updates
Hmm, that pdf stated 15 firmware files, that means modem.fls, mvconfig.fls & thread.fls is missing, wonder if that causes the IMEI to disappear...
[email protected] said:
Hello dear friend Yuweng
I come from 4 PDA forum you must be aware of.
And there is no one can resolve this issue.
First of all I want to thank you for the ROOTING guide - I get root with your help
And about IMEI : i have tried everything you advise to do to recover IMEI
I think it is maybe impossible to recover IMEI because it is INTEL platform like Google Nexus for example (need special hardware to recover IMEI)
Thank you
Click to expand...
Click to collapse

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
Please check it, Thank you

to : yuweng TECLAST X70 3G
Helo again dear friend
It is very nice you still support this thread
I did get the file myx70.txt you need
https://www.mediafire.com/?0iskyl3hazaketo
Please check it, Thank you
By the way it is some softwareprogram I have been informed in that can do everything including restoring IMEI
But I cant use it bacause it is in CHINESE
it called Rabbit Root and it is web page is: http://www.7to.cn/#

When i ask you to do a Factory Reset using the stock 3e recovery & you said you did it but your myx70.txt says otherwise... Few files missing, seems like it is not initialize properly...
Code:
./data/media/0:
91 WireLess
Alarms
Android
AppGame
DCIM
Download
GOLauncherEX
GoStore
MIUI
Mihome
Movies
Music
Notifications
Pada
Pictures
Podcasts
Ringtones
XPOSED IMEI Changer_1.3_apk-dl.com.apk
baidu
com.91.channel.repository
dianxin
libs
mgyun
nd
system
system.info
tencent
tmp
xutils
To reboot to stock 3e recovery
With the device at power off state, USB cable unplug, press & hold Volume Up, now press & hold Power button & it'll vibrate once then let go Power. Keep on holding Volume Up until you see the boot logo then let go & it'll boots up the stock 3e recovery.
Click to expand...
Click to collapse
Press the power button once & you'll see the stock 3e recovery menu
Use the volume down key to go to wipe data/ factory reset & press power button
Use the volume down key to go to Yes -- delete all user data & press power button
Do the same for cache partition
reboot system now
* Manually format the internal sdcard as well if Factory Reset doesn't remove it
That software you pointed out, the IMEI repair is for MTK devices only.
Updates
Check with dAverk how he did it, every detail like where he got the firmware from, the step by step that he took on flashing the firmware, this will narrow things down as why IMEI is lost on you guy's x70 & not him... i believe if you guys follow his steps exactly, you should be able to get the IMEI working again... :fingers-crossed:
Firmware flashing bricks the device, Factory Reset corrupts the IMEI was a thing in the past ( Jellybean/ ICS/ GB issues ), it shouldn't happened on KitKat/ Lollipop devices, i believe...

OK I have reflashed this tablet with all FIRMWARES i have found on this forums
I cant get to Boot Menu ( Power ON+Volume UP) - tablet continue to load and nothing happens
And the ADB command doesnt help
adb reboot fastboot
fastboot format userdata
fastboot format cache
The tablet reboots and I get GREEN screen
https://www.mediafire.com/?0pkb7pk89d8c33s

What have you done to yourself, that green screen is the fastboot screen, you'll need adb driver & fastboot.exe for it to work...
i already mentioned, be specific, all FIRMWARES, which one ? JOI, X70 from geekbuying or chinagadgetsreviews & etc, may be they are all different, i donno, i didn't download all to check if they are identical, may be thats the cause of your green screen problem & IMEI problem ?
This is a General not Development thread, i don't intend to start a new one, i shouldn't even be sharing these infos here...
Warnings : Use this guide at your own risk ! For Developers ONLY
These infos are the results of spending many hours with FlsTool( linux version ) & flstool.exe
Code:
./FlsTool -x recovery.fls
./FlsTool --extract-prg recovery.fls
./FlsTool -x system.fls
./FlsTool --extract-prg system.fls
./FlsTool -x mvconfig_smp.fls
./FlsTool --extract-prg mvconfig_smp.fls
./FlsTool -x mobilevisor.fls
./FlsTool --extract-prg mobilevisor.fls
After unpack, these individual fls files contains PRG, EBL, PSI, meta files & the actual Android img file or binary files. Each of these extracted files, PRG, EBL, PSI, meta files are identical.
When you use dd command to backup these partition, it is not an Android image file nor a fls file & a dd restore with either the dd backed up or the fls file won't boot or work correctly
Eg.
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119 of=storage/sdcard1/recovery.img"
adb shell su -c "dd if=storage/sdcard1/recovery.img of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
adb shell su -c "dd if=storage/sdcard1/recovery.[COLOR="Blue"]fls[/COLOR] of=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID119"
[COLOR="blue"]OR[/COLOR]
fastboot flash recovery recovery.img
fastboot flash recovery recovery.[COLOR="blue"]fls[/COLOR]
[COLOR="blue"]OR[/COLOR]
fastboot flash system system.img
fastboot flash system system.[COLOR="blue"]fls[/COLOR]
When Hex edit/ compare those files, they are totally different. Eg. dd backed up recovery.img with recovery.fls is not the same.
The recovery.fls when unpack has three different regions, i think the existing FlsTool version 1.20 has bugs, it doesn't repack it back to the correct format.
recovery.fls_ID0_CUST_LoadMap0.bin is identical to mobilevisor.fls_ID0_CODE_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap1.bin is identical to mvconfig_smp.fls_ID0_CUST_LoadMap0.bin
recovery.fls_ID0_CUST_LoadMap2.bin is the actual Android recovery.img that can be unpack with AIK or CIK as already explained on this post here
Even if it works, custom recoveries such as PhilZ Touch or TWRP which is also using the dd command for backups, will not be able restore it correctly as it is not a fls file or an Android image file.
As for the boot.fls, what i did was change the default.prop & repack it back.
Code:
ro.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
ro.allow.mock.location=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.debuggable=0 [COLOR="blue"]<= Change to [B]1[/B][/COLOR]
ro.adb.secure=1 [COLOR="Blue"]<= Change to [B]0[/B][/COLOR]
Unpack boot.fls
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
After unpack/ repack with AIK, copy image-new.img to the same folder.
Repack boot.fls
Code:
./FlsTool --psi boot/boot.fls_inj_PSI.bin --prg boot_0.fls --ebl boot/boot.fls_inj_EBL.bin image-new.img --tag BOOT_IMG -o new-boot.fls
After this, any exploit rooting software should work.
Found two new link for X70 (C6F9) -Android4.4.4-V1.05-5726 may be this one will solved the IMEI issues, i donno...
Source 1
Source 2
Conclusion : You can't do much on Intel x3 but to bug your device manufacturer to release the firmware then only rooting is possible otherwise forget it, its file system is not regular Android image, use the device as it is or you'll brick it in doing so...
4Good T700i 3G users
Since you guys confirmed X70 firmware can be downloaded successfully & the camera doesn't work after that, meaning the firmware is almost compatible except for the camera driver.
Since 4Good doesn't release the firmware, the correct way is to create an ebl.fls file, upload the boot.bin then port an unsecured-boot.fls & root it...
Code:
./FlsTool -x boot.fls
./FlsTool --extract-prg boot.fls
./FlsTool --hex-to-fls boot/boot.fls_inj_EBL.bin --prg boot_0.fls --psi boot/boot.fls_inj_PSI.bin --tag BOOT_IMG -o ebl.fls
View attachment 3475319
View attachment 3475321
Hex edit boot.bin & extract the boot.img( look for the header ANDROID! ), with above mentioned technique to make an unsecured boot.fls, unlock the bootloader, download this unsecured boot.fls then root it & the firmware stays as stock with both camera working.
View attachment 3475504
Or upload the boot.bin & i'll port an unsecured-boot.fls for you guys...
View attachment C5F9-ebl.fls.zip
View attachment C6F9-ebl.fls.zip
Or after rooting, copy all 4Good camera *.so files, flash x70 system.fls ONLY then manually use any ROOT Explorer to copy back these 4Good camera *.so files over & both cameras should work on 4Good after a reboot...
Theoretically, you can also dd the system.img, mount it, make changes then repack it back to fls file but then again, these files will be huge & i don't even know whether it works, never try that...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID068 of=storage/sdcard1/system.img"
adb pull storage/sdcard1/system.img
mkdir sys
sudo mount -t ext4 -o loop system.img sys/
Do whatever you want with the files & folders at [COLOR="Blue"]sys/[/COLOR]
sudo ./make_ext4fs -s -l 1024M -a system new.img sys/
sudo umount sys
./FlsTool --prg system_0.fls --ebl system/system.fls_inj_EBL.bin --psi system/system.fls_inj_PSI.bin new.img --tag SYSTEM -o new-system.fls
Download it with FlashTool_E2
Updates - Nov 2015
Thanks to benderit for sharing his detailed findings & how-tos for backing up/ creating a restored boot.img/ system.img via fastboot for x3 devices without FlashTool_E2 ROM... :good:
Updates - Jan 2016
Refer to here on how to create system.img on Win OS & using fastboot to flash it... :good:
Updates
The adb command adb shell ls -l /dev/block/platform/soc0/e0000000.noc/by-name correspond to recovery.fstab as shared on this post here EXCEPT for ImcPartID022 & ImcPartID121.
Hex editing the partition ImcPartID121 show that it is empty while ImcPartID022 shows there are some data inside it, i cannot tell whether its the bootloader or the IMEI info.
Those that lost their IMEI can use below command to backup & check whether there is data in it or its empty( all zero ). If its empty means the IMEI info might be at this partition...
Code:
adb shell su -c "dd if=/dev/block/platform/soc0/e0000000.noc/by-name/ImcPartID022 of=storage/sdcard1/ImcPartID022.img"
adb pull storage/sdcard1/ImcPartID022.img

To yuweng
Everything seems to be OK. And now after a week of try I finally understand that it was not worth trying. Because it finally become clear that it is nothing to do with IMEI. Very good yuweng.
It is seems that actually no one know how to resolve it.
And what is about trying different firmwares?
I just don't understand how would it help.
And about that all android systems are similar it also mistake.
If you want to restore IMEI on Nexus 4 you need special equipment.

The reason for your case i guess is everyone is new on your side, as the saying too many cooks spoil the broth...
Fyi, my previous device, the MTK, bcos of one Russian DEV shared his findings, thousands of users save hundreds of dollars each.... :good:
Bcos of one DEV shared his unpack/ repack script, i discovered that MTKs ROM can ported over to hundreds if not thousands of similar devices...
And Yes, i've also seen many that says they will never use PhilZ Touch or TWRP ever again bcos it corrupts their device, the reason for this is bcos no DEV is working on that device & end users just blindly installing it & complaining after that... The same at 4pda, few that swear to throw away their X70 too... :laugh: We need more DEVs to look into it then it will become a better Android device...
OT : And Yes, you can actually port 4Good firmware to work on X70 & vice-versa, when DEVs starts to work on it, if there is one, bcos it is an exact clone while mine is different, i donno, may be the newer X70 (C6F9) is compatible, i didn't try it...
Port means identify & taking parts of the firmware from other similar device & make it work on yours while flashing the whole firmware will normally leads to a brick device...

at now we tried flash 7 block of mmc (because we found many diffs in this block) from working device on dead[imei] - but nothing happens. Try work with whole mmc.

it seems that InvisiBot have already made the discovery... :good:
Haven't took a deep look at InvisiBot's findings yet, but found out my device is indeed an exact clone of x70 (C6F9), first flash the recovery.fls, got a landscape 3e stock recovery instead of the original portrait, then proceed to flash the system.fls, everything works except for bluetooth & wifi, last flash the boot.fls & now i got x70 (C6F9) ROM fully working on my device... :laugh:
i guess intel/ Teclast must have made some improvement to libhoudini, overall, it performs better than the original stock ROM with Xposed installed & with zram enabled ...
Updates
Guys, as i've always mentioned it on my other threads, users always feedback it doesn't work, pls describe every little steps that you took, it will be easier to trouble-shoot, narrow things down & solve your problems....
According to InvisiBot, he began experiment by Hex editing partition ImcPartID022 & that bricks his x70 & in doing so he found out there is a hidden feature that you can still download by holding the Power button for 10 seconds then release it & FlashTool_E2 will automatically start to download on your brick device, this mean intel x3 is truly unbrickable... :good:
Thats where he discovered that you guys use the erase whole flash at FlashTool_E2 & that erases the IMEI info, luckily he manage to get his IMEI back...
View attachment 3478674
WARNING : Never use both the erase whole flash option, it will delete your IMEI info ! You guys with the IMEI problem never even once mentioned that...
Conclusion
Indeed the partition ImcPartID022 contains both the IMEI info, device serial number & adb command => adb devices serial no. which is the same as SIM 1, good job InvisiBot... :good:
Code:
[COLOR="blue"]Setttings[/COLOR] => [COLOR="blue"]About tablet [/COLOR]=> [COLOR="blue"]Status [/COLOR]=> [COLOR="blue"]SIM 1[/COLOR]/ [COLOR="blue"]SIM 2[/COLOR]
On my x70 clone or shall i say an actual x70 (C6F9) rebrand, the offset is at different location.
Device serial no => 0x1AAC8
SIM 1 => 0x24360
SIM 2 => 0x2436C
adb command => adb devices serial no => 0x2549C
So do make a backup of partition ImcPartID022, this is the only partition that FlashTool_E2 cannot restore if you brick it.
Attention to InvisiBot
Since you said you're making a How-to Guide i'm not going to spoil the soup... :laugh: Don't forget to make one in English Language for sharing with XDA member here too... :good:
Attach below is my empty IMEI for your R&D, i think it should be the same as X70 C6F9...
View attachment EMPTY-C6F9-IMEI.zip
Search for the reference text as below
#IMEI01#
#IMEI02#
#ADB-SN#
##INTEL-X3-S/N## <= This is the 16 digit alphanumeric Serial number display at Settings => SIM1/ SIM2
Updates - Restore invalid IMEI
For those who lost their IMEI, you can try this Thanks to Invisibot & buxbux for the link... :good:
Don't ask me how-to, i've never loose my IMEI before so i donno how to use it, you'll have to find that out yourself...

[How to] Determine dd Parameters For All LG G4 Models

[How to] determine dd parameters for all LG G4 models
IMPORTANT:
Only for advanced users!
You are an advanced user if you know exactly what you are doing.
You are an advanced user if you know what to do if something went wrong.
You are NOT an advanced user if you know how to do copy+paste.
You can bring your smartphone into a state, so it no longer works.
I am not responsible for anything. The following instructions are only suggestions.
Hello,
everyone knows how to root the LG G4 with the "low effort root" method.
They copied the system partition to an ".img" file, rooted it and copied it back to the "system" partition.
Many users wonder how to get the right parameters for the "dd" commands.
Please read the complete guide and be sure that you understand it until you execute a command!
Information:
Code:
dd if=/inputfile bs=8192 count=12345 of=/outputfile
if = Input File
of = Output File
bs = Blocksize in bytes (default is 512 - to increase copy speed use multiple of 512 e.g. 8192)
count = how many blocks
skip = skip blocks before start reading
seek = skip blocks before start writing
more info: http://man7.org/linux/man-pages/man1/dd.1.html
There are different models of the LG G4 on the market.
We know that the system partition is different depending on the model of the G4.
As an example I will show you how to calculate the parameters for the LG G4 H815 (International Model).
What you need:
Windows with Send_Command.exe
Instructions:
At first we need to know where the "system" partition starts (first sector) and how big it is (partition size).
I used the first method to find these values. But I recommend the second method because it's easier.
First method (difficult method, extracting the GPT and using "gdisk" in linux to read the partition info)
What you need:
Linux with "gdisk" installed
Instructions:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
We need to copy the partition table to the internal storage.
The partition table of GPT (GUID Partition Table) has a size of 16384 bytes and starts at LBA2.
Each LBA has a size of 512 bytes. Because we start at LBA0 we need to add 1024 bytes.
In summary 16384 + 1024 = 17408 (bytes).
Execute the following command:
Code:
dd if=/dev/block/mmcblk0 bs=1 count=17408 of=/data/media/0/gpt_backup.img
Enter "LEAVE" to restart your phone.
You will find the (very small) file "gpt_backup.img" on your internal storage.
Switch to Linux:
Copy the file to your Linux and open the terminal. Then type this:
Code:
gdisk /yourpath/gpt_backup.img
Some warnings will occur. Ignore them.
You will see:
Code:
Command (? for help):
Enter "p" and hit "enter".
You will get a list of the partitions.
Scroll up a bit and check that you see:
"Logical sector size: 512 bytes"
Scroll down and look for the "system" partition.
You will find a line similar to this:
Code:
47 884736 9363455 4.0GiB FFFF system
Now you know the number of the "system" partition is "47".
You will see:
Code:
Command (? for help):
Type "i" and hit "enter".
You will be asked the partition number.
Enter it and hit "enter".
You will see something conatining lines similar to this:
Code:
First sector: 884736
Last sector: 9363455
Partition size: 8478720
Partition name: 'system'
We need the values from "First sector" and "Partition size".
Second method (easier method, just using "adb shell" to read the partition info)
What you need:
adb shell
usb debugging enabled
To get the "logical sector size" use:
cat /sys/block/mmcblk0/queue/logical_block_size
It should be 512
smason said:
To find in any smartphone the offset and the size of /system:
$ adb shell
[email protected]:/ $ ls -la /dev/block/bootdevice/by-name/system
ls -la /dev/block/bootdevice/by-name/system
lrwxrwxrwx root root 2015-01-02 10:50 system -> /dev/block/mmcblk0p47
[email protected]:/ $ cd /sys/block/mmcblk0/mmcblk0p47
cd /sys/block/mmcblk0/mmcblk0p47
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat start
cat start
884736
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $ cat size
cat size
8478720
[email protected]:/sys/block/mmcblk0/mmcblk0p47 $
so:
offset = 512 * 884736 = 452984832
partition size = 512 * 8478720 = 4341104640
Cheers!
Click to expand...
Click to collapse
So "first sector" is the value from "cat start" (884736).
The "partiton size" is the value from "cat size" (8478720).
Now the mathematics (using the values from above):
Logical sector size = 512 (I never saw something different on LG G4 smartphones)
Assuming bs=8192
skip and seek: "First sector" * "Logical sector size" / bs
884736 * 512 / 8192 = 55296
count: "Partition size" * "Logical sector size" / bs
8478720 * 512 / 8192 = 529920
That was an example for the H815 (International Model).
Use your own values to calulate the "dd" parameters!
Back to Windows:
Put your smartphone to "Download Mode" and connect it to the Send_Command.exe command prompt.
Now you can copy your "system" partition to "system.img" with the following command:
Code:
dd if=/dev/block/mmcblk0 bs=8192 skip=55296 count=529920 of=/data/media/0/system.img
Replace the values with the ones you calculated for your model!
Now you could copy the "system.img" to your Linux and root it or do everything else you want.
Important: Do NOT delete the original "system.img" from your internal storage as long as you are not 100% sure your G4 is stable.
If your modifications don't work, you can copy back the original "system" partition (with "dd").
To copy the modified "system_changed.img" back to the "system" partition use the following command:
Code:
dd if=/data/media/0/system_changed.img bs=8192 seek=55296 count=529920 of=/dev/block/mmcblk0
Replace the values with the ones you calculated for your model!
Important: Be sure to use "skip" when reading and "seek" when writing.
The "dd" command should take about a minute.
Did the instructions help you?
Please give a "Thanks!"
Thank you

Hi,
thanks for this great post.
I just have one question. With your formulas and using 8K block size, I get a floating point number as result. So I used a block size of 4K instead, and I get an even number. This seems better to me so I went with it, as I believe smaller block sizes are always ok?
I'm just wondering one thing which seems not right to me. My system partition is reported to be 2.5GB:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A8725BAA-9E45-B2F8-8FA3-8C972F60F0CF
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
So with the formulas:
FACTOR 512 / 4096 = 0.125
skip and seek: "First sector" * "Logical sector size" / bs
836608 *FACTOR = 104576
count: "Partition size" * "Logical sector size" / bs
8478720 * FACTOR = 1059840
If I now run the dd command:
dd if=/dev/block/mmcblk0 bs=4096 skip=104576 count=1059840 of=/storage/external_SD/system.img
I get a file system.img which is 4096 MB. Should it not be 2.5GB as my original system partition?
If I use bs=512 (the default) and type
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=8478720 of=/storage/external_SD/system.img
I get a system.img of the right size (bit over 2.5GB).
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd). I tried the ibs option, but the command then just doesn't work on Send_Command.exe. It doesn't even print an error but simply returns immediately.
Cheers
Jen

Hi,
which phone do you have?
Your calculation seems wrong. It's ok to use BS with 4k. I could be a bit slower then 8k, but that doesn't matter.
BUT: Look at your "count" value. Your partition size is 5237966. You used 8478720 (the value from my G4(H815EU) example). Thats wrong!!!
How to calculate with 1k and your values:
bs=1024
skip=836608*512/1024=418304
count=5237966*512/1024=2618983
Please check my calulation!!!
It's interesting, that the Send_Command shell has access to your external sd card...
I think the block size to use for "skip" is to be specified with the option ibs=XXX, not bs=XXX which only applies to "count" (according to man dd).
Click to expand...
Click to collapse
No. "bs" is the right parameter.
If you use "bs" it sets "ibs" and "obs" to the value of "bs".
Just do "dd --help" on a linux system for more details.

Hi Dominik,
oh my, how embarrassing I actually did take the wrong value from the example you posted. I used my value (the 5237966) for calculating the parameters with bs=8K, and got a floating value, so tried 4K instead... and the wrong value must have snug in. Oups.
I also get floating value on 4K now that you've pointed my mistake out:
5237966 * 512/4096= 654745.75
If I rounded this up, would this not mean that I copy a tiny bit of the next partition on the image? And if I then use the image to restore, would I not run the risk to damage something in the following partition?
Anyway, it's not a huge drama as I can just use bs=512 and it works.
Yes I have access to the SD card, the image also has copied there successfully. I was also surprised because I read in the forums that it's not possible.
I found it out with the "df" command, as the SD was listed there. I needed to use it because there's no room on my internal storage (it's a ridiculous 8GB on the LG H735) to store the image there.
My system partition is only 2.5GB so I don't think I have to reformat, but you are right it would be better to use ext4.

Ok
I removed my information about formatting the sd card.
You dont't have to format it. FAT32 is ok.
So you can use your sd card on systems which don't support ext4 too.

I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.

jen.magnolis said:
I have the LG G4S (H735). It's unusable without rooting as it only has 8GB internal memory. That's why I'm trying to root it now.
Click to expand...
Click to collapse
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there

dominik-p said:
Ok, good luck.
Please open a new thread if you have questions about rooting your phone.
Or is there already one? Maybe these?
http://forum.xda-developers.com/g4/help/rooting-lg-h735-g4-beat-t3192491
http://forum.xda-developers.com/g4/general/lg-g4s-world-root-lg-devices-t3231759/page7
Oh. Just saw that you are already there
Click to expand...
Click to collapse
I just created a new thread too to focus on the particular problem I have:
http://forum.xda-developers.com/g4/general/rooting-lg-g4s-h735-t3243549

this guide helped in dumping boot and recovery partitions.
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.

sparksthedev said:
thank you very much sir! i successfully dumped my boot and recovery partition using dd in my mediatek device by following your guide.
Click to expand...
Click to collapse
Congratulations
Did you use the first (more komplex) oder the second method for your device?
I saw that you had problems in this thread:
http://forum.xda-developers.com/showthread.php?p=65907557#post65907557
And you wrote a guide for MTK devices here:
http://forum.xda-developers.com/general/general/guide-dumping-boot-img-recovery-img-t3339530
This doesn't work with the LG G4, but I think it will help many others.
Thank you

My sister asked me to root her phone. It seems more complicated than anything I did in the past (HTC Wildfire, Galaxy Core Plus, Xperia M4A).
I tried this tutorial and it kinda worked, but I can't mount image I got, so it's useless (image, not tutorial!).
Phone is LG-H736 (Beat). I got this result in gdisk:
Code:
Partition number (1-42): 39
Partition GUID code: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (Microsoft basic data)
Partition unique GUID: A9520AE6-ABC6-F107-E8FE-B37C4C30CB77
First sector: 836608 (at 408.5 MiB)
Last sector: 6074573 (at 2.9 GiB)
Partition size: 5237966 sectors (2.5 GiB)
Attribute flags: 1000000000000000
Partition name: 'system'
The 8K bs gave me floating point result, so I used 0,5K.
So the dd command were:
Code:
dd if=/dev/block/mmcblk0 bs=512 skip=836608 count=5237966 of=/storage/external_SD/system.img
BTW, I had access to SDCard and I didn't need to open ports...
EDIT: I got the system.img. The problem was I haven't got enough space on SD card.
But now I bricked it...
https://forum.xda-developers.com/g4/help/softbricked-g4-beat-lg-h735-t3959237

Guide[Linux][Windows]: Migrate to SSD/HDD of any size, only for SATV Pro

Code:
[B][I][COLOR="Red"][SIZE="3"]I am not responsible for bricked devices, dead HDDs, animals
activist campaigns, or any H/W damage caused by you following these
directions. YOU are choosing to make these modificiations, and
you, yourself take responsibility for doing these modifications
to your device.
You can do serious H/W damage to your SATV or even your computer
by doing any of this. So, you have been warned! [/SIZE][/COLOR][/I][/B]
First of all, you should pay your thanks to @Luxferro for mapping out the entire partition array, and building the chart that does all the calculations for using another disk size.
He also proved that it was indeed possible to modify your GPT header to another sized drive.
None of this would have been possible, if it was not for him.
Also thanks to @Tilator for initiating his thread, and proving it was possible to swap your HDD for something else.
1. Preparations and disassembling the SATV
Well, to begin with you should have a working linux environment set up. This can easily be a live CD/DVD/USB. Or you can do it from a virtual environment. You can use DD for Windows now, follow guide as normally.
You should have a hex editor with CRC32 calculating capabilities. I recommend HxD:
https://mh-nexus.de/en/downloads.php?product=HxD
Yes, that is for Windows, I use Linux for all the writing/dumping, but I prefer my Windows hex editor.
It's worth to know, that your device should be bootloader unlocked, and preferably newly factory reset.
Also, an autotool has been made now to do this GPT header edit. See post #3.
Then you can go open up the SATV by prying off the bottom of the casing. I managed to do this with my fingernails. A small plastic pry tool can be used as well.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Then you remove the 2 wire sets from the plugs to give more working room. There is 2 sets of tape holding the wires and the HDD in place as well.
There is (on mine at least) just one screw with a small bracket holding the HDD in place, you will need a T6 driver to remove it.
Gently lift the black latch/lock on the connector to the secondary board, then the FCC connector will be easily out.
Then it is just a matter of gently loosening the adhesive on the FCC strip from the HDD and pull out the SATA connector.
With the HDD out, you will have to connect it to your Linux setup somehow. I used an enclosure with a USB3 connection.
With the HDD recognized in the computer, the time has now come to clone you HDD.
You could as well use the bin files Tilator has provided, but if you want your own genuine Netflix ESN, you should use your own.
If you want to use DD for Windows, please continue the guide from post #2. After finishing that part, come back to this post and skip to the hex editing part.
2. Dumping the data from the SATV SSHD
In a terminal window you start by listing the drives:
Code:
sudo -s
fdisk -l
This is to determine which drive you are working with. Remember that the DD command does't care which drive you specify, it will destroy your main drive if you ask it to.
The you continue by dumping the first 6899870 blocks of data to a bin file:
Code:
dd if=/dev/sd[B]X[/B] of=firstpart.bin count=6899870
This will give you a raw image file of all the partitions up until the /data partition which is better left out (it will come later).
Then continue by dumping the last 5120 bytes of data which contains the partition array and the GPT header:
Code:
dd if=/dev/sd[B]X[/B] bs=512 skip=976773158 of=lastpart.bin
EDIT: 26th August 2016, @anchung.chen has experimented with aligning the partitions to Advanced Format 4096 byte sectors (4K alignment). This supposedly gives better performance especially on SSD drives.
It's worth to know that this most likely breaks the OTA updates, as they might write partitions on block level rather than on a file level. OTA updates seems to be working.
Also, anchung.chen has had problems unlocking the bootloader on the 4K aligned disk.
@ahmed68
Reports that TWRP doesn't work well when trying to flash SuperSU.
Please see follow these steps to write the bin files with 4K alignment:
Start by downloading the ELF executable programmed by anchung.chen from this post:
http://forum.xda-developers.com/showpost.php?p=68300570&postcount=44
Patch the lastpart.bin the following way (2TB disk size):
Code:
./shield_pro_new_disk_gpt_calculator-0.3 lastpart.bin [B]2000398934016[/B] lastpart4k.bin
This will recalculate the GPT header to match the 2TB disk, but also rewrite the partition array.
Then continue by writing the firstpart.bin in 2 steps instead of just one:
Code:
if=firstpart.bin of=/dev/sd[B]X[/B] bs=512 count=69888
Code:
dd if=firstpart.bin of=/dev/sd[B]X[/B] bs=512 skip=69790 seek=69888 count=6830080
These 3 steps effectively moves the partitions 16-32 to match 4K alignment structure.
And finish off by writing the lastpart4k.bin:
Code:
dd if=lastpart4k.bin of=/dev/sda[B]X[/B] bs=512 seek=[B]3907029158[/B]
This completes the guide, no more steps needed.
You can now disconnect your HDD. These 2 files also counts as a backup of your SATV (not with settings as userdata was not copied).
Now connect your new SSD in the enclosure.
You can easily start by writing the firstpart.bin:
Code:
dd if=firstpart.bin of=/dev/sd[B]X[/B]
3. Hex-editing the partition array and the GPT header
In your linux terminal load up the block count (called sectors in linux language) of the new drive:
Code:
fdisk -l
A 2 TB disk should have a total block count of 3907029168, but a smaller disk would have a smaller block count, so use fdisk -l to determine this.
Or if you use DD for Windows you have the output from dd --list to work with.
The lastpart.bin must be edited before we can write it on the new disk.
So use the spreadsheet provided by @Luxferro in this post:
http://forum.xda-developers.com/showpost.php?p=67996717&postcount=189
In the column at the buttom right that says disk size, you change the value to match you new disk. In this example for the 2TB it should be 2000398934016 (bytes). This value should be taken from fdisk -l as well.
Now it gets a little hairy!
In the spreadsheet you should start with the buttom value marked out in purple under the row called "Last LBA". This should be E8E0888E:
Open up lastpart.bin in HxD and navigate to offset 00000FA8. There you should find the 4 bytes 0E 60 38 3A illustrated in this picture:
This value is in a format called reverse byte ordering, so to put in your new calculated value, you will have to arrange it like this: 8E 88 E0 E8. Input that value instead of the bytes already there like this picture:
While we are in this particular position in the lastpart.bin we might as well do the CRC32 of the partition array.
Now make a selection containing the 64 bytes or 4 empty lines underneath the line having UDA written in ASCII, and all the way to the top of the file, offset 00000000 to 00000FF0 like in this picture:
In the drop-down menu, choose Analyzis->Checksums and generate a CRC-32 checksum (Not checksum-32).
It will come up in the buttom screen of HxD, and should read 6B CF E5 7D
Navigate to the buttom of the file which contains the GPT header. It should start with an ANSI text reading "EFI PART".
In offset 00001258 you should find the value of the original CRC-32 value containing the bytes 0E 02 C5 DC.
Replace this, again reversing the bytes from your newly calculated CRC-32 value like this: 7D E5 CF 6B:
Now we are actually almost finished! In the spreadsheet all the way to the right, you will find 4 hexadecimal values marked in purple.
First is the position of the GPT header, and the second is the position of the backup GPT header. Since there is only 1 on the SATV, these values are both the same.
Write them into the GPT header on offset 00001218, and 00001220, again reversing the bytes like illustrated in the picture:
Same goes for offset 00001230, Last Usable LBA, and offset 00001248, Starting LBA of array of partition entries.
This brings us to the last thing on the table, the CRC32 of the GPT header itself.
The CRC is located on offset 00001210 and should have the bytes 46 C9 88 78 already there.
Just write 00 00 00 00 to blank them out:
Now make a selection of the GPT header containing the beginning of the header, and to the last written byte before all the zeroes:
In the drop-down menu, choose Analyzis->Checksums and generate a CRC-32 checksum (Not checksum-32).
It will come up in the buttom screen of HxD, and should read 46 9F 24 38
Again, write it instead of the 4 bytes with zeroes reversed like this:
This completes the matter, now just save your work in HxD and write it to the end of your drive.
To do this we need the total block count from the HDD that you fetched in the beginning of the guide from the fdisk -l output, should be 3907029168
The lastpart.bin is 5120 bytes which is the same as 10 blocks of 512 byte length.
So, 3907029168 minus 10 is 3907029158 and put into your DD-line like this:
Code:
dd if=lastpart.bin of=/dev/sda[B]X[/B] bs=512 seek=[B]3907029158[/B]
Or like this if you use DD for Windows:
Code:
dd if=lastpart.bin of=\\?\Device\Harddisk[B]X[/B]\Partition0 bs=512 seek=[B]3907029158[/B]
4. Assembling SATV and finishing up
Now at last, put in your new disk in the SATV and assemble everything back together.
If it doesn't boot in the first try, you could try another cold boot (give it 15 min.).
If that won't do it, you might have to wipe the DATA partition from the fastboot menu.
To cold boot into fastboot, follow this (taken from "http://developer.download.nvidia.com/mobile/shield/ROM/SHIELD_ATV/OTA-1.1/HowTo-Flash-Recovery-Image.txt"):
Code:
HW method:
- Disconnect power cable
- Insert USB OTG cable and make sure to connect other end to a host PC
- Connect power cable to SHIELD
- Quickly start pressing power button for ~3 seconds
- Do not hold the button and connect power supply afterwards
- HDMI TV should be always connected to SHIELD
And format the /DATA partition from fastboot like this:
Code:
fastboot format FS:EXT4 /data
Or do a fastboot oem unlock of the SATV.
Hopefully you will now have a SATV with an upgraded SSD/HDD!

DD for Windows part
Guide for Windows, using dd for Windows by John Newbigin
Download the dd utility from: http://www.chrysocome.net//dd
Code:
[SIZE="4"]
[COLOR="Red"]
WARNING! Using DD for Windows from a command prompt with administrator privileges is DANGEROUS!
If you specify your Windows drive as output file/device, it WILL destroy the partition!
[/COLOR]
[/SIZE]
Code:
[B][I][COLOR="Red"][SIZE="3"]I am not responsible for bricked devices, dead HDDs, animals
activist campaigns, or any H/W damage caused by you following these
directions. YOU are choosing to make these modificiations, and
you, yourself take responsibility for doing these modifications
to your device.
You can do serious H/W damage to your SATV or even your computer
by doing any of this. So, you have been warned! [/SIZE][/COLOR][/I][/B]
So, I used a Windows 10 Pro environment to test this. I think any Windows version based on the NT architecture will be working.
Extract the dd.exe and as the path you want to extract to, use this: "%USERPROFILE%\AppData\Local\Microsoft\WindowsApps"
This gives you the ability to use DD system wide.
Plug in the HDD from your SATV. The disk will be unreadable to Windows as it has no known filesystem. Windows might pop up asking you to format the drive. You MUST ignore that, and press cancel!
Open up a command prompt with administrator privileges. You can do this with Windows key+X to bring up a menu, then choose Command Prompt (administrator).
Navigate to a folder where you want to work from. It doesn't matter where, as you just have to have space enough to store the bin files.
If you need a refreshment in navigating the commnd prompt, you can read up on it here:
http://www.pcstats.com/articleview.cfm?articleid=1723&page=3
Now, run the command
Code:
dd --list
This gives you a lot of information. It even gives you the total byte count of your harddisk drives.
Navigate a little up to locate the right disk:
In this example I didn't use my SATV HDD, but another 750GB HDD I had lying around. The SATV SSHD will have a size of 500107862016 bytes.
Be careful that you choose the right drive to work on, and you also have to find the one that has the device string "\\?\Device\HarddiskX\Partition0".
And X will have to be equivalent to the harddisk number that Windows has assigned to your device.
The you continue by dumping the first 6899870 blocks of data to a bin file:
Code:
dd if=\\?\Device\Harddisk[B]X[/B]\Partition0 of=firstpart.bin count=6899870
This will give you a raw image file of all the partitions up until the /data partition which is better left out (it will come later).
Then continue by dumping the last 5120 bytes of data which contains the partition array and the GPT header:
Code:
dd if=\\?\Device\Harddisk[B]X[/B]\Partition0 of=lastpart.bin skip=976773158 bs=512
You can now disconnect your HDD. These 2 files also counts as a backup of your SATV (not with user settings, data partition was not copied).
Now connect your new SSD in the enclosure. Use dd --list again to determine the right disk to use, and please be careful not to mix up your Windows drive or another drive which contains important data.
You can easily start by writing the firstpart.bin:
Code:
dd if=firstpart.bin of=\\?\Device\Harddisk[B]X[/B]\Partition0
Please continue the rest of the guide in first post.

Hi All:
Thank Luxferro, Tilator and hallydamaster for your hard works, so we could replace the SSHD on shield-pro-tv with any SSD or HHD.
I wrote a small program to do all calculations and generate the new lastpart.bin directly.
usage : ./shield_pro_new_disk_gpt_calculator Input_bin_file New_disk_size_in_byte Output_bin_file
It is for 64-bit Linux PC. Any comments are welcome. And if you like, the source code will be opened.
Well, I think it is quite straightforward to use it. This program just generates the modified lastpart.bin from your original lastpart.bin and disk size (byte) of new SSD/HHD which you will migrate to.
For example of hallydamaster guide, the new 2TB disk has 2000398934016 bytes and 3907029168 sectors. Then
Using following command to generate the correct lastpart.bin for the new 2TB disk.
Code:
./shield_pro_new_disk_gpt_calculator lastpart.bin 2000398934016 new_lastpart.bin
Using following command to write the correct lastpart.bin to the new 2TB disk.
Code:
sudo dd if=new_lastpart.bin of=/dev/sdX bs=512 seek=3907029158

Thanks for the guide.
Does anyone know the performance penalty for using a regular 2TB HDD?

anchung.chen said:
Hi All:
Thank to Luxferro, Tilator and hallydamaster hard works, so we could replace the SSHD on shield-pro-tv with any SSD or HHD.
I wrote a small program to do all calculations and generate the new lastpart.bin directly.
usage : ./shield_pro_new_disk_gpt_calculator input_bin_file disk_size_in_byte output_bin_file
It is for 64-bit Linux PC. Any comments are welcome. And if you like, the source code will be opened.
Click to expand...
Click to collapse
Well, I suppose we have the guide for educational purposes then!
Please, tell something about how to use it.

tech3475 said:
Thanks for the guide.
Does anyone know the performance penalty for using a regular 2TB HDD?
Click to expand...
Click to collapse
I know that another user here @ahmed68 just did his with a SATV, AFAIK.
I don't think it was an SSD atleast.

hallydamaster said:
Well, I suppose we have the guide for educational purposes then!
Please, tell something about how to use it.
Click to expand...
Click to collapse
Well, I think it is quite straightforward to use it. This program just generates the modified lastpart.bin from your original lastpart.bin and disk size (byte) of new SSD/HHD which you will migrate to.
For example of your guide, the new 2TB disk has 2000398934016 bytes and 3907029168 sectors. Then
Using following command to generate the correct lastpart.bin for the new 2TB disk.
Code:
./shield_pro_new_disk_gpt_calculator lastpart.bin 2000398934016 new_lastpart.bin
Using following command to write the correct lastpart.bin to the new 2TB disk.
Code:
sudo dd if=new_lastpart.bin of=/dev/sdX bs=512 seek=3907029158

anchung.chen said:
Hi All:
Thank Luxferro, Tilator and hallydamaster for your hard works, so we could replace the SSHD on shield-pro-tv with any SSD or HHD.
I wrote a small program to do all calculations and generate the new lastpart.bin directly.
usage : ./shield_pro_new_disk_gpt_calculator input_bin_file disk_size_in_byte output_bin_file
It is for 64-bit Linux PC. Any comments are welcome. And if you like, the source code will be opened.
Click to expand...
Click to collapse
have any example how to use it or only run in term ./shield_pro_new_disk_gpt_calculator input_bin_file disk_size_in_byte output_bin_file
plz help I wont to gen gpt for 64gb sd card. I have boot.img for sd card and usb only for l4t Ubuntu thanks.

ahmed68 said:
have any example how to use it or only run in term ./shield_pro_new_disk_gpt_calculator input_bin_file disk_size_in_byte output_bin_file
plz help I wont to gen gpt for 64gb sd card. I have boot.img for sd card and usb only for l4t Ubuntu thanks.
Click to expand...
Click to collapse
You are supposed to do:
Code:
./shield_pro_new_disk_gpt_calculator lastpart.bin 68719476736 lastpart64gb.bin
But take the byte value you get from your own fdisk -l output.
Also, if you are going to use this for Linux and not android, I don't think it will work. The GPT layout that the SATV Pro uses is not standard.

hallydamaster said:
You are supposed to do:
Code:
./shield_pro_new_disk_gpt_calculator lastpart.bin 68719476736 lastpart64gb.bin
But take the byte value you get from your own fdisk -l output.
Also, if you are going to use this for Linux and not android, I don't think it will work. The GPT layout that the SATV Pro uses is not standard.
Click to expand...
Click to collapse
hallydamaster thank you for help
now i use the orig. sshd under ubuntu 14.04 L4T 24.1 i wont to make sdcard for linux and sshd for android to use shield in 4k tv android the best .

I think Nvidia should put boot loader and kernel on internal emmc's for both 16GB and 500GB SATVs rather than keeping significantly different ROM versions for 16GB and 500GB SATVs.
It'd save Nvidia and users time by doing so.
It seems much simpler to add HDDs of any size to 16 GB SATV if the HDD cable is available.

yahoo2016 said:
I think Nvidia should put boot loader and kernel on internal emmc's for both 16GB and 500GB SATVs rather than keeping significantly different ROM versions for 16GB and 500GB SATVs.
It'd save Nvidia and users time by doing so.
It seems much simpler to add HDDs of any size to 16 GB SATV if the HDD cable is available.
Click to expand...
Click to collapse
I certainly agree with that, seems they had a brain fart when deciding how to build the pro. Could be great if we could somehow convert the pro version to boot from internal EMMC.

hallydamaster said:
I certainly agree with that, seems they had a brain fart when deciding how to build the pro. Could be great if we could somehow convert the pro version to boot from internal EMMC.
Click to expand...
Click to collapse
I have serial console print out from 16GB SATV:
http://forum.xda-developers.com/showpost.php?p=67973969&postcount=303
I'm wondering what the output would be for SATV Pro when the HDD is disconnected.
If the first stage boot loader (TegraBoot?) is smart enough, it could check emmc for boot loader.

yahoo2016 said:
I have serial console print out from 16GB SATV:
http://forum.xda-developers.com/showpost.php?p=67973969&postcount=303
I'm wondering what the output would be for SATV Pro when the HDD is disconnected.
If the first stage boot loader (TegraBoot?) is smart enough, it could check emmc for boot loader.
Click to expand...
Click to collapse
That's indeed interesting, lot of info in that output!
I'm pretty sure that @Tilator had someone send him a copy of a complete rip of the EMMC from a 16GB SATV.
He then wrote it to the EMMC on the Pro, which is just empty. It didn't boot with it, but I'm not sure if he tried booting it without the HDD in it.
Cloud be interesting to try though.
Unfortunately I don't really have the time to read up on UART and solder wires on my board to try this. :-/
Not for the time being at least.

i will try to flash satv pro from satv and see it must save in emmc , I wont to make sd card like recovery for satv and satv pro I try repack the partition but bot work I need to edit boot.img #include <sys/mount.h>
#include <unistd.h>
#include <linux/reboot.h>
#include <fcntl.h>
extern char **environ;
int main(int argc, char **unused) {
mount("/dev", "/dev", "devtmpfs", 0, NULL);
mount("/dev/mmcblk0", "/dest", "ext4", 0, NULL);
// mount Android system
// mount("/dev/mmcblk0p1", "/mnt", "ext4", 0, NULL);
mount("/dev", "/dest/dev", NULL, MS_BIND, NULL);
chroot("/dest");
chdir("/");
char * const argv[] = { "/sbin/init", NULL };
execve(argv[0], argv, environ);
}
must change mmcblk0 to mmcblk0p1 ,mmcblk1p1 or sda21/32
---------- Post added at 08:40 PM ---------- Previous post was at 08:20 PM ----------
I take this flash.sh from tegra jetson-tx1
flash.sh: Flash the target board.
# flash.sh performs the best in LDK release environment.
#
# Usage: Place the board in recovery mode and run:
#
# flash.sh [options] <target_board> <root_device>
#
# for more detail enter 'flash.sh -h'
#
# Examples:
# ./flash.sh <target_board> mmcblk0p1 - boot <target_board> from eMMC
# ./flash.sh <target_board> mmcblk1p1 - boot <target_board> from SDCARD
# ./flash.sh <target_board> sda1 - boot <target_board> from USB device
# ./flash.sh -N <IPaddr>:/nfsroot <target_board> eth0 - boot <target_board> from NFS
# ./flash.sh -k LNX <target_board> mmcblk1p1 - update <target_board> kernel
# ./flash.sh -k EBT <target_board> mmcblk1p1 - update <target_board> bootloader
can anybody edit the boot.img to
1. mmcblk0p1 for emmc
2. mmcblk1p1 for sdcard
I think its most work

i flash satv pro from satv i now it come not bootable then i will remove hdd and boot to linux when run sudo fdisk -l i see 2 part of hdd first mmcblk0 (emmc) and sdx its sda in android by dd if=/dev/sdx of=firstpart.bin count=6899870
then dd if=firstpart.bin of=/dev/mmcblk0 and dd if=lastpart.bin of=/dev/mmcblk0 bs=512 seek=xxxxx (xxxxx i will take it from fdisk -l -10) then i most to delete boot patition from sda by sudo fdisk /dev/sda21 # input d , w .
now we have a work satv non pro , i need to use ubuntu in emmc and android in sda for that we must make the first boot img for dualOS like (Geekbox Lollipop Lubuntu dualOS)
http://forum.geekbox.tv/viewtopic.php?f=12&t=3198
anybody have any edia plz help.

ahmed68 said:
now we have a work satv non pro
Click to expand...
Click to collapse
You can boot to Android from emmc (mmcblk0) of SATV Pro without HDD?
Does recovery mode work for SATV Pro without HDD?

Is this fix working with the 3.2 update from a few weeks ago? I'd like to duplicate more of my movies onto my SATV Pro now that the Plex Server is installed.

ahmed68 said:
i flash satv pro from satv i now it come not bootable then i will remove hdd and boot to linux when run sudo fdisk -l i see 2 part of hdd first mmcblk0 (emmc) and sdx its sda in android by dd if=/dev/sdx of=firstpart.bin count=6899870
then dd if=firstpart.bin of=/dev/mmcblk0 and dd if=lastpart.bin of=/dev/mmcblk0 bs=512 seek=xxxxx (xxxxx i will take it from fdisk -l -10) then i most to delete boot patition from sda by sudo fdisk /dev/sda21 # input d , w .
now we have a work satv non pro , i need to use ubuntu in emmc and android in sda for that we must make the first boot img for dualOS like (Geekbox Lollipop Lubuntu dualOS)
http://forum.geekbox.tv/viewtopic.php?f=12&t=3198
anybody have any edia plz help.
Click to expand...
Click to collapse
Hi ahmed, can you please clarify if you had it boot without the HDD?
You cloned the HDD partitions onto the EMMC? And then removed the boot partition from the HDD, and then it booted anyway?
revoman said:
Is this fix working with the 3.2 update from a few weeks ago? I'd like to duplicate more of my movies onto my SATV Pro now that the Plex Server is installed.
Click to expand...
Click to collapse
This procedure will just clone your HDD to another disk, this should be totally independant from Android, unless ofcourse Nvidia would do something to break this.

Maybe I'm the only one who would like to put a smaller HD on my shield TV. Can someone tell me if a 128GB SSD is larger enough or the smaller disk is 256GB?
TIA Polve

Vernee Apollo Discoveries

I wanted to create a thread so as to report any unique findings from the internet realm and my own discoveries surrounding the Vernee Apollo Phone. The aim is to bring resources together to encourage development and to release utilities and roms.
Please post your own discoveries and updates!!!
This is NOT a "Vernee Apollo Lite" nor a "Vernee Apollo X" thread even though some information maybe relevant.
Device Name and Specs
Vernee Apollo.
Device Model =K15TA_A
Official Product Website
Official Product Forum
http://www.devicespecifications.com/
Vernee Apollo - Antutu Benchmark v6.2.7.
Score 92,235.
3D: 19159
UX: 38097
CPU: 27535
RAM: 7444
Helio X25 MT6797 Family System on a Chip (SoC) Comparison
Vernee Apollo deploys a X25 MT6797T.
https://en.wikipedia.org/wiki/MediaTek#Octa-_and_deca-core
https://www.mediatek.com/products/smartphones/mt6797-helio-x20
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
ADB and FASTBOOT Modes
The Vernee Apollo's bootloader supports Fastboot. The Recovery mode supports the Android Debugging Bridge (ADB) . To access, perform the button sequence below. A menu will appear allowing you to cycle through option to either boot into the recovery partitio,n or to start the Fastboot service.
ADB service is also available also within the Android desktop if you enable USB Debugging in the revealed developers settings menu. You will most likely need to accept a signed key issued from the managing computer for the service to communicate!
Accessing Bootloader Menu
Buttons: [Top-Volume] + [Power-Button] for 8 Seconds.
When the phone is shutdown, hold both buttons at same time from for 8 seconds. The Bootloader menu will appear and then release buttons.
Using Bootloader Menu
Button: [Top-Volume] = Cycle selection.
Button: [Bottom-Volume] = Choose selected item.
With the high screen resolution it maybe hard to see the text-options. There should be three;
1. Recovery, (Boot into Recovery partition with ADB.)
2. Fastboot, (Start Fastboot server.)
3. Normal. (Proceed to boot normally.)
Using Recovery Mode and Menu
When you boot the Recovery partition you will be meet with a failed Android icon on the stock Vernee release rom. ADB will be accessible from here. Note: The Recover menu will cause the ADB server to fail. If you want to display the recovery menu options then perform the following during the failed Android icon screen.
Buttons: [Top-Volume] + [Power-Button] pulsing till the menu appears.
Fastboot
If you plan to develop on your Apollo or to install future community roms then it's advisable to unlock your storage partitions. Unlocking will allow you to change partitions but doing so will void software warranty clauses, and in the process scrub all your personal data from the phone so it's best to do it before installing personal content.
To unlock the phone issue the following command through Fastboot. You will be asked to confirm.
Code:
fastboot oem unlock
Engineering Mode
Enter the following phone number in Android desktop
Code:
Dial *#*#3646633#*#*
Phone Test Options
Alternatively there is a phone test mode available at low level with less options. Whilst the phone is shutdown, press the following.
Buttons: [Bottom-Volume] + [Power-Button] for 8 Seconds.
A test menu will appear and is in simplified Chinese.
SIMS
If your phone is not receiving data over 4G or 3G, Google on another computer "apn" "YOURMOBILEPHONEPROVIDER" "YOURNATION". Example;
Code:
"apn" "vodafone" "uk"
You should find links to technical settings for your data provider's access. Then enter them in by navigating to;
Settings>More>Mobile network settings>Access point names>CLICK-YOUR-LOCKED-ON-PROVIDER>THEN-CONFIRM-SETTINGS
USB
Device USB Coding
Code:
System Mode:
ID 0e8d:201d MediaTek Inc.
ADB Mode:
ID 0e8d:2008 MediaTek Inc.
Fastboot Mode
ID 0bb4:0c01 HTC (High Tech Computer Corp.) Dream / ADP1 / G1 / Magic / Tattoo
Microsoft Windows VCOM Drivers
On Microsoft systems you will need to have drivers installed so as to communicate with the Mediatek phone.
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 7/Windows 8.1
MediaTek DA USB VCOM (Android) Driver 3.0.1504.0 for Windows 10
UART Ability?
I haven't opened the phone yet but if anyone does please capture images of the circuit board. If there are UART pins on the board it may have a root shell piped to the interface. A UART (universal asynchronous receiver/transmitter) in this sense is a device that couples serial communications port to USB to run a terminal over.
Vernee Official Rom Images & "Over The Air" Updates
Official Product Downloads/Support
VerneeX25_Recovery_OriginalStock_v1p0 (Thx to Relief66)
Download (2016-12) ROM "full_k15ta_a-ota-1482441792.zip"
Download (2017-01) ROM "full_k15ta_a-ota-1484567521.zip" (Creating .img from .dat files works!)
Download (2017-07) ROM "full_k15ta_a-ota-1499861676.zip"
Download (2017-07) OTA Patch "20170712201130-OTA.rar"
Note: "20170712201130-OTA.rar" is only designed to update "full_k15ta_a-ota-1482441792.zip" image.
Flashing Partitions
There are three main ways to flash;
1. using "Smart Phone Flash Tool",
2. Fastboot flash command,
3. via internal software like a root bash shell or routine from recovery.
Partition Table
Code:
system logical drive = 2621.44MB [= 2684354560 bytes = 5242880 x 512blocks]
recovery logical drive = 16.384MB
Scatter file from OTA
----------------------------
preloader 0x0
pgpt 0x0
recovery 0x8000
para 0x1008000
custom 0x1088000
expdb 0x13c88000
frp 0x14688000
nvcfg 0x14788000
nvdata 0x14f88000
metadata 0x16f88000
protect1 0x18f88000
protect2 0x19788000
seccfg 0x1a000000
oemkeystore 0x1a800000
proinfo 0x1aa00000
md1img 0x1ad00000
md1dsp 0x1c500000
md1arm7 0x1c900000
md3img 0x1cc00000
scp1 0x1d100000
scp2 0x1d200000
nvram 0x1d300000
lk 0x1d800000
lk2 0x1d880000
boot 0x1d900000
logo 0x1e900000
tee1 0x1f100000
tee2 0x1f600000
keystore 0x1fb00000
system 0x20800000
cache 0xc0800000
userdata 0xdb000000
flashinfo 0xFFFF0080
sgpt 0xFFFF0000
recovery.fstab
------------------
# mount point fstype device [device2]
/boot emmc boot
/cache ext4 /dev/block/mmcblk0p4
/data ext4 /dev/block/mmcblk0p5
/misc emmc misc
/recovery emmc recovery
/sdcard vfat /dev/block/mmcblk0p6
/system ext4 /dev/block/mmcblk0p3
live fstab via "cat /fstab.mt6797"
------------------------------------------
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 1 "<built-in>"
# 1 "<命令行>"
# 1 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
# 20 "vendor/mediatek/proprietary/hardware/fstab/mt6797/fstab.in"
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/system /system ext4 ro wait
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,resize,encryptable=/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/metadata,
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/cache /cache ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect1 /protect_f ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/protect2 /protect_s ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvdata /nvdata ext4 noatime,nosuid,nodev,noauto_da_alloc,discard wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvcfg /nvcfg ext4 noatime,nosuid,nodev,noauto_da_alloc,commit=1,nodelalloc wait,check,formattable
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/custom /custom ext4 ro wait
/devices/mtk-msdc.0/11230000.msdc0* auto vfat defaults voldmanaged=sdcard0:auto
/devices/mtk-msdc.0/11240000.msdc1* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
/devices/soc/11270000.usb3_xhci* auto vfat defaults voldmanaged=usbotg:auto
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/frp /persistent emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/nvram /nvram emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/proinfo /proinfo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk /bootloader emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/lk2 /bootloader2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/para /misc emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/boot /boot emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/recovery /recovery emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/logo /logo emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/expdb /expdb emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/seccfg /seccfg emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee1 /tee1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/tee2 /tee2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp1 /scp1 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/scp2 /scp2 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1img /md1img emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1dsp /md1dsp emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md1arm7 /md1arm7 emmc defaults defaults
/dev/block/platform/mtk-msdc.0/11230000.msdc0/by-name/md3img /md3img emmc defaults defaults
Raw block partition label and user/group
-----------------------------------------------------
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee1 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/tee2 u:object_r:tee_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1img u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1dsp u:object_r:dsp_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md1arm7 u:object_r:md_block_device:s0
/dev/block/platform/mtk-msdc\.0/[0-9]+\.msdc0/by-name/md3img u:object_r:md_block_device:s0
On my rooted phone I can check the UUID of the partitions. (You may need BusyBox installed to use blkid command!).
Code:
adb shell
su
blkid
displays;
Code:
/dev/block/loop0: LABEL="iAmCdRom" TYPE="iso9660"
/dev/block/loop1: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/zram0: TYPE="swap"
/dev/block/mmcblk0p3: LABEL="custom" UUID="0f1095f4-0ece-e656-b6ac-e2ce104d5722" TYPE="ext4"
/dev/block/mmcblk0p6: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p7: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p9: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p10: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p28: LABEL="system" UUID="da594c53-9beb-f85c-85c5-cedf76546f7a" TYPE="ext4"
/dev/block/mmcblk0p29: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk0p30: UUID="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" TYPE="ext4"
/dev/block/mmcblk1p1: UUID="0508-0E13" TYPE="vfat"
Modifying Partitions
Modify partitions often means Users hacking the commercial roms and that means extracting out the important files to work with. The most important blocks are the system-partition which holds the operating system, then the recovery-partition which pole vaults Users with low level tools and abilities, like startup phone root powers. Noting many modern phone root modes, deploy on the recovery-partition rather than modify the system-partition, so as to retain full compatibility and retention of abilities, when conducting "Over the Air" / OTA updates from the manufacturer.
There are two popular platforms to hack on. 1. on native Linux including the phone itself, and 2. on a Microsoft Windows platform with Linux style utilities.
To ready a partition, to then modify it, and to then save it for flashing has many steps. One should obtain the manufacturer's rom or OTA update, to seek out the latest images and files to utilise.
In this example of hacking an official rom, we will be using "full_k15ta_a-ota-1484567521.zip". Utility executables are readily available in repositories related to your Linux distribution, like AUR on Archlinux.
Linux - ACCESSING SYSTEM IMAGE TO MODIFY
1.) Extract the zip file to a new folder. The directory should be something like this structure.
Code:
.../tinysys-scp.bin
.../logo.bin
.../lk.bin
.../md1rom.img
.../system.patch.dat
.../type.txt
.../custom.new.dat
.../custom
.../custom/cip-build.prop
.../custom/app-res
.../custom/app-res/quicksearchbox-res
.../custom/app-res/quicksearchbox-res/quicksearchbox-res.apk
.../custom/app-res/android-res
.../custom/app-res/android-res/android-res.apk
.../custom/app-res/browser-res
.../custom/app-res/browser-res/browser-res.apk
.../custom/app-res/launcher3-res
.../custom/app-res/launcher3-res/launcher3-res.apk
.../custom/media
.../custom/media/audio
.../custom/media/audio/notifications
.../custom/media/audio/notifications/Leaf.ogg
.../custom/media/audio/notifications/Pure.ogg
.../custom/media/audio/notifications/Triumph.ogg
.../custom/media/audio/notifications/Vernee_n002.ogg
.../custom/media/audio/notifications/The_time_tunne.ogg
.../custom/media/audio/notifications/Jump.ogg
.../custom/media/audio/notifications/Whisper.ogg
.../custom/media/audio/notifications/Vernee_n001.ogg
.../custom/media/audio/notifications/Cuckoo.ogg
.../custom/media/audio/notifications/Cleverer.ogg
.../custom/media/audio/notifications/Meteor.ogg
.../custom/media/audio/notifications/Bongo.ogg
.../custom/media/audio/notifications/Ripples.ogg
.../custom/media/audio/notifications/Whistle.ogg
.../custom/media/audio/notifications/Gift.ogg
.../custom/media/audio/alarms
.../custom/media/audio/alarms/ClassicAlarm.ogg
.../custom/media/audio/alarms/Waltz.ogg
.../custom/media/audio/alarms/Vernee_a001.ogg
.../custom/media/audio/alarms/GoodLuck.ogg
.../custom/media/audio/alarms/Foredawn.ogg
.../custom/media/audio/alarms/Vernee_a002.ogg
.../custom/media/audio/alarms/MorningSunShine.ogg
.../custom/media/audio/alarms/Walking_in_the_rain.ogg
.../custom/media/audio/ringtones
.../custom/media/audio/ringtones/Call_of_love.ogg
.../custom/media/audio/ringtones/Spring.ogg
.../custom/media/audio/ringtones/New_life.ogg
.../custom/media/audio/ringtones/Menuet.ogg
.../custom/media/audio/ringtones/Vernee_r004.ogg
.../custom/media/audio/ringtones/Heartbeat.ogg
.../custom/media/audio/ringtones/Vernee_r005.ogg
.../custom/media/audio/ringtones/Technology.ogg
.../custom/media/audio/ringtones/Longing.ogg
.../custom/media/audio/ringtones/Vernee_r002.ogg
.../custom/media/audio/ringtones/Vernee_r003.ogg
.../custom/media/audio/ringtones/Westlake.ogg
.../custom/media/audio/ringtones/Vernee_r001.ogg
.../custom/media/audio/ringtones/Progress.ogg
.../custom/media/audio/ringtones/Journey.ogg
.../custom/media/audio/ringtones/GuitarPop.ogg
.../custom/media/audio/ringtones/Cloud.ogg
.../custom/media/audio/ringtones/Capriccioso.ogg
.../custom/media/audio/ringtones/IceWorldPiano.ogg
.../custom/plugin
.../custom/plugin/FwkPlugin
.../custom/plugin/FwkPlugin/FwkPlugin.mpinfo
.../custom/plugin/FwkPlugin/FwkPlugin.apk
.../custom/plugin/Signatures
.../custom/plugin/Signatures/mplugin_guard.xml
.../custom/etc
.../custom/etc/resources.xml
.../custom/bootani
.../custom/bootani/shutanimation.zip
.../custom/bootani/bootanimation.zip
.../custom/customprop
.../custom/customprop/custom.prop
.../system.new.dat
.../custom.patch.dat
.../md1arm7.img
.../md3rom.img
.../preloader_k15ta_a.bin
.../md1dsp.img
.../scatter.txt
.../custom.transfer.list
.../file_contexts
.../boot.img
.../META-INF
.../META-INF/CERT.SF
.../META-INF/MANIFEST.MF
.../META-INF/CERT.RSA
.../META-INF/com
.../META-INF/com/android
.../META-INF/com/android/metadata
.../META-INF/com/android/otacert
.../META-INF/com/google
.../META-INF/com/google/android
.../META-INF/com/google/android/update-binary
.../META-INF/com/google/android/updater-script
.../trustzone.bin
.../system.transfer.list
.../sdat2img.py
2.) the images we are looking for are either the system-partition or the recovery-partition to modify. In this case there is only the system and it's held in the file "system.new.dat", a 1.6 gigabyte file. We know from the partition tables above that the system-partition is 2.6GB wide, so this image is either compressed or short. Most partitions deployed on Android for updating are compressed in what's called a sparse format.
We need to uncompress any sparse file before we can work with it or mount it, but the issue in this case is the image is also in "dat" structure, which means we need to unsparse using structured data held in "system.transfer.list". Here we use "sdat2img" executable to create the file "system_fullsize.img";
Code:
sdat2img system.transfer.list system.new.dat system_fullsize.img
Alternatively if the file was not a dat format, we could simply unsparse using;
Code:
simg2img system.img system_fullsize.img
3.) Now that we have the full image we can mount it as a file-system to tinker with it. Example of making a mount point and mounting it;
Code:
sudo mkdir /system
sudo mount -t ext4 -o loop ./system_fullsize.img /system/
You can now modify the image simply by changing the files in the directory mounted on. After changes you can save out and attempting to flash it back to the phone for your custom system.
Linux - CAPTURING THE MOUNT BACK TO AN IMAGE FILE
1.) After we have modified the mounted system-partition we need to save it back out for flashing if you want to see your changes live on the phone.
Labelling (If desired). We can name the mount to enforce block-labels. In this case the loop device was "loop0" used to mount the image. (Check which loop-device was used when performing this. eg: lsblk) Here we are going to label it "system"..
Code:
e2label /dev/loop0 system
It maybe important to set the partition UUID the same as the manufacturer uses so the the mounting process finds the correct partition to mount at boot. We know the system partitions UUID from the above discovery details;
Code:
UUID="da594c53-9beb-f85c-85c5-cedf76546f7a"
We can set the mounted image's UUID to suit the original before creating a new;
Code:
sudo tune2fs /dev/loop0 -U da594c53-9beb-f85c-85c5-cedf76546f7a
Here we capture out the device to an "ext4" format file-system image. The length option, being 2684354560 bytes. Labelling option "-a" with name "system".
Code:
sudo make_ext4fs -s -l 2684354560 -a system system_modded.img /system/
2.) To flash your image, Android's recent "fastboot" utility will allow for unsparse and sparsed images to be flashed. I have broken down the fastboot process into each step.
CAUTION: fastboot writes over your phone's partition blocks. If you are not skilled in this area of computing them research "fastboot" before use.
Note: current I have not found out why this process is incompatible with Vernee Apollo. The images I write back are not operational even though they flash properly. My hunch is that I may need to enforce an ISO/image UUID the same as the manufacturers, but I haven't tested this yet.
Code:
fastboot -w
fastboot format system
fastboot flash system ./system_modded.img
If we want to sparse the file before flashing;
Code:
img2simg system_modded.img system_modded_sparse.img
If we want to create a sparse dat structured image;
Code:
img2sdat ./system_modded.img
Linux - ACCESSING RECOVER IMAGE TO MODIFY
An Android recovery image is really three items in one image. There is a compressed kernel (zImage) used to run a recovery system, a ramdisk (initrd.img), and configuration file. The ramdisk "initrd.img" holds the operating system files used by the recovery kernel. Note the bootimage partition/image is a similar structure to a recovery-image.
If you need a similar development community then the Xiaomi Redmi Pro is a similar phone due to its Mediatek Helio x25 but it uses a different cameras, screen and sensors. Modifying and tweaking settings in their recovery images can work on your Vernee Apollo X25.
To extract the sub held files (bootimg.cfg, zImage, initrd.img);
Code:
abootimg -x recovery.img
To unpack a ramdisk "initrd.img";
Code:
mkdir initrd
cd initrd
sudo zcat ../initrd.img | cpio -idmv
To pack files whilst in your ramdisk directory ''/initrd";
Code:
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
To pack back up components into a recovery rom;
Code:
abootimg --create recovery_new.img -f bootimg.cfg -k zImage -r initrd.img
Alternatively;
Code:
mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel ./zImage --ramdisk ./newramdisk.cpio.gz -o recovery_new.img
Software
Chainfire SuperSU Release Announcement
F-Droid. Alternative App Store for public domain software.
.

Known Recovery Image Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Known ROM Developers
Cleopatra Bianchi
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-roms-fix-t3561019
Vernee Apollo X25 General Resource Sites
http://www.needrom.com/ Vernee/ApolloX25
.

Hardware
Protective Covers
Silicone and more rigid covers are becoming available for the Vernee Apollo. Make sure you don't get a Lite version as it wont fit.
Those looking for more range and are willing to mod, the Lenovo K5 Note is very similar in dimensions to the Apollo X25, but the headphone jack, volume and power buttons are slightly off. Modding a K5 Note case will require cutting holes for the headphone jack, buttons, speaker holes, and possibly for the flash. Clear covers will allow the flash to work. Make sure the camera and finger scanner is a complete open section on any K5 cover!
https://www.aliexpress.com/item/Ver...-Shell-Back-Cover-For-Vernee/32799796884.html

TWRP Vernee Apollo Helio X25
Cleopatra Bianchi said:
Click to expand...
Click to collapse
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1

Cleopatra Bianchi said:
http://bbs.vernee.cc/forum.php?mod=viewthread&tid=1721&extra=page%3D1
Click to expand...
Click to collapse
I left it up to you to post. I hope people comment on what they think. I'm working on my own images so I can't install others at the moment to give an opinion. Readers please note I can't verify the security on this share. Do not take any compromising actions.
I'm super busy so not sure when I will have my own solutions.

How I wish I had more knowledge. This piece of Hw (Raw Hw?) has a lot of potential, but lacks interest of any developer adapt/adopt it....
The conditions are there (lets hope the owners free the code, as they have done with its small brother), and let's hope there are enough and good drivers for the chosen Hw.
Just to encourage your efforts.
Regards

I agree
lots of good hardware and poor software...I hope in this community

At the moment I found these "bad" things about this phone:
1) you can't choose to view the battery percentage in the upper bar
2) you have to set the APN manually or you can't use internet
3) you can't turn volume up or down if the screen is switched off

I've kind of hit a wall with modding the system image to root it. The system images I produce are just not compatible with flashing. They flash but no desktop runs on the phone. Tried both sparse and raws. and I've got the partition size correct. Mount point is set properly to "system" and they're ext4 images.
I'm building Chainfire's version of ext4_utils, specifically the make_ext4fs util. If that doesn't work then I'll build Google's version. Long process as you need SELinux headers which takes ages to install. There maybe a bug in older versions that's causing the trouble. Other thoughts, there maybe a different padding method or bit plane for storing file system nodes. I may need SELinux builds of executables just to get the job done as I did notice in a hex.diff that the original image has SELinux stamps in it. I need more investigation to know why that's so.
It would be nice if Cleopatra Bianchi chimed in if She knows the issue or has even been down this road before, so to speak.

Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards

jrotaetxe said:
Hi, E8
Do not know even if this could be valuable, but the sources of the lite version are there. I suppose they are taking the same engineering approaches with the big brother... or not...
but would check
Regards
Click to expand...
Click to collapse
I'll look into it as the scripts may indicate the process to image creation. Cheers.

TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788

Such a cool phone, but sending it back. Doesn't work with US carriers

Stock firmware in Flash Tool
Cleopatra Bianchi said:
TWRP and ROOT - successfully tested !
https://forum.xda-developers.com/general/rooting-roms/vernee-apollo-helio-x25-twrp-root-t3554788
Click to expand...
Click to collapse
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.

stock firmware
myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
A working stock firmware will be here very soon.
Please be patient, I am working on that.

Cleopatra Bianchi said:
A working stock firmware will be here very soon.
Please be patient, I am working on that.
Click to expand...
Click to collapse
Anyway to unlock bands to get it working in US ???

myextasy said:
I look forward to flash the stock firmware in Flash Tool. I foolishly made a phone of brick, all backups lost.
Click to expand...
Click to collapse
You can easily restore the phone using the official zip rom. Place it on a micro sdcard and install via the Bootloader menu. Instructions are on the forst comment on how to get to the bootloader menu and then recovery. If you're destroyed your recovery partition but still have fastboot access then you can use the system image within the official rom to flash the system partition with a bit of modifications.
I've been super busy so I haven't had the time to work on my own version of the TWRP Recovery.

How can I find the drivers ? When I google search I only find the one for Apollo lite

Do not believe you can "unlock" US bands, as they differ from EU/ASIA system.
Anyway, trying is (almost) free. The worst thing can happen is a brick
Regards