I figured out how to hack the EBR1 on the MediaTek MTK6572 to increase userdata by merging the fat and userdata partitions. Unfortunately, this mod does not change the block maps, even when editing the scatter text to match the EBR1 hack mod. Here is the post on how it is done.
http://elizabethswikis.blogspot.com/2014/09/tutorial-how-to-increase-partition-on.html
After much searching, I finally found out that the block maps are probably set up via preloader.bin, which tells /proc/dumchar_info what the blocks are and their sizes. Well, now I would like to figure out how to hack the preloader, either the bin or preloader_and_dsp, to edit that section so that it matches up with the modded EBR1. I just can't find any information. I looked at the preloader.bin and preloader_and_dsp in a hex editor and emacs, but that doesn't help me much; I am able to see the section where it lists EBR1, preloader, userdata, android, etc., but can't make out how to change those hex values.
Nobody knows
Well, after much searching as to what could possibly be in the preloader.bin and lk.bin for eMMC MTK devices, I figure that what it probably is are all the .c files that were put into a .bin using the makefile. Well okay, that is great; even better, everybody knows how to make one, yet nobody knows how to extract it?
The terminal shell command, strings lk.bin, lets me read what exactly the preloader/bootloader is supposed to do, and where the files are pointed to. So for example, I know that there is a meta.c and UART.c inside, to name a few; now I would like to get them out.
That seems a bit hard to believe; why would one want to know how to make something they can't take apart later on for bug fixing?
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
read the post
Karthickgandhi said:
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
I don't think you entirely read my post or looked at my blog. Anyways, for anybody who wants to look at the preloader.bin and lk.bin, this can be done in IDA Pro using the ARM little endian option. I've been looking at it myself, and figured out that if you use the correct ROM/RAM size and start address, IDA Pro disassembles the files. The only thing is, I can't figure out what the start address for a RAM file would be.
Now that I have figured out how to read those "BIN" files, how can I get them to load so that I can modify the "/proc/dumchar/" to match my "ALREADY HACKED EBR1"?
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level of knowledge in partitioning etc. I only noticed now that the command
--->cat /proc/dumchar_info
doesn't change even after changing the EBR, and I have increased the internal app storage memory.
Regards,
Karthick
Preloader.bin
Karthickgandhi said:
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level of knowledge in partitioning etc. I only noticed now that the command
--->cat /proc/dumchar_info
doesn't change even after changing the EBR, and I have increased the internal app storage memory.
Regards,
Karthick
The post tells how to repartition the EBR1; as for the preloader.bin, well, you can disassemble it in IDA Pro.
The thing is, I got as far as finding where the partitions are, and even figured out how to change the values. After exporting it as a raw binary, well, that is where I'm stuck. IDA exports it with a .txt extension; it needs to be .bin. How could I convert that in Linux using the dd command for a successful flash, aka:
Code:
dd if=preloader.txt of=preloader.bin bs=1 skip=????
If that's a complete one, you can use this command:
Code:
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
You don't need to specify bs, skip, etc.
Regards,
Karthick
Hacking mtk6572 bootloader
Karthickgandhi said:
If that's a complete one, you can use this command:
Code:
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
You don't need to specify bs, skip, etc.
Regards,
Karthick
I tried that, but it didn't boot when I loaded the modified preloader.bin. I was wondering if it was because:
A. I named it preloader-modified.bin?
B. Is there another place that needs to be modified besides the userdata partition?
The original size is 0x2000000; the full size using the fat and userdata combined is 0xA7040000. Is there another place that it should be changed? I could not find the fat partition in the preloader.bin, everything except for the FAT size, which is 0x87040000, and the BMPOOL; I have to look at that size. When comparing with the dumchar_info and scatter file, it shows all the partition sizes from preloader down to userdata.
I also have a preloader.bin from the manufacturer where I purchased my phone; that preloader, scatter and EBR1 use the full userdata with no fat size, but the scatter for the other tablet/phone has a fat section with a 0x0 partition size, uses the full userdata and no fat partition. Also, when comparing that preloader with my preloader, same thing: everything right down to the userdata, missing fat and BMPOOL.
Well, tomorrow I'll try again, this time doing dd if=preloader.txt of=preloader.bin. The name preloader-modified.bin may not have worked, since reading through the entire preloader.bin and lk.bin, it directs to flash preloader, uboot, lk < I know both are the same, userdata, fat, etc...
bethnesbitt said:
I tried that, but it didn't boot when I loaded the modified preloader.bin. I was wondering if it was because:
A. I named it preloader-modified.bin?
B. Is there another place that needs to be modified besides the userdata partition?
The original size is 0x2000000; the full size using the fat and userdata combined is 0xA7040000. Is there another place that it should be changed? I could not find the fat partition in the preloader.bin, everything except for the FAT size, which is 0x87040000, and the BMPOOL; I have to look at that size. When comparing with the dumchar_info and scatter file, it shows all the partition sizes from preloader down to userdata.
I also have a preloader.bin from the manufacturer where I purchased my phone; that preloader, scatter and EBR1 use the full userdata with no fat size, but the scatter for the other tablet/phone has a fat section with a 0x0 partition size, uses the full userdata and no fat partition. Also, when comparing that preloader with my preloader, same thing: everything right down to the userdata, missing fat and BMPOOL.
Well, tomorrow I'll try again, this time doing dd if=preloader.txt of=preloader.bin. The name preloader-modified.bin may not have worked, since reading through the entire preloader.bin and lk.bin, it directs to flash preloader, uboot, lk < I know both are the same, userdata, fat, etc...
Got that working???
decompile bootloader
Karthickgandhi said:
Got that working???
No, I have been picking it apart for a few hours a day since trying that method.
The dd if=preloader.txt > preloader.bin didn't work. Then I found out there was a way to just apply the patch to the file; I thought cool, tried that, and it didn't work either.
So now I'm thinking it's how I am trying to load it in IDA Pro. If what some research says is right, it is arm-eabi-gcc, and I'm not sure if IDA is actually supporting that correctly. There are plenty of tutorials on how to compile, but nothing about decompiling.
bethnesbitt said:
No, I have been picking it apart for a few hours a day since trying that method.
The dd if=preloader.txt > preloader.bin didn't work. Then I found out there was a way to just apply the patch to the file; I thought cool, tried that, and it didn't work either.
So now I'm thinking it's how I am trying to load it in IDA Pro. If what some research says is right, it is arm-eabi-gcc, and I'm not sure if IDA is actually supporting that correctly. There are plenty of tutorials on how to compile, but nothing about decompiling.
Nice... but are you sure that the dumchar_info is associated with the preloader? I doubt the PMT (partition management table).
Code:
Part_Name  Size                StartAddr           Type  MapTo
preloader  0x0000000000600000  0x0000000000000000  2     /dev/misc-sd
mbr        0x0000000000080000  0x0000000000000000  2     /dev/block/mmcblk0
ebr1       0x0000000000080000  0x0000000000080000  2     /dev/block/mmcblk0p1
pmt        0x0000000000400000  0x0000000000100000  2     /dev/block/mmcblk0
pro_info   0x0000000000300000  0x0000000000500000  2     /dev/block/mmcblk0
nvram      0x0000000000500000  0x0000000000800000  2     /dev/block/mmcblk0
protect_f  0x0000000000a00000  0x0000000000d00000  2     /dev/block/mmcblk0p2
protect_s  0x0000000000a00000  0x0000000001700000  2     /dev/block/mmcblk0p3
seccfg     0x0000000000020000  0x0000000002100000  2     /dev/block/mmcblk0
uboot      0x0000000000060000  0x0000000002120000  2     /dev/block/mmcblk0
bootimg    0x0000000000600000  0x0000000002180000  2     /dev/block/mmcblk0
recovery   0x0000000000600000  0x0000000002780000  2     /dev/block/mmcblk0
sec_ro     0x0000000000600000  0x0000000002d80000  2     /dev/block/mmcblk0p4
misc       0x0000000000080000  0x0000000003380000  2     /dev/block/mmcblk0
logo       0x0000000000300000  0x0000000003400000  2     /dev/block/mmcblk0
ebr2       0x0000000000080000  0x0000000003700000  2     /dev/block/mmcblk0
expdb      0x0000000000a00000  0x0000000003780000  2     /dev/block/mmcblk0
android    0x000000002bc00000  0x0000000004180000  2     /dev/block/mmcblk0p5
cache      0x0000000007e00000  0x000000002fd80000  2     /dev/block/mmcblk0p6
usrdata    0x0000000040000000  0x0000000037b80000  2     /dev/block/mmcblk0p7
fat        0x000000006fba0000  0x0000000077b80000  2     /dev/block/mmcblk0p8
bmtpool    0x0000000001500000  0x00000000ff9f00a8  2     /dev/block/mmcblk0
Regards,
Karthick
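The dumchar_info table above is exactly the kind of map worth checking by script before an EBR or preloader edit is flashed. The following is an added example, not code from the thread: it parses the table as `cat /proc/dumchar_info` prints it, verifies that the eMMC partitions are contiguous and non-overlapping, computes the size a merged usrdata+fat partition needs, and shows that growing usrdata alone (which is all an EBR1-only edit does) leaves it overlapping fat. The sample input is the table posted above; the device path prefix and the decision to skip bmtpool are assumptions.

```python
"""Sanity-check an MTK partition map parsed from /proc/dumchar_info.
Added example, not code from the thread or from MediaTek."""
from __future__ import annotations

from dataclasses import dataclass, replace

# Sample input: copied from the dumchar_info listing posted in the thread.
DUMCHAR_SAMPLE = """\
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000600000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000100000 2 /dev/block/mmcblk0
pro_info 0x0000000000300000 0x0000000000500000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000800000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000d00000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001700000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000002100000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000002120000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000002180000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000002780000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x0000000002d80000 2 /dev/block/mmcblk0p4
misc 0x0000000000080000 0x0000000003380000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000003400000 2 /dev/block/mmcblk0
ebr2 0x0000000000080000 0x0000000003700000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000003780000 2 /dev/block/mmcblk0
android 0x000000002bc00000 0x0000000004180000 2 /dev/block/mmcblk0p5
cache 0x0000000007e00000 0x000000002fd80000 2 /dev/block/mmcblk0p6
usrdata 0x0000000040000000 0x0000000037b80000 2 /dev/block/mmcblk0p7
fat 0x000000006fba0000 0x0000000077b80000 2 /dev/block/mmcblk0p8
bmtpool 0x0000000001500000 0x00000000ff9f00a8 2 /dev/block/mmcblk0
"""


@dataclass(frozen=True)
class Part:
    name: str
    size: int
    start: int
    ptype: int
    mapto: str

    @property
    def end(self) -> int:
        return self.start + self.size


def parse_dumchar(text: str) -> list[Part]:
    """Parse dumchar_info rows; size and start are hex."""
    parts: list[Part] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Part_Name"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected dumchar_info row: {line!r}")
        name, size, start, ptype, mapto = fields
        parts.append(Part(name, int(size, 16), int(start, 16), int(ptype), mapto))
    return parts


def check_layout(parts: list[Part], device: str = "/dev/block/mmcblk0",
                 skip: tuple[str, ...] = ("bmtpool",)) -> list[tuple[str, str]]:
    """Return (name, problem) for every partition on `device` whose start is not
    exactly the end of the previous one. bmtpool is skipped by assumption: in the
    posted map its StartAddr is a bookkeeping value, not an eMMC offset."""
    issues: list[tuple[str, str]] = []
    prev: Part | None = None
    for p in parts:
        if not p.mapto.startswith(device) or p.name in skip:
            continue
        if prev is not None and p.start != prev.end:
            if p.start < prev.end:
                issues.append((p.name, f"overlaps {prev.name} by {prev.end - p.start:#x} bytes"))
            else:
                issues.append((p.name, f"gap of {p.start - prev.end:#x} bytes after {prev.name}"))
        prev = p
    return issues


def merged_size(parts: list[Part], first: str, second: str) -> int:
    """Size one partition needs to span `first` and `second`; they must be adjacent."""
    by_name = {p.name: p for p in parts}
    a, b = by_name[first], by_name[second]
    if a.end != b.start:
        raise ValueError(f"{first} and {second} are not adjacent")
    return b.end - a.start


def resize(parts: list[Part], name: str, new_size: int) -> list[Part]:
    """Copy of the map with one size changed and nothing moved: what editing only
    the EBR1 entry does to the layout."""
    return [replace(p, size=new_size) if p.name == name else p for p in parts]


if __name__ == "__main__":
    parts = parse_dumchar(DUMCHAR_SAMPLE)
    print("issues in posted map:", check_layout(parts))
    need = merged_size(parts, "usrdata", "fat")
    print(f"usrdata+fat merged size: {need:#x}")
    print("issues after growing usrdata only:", check_layout(resize(parts, "usrdata", need)))
```

Run it against a dump from your own device (`adb shell cat /proc/dumchar_info`) before and after an EBR edit; an empty issue list after the edit is the minimum to expect, and any overlap reported is a partition the kernel will happily write through into its neighbour.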
dumchar
Right now I'm not in Linux, so I can't copy and paste, so I will give a quick summary of what I see when I decompile the preloader.bin.
At the bottom of the preloader in IDA Pro is a list of the partition sizes, everything except for the FAT and BMTPOOL.
It shows, as an ASCII string, the partition sizes; just giving a bit of what I remember off the top of my head:
Code:
0x600000 < preloader
0x600000 < Rom
0x800000 < EBR1
0xA00000
0x1780000 < this is my cache size
0x2000000 < this is my userdata size
Also the ASCII string has
Code:
FAT
USERDATA
UBOOT
PRELOADER
BOOT
ANDROIDSYS
IDA isn't disassembling it correctly, because all the strings should point to an operand, and the partition sizes aren't. Today I went through it though, and am trying different library types using the METAPC option. It took me 2 months to hack the EBR1; this may take me just as long.
Good luck. Don't forget to share if you hit that jackpot. I am trying to increase my recovery partition but am facing some problems. Unlike the /system or /data partition, it cannot be altered by hacking the MBR/EBR. Do you have any idea?
Hey, I have an HTC Desire 310; it uses the MTK6582 and it has a locked bootloader. I think the bootloader has something to do with the preloader, so if you can help me in some way, please PM me!
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
Sent from my B1-730HD using XDA Free mobile app
f*ck
Antagonist42 said:
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
Sent from my B1-730HD using XDA Free mobile app
It doesn't work, brother... idk what the problem is... This is an MTK phone, with the bootloader locked by HTC... idk, I tried everything and nothing works.
boka18 said:
It doesn't work, brother... idk what the problem is... This is an MTK phone, with the bootloader locked by HTC... idk, I tried everything and nothing works.
What do you mean 'doesn't work'? What was it you're looking for? I'm posting info that may help the thread as to partitions, how they work and what different formats can be used.
Sent from my B1-730HD using XDA Free mobile app
Disassemble preloader.bin - unlock bootloader?
The preloader is the bootloader. After disassembling the preloader.bin, somewhat successfully, in IDA Pro, here is what I see for partitions:
In IDA, open the preloader.bin and change the dropdown to ARM little endian. I'm unsure about the size for ROM and the loading address; I tried many different sizes and start addresses, each time giving me a somewhat different outcome.
Select ARM Little Endian.
Not sure about the ROM size; I did try the size for RAM but it would not encode. I have tried different sizes for ROM, getting different outputs. Using the loading address 0x0, which is the linear start address in the scatter for preloader, seems to make sense, but I could be wrong. Beware though: the larger the size you try, the laggier your PC will get.
Now when the preloader.bin is done loading, go to the Edit menu and select all. Now press the letter C on your keyboard for code, choose Analyse and say yes. When done analyzing, you can scroll through the code; it doesn't analyze everything, and you will see some code that was not analyzed, shown in gold. If you select all that unanalyzed code by pressing Shift+Down and then press C, it will analyze that code; you may want to go through and do that little cleanup.
Towards the bottom, you will see ASCII text that was decoded; here is what shows for my partitions:
Code:
ROM:00017518 dword_17518 DCD 0x201A626, 0 ; DATA XREF: sub_11CC+2o
ROM:00017518 ; ROMff_11D4o
ROM:00017520 DCD dword_600000 <- PRELOADER
ROM:00017524 ALIGN 0x10
ROM:00017530 DCD 0x201A630, 0
ROM:00017538 DCD dword_80000 <-- MBR
ROM:0001753C DCD 0, 0, 0
ROM:00017548 DCD 0x201A634, 0
ROM:00017550 DCD dword_80000 <-- EBR1
ROM:00017554 ALIGN 0x10
ROM:00017560 DCD 0x201A639, 0
ROM:00017568 DCD dword_300000 <-- PRO_INFO
ROM:0001756C DCD 0, 0, 0
ROM:00017578 DCD 0x201A642, 0
ROM:00017580 DCD dword_500000 < -- NVRAM
ROM:00017584 ALIGN 0x10
ROM:00017590 DCD 0x201A648, 0
ROM:00017598 DCD dword_A00000 <-- PROTECT_F
ROM:0001759C DCD 0, 0, 0
ROM:000175A8 DCD 0x201A652, 0
ROM:000175B0 DCD dword_A00000 <-- PROTECT_S
ROM:000175B4 ALIGN 0x10
ROM:000175C0 DCD 0x201A65C, 0
ROM:000175C8 DCD dword_20000 <-- SEFCG
ROM:000175CC DCD 0, 0, 0
ROM:000175D8 DCD 0x201A663, 0
ROM:000175E0 DCD dword_60000 <- UBOOT/LK.BIN
ROM:000175E4 ALIGN 0x10
ROM:000175F0 DCD 0x201A669, 0
ROM:000175F8 DCD dword_600000 < -- BOOTIMG
ROM:000175FC DCD 0, 0, 0
ROM:00017608 DCD 0x201A671, 0
ROM:00017610 DCD dword_600000 <-- RECOVERY
ROM:00017614 ALIGN 0x10
ROM:00017620 DCD 0x201A67A, 0
ROM:00017628 DCD dword_40000 <-- SEC_RO
ROM:0001762C DCD 0, 0, 0
ROM:00017638 DCD 0x201A684, 0
ROM:00017640 DCD dword_80000 < -- MISC
ROM:00017644 ALIGN 0x10
ROM:00017650 DCD 0x201A689, 0
ROM:00017658 DCD dword_300000 <-- LOGO
ROM:0001765C DCD 0, 0, 0
ROM:00017668 DCD 0x201A68E, 0
ROM:00017670 DCD dword_A00000 <-- EXPDB
ROM:00017674 ALIGN 0x10
ROM:00017680 DCD 0x201A694, 0
ROM:00017688 DCD 0x28A00000, 0, 0, 0 < -- ANDROID SYSTEM
ROM:00017698 DCD 0x201A69E, 0
ROM:000176A0 DCD 0x17800000, 0, 0, 0 < -- CACHE
ROM:000176B0 DCD 0x201A6A4, 0
ROM:000176B8 DCD 0x20000000, 0, 0, 0 <-- USERDATA
If you compare that to your scatter, you will see that they match up, in the same order as the scatter, as well as when you go into:
Code:
adb shell
cat /proc/dumchar_info > /sdcard/dumchar.txt
Karthick, for your question: yes, the recovery can be modified. Now another option is using a hexdump. Maybe somebody can point us to using hexdump to modify and save it back to the binary format. First you would have to figure out how to change the value of your recovery in the preloader.bin; I'm not sure if just that ASCII value has to be changed, or if there is another place. Once you decompile the preloader.bin in IDA, you can see where those ASCII values point to identifiers throughout the code in various spots, except for the partition sizes.
Now, for the ascii, here is a little bit from mine:
Code:
ROM:00013426 aPreloader DCB "PRELOADER",0 ; DATA XREF: sub_DB84+B0o
ROM:00013426 ; ROM:off_DCD0o ...
ROM:00013430 aMbr DCB "MBR",0
ROM:00013434 aEbr1 DCB "EBR1",0
ROM:00013439 aPro_info DCB "PRO_INFO",0
ROM:00013442 aNvram DCB "NVRAM",0
ROM:00013448 aProtect_f DCB "PROTECT_F",0
ROM:00013452 aProtect_s DCB "PROTECT_S",0
ROM:0001345C aSecure DCB "SECURE",0 ; DATA XREF: sub_D7F8+5Co
ROM:0001345C ; ROM:off_D8E8o ...
ROM:00013463 aUboot DCB "UBOOT",0 ; DATA XREF: ROM:000027C8o
ROM:00013463 ; ROM:off_2848o ...
ROM:00013469 aBootimg DCB "BOOTIMG",0 ; DATA XREF: sub_DB84+38o
ROM:00013469 ; ROM:off_DCBCo ...
ROM:00013471 aRecovery DCB "RECOVERY",0 ; DATA XREF: sub_DB84+68o
ROM:00013471 ; ROM:off_DCC4o ...
ROM:0001347A aSecstatic DCB "SECSTATIC",0 ; DATA XREF: sub_DB84+118o
ROM:0001347A ; ROM:off_DCF0o
ROM:00013484 aMisc DCB "MISC",0
ROM:00013489 aLogo_0 DCB "LOGO",0 ; DATA XREF: sub_D544+6Ao
ROM:00013489 ; ROM:off_D61Co ...
ROM:0001348E aExpdb DCB "EXPDB",0
ROM:00013494 aAndsysimg DCB "ANDSYSIMG",0 ; DATA XREF: sub_DB84+112o
ROM:00013494 ; ROM:off_DCECo
ROM:0001349E aCache DCB "CACHE",0 ; DATA XREF: sub_DB84+DEo
ROM:0001349E ; sub_DB84+12Ao ...
ROM:000134A4 aUser DCB "USER",0 ; DATA XREF: sub_DB84+124o
ROM:000134A4 ; ROM:off_DCF8o
ROM:000134A9 aFat DCB "FAT",0
ROM:000134AD aDeviceApcDomai DCB 0xA ; DATA XREF: sub_1208+8o
ROM:000134AD ; ROM:off_130Co
and here is the identifier:
Code:
ROM:0000DCB4 off_DCB4 DCD aUboot - 0xDB8E ; DATA XREF: sub_DB84+4r
ROM:0000DCB4 ; "UBOOT"
ROM:0000DCB8 off_DCB8 DCD aLogo_0 - 0xDBA8 ; DATA XREF: sub_DB84+1Er
ROM:0000DCB8 ; "LOGO"
ROM:0000DCBC off_DCBC DCD aBootimg - 0xDBC0 ; DATA XREF: sub_DB84+36r
ROM:0000DCBC ; "BOOTIMG"
ROM:0000DCC0 off_DCC0 DCD aAndroid - 0xDBD8 ; DATA XREF: sub_DB84+4Er
ROM:0000DCC0 ; "ANDROID"
ROM:0000DCC4 off_DCC4 DCD aRecovery - 0xDBF0 ; DATA XREF: sub_DB84+66r
ROM:0000DCC4 ; "RECOVERY"
ROM:0000DCC8 off_DCC8 DCD aSec_ro - 0xDC08 ; DATA XREF: sub_DB84+7Er
ROM:0000DCC8 ; "SEC_RO"
ROM:0000DCCC off_DCCC DCD aSeccnfg - 0xDC20 ; DATA XREF: sub_DB84+96r
ROM:0000DCCC ; "SECCNFG"
ROM:0000DCD0 off_DCD0 DCD aPreloader - 0xDC38 ; DATA XREF: sub_DB84+AEr
ROM:0000DCD0 ; "PRELOADER"
ROM:0000DCD4 off_DCD4 DCD aUsrdata - 0xDC50 ; DATA XREF: sub_DB84+C6r
ROM:0000DCD4 ; "USRDATA"
ROM:0000DCD8 off_DCD8 DCD aCache - 0xDC66 ; DATA XREF: sub_DB84+DCr
ROM:0000DCD8 ; "CACHE"
ROM:0000DCDC off_DCDC DCD aSPartNameSNotF - 0xDC80 ; DATA XREF: sub_DB84+F2r
ROM:0000DCDC ; "[%s] part name '%s' not found\n"
ROM:0000DCE0 off_DCE0 DCD aLib - 0xDC82 ; DATA XREF: sub_DB84+F6r
ROM:0000DCE0 ; "LIB"
ROM:0000DCE4 off_DCE4 DCD aSec_util_c - 0xDC8E ; DATA XREF: sub_DB84+100r
ROM:0000DCE4 ; "sec_util.c"
ROM:0000DCE8 off_DCE8 DCD a0 - 0xDC90 ; DATA XREF: sub_DB84+102r
ROM:0000DCE8 ; "0"
ROM:0000DCEC off_DCEC DCD aAndsysimg - 0xDC9A ; DATA XREF: sub_DB84:loc_DC94r
ROM:0000DCEC ; "ANDSYSIMG"
ROM:0000DCF0 off_DCF0 DCD aSecstatic - 0xDCA0 ; DATA XREF: sub_DB84:loc_DC9Ar
ROM:0000DCF0 ; "SECSTATIC"
ROM:0000DCF4 off_DCF4 DCD aSecure - 0xDCA6 ; DATA XREF: sub_DB84:loc_DCA0r
ROM:0000DCF4 ; "SECURE"
ROM:0000DCF8 off_DCF8 DCD aUser - 0xDCAC ; DATA XREF: sub_DB84:loc_DCA6r
ROM:0000DCF8 ; "USER"
ROM:0000DCFC off_DCFC DCD aCache - 0xDCB2 ; DATA XREF: sub_DB84:loc_DCACr
ROM:0000DCFC ; "CACHE"
The issue is, though, that I cannot find the partition sizes the way I can when looking at the ASCII and identifiers.
Now to change the cache size or any other size, in the ASCII where, for example, the cache size of mine is:
Code:
ROM:000176A0 DCD 0x17800000, 0, 0, 0
1. Make sure to mouse-click on the partition size before going into the hex; this will bring you right to it in hex, where it can be changed.
2. Click on the tab that says Hex View-A, and let's say you want to decrease it, cut it in half for example: 17800000/2 = BC00000, or 394264576/2 = 197132288, which is a hex value of BC00000.
So in the Hex View-A, make sure the size is selected; you want to change 80 17 to 00 BC. It has to be entered from right to left so that the IDA View-A can read it from left to right.
The thing is, I tried a few things:
In the menu, selecting Edit > Export data, exporting it as raw binary, then in the terminal
Code:
dd if=preloader.txt > preloader.bin
Did not work.
Also tried:
Edit > Apply patch > Apply patch to input program; that did not work either. Both just caused my tablet to get stuck at the boot logo.
Now this, as mentioned, could possibly be because I am doing the conversion correctly when making the changes, but:
Where is that identifier for the partition sizes, or is there one?
Is IDA decompiling it correctly?
Where is the identifier for FAT?
Where is the partition size for FAT?
Is the reason the EBR1 hack works, per my blog instructions, that there is no partition size for FAT in the bootloader?
Once, just to see what would happen (and it worked), I decreased my cache; this was hard to get the phone to like, but it worked. Next I increased the cache; the phone seemed okay with that hack.
Here are those instructions to modify the EBR1 and increase/decrease cache
Something to bear in mind is CRC32 once you edit something within partition data. I only stumbled on this while looking for something else; it explained a lot and cleared a few things up for me as to why some editing doesn't seem to work.
Try this on partition info, really useful: http://www.jonrajewski.com/data/PartitionScheme/Partition_Table_Documentation_Compressed.pdf
Sent from my B1-730HD using XDA Free mobile app
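Hand-entering bytes in Hex View is where byte-order and checksum mistakes creep in, which is what the two posts above (the cache-size patching steps and the CRC32 remark) are circling. The Python below is an added example, not code from the thread: it builds a stand-in for the 24-byte size records shown in the IDA listing (name pointer, 0, size, three zero words), encodes a size with struct so the little-endian byte order is handled by the library rather than by hand, refuses a patch that is ambiguous or not sector-aligned, and reports the CRC32 of the region before and after, since any checksum stored over that region stops matching the moment a byte changes. The record layout, pointer values and 512-byte sector size are assumptions; the size values are the ones posted.

```python
"""Patch one little-endian u32 partition-size field in a raw firmware blob.
Added example, not code from the thread, IDA or MediaTek."""
import struct
import zlib

SECTOR = 512  # assumption: partition sizes are whole eMMC sectors
RECORD = struct.Struct("<IIIIII")  # assumed record: pointer, 0, size, pad x3


def build_sample() -> bytes:
    """Constructed stand-in for the size-table region of a preloader.bin.
    Pointer values are made up; sizes are the ones from the IDA listing."""
    records = [
        (0x0201A694, 0x28A00000),  # ANDROID SYSTEM
        (0x0201A69E, 0x17800000),  # CACHE
        (0x0201A6A4, 0x20000000),  # USERDATA
    ]
    return b"".join(RECORD.pack(ptr, 0, size, 0, 0, 0) for ptr, size in records)


def le_bytes(value: int) -> str:
    """Hex dump of a u32 as it sits in the file: lowest byte first."""
    return " ".join(f"{b:02x}" for b in struct.pack("<I", value))


def read_u32(blob: bytes, offset: int) -> int:
    return struct.unpack_from("<I", blob, offset)[0]


def find_u32(blob: bytes, value: int) -> list:
    """Word-aligned offsets where `value` appears as a little-endian u32."""
    needle = struct.pack("<I", value)
    return [off for off in range(0, len(blob) - 3, 4) if blob[off:off + 4] == needle]


def patch_unique_u32(blob: bytes, old: int, new: int) -> bytes:
    """Replace `old` with `new` only if `old` occurs exactly once and `new` is a
    sane size. Returns a new bytes object; the input is left untouched."""
    if not 0 < new <= 0xFFFFFFFF:
        raise ValueError("new size does not fit in 32 bits")
    if new % SECTOR:
        raise ValueError(f"new size {new:#x} is not a multiple of {SECTOR}")
    hits = find_u32(blob, old)
    if len(hits) != 1:
        raise ValueError(f"expected one occurrence of {old:#x}, found {len(hits)}")
    out = bytearray(blob)
    struct.pack_into("<I", out, hits[0], new)
    return bytes(out)


def crc32(blob: bytes) -> int:
    return zlib.crc32(blob) & 0xFFFFFFFF


if __name__ == "__main__":
    blob = build_sample()
    cache, half = 0x17800000, 0x17800000 // 2
    print(f"{cache:#010x} on disk: {le_bytes(cache)}")
    print(f"{half:#010x} on disk:  {le_bytes(half)}")
    patched = patch_unique_u32(blob, cache, half)
    print(f"crc32 before {crc32(blob):#010x}, after {crc32(patched):#010x}")
```

The uniqueness check matters more than it looks: sizes such as 0x600000 appear several times in the posted table (preloader, bootimg, recovery), so a blind search-and-replace on the raw file would silently touch every one of them.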
This is going to be a bit incoherent, because I'm just starting out with this stuff, and my issue is not exactly the same as yours. But I **think** that the overlap is so close that perhaps we can help each other. I admit up front that I am going to have to read this entire thread another 5-10 times before I really understand what you know, what you don't know, and what you need/want to know. In the meantime, here is my problem and the bits I think I know:
1. What I have: I have an MT6735M-based phone [it is the "rook" by EE]. I have managed to root this phone by using SP Flash Tool to manually download TWRP over the stock recovery partition; then I used TWRP to install superuser.apk for this device. In order to do this and not brick anything, I spent a fair amount of time getting a correct scatter file, and I think I have a very accurate one for my phone.
2. My problem: The phone is rooted all right, but the bootloader is still locked. The above rooting with SP Flash Tool was unconcerned with the bootloader lock state. But my understanding is that the bootloader being locked or not is simply a bootloader variable, just as S-On or S-Off is a bootloader variable. My understanding is that the bootloader code is just the partition lk.bin -- but that the variables themselves are stored in nvram.bin. From various threads about other phones, I believe that "all" the bootloader unlocking and locking recipes do in the end is change the stored value of the single toggle variable bootloader:locked. If I can find out where that variable is stored, I should be able to read back the nvram partition, change the single long int corresponding to the value of "lock", and download the new nvram.bin to the phone. Do I have a hope of finding these bytes?
3. I can say with some certainty that if you read back the preloader partition from an MT6735M, you get a file whose first 2048 bytes need to be discarded to get an image you can flash back to the phone.
How to unpack the stripped preloader bin file is proving very difficult. Any clever ideas?
I'm ready for post-sale, so share the software I've used.
After-sales batch unlocking tool
http://miuirom.xiaomi.com/rom/u1106245679/6.5.406.31/miflash_unlock-6.5.406.31.zip
After-sales flashing tools
https://miuirom.xiaomi.com/rom/u1106245679/7.3.422.16/miflash_pro-7.3.422.16.zip
If you want to download the English version, just change the file name accordingly, such as miflash_pro-en-7.3.422.16.zip
The version number in front of the file should also be changed.
If you want to download historical versions, the file MD5 checksums are as follows.
e28210ef1893a1c21f2119aea61859cb miflash_pro-6.3.818.48.zip
11d8a9caf78f6fdb6510b693acbcda76 miflash_pro-6.3.318.42.zip
61facb400974e7e9edae163e181de6ab miflash_pro-6.3.311.41.zip
e5d00d1d1cc2df802aada7f662ec2009 miflash_pro-5.3.1104.39.zip
f75d75a1688572c9e3137cfd6a1005cd miflash_pro-5.3.714.36.zip
fd283a89cae5d51cf01dcb4aa40d9f4f miflash_pro-4.3.1220.29.zip
c1ed6d7c01b43f94aba2ebb2742f66c4 miflash_pro-4.3.1129.28.zip
1bb9ba69cac9708b93ac1f34e8842d9e miflash_pro-4.3.1108.24.zip
ecbbca00b08003bbb26476027b8900ae miflash_pro-4.3.1106.23.zip
0f429dd5e941f15d8b6bfbd285f7705d miflash_pro-3.3.1212.88.zip
64bf82ecc82a6485a05516280263dfa8 miflash_pro-3.3.1112.82.zip
e9d5f36983e3a8aa67d379c2608733b6 miflash_pro-3.3.518.58.zip
If you can't search for the flashing package, use the old version on the line
Redmi Note 10 Pro China (Chopin) ENG.7z
drive.google.com
SP_Flash_Tool_v5.2208_Win.7z
drive.google.com
Factory flashing package and flashing tool: if your phone NV data is damaged, you can use the tool to select all formatted and downloaded; after brushing in, you can have a baseband to call and watch videos and so on.
OPPO驱动QcomMtk_Driver_Setup_3.0.9.exe
drive.google.com
https://drive.google.com/file/d/1PBgn1eu-TlmMVW-4GHd7_o8zqtgZG0KD/view?usp=sharing,
https://drive.google.com/file/d/1PPE-KeckPvmYnn-o2lUfZIgKAJkWr4QL/view?usp=sharing,
OPPO通杀最新驱动_V3.0.3.exe
drive.google.com
libusb-win32-devel-filter-1.2.6.0.exe
drive.google.com
Driver and authorization bypass; some have digital signatures and some don't. If you can't use the driver, please turn on the test mode of your computer or use the bat below to turn it on.
Win7 10测试模式.bat
drive.google.com
MauiMETA_v10.1816
This can be written to IMEI MEID, but I did not find the DB file.
After restarting to THE BIT mode, select the third one to successfully connect, but your drive is good.
MauiMETA_v10.1816 .zip
drive.google.com
Brushing in other people's backup NV will show other people's Millet account login page; it is not recommended to operate this way, if the after-sales think that it is not your mobile phone it is not very good.
1. After replacing the font library, it is necessary to flash the bottom package to repair the font library partition
2. With clear nv-gcerase firmware and no clear nv-keep firmware. The actual version shall prevail
3. Fix the problem of string code of the baseband of the brushing machine after brushing a third party
4. Test the various functions of the mobile phone parameter settings
5. Class native system interface experience
6. Clear various account lock, screen lock and other system lock problems
7. Write nv data port directly after brushing and restarting the system
8. If there are consequences caused by improper operation, I and the forum do not assume any responsibility;
9. Before flashing, please ensure that the battery has more than 15% of the power, and ensure that there is no abnormality in the mobile phone and computer during the brushing process; the brushing process will last for 2-10 minutes, please be patient;
10. Any brushing machine has risks; risks need to be borne by themselves, the consequences need to be borne by themselves.
11. IMEI fix idea is to clear the phone nv parameters and then write the nv partition baseband after rewriting the IMEI.
You can try to back up the NVRAM .bin, use the flashing tool to read back the partition function, and then modify the information in the brush back.
However, I tried to extract the bin file and cannot be extracted, the phone directly modified and found that the data is encrypted, and the nv data can be manually formatted to the specified partition
partition_name: nvram
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x38d80000
physical_start_addr: 0x38d80000
partition_size: 0x4000000
partition_name: nvcfg
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x2d88000
physical_start_addr: 0x2d88000
partition_size: 0x2000000
partition_name: proinfo
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x38a00000
physical_start_addr: 0x38a00000
partition_size: 0x300000
partition_name: protect1
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x12000000
physical_start_addr: 0x12000000
partition_size: 0x800000
partition_name: protect2
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x12800000
physical_start_addr: 0x12800000
partition_size: 0x800000
Back up these files yourself or someone else's backup file into the following so that you can swipe in, the same file to modify twice because there is an AB partition.
partition_name: nvram
file_name: nvram.bin
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x38d80000
physical_start_addr: 0x38d80000
partition_size: 0x4000000
For example nvram.bin Need to be copied to the firmware image directory
If your computer does not display these programs properly, add the language pack Chinese Simplified china to work.
Bing translation is not very easy to use, resulting in my always editing errors; first of all, I will look at it like this. I hope my sharing can help you with something!
After-sales tool English version quick download links; the old version you can edit yourself. If the link does not work, please set your network proxy to China!
http://miuirom.xiaomi.com/rom/u1106245679/6.5.406.31/miflash_unlock-en-6.5.406.31.zip
https://miuirom.xiaomi.com/rom/u1106245679/7.3.422.16/miflash_pro-en-7.3.422.16.zip
After downloading, find a place to save it to prevent the link from becoming invalid, because I can't save it on Google Drive with only 5GB!
So far this is the latest software version.
2022/04/28 22:22
QinPengPeng said:
I'm ready for post-sale, so share the software I've used.
After-sales batch unlocking tool
http://miuirom.xiaomi.com/rom/u1106245679/6.5.406.31/miflash_unlock-6.5.406.31.zip
After-sales flashing tools
https://miuirom.xiaomi.com/rom/u1106245679/7.3.422.16/miflash_pro-7.3.422.16.zip
If you want to download the English version, just change the file name accordingly, such as miflash_pro-en-7.3.422.16.zip
The version number in front of the file should also be changed.
If you want to download historical versions, the file MD5 checksums are as follows.
e28210ef1893a1c21f2119aea61859cb miflash_pro-6.3.818.48.zip
11d8a9caf78f6fdb6510b693acbcda76 miflash_pro-6.3.318.42.zip
61facb400974e7e9edae163e181de6ab miflash_pro-6.3.311.41.zip
e5d00d1d1cc2df802aada7f662ec2009 miflash_pro-5.3.1104.39.zip
f75d75a1688572c9e3137cfd6a1005cd miflash_pro-5.3.714.36.zip
fd283a89cae5d51cf01dcb4aa40d9f4f miflash_pro-4.3.1220.29.zip
c1ed6d7c01b43f94aba2ebb2742f66c4 miflash_pro-4.3.1129.28.zip
1bb9ba69cac9708b93ac1f34e8842d9e miflash_pro-4.3.1108.24.zip
ecbbca00b08003bbb26476027b8900ae miflash_pro-4.3.1106.23.zip
0f429dd5e941f15d8b6bfbd285f7705d miflash_pro-3.3.1212.88.zip
64bf82ecc82a6485a05516280263dfa8 miflash_pro-3.3.1112.82.zip
e9d5f36983e3a8aa67d379c2608733b6 miflash_pro-3.3.518.58.zip
If you can't search for the flashing package, use the old version on the line
Redmi Note 10 Pro China (Chopin) ENG.7z
drive.google.com
SP_Flash_Tool_v5.2208_Win.7z
drive.google.com
Factory flashing package and flashing tool. If your phone's NV data is damaged, you can use the tool, select Format All + Download, and after flashing you will have a baseband again, so you can make calls, watch videos and so on.
View attachment 5600569
OPPO驱动QcomMtk_Driver_Setup_3.0.9.exe (OPPO Qcom/MTK driver setup; drive.google.com)
https://drive.google.com/file/d/1PBgn1eu-TlmMVW-4GHd7_o8zqtgZG0KD/view?usp=sharing
https://drive.google.com/file/d/1PPE-KeckPvmYnn-o2lUfZIgKAJkWr4QL/view?usp=sharing
OPPO通杀最新驱动_V3.0.3.exe (OPPO universal latest driver; drive.google.com)
libusb-win32-devel-filter-1.2.6.0.exe (drive.google.com)
Drivers and the authorization bypass; some are digitally signed and some are not. If the driver won't install, enable test mode on your computer, or use the .bat below to turn it on.
Win7 10测试模式.bat (Win7/10 test mode; drive.google.com)
MauiMETA_v10.1816
This can write IMEI/MEID, but I did not find the DB file.
After restarting into THE BIT mode, select the third option to connect successfully, provided your driver is good.
MauiMETA_v10.1816 .zip (drive.google.com)
Flashing someone else's NV backup will bring up that person's Xiaomi account login page. This is not recommended; if after-sales decides the phone is not yours, that is not good.
1-- After replacing the storage chip (字库), the base package must be flashed to repair the storage partitions.
2-- There is clear-NV (gcerase) firmware and keep-NV firmware. The actual version prevails.
3-- Fixes the baseband serial (IMEI) code problem after flashing a third-party ROM.
4-- Tests the various functions of the phone's parameter settings.
5-- Near-stock system interface experience.
6-- Clears various account locks, screen locks and other system locks.
7-- Writes NV data directly through the port after flashing and rebooting the system.
8-- Neither I nor the forum assume any responsibility for consequences caused by improper operation.
9-- Before flashing, make sure the battery is above 15% and that nothing is abnormal with the phone or computer during the process; flashing takes 2 to 10 minutes, please be patient.
10-- Any flashing carries risk; the risk and the consequences are yours to bear.
11-- The IMEI repair idea is to clear the phone's NV parameters, write the NV partition (baseband), and then rewrite the IMEI.
You can try backing up NVRAM .bin with the flashing tool's partition read-back function, modify the information, and flash it back.
However, I tried to extract the .bin file and it cannot be extracted; I modified it directly on the phone and found that the data is encrypted. The NV data can be manually formatted to the specified partitions:
partition_name: nvram
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x38d80000
physical_start_addr: 0x38d80000
partition_size: 0x4000000
partition_name: nvcfg
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x2d88000
physical_start_addr: 0x2d88000
partition_size: 0x2000000
partition_name: proinfo
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x38a00000
physical_start_addr: 0x38a00000
partition_size: 0x300000
partition_name: protect1
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x12000000
physical_start_addr: 0x12000000
partition_size: 0x800000
partition_name: protect2
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x12800000
physical_start_addr: 0x12800000
partition_size: 0x800000
Back up these partitions yourself, or put someone else's backup file into the entry as below so that it can be flashed; the same entry has to be modified twice because there are A/B partitions.
partition_name: nvram
file_name: nvram.bin
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x38d80000
physical_start_addr: 0x38d80000
partition_size: 0x4000000
For example, nvram.bin needs to be copied into the firmware image directory.
If your computer does not display these programs properly, install the Chinese (Simplified, China) language pack.
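The post above edits the scatter file by hand: set `file_name` to the backup image, flip `is_download` to true, and do it for both A/B copies of the entry. The following is an added example, not code from the post or from any MTK tool, that does the same edit programmatically and adds the check a practitioner wants before flashing: that the backup image is not larger than the partition it goes into (an oversized image would spill past the partition boundary). The flat `key: value` layout and the sample entries are taken from the quoted scatter fragments; the helper names and the optional leading `- ` are assumptions.

```python
"""Added example: patch an MTK scatter entry so a backed-up partition image is
flashed, and sanity-check the image size first. Not the forum author's code."""
import re
from typing import Dict, List

# Constructed sample built from the nvram/nvcfg blocks quoted in the post.
SAMPLE_SCATTER = """\
partition_name: nvram
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0x38d80000
physical_start_addr: 0x38d80000
partition_size: 0x4000000
partition_name: nvcfg
file_name: NONE
is_download: false
type: EXT4_IMG
linear_start_addr: 0x2d88000
physical_start_addr: 0x2d88000
partition_size: 0x2000000
"""

# One "key: value" per line; a block starts at each partition_name.
# Real scatter files prefix the first key with "- ", so that is tolerated.
_KV = re.compile(r"^\s*-?\s*([A-Za-z_]+):\s*(\S+)")


def parse_scatter(text: str) -> List[Dict[str, str]]:
    """Return one dict per partition block, keys in file order."""
    parts: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "partition_name":
            parts.append({})
        if parts:
            parts[-1][key] = val
    return parts


def enable_download(parts: List[Dict[str, str]], name: str, image_file: str) -> int:
    """Mark every block called `name` (covers A/B duplicates) as downloadable
    from `image_file`. Returns how many blocks were changed."""
    changed = 0
    for p in parts:
        if p.get("partition_name") == name:
            p["file_name"] = image_file
            p["is_download"] = "true"
            changed += 1
    return changed


def check_image_fits(parts: List[Dict[str, str]], name: str, image_size: int) -> bool:
    """True only if a non-empty image fits inside the named partition.
    partition_size is hex in the scatter file (e.g. 0x4000000 = 64 MiB)."""
    for p in parts:
        if p.get("partition_name") == name:
            return 0 < image_size <= int(p["partition_size"], 16)
    return False  # unknown partition: refuse rather than guess


def render(parts: List[Dict[str, str]]) -> str:
    """Serialise blocks back to the flat key: value form."""
    return "\n".join(f"{k}: {v}" for p in parts for k, v in p.items()) + "\n"


if __name__ == "__main__":
    blocks = parse_scatter(SAMPLE_SCATTER)
    backup_len = 0x4000000  # assumed: len(open("nvram.bin","rb").read())
    if not check_image_fits(blocks, "nvram", backup_len):
        raise SystemExit("nvram.bin does not fit the nvram partition")
    enable_download(blocks, "nvram", "nvram.bin")
    print(render(blocks))
```

Run it against a real scatter file by replacing `SAMPLE_SCATTER` with the file contents and `backup_len` with the actual image length; `enable_download` returning 2 on an A/B device is the sign both copies were touched, which is what the post asks for.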
What is THE BIT mode? I don't understand, but really, thank you for your help.
Hello, does this do IMEI repair for the Poco X3 GT?
FurkiCan said:
Hello, does this do IMEI repair for the Poco X3 GT?
MT6893_Xiaomi_M2104K10AC_Xiaomi_chopin-userdebug 11 RP1A.200720.011 FACTORY-CHOPIN-0709 test-keys_11_2021-02-05.rar (drive.google.com)
SN_Writer_Tool_exe_v1.2020.0.0.rar (drive.google.com)
Except for that one, everything else can be written!
Ms.fatama said:
What is THE BIT mode? I don't understand, but really, thank you for your help.
META mode.
You can enter this mode with the software!
Earlier the translation software just translated it inaccurately!
Hope that helps!
QinPengPeng said:
META mode.
You can enter this mode with the software!
Earlier the translation software just translated it inaccurately!
Hope that helps!
It doesn't work for me, it just fails every time.
QinPengPeng said:
META mode.
You can enter this mode with the software!
Earlier the translation software just translated it inaccurately!
Hope that helps!
MD META fails every time.
Ms.fatama said:
MD META fails every time.
You can try extracting the AP/BP files from your phone yourself; with your own phone's files it works 100%!
MTKMETAUtility37.exe (Google Drive)
OPPO驱动QcomMtk_Driver_Setup_3.0.9.exe (Google Drive)
libusb-win32-devel-filter-1.2.6.0.exe (Google Drive)
QinPengPeng said:
MT6893_Xiaomi_M2104K10AC_Xiaomi_chopin-userdebug 11 RP1A.200720.011 FACTORY-CHOPIN-0709 test-keys_11_2021-02-05.rar (drive.google.com)
SN_Writer_Tool_exe_v1.2020.0.0.rar (drive.google.com)
Except for that one, everything else can be written!
The phone doesn't brick, does it?
Any chance you can post a video as proof?
QinPengPeng said:
You can try extracting the AP/BP files from your phone yourself; with your own phone's files it works 100%!
MTKMETAUtility37.exe (Google Drive)
OPPO驱动QcomMtk_Driver_Setup_3.0.9.exe (Google Drive)
libusb-win32-devel-filter-1.2.6.0.exe (Google Drive)
Why does that happen every time I extract AP/MD from my device? What is wrong?
QinPengPeng said:
You can try extracting the AP/BP files from your phone yourself; with your own phone's files it works 100%!
MTKMETAUtility37.exe (Google Drive)
OPPO驱动QcomMtk_Driver_Setup_3.0.9.exe (Google Drive)
libusb-win32-devel-filter-1.2.6.0.exe (Google Drive)
Every time it fails in MD META.
That too.
Ms.fatama said:
That too.
Could you handle the IMEI repair?
No, I can't. I don't know why.
Any update?
Ms.fatama said:
That too.
Can I ask how you got SN Writer to work? I can't get it started no matter what, nor this program right here.
Unfortunately this method doesn't work. It works on the ENG ROM, but when flashing the global ROM it still says NV Data Corrupted.