Issue making preloader.bin backup/dump of MT6592M - Android Q&A, Help & Troubleshooting

Good PM.
I have an MT6592M device with Android 5.1, kernel 3.10.72. I'm having problems making a full backup or dump of my ROM. I have created a readback from SP Flash Tools but it's not creating preloader.bin. It makes the other necessary files when processed with the mtkdroidtools > "to process the file ROM_ from spflashtool" option, but there is no preloader.bin. The files seem to work fine, since I tried reflashing them to my device a couple of times. I tried to root my phone, checked that it's been properly rooted, installed busybox and used mtkdroidtools' backup function, and it fails at making preloader_and_dsp and won't back up the partitions aside from /system and /nvram. The error message says: "ERROR : Zero file, no space left on device!" and, looking for answers, there seems to be no method that worked in my case.
So I used readback to manually dump the preloader.bin address, and viewing it in a hex editor, it doesn't seem right since the header is wrong and it's starting with EMMC_BOOT. I don't think I can reflash this preloader.bin file in case I have an issue with my device, right?
So, I need help: are there other ways to back up MediaTek ROMs, or to dump only the preloader.bin and make it flashable with spflashtools? Or can anyone clean up the dump I made and make it right for flashing back?
Thanks.
Here's the partition info as reported by mtkdroidtools, and attached is the scatter file:
23/01/16 10:48:29 Part_Name Size StartAddr Type MapTo Region
23/01/16 10:48:29 preloader 0x0000000000040000 0x0000000000000000 2 /dev/misc-sd BOOT_1
23/01/16 10:48:29 mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1 USER
23/01/16 10:48:29 pro_info 0x0000000000300000 0x0000000000100000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 nvram 0x0000000000500000 0x0000000000400000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 protect_f 0x0000000000a00000 0x0000000000900000 2 /dev/block/mmcblk0p2 USER
23/01/16 10:48:29 protect_s 0x0000000000a00000 0x0000000001300000 2 /dev/block/mmcblk0p3 USER
23/01/16 10:48:29 seccfg 0x0000000000040000 0x0000000001d00000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 uboot 0x0000000000060000 0x0000000001d40000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 bootimg 0x0000000000a00000 0x0000000001da0000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 recovery 0x0000000000a00000 0x00000000027a0000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 sec_ro 0x0000000000600000 0x00000000031a0000 2 /dev/block/mmcblk0p4 USER
23/01/16 10:48:29 misc 0x0000000000080000 0x00000000037a0000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 logo 0x0000000000800000 0x0000000003820000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 ebr2 0x0000000000080000 0x0000000004020000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 frp 0x0000000000100000 0x00000000040a0000 2 /dev/block/mmcblk0p5 USER
23/01/16 10:48:29 expdb 0x0000000000e60000 0x00000000041a0000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 android 0x0000000060000000 0x0000000005000000 2 /dev/block/mmcblk0p6 USER
23/01/16 10:48:29 cache 0x000000001a800000 0x0000000065000000 2 /dev/block/mmcblk0p7 USER
23/01/16 10:48:29 usrdata 0x0000000151300000 0x000000007f800000 2 /dev/block/mmcblk0p8 USER
23/01/16 10:48:29 bmtpool 0x0000000001500000 0x00000000ffff00a8 2 /dev/block/mmcblk0 USER
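The log above places the preloader in the BOOT_1 region with a size of 0x40000. The following Python sketch is an added example, not part of the original post or of any MediaTek tool: it parses rows in that log format and checks a readback file against the table, flagging an empty or blank file, a size mismatch, and the EMMC_BOOT leading tag the post describes. The dump contents are constructed samples and the function names are hypothetical.

```python
import hashlib
import re

# Rows copied from the MTKDroidTools log in the post above (subset of the table).
PARTITION_LOG = """\
23/01/16 10:48:29 Part_Name Size StartAddr Type MapTo Region
23/01/16 10:48:29 preloader 0x0000000000040000 0x0000000000000000 2 /dev/misc-sd BOOT_1
23/01/16 10:48:29 mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0 USER
23/01/16 10:48:29 nvram 0x0000000000500000 0x0000000000400000 2 /dev/block/mmcblk0 USER
"""

# name, size, start address, type, device node, region; a timestamp prefix is skipped.
ROW = re.compile(
    r"(?P<name>\w+)\s+(?P<size>0x[0-9a-fA-F]+)\s+(?P<start>0x[0-9a-fA-F]+)"
    r"\s+\d+\s+(?P<mapto>\S+)\s+(?P<region>\w+)\s*$"
)


def parse_partitions(log_text):
    """Return {name: {size, start, mapto, region}} for every data row."""
    parts = {}
    for line in log_text.splitlines():
        m = ROW.search(line)
        if m:  # the header row has no hex fields and does not match
            parts[m["name"]] = {
                "size": int(m["size"], 16),
                "start": int(m["start"], 16),
                "mapto": m["mapto"],
                "region": m["region"],
            }
    return parts


def check_readback(data, part):
    """Return a list of findings for a readback of one partition."""
    findings = []
    if len(data) != part["size"]:
        findings.append(f"size 0x{len(data):x} != table size 0x{part['size']:x}")
    if not data.strip(b"\x00") or not data.strip(b"\xff"):
        findings.append("blank image (empty, all 0x00 or all 0xFF)")
    if data.startswith(b"EMMC_BOOT"):
        findings.append("raw boot-region image (EMMC_BOOT tag), not usable as preloader.bin as-is")
    return findings


def fingerprint(data):
    """SHA-256 of a dump; two readbacks of the same region should match."""
    return hashlib.sha256(data).hexdigest()


PARTS = parse_partitions(PARTITION_LOG)
# Constructed samples, not real device data.
RAW_DUMP = b"EMMC_BOOT".ljust(PARTS["preloader"]["size"], b"\x00")
EMPTY_DUMP = b""

if __name__ == "__main__":
    pre = PARTS["preloader"]
    print("preloader region:", pre["region"], "size:", hex(pre["size"]))
    for label, dump in (("raw", RAW_DUMP), ("empty", EMPTY_DUMP)):
        print(label, fingerprint(dump)[:16], check_readback(dump, pre))
```

Taking two readbacks and comparing their fingerprints before touching the device catches a truncated or unstable read early.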

wertzPH said:
Good PM.
I have an MT6592M device with Android 5.1, kernel 3.10.72. I'm having problems making a full backup or dump of my ROM. I have created a readback from SP Flash Tools but it's not creating preloader.bin. It makes the other necessary files when processed with the mtkdroidtools > "to process the file ROM_ from spflashtool" option, but there is no preloader.bin. The files seem to work fine, since I tried reflashing them to my device a couple of times. I tried to root my phone, checked that it's been properly rooted, installed busybox and used mtkdroidtools' backup function, and it fails at making preloader_and_dsp and won't back up the partitions aside from /system and /nvram. The error message says: "ERROR : Zero file, no space left on device!" and, looking for answers, there seems to be no method that worked in my case.
So I used readback to manually dump the preloader.bin address, and viewing it in a hex editor, it doesn't seem right since the header is wrong and it's starting with EMMC_BOOT. I don't think I can reflash this preloader.bin file in case I have an issue with my device, right?
So, I need help: are there other ways to back up MediaTek ROMs, or to dump only the preloader.bin and make it flashable with spflashtools? Or can anyone clean up the dump I made and make it right for flashing back?
Thanks.
Here's the partition info as reported by mtkdroidtools, and attached is the scatter file:
Hi, I have the same problem with an MT6592 1.7 GHz, unable to retrieve preloader.bin.
Hope someone has an answer for this.

kum512 said:
Hi, I have the same problem with an MT6592 1.7 GHz, unable to retrieve preloader.bin.
Hope someone has an answer for this.
I have already solved this, but using a manual method, which means manually running readback on preloader.bin's actual address and region, then again manually editing the resulting file for it to be flashable in spflashtools (you cannot directly use it).

wertzPH said:
I have already solved this, but using a manual method, which means manually running readback on preloader.bin's actual address and region, then again manually editing the resulting file for it to be flashable in spflashtools (you cannot directly use it).
How to prepare the obtained file (backup) for SP Flashtool?

wertzPH said:
I have already solved this, but using a manual method, which means manually running readback on preloader.bin's actual address and region, then again manually editing the resulting file for it to be flashable in spflashtools (you cannot directly use it).
Please wertzPH, can you tell us how to manually process preloader.bin to be flashable in SPFlash Tools? I have the same issue with an MTK 81XX. I made a full dump (including EMMC_User and EMMC_Boot1).
THANKS IN ADVANCE!
Martin

Related

Want a ROM for your device but can't get it? I'll help you :)

Well, this thread is created by me to help noobs get root, recovery and ROMs for your devices ...
SEARCHED THE WHOLE NET AND GOOGLED BUT STILL CAN'T GET YOUR PHONE'S ROM?? THEN YOU'RE AT THE RIGHT PLACE ...
I WILL HELP YOU TO FIND THE CORRECT ROM, RECOVERY FOR YOUR PHONE
ENTER BELOW YOUR PHONE'S MODEL WITH CORRECT MANUFACTURER'S ROM AND I'LL FIND AND GIVE YOU
HOPE I CAN HELP A LOT OF NOOBS
For Walton Primo H1 [a Chinese rebranded smartphone]
I need help with updating Android version and installing custom ROM. Let me explain in detail.
I have a Chinese made rebranded Android smartphone which is Walton Primo H1. This phone runs on Android 4.1.2 JellyBean. I want to upgrade the version to the latest possible one and want to install a custom ROM so that my experience with the phone gets a little better. But unfortunately there are no ROMs available out there and I don’t expect that there will be any. Is there any possibility of upgrading my Android version/install ROM? If yes then can you suggest me which ROM will be suitable for the phone?
Short specification:
CPU: Quad-core 1.2 GHz Qualcomm Snapdragon S4
GPU: Adreno 203
Rear camera: 8 MP
Front camera: 2 MP
RAM: 1 GB DDR
ROM: 4 GB
Display: 4.7 inch OGS IPS
Resolution: 960 x 540 pixel
Let me know if you need any further information from me.
I posted the same post before in this forum but got no reply. I would highly appreciate your effort if you find me a ROM which may support my device. Thanks in advance.
mehedihasan said:
I need help with updating Android version and installing custom ROM. Let me explain in detail.
I have a Chinese made rebranded Android smartphone which is Walton Primo H1. This phone runs on Android 4.1.2 JellyBean. I want to upgrade the version to the latest possible one and want to install a custom ROM so that my experience with the phone gets a little better. But unfortunately there are no ROMs available out there and I don’t expect that there will be any. Is there any possibility of upgrading my Android version/install ROM? If yes then can you suggest me which ROM will be suitable for the phone?
Short specification:
CPU: Quad-core 1.2 GHz Qualcomm Snapdragon S4
GPU: Adreno 203
Rear camera: 8 MP
Front camera: 2 MP
RAM: 1 GB DDR
ROM: 4 GB
Display: 4.7 inch OGS IPS
Resolution: 960 x 540 pixel
Let me know if you need any further information from me.
I posted the same post before in this forum but got no reply. I would highly appreciate your effort if you find me a ROM which may support my device. Thanks in advance.
BRO AT THIS VERY MOMENT ... ONLY ROOT AND CWM ARE AVAILABLE FOR Walton Primo H1... IF YOU WANT I CAN GIVE YOU THEIR LINK... one of my friends owns this device... he is working on a PERFORMANCE BASED ROM FOR THIS PHONE... IF HE SUCCEEDS... HE WILL UPLOAD IT.. AND I'LL INFORM YOU ABOUT THE DETAILS ... hope I helped you
Thanks a lot.
siva aggzz said:
BRO AT THIS VERY MOMENT ... ONLY ROOT AND CWM ARE AVAILABLE FOR Walton Primo H1... IF YOU WANT I CAN GIVE YOU THEIR LINK... one of my friends owns this device... he is working on a PERFORMANCE BASED ROM FOR THIS PHONE... IF HE SUCCEEDS... HE WILL UPLOAD IT.. AND I'LL INFORM YOU ABOUT THE DETAILS ... hope I helped you
At least now I know that there is no suitable ROM for my device and I can stop searching for that. Thanks a lot for the reply.:good:
I did anyhow root my device but didn't find any CWM. Please send the link to me.
HTC Desire VC
Dual GSM and CDMA.
Is there any custom JB ROM available?
Already rooted with CWM Recovery
Thanks in advance
mehedihasan said:
At least now I know that there is no suitable ROM for my device and I can stop searching for that. Thanks a lot for the reply.:good:
I did anyhow root my device but didn't find any CWM. Please send the link to me.
GO TO THIS THREAD..IT CONTAINS THE TUTORIAL ALSO ..
http://forum.xda-developers.com/showthread.php?p=46732931
BEST OF LUCK ...DONT FORGET THE THANKS BUTTON
Would you help me on this one?
I was modding my stock rom of W35. In the updater script, got a bit problem...
it says:
Code:
format("ext4", "EMMC" /dev/block/mmcblk0"", "MTD", "system");
mount("ext4", "EMMC" /dev/block/mmcblk0"", "MTD", "system", "/system");
format("ext4", "EMMC", "/dev/block/mmcblk0p2"", "MTD", "cache");
package_extract_file("check_data_app", "/tmp/check_data_app");
set_perm(0, 0, 0777, "/tmp/check_data_app");
run_program("/tmp/check_data_app");
mount("ext4", "EMMC", "/dev/block/mmcblk0p3", "/data");
package_extract_dir("data", "/data");
set_perm_recursive(1000, 1000, 0771, 0644, "/data/app");
show_progress(0.200000, 20);
mount("ext4", "EMMC", "/dev/block/mmcblk0", "/system");
package_extract_dir("system", "/system");
But cat /proc/Dumchar_info
Code:
[email protected]:/ $ cat /proc/dumchar_info
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000040000 0x0000000000000000 2 /dev/misc-sd
dsp_bl 0x00000000005c0000 0x0000000000040000 2 /dev/misc-sd
mbr 0x0000000000004000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x000000000005c000 0x0000000000004000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000060000 2 /dev/block/mmcblk0
nvram 0x0000000000300000 0x0000000000460000 2 /dev/block/mmcblk0
seccfg 0x0000000000020000 0x0000000000760000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000000780000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x00000000013e0000 2 /dev/block/mmcblk0p5
misc 0x0000000000060000 0x00000000019e0000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000001a40000 2 /dev/block/mmcblk0
expdb 0x00000000000a0000 0x0000000001d40000 2 /dev/block/mmcblk0
ebr2 0x0000000000004000 0x0000000001de0000 2 /dev/block/mmcblk0
android 0x0000000025800000 0x0000000001de4000 2 /dev/block/mmcblk0p6
cache 0x000000001ae00000 0x00000000275e4000 2 /dev/block/mmcblk0p2
usrdata 0x0000000032000000 0x00000000423e4000 2 /dev/block/mmcblk0p3
fat 0x000000007221c000 0x00000000743e4000 2 /dev/block/mmcblk0p4
bmtpool 0x0000000000a00000 0x00000000ff9f0050 2 /dev/block/mmcblk0
Part_Name:Partition name you should open;
Size:size of partition
StartAddr:Start Address of partition;
Type:Type of partition(MTD=1,EMMC=2)
MapTo:actual device you operate
and Cat /proc/partitions
Code:
[email protected]:/ $ cat /proc/dumchar_info
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000040000 0x0000000000000000 2 /dev/misc-sd
dsp_bl 0x00000000005c0000 0x0000000000040000 2 /dev/misc-sd
mbr 0x0000000000004000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x000000000005c000 0x0000000000004000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000060000 2 /dev/block/mmcblk0
nvram 0x0000000000300000 0x0000000000460000 2 /dev/block/mmcblk0
seccfg 0x0000000000020000 0x0000000000760000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000000780000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x00000000007e0000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000000de0000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x00000000013e0000 2 /dev/block/mmcblk0p5
misc 0x0000000000060000 0x00000000019e0000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000001a40000 2 /dev/block/mmcblk0
expdb 0x00000000000a0000 0x0000000001d40000 2 /dev/block/mmcblk0
ebr2 0x0000000000004000 0x0000000001de0000 2 /dev/block/mmcblk0
android 0x0000000025800000 0x0000000001de4000 2 /dev/block/mmcblk0p6
cache 0x000000001ae00000 0x00000000275e4000 2 /dev/block/mmcblk0p2
usrdata 0x0000000032000000 0x00000000423e4000 2 /dev/block/mmcblk0p3
fat 0x000000007221c000 0x00000000743e4000 2 /dev/block/mmcblk0p4
bmtpool 0x0000000000a00000 0x00000000ff9f0050 2 /dev/block/mmcblk0
Part_Name:Partition name you should open;
Size:size of partition
StartAddr:Start Address of partition;
Type:Type of partition(MTD=1,EMMC=2)
MapTo:actual device you operate
cat /proc/emmc
Code:
[email protected]:/data $ cat /proc/emmc
partno: start_sect nr_sects partition_name
emmc_p1: 00000020 00000002 "ebr1"
emmc_p2: 0013af20 000d6800 "cache"
emmc_p3: 00211f20 0018f800 "usrdata"
emmc_p4: 003a1f20 003910e0 "fat"
emmc_p5: 00009f00 00002800 "sec_ro"
emmc_p6: 0000ef20 0012b800 "android"
Would you like to help me out to determine the blocks that should be erased/formatted? It'll be quite helpful for me to cook one Custom ROM for W35. Any kinda Help is appreciated.
dokie80 said:
HTC Desire VC
Dual GSM and CDMA.
Is there any custom JB ROM available?
Already rooted with CWM Recovery
Thanks in advance
No custom ROMs based on JB are available for your device..
but custom ROMs based on ICS 4.0.3 are available, bro
Abirwebster said:
I was modding my stock rom of W35. In the updater script, got a bit problem...
Would you like to help me out to determine the blocks that should be erased/formatted? It'll be quite helpful for me to cook one Custom ROM for W35. Any kinda Help is appreciated.
Bro, I would like to help you out.. but I'm not much familiar with blocks.. and also the updater script... so I'm sorry
siva aggzz said:
Bro, I would like to help you out.. but I'm not much familiar with blocks.. and also the updater script... so I'm sorry
it's okay,bro!..I've chosen to stick around the forums...
Hello, I got some problems with my phone (freezes and restarts, sometimes doesn't even want to turn on), so I thought that I need to re-flash the software, so I've downloaded spflash and installed drivers, but the problem is that my PC doesn't detect my phone when there is no battery inside. When I connect the phone to the PC by USB cable nothing happens - device manager doesn't show any new device connected, and also the flash tool cannot start the "Download" operation.
My phone is a Chinese TSD A9300 based on MTK6575
xPOGOx said:
Hello, I got some problems with my phone (freezes and restarts, sometimes doesn't even want to turn on), so I thought that I need to re-flash the software, so I've downloaded spflash and installed drivers, but the problem is that my PC doesn't detect my phone when there is no battery inside. When I connect the phone to the PC by USB cable nothing happens - device manager doesn't show any new device connected, and also the flash tool cannot start the "Download" operation.
My phone is a Chinese TSD A9300 based on MTK6575
Did you install the required drivers ??
SENT FROM MY LAVA IRIS 455 using xda developers app
siva aggzz said:
Did you install the required drivers ??
SENT FROM MY LAVA IRIS 455 using xda developers app
I don't think this is really needed, Windows should detect "SOMETHING" and it doesn't
xPOGOx said:
I don't think this is really needed, Windows should detect "SOMETHING" and it doesn't
It's needed... Without installing drivers... you can do nothing
Moreover, remove the battery and then plug in the USB cable ... Your PC will detect the MT 65xx preloader... But to successfully install the preloaders and all, you'll need the drivers..
Hit thanks instead of saying
siva aggzz said:
It's needed... Without installing drivers... you can do nothing
Moreover, remove the battery and then plug in the USB cable ... Your PC will detect the MT 65xx preloader... But to successfully install the preloaders and all, you'll need the drivers..
Hit thanks instead of saying
OK, I'll try to explain it one more time
The problem is that my PC does not detect my phone when I connect it without battery. So when the phone is not detected I can't even install drivers, because my computer doesn't see any new device.
Try to help me please!
I'm trying to raise the volume of my Bluetooth phone, unsuccessfully..
This is what I tried:
First I rooted my Nexus 4 with stock ROM 4.3
I tried Viper's 4 Android (newest version) with all configurations and modes (including installing as user and as system app), nothing works...
I tried Volume+, same, didn't work. In fact it is lowering the volume. I can hear a fast loud volume (less than 1 second when I activate the boost), then back to limited volume :/
Then I installed the last version of Franco.Kernel too. With headphones and speaker, the Franco boost works...
Then I tried everything again, V4A, Volume+ and NOTHING. The Bluetooth phone is still almost inaudible.
So, I was almost trying this FauxSound and then I read something that looks really bad in its description on the Play Store:
"NOTE: DOES NOT BOOST/CONTROL BLUETOOTH... BLUETOOTH is 100% DIGITAL... THIS APP WILL NOT CHANGE BLUETOOTH VOLUMES OR GAINS!"
What does this mean? Is there NO WAY to boost Bluetooth volume anymore???
I don't know what to do... Is there any way to do this? A really working way to boost the Bluetooth phone volume? Or is this not possible?!
Anyone trying the same? Anyone have a Nexus 4 with 4.3 with this working?
Please help me!
TNX A LOT!
siva aggzz said:
It's needed... Without installing drivers... you can do nothing
Moreover, remove the battery and then plug in the USB cable ... Your PC will detect the MT 65xx preloader... But to successfully install the preloaders and all, you'll need the drivers..
Hit thanks instead of saying
Take another USB port. Sometimes the phones don't like USB 3.0 or hubs. Or another cable!?
Sent from my Xperia SP
joke19 said:
Take another USB port. Sometimes the phones don't like USB 3.0 or hubs. Or another cable!?
Sent from my Xperia SP
Another cable is the only thing I haven't tried yet, but it works perfectly while the phone is turned on...
xPOGOx said:
OK, I'll try to explain it one more time
The problem is that my PC does not detect my phone when I connect it without battery. So when the phone is not detected I can't even install drivers, because my computer doesn't see any new device.
Bro ... do these things..
First install the drivers... then connect your device ... then only your device will be detected ... because MT 6575 devices have this issue ...
foxdanger said:
Try to help me please!
I'm trying to raise the volume of my Bluetooth phone, unsuccessfully..
This is what I tried:
First I rooted my Nexus 4 with stock ROM 4.3
I tried Viper's 4 Android (newest version) with all configurations and modes (including installing as user and as system app), nothing works...
I tried Volume+, same, didn't work. In fact it is lowering the volume. I can hear a fast loud volume (less than 1 second when I activate the boost), then back to limited volume :/
Then I installed the last version of Franco.Kernel too. With headphones and speaker, the Franco boost works...
Then I tried everything again, V4A, Volume+ and NOTHING. The Bluetooth phone is still almost inaudible.
So, I was almost trying this FauxSound and then I read something that looks really bad in its description on the Play Store:
"NOTE: DOES NOT BOOST/CONTROL BLUETOOTH... BLUETOOTH is 100% DIGITAL... THIS APP WILL NOT CHANGE BLUETOOTH VOLUMES OR GAINS!"
What does this mean? Is there NO WAY to boost Bluetooth volume anymore???
I don't know what to do... Is there any way to do this? A really working way to boost the Bluetooth phone volume? Or is this not possible?!
Anyone trying the same? Anyone have a Nexus 4 with 4.3 with this working?
Please help me!
TNX A LOT!
Bro, you can try this... first go to engineering mode, then hardware, then audio, then select every one's volume to 160...
Else try changing the Bluetooth ... but I guess the first option will solve your problem ... best of luck

s7562 mtk 6575 flash file needed

need samsung copy s duos s7562 cpu 6575 flash file
phone was in pattern lock and dead while format in volcano
China Samsung S7562 flash file needed, please help me
Cpu mt6575
File size= 1.75gb
Analysis of system files...
PRELOADER addr:0x000000 --length:0x040000
DSP_BL addr:0x040000 --length:0x5C0000
MBR addr:0x600000 --length:0x004000
EBR1 addr:0x604000 --length:0x05C000
__NODL_PMT addr:0x660000 --length:0x400000
__NODL_NVRAM addr:0xA60000 --length:0x300000
__NODL_SECCFG addr:0xD60000 --length:0x020000
UBOOT addr:0xD80000 --length:0x060000
BOOTIMG addr:0xDE0000 --length:0x600000
RECOVERY addr:0x13E0000 --length:0x600000
SEC_RO addr:0x19E0000 --length:0x600000
__NODL_MISC addr:0x1FE0000 --length:0x060000
LOGO addr:0x2040000 --length:0x300000
__NODL_EXPDB addr:0x2340000 --length:0x0A0000
EBR2 addr:0x23E0000 --length:0x004000
ANDROID addr:0x23E4000 --length:0x20100000
CACHE addr:0x224E4000 --length:0x20100000
USRDATA addr:0x425E4000 --length:0x74000000
__NODL_FAT addr:0xB65E4000 --length:0x2C03C000
__NODL_BMTPOOL addr:0xFFFF0050 --length:0x000000
Format addr:0x425E4000 --Format length:0x31A1D000
>>Read phone information success.
Your file
This is file you need
www . 4shared . com/get/J-ldd1Jqba/S7562_china_mt6575_by_midou01_.html
I attach scat file, you can preview. Pls remove blank in link

[Q] Can't access recovery menu (black screen)

Hello.
I recently bought a Chinese Mediatek 'phablet' phone/tablet combination; running Android 4.2.2 Model: MTK6572.
Due to it being cheap, it was ideal, so I thought, for flashing and development, however I may be wrong.
However I cannot get it into recovery mode. It won't display the menu when holding down volume + and the power button when powering on.
When pressing these two buttons together on start-up, it actually remains a black screen, and it won't turn on after doing this, and I have to keep pressing the tiny reset button on the side of this device every time I attempt to enter recovery, to get it to turn on as normal again.
Pressing and holding volume - and power at the same time on start-up brings up "Factory mode" (in Chinese) and has no options available for flashing/ROM functions, except 'testing' the device's hardware. This phone doesn't have any other physical buttons except power, volume + and -
I am able to successfully enter CWR by flashing it with MTKDroidTools and rebooting into the recovery mode (while powered up and in the android OS) however I still cannot get into CWR or any recovery mode at all while powering up with power and volume +
I just want to be able to enter a recovery mode on this device, to ensure no future issues and doubts upon the unfortunate events of a permanent brick. My idea is to flash this phablet with ParanoidAndroid; or cyanogenmod, and I could try doing this with a software reset, but then what if the ROM is incompatible, and totally bricks it? Then I have no way in hell to revive and reflash, because I can't access the recovery mode anyway.
I have come to the conclusion that it may be due to the filesystem, potentially due to its fbifs, that is the cause of no recovery mode, but what if it's ext4, does any of this make a difference?
Is there any way to make this device open the recovery menu while powering it on?
When I attempt to enter recovery mode while powering up with volume +, the device is basically a brick, until I press reset. It doesn't respond at all. The only way to enter recovery menu is by booting into android resetting the device into recovery mode via an app.
What's the deal with this, please can anyone guide me out of this noob pit, and make progress to this issue? Thank you.
Device Info -
Hardware : MT6572
Model : MT6572
Build number : ALPS.JB3.MP.V2.0
Build date UTC : 20131104-123514
Android v : 4.2.2
Baseband v: MOLY.WR8.W1315.MD.WG.MP.V1, 2013/09/18 03:24
Kernel v : 3.4.5 ([email protected]) (gcc version 4.6.x-google 20120106 (prerelease) (GCC) ) #10 SMP Thu Dec 19 09:40:47 CST 2013
Uboot build v : -----
LCD Driver IC : 1-hsd070idw1
Scatter eMMC -
PRELOADER 0x0
MBR 0x600000
EBR1 0x680000
NODL_PRO_INFO 0x700000
NODL_NVRAM 0xa00000
NODL_PROTECT_F 0xf00000
NODL_PROTECT_S 0x1900000
NODL_SECCFG 0x2300000
UBOOT 0x2320000
BOOTIMG 0x2380000
RECOVERY 0x2980000
SEC_RO 0x2f80000
NODL_MISC 0x2fc0000
LOGO 0x3040000
NODL_EXPDB 0x3340000
ANDROID 0x3d40000
CACHE 0x2c740000
USRDATA 0x43f40000
NODL_FAT 0x96b40000
NODL_BMTPOOL 0xffff00a8
preloader 0x0000000000600000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pro_info 0x0000000000300000 0x0000000000100000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000400000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000900000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001300000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000001d00000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000001d20000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000001d80000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000002380000 2 /dev/block/mmcblk0
sec_ro 0x0000000000040000 0x0000000002980000 2 /dev/block/mmcblk0
misc 0x0000000000080000 0x00000000029c0000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000002a40000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000002d40000 2 /dev/block/mmcblk0
android 0x0000000028a00000 0x0000000003740000 2 /dev/block/mmcblk0p4
cache 0x0000000017800000 0x000000002c140000 2 /dev/block/mmcblk0p5
usrdata 0x0000000052c00000 0x0000000043940000 2 /dev/block/mmcblk0p6
fat 0x0000000051440000 0x0000000096540000 2 /dev/block/mmcblk0p7
bmtpool 0x0000000001500000 0x00000000ff9f00a8 2 /dev/block/mmcblk0
Sorry for being such a noob, I don't know if any of this information is useful in the slightest.
device name???
hey tell your device name and brand.. and also do you have backup of your stock rom???
Sakthivel_Subbiah said:
hey tell your device name and brand.. and also do you have backup of your stock rom???
Alps MT6572
yes, I managed to backup my stock rom.
Use sp flash tools
Download SP Flash Tools. Load the scatter file MT6572_Android_scatter_emmc.txt from your backup. Uncheck all options except recovery; don't click preloader, because if you flash the wrong preloader it will brick your device. Then click the download button and connect your phone without battery via USB. Now watch for the red, blue and yellow lines, then finally a window with a green circle, download OK. Now you can remove the USB plug and boot your phone into recovery..:good:
Note: You need MTK VCOM preloader drivers before using SP Flash Tools. Just connect the phone without battery; your computer will detect it automatically, and click install drivers automatically
Sakthivel_Subbiah said:
Download SP Flash Tools. Load the scatter file MT6572_Android_scatter_emmc.txt from your backup. Uncheck all options except recovery; don't click preloader, because if you flash the wrong preloader it will brick your device. Then click the download button and connect your phone without battery via USB. Now watch for the red, blue and yellow lines, then finally a window with a green circle, download OK. Now you can remove the USB plug and boot your phone into recovery..:good:
Note: You need MTK VCOM preloader drivers before using SP Flash Tools. Just connect the phone without battery; your computer will detect it automatically, and click install drivers automatically
Thank you very much for explaining this solution, but the battery for my device is built in; sealed and I can't take the battery out, so does this mean I can't use SPflash?
CPUzX said:
Thank you very much for explaining this solution, but the battery for my device is built in; sealed and I can't take the battery out, so does this mean I can't use SPflash?
If you have a reset button on your tab, press it, and you can connect USB by holding the vol up button and releasing it after it is detected by SP Flash Tool (red bar). If you don't have a reset button, just switch off and keep it for 5 min and give it a try... but make sure that you clicked only the recovery...
If SP Flash Tools doesn't recognize your phone, just go into factory mode and keep it aside. Open Minimal ADB and Fastboot, or you can download it from this thread http://forum.xda-developers.com/showthread.php?t=2317790 Just copy your recovery.img from the backup and paste it into the folder where minimal adb and fastboot.exe is placed. Now open Minimal ADB and Fastboot, connect your phone via USB in factory mode and type:
adb reboot bootloader (now your phone reboots into a black screen)
Type fastboot devices and see if there is any device id or name; if it shows your device name then type
fastboot flash recovery recovery.img (make sure that you have copied the recovery file named recovery.img in the same folder)
Now flashing will progress; after it is done type fastboot reboot (now your device will reboot)
Then switch it off again and go into recovery mode!!!
MT6572 teeamge e701
hello, I also have a similar phone to your rom to flash tool you create me, please, I need to restore my phone table. thanks
how did you find a solution to this?

[Q] Standard scatter file description THL phones

I realise scatter files are different for every phone and manufacturer.
However, I'm really struggling to find out what each memory slot is actually used for.
Some are obvious but some don't make much sense to me... there don't seem to be any standard descriptions anywhere.
I checked my W8 Beyond scatter file and noticed that the "__NODL*" entries do not feature when you load a scatter file into Flash_tools.
Why is this? I can see each block follows the previous one.
I can only think that these are reserved blank memory allocations?
PRELOADER 0x0
MBR 0x600000
EBR1 0x680000
__NODL_PMT 0x700000
__NODL_PRO_INFO 0xb00000
__NODL_NVRAM 0xe00000
__NODL_PROTECT_F 0x1300000
__NODL_PROTECT_S 0x1d00000
__NODL_SECCFG 0x2700000
UBOOT 0x2720000
BOOTIMG 0x2780000
RECOVERY 0x2d80000
SEC_RO 0x3380000
__NODL_MISC 0x3980000
LOGO 0x3a00000
EBR2 0x3d00000
__NODL_EXPDB 0x3d80000
ANDROID 0x4780000
CACHE 0x2d180000
USRDATA 0x34f80000
__NODL_FAT 0x134f80000
__NODL_BMTPOOL 0xFFFF00a8
_NODL flag indicates that those are protected blocks that shouldn't be touched (overwritten during firmware upgrade) because they
contain device specific info like IMEI, MAC addresses and other stuff.
(NODL as "no download")
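Added example, not part of the original posts: a short Python parser for the scatter listing quoted in the question, which separates the `__NODL_` regions from the ones a flash would write and derives each region's size from the next start address. The function names are assumptions of this example; the offsets are copied from the post.

```python
# Scatter listing copied from the question above (old MTK "NAME offset" format).
SCATTER = """\
PRELOADER 0x0
MBR 0x600000
EBR1 0x680000
__NODL_PMT 0x700000
__NODL_PRO_INFO 0xb00000
__NODL_NVRAM 0xe00000
__NODL_PROTECT_F 0x1300000
__NODL_PROTECT_S 0x1d00000
__NODL_SECCFG 0x2700000
UBOOT 0x2720000
BOOTIMG 0x2780000
RECOVERY 0x2d80000
SEC_RO 0x3380000
__NODL_MISC 0x3980000
LOGO 0x3a00000
EBR2 0x3d00000
__NODL_EXPDB 0x3d80000
ANDROID 0x4780000
CACHE 0x2d180000
USRDATA 0x34f80000
__NODL_FAT 0x134f80000
__NODL_BMTPOOL 0xFFFF00a8
"""

NODL_PREFIX = "__NODL_"


def parse_scatter(text):
    """Return one dict per region: name (prefix stripped), start, no_download."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        raw_name, start = parts[0], int(parts[1], 16)
        protected = raw_name.startswith(NODL_PREFIX)
        name = raw_name[len(NODL_PREFIX):] if protected else raw_name
        entries.append({"name": name, "start": start, "no_download": protected})
    return entries


def with_sizes(entries):
    """Size = next start - this start. None when the next value is not a
    higher linear offset (BMTPOOL's value here is lower than FAT's start)."""
    out = []
    for cur, nxt in zip(entries, entries[1:] + [None]):
        size = None
        if nxt is not None and nxt["start"] > cur["start"]:
            size = nxt["start"] - cur["start"]
        out.append({**cur, "size": size})
    return out


def flashable(entries):
    """Regions without the NODL flag, i.e. the ones a firmware flash writes."""
    return [e["name"] for e in entries if not e["no_download"]]


def protected(entries):
    """Regions carrying the NODL flag: read these back before any format."""
    return [e["name"] for e in entries if e["no_download"]]


if __name__ == "__main__":
    for e in with_sizes(parse_scatter(SCATTER)):
        size = "unknown" if e["size"] is None else hex(e["size"])
        flag = "NODL" if e["no_download"] else "flash"
        print(f'{e["name"]:<10} start={e["start"]:#012x} size={size:<12} {flag}')
```
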
C3C076 said:
_NODL flag indicates that those are protected blocks that shouldn't be touched (overwritten during firmware upgrade) because they
contain device specific info like IMEI, MAC addresses and other stuff.
(NODL as "no download")
Many many many thanks C3C076.
I made a mistake with the block sizes and ended up formatting the whole phone.
I flashed with the latest THL W8 beyond official firmware and all good again!
Strangely the only thing that was missing was the IMEI numbers for each sim slot but I added them in ENG mode.
Maybe this is a question for another thread but I rooted and tried out the THL GPS fix but it doesn't seem to help much.
The stock w8 beyond rom doesn't seem to handle EPO. Why are the EPO options in the standard android settings greyed out and downloading EPO via the engineering menu fail ??
C3C.... if I could buy you a coffee it would be a large one !!

[Q] Hacking preloader.bin

I figured out how to hack the EBR1 on mediatek MTK6572 to increase userdata by merging the fat and userdata partitions. Unfortunately, this mod does not change the blocks maps, even when editing the scatter text to match the EBR1 hack mod. Here is the post on how it is done.
http://elizabethswikis.blogspot.com/2014/09/tutorial-how-to-increase-partition-on.html
After much searching, finally found out that the blocks maps are probably setup via preloader.bin, which tells /proc/dumchar_info what the blocks are and sizes. Well now I would like to figure out how to hack the preloader, either the bin or preloader_and_dsp, to edit that sections that it matches up with the modded EBR1. Just can't find any information, looked at the preloader.bin and preloader_and_dsp in hex editor and emacs, but that doesn't help me much, am able to see the section where it tells EBR1, preloader, userdata, android, etc... but can't make out how to change those hex values.
Nobody knows
Well, after much searching as to what could possibly be in the preloader.bin and lk.bin for emmc mtk devices, figure that what it probably is are all the .c files that were put into a .bin using the makefile. Well okay, that is great, even better, everybody knows how to make one, yet, nobody knows how to extract it?
Terminal shell command, strings lk.bin, lets me read what exactly the preloader/bootloader is supposed to do, and where the files are pointed to. So for example, know that there is a meta.c and UART.c inside, to name a few, now I would like to get them out.
That seems a bit hard to believe, why would one want to know how to make something they can't take apart later on for bug fixing?
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
read the post
Karthickgandhi said:
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
I don't think you entirely read my post or looked at my blog. Anyways, for anybody who wants to look at the preloader.bin and lk.bin, this can be done in IDA PRO using the arm little endian option. I've been looking at it myself, figured out that if you use the correct rom/ram size and start address, IDA PRO disassembles the files. Only thing is, can't figure out what the start address for a ram file would be.
Now that I have figured out how to read those "BIN" files, how can I get them to load so that I can modify the "/proc/dumchar/" to match my "ALREADY HACKED EBR1".
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level knowledge in partitioning etc. Noted now only that the command
--->cat /proc/dumchar_info
doesn't change even after changing the ebr and i have increased the internal app storage memory.
Regards,
Karthick
Preloader.bin
Karthickgandhi said:
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level knowledge in partitioning etc. Noted now only that the command
--->cat /proc/dumchar_info
doesn't change even after changing the ebr and i have increased the internal app storage memory.
Regards,
Karthick
The post tells how to repartition the EBR1, as for the preloader.bin, well you can disassemble it in IDA pro.
Thing is, I got as far as finding where the partitions are, even figured out how to change the values. After exporting it as a raw binary, well that is where I'm stuck. Ida exports it with a .txt extension, needs to be .bin. How in linux could I convert that using the dd command for a successful flash, aka:
dd if=preloader.txt of=preloader.bin bs=1 skip=????
If that's a complete one you can use this command
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
Dont need to specify bs,skip,etc
Regards,
Karthick
Hacking mtk6572 bootloader
Karthickgandhi said:
If that's a complete one you can use this command
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
Dont need to specify bs,skip,etc
Regards,
Karthick
I tried that, but it didn't boot when I loaded the modified preloader.bin. Was wondering if it was because:
A. was it because I named it preloader-modified.bin?
B. Is there another place that needs to be modified besides the userdata partition?
The original size is 0x2000000, the full size using the fat and userdata combined is 0xA7040000. Is there another place that it should be changed? Could not find the fat partition in the preloader.bin, everything except for the FAT size, which is 0x87040000 and the BMPOOL, have to look at that size. When comparing with the dumchar_info & Scatter file, shows all the partition sizes from preloader down to userdata.
Also have a preloader.bin from the manufacturer where I purchased my phone, that preloader, scatter and EBR1 uses the full userdata no fat size, but the scatter for the other tablet/phone has a fat section with a 0x0 partition size, uses the full userdata and no fat partition. Also, when comparing that preloader with my preloader, same thing, everything right down to the userdata, missing fat and BMPOOL.
Well tomorrow I'll try again, this time doing dd if=preloader.txt of=preloader.bin. The name, preloader-modified.bin may not have worked, since reading through the entire preloader.bin and lk.bin, it directs to flash preloader, uboot, lk < know both are the same, userdata, fat, etc...
bethnesbitt said:
I tried that, but it didn't boot when I loaded the modified preloader.bin. Was wondering if it was because:
A. was it because I named it preloader-modified.bin?
B. Is there another place that needs to be modified besides the userdata partition?
The original size is 0x2000000, the full size using the fat and userdata combined is 0xA7040000. Is there another place that it should be changed? Could not find the fat partition in the preloader.bin, everything except for the FAT size, which is 0x87040000 and the BMPOOL, have to look at that size. When comparing with the dumchar_info & Scatter file, shows all the partition sizes from preloader down to userdata.
Also have a preloader.bin from the manufacturer where I purchased my phone, that preloader, scatter and EBR1 uses the full userdata no fat size, but the scatter for the other tablet/phone has a fat section with a 0x0 partition size, uses the full userdata and no fat partition. Also, when comparing that preloader with my preloader, same thing, everything right down to the userdata, missing fat and BMPOOL.
Well tomorrow I'll try again, this time doing dd if=preloader.txt of=preloader.bin. The name, preloader-modified.bin may not have worked, since reading through the entire preloader.bin and lk.bin, it directs to flash preloader, uboot, lk < know both are the same, userdata, fat, etc...
Got that working???
decompile bootloader
Karthickgandhi said:
Got that working???
No, I have been picking it apart for a few hours a day since trying that method.
The dd if=preloader.txt > preloader.bin didn't work. Then found out there was a way to just apply the patch to the file, thought cool, tried that didn't work either.
So now I'm thinking it's how I am trying to load it in IDA PRO. If what some research says, it is an arm-eabi-gcc, not sure if ida is actually supporting that correctly. There are plenty of TUT on how to compile, but nothing about decompiling.
bethnesbitt said:
No, I have been picking it apart for a few hours a day since trying that method.
The dd if=preloader.txt > preloader.bin didn't work. Then found out there was a way to just apply the patch to the file, thought cool, tried that didn't work either.
So now I'm thinking it's how I am trying to load it in IDA PRO. If what some research says, it is an arm-eabi-gcc, not sure if ida is actually supporting that correctly. There are plenty of TUT on how to compile, but nothing about decompiling.
Nice.... but are you sure that the dumchar_info is associated with preloader? I doubt the pmt(partition management table)
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000600000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000100000 2 /dev/block/mmcblk0
pro_info 0x0000000000300000 0x0000000000500000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000800000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000d00000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001700000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000002100000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000002120000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000002180000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000002780000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x0000000002d80000 2 /dev/block/mmcblk0p4
misc 0x0000000000080000 0x0000000003380000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000003400000 2 /dev/block/mmcblk0
ebr2 0x0000000000080000 0x0000000003700000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000003780000 2 /dev/block/mmcblk0
android 0x000000002bc00000 0x0000000004180000 2 /dev/block/mmcblk0p5
cache 0x0000000007e00000 0x000000002fd80000 2 /dev/block/mmcblk0p6
usrdata 0x0000000040000000 0x0000000037b80000 2 /dev/block/mmcblk0p7
fat 0x000000006fba0000 0x0000000077b80000 2 /dev/block/mmcblk0p8
bmtpool 0x0000000001500000 0x00000000ff9f00a8 2 /dev/block/mmcblk0
Regards,
Karthick
dumchar
Right now I'm not in linux, so I can't copy and paste so will give a quick summary of what I see when I decompile the preloader.bin.
At the bottom of the preloader in IDA PRO is a list of the partition sizes, everything except for the FAT and BMTPOOL.
It shows, as ascii string, the partition sizes, just giving a bit of what i remember off the top of my head:
0x600000 < preloader
0X600000 < Rom
0x800000 < EBR1
0xA00000
0x1780000 < this is my cache size
0x2000000 < this is my userdata size
Also the ascii string has
FAT
USERDATA
UBOOT
PRELOADER
BOOT
ANDROIDSYS
Ida isn't disassembling it correctly because all the strings should point to an operand, the partition sizes aren't. Today went through though, am trying different library types using the METAPC option. It took me 2 months to hack the EBR1, may take me just as long.
Good luck. Don't forget to share if you hit that jackpot. I am trying to increase my recovery partition but facing some problems. Unlike /system or /data partition it cannot be altered by hacking mbr/ebr. U have any idea?
Hey, I have HTC Desire 310 it uses MTK6582 and it has locked bootloader. I think the bootloader has something to do with the preloader, so if you can help me in some way, pls PM me!
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
Sent from my B1-730HD using XDA Free mobile app
f*ck
Antagonist42 said:
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
Sent from my B1-730HD using XDA Free mobile app
doesn't work brother.. idk what is the problem.. This is MTK phone, with locked bootloader by htc.. idk i tried everything and nothing works
boka18 said:
doesn't work brother.. idk what is the problem.. This is MTK phone, with locked bootloader by htc.. idk i tried everything and nothing works
What do you mean 'doesn't work'? What was it you're looking for? I'm posting info that may help the thread as to partitions, how they work and what different formats can be used.
Sent from my B1-730HD using XDA Free mobile app
Disassemble preloader.bin - unlock bootloader?
The preloader is the bootloader. After disassembling the preloader.bin, somewhat successfully, in IDA PRO, here is what I see for partitions:
In ida, open the preloader.bin, change the dropdown to ARM little endian, unsure about size for rom and the loading address, tried many different sizes and start address, each time give me a somewhat of a different outcome.
Select Arm Little Endian
Not sure about the Rom Size, did try size for RAM but would not encode. Have tried different sizes for ROM, getting different outputs. Using the loading address as 0x0, which is the linear start address in the scatter for preloader seems to make sense, could be wrong. Beware though, the larger size you try, the laggier your PC will get
Now when the preloader.bin is done loading, go to Edit menu and select all. Now press the letter C on your keyboard for code, choose Analyse and say yes. When done analyzing, you can scroll through the code, it doesn't analyze everything you will see some code that was not analyzed, those are in gold, if you select all that unanalyzed code by pressing shift+arrowdown, then press C it will analyze that code, you may want to go through and do that little cleanup.
Towards the bottom, you will see ASCII text that was decoded, here is what shows for my partitions.
ROM:00017518 dword_17518 DCD 0x201A626, 0 ; DATA XREF: sub_11CC+2o
ROM:00017518 ; ROM:off_11D4o
ROM:00017520 DCD dword_600000 <- PRELOADER
ROM:00017524 ALIGN 0x10
ROM:00017530 DCD 0x201A630, 0
ROM:00017538 DCD dword_80000 <-- MBR
ROM:0001753C DCD 0, 0, 0
ROM:00017548 DCD 0x201A634, 0
ROM:00017550 DCD dword_80000 <-- EBR1
ROM:00017554 ALIGN 0x10
ROM:00017560 DCD 0x201A639, 0
ROM:00017568 DCD dword_300000 <-- PRO_INFO
ROM:0001756C DCD 0, 0, 0
ROM:00017578 DCD 0x201A642, 0
ROM:00017580 DCD dword_500000 < -- NVRAM
ROM:00017584 ALIGN 0x10
ROM:00017590 DCD 0x201A648, 0
ROM:00017598 DCD dword_A00000 <-- PROTECT_F
ROM:0001759C DCD 0, 0, 0
ROM:000175A8 DCD 0x201A652, 0
ROM:000175B0 DCD dword_A00000 <-- PROTECT_S
ROM:000175B4 ALIGN 0x10
ROM:000175C0 DCD 0x201A65C, 0
ROM:000175C8 DCD dword_20000 <-- SECCFG
ROM:000175CC DCD 0, 0, 0
ROM:000175D8 DCD 0x201A663, 0
ROM:000175E0 DCD dword_60000 <- UBOOT/LK.BIN
ROM:000175E4 ALIGN 0x10
ROM:000175F0 DCD 0x201A669, 0
ROM:000175F8 DCD dword_600000 < -- BOOTIMG
ROM:000175FC DCD 0, 0, 0
ROM:00017608 DCD 0x201A671, 0
ROM:00017610 DCD dword_600000 <-- RECOVERY
ROM:00017614 ALIGN 0x10
ROM:00017620 DCD 0x201A67A, 0
ROM:00017628 DCD dword_40000 <-- SEC_RO
ROM:0001762C DCD 0, 0, 0
ROM:00017638 DCD 0x201A684, 0
ROM:00017640 DCD dword_80000 < -- MISC
ROM:00017644 ALIGN 0x10
ROM:00017650 DCD 0x201A689, 0
ROM:00017658 DCD dword_300000 <-- LOGO
ROM:0001765C DCD 0, 0, 0
ROM:00017668 DCD 0x201A68E, 0
ROM:00017670 DCD dword_A00000 <-- EXPDB
ROM:00017674 ALIGN 0x10
ROM:00017680 DCD 0x201A694, 0
ROM:00017688 DCD 0x28A00000, 0, 0, 0 < -- ANDROID SYSTEM
ROM:00017698 DCD 0x201A69E, 0
ROM:000176A0 DCD 0x17800000, 0, 0, 0 < -- CACHE
ROM:000176B0 DCD 0x201A6A4, 0
ROM:000176B8 DCD 0x20000000, 0, 0, 0 <-- USERDATA
If you compare that to your scatter, you will see that they match up, right in order per the scatter as well as when you go into:
Code:
adb shell
cat /proc/dumchar_info > /sdcard/dumchar.txt
Katherick, for your question, yes the recovery can be modified, now another option is using a hexdump. Maybe somebody can point us to using hexdump to modify and saving it back to the binary format. First you would have to figure out how to change the value in the preloader.bin of your recovery, not sure if just that ascii value has to be changed, or is there another place. Once you decompile the preloader.bin in IDA, you can see where those ASCII values point to identifiers throughout the code in various spots, except for the partition sizes.
Now, for the ascii, here is a little bit from mine:
Code:
ROM:00013426 aPreloader DCB "PRELOADER",0 ; DATA XREF: sub_DB84+B0o
ROM:00013426 ; ROM:off_DCD0o ...
ROM:00013430 aMbr DCB "MBR",0
ROM:00013434 aEbr1 DCB "EBR1",0
ROM:00013439 aPro_info DCB "PRO_INFO",0
ROM:00013442 aNvram DCB "NVRAM",0
ROM:00013448 aProtect_f DCB "PROTECT_F",0
ROM:00013452 aProtect_s DCB "PROTECT_S",0
ROM:0001345C aSecure DCB "SECURE",0 ; DATA XREF: sub_D7F8+5Co
ROM:0001345C ; ROM:off_D8E8o ...
ROM:00013463 aUboot DCB "UBOOT",0 ; DATA XREF: ROM:000027C8o
ROM:00013463 ; ROM:off_2848o ...
ROM:00013469 aBootimg DCB "BOOTIMG",0 ; DATA XREF: sub_DB84+38o
ROM:00013469 ; ROM:off_DCBCo ...
ROM:00013471 aRecovery DCB "RECOVERY",0 ; DATA XREF: sub_DB84+68o
ROM:00013471 ; ROM:off_DCC4o ...
ROM:0001347A aSecstatic DCB "SECSTATIC",0 ; DATA XREF: sub_DB84+118o
ROM:0001347A ; ROM:off_DCF0o
ROM:00013484 aMisc DCB "MISC",0
ROM:00013489 aLogo_0 DCB "LOGO",0 ; DATA XREF: sub_D544+6Ao
ROM:00013489 ; ROM:off_D61Co ...
ROM:0001348E aExpdb DCB "EXPDB",0
ROM:00013494 aAndsysimg DCB "ANDSYSIMG",0 ; DATA XREF: sub_DB84+112o
ROM:00013494 ; ROM:off_DCECo
ROM:0001349E aCache DCB "CACHE",0 ; DATA XREF: sub_DB84+DEo
ROM:0001349E ; sub_DB84+12Ao ...
ROM:000134A4 aUser DCB "USER",0 ; DATA XREF: sub_DB84+124o
ROM:000134A4 ; ROM:off_DCF8o
ROM:000134A9 aFat DCB "FAT",0
ROM:000134AD aDeviceApcDomai DCB 0xA ; DATA XREF: sub_1208+8o
ROM:000134AD ; ROM:off_130Co
and here is the identifier:
Code:
ROM:0000DCB4 off_DCB4 DCD aUboot - 0xDB8E ; DATA XREF: sub_DB84+4r
ROM:0000DCB4 ; "UBOOT"
ROM:0000DCB8 off_DCB8 DCD aLogo_0 - 0xDBA8 ; DATA XREF: sub_DB84+1Er
ROM:0000DCB8 ; "LOGO"
ROM:0000DCBC off_DCBC DCD aBootimg - 0xDBC0 ; DATA XREF: sub_DB84+36r
ROM:0000DCBC ; "BOOTIMG"
ROM:0000DCC0 off_DCC0 DCD aAndroid - 0xDBD8 ; DATA XREF: sub_DB84+4Er
ROM:0000DCC0 ; "ANDROID"
ROM:0000DCC4 off_DCC4 DCD aRecovery - 0xDBF0 ; DATA XREF: sub_DB84+66r
ROM:0000DCC4 ; "RECOVERY"
ROM:0000DCC8 off_DCC8 DCD aSec_ro - 0xDC08 ; DATA XREF: sub_DB84+7Er
ROM:0000DCC8 ; "SEC_RO"
ROM:0000DCCC off_DCCC DCD aSeccnfg - 0xDC20 ; DATA XREF: sub_DB84+96r
ROM:0000DCCC ; "SECCNFG"
ROM:0000DCD0 off_DCD0 DCD aPreloader - 0xDC38 ; DATA XREF: sub_DB84+AEr
ROM:0000DCD0 ; "PRELOADER"
ROM:0000DCD4 off_DCD4 DCD aUsrdata - 0xDC50 ; DATA XREF: sub_DB84+C6r
ROM:0000DCD4 ; "USRDATA"
ROM:0000DCD8 off_DCD8 DCD aCache - 0xDC66 ; DATA XREF: sub_DB84+DCr
ROM:0000DCD8 ; "CACHE"
ROM:0000DCDC off_DCDC DCD aSPartNameSNotF - 0xDC80 ; DATA XREF: sub_DB84+F2r
ROM:0000DCDC ; "[%s] part name '%s' not found\n"
ROM:0000DCE0 off_DCE0 DCD aLib - 0xDC82 ; DATA XREF: sub_DB84+F6r
ROM:0000DCE0 ; "LIB"
ROM:0000DCE4 off_DCE4 DCD aSec_util_c - 0xDC8E ; DATA XREF: sub_DB84+100r
ROM:0000DCE4 ; "sec_util.c"
ROM:0000DCE8 off_DCE8 DCD a0 - 0xDC90 ; DATA XREF: sub_DB84+102r
ROM:0000DCE8 ; "0"
ROM:0000DCEC off_DCEC DCD aAndsysimg - 0xDC9A ; DATA XREF: sub_DB84:loc_DC94r
ROM:0000DCEC ; "ANDSYSIMG"
ROM:0000DCF0 off_DCF0 DCD aSecstatic - 0xDCA0 ; DATA XREF: sub_DB84:loc_DC9Ar
ROM:0000DCF0 ; "SECSTATIC"
ROM:0000DCF4 off_DCF4 DCD aSecure - 0xDCA6 ; DATA XREF: sub_DB84:loc_DCA0r
ROM:0000DCF4 ; "SECURE"
ROM:0000DCF8 off_DCF8 DCD aUser - 0xDCAC ; DATA XREF: sub_DB84:loc_DCA6r
ROM:0000DCF8 ; "USER"
ROM:0000DCFC off_DCFC DCD aCache - 0xDCB2 ; DATA XREF: sub_DB84:loc_DCACr
ROM:0000DCFC ; "CACHE"
Issue is though, I cannot find the partition sizes the way I can when looking at the ASCII and Identifiers.
Now to change the cache size or any other size, in the ascii where, for example, the cache size of mine is:
ROM:000176A0 DCD 0x17800000, 0, 0, 0
1. Make sure to mouse click on the partition size before going into the hex, this will bring you right to it in hex, where it can be changed.
2. Click on the tab that says HEX View-A and lets say you want to decrease it cut it in half for example: 17800000/2 = BC00000 or 394264576/2= 197132288 which is a hex value of BC00000.
So in the HEx View-A, make sure the size is selected, you want to change 80 17 to 00 BC, it has to be entered from right to left so that the IDA View-A can read it from left to right.
Thing is, I tried a few things:
On the menu, selecting Edit > export data, and exporting it as raw binary, then in terminal
Code:
dd if=preloader.txt > preoader.bin
Did not work
Also tried:
Edit > apply patch > apply patch to input program did not work either, both just caused my tablet to get stuck at the boot logo.
Now this, as mentioned could be possibly because, I am doing the conversion correctly when making the changes, but:
Where is that identifier for the partition sizes, or is there one?
Is IDA decompiling it correctly?
Where is the identifier for FAT?
Where is the partition size for FAT?
Does the reason the EBR1 hack work, per my blog instructions, because there is no partition size for FAT in the bootloader?
Once, just to see what would happen, and it worked, I decreased my cache, this was hard to get the phone to like, but it worked. Next I increased the cache, the phone seemed okay with that hack.
Here are those instructions to modify the EBR1 and increase/decrease cache
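Added example, not part of the original posts: a read-only Python scan that locates the partition table shown in the IDA listing above and recovers the address base that makes its name pointers resolve to the ASCII strings. The sample image is constructed from the offsets, names and sizes in that listing; the record layout (0x18-byte stride, name pointer at +0, size at +8) is inferred from the listing, and all function names are assumptions of this example.

```python
import struct

# Transcribed from the IDA listing in the post: file offsets, names, sizes.
STR_OFF, TABLE_OFF = 0x13426, 0x17518
BASE = 0x201A626 - STR_OFF   # first name pointer minus its string's file offset
NAMES = ["PRELOADER", "MBR", "EBR1", "PRO_INFO", "NVRAM", "PROTECT_F",
         "PROTECT_S", "SECURE", "UBOOT", "BOOTIMG", "RECOVERY", "SECSTATIC",
         "MISC", "LOGO", "EXPDB", "ANDSYSIMG", "CACHE", "USER", "FAT"]
SIZES = [0x600000, 0x80000, 0x80000, 0x300000, 0x500000, 0xA00000, 0xA00000,
         0x20000, 0x60000, 0x600000, 0x600000, 0x40000, 0x80000, 0x300000,
         0xA00000, 0x28A00000, 0x17800000, 0x20000000]   # FAT has no record

# Assumed layout: u32 name pointer, u32 zero, u32 size, 12 bytes of padding.
RECORD = struct.Struct("<III12x")
NAME_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


def build_sample():
    """Constructed stand-in for preloader.bin: string table plus record table."""
    blob = bytearray(0x176D0)
    offsets, off = [], STR_OFF
    for name in NAMES:
        raw = name.encode() + b"\0"
        blob[off:off + len(raw)] = raw
        offsets.append(off)
        off += len(raw)
    for i, (str_off, size) in enumerate(zip(offsets, SIZES)):
        RECORD.pack_into(blob, TABLE_OFF + i * RECORD.size, BASE + str_off, 0, size)
    return bytes(blob)


def cstring(blob, off):
    """NUL-terminated partition-style name at a file offset, or None."""
    if not 0 <= off < len(blob):
        return None
    end = blob.find(b"\0", off)
    raw = blob[off:end] if end != -1 else b""
    if not raw or len(raw) > 32 or not set(raw) <= NAME_CHARS:
        return None
    return raw.decode()


def walk(blob, table_off, base):
    """Read consecutive records until a name fails to resolve or size is 0."""
    rows, pos = [], table_off
    while pos + RECORD.size <= len(blob):
        ptr, _, size = RECORD.unpack_from(blob, pos)
        name = cstring(blob, ptr - base)
        if name is None or size == 0:
            break
        rows.append((name, size))
        pos += RECORD.size
    return rows


def find_table(blob, anchor=b"PRELOADER\0", min_rows=3):
    """Try every aligned word as 'pointer to the anchor string'; the base it
    implies is accepted when the following records resolve with it too."""
    str_off = blob.find(anchor)
    if str_off < 0:
        return None
    for pos in range(0, len(blob) - RECORD.size + 1, 4):
        base = struct.unpack_from("<I", blob, pos)[0] - str_off
        if base < 0:
            continue
        rows = walk(blob, pos, base)
        if len(rows) >= min_rows:
            return {"table_off": pos, "base": base, "rows": rows}
    return None


def stored_bytes(size):
    """Bytes of a 32-bit size in file order (little endian), as the hex view shows them."""
    return struct.pack("<I", size).hex(" ")


if __name__ == "__main__":
    hit = find_table(build_sample())
    print(f'table at {hit["table_off"]:#x}, pointer base {hit["base"]:#x}')
    for name, size in hit["rows"]:
        print(f"{name:<10} {size:#010x}  bytes: {stored_bytes(size)}")
```

On the values in the listing, every name pointer minus its string's file offset gives the same constant, which is how the scan tells a real table from coincidental bytes.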
Something to bear in mind is CRC32 once you edit something within partition data, I only stumbled on this looking for something else explained a lot and cleared a few things up for me as to why some editing doesn't seem to work.
Try this on Partition info http://www.jonrajewski.com/data/PartitionScheme/Partition_Table_Documentation_Compressed.pdf really useful
Sent from my B1-730HD using XDA Free mobile app
This is going to be a bit incoherent, because I'm just starting out with this stuff, and my issue is not exactly the same as yours. But I **think** that the overlap is so close that perhaps we can help each other. I admit up front that I am going to have to read this entire thread another 5-10 times before I really understand what you know, what you don't know,and what you need/want to know. In the meantime, here is my problem and the bits I think i know:
1. What I have: I have an MT6735M-based phone [it is the "rook" by EE]. I have managed to root this phone by SP-Flash-Tool to manually download TWRP over the stock recovery partition; then I used TWRP to install superuser.apk for this device. In order to do this and not brick anything, I spent a fair amount of time getting a correct scatter file, and I think I have a very accurate one for my phone.
2. My problem: The phone is rooted all right, but the bootloader is still locked. The above rooting with SP Flash Tools was unconcerned with the bootloader lock state. But my understanding is that the bootloader being locked or not is simply a bootloader variable, just as S-on or S-off is a bootloader variable. My understanding is that the bootloader code is just the partition lk.bin -- but that the variables themselves are stored in nvram.bin. From various threads about other phones, I believe that "all" that the bootloader unlocking and locking recipes just in the end change the stored value of the single toggle variable bootloader:locked. If I can find out where that variable is stored, I should be able to read-back the nvram partition, change the single long int corresponding to the value of "lock", and download the new nvram.bin to the phone. Do I have a hope of finding these bytes?
3. I can say with some certainty that if you read-back the preloader partition from a MT6735M, you get a file whose first 2048 bytes need to be discarded to get an image you can flash back to the phone.
How to unpack the stripped preloader bin file is proving very difficult. Any clever ideas?
