I figured out how to hack the EBR1 on the MediaTek MTK6572 to increase userdata by merging the fat and userdata partitions. Unfortunately, this mod does not change the block maps, even when editing the scatter text to match the EBR1 hack mod. Here is the post on how it is done.
http://elizabethswikis.blogspot.com/2014/09/tutorial-how-to-increase-partition-on.html
After much searching, I finally found out that the block maps are probably set up via preloader.bin, which tells /proc/dumchar_info what the blocks are and their sizes. Now I would like to figure out how to hack the preloader, either the bin or preloader_and_dsp, to edit those sections so that they match up with the modded EBR1. I just can't find any information. I looked at the preloader.bin and preloader_and_dsp in a hex editor and emacs, but that doesn't help me much; I am able to see the section where it lists EBR1, preloader, userdata, android, etc., but can't make out how to change those hex values.
Nobody knows
Well, after much searching as to what could possibly be in the preloader.bin and lk.bin for eMMC MTK devices, I figure that it is probably all the .c files that were put into a .bin using the makefile. Okay, that is great, even better, everybody knows how to make one, yet nobody knows how to extract it?
The terminal shell command strings lk.bin lets me read what exactly the preloader/bootloader is supposed to do, and where the files are pointed to. So for example, I know that there is a meta.c and UART.c inside, to name a few; now I would like to get them out.
That seems a bit hard to believe, why would one want to know how to make something they can't take apart later on for bug fixing?
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
read the post
Karthickgandhi said:
Refer this tutorial
http://forum.xda-developers.com/showthread.php?t=2596030&page=8
Regards,
Karthick
I don't think you entirely read my post or looked at my blog. Anyway, for anybody who wants to look at the preloader.bin and lk.bin, this can be done in IDA PRO using the ARM little endian option. I've been looking at it myself, and figured out that if you use the correct ROM/RAM size and start address, IDA PRO disassembles the files. The only thing is, I can't figure out what the start address for a RAM file would be.
Now that I have figured out how to read those "BIN" files, how can I get them to load so that I can modify the "/proc/dumchar/" to match my "ALREADY HACKED EBR1".
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level knowledge in partitioning etc. Noted now only that the command
--->cat /proc/dumchar_info
doesn't change even after changing the ebr and i have increased the internal app storage memory.
Regards,
Karthick
Preloader.bin
Karthickgandhi said:
Research and continue your development and make a tutorial for hacking preloader.bin
I have a very basic level knowledge in partitioning etc. Noted now only that the command
--->cat /proc/dumchar_info
doesn't change even after changing the ebr and i have increased the internal app storage memory.
Regards,
Karthick
The post tells how to repartition the EBR1; as for the preloader.bin, well, you can disassemble it in IDA Pro.
Thing is, I got as far as finding where the partitions are, and even figured out how to change the values. After exporting it as a raw binary, well, that is where I'm stuck. IDA exports it with a .txt extension, and it needs to be .bin. How, in Linux, could I convert that using the dd command for a successful flash, aka:
dd if=preloader.txt of=preloader.bin bs=1 skip=????
If that's a complete one you can use this command
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
Dont need to specify bs,skip,etc
Regards,
Karthick
Hacking mtk6572 bootloader
Karthickgandhi said:
If that's a complete one you can use this command
dd if=/path_of_edited_preloader.txt of=/path_for_new_preloader.bin
Dont need to specify bs,skip,etc
Regards,
Karthick
I tried that, but it didn't boot when I loaded the modified preloader.bin. I was wondering if it was because:
A. Was it because I named it preloader-modified.bin?
B. Is there another place that needs to be modified besides the userdata partition?
The original size is 0x2000000; the full size using the fat and userdata combined is 0xA7040000. Is there another place that it should be changed? I could not find the fat partition in the preloader.bin, everything except for the FAT size, which is 0x87040000, and the BMPOOL; I have to look at that size. When comparing with the dumchar_info and scatter file, it shows all the partition sizes from preloader down to userdata.
I also have a preloader.bin from the manufacturer where I purchased my phone; that preloader, scatter and EBR1 use the full userdata with no fat size, but the scatter for the other tablet/phone has a fat section with a 0x0 partition size, uses the full userdata and no fat partition. Also, when comparing that preloader with my preloader, same thing, everything right down to the userdata, missing fat and BMPOOL.
Well, tomorrow I'll try again, this time doing dd if=preloader.txt of=preloader.bin. The name preloader-modified.bin may not have worked, since reading through the entire preloader.bin and lk.bin, it directs to flash preloader, uboot, lk < I know both are the same, userdata, fat, etc...
bethnesbitt said:
Got that working???
decompile bootloader
Karthickgandhi said:
Got that working???
No, I have been picking it apart for a few hours a day since trying that method.
The dd if=preloader.txt > preloader.bin didn't work. Then I found out there was a way to just apply the patch to the file; thought cool, tried that, didn't work either.
So now I'm thinking it's how I am trying to load it in IDA PRO. If what some research says is right, it is arm-eabi-gcc, and I'm not sure if IDA is actually supporting that correctly. There are plenty of tutorials on how to compile, but nothing about decompiling.
bethnesbitt said:
Nice.... but are you sure that the dumchar_info is associated with the preloader? I doubt the pmt (partition management table)
Code:
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000600000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000100000 2 /dev/block/mmcblk0
pro_info 0x0000000000300000 0x0000000000500000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000800000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000d00000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001700000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000002100000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000002120000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000002180000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000002780000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x0000000002d80000 2 /dev/block/mmcblk0p4
misc 0x0000000000080000 0x0000000003380000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000003400000 2 /dev/block/mmcblk0
ebr2 0x0000000000080000 0x0000000003700000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000003780000 2 /dev/block/mmcblk0
android 0x000000002bc00000 0x0000000004180000 2 /dev/block/mmcblk0p5
cache 0x0000000007e00000 0x000000002fd80000 2 /dev/block/mmcblk0p6
usrdata 0x0000000040000000 0x0000000037b80000 2 /dev/block/mmcblk0p7
fat 0x000000006fba0000 0x0000000077b80000 2 /dev/block/mmcblk0p8
bmtpool 0x0000000001500000 0x00000000ff9f00a8 2 /dev/block/mmcblk0
Regards,
Karthick
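Added example, not code from any poster in this thread: a small Python script that parses a /proc/dumchar_info dump like the table above, checks that the eMMC regions are contiguous with no overlaps, computes the size a merged usrdata+fat region would have (which is what the EBR1 edit does), and diffs two dumps so you can tell whether a repartition actually changed what the kernel reports. The embedded table is the one posted above. By assumption the preloader row (it maps to /dev/misc-sd, the boot area) and the bmtpool pseudo entry are left out of the contiguity check, since their addresses are not in the user-area address space.

```python
"""Parse a MediaTek /proc/dumchar_info dump and sanity-check the map.

Added example, not code from the thread. DUMCHAR_SAMPLE is the table posted
in the thread (an MT65xx eMMC device); on a device, get the input with
`adb shell cat /proc/dumchar_info`.
"""
from dataclasses import dataclass

DUMCHAR_SAMPLE = """\
Part_Name Size StartAddr Type MapTo
preloader 0x0000000000600000 0x0000000000000000 2 /dev/misc-sd
mbr 0x0000000000080000 0x0000000000000000 2 /dev/block/mmcblk0
ebr1 0x0000000000080000 0x0000000000080000 2 /dev/block/mmcblk0p1
pmt 0x0000000000400000 0x0000000000100000 2 /dev/block/mmcblk0
pro_info 0x0000000000300000 0x0000000000500000 2 /dev/block/mmcblk0
nvram 0x0000000000500000 0x0000000000800000 2 /dev/block/mmcblk0
protect_f 0x0000000000a00000 0x0000000000d00000 2 /dev/block/mmcblk0p2
protect_s 0x0000000000a00000 0x0000000001700000 2 /dev/block/mmcblk0p3
seccfg 0x0000000000020000 0x0000000002100000 2 /dev/block/mmcblk0
uboot 0x0000000000060000 0x0000000002120000 2 /dev/block/mmcblk0
bootimg 0x0000000000600000 0x0000000002180000 2 /dev/block/mmcblk0
recovery 0x0000000000600000 0x0000000002780000 2 /dev/block/mmcblk0
sec_ro 0x0000000000600000 0x0000000002d80000 2 /dev/block/mmcblk0p4
misc 0x0000000000080000 0x0000000003380000 2 /dev/block/mmcblk0
logo 0x0000000000300000 0x0000000003400000 2 /dev/block/mmcblk0
ebr2 0x0000000000080000 0x0000000003700000 2 /dev/block/mmcblk0
expdb 0x0000000000a00000 0x0000000003780000 2 /dev/block/mmcblk0
android 0x000000002bc00000 0x0000000004180000 2 /dev/block/mmcblk0p5
cache 0x0000000007e00000 0x000000002fd80000 2 /dev/block/mmcblk0p6
usrdata 0x0000000040000000 0x0000000037b80000 2 /dev/block/mmcblk0p7
fat 0x000000006fba0000 0x0000000077b80000 2 /dev/block/mmcblk0p8
bmtpool 0x0000000001500000 0x00000000ff9f00a8 2 /dev/block/mmcblk0
"""

# Assumption: these two rows are not addressed inside the eMMC user area
# (preloader is on the boot area, bmtpool is a pseudo entry), so they are
# excluded from the contiguity check.
NOT_USER_AREA = ("preloader", "bmtpool")


@dataclass
class Part:
    name: str
    size: int
    start: int
    ptype: int
    map_to: str

    @property
    def end(self):
        return self.start + self.size


def parse_dumchar(text):
    """One Part per data row; the header row and blank lines are skipped."""
    parts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] == "Part_Name":
            continue
        parts.append(Part(f[0], int(f[1], 16), int(f[2], 16), int(f[3]), f[4]))
    return parts


def layout_issues(parts, skip=NOT_USER_AREA):
    """(kind, left, right) for every gap or overlap between regions that are
    consecutive by start address; an empty list means the map is contiguous."""
    regions = sorted((p for p in parts if p.name not in skip), key=lambda p: p.start)
    issues = []
    for a, b in zip(regions, regions[1:]):
        if b.start < a.end:
            issues.append(("overlap", a.name, b.name))
        elif b.start > a.end:
            issues.append(("gap", a.name, b.name))
    return issues


def merged_size(parts, first, second):
    """Size of one region covering `first` and `second`, which must be adjacent."""
    by_name = {p.name: p for p in parts}
    a, b = by_name[first], by_name[second]
    if a.end != b.start:
        raise ValueError(f"{first} and {second} are not adjacent")
    return a.size + b.size


def diff_layouts(old, new):
    """Names whose (size, start) changed between two dumps: shows whether a
    repartition actually changed what the kernel reports."""
    o = {p.name: (p.size, p.start) for p in old}
    n = {p.name: (p.size, p.start) for p in new}
    return {k: (o.get(k), n.get(k)) for k in sorted(o.keys() | n.keys()) if o.get(k) != n.get(k)}


if __name__ == "__main__":
    parts = parse_dumchar(DUMCHAR_SAMPLE)
    for p in parts:
        print(f"{p.name:<10} 0x{p.start:09X}..0x{p.end:09X}  {p.map_to}")
    print("issues:", layout_issues(parts) or "none")
    print("usrdata+fat merged would be 0x%X" % merged_size(parts, "usrdata", "fat"))
```

Run it once on a dump taken before the EBR1 edit and once on a dump taken after; if diff_layouts returns an empty dict, the kernel is still using the old map, which is exactly the symptom described earlier in the thread.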
dumchar
Right now I'm not in Linux, so I can't copy and paste, so I will give a quick summary of what I see when I decompile the preloader.bin.
At the bottom of the preloader in IDA PRO is a list of the partition sizes, everything except for the FAT and BMTPOOL.
It shows, as an ASCII string, the partition sizes; just giving a bit of what I remember off the top of my head:
0x600000 < preloader
0x600000 < Rom
0x800000 < EBR1
0xA00000
0x1780000 < this is my cache size
0x2000000 < this is my userdata size
Also the ASCII string has
FAT
USERDATA
UBOOT
PRELOADER
BOOT
ANDROIDSYS
IDA isn't disassembling it correctly, because all the strings should point to an operand, but the partition sizes don't. Today I went through and am trying different library types using the METAPC option. It took me 2 months to hack the EBR1; this may take me just as long.
Good luck. Don't forget to share if you hit that jackpot. I am trying to increase my recovery partition but facing some problems. Unlike the /system or /data partition, it cannot be altered by hacking the MBR/EBR. Do you have any idea?
Hey, I have HTC Desire 310 it uses MTK6582 and it has locked bootloader. I think the bootloader has something to do with the preloader, so if you can help me in some way, pls PM me!
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
f*ck
Antagonist42 said:
Take a look here, it may help http://forum.xda-developers.com/showthread.php?t=1959691
This WILL help with how the partitions and security may be working http://www.uefi.org/specifications
Doesn't work, brother. I don't know what the problem is. This is an MTK phone, with a bootloader locked by HTC. I tried everything and nothing works.
boka18 said:
doesn't work brother.. idk what is the problem.. This is MTK phone, with locked bootloader by htc.. idk i tried everything and nothing works
What do you mean 'doesn't work'? What was it you're looking for? I'm posting info that may help the thread as to partitions, how they work and what different formats can be used.
Dissemble preloader.bin - unlock bootloader?
The preloader is the bootloader. After disassembling the preloader.bin, somewhat successfully, in IDA PRO, here is what I see for partitions:
In IDA, open the preloader.bin and change the dropdown to ARM little endian. I am unsure about the size for ROM and the loading address; I tried many different sizes and start addresses, and each time it gave me a somewhat different outcome.
Select Arm Little Endian
Not sure about the Rom Size, did try size for RAM but would not encode. Have tried different sizes for ROM, getting different outputs. Using the loading address as 0x0, which is the linear start address in the scatter for preloader seems to make sense, could be wrong. Beware though, the larger size you try, the laggier your PC will get
Now when the preloader.bin is done loading, go to Edit menu and select all. Now press the letter C on your keyboard for code, choose Analyse and say yes. When done analyzing, you can scroll through the code, it doesn't analyze everything you will see some code that was not analyzed, those are in gold, if you select all that unanalyzed code by pressing shift+arrowdown, then press C it will analyze that code, you may want to go through and do that little cleanup.
Towards the bottom, you will see ASCII text that was decoded; here is what shows for my partitions.
Code:
ROM:00017518 dword_17518 DCD 0x201A626, 0 ; DATA XREF: sub_11CC+2o
ROM:00017518 ; ROMff_11D4o
ROM:00017520 DCD dword_600000 <- PRELOADER
ROM:00017524 ALIGN 0x10
ROM:00017530 DCD 0x201A630, 0
ROM:00017538 DCD dword_80000 <-- MBR
ROM:0001753C DCD 0, 0, 0
ROM:00017548 DCD 0x201A634, 0
ROM:00017550 DCD dword_80000 <-- EBR1
ROM:00017554 ALIGN 0x10
ROM:00017560 DCD 0x201A639, 0
ROM:00017568 DCD dword_300000 <-- PRO_INFO
ROM:0001756C DCD 0, 0, 0
ROM:00017578 DCD 0x201A642, 0
ROM:00017580 DCD dword_500000 < -- NVRAM
ROM:00017584 ALIGN 0x10
ROM:00017590 DCD 0x201A648, 0
ROM:00017598 DCD dword_A00000 <-- PROTECT_F
ROM:0001759C DCD 0, 0, 0
ROM:000175A8 DCD 0x201A652, 0
ROM:000175B0 DCD dword_A00000 <-- PROTECT_S
ROM:000175B4 ALIGN 0x10
ROM:000175C0 DCD 0x201A65C, 0
ROM:000175C8 DCD dword_20000 <-- SEFCG
ROM:000175CC DCD 0, 0, 0
ROM:000175D8 DCD 0x201A663, 0
ROM:000175E0 DCD dword_60000 <- UBOOT/LK.BIN
ROM:000175E4 ALIGN 0x10
ROM:000175F0 DCD 0x201A669, 0
ROM:000175F8 DCD dword_600000 < -- BOOTIMG
ROM:000175FC DCD 0, 0, 0
ROM:00017608 DCD 0x201A671, 0
ROM:00017610 DCD dword_600000 <-- RECOVERY
ROM:00017614 ALIGN 0x10
ROM:00017620 DCD 0x201A67A, 0
ROM:00017628 DCD dword_40000 <-- SEC_RO
ROM:0001762C DCD 0, 0, 0
ROM:00017638 DCD 0x201A684, 0
ROM:00017640 DCD dword_80000 < -- MISC
ROM:00017644 ALIGN 0x10
ROM:00017650 DCD 0x201A689, 0
ROM:00017658 DCD dword_300000 <-- LOGO
ROM:0001765C DCD 0, 0, 0
ROM:00017668 DCD 0x201A68E, 0
ROM:00017670 DCD dword_A00000 <-- EXPDB
ROM:00017674 ALIGN 0x10
ROM:00017680 DCD 0x201A694, 0
ROM:00017688 DCD 0x28A00000, 0, 0, 0 < -- ANDROID SYSTEM
ROM:00017698 DCD 0x201A69E, 0
ROM:000176A0 DCD 0x17800000, 0, 0, 0 < -- CACHE
ROM:000176B0 DCD 0x201A6A4, 0
ROM:000176B8 DCD 0x20000000, 0, 0, 0 <-- USERDATA
If you compare that to your scatter, you will see that they match up, right in order per the scatter as well as when you go into:
Code:
adb shell
cat /proc/dumchar_info > /sdcard/dumchar.txt
Karthick, for your question, yes, the recovery can be modified. Now another option is using a hexdump. Maybe somebody can point us to using hexdump to modify and save it back to the binary format. First you would have to figure out how to change the value in the preloader.bin of your recovery; I am not sure if just that ASCII value has to be changed, or if there is another place. Once you decompile the preloader.bin in IDA, you can see where those ASCII values point to identifiers throughout the code in various spots, except for the partition sizes.
Now, for the ascii, here is a little bit from mine:
Code:
ROM:00013426 aPreloader DCB "PRELOADER",0 ; DATA XREF: sub_DB84+B0o
ROM:00013426 ; ROM:off_DCD0o ...
ROM:00013430 aMbr DCB "MBR",0
ROM:00013434 aEbr1 DCB "EBR1",0
ROM:00013439 aPro_info DCB "PRO_INFO",0
ROM:00013442 aNvram DCB "NVRAM",0
ROM:00013448 aProtect_f DCB "PROTECT_F",0
ROM:00013452 aProtect_s DCB "PROTECT_S",0
ROM:0001345C aSecure DCB "SECURE",0 ; DATA XREF: sub_D7F8+5Co
ROM:0001345C ; ROM:off_D8E8o ...
ROM:00013463 aUboot DCB "UBOOT",0 ; DATA XREF: ROM:000027C8o
ROM:00013463 ; ROM:off_2848o ...
ROM:00013469 aBootimg DCB "BOOTIMG",0 ; DATA XREF: sub_DB84+38o
ROM:00013469 ; ROM:off_DCBCo ...
ROM:00013471 aRecovery DCB "RECOVERY",0 ; DATA XREF: sub_DB84+68o
ROM:00013471 ; ROM:off_DCC4o ...
ROM:0001347A aSecstatic DCB "SECSTATIC",0 ; DATA XREF: sub_DB84+118o
ROM:0001347A ; ROM:off_DCF0o
ROM:00013484 aMisc DCB "MISC",0
ROM:00013489 aLogo_0 DCB "LOGO",0 ; DATA XREF: sub_D544+6Ao
ROM:00013489 ; ROM:off_D61Co ...
ROM:0001348E aExpdb DCB "EXPDB",0
ROM:00013494 aAndsysimg DCB "ANDSYSIMG",0 ; DATA XREF: sub_DB84+112o
ROM:00013494 ; ROM:off_DCECo
ROM:0001349E aCache DCB "CACHE",0 ; DATA XREF: sub_DB84+DEo
ROM:0001349E ; sub_DB84+12Ao ...
ROM:000134A4 aUser DCB "USER",0 ; DATA XREF: sub_DB84+124o
ROM:000134A4 ; ROM:off_DCF8o
ROM:000134A9 aFat DCB "FAT",0
ROM:000134AD aDeviceApcDomai DCB 0xA ; DATA XREF: sub_1208+8o
ROM:000134AD ; ROM:off_130Co
and here is the identifier:
Code:
ROM:0000DCB4 off_DCB4 DCD aUboot - 0xDB8E ; DATA XREF: sub_DB84+4r
ROM:0000DCB4 ; "UBOOT"
ROM:0000DCB8 off_DCB8 DCD aLogo_0 - 0xDBA8 ; DATA XREF: sub_DB84+1Er
ROM:0000DCB8 ; "LOGO"
ROM:0000DCBC off_DCBC DCD aBootimg - 0xDBC0 ; DATA XREF: sub_DB84+36r
ROM:0000DCBC ; "BOOTIMG"
ROM:0000DCC0 off_DCC0 DCD aAndroid - 0xDBD8 ; DATA XREF: sub_DB84+4Er
ROM:0000DCC0 ; "ANDROID"
ROM:0000DCC4 off_DCC4 DCD aRecovery - 0xDBF0 ; DATA XREF: sub_DB84+66r
ROM:0000DCC4 ; "RECOVERY"
ROM:0000DCC8 off_DCC8 DCD aSec_ro - 0xDC08 ; DATA XREF: sub_DB84+7Er
ROM:0000DCC8 ; "SEC_RO"
ROM:0000DCCC off_DCCC DCD aSeccnfg - 0xDC20 ; DATA XREF: sub_DB84+96r
ROM:0000DCCC ; "SECCNFG"
ROM:0000DCD0 off_DCD0 DCD aPreloader - 0xDC38 ; DATA XREF: sub_DB84+AEr
ROM:0000DCD0 ; "PRELOADER"
ROM:0000DCD4 off_DCD4 DCD aUsrdata - 0xDC50 ; DATA XREF: sub_DB84+C6r
ROM:0000DCD4 ; "USRDATA"
ROM:0000DCD8 off_DCD8 DCD aCache - 0xDC66 ; DATA XREF: sub_DB84+DCr
ROM:0000DCD8 ; "CACHE"
ROM:0000DCDC off_DCDC DCD aSPartNameSNotF - 0xDC80 ; DATA XREF: sub_DB84+F2r
ROM:0000DCDC ; "[%s] part name '%s' not found\n"
ROM:0000DCE0 off_DCE0 DCD aLib - 0xDC82 ; DATA XREF: sub_DB84+F6r
ROM:0000DCE0 ; "LIB"
ROM:0000DCE4 off_DCE4 DCD aSec_util_c - 0xDC8E ; DATA XREF: sub_DB84+100r
ROM:0000DCE4 ; "sec_util.c"
ROM:0000DCE8 off_DCE8 DCD a0 - 0xDC90 ; DATA XREF: sub_DB84+102r
ROM:0000DCE8 ; "0"
ROM:0000DCEC off_DCEC DCD aAndsysimg - 0xDC9A ; DATA XREF: sub_DB84:loc_DC94r
ROM:0000DCEC ; "ANDSYSIMG"
ROM:0000DCF0 off_DCF0 DCD aSecstatic - 0xDCA0 ; DATA XREF: sub_DB84:loc_DC9Ar
ROM:0000DCF0 ; "SECSTATIC"
ROM:0000DCF4 off_DCF4 DCD aSecure - 0xDCA6 ; DATA XREF: sub_DB84:loc_DCA0r
ROM:0000DCF4 ; "SECURE"
ROM:0000DCF8 off_DCF8 DCD aUser - 0xDCAC ; DATA XREF: sub_DB84:loc_DCA6r
ROM:0000DCF8 ; "USER"
ROM:0000DCFC off_DCFC DCD aCache - 0xDCB2 ; DATA XREF: sub_DB84:loc_DCACr
ROM:0000DCFC ; "CACHE"
Issue is though, I cannot find the partition sizes the way I can when looking at the ASCII and identifiers.
Now to change the cache size or any other size, in the ASCII where, for example, the cache size of mine is:
ROM:000176A0 DCD 0x17800000, 0, 0, 0
1. Make sure to mouse click on the partition size before going into the hex; this will bring you right to it in hex, where it can be changed.
2. Click on the tab that says Hex View-A and let's say you want to decrease it, cut it in half for example: 17800000/2 = BC00000, or 394264576/2 = 197132288, which is a hex value of BC00000.
So in the Hex View-A, make sure the size is selected; you want to change 80 17 to 00 BC, it has to be entered from right to left so that the IDA View-A can read it from left to right.
Thing is, I tried a few things:
In on the menu, selecting Edit > export data, and exporting it as raw binary then in terminal
Code:
dd if=preloader.txt > preloader.bin
Did not work
Also tried:
Edit > apply patch > apply patch to input program did not work either, both just caused my tablet to get stuck at the boot logo.
Now this, as mentioned could be possibly because, I am doing the conversion correctly when making the changes, but:
Where is that identifier for the partition sizes, or is there one?
Is IDA decompiling it correctly?
Where is the identifier for FAT?
Where is the partition size for FAT?
Does the reason the EBR1 hack work, per my blog instructions, because there is no partition size for FAT in the bootloader?
Once, just to see what would happen, and it worked, I decreased my cache, this was hard to get the phone to like, but it worked. Next I increased the cache, the phone seemed okay with that hack.
Here are those instructions to modify the EBR1 and increase/decrease cache
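Added example, not code from the thread or from MediaTek: a Python script that does, on a constructed image, what the IDA walkthrough above does by hand. It assumes the entry layout visible in the listing (24-byte entries: a pointer to the NUL-terminated partition name, a zero word, the size, three zero words, all little-endian), derives the pointer-to-file-offset delta by matching three consecutive entries instead of guessing a load base (in the posted listing, the pointer 0x201A626 minus the string offset 0x13426 would give 0x2007200), and rewrites one size field with struct.pack, which takes care of the byte order (0x0BC00000 lands on disk as 00 00 C0 0B). It writes the whole image back, so no dd conversion step is needed. It does nothing about any checksum or signature over the image; the thread reports that a size edit alone did not boot, and a later post raises CRC32, so treat this as the locate-and-patch step only. Partition names and sizes in the fixture are the ones quoted in the thread; the offsets and the delta are made up for the test image.

```python
"""Locate and patch the partition-size table inside a preloader-style image.

Added example for the thread, not vendor code. Layout assumed from the IDA
listing: 24-byte entries {u32 name_ptr, u32 0, u32 size, u32 0, u32 0, u32 0},
little-endian, where name_ptr is a run-time address of a NUL-terminated name.
The image built by build_sample() is constructed, not a real preloader.
"""
import struct

ENTRY = struct.Struct("<IIIIII")        # name_ptr, 0, size, 0, 0, 0
ENTRY_SIZE = ENTRY.size                 # 24 bytes
U32 = struct.Struct("<I")

# (name, size) pairs; the sizes are the values quoted in the thread
PARTS = [("PRELOADER", 0x600000), ("MBR", 0x80000), ("EBR1", 0x80000),
         ("CACHE", 0x17800000), ("USERDATA", 0x20000000)]


def build_sample(delta=0x2007200, str_off=0x1000, tbl_off=0x2000):
    """Construct a fake image: names at str_off, table at tbl_off, and
    name pointers = file offset + delta (assumed load-address delta)."""
    blob = bytearray(b"\xff" * 0x3000)
    ptrs, cur = {}, str_off
    for name, _ in PARTS:
        raw = name.encode() + b"\0"
        blob[cur:cur + len(raw)] = raw
        ptrs[name] = cur + delta
        cur += len(raw)
    for i, (name, size) in enumerate(PARTS):
        off = tbl_off + i * ENTRY_SIZE
        blob[off:off + ENTRY_SIZE] = ENTRY.pack(ptrs[name], 0, size, 0, 0, 0)
    return bytes(blob)


def string_offsets(blob, names):
    """File offset of each NUL-terminated name (first exact match)."""
    return {n: blob.index(n.encode() + b"\0") for n in names}


def find_table(blob, offs, anchors=("PRELOADER", "MBR", "EBR1")):
    """Scan 4-byte aligned positions for three consecutive entries whose
    name pointers all map onto the anchor strings under one common delta.
    Returns (table_offset, delta); this avoids guessing the load address."""
    a = [offs[n] for n in anchors]
    for pos in range(0, len(blob) - 3 * ENTRY_SIZE, 4):
        delta = U32.unpack_from(blob, pos)[0] - a[0]
        if delta < 0:
            continue
        if all(U32.unpack_from(blob, pos + i * ENTRY_SIZE)[0] - a[i] == delta
               for i in (1, 2)):
            return pos, delta
    raise LookupError("partition table not found")


def read_table(blob, table_off, delta, offs):
    """Walk entries until one no longer points at a known name.
    Returns [(name, size, file offset of the size field), ...]."""
    by_ptr = {off + delta: n for n, off in offs.items()}
    out, pos = [], table_off
    while pos + ENTRY_SIZE <= len(blob):
        name_ptr, z0, size, z1, z2, z3 = ENTRY.unpack_from(blob, pos)
        if name_ptr not in by_ptr or (z0, z1, z2, z3) != (0, 0, 0, 0):
            break
        out.append((by_ptr[name_ptr], size, pos + 8))   # size is the 3rd word
        pos += ENTRY_SIZE
    return out


def patch_size(blob, table_off, delta, offs, name, new_size):
    """Return a copy of blob with `name`'s size field rewritten in place.
    struct handles byte order: 0x0BC00000 is stored as 00 00 C0 0B."""
    if not 0 <= new_size <= 0xFFFFFFFF:
        raise ValueError("size must fit in 32 bits")
    out = bytearray(blob)
    for n, _old, size_off in read_table(blob, table_off, delta, offs):
        if n == name:
            U32.pack_into(out, size_off, new_size)
            return bytes(out)
    raise KeyError(name)


if __name__ == "__main__":
    img = build_sample()
    offs = string_offsets(img, [n for n, _ in PARTS])
    tbl, delta = find_table(img, offs)
    print(f"table at 0x{tbl:X}, pointer delta 0x{delta:X}")
    for n, size, off in read_table(img, tbl, delta, offs):
        print(f"  {n:<10} size 0x{size:08X} (field at 0x{off:X})")
    patched = patch_size(img, tbl, delta, offs, "CACHE", 0x17800000 // 2)
    with open("preloader-patched.bin", "wb") as f:   # whole image, no dd step
        f.write(patched)
```

To use it on a real readback, replace build_sample() with open("preloader.bin", "rb").read(); if the readback carries a header (one later post says the first 2048 bytes of an MT6735M readback have to be discarded), string_offsets and find_table still work because the delta is derived, not assumed.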
Something to bear in mind is CRC32 once you edit something within partition data. I only stumbled on this looking for something else; it explained a lot and cleared a few things up for me as to why some editing doesn't seem to work.
Try this on partition info, http://www.jonrajewski.com/data/PartitionScheme/Partition_Table_Documentation_Compressed.pdf, really useful.
This is going to be a bit incoherent, because I'm just starting out with this stuff, and my issue is not exactly the same as yours. But I **think** that the overlap is so close that perhaps we can help each other. I admit up front that I am going to have to read this entire thread another 5-10 times before I really understand what you know, what you don't know, and what you need/want to know. In the meantime, here is my problem and the bits I think I know:
1. What I have: I have an MT6735M-based phone [it is the "rook" by EE]. I have managed to root this phone by using SP-Flash-Tool to manually download TWRP over the stock recovery partition; then I used TWRP to install superuser.apk for this device. In order to do this and not brick anything, I spent a fair amount of time getting a correct scatter file, and I think I have a very accurate one for my phone.
2. My problem: The phone is rooted all right, but the bootloader is still locked. The above rooting with SP Flash Tool was unconcerned with the bootloader lock state. But my understanding is that the bootloader being locked or not is simply a bootloader variable, just as S-on or S-off is a bootloader variable. My understanding is that the bootloader code is just the partition lk.bin, but that the variables themselves are stored in nvram.bin. From various threads about other phones, I believe that "all" the bootloader unlocking and locking recipes do in the end is change the stored value of the single toggle variable bootloader:locked. If I can find out where that variable is stored, I should be able to read back the nvram partition, change the single long int corresponding to the value of "lock", and download the new nvram.bin to the phone. Do I have a hope of finding these bytes?
3. I can say with some certainty that if you read back the preloader partition from an MT6735M, you get a file whose first 2048 bytes need to be discarded to get an image you can flash back to the phone.
How to unpack the stripped preloader bin file is proving very difficult. Any clever ideas?
Hi,
My phone is Doogee X5 which currently has Lollipop 5.1. Doogee has provided an official Marshmallow update on their site and I downloaded it.
I am using SP Flash Tool to flash the ROM, the version is 5.1636.00. The issue here is, it is saying the scatter file is invalid. I even place the SP Flash Tool and the ROM folder in my C drive but in vain. I have attached the scatter file, please take a look.
Can someone help me?
Try a different SP Flash Tool version. Some builds of the tool tend to be picky with scatter files from what I can attest.
blakegriplingph said:
Try a different SP Flash Tool version. Some builds of the tool tend to be picky with scatter files from what I can attest.
I just tried 5 different earlier versions but in vain. I still have this issue. I do not know how others have been using it well.
Hmm, strange. The scatter file seems OK, but idk why SPFT would spit it out as invalid. :/ Have you tried using a different dump?
ali20142014 said:
I just 5 different earlier versions but in vain. Still have this issue. I do not know how other have using it well.
Hi Ali,
did you find a solution with this "scatter file invalid" error ?
best,
Adri
Hello, I have the same problem here: Load Scatter File Invalid, Error 8417. My phone is an Oppo Yoyo R2001; I have already used more than 4 types of official ROM and it still doesn't work.
Hi everybody. I have a Kingzone N5 with 5.1.1.
I had the same problem and I tried the following. Hope it works for someone else.
SP tool error 8417
This is not a big problem
Problem with scatter file
Do the following
1. Open the scatter file in Notepad++, do not use Notepad
2. Just remove the BIRDTOOLMINVER[3.0] line from the scatter
3. This is the first line
4. Save the file, otherwise the problem will not be solved
5. Always run Notepad++ as administrator, otherwise the save command does not work and the problem remains
6. Also use the latest SP Flash Tool
7. Problem gone
8. Don't forget to press the thanks meter
You can see this video before the moderator removes the link
Happy to share with you
Press thanks meter....
Hi, I was trying to flash my vivo 1726 (vivo y85). I tried to load the scatter file but it said invalid.
Here is how my scatter file looks:
Code:
preloader 0x0
pgpt 0x0
boot_para 0x8000
recovery 0x108000
para 0x4108000
expdb 0x4188000
frp 0x5588000
nvcfg 0x5688000
nvdata 0x7688000
backup 0xb688000
survival 0xc088000
reserved 0x10088000
cust 0x10a88000
athena 0x14a88000
metadata 0x1e088000
protect1 0x20088000
protect2 0x20888000
seccfg 0x21800000
persist 0x22000000
sec1 0x25000000
proinfo 0x25200000
efuse 0x25500000
md1img 0x25580000
md1dsp 0x2b980000
spmfw 0x2c980000
scp1 0x2ca80000
scp2 0x2cb80000
sspm_1 0x2cc80000
sspm_2 0x2cd80000
gz1 0x2ce80000
gz2 0x2de80000
nvram 0x2ee80000
lk 0x32e80000
lk2 0x33380000
boot 0x33880000
logo 0x37880000
odmdtbo 0x38080000
tee1 0x39080000
tee2 0x39580000
vendor 0x3a000000
system 0x7a000000
cache 0x17a000000
userdata 0x18a000000
otp 0xFFFF01d8
flashinfo 0xFFFF0080
sgpt 0xFFFF0000
Can anyone help me?
Problem with scatter file
Please do check the firmware. Maybe the problem is in that. If the problem is not solved then please share screenshots so I can help you.
I have tried this but I am getting stuck when I try to upload the scatter file. It keeps saying "Partition so and so should NOT set is_download to true in scatter file. Please check." I have tried different versions of the SP Flash Tool but I keep getting the same results. Someone had suggested editing the scatter file in Notepad from true to false, but this did not work either. After editing, the files did not load onto the SP Flash Tool and I failed to proceed. My phone is a Blu Vivo XI Plus.
Hello
I'm having trouble with message 8417. My phone is huawei y600-u20.
please guide me.
Thanks
LimWilliam65 said:
Hi, I was trying to flash my vivo 1726 (vivo y85). I tried to load the scatter file but it said invalid.
Bruh, did you find any solution??
Mod edit - translated by https://www.deepl.com/translator
Hello all.
I have a problem with the MT6750_Android_scatter for the oukitel wp2.
Got this from the original site oukitel.com, but gives the message(invalid scatter file)
Anyone have an idea what the problem is?
Scooby1234- said:
Hello and good afternoon, @Scooby1234-
Welcome to XDA. I hope you'll always find and get the support you require.
As courtesy I've translated your above post. This is just a friendly reminder that English is the mandatory language! With reference to rule no. 4 of the XDA Forum Rules, please post in English or add at least an English translation to your Dutch posts.
Rule No. 4
4. Use the English language.
We understand that with all the different nationalities, not everyone speaks English well, but please try. If you're really unable to post in English, use an online translator. You're free to include your original message in your own language, below the English translation. (This rule covers your posts, profile entries and signature). You could try :- https://translate.google.com/ or https://www.babelfish.com/ or use one of your choice.
Thanks for your cooperation!
Regards
Oswald Boelcke
Senior Moderator
I am facing the same problem on a Tecno POVA 2..... it doesn't load the scatter file. Help me out; also my screen got stuck on the Tecno logo while rooting my phone...
PLEASE, anyone, HELP ME OUT?
[GUIDE] Restore Null SN and locked Bootloader|Wrong ROM flash|Amazfit Pace & Stratos
DON'T INSTALL ANY STOCK ROM
What is this?
It is guide/tutorial for restoring the serial number and unlocking the bootloader on your Amazfit Pace or Stratos watch.
If you have installed a Pace ROM on your Stratos watch, or a Stratos ROM on your Pace, you lost your serial number and locked the bootloader. If this is your case, you will probably note:
- Null serial number
- Locked bootloader
- Touchscreen not working
- Button/keys not working
- Bootloop
Supported devices
- Amazfit Pace watch: A1602 and A1612 models
- Amazfit 2 Stratos watch: A1609 and A16019 models
Can it be fixed?
Yes, it can. At least if your watch can gain root access over adb.
Requirements
1. Properly installed adb drivers
How to check this: Open a CMD.exe or any command window on your PC and type:
Code:
adb devices
Output (or similar)
Code:
List of devices attached
9dee1d33 device
2. Properly installed fastboot drivers
How to check this: Open a CMD.exe or any command window on your PC and type:
Code:
adb shell reboot bootloader
fastboot devices
Output (or similar)
Code:
0123456789 fastboot
Reboot with:
Code:
fastboot reboot
3. Root access over adb
How to check this: Open a CMD.exe or any command window on your PC and type:
Code:
adb root
Output (or similar)
Code:
adbd is already running as root
Another way to check root:
Code:
adb root
adb shell
Output (or similar)
Code:
[email protected]:/ #
In both cases, you gained root access over adb, you are good to go.
But if you get something like this:
Code:
adb cannot run as root in production builds
Or
Code:
[email protected]:/ $
You don't have root access over adb, which means you can't restore your watch. Check this post: https://forum.xda-developers.com/t/...fit-pace-stratos.3775998/page-3#post-84352471 by matrixios01
How to restore the watch
In few words:
- Meet the requirements
- Get some data from your watch
- Edit a file which I will provide (misc.img) with the previous data
- Restore the edited file (misc.img) to your watch
- Use your original unlock code for unlocking again the bootloader (this step may vary)
- Check that you managed to restore the SN and unlocked the bootloader (this step may vary)
- Install a custom ROM for your device (Pace ROM for Pace watch or Stratos ROM for Stratos watch)
- Check that your watch works fine again
I will post the whole method in the next post with all needed steps and commands.
Credits
To these people:
@S3V3N for original backup & restore script
@Neuer_User for all his stuff for Amazfit Pace and Stratos
@Cracklydisc (Nicola Sagliano) for all his stuff for Amazfit Pace and Stratos
@1immortal for all his stuff and support for Amazfit Pace and Stratos
Those two guys that tested this method first, with different results
If you like my work, buy me a beer.
Restore method
1. Get some data from your watch
Turn on your watch, connect the watch to PC, and open a CMD.exe or any command window.
Code:
adb shell getprop
Output (or similar)
Code:
[dalvik.vm.dex2oat-Xms]: [64m]
[dalvik.vm.dex2oat-Xmx]: [512m]
[dalvik.vm.heapgrowthlimit]: [64m]
.
.
.
[wifi.supplicant_scan_interval]: [360]
[windowsmgr.max_events_per_sec]: [500]
[wlan.driver.status]: [unloaded]
You will get a list with a lot of properties; you may find these properties marked in blue, or use an individual command for each parameter:
adb shell getprop ro.bt.bdaddr
Output=A1:B2:C3:00:E5:F6 = This is Bluetooth MAC address. 6 pairs of digits.
adb shell getprop ro.sn.serial_numbers
Output=123456789ABCDE = This is the Serial Number (SN) of your watch, and may be corrupted, but you can find it in the back of your watch as SN xxx.... 14 digits.
adb shell getprop ro.sn.serial_numbers_factory
Output=123456789AB = This is the factory serial number, and may be corrupted also, there is no way to get original one AFAIK and I don't know if it is relevant. 11 digits.
adb shell getprop ro.wifi.wifiaddr
Output=A1:B2:C3:00:E5:FF = This is WiFi MAC address. 6 pairs of digits, and different from Bluetooth address.
All the data marked in red, is the data we will use to edit misc.img file in next step.
2. Edit misc.img file
To do this, you will need to install a hexadecimal editor that works on your PC. As I use a Windows PC, I will use HxD to edit the misc.img file. You can download the HxD editor for Windows and the dummy misc.img file from here. A dummy misc.img file is a file which has random data on it.
2.1 Unzip the file, install HxD text editor and run it.
2.2 Chose Open, go to the path where misc.img is, select it and open the file:
2.3 Ensure that you are using hexadecimal (hex) address visualization:
3. Edit misc.img file with your data
3.1 Serial Number (SN)
Go to memory address 600, and enter your SN on Decoded Text section:
3.2 Bluetooth MAC
Go to memory address 800, and enter your Bluetooth MAC address on Decoded Text section:
3.3 WiFi MAC
Go to memory address A00, and enter your WiFi MAC address on Decoded Text section:
3.4 Factory serial number
Go to memory address C00, and enter your factory serial number on Decoded Text section. If you don't have this data, just leave it as it is.
3.5 Save edited misc.img file
Click on Save icon:
4. Now in the unzipped folder you will have the edited misc.img file and a new file named as misc.img.bak which is a backup of misc.img. If you want, you can open misc.img again and check if all your data is correct.
5. Copy misc.img to watch and restore it
Open a CMD.exe or any command window, and go to the path where misc.img is, and copy it to your watch:
Code:
adb push misc.img /sdcard/
Output (or similar)
Code:
1950 KB/s (16777216 bytes in 8.398s)
Restore misc.img on your watch (this is where root is needed):
Code:
adb root
adb shell dd if=/sdcard/misc.img of=/dev/block/platform/jzmmc_v1.2.0/by-name/misc
Output (or similar)
Code:
8193+0 records in
8192+0 records out
4194304 bytes transferred in 0.870 secs (4821039 bytes/sec)
Reboot your watch:
Code:
adb reboot
6. Check the SN
Reboot into fastboot mode:
Code:
adb shell reboot bootloader
Get all data from bootloader:
Code:
fastboot getvar all
Output (or similar)
Code:
.
.
.
(bootloader) serialno: 123456789ABCEF
.
.
(bootloader) unlocked: no
.
.
.
If you get your SN back ((bootloader) serialno: 123456789ABCEF), restoration was successful. But you may get unlocked bootloader result ((bootloader) unlocked: no), and here is where you will use your original unlock code, or request it again using the unlock service you already know.
Code:
fastboot oem unlock your_unlock_code
Output (or similar)
Code:
...
OKAY [ 0.047s]
finished. total time: 0.048s
And check again your bootloader status:
Code:
fastboot getvar all
Output (or similar)
Code:
.
.
.
(bootloader) serialno: 123456789ABCEF
.
.
(bootloader) unlocked: yes
.
.
.
If you get (bootloader) unlocked: yes your bootloader is unlocked again. If you get (bootloader) unlocked: no result, don't worry, it may be unlocked after installing any ROM for your device (this happened to me).
Exit from fastboot mode:
Code:
fastboot reboot
8. Install a ROM for your device
- If you own an Amazfit Pace watch, I suggest you to install any PACEfied ROM (1.2.50h for example) but 1.2.51 version (remember that this version is causing some issues for some users).
- If you own an Amazfit Stratos watch, I suggest you to install any STRATOSfied ROM.
9. Factory Reset
When the ROM is installed, it will probably not boot and will stay in a bootloop in the bootanimation, so you MUST do a Factory Reset in order to make it boot.
Reboot to fastboot mode:
Code:
adb shell reboot bootloader
Erase cache (It will take around 8s):
Code:
fastboot erase cache
Erase data (It will take around 210s):
Code:
fastboot erase data
10. When the Factory Reset finishes, check again the status of your bootloader
Code:
fastboot getvar all
Now you should get unlocked bootloader result. If not, use again the unlock code and command.
Exit from fastboot mode:
Code:
fastboot reboot
11. Your watch may be operative now
If everything went right, you managed to recover your bricked/****ed watch. Be ready to pair the watch with Amazfit app and enjoy your watch again!
Thanks for reading.
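Steps 2 to 4 above are hand edits in HxD, which is easy to get wrong by one byte and hard to double-check. The following is an added Python example (not part of the original guide or its download) that makes the same edit reproducibly: the offsets 0x600/0x800/0xA00/0xC00 and the field lengths are the ones the guide states; the assumption that the values are plain ASCII overwrites with no terminator added, exactly what typing in HxD's Decoded Text pane does, is mine. SAMPLE_IMAGE is a constructed stand-in for the dummy misc.img.

```python
import re
from pathlib import Path

# Offsets from the guide (HxD "Go to" addresses are hexadecimal) and the field
# lengths it states: 14-char SN, MACs as 6 colon-separated pairs, 11-char factory SN.
OFFSETS = {"sn": 0x600, "bt_mac": 0x800, "wifi_mac": 0xA00, "factory_sn": 0xC00}
LENGTHS = {"sn": 14, "bt_mac": 17, "wifi_mac": 17, "factory_sn": 11}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Constructed stand-in for the guide's dummy misc.img (the real one is 16 MiB of
# random data); 4 KiB is enough to cover the last field at 0xC00 + 11.
SAMPLE_IMAGE = bytes(range(256)) * 16

def validate(fields):
    """Reject malformed values before anything is written to the image."""
    for name, value in fields.items():
        if name.endswith("mac"):
            if not MAC_RE.match(value):
                raise ValueError(f"{name} must look like A1:B2:C3:00:E5:F6")
        elif len(value) != LENGTHS[name] or not value.isalnum():
            raise ValueError(f"{name} must be {LENGTHS[name]} alphanumeric characters")
    if fields["bt_mac"].upper() == fields["wifi_mac"].upper():
        raise ValueError("Bluetooth and WiFi MAC addresses must differ")

def patch_misc(image, sn, bt_mac, wifi_mac, factory_sn=None):
    """Return a copy of image with the fields overwritten in place, as typing in
    HxD's Decoded Text pane does (assumption: plain ASCII, no terminator added)."""
    fields = {"sn": sn, "bt_mac": bt_mac, "wifi_mac": wifi_mac}
    if factory_sn is not None:  # guide: leave this field alone if you lack the value
        fields["factory_sn"] = factory_sn
    validate(fields)
    out = bytearray(image)
    for name, value in fields.items():
        off, data = OFFSETS[name], value.encode("ascii")
        if off + len(data) > len(out):
            raise ValueError(f"image too small for {name} at 0x{off:X}")
        out[off:off + len(data)] = data  # overwrite, never insert: size must not change
    return bytes(out)

def read_fields(image):
    """Read the four fields back, for the 'open misc.img again and check' step."""
    return {n: image[OFFSETS[n]:OFFSETS[n] + LENGTHS[n]].decode("ascii", "replace")
            for n in OFFSETS}

def patch_file(path, **values):
    """Patch misc.img on disk, first saving the untouched copy as misc.img.bak."""
    p = Path(path)
    original = p.read_bytes()
    p.with_name(p.name + ".bak").write_bytes(original)
    p.write_bytes(patch_misc(original, **values))
```

Call patch_file("misc.img", sn=..., bt_mac=..., wifi_mac=...) with the getprop values from step 1, then compare read_fields() on the result against those values before pushing the image and running dd.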
Hi, Saratoga79
I get the message in point 3:
adb cannot run as root in production builds
and
[email protected]:/ $
No way to recover it
:crying::crying::crying:
Thanks a bunch for doing that mate!
aromanos_76 said:
Hi, Saratoga79
I get the message in point 3:
adb cannot run as root in production builds
and
[email protected]:/ $
No way to recover it
:crying::crying::crying:
And how is your bootloader? If you have locked bootloader, there is nothing to do, AFAIK.
What was your problem?
Saratoga79 said:
And how is your bootloader? If you have locked bootloader, there is nothing to do, AFAIK.
What was your problem?
I can access to the device (adb devices) and start the fastboot mode.
The strange thing is.... that even the serial no is null, the watch is locked and I've no root permissions...
The watch still working!!! :laugh:
Sorry, I still can't attach images: hxxxs://ibb.co/iDg4zx
Great job Saratoga, I hope this means you got your PACE back up and running!
Great, I just used the info to save my misc.img partition in case something goes wrong.
nhedgehog said:
Great, I just used the info to save my misc.img partition in case something goes wrong.
You could also get your own misc.img from watch.
Guess I wasn't specific enough. That's what I did, saving my own misc.img from the watch.
I had a null serial number in my Stratos, then I followed all steps
Now I have a serial number back, however the buttons and touch screen are not working
What do you think could be the problem ?
RENEMX said:
I had a null serial number in my Stratos, then I followed all steps
Now I have a serial number back, however the buttons and touch screen are not working
What do you think could be the problem ?
What ROM did you install after restoring your SN?
Thanks Saratoga79 for replying
This is the info: My watch is the Stratos A1609
Smartwatch is connected to Amazfit app, running version: 1.2.44
Something I saw trying to update the version is Using ROM Stratos Everest 2.0.15.0 Multilanguage , Installer V.06 by Saratoga is after checking the unlock is YES
I have tried to change the language BUT after clicking for the installation the message is “I have not installed ROM V0.6
So the problem today is that the touch screen
Below additional information, I hope it helps, any question please let me know.
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar all
(bootloader) version-bootloader: U-Boot 2013.07-00101-g96591b8
(bootloader) version-baseband: N/A
(bootloader) version-hardware: V1.1 20130322
(bootloader) version-cdma: N/A
(bootloader) variant: watch
(bootloader) serialno: 16091814071027
(bootloader) product: watch
(bootloader) secure: no
(bootloader) unlocked: yes
(bootloader) uart-on: NO
(bootloader) partition-size:bootloader: 0x0000
(bootloader) partition-type:bootloader: emmc
(bootloader) partition-size:recovery: 0x1000
(bootloader) partition-type:recovery: emmc
(bootloader) partition-size:boot: 0x2000
(bootloader) partition-type:boot: emmc
(bootloader) partition-size:system: 0x3000
(bootloader) partition-type:system: ext4
(bootloader) partition-size:cache: 0x4000
(bootloader) partition-type:cache: ext4
(bootloader) partition-size:userdata: 0x5000
(bootloader) partition-type:userdata: ext4
(bootloader) max-download-size: 0x4000000
all:
finished. total time: 0.313s
RENEMX said:
Thanks Saratoga79 for replying
This is the info: My watch is the Stratos A1609
Smartwatch is connected to Amazfit app, running version: 1.2.44
Something I saw trying to update the version is Using ROM Stratos Everest 2.0.15.0 Multilanguage , Installer V.06 by Saratoga is after checking the unlock is YES
I have tried to change the language BUT after clicking for the installation the message is “I have not installed ROM V0.6
So the problem today is that the touch screen
Below additional information, I hope it helps, any question please let me know.
C:\Program Files (x86)\Minimal ADB and Fastboot>fastboot getvar all
(bootloader) version-bootloader: U-Boot 2013.07-00101-g96591b8
(bootloader) version-baseband: N/A
(bootloader) version-hardware: V1.1 20130322
(bootloader) version-cdma: N/A
(bootloader) variant: watch
(bootloader) serialno: 16091814071027
(bootloader) product: watch
(bootloader) secure: no
(bootloader) unlocked: yes
(bootloader) uart-on: NO
(bootloader) partition-size:bootloader: 0x0000
(bootloader) partition-type:bootloader: emmc
(bootloader) partition-size:recovery: 0x1000
(bootloader) partition-type:recovery: emmc
(bootloader) partition-size:boot: 0x2000
(bootloader) partition-type:boot: emmc
(bootloader) partition-size:system: 0x3000
(bootloader) partition-type:system: ext4
(bootloader) partition-size:cache: 0x4000
(bootloader) partition-type:cache: ext4
(bootloader) partition-size:userdata: 0x5000
(bootloader) partition-type:userdata: ext4
(bootloader) max-download-size: 0x4000000
all:
finished. total time: 0.313s
So you already installed my ROM for your Stratos? Did you get any error? Did you do the Factory reset?
If you still face same issue, maybe you can try installing STRATOSfied.
Other than this method, I want to go back to stock, lock my bootloader and use it as new (I bought it used and the ex-owner installed a ROM and unlocked the bootloader). How can I do that?
Thanks
After i fixed the issue of null serial number using your procedure
Then
I used the tool: ROM Everest 2.0.15.0 to change the language however the program cannot recognize my watch as A1609, please see:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The message is the following:
Model detected: A1602 - Amazfit Sports Watch
Version Installed ROM: huanghe -1.2.44
China ROM PACEfied found
ONLY FOR AMAZFIT 2 STRATOS WATCH
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My watch is stratos A1609 but inside it has running Android PACEfied
So, I have tried to install flash Chinese/English ROM using your tool "Huawmi AMAZFIT Tool" and
Firmware_CN_STRATOS_2.0.7.5.zip
After that there are three options:
a) I want to use already extracted files
b) I want to delete already extracted files and re-unpack it
c) I want to stop this process
Doing option a) and b) again, I still have Android PACEfied and the touch screen is not working
Saratoga79 said:
So you already installed my ROM for your Stratos? Did you get any error? Did you do the Factory reset?
If you still face same issue, maybe you can try installing STRATOSfied.
I cannot do a factory reset because the touch screen is not working
I tried STRATOSfied but it did not work, and I also tried installing the Stratos ROM but it did not work
I think the problem is the hardware is for Stratos but software is Paciefied, what do you think ?
Please read the latest info I sent (previous to this one)