Edit: See Wiki for information on why this can not be accomplished: "summary: 2gb have stuff. other 2gb make phone faster. phone have more faster ram. Phone go faster." (Thanks wrsg)
First, I feel this needs to be in the development section because it's most likely going to require some commands/.zip/custom ROM/whatever to actually be able to use that other 2gb of memory we don't see.
Correct me if I'm wrong but from my understanding, that other 2gb of memory has a backup of STOCK G2 Software (OS/Recovery/etc) and reserved space for updates. Basically meaning memory that's only touched by an OTA or ... gingerbread when that drops.
How would we go about "unlocking" that other half of internal memory? It could be used for apps or possibly even mountable storage (if possible...)
I'm sure this is already a work in progress and I have nothing to offer in the endeavor. Just opening the door for someone to walk through.
If a mod believes this to be in the wrong section, please feel free to move it.
Sent from my T-Mobile G2 using XDA App
philosophics said:
First, I feel this needs to be in the development section because it's most likely going to require some commands/.zip/custom ROM/whatever to actually be able to use that other 2gb of memory we don't see.
Correct me if I'm wrong but from my understanding, that other 2gb of memory has a backup of STOCK G2 Software (OS/Recovery/etc) and reserved space for updates. Basically meaning memory that's only touched by an OTA or ... gingerbread when that drops.
How would we go about "unlocking" that other half of internal memory? It could be used for apps or possibly even mountable storage (if possible...)
I'm sure this is already a work in progress and I have nothing to offer in the endeavor. Just opening the door for someone to walk through.
If a mod believes this to be in the wrong section, please feel free to move it.
Sent from my T-Mobile G2 using XDA App
what do you propose?
I believe this thread will be where brains come together. As stated above, I have nothing to offer in the endeavor. Just opening a door for someone to walk through.
When something comes up that works, I will post it in the OP and change the thread title...
Sent from my T-Mobile G2 using XDA App
I think we are getting ahead of ourselves...we need a base/stock rom with su/busybox installed badly! I know the soft bricks are already happening and no one has anything to revert to (that isn't insanely tedious). Besides, nandroid/titanium backup can't fix it every time. I hope someone is working on that first. I'm sure people are looking into accessing the total rom space but if it's just partitioned that way... there may be no easy solution. Or at least one that isn't dangerous...
Isn't this supposedly HTC and T-mobile's job!?!
Aren't they supposed to acknowledge this problem already?!
Up until now I have seen NO official words from either HTC or T-mobile. What's up with that? Are these guys playing the silence game?
HA!
I just posted the same question in "dev question" sticky which has almost no dev questions in it. I believe there may be a barrier to entry to our other 1.9 gigs and that is the actual architecture that our g2 radios live, on the eMMC.
Pls feel free to correct me if I am wrong here.
I feel as if the other 2 gigs are partitions that are used for data and cache; just a thought
s0xpan said:
I feel as if the other 2 gigs are partitions that are used for data and cache; just a thought
all told system, data, and cache 1 gig would be a huge amount. still leaving an unaccounted gig
that's not even taking into account the 512 of rom
haensgn said:
all told system, data, and cache 1 gig would be a huge amount. still leaving an unaccounted gig
that's not even taking into account the 512 of rom
true this is true
philosophics said:
Correct me if I'm wrong but from my understanding, that other 2gb of memory has a backup of STOCK G2 Software (OS/Recovery/etc) and reserved space for updates. Basically meaning memory that's only touched by an OTA or ... gingerbread when that drops.
I don't think that's been proved, has it, it's just speculation ? i.e. what that extra space is for ?
If anyone has links to proof then of course I'd be very interested, and apologise if I'm wrong.
The "missing" memory might even be unintentional and/or a bug, from what I've seen.
well sir speculation is a part of this whole "think tank" process
nothing needs proof. although if you have any documentation...
From what I saw going through the eMMC in 4kbits of code at a time, done by the rooting team, it seems to be part of the architecture, but I am waiting for wiser people who have physically cracked this puppy open.
For anyone interested in specifics, you can do some reading here
I believe what you are referring to is the space beyond mmcblk0p28 (on the G2) which begins at block 264551 and ends at block 1048577
reukiodo said:
For anyone interested in specifics, you can do some reading here
and also at http://tjworld.net/wiki/Android/HTC/Vision/InstallingCustomOperatingSystem
Though, interestingly I get something a little different when I fdisk -l mmcblk0:
Code:
# busybox fdisk -l /dev/block/mmcblk0
busybox fdisk -l /dev/block/mmcblk0
Warning: deleting partitions after 60
Disk mmcblk0: 2256 MB, 2256535552 bytes
1 heads, 16 sectors/track, 275456 cylinders
Units = cylinders of 16 * 512 = 8192 bytes
Device Boot Start End Blocks Id System
mmcblk0p1 * 1 63 500 4d Unknown
Partition 1 does not end on cylinder boundary
mmcblk0p2 63 71 64 45 Unknown
Partition 2 does not end on cylinder boundary
mmcblk0p3 71 634 4500 46 Unknown
Partition 3 does not end on cylinder boundary
mmcblk0p4 634 1048577 8383544 5 Extended
Partition 4 does not end on cylinder boundary
mmcblk0p5 634 4384 30000 49 Unknown
mmcblk0p6 4384 5946 12500 50 Unknown
mmcblk0p7 5946 6202 2048 51 Unknown
mmcblk0p8 6202 6586 3072 52 Unknown
mmcblk0p9 6586 6842 2048 53 Unknown
mmcblk0p10 6842 6970 1024 54 Unknown
mmcblk0p11 6971 7098 1024 56 Unknown
mmcblk0p12 7099 8192 8751+ 55 Unknown
mmcblk0p13 8193 8577 3072 4a Unknown
mmcblk0p14 8577 8961 3072 4b Unknown
mmcblk0p15 8961 9089 1024 74 Unknown
mmcblk0p16 9089 10208 8957+ 75 Unknown
mmcblk0p17 10209 10240 256 76 Unknown
mmcblk0p18 10241 10369 1024 47 Unknown
mmcblk0p19 10369 10497 1024 34 Unknown
mmcblk0p20 10497 10657 1280 36 Unknown
mmcblk0p21 10657 11744 8701 71 Unknown
mmcblk0p22 11744 12256 4096 48 Unknown
mmcblk0p23 12257 12288 256 73 Unknown
mmcblk0p24 12289 12321 256 31 Unknown
mmcblk0p25 12321 65536 425726+ 83 Linux
mmcblk0p26 65537 235777 1361920+ 83 Linux
mmcblk0p27 235777 261991 209715+ 83 Linux
mmcblk0p28 261991 264551 20480 19 Unknown
mmcblk0p29 634 4384 30000 49 Unknown
mmcblk0p30 4384 5946 12500 50 Unknown
mmcblk0p31 5946 6202 2048 51 Unknown
mmcblk0p32 6202 6586 3072 52 Unknown
mmcblk0p33 6586 6842 2048 53 Unknown
mmcblk0p34 6842 6970 1024 54 Unknown
mmcblk0p35 6971 7098 1024 56 Unknown
mmcblk0p36 7099 8192 8751+ 55 Unknown
mmcblk0p37 8193 8577 3072 4a Unknown
mmcblk0p38 8577 8961 3072 4b Unknown
mmcblk0p39 8961 9089 1024 74 Unknown
mmcblk0p40 9089 10208 8957+ 75 Unknown
mmcblk0p41 10209 10240 256 76 Unknown
mmcblk0p42 10241 10369 1024 47 Unknown
mmcblk0p43 10369 10497 1024 34 Unknown
mmcblk0p44 10497 10657 1280 36 Unknown
mmcblk0p45 10657 11744 8701 71 Unknown
mmcblk0p46 11744 12256 4096 48 Unknown
mmcblk0p47 12257 12288 256 73 Unknown
mmcblk0p48 12289 12321 256 31 Unknown
mmcblk0p49 12321 65536 425726+ 83 Linux
mmcblk0p50 65537 235777 1361920+ 83 Linux
mmcblk0p51 235777 261991 209715+ 83 Linux
mmcblk0p52 261991 264551 20480 19 Unknown
mmcblk0p53 634 4384 30000 49 Unknown
mmcblk0p54 4384 5946 12500 50 Unknown
mmcblk0p55 5946 6202 2048 51 Unknown
mmcblk0p56 6202 6586 3072 52 Unknown
mmcblk0p57 6586 6842 2048 53 Unknown
mmcblk0p58 6842 6970 1024 54 Unknown
mmcblk0p59 6971 7098 1024 56 Unknown
mmcblk0p60 7099 8192 8751+ 55 Unknown
Partition table entries are not in disk order
It looks like my partition table repeats itself, but refers to the same sectors. Does anyone else see this oddity?
cheat sheet:
Code:
adb shell
su
busybox fdisk -l /dev/block/mmcblk0
$ export PATH=/data/local/bin:$PATH
$ su
#busybox fdisk -l /dev/block/mmcblk0
Warning: deleting partitions after 60
Disk /dev/block/mmcblk0: 2332 MB, 2332033024 bytes
1 heads, 16 sectors/track, 284672 cylinders
Units = cylinders of 16 * 512 = 8192 bytes
Device Boot Start End Blocks Id System
/dev/block/mmcblk0p1 * 1 63 500 4d Unknown
Partition 1 does not end on cylinder boundary
/dev/block/mmcblk0p2 63 71 64 45 Unknown
Partition 2 does not end on cylinder boundary
/dev/block/mmcblk0p3 71 634 4500 46 Unknown
Partition 3 does not end on cylinder boundary
/dev/block/mmcblk0p4 634 284672 2272311 5 Extended
Partition 4 does not end on cylinder boundary
/dev/block/mmcblk0p5 634 4384 30000 49 Unknown
/dev/block/mmcblk0p6 4384 5946 12500 50 Unknown
/dev/block/mmcblk0p7 5946 6202 2048 51 Unknown
/dev/block/mmcblk0p8 6202 6586 3072 52 Unknown
/dev/block/mmcblk0p9 6586 6842 2048 53 Unknown
/dev/block/mmcblk0p10 6842 6970 1024 54 Unknown
/dev/block/mmcblk0p11 6971 7098 1024 56 Unknown
/dev/block/mmcblk0p12 7099 8192 8751+ 55 Unknown
/dev/block/mmcblk0p13 8193 8577 3072 4a Unknown
/dev/block/mmcblk0p14 8577 8961 3072 4b Unknown
/dev/block/mmcblk0p15 8961 9089 1024 74 Unknown
/dev/block/mmcblk0p16 9089 10208 8957+ 75 Unknown
/dev/block/mmcblk0p17 10209 10240 256 76 Unknown
/dev/block/mmcblk0p18 10241 10369 1024 47 Unknown
/dev/block/mmcblk0p19 10369 10497 1024 34 Unknown
/dev/block/mmcblk0p20 10497 10657 1280 36 Unknown
/dev/block/mmcblk0p21 10657 11744 8701 71 Unknown
/dev/block/mmcblk0p22 11744 12256 4096 48 Unknown
/dev/block/mmcblk0p23 12257 12288 256 73 Unknown
/dev/block/mmcblk0p24 12289 12544 2047 26 Unknown
/dev/block/mmcblk0p25 12545 83968 571391+ 83 Linux
/dev/block/mmcblk0p26 83969 223616 1117183+ 83 Linux
/dev/block/mmcblk0p27 223617 262016 307199+ 83 Linux
/dev/block/mmcblk0p28 262017 264672 21247+ 19 Unknown
/dev/block/mmcblk0p29 264673 264704 256 23 Unknown
/dev/block/mmcblk0p30 634 4384 30000 49 Unknown
/dev/block/mmcblk0p31 4384 5946 12500 50 Unknown
/dev/block/mmcblk0p32 5946 6202 2048 51 Unknown
/dev/block/mmcblk0p33 6202 6586 3072 52 Unknown
/dev/block/mmcblk0p34 6586 6842 2048 53 Unknown
/dev/block/mmcblk0p35 6842 6970 1024 54 Unknown
/dev/block/mmcblk0p36 6971 7098 1024 56 Unknown
/dev/block/mmcblk0p37 7099 8192 8751+ 55 Unknown
/dev/block/mmcblk0p38 8193 8577 3072 4a Unknown
/dev/block/mmcblk0p39 8577 8961 3072 4b Unknown
/dev/block/mmcblk0p40 8961 9089 1024 74 Unknown
/dev/block/mmcblk0p41 9089 10208 8957+ 75 Unknown
/dev/block/mmcblk0p42 10209 10240 256 76 Unknown
/dev/block/mmcblk0p43 10241 10369 1024 47 Unknown
/dev/block/mmcblk0p44 10369 10497 1024 34 Unknown
/dev/block/mmcblk0p45 10497 10657 1280 36 Unknown
/dev/block/mmcblk0p46 10657 11744 8701 71 Unknown
/dev/block/mmcblk0p47 11744 12256 4096 48 Unknown
/dev/block/mmcblk0p48 12257 12288 256 73 Unknown
/dev/block/mmcblk0p49 12289 12544 2047 26 Unknown
/dev/block/mmcblk0p50 12545 83968 571391+ 83 Linux
/dev/block/mmcblk0p51 83969 223616 1117183+ 83 Linux
/dev/block/mmcblk0p52 223617 262016 307199+ 83 Linux
/dev/block/mmcblk0p53 262017 264672 21247+ 19 Unknown
/dev/block/mmcblk0p54 264673 264704 256 23 Unknown
/dev/block/mmcblk0p55 634 4384 30000 49 Unknown
/dev/block/mmcblk0p56 4384 5946 12500 50 Unknown
/dev/block/mmcblk0p57 5946 6202 2048 51 Unknown
/dev/block/mmcblk0p58 6202 6586 3072 52 Unknown
/dev/block/mmcblk0p59 6586 6842 2048 53 Unknown
/dev/block/mmcblk0p60 6842 6970 1024 54 Unknown
Partition table entries are not in disk order
Sent from my HTC Vision using XDA App
... very, very weird.
It reminds me of some of Samsung's boneheaded decisions on the filesystem in their Galaxy S series. Just some real head-scratchers -- like using a journaled FAT filesystem that blocks on write for some stupid reason.
If you really want to be sleuthy, read the #g2root logs from last night, particularly scotty2's diagnosis.
What's the difference between our memory and the Vibrant's? What makes it mountable on a computer? I know we have an sd card for pix and stuff. Who on earth is gunna use 4 gigs on just apps? It would make sense to be able to use it for pix and downloads
I figure it is there for the huge cache. Is that cache disabled when the phone is rooted?
Anomaly said:
I figure it is there for the huge cache. Is that cache disabled when the phone is rooted?
... to what huge cache are you referring?
I was trying this to fix a hard-bricked G2 I just received:
http://forum.xda-developers.com/showthread.php?t=2582142
The device is in the following state:
No download mode
No recovery mode
Shows qhsusb_bulk in lsusb -v
I don't know much more about it (e.g. I don't know if it was rooted or what type of ROM was on it).
I need to unplug the battery by removing the back cover to have a chance to reboot it. The first boot after that it shows the LG logo, then a blank screen (back lit but no text).
(UPDATE: Pressing the power button 8 seconds also reboots the phone without having to unplug the battery).
When I wire it up to my Arch Linux computer here is what the command `dmesg` shows:
Code:
[ 3693.728255] usb 1-2: new high-speed USB device number 93 using xhci_hcd
[ 3693.901772] usb 1-2: config 1 has an invalid interface number: 20 but max is 1
[ 3693.901784] usb 1-2: config 1 has no interface number 1
[ 3693.903319] usb-storage 1-2:1.20: USB Mass Storage device detected
[ 3693.903868] scsi host843: usb-storage 1-2:1.20
[ 3694.905067] scsi 843:0:0:0: Direct-Access Qualcomm MMC Storage 1.00 PQ: 0 ANSI: 2
[ 3694.906568] sd 843:0:0:0: [sdb] 30777344 512-byte logical blocks: (15.7 GB/14.6 GiB)
[ 3694.906872] sd 843:0:0:0: [sdb] Write Protect is off
[ 3694.906883] sd 843:0:0:0: [sdb] Mode Sense: 0f 0e 00 00
[ 3694.907373] sd 843:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 3694.919101] sdb: sdb1 sdb2 sdb3 sdb4 sdb5 sdb6 sdb7 sdb8 sdb9 sdb10 sdb11 sdb12 sdb13 sdb14 sdb15 sdb16 sdb17 sdb18 sdb19 sdb20 sdb21 sdb22 sdb23 sdb24 sdb25 sdb26 sdb27 sdb28 sdb29 sdb30 sdb31 sdb32 sdb33 sdb34 sdb35 sdb36
[ 3694.923664] sd 843:0:0:0: [sdb] Attached SCSI disk
[ 3695.061360] usb 1-2: USB disconnect, device number 93
[ 3695.065521] sd 843:0:0:0: [sdb] Synchronizing SCSI cache
[ 3695.065552] sd 843:0:0:0: [sdb]
[ 3695.065554] Result: hostbyte=0x01 driverbyte=0x00
[ 3695.065557] sd 843:0:0:0: [sdb] CDB:
[ 3695.065558] cdb[0]=0x28: 28 00
[ 3695.065562] sd 843:0:0:0: [sdb]
[ 3695.065563] Result: hostbyte=0x01 driverbyte=0x00
[ 3695.065565] sd 843:0:0:0: [sdb] CDB:
[ 3695.065566] cdb[0]=0x28:
[ 3695.065567] 00 00 00
[ 3695.065569] 28
[ 3695.065571] 00
[ 3695.065571] 00
[ 3695.065572] 00
[ 3695.065573] 01
[ 3695.065573] 70
[ 3695.065574] 00
[ 3695.065574] 00
[ 3695.065575] 90
[ 3695.065576] 00
[ 3695.065578] end_request: I/O error, dev sdb, sector 368
[ 3695.065579] 80 00 00 f0 00
[ 3695.065582] quiet_error: 134 callbacks suppressed
[ 3695.065583] Buffer I/O error on device sdb, logical block 46
[ 3695.065586] Buffer I/O error on device sdb, logical block 47
[ 3695.065587] Buffer I/O error on device sdb, logical block 48
[ 3695.065589] end_request: I/O error, dev sdb, sector 128
[ 3695.065590] Buffer I/O error on device sdb, logical block 16
[ 3695.065592] Buffer I/O error on device sdb, logical block 49
[ 3695.065594] Buffer I/O error on device sdb, logical block 17
[ 3695.065595] Buffer I/O error on device sdb, logical block 50
[ 3695.065597] Buffer I/O error on device sdb, logical block 51
[ 3695.065598] Buffer I/O error on device sdb, logical block 52
[ 3695.065599] Buffer I/O error on device sdb, logical block 18
[ 3695.065633] sd 843:0:0:0: [sdb]
[ 3695.065636] Result: hostbyte=0x01 driverbyte=0x00
[ 3695.750741] usb 1-2: new high-speed USB device number 94 using xhci_hcd
[ 3695.924146] usb 1-2: config 1 has an invalid interface number: 20 but max is 1
[ 3695.924151] usb 1-2: config 1 has no interface number 1
...
Note the "config 1 has an invalid interface number: 20 but max is 1" error, and all the Buffer I/O errors.
Here is the relevant section of `lsusb -v`
Code:
Bus 001 Device 054: ID 05c6:9006 Qualcomm, Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 64
idVendor 0x05c6 Qualcomm, Inc.
idProduct 0x9006
bcdDevice 0.00
iManufacturer 1 LG Electronics Inc.
iProduct 2 QHSUSB__BULK
iSerial 3 1234567890ABCDEF
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 55
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 2mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x01 EP 1 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 20
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 8 Mass Storage
bInterfaceSubClass 6 SCSI
bInterfaceProtocol 80 Bulk-Only
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0200 1x 512 bytes
bInterval 0
Device Status: 0x0000
(Bus Powered)
Is there anything that could be done to fix these Buffer I/O errors so I can mount the phone (and continue with the FIX tutorial posted above)?
Anyone able to shed some light on the meaning of these lines would be of great help in my quest of learning how to unbrick my phone.
Note: when connected to the computer the blank screen goes in a repeating cycle of being back lit for 1 second then no backlights for 1 second. The cycle stops (with backlights) when unplugging the phone.
Hello. I've got exactly the same problem, have you already somehow solved the problem?
NECRO:
same problem on an LG device, any input is appreciated.
Well like the rest of you I want to unlock and root this device.
I'm sure this is going to be a long road for all of us but I really like this device so personally I will do what i can to help figure out how to unlock and root this thing.
As a single soul this could take months or even a year but with combined efforts of this community I think we can pull it off. We all have our strengths and if we combine them with your help and the help of others it might turn out to be quite easy.
Don't be fooled and believe that fastboot is removed from the bootloader. It is there, I'm sure; we just need to figure out how to access it.
On a good note I already have a method to overcome update.zip signing that I developed for the alcatel one touch fierce 2. When using the recovery to flash the phone things actually become simpler. I would expect though that the recovery image is signed as well, meaning we don't simply have the ability to flash the recovery. Unless we can unlock the boot loader first.
In reality to do any of this we are going to need temp root. At this time I have no idea how we're going to get that but if you can get temp root even just enough to pull a backup from the device that will be a huge step forward.
To do anything useful we need a device backup. Or an update.zip.
If you can find a way to copy the update from this device before it is installed that would be wonderful.
My device already updated so if you have a brand new device that is not updated let us know so we can get our hands on the update.
In the meantime ( Until we get some firmware to reverse engineer ) I will document all the data I can get and how to get it.
The very first thing we need is to know all of the partitions on the device. If I can get the full GPT Partition Table that would be best.
So without further ado I will start this journey.
Some of my posts will be fairly basic to some and very complex to others.
I'm going to start by seeing what all boot modes I can get into.
Then see what I can get with ADB without root permissions.
Map out the partition scheme, and see how much of the security scheme I can determine is in place. All the fun stuff like what files are signed, how the boot chain is verified. I have seen it before where overcoming the initial security mechanism opens up a whole world of possibilities.
Programmers get lazy and to save money if they think you're blocked out of a vulnerable area period they may lax on harder to bypass security.
Ok after a day of research and some gleaning of info from my blade x max I have a direction to move in anyway.
The closest device and one of the only devices ZTE allowed unlocked is the ZTE Axon 7.
We can study the Axon 7 and get some ideas on what will work on the BladeXMax.
First fastboot is crippled initially.
But this is easily overcome by swapping a few bytes on the right partition.
That's my theory anyway. I'm in the process of proving it.
After Fastboot receives its prosthetic Limb oem unlock is as simple as 1 command.
Once the bootloader is unlocked the device will allow for an unsigned TWRP to run.
Now of course we need to compile our own TWRP. And then we can root.
Obviously we need the ability to write to this fastboot partition.
And we need to be able to flash TWRP.
Without Root how???
Just like the axon 7. EDL mode.
ZTE seems EDL Mode Friendly.
And the flash programmer (Firehose) is not signed.
Miflash can write partitions on the zte devices.
The only issue right now is we need the files off of the Blade x max.
And the GPT partition table.
Seeing that axon7tool can back up partitions from the axon7 in edl mode.......
Knowing that miflash works.
One of us that knows the protocol of miflash ( Sahara ??? )
Can write a tool for linux that uses the same protocol.
Once this tool exists we can backup all the partitions and the GPT without root.
Once I have the files from the blade it should be possible to edit the fastboot partition and un-cripple the Fastboot.
So if any of you know the guys that wrote the axon 7 tool he can help us with a tool.
Other than that we're stuck writing the tool ourselves.
On a good note, the Sahara protocol and other edl protocols are very well documented.
If you seriously want in this Blade this is the way to go.
Well my theory about fastboot is correct.
I guess it's obvious that versions of the axon 7 fastboot would be different.
The unlocked and the locked fastboot.
I'm going to hexdump and diff all the fastboot images I can find but so far it looks like this.
It seems that ZTE has used the same fastboot partition for a while.
If you boot into recovery on the blade x max and view the recovery log. Last log
You will find a list of all the partition names on our device.
system
cache
persist
data
sdcard
boot
recovery
misc
aboot
apdp
bluetooth
carrier
cdt
cmnlib
cmnlib64
cryptkey
DDR
devcfg
devcfgbak
devinfo
dip
dpo
dsp
echarge
fastboot
fbop
fingerid
fsc
fsg
hyp
keymaster
keystore
lksecapp
mdtp
modem
msadp
persistent
pmic
reserve
rpm
sbl1
sec
splash
ssd
sti
tz
xbl
xblbak
ztecfg
tmp
Yep you can see we have the fastboot partition.
But the fbop partition is an important one.
If we look at the updater scripts of the firmware upgrade packages we see.
FROM Partition.xml
<data><program SECTOR_SIZE_IN_BYTES="4096" file_sector_offset="0" filename="fastboot.img" label="fbop" num_partition_sectors="32" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x321a8000" start_sector="205224"/></data>
FROM Update Zip
getprop("ro.product.device") == "ailsa_ii" || abort("E3004: This package is for \"ailsa_ii\" devices; this is a \"" + getprop("ro.product.device") + "\".");
assert(getprop("ro.product.name") == "P996A01_N");
ui_print("Target: ZTE/P996A01_N/ailsa_ii:7.1.1/NMF26F/20170301.161705:user/release-keys");
show_progress(0.650000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
abort("E1001: Failed to update system image.");
show_progress(0.050000, 5);
package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot");
package_extract_file("ddr.img", "/dev/block/bootdevice/by-name/ddr");
package_extract_file("keymaster.mbn", "/dev/block/bootdevice/by-name/xblbak");
package_extract_file("lksecapp.mbn", "/dev/block/bootdevice/by-name/lksecapp");
package_extract_file("rpm.mbn", "/dev/block/bootdevice/by-name/rpm");
package_extract_file("tz.mbn", "/dev/block/bootdevice/by-name/tz");
package_extract_file("echarge.img", "/dev/block/bootdevice/by-name/echarge");
package_extract_file("mdtp.img", "/dev/block/bootdevice/by-name/mdtp");
package_extract_file("xbl.elf", "/dev/block/bootdevice/by-name/xbl");
package_extract_file("cmnlib64.mbn", "/dev/block/bootdevice/by-name/cmnlib64");
package_extract_file("adspso.bin", "/dev/block/bootdevice/by-name/dsp");
package_extract_file("recovery.img", "/dev/block/bootdevice/by-name/recovery");
package_extract_file("sec.dat", "/dev/block/bootdevice/by-name/sec");
package_extract_file("NON-HLOS.bin", "/dev/block/bootdevice/by-name/modem");
package_extract_file("pmic.elf", "/dev/block/bootdevice/by-name/pmic");
package_extract_file("devcfg.mbn", "/dev/block/bootdevice/by-name/devcfg");
package_extract_file("emmc_appsboot.mbn", "/dev/block/bootdevice/by-name/aboot");
package_extract_file("fastboot.img", "/dev/block/bootdevice/by-name/fbop");
package_extract_file("splash.img", "/dev/block/bootdevice/by-name/splash");
package_extract_file("hyp.mbn", "/dev/block/bootdevice/by-name/hyp");
package_extract_file("BTFM.bin", "/dev/block/bootdevice/by-name/bluetooth");
package_extract_file("cmnlib.mbn", "/dev/block/bootdevice/by-name/cmnlib");
show_progress(0.200000, 10);
show_progress(0.100000, 10);
format("ext4", "EMMC", "/dev/block/bootdevice/by-name/userdata", "0", "/data");
set_progress(1.000000);
Here we can conclude that the fastboot.img is flashed to the fbop partition, which is where the flags to enable the full fastboot commands are. It's basically a security partition.
Is the Whole Partition different??
Is it just a few bytes difference??
It's actually not much and seeing that this identical partition has been used for several years
We can hope our fastboot image is the same or very similar. But remember it is the fbop partition.
Here is the difference.
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/A2017U_FASTBOOT_UNLOCK_EDL/fastboot.img > /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt
[email protected]:~$ diff home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/stock/fbstock.txt
diff: home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt: No such file or directory
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/A2017U_FASTBOOT_UNLOCK_EDL/fastboot.img > /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt
[email protected]:~$ diff /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/stock/fbstock.txt
257c257
< 00001000 01 00 00 00 78 56 34 12 00 00 00 00 01 00 00 00 |....xV4.........|
---
> 00001000 00 00 00 00 78 56 34 12 00 00 00 00 00 00 00 00 |....xV4.........|
579,595c579,595
< 00002420 62 6f 6f 74 02 02 20 00 04 82 01 00 04 e0 4f a3 |boot.. .......O.|
< 00002430 b8 c0 79 df 98 9a ce 8b 47 ed f6 23 61 e8 3e 4d |..y.....G..#a.>M|
< 00002440 7a 43 fc 4b d4 39 60 c5 5a a6 96 ea c0 4d e2 52 |zC.K.9`.Z....M.R|
< 00002450 27 3e b6 d0 21 72 72 c8 59 03 44 90 ff 4a 86 3b |'>..!rr.Y.D..J.;|
< 00002460 29 2c 16 7a 04 2b 36 07 6f 8f 04 8e 35 7c f2 9f |),.z.+6.o...5|..|
< 00002470 cc 29 e5 0b 74 30 e9 0c ec cd 23 4b 19 84 c7 d1 |.)..t0....#K....|
< 00002480 f7 46 9b 7d dc 8b 6b bb 01 d3 f0 0a ab 96 ca 7e |.F.}..k........~|
< 00002490 a2 6e 91 6b d9 38 d6 d6 2e 4f 50 3e 2d 17 55 e3 |.n.k.8...OP>-.U.|
< 000024a0 e5 50 e4 1f dc 03 26 9e e9 22 19 dc 60 e1 0b a0 |.P....&.."..`...|
< 000024b0 b5 06 25 bd e4 08 24 4f 7b dd 42 29 82 55 06 84 |..%...$O{.B).U..|
< 000024c0 a1 5f d7 c1 99 3f 83 30 5d 10 59 5e 9d 2a 31 3f |._...?.0].Y^.*1?|
< 000024d0 f9 87 54 55 1e 82 40 68 5b c8 e4 18 98 80 d1 ec |[email protected][.......|
< 000024e0 df d7 01 d1 ec a5 a2 e4 c1 86 76 63 e0 82 13 35 |..........vc...5|
< 000024f0 61 30 63 d7 cd e8 21 33 73 e9 c4 93 ad 65 68 77 |a0c...!3s....ehw|
< 00002500 3e eb 3e 90 8a bb 8b 07 1b 26 ff d5 0d 37 a4 6c |>.>......&...7.l|
< 00002510 ec c6 69 30 dd 22 1b 9f 69 79 47 69 22 ba 9e c8 |..i0."..iyGi"...|
< 00002520 0c 23 96 f8 cf 66 74 74 11 98 d6 e4 |.#...ftt....|
---
> 00002420 62 6f 6f 74 02 02 20 00 04 82 01 00 a8 e0 dd 69 |boot.. ........i|
> 00002430 5b b2 47 12 bf 74 41 7a 00 37 a0 b8 10 15 d4 4e |[.G..tAz.7.....N|
> 00002440 a6 59 74 9b 7d a4 df 95 eb 3f 1a 29 1c 60 23 7c |.Yt.}....?.).`#||
> 00002450 91 37 2a 07 d3 e9 45 17 ac ac ab a9 ba b4 42 70 |.7*...E.......Bp|
> 00002460 46 5f 67 22 f7 37 1f de 46 f9 67 44 74 d7 26 42 |F_g".7..F.gDt.&B|
> 00002470 49 9c e8 ee 98 78 89 2b b2 1e c3 58 a8 d2 3a 7f |I....x.+...X..:.|
> 00002480 39 7d 22 09 c6 01 c5 0f 95 65 57 1e af 79 d9 d6 |9}"......eW..y..|
> 00002490 8d 99 84 4f 24 ff 55 b2 b0 20 07 00 39 e6 9a 27 |...O$.U.. ..9..'|
> 000024a0 a0 bc 97 dd 27 7d f2 a2 88 b6 b5 53 4a ba 7a 8e |....'}.....SJ.z.|
> 000024b0 65 98 f6 ef 4d 7e 2e 91 01 66 35 9e e1 da 15 c4 |e...M~...f5.....|
> 000024c0 fe a4 d2 26 a1 99 88 a3 55 2f ac 65 71 f8 5f 86 |...&....U/.eq._.|
> 000024d0 a7 79 f8 b5 61 b5 da 2c 7b 89 39 3b ff 45 a3 7f |.y..a..,{.9;.E..|
> 000024e0 dc 92 d5 4e 8b df 68 c0 e9 43 18 7b 60 5a 03 60 |...N..h..C.{`Z.`|
> 000024f0 18 da 96 84 e7 97 a7 09 a9 1a 2d b6 5b d3 d2 f6 |..........-.[...|
> 00002500 c8 33 a2 8f ef 32 5e 6a 45 39 66 b5 a6 a4 35 0f |.3...2^jE9f...5.|
> 00002510 03 0c 9d 57 79 28 43 09 9a 3e 7b 01 8c 6e 66 b2 |...Wy(C..>{..nf.|
> 00002520 1a f3 3d 92 d1 66 91 04 4a 3e 79 69 |..=..f..J>yi|
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fastboot.img > /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fbul2.txt
[email protected]:~$ diff /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fbul2.txt
[email protected]:~$
There's definitely more to come but this is enough to think about for now.
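The Partition.xml entry and the updater script quoted above can be cross-checked mechanically. This added example (not the poster's code) verifies that the `<program>` offsets agree with each other, that the script writes each listed file to the label the XML names, and lists files whose name matches one partition label while being written to another. The script lines are five of those quoted above, `KNOWN_LABELS` is a subset of the recovery-log list, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# The <program> element quoted above from Partition.xml, copied verbatim.
PARTITION_XML = (
    '<data><program SECTOR_SIZE_IN_BYTES="4096" file_sector_offset="0" '
    'filename="fastboot.img" label="fbop" num_partition_sectors="32" '
    'partofsingleimage="false" physical_partition_number="0" '
    'readbackverify="false" size_in_KB="128.0" sparse="false" '
    'start_byte_hex="0x321a8000" start_sector="205224"/></data>')

# Five of the package_extract_file() lines quoted above from the update zip.
UPDATER_SCRIPT = '''\
package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot");
package_extract_file("keymaster.mbn", "/dev/block/bootdevice/by-name/xblbak");
package_extract_file("xbl.elf", "/dev/block/bootdevice/by-name/xbl");
package_extract_file("emmc_appsboot.mbn", "/dev/block/bootdevice/by-name/aboot");
package_extract_file("fastboot.img", "/dev/block/bootdevice/by-name/fbop");
'''

# Subset of the partition names listed from the recovery log above.
KNOWN_LABELS = {"boot", "aboot", "fastboot", "fbop", "keymaster", "xbl", "xblbak"}

WRITE = re.compile(
    r'package_extract_file\("([^"]+)",\s*"/dev/block/bootdevice/by-name/([^"]+)"\)')


def program_entries(xml_text):
    """Decode each <program> element and check its redundant fields agree."""
    entries = []
    for prog in ET.fromstring(xml_text).iter("program"):
        sector = int(prog.get("SECTOR_SIZE_IN_BYTES"))
        offset = int(prog.get("start_sector")) * sector
        size = int(prog.get("num_partition_sectors")) * sector
        errors = []
        if offset != int(prog.get("start_byte_hex"), 16):
            errors.append("start_byte_hex != start_sector * sector size")
        if size != float(prog.get("size_in_KB")) * 1024:
            errors.append("size_in_KB != num_partition_sectors * sector size")
        entries.append({"file": prog.get("filename"), "label": prog.get("label"),
                        "offset": offset, "size": size, "errors": errors})
    return entries


def script_writes(script):
    """Ordered list of (file in the zip, partition label it is written to)."""
    return WRITE.findall(script)


def name_mismatches(writes, labels):
    """Files named after one known partition but written to a different one."""
    flagged = []
    for filename, target in writes:
        stem = filename.rsplit(".", 1)[0].lower()
        if stem in labels and stem != target.lower():
            flagged.append((filename, target))
    return flagged


def xml_script_disagreements(entries, writes):
    """<program> entries whose file the script sends to another label."""
    targets = dict(writes)
    return [e for e in entries
            if e["file"] in targets and targets[e["file"]] != e["label"]]


if __name__ == "__main__":
    entries = program_entries(PARTITION_XML)
    writes = script_writes(UPDATER_SCRIPT)
    for e in entries:
        print(f'{e["file"]} -> {e["label"]} at {e["offset"]:#x}, '
              f'{e["size"]} bytes, errors={e["errors"]}')
    print("name/target mismatches:", name_mismatches(writes, KNOWN_LABELS))
    print("xml/script disagreements:", xml_script_disagreements(entries, writes))
```

The XML fields are self-consistent (sector 205224 × 4096 bytes is 0x321a8000, and 32 sectors is 128 KB), and the check lists both `fastboot.img` to `fbop` and `keymaster.mbn` to `xblbak` as writes whose file name and target label differ.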
Here are all the partition block sizes and labels for the blade x max
30535680 mmcblk0 EMMC CHIP
4096 mmcblk0p1
4096 mmcblk0p2
4096 mmcblk0p3
4096 mmcblk0p4
4096 mmcblk0p5
4096 mmcblk0p6
4096 mmcblk0p7
16384 mmcblk0p8
16384 mmcblk0p9
16384 mmcblk0p10
4096 mmcblk0p11
4096 mmcblk0p12
4096 mmcblk0p13
4096 mmcblk0p14
4096 mmcblk0p15
4096 mmcblk0p16
4096 mmcblk0p17
4096 mmcblk0p18
32768 mmcblk0p19
4096 mmcblk0p20
94208 mmcblk0p21
65536 mmcblk0p22
65536 mmcblk0p23
4096 mmcblk0p24
4096 mmcblk0p25
4096 mmcblk0p26
4096 mmcblk0p27
4096 mmcblk0p28
4096 mmcblk0p29
4096 mmcblk0p30
4096 mmcblk0p31
4096 mmcblk0p32
4096 mmcblk0p33
32768 mmcblk0p34
4096 mmcblk0p35
4096 mmcblk0p36
4096 mmcblk0p37
4096 mmcblk0p38
65536 mmcblk0p39
4096 mmcblk0p40
4096 mmcblk0p41
4096 mmcblk0p42
4096 mmcblk0p43
65536 mmcblk0p44
1048576 mmcblk0p45 cache
5242880 mmcblk0p46 system
23629807 mmcblk0p47 data
4096 mmcblk0rpmb
31166976 mmcblk1 SD CARD
31165935 mmcblk1p1 SD CARD Storage
Old codehead (emphasis on the "old"), and I have this device... unfortunately, it's been updated, so there's not a whole lot I could offer...
With an at least rudimentary how-to provided, though... as long as I can get the device back to square-one, if things go tits-up and it's necessary... bitter experience... not a few Cricket LG G Stylo paperweights at hand... I'd like to offer myself as an alpha-tester for whatever you find out...
Just bought this lovely new home in Albuquerque, and, until a few things settle down, don't have a lot of cash... but I'll offer mine as a test-bed of sorts...
I'm fascinated with the work you are doing, and I really dig this phone for pretty much every reason except Cricket's bullheadedness, and am looking forward to watching you work...
I'm also kinda horrified that, seeing your log dumps upthread, I could actually understand it... can take the boy out of the tech, but some things seem to be stuck in the little grey cells forever.... *chuckle*
My tech chops tended more towards xBASE and Delphi, and still do... was what I learned, along with COBOL and RPig...
Have been trying, over the past few years, to get some C++ and Java under my belt, but it's more important to me to finish my BA in the upcoming spring semester, and do UNM School of Law... Renaissance man wanna-be here... *grin*
Just wondering, good madam or sir, what progress you've been able to do... I don't mean to push, as we all have lives away from this forum (at least I do hope so.. *smile*), but, as I love to learn, and now in my 60's, found my Java, C and C++ texts, have downloaded and installed all my preferred tools, and would just really dig seeing some journaling of your progress on this rather fascinating device... more internal RAM than I would have ever expected on a smart phone, and, as such, space is not at such a premium that I'm required to use Apps2SD Pro (although I paid for it), Titanium (although I paid for it), but just damn...
I'm disgusted that Cricket would be so paranoid against their paying customers that they insist on absolute control... just damn...
Sorry... woolgathering on a Friday afternoon, while installing other dev tools... <smile>
Firmware update downloaded
My phone has the firmware downloaded please let me know if there is a way to pull it for R&D
---------- Post added at 03:31 AM ---------- Previous post was at 02:55 AM ----------
This phone just force installed, never mind.
Update not installed
I have the update downloaded but not installed. The phone is trying to force update but it can't because my battery is too low, I'll try and leave it that way. Do we have a way to find and extract the update?
Scratch that. Force install starts at 20% battery or so. Accidentally overcharged haha.
We need to post the way to pull the update
We need to post a way to extract the update so that the next person who has it but it is not installed can pull it for us. Any help from more experienced individuals would be greatly appreciated.
Update ready to dl
Any ideas how to pull it from the phone
If you have an update.zip signing bypass, I could leverage that to get a dump of the partition table.
Z983 Root Method Development
Hello world of XDA,
We want to root this device. Yes? Well, as of right now, 01-27-2018, there is no working method available on the internet. We have to do this ourselves. I've rooted literally hundreds of phones, but this one, Cricket's downplayed version of the Blade Zmax, re-dubbed Blade XMax Z983..
First, we need the boot loader. I am willing to team up with some people, to make this happen. Any takers?
Has anyone been able to get the last update files, about a week ago I think, off the phone before applying the update? If anyone has those we may be in business, at least further along than we were. That last update was a decent size update, and if it had anything to do with the Spectre/Meltdown patch, that update would have had the partition layout, how the bootloader has been hidden and so on and so forth. So if anyone was able to grab the update please post here, as the thread creator and a few others seem to know what to do from there.
Can I start by modifying the system UI apk?
Hey so I've got this device and it's FRP locked. If anybody is willing to work on this still these days (for root, frp, various unlocks, etc) then let's make it happen. Can't say for sure if I'll have the device for very long, but I'm definitely down to try while I have it. Lmk if there's anything I can do to help the progress.
dammi.forza0910 said:
Hello world of XDA,
We want to root this device. Yes? Well, as of right now, 01-27-2018, there is no working method available on the internet. We have to do this ourselves. I've rooted literally hundreds of phones, but this one, Cricket's downplayed version of the Blade Zmax, re-dubbed Blade XMax Z983..
First, we need the boot loader. I am willing to team up with some people, to make this happen. Any takers?
You know how bad I wish I could take you up on this? I just don't have the experience or the knowledge. I'd love to learn but I don't even know where to start.
Okay, so I have successfully copied the boot animation.zip and have attached it as proof. I believe I can actually copy the firmware because I found the file location after an exhausting amount of trial and error with different approaches. Using Debian (wheezy), and a combination of file explorers, and modifying apk's through Lucky Patcher, I was able to view the device tree and so on. Anybody willing to guide me to the next step?
Z983 Firmware .img files found and uploaded
Okay, I found the firmware files and when I moved them to my external SD card, they combined automatically and was labeled update.zip. This is it guys, help me!
Device Tree
Can anyone let me know if this is helping, or if everyone gave up....?
dammi.forza0910 said:
Okay, I found the firmware files and when I moved them to my external SD card, they combined automatically and was labeled update.zip. This is it guys, help me!
Downloading the files when I get off work and will look at them as best I can, maybe we can get the bootloader to show up in the recovery, Cricket did something to the flags that bypasses the bootloader, maybe we can reflag and get it to show up again. Good work, hopefully some progress can be made now.
My Z6 Pro phone is bricked. EDL mode is available, but EDL file (stock ROM) installation by QFIL fails.
Error message is as below.
09:35:58: DEBUG: XML FILE (141 bytes): CharsInBuffer=141-141=0
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Read non multiple sector size value from USB 640001 sectsize4096" /></data>
-------------------------------------------------------------------------------------------
Error
09:35:58: INFO: TARGET SAID: 'ERROR: Read non multiple sector size value from USB 640001 sectsize4096'
09:35:58: DEBUG: CharsInBuffer=0 Trying to read from USB 8192 bytes
09:37:50: {ERROR: ReadPort:5915 Could not read from '\\.\COM10', Windows API ReadFile failed! Your device is probably *not* on this port
So I would like to try to check partition status using QFIL partition manager.
In order to have partition information, I need "Fire hose.mbn " file for SD855.
Does anyone have a download link?
Or please advise how to solve this error.
Please help.
Sorry everyone.
Z6 pro memory type is UFS.
So eMMC-related applications do not work on the Z6 Pro.
So my question is how to solve the QFIL issue that I am facing now.
Error message is as below. (Same as previous one)
1) EDL mode connection: Success
2) China stable pie stock rom for QPST
3) error message is as below.
09:35:58: INFO: Overall to target 8.578 seconds (14.55 MBps)
09:35:58: INFO: {percent files transferred 8.62%}
09:35:58: DEBUG: CharsInBuffer=0 Trying to read from USB 8192 bytes
09:35:58: DEBUG: CHANNEL DATA (141 bytes) <-- TARGET to HOST
09:35:58: DEBUG: CharsInBuffer = 141
09:35:58: DEBUG: printBuffer:6017 PRETTYPRINT Buffer is 141 bytes
09:35:58: DEBUG: printBuffer:6094 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
09:35:58: DEBUG: printBuffer:6094 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 .0" encoding="UT
09:35:58: DEBUG: printBuffer:6094 46 2D 38 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C F-8" ?>.<data>.<
09:35:58: DEBUG: printBuffer:6094 6C 6F 67 20 76 61 6C 75 65 3D 22 45 52 52 4F 52 log value="ERROR
09:35:58: DEBUG: printBuffer:6094 3A 20 52 65 61 64 20 6E 6F 6E 20 6D 75 6C 74 69 : Read non multi
09:35:58: DEBUG: printBuffer:6094 70 6C 65 20 73 65 63 74 6F 72 20 73 69 7A 65 20 ple sector size
09:35:58: DEBUG: printBuffer:6094 76 61 6C 75 65 20 66 72 6F 6D 20 55 53 42 20 36 value from USB 6
09:35:58: DEBUG: printBuffer:6094 34 30 30 30 31 20 73 65 63 74 73 69 7A 65 34 30 40001 sectsize40
09:35:58: DEBUG: printBuffer:6094 39 36 22 20 2F 3E 3C 2F 64 61 74 61 3E 96" /></data>
09:35:58: DEBUG: printBuffer:6107
09:35:58: DEBUG: XML FILE (141 bytes): CharsInBuffer=141-141=0
-------------------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>
<data>
<log value="ERROR: Read non multiple sector size value from USB 640001 sectsize4096" /></data>
-------------------------------------------------------------------------------------------
09:35:58: INFO: TARGET SAID: 'ERROR: Read non multiple sector size value from USB 640001 sectsize4096'
09:35:58: DEBUG: CharsInBuffer=0 Trying to read from USB 8192 bytes
_____
| ___|
| |__ _ __ _ __ ___ _ __
| __| '__| '__/ _ \| '__|
| |__| | | | | (_) | |
\____/_| |_| \___/|_|
09:37:50: {ERROR: ReadPort:5915 Could not read from '\\.\COM10', Windows API ReadFile failed! Your device is probably *not* on this port
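An added example (not part of any post in this thread, and not QFIL's own code): a Python helper that rebuilds the target-to-host buffer from the `printBuffer` hex rows in the log above, parses the XML reply, and checks the reported count against the reported sector size. Reading the first number in the message as a byte count and `sectsize` as the sector size in bytes is an assumption based on the message text; the function names `reassemble` and `diagnose` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Log lines copied from the post above (QFIL debug output, layout as scraped).
SAMPLE_LOG = '''\
09:35:58: DEBUG: printBuffer:6017 PRETTYPRINT Buffer is 141 bytes
09:35:58: DEBUG: printBuffer:6094 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
09:35:58: DEBUG: printBuffer:6094 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 55 54 .0" encoding="UT
09:35:58: DEBUG: printBuffer:6094 46 2D 38 22 20 3F 3E 0A 3C 64 61 74 61 3E 0A 3C F-8" ?>.<data>.<
09:35:58: DEBUG: printBuffer:6094 6C 6F 67 20 76 61 6C 75 65 3D 22 45 52 52 4F 52 log value="ERROR
09:35:58: DEBUG: printBuffer:6094 3A 20 52 65 61 64 20 6E 6F 6E 20 6D 75 6C 74 69 : Read non multi
09:35:58: DEBUG: printBuffer:6094 70 6C 65 20 73 65 63 74 6F 72 20 73 69 7A 65 20 ple sector size
09:35:58: DEBUG: printBuffer:6094 76 61 6C 75 65 20 66 72 6F 6D 20 55 53 42 20 36 value from USB 6
09:35:58: DEBUG: printBuffer:6094 34 30 30 30 31 20 73 65 63 74 73 69 7A 65 34 30 40001 sectsize40
09:35:58: DEBUG: printBuffer:6094 39 36 22 20 2F 3E 3C 2F 64 61 74 61 3E 96" /></data>
'''

def reassemble(log_text):
    """Rebuild the target-to-host buffer from the PRETTYPRINT hex rows."""
    announced, data = None, bytearray()
    for line in log_text.splitlines():
        m = re.search(r"PRETTYPRINT Buffer is (\d+) bytes", line)
        if m:  # a new buffer starts: remember its announced length
            announced, data = int(m.group(1)), bytearray()
            continue
        m = re.search(r"printBuffer:\d+\s+(.*)", line)
        for tok in (m.group(1).split()[:16] if m else []):  # 16 bytes per row
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            data.append(int(tok, 16))
    if announced is None or len(data) < announced:
        raise ValueError("hex rows do not cover the announced buffer length")
    return bytes(data[:announced])

def diagnose(log_text):
    """Return (message, count, sector_size, remainder) from the target's reply."""
    root = ET.fromstring(reassemble(log_text))
    msg = root.find("log").get("value")
    m = re.search(r"from USB (\d+) sectsize(\d+)", msg)
    if not m:
        raise ValueError("not a sector-size complaint: " + msg)
    count, sect = int(m.group(1)), int(m.group(2))
    return msg, count, sect, count % sect

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

For this log the remainder is 1025, so the count the target reports (640001) is not a whole number of 4096-byte sectors, which is exactly what the target's message complains about.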
Heyyo @TTTSATO, have you tried checking the drivers to ensure you have the 9008 COM drivers installed? Also please make sure you have the correct port selected in the QFIL app and you are following the proper instructions.
[ROM] Lenovo Z6 Pro L78051 QPST | Edl way |
Dear, Since I only support Arabic, I will present the necessary files with the pictures This Files Only For: Lenovo Z6 Pro L78051 Settings > About phone > Technical details > Model > Lenovo L78051 You Can use | Tool All In One | to Force your...
forum.xda-developers.com