Partition layout change

[Guest Krinyo]

On my default 2.1 system there is 76.67 mb wasted on /system. Deleteable apps (cos I refresh/change them from market immediately) office, calculator, google apps like gmail, maps, voice recorder, task manager, etc. So there is more than 80-90 MB of space what freely relocateable to /data. This is my vision of an ultimate Blade... :unsure:

[Guest toxicdog]

I CAN confirm that, Tom G's partition layout WORKS on the hungarian blade :unsure:

Free space on the original t-mobile ROM: 233MB

I'm restoring my Alpha4 backup at the moment.

will post free space after that.

[Guest toxicdog]

yes, its up and running.

Restored my Alpha4 ROM.

I always had about 39-40MB of space on /data, with a lot of programs/games installed. After it, I've got 90MB!

It's awesome! The best hack so far for the blade!

[Guest fonix232]

Wow it's great!

But, doesn't we need a modified kernel to mount the /data properly? Or it only applies the G1, as it has different partition layout?

Also, any hope for dumping those partitions?

These:

ptn 8 name='MIBIB' start=00000000 len=0000000a flags=00000000 type=Modem Writable=Yes

ptn 9 name='QCSBL' start=0000000a len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 10 name='OEMSBL1' start=0000000c len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 11 name='OEMSBL2' start=00000011 len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 12 name='AMSS' start=00000016 len=000000d4 flags=00000000 type=Modem Writable=Yes

ptn 13 name='APPSBL' start=000000ea len=00000003 flags=00000000 type=Modem Writable=Yes

ptn 14 name='FOTA' start=000000ed len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 15 name='EFS2' start=000000ef len=00000060 flags=00000000 type=Modem Writable=Yes

ptn 16 name='APPS' start=0000014f len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 17 name='FTL' start=00000151 len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 18 name='EFS2APPS' start=00000156 len=ffffffff flags=00000000 type=Modem Writable=Yes

As the type field says, these are the MODEM parts of the firmware, telephony partitions, maybe some fixes to these will do the trick and WiFi will not sleep!

[Guest Krinyo]

yes, its up and running.

Cooooooool. :unsure: This was my first idea after we get this low-level ROM update for the hungarian Blades.

Do You have a brief tutorial how manage it? Complete ROM reflash with Tom's modified file?

How look Your partition table after this?

Edited January 2, 2011 by Krinyo

[Guest toxicdog]

Cooooooool. :unsure: This was my first idea after we get this low-level ROM update for the hungarian Blades.

Do You have a brief tutorial how manage it? Complete ROM reflash with Tom's modified file?

How look Your partition table after this?

My partition table is now the same as what Tom G showed us.

First I tried only flashing the resize.zip (unpacked to an image folder on SD card, and boot with volume up), but didn't work that way.

The solution was downloading the 512mb_memory_fix, and overwriting the files with Tom G's resize.zip.

Then followed the memory fix tutorial:

Copied everything to SD card (image folder), turned on phone with volume up and menu button pressed.

Actually, just ran the t-mobile's low level firmware update (thanks fo sly5), with Tom G (thx)'s files.

My phone went back to factory defaults, 2.1 T-mobile ROM, hungarian language by default, so I flashed the clokworkmod recovery, and restored my 2.2 Aplha4 backup file, with the well known method.

I'm uploadig the memory fix with Tom G's files embedded in it, will post the link when completed. Maybe with a HOWTO B)

However, I must warn everybody, it has only been tested by a few people now.

AFAIK, the process can be rewersed with the original t-mobile firmware update.

Edited January 2, 2011 by toxicdog

[Guest fonix232]

My partition table is now the same as what Tom G showed us.

First I tried only flashing the resize.zip (unpacked to an image folder on SD card, and boot with volume up), but didn't work that way.

The solution was downloading the 512mb_memory_fix, and overwriting the files with Tom G's resize.zip.

Then followed the memory fix tutorial:

Copied everything to SD card (image folder), turned on phone with volume up and menu button pressed.

Actually, just ran the t-mobile's low level firmware update (thanks fo sly5), with Tom G (thx)'s files.

My phone went back to factory defaults, 2.1 T-mobile ROM, hungarian language by default, so I flashed the clokworkmod recovery, and restored my 2.2 Aplha4 backup file, with the well known method.

I'm uploadig the memory fix with Tom G's files embedded in it, will post the link when completed. Maybe with a HOWTO :unsure:

However, I must warn everybody, it has only been tested by a few people now.

AFAIK, the process can be rewersed with the original t-mobile firmware update.

Then at least please replace the recovery.img with clockworkmod B)

[Guest toxicdog]

HOWTO - Getting 64mb more ROM space. (for installing apps)

!!WARNING. This process was only tested by a few people here. DO IT AT YOUR OWN RISK I've made this guide only for experienced, pro users for testing purposes!!

!!FIGYELEM. Ezt még csak néhányunknak sikerült kipróbálni. KIZÁRÓLAG SAJÁT FELELŐSSÉGRE!!!

This guide will repartition your Blade's internal memory, so you will get 50mb plus space for installing applications.

for now, ONLY FOR HARDCORE USERS.

Tested to work on 512mb ZTE Blade. Hungarian, T-mobile simlocked.

The current ROM, or anything else doesn't affect the guide.

The files are not my work, I'd like to thank Tom G for the hex edit, and Sly5 for getting the T-Mobile low level firmware update zip, and sharing with us.

1.: optional: do a nandroid backup. Completing this guide will erase ALL your data, and you'll have a hungarian language 2.1 rom.

2.: charge your phone. I cannot even imagine what happens if you interrupt the partitioning process. Your phone wont blow up, but you'll need to get another Blade to charge your battery.

3.: understand all the risks. Your Blade will be simlocked to the hungarian t-mobile network. You NEED to unlock your phone, if you're not hungarian :-)

4.: download this: http://www.2shared.com/file/e9vdb0pa/romsize.html (basically its the t-mobile low level firmware update tool with the hex-edited partition table information file)

5.: create a new dir on your SD card, 'image'. low case. Upack romsize.zip here.

from this point, follow the 512mb memory unlock tutorial:

6.: ensure your battery is not empty, then turn on your phone with menu and volume up buttons pressed.

7.: wait for the process to complete (2mins max.)

8.: enjoy :-)

9.: optional: flash clockworkmod (other tutorial), and restore your backup from step 1.

10.: if you're not a hungarian t-mobile user: unlock your phone (other guide)

What that does?

Your /system partition will be 64mb smaller, thats okay, we dont need that much space for now. Maybe a new rom will be released in the future, with a lot of programs embedded, but for now, it's just unnecessary.

That 64mb goes to your /data partition.

The process can be reversed, if you follow the 512mb memory unlock tutorial.

/don't forget to delete the image dir on your SD before flashing clockworkmod, or you will keep repartitioning instead of entering fastboot interface like me :unsure:/

Edited January 2, 2011 by toxicdog

[Guest toxicdog]

Then at least please replace the recovery.img with clockworkmod :unsure:

Hungarian users, with the default 2.1 t-mobile rom cannot use clockworkmod.

It makes the display go crazy :-)

This is the only reason I don't replace that.

[Guest fonix232]

Hungarian users, with the default 2.1 t-mobile rom cannot use clockworkmod.

It makes the display go crazy :-)

This is the only reason I don't replace that.

Have you tried ClockworkMod 2.5.1.8 by Seb? It works correctly, has the proper display orientation, and the screen does not go crazy :unsure:

What you're talking about is the MCRi Superboot image, what really causes red/blue swap (what was red becomes blue and vice versa) -> screen crazyness.

[Guest toxicdog]

As far as i can see, every IMG file can be replaced in the image folder on SD with your backed up IMGs, and you'll get back your backed up system.

not tested BTW.

This is a huge improvement for ROM cookers.

They can alter the partition table, and switch the boot img, with just a zip file.

I could imagine a new fix.zip with a very very stripped down version of android, clockworkmod, and more space on /data. With a very easy installing procedure, even without clockworkmod.

Actually this thing needs more testers to try the partitioning thing.

Edited January 2, 2011 by toxicdog

[Guest Phoenix Silver]

As far as i can see, every IMG file can be replaced in the image folder on SD with your backed up IMGs, and you'll get back your backed up system.

not tested BTW.

This is a huge improvement for ROM cookers.

They can alter the partition table, and switch the boot img, with just a zip file.

I could imagine a new fix.zip with a very very stripped down version of android, clockworkmod, and more space on /data. With a very easy installing procedure, even without clockworkmod.

i would want to try but i have a question

what is splash.img ? (green android man at start ?)

[Guest Krinyo]

Restoring my backup now, confirmed, hack is working. Thanks for everybody, especially Tom G for the partition hack!!! This low-level hungarian update is a real miracle. :unsure:

[Guest toxicdog]

i would want to try but i have a question

what is splash.img ? (green android man at start ?)

Yes.

I've checked the new partitions with 'df'

2.2 Alpha4: /system: 124mb used, 22mb free

/data: 278mb total :unsure:

[Guest StevenHarperUK]

Nice progress guys;

I see that isambard has started a ROM based on the new low level technique

Have we confirmed that it is easily reversible with the Hungarian clean low level restore?

Also which devices (country's) have we had try this so far?

I will produce a guide when I think that its safe to send new users down this route.

Good work all.

[Guest Tom G]

Wow it's great!

But, doesn't we need a modified kernel to mount the /data properly? Or it only applies the G1, as it has different partition layout?

Also, any hope for dumping those partitions?

These:

ptn 8 name='MIBIB' start=00000000 len=0000000a flags=00000000 type=Modem Writable=Yes

ptn 9 name='QCSBL' start=0000000a len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 10 name='OEMSBL1' start=0000000c len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 11 name='OEMSBL2' start=00000011 len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 12 name='AMSS' start=00000016 len=000000d4 flags=00000000 type=Modem Writable=Yes

ptn 13 name='APPSBL' start=000000ea len=00000003 flags=00000000 type=Modem Writable=Yes

ptn 14 name='FOTA' start=000000ed len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 15 name='EFS2' start=000000ef len=00000060 flags=00000000 type=Modem Writable=Yes

ptn 16 name='APPS' start=0000014f len=00000002 flags=00000000 type=Modem Writable=Yes

ptn 17 name='FTL' start=00000151 len=00000005 flags=00000000 type=Modem Writable=Yes

ptn 18 name='EFS2APPS' start=00000156 len=ffffffff flags=00000000 type=Modem Writable=Yes

As the type field says, these are the MODEM parts of the firmware, telephony partitions, maybe some fixes to these will do the trick and WiFi will not sleep!

Some of them are in the hungarian update. They could all be there, we just don't know whats what.

qcsbl.mbn

oemsbl.mbn

amss.mbn

appsboot.mbn

HOWTO - Getting 50mb more ROM space. (for installing apps)

Its actually 64MB

Nice progress guys;

I see that isambard has started a ROM based on the new low level technique

Have we confirmed that it is easily reversible with the Hungarian clean low level restore?

Also which devices (country's) have we had try this so far?

I will produce a guide when I think that its safe to send new users down this route.

Good work all.

It is definitely reversible. If it works it can be returned to original by using the original appsboot.mbn (the partition_zte.mbn shouldn't really matter, the flasher just won't work right if the wrong one is used).

I would recommend anyone playing with appsboot.mbn be very careful as I think that is what is actually running this flash process, so if it gets broken it could brick the phone, but I can't see how my modification could break it.

I've tested on an Orange UK device. It should work on anything confirmed to work with the Hungarian update.

[Guest StevenHarperUK]

I would recommend anyone playing with appsboot.mbn be very careful as I think that is what is actually running this flash process, so if it gets broken it could brick the phone, but I can't see how my modification could break it.

This bit made me grin :unsure:

Maybe you mean anyone who understands what there doing.

If there is a chance it can brick the phone - then the usual Caution is required.

Your modifications look safe - I am very interested on seeing how the v880 gets on with this method.

Is there any way to get the .mbn files extracted from a clean device - or is that a silly question?

[Guest Tom G]

This bit made me grin :unsure:

Maybe you mean anyone who understands what there doing.

All I did was change some addresses which should only effect the partition table. Anything that could change the functionality of the program could be risky.

Your modifications look safe - I am very interested on seeing how the v880 gets on with this method.

I would like to see the existing layout before anyone tries it. If the modem bits take more space then it could cause problems, but we should be able to make something that works.

I think the kernel outputs the layout in a similar format to the bootloader (with offset in the nand) soon after it starts, so someone might be able to grab it with dmesg. Otherwise someone could use the rs232 output to find the correct offset, or I can provide a modified kernel that can be used to find the offset (only good for finding where the app partitions start in the nand, it won't give any info about the modem partitions).

I remember seeing something about the japanese devices having an extra partition, so if they used this appsboot.mbn that partition will disappear.

Is there any way to get the .mbn files extracted from a clean device - or is that a silly question?

No nice way that I know of, but reading the nand chip directly (eg. soldering wires to it) should work. Depending on what type of chip it is that could be difficult.

If someone wants to send me a broken phone I'll give it a go. I might even pull mine apart one day.

Edited January 2, 2011 by Tom G

[Guest Arr Too]

Is there any way to get the .mbn files extracted from a clean device - or is that a silly question?

It's certainly not a silly question, but it's quite likely there's no way (built-in) to dump the phone to the same sort image. But as we start to understand the format it's possible some clever chap might be able to make something.

I wouldn't recommend any V880 users try this, since it's so low-level and we know there are significant differences. But this sort of thing might actually be the way to get the V880 stuff working on the 'normal' Blades. What we need now is a similar update image for the V880 so we can play spot the difference... Seems unlikely we'll get one, though.

[Guest Arr Too]

A little because I could see when the bootloader output changed (and could see that partition_zte.mbn didn't effect it), but it could all be done without the rs232. The changes can be seen from linux.

Do you mean that you can monitor the bootloader via USB (or some other means)? Or that if the boot is successful then there are logs stored somewhere?

[Guest oh!dougal]

...

Is there any way to get the .mbn files extracted from a clean device - or is that a silly question?

My turn for a silly question.

Doesn't the Hungarian update actually contain everything already?

Surely it should be easier to extract stuff (any stuff) from that (on whatever analysis platform), than to try and get stuff out of the phone - using only the tools on the phone ... ?

Edited January 2, 2011 by oh!dougal

[Guest isambard]

OK. I think i've Found it.

It looks like the partition layout starts at 0xAA70 of appsboot.mbn.

The partition_zte.mbn probably needs to match what is there for the flash process to work correctly.

nice spot! i can see the partition table info in appsboot.mbn at 0xaa70, as you say. i wonder if the partition_zte.mbn is needed at all?

kinda cool that i went to bed and the next morning a new discovery is made! :unsure:

for those that are wondering, the qualcomm unit has 2 embedded ARM processors in it. one runs the radio and the other the applications (android). the amss.mbn is the firmware for the radio processor and the appsboot.mbn is the bootloader for the application CPU.

now that we have the mechanism to load a new appsboot.mbn, in theory we should be able to take full control of the phone and load anything onto it.

Edited January 2, 2011 by isambard

[Guest fonix232]

My turn for a silly question.

Doesn't the Hungarian update actually contain everything already?

Surely it should be easier to extract stuff (any stuff) from that (on whatever analysis platform), than to try and get stuff out of the phone - using only the tools on the phone ... ?

It contains everything, but I guess they aren't the RAW formatted versions, but instead a flash-able version.

[Guest Phoenix Silver]

i'm trying to make an easy way to restore a backuped phone

i have dowloaded fix.zip

replaced the imgs files in with the backup of clock

but ...... i have (jellyfish rom)

# df -h

Filesystem Size Used Available Use% Mounted on

tmpfs 208.3M 12.0K 208.3M 0% /dev

/dev/block/mtdblock5 207.5M 165.9M 41.6M 80% /system

/dev/block/mtdblock6 208.1M 89.4M 118.7M 43% /data

it's this number which worry me

any advice ?

[Guest Tom G]

Do you mean that you can monitor the bootloader via USB (or some other means)? Or that if the boot is successful then there are logs stored somewhere?

It writes to the rs232 port, so you can monitor what its doing through that. I was actually think earlier that by modifying the appsboot.mbn it may be possible to redirect the output somewhere else, but I think it would be beyond my abilities.

My turn for a silly question.

Doesn't the Hungarian update actually contain everything already?

Surely it should be easier to extract stuff (any stuff) from that (on whatever analysis platform), than to try and get stuff out of the phone - using only the tools on the phone ... ?

Not all blades are the same or fully compatible. The Chinese and Japanese devices are known to have some differences and the hungarian update may not work on them.

nice spot! i can see the partition table info in appsboot.mbn at 0xaa70, as you say. i wonder if the partition_zte.mbn is needed at all?

Think about how it flashes the device. If appsboot.mbn is the bit that is doing the flashing, how does it know where to write the new partitions. Its fine when flashing from in recovery or fastboot, but when doing a full flash where appsboot.mbn it self is replaced, how does it know where the other partitions are meant to be. It only knows the partition table hardcoded into it, so when it is replaced it has no way of knowing the new layout except partition_zte.mbn (I hope all of that made sense).