SEUS has just updated their program so instead of seeing a long file like this "FILE_277344675_1271909822000_1271909822000_277398125_114906833_INFILE_LONGTERM" , instead of that, it is shortened like this "FILE_277398125".
After overwriting the two files according to the tutorial, the SEUS keeps downloading the firmware files over the ones which have been overwritten.
I thought the SEUS is OK last weekend, but now, they changed their program. Anyone tried and find a solution for this issue?
Man im stuck with the same problem...someone pls help !!
Use Omnius instead? Quick and easy to use.
Download
Set up account online
Enter account details in Omnius
Then follow instructions below on how to flash
http://forum.xda-developers.com/showpost.php?p=6789689&postcount=324
Hope this helps.
wingz85 said:
Use Omnius instead? Quick and easy to use.
Download
Set up account online
Enter account details in Omnius
Then follow instructions below on how to flash
http://forum.xda-developers.com/showpost.php?p=6789689&postcount=324
Hope this helps.
Click to expand...
Click to collapse
yea ur intrustions are for the the SIn reconstructions, what if i want to reinstal using my bak ups from the seus dump (blog.fs) before i debranded??
exekias said:
yea ur intrustions are for the the SIn reconstructions, what if i want to reinstal using my bak ups from the seus dump (blog.fs) before i debranded??
Click to expand...
Click to collapse
i have the same problem . i want brand to my original A1(Austria) branded files.
now i have R2BA023 root + market fix.
and i have the 2 original A1 files ( File_ xxxxxxxxxxxxxxx_infile_longterm).
but how does omnius work with those files?
what is the application file and what the customize file?
kind regards DauL
can someone help me`` how to flash rooted phone back to A1 ( Austria) branded witfh omnius ? i have the two original files, but i dont know which file i should take for the application and the customize file
kind regards
wingz85 said:
Use Omnius instead? Quick and easy to use.
Download
Set up account online
Enter account details in Omnius
Then follow instructions below on how to flash
http://forum.xda-developers.com/showpost.php?p=6789689&postcount=324
Hope this helps.
Click to expand...
Click to collapse
Hi,Thank you for your sugestion. However, I am still failed to flash by Omnius.
Finally got error and Yellow exclamation mark on my phone after reboot it.
Here is the result after I flash the x10 with Omnious.
Code:
Action journal
22:29:08 Flash
22:29:08 Allows to change languages supported by the phone and upgrade its firmware.
22:29:08 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
22:29:08 Application version: 0.07.2279 (beta)
22:29:08 . The action name is 'Flash'
22:29:08 Selected phone type: Xperia™ X10
22:29:08 i Instructions
22:29:08 i 1. Make sure the phone battery is charged to at least 50%.
22:29:08 i 2. Switch off the phone!
22:29:08 i 3. Remove the phone battery and wait at least 5 seconds before reinserting it!
22:29:08 i 4. Press and hold the return back button, then connect the cable to the phone!
22:29:08 . The action started waiting for the user
22:29:25 . The action finished waiting for the user
22:29:25 Connecting via SEMC USB Flash Device (USB3)...
22:29:25 Device driver version: 2.2.0.5
22:29:25 Detected chipset: QSD8250
22:29:25 Boot mode: EROM
22:29:25 IMEI: [email protected]@@
22:29:25 Sending loader...
22:29:26 Establishing connection to the server...
22:29:29 Receiving news...
22:29:34 i No news
22:29:34 Actual credit: 0.00
22:29:40 Writing file phone.zip...
22:30:18 Writing file X10i_GENERIC_1234_8465R8A_R1FB001.zip...
22:33:38 e Failed!
22:33:38 . The action entered shutdown phase
22:33:38 . The action reported failure
Error code
# E39CDD9F86C3082E
Error details
---
61 C6 C0 A4 65 CB CD 00 FF 08 E1 72 F3 9F B5 AE
13 9B E7 8D E5 86 63 FA 78 BD E4 7E ED 5F 85 68
09 52 D0 4B 3E 18 6D E0 61 94 3A D6 3F 7D 06 ED
11 DB BB C5 11 03 FE 12 A2 17 E5 DB 4F B0 1E 0D
C5 5C E6 DF 47 8B A0 93 02 E4 6C 19 80 4D 59 91
46 C1 3B 15 F6 69 01 6B CA 64 A3 13 2E 26 7A 7C
7E AD 9A 9E 1D EB 00 E8 80 F0 7A 96 0F 25 D0 BA
D5 FD 93 6D 4B 5B 30 D9 6C D7 4D 92 B4 C0 04 64
F7 56 66 50 2A AA 3B E5 F3 13 07 8D EE A3 41 61
48 50 E9 72 04 6F 71 F5 55 D4 0A 0C 6D 2F 05 E8
77 58 E8 34 2A 17 BD A1 E1 9A FF 0A ED 48 D5 09
C7 38 25 15 95 C7 43 B0 6F 20 0C E7 BD 5C 0B 29
17 8E 39 EE F3 F9 7F 69 EF 5B A1 DC B3 74 21 FF
19 DE A7 ED 25 46 5D DE 0F B6 8F 34 FD F2 BB 58
E7 3F D9 C4 D5 24 2D E1 A1 DA BF 44 5B 79 BB 34
F9 22 57 42 85 66 03 14 99 C1 7C 7F
---
It still works via SEUS but some steps have changed due to the new SESU release.
Follow THIS revised tutorial and all will work again.
I know it works as I have been doing it and even used this yesterday.
Candy[MAN] said:
It still works via SEUS but some steps have changed due to the new SESU release.
Follow THIS revised tutorial and all will work again.
I know it works as I have been doing it and even used this yesterday.
Click to expand...
Click to collapse
Yes, I know the new method. however, I have already bricked my x10 and now it show me a Yellow exclamation mark after rebooting.
I have tried the new method, it did not work for my case.
http://www.canyoucrackit.co.uk/
Not Evo related, but still fun. It's stage 1 of a challenge, that is said to be a GCHQ Recruitment Test.
I don't know why this is under the HTC Supersonic but here is the hex data, so you don't have to manually type it in yourself:
Code:
eb 04 af c2 bf a3 81 ec 00 01 00 00 31 c9 88 0c
0c fe c1 75 f9 31 c0 ba ef be ad de 02 04 0c 00
d0 c1 ca 08 8a 1c 0c 8a 3c 04 88 1c 04 88 3c 0c
fe c1 75 e8 e9 5c 00 00 00 89 e3 81 c3 04 00 00
00 5c 58 3d 41 41 41 41 75 43 58 3d 42 42 42 42
75 3b 5a 89 d1 89 e6 89 df 29 cf f3 a4 89 de 89
d1 89 df 29 cf 31 c0 31 db 31 d2 fe c0 02 1c 06
8a 14 06 8a 34 1e 88 34 06 88 14 1e 00 f2 30 f6
8a 1c 16 8a 17 30 da 88 17 47 49 75 de 31 db 89
d8 fe c0 cd 80 90 90 e8 9d ff ff ff 41 41 41 41
(I'll edit this post if you find any transcription errors)
Suspicious sequences are:
00 01 and 00 00 at offset 0x08
deadbeef at 0x18
5c 58 3d 41 41 41 41 75 43 58 3d 42 42 42 42 75 3b 5a ("\X=AAAAuCX=BBBBu;Z") at 0x41
47 49 75 at 0x89
41 41 41 41 ("AAAA") at 0x9c
ff ff ff at 0x99
00 00 00 at offset 0x36 and again at 0x3e
The first few bytes look like x86 assembly code. Trying http:/ stackoverflow.com/questions/1737095/how-do-i-disassemble-raw-x86-code (sorry, can't actually make that a link due to forum rules)
I think it's not 16-bit real mode code, so here's a static analysis of the code treated as ia32 linux code - because of the int $0x80 at the end.
Code:
objdump -D -b binary -mi386 (raw bytes here)
start:
0: eb 04 jmp 0x6
might_be_data1:
2: af scas %es:(%edi),%eax
3: c2 bf a3 ret $0xa3bf
init:
6: 81 ec 00 01 00 00 sub $0x100,%esp
c: 31 c9 xor %ecx,%ecx
search_for_zero_byte:
e: 88 0c 0c mov %cl,(%esp,%ecx,1)
11: fe c1 inc %cl
13: 75 f9 jne 0xe
15: 31 c0 xor %eax,%eax
17: ba ef be ad de mov $0xdeadbeef,%edx
checksum_loop:
1c: 02 04 0c add (%esp,%ecx,1),%al
1f: 00 d0 add %dl,%al
21: c1 ca 08 ror $0x8,%edx ; first time through, %edx = $0xdeadbe
24: 8a 1c 0c mov (%esp,%ecx,1),%bl
27: 8a 3c 04 mov (%esp,%eax,1),%bh
2a: 88 1c 04 mov %bl,(%esp,%eax,1) ; swap byte values
2d: 88 3c 0c mov %bh,(%esp,%ecx,1) ; swap byte values
30: fe c1 inc %cl ; run the loop until %cl wraps to 0
32: 75 e8 jne 0x1c
34: e9 5c 00 00 00 jmp 0x95
sub_39:
39: 89 e3 mov %esp,%ebx
3b: 81 c3 04 00 00 00 add $0x4,%ebx
41: 5c pop %esp
42: 58 pop %eax
43: 3d 41 41 41 41 cmp $0x41414141,%eax
48: 75 43 jne 0x8d
4a: 58 pop %eax
4b: 3d 42 42 42 42 cmp $0x42424242,%eax
50: 75 3b jne 0x8d
52: 5a pop %edx
53: 89 d1 mov %edx,%ecx
55: 89 e6 mov %esp,%esi
57: 89 df mov %ebx,%edi
59: 29 cf sub %ecx,%edi
5b: f3 a4 rep movsb %ds:(%esi),%es:(%edi)
5d: 89 de mov %ebx,%esi
5f: 89 d1 mov %edx,%ecx
61: 89 df mov %ebx,%edi
63: 29 cf sub %ecx,%edi
65: 31 c0 xor %eax,%eax
67: 31 db xor %ebx,%ebx
69: 31 d2 xor %edx,%edx
6b: fe c0 inc %al
6d: 02 1c 06 add (%esi,%eax,1),%bl
70: 8a 14 06 mov (%esi,%eax,1),%dl
73: 8a 34 1e mov (%esi,%ebx,1),%dh
76: 88 34 06 mov %dh,(%esi,%eax,1)
79: 88 14 1e mov %dl,(%esi,%ebx,1)
7c: 00 f2 add %dh,%dl
7e: 30 f6 xor %dh,%dh
80: 8a 1c 16 mov (%esi,%edx,1),%bl
83: 8a 17 mov (%edi),%dl
85: 30 da xor %bl,%dl
87: 88 17 mov %dl,(%edi)
89: 47 inc %edi
8a: 49 dec %ecx
8b: 75 de jne 0x6b
8d: 31 db xor %ebx,%ebx
8f: 89 d8 mov %ebx,%eax
91: fe c0 inc %al
93: cd 80 int $0x80
95: 90 nop
96: 90 nop
97: e8 9d ff ff ff call 0x39
9c: 41 inc %ecx
9d: 41 inc %ecx
9e: 41 inc %ecx
9f: 41 inc %ecx
X=AAAAuCX=BBBBu;
Before i found this page, i wrote a little tool to convert hex into a readable string in pascal..
s:=#$E3+#$81+#$C3+#$04+#$00+#$00+#$00+'\X=AAAAuCX=BBBBu;Z'+#$89+#$D1+#$89+#$E6+#$89+#$DF+')'+#$CF+#$F3+#$A4+#$89+#$DE+#$89+#$D1+#$89+#$DF+')'+#$CF+'1'+#$C0+'1'+#$DB+'1'+#$D2+#$FE+#$C0+#$02+#$1C+#$06+#$8A+#$14+#$06+#$8A+'4'+#$1E+#$88+'4'+#$06+#$99+#$14+#$1E+#$00+#$F2+'0'+#$F6+#$8A+#$1C+#$16+#$8A+#$17+'0'+#$DA+#$88+#$17+'GIu'+#$DE+'1'+#$DB+#$89+#$D8+#$FE+#$C0+#$CD+#$80+#$90+#$90+#$EB+#$9D+#$FF+#$FF+#$FF+'AAAA';
and manually typed in every hex value.. before finding this site.
anyway (annoyed wasting that 20 minutes now)
\X=AAAAuCX=BBBBu;Z
That looks like a cookie?
let's suppose they are opcodes, this does not look like 0x86 have you tried a 16bit disassembler mode?
Question, is this disassemble code? or is this a captured packet? or a packet made to look like either but instead is just random crap generated by a program with a unique identifier that can be decoded...
some clue would be nice...
---------- Post added at 08:15 PM ---------- Previous post was at 08:05 PM ----------
oh and could someone move this thread? it's got nothing to do with htc lol
Here you go :-
www.canyoucrackit.co.uk/soyoudidit.asp
Sent from my GT-S5570 using xda premium
lol, that's just cheating, forget brute force, bruteforce the http request strings to find page you get sent to if you get the answer ...
shakes head, they spent all that time and they never even bothered to stop to consider producing a link on the fly after getting the answer right then deleting the computer generated webpage (tmp file)...
they need help after all! no wonder they're in need of hackers christ....
Anyway thanks for that link, but the answer would be nice, i guess we'll found out soon enough
Cheers!
So i got it.
Passphrase: Pr0t3ct!on#[email protected]*12.2011+
solution to part #1 of canyoucrackit
part2.h will be published along with solutions to the subsequent levels after 12 December 2011
#include <stdio.h>
#include <stdint.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/utsname.h>
#include "part2.h" // see information above
static char part1[] = {
0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};
// code to dump the decrypted memory:
static const char dump_mem[] = {
0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x40
0x8d, 0x4f, 0xce, // lea ecx, [edi-0x32]
0x31, 0xdb, // xor ebx, ebx
0x43, // inc ebx (stdout)
0x31, 0xc0, // xor eax, eax
0xb0, 0x04, // add al, 0x4 - sys_write
0xcd, 0x80, // int 0x80
0x31, 0xdb, // xor ebx,ebx
0x43, // inc ebx
0x31, 0xd2, // xor edx,edx
0x42, // inc edx
0x68, 0x0a, 0x00,0x00, 0x00, // push 0xa
0x8d, 0x0c, 0x24, // lea ecx,[esp]
0xb8, 0x04, 0x00,0x00, 0x00, // mov eax, 0x4
0xcd, 0x80, // int 0x80 - sys_write
0x31, 0xdb, // xor ebx,ebx
0x31, 0xc0, // xor eax,eax
0x40, // inc eax
0xcd, 0x80, // int 0x80 - sys_exit
};
uint32_t patch_mem(char *ptr, size_t size)
{
uint32_t i;
for (i = 0; i < size; i++) {
if (*(uint16_t *)&ptr == 0x80cd) {
*(uint16_t *)&ptr = 0x45eb;
return 0;
}
}
return 1;
}
uint32_t check_arch(void)
{
struct utsname kernel_info;
uname(&kernel_info);
return strcmp(kernel_info.machine, "i686") ? 1 : 0;
}
int main(int argc, char **argv)
{
void *mem;
if (check_arch()) {
printf("[-] this program must run on a 32-bit architecture\n");
return 1;
}
printf("[*] allocating page aligned memory\n");
mem = memalign(4096, 4096);
if (!mem) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
memset(mem, 0, 4096);
printf("[*] setting page permissions\n");
if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) {
printf("[-] error: %s\n", strerror(errno));
return 1;
}
printf("[*] copying payload\n");
memcpy(mem, part1, sizeof(part1));
memcpy(mem + sizeof(part1), part2, sizeof(part2));
memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));
printf("[*] adding dump_mem payload\n");
if (patch_mem(mem, sizeof(part1))) {
printf("[-] failed to patch memory\n");
return 0;
}
printf("[*] executing payload..\n\n");
((int(*)(void))mem)();
return 0;
}
CHEERS
Craig Capel said:
lol, that's just cheating, forget brute force, bruteforce the http request strings to find page you get sent to if you get the answer ...
shakes head, they spent all that time and they never even bothered to stop to consider producing a link on the fly after getting the answer right then deleting the computer generated webpage (tmp file)...
they need help after all! no wonder they're in need of hackers christ....
Anyway thanks for that link, but the answer would be nice, i guess we'll found out soon enough
Cheers!
Click to expand...
Click to collapse
Pr0t3ct!on#[email protected]*12.2011+
that's the answer
But easy way to do it.... just use ip scaner...and put the adress below... then you see many updates in adress...2 hours of reading...but i found it
Sorry for my bad English ...
CHEERS
thx. Interesting way to learn how this works without visiting strange sites...
(although it does not seem to fit this forums purpose)
Well like the rest of you I want to unlock and root this device.
I'm sure this is going to be a long road for all of us but I really like this device so personally I will do what i can to help figure out how to unlock and root this thing.
As a single soul this could take months or even a year but with combined efforts of this community I think we can pull it off. We all have our strengths and if we combine them with your help and the help of others it might turn out to be quite easy.
Don't be fooled and believe that fastboot is removed from the bootloader. It is there im sure we just need to figure out how to access it.
On a good note I already have a method to overcome update.zip signing that I developed for the alcatel one touch fierce 2. When using the recovery to flash the phone things actually become simpler. I would expect though that the recovery image is signed as well meaning we dont simply have the ability to flash the recovery. Unless we can unlock the boot loader first.
In reality to do any of this we are going to need temp root. At this time i have no idea how were going to get that but if you can get temp root even just enough to pull a backup from the device that will be a huge step forward.
To do anything useful we need a device backup. Or a update.zip.
If you can find a way to copy the update from this device before it is installed that would be wonderful.
My device already updated so if you have a brand new device that is not updated let us know so we can get our hands on the update.
In the meantime ( Until we get some firmware to reverse engineer ) I will document all the data I can get and how to get it.
The very first thing we need is to know all of the partitions on the device. If I can get the full GPT Partition Table that would be best.
So without further adieu I will start this journey.
Some of my post will be fairly basic to some and very complex to others.
I'm going to start by seeing what all boot modes i can get into.
Then see what I can get with ADB without root permissions.
Map out the partition scheme, and see how much of the security scheme I can determine is in place. All the fun stuff like what files are signed, how the boot chain is verified. I have seen it before where overcoming the initial security mechanism opens up a whole world of possibilities.
Programmers get lazy and to save money if they think your blocked out of a vulnerable area period they may lax on harder to bypass security.
Ok after a day of research and some gleaning of info from my blade x max I have a direction to move in anyway.
The closest device and one of the only devices zte allowed unlocked is the ZTE axom7.
We can study the Axom7 and get some Ideas on what will work on the BladeXMax.
First fastboot is crippled initially.
But this is easily overcome by swapping a few bytes on the right partition.
Thats my theory anyway. I'm in the process of proving it.
After Fastboot receives its prosthetic Limb oem unlock is as simple as 1 command.
Once the bootloader is unlocked the device will allow for a unsigned TWRP to run.
Now of course we need to compile our own TWRP. And then we can root.
Obviously we need the ability to write to this fastboot partition.
And we need to be able to flash TWRP.
Without Root how???
Just like the axon 7. EDL mode.
ZTE seems EDL Mode Friendly.
And the flash programmer (Firehose) is not signed.
Miflash can write partitions on the zte devices.
The only issue right now is we need the files of of the Blade x max.
And the GPT partition table.
Seeing that axom7tool can backup partitions from the axon7 in edl mode.......
Knowing that miflash works.
One of us that knows the protocol of miflash ( saraha ??? )
Can write a tool for linux that uses the same protocol.
Once this tool exists we can backup all the partitions and the GPT without root.
Once i have the files from the blade it should be possible to edit the fastboot partition and un-cripple the Fastboot.
So if any of you know the guys that wrote the axon 7 tool he can help us with a tool.
Other than that were stuck writing the tool ourself.
On a good not the sahara protocol and other edl protocols are very well documented.
If you seriously want in this Blade this is the way to go.
Well my theory about fastboot is correct.
I guess its obvious that versions of the axon 7 fastboot would be different.
The unlocked and the locked fastboot.
I'm going to hexdump and diff all the fastboot images i can find but so far it looks like this.
It seems that ZTE has used the same fastboot partition for a while.
If you boot into recovery on the blade x max and view the recovery log. Last log
You will find a list of all the parttion names on our device.
system
cache
persist
data
sdcard
boot
recovery
misc
aboot
apdp
bluetooth
carrier
cdt
cmnlib
cmnlib64
cryptkey
DDR
devcfg
devcfgbak
devinfo
dip
dpo
dsp
echarge
fastboot
fbop
fingerid
fsc
fsg
hyp
keymaster
keystore
lksecapp
mdtp
modem
msadp
persistent
pmic
reserve
rpm
sbl1
sec
splash
ssd
sti
tz
xbl
xblbak
ztecfg
tmp
Yep you can see we have the fastboot partition.
But the fbop partition is an important important one.
If we look at the updater scripts of the firmware upgrade packages we see.
FROM Partition.xml
<data><program SECTOR_SIZE_IN_BYTES="4096" file_sector_offset="0" filename="fastboot.img" label="fbop" num_partition_sectors="32" partofsingleimage="false" physical_partition_number="0" readbackverify="false" size_in_KB="128.0" sparse="false" start_byte_hex="0x321a8000" start_sector="205224"/></data>
FROM Update Zip
getprop("ro.product.device") == "ailsa_ii" || abort("E3004: This package is for "ailsa_ii" devices; this is a "" + getprop("ro.product.device") + "".");
assert(getprop("ro.product.name") == "P996A01_N");
ui_print("Target: ZTE/P996A01_N/ailsa_ii:7.1.1/NMF26F/20170301.161705:user/release-keys");
show_progress(0.650000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
abort("E1001: Failed to update system image.");
show_progress(0.050000, 5);
package_extract_file("boot.img", "/dev/block/bootdevice/by-name/boot");
package_extract_file("ddr.img", "/dev/block/bootdevice/by-name/ddr");
package_extract_file("keymaster.mbn", "/dev/block/bootdevice/by-name/xblbak");
package_extract_file("lksecapp.mbn", "/dev/block/bootdevice/by-name/lksecapp");
package_extract_file("rpm.mbn", "/dev/block/bootdevice/by-name/rpm");
package_extract_file("tz.mbn", "/dev/block/bootdevice/by-name/tz");
package_extract_file("echarge.img", "/dev/block/bootdevice/by-name/echarge");
package_extract_file("mdtp.img", "/dev/block/bootdevice/by-name/mdtp");
package_extract_file("xbl.elf", "/dev/block/bootdevice/by-name/xbl");
package_extract_file("cmnlib64.mbn", "/dev/block/bootdevice/by-name/cmnlib64");
package_extract_file("adspso.bin", "/dev/block/bootdevice/by-name/dsp");
package_extract_file("recovery.img", "/dev/block/bootdevice/by-name/recovery");
package_extract_file("sec.dat", "/dev/block/bootdevice/by-name/sec");
package_extract_file("NON-HLOS.bin", "/dev/block/bootdevice/by-name/modem");
package_extract_file("pmic.elf", "/dev/block/bootdevice/by-name/pmic");
package_extract_file("devcfg.mbn", "/dev/block/bootdevice/by-name/devcfg");
package_extract_file("emmc_appsboot.mbn", "/dev/block/bootdevice/by-name/aboot");
package_extract_file("fastboot.img", "/dev/block/bootdevice/by-name/fbop");
package_extract_file("splash.img", "/dev/block/bootdevice/by-name/splash");
package_extract_file("hyp.mbn", "/dev/block/bootdevice/by-name/hyp");
package_extract_file("BTFM.bin", "/dev/block/bootdevice/by-name/bluetooth");
package_extract_file("cmnlib.mbn", "/dev/block/bootdevice/by-name/cmnlib");
show_progress(0.200000, 10);
show_progress(0.100000, 10);
format("ext4", "EMMC", "/dev/block/bootdevice/by-name/userdata", "0", "/data");
set_progress(1.000000);
Here we can conclude that the fastboot.img is flashed to the fob partition which is where the flags to enable the full fastboot commands. It's basically a security partition.
Is the Whole Partition different??
Is it just a few bytes difference??
Its actually not much and seeing that this identical partition has been used for several years
We can hope our fastboot image is the same or very similar. But remember it is the fob partition.
Here is the difference.
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/A2017U_FASTBOOT_UNLOCK_EDL/fastboot.img > /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt
[email protected]:~$ diff home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/stock/fbstock.txt
diff: home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt: No such file or directory
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/A2017U_FASTBOOT_UNLOCK_EDL/fastboot.img > /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt
[email protected]:~$ diff /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/stock/fbstock.txt
257c257
< 00001000 01 00 00 00 78 56 34 12 00 00 00 00 01 00 00 00 |....xV4.........|
---
> 00001000 00 00 00 00 78 56 34 12 00 00 00 00 00 00 00 00 |....xV4.........|
579,595c579,595
< 00002420 62 6f 6f 74 02 02 20 00 04 82 01 00 04 e0 4f a3 |boot.. .......O.|
< 00002430 b8 c0 79 df 98 9a ce 8b 47 ed f6 23 61 e8 3e 4d |..y.....G..#a.>M|
< 00002440 7a 43 fc 4b d4 39 60 c5 5a a6 96 ea c0 4d e2 52 |zC.K.9`.Z....M.R|
< 00002450 27 3e b6 d0 21 72 72 c8 59 03 44 90 ff 4a 86 3b |'>..!rr.Y.D..J.;|
< 00002460 29 2c 16 7a 04 2b 36 07 6f 8f 04 8e 35 7c f2 9f |),.z.+6.o...5|..|
< 00002470 cc 29 e5 0b 74 30 e9 0c ec cd 23 4b 19 84 c7 d1 |.)..t0....#K....|
< 00002480 f7 46 9b 7d dc 8b 6b bb 01 d3 f0 0a ab 96 ca 7e |.F.}..k........~|
< 00002490 a2 6e 91 6b d9 38 d6 d6 2e 4f 50 3e 2d 17 55 e3 |.n.k.8...OP>-.U.|
< 000024a0 e5 50 e4 1f dc 03 26 9e e9 22 19 dc 60 e1 0b a0 |.P....&.."..`...|
< 000024b0 b5 06 25 bd e4 08 24 4f 7b dd 42 29 82 55 06 84 |..%...$O{.B).U..|
< 000024c0 a1 5f d7 c1 99 3f 83 30 5d 10 59 5e 9d 2a 31 3f |._...?.0].Y^.*1?|
< 000024d0 f9 87 54 55 1e 82 40 68 5b c8 e4 18 98 80 d1 ec |[email protected][.......|
< 000024e0 df d7 01 d1 ec a5 a2 e4 c1 86 76 63 e0 82 13 35 |..........vc...5|
< 000024f0 61 30 63 d7 cd e8 21 33 73 e9 c4 93 ad 65 68 77 |a0c...!3s....ehw|
< 00002500 3e eb 3e 90 8a bb 8b 07 1b 26 ff d5 0d 37 a4 6c |>.>......&...7.l|
< 00002510 ec c6 69 30 dd 22 1b 9f 69 79 47 69 22 ba 9e c8 |..i0."..iyGi"...|
< 00002520 0c 23 96 f8 cf 66 74 74 11 98 d6 e4 |.#...ftt....|
---
> 00002420 62 6f 6f 74 02 02 20 00 04 82 01 00 a8 e0 dd 69 |boot.. ........i|
> 00002430 5b b2 47 12 bf 74 41 7a 00 37 a0 b8 10 15 d4 4e |[.G..tAz.7.....N|
> 00002440 a6 59 74 9b 7d a4 df 95 eb 3f 1a 29 1c 60 23 7c |.Yt.}....?.).`#||
> 00002450 91 37 2a 07 d3 e9 45 17 ac ac ab a9 ba b4 42 70 |.7*...E.......Bp|
> 00002460 46 5f 67 22 f7 37 1f de 46 f9 67 44 74 d7 26 42 |F_g".7..F.gDt.&B|
> 00002470 49 9c e8 ee 98 78 89 2b b2 1e c3 58 a8 d2 3a 7f |I....x.+...X..:.|
> 00002480 39 7d 22 09 c6 01 c5 0f 95 65 57 1e af 79 d9 d6 |9}"......eW..y..|
> 00002490 8d 99 84 4f 24 ff 55 b2 b0 20 07 00 39 e6 9a 27 |...O$.U.. ..9..'|
> 000024a0 a0 bc 97 dd 27 7d f2 a2 88 b6 b5 53 4a ba 7a 8e |....'}.....SJ.z.|
> 000024b0 65 98 f6 ef 4d 7e 2e 91 01 66 35 9e e1 da 15 c4 |e...M~...f5.....|
> 000024c0 fe a4 d2 26 a1 99 88 a3 55 2f ac 65 71 f8 5f 86 |...&....U/.eq._.|
> 000024d0 a7 79 f8 b5 61 b5 da 2c 7b 89 39 3b ff 45 a3 7f |.y..a..,{.9;.E..|
> 000024e0 dc 92 d5 4e 8b df 68 c0 e9 43 18 7b 60 5a 03 60 |...N..h..C.{`Z.`|
> 000024f0 18 da 96 84 e7 97 a7 09 a9 1a 2d b6 5b d3 d2 f6 |..........-.[...|
> 00002500 c8 33 a2 8f ef 32 5e 6a 45 39 66 b5 a6 a4 35 0f |.3...2^jE9f...5.|
> 00002510 03 0c 9d 57 79 28 43 09 9a 3e 7b 01 8c 6e 66 b2 |...Wy(C..>{..nf.|
> 00002520 1a f3 3d 92 d1 66 91 04 4a 3e 79 69 |..=..f..J>yi|
[email protected]:~$ hexdump -C -v /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fastboot.img > /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fbul2.txt
[email protected]:~$ diff /home/bigcountry907/Desktop/ZTE/FB-UL-EDL/fbunlck.txt /home/bigcountry907/Desktop/ZTE/Fastboot-UL/fbul2.txt
[email protected]:~$
There's definitely more to come but this is enough to think about for now.
Here are all the partition block sizes and labels for the blade x max
30535680 mmcblk0 EMMC CHIP
4096 mmcblk0p1
4096 mmcblk0p2
4096 mmcblk0p3
4096 mmcblk0p4
4096 mmcblk0p5
4096 mmcblk0p6
4096 mmcblk0p7
16384 mmcblk0p8
16384 mmcblk0p9
16384 mmcblk0p10
4096 mmcblk0p11
4096 mmcblk0p12
4096 mmcblk0p13
4096 mmcblk0p14
4096 mmcblk0p15
4096 mmcblk0p16
4096 mmcblk0p17
4096 mmcblk0p18
32768 mmcblk0p19
4096 mmcblk0p20
94208 mmcblk0p21
65536 mmcblk0p22
65536 mmcblk0p23
4096 mmcblk0p24
4096 mmcblk0p25
4096 mmcblk0p26
4096 mmcblk0p27
4096 mmcblk0p28
4096 mmcblk0p29
4096 mmcblk0p30
4096 mmcblk0p31
4096 mmcblk0p32
4096 mmcblk0p33
32768 mmcblk0p34
4096 mmcblk0p35
4096 mmcblk0p36
4096 mmcblk0p37
4096 mmcblk0p38
65536 mmcblk0p39
4096 mmcblk0p40
4096 mmcblk0p41
4096 mmcblk0p42
4096 mmcblk0p43
65536 mmcblk0p44
1048576 mmcblk0p45 cache
5242880 mmcblk0p46 system
23629807 mmcblk0p47 data
4096 mmcblk0rpmb
31166976 mmcblk1 SD CARD
31165935 mmcblk1p1 SD CARD Storage
Old codehead (emphasis on the "old"), and I have this device... unfortunately, it's been updated, so there's not a whole lot I could offer...
With an at least rudimentary how-to provided, though... as long as I can get the device back to square-one, if things go tits-up and it's necessary... bitter experience... not a few Cricket LG G Stylo paperweights at hand... I'l like to offer myself as an alpha-tester for whatever you find out...
Just bought this lovely new home in Albuquerque, and, until a few things settle down, don't have a lot of cash... but I'll offer mine as a test-bed of sorts...
I'm fascinated with the work you are doing, and I really dig this phone for pretty much every reason except Cricket's bullheadedness, and am looking forward to watching you work...
I'm also kinda horrified that, seeing your log dumps upthread, I could actually understand it... can take the boy out of the tech, but some things seem to be stuck in the little grey cells forever.... *chuckle*
My tech chops tended more towards xBASE and Delphi, and still do... was what I learned, along with COBOL and RPig...
Have been trying, over the past few years, to get some C++ and Java under my belt, but it's more important to me to finish my BA in the up coming spring semester, and do UNM School of Law... Renaissance man wanna-be here... *grin*
Just wondering, good madam or sir, what progress you've been able to do... I don't mean to push, as we all have lives away from this forum (at least I do hope so.. *smile*), but, as I love to learn, and now in my 60's, found my Java, C and C++ texts, have downloaded and installed all my preferred tools, and would just really dig seeing some journaling of your progress on this rather fascinating device... more internal RAM than I would have ever expected on a smart phone, and, as such, space is not at such a premium that I'm required to use Apps2SD Pro (although I paid for it), Titanium (although I paid for it), but just damn...
I'm disgusted that Cricket would be so paranoid against their paying customers that they insist on absolute control... just damn...
Sorry... woolgathering on a Friday afternoon, while installing other dev tools... <smile>
Firmware update downloaded
My phone has the firmware downloaded please let me know if there is a way to pull it for R&D
---------- Post added at 03:31 AM ---------- Previous post was at 02:55 AM ----------
This phone just force installed nevermind
Update not installed
I have the update downloaded but not installed. The phone is trying to force update but it can't because my battery is too low, I'll try and leave it that way. Do we have a way to find and extract the update?
Scratch that. Force install starts at 20% battery or so. Accidently over charged haha.
We need to post the way to pull the update
We need to post a way to extract the update so that the next person who has it but it is not installed can pull it for us any help from more experienced individuals would be greatly appreciated
Update ready to dl
Any ideas how to pull it from the phone
If you have an update.zip signing bypass, I could leverage that to get a dump of the partition table.
Z983 Root Method Development
Hello world of XDA,
We want to root this device. Yes? Well, as of right now, 01-27-2018, there is no working method available on the internet. We have to do this ourselves. Ive rooted literally hundereds of phones, but this one, Crickets down played version of the Blade Zmax, re-dubbed Blade XMax Z983..
First, we need the boot loader. I am willing to team up with some people, to make this happen. Any takers?
Has anyone been able to get the last update files, about a week ago i think, off the phone before applying the update. If anyone has those we may be in business, at least further along than we were. That last update was a decent size update, and if it had anything to do with the spectre/meldown patch, that update would have had the partition layout, how the bootloader has been hidden and so on and so fourth. So if anyone was able to grab the update please post here, as the thread creator and a few others seem to know what to do from there.
Can I start by modifying tye system UI apk?
Hey so I've got this device and it's FRP locked. If anybody is willing to work on this still these days (for root, frp, various unlocks, etc) then let's make it happen. Can't say for sure if I'll have the device for very long, but I'm definitely down to try while I have it. Lmk if there's anything I can do to help the progress.
dammi.forza0910 said:
Hello world of XDA,
We want to root this device. Yes? Well, as of right now, 01-27-2018, there is no working method available on the internet. We have to do this ourselves. Ive rooted literally hundereds of phones, but this one, Crickets down played version of the Blade Zmax, re-dubbed Blade XMax Z983..
First, we need the boot loader. I am willing to team up with some people, to make this happen. Any takers?
Click to expand...
Click to collapse
You know how bad I wish I could take you up on this? I just don't have the experience or the knowledge. I'd love to learn but I don't even know where to start.
Okay, so I have successfully copied the boot animation.zip and have attatched it as proof. I believe, i can actuall copy the firmware because I found the file locatiom after an exhausting amount of trial and error with different approaches. Usong Debian (wheezy) ,and a combination of file explores, and modifying apk's through luck patcher, I was able to view the device tree and so on. Anybody willing to guide me to the next step?
Z983 Firmware .img files found and uploaded
Okay, I found the firmware files and when I moved them to my external SD card, they combined automatically and was labled update.zip. This is it guys, help me!
Device Tree
Can anyone let me know if this is helping, or if everyone gave up....?
dammi.forza0910 said:
Okay, I found the firmware files and when I moved them to my external SD card, they combined automatically and was labled update.zip. This is it guys, help me!
Click to expand...
Click to collapse
Downloading the files when I get off work and will look at them as best I can, maybe we can get the bootloader to show up in the recovery, Cricket did something to the flags that bypasses the bootloader, maybe we can reflag and get it to show up again. Good work, hopefully some progress can be made now.