03 April, 2017

Restoring MTK-based phones from an SP Flash Tool Readback image

It is very easy to back up an MTK-based phone with SP Flash Tool, but restoring is not so easy. For older chip versions MTKDroidTools did this automatically, but it no longer works with newer ones. Keep reading to learn how to create a flashable image from the backup you made with SP Flash Tool.
Backing up the phone with SP Flash Tool is simple: you read back the boot1, boot2 and user MMC partitions to separate files, and all your data is then stored in these 3 files. Recovering is harder, because SP Flash Tool requires the firmware to be split into one file per Android partition, each converted to a special format.

I have done all my tests with a Lenovo P-70A, which has a Mediatek MT6752 chipset. Everything written here works with that phone, but may not be valid for other phone types.

Getting to know what to back up

To decide what to back up, you need to know the internal memory sizes. To determine them, start SP Flash Tool, select memory test, untick everything except RAM Test and click the start button. Now connect the switched-off phone and you will get a list of the installed memory. For the Lenovo P-70A you get this:

============ Memory Detection Report ===========
Internal RAM:

External RAM:
 Type = DRAM
 Size = 0x80000000 (2048MB/16384Mb)

NAND Flash:
 ERROR: NAND Flash was not detected!

EMMC: 
  EMMC_PART_BOOT1  Size = 0x0000000000400000(4MB)
  EMMC_PART_BOOT2  Size = 0x0000000000400000(4MB)
  EMMC_PART_RPMB  Size = 0x0000000000400000(4MB)
  EMMC_PART_GP1   Size = 0x0000000000000000(0MB)
  EMMC_PART_GP2   Size = 0x0000000000000000(0MB)
  EMMC_PART_GP3   Size = 0x0000000000000000(0MB)
  EMMC_PART_GP4   Size = 0x0000000000000000(0MB)
  EMMC_PART_USER  Size = 0x00000003a3e00000(14910MB)

UFS: 
 ERROR: UFS was not detected!

From this you can see that the boot areas are 0x400000 bytes each and the user data section is 0x3a3e00000 bytes, so these are the areas to select when you do the Readback backup.

Linux environment for working with Firmware images

To manage the image files we need a Linux operating system; personally I used Ubuntu 14.04 Server. I copied the files to the Linux machine with Samba, did the manipulation on the command line, and used Samba again to get the files back. You can also use a live Linux image, and you can use WinSCP to transfer files to your Linux machine if you do not want to bother with setting up Samba.

Getting/creating the scatter file

For the P-70 I did not have to create the scatter file manually; I could download a suitable one from the internet. If you need to make one yourself, you can use the following procedure:
  1. To get the actual partition layout load your backed up user partition to the parted program in Linux
  2. List the partitions to see how your firmware is structured
Here you can see a sample output for P-70A, where User is the file name of the saved USER area.

laco@boss:/media/hd/Adatok/laco/1704$ parted User
WARNING: You are not superuser.  Watch out for permissions.
GNU Parted 2.3
Using /media/hd/Adatok/laco/1704/User
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print
Warning: Not all of the space available to /media/hd/Adatok/laco/1704/User
appears to be used, you can fix the GPT to use all of the space (an extra 991
blocks) or continue with the current setting?
Fix/Ignore? i
Model:  (file)
Disk /media/hd/Adatok/laco/1704/User: 15.6GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start   End     Size    File system  Name       Flags
 1      524kB   3670kB  3146kB               proinfo    msftdata
 2      3670kB  8913kB  5243kB               nvram      msftdata
 3      8913kB  19.4MB  10.5MB  ext4         protect1   msftdata
 4      19.4MB  29.9MB  10.5MB  ext4         protect2   msftdata
 5      29.9MB  30.1MB  262kB                seccfg     msftdata
 6      30.1MB  30.5MB  393kB                lk         msftdata
 7      30.5MB  47.3MB  16.8MB               boot       msftdata
 8      47.3MB  64.1MB  16.8MB               recovery   msftdata
 9      64.1MB  70.4MB  6291kB               secro      msftdata
10      70.4MB  70.9MB  524kB                para       msftdata
11      70.9MB  79.3MB  8389kB               logo       msftdata
12      79.3MB  89.8MB  10.5MB               expdb      msftdata
13      89.8MB  95.0MB  5243kB               tee1       msftdata
14      95.0MB  100MB   5243kB               tee2       msftdata
15      100MB   134MB   33.9MB               metadata   msftdata
16      134MB   2282MB  2147MB  ext4         system     msftdata
17      2282MB  2726MB  445MB   ext4         cache      msftdata
18      2726MB  15.6GB  12.9GB  ext4         userdata   msftdata
19      15.6GB  15.6GB  16.8MB               flashinfo  msftdata

(parted) unit b
(parted) print
Model:  (file)
Disk /media/hd/Adatok/laco/1704/User: 15634268160B
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start         End           Size          File system  Name       Flags
 1      524288B       3670015B      3145728B                   proinfo    msftdata
 2      3670016B      8912895B      5242880B                   nvram      msftdata
 3      8912896B      19398655B     10485760B     ext4         protect1   msftdata
 4      19398656B     29884415B     10485760B     ext4         protect2   msftdata
 5      29884416B     30146559B     262144B                    seccfg     msftdata
 6      30146560B     30539775B     393216B                    lk         msftdata
 7      30539776B     47316991B     16777216B                  boot       msftdata
 8      47316992B     64094207B     16777216B                  recovery   msftdata
 9      64094208B     70385663B     6291456B                   secro      msftdata
10      70385664B     70909951B     524288B                    para       msftdata
11      70909952B     79298559B     8388608B                   logo       msftdata
12      79298560B     89784319B     10485760B                  expdb      msftdata
13      89784320B     95027199B     5242880B                   tee1       msftdata
14      95027200B     100270079B    5242880B                   tee2       msftdata
15      100270080B    134217727B    33947648B                  metadata   msftdata
16      134217728B    2281701375B   2147483648B   ext4         system     msftdata
17      2281701376B   2726297599B   444596224B    ext4         cache      msftdata
18      2726297600B   15616966655B  12890669056B  ext4         userdata   msftdata
19      15616966656B  15633743871B  16777216B                  flashinfo  msftdata

(parted)


As you can see, I changed the units to bytes, to be able to exactly see the partition sizes.

This is an example entry in the scatter file; you have to customize every entry to correspond to your ROM:

- partition_index: SYS17
  partition_name: system
  file_name: system.img
  is_download: true
  type: EXT4_IMG
  linear_start_addr: 0x8000000
  physical_start_addr: 0x8000000
  partition_size: 0x80000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00
  1. Partition index is just auto incremented
  2. Partition name, you can get from the parted dump
  3. File name, use whatever you like
  4. Is download, set to true, if you would like to update this part of the ROM with your file
  5. You can adjust the partition type:  EXT4_IMG - sparse ext4 filesystem, SV5_BL_BIN - bootloader, NORMAL_ROM - binary partition.
  6. Change the memory start addr values to correspond to your ROM layout, from the parted listing
  7. Region is always EMMC_USER, except for the bootloader
  8. Storage is always HW_STORAGE_EMMC
  9. Set operation type to one of the following: BOOTLOADERS, UPDATE, BINREGION, INVISIBLE, PROTECTED, RESERVED (I do not know all the meanings; UPDATE is what you normally download to the ROM, BOOTLOADERS is the bootloader, BINREGION is the NVRAM, the rest are somehow hidden/protected).
  10. The boundary_check, is_reserved and reserve values should not be changed (in my scatter file, is_reserved is only set for the flashinfo and sgpt partitions).
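
The start address and size fields can be derived from the parted byte listing rather than converted by hand. The following is an added example, not part of the original post: it parses the `unit b` rows (assuming the column layout shown above, with a non-empty Flags column), rejects rows whose arithmetic, alignment or ordering is inconsistent, and returns the hex values. The function names are made up for illustration.

```python
# Added example: derive scatter-file address fields from a parted byte listing.
# Assumed row layout (as on this page): number, start, end, size,
# optional file system, name, flags.

# Three rows copied from the `unit b` listing above (a subset, for brevity).
PARTED_ROWS = """\
 2      3670016B      8912895B      5242880B                   nvram      msftdata
 7      30539776B     47316991B     16777216B                  boot       msftdata
16      134217728B    2281701375B   2147483648B   ext4         system     msftdata
"""

SECTOR = 512  # logical sector size reported by parted for this image


def parse_parted(text):
    """Return the partitions in the listing, validating each row."""
    parts = []
    for line in text.splitlines():
        f = line.split()
        # Keep only table rows: a partition number followed by byte values.
        if len(f) < 6 or not f[0].isdigit() or not f[1].endswith("B"):
            continue
        start, end, size = (int(v.rstrip("B")) for v in f[1:4])
        if end - start + 1 != size:
            raise ValueError(f"partition {f[0]}: size does not match start/end")
        if start % SECTOR or size % SECTOR:
            raise ValueError(f"partition {f[0]}: not sector aligned")
        if parts and start <= parts[-1]["end"]:
            raise ValueError(f"partition {f[0]}: overlaps the previous one")
        parts.append({"number": int(f[0]), "name": f[-2],
                      "start": start, "end": end, "size": size})
    return parts


def scatter_fields(part):
    """Hex strings for the address fields of one scatter entry.

    Both start addresses get the same value, as in the sample entry above.
    """
    return {
        "partition_name": part["name"],
        "linear_start_addr": hex(part["start"]),
        "physical_start_addr": hex(part["start"]),
        "partition_size": hex(part["size"]),
    }


if __name__ == "__main__":
    for p in parse_parted(PARTED_ROWS):
        print(scatter_fields(p))
```

For the system row this gives 0x8000000 and 0x80000000, the values used in the sample scatter entry above.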

Partition types and converting them

As we saw above, there are 3 different partition types, which are handled differently.

SV5_BL_BIN

The SV5_BL_BIN bootloader is in the boot1 file, and you need to cut off the first 2048 bytes of the backup file to get the downloadable version. In Linux you can do this:

dd bs=512 skip=4 if=Boot1 of=preboot.img

NORMAL_ROM

A NORMAL_ROM file is a binary image of a partition. To get these images, map the partitions of the whole User file with the following Linux command:

sudo kpartx -a -v User

After this, the partitions listed by the parted command will be available at /dev/mapper/loop0p1 to /dev/mapper/loop0p19.

To get the nvram, for example, enter the following command:

sudo dd if=/dev/mapper/loop0p2 of=nvram.img

This will copy the contents of the 2nd (nvram) partition to nvram.img in the current folder.

You need to do this kind of copy for the following partitions: 6 - lk, 7 - boot, 8 - recovery, 9 - secro, 11 - logo, 13 - tee1, 14 - tee2

EXT4_IMG

Ext4 sparse images are specially compressed ext4 images. After mapping the partitions you can create them the following way:

sudo ext2simg -v /dev/mapper/loop0p16 system.img


You need to do this for the following partitions: 16 - system, 17 - cache, 18 - userdata.

Not needed partitions

From the original P-70A scatter file it seems that the following partitions are not needed for ROM upgrade: proinfo, protect1, protect2, seccfg, para, expdb, metadata, flashinfo

Putting everything together

When you have your scatter file and all your partition files, check that the file names are correct. The only thing that remains is to launch SP Flash Tool and download the new image you have created.

Adding checksums

To round off the work you can add a Checksum.ini file. If it exists, SP Flash Tool checks the firmware files against its contents, to avoid download errors. The checksum is a simple 16-bit checksum and CheckSum_V2 is a 128-bit MD5 hash; you can calculate them with, for example, Hex Workshop. Get hold of a sample Checksum.ini to get started.

Installing needed programs on Ubuntu

You can quickly install the needed kpartx with:

sudo apt-get install kpartx

and ext2simg with:

sudo apt-get install android-tools-fsutils




