Custom Firmware on Lenovo P70A
I have been using my Lenovo P70A for almost one year until now, but recently I get more and more feedback from my partners, that they do not hear what I am saying, when we are talking over the phone. This is some kind of audio problem of the phone, so I thought that this can be fixed by upgrading the firmware of the phone, so I started to experiment with custom firmware. In this blog I explain all the details of upgrading firmware, making backup of your actual firmware and data, and about the tools related to the firmware upgrading.
This is an old post, not fully verified, use it at your own risk.
This post is divided into 3 parts, the first is a longer description about the firmware and the theory of upgrading, the second is a practical guide on how to do it and the third is a list of useful external links.
General information about flashing
Before you begin be aware that the custom ROMs that you download from the web are a potential security risk, because you never know if somebody has put anything malicious in the firmware. So if you do a nice firmware update, an a bit later all your creditcard numbers are stolen, do not blame me for it.
In addition I copy the CyanogenMod custom ROM disclaimer, I have not written it, but it is funny and I agree with it :-)
In addition to this I am not responsible if your girlfriend is leaving you, because you spend more time with your phone than with her.
Now back to flashing custom firmware.
General information about P-70 firmware and ROM layout.
As you probably know P-70 is a very powerful computer, which instead of a hard disk or an SSD drive uses its internal ROM to store its operating system and user data.
The built in ROM is divided into 4 majors parts:
When we are doing firmware updates then actually we are replacing the contents of some parts of the ROM or some partitions on the User Area.
How can we write the partitions
In this guide we will do the firmware upgrade in 3 steps
Security backup with SP_Flash_Tool
Before you begin to do anything it is a good idea to do a full backup of your phone. This backup is easy to do, but not so easy to restore, but it has the complete ROM of your phone and if later anything gets wrong. helps you restore your phone.
Downloading and installing SP Flash Tool
First download the USB drivers and the SP Flash tools from this links.
Install the USB drivers, you may need to enable show hidden devices in Device Manager and you may need to enable installing non signed drivers. (Here is one link on how to install SP Flash Tool).
Unzip the SP Flash Tool and start the flash_tool.exe. On the Download tab select a scatter file corresponding to your phone firmware version. Then go to the Readback tab and click add, then doubleclick on the new line added. First you need to add the file name, then the ROM region and ROM address. Set up 3 regions to save according to the following list:
After doing all this backups, we are ready to install any new custom firmware, and we can start with the Cyanogen 12.1, which is a 2016 February ROM repackaged for easy install. You can download it from here.
The installation is very straightforward:
If during download you get an error message: "PMT changed for the ROM; it must be downloaded" then select the alternate scatter file from the ROM directory.
Useful links:
NeedROM Lenovo P70A section
LenovoRoot P70A ROMS
AndroidMTK ROM Flashing
This is an old post, not fully verified, use it at your own risk.
This post is divided into 3 parts, the first is a longer description about the firmware and the theory of upgrading, the second is a practical guide on how to do it and the third is a list of useful external links.
General information about flashing
Before you begin be aware that the custom ROMs that you download from the web are a potential security risk, because you never know if somebody has put anything malicious in the firmware. So if you do a nice firmware update, an a bit later all your creditcard numbers are stolen, do not blame me for it.
In addition I copy the CyanogenMod custom ROM disclaimer, I have not written it, but it is funny and I agree with it :-)
#include/* * Your warranty is now void. * * I am not responsible for bricked devices, dead SD cards, * thermonuclear war, or you getting fired because the alarm app failed. Please * do some research if you have any concerns about features included in this ROM * before flashing it! YOU are choosing to make these modifications, and if * you point the finger at me for messing up your device, I will laugh at you. */
In addition to this I am not responsible if your girlfriend is leaving you, because you spend more time with your phone than with her.
Now back to flashing custom firmware.
General information about P-70 firmware and ROM layout.
As you probably know P-70 is a very powerful computer, which instead of a hard disk or an SSD drive uses its internal ROM to store its operating system and user data.
The built in ROM is divided into 4 majors parts:
| Name | Size (hex) | Size (dec) |
| Boot1 | 0x400000 | 4 194 304 |
| Boot2 | 0x400000 | 4 194 304 |
| RPMB | 0x400000 | 4 194 304 |
| User (UA) | 0x3a3e00000 | 15 634 268 160 |
| Total: | 15 646 851 072 |
As you can see the built in ROM is not 16 Gigabyte as stated in the specification but only 15,65 Gigs.
Back to the point, boot1 is where the boot normal loader is located, boot2 and RPMB (Replay Protected Memory Block) I do not know what are they used for and the User Area is where the actual firmware is located.
The UA is again divided into a lot of partitions. The UA has a standard GPT type partition table, and the contents for the official S139 Lollipop ROM is the following:
Disk /media/ROM20170208: 15.6GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 524kB 3670kB 3146kB proinfo msftdata
2 3670kB 8913kB 5243kB nvram msftdata
3 8913kB 19.4MB 10.5MB ext4 protect1 msftdata
4 19.4MB 29.9MB 10.5MB ext4 protect2 msftdata
5 29.9MB 30.1MB 262kB seccfg msftdata
6 30.1MB 30.5MB 393kB lk msftdata
7 30.5MB 47.3MB 16.8MB boot msftdata
8 47.3MB 64.1MB 16.8MB recovery msftdata
9 64.1MB 70.4MB 6291kB secro msftdata
10 70.4MB 70.9MB 524kB para msftdata
11 70.9MB 79.3MB 8389kB logo msftdata
12 79.3MB 89.8MB 10.5MB expdb msftdata
13 89.8MB 95.0MB 5243kB tee1 msftdata
14 95.0MB 100MB 5243kB tee2 msftdata
15 100MB 134MB 33.9MB metadata msftdata
16 134MB 2282MB 2147MB ext4 system msftdata
17 2282MB 2458MB 176MB ext4 cache msftdata
18 2458MB 15.6GB 13.2GB ext4 userdata msftdata
19 15.6GB 15.6GB 16.8MB flashinfo msftdata
1 524kB 3670kB 3146kB proinfo msftdata
2 3670kB 8913kB 5243kB nvram msftdata
3 8913kB 19.4MB 10.5MB ext4 protect1 msftdata
4 19.4MB 29.9MB 10.5MB ext4 protect2 msftdata
5 29.9MB 30.1MB 262kB seccfg msftdata
6 30.1MB 30.5MB 393kB lk msftdata
7 30.5MB 47.3MB 16.8MB boot msftdata
8 47.3MB 64.1MB 16.8MB recovery msftdata
9 64.1MB 70.4MB 6291kB secro msftdata
10 70.4MB 70.9MB 524kB para msftdata
11 70.9MB 79.3MB 8389kB logo msftdata
12 79.3MB 89.8MB 10.5MB expdb msftdata
13 89.8MB 95.0MB 5243kB tee1 msftdata
14 95.0MB 100MB 5243kB tee2 msftdata
15 100MB 134MB 33.9MB metadata msftdata
16 134MB 2282MB 2147MB ext4 system msftdata
17 2282MB 2458MB 176MB ext4 cache msftdata
18 2458MB 15.6GB 13.2GB ext4 userdata msftdata
19 15.6GB 15.6GB 16.8MB flashinfo msftdata
From this partitions the system is where the operating system is stored, the userdata is where the user data is stored, nvram stores the general settings for your phone.
When we are doing firmware updates then actually we are replacing the contents of some parts of the ROM or some partitions on the User Area.
How can we write the partitions
There are 4 basic methods to write the partitions.
SP_Flash_Tool
This is an official MediaTek tool, to flash devices based on MediaTek chips. It can be run from a Windows computer and can save the contents of the ROM to hard disk or flash firmware from computer to the ROM. It has some additional functions, use it with care as you can damage your phone with it.
The advantage of the Flash Tool is that it is working with the phone independently of what SW it has on it. If you upload a bad firmware and your phone doesn't start, with the Flash Tool you can flash a new firmware to it and recover it.
In this guide we will mostly use this method to flash firmware to the phone.
In this guide we will mostly use this method to flash firmware to the phone.
Flashing from custom Recovery Images
Android phones have a recovery system on them, which is actually stored in the recovery partition. The official recovery system is not very useful for normal users but you can flash for example the custom built TWRP recovery, which has a graphical interface and it can install firmware and additional programs, make backups of your system and all kind of other useful things.
Flashing with android applications
There are some android applications which allow you to flash ROMS from an application, if you have already rooted your phone.
Flashing from the command line
Android is a version of linux, so there are possibilities to use it from the command line. If you have rooted your phone then either trough an USB connection to your phone with adb shell or with some helper application trough the network you can access the commend line and you can read or write the partitions in the ROM. Actually the Recovery images are also providing adb shell command line access, so you can use there the command line without risking that the filesystem is modified by android, while you are copying the partitions.
Data formats for SP_Flash_Tool and Recovery
Flash tool data formats
The Flash tool needs a so called scatter file, which is basically a text file describing the position of the partitions for a given firmware, and the files which has to be flashed to that partition. The same phone can have more different scatter files, in the P70A for example the Lollipop firmware has a different partition layout than the Kitkat one.
Now let's check one partition entry in the scatter file:
- partition_index: SYS17
partition_name: system
file_name: system.img
is_download: true
type: EXT4_IMG
linear_start_addr: 0x8000000
physical_start_addr: 0x8000000
partition_size: 0x80000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
As we can see there are plenty of options to set, most importantly the storage and region used (for P70A storage is always HW_STORAGE_EMMC). If you give a file name, then it will be offered to download. The type can be EXT4_IMG - sparse ext4 filesystem, SV5_BL_BIN - bootloader, NORMAL_ROM - binary partition.
You can edit the content of the file with a text editor. I have found two tools claiming to be able to handle scatter files, but none of them worked for me for the P70A Scatter File Editor or Scatter File Analyzer.
If you look into the ROM layout for the Lolipop and Kitkat versions, the difference is the cache partition size. In the Kitkat version the size is 0xA800000 (approximately 170 Mbytes) in the Lolipop case it is 0x1A80000, this is approximately 440 Mbytes. When you are using the SP_FLash_Tool if you try to flash firmware with a scatter file containing different partition layout than what is in your phones the flash tool gives error: "PMT changed for the ROM; it must be downloaded." This means that the Partition Master Table is not suiting your scatter file. You can solve this by selecting "Format All + Download", but in this case you are losing also the NVRAM portion of your ROM which contains critical information, for example the IMEI numbers of your phone. This means that select "Format All + Download" only if you have backed up your NVRAM.
The actual format of the image files can be of 3 different types:
SV5_BL_BIN: preloader binary format, it is actually the part of the loader starting from 0x800. If you are doing a Readback backup of the EMMC_BOOT1, you should cut the first 2048 bytes from the image.
NORMAL_ROM: this is simply the binary image of the partition
EXT4_IMG: Sparse ext4 image of the partition.
In the firmware folder there can be a Checksum.ini file, if it exists SP_Flash_Tool checks the firmware files against it's contents. The checksum is a simple 16 bit checksum, the CheckSum_V2 is a 128 bit MD5 has, can calculate it for example with Hex Workshop. Or you can delete the Checksum.ini file if you do not want to bother with this.
TWRP Backup data formats
When you are backing up your phone TWRP is doing its backup in several files with the extension WIN. The actual format of the WIN file depends on the type of the partition, for ext4 filesystems it is creating simple tar.gz files, split up in parts to honor the 4 Gbyte limit of FAT formatted SD cards. For other partition types it is a plain partition dump.
ZIP firmware update format
The ZIP image format is a format, what can be installed with TWRP. In this format in the ZIP file there are files or partitions images to install and also a script file, which tells how to install the firmware. In the ZIP file, in the directory /META-INF/com/google/android there is a file called updater-script, this has the instructions for installing the data.
Here you can find a tutorial on how to make your own update.zip.
And here is a complete list of commands available.
Practical guide to install custom firmwareFlash tool data formats
The Flash tool needs a so called scatter file, which is basically a text file describing the position of the partitions for a given firmware, and the files which has to be flashed to that partition. The same phone can have more different scatter files, in the P70A for example the Lollipop firmware has a different partition layout than the Kitkat one.
Now let's check one partition entry in the scatter file:
- partition_index: SYS17
partition_name: system
file_name: system.img
is_download: true
type: EXT4_IMG
linear_start_addr: 0x8000000
physical_start_addr: 0x8000000
partition_size: 0x80000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
As we can see there are plenty of options to set, most importantly the storage and region used (for P70A storage is always HW_STORAGE_EMMC). If you give a file name, then it will be offered to download. The type can be EXT4_IMG - sparse ext4 filesystem, SV5_BL_BIN - bootloader, NORMAL_ROM - binary partition.
You can edit the content of the file with a text editor. I have found two tools claiming to be able to handle scatter files, but none of them worked for me for the P70A Scatter File Editor or Scatter File Analyzer.
If you look into the ROM layout for the Lolipop and Kitkat versions, the difference is the cache partition size. In the Kitkat version the size is 0xA800000 (approximately 170 Mbytes) in the Lolipop case it is 0x1A80000, this is approximately 440 Mbytes. When you are using the SP_FLash_Tool if you try to flash firmware with a scatter file containing different partition layout than what is in your phones the flash tool gives error: "PMT changed for the ROM; it must be downloaded." This means that the Partition Master Table is not suiting your scatter file. You can solve this by selecting "Format All + Download", but in this case you are losing also the NVRAM portion of your ROM which contains critical information, for example the IMEI numbers of your phone. This means that select "Format All + Download" only if you have backed up your NVRAM.
The actual format of the image files can be of 3 different types:
SV5_BL_BIN: preloader binary format, it is actually the part of the loader starting from 0x800. If you are doing a Readback backup of the EMMC_BOOT1, you should cut the first 2048 bytes from the image.
NORMAL_ROM: this is simply the binary image of the partition
EXT4_IMG: Sparse ext4 image of the partition.
In the firmware folder there can be a Checksum.ini file, if it exists SP_Flash_Tool checks the firmware files against it's contents. The checksum is a simple 16 bit checksum, the CheckSum_V2 is a 128 bit MD5 has, can calculate it for example with Hex Workshop. Or you can delete the Checksum.ini file if you do not want to bother with this.
TWRP Backup data formats
When you are backing up your phone TWRP is doing its backup in several files with the extension WIN. The actual format of the WIN file depends on the type of the partition, for ext4 filesystems it is creating simple tar.gz files, split up in parts to honor the 4 Gbyte limit of FAT formatted SD cards. For other partition types it is a plain partition dump.
ZIP firmware update format
The ZIP image format is a format, what can be installed with TWRP. In this format in the ZIP file there are files or partitions images to install and also a script file, which tells how to install the firmware. In the ZIP file, in the directory /META-INF/com/google/android there is a file called updater-script, this has the instructions for installing the data.
Here you can find a tutorial on how to make your own update.zip.
And here is a complete list of commands available.
In this guide we will do the firmware upgrade in 3 steps
- Do a full backup of the phone with SP_Flash_Tool
- Install TWRP and do a backup again with TWRP
- Install the actual custom firmware
Security backup with SP_Flash_Tool
Before you begin to do anything it is a good idea to do a full backup of your phone. This backup is easy to do, but not so easy to restore, but it has the complete ROM of your phone and if later anything gets wrong. helps you restore your phone.
Downloading and installing SP Flash Tool
First download the USB drivers and the SP Flash tools from this links.
Install the USB drivers, you may need to enable show hidden devices in Device Manager and you may need to enable installing non signed drivers. (Here is one link on how to install SP Flash Tool).
Unzip the SP Flash Tool and start the flash_tool.exe. On the Download tab select a scatter file corresponding to your phone firmware version. Then go to the Readback tab and click add, then doubleclick on the new line added. First you need to add the file name, then the ROM region and ROM address. Set up 3 regions to save according to the following list:
- EMMC_BOOT1 0x0000000000 0x000400000 - boot1
- EMMC_BOOT2 0x0000000000 0x000400000 - boot2
- EMMC_USER 0x0000000000 0x3a3e00000 - user
Press the ReadBack button and connect your switched off phone to the computer with an USB cable. If everything is working then after some seconds the SP flash tool starts to read the contents of the ROM and saves to the computer. This process takes about 40 minutes.
Install TWRP
There are 32bit and 64 bit versions of TWRP and you should always use the one, which corresponds to your firmware. To install it, start SP_Flash_Tool and select the scatter file corresponding to your actual ROM layout, (don't worry, if you select a wrong one you just get the error message "PMT changed for the ROM; it must be downloaded", if you get this message just select the other scatter file) , then select click on the recovery line in SP_Flash_Tool and select the TWRP version corresponding to your firmware (here again you don't need to worry, if the selected recovery won't start, just teh same way install the other). When done with this, press donwload and connect the switched off phone to your computer.
If flashing went Ok, then press and the volume up button on the phone, and switch it on until you see a selection menu, where you can select to start the recovery mode.
A guide on how to use the TWRP can be found here.
Based on that guide, back up you ROM again to an SD card, and pay special attention to backing up the NVRAM part.
Install custom firmware
After doing all this backups, we are ready to install any new custom firmware, and we can start with the Cyanogen 12.1, which is a 2016 February ROM repackaged for easy install. You can download it from here.
The installation is very straightforward:
- download the ROM
- unzip it
- start SP_Flash_Tool
- load the scatter file from the downloaded ROM directory
- press download button
- connect the switched of phone
After successful download just switch on the phone and you have it.
If during download you get an error message: "PMT changed for the ROM; it must be downloaded" then select the alternate scatter file from the ROM directory.
Useful links:
NeedROM Lenovo P70A section
LenovoRoot P70A ROMS
AndroidMTK ROM Flashing
Comments