Thursday, April 19, 2012

Creating a ROM dump of your MT65x3 device

Well, I have decided to create this tutorial for those that wish to create a backup of the stock ROM installed on their MT65x3 based smartphones. This is actually the only working method for non-rooted phones.

I assume that you are already familiar with SP Flash Tool, but if not, just read my MT65x3 flashing tutorial.

First of all, you have to know the MTD partition table of your device. If you already have ADB installed on your computer, launch a Command Prompt / Terminal window on your computer and enter the following commands:

adb shell
cat /proc/mtd

The result should be something like this (please note that it can be different on your phone):


Copy the output into a file named firmware.info or alternatively, simply run the following commands to create that file on your SD card:

adb shell
cat /proc/mtd > /sdcard/firmware.info

After that, use MT65xx ROM Studio (thanks to linerty) to load firmware.info and generate the corresponding scatter file that will be needed for SP Flash Tool.


Make sure that the latest MT65x3 USB VCOM drivers are installed, open SP Flash Tool and enable USB Mode under the Options tab.


Load the previously generated scatter file (MT6573_Android_scatter.txt) and ignore any message that may appear.


It can be noticed that every partition has its start address. Using a hexadecimal calculator you can easily determine the size of each partition: subtract the partition's start address from the start address of the next partition. For example, let's say that you wish to back up the boot image (BOOTIMG partition): since it begins at 0x00480000 and the next partition begins at 0x00A80000, the partition size is 0x00600000.
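The start-address and length calculation described above, as an added example that is not part of the original tutorial and is not MT65xx ROM Studio's code. The /proc/mtd sample is constructed, the function names are hypothetical, and it assumes the partitions are contiguous with mtd0 at address 0x0; the last function checks that a read-back file is exactly as long as its partition.

```python
import re

# Constructed sample of `cat /proc/mtd` output (illustrative, not from a real phone).
SAMPLE_PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00040000 00020000 "preloader"
mtd1: 000c0000 00020000 "dsp_bl"
mtd2: 00300000 00020000 "nvram"
mtd3: 00020000 00020000 "seccnf"
mtd4: 00060000 00020000 "uboot"
mtd5: 00600000 00020000 "boot"
mtd6: 00600000 00020000 "recovery"
'''

ENTRY = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


def parse_proc_mtd(text):
    """Return [(name, size, erasesize)] in mtdN order; the file gives sizes in hex."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())  # strip() also removes the \r adb adds on Windows
        if m:
            rows.append((int(m.group(1)), m.group(4),
                         int(m.group(2), 16), int(m.group(3), 16)))
    if not rows:
        # Header only: the device exposes no MTD table (e.g. eMMC-based phones).
        raise ValueError("no MTD partitions listed")
    return [(name, size, erase) for _, name, size, erase in sorted(rows)]


def readback_table(parts):
    """Map name -> (start, length).

    Assumption: partitions are contiguous and mtd0 starts at 0x0, so each
    start address is the sum of the sizes before it.
    """
    table, start = {}, 0
    for name, size, erase in parts:
        if erase == 0 or size % erase:
            raise ValueError(f"{name}: size is not a multiple of the erase block")
        table[name] = (start, size)
        start += size
    return table


def dump_size_ok(table, name, dump_bytes):
    """True when a read-back file has exactly the partition's length."""
    return dump_bytes == table[name][1]


if __name__ == "__main__":
    for name, (start, length) in readback_table(parse_proc_mtd(SAMPLE_PROC_MTD)).items():
        print(f"{name:10s} start=0x{start:08X} length=0x{length:08X}")
```

The printed start and length values are the ones to enter in a Read back entry; compare the size of each resulting file against the length before relying on it as a backup.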

After having determined the partition size, select the "Read back" tab and this screen should appear:


Now you should edit the entry, enter a name for the backup file and the details that were previously determined (start address and length). Be sure to select the correct read method: Read Page Only.


Close the window and press F10 (or hit Read back button - the third one with an arrow). Now, with your phone completely turned off (to make sure your phone is completely turned off, remove the battery and replace it after a few seconds), hold VOL-UP button and connect the USB data cable into your phone. The process will start as soon as you see the red progress bar.


Followed by the blue progress bar...


When finished, you should see the green circle.


There you go, you have successfully made a backup of your boot.img. If you wish to back up more NAND partitions, just add more entries to the read back list.


Attention: Please follow the instructions carefully. I will not take any responsibility for whatever may happen to your phone.

53 comments:

  1. Thanks for your very detailed tutorial. I am totally new to the whole smartphone flashing, etc. issues and thus having problems getting started on the right foot. I.e. I do not want to brick my smartphone.

    But I am having problems already with the first step of your tutorial. My smartphone is connected via USB to my Win7 PC. I have installed Java EE - Eclipse with the Android SDK Manager. But now I am stuck.

    How do I get to run ADB?
    How do I get access to the firmware info?

    Your ADB screenshot seems to be from a Linux OS?

    Replies
    1. Yes, my screenshot is from a Linux terminal, but you can use ADB on your Windows machine as well. Please read this in order to know how to install ADB.

    2. Thanks, that worked; now I can run adb and access the phone.

      However, when I run the command to store the output on the sdcard I get: cannot create /sdcard/firmware.info: read-only file system.

      In any case, the firmware info is exactly the same you show in your example.

    3. That is probably because your device is not rooted...

      If the partition table is the same as the one shown on the example, then the scatter file distributed along with SP Flash Tool that you can get from my 4shared folder works for your phone.

    4. Do I need to root my phone? And what does it mean?

      If I load the scatter file and download (flash?) "recovery", what actually happens? Is that the ClockworkMod recovery?

      When would I use: adb reboot recovery ?


      What I actually wanted to do: save my current OS somewhere so I can get back to it if the new modified OS fails on my phone.

      Sorry to keep pestering you with questions; I hope you understand.

    5. "Close the window and press F10 (or hit Read back button - the third one with an arrow). Now, with your phone completely turned off (to make sure your phone is completely turned off, remove the battery and replace it after a few seconds), hold VOL-UP button and connect the USB data cable into your phone. The process will start as soon as you see the red progress bar."

      I followed this procedure exactly but I never got to the red progress bar; it just sits and does nothing.

    6. What is the phone that you have? Have you tried to hold any other key instead of VOL-UP when connecting your phone into the computer? At least, that is the way to do it for G11i Pro and HD7.

    7. My phone is a
      H7300 16GB MTK6573 WCDMA GSM 4.3 capacitance screen Android 2.3

      I also tried VOL-DOWN.
      I use VOL-DOWN to get into the phone's recovery mode.

    8. I think I know where my problem is but I do not know how to fix it.

      I am running Win7-64. When I connect the H7300 Win7 assigns it usb port com4 or 5. But the FlashTool wants to communicate on usb com1.

  2. What about rooted phones? If I buy the phone with the stock ROM and I want to install one of your ROMs, how can I take a copy of the stock ROM? I've read that Nandroid backup only works if the same ROM exists!

    Replies
    1. This obviously also applies to rooted phones. The main purpose of this tutorial was to show how to make a dump of the ROM, specially in those cases that the ROM was not yet made public on the web.

      In case you have a custom recovery, based on CWM, then you can use nandroid backup to backup your actual ROM as well. But please also note that this is the only method that allows you to backup all your NAND partitions.

  3. Great job!!! Thank you so much for this :-)

  4. Hello bgcngm.
    Thanks for the superb tutorial.
    I could dump, unpack, edit, repack and reflash boot.img and recovery.img all thanks to your detailed write up.
    But for the life of me, I can't seem to dump the system.img correctly. Well, I could dump it, but I can't unpack it, or even reflash it back to the phone.

    Could you give me a pointer of what i should try next ?

    Sorry about the english >.<

    Once again, thanks for the splendid tut ^_^

  5. I can't start my G11 pressing POWER button. And I got EBOOT ERROR 14013 when I flash it with SP Flash Tool. What can I do then ?

  6. Can I do this without root???

    Replies
    1. You wouldn't be asking that question if you had read the tutorial carefully... I wrote: "This is actually the only working method for non-rooted phones."

    2. Sorry, the reason I asked you is this: I tried but I got this error, "bootrom command failed via USB, try USB download". That is what I got; how do I do a USB download???

  7. I have a problem, maybe with drivers.
    http://img802.imageshack.us/img802/6637/p1070709.jpg

    I tried to do it with "Preloader USB VCom", "Mediatek USB VCom" and "Modified by MobileUncle" without success.

    Is it necessary to "Disable DA Download All" in Options?
    In MTK ROM Studio, the Part Address (= Start Address) and the size (= Length) appear, right?

  8. Thanks for the great step by step tutorial.

    I did a read back of the recovery image.
    Then I did a CWM backup and compared both files but the file size was different.
    Instead of read method "Read Page Only" i tried "Read Page With ECC" and then
    both files compared equal.

    I wanted to go all the way so i tried to download the file to my phone
    Select "Download" in the Flash Tool
    Check "Recovery"
    Double click "Recovery" and select the recovery.img from the "read back"
    Click "Download"
    Plug in phone (powered off)

    I have an error saying :

    EBOOT ERROR : (16008)
    [Android Partition size changed!
    [HINT]
    Partial images download error.
    The following partitions must be downloaded all together.

    Something i did wrong?

    Thanks

    Replies
    1. I know why i have the 16008 error, the recovery.img file generated during the 'read back' does not have the correct size. The file size should be 6291456 bytes (600000 hex as specified in the scatterfile), while it is only 6144000 bytes long.
      This must be something in Windows 7 because i have downloaded a .rar file packed with a recovery.img for my device, 7Zip shows the unpacked correct file size of 6291456 bytes and when i unpack it it is only 6144000 bytes long.
      I am puzzled...

    2. I have EBOOT ERROR 16008 too, but i don't know why.

      I have successfully read back the boot.img, recovery.img etc. for some MKT6773 phones; the last success was with Alcatel 918, which is quite similar to Alcatel 985.
      I've created a new scatter file from the last phone, but i cannot flash-back any modified, or unmodified images.

  9. I am currently trying to revive a phone which is bricked. I do have a romdump of this phone but don't have the scatter file. The phone is a i-Mobile i695. Is there anyway I can re-create the scatter file from the romdump?

    Thanks

    Replies
    1. Can you still boot into recovery mode? If so, you can connect to an adb shell and find out the MTD partition table.

  10. Just a question, I once succeeded in destroying a pc bios from an asus mainboard by online updating the bios.
    The problem was the asus update program made a mess because of my 64 bit operating system.
    Will flashing a phone work with a 64 bit operating system (win7)?

    Replies
    1. There is no problem related to the use of Windows 7 x64. I have used it since the first MT6516 phone that I got and have flashed many others, based on MT65x3 and MT6575.

  11. I have a rooted phone (came with a stock shell root), is it possible to simply dump the partitions with dd to some folder on sdcard? Somebody posted a script on XDA that does exactly that, but also uses some mkyaffs2image utility to convert /system /data and /cache.
    I only have linux installed and it seems SP Flash Tool doesn't work from a virtual machine. How to backup my phone?

    Replies
    1. Yes, that is also an option, you can use that script. Another option is to use MTK Droid Root & Tools (by rua1).

    2. OK I'm a bit confused as to why those 3 partitions need special care. Bruno, could you shed some light? Is it because they're proprietary filesystems?

      If so, my dd backup of ALL partitions wouldn't actually work when I dd them back, would they?

  12. Thank you for quick response.
    Just to clarify, that is the script from "MTK-6573-BakUpTool.rar":
    http://forum.xda-developers.com/showthread.php?t=1683883
    Dumped the ROM manually via the script but was a bit worried about the yaffs partition conversion thing, what is that all about?
    Generated scatter file, checked the positions with the hex calc and I guess the phone is backed up now :-)
    MTK Droid Root & Tools is also a windows app :-(
    Now if I may be a little OT, but how do I flash back the partitions if the need arises? Found about mobile uncle tools, but it is for flashing CWM recovery only.

    Replies
    1. Correct, that is the script. The yaffs2 utility that you refer to is needed in order to create the yaffs2 images (system, userdata and cache). In order to flash it back you need SP Flash Tool.

      By the way, if you have a custom recovery (CWM-based, for example) you can also create a backup of your current ROM and restore (Nandroid backup/restore feature).

    2. Not for phones with a "custpack" partition. Neither manually with SP Flash Tool, nor with the script above, nor with CWM... for these models it's NOT possible to make a 100% backup!!

  13. Is it possible to flash back all nand partitions? Including DSP_BL and Preloader?

  14. hi bruno, thanks for your blog, i wonder and curious.
    in your experience, can this post implemented to a MTK 6575 device?

    thanks in advance

    Replies
    1. I haven't tried this method on any MT6575 based device, but SP Flash Tool should be able to read flash partitions the same way. Another backup method you can try is to use MTK Droid & Root Tools (say thanks to rua1).

  15. kindly explain me in detail .. how to determine the size of each partition.

    give me full example of each partition beginning and ending address.

    thanks
    Bluffmaster

  16. I can only boot my MT6573 device in recovery, but I can't manage to connect to it to create the scatter file in order to root it and try to write a rom.
    please help.

    Replies
    1. If you are able to boot into recovery then you can still manage to get MTD partition table from your device.

  17. Removed the VCOM drivers, and reattempted the whole thing of plugging in USB while keeping VOL-UP pressed, to start the "readback", but didn't go through.

    Used Nirsoft USBDeview to watch for the "PreLoader USB VCOM (Android)" device, to see what is going on. Realized that when I plug-in the USB cable, the device turns green (become Active), momentarily, but then again becomes inactive. The VCOM driver is identified as COM66. Keeping the VOL-UP pressed (or not), doesn't seem to have any difference, in terms of the outcome. Alternatively doing the same keeping VOL-UP and POWER button pressed does nothing either, i.e. the Readback doesn't seem to start.

    As mentioned in my previous post, the peculiarity of this device is that to enter Recovery-mode, I need to press POWER, keeping VOL-UP and VOL-DN pressed as well (simultaneously). Tried even that sequence, and still no progress.



    Replies
    1. Well, I have the same problem with my phone. I got a updated version of SP Flash Tool (version 3). Now I got an error BROM ERROR: S_BROM_CMD_STARTCMD_FAIL (2005)
      [BROM] Can not pass bootrom start command via USB cable!

      I don't know if there is a secret button or something of the kind, because the HINT it gave me is 'Step3. Press USB download key and do not loose it'. O.o

  18. Hi,

    I've tried to flash my ot-991 (based on mtk 6573) using SP Flash Tool. After then my phone is dead and when I try to flash again I have a message like : BROM ERROR : S_DL_GET_DRAM_SETTING_FAIL (5054). Doing memory test I have the same problem, but it works fine when I 'Read back' the boot image. Can you have any idea ?

    Thank you for your help

  19. Hi all!

    Where can i find the MT65xx ROM Studio? I havent got active link to download it.

    thanks

    Replies
    1. The link has just been updated. It is working now!

  20. Hello bgcngm! Thanks for the tutorial. I get stuck at the adb command. I can't see the partition tables.
    http://img694.imageshack.us/img694/3650/screenshot069n.jpg

    i have installed drivers and debuging is on.

    Replies
    1. It means that your phone doesn't have a MTD partition structure. Only MT65x3 based devices (and some MT657x) have that structure. Almost all devices based on MT6575 / MT6577 have eMMC partition tables and the process is a bit different.

    2. Indeed, MT6577 uses eMMC. A restricted set of ROM structure is available via /proc/emmc. The full ROM info can be checked with MobileUncleTools. I can do a dump for /proc/emmc or a MU screenshot, if it is anyone interested.

  21. hi bgcngm, when i type the command cat /proc/mtd, I only see the header only. The data is blank. My device is MTK 6577. How can I check the MTD partition for my phone?

    Replies
    1. Please note that the tutorial is specific for MT65x3 based devices. As far as I know, MT6577 devices have eMMC partitions, not MTD partitions. I advise you to try MTK Droid Root & Tools (by rua1) to create your backup.

  22. My device N9330 is rooted using your method. However when I use MTK Droid, it was not recognised as rooted. I run the ROOT command,it got an error "ERROR : /data/local.prop: No such file or directory". And when I use ADB, it got error

    adb root
    adb server is out of date. killing...
    * daemon started successfully *
    adbd cannot run as root in production builds

    I have no problem accessing any of the system files using Root Explorer. Anything missing here?

    Replies
    1. Your problem is that you still have a secured shell. If you have a CWM based recovery, (most likely unsecured) you can boot into recovery mode and then use MTK Droid Root & Tools.

      To get your device unsecured, edit default.prop on your boot.img ramdisk and change ro.secure=1 property to ro.secure=0.

  23. good tutorial ..
    how to make use of this dump ? how to flash it back ?

    Replies
    1. Flash it back using the exact same tool.

  24. I have adb installed. All drivers of the phone, everything correctly. When I write the command "adb shell" and then "cat / proc / mtd". There appears a list of files. Just writing appears dev: size: erasesize: name: and nothing underneath. I type "adb shell cat / proc / mtd> / sdcard / firmware.info." And it saves the file "firmware.info" to the sdcard. But when I open the file with the "MTK Rom Studio" it is all blank. Nothing appears in the list. See the images. Could anyone help me? I use "Windows 7 64bits".

    Image 01: http://upload.crazzy.com.br/pictures/d95076c187e7987d82706b695229c2a6.jpg
    Image 02: http://upload.crazzy.com.br/pictures/1c35fa8781557b0293167f783af59193.jpg
    Image 03: http://upload.crazzy.com.br/pictures/623c1ecb9086d8c02567e257a7732d63.jpg

    Replies
    1. It seems that your device is not based on MT65x3 because it does not contain an MTD partition table. Search for MTK Droid Root & Tools and use it to make your backup.
