Here is the partition layout together with filesystem information about all MC7010 units:
MC7010-7010CA-7010(mmWave)-7010(China)
| Dev | Size | Erase Size | Name |
|---|---|---|---|
| mtd0 | 00280000 | 00040000 | "sbl" |
| mtd1 | 00280000 | 00040000 | "mibib" |
| mtd2 | 00b00000 | 00040000 | "efs2" |
| mtd3 | 00600000 | 00040000 | "efs2bak" |
| mtd4 | 001c0000 | 00040000 | "tz" |
| mtd5 | 00100000 | 00040000 | "tz_devcfg" |
| mtd6 | 00180000 | 00040000 | "ddr" |
| mtd7 | 00100000 | 00040000 | "apdp" |
| mtd8 | 00100000 | 00040000 | "xbl_config" |
| mtd9 | 00100000 | 00040000 | "multi_image" |
| mtd10 | 00100000 | 00040000 | "aop" |
| mtd11 | 00100000 | 00040000 | "qhee" |
| mtd12 | 00100000 | 00040000 | "abl" |
| mtd13 | 00280000 | 00040000 | "uefi" |
| mtd14 | 00180000 | 00040000 | "toolsfv" |
| mtd15 | 00180000 | 00040000 | "loader_sti" |
| mtd16 | 00d00000 | 00040000 | "boot" |
| mtd17 | 00100000 | 00040000 | "scrub" |
| mtd18 | 06640000 | 00040000 | "modem" |
| mtd19 | 001c0000 | 00040000 | "misc" |
| mtd20 | 00180000 | 00040000 | "devinfo" |
| mtd21 | 00d00000 | 00040000 | "recovery" |
| mtd22 | 001c0000 | 00040000 | "fota" |
| mtd23 | 02b00000 | 00040000 | "recoveryfs" |
| mtd24 | 00100000 | 00040000 | "sec" |
| mtd25 | 08700000 | 00040000 | "zterw" |
| mtd26 | 0a100000 | 00040000 | "system" |
MC7010D
| Dev | Size | Erase Size | Name |
|---|---|---|---|
| mtd0 | 00280000 | 00040000 | "sbl" |
| mtd1 | 00280000 | 00040000 | "mibib" |
| mtd2 | 00b00000 | 00040000 | "efs2" |
| mtd3 | 00600000 | 00040000 | "efs2bak" |
| mtd4 | 001c0000 | 00040000 | "tz" |
| mtd5 | 00100000 | 00040000 | "tz_devcfg" |
| mtd6 | 00180000 | 00040000 | "ddr" |
| mtd7 | 00100000 | 00040000 | "apdp" |
| mtd8 | 00100000 | 00040000 | "multi_image" |
| mtd9 | 00100000 | 00040000 | "aop" |
| mtd10 | 00100000 | 00040000 | "qhee" |
| mtd11 | 00100000 | 00040000 | "abl" |
| mtd12 | 00280000 | 00040000 | "uefi" |
| mtd13 | 00180000 | 00040000 | "toolsfv" |
| mtd14 | 00180000 | 00040000 | "loader_sti" |
| mtd15 | 00d00000 | 00040000 | "boot" |
| mtd16 | 00100000 | 00040000 | "scrub" |
| mtd17 | 06640000 | 00040000 | "modem" |
| mtd18 | 001c0000 | 00040000 | "misc" |
| mtd19 | 00180000 | 00040000 | "devinfo" |
| mtd20 | 00d00000 | 00040000 | "recovery" |
| mtd21 | 001c0000 | 00040000 | "fota" |
| mtd22 | 02b00000 | 00040000 | "recoveryfs" |
| mtd23: | 00100000 | 00040000 | "sec" |
| mtd24: | 08680000 | 00040000 | "zterw" |
| mtd25: | 000c0000 | 00040000 | "ipa_fw" |
| mtd26: | 00100000 | 00040000 | "usb_qti" |
| mtd27: | 0a0c0000 | 00040000 | "system" |
The most important partitions that usally need to be swapped between different firmwares are: efs2, uefi, modem, boot and system:
- efs2 contains all baseband configuration (IMEI, BB settings and so on..). Be careful and make a backup of the whole partition using Qualcomm Tool (QPST to backup as QCN file);
- uefi contains the rexOS system that is loaded by the baseband. It will read all DSP firmwares from the modem partition (AKA NON-HLOS) to initialize all radio stuff;
- modem contains all DSP firmwares loaded by UEFI;
- boot is the Linux Kernel used by the AP processor to load embedded drivers and start everything from Root FS;
- zterw is used by Root FS to store all settings that should be persistent across reboots. When you factory reset the CPE, by using either the physical or WebUI button, the volumes inside this UBI will be formatted;
- system is the Linux Root FS where all binaries are stored and ran at boot after kernel startup.
system & modem partitions are created using UBIFS on top of an UBI layout. Both can be accessed in read-write mode after having enabled SSH or TELNET on a stock unit, so changes on the filesystem are possible.
system contains 2 volumes:
| Volume Name | Description |
|---|---|
| rootfs | Contains all Linux and ZTE executables, it can modified to add sshd/telnetd and other tools |
| zte_data | Contains EFS default configuration used after the device has been reset; web server pages; default AND custom parameters used by ZTE binaries, like admin password, IP, CPE mode and so on |
These two volumes can be extracted using ubireader, here is a little break down on how to extract and repack them:
Run all commands as root beacuse there are some special files (like /dev directory) that need to be created
- Install the ubireader tool (see the link above for a how-to guide)
- Copy the sdxprairie-sysfs.ubi file into a directory, then run
ubireader_extract_files sdxprairie-sysfs.ubi - This will create two folders, with path
ubifs-root/IMAGE_ID/rootfs|ztedata - Run
ubireader_display_info sdxprairie-sysfs.ubi | grep Sequenceagain on sdxprairie-sysfs.ubi and take note of the big number after the string (called ID_FROM_UBI_DISPLAY_INFO from now on), this is to be used when UBI is repacked. - All modifications are to be done inside the rootfs|ztedata folders (like changing password hash, adding scripts, adding tools and so on)
- Re-create the two UBIFS with these commands:
- rootfs:
/usr/sbin/mkfs.ubifs -m 4096 -e 253952 -c 2146 -x lzo -f 8 -k r5 -p 1 -l 4 -F -r rootfs rootfs_vol.ubifs - ztedata:
/usr/sbin/mkfs.ubifs -m 4096 -e 253952 -c 68 -x lzo -f 8 -k r5 -p 1 -l 4 -F -r ztedata ztedata_vol.ubifs
- rootfs:
- Now create a file called ubi.ini with this content:
[rootfs]
mode = ubi
image = rootfs_vol.ubifs
vol_type = dynamic
vol_id = 0
vol_name = rootfs
vol_alignment = 1
vol_size = 141705216
[ztedata]
mode = ubi
image = ztedata_vol.ubifs
vol_type = dynamic
vol_flags = autoresize
vol_id = 1
vol_name = ztedata
vol_alignment = 1
vol_size = 8888320
- Finally create the new sdxprairie-sysfs.ubi using
/usr/sbin/ubinize -p 262144 -m 4096 -O 4096 -s 4096 -x 1 -Q ID_FROM_UBI_DISPLAY_INFO -o mod_sdxprairie-sysfs.ubi ubi.ini - This file now can be replaced in your QFIL package and flashed on the unit
If you want to modify rootfs\ztedata without having to use QFIL to flash the firmware every time, erasing the boot partiton is possible, so the abl (Android Boot Loader) will automatically start in fastboot mode, making it possible to boot your own kernel or to flash other partitions without needing to set the CPE in EDL mode. For instance, to reflash the system each time, you can simply run these commands:
fastboot erase system
fastboot flash system mod_sdxprairie-sysfs.ubi
When finished, boot the kernel with the command: fastboot boot sdxprairie-boot.img.
If everything is fine, just reboot the unit and permanently flash the kernel with the command: fastboot flash boot sdxprairie-boot.img.