Tutorial

Important partitions of Qualcomm mobile phones

persist partition: holds account information, DRM (Digital Rights Management) related files and the sensor registry, and is essential for Wi-Fi, Bluetooth and the MAC address.

Please note that restoring factory settings cannot clear the persist partition. In addition, the online flash package does not include the persist partition. Once a problem occurs, we need to repair it manually.

Modem & radio baseband partition: the partition that controls mobile phone communication functions. Once this partition is damaged, communication-related functions will most likely be lost. Specific manifestations include card failure, IMEI loss, etc.

fsg

fsc

modemst1

modemst2

These 4 partitions must be backed up

FRP (factory reset protect)

dsp

bluetooth

modem

persistsec

Backing up these partitions is optional

misc partition

Recovery uses this partition to save some information about the upgrade to deal with the device power failure and restart during the upgrade process.

When the bootloader starts, it will read the information in this partition to determine whether the system will enter Recovery System or Main System.

fastboot --disable-verity --disable-verification flash vbmeta vbmeta.img

As the name suggests, FRP is used to protect factory settings. For example, if your phone is lost, the thief will usually restore it to factory settings to bypass the lock screen password so that it can be used. But if you were logged in with a Google account, the password or Google account still has to be entered at boot time. This is FRP at work. If the factory reset is triggered from the settings, FRP will not be triggered. Presumably Google reasoned during the design that anyone who can reach the settings has already unlocked the desktop and is therefore most likely the owner of the device, so FRP is not triggered.

| Label | Purpose of this partition |
|---|---|
| Modem | Partition for modem |
| fsc | Cookie partition to store Modem File System's cookies. |
| Ssd | Partition for ssd diag module. Stores the encrypted RSA keys |
| sbl1 | Partition for secondary boot loader |
| Sbl1bak | Backup partition for secondary boot loader |
| Rpm | Partition for rpm image |
| Rpmbak | Backup partition for rpm image |
| Tz | Partition for tz image |
| Tzbak | Backup partition for tz image |
| Hyp | Partition for hypervisor image |
| Hypbak | Backup partition for hypervisor image |
| Dsp | Partition for adsp dynamic loaders image |
| Modemst1 | Copy of Modem File System (encrypted) |
| Modemst2 | Copy of Modem File System (encrypted) |
| DDR | Partition for DDR. |
| fsg | Golden copy or backup of Modem File System (encrypted). Also used to pre-populate the file system. |
| Sec | Sec.dat contains fuse settings, mainly for secure boot and OEM settings |
| Splash | The splash screen is displayed during the apps bootloader (also called the LK). The display driver in LK reads the splash image data from a separate eMMC partition named 'splash' |
| Aboot | Partition for apps boot loader |
| Abootbak | Backup partition for apps boot loader |
| Boot | This is the boot partition of your Android device. It includes the Android kernel and the ramdisk. |
| Recovery | This is specially designed for backup. The recovery partition can be considered an alternative boot partition |
| Devinfo | Device information including: is_unlocked, is_tampered, is_verified, charger_screen_enabled, display_panel, bootloader_version, radio_version. All these attributes are set based on specific conditions and written to the devinfo partition. |
| System | This partition contains the entire Android OS, other than the kernel and the ramdisk. This includes the Android GUI and all the system applications that come pre-installed on the device |
| Cache | This is the partition where Android stores frequently accessed data and app components |
| Persist | Partition entry for the persist image, which contains data that shouldn't be changed after the device has shipped, for example: calibration data of chips (Wi-Fi, BT, camera, etc.), certificates and other security-related files. |
| Misc | This partition contains miscellaneous system settings in the form of on/off switches. These settings may include CID (Carrier or Region ID), USB configuration, certain hardware settings, etc. |
| Keystore | Partition for keystore service. |
| Config | Partition needed during display panel initialization. More info at Display_panel_configuration_in_Device_Tree |
| OEM | It is meant for storing OEM-specific info. The customer in this case can decide whether to keep this partition or not; typically, reserved partitions are kept for future use |
| Limits | Partition to store LMh params on the 8976 target. The LMh (Limits management) driver in SBL writes the LMh HW trimmed data into a separate partition and uses the same data for later reboots |
| Mota | Backup partition for M OTA upgrade |
| Devcfg | Partition needed by TZ for M upgrades. |
| Dip | Partition needed for SafeSwitch, a feature (FR26255) designed to allow OEMs and carriers to address new smartphone theft bill issues. |
| mdtp | Partition needed for SafeSwitch, a feature (FR26255) designed to allow OEMs and carriers to address new smartphone theft bill issues. |
| Userdata | Partition for userdata image |
| Cmnlib | Verified boot feature introduced in M needs LK to load cmnlib from corresponding partitions |
| Keymaster | Verified boot feature introduced in M needs LK to load keymaster from corresponding partitions |
| Syscfg | Syscfg is internal testing for Vmin and CPR characterization |
| f | All MBNs placeholder in flash. The specific MBN would be loaded by the mcfg image based on the SIM/carrier. |
| msadp | Used for modem debug policy |
| Apdp | Used for persisting the debug policy. "Debug policy" is used to better support development and debug on secure/fuse-blown devices. One instance of the debug policy will be signed for the AP |
| Dpo | This partition will store a policy override |

After the 5G parameters and IMEI are written to the Modemst1 partition, copy all data in the Modemst1 partition to the FSG partition for storage.

Check whether the Modemst1 partition is reading and writing normally after each boot:

  1. When the Modemst1 partition reads and writes abnormally, clear the Modemst1 partition;
  2. When the Modemst1 partition is empty, copy the FSG partition to the Modemst1 partition for recovery;
  3. When the Modemst1 partition is read and written normally, the subsequent normal boot process is completed.

The advantage is that it makes full use of the storage space of the FSG partition, which exists as a shadow of the Modemst1 partition; this improves partition utilization and enables IoT devices to completely restore factory settings. It cleverly circumvents the previous problem that the Modemst1 partition cannot be reset after leaving the factory, and avoids the defect of having to return to the factory for repair due to abnormal 5G parameters.

The Qualcomm platform defines the working partition of NV as modemst1 or modemst2. As working partitions, modemst1 and modemst2 are equivalent.

The 5G parameters are always saved in the modemst1 partition when leaving the factory. The router continuously reads and writes the modemst1 partition during operation.

The partition that stores the NV parameter initialization value is the FSG partition. The Qualcomm platform will create an image file containing the NV parameter initialization value and download this image file to the FSG partition.

During startup, the Qualcomm platform decides whether to copy the FSG partition to the modemst1 partition by checking whether the current NV working partition, modemst1, is empty. If it is empty, the NV parameter initialization values in the image file in the FSG partition are written to the modemst1 partition.

Generally, after the 5G device downloads the software for the first time, because the modemst1 partition is empty, the NV parameter initialization values in the FSG partition will be written to the modemst1 partition. Then, during the production process, important 5G parameters such as calibration parameters and the IMEI will be written to the modemst1 partition, causing the modemst1 partition to be unable to be erased later. Because the modemst1 partition cannot be erased, it will naturally no longer be empty, and the data in the FSG partition will no longer have the opportunity to be written to the modemst1 partition. The reason why the modemst1 partition cannot be erased is not that the partition cannot be read and written, but that after the partition data is erased, the calibration parameters, IMEI and other important 5G parameters written at the factory will be lost. The IoT device holds no backup of these important 5G parameters, so without returning it to the factory for repair they cannot be restored.

First, download the software and install the software system on the empty chip. When the modemst1 partition is empty, the working mechanism of the Qualcomm platform copies all the NV parameter initialization values stored in the FSG partition to the modemst1 partition.

Then write the various factory settings and parameters to the modemst1 partition, for example, in order: write the single board number, write the calibration comprehensive test parameters, write the single board current parameters, write the single board functions, write the whole machine current, and perform operations such as coupling writes, writing complete machine functions, and writing the IMEI.

Finally, copy the modemst1 partition that has been completed above to the FSG partition to complete the saving of 5G parameters of the IoT device.

IoT devices do not operate the fsg partition during normal use, and the fsg partition parameters are always the initial state when the device leaves the factory.

When an IoT device goes online and registers for a 5G network, it reads the parameters of the modemst1 partition as needed, and the operating status is written to the modemst1 partition of the device. Therefore, it continuously interacts with the modemst1 partition during operation.

Frequent data interaction naturally greatly increases the probability of errors in 5G parameters. When an abnormality occurs in reading and writing the modemst1 partition, the reading and writing exception affects the device registration network and the normal operation of the modem. At this time, the modemst1 partition needs to be restored to the factory state.

Users only need to restart the abnormal IoT device twice to solve the problem.

The first restart clears the Modemst1 partition, and the second completely resets the Modemst1 partition (that is, copies fsg to modemst1).

After each boot, the IoT device checks the read and write functions of the modemst1 partition. There are three possibilities at this time: one is empty, the other is normal, and the third is abnormal.

1) When the Modemst1 partition reads and writes abnormally, clear the Modemst1 partition;

2) When the Modemst1 partition is empty, copy the FSG partition to the Modemst1 partition for recovery;
3) When the Modemst1 partition is read and written normally, complete the subsequent normal boot process.
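The two-restart recovery described above, as an added simulation that is not code from the original page or from Qualcomm. The toy image layout, the CRC32 validity check used to detect an "abnormal" partition, and the extra guard that refuses to restore from an invalid fsg are all assumptions made for illustration.

```python
import zlib

PART_SIZE = 64  # toy size (assumption); the page's modemst1 is 1536 KB

def make_image(payload: bytes) -> bytes:
    # Toy layout (assumption, not Qualcomm's EFS format): padded body + CRC32.
    body = payload.ljust(PART_SIZE - 4, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")

def classify(img: bytes) -> str:
    """Return 'empty', 'normal' or 'abnormal' for one partition image."""
    if not any(img):                      # all zero bytes, like zero.bin
        return "empty"
    body, stored = img[:-4], int.from_bytes(img[-4:], "little")
    return "normal" if zlib.crc32(body) == stored else "abnormal"

def boot(parts: dict) -> str:
    """Apply the three boot-time rules once; return the action taken."""
    state = classify(parts["modemst1"])
    if state == "abnormal":               # rule 1: clear modemst1
        parts["modemst1"] = bytes(PART_SIZE)
        return "cleared"
    if state == "empty":                  # rule 2: restore from fsg
        if classify(parts["fsg"]) != "normal":
            return "halt-fsg-invalid"     # added guard, not in the page
        parts["modemst1"] = parts["fsg"]
        return "restored-from-fsg"
    return "normal-boot"                  # rule 3: continue booting

def boots_until_settled(parts: dict, limit: int = 5) -> list:
    """Reboot until a normal boot or a halt; return the list of actions."""
    actions = []
    while len(actions) < limit:
        actions.append(boot(parts))
        if actions[-1] in ("normal-boot", "halt-fsg-invalid"):
            break
    return actions

def factory_then_corrupt():
    """Factory flow from the page, then one flipped byte in modemst1."""
    factory = make_image(b"IMEI=<placeholder>;cal=<placeholder>")
    parts = {"modemst1": factory, "fsg": factory}   # modemst1 copied to fsg
    damaged = bytearray(factory)
    damaged[3] ^= 0xFF                              # constructed corruption
    parts["modemst1"] = bytes(damaged)
    return parts, factory

if __name__ == "__main__":
    parts, factory = factory_then_corrupt()
    print(boots_until_settled(parts), parts["modemst1"] == factory)
```

The scheme only recovers the device if the fsg copy itself is intact, which is why fsg is among the partitions that must be backed up.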

fastboot flash fsg fsg.mbn

fastboot erase modemst1

fastboot erase modemst2

Production of Qualcomm Platform EFS

The machine used to make EFS is called A, and the machine used to verify EFS is called B.
1. Add the following three lines to modem_proc/core/storage/efs/inc/fs_config_i.h:
#ifndef FEATURE_EFS_ENABLE_FACTORY_IMAGE_SECURITY_HOLE
#define FEATURE_EFS_ENABLE_FACTORY_IMAGE_SECURITY_HOLE
#endif
2. For devices that do not have secure boot enabled, add a line to modem_proc/core/storage/fs_tar/src/fs_tar.c:
#define FEATURE_FS_TAR_ALLOW_DUMMY_KEY
For devices with secure boot enabled, there is no need to define the above macro.
3. Clean the modem build and recompile. After compilation, enter the common/build directory, execute the script python update_common_info.py, and flash the newly generated common/build/bin/asic/NON-HLOS.bin file into the modem partition of the phone through fastboot.
4. Restart the phone, open the QPST Software Download software, switch to the Restore page, connect the phone via USB, and write the QCN file (the QCN file is configured with several NV items) into the phone. The phone will automatically restart.
5. After the restart has finished, connect the USB cable to the mobile phone and make sure the QPST Software Download software is open. Put the modem_proc/core/storage/tools/efsreadimage.pl file in the C:\Users\yuntaohe\Desktop\EFS directory, open a Windows cmd window, enter the C:\Users\yuntaohe\Desktop\EFS directory, and execute perl efsreadimage.pl -z. A new file fs_image.tar.gz will be generated in the current directory.
6. Upload fs_image.tar.gz to the modem_proc/core/storage/tools/qdst/ directory on the Ubuntu machine, and execute python QDSTMBN.py fs_image.tar.gz in this directory to generate fs_image.tar.gz.mbn.
7. Copy fs_image.tar.gz.mbn and modem_proc/build/ms/bin/8909.gen.prod/efs_image_meta.bin to the modem_proc/core/bsp/efs_image_header/tools directory, and execute python efs_image_create.py efs_image_meta.bin fs_image.tar.gz.mbn in this directory to generate fs_image.tar.gz.mbn.img.
At this point, EFS production is completed. The verification process of EFS is as follows:
1. For devices that do not have secure boot enabled, add a line in modem_proc/core/storage/fs_tar/src/fs_tar.c:
#define FEATURE_FS_TAR_ALLOW_DUMMY_KEY
For devices with secure boot enabled, there is no need to define the above macro.
2. Clean the modem build and recompile. After compilation, enter the common/build directory and execute the script python update_common_info.py to regenerate the common/build/bin/asic/NON-HLOS.bin file.
3. Generate a binary file with all 0s: under Linux, execute dd if=/dev/zero of=zero.bin bs=<modem_st1 size> count=1. For the modem_st1 size, refer to the rawprogram0_unspare.xml file:
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="zero.bin" label="modemst1" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0x8680000" start_sector="275456" />
In this example, modem_st1 size = 1536 * 1024 = 1572864.
4. Put the NON-HLOS.bin generated in step 2, the zero.bin generated in step 3, and the fs_image.tar.gz.mbn.img generated by EFS into the flash package.
5. Modify the rawprogram0_unspare.xml file in the flash package:
-<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”” label=”modemst1″ num_partition_sectors=”3072″ physical_partition_number=”0″ size_in_KB=”1536.0″ sparse =”false” start_byte_hex=”0x8680000″ start_sector=”275456″ />
-<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”” label=”modemst2″ num_partition_sectors=”3072″ physical_partition_number=”0″ size_in_KB= ”1536.0″ sparse=”false” start_byte_hex=”0x8800000″ start_sector=”278528″ />
-<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”” label=”fsg” num_partition_sectors=”3072″ physical_partition_number=”0″ size_in_KB=”1536.0″ sparse=”false” start_byte_hex=”0xc008000″ start_sector=” 393280″ />
+<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”zero.bin” label=”modemst1″ num_partition_sectors=”3072″ physical_partition_number=”0″ size_in_KB=”1536.0″ sparse=”false” start_byte_hex =”0x8680000″ start_sector=”275456″ />
+<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”zero.bin” label=”modemst2″ num_partition_sectors=”3072″ physical_partition_number=”0″ size_in_KB=”1536.0 ″ sparse=”false” start_byte_hex=”0x8800000″ start_sector=”278528″ />
+<program SECTOR_SIZE_IN_BYTES=”512″ file_sector_offset=”0″ filename=”fs_image.tar.gz.mbn.img” label=”fsg” num_partition_sectors =”3072″ physical_partition_number=”0″ size_in_KB=”1536.0″ sparse=”false” start_byte_hex=”0xc008000″ start_sector=”393280″ />
6. After flashing the machine with QFIL, connect the USB to the PC and use QXDM to check whether some NVs are effective.
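Review bot: the `+` lines for modemst1 and modemst2 in step 5 both reuse zero.bin, which step 3 sizes from the modemst1 entry only. That works here because both entries have num_partition_sectors of 3072, but on a layout where the two sizes differ each partition needs its own zero file, and the fsg image must likewise fit within its 3072 sectors. The attribute values are also shown with typographic quotes and stray spaces (for example `start_byte_hex =”0x8680000″` and `size_in_KB=”1536.0 ″`); in the real rawprogram0_unspare.xml they need plain double quotes with no embedded spaces, or the file will not parse.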

Note: If secure boot is enabled on machine B, the generated EFS file fs_image.tar.gz.mbn.img needs to be signed and put into the flash package.
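A consistency check for the rawprogram0_unspare.xml entries edited in the verification steps above, as an added example that is not part of the original page or of Qualcomm's tooling. The `<data>` wrapper, the function name `check_entries` and the caller-supplied `file_sizes` mapping (file name to size in bytes) are assumptions; the three `<program>` entries are the page's own values, retyped with plain quotes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's three edited entries inside a <data> wrapper.
RAWPROGRAM = """<data>
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="zero.bin" label="modemst1" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0x8680000" start_sector="275456" />
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="zero.bin" label="modemst2" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0x8800000" start_sector="278528" />
<program SECTOR_SIZE_IN_BYTES="512" file_sector_offset="0" filename="fs_image.tar.gz.mbn.img" label="fsg" num_partition_sectors="3072" physical_partition_number="0" size_in_KB="1536.0" sparse="false" start_byte_hex="0xc008000" start_sector="393280" />
</data>"""

def check_entries(xml_text, file_sizes):
    """Return (sizes, problems): partition size in bytes per label, plus findings."""
    sizes, problems, spans = {}, [], []
    for p in ET.fromstring(xml_text).iter("program"):
        label = p.get("label")
        sector = int(p.get("SECTOR_SIZE_IN_BYTES"))
        start = int(p.get("start_sector")) * sector
        nbytes = int(p.get("num_partition_sectors")) * sector
        sizes[label] = nbytes
        # The page derives the dd block size as size_in_KB * 1024.
        if nbytes != int(float(p.get("size_in_KB")) * 1024):
            problems.append(f"{label}: size_in_KB disagrees with sector count")
        if int(p.get("start_byte_hex"), 16) != start:
            problems.append(f"{label}: start_byte_hex disagrees with start_sector")
        fname = p.get("filename")
        if fname and fname not in file_sizes:
            problems.append(f"{label}: {fname} missing from flash package")
        elif fname and file_sizes[fname] > nbytes:
            problems.append(f"{label}: {fname} is larger than the partition")
        spans.append((start, start + nbytes, label))
    spans.sort()
    for (_, end1, l1), (start2, _, l2) in zip(spans, spans[1:]):
        if start2 < end1:                 # adjacent is fine, overlap is not
            problems.append(f"{l1} overlaps {l2}")
    return sizes, problems

if __name__ == "__main__":
    # Constructed file sizes: zero.bin as produced by the dd command in step 3.
    pkg = {"zero.bin": 1536 * 1024, "fs_image.tar.gz.mbn.img": 400000}
    print(check_entries(RAWPROGRAM, pkg))
```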
