├── data_efs_per_VoLTE
│   ├── ds_dsd_attach_profile.txt
│   ├── ds_andsf_config.txt
│   ├── andsf.xml
│   └── default_andsf.xml
├── asset
│   ├── edl_win_port.jpg
│   ├── teraterm_ati.png
│   ├── restore_qcn_1.png
│   ├── restore_qcn_2.png
│   ├── MF289F_EDL_point.jpg
│   ├── efs_explorer_connect.png
│   ├── teraterm_at_commands.png
│   ├── modem_after_first_restore.png
│   ├── teraterm_at_configuration.png
│   ├── efs_explorer_restore_config.png
│   ├── modem_after_config_restore.png
│   ├── zte_before_flash_select_driver_1.png
│   ├── zte_before_flash_select_driver_2.png
│   ├── zte_before_flash_select_driver_3.png
│   ├── zte_before_flash_select_driver_4.png
│   ├── zte_after_flash_DIAG_port_driver_1.png
│   ├── zte_after_flash_DIAG_port_driver_2.png
│   ├── zte_after_flash_NMEA_port_driver_1.png
│   ├── zte_after_flash_NMEA_port_driver_2.png
│   ├── zte_before_flash_DIAG_port_driver_1.png
│   ├── zte_before_flash_DIAG_port_driver_2.png
│   ├── zte_before_flash_NMEA_port_driver_1.png
│   └── zte_before_flash_NMEA_port_driver_2.png
├── cacombo.md
├── LICENSE
├── enter_edl_brick.md
├── README.md
├── swver.md
├── swap_firmware.md
├── enable_volte.md
├── fs.md
├── recovery_brick_windows.md
└── edl.md

/data_efs_per_VoLTE/ds_dsd_attach_profile.txt:
--------------------------------------------------------------------------------
Attach_Profile_ID:2;

--------------------------------------------------------------------------------
/data_efs_per_VoLTE/ds_andsf_config.txt:
--------------------------------------------------------------------------------
andsf_rule_mgr_active:1;
lte_meas_alpha:50;
lte_sampling_interval:1000;
lte_avg_interval:5000;
wifi_meas_alpha:65;
wifi_sampling_interval:1000;
wifi_avg_interval:5000;
cdma_1x_meas_alpha:50;
cdma_1x_avg_interval:6000;
cdma_1x_acq_hyst_interval:3000;
cdma_1x_lost_hyst_interval:3000;
cdma_1x_sampling_interval:2000;

--------------------------------------------------------------------------------
/cacombo.md:
--------------------------------------------------------------------------------
# LTE CA Combo

Here is a list of links to the most common firmware's LTE Combos:

## LTE

| Device      | Firmware                   | LTE CAP |
|-------------|----------------------------|---------|
| ZTE MF289F  | VDF_DE_MF289F1MODV1.0.0B05 | [LTE CAP Link](https://uecapability.smartphonecombo.it/view/multi/?id=e2678120-ca1c-4fd6-9c8b-ac65b4058098) |
| ZTE MF289F1 | TMO_PL_MF289F1MODV1.0.0B03 | [LTE CAP Link](https://uecapability.smartphonecombo.it/view/multi/?id=30b2137a-c875-407a-ad89-0937bdec41c3) |
| ZTE MF289F1 | DNA_FI_MF289F1MODV1.0.0B11 | [LTE CAP Link](https://uecapability.smartphonecombo.it/view/multi/?id=91ba7a55-98ea-4989-8d9a-9da54d34c4f8) |

--------------------------------------------------------------------------------
/data_efs_per_VoLTE/andsf.xml:
--------------------------------------------------------------------------------
Default Profileinternet111ims311211hos311210123440

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Giammarco

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/enter_edl_brick.md:
--------------------------------------------------------------------------------
# Enter 'Emergency Download Mode' (EDL) if your unit is bricked

If the unit is soft-bricked (usually it shows up as a ZTE device with VID/PID *19d2:0076*) or fully bricked (no sign of life), there is another way to put the module into ***EDL Mode***.

Here is an image of the internal module; the **EDL BOOT POINTS** are the two marked with the red arrows:

[image: EDL Boot Point]
Special thanks to user checkin665 from the eko.pl forum

Use a paperclip or tweezers to short these two points, keep them shorted, and attach the module to USB.
You should see a device in ***EDL Mode*** in *Device Manager* (Windows) or in the output of `lsusb` (Linux):
- For Windows users, you will have this COM port:

[image: Qualcomm EDL COM]

- For Linux users, you will have this output:
```
Bus 004 Device 032: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
```

Remove the paperclip/tweezers and use **QFIL** or **edl** to flash the firmware back into the module.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# The specifications of the internal **MF289F/F1** module are as follows:

The [MF289F](https://ztedevices.com/en-gl/mf289f/) router is a 4G indoor unit produced by ZTE that has an internal LTE modem with these specs:

- Network support: 4G LTE Networks TDD/FDD + WCDMA
- Chipset: Qualcomm SDX24 Platform
- CPU: 1x Cortex A7 up to 1.4GHz
- RAM: 256MB
- NAND: 512MB
- 4G LTE Cat: 20 downlink & 13 uplink
- 4G LTE Speed: 2Gbit downlink & 316Mbit uplink
- Connectivity:
  - USB over MiniPCIe Header, operates in two modes:
    - Normal mode with QMI+DIAG+ADB+NMEA
    - Mode with only DIAG+NMEA+AT
  - Flashing requires an adapter for your PC, such as [this one](https://www.amazon.it/wireless-scheda-adattatore-modulo-testing/dp/B00YAOL4NE/ref=sr_1_3?__mk_it_IT=%C3%85M%C3%85%C5%BD%C3%95%C3%91&crid=JRM39EDJSU8Z&keywords=mini+pcie+to+usb+sim&qid=1704221380&sprefix=minipcie+to+usb+sim%2Caps%2C105&sr=8-3).
  - When the module is on its router board, the bus speed is 3.0; on the adapter, it operates at 2.0.


# Useful Stuff

- [Software Revision](swver.md)
- [Partition & Filesystem Info](fs.md)
- [LTE Combos](cacombo.md)
- [Play with EDL tools and partitions](edl.md)
- [Enter 'Emergency Download Mode' (EDL) if your module is bricked](enter_edl_brick.md)
- [Recovery module that is hard-bricked - WINDOWS ONLY](recovery_brick_windows.md)
- [Swap Firmware on the module](swap_firmware.md)
- [Enable VoLTE for a Provider that is not supported](enable_volte.md)

⚠️ Certain links in this repo will lead to other repositories which are not under my control.
You accept that I have no control over, and accept no liability in respect of, materials, products or services available externally of this repo. ⚠️

Any help is really appreciated, feel free to open a PR to fix or add information 😊

--------------------------------------------------------------------------------
/swver.md:
--------------------------------------------------------------------------------
# SW Revisions (Currently Known)

| SW Revision | HW Revision | Description | Support VoLTE |
|-------------|-------------|-------------|---------------|
| VDF_IT_MF289FMODV1.0.0B07 (Build Date: 2021-07-16) | A.T1 | The first hardware version sold in Italy, supporting both VoLTE/VoIP by changing parameters inside the module and in the `EFS` partition. | ❌ (Not OOB) |
| VDF_IT_MF289F1MODV1.0.0B02 (Build Date: 2021-07-16) | A.T2 | The second hardware version sold in Italy, supporting only VoIP. It requires changing the `config` to enable the RJ-11 port when in `VOICE` mode. | ❌ (Not OOB) |
| VDF_DE_MF289F1MODV1.0.0B05 (Build Date: 2022-05-11) | A.T2 | The only known hardware revision sold as "GigaCube" in Germany. It supports VoLTE/VoIP by changing parameters inside the module and also supports B20 aggregation OOB. | ✅ |
| TMO_PL_MF289F1MODV1.0.0B03 (Build Date: 2021-10-14) | A.T2 | The only known hardware revision sold in Poland, supporting both VoLTE/VoIP by changing parameters inside the module and in the `EFS` partition. | ❌ (Not OOB) |
| DNA_FI_MF289F1MODV1.0.0B11 (Build Date: 2022-05-25) | A.T2 | The only known hardware revision sold in Finland by DNA; voice seems disabled in the EFS. | ❌ (Not OOB) |


The Italian revision doesn't support B20 aggregation; you have to remove a prune file from the EFS.
You can refer to this [link](https://forum.fibra.click/d/32421-zte-mf289f-vodafone-fwa-sblocco-aggregazione-b20-su-modello-vfit) for instructions (sorry, it's in Italian).

All other variants can be found on the [ZTE ECCN](https://www.zte.com.cn/global/about/eccn.html) site.

--------------------------------------------------------------------------------
/data_efs_per_VoLTE/default_andsf.xml:
--------------------------------------------------------------------------------
Default Profile

internet

1
1

1

ims

3
1

1
2

1
1

hos

3
1

1
2

1

0
12344
0

--------------------------------------------------------------------------------
/swap_firmware.md:
--------------------------------------------------------------------------------
# Swap firmware using Fastboot

## ⚠️ **READ CAREFULLY!** ⚠️
## The files you are downloading are not under my control. You accept the risk of using them. If your device or module were to break or even catch fire, I do not hold any responsibility in any way. Therefore, proceed at your own risk!

⚠️ Make sure to have a good backup of your QCN before proceeding! ⚠️

**Prerequisite**: Ensure that you have the adb and fastboot tools installed on your system.
If you are using Windows OS, also download the `Google USB Drivers` from [here](https://developer.android.com/studio/run/win-usb)

Download the desired software version, including a dummy QCN file and the `config` file, from this [MEGA folder](https://mega.nz/folder/KlhwlR5C#K0q2i7tdBYPFvdSESDUrPQ)

## If you want to change firmware on your module (not hard-bricked) follow these steps:

- Enter the module shell using `adb shell`
- Type the command `flash_erase /dev/mtd16 0 0` - this will erase the boot partition and force the module to boot directly into ***FASTBOOT Mode***
- Reboot it using the command `reboot`

After a few seconds, it should appear as `Android ADB`. On Windows, it may not be recognized out of the box. Point to the folder where you extracted `Google USB Drivers` and select `Android Composite ADB Interface`.

Check if the device is recognized by running the command `fastboot devices`. If it is recognized, proceed.

Now navigate to the folder where you downloaded the firmware (use `CMD` prompt on Windows or Terminal on *\*NIX OS*) and run the following commands:

## Erase partitions

```
fastboot erase ZTERW
fastboot erase uefi
fastboot erase system
fastboot erase modem
```

## Write new firmware

```
fastboot flash uefi uefi.elf
fastboot flash modem NON-HLOS.ubi
fastboot flash boot sdxpoorwills-boot.img
fastboot flash system sdxpoorwills-sysfs.ubi
```

## Reboot module
`fastboot reboot`

If everything went fine, the module should run with the new firmware.

## Optional step, replace `config` file to match the firmware

After swapping the firmware, using `EFS Explorer`, replace the `config` file in the EFS root with the one corresponding to the firmware you are running.
This will update the exposed version in `ATI` commands and, in some cases, enable RJ-11 ports on modules that support only `VoIP Mode`.

--------------------------------------------------------------------------------
/enable_volte.md:
--------------------------------------------------------------------------------
# Enable VoLTE for a Provider that is not supported

You can enable VoLTE (Voice over LTE) on this module for providers that are not supported OOB by adding certain files to the EFS and running specific AT commands.

Prerequisites: This has been tested only with the `dummy_IMEI_vfde.qcn` QCN file and the **T-Mobile\Vodafone DE AT.2** `config` file, which enables the `RJ-11` port even when in `VOICE` mode. Therefore, before starting, you need to erase your EFS and follow all the necessary steps, as outlined in the [recovery guide](https://github.com/stich86/ZTE-MF289F-Recovery/blob/main/recovery_brick_windows.md#restore-module-configuration-efs-and-nv-items), and check if your SIM card has VoLTE enabled (ask your telco provider).

If the module is in `VOIP` mode, just change it by issuing these commands over an `adb` session:

```
adb shell
cfg set voice_work_type=VOICE
cfg save
```

If it reverts back to `VOIP` mode after a reboot, update `custom_parameter` using these commands:

```
adb shell
mount -o remount,rw /usr/zte_web
sed -i 's/VOIP/VOICE/g' /usr/zte_web/web/copy/custom_parameter
```

Once you have successfully uploaded the EFS configuration, attach the module to Windows and open `EFS Explorer`.
Copy the contents of the [`data_efs_per_VoLTE` folder](https://github.com/stich86/ZTE-MF289F-Recovery/tree/main/data_efs_per_VoLTE) into the `/data` folder of the EFS.

--- PUT IMAGE ---

Open TeraTerm and connect to the `NMEA` port, then run these commands:

```
AT+CGDCONT=2,"IPV4V6","ims"
AT+CGDCONT=3,"IPV4V6","sos"
AT$QCPDPIMSCFGE=2,1
AT$QCPDPIMSCFGE=3,1
```

Verify that the APN and IMS configurations have been successfully applied by executing the following commands and checking the corresponding output:

**APN**
```
AT+CGDCONT?
+CGDCONT: 1,"IPV4V6","","0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0",0,0,0,0
+CGDCONT: 2,"IPV4V6","ims","0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0",0,0,0,0
+CGDCONT: 3,"IPV4V6","sos","0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0",0,0,0,0

OK
```

**IMS Configuration** (note the "1" after APN ID)
```
AT$QCPDPIMSCFGE?
$QCPDPIMSCFGE: 1 , 0 , 0 , 0
$QCPDPIMSCFGE: 2 , 1 , 0 , 0
$QCPDPIMSCFGE: 3 , 1 , 0 , 0

OK
```

Restart the module with the usual AT command `AT+CFUN=1,1`

When the module is back online, reopen TeraTerm on the `NMEA` port and check if the `IMS APN` is connected and has an assigned IP using the following command:

```
AT+CGCONTRDP
+CGCONTRDP: 2,5,ims,10.76.206.157,,,,10.178.76.2,10.178.77.194

OK
```

Now you can try to make/receive a call and check if the modem is still on 4G using the usual OpenWRT tools such as the excellent [3ginfo-lite](https://github.com/4IceG/luci-app-3ginfo-lite) by @4IceG

Here is a recap table with all the tests conducted by me and other individuals using this module.
If you achieve success with another ISP, please feel free to open a pull request (PR) and add it:

| ISP | VoLTE Working | SW Version |
|-----|---------------|------------|
| TIM (IT) and relative MVNO | ✅ ⁽¹⁾ | VDF_IT_MF289FMODV1.0.0B07<br>VDF_DE_MF289F1MODV1.0.0B05 |
| Vodafone (IT) and relative MVNO | ✅ ⁽²⁾ | VDF_IT_MF289FMODV1.0.0B07<br>VDF_DE_MF289F1MODV1.0.0B05<br>TMO_PL_MF289F1MODV1.0.0B03 |
| Wind (IT) and relative MVNO | ✅ ⁽²⁾ | VDF_IT_MF289FMODV1.0.0B07<br>VDF_DE_MF289F1MODV1.0.0B05<br>TMO_PL_MF289F1MODV1.0.0B03 |
| Iliad (IT) | ❌ ⁽³⁾ | VDF_IT_MF289FMODV1.0.0B07<br>VDF_DE_MF289F1MODV1.0.0B05<br>TMO_PL_MF289F1MODV1.0.0B03 |
| Plus (PL) | ✅ ⁽²⁾ | VDF_DE_MF289F1MODV1.0.0B05 |
| Play (PL) | ✅ ⁽²⁾ | VDF_DE_MF289F1MODV1.0.0B05 |
| T-Mobile (PL) | ✅ ⁽²⁾ | VDF_DE_MF289F1MODV1.0.0B05 |
| Cosmote (GR) | ✅ ⁽²⁾ | VDF_IT_MF289FV1.0.0B07 |


⁽¹⁾ Working OOB<br>
⁽²⁾ You need to implement this working procedure to enable VoLTE<br>
⁽³⁾ They don't support VoLTE, and the 2G fall-back isn't working either

--------------------------------------------------------------------------------
/fs.md:
--------------------------------------------------------------------------------
# Partition Layout & Filesystem Information

Below is the partition layout along with filesystem information for the MF289F module:

| Dev    | Size     | Erase Size | Name          |
|--------|----------|------------|---------------|
| mtd0   | 00280000 | 00040000   | "sbl"         |
| mtd1   | 00280000 | 00040000   | "mibib"       |
| mtd2   | 00b00000 | 00040000   | "efs2"        |
| mtd3   | 00600000 | 00040000   | "efs2bak"     |
| mtd4   | 001c0000 | 00040000   | "tz"          |
| mtd5   | 00100000 | 00040000   | "tz_devcfg"   |
| mtd6   | 00180000 | 00040000   | "ddr"         |
| mtd7   | 00100000 | 00040000   | "apdp"        |
| mtd8   | 00100000 | 00040000   | "xbl_config"  |
| mtd9   | 00100000 | 00040000   | "multi_image" |
| mtd10  | 00100000 | 00040000   | "aop"         |
| mtd11  | 00100000 | 00040000   | "qhee"        |
| mtd12  | 00100000 | 00040000   | "abl"         |
| mtd13  | 00280000 | 00040000   | "uefi"        |
| mtd14  | 00180000 | 00040000   | "toolsfv"     |
| mtd15  | 00180000 | 00040000   | "loader_sti"  |
| mtd16  | 00b40000 | 00040000   | "boot"        |
| mtd17  | 00100000 | 00040000   | "scrub"       |
| mtd18  | 04b40000 | 00040000   | "modem"       |
| mtd19  | 001c0000 | 00040000   | "misc"        |
| mtd20  | 00180000 | 00040000   | "devinfo"     |
| mtd21  | 00d00000 | 00040000   | "recovery"    |
| mtd22  | 001c0000 | 00040000   | "fota"        |
| mtd23  | 03000000 | 00040000   | "recoveryfs"  |
| mtd24  | 00100000 | 00040000   | "sec"         |
| mtd25  | 00a00000 | 00040000   | "ztefile"     |
| mtd26  | 09600000 | 00040000   | "zterw"       |
| mtd27  | 0a1c0000 | 00040000   | "system"      |


The most important partitions that usually need to be swapped between different firmwares are: **efs2, uefi, modem, boot, and system**:

| Partition Name | Description |
|----------------|-------------|
| **efs2** | Contains all baseband configurations (IMEI, BB settings, etc.). Be careful and make a backup of the whole partition as a QCN file using the Qualcomm tool (QPST). |
| **uefi** | Contains the [RexOS](https://en.wikipedia.org/wiki/REX_OS) system that is loaded by the baseband. It will read all DSP firmwares from the modem partition (AKA NON-HLOS) to initialize all radio-related functions. |
| **modem** | Contains all DSP firmwares loaded by UEFI. |
| **boot** | It's the Linux Kernel used by the AP processor to load embedded drivers and start everything from Root FS. |
| **zterw** | Used by Root FS to store all settings that should be persistent across reboots. When you factory reset the module, either using the physical or WebUI button, the volumes inside this **UBI** will be formatted. |
| **system** | It's the Linux Root FS where all binaries are stored and run at boot after kernel startup. |

**system** and **modem** partitions are created using **UBIFS** on top of a **UBI** image layout. Both can be accessed in read-write mode using ADB, so changes on the filesystem are possible.

**system** contains 2 volumes:

| Volume Name | Description |
|-------------|-------------|
| **rootfs** | Contains all Linux and ZTE executables; it can be modified to add sshd/telnetd and other tools. |
| **zte_data** | Contains the EFS default configuration used after the device has been reset, and the default AND custom parameters used by ZTE binaries, like enabled bands or APNs. |

These two volumes can be extracted using [ubireader](https://github.com/onekey-sec/ubi_reader).

If you want to dig into it, please refer to [my ZTE MC7010 instructions](https://github.com/stich86/ZTE-MC7010/blob/main/fs.md) on how to repack sysfs and modem.

--------------------------------------------------------------------------------
/recovery_brick_windows.md:
--------------------------------------------------------------------------------
# Recover the module from a hard brick (Windows only)


## ⚠️ READ CAREFULLY! ⚠️
## The files you are downloading are not under my control. You accept the risk of using them. If your device or module were to break or even catch fire, I do not hold any responsibility in any way. Therefore, proceed at your own risk!

⚠️ Download and install [these](https://mega.nz/file/ao5TXRiC#Wmbf1dqILKKxXf_uPVHFzIksWK_HdSwvLmI3hGIBTb0) drivers, [QPST](https://qpsttool.com/qpst-tool-v2-7-496) and [TeraTerm](https://github.com/TeraTermProject/teraterm/releases/tag/v5.1) before connecting the module to your PC.
Be sure to have your module in ***EDL Mode*** before going ahead.
If you cannot enter it using `adb`, follow the instructions to use the [EDL short points](https://github.com/stich86/ZTE-MF289F-Recovery/blob/main/enter_edl_brick.md) ⚠️


Download the `base QFIL package` from [here](https://mega.nz/folder/q5xl0RCJ#DX-kzPZ3SzQBxm-Q5D1e9w) and the software version you want to run (which also includes a dummy QCN file and the `config` file) from this [MEGA folder](https://mega.nz/folder/KlhwlR5C#K0q2i7tdBYPFvdSESDUrPQ)

After you have chosen which software version to run, move the following files into the same folder as the `base QFIL package`:

```
NON-HLOS.ubi
sdxpoorwills-boot.img
sdxpoorwills-sysfs.ubi
uefi.elf
```

Now click on the `flash.cmd` file and enter the `9008` COM port (just the number). Wait until the module is flashed; when the process completes, the module will be rebooted.

If everything went fine, your module should appear in the **Device Manager** in `3 TTY` mode (Modem Port, Diagnostic Port, NMEA Port) like this screen:

[image: COM state after first restore]

## Restore module configuration (EFS and NV items)

Now it's time to restore the EFS partition using the `dummy_IMEI_vfde.qcn` file. This QCN contains a **zeroed IMEI**; please refer to [EFS Professional](https://xdaforums.com/t/tool-updated-29-12-14-efs-professional-v2-1-80b-also-for-non-samsung-devices.1308546/) on how to load and modify it. I will not give you instructions on how to do it, sorry :-)

When your QCN is filled with your own IMEI, launch the `Software Download` program, click on the `Restore` tab, load your QCN (select `QCN NV Memory Files` and not the XML one) and restore it. When the process terminates, the module will be rebooted.

[image: Select Tab Restore and QCN]

[image: Restore it]

After the module is back online, run `EFS Explorer` and copy the `config` file into the EFS root:

[image]

[image]

Open TeraTerm and connect to the `NMEA` port, then run these commands to put the modem back into `4 TTY + QMI` mode:

[image]

```
AT+ZCDRUN=8
AT+ZCDRUN=F
AT+ZSNT=6,0,0
AT+CFUN=1,1
```

[image]

After this last reboot, in less than two minutes the module should be back in `4 TTY + QMI` mode. From now on you can access it again with `adb`.

In case the device is not automatically recognized, select these entries and install the relevant drivers using the option **"Let me pick from a list of available device drivers on my computer"**, select **"All Devices"** and then **"Ports (COM & LPT)"** (pay attention to the instance path!):

## ⚠️ This composition is for VF-DE Firmware ⚠️

[image]
[image]
[image]
[image]

**DIAG PORT** (instance 0000)

[image]
[image]

**NMEA PORT** (instance 0001)

[image]
[image]

Check if `config` and IMEI were written correctly by launching TeraTerm again, connecting to the `NMEA` port and issuing the `ATI` command:

[image: Restored :-)]

That's it!

--------------------------------------------------------------------------------
/edl.md:
--------------------------------------------------------------------------------
# Steps to put module in EDL Mode (on Linux) and play with partitions

Before starting, be sure you have [Bjoern Kerler's EDL tools](https://github.com/bkerler/edl) and sg3-utils already installed on your machine.

Please use this [prog_firehose.mbn](https://mega.nz/file/6g5nQSDD#mr1E2x2sG2sMmNuRYVa1kisY6ZQ1XYG-xKSpwgBHHkg) as loader to interact with the module.

⚠️ All commands must be run as ***root*** to avoid any issues with permissions ⚠️

Connect the module to your PC using an mPCIe-to-USB adapter. You should then see the module in the output of `adb devices`:

```
List of devices attached
P685M135MZTED000000 device
```

Then type `adb reboot edl` to put it in ***EDL mode***.

Use `lsusb` to check that the following entry is available:

```
lsusb | grep 9008
Bus 004 Device 032: ID 05c6:9008 Qualcomm, Inc. Gobi Wireless Modem (QDL mode)
```

If everything worked, the module is now in ***EDL mode*** :-)

# Let's play with the edl tools

With the module in ***EDL mode***, edl commands can be used to check, dump, erase or write partitions.

Run this command to show the current layout of the firmware's partitions:

`edl printgpt --memory=NAND --loader=/path/to/prog_firehose.mbn`

Output example:

```
Qualcomm Sahara / Firehose Client V3.61 (c) B.Kerler 2018-2023.
main - Using loader prog_firehose_mf289f.mbn ...
main - Waiting for the device
main - Device detected :)
sahara - Protocol version: 2, Version supported: 1
main - Mode detected: sahara
sahara -
------------------------
HWID: 0x000960e100000000 (MSM_ID:0x000960e1,OEM_ID:0x0000,MODEL_ID:0x0000)
CPU detected: "SDX24"
PK_HASH: 0xd4xxxxxxxxx
Serial: 0x0xxxxxxxxxx

sahara - Protocol version: 2, Version supported: 1
sahara - Uploading loader prog_firehose_mf289f.mbn ...
sahara - 32-Bit mode detected.
sahara - Firehose mode detected, uploading...
sahara - Loader successfully uploaded.
main - Trying to connect to firehose loader ...
firehose_client
firehose_client - [LIB]: No --memory option set, we assume "eMMC" as default ..., if it fails, try using "--memory" with "UFS","NAND" or "spinor" instead !
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=eMMC
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose
firehose - [LIB]: Memory type eMMC doesn't seem to match (Failed to init). Trying to use NAND instead.
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=nand
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose
firehose - [LIB]: Couldn't detect MaxPayloadSizeFromTargetinBytes
firehose
firehose - [LIB]: Couldn't detect TargetName
firehose - TargetName=Unknown
firehose - MemoryName=nand
firehose - Version=1
firehose - Trying to read first storage sector...
firehose - Running configure...
firehose - Storage report:
firehose - total_blocks:2048
firehose - block_size:262144
firehose - page_size:4096
firehose - num_physical:1
firehose - manufacturer_id:44
firehose - serial_num:0
firehose - fw_version:
firehose - mem_type:NAND
firehose - prod_name:
firehose_client - Supported functions:
-----------------
firehose - Nand storage detected.
firehose - Scanning for partition table ...
Progress: |██████████| 100.0% Scanning (Sector 0x400 of 0x400, ) 0.00 MB/s
firehose - Found partition table at sector 640 :)
oneplus
oneplus - [LIB]: No module named 'qrcode'
firehose - Nand storage detected.
firehose - Scanning for partition table ...

Parsing Lun 0:
Name         Offset    Length    Attr           Flash
-------------------------------------------------------------
sbl          00000000  00280000  0xff/0x1/0x0   0
mibib        00280000  00280000  0xff/0x1/0xff  0
efs2         00500000  00B00000  0xff/0x1/0xff  0
efs2bak      01000000  00600000  0xff/0x1/0xff  0
tz           01600000  001C0000  0xff/0x1/0x0   0
tz_devcfg    017C0000  00100000  0xff/0x1/0x0   0
ddr          018C0000  00180000  0xff/0x1/0xff  0
apdp         01A40000  00100000  0xff/0x1/0x0   0
xbl_config   01B40000  00100000  0xff/0x1/0x0   0
multi_image  01C40000  00100000  0xff/0x1/0x0   0
aop          01D40000  00100000  0xff/0x1/0x0   0
qhee         01E40000  00100000  0xff/0x1/0x0   0
abl          01F40000  00100000  0xff/0x1/0x0   0
uefi         02040000  00280000  0xff/0x1/0x0   0
toolsfv      022C0000  00180000  0xff/0x1/0x0   0
loader_sti   02440000  00180000  0xff/0x1/0x0   0
boot         025C0000  00B40000  0xff/0x1/0x0   0
scrub        03100000  00100000  0xff/0x1/0x0   0
modem        03200000  04B40000  0xff/0x1/0x0   0
misc         07D40000  001C0000  0xff/0x1/0x0   0
devinfo      07F00000  00180000  0xff/0x1/0x0   0
recovery     08080000  00B00000  0xff/0x1/0x0   0
fota         08B80000  001C0000  0xff/0x1/0x0   0
recoveryfs   08D40000  03000000  0xff/0x1/0x0   0
sec          0BD40000  00100000  0xff/0x1/0x0   0
ztefile      0BE40000  00A00000  0xff/0x1/0x0   0
zterw        0C840000  09600000  0xff/0x1/0x0   0
system       15E40000  0A1C0000  0xff/0x1/0x0   0
```

## Reading, erasing and writing partitions

Each time a partition is modified using EDL, re-writing the **SBL** *(secondary boot loader)* and partition layout (used to re-calculate all CRCs) is necessary.
To do this, the commands below can be used (use the **SBL1+P-Layout** based on your QFIL package):

⚠️ **IF SBL1 AND PARTITIONS LAYOUT ARE ERASED, YOUR UNIT WILL ALWAYS BOOT IN EDL MODE** ⚠️

Erase SBL1+Partition-Layout using these commands:
```
edl es 0 639 --memory=NAND --sectorsize=4096 --loader=/path/to/prog_firehose.mbn
edl es 640 1279 --memory=NAND --sectorsize=4096 --loader=/path/to/prog_firehose.mbn
```

Write back SBL1+Partition-Layout using these commands:
```
edl ws 640 partition_complete_p4K_b256K.mbn --memory=NAND --sectorsize=4096 --loader=/path/to/prog_firehose.mbn
edl ws 0 sbl1.mbn --memory=NAND --sectorsize=4096 --loader=/path/to/prog_firehose.mbn
```

Read a single partition using this command:
```
edl r system test_system.bin --memory=NAND --loader=/path/to/prog_firehose.mbn
```

Erase a single partition using this command:
```
edl e system --memory=NAND --loader=/path/to/prog_firehose.mbn
```

Write a single partition using this command:
```
edl w system system.bin --memory=NAND --loader=/path/to/prog_firehose.mbn
```

Make a backup of the partitions using these commands:
```
mkdir dump_dir
edl rl dump_dir --memory=NAND --loader=/path/to/prog_firehose.mbn
```
These files cannot be written back as-is; they need to be refactored.
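
The sector numbers in the `edl es 0 639` and `edl es 640 1279` commands above follow from the partition table and the 4096-byte sector size. The Python script below is an added example, not part of this repository: it parses rows in the `printgpt` table format, derives the sector range of each partition, and checks erase-block alignment, overlap and flash bounds before anything destructive is run. `SAMPLE_TABLE` is constructed from rows shown on this page, and all function names are hypothetical.

```python
import re

# Constructed sample: rows copied from the printgpt output shown on this page.
SAMPLE_TABLE = """\
sbl     00000000 00280000 0xff/0x1/0x0  0
mibib   00280000 00280000 0xff/0x1/0xff 0
efs2    00500000 00B00000 0xff/0x1/0xff 0
system  15E40000 0A1C0000 0xff/0x1/0x0  0
"""

PAGE_SIZE = 4096      # page_size in the storage report, used as --sectorsize
BLOCK_SIZE = 262144   # block_size in the storage report (NAND erase block)
TOTAL_BLOCKS = 2048   # total_blocks in the storage report
ROW = re.compile(r"^(\w+)\s+([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+\S+\s+\d+$")

def parse_table(text):
    """Return [(name, offset, length)] in bytes from printgpt-style rows."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [(m[1], int(m[2], 16), int(m[3], 16)) for m in rows if m]

def sector_range(offset, length, sector_size=PAGE_SIZE):
    """Inclusive (first, last) sector numbers covering a partition."""
    if offset % sector_size or length % sector_size or length == 0:
        raise ValueError("partition is not sector-aligned")
    first = offset // sector_size
    return first, first + length // sector_size - 1

def check_layout(parts):
    """List layout problems: misaligned, overlapping or out-of-range entries."""
    problems, end_prev = [], 0
    for name, off, length in sorted(parts, key=lambda p: p[1]):
        if off % BLOCK_SIZE or length % BLOCK_SIZE:
            problems.append(f"{name}: not aligned to the erase block")
        if off < end_prev:
            problems.append(f"{name}: overlaps the previous partition")
        if off + length > TOTAL_BLOCKS * BLOCK_SIZE:
            problems.append(f"{name}: extends past the end of the flash")
        end_prev = max(end_prev, off + length)
    return problems

def erase_plan(text, names):
    """Map each named partition to the sector range an `es` call would cover."""
    table = {n: (o, l) for n, o, l in parse_table(text)}
    return {n: sector_range(*table[n]) for n in names}

if __name__ == "__main__":
    for name, (first, last) in erase_plan(SAMPLE_TABLE, ["sbl", "mibib"]).items():
        print(f"{name}: sectors {first}-{last}")
```
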

Reset the unit, making it boot back into normal mode, using this command:
```
edl reset --resetmode=reset --loader=/path/to/prog_firehose.mbn
```

If the unit is stuck in DIAG mode (3 TTY), open an AT session on the relevant port (usually `/dev/ttyUSB1` or `/dev/ttyUSB2`) and type:
```
AT+ZCDRUN=8
AT+ZCDRUN=F
AT+CFUN=1,1
```

# Force module to boot in FASTBOOT

Use these commands to erase the `boot` partition and make the module boot into ***fastboot*** mode:

```
edl e boot --memory=NAND --loader=/path/to/prog_firehose.mbn
edl reset --resetmode=reset --loader=/path/to/prog_firehose.mbn
```

After you have erased the ***boot*** partition, you can erase and write partitions with **fastboot** and avoid rewriting **SBL1** each time.
--------------------------------------------------------------------------------