FX2000 INFO & HACKING THREAD
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
FX2000 INFO & HACKING THREAD
FX2000 / FX2000-3
This is the downsized version of the fg2000 is a lot easier to work on than the fg, for one it does not need to be disassembled to find bootloader/fastboot mode,.
I have 2 of these both are the fx2000-3 variant so all the info below in this post is based on that model.
I was able to make full firmware for all parts without taking it apart.
it is similar to other Inseego / Novatel devices as far as
root pass, IMEI, MEID, ESN, TTL, FID etc.
it is also similar in that it is Linux/android based on one side and the other is a triple-layered stack of ubi over ubifs over mtd filesystem, other recent Inseego devices are the same.
Below is some of the pertinent ubi info
UBI version: 1
Count of UBI devices: 2
UBI control device major/minor: 10:54
Present UBI devices: ubi0, ubi1
ubi0
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 1096 (278331392 bytes, 265.4 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 80
Current maximum erase counter value: 9
Minimum input/output unit size: 4096 bytes
Character device major/minor: 504:0
Present volumes: 0
Volume ID: 0 (on ubi0)
Type: dynamic
Alignment: 1
Size: 1012 LEBs (256999424 bytes, 245.1 MiB)
State: OK
Name: rootfs
Character device major/minor: 504:1
===================================
ubi1
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 429 (108945408 bytes, 103.9 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 80
Current maximum erase counter value: 3
Minimum input/output unit size: 4096 bytes
Character device major/minor: 503:0
Present volumes: 0
Volume ID: 0 (on ubi1)
Type: dynamic
Alignment: 1
Size: 345 LEBs (87613440 bytes, 83.6 MiB)
State: OK
Name: modem
Character device major/minor: 503:1
/ #
It is a 26 partitioned based system layout
dev: size erasesize name
mtd0: 00280000 00040000 "sbl"
mtd1: 00280000 00040000 "mibib"
mtd2: 01500000 00040000 "efs2"
mtd3: 001c0000 00040000 "tz"
mtd4: 00100000 00040000 "tz_devcfg"
mtd5: 00180000 00040000 "ddr"
mtd6: 00100000 00040000 "apdp"
mtd7: 00100000 00040000 "xbl_config"
mtd8: 00100000 00040000 "multi_image"
mtd9: 00100000 00040000 "aop"
mtd10: 00100000 00040000 "qhee"
mtd11: 00100000 00040000 "abl"
mtd12: 00280000 00040000 "uefi"
mtd13: 00180000 00040000 "toolsfv"
mtd14: 00180000 00040000 "loader_sti"
mtd15: 00d00000 00040000 "boot"
mtd16: 00100000 00040000 "scrub"
mtd17: 06b40000 00040000 "modem"
mtd18: 001c0000 00040000 "misc"
mtd19: 00180000 00040000 "devinfo"
mtd20: 01900000 00040000 "recovery"
mtd21: 001c0000 00040000 "fota"
mtd22: 02b00000 00040000 "recoveryfs"
mtd23: 00100000 00040000 "sec"
mtd24: 00100000 00040000 "fotacookie"
mtd25: 11200000 00040000 "system"
and from the /dev view
major minor #blocks name
1 0 4096 ram0
1 1 4096 ram1
1 2 4096 ram2
1 3 4096 ram3
1 4 4096 ram4
1 5 4096 ram5
1 6 4096 ram6
1 7 4096 ram7
1 8 4096 ram8
1 9 4096 ram9
1 10 4096 ram10
1 11 4096 ram11
1 12 4096 ram12
1 13 4096 ram13
1 14 4096 ram14
1 15 4096 ram15
31 0 2560 mtdblock0
31 1 2560 mtdblock1
31 2 21504 mtdblock2
31 3 1792 mtdblock3
31 4 1024 mtdblock4
31 5 1536 mtdblock5
31 6 1024 mtdblock6
31 7 1024 mtdblock7
31 8 1024 mtdblock8
31 9 1024 mtdblock9
31 10 1024 mtdblock10
31 11 1024 mtdblock11
31 12 2560 mtdblock12
31 13 1536 mtdblock13
31 14 1536 mtdblock14
31 15 13312 mtdblock15
31 16 1024 mtdblock16
31 17 109824 mtdblock17
31 18 1792 mtdblock18
31 19 1536 mtdblock19
31 20 25600 mtdblock20
31 21 1792 mtdblock21
31 22 44032 mtdblock22
31 23 1024 mtdblock23
31 24 1024 mtdblock24
31 25 280576 mtdblock25
for me, it works well on Verizon AT&T and Tmobile with the proper adjustments/magic
I am hoping someone else has the fx2000 variant and will post similar info for that variant for comparison in this thread.
This is the downsized version of the fg2000 is a lot easier to work on than the fg, for one it does not need to be disassembled to find bootloader/fastboot mode,.
I have 2 of these both are the fx2000-3 variant so all the info below in this post is based on that model.
I was able to make full firmware for all parts without taking it apart.
it is similar to other Inseego / Novatel devices as far as
root pass, IMEI, MEID, ESN, TTL, FID etc.
it is also similar in that it is Linux/android based on one side and the other is a triple-layered stack of ubi over ubifs over mtd filesystem, other recent Inseego devices are the same.
Below is some of the pertinent ubi info
UBI version: 1
Count of UBI devices: 2
UBI control device major/minor: 10:54
Present UBI devices: ubi0, ubi1
ubi0
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 1096 (278331392 bytes, 265.4 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 80
Current maximum erase counter value: 9
Minimum input/output unit size: 4096 bytes
Character device major/minor: 504:0
Present volumes: 0
Volume ID: 0 (on ubi0)
Type: dynamic
Alignment: 1
Size: 1012 LEBs (256999424 bytes, 245.1 MiB)
State: OK
Name: rootfs
Character device major/minor: 504:1
===================================
ubi1
Volumes count: 1
Logical eraseblock size: 253952 bytes, 248.0 KiB
Total amount of logical eraseblocks: 429 (108945408 bytes, 103.9 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 80
Current maximum erase counter value: 3
Minimum input/output unit size: 4096 bytes
Character device major/minor: 503:0
Present volumes: 0
Volume ID: 0 (on ubi1)
Type: dynamic
Alignment: 1
Size: 345 LEBs (87613440 bytes, 83.6 MiB)
State: OK
Name: modem
Character device major/minor: 503:1
/ #
It is a 26 partitioned based system layout
dev: size erasesize name
mtd0: 00280000 00040000 "sbl"
mtd1: 00280000 00040000 "mibib"
mtd2: 01500000 00040000 "efs2"
mtd3: 001c0000 00040000 "tz"
mtd4: 00100000 00040000 "tz_devcfg"
mtd5: 00180000 00040000 "ddr"
mtd6: 00100000 00040000 "apdp"
mtd7: 00100000 00040000 "xbl_config"
mtd8: 00100000 00040000 "multi_image"
mtd9: 00100000 00040000 "aop"
mtd10: 00100000 00040000 "qhee"
mtd11: 00100000 00040000 "abl"
mtd12: 00280000 00040000 "uefi"
mtd13: 00180000 00040000 "toolsfv"
mtd14: 00180000 00040000 "loader_sti"
mtd15: 00d00000 00040000 "boot"
mtd16: 00100000 00040000 "scrub"
mtd17: 06b40000 00040000 "modem"
mtd18: 001c0000 00040000 "misc"
mtd19: 00180000 00040000 "devinfo"
mtd20: 01900000 00040000 "recovery"
mtd21: 001c0000 00040000 "fota"
mtd22: 02b00000 00040000 "recoveryfs"
mtd23: 00100000 00040000 "sec"
mtd24: 00100000 00040000 "fotacookie"
mtd25: 11200000 00040000 "system"
and from the /dev view
major minor #blocks name
1 0 4096 ram0
1 1 4096 ram1
1 2 4096 ram2
1 3 4096 ram3
1 4 4096 ram4
1 5 4096 ram5
1 6 4096 ram6
1 7 4096 ram7
1 8 4096 ram8
1 9 4096 ram9
1 10 4096 ram10
1 11 4096 ram11
1 12 4096 ram12
1 13 4096 ram13
1 14 4096 ram14
1 15 4096 ram15
31 0 2560 mtdblock0
31 1 2560 mtdblock1
31 2 21504 mtdblock2
31 3 1792 mtdblock3
31 4 1024 mtdblock4
31 5 1536 mtdblock5
31 6 1024 mtdblock6
31 7 1024 mtdblock7
31 8 1024 mtdblock8
31 9 1024 mtdblock9
31 10 1024 mtdblock10
31 11 1024 mtdblock11
31 12 2560 mtdblock12
31 13 1536 mtdblock13
31 14 1536 mtdblock14
31 15 13312 mtdblock15
31 16 1024 mtdblock16
31 17 109824 mtdblock17
31 18 1792 mtdblock18
31 19 1536 mtdblock19
31 20 25600 mtdblock20
31 21 1792 mtdblock21
31 22 44032 mtdblock22
31 23 1024 mtdblock23
31 24 1024 mtdblock24
31 25 280576 mtdblock25
for me, it works well on Verizon AT&T and Tmobile with the proper adjustments/magic
I am hoping someone else has the fx2000 variant and will post similar info for that variant for comparison in this thread.
-
- Posts: 5
- Joined: Wed Jun 07, 2023 12:08 am
- Has thanked: 1 time
- Been thanked: 0
Re: FX2000 INFO & HACKING THREAD
anyway to repair imei on this would like to use on att and band lock?
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
Yes it is possible but you have to enable the ports first so further work can be done to it, I did it by making modified firmware
with the ports enabled on it, maybe you can find an easier way or do the same
with the ports enabled on it, maybe you can find an easier way or do the same
-
- Posts: 5
- Joined: Wed Jun 07, 2023 12:08 am
- Has thanked: 1 time
- Been thanked: 0
Re: FX2000 INFO & HACKING THREAD
Ok what is all involved with that could i use your firmware or could you mod mine?
Re: FX2000 INFO & HACKING THREAD
greetings and salutations great ones
I come with n00b questions from an old bricker/breaker.
So these new cell devices are adb accessible? I'm seeing that more and more. It just blows my mind (not that it takes much but I was screwin with basebands on the original moto's)
I haven't tried going into debug with my inseego yet. Before I do are there any words of caution you more experienced folks could give? Does debug normally come on by default or will I need to use something like a modern buspirate to try to get some uboot action?
any firmwares I can binwalk out there at all would be appreciated. my model is a TMobile. I would love to dump the partitions using fastboot or whatever .. but probably wouldn't we all? ROFL. It can't be that easy off the rip can it?
Thanks and respect to those with knowledge/skills and any inclination to share.
ph0d
I come with n00b questions from an old bricker/breaker.
So these new cell devices are adb accessible? I'm seeing that more and more. It just blows my mind (not that it takes much but I was screwin with basebands on the original moto's)
I haven't tried going into debug with my inseego yet. Before I do are there any words of caution you more experienced folks could give? Does debug normally come on by default or will I need to use something like a modern buspirate to try to get some uboot action?
any firmwares I can binwalk out there at all would be appreciated. my model is a TMobile. I would love to dump the partitions using fastboot or whatever .. but probably wouldn't we all? ROFL. It can't be that easy off the rip can it?
Thanks and respect to those with knowledge/skills and any inclination to share.
ph0d
Re: FX2000 INFO & HACKING THREAD
I'm a noob to this forum, but this is the only place I've been able to find info on this device. I got a used FX2000 for a good deal, and was wondering if it was possible to change the IMEI and how to do that.
Re: FX2000 INFO & HACKING THREAD
Hi , I have two dead inseego FX2000 .Rich Hathaway wrote: Tue May 30, 2023 2:25 pm
I was able to make full firmware for all parts without taking it apart.
First after plug power only red light turn on ,and it is in this mode forever .
Seccond after 10s red light turn off , and on USB device 05c6:900e Qualcomm, Inc. QUSB_BULK_SN apear , with is in some way download mode.
Do you have a working loader for that devices ? And maybe you know ,how to make first device to download mode ?
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
But fastboot don't see any device ...Rich Hathaway wrote: Sat Apr 20, 2024 10:19 am you need to load from bootloader (fastboot) not from download mode
Also i cant change the driver , in Windows it is detect it as Qualcoom HS-USB Diagnostics 900E (COM7) , and can replace it as Google USB ( as i know devices with this driver is detected via fastboot).
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
900E is download mode, not bootloader.
fastboot mode on these is hold reset button pop in battery keep holding reset and plug in usb and keep holding reset for 5 seconds or until your pc dings then will be in fastboot mode.
fastboot mode on these is hold reset button pop in battery keep holding reset and plug in usb and keep holding reset for 5 seconds or until your pc dings then will be in fastboot mode.
Re: FX2000 INFO & HACKING THREAD
FX2000 don't have battery , but i understand that 12V power will do the same...
However this gives nothing , first device still apear as 900E , and second not apear in usb at all....
However this gives nothing , first device still apear as 900E , and second not apear in usb at all....
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
Oh ya my bad this one just hold reset and plug in power while usb is connected and hold for 5 seconds after that,
sorry I have been in sierra threads today and was thinking sierra not inseego lol.
If you still only get 900E it means the boot part is borked and you will need to use a testpoint or need a working loader to load it from 9008 mode
sorry I have been in sierra threads today and was thinking sierra not inseego lol.
If you still only get 900E it means the boot part is borked and you will need to use a testpoint or need a working loader to load it from 9008 mode
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
I have factory loader but it is not working, there is no known working loader for this device leaked or patched yet.
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
That depends on what you mean by edl, edl to me means the mode (emergency download mode which is 9008)
if you mean edl as in BK's tools then I do not know I dont use BK's edl tools except for the keygen.
if you mean edl as in BK's tools then I do not know I dont use BK's edl tools except for the keygen.
- Rich Hathaway
- Posts: 622
- Joined: Mon Mar 08, 2021 2:41 pm
- Has thanked: 12 times
- Been thanked: 214 times
Re: FX2000 INFO & HACKING THREAD
900E is download mode which needs the loader NPRG-SDX55 (Normal Program Mode)
9008 is emergency mode which needs the loader ENPRG-SDX55 (Emergency Program Mode)
9008 is emergency mode which needs the loader ENPRG-SDX55 (Emergency Program Mode)