[Q] How to edit Skrilax_CZ or Mioze7Ae's OpenRecovery to work on XT711?

Search This thread

telnet777

Senior Member
Feb 17, 2012
133
38
:confused:

I have a moto XT711 which is a chinese version of XT720 and still android 2.1.
Miserably, most users in china buy XT720 which is from overseas, there are no custom roms or open recovery for XT711 in chinese android phone forum.

I've found Skrilax_CZ or Mioze7Ae's OpenRecovery for XT720 and I don't know how to edit their open recovery to let it fit for XT711. And I found no big difference between Skrilax_CZ's OpenRecovery for XT720 and OpenRecovery for XT701. Who can nicely help me to do this?

Simultaneously, I'm very much puzzled by another question. The bootloader of XT720 is still locked. Why XT720 can flash third-party ROMs such as andriod 2.3.7? Does XT711 can do the same thing?

Thanks a lot in advance!
 

telnet777

Senior Member
Feb 17, 2012
133
38
I've found an explaination about bootloader as below:"Because moto locked bootloader, bootstrap is the only way to install third party recovery."

Since XT720 can install open recovery via bootstrap, XT711 can install too.
Who can nicely tell me how to change the open recovery to install it successfully?
 

Mioze7Ae

Retired Recognized Developer
Dec 27, 2010
2,153
2,053
Queen City of the West
Google Pixel 7
The very first thing to do is to make sure you have a sbf and that you can restore your phone to factory state. I have more to post later, but I don't have time at the moment. Basically, we need to figure out how to port the switch part.

Does "fastboot boot" work on XT711? If so try the fastboot recovery (but don't do anything once booted, just check if you get to the OpenRecovery menu). If that works, it should be really easy.

http://xdaforums.com/showthread.php?t=1477752

[REF] Fastboot to OpenRecovery and how to dump more partitions
 
Last edited:

telnet777

Senior Member
Feb 17, 2012
133
38
The very first thing to do is to make sure you have a sbf and that you can restore your phone to factory state. I have more to post later, but I don't have time at the moment. Basically, we need to figure out how to port the switch part.

Does "fastboot boot" work on XT711? If so try the fastboot recovery (but don't do anything once booted, just check if you get to the OpenRecovery menu). If that works, it should be really easy.

http://xdaforums.com/showthread.php?t=1477752

[REF] Fastboot to OpenRecovery and how to dump more partitions

Mioze7Ae,thank you for timely reply!
I did have a version of STOCK ROM for XT711 which is "XT711_V10.16.0_ROM" . It includes two files:
the bootloader:BL_8099_umts_sholestabletcu_refresh_Consumer_replacer.sbf
the Full Flash:RSTCU_U2_10.16.0_SIGNED_USASHLSTAB125P2XAPCNCU035.0R_HWp3_1FF.sbf

And I've tried to flash this two file to my XT711 successfully using RSD_Lite.
The bootloader version of XT711 before that is already 80.99

I don't understand some technical terms below:
The first, "and that you can restore your phone to factory state" . Does it means flash 'the Full Flash' as I did? Or just restore to factory state in setting?

The second, "port the switch part". Does it means "dump_image system /sdcard/system.img"?

The third, "fastboot boot". How to enter it? By press some button and then power on? Do you mean this command:
1) Enable USB Debugging
2) adb reboot bootloader
3) fastboot boot openrecovery-fastboot.img

The fourth, " You still need to put the relevant parts of OpenRecovery on the sdcard", which version of OpenRecovery should be put to sdcard? OpenRecovery_v1_46_STR.rar or OpenRecovery-XT720-01.zip? Anyone is ok?

The fifth,if openrecovery-fastboot.img can work on XT711, which command should be executed? And what's the meaning of reconstruct a sbf? What's the relationship between this work and editing OpenRecovery-XT720-01.zip to let it fit for XT711?
 
Last edited:
  • Like
Reactions: Mioze7Ae

telnet777

Senior Member
Feb 17, 2012
133
38
BTW, I've a friend who has upgrade XT711 to 2.3.5 with the help of a XDA's expert. But it can't reboot. There appears 'boot loader err'. They used img files of XT701 android 2.1
 

Mioze7Ae

Retired Recognized Developer
Dec 27, 2010
2,153
2,053
Queen City of the West
Google Pixel 7
Have you tried installing the XT720 OpenRecovery? What happens?

Mioze7Ae,thank you for timely reply!
I did have a version of STOCK ROM for XT711 which is "XT711_V10.16.0_ROM" . It includes two files:
the bootloader:BL_8099_umts_sholestabletcu_refresh_Consumer_replacer.sbf
the Full Flash:RSTCU_U2_10.16.0_SIGNED_USASHLSTAB125P2XAPCNCU035.0R_HWp3_1FF.sbf

And I've tried to flash this two file to my XT711 successfully using RSD_Lite.
The bootloader version of XT711 before that is already 80.99

I don't understand some technical terms below:
The first, "and that you can restore your phone to factory state" . Does it means flash 'the Full Flash' as I did? Or just restore to factory state in setting?
That's all I wanted--just to make sure you can recover your phone if it becomes unbootable.

The second, "port the switch part". Does it means "dump_image system /sdcard/system.img"?
No, there's a script called switch.sh--part of the openrecovery bootstrap that "switches" from openrecovery lite to full openrecovery from the sdcard. Part of that detects which device you're on and runs the next step. XT720 is detected as "STR". Others are "SHOLS" and "STCU". I'm trying to figure out if XT711 is already detected as "STR".

The third, "fastboot boot". How to enter it? By press some button and then power on? Do you mean this command:
1) Enable USB Debugging
2) adb reboot bootloader
3) fastboot boot openrecovery-fastboot.img
Yes. Your bootloader is newer than XT720's, it may not work.
The fourth, " You still need to put the relevant parts of OpenRecovery on the sdcard", which version of OpenRecovery should be put to sdcard? OpenRecovery_v1_46_STR.rar or OpenRecovery-XT720-01.zip? Anyone is ok?

The fifth,if openrecovery-fastboot.img can work on XT711, which command should be executed? And what's the meaning of reconstruct a sbf? What's the relationship between this work and editing OpenRecovery-XT720-01.zip to let it fit for XT711?

Ignore the dump/reconstruct stuff. I just want to know if you see the OpenRecovery menu. Don't do anything there especially on the fastboot one, it's hardcoded for XT720 partition structure (they may be the same on XT711, but I don't know).

BTW, I've a friend who has upgrade XT711 to 2.3.5 with the help of a XDA's expert. But it can't reboot. There appears 'boot loader err'. They used img files of XT701 android 2.1

I'm not too surprised by that. XT701 has disabled bootloader security and doesn't sign partitions.
 
Last edited:
  • Like
Reactions: hhcat and telnet777

telnet777

Senior Member
Feb 17, 2012
133
38
Have you tried installing the XT720 OpenRecovery? What happens?


That's all I wanted--just to make sure you can recover your phone if it becomes unbootable.


No, there's a script called switch.sh--part of the openrecovery bootstrap that "switches" from openrecovery lite to full openrecovery from the sdcard. Part of that detects which device you're on and runs the next step. XT720 is detected as "STR". Others are "SHOLS" and "STCU". I'm trying to figure out if XT711 is already detected as "STR".


Yes. Your bootloader is newer than XT720's, it may not work.


Ignore the dump/reconstruct stuff. I just want to know if you see the OpenRecovery menu. Don't do anything there especially on the fastboot one, it's hardcoded for XT720 partition structure (they may be the same on XT711, but I don't know).



I'm not too surprised by that. XT701 has disabled bootloader security and doesn't sign partitions.

hhcat had tried installing the XT720 OpenRecovery. But he failed, and I don’t know what happens because he has not mentioned and I've no XT711 in hand at the moment.

hhcat said he'll try to enter the OpenRecovery menu using the way you mentioned in these two days. I'm waiting for a good news from him.

I've three question about OpenRecovery and switch.sh

First:"STR" is a parameter transferred by updater-script when running switch.sh
Why do you say XT720 is detected as "STR"?Does the phone itself will detect it is which device when switch.sh is running?

Second:How does the OpenRecovery works? I've reviewed install_script.sh under directory orbootstrap. I don't understand why it can “hijack” boot procedure when reboot. Someone said it utilized a defect of XT720's recovery.

Third:The bootloader is not unlocked. Why can we flash custom roms such as 2.3.7 via OpenRecovery? Why bootloader not check signature?

Thank you!
 

Mioze7Ae

Retired Recognized Developer
Dec 27, 2010
2,153
2,053
Queen City of the West
Google Pixel 7
First:"STR" is a parameter transferred by updater-script when running switch.sh
Why do you say XT720 is detected as "STR"?Does the phone itself will detect it is which device when switch.sh is running?

I re-checked and you're right. I was remembering a different step where it runs "/system/persistent/orbootstrap/utils/install.%s.btsh" and the %s is detected. I think that is always install.mapphone_umts.rc. The STR is selected when you run the OpenRecovery install.sh, so it's not probed. Sorry for incorrect info.

Second:How does the OpenRecovery works? I've reviewed install_script.sh under directory orbootstrap. I don't understand why it can “hijack” boot procedure when reboot. Someone said it utilized a defect of XT720's recovery.
The hijack is done in /system/bin/sh

Basically if you look at /init.mapphone_umts.rc, very early in boot it runs a script called /init_prep_keypad.sh. init_prep_keypad.sh is a shell script that is run by /system/bin/sh (the first line of /init_prep_keypad.sh is #!/system/bin/sh, so /system/bin/sh is started to read the commands from /init_prep_keypad.sh). This is the first time during boot that anything from /system is executed (/system isn't signature checked). Skrilax_CZ's hijacked /system/bin/sh does the following things:

1. If the volume up key is down *or* /cache/.boot_to_or file is present it runs /system/persistent/orbootstrap/utils/install.mapphone_umts.btsh
2. (On my version) if volume down is pressed -- reboot to fastboot bootloader
3. Check if /system/bin/sh_hijack.sh exists, if so run that
4. Otherwise it just runs /init_prep_keypad.sh

/system/persistent/orbootstrap/utils/install.mapphone_umts.btsh defaults to "OpenRecovery Lite". If /sdcard/OpenRecovery.zip is available that is applied and it "switches" to full OpenRecovery.

/system/bin/sh_hijack.sh reconfigures the / filesystem (on XT720 and A853 usually just by copying the contents of /system/etc/rootfs) and eventually calls /system/bin/2nd-init which restarts /init. This is how we get around the signature check. The / filesystem comes from boot.img so we can't modify it. But it is read into RAM at boot and we can modify it in RAM once we have control.

The source for the hijacked sh is here:
http://gitorious.org/droid/openrecovery/blobs/master/src/bootable/open_recovery/btsh/main.c

There's a somewhat confusing description of what 2nd-init does by cvpcs here: http://cvpcs.org/blog/2011-06-14/2nd-init._what_it_is_and_how_it_works

NOTE: which binary to hijack varies by phone--some hijack mot_boot_mode, some hijack logwrapper--it all depends on what the stock boot does. On Milestone A853, Milestone XT720 and Motoroi XT720, the sh-hijack is the correct one.

I hope that makes sense, but I may be too comfortable with it.

Third:The bootloader is not unlocked. Why can we flash custom roms such as 2.3.7 via OpenRecovery? Why bootloader not check signature?
/system is only check during the first boot after sbf flash of the system partition. The init_prep_keypad.sh script in particular can modify /system so signatures there can be quickly invalid under normal operation.

There's a lot of very good information about the bootloader security on www.droid-developers.org

I also like this blog post by [mbm] http://blog.opticaldelusion.org/2010/08/clearly-you-have-no-idea-what-efuse-is.html -- this is what cleared things up for me initially.

In the CDT partition table, partitions that are "type 1" are checked each boot, and "type 5" is only checked once immediately after sbf flash:
http://www.droid-developers.org/wiki/CDT_Milestone
I think that information about whether the type 5 partitions have been checked is stored in sp (CG41). Anyway, the take away message is boot.img is always checked, system.img is checked once and may be modified afterwards.
 
Last edited:

telnet777

Senior Member
Feb 17, 2012
133
38
Mioze7Ae, I'm digesting what your said. It is out of my range to understand all of these.

Thank you for your detailed reply and the effort for XT711.
 
  • Like
Reactions: Mioze7Ae

telnet777

Senior Member
Feb 17, 2012
133
38
Hi,Mioze7Ae, I've a good news to tell you. It will spirit up those peoples who brought XT711.
We tried "fastboot boot openrecovery-fastboot.img" and entered into the open recovery!
 

telnet777

Senior Member
Feb 17, 2012
133
38
With the help of "小⑨一只", We installed open recovery for XT720 on XT711 and tested fastboot mode successfully on XT711. Much thanks to her. She is now studying in high school.

Details below:
The first thing we do is installing open recovery for XT720 on XT711 which is "OpenRecovery-XT720-01.zip" originally from Mioze7Ae.
The installation is successful.
attachment.php

But error occurs when entering open recovery.
"E:Can't open /cache/recovery/command" appears on the screen.
attachment.php


The second thing wo do is testing fastboot mode with command "fastboot boot openrecovery-fastboot.img" successfully.
attachment.php
 
Last edited:

telnet777

Senior Member
Feb 17, 2012
133
38
Mioze7Ae, how to edit the openrecovery to work on XT711? Do you need any further information? What shall we do?

And I've two questions to ask.
The first: XT720's BL is locked. Its kernel is still 2.2 or 2.1. Why some custom ROMs named android 2.3.7? Does the rom is "pseudo-" android 2.3.7?Why some rom contains boot.img? If XT711 entered open recovery, can we upgrade it to android 2.2 although XT711's kernel is still android 2.1?What things can we do with XT711 after entering open recovery?

The second:where can I find the boot procedure of moto's Android phone? I want to know what is the phone doing step one by one(or which script it execute?) when in bootloader mode, recovery mode, fastboot mode and normal reboot or power on.

Thank you in advance.
 
Last edited:

Mioze7Ae

Retired Recognized Developer
Dec 27, 2010
2,153
2,053
Queen City of the West
Google Pixel 7
With the help of "小⑨一只", We installed open recovery for XT720 on XT711 and tested fastboot mode successfully on XT711. Much thanks to her. She is now studying in high school.

Details below:
The first thing we do is installing open recovery for XT720 on XT711 which is "OpenRecovery-XT720-01.zip" originally from Mioze7Ae.
The installation is successful.
attachment.php

But error occurs when entering open recovery.
"E:Can't open /cache/recovery/command" appears on the screen.
attachment.php
Great! That's good news. That "E:Can't open /cache/recovery/command" always happens on XT720. It's harmless. The /cache/recovery/command file passes command line parameters from Android to recovery. It's used to auto-install OTA updates. ROM Manager (doesn't work on XT720) uses a similar file on other phones.

The second thing wo do is testing fastboot mode with command "fastboot boot openrecovery-fastboot.img" successfully.
attachment.php

Good!

Mioze7Ae, how to edit the openrecovery to work on XT711? Do you need any further information? What shall we do?

It sounds like it already works, so I don't think you need to do anything more.

And I've two questions to ask.
The first: XT720's BL is locked. Its kernel is still 2.2 or 2.1. Why some custom ROMs named android 2.3.7? Does the rom is "pseudo-" android 2.3.7?Why some rom contains boot.img?

On Milestone XT720, there are essentially two versions of the kernel. The old one with lower default clock rate (550MHz) and the newer one at higher clock rate (720MHz). Actually, in OpenRecovery, flashing boot.img does nothing...

Don't use the fastboot recovery until I get a chance to double check the partition structure. There are two ways that the phone gets partitions:

(1) passed as command line parameters (tags) from the CDT partition
(2) hard coded into the kernel

Normal boot uses the tags to get the partition structure dynamically from the partition table. Stock recovery's kernel has hardcoded partition structure. The dynamic tags don't include all partitions and the boot partition is marked read-only. Since bootstrapped openrecovery uses normal boot, it doesn't see some partitions and the boot partition is read-only.

The fastboot recovery also uses normal boot, but it includes a custom kernel module that modifies the kernel's partition data structures. The changes are hard coded for Milestone XT720 and there's a good chance those changes are incorrect on XT711. Don't use fastboot OpenRecovery on XT711 until I know more about your partition structure--it could send you back to RSD if they don't match. There should be no problems using bootstrap OpenRecovery.

If XT711 entered open recovery, can we upgrade it to android 2.2 although XT711's kernel is still android 2.1?What things can we do with XT711 after entering open recovery?
Yes. In fact, Motorola's 2.2 for the Korean Motoroi XT720 used the eclair kernel. The kernel is a very small part of things. On Milestone XT720 we're stuck with 2.1 kernel.

At this point, I think I would just try one of the XT720 CyanogenMods (fjfalcon's latest CM7 or my CM 6.3.6.2) and see what happens. The Motoroi XT720 and Milestone XT720 have slightly different sensors. So, if it boots check the sensors. If it doesn't boot we'll have to do some debugging using adb.

The second:where can I find the boot procedure of moto's Android phone? I want to know what is the phone doing step one by one(or which script it execute?) when in bootloader mode, recovery mode, fastboot mode and normal reboot or power on.

Thank you in advance.

The best place to learn about this is on www.droid-developers.org in pages about the booting chain. http://www.droid-developers.org/wiki/Booting_chain
The Milestone A853 people have reverse-engineered their bootloaders and put their findings there. From what I can tell XT720's bootloader is similar, except the Milestone A853 doesn't have working "fastboot boot".
 
Last edited:

telnet777

Senior Member
Feb 17, 2012
133
38
Thank you for your timely reply!
You mentioned "There should be no problems using bootstrap OpenRecovery."
Do you mean the open recovery works well on XT711? We got no further for safety when seeing error occurs. How to entering open recovery? Does press camera button when selecting "apply sdcard:update.zip " ? So I can backup my phone using open recovery?

If this is true, then the next step is to test a rom which can works well on XT711. I think hhcat is the best one who can play a part in it because his wife has a XT711. Who can help us to develop a stable rom for XT711? I can't wait for it! It's a very good news to those who had brought it because MOTO has disappointed us for a long time. They are unwilling to unlock BL and never considering upgrade phones they had selled out.
 

Mioze7Ae

Retired Recognized Developer
Dec 27, 2010
2,153
2,053
Queen City of the West
Google Pixel 7
Thank you for your timely reply!
You mentioned "There should be no problems using bootstrap OpenRecovery."
Do you mean the open recovery works well on XT711? We got no further for safety when seeing error occurs. How to entering open recovery? Does press camera button when selecting "apply sdcard:update.zip " ? So I can backup my phone using open recovery?

Hmm. That doesn't sound like OpenRecovery--that sounds like Motorola's stock recovery. If you press and hold volume-up while powering on (hold until you see the boot animation or OpenRecovery menu), does your phone boot to Android or OpenRecovery? OpenRecovery will say

Motorola MILESTONE XT720 Open Recovery
Version 1.46
Created by Skrilax_CZ

on the top and boots straight to the main menu.
 
Last edited:
  • Like
Reactions: telnet777

telnet777

Senior Member
Feb 17, 2012
133
38
Hmm. That doesn't sound like OpenRecovery--that sounds like Motorola's stock recovery. If you press and hold volume-up while powering on (hold until you see the boot animation or OpenRecovery menu), does your phone boot to Android or OpenRecovery? OpenRecovery will say

Motorola MILESTONE XT720 Open Recovery
Version 1.46
Created by Skrilax_CZ

on the top and boots straight to the main menu.

Do you mean it is not the time to say open recovery for XT720 works well on XT711? Because I don't know how to enter open recovery when reboot, we press media button and power on which entered stock recovery. I will retry to enter it by volume up and power on asap.

Does the fastboot boot works on XT711 is still a good news? I think it can help to do something.
 

telnet777

Senior Member
Feb 17, 2012
133
38
We are trying to enter open recovery.
It seems that we entered a lite version of open recovery.
The installation is successful. Then power off. Press and hold volumn-up then power on. The phone stopped at moto logo. Release all button, then the screen is off and the phone reboot normally. Then we power off and try again. It still stopped at moto logo.It is all we can see.

Then we tried OpenRecovery.apk.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 5
    First:"STR" is a parameter transferred by updater-script when running switch.sh
    Why do you say XT720 is detected as "STR"?Does the phone itself will detect it is which device when switch.sh is running?

    I re-checked and you're right. I was remembering a different step where it runs "/system/persistent/orbootstrap/utils/install.%s.btsh" and the %s is detected. I think that is always install.mapphone_umts.rc. The STR is selected when you run the OpenRecovery install.sh, so it's not probed. Sorry for incorrect info.

    Second:How does the OpenRecovery works? I've reviewed install_script.sh under directory orbootstrap. I don't understand why it can “hijack” boot procedure when reboot. Someone said it utilized a defect of XT720's recovery.
    The hijack is done in /system/bin/sh

    Basically if you look at /init.mapphone_umts.rc, very early in boot it runs a script called /init_prep_keypad.sh. init_prep_keypad.sh is a shell script that is run by /system/bin/sh (the first line of /init_prep_keypad.sh is #!/system/bin/sh, so /system/bin/sh is started to read the commands from /init_prep_keypad.sh). This is the first time during boot that anything from /system is executed (/system isn't signature checked). Skrilax_CZ's hijacked /system/bin/sh does the following things:

    1. If the volume up key is down *or* /cache/.boot_to_or file is present it runs /system/persistent/orbootstrap/utils/install.mapphone_umts.btsh
    2. (On my version) if volume down is pressed -- reboot to fastboot bootloader
    3. Check if /system/bin/sh_hijack.sh exists, if so run that
    4. Otherwise it just runs /init_prep_keypad.sh

    /system/persistent/orbootstrap/utils/install.mapphone_umts.btsh defaults to "OpenRecovery Lite". If /sdcard/OpenRecovery.zip is available that is applied and it "switches" to full OpenRecovery.

    /system/bin/sh_hijack.sh reconfigures the / filesystem (on XT720 and A853 usually just by copying the contents of /system/etc/rootfs) and eventually calls /system/bin/2nd-init which restarts /init. This is how we get around the signature check. The / filesystem comes from boot.img so we can't modify it. But it is read into RAM at boot and we can modify it in RAM once we have control.

    The source for the hijacked sh is here:
    http://gitorious.org/droid/openrecovery/blobs/master/src/bootable/open_recovery/btsh/main.c

    There's a somewhat confusing description of what 2nd-init does by cvpcs here: http://cvpcs.org/blog/2011-06-14/2nd-init._what_it_is_and_how_it_works

    NOTE: which binary to hijack varies by phone--some hijack mot_boot_mode, some hijack logwrapper--it all depends on what the stock boot does. On Milestone A853, Milestone XT720 and Motoroi XT720, the sh-hijack is the correct one.

    I hope that makes sense, but I may be too comfortable with it.

    Third:The bootloader is not unlocked. Why can we flash custom roms such as 2.3.7 via OpenRecovery? Why bootloader not check signature?
    /system is only check during the first boot after sbf flash of the system partition. The init_prep_keypad.sh script in particular can modify /system so signatures there can be quickly invalid under normal operation.

    There's a lot of very good information about the bootloader security on www.droid-developers.org

    I also like this blog post by [mbm] http://blog.opticaldelusion.org/2010/08/clearly-you-have-no-idea-what-efuse-is.html -- this is what cleared things up for me initially.

    In the CDT partition table, partitions that are "type 1" are checked each boot, and "type 5" is only checked once immediately after sbf flash:
    http://www.droid-developers.org/wiki/CDT_Milestone
    I think that information about whether the type 5 partitions have been checked is stored in sp (CG41). Anyway, the take away message is boot.img is always checked, system.img is checked once and may be modified afterwards.
    4
    The very first thing to do is to make sure you have a sbf and that you can restore your phone to factory state. I have more to post later, but I don't have time at the moment. Basically, we need to figure out how to port the switch part.

    Does "fastboot boot" work on XT711? If so try the fastboot recovery (but don't do anything once booted, just check if you get to the OpenRecovery menu). If that works, it should be really easy.

    http://xdaforums.com/showthread.php?t=1477752

    [REF] Fastboot to OpenRecovery and how to dump more partitions
    4
    I think it should be safe to use the fastboot recovery on XT720. I extracted the recovery.img from

    RSTCU_U2_00.13.0_USASHLSTAB125P2XAPCNCU032.0R_HWp3_1FF.sbf
    RSTCU_U2_10.16.0_SIGNED_USASHLSTAB125P2XAPCNCU035.0R_HWp3_1FF.sbf

    I then extracted the recovery kernel command line to get the partitions structure (it was identical in these two sbfs):

    console=ttyS2,115200n8 rw mem=244M@0x80C00000 init=/init ip=off motobldlabel=none mtdparts=omap2-nand.0:128k(mbmloader),640k(mbm),640k(mbmbackup),384k(bploader),384k(cdt),1536k(pds),384k(lbl),384k(lbl_backup),384k(cid),1536k(sp),384k(devtree),640k(logo),384k(misc),3584k(boot),3840k(bpsw),4608k(recovery),8960k(cdrom),384k(unused0),179840k(system),384k(unused1),106m(cache),203392k(userdata),384k(unused2),2m(kpanic),512k(rsv)

    Here's a comparison with XT720 (2.1 and 2.2 and modsbf).
    Code:
       Motoroi XT720 2.1          Motoroi XT720 2.2
      Milestone XT720 2.1           modXT720.sbf               XT711 2.1
     ----------------------    ----------------------    ---------------------- 
     mtdparts=omap2-nand.0:    mtdparts=omap2-nand.0:    mtdparts=omap2-nand.0:	 
         128k(mbmloader),          ...                       ...              
         640k(mbm),                ...                       ...                   
         640k(mbmbackup),          ...                       ...                   
         384k(bploader),           ...                       ...  
         384k(cdt),                ...                       ...  
       * 1536k(pds),               ...                       ...  
         384k(lbl),                ...                       ...  
         384k(lbl_backup),         ...                       ...  
       * 384k(cid),                ...                       ...  
         1536k(sp),                ...                       ...  
         384k(devtree),            ...                       ...  
       * 640k(logo),               ...                   !!! ..., but not atags
       * 384k(misc),               ...                       ...
       * 3584k(boot),              ...                       ...  
         3840k(bpsw),              ...                       ...  
       * 4608k(recovery),          ...                       ...  
       * 8960k(cdrom),             ...                       ...  
         384k(unused0),            ...                       ...  
       * 204416k(system),        * 173696k(system),        * 179840k(system),       
         384k(unused1),            384k(unused1),            384k(unused1),         
       * 106m(cache),            * 50m(cache),             * 106m(cache),   
       * 177280k(userdata),      * 265344k(userdata),      * 203392k(userdata),     
       * 1536k(cust),              ...                   !!! (missing)                                         
         384k(unused2),            ...                       ...  
       * 2m(kpanic),               ...                       ...  
         512k(rsv)                 ...                       ...
    "..." means identical to the first column. The "*" means the partition is defined in atags structure passed from the bootloader to the kernel (they come from the CDT partition). Any partition loaded by atags is not touched by the version of part-STR.ko in the fastboot recovery. The part-STR.ko in OpenRecoveryXT720 is identical to the one in OpenRecovery and never worked (segfault on insmod).

    Observations:
    • /system, /cache, /data partitions are different. This is OK because /system, /cache, and /data come from atags. part-STR.ko doesn't do anything with these.
    • /cust is missing on XT711 -- also not a problem because /cust is loaded from atags on XT720 and part-STR.ko doesn't do anything with it.
    • /logo does not get set by atags on XT711 and part-STR.ko doesn't do anything with logo, so nandroid of logo probably doesn't work on XT711 without fixing part-STR.ko
    • The total size of XT720 system+cache+unused1+userdata+cust == XT711 system+cache+unused1+userdata:
      204416+384+(106*1024)+177280+1536 = 492160
      173696+384+(50*1024)+265344+1536 = 492160
      179840+384+(106*1024)+203392 = 492160
    • Everything before system and after unused2 has the same size

    Conclusion: everything should work fine in fastboot-openrecovery except for nandroid of logo and cust won't work (and I think that can be fixed if necessary).

    FYI: The source code for the part-STR.ko used in the fastboot openrecovery is here:
    https://github.com/CyanogenModXT720/xt720_modules_eclair/blob/master/mtdhack/mtd-hack.c

    Prebuilt modules here: https://github.com/CyanogenModXT720/xt720_modules_eclair/tree/master/prebuilt (mtd-hack.ko is part-STR.ko)
    3
    Also, the reason I'm cautious about partitions is I think XT711 might not have /cust --based on looking at an XT711 sbf I downloaded at some point. XT720 has /cust but it's never used, so missing /cust isn't surprising, but it probably shifts the others.
    3
    I finally got xt711 phone, and dump some information about the phone:
    cat /proc/mtd
    dev: size erasesize name
    mtd0: 00180000 00020000 "pds"
    mtd1: 00060000 00020000 "cid"
    mtd2: 00060000 00020000 "misc"
    mtd3: 00380000 00020000 "boot"
    mtd4: 00480000 00020000 "recovery"
    mtd5: 008c0000 00020000 "cdrom"
    mtd6: 0afa0000 00020000 "system"
    mtd7: 06a00000 00020000 "cache"
    mtd8: 0c6a0000 00020000 "userdata"
    mtd9: 00200000 00020000 "kpanic"

    There are some minor difference from xt720. Shall we have to get a new part-STR.ko for xt711?

    Ok! part-STR.ko work fine for XT711 as well.
    I used fastboot to boot to OR, and insmod part-STR.ko. With the module, I was able to see some hidden partitions.
    Further, I tired to backup system, data, cache with OR. All work completed sucessfully. And unyaffs those generated img files, all looks good. :)
    Now the only issue is OR's bootstrap.