
Root LG Tribute Stock ZV5 Deodexed & Unmodified [4.4.2]

So it's not a wise idea to cherry pick?
Honestly, I don't know. The modem/firmware, if it's related to the radio, is probably the only thing we need, but I haven't studied it enough to even guess whether it can be applied or used by itself.

From what I've learned the key is AES-256 bit and the kernel is set to verify the system against the manufacturer security key and fail secure boot in the event of a mismatch. It's possible to change this, and set a new key to be used, however it would still need to be placed into a wrapper that contained the original key in x509.pem. So, unfortunately this method is useless to us. I'm also starting to see reports on xda of the zv6 update for other lg phones making permanent changes to the boot loader. As in, locking down the bump exploit. o_O I'm confident whatever they did can be reversed, and that the info to do it is in the zv6 update somewhere. We may be able to create something that looks like an ota update to make changes to the bootloader is what I'm thinking. I'm just not sure how to go about it yet.
Yeah, you would need to have LG's private key to sign the image. It's an ongoing battle to unlock the bootloader for some high-end devices, so it's not something I would bother with. Is it possible to flash the zv5 radio.img to re-enable the bump key? What about enabling fastboot to issue the bootloader unlock command? I am not suggesting you try to do either, but since I'm new to this device, I'd like to know what options we have going forward if someone knows the answer.

BTW, there's a partition called abootb (and rpmb, tzb, etc.), which could be a backup of aboot. On my unmodified device, those two partitions have basically the same data. Is abootb also changed by the update, or does it contain the old aboot?
 

Not sure about abootb. I was looking through emmc_appsboot.mbn, well what I can look at anyhow (don't know its encryption), and I found what appears to be code that outlines our download mode, fastboot, and oem unlock/relock, I honestly think it outlines how to enter fastboot mode and the menus associated with it too. It's got me very excited to say the least.
 
abootb is a partition on the device. You'd need to pull it from the device. You can use dd or cat to save it as an image and copy that image to a PC, or if you have ADB with root, you can get it directly by "adb pull /dev/block/platform/msm_sdcc.1/by-name/abootb abootb.img". Anyway, if you know how to grab it, great. If not, don't worry about it.

On some other devices, you can get fastboot by zeroing out the laf partition. Apparently, when aboot tries to load laf to enter the download mode but fails, it falls back to fastboot. So once in fastboot, the bootloader could be unlocked if it doesn't require some key. I have no idea whether this works for the Tribute with Sprint/VM though.
 

I think you're right about fastboot. Check this out. Especially the last several lines...
 

Attachment: Screenshot_2015-09-25-14-07-38.png
 
Any idea how to look at a dumped system partition? Can I unpack them like a boot.img? They didn't lock everything down. I managed to dump aboot, abootb, and the misc partition. From what I could get at in emmc_appsboot.mbn, it looks as though the bootmode is controlled by mmblk0p13, or "Misc" by-name. I wanna look inside it. XD
 
The "system" partition is just an ext4 volume, unless you meant something else.

The "misc" partition, as far as I can tell, is normally empty (full of zeros). I am not certain, but I think it's populated and used by LG's OTA update mechanism to install radio.img. The bootloop fix by @HasH_BrowN wipes the "misc" partition in order to return it to normal after an unsuccessful/partial OTA update. My guess is the OTA update code puts some code to "misc" and the bootloader (aboot) invokes that code to do actual updates of those special partitions contained in radio.img. I don't know what format "misc" is supposed to be in. The fstab file shows its type as emmc, which just means a raw partition. "boot" and "recovery" are also listed as emmc, and they contain kernel boot images. To find out, maybe grab the image of "misc" from a device bootlooped by an ota update (or maybe it doesn't need to be bootlooped if "misc" is never wiped after update) and take a look.

I am not sure what you meant by "bootmode". Maybe like regular boot, recovery mode, download/laf mode, ota update mode, factory test mode, etc.? If so, then I'd say there's an external trigger. Regular boot is just what boots by default. Recovery mode can be triggered by vol.down+power or by a command. Download/laf mode can be triggered by vol.up+usb. I don't know about the other modes, but they seem to be triggered by internal commands. If you're really interested in that, you can probably reverse-engineer by reading the disassembly code to see how everything works.

I don't know enough to really help. Hopefully others can chime in.
 

That's some awesome insight. Yes, that's exactly what I meant about bootmodes. It looks like misc, recovery and boot are all connected to each other, it's hard for me to look at things the way I want using Windows though... Did you happen to look at the factory_ramdisk.img inside the radio.img? It's got leftovers from what I guess is a miniature LG factory testing OS. It basically has... not much of anything, and looks like some sort of barebones kernel for testing hardware. I don't know if it has any use, but it might considering what I think it was used for. I also found our download mode setup in there, our battery icons, and a screen called MiniOS, which is what I guess the factory test OS is. They left some interesting crap in that update, some of which, I don't think they intended to. (Lazy programmers I mean.) When I'm not in such a financial hard spot, I'll try zeroing out my laf partition and see if it pulls up fastboot.

Edit: It seems I still have plenty to learn. This is fun stuff though! And thanks for correcting my thinking where it's wrong. It's really helping a lot, and giving me better ways to look at things. I still miss the thanks button.
 
I have some ideas I'm going to test.

1. I want to try renaming the factory_ramdisk.img to boot.img and installing it to see what happens. Could be interesting, and may give us access to useful things... Or just not boot haha.
2. I'm going to try installing the bumped boot.img into the stock ZV6 odex, just to make sure it's the source of the security error.
3. If that doesn't work, I'm going to try replacing my boot.img in my zv6 backup with the bumped one, see if it'll "restore" it. O_o
 
Your difficulties may be due to Windows not allowing your Note++ edits to stick (protocols not working). Three quick checks:
1. Control Panel > Programs > Turn On Windows Features. A small popup box with a protocol list will appear. If you have almost everything unchecked, your Windows OS isn't "unpacked", and you have system protocols disabled until you turn them on!
2. Control Panel > Appearance > Files & Folder. You'll need to check the "Show Hidden Files" box.
3. Update Java!!
If you need Windows custom tweaks, or the best fixes...
Microsoft TechNet blogs... posted by actual Windows techs. A fantastic resource!
Feel free to pm me, if you need!
I do Windows. For Android... I ask you guys!
 
It's mostly a language and knowledge problem. I need to know more about our phones, and their file systems. Kernel work is only mildly familiar to me, and I've only just begun to dabble in it. The other side of things is, there's a language barrier between Androids and Windows. You can do a lot for an Android on Windows, but Linux is its real home and speaks its language far better. It's the reason why they build on a Linux distro and not Windows, even though it is technically possible as far as I know. I don't have the ability to manipulate certain Unix-based file types. ELF is one of them, there's a few others whose names escape me though.
 
Ubuntu works for composing for Android. I used to keep a Dell netbook running Ubuntu just for fixing Android phone issues. I think that's why keeping Java up to date is so important. It's the "shared" language between Windows and Android! It's their "translator" so to speak!
And... some folks experiencing issues between Android & Windows are usually x64 bit users. X86 is Microsoft's original architecture and shares a common structure with Android, 32 bit! I quit using x64 when Win7 came out. X86 or 32 bit will be better for fixing Androids!

Don't tell my professors I know this..they thought I was snoozing through their boring classes! LOL!
 
We should hopefully see some major progress soon. LG is now fully embracing open development. They're now allowing certain phones to get their boot loader unlocked. Hopefully our device gets added to the list. Last I checked they only had one phone listed. They're due to add many more though over the next few months. I went ahead and set up a developer account to keep an eye on things.
 
Did you happen to look at the factory_ramdisk.img inside the radio.img?
Yes, briefly. That's how I got my info for post #197.

2. I'm going to try installing the bumped boot.img into the stock ZV6 odex, just to make sure it's the source of the security error.
3. If that doesn't work, I'm going to try replacing my boot.img in my zv6 back up with the bumped one, see if it'll "restore" it. o_O
Sorry, I'm kinda new here and I haven't kept up with everything. So you still have a secure booting error? That means you have no custom recovery? If TWRP works (assuming that's what you use for your zv6 backup), then a bumped image should still pass the signature check.

By the way, if you need Linux to do certain things, you could set up a virtual machine. For example, running "file *" on the files in radio.img under Linux gives me:
Code:
emmc_appsboot.mbn:   Hitachi SH big-endian COFF object, not stripped
factory_ramdisk.img: Android bootimg, kernel (0x8000), ramdisk (0x2000000), page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debu)
laf.img:             Android bootimg, kernel (0x8000), ramdisk (0x2000000), page size: 2048, cmdline (console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debu)
NON-HLOS.bin:        DOS/MBR boot sector
rpm.mbn:             ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
sdi.mbn:             data
tz.mbn:              ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped
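
The `file` listing above identifies factory_ramdisk.img and laf.img as Android boot images. As an added example (not from the thread), this Python parser reads the version-0 boot image header and computes where the kernel and ramdisk sit, so they can be carved out of a dump. The sample image is constructed from the addresses and page size shown in the listing, and the function names are illustrative.

```python
import struct
from collections import namedtuple

BOOT_MAGIC = b"ANDROID!"
# Version-0 header: magic, kernel size/addr, ramdisk size/addr, second size/addr,
# tags addr, page size, two unused words, name[16], cmdline[512], id[32].
HEADER = struct.Struct("<8s10I16s512s32s")

BootHeader = namedtuple(
    "BootHeader",
    "kernel_size kernel_addr ramdisk_size ramdisk_addr "
    "second_size second_addr tags_addr page_size name cmdline",
)


def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_header(image):
    """Validate the magic and return the header fields of a boot image."""
    if len(image) < HEADER.size:
        raise ValueError("image shorter than a boot header")
    f = HEADER.unpack_from(image, 0)
    if f[0] != BOOT_MAGIC:
        raise ValueError("no ANDROID! magic: not a boot image")
    hdr = BootHeader(*f[1:9], name=cstr(f[11]), cmdline=cstr(f[12]))
    if hdr.page_size == 0:
        raise ValueError("page size of zero")
    return hdr


def section_layout(hdr, image_len):
    """Return {name: (offset, size)}; each section starts on a page boundary."""
    layout, offset = {}, hdr.page_size            # the header owns page 0
    for name, size in (("kernel", hdr.kernel_size),
                       ("ramdisk", hdr.ramdisk_size),
                       ("second", hdr.second_size)):
        if offset + size > image_len:
            raise ValueError(f"{name} runs past the end of the image")
        layout[name] = (offset, size)
        offset += -(-size // hdr.page_size) * hdr.page_size   # round up to pages
    # Whatever follows the last padded section is not described by the header.
    layout["trailing"] = (offset, max(image_len - offset, 0))
    return layout


def extract(image, layout, name):
    """Slice one section out of the image."""
    offset, size = layout[name]
    return image[offset:offset + size]


def build_boot_sample():
    """Constructed image reusing the addresses and page size from the listing."""
    page = 2048
    kernel = b"K" * 3000                          # filler, not a real kernel
    ramdisk = b"\x1f\x8b" + b"R" * 98             # gzip magic plus filler
    header = HEADER.pack(
        BOOT_MAGIC, len(kernel), 0x8000, len(ramdisk), 0x2000000,
        0, 0, 0, page, 0, 0, b"sample",
        b"console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0", b"")
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(header) + pad(kernel) + pad(ramdisk) + b"TAIL"


if __name__ == "__main__":
    image = build_boot_sample()
    hdr = parse_header(image)
    print(f"page size {hdr.page_size}, kernel @ {hdr.kernel_addr:#x}, "
          f"ramdisk @ {hdr.ramdisk_addr:#x}")
    print("cmdline:", hdr.cmdline)
    for name, (offset, size) in section_layout(hdr, len(image)).items():
        print(f"{name:8} offset {offset:#8x} size {size}")
```

The extracted ramdisk is normally a compressed cpio archive, so it still needs decompressing and unpacking before its files can be read.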
 
TWRP still works, and will still install on ZV6, but a bumped boot.img won't. It always gives me a security error. Deodexing stock ZV6 will give me the same error, even with the stock boot.img. My only guess is that there's now multiple signature checks in place, or at least 2 rather, one for system apps, and another for the boot image. If anyone else has a working ZV6 deodexed, I'd love to try flashing it just to confirm it isn't somehow my own error that's causing it.
 
Since TWRP can boot, the bump key must still work to bypass the bootloader's signature check. I don't know what the security error looks like, but my guess is the error is coming from the kernel because some system files don't pass SELinux's permission checks. As far as I know, there is no change between boot.img of ZV5 and that of ZV6, other than some version number change(s). I've never studied deodexing, but I thought deodexing is applied only to system apks? If so, you should be able to use the boot image of SuperR's ZV5 rom (with his permission) as a base.
 

Yeah, Deodexing applies to the system apps. I honestly don't know what the cause is at this point. All I can tell you, is the following...
1. Twrp works
2. Any bumped boot image will not work.
3. Deodexing with or without changing the boot image, also will not work.
4. This is the strangest crap I've seen in a while...

Also maybe worth noting, my misc partition is not empty, and hasn't been since taking the update. It's 16mb when dumped.

Edit: Pic of the screen that bootloops forever.

errorlogo.png
 

OK. I don't have all the information. There's a lot of guesswork on my part, but I hope the info can provide you with a clue. Hopefully this is not too off-topic, or maybe we need a separate thread for further discussions.

TWRP is a bumped recovery image. So the security error is not coming from the bootloader. The image you posted looks exactly like /res/images/errorlogo.png. That's inside the kernel ramdisk (in the boot image). If we search for "errorlogo" within the ramdisk files, we see the only reference comes from /sbin/wallpaper. Peeking inside "wallpaper," we see some text about security and crypto. So it's likely that's where security checks occur. Next, search within the ramdisk to see how "wallpaper" gets invoked. We see this line "exec /sbin/wallpaper -ap" in "/init.lge.rc". If we check "init.lge.rc", we see the comment "#CAPP_SECUREBOOT" right above the "wallpaper" line. So there it is. A big neon sign. Now, I don't know if that's all there is, but start by commenting out "exec /sbin/wallpaper -ap" or by removing "/sbin/wallpaper" to see where you'd get.

As for the bootloop/nonempty-misc, @HasH_BrowN has a solution for that. I think "misc" is normally empty (zeros). The OTA update puts something in there (which becomes bootable from the bootloader) to install radio.img. Again, I am guessing here. After installing radio.img, the stock recovery is supposed to finish up and clean up. With TWRP, that doesn't happen, so you end up with a TWRP bootloop because the bootloader is actually trying to call the stock recovery (which has been replaced by TWRP). Zeroing out "misc" (and/or "fota") stops the cycle. I don't know what the stock recovery would normally do after installing radio.img though. In the script, it does show "Patching remaining system files..." where it updates /system/build.prop. So do people who apply the update with TWRP get a patched /system/build.prop? Or are there significant changes to even care?

BTW, I wonder what "misc" and "fota" partitions contain in a device that's bootlooping after the update. If you don't mind sharing (assuming it's not uniquely tied to each device), it would be great to get a copy, publicly or privately.
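
For the questions above about what format "misc" is in and what a non-empty dump contains: AOSP's recovery passes a short text record (bootloader_message) to the bootloader through misc. The added Python below (not from the thread) maps the non-zero regions of a dump and decodes that record, assuming this device keeps the AOSP layout at offset 0. The sample dump and function names are constructed.

```python
import re
import struct

# bootloader_message as defined by AOSP recovery: command[32], status[32],
# recovery[768].  ASSUMPTION: this device keeps it at offset 0 of misc.
BCB = struct.Struct("<32s32s768s")


def nonzero_extents(data, gap=16):
    """Return [(offset, length)] of non-zero runs, merging runs <= gap apart."""
    extents = []
    for m in re.finditer(rb"[^\x00]+", data):
        if extents and m.start() - sum(extents[-1]) <= gap:
            start = extents[-1][0]
            extents[-1] = (start, m.end() - start)
        else:
            extents.append((m.start(), m.end() - m.start()))
    return extents


def read_bootloader_message(data):
    """Decode the text fields, or return None if they are not printable text."""
    if len(data) < BCB.size:
        raise ValueError("dump too short to hold a bootloader message")
    fields = [f.split(b"\0", 1)[0] for f in BCB.unpack_from(data, 0)]
    if any(c != 10 and not 32 <= c < 127 for f in fields for c in f):
        return None          # binary data: some other layout is in use
    command, status, recovery = (f.decode("ascii") for f in fields)
    return {"command": command, "status": status,
            "recovery_args": [a for a in recovery.split("\n") if a]}


def summarize(data):
    """Describe a misc dump: size, whether it is blank, where data sits."""
    extents = nonzero_extents(data)
    return {"size": len(data), "all_zero": not extents,
            "extents": extents, "message": read_bootloader_message(data)}


def build_misc_sample(size=64 * 1024):
    """Constructed dump: a pending-recovery message plus stray bytes later on."""
    buf = bytearray(size)
    BCB.pack_into(buf, 0, b"boot-recovery", b"",
                  b"recovery\n--update_package=/cache/update.zip\n")
    buf[0x8000:0x8004] = b"\xde\xad\xbe\xef"
    return bytes(buf)


if __name__ == "__main__":
    report = summarize(build_misc_sample())
    print("size:", report["size"], "all zero:", report["all_zero"])
    for offset, length in report["extents"]:
        print(f"  data at {offset:#08x}, {length} bytes")
    print("message:", report["message"])
```

A dump whose first fields decode to None here uses some other layout, and the extent list then shows where to start looking in a hex viewer.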
 

Mind blown! O_o I think you might be on to something. Zv6 thread? We should do that. This could take some time, and it's definitely a better approach.
 

Will mention this once here. Anyone working on a ZV6 deodex rom? I was using the ZV6 update, rooted, but for some reason got a lot of ANR's/force closes on it. Decided to rebuild my phone, and installed the debloated, deodexed ZV5 rom. To get around the Stagefright issue, I still keep auto downloads of attachments off for MMS, and installed CM Security for virus scanning. I don't run any themes, but I find the deodexed ROM easier to maintain.
 
I would NOT use CM security, nothing but adware and malware. Plus all the other "things" (services, background receivers, and activities) that they have running in the background. There have been a couple of write-ups (sorry can't get link right now - @ work) that have been done on CM Security, all are bad or extremely bad.
Seriously though, I use the deodexed ROM, Xposed (w/12 modules), link2sd, MyAndroidTools, AdAway, and have 163 user apps installed.
 

Okay, so perhaps CM Security is bad. Anyone else here care to back up that claim? I haven't had any issues in using it. I know that it does push some of its other apps via popups from time to time. I wouldn't mind using adaway, but I use a few apps that come from indie devs that use some ads (like Virgin Mobile Minutes), so I'm reluctant to completely block ads as these guys depend on them to remain functional. I also have Link2SD. Briefly tried Bonick's apps2sd, but found it slow and kludgy... probably the reason I rebuilt my phone in the first place. I'll definitely look into using MyAndroidTools. That app would be great with my Samsung Tab 4. Thanks for the advice. :)
 
THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU THANK YOU Very Much.
 
Okay so, I'll state the main problem and do my rant about how it came about afterward, so it's optional (nice guy cdog)
I am trying to get back to the stock lg tribute os (rooted or unrooted doesn't matter, I can re-root it) and I'm getting an error about binary, I can do the log if necessary. I've tried the stock and deodexed.

I'm new to flashing OSes and stuff (first time actually, and then I get problems :/ figures), and I flashed cyanogen 12 to my tribute because I was trying to use that bluetooth controller app for the ps3, which didn't even end up working. Now I can't get it to flash back to stock and I'm having all kinds of problems with cyanogen. It's running on Sprint's service instead of Virgin Mobile's (while they are the same company, Sprint's service is horrible near my home, no idea why) and texts and such aren't working for me, not to mention the known issues with it. Any help to get the stock os back is appreciated.

Edit/extra details

I made a supposed Nandroid backup of my phone before making any changes vis-à-vis flashing a new OS to my phone but it hasn't worked for me to recover from
 
Do you have TWRP recovery installed?
If so download stock zip from OP to sd card. Use computer if unable to download via phone.
Follow steps in OP
This will get you back to zv5 stock.
Once back to stock ensure you select activate phone (just in case) and then update PRL and update network

This should at least get you up and running.

Good luck
 
Ok, I finally got one of the files from OP to actually finish without the binary error. I've been sitting at my boot screen for about 5-10 minutes now. Anything I should do?
 