Root Question...

zeest

Android Enthusiast
Just a thought... What would happen if I were to boot my phone, use adb to completely nuke the filesystem except for the kernel, bootloader, and boot (this should be enough to have at least basics working, right?), then replace it with the filesystem from another phone that is unlocked? Is this possible? If so, when I have some money, I might buy a used motion and give it a shot...
 
Yes, the phone would still be locked, but we could then modify our bootloader to be unlocked, without the Secure Bootloader checks getting in our way.
 
No, replace the bootchain. SBL1-3, maybe TZ (if it is bootchain/loader-specific), then the bootloader once we know this works. In theory, I believe this should work, but it is extremely risky. It was done for the LG Spectrum (http://androidforums.com/spectrum-a...oot-cwm-lg-spectrum-4g-ics-linux-install.html). One mistake, one thing goes wrong, or one thing just doesn't match up and, to the best of my knowledge, there is no recovering unless you happen to have a jtag. Even then, it's questionable. Does anyone happen to have a diagram for a jtag that works with our phone and that is fairly cheap to make (~$10)? Also, pm'ed you back.
 
A device with an unlocked bootloader whose aboot, tz, rpm and sbl partitions reside in the same block (perhaps the g I know many blocks are the same) and I think it's more than with a shot. However out emode prolly resides in rpm block?
 
I am new to this forum and don't know how to post my questions.
Can you help me out?
I have some problems...
My Galaxy Samsung back camera and flash light don't work...
Android version 4.1.9 Jelly
 
I'll ask the people in the Optimus G irc about their block locations. If one of the guys from the team that created freegee are there, I'll talk to them, they seem to know what they are doing, much more than I do.

@me_tuyuu
I sent you a message.

EDIT:
Thank you google!
http://pastebin.com/v5cHuWM9
http://androidforums.com/5240284-post437.html

Looks good to me :D

EDIT2:
http://pastebin.com/7QJ706KA
Sizes are the same too :D

Now to get the partitions, then will it be the hard part.
 
well...
[11:45] <zeest> Since the partitions are the same, would it brick because of hardware differences?
[11:46] <@autoprime> same size partitions doesnt really mean much. i suppose yes.. it would notice the hard ware diffs.
[11:46] <zeest> Hmm... and it wouldn't be a recoverable brick, would it?
[11:46] <@autoprime> the only reason the lg optimus g can use nexus 4 sbl stack and bootloader is because hardware is 100% the same
[11:46] <zeest> Couldn't just flash firmware
[11:47] <@autoprime> to recover.. you would need jtag
[11:47] <@autoprime> download mode and all other modes wouldnt work
[11:47] <zeest> Do you have a jtag diagram that would work?
[11:47] <@autoprime> i do not
[11:47] <zeest> Been trying to find one anyway
[11:47] <zeest> hmm, ok
[11:48] <zeest> Do you happen to know which phone has the closest hardware to the motion, other than the spirit, that has an unlocked bootloader?
[11:48] <@autoprime> zeest, i do not. perhaps someone else in here does
[11:48] <@autoprime> i only pay attention to lgog
[11:49] <zeest> Ok, well thanks for the info :D

Anyone here have a jtag diagram? I know someone had a jtag, just can't remember who...
 
Partition: MODEM at 0x000000800000
Partition: SBL1 at 0x000004800000
Partition: SBL2 at 0x000004880000
Partition: SBL3 at 0x000004900000
Partition: ABOOT at 0x000004A00000
Partition: RPM at 0x000004A80000
Partition: TZ at 0x000006000000
Partition: PAD at 0x000006080000
Partition: MODEMST1 at 0x000006080400
Partition: MODEMST2 at 0x000006380400
Partition: SNS at 0x000006800000
Partition: MISC at 0x000007000000
Partition: SYSTEM at 0x000008000000
Partition: USERDATA at 0x000048000000
Partition: PERSIST at 0x0001B3C00000
Partition: CACHE at 0x0001B4400000
Partition: TOMBSTONES at 0x0001C5000000
Partition: RECOVERY at 0x0001C9800000
Partition: FSG at 0x0001CA400000
Partition: SSD at 0x0001CA700000
Partition: DRM at 0x0001CA800000
Partition: FOTA at 0x0001CB000000
Partition: MPT at 0x0001CD000000
Partition: TZBAK at 0x0001CF000000
Partition: RPMBAK at 0x0001CF080000
Partition: ENCRYPT at 0x0001CF100000
Partition: RESERVED at 0x0001CF800000
Partition: GROW at 0x0001D0800000

by kanishk619

Is this what you're looking for?
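The "Sizes are the same too" comparison earlier in the thread only holds if the bootchain partitions start at the same offsets and have the same extents on both devices. As an added example (not code from the thread or from any poster), this script parses dumps in the format quoted above and flags any bootchain partition whose offset or span differs. The Motion lines are copied from the post; the donor dump is a constructed sample with one shifted partition.

```python
import re

# Constructed sample: the head of the LG Motion partition dump quoted in the thread
# (names and offsets copied from the post).
MOTION_DUMP = """\
Partition: MODEM at 0x000000800000
Partition: SBL1 at 0x000004800000
Partition: SBL2 at 0x000004880000
Partition: SBL3 at 0x000004900000
Partition: ABOOT at 0x000004A00000
Partition: RPM at 0x000004A80000
Partition: TZ at 0x000006000000
"""

# Constructed dump for a hypothetical donor device: identical except ABOOT starts
# 0x40000 later, the kind of mismatch that comparing partition names alone misses.
DONOR_DUMP = MOTION_DUMP.replace("ABOOT at 0x000004A00000", "ABOOT at 0x000004A40000")

LINE_RE = re.compile(r"Partition:\s+(\S+)\s+at\s+0x([0-9A-Fa-f]+)")
BOOTCHAIN = ("SBL1", "SBL2", "SBL3", "ABOOT", "RPM", "TZ")


def parse_dump(text):
    """Parse 'Partition: NAME at 0xOFFSET' lines into (name, offset) pairs sorted by offset."""
    parts = [(m.group(1), int(m.group(2), 16)) for m in LINE_RE.finditer(text)]
    return sorted(parts, key=lambda p: p[1])


def layout(text):
    """Map name -> (offset, span). The span is the distance to the next partition's
    start, i.e. an upper bound on the partition's size; the last entry gets None."""
    parts = parse_dump(text)
    out = {}
    for i, (name, off) in enumerate(parts):
        span = parts[i + 1][1] - off if i + 1 < len(parts) else None
        out[name] = (off, span)
    return out


def compare_bootchain(a_text, b_text, names=BOOTCHAIN):
    """Return bootchain partitions whose offset or span differs between two dumps as
    {name: ((a_off, a_span), (b_off, b_span))}; a partition missing on one side is None."""
    a, b = layout(a_text), layout(b_text)
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


if __name__ == "__main__":
    for name, (ours, theirs) in compare_bootchain(MOTION_DUMP, DONOR_DUMP).items():
        print(f"{name}: motion={ours} donor={theirs}")
```

Any partition reported here is one where a cross-device bootchain flash would land at a different offset or with a different extent, which is exactly the mismatch the thread worries about.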
 
No, I need a jtag diagram so I can replace stuff without fear of bricking. Although you did help me by telling me the name of the person with the jtag, thanks lol.
 
It was kanishk who made the jtag work, supposedly, though he refused to share the pinout, but with the right msm8960 guide you may have the pinouts.
 
Just so you know, I've already bricked my Spirit trying this. And good luck with jtag. I know it's disabled in the bootloader on the Spirit.

QHSUSB recovery will also not work until we have a copy of the HEX and MBN files for our phone(s) signed by LG.
 
Maybe he refuses to share the pinout because he (dramatic pause) works for LG! He is undercover, watching our progress and reporting it to LG... lol, jk (hopefully)
 
If the phone is disassembled it should be easy to identify with the released msm8960 files. They show the pin out I believe.
 
The phone does not need to be disassembled to get to the jtag pins. Take your battery out, pull up the sticker with your phone info, and they are right there. Of course, AquerMang could always be right.

@AquerMang Do you know which qfuse disables JTAG? If so, I can check if it is blown.
 
Qfuses are apparently read-only in usermode with this kernel/bootchain (haven't diagnosed the cause as kernel or APP/SBL yet), so this doesn't matter. It's QFPROM_DEBUG_ENABLE and it is definitely blown (at least on the Spirit, I don't own a Motion).
 
LG Motion QFUSES

Fuse Name                   Physical Location   Blown?
QFPROM_HW_KEY_STATUS        0x702050            Yes
QFPROM_SECURE_BOOT_ENABLE   0x700310            Yes
QFPROM_OEM_CONFIG           0x700230            Yes
QFPROM_DEBUG_ENABLE         0x700220            Yes
QFPROM_SECONDARY_HW_KEY     0x7002A0            Yes
QFPROM_READ_PERMISSION      0x7000A8            Yes
QFPROM_WRITE_PERMISSION     0x7000B0            Yes
QFPROM_OVERRIDE_REG         0x7060C0            Yes
QFPROM_CHECK_HW_KEY         0x123456            Yes
SEC_HW_KEY_BLOWN            0x00000001          Yes
PRIM_HW_KEY_BLOWN           0x00000002          Yes
HW_KEYS_BLOCKED             0x00000004          Yes

QFUSE names and locations obtained from https://android.googlesource.com/ke...f6e/arch/arm/mach-msm/lge/lge_qfprom_access.c
QFUSE blown status obtained from LG Motion 4G through wallpaper binary.


Either LG is fuse-blow happy or the locations are wrong.

EDIT: Sorry about everything being angled, it's the way the forum handles alignment tags *sigh*
 
No, those are supposed to be blown in a production device. That's disabling JTAG and locking everything down via Secure Boot 3.0.

CHECK_HW_KEY and everything below it is unused (hence the garbage addresses).
 
Does QFPROM_OEM_CONFIG have anything to do with "fastboot oem unlock"?

A.) it's oem-unlock
B.) not from anything I can see in the bootloader.

I am only just learning ARM assembly (come from an x86/game-hacking background) so I could be wrong, but I don't see the QFPROM_OEM_CONFIG address reference anywhere in the fastboot portion of the bootloader. Just in the Secure Boot 3.0 verification codepath.
 
What section of the assembly code for the aboot is for fastboot? I have seen commands referenced, but I believe I have just found the reference strings.
 