
[Root] Root this phone without needing MSL (maybe)

giantpune

Android Enthusiast
As I understand it, we only need the MSL from our phone to get to the menu to enable the "DIAG" mode (as far as rooting it is concerned). I think I have got us a way to get to that screen now without needing the MSL. I have it working on my device which was already rooted, but I believe it should be working on a stock device.

Can somebody think of another place we need this MSL besides entering the menu that I have forgotten about? And if not, is there somebody that has not been able to get the MSL or just wants to help verify if this method works?

EDIT:
Here's a video for installation and running of the app.
http://www.youtube.com/watch?v=pWcyxjhn_mc
 
Ok. Thanks for the info. I'll keep poking around with it then. This same little bypass allows editing all the menus that usually are asking for the MSL along with the Diag mode. I'm guessing that somewhere in all this the MSL is waiting for us to find it.
 
Ok, so I think I see a way to get the phone to print the MSL over adb or something like that. But it involves messing with some possibly important system files that I'm not really comfortable doing without a solid recovery. This is the section of the phone stuff where it gives you a dialog to enter your code, then it compares the value you entered against a known string and if it doesn't match, it checks to see if you have already attempted and if so, it will reboot the phone. My plan is to patch the bit around line 217 where it creates the toast message to display the actual MSL code instead of their hardcoded message.

So, I guess for now I'm not going to mess with it because I'm liking this phone and don't want to kill it. But once we get a dummy-resistant recovery method, I'll be more liberal about what I do with it. If there is somebody else out here that is braver than myself and tries this, I'd like to hear the results.

Code:
.class com/lge/SprintHiddenMenu/sprintspec/RTN$2
.super java/lang/Object
.source RTN.java
.implements android/text/TextWatcher

.enclosing method com/onListItemClick(Landroid/widget/ListView;Landroid/view/View;IJ)V
.field final this$0 Lcom/lge/SprintHiddenMenu/sprintspec/RTN;

.method <init>(Lcom/lge/SprintHiddenMenu/sprintspec/RTN;)V
.limit registers 2
; this: v0 (Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)
; parameter[0] : v1 (Lcom/lge/SprintHiddenMenu/sprintspec/RTN;)
.line 161
	iput-object	v1,v0,com/lge/SprintHiddenMenu/sprintspec/RTN$2.this$0 Lcom/lge/SprintHiddenMenu/sprintspec/RTN;
	invoke-direct	{v0},java/lang/Object/<init>	; <init>()V
	return-void	
.end method

.method public afterTextChanged(Landroid/text/Editable;)V
.limit registers 7
; this: v5 (Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)
; parameter[0] : v6 (Landroid/text/Editable;)
	const/4	v4,6
	const/4	v3,2
	const/4	v2,0
.line 163
	invoke-interface	{v6},android/text/Editable/length	; length()I
	move-result	v0
	if-ne	v0,v4,l1df60
	invoke-virtual	{v6},java/lang/Object/toString	; toString()Ljava/lang/String;
	move-result-object	v0
	invoke-static	{},com/lge/SprintHiddenMenu/sprintspec/RTN/access$300	; access$300()Ljava/lang/String;
	nop	
	move-result-object	v1
	invoke-virtual	{v0,v1},java/lang/String/equals	; equals(Ljava/lang/Object;)Z
	move-result	v0
	if-eqz	v0,l1df60
.line 164
	new-instance	v0,android/app/AlertDialog$Builder
	iget-object	v1,v5,com/lge/SprintHiddenMenu/sprintspec/RTN$2.this$0 Lcom/lge/SprintHiddenMenu/sprintspec/RTN;
	invoke-direct	{v0,v1},android/app/AlertDialog$Builder/<init>	; <init>(Landroid/content/Context;)V
	const	v1,2131230939	; 0x7f0800db
	invoke-virtual	{v0,v1},android/app/AlertDialog$Builder/setTitle	; setTitle(I)Landroid/app/AlertDialog$Builder;
	move-result-object	v0
	const	v1,2131230940	; 0x7f0800dc
	invoke-virtual	{v0,v1},android/app/AlertDialog$Builder/setMessage	; setMessage(I)Landroid/app/AlertDialog$Builder;
	move-result-object	v0
	const	v1,2131230852	; 0x7f080084
	new-instance	v2,com/lge/SprintHiddenMenu/sprintspec/RTN$2$2
	invoke-direct	{v2,v5},com/lge/SprintHiddenMenu/sprintspec/RTN$2$2/<init>	; <init>(Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)V
	invoke-virtual	{v0,v1,v2},android/app/AlertDialog$Builder/setPositiveButton	; setPositiveButton(ILandroid/content/DialogInterface$OnClickListener;)Landroid/app/AlertDialog$Builder;
	move-result-object	v0
	const	v1,2131230853	; 0x7f080085
	new-instance	v2,com/lge/SprintHiddenMenu/sprintspec/RTN$2$1
	invoke-direct	{v2,v5},com/lge/SprintHiddenMenu/sprintspec/RTN$2$1/<init>	; <init>(Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)V
	invoke-virtual	{v0,v1,v2},android/app/AlertDialog$Builder/setNegativeButton	; setNegativeButton(ILandroid/content/DialogInterface$OnClickListener;)Landroid/app/AlertDialog$Builder;
	move-result-object	v0
	invoke-virtual	{v0},android/app/AlertDialog$Builder/show	; show()Landroid/app/AlertDialog;
.line 195
	invoke-interface	{v6},android/text/Editable/clear	; clear()V
.line 196
	invoke-static	{},com/lge/SprintHiddenMenu/sprintspec/RTN/access$500	; access$500()Landroid/app/Dialog;
	nop	
	move-result-object	v0
	invoke-virtual	{v0},android/app/Dialog/dismiss	; dismiss()V
l1df5e:
.line 221
	return-void	
l1df60:
.line 198
	invoke-interface	{v6},android/text/Editable/length	; length()I
	move-result	v0
	if-ne	v0,v4,l1df5e
	invoke-virtual	{v6},java/lang/Object/toString	; toString()Ljava/lang/String;
	move-result-object	v0
	invoke-static	{},com/lge/SprintHiddenMenu/sprintspec/RTN/access$300	; access$300()Ljava/lang/String;
	nop	
	move-result-object	v1
	invoke-virtual	{v0,v1},java/lang/String/equals	; equals(Ljava/lang/Object;)Z
	move-result	v0
	if-nez	v0,l1df5e
.line 205
	sget	v0,com/sprint/util/HiddenMenu.spcErrCnt I
	add-int/lit8	v0,v0,1
	sput	v0,com/sprint/util/HiddenMenu.spcErrCnt I
.line 206
	sget	v0,com/sprint/util/HiddenMenu.spcErrCnt I
	if-lt	v0,v3,l1dfc8
.line 208
	invoke-interface	{v6},android/text/Editable/clear	; clear()V
.line 209
	iget-object	v0,v5,com/lge/SprintHiddenMenu/sprintspec/RTN$2.this$0 Lcom/lge/SprintHiddenMenu/sprintspec/RTN;
	const-string	v1,"Excess SPC failure,Phone will power off."
	invoke-static	{v0,v1,v2},android/widget/Toast/makeText	; makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
	move-result-object	v0
	invoke-virtual	{v0},android/widget/Toast/show	; show()V
.line 211
	invoke-static	{v3},com/android/lge/lgsvcitems/LgSvcCmd/onSendOprtMode	; onSendOprtMode(I)Z
.line 212
	const/4	v0,7
	invoke-static	{v0},com/android/lge/lgsvcitems/LgSvcCmd/onSendOprtMode	; onSendOprtMode(I)Z
	goto	l1df5e
l1dfc8:
.line 216
	invoke-interface	{v6},android/text/Editable/clear	; clear()V
.line 217
	iget-object	v0,v5,com/lge/SprintHiddenMenu/sprintspec/RTN$2.this$0 Lcom/lge/SprintHiddenMenu/sprintspec/RTN;
	const-string	v1,"Error security code.Please try again"
	invoke-static	{v0,v1,v2},android/widget/Toast/makeText	; makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
	move-result-object	v0
	invoke-virtual	{v0},android/widget/Toast/show	; show()V
	goto	l1df5e
.end method

.method public beforeTextChanged(Ljava/lang/CharSequence;III)V
.limit registers 5
; this: v0 (Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)
; parameter[0] : v1 (Ljava/lang/CharSequence;)
; parameter[1] : v2 (I)
; parameter[2] : v3 (I)
; parameter[3] : v4 (I)
.line 224
	return-void	
.end method

.method public onTextChanged(Ljava/lang/CharSequence;III)V
.limit registers 5
; this: v0 (Lcom/lge/SprintHiddenMenu/sprintspec/RTN$2;)
; parameter[0] : v1 (Ljava/lang/CharSequence;)
; parameter[1] : v2 (I)
; parameter[2] : v3 (I)
; parameter[3] : v4 (I)
.line 227
	return-void	
.end method
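To make the lockout logic in the disassembly above easier to follow, here is its branch structure rewritten as plain C. This is an added illustration, not code from the thread or from the LG app; the accepted code "000000" is a constructed placeholder for whatever RTN.access$300() returns, and the "device" actions are reduced to return values.

```c
/*
 * Added example, not code from the thread or from the LG app: a plain-C model
 * of the branch structure of RTN$2.afterTextChanged() as read from the
 * disassembly above, so the lockout logic can be followed without tracing
 * Dalvik registers. The accepted code is a constructed stand-in for the
 * string returned by RTN.access$300().
 */
#include <stdio.h>
#include <string.h>

#define SPC_LEN        6   /* const/4 v4,6 : if-ne v0,v4 -> nothing happens      */
#define SPC_MAX_ERRORS 2   /* const/4 v3,2 : if-lt spcErrCnt,v3 -> "try again"   */

/* Mirrors the static field com/sprint/util/HiddenMenu.spcErrCnt: it lives for
 * the whole process and this method never resets it, not even on success. */
static int spc_err_cnt = 0;

/* Constructed placeholder for the string returned by RTN.access$300(). */
static const char *known_spc = "000000";

typedef enum {
    SPC_IGNORED,    /* input is not exactly 6 characters: both paths just return  */
    SPC_ACCEPTED,   /* .line 164-196: dialog shown, input cleared, menu dismissed */
    SPC_RETRY,      /* .line 216-217: toast "Error security code.Please try again"*/
    SPC_POWER_OFF   /* .line 208-212: toast, onSendOprtMode(2), onSendOprtMode(7) */
} spc_outcome;

/* Model of afterTextChanged(Editable): returns what the handler would do. */
spc_outcome spc_after_text_changed(const char *entered)
{
    if (strlen(entered) != SPC_LEN)          /* .line 163 and again at .line 198 */
        return SPC_IGNORED;

    if (strcmp(entered, known_spc) == 0)     /* String.equals(), .line 163        */
        return SPC_ACCEPTED;                 /* note: spc_err_cnt is left as is   */

    spc_err_cnt++;                           /* .line 205                         */
    if (spc_err_cnt >= SPC_MAX_ERRORS)       /* .line 206: if-lt not taken        */
        return SPC_POWER_OFF;                /* second wrong code in this process */
    return SPC_RETRY;                        /* .line 216                         */
}

int spc_error_count(void) { return spc_err_cnt; }

/* Test helper only: the phone has no equivalent reset in this class. */
void spc_reset_model(void) { spc_err_cnt = 0; }

int main(void)
{
    static const char *names[] = { "ignored", "accepted", "retry", "power off" };
    const char *inputs[] = { "12345", "111111", "000000", "222222" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        spc_outcome o = spc_after_text_changed(inputs[i]);
        printf("%-7s -> %-9s (spcErrCnt=%d)\n", inputs[i], names[o], spc_error_count());
    }
    return 0;
}
```

The walk-through shows the two points the prose glosses over: a power-off is triggered by the second wrong entry of the process, not a reboot after "an attempt", and a correct entry in between does not clear the counter.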
 
What about with aLogcat https://play.google.com/store/apps/...t#?t=W251bGwsMSwxLDEsIm9yZy5qdGIuYWxvZ2NhdCJd after installing your apps? I read there was a way to see the MSL with aLogcat on other phones but didn't work on this one, but maybe with your apps installed it will show it? Just a thought.
 
I already tried looking at the logcat. The msl was only printed there in some cases because the sprint/lg people left in one line of debugging text. But apparently they are able to read the internet and they saw that somebody found that and they removed that debug text sometime before our phone left the factory.

But that is basically my idea. The first idea is to put that debug text back in. But in order to create a call to Log.e(), it takes you 3 lines:
Code:
	const-string	v0,"LG_HIDDEN_DATA"
	const-string	v1,"get phone Failed"
	invoke-static	{v0,v1},android/util/Log/e	; e(Ljava/lang/String;Ljava/lang/String;)I
and you also have to go through the trouble of reading that log. I'm thinking that patching this call to the toast system can be done by changing 1 line, which means not having to add any lines, which may simplify things. And toast messages show up right on the screen, so you won't need logcat to read it.
 
Ok, I have managed to get my phone to spit out its MSL in plain text without needing root. The process I used requires that the phone is tossed into diag mode, which we can do with the method I used in the first post. But there is no modification needed to the phone's system files at all.

I actually stumbled onto this accidentally while trying to do something else, so the method is not refined at all. Basically all you need to do is sniff your USB traffic while you connect LGNPST to your phone. That's it - I was sniffing the traffic while LGNPST.exe was running and plugged in my phone to the usb cable. In the 2 or 3 seconds it takes the program to initialize your phone and stuff, it sends several hundred packets and one of them contains your MSL in plain text. The packet containing the MSL is (obviously) sent from the phone to the computer, and it is the only packet in the whole transaction that is 103 bytes.

This wireshark filter seems to hide most of the traffic except for 2 of them. And the one that is 103 bytes is the one with the MSL in it, starting at 0x44 within the packet.
Code:
frame contains "Jan 16 2012"

I'm going to see if I can clean this method up a bit, but for now, anybody with the ability to sniff the usb traffic can get their code.
 
So I spent a couple hours and whipped up a minimalist USB driver for our phone using libusb-1.0. It supports a basic init of the phone while in Diag Mode, and then issues some commands that are sent from the LG software, and coaxes the phone to spit out its MSL. So far, it's only tested on my phone and under linux. It may require fixing some of the hardcoded values, but we won't know until that issue comes up.

The program itself takes about 3 seconds or less to run and spit out the MSL, and it's working 100% of the time ( at least for me :P ).

http://pastie.org/private/4o9lwhdfjrs4danttq5ghq

As far as getting into the DIAG Mode without first having the MSL, what I did was create an apk with the permission "com.lge.permission.SPRINTHIDDEN". And in the apk, I run the shell command "am start -n com.lge.SprintHiddenMenu/.sprintspec.DIAG".

So, here's the whole rundown, assuming you are using *buntu
1) Either create your own .apk as I described, or you can try mine. Download LG_Diag.tar.gz from Sendspace.com - send big files the easy way.
2) Enable the Diag mode on your phone
3) Compile the code for the minimal driver/MSL dumper. It needs libusb-1.0, libpthread, and librt dev packages which are all in the package manager.
4) Plug your phone into your computer.
5) Run the MSL dumper and hope it works. If it doesn't, and you really want to help, you can provide some usb dumps and I'll see if I can find the issue.
6) Disable the DIAG mode on your phone when you're done with it. It creates quite a bit of overhead.
 
I spent another couple hours today working on figuring out their USB protocol. This time, I focused on the download mode. I was successful in adding in support to my little driver for the stuff you can do with that QPST Memory Debug tool -

detect a phone in download mode
read the baseband version
get a list of available memory including filenames, addresses, sizes, and descriptions
dump the memory
reset the phone out of the download mode

Anybody that spent days on end messing with that stupid QPST trying to get it to create proper dumps may appreciate some of the stuff I learned. First, the program says that 3 of the files are mandatory, and it will always dump those, which are combined over 512MiB. However, this is only a limitation of that program. I have dumped only the ebi0_cs0.bin file several times in a row now without any of the other 'mandatory' ones and it works fine. I am also able to dump the 'recommended' memory regions without having to dump the 'mandatory' ones.

Second, the phone lets you dump only chunks of certain regions. QPST is dumping the entire 521 MiB in many small 0xff0 byte chunks (each one is just under 4KiB). I am able to select one of these chunks at random and read it fine. It means that you don't need to dump the full 256MiB section if you only want to look at 1 single spot.

Third, there is some performance issue with the QPST. My average time to dump a full 256MiB region is now only 1:05. With the QPST, each one took like 3 - 5 minutes and you were forced to do them both.

Fourth, the issue with getting all the 0x00 and 0xff chunks when dumping the ram has absolutely nothing at all to do with the driver or the program. Installing them again and again, running the program as administrator, and taking ownership of the .dlls will have no effect whatsoever. This is its very own driver, and I am running it under linux so it completely takes QPST and its dlls out of the equation and I can still get those 'messed up' dumps. Whether or not I get useful information in the dumps depends entirely on how I put the phone into download mode. I have verified that several times with consistent results.
 
Also, I think it is entirely possible to flash this phone without ever having to get the MSL. I have looked at how LGNPST does all its dirty work. The commands it sends to flash the phone are very straight forward, so it isn't rocket science to send those commands from our own program and simply never ask the end user for the MSL code. However, I don't plan on trying to write any code which flashes my phone without a reliable method to fix the phone when I forget some little detail and brick the thing. Honestly, my butthole still puckers up just flashing the phone so I can log the usb traffic in the first place.

Once we get a bulletier-proofier recovery method, or a decent supply of phones which we can brick without consequence then we could use this code to at least create an automated FW flasher and fully ditch the qualcomm/LG software.
 
Ok, I have got my program cleaned up and it appears to be working. The code is available here optimus1337 - Tool to messing with my LG Optimus Elite - Google Project Hosting and requires the ($ free) Qt SDK to build. There are some screenshots on the project site that show some of what it can do so far, which include

- switching the phone between download and diag mode
- getting the list of memory regions
- dumping complete regions
- dumping arbitrary memory regions and showing the contents without an external hex editor
 
Alright, I have a new development. I have found a chmod exploit in the LG/sprint code. Using this exploit, I am able to chmod "/data" to 0666, which is supposed to give write access to everybody. But for some reason, I still cannot create a "/data/local.prop" file. Does anybody have any suggestions for another file/directory to make writable that we may use to get a root adb shell?

I tried "/default.prop", but it doesn't work. This file is owned by root/root, while "/data" is owned by 1000/1000. So it looks like the kernel module that is doing the chmodding is running as 1000 (system).


After some tinkering around, I have successfully gained a root adb shell using the ole chmod. So, I am thinking that now we have a method to root the phone which doesn't require flashing a whole firmware, getting the MSL, and should work on both Sprint and VM models. If there is anybody out there who wouldn't mind messing with adb shell a bit, I would like to check this out on another phone and work out any kinks.
 
I'll do it. Ubuntu 12.0.4 here. I still haven't been able to root it so I'd love it if a non-flashing root could be acquired :D HOW IN THE HELL DID YOU GET CHMOD TO GIVE YOU ADB SHELL ROOT?!?! I've been messing with it for days and I can't get any combination of chmods to give it to me. And no combination of sudo, sudo -i, su or adb root has made a difference for me. Very nice job with that :)
 
I have included a binary built for 64bit linux, and the source code is available for other platforms. The readme should be pretty correct with the commands needed. If you find a part that doesn't work, let me know and I'll try to correct it. Download rootIt.tar.gz from Sendspace.com - send big files the easy way

I was also staring at this for a couple days. Then last night I started implementing some more parts of their Diag driver in the project linked in post #16. I was basically reading the source code for the kernel module and writing the PC side which would talk to it. I found several bugs which could be exploited, but most of them would have been quite a job to turn into a working exploit. Then this morning, I started reading "/kernel/arch/arm/mach-msm/lge/lge_diag_icd.c". And lo and behold, right there on line 1041 was a big fat chmod( ..., 0666 ). In "/init.target.rc" on the phone, they create a directory belonging to shell. And then line 1023 in lge_diag_icd.c is where they create that file and then chmod it not far afterwards.
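The bug class behind that chmod( ..., 0666 ) is worth seeing in isolation: a privileged component creating a file inside a directory that a less-privileged user owns, then changing the mode by path name. The following is an added userland C sketch, not code from the thread or from the LG kernel module; the symlink scenario is my assumption about how such a chmod gets redirected (the post does not say how /data ended up 0666), and all paths are constructed scratch files under /tmp.

```c
/*
 * Added example, not code from the thread or from the LG kernel module: a
 * userland C sketch of the pattern the post describes (a privileged component
 * creates a file inside a directory owned by a less-privileged user and then
 * chmod()s it to 0666), beside a hardened version. Paths are constructed
 * scratch files under /tmp; nothing here touches a phone.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shape of the bug: every step is keyed on the path name. Whoever owns the
 * directory can make "path" name something else (a symlink to an unrelated
 * file) before chmod() runs, and chmod() follows symlinks, so the 0666 lands
 * on that other file instead. */
int create_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, 0666);
}

/* Hardened form: never reuse an existing entry, never follow a link, check
 * what was actually opened, and change the mode through our own descriptor. */
int create_safe(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                         /* EEXIST/ELOOP: something was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Permission bits of a path, or -1 if it cannot be stat()ed. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Runs both versions against a planted symlink in a scratch directory.
 * Returns 0 when the unsafe version is seen retargeting the chmod and the
 * hardened version refuses the link yet still creates a fresh 0666 file. */
int demo(void)
{
    char dir[] = "/tmp/diag_demo_XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char private_file[PATH_MAX], planted[PATH_MAX], fresh[PATH_MAX];
    snprintf(private_file, sizeof private_file, "%s/private", dir);
    snprintf(planted, sizeof planted, "%s/img.raw", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.raw", dir);

    int rc = 0;
    int fd = open(private_file, O_WRONLY | O_CREAT, 0600);   /* the unrelated file */
    if (fd < 0 || symlink(private_file, planted) != 0)
        rc = 1;
    if (fd >= 0)
        close(fd);

    if (rc == 0 && !(create_unsafe(planted) == 0 && mode_of(private_file) == 0666))
        rc = 2;                            /* unsafe: 0666 landed on "private" */
    if (rc == 0 && chmod(private_file, 0600) != 0)
        rc = 3;                            /* restore before the second run */
    if (rc == 0 && (create_safe(planted, 0666) == 0 || mode_of(private_file) != 0600))
        rc = 4;                            /* hardened: refused, "private" untouched */
    if (rc == 0 && (create_safe(fresh, 0666) != 0 || mode_of(fresh) != 0666))
        rc = 5;                            /* hardened: still works on a clean name */

    unlink(fresh); unlink(planted); unlink(private_file); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    if (rc == 0)
        puts("create_safe(): planted link refused, fresh file created 0666");
    else
        printf("demo failed at step %d\n", rc);
    return rc;
}
```

The fix that matters is the switch from chmod(path) to fchmod(fd) on a descriptor opened with O_EXCL | O_NOFOLLOW; a kernel-side caller would apply the same rule by operating on the file it just created rather than re-resolving the name.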
 
This
 
Can you cd to that directory? It should still work, as that /init.target.rc creates that directory and gives ownership of it to shell (2000).

Also, they have some helper program installed on the phone. When you run it, it creates a file in that folder belonging to you. You can run that program and see if it creates the raw dump.

Code:
$ ls -l /data/img
$ /system/bin/slate_screencap
$ ls -l /data/img
-------r-x shell    shell      614400 2012-07-20 17:51 img.raw


EDIT:
Nevermind, it looks like they didn't deem you cool enough to own the stat program. This is something that got installed by busybox. I was just assuming that it came with android. That "Permission denied" error happens when you try to run a program which is not installed.

Code:
$ stat `which stat`
  File: '/system/bin/stat' -> '/system/bin/busybox'
  Size: 19              Blocks: 0          IO Block: 4096   symbolic link
Device: b30ch/45836d    Inode: 1203        Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/ UNKNOWN)   Gid: (    0/ UNKNOWN)
Access: 2012-07-05 04:31:09.000000000
Modify: 2012-07-05 04:31:09.000000000
Change: 2012-07-05 04:31:09.000000000

$ poopie
poopie: permission denied
 
Kay, I was able to get all that taken care of. Now I'm at the step 3, where I have to make it. What exactly do you mean? I ran ./Makefile and it said permission denied. Then I ran make and it popped up with this "/home/hayden/Desktop/rootIt/source/main.cpp:32:20: fatal error: libusb.h: No such file or directory
compilation terminated.
make[1]: *** [main.o] Error 1
make: *** [build] Error 2
root@hayden-RS780:/home/hayden/Desktop/rootIt#"

Sorry, I'm a noob.
 
That is meant to be used on a PC, not on android. It creates a program called "lgoeExploit" which runs on your computer and talks to the phone in a similar fashion as adb. On *buntu, I think you can install the required packages with
Code:
sudo apt-get install build-essential libusb-1.0.0-dev
and then cd to the directory which contains my makefile and type
Code:
make
 
Wow. I'm stupid. Well, I did that, it popped out the one thing all good, and I was able to do the rest of the steps, up until the reboot. I rebooted it, and when I did it went into a boot loop. And for some reason, adb can't detect it. At all. What now?
 