
Root Tried to port Loki and failed

hroark13

Android Expert
Recognized Developer
Hi all

So you all know djrbliss right ? If you are serious about Android development, then you should.
For you people who are new to the hobby, djrbliss is one of the Root Gods of the community, and has recently become one of the Boot Loader Gods. What this means is he has found vulnerabilities in the vendor software of a lot of phones and developed exploits to allow us to use our phones the way we want to, like loading custom ROMs, kernels, recoveries and such; without these exploits we just cannot make these changes to these phones. So we all owe him big thanks for what he has done, and the many, many, many hours of time he has spent doing it.

One of his more recent exploits is called “Loki”. Loki was designed for the Samsung Galaxy S4, to work around the locked boot loader and be able to load custom kernels and recoveries.

You can read about Loki here

Azimuth Security: Exploiting Samsung Galaxy S4 Secure Boot

and can review the Loki source code here

https://github.com/djrbliss/loki

Some people from the LG Motion community asked if he could port Loki to the LG Motion, but he is a very busy person, with his business and family, and just does not have the time to do it. I completely understand that; this hobby eats up so much time. I barely have any free time myself to be messing with Android lately, but occasionally I do.

Anyway, I asked djrbliss if he would mind if I tried to port Loki to the LG Motion, and release it if I succeeded, and he said “by all means”.

Well, I spent the weekend trying to port it, and I did not succeed. I failed, but I thought it would be a good idea to share my findings and try to explain what I did, and then maybe some of you can help, or see if I made a mistake.

After many hours of reviewing code and scratching my head while looking at a hex editor, I think I have a better understanding of this, but I do not know why it is not working.

So if it is possible to get this to work on the Motion, there are some things that I think we need to change in Dan’s loki_patch.c:

ABOOT_BASE
HDR
CHECK SIGS ADDRESS
PATTERN
PATCH

Let’s start with ABOOT_BASE, because I am pretty certain that I got this one right.

For the S4 devices bliss has

#define ABOOT_BASE 0x88dfffd8

and if we examine the Galaxy S4 (SC04) aboot.mbn with a hex editor, we will see this at the top


Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000 05 00 00 00 03 00 00 00 00 00 00 00 00 00 E0 88 ..............
 
Now let's try to figure out the HDR address, and I am really not sure if I got this right.

Here is the Galaxy S4 SC04 HDR info


.vendor = "DoCoMo",
.build = "JDQ39.SC04EOMUAMDI",
.check_sigs = 0x88e0fcd8,
.hdr = 0x88f0b2fc,

Let's search the SC04 aboot.mbn file and see what we find. Remember it is little endian, so we will search for

fcb2f088

and we find

Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00013C70 00 C3 F0 88 FC B2 F0 88 84 D0 EF 88 F0 B2 F0 88 .
 
The CHECK SIGS ADDRESS is very questionable, because our aboot file does not use the same code / function as the Galaxy S4, but there is similar code, so let's look for it.


When we boot our phone with an unsigned boot or recovery image we get the "boot certification verify" error.

Let's search for that string

Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0002F800 63 61 74 69 6F 6E 00 00 45 52 52 4F 52 3A 20 62 cation..ERROR: b
0002F810 6F 6F 74 20 63 65 72 74 69 66 69 63 61 74 69 6F oot certificatio
0002F820 6E 20 76 65 72 69 66 79 0A 00 00 00 62 6F 6F 74 n verify....boot
0002F830 20 63 65 72 74 69 66 69 63 61 74 69 6F 6E 20 76  certification v
0002F840 65 72 69 66 79 00 00 00 53 65 63 75 72 65 20 62 erify...Secure b

we find

0002F808 \ ERROR: boot certification verify

Let's add our ABOOT_BASE 0x88efffd8 and then reverse it (little endian):

0002F808 + 0x88efffd8 = 88F2F7E0

reversed = E0F7F288


Now if we search the LG Motion aboot file for E0F7F288 it is found at 0000c794


Offset   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000C790 48 F7 F2 88 E0 F7 F2 88 04 F8 F2 88 C4 F6 F2 88 H
 
My head!!
Even after being explained how this works I'm lost :(

But anyways, thanks for explaining :D
I'm really hoping someone comes around and figures this out.
 


lol

This would be easier if I could decompile the aboot, and I have tried, but I am new to this stuff, so right now I feel a bit more comfortable with a hex editor than I do with IDA.
 
So.. did it not work, or is it just unfinished?

EDIT: Also, do you have a link to the S4 aboot?

EDIT2: What is HDR?
 


It did not work, and it is not really finished either. Methinks it would be best for us to get aboot decompiled, so we have a better understanding of the code.

Here are the S4 SC04 boot files

https://dl.dropboxusercontent.com/u/40177430/SC04E/sc04e_filles.zip

hdr would be the address location in memory / RAM where the boot.img or recovery.img header should be loaded / found (I think).
 
I assume the Loki Flash has to be built with a gcc cross-compiler? I was able to get a .lok file, not sure if you also were.
 

I couldn't even pretend to understand.
Just reminds me of how little I know about anything.

I have no idea how I could help. But if you need testers and what not I'm in.
 


I have not used Loki Flash, I have just been using dd.

Here is how I have been testing

!!!!!!!WARNING YOUR DATA ON YOUR PHONE WILL BE WIPED!!!!!!!!

I have my LG Motion hooked to the USB port of my Android Build computer

The Motion is booted into 2nd-init recovery, and the external SD is set and mounted.


Open a terminal on your computer

git clone https://github.com/hroark13/loki -b MS77010f lokilgm

cd lokilgm
gcc loki_patch.c -o loki_patch_lgm
./loki_patch_lgm recovery MS77010f_bootfiles/5-aboot-f.mbn MS77010f_bootfiles/19-recovery-f.img MS77010f_bootfiles/19-recovery-f.lok
adb push MS77010f_bootfiles/19-recovery-f.lok /sdcard/
adb shell
dd if=/sdcard/19-recovery-f.lok of=/dev/block/mmcblk0p19
reboot recovery

You will get the

Secure booting error
cause : boot certification verify

but you can pull the battery and the phone will boot Android, and you can try again. But as I mentioned, your data will be wiped since you tried to boot into recovery.

 
All loki flash does is flash? Surprises me that djrbliss wrote a whole application to do this. But looking at it now, it appears to have a lot of fail-safes, which is probably why he wrote it.
 


Yes, he probably did not want people flashing the wrong .lok file to the wrong phone and bricking themselves, and then they would probably blame him.
 
Whatever modification(s) loki made to the boot image, it passed the secure boot test for me, flashed as boot, not recovery.

EDIT: Nevermind, realized I pushed it to the recovery partition and did a normal boot. I do get a secure boot error.
 
Hi hroark13, if I give you the aboot.img are you able to help get the check_sig and hdr?
I'm using LG Isai with KK with root but cannot install rec due to the aboot security check.
 