
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

Oh, didn't know that, I thought we were just getting an error before we are even able to flash it.

unfortunately no :/

That's the secure boot screen that AFAIK first appeared on the LG P700, and has since been on every new LG device. Earlier attempts were done via dd and writing directly to the partition, which would throw the same error. It's why the work towards a bootstrap CWM began.

I'm fairly confident once I get my Motion I can get bootstrap working on it, which would mean at least a form of recovery. I would however like to find this "wallpaper" and see if we couldn't use it to better suit our own needs. Obviously the stock boot.img calls for it during boot, why not have it run init.d scripts? Then you could enjoy things like the supercharger script etc.
 
Exactly, and we can then bypass the security. I'm running a full scan for any file called "wallpaper" on my phone right now, I have a feeling they changed the name though.

EDIT:
Yep, all I got is wallpaper_land.png and wallpaper.png, which means I now get to decompile and comb through a ton of apks/scripts looking for this thing.
 
The security used in the boot loader is called "Secure Boot 3.0"

It is a security feature of Qualcomm/Code Aurora Forum's "Little Kernel" and each MSM CPU is a bit different. It is found in the CAF sources in bootable/bootloader/lk

It seems LG is taking this code and adding their own to it ("their utility we see if we unbrick"), especially this file bootable/bootloader/lk/app/aboot/aboot.c

aboot is not the only boot loader, but it is the one that checks to see if the kernel needs/has a correct signature.

The other boot loaders are sbl1 sbl2 sbl3 maybe more

When those load they check the qfuses to see if security is enforced, you can use the utility viewmem to see this, if you have pushed it to your xbin folder


C:\adb>adb shell
shell@android:/ $ su
su
shell@android:/ # viewmem 0x706000 0x100 |hexdump -C
viewmem 0x706000 0x100 |hexdump -C
[INFO] Reading 256 bytes at 0x706000...
00000000 00 00 00 00 a1 00 20 00 00 00 00 00 01 00 40 7e |...... .......@~|
00000010 67 5d 00 00 00 10 20 00 00 00 00 00 80 00 00 00 |g].... .........|
00000020 00 60 00 00 00 00 f8 1b 00 00 00 00 00 00 31 00 |.`............1.|
00000030 00 00 00 00 0f 00 00 00 20 01 00 00 00 01 00 00 |........ .......|
00000040 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 |................|
*
000000a0 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 43 00 00 00 00 00 00 00 |........C.......|
000000d0 00 00 00 00 00 00 00 00 55 34 d2 ef 88 00 00 00 |........U4......|
000000e0 e1 10 6b 40 00 00 31 00 00 00 00 00 01 00 00 00 |..k@..1.........|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100
shell@android:/ #

That is from my LG Motion, so since that qfuse, that 20 that I highlighted in red, is set to 20 it means secured boot is enforced, which means the signatures for sbl1, sbl2, sbl3 are checked

I think what would need to be done, is set that 20 to 00 somehow, modify sbl3 so it does not sig check aboot, modify aboot so that it does not sig check boot.img/recovery.img

or

Figure out what Private key LG is using and figure out how to sign the boot.img and recovery.img

or

Keep nagging LG to release a boot loader that does not require sigs, this is probably going to be the only way to get this done the boot loader way

or

The 2nd init / recovery strap does not rely on the bootloaders, but is not really a true recovery

I have no clue how to do this, and I am not even sure if what I said in this post is 100 percent accurate, but this is what I was able to gather from E:V:A's informative thread over at XDA

http://forum.xda-developers.com/showthread.php?t=1856327
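The post above reads the qfuse shadow region with viewmem and pipes it through hexdump -C. The `*` line in that output is hexdump's squeeze marker (the previous row repeats until the next printed offset), so anyone comparing dumps by eye or by hand can miscount offsets. The following is an added example, not code from the thread or from LG/CAF: a small parser that rebuilds the raw 256 bytes from such a dump (expanding the `*` rows), plus helpers to read a 32-bit little-endian word, test a bit mask, list the non-zero bytes, and diff two dumps (for instance the same region read on two devices). The sample input is the dump quoted in the post; the offset and mask used in the demo (`0x04`, `0x00200000`) are placeholders, since the post's red highlight did not survive extraction and the page does not give the bit layout of the region.

```python
import re

# Constructed sample input: the `viewmem 0x706000 0x100 | hexdump -C` output
# quoted in the post above, embedded so the parser can be exercised offline.
SAMPLE_DUMP = """\
[INFO] Reading 256 bytes at 0x706000...
00000000 00 00 00 00 a1 00 20 00 00 00 00 00 01 00 40 7e |...... .......@~|
00000010 67 5d 00 00 00 10 20 00 00 00 00 00 80 00 00 00 |g].... .........|
00000020 00 60 00 00 00 00 f8 1b 00 00 00 00 00 00 31 00 |.`............1.|
00000030 00 00 00 00 0f 00 00 00 20 01 00 00 00 01 00 00 |........ .......|
00000040 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 |................|
*
000000a0 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 43 00 00 00 00 00 00 00 |........C.......|
000000d0 00 00 00 00 00 00 00 00 55 34 d2 ef 88 00 00 00 |........U4......|
000000e0 e1 10 6b 40 00 00 31 00 00 00 00 00 01 00 00 00 |..k@..1.........|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100
"""

# One hexdump -C data row: 8-digit offset, 1..16 byte pairs, optional |ascii| column.
ROW_RE = re.compile(r"^([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{2}){1,16})(?:\s+\|.*)?$")
TOTAL_RE = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from `hexdump -C` output.

    A line consisting of `*` means the previous row repeats until the next
    printed offset; the final offset-only line states the total length.
    Lines that are neither (e.g. the viewmem [INFO] banner) are ignored.
    """
    data = bytearray()
    last_row = b""
    squeezed = False

    def fill_to(target: int) -> None:
        nonlocal squeezed
        if squeezed:
            if not last_row:
                raise ValueError("'*' seen before any data row")
            while len(data) < target:
                data.extend(last_row)
            squeezed = False
        if len(data) != target:
            raise ValueError(f"offset {target:#x} but {len(data):#x} bytes parsed so far")

    for raw in text.splitlines():
        line = raw.strip()
        if line == "*":
            squeezed = True
            continue
        m = ROW_RE.match(line)
        if m:
            fill_to(int(m.group(1), 16))
            row = bytes.fromhex("".join(m.group(2).split()))
            data.extend(row)
            last_row = row
        elif TOTAL_RE.match(line):
            fill_to(int(line, 16))
    return bytes(data)


def word_le(blob: bytes, offset: int) -> int:
    """32-bit little-endian word at `offset` (MSM registers are 32-bit)."""
    return int.from_bytes(blob[offset:offset + 4], "little")


def flag_set(blob: bytes, offset: int, mask: int) -> bool:
    """True if any bit of `mask` is set in the word at `offset`."""
    return bool(word_le(blob, offset) & mask)


def nonzero_bytes(blob: bytes) -> dict:
    """Offsets of every non-zero byte: shows which fields carry any value."""
    return {i: b for i, b in enumerate(blob) if b}


def diff_dumps(a: bytes, b: bytes) -> list:
    """(offset, byte_a, byte_b) for every position where two dumps differ."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    blob = parse_hexdump(SAMPLE_DUMP)
    print(f"parsed {len(blob)} bytes; {len(nonzero_bytes(blob))} non-zero")
    for off, val in nonzero_bytes(blob).items():
        print(f"  {off:#05x}: {val:#04x}")
    # Placeholder offset/mask: the page does not say which 0x20 byte or bit
    # the author meant, so this only demonstrates the mechanism.
    print("bit 21 of word @0x04 set:", flag_set(blob, 0x04, 0x00200000))
```

Run it as-is to get the expanded byte map of the quoted dump; to compare two phones, feed each device's hexdump text to `parse_hexdump` and pass the results to `diff_dumps`, which avoids the offset-counting mistakes that the squeezed `*` rows invite.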
 
ok, I'm talking to a couple guys from project Codefire (the team that unlocked the Optimus G) and one of them said that our phone might be open for a similar exploit. I have found wallpaper and am currently working on bypassing it.
 
:D

Sent from my potato
 
Ok, next problem. Deleting our recovery causes a factory reset which happens instantly, taking no time at all. I think it's time to modify the recovery partition now.
 
Cool :D I got a $50 MasterCard gift card for an early Christmas present. If I can get 100 more, I can buy a Motion :D hopefully we get this thing unlocked soon. If not, I'll be willing to test whatever when I get a Motion.
 
I downloaded the project freegee, and was looking and the aboot files it has, and it is for the MSM8960, so it is very possible that this will work
 
Plus our phone has more security, urrg. Modified boot.img to remove wallpaper, got the security error :/ time to unpack the bootloader.

EDIT:
Well, android kitchen can't unpack aboot, which is where it appears the problem is :/ Purged wallpaper from recovery, didn't give me any problem during a reboot, did the same with boot, got the error. Any ideas?
 
Well, I found these all near each other in our bootloader.

Device UnLock ... READ_UNLOCK_DEVICE_CERTIFICATE .. UNLOCK_DEVICE_AUTHENTICATION ... BACKDOOR

So, my guesses: LG has an unlock tool they are keeping from us, they have a certificate they put somewhere in boot.img to bypass the security check, or ... key combinations?
What I'm going to try: Get the security check to lock me out again, then key combinations, every one in existence.
 
Well, key combos didn't work


I'm going to try replacing that immediately after I restore my firmware/root. Will post back when done.


EDIT:
Oh, never mind. I thought that was simply a hex dump of aboot
 
Just wanted to let you guys know, I found this in our recovery. Hoping someone will know what to do with those, maybe they are the keys that the boot or aboot or something is signed with? Also, just downloaded our phone's kernel source, hopefully that will help as well.
 
There are public keys and private keys

We would need the private key, which will not be found on the phone, may be leaked by some disgruntled LG employee

Even if I did have the key I am not sure how to generate the sig and attach it to the boot.img/recovery.img
 
I am pretty sure that is a shadow of some of the memory that is inside the CPU chip

E:V:A mentioned there may be some type of qfuse reader / writer, most of the stuff in his thread was way over my head
 
Does anyone, anyone at all, know someone at LG? I've been trying everything I can think of, but until I hear back from someone at codefire, I'm at a standstill.
Also, can anyone explain what the 2ndinit is, if it is on our phone, and where I can find it?
 
it is not packed, it is called "Little Kernel" but it really is not like the regular kernel, that is packed with a ramdisk

I have tried compiling my own aboot from the CAF source. I did one without changing anything, then I went and changed a "1" to a "0" in the aboot.c files and compiled again. Afterwards I compared the two compiled files and there were a lot of differences, and all I did was change one little thing
 