
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

Any takers?


Well, I read through the IRC log you posted and also the pastie that IOMonster_work linked to (written by jonasl of XDA)

#5348883 - Pastie

I started to look through the misc partition image I have with a hex editor

There is not a lot of stuff in there, but trying to figure out what it is for does not seem like it would be too easy
 
Misc is literally just a giant file of information, literally just the hex code, not a compiled program or anything. The other parts of the system link to it using an offset and length system for data retrieval.
 
:confused:

Well, I am unbelievably happy that you guys are on our team with this. It all goes way beyond my knowledge gained from YouTube tutorials.
 
It boot looped because of the netd file that was replaced; you could have got your system booting again by pushing the original netd file back.
FWIW I replaced their netd with ours and it still boot looped. I tried changing the unsecure boot script to reflect services on our Motion, replaced their boot ramdisk with ours, and replaced recovery ramdisk with one made from our recovery built on Jenkins. Seems like we've got to figure out where in the chain we must hijack the process to keep it from noticing and resetting the device.
 

I played around with this thing a few months ago, so my memory is not too clear on it,

but the way I remember it working was that it renamed the current netd file to netd.bin and then copied in its own netd file, which is an sh script.

I may be wrong on that one.
 

Well, I can verify that jonasl was right about the fastboot oem unlock:

that did not work.

Also, the entire aboot partition is not sig checked. I was able to add stuff to the end of the file, so I guess it is just checking the first part of it.

I tried adding an unlock cert to the last 1024 bytes; the phone still booted fine, but it was not unlocked.


grr
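One way to make "it only checks the first part" concrete, as an added example that is not code from the thread or from freegee: parse the boot-image header and report which byte ranges the signature actually covers. This assumes the aboot image starts with the 40-byte Qualcomm MBN header (ten little-endian u32 fields; the field names follow the public LK header) and that the hash covers the header plus code_size bytes; whether a particular device also hashes the header is an assumption here. The sample image, its load address (0x8F600000) and its contents are constructed for the demo, not taken from a real aboot.

```python
"""Which bytes of an MBN-style aboot image does the signature cover?

Added example, not from the thread. Assumes the image begins with the
40-byte MBN boot-image header (ten little-endian u32 fields) and that
the signed digest covers header + code_size bytes.  Anything past
header + image_size is not referenced by the header at all.
"""
import hashlib
import struct

MBN_HEADER_FMT = "<10I"
MBN_HEADER_LEN = struct.calcsize(MBN_HEADER_FMT)  # 40 bytes

FIELDS = ("image_id", "header_vsn_num", "image_src", "image_dest_ptr",
          "image_size", "code_size", "signature_ptr", "signature_size",
          "cert_chain_ptr", "cert_chain_size")


def parse_mbn_header(image: bytes) -> dict:
    """Unpack the header and sanity-check image_size = code + sig + certs."""
    if len(image) < MBN_HEADER_LEN:
        raise ValueError("image shorter than MBN header")
    hdr = dict(zip(FIELDS, struct.unpack(MBN_HEADER_FMT, image[:MBN_HEADER_LEN])))
    expected = hdr["code_size"] + hdr["signature_size"] + hdr["cert_chain_size"]
    if hdr["image_size"] != expected:
        raise ValueError(f"image_size {hdr['image_size']} != code+sig+certs {expected}")
    return hdr


def regions(image: bytes) -> dict:
    """File byte ranges [start, end) of each part, plus any unreferenced tail."""
    hdr = parse_mbn_header(image)
    code_start = MBN_HEADER_LEN
    sig_start = code_start + hdr["code_size"]
    cert_start = sig_start + hdr["signature_size"]
    end = cert_start + hdr["cert_chain_size"]
    return {
        "header": (0, MBN_HEADER_LEN),
        "code": (code_start, sig_start),
        "signature": (sig_start, cert_start),
        "cert_chain": (cert_start, end),
        "unreferenced_tail": (end, len(image)),
    }


def signature_covers(image: bytes, offset: int) -> bool:
    """True if a byte at `offset` is inside the (assumed) signed span."""
    r = regions(image)
    return r["header"][0] <= offset < r["code"][1]


def signed_digest(image: bytes) -> str:
    """SHA-256 over the assumed signed span (header + code)."""
    return hashlib.sha256(image[: regions(image)["code"][1]]).hexdigest()


def build_sample(code: bytes, sig: bytes, certs: bytes) -> bytes:
    """Constructed sample image; load address 0x8F600000 is made up for the demo."""
    dest = 0x8F600000
    hdr = struct.pack(MBN_HEADER_FMT, 5, 3, 0, dest,
                      len(code) + len(sig) + len(certs), len(code),
                      dest + len(code), len(sig),
                      dest + len(code) + len(sig), len(certs))
    return hdr + code + sig + certs


# Constructed: 64 bytes of "code", 32-byte "signature", 48-byte "cert chain".
SAMPLE = build_sample(b"\xe7\xff\xde\xf0" * 16, b"\x11" * 32, b"\x22" * 48)

if __name__ == "__main__":
    padded = SAMPLE + b"\x00" * 1024          # image padded out like a partition dump
    for name, span in regions(padded).items():
        print(f"{name:18s} {span[0]:#08x}-{span[1]:#08x}")
    print("digest unchanged by appending:", signed_digest(SAMPLE) == signed_digest(padded))
```

Run against a real dump, the "unreferenced_tail" range is where bytes can be appended without disturbing the signed digest, which is consistent with what was observed above; bytes written there are also never read by the header, which is the other half of why an appended cert does nothing.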
 
# alright, let's do this as safely as possible.
# $VARIANT is expected to be set before this point (not shown in this excerpt) and picks the device-specific images.
# nuke boot and recovery first, that way if we get interrupted, you still get fastboot
echo "Erasing recovery and boot..."
echo "out of space errors are normal, dont worry about those."
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/boot
echo ""
# time to install our new bootloader!
echo "Erasing bootloader, and installing new one..."
dd if=/dev/zero of=/dev/block/platform/msm_sdcc.1/by-name/aboot
dd if=/data/local/tmp/freegee-working/aboot-$VARIANT-freegee.img of=/dev/block/platform/msm_sdcc.1/by-name/aboot
echo ""
# now, let's put in our recovery and boot.imgs
echo "Installing CWM and modified boot image for stock ROM..."
dd if=/data/local/tmp/freegee-working/recovery-$VARIANT-freegee.img of=/dev/block/platform/msm_sdcc.1/by-name/recovery
dd if=/data/local/tmp/freegee-working/boot-$VARIANT-freegee.img of=/dev/block/platform/msm_sdcc.1/by-name/boot

I saw in a thread that there's a phone to be released similar to the Motion, but I don't remember what it was. There was little to no info about it at the time I read it.


They wipe recovery and aboot.
 
Yeah, then they replace them with unlocked ones. This is the same thing I am trying to do, maybe a little different. If anyone knows any programmers, can you ask them about ASM (assembly language), and if they know it, point them to this thread please? Also, my email: chrisvanderjagt@yahoo.com

I think I found someone: Geko from www.electro-tech-online.com.

I just googled "someone who knows ASM" and came across this: http://www.electro-tech-online.com/...ows-asm-please-add-something-prog-please.html. Posts 2, 4, and 6 show he clearly knows about ASM. He is online now, I think....

Sent from my potato
 
Hi zeest, I admire your dedication to this, but could you explain what you are trying to accomplish with ASM?
With ASM, we can find where the bootloader looks in the misc file for the flag telling it whether or not to check for a certificate. We change this flag to 0 to disable it; we can now flash ROMs ;) (in theory)
 


OK, thanks.

I was taking a look at the Optimus G bootloader unlock method "freegee"

and nothing in any of the scripts does anything with the misc partition

I know they want to keep secret how they did it, but I am pretty sure they are just using a new bootloader, either from a similar phone, or maybe someone had access to an engineering/development model that they pulled the aboot from

I know that IO_Monster is knowledgeable, and what he told you on IRC is good information, but did you tell him that our phone has the MSM8960L and that it uses "Secure Boot 3.0"

The only reason I ask is that I am not sure if Secure Boot 3.0 uses the misc partition.

Either way the more we learn the better, and if we have a de-compiled aboot to look at we may learn something critical

I am not so sure that you need ASM to decompile the aboot; I think you can do it with IDA Pro, just like jonasl did.



My misc partition is mostly 0s or Fs, but there is some data there.

here is a condensed version of what is found in my misc partition

00000800 42 53 50 20 46 6F 72 65 76 65 72 00 00 00 00 00 BSP Forever.....
00001000 06 00 00 00 A1 11 F0 88 04 00 00 00 A1 11 F0 88 ....
 

What they did with the Optimus was much, much more complicated than what I am willing to do. They completely reassembled it from scratch, exactly the same, except leaving out the check. IOMonster had me use some commands in fastboot; he said the results were the same as with their phone, along with the error message when trying to flash, etc. LG probably didn't feel like making a new bootloader and just based them off each other/Secure Boot.

IDA = Interactive DisAssembler = assembly.
I am working on using IDA right now. I must be doing something wrong though, as I am only getting nonsense, repetitive code that does absolutely nothing. Also, I have sent an email to jonasl asking for his assistance.
 
 
If anyone is able to get our aboot properly disassembled (I can't seem to get it to disassemble properly), would they mind uploading it for me somewhere? Pseudocode or C would be even better than ASM, but I'll settle for either.
 
What they did with the Optimus was much, much more complicated than what I am willing to do. They completely reassembled it from scratch, exactly the same, except leaving out the check.

I did a bit of research on this, and I am going to have to agree with what Shabby has stated in post 414 about the Nexus 4, not that I ever doubted him, I just wanted to check for myself since there were 2 people saying 2 different things.

So they did not re-assemble from scratch, they just got very lucky.

I do not think we will have the same luck
 
BSP = Binary Space Partitioning? That's a weird string to have in a data/reference file. I am going to assume the 0 is equivalent to binary 0, and F is equivalent to binary 1.

I am not sure if that is what the BSP means

hex 0 = binary 0 = decimal 0
hex F = binary 1111 = decimal 15

When a file is filled with 0s or Fs its usually just empty space or padding

That is why I did not include it all; it would have taken up too much space, and there is no important info in it.

I posted all the data, and the offsets that it was located at so that someone can look at it quickly and see if the data makes any sense to them, because most of it makes no sense to me
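A small tool for the kind of condensed dump posted above, as an added example that is not code from the thread: it scans a raw partition image, skips every 16-byte line that is pure 0x00 or 0xFF filler, prints the survivors in the same offset/hex/ASCII layout, and shows each line as little-endian 32-bit words. The sample image is constructed here to resemble the two lines posted (the 0xFF block at the end is made up); the words are printed as numbers only, and no meaning is attached to them.

```python
"""Find the non-padding lines in a misc partition image.

Added example, not from the thread.  Raw partition dumps are mostly
0x00 or 0xFF filler; only lines containing anything else are reported.
"""
import struct

LINE = 16


def is_padding(chunk: bytes) -> bool:
    """True for a line that is entirely 0x00 or entirely 0xFF."""
    return chunk == b"\x00" * len(chunk) or chunk == b"\xff" * len(chunk)


def find_data_lines(image: bytes):
    """Return [(offset, line_bytes), ...] for every 16-byte line that is not padding."""
    found = []
    for off in range(0, len(image), LINE):
        chunk = image[off:off + LINE]
        if not is_padding(chunk):
            found.append((off, bytes(chunk)))
    return found


def hexdump_line(offset: int, chunk: bytes) -> str:
    """Format one line as '00000800 42 53 ... BSP Forever.....' (8-hex offset, hex, ASCII)."""
    hexpart = " ".join(f"{b:02X}" for b in chunk)
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{offset:08X} {hexpart:<{LINE * 3 - 1}} {ascii_part}"


def as_u32le(chunk: bytes):
    """View a line as little-endian u32 words (a trailing partial word is ignored)."""
    n = len(chunk) // 4
    return list(struct.unpack(f"<{n}I", chunk[:n * 4]))


def build_sample_misc(size: int = 0x2000) -> bytes:
    """Constructed sample: zero-filled, a 0xFF block, and two lines like those posted."""
    img = bytearray(size)
    img[0x1800:0x2000] = b"\xff" * 0x800                      # made-up 0xFF filler region
    img[0x800:0x810] = b"BSP Forever".ljust(LINE, b"\x00")    # as in the posted dump
    img[0x1000:0x1010] = bytes.fromhex("06000000A111F08804000000A111F088")
    return bytes(img)


if __name__ == "__main__":
    for off, chunk in find_data_lines(build_sample_misc()):
        print(hexdump_line(off, chunk), [hex(w) for w in as_u32le(chunk)])
```

To use it on a real dump, replace build_sample_misc() with open("misc.img", "rb").read(); the u32 view is just one way of looking at the bytes and says nothing about what they mean.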
 