
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

Zeest, I have unpacked, modified and repacked both the recovery and boot .img files. Repushing them and trying to boot does not throw a security error (in fastboot, reboot into the bootloader and run the fastboot OEM unlock command, which returns the okay status; I'm not sure if it matters, but I didn't test it without). I would like to build those images up with a dummy file to the same size as the stock images, in case it's failing a file size check. If you're interested, PM me; I will Dropbox you the modified ones and you could try them. Since I moved I haven't had time to get back to it.
 
You're wasting your time. :p

The Motion and all the other LG msm8960 phones use qfuses, just like the Motorola msm8960 bootloader. Once the qfuse is blown correctly, then we'll have an unlocked bootloader. The LG bootloader was made by the same company as the Moto bootloader. I'm not sure how to communicate with the QFuse, but if anyone knew, it would be candoopa, since he bricked one phone trying to unlock it by trying to blow the qfuse. If you brick by blowing the wrong qfuse, you will be perma-bricked and there is no way to undo it... so JTAG won't save you. Flashing all these other aboot files isn't going to help us.
If LG unlocked one msm8960 phone, they know that it will unlock all of them with the same tool, since they are all using qfuses. The Optimus Vu 2 has a qfuse too, but doesn't seem to check for a blown qfuse; therefore that bootloader knows that the Optimus Vu 2 is already unlocked.

The Optimus Vu 2 bootloader has these lines in different parts of the hex code (in aboot.img):
Code:
QFPROMblown
qfuse

The LG Motion has these lines in different parts of the hex code (in aboot.img):
Code:
qfprom mem alloc fail
qfprom get ftm item fail
qfprom magic string
QFPROMblown
qfuse magic not match
qfuse magic match
qfuse

I may be wrong about what I'm saying though.
 
So to me it looks like there are 3 qfuses, or maybe just two, but what I'm really trying to ask is: is all we have to do blow one of these fuses and the bootloader will be unlocked? Or is there a special way to blow one of these fuses, and then the bootloader unlocks?
 
Sure, it's most likely not gonna work, but since it's not too time consuming it may as well be tried. They are all signed along these lines:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:00:00:00:00:01:15:4b:5a:c3:94
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Validity
            Not Before: Sep  1 12:00:00 1998 GMT
            Not After : Jan 28 12:00:00 2028 GMT
        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
    Signature Algorithm: sha1WithRSAEncryption
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
 
Has anyone checked out Android Secrets? It's an app in the Play Store; it might help for unlocking the bootloader. It's pretty awesome, check it out, you'll be amazed.
 
It's been a while since I had an unlocked phone, but if I remember correctly,
phones that are unlocked have the ability to enter a recovery-type mode with a key combo at start that lets you flash update.zip on a stock phone.

I am going to assume that even if the phone was unlocked you would not get into recovery.
If you run
getprop
in a terminal, there is a flash recovery service not running.
If you can get a fresh last_kmsg after boot,
it will state that the service is disabled because install_recovery.sh is not found.
I made an empty .sh file with that name, and last_kmsg after boot no longer showed the service being disabled.
Now if we had install_recovery.sh with the proper scripting, I don't know what would happen.
But it's there; I have also seen it in other files, such as an .ini, I believe.
 
Nope, we have a recovery image; it's just set to factory reset as soon as it's booted. We'd need to flash a custom recovery to the recovery partition, and that would work if it passed the bootloader signature check. install_recovery.sh is something HTC uses: on boot-up, if you don't remove it, it reflashes stock recovery, so if you fastboot flash recovery, you can boot into recovery and it seems like everything is good, but if you didn't flash a ROM it'll go right back to stock recovery when it boots up into the stock ROM.
Also, a phone having a recovery you can flash images with has absolutely nothing to do with the bootloader being unlocked. All a locked bootloader does is check signatures, and if they aren't matching what it expects, boot fails. This is why a lot of phones end up using 2nd-init: you can flash the ROM, but if you flash a kernel you have a no-boot situation, so essentially you let the bootloader start the stock kernel, then kick it out of RAM and start the kernel you want after boot-up has started.
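Two posts in this thread invite a concrete model: the earlier one that unpacked, modified and repacked boot.img and wondered whether padding the result to the stock size would help, and the point just above that a locked bootloader only compares signatures and fails boot on a mismatch. The Python below is an added example, not code from the thread or from LG: it packs and parses the Android boot image header (v0, the layout mkbootimg writes; page size and load addresses are assumed defaults) and recomputes the header's SHA-1 "id" field. A one-byte change to the ramdisk leaves the file size identical yet changes the digest, which is why a content check, whether hash or signature, is not satisfied by matching the stock size.

```python
import hashlib
import struct

# Android boot image header v0 as mkbootimg writes it (public boot_img_hdr layout)
HDR_FMT = "<8s10I16s512s32s"   # magic, 10 x u32, name[16], cmdline[512], id[32]
MAGIC = b"ANDROID!"
PAGE = 2048                     # assumed flash page size for the demo

def _pad(blob: bytes, page: int) -> bytes:
    rem = len(blob) % page       # zero-pad a section to the next page boundary
    return blob if rem == 0 else blob + b"\0" * (page - rem)

def image_id(kernel: bytes, ramdisk: bytes, second: bytes = b"") -> bytes:
    """mkbootimg's id: SHA-1 over each section followed by its LE u32 length."""
    h = hashlib.sha1()
    for section in (kernel, ramdisk, second):
        h.update(section)
        h.update(struct.pack("<I", len(section)))
    return h.digest().ljust(32, b"\0")   # 20-byte digest in a 32-byte field

def make_boot_img(kernel: bytes, ramdisk: bytes, page: int = PAGE,
                  cmdline: bytes = b"") -> bytes:
    # load addresses are mkbootimg's defaults (base 0x10000000); unused here
    hdr = struct.pack(HDR_FMT, MAGIC, len(kernel), 0x10008000, len(ramdisk),
                      0x11000000, 0, 0x10F00000, 0x10000100, page, 0, 0,
                      b"", cmdline, image_id(kernel, ramdisk))
    return _pad(hdr, page) + _pad(kernel, page) + _pad(ramdisk, page)

def parse_boot_img(data: bytes) -> dict:
    f = struct.unpack_from(HDR_FMT, data, 0)
    if f[0] != MAGIC:
        raise ValueError("not an Android boot image")
    ksize, rsize, ssize, page = f[1], f[3], f[5], f[8]
    off = page                                   # header occupies one page
    kernel = data[off:off + ksize]
    off += len(_pad(kernel, page))
    ramdisk = data[off:off + rsize]
    off += len(_pad(ramdisk, page))
    return {"kernel": kernel, "ramdisk": ramdisk, "second": data[off:off + ssize],
            "page_size": page, "cmdline": f[12].rstrip(b"\0"), "id": f[13]}

def ramdisk_offset(data: bytes) -> int:
    p = parse_boot_img(data)
    return p["page_size"] + len(_pad(p["kernel"], p["page_size"]))

def id_matches(data: bytes) -> bool:
    """True when the stored id equals a digest recomputed over the payload."""
    p = parse_boot_img(data)
    return p["id"] == image_id(p["kernel"], p["ramdisk"], p["second"])
```

The id field is only mkbootimg's bookkeeping digest, not the signature the bootloader verifies, but both are computed over the bytes of the sections rather than over the file length.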
 
I have tried this, all it seems to do is print the current values of the phone's register and disconnect fastboot. Although the fastboot screen stays up, fastboot doesn't recognize the phone.
 
I believe that the qfuse unlock tool used for the Motorola msm8960's should work for our phone. Anyone who wants to give it a try, pm me. I would love to try it myself, but I have no money to replace my phone. Someone with a backup "development" phone/who doesn't mind the possibility of bricking their phone, please PM me!
 
I would try it, but I don't pay for Metro service so I can't get it replaced.
I already bricked one down to qhusb_dload mode. LG gladly fixed it for me free of charge.
I will receive it via FedEx tomorrow.
Only costs 16 bucks for being boxed up and one-way shipping,
but takes about 15 days from shipped to received.
 
I believe that the qfuse unlock tool used for the Motorola msm8960's should work for our phone. Anyone who wants to give it a try, pm me. I would love to try it myself, but I have no money to replace my phone. Someone with a backup "development" phone/who doesn't mind the possibility of bricking their phone, please PM me!

I do believe it's been tried and failed. ;)
 
From what I read, he was just experimenting with different qfuses, not using a method tested on another device. I have, however, PM'ed him, and am waiting for a response.
 