
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

It has something to do with the kernel your phone uses. Our phone returns the same.

@zimlocks: Looking at the decompiled aboot, I think you may be right. I found the strings for oem unlock, oem device-lock, and oem device-info, and as far as I can tell, they simply return.

Now this is interesting, and I will be spending some time looking at this:

Code:
ROM:00030BAC aRead_modem_ima DCB "READ_MODEM_IMAGE_CERTIFICATE",0
ROM:00030BC9                 DCB    0
ROM:00030BCA                 DCB    0
ROM:00030BCB                 DCB    0
ROM:00030BCC aRead_applicati DCB "READ_APPLICATION_CERTIFICATE",0
ROM:00030BE9                 DCB    0
ROM:00030BEA                 DCB    0
ROM:00030BEB                 DCB    0
ROM:00030BEC aRead_boot_cert DCB "READ_BOOT_CERTIFICATE",0
ROM:00030C02 ; ---------------------------------------------------------------------------
ROM:00030C02                 MOVS    R0, R0
ROM:00030C02 ; ---------------------------------------------------------------------------
ROM:00030C04 aRead_oemboot1_ DCB "READ_OEMBOOT1_CERTIFICATE",0
ROM:00030C1E ; ---------------------------------------------------------------------------
ROM:00030C1E                 MOVS    R0, R0
ROM:00030C1E ; ---------------------------------------------------------------------------
ROM:00030C20 aRead_unlock_de DCB "READ_UNLOCK_DEVICE_CERTIFICATE",0
ROM:00030C3F                 DCB    0
ROM:00030C40 aModme_image_au DCB "MODME_IMAGE_AUTHENTICATION",0
ROM:00030C5B                 DCB    0
ROM:00030C5C aApplication_im DCB "APPLICATION_IMAGE_AUTHENTICATION",0
ROM:00030C7D                 DCB    0
ROM:00030C7E                 DCB    0
ROM:00030C7F                 DCB    0
ROM:00030C80 aBoot_image_aut DCB "BOOT_IMAGE_AUTHENTICATION",0
ROM:00030C9A                 DCB    0
ROM:00030C9B                 DCB    0
ROM:00030C9C aOemboot1_image DCB "OEMBOOT1_IMAGE_AUTHENTICATION",0
ROM:00030CBA                 DCB    0
ROM:00030CBB                 DCB    0
ROM:00030CBC aUnlock_device_ DCB "UNLOCK_DEVICE_AUTHENTICATION",0
ROM:00030CD9                 DCB    0
ROM:00030CDA                 DCB    0
ROM:00030CDB                 DCB    0
ROM:00030CDC aAnti_rollback  DCB "ANTI_ROLLBACK",0
ROM:00030CEA ; ---------------------------------------------------------------------------
ROM:00030CEA                 MOVS    R0, R0
ROM:00030CEA ; ---------------------------------------------------------------------------
ROM:00030CEC aBackdoor       DCB "BACKDOOR",0
 
Now compare that with our secure certificates. Fastboot getvar all didn't even do anything for me. I was hoping for a bit of bootloader info out of it.
 
Which secure certificates? Does anyone know how to pull info from a specific address in our phone's memory? aboot references outside locations quite often, and it would really help if I could get a look at what they are.
 
This is what I get:

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rich>adb devices
List of devices attached
M931-33975fb8   device


C:\Documents and Settings\Rich>adb reboot bootloader

C:\Documents and Settings\Rich>fastboot oem unlock
...
OKAY [  0.000s]
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar all
all:
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar kernel
kernel: lk
finished. total time: 0.000s

C:\Documents and Settings\Rich>

Which firmware are you running?? Cuz adb reboot bootloader would always just reboot the device and not go into fastboot for me... O.o
 
This is what I get:

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rich>adb devices
List of devices attached
M931-33975fb8   device   <--------------------


C:\Documents and Settings\Rich>adb reboot bootloader

C:\Documents and Settings\Rich>fastboot oem unlock
...
OKAY [  0.000s]
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar all
all:
finished. total time: 0.000s

C:\Documents and Settings\Rich>fastboot getvar kernel
kernel: lk
finished. total time: 0.000s

C:\Documents and Settings\Rich>

Huawei Premia.
 
Yeah yeah I know.... Keeping an eye on you misfits to try unlocking my phone LOL... We share the same chipset, so there must be something I can use here or vice versa.

Fine, I'll leave :rolleyes:

Oh wait....

<----- I have a Motion I have yet to unlock, I'm still gonna stalk y'all :D

eh, we don't have the crayons Huawei does, so prolly no help at all. lol ;)
 
The PBL ("Primary Bootloader"), which resides in mask ROM, verifies the integrity of the SBL1 ("Secondary Bootloader") via a SHA1 hash. Each stage of the boot chain verifies the next stage using RSA signatures.

Well, there is the "LG" signature we have all been hoping for.
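The chain of trust quoted above, modelled as an added example (this is not code from the thread, from LG or from Qualcomm): a mask-ROM stage checks a pinned SHA1 digest of SBL1, and every later stage checks an RSA signature over the next image plus an anti-rollback version floor before handing over control. Textbook RSA over a SHA-256 digest with demo-sized 512-bit keys is an assumption made so the block runs on the standard library alone; the stage names sbl2/aboot/boot, their bodies and the version floor are constructed for the demo. The last case shows what the ANTI_ROLLBACK string in the listing would control if it were enforced: the same validly signed, older aboot boots when the floor check is skipped and is refused when it is on.

```python
"""Toy model of a PBL -> SBL1 -> SBL2 -> aboot -> boot chain of trust.
Added example, not vendor code. Textbook RSA and small keys: not PKCS#1."""
import hashlib
import math
import random

random.seed(1)  # deterministic demo keys


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with a little trial division in front."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). Demo-sized; real signing keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def signed_payload(stage):
    """Name and version are bound into the signature so an image can't be re-labelled."""
    return stage["name"].encode() + b"\0" + stage["version"].to_bytes(4, "big") + stage["body"]


def make_stage(name, body, version, priv):
    stage = {"name": name, "body": body, "version": version, "sig": 0}
    stage["sig"] = rsa_sign(priv, signed_payload(stage))
    return stage


def boot_chain(chain, pbl_sbl1_sha1, pub, floor, enforce_rollback=True):
    """Walk the chain the way each stage would. Returns (stages booted, failure reason or None)."""
    booted = []
    sbl1 = chain[0]
    if hashlib.sha1(sbl1["body"]).digest() != pbl_sbl1_sha1:  # PBL -> SBL1: pinned hash only
        return booted, "PBL: SBL1 hash mismatch"
    booted.append(sbl1["name"])
    for prev, cur in zip(chain, chain[1:]):  # every later hop: RSA signature + version floor
        if not rsa_verify(pub, signed_payload(cur), cur["sig"]):
            return booted, f"{prev['name']}: bad signature on {cur['name']}"
        if enforce_rollback and cur["version"] < floor.get(cur["name"], 0):
            return booted, f"{prev['name']}: {cur['name']} v{cur['version']} below floor"
        booted.append(cur["name"])
    return booted, None


def demo():
    """Good chain, tampered aboot, and a rolled-back aboot with and without enforcement."""
    pub, priv = rsa_keygen()
    sbl1 = {"name": "sbl1", "body": b"SBL1 image (constructed)", "version": 1, "sig": 0}
    anchor = hashlib.sha1(sbl1["body"]).digest()  # what the PBL would carry in ROM
    good = [sbl1,
            make_stage("sbl2", b"SBL2 image (constructed)", 3, priv),
            make_stage("aboot", b"aboot image (constructed)", 2, priv),
            make_stage("boot", b"kernel image (constructed)", 7, priv)]
    floor = {"sbl2": 3, "aboot": 2, "boot": 7}
    results = {"good": boot_chain(good, anchor, pub, floor)}
    tampered = [dict(s) for s in good]  # flip bytes in aboot after it was signed
    tampered[2]["body"] = tampered[2]["body"].replace(b"aboot", b"ab00t")
    results["tampered"] = boot_chain(tampered, anchor, pub, floor)
    rolled = list(good)  # an older aboot, validly signed, below the floor of 2
    rolled[2] = make_stage("aboot", b"older aboot (constructed)", 1, priv)
    results["rollback_enforced"] = boot_chain(rolled, anchor, pub, floor)
    results["rollback_ignored"] = boot_chain(rolled, anchor, pub, floor, enforce_rollback=False)
    return results


if __name__ == "__main__":
    for case, (booted, why) in demo().items():
        print(f"{case:18} booted={booted} {why or 'OK'}")
```

The point of binding the name and version into the signed payload is that a signature over the body alone would let an old, genuinely signed aboot be presented as the current one; the version floor only helps if it is actually compared, which is the knob the "decided not to" remark later in the thread is about.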
 
An excerpt from the LG bootloader discussion group-

"Ok gentlemen, moving on to Qfuses! Oh.... Wait. I'll be right back" :D

 

It looks like they could prevent rolling back to older firmware, but decided not to. I wonder why?

Questions, guys:
are all the bootloaders for the Motion the same md5sum-wise? If not, they had to have applied something to make them different, maybe patching it to prevent unlocking. If so, a side-by-side comparison will reveal the new strings or fixed strings, wouldn't it? If that's not the case, what makes them different?
 
Maybe added security, patching possible exploits. This is why I have been using version C for all my work. If we can get A/B, I would be using that one.
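The side-by-side comparison suggested above, as an added example that is not from the thread and does not use real Motion dumps: hash each image, find the first byte where they diverge, and diff the printable strings (the same kind of extraction that produced the IDA listing earlier) so that an added, removed or relocated command string stands out. The two blobs, their header and string tables are constructed for the demo and say nothing about what actually differs between the A/B/C bootloaders.

```python
"""Compare two dumped bootloader images by hash, first differing byte and string table.
Added example; the images below are constructed, not real aboot dumps."""
import hashlib
import re

MIN_LEN = 6  # like `strings -n 6`


def image_digests(blob):
    return {"md5": hashlib.md5(blob).hexdigest(), "sha256": hashlib.sha256(blob).hexdigest()}


def extract_strings(blob, min_len=MIN_LEN):
    """{string: [offsets]} for runs of printable ASCII, like `strings -t x`."""
    found = {}
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.setdefault(m.group().decode("ascii"), []).append(m.start())
    return found


def first_difference(a, b):
    """Offset of the first differing byte, or None if the images are identical."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_images(a, b):
    sa, sb = extract_strings(a), extract_strings(b)
    return {
        "identical": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "first_diff_offset": first_difference(a, b),
        "removed": sorted(set(sa) - set(sb)),          # strings only in the first image
        "added": sorted(set(sb) - set(sa)),            # strings only in the second
        "moved": sorted(s for s in set(sa) & set(sb) if sa[s] != sb[s]),  # same text, new offset
    }


def build_image(strings, header=b"ABOOT-DEMO\x00", pad_to=512):
    """Constructed stand-in for a dumped aboot: header, NUL-separated string table, binary filler.
    The filler steps by 37 mod 256, so it never forms a printable run of MIN_LEN or more."""
    body = header + b"".join(s.encode() + b"\x00" for s in strings)
    return body + bytes((i * 37) & 0xFF for i in range(pad_to - len(body)))


# Constructed "version A" and "version C"; the only deliberate change is one extra string.
VERSION_A = build_image(["fastboot", "oem unlock", "oem device-info",
                         "READ_BOOT_CERTIFICATE", "ANTI_ROLLBACK"])
VERSION_C = build_image(["fastboot", "oem unlock", "oem device-info",
                         "READ_BOOT_CERTIFICATE", "UNLOCK_DEVICE_AUTHENTICATION", "ANTI_ROLLBACK"])


if __name__ == "__main__":
    for name, blob in (("A", VERSION_A), ("C", VERSION_C)):
        print(name, image_digests(blob)["md5"])
    report = compare_images(VERSION_A, VERSION_C)
    for key, value in report.items():
        print(f"{key:18} {value}")
```

On real dumps, run this on the aboot partition of each firmware version after pulling it with dd; a non-empty "moved" list with an empty "added"/"removed" list means the table was shifted rather than patched, while a string that appears only in the later version is the first thing to look at in the disassembler.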
 