
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

Taken from a recovery log that I can't locate at the minute. My computer was unplugged while running and now the Ubuntu dual boot menu doesn't show; it just keeps rebooting. Windows detects no startup problems but it's showing it on the wrong drive, and restore went through but still nothing. Currently very unhappy.
 
Anybody got as far with IDA Pro as seeing the Android code? Did the Motorola have an aboot, or is our aboot the same as their emmc appsboot.mbn? It seems they are the same, as their fastboot unlock strings are located there and ours are in the aboot. I need it disassembled further to see what they trigger. Also our TrustZone passes the same arguments as the Motorola, in accordance with our arch/ Mach-msm/scm.c file.
 

Bliss said to me that our bootloader is nothing like Moto's, but I have a feeling it may as well be.

But yea, Moto also has aboot.
 
Thanks sammy. We don't have an emmc appsboot partition, so it's another I need to find to look further into those fastboot commands. I'm going to need a partition list from one of those Motorolas to compare with ours. I believe they're quite similar and that their secure monitor call is likely our secure monitor call. LG renamed some things and changed a few locations.
 
I think a few people have compiled kernels, but you need one with a change made to be sure it's working (i.e. kernel name/version). Also shoot angablade a PM since he is the one who claimed to have gotten kexec working. From what I can tell you could use our recovery partition to store it all.
 
Picture above. I need kernel source that has been compiled so that I can compile kexec as a module.

dl the cm10 src, copy your kernel src to android/system/kernel/lge/ and then follow instructions in the readme from the zip.

There were no edits needed to get it to compile at all, so any issues you are having are on you and how you are attempting to compile it, not the src. ;)
 
reboot with lge specific reboot command (0x%08x)
This needs to be tried......

Also this phone can be unlocked because hard reset runs this command :
device unlocked: %s
however instead of a qfuse I think lg left unlocking the bootloader to a signed certificate as various statements from a hard reset and others are :
secure boot started
error: cannot read unlock certification
error boot certification verify
Device Unlock!!!
ERROR: Could not do normal boot. Reverting to fastboot mode.
Now some fastboot commands (most we already know, but they are all recognized):
flash, erase etc. the usual +
oem unlock oem device-info oem device-lock androidboot.emmc=true androidboot.mode=--bnr_recovery (what's this?) androidboot.mode=chargerlogo androidboot.authorized_kernel=true

The Motorola was unlocked by finding a string in the emmc_appsboot.mbn, but we don't have that partition. However, a recovery error from our phone is:
Error: unable to read shared memory for apps boot info %d

However, I also found this:
security_interface_command = 0x%x result = %d
which is then followed by:
device unlock
Now in a list of device certificate read commands and image authentication commands I found this:
Read_Unlock_Device_certificate

What does all this gibberish mean (for noobs):
I suspect that if our bootloader is not qfused (though I have found many references to a qfuse, and there are some near bootloader references), a secure certificate from LG that passes the secure key will be needed to unlock (or is easiest). Sorry for the sloppy post, I'm on my way out the door.
 
If you pasted from the location in our aboot that I think you just did, it is simply a string list, meaning those lines are references, like a variable, so they didn't have to be typed out every time.
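The point above, that the pasted lines are a string table rather than logic, is easy to confirm by pulling the printable-ASCII runs out of a dump together with their offsets: message strings cluster in one region, each terminated by a NUL, and the code that references them lives elsewhere. The following is an added example written for this thread, not code from any poster or from LG; it runs on a small constructed blob embedded inline (not a real aboot image) and only extracts and filters strings, which is the first step before opening the image in a disassembler.

```python
import re

# Regex for runs of printable ASCII (space through '~'); min_len is patched in below.
_PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"


def extract_strings(blob: bytes, min_len: int = 4):
    """Return a list of (offset, text) for each printable-ASCII run of
    at least min_len bytes, in the order they appear in the blob.
    This mirrors what the `strings` tool prints, plus the offset."""
    pattern = re.compile(_PRINTABLE_RUN % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_matching(blob: bytes, keywords, min_len: int = 4):
    """Filter extracted strings to those containing any keyword (case-insensitive).
    Useful for locating the boot/unlock message table in a large dump."""
    lowered = [k.lower() for k in keywords]
    return [
        (off, text)
        for off, text in extract_strings(blob, min_len)
        if any(k in text.lower() for k in lowered)
    ]


def is_null_terminated_table(blob: bytes, min_len: int = 4) -> bool:
    """True if every extracted string is followed by a NUL byte, which is
    what a compiler-emitted C string table looks like (each entry is a
    separate literal, referenced by address from code elsewhere)."""
    for off, text in extract_strings(blob, min_len):
        end = off + len(text)
        if end >= len(blob) or blob[end] != 0:
            return False
    return True


# Constructed sample: a few header bytes, then NUL-terminated messages
# of the kind quoted in the thread, padded with junk bytes. Not a real dump.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\x03"
    + b"secure boot started\x00"
    + b"\xff\xfe"
    + b"error: cannot read unlock certification\x00"
    + b"device unlocked: %s\x00"
    + b"ab\x00"  # too short to count as a string
    + b"oem unlock\x00"
)

if __name__ == "__main__":
    for off, text in extract_strings(SAMPLE_IMAGE):
        print(f"0x{off:08x}: {text}")
    print("unlock-related:", find_matching(SAMPLE_IMAGE, ["unlock", "certif"]))
    print("looks like a string table:", is_null_terminated_table(SAMPLE_IMAGE))
```

Run against a real partition dump (`extract_strings(open("aboot.img", "rb").read())`), the offsets let you jump straight to the table in IDA and then follow cross-references back to the code that prints each message, which is the part that actually decides whether an unlock is honoured.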
 
Hey, I caught a bootloop and turned the phone off.
Right as I turned it back on I pushed back and home at the same time and pushed them many times in a row, like we do to factory reset, and it went directly into recovery!
I don't know if anyone else knew this?
 