-
After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread
- Thread starter plasticarmyman
- Start date
-
- Tags
- lg motion 4g
brooklyn227
Well-Known Member
We buy our phones for full price, we can do what we please...... By law.
sammyz
LG Whiz Kid
Look into the permissions granted to MetroPCS hidden menu. That thing has the clearance to snap and send photos of you. For why, who knows LOL but its there
It's Uncle Sam! He's watching you
Makes me glad I'm on CM10 and hidden menus are gone.
If somebody had pictures of your child on their phone, you would want the authorities to have every piece pf evidence to fry that slimeball. Just saying.
Spdfreak34
Android Enthusiast
Wouldn't scanning my phone for illegal activity without a warrant violate my constitutional rights?
brooklyn227
Well-Known Member
That's irrelevant........ They don't, and won't as long as i'm responsible for them, but what i wouldn't want is my government local, or federal spying on me for any reason other than me committing a criminal act that they can prove before they proceed to spy on me.
omgbossis21
Android Enthusiast
IMO yes. Just like their collection of our phone data they have :-\ apparantly the government/nsa see things different and what we want as long been out of the picture.
Krlypumaa
Android Expert
law enforcement go by reasonable doubt. meaning.. if they think they hav reasons that's all a yakes.. but you r right in a way.. we can do whatever we want w/it, it longest we do not brake the law.. we are fine
but lets get back to subject.. lets get this bootloader unlock.. Shhhtttttttt
@OMGBSS21... i appreciate all ur effort...
Scorpion7867
Well-Known Member
George Orwell 1984...
DirtyDee
Android Expert
Yes it would, but chances are "terrorists" don't have rights. All they have to do is say is "terrorist activity" and "your rights" are forfeit... This may have some thing to do with the patriot act...
Purnuced Dur-Tee-Dee
This thread seems to be taking on a political discussion and lets steer clear of that here o.k.? 
Thanks!
Thanks!
omgbossis21
Android Enthusiast
0x700310 is linked to one of our qfuses. It also happens to be the one that fuses the g bootloader ;-)
omgbossis21
Android Enthusiast
Wow the optimus g bootloader is so insanely similar. I hope some are still following this b/c here comes a bombshell :
#define LGE_QFPROM_INTERFACE_NAME "lge-msm8960-qfprom"
/* service ID inside tzbsp */
#define QFPROM_SVC_ID 8
#define QFPROM_WRITE_CMD 0x3
#define QFPROM_READ_CMD 0x5
#define QFPROM_PRNG_CMD 0x7
#define QFPROM_OVERRIDE_CMD 0x8
/* qfprom read type */
#define QFPROM_ADDR_SPACE_RAW 0
#define QFPROM_ADDR_SPACE_CORR 1
#define QFPROM_CLOCK (0x40*1000)
/* QFPROM address to blow */
#define QFPROM_HW_KEY_STATUS 0x702050
#define QFPROM_SECURE_BOOT_ENABLE 0x700310
#define QFPROM_OEM_CONFIG 0x700230
#define QFPROM_DEBUG_ENABLE 0x700220
#define QFPROM_SECONDARY_HW_KEY 0x7002A0
#define QFPROM_READ_PERMISSION 0x7000A8
#define QFPROM_WRITE_PERMISSION 0x7000B0
#define QFPROM_OVERRIDE_REG 0x7060C0
#define QFPROM_CHECK_HW_KEY 0x123456
0x700310 must be blown, same qfuse as the optimus g. Most read/write commands are the same as the g (if not all, not taking time to compare right now). We must blow 0x700310 and we are unlocked :
{ QFPROM_SECURE_BOOT_ENABLE, 0x00000020, 0x00000000}, /* SECURE ENABLE */
Anybody still wondering about jtagging out device? Sorry the dubug feature is also qfused which disables jtag support :
{ QFPROM_DEBUG_ENABLE, 0xC1000000, 0x0000006F}, /* JTAG DISABLE */
I am releasing this info as to hopes someone steps in and helps out. I have countless hours and nights into the research (and endless log searching) to the work I have put into this. Before I began this I did not even know what a bootloader was but with previous programming experience and much research I have moved along. I've reached out to a few people to see if they are interested in help. Unless you know what you are doing I INSIST you do NOT attempt at this on your own. I do not have a backup phone to attempt to blow this qfuse but if metro doesn't straigten out and im stuck on this phone at 1x service till the next bill is due I will be moving on and have no issue blowing (or attempting) the qfuse on my phone. If your interested in this and believe you can help PM me and I will send you a file regarding all qfuse commands/locations etc. Im not sure how to get a donation button or Id ask somebody to buy me a beer for all this ;-)
#define LGE_QFPROM_INTERFACE_NAME "lge-msm8960-qfprom"
/* service ID inside tzbsp */
#define QFPROM_SVC_ID 8
#define QFPROM_WRITE_CMD 0x3
#define QFPROM_READ_CMD 0x5
#define QFPROM_PRNG_CMD 0x7
#define QFPROM_OVERRIDE_CMD 0x8
/* qfprom read type */
#define QFPROM_ADDR_SPACE_RAW 0
#define QFPROM_ADDR_SPACE_CORR 1
#define QFPROM_CLOCK (0x40*1000)
/* QFPROM address to blow */
#define QFPROM_HW_KEY_STATUS 0x702050
#define QFPROM_SECURE_BOOT_ENABLE 0x700310
#define QFPROM_OEM_CONFIG 0x700230
#define QFPROM_DEBUG_ENABLE 0x700220
#define QFPROM_SECONDARY_HW_KEY 0x7002A0
#define QFPROM_READ_PERMISSION 0x7000A8
#define QFPROM_WRITE_PERMISSION 0x7000B0
#define QFPROM_OVERRIDE_REG 0x7060C0
#define QFPROM_CHECK_HW_KEY 0x123456
0x700310 must be blown, same qfuse as the optimus g. Most read/write commands are the same as the g (if not all, not taking time to compare right now). We must blow 0x700310 and we are unlocked :
{ QFPROM_SECURE_BOOT_ENABLE, 0x00000020, 0x00000000}, /* SECURE ENABLE */
Anybody still wondering about jtagging out device? Sorry the dubug feature is also qfused which disables jtag support :
{ QFPROM_DEBUG_ENABLE, 0xC1000000, 0x0000006F}, /* JTAG DISABLE */
I am releasing this info as to hopes someone steps in and helps out. I have countless hours and nights into the research (and endless log searching) to the work I have put into this. Before I began this I did not even know what a bootloader was but with previous programming experience and much research I have moved along. I've reached out to a few people to see if they are interested in help. Unless you know what you are doing I INSIST you do NOT attempt at this on your own. I do not have a backup phone to attempt to blow this qfuse but if metro doesn't straigten out and im stuck on this phone at 1x service till the next bill is due I will be moving on and have no issue blowing (or attempting) the qfuse on my phone. If your interested in this and believe you can help PM me and I will send you a file regarding all qfuse commands/locations etc. Im not sure how to get a donation button or Id ask somebody to buy me a beer for all this ;-)
omgbossis21
Android Enthusiast
Also looking at free g it flashes aboot and boot. Img. Did the older .3 version flash that also or just aboot? Reason I ask is if we just flash aboot our boot. Img is not changed to be unsecure so perhaps that's why it wouldn't boot?
Yep it sure did. Guess I will unpack the boot. Img and remove security check then flash new aboot and boot. Img. First I will compare all their qfuses with our to verify but I think there's a good chance of it working.
Yep it sure did. Guess I will unpack the boot. Img and remove security check then flash new aboot and boot. Img. First I will compare all their qfuses with our to verify but I think there's a good chance of it working.
I posted some of this info a long time ago "as cretinoid"
http://androidforums.com/motion-4g-...ng-work-in-progress-thread-8.html#post5238496
and posted info on XDA about it (as hroark13)
http://forum.xda-developers.com/showthread.php?p=34772926
omgbossis21 I did not mean to be a Debbie Downer or to rain on your parade or anything.
The way the qfuse works is that you can only increment them.
If a qfuse is 00, you can change it to 01, 02 03 all the way to FF (hex)
You can never make it 00 again
So 0x700310 is set to 20, you can make it 21 - FF but you can not make it 00
and any value other than 00 basically tells it to enable secure boot, which enforces sig checking, I hope this make sense to you
The way the qfuse works is that you can only increment them.
If a qfuse is 00, you can change it to 01, 02 03 all the way to FF (hex)
You can never make it 00 again
So 0x700310 is set to 20, you can make it 21 - FF but you can not make it 00
and any value other than 00 basically tells it to enable secure boot, which enforces sig checking, I hope this make sense to you
omgbossis21
Android Enthusiast
OK I'm following you. Wish I had seen that xda thread awhile back, just bookmarked it.
sammyz
LG Whiz Kid
Well, since a blown fuse = bootloader locked and an unblown fuse = unlocked bootloader.....we will need to use loki. That's our only option.
it may be able to be ported to the Motion
I have tried to De-compile the aboot to understandable code, but failed
If you guys want Loki, I would suggest you ask Bliss very nicely if he would consider doing it, if a Motion was donated plus some type of bounty, and only ask him once, and do not have a bunch of people nag him and stuff. He is a very cool person, but he probably gets thousands of requests per day to root phones and unlock boot loaders, and he is a very busy person with his company and personal life.
He may not do it at all, and if not that is OK, because he has already contributed so much to the Android community with all his root exploits and boot loader unlocks, we all owe him our thanks for what he has already done.
If he does not wish to help, I think the first thing we should do is de-compile aboot to readable code, I have tried and failed, but maybe someone with more experience than me with IDA Pro with Hexrays, can get this accomplished
omgbossis21
Android Enthusiast
I haven't had much luck decompiling it either. Loki would likely work but its not something I can do.
sammyz
LG Whiz Kid
Yea, I asked Bliss in IRC already if he would help with loki after showing him the thread where someone is still giving a free motion away to a dev who will unlock it. He declined.
I think he's too busy to help, but if the mods are ok with starting a bounty, go for it
The bounty will have to be to unlock all LG msm8960 processor phones by making a compatible loki source to compile for them all.
It would have to show up in each forum for each and every LG phone that has the msm8960 processor. Otherwise we won't get far with making that big of a bounty. I know some phones that haven't been released yet that are also getting this processor and are still locked.
If the bounty thread is allowed to be started, I'll start listing out the list of phones that this bounty would apply to.
Yea, I asked Bliss in IRC already if he would help with loki after showing him the thread where someone is still giving a free motion away to a dev who will unlock it. He declined.
I think he's too busy to help, but if the mods are ok with starting a bounty, go for it
The bounty will have to be to unlock all LG msm8960 processor phones by making a compatible loki source to compile for them all.
It would have to show up in each forum for each and every LG phone that has the msm8960 processor. Otherwise we won't get far with making that big of a bounty. I know some phones that haven't been released yet that are also getting this processor and are still locked.
If the bounty thread is allowed to be started, I'll start listing out the list of phones that this bounty would apply to.
If he has been asked already, it is best not to bother him anymore about it.
Maybe if he sees that we are making an effort to try and do this, he will give us some pointers or something.
I am not interested in starting and maintaining a Bounty thread, but I am interested in learning how to de-compile the aboot.
I feel that if you want to reverse engineer something, you should know how it was engineered in the first place (compile an aboot)
I know how to do this and can write some instructions on it, if you guys / gals think it will help you at all
The aboot that it would make can not be used at all except for learning purposes