
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

Actually, here's a list:
MS770
AS870
VS870
MS870
LG870
LW770
LS860
AS780
US780 -Unreleased phone
P870
P875
F260 -released in Korea...maybe it has an unlocked bootloader? Currently downloading this firmware.
Any version of LG Optimus F7/F5/F3
VS950 That's msm8660, LG did a typo......
F200
LS720 -Unreleased
VM720 -Unreleased

I'm probably still missing a bunch of phones in this list.
 
it may be able to be ported to the Motion

I have tried to decompile the aboot to understandable code, but failed.

If you guys want Loki, I would suggest you ask Bliss very nicely if he would consider doing it, if a Motion was donated plus some type of bounty, and only ask him once, and do not have a bunch of people nag him and stuff. He is a very cool person, but he probably gets thousands of requests per day to root phones and unlock boot loaders, and he is a very busy person with his company and personal life.

He may not do it at all, and if not that is OK, because he has already contributed so much to the Android community with all his root exploits and boot loader unlocks, we all owe him our thanks for what he has already done.

If he does not wish to help, I think the first thing we should do is decompile aboot to readable code. I have tried and failed, but maybe someone with more experience than me with IDA Pro with Hex-Rays can get this accomplished.


I have had recent correspondence with him, and although he has looked at the LG bootloader, he does not intend to work on it at this time.
 
Looking at the code omgbossis21 posted a few days ago, is it possible that secure boot is enabled ONLY when the qfuse is at 0x20, and not just anything above 0x0? If it could be anything above 0x0, it seems strange that they would just "choose" to use 0x20, instead of just 0x1. If someone is willing to test it, PM me and I will guide you through blowing a qfuse. I am not responsible for any damages.
 

And Bliss would have to add support for each one of these devices, with each firmware update to Loki to have support, hence why he said too many devices and not worth the time.

Obviously I don't speak for him, but he asked that the SGS4 bounty be donated to the Red Cross, and that was over a grand. My point is money isn't the best way to motivate him. He is a super smart guy and very cool. I consider myself very lucky to be one of the few people he trusts.
 
Zeest, the fuse is blown, so changing it won't help. It is highly possible that another qfuse determines the unlock option, like the Motorola. We either determine the TrustZone location like the Moto trick did and overwrite the memory address, or use the Loki trick, but we need an IDA Pro for that.
 
It is blown, but we can blow it higher. What if the bootloader ONLY reads 0x20 as locked, and, for example, 0x21 is not equal to 0x20, so it decides that secure boot is disabled. At the same time, it could be that it checks for 0x0 as unlocked, in which case any value would enable secure boot.
 
Has anyone checked why it is that removing Google Play Movies gives us that morning error and it freezes at bootup?
 
Whoever locked the bootloader knows that the common rooter will try to delete bloat instead of freezing or disabling an app, which a regular user wouldn't be able to do. That's my thoughts.
 


I may have been wrong about what I said. I just tried writing 0x21 to 700310 and it did not change. I could have sworn that I was able to increment other fuses for some reason.


C:\adb>adb shell
root@android:/ # wallpaper -framework
wallpaper -framework
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number? 4
4

04. TrustZone QFPROM Test
------------------------------------------------------------------
Please Select? [read or write] : read
read
------------------------------------------------------------------
Please Read QFPROM Address [HEX] : 0x700310
700310
------------------------------------------------------------------
Read QFPROM Address : 0x700310
Read QFPROM Value [LSB] [MSB] : 0x20 0x0
------------------------------------------------------------------
------------------------------------------------------------------
TrustZone QFPROM Test Successful
------------------------------------------------------------------
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number? 4
4

04. TrustZone QFPROM Test
------------------------------------------------------------------
Please Select? [read or write] : write
write
------------------------------------------------------------------
Please Write QFPROM Address [HEX] : 0x700310
700310
Please enter Write value LSB ? [HEX] : 0x21
21
Please enter Write value MSB ? [HEX] : 0x0
0
------------------------------------------------------------------
Write QFPROM Address : 0x700310
Write QFPROM Value [LSB] [MSB] : 0x20 0x0
------------------------------------------------------------------
------------------------------------------------------------------
TrustZone QFPROM Test Successful
------------------------------------------------------------------
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number? 4
4

04. TrustZone QFPROM Test
------------------------------------------------------------------
Please Select? [read or write] : read
read
------------------------------------------------------------------
Please Read QFPROM Address [HEX] : 0x700310
700310
------------------------------------------------------------------
Read QFPROM Address : 0x700310
Read QFPROM Value [LSB] [MSB] : 0x20 0x0
------------------------------------------------------------------
------------------------------------------------------------------
TrustZone QFPROM Test Successful
------------------------------------------------------------------
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number? 4
4

04. TrustZone QFPROM Test
------------------------------------------------------------------
Please Select? [read or write] : write
write
------------------------------------------------------------------
Please Write QFPROM Address [HEX] : 0x700310
700310
Please enter Write value LSB ? [HEX] : 0x22
22
Please enter Write value MSB ? [HEX] : 0x0
0
------------------------------------------------------------------
Write QFPROM Address : 0x700310
Write QFPROM Value [LSB] [MSB] : 0x20 0x0
------------------------------------------------------------------
------------------------------------------------------------------
TrustZone QFPROM Test Successful
------------------------------------------------------------------
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number? 4
4

04. TrustZone QFPROM Test
------------------------------------------------------------------
Please Select? [read or write] : read
read
------------------------------------------------------------------
Please Read QFPROM Address [HEX] : 0x700310
700310
------------------------------------------------------------------
Read QFPROM Address : 0x700310
Read QFPROM Value [LSB] [MSB] : 0x20 0x0
------------------------------------------------------------------
------------------------------------------------------------------
TrustZone QFPROM Test Successful
------------------------------------------------------------------
------------------------------------------------------------------
Welcome Security Framework!!

01. Error Dispaly Test
02. Application Certificate Test
03. Crypto Library Test
04. TrustZone QFPROM Test
05. TrustZone SFS Test
06. TrustZone H/W Crypto Engine Test
exit -To exit this test application
------------------------------------------------------------------

Please enter Test number?
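
As an added example (not part of the original post or of the LG tool): a small Python parser for session output like the one above that compares each requested write with the value the tool echoes back, since the transcript prints "Test Successful" even though 0x700310 stays at 0x20. The sample log is a constructed, trimmed copy of that session, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the prompts and echoes in the session above.
SAMPLE = """\
Read QFPROM Address : 0x700310
Read QFPROM Value [LSB] [MSB] : 0x20 0x0
TrustZone QFPROM Test Successful
Please enter Write value LSB ? [HEX] : 0x21
Please enter Write value MSB ? [HEX] : 0x0
Write QFPROM Address : 0x700310
Write QFPROM Value [LSB] [MSB] : 0x20 0x0
TrustZone QFPROM Test Successful
Read QFPROM Address : 0x700310
Read QFPROM Value [LSB] [MSB] : 0x20 0x0
TrustZone QFPROM Test Successful
"""

HEX = r"(0x[0-9a-fA-F]+)"
REQ = re.compile(r"Please enter Write value (LSB|MSB) \? \[HEX\] : " + HEX)
ADDR = re.compile(r"(Read|Write) QFPROM Address : " + HEX)
VAL = re.compile(r"(Read|Write) QFPROM Value \[LSB\] \[MSB\] : " + HEX + " " + HEX)

def audit(log):
    """Return one record per operation; writes carry requested vs. echoed value."""
    ops, req, addr = [], {}, None
    for line in log.splitlines():
        line = line.strip()
        if m := REQ.search(line):          # value typed at the prompt
            req[m.group(1)] = int(m.group(2), 16)
        elif m := ADDR.match(line):        # address the tool acted on
            addr = int(m.group(2), 16)
        elif m := VAL.match(line):         # value the tool reports afterwards
            got = (int(m.group(2), 16), int(m.group(3), 16))
            op = {"op": m.group(1).lower(), "addr": addr, "value": got}
            if op["op"] == "write":
                op["requested"] = (req.get("LSB"), req.get("MSB"))
                op["took_effect"] = op["requested"] == got
                req = {}
            ops.append(op)
        elif "Test Successful" in line and ops:
            ops[-1]["tool_status"] = "successful"
    return ops

def silent_failures(ops):
    """Writes the tool called successful although the echoed value differs."""
    return [o for o in ops if o["op"] == "write"
            and o.get("tool_status") == "successful" and not o["took_effect"]]
```

Running `silent_failures(audit(text))` over a saved session lists every write whose status line cannot be trusted; the read-back value is the only reliable evidence of what the fuse row holds.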
 
How would I go about checking on where a symlink calls? They are all visible in ksymall; some phones hide them with another module. It also lists their addresses. Mainly interested in the trust zones and qfprom symlink.
Edit: also came across this link. It's not for our phone, but the idea is pretty simple: a module that overrides our cpufreq tables, allowing real-time overclocking. Must be set again on reboot, but this may be plausible.
 

your condition is a result of your choices
 
Wallpaper won't change any qfuse values I tried. With that said, the qfprom write command is qfused and the values differ from the config file...
 
Aboot may not disassemble well with IDA, but wallpaper does. As far as the qfprom framework commands go, all qfprom tests check the parameters in sys/devices/platform/lge-msm8960-qfprom.
 


I definitely wrote to some qfuses with wallpaper, but they were at zero, and I changed them to 22, then to 33.

Maybe the ones that are factory blown cannot be changed.

What we want is to decompile to C, which is more understandable than assembler code.
 