
Root [WIP][DEV] Custom Recovery/Bootloader unlocking Work In Progress Thread

I definitely wrote to some qfuses with wallpaper, but they were at zero, and I changed them to 22, then to 33.

Maybe the ones that are factory blown cannot be changed.

What we want is to decompile to C, which is more understandable than assembler code.


I don't believe I found a qfuse that was 00, and if I recall correctly some had a letter and a number, like c0 for example.
 
C0 would be hex for 192. In hex, 1-9 are normal, then a=10, b=11, etc. until f; then you start again at 10 (16) ... 1a (26) ... 1f (31) ... 20 (32) etc.

EDIT: and you can tell wallpaper that any location is a qfuse and it will believe you and keep your changes. Haven't checked whether they persist through a reboot though.
 
It kept none of my changes; I checked with a read after the write. I'm switching service so soon I won't hold back on testing things. I will look at which qfuses held an alphanumeric value and convert it. Thanks for the tip; I didn't pay much attention to them or think about it until I posted it.
 
Thus far I can only easily break it down like this:
Code:
const unsigned char abootto264[] = {
0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd2,
0x3f, 0xc9, 0xfa, 0x04, 0x00, 0xc9, 0x52, 0x04, 0x00, 0xc9, 0x52,
0xc6, 0x3f, 0x00, 0x01, 0x00, 0x00, 0xc9, 0x3f, 0xc6, 0x3f, 0x00,
0x18, 0x00, 0x00, 0x06, 0x00, 0x00, 0xcb, 0x25, 0x28, 0x00, 0xcb,
0x2b, 0x28, 0x00, 0xcb, 0x31, 0x28, 0x00, 0xcb, 0x37, 0x28, 0x00,
0xcb, 0x3d, 0x28, 0x00, 0xcb, 0x3d, 0x28, 0x00, 0xcb, 0x54, 0x28,
0x00, 0xcb, 0x10, 0x0f, 0x11, 0xcf, 0x0b, 0x0a, 0xe1, 0xc7, 0x05
};
That's the first 7 lines....
I have the first 500 lines or so broken down like this, but we need to know exactly what we are looking for....
edit: Here is the full aboot broken down:
https://www.dropbox.com/s/vw56lczrrayibkv/aboot.h

Also, in this, what is the 6F? { QFPROM_DEBUG_ENABLE, 0xC1000000, 0x0000006F}, /* JTAG DISABLE */
 
Qfuses have a high and a low value. No, high is not blown and low is not unblown; they are simply two values in the same qfuse. I believe the first is the high and the second is the low.
 
Part of our tz (TrustZone) partition
Code:
ROM:00009106 sub_9106                                ; CODE XREF: sub_C33C+CCp
ROM:00009106                                         ; sub_C33C+EAp
ROM:00009106
ROM:00009106 var_10          = -0x10
ROM:00009106 var_C           = -0xC
ROM:00009106 var_4           = -4
ROM:00009106
ROM:00009106                 STR.W   LR, [SP,#var_4]!
ROM:0000910A                 MOV     R12, R0
ROM:0000910C                 SUB     SP, SP, #0xC
ROM:0000910E                 MOV     R3, R2
ROM:00009110                 MOV     R0, 0xFFFFFFFC
ROM:00009114                 CMP.W   R12, #0
ROM:00009118                 MOV.W   R2, #1
ROM:0000911C                 BEQ     loc_9152
ROM:0000911E                 CMP.W   R12, #1
ROM:00009122                 BEQ     loc_913E
ROM:00009124                 CMP.W   R12, #3
ROM:00009128                 BNE     loc_9138
ROM:0000912A                 MOVS    R0, #0xC8 ; '+'
ROM:0000912C                 STR     R2, [SP,#0x10+var_10]
ROM:0000912E                 STR     R2, [SP,#0x10+var_C]
ROM:00009130                 MOV     R2, R1
ROM:00009132                 ADR     R1, (aGspiTimer+1)
ROM:00009134                 BL      sub_BB44
ROM:00009138
ROM:00009138 loc_9138                                ; CODE XREF: sub_9106+22j
ROM:00009138                 ADD     SP, SP, #0xC
ROM:0000913A                 LDR.W   PC, [SP+4+var_4],#4
ROM:0000913E ; ---------------------------------------------------------------------------
ROM:0000913E
ROM:0000913E loc_913E                                ; CODE XREF: sub_9106+1Cj
ROM:0000913E                 MOVS    R0, #0x13
ROM:00009140                 STR     R2, [SP,#0x10+var_10]
ROM:00009142                 STR     R2, [SP,#0x10+var_C]
ROM:00009144                 MOV     R2, R1
ROM:00009146                 ADR     R1, aPpiGptSecure ; "PPI GPT Secure"
ROM:00009148                 BL      sub_BB44
ROM:0000914C                 ADD     SP, SP, #0xC
ROM:0000914E                 LDR.W   PC, [SP+4+var_4],#4
ROM:00009152 ; ---------------------------------------------------------------------------
ROM:00009152
ROM:00009152 loc_9152                                ; CODE XREF: sub_9106+16j
ROM:00009152                 MOVS    R0, #0x12
ROM:00009154                 STR     R2, [SP,#0x10+var_10]
ROM:00009156                 STR     R2, [SP,#0x10+var_C]
ROM:00009158                 MOV     R2, R1
ROM:0000915A                 ADR     R1, aPpiGptNonSecur ; "PPI GPT Non Secure"
ROM:0000915C                 BL      sub_BB44
ROM:00009160                 ADD     SP, SP, #0xC
ROM:00009162                 LDR.W   PC, [SP+4+var_4],#4
ROM:00009162 ; End of function sub_9106



ROM:0000939A loc_939A                                ; CODE XREF: ROM:00009340j
ROM:0000939A                                         ; ROM:00009354j ...
ROM:0000939A                 BLX     loc_1F3D4
ROM:0000939E                 MOV     R0, R4
ROM:000093A0                 MOV     R1, R5
ROM:000093A2                 POP     {R4-R6,PC}
ROM:000093A4 ; ---------------------------------------------------------------------------
ROM:000093A4                 STR.W   LR, [SP,#-4]!
ROM:000093A8                 MOV     R12, R0
ROM:000093AA                 SUB     SP, SP, #0xC
ROM:000093AC                 MOV     R3, R2
ROM:000093AE                 MOV     R0, 0xFFFFFFFC
ROM:000093B2                 CMP.W   R12, #0
ROM:000093B6                 MOV.W   R2, #1
ROM:000093BA                 BEQ     loc_93F0
ROM:000093BC                 CMP.W   R12, #1
ROM:000093C0                 BEQ     loc_93DC
ROM:000093C2                 CMP.W   R12, #3
ROM:000093C6                 BNE     loc_93D6
ROM:000093C8                 MOVS    R0, #0xC9 ; '+'
ROM:000093CA                 STR     R2, [SP]
ROM:000093CC                 STR     R2, [SP,#4]
ROM:000093CE                 MOV     R2, R1
ROM:000093D0                 ADR     R1, aSpiWdogBark ; "SPI WDog Bark"
ROM:000093D2                 BL      sub_BB44
ROM:000093D6
ROM:000093D6 loc_93D6                                ; CODE XREF: ROM:000093C6j
ROM:000093D6                 ADD     SP, SP, #0xC
ROM:000093D8                 LDR.W   PC, [SP],#4
ROM:000093DC ; ---------------------------------------------------------------------------
ROM:000093DC
ROM:000093DC loc_93DC                                ; CODE XREF: ROM:000093C0j
ROM:000093DC                 MOVS    R0, #0x15
ROM:000093DE                 STR     R2, [SP]
ROM:000093E0                 STR     R2, [SP,#4]
ROM:000093E2                 MOV     R2, R1
ROM:000093E4                 ADR     R1, aPpiWdtSecure ; "PPI WDT Secure"
ROM:000093E6                 BL      sub_BB44
ROM:000093EA                 ADD     SP, SP, #0xC
ROM:000093EC                 LDR.W   PC, [SP],#4


ROM:000025B8 sub_25B8                                ; CODE XREF: sub_11672+34p
ROM:000025B8
ROM:000025B8 var_20          = -0x20
ROM:000025B8 var_1C          = -0x1C
ROM:000025B8
ROM:000025B8                 PUSH    {R4-R7,LR}
ROM:000025BA                 SUB     SP, SP, #0xC
ROM:000025BC                 BLX     sub_1F3E4
ROM:000025C0                 MOV.W   R4, #0
ROM:000025C4                 MOVW    R6, #0x6C6C
ROM:000025C8                 MOV.W   R5, #1
ROM:000025CC                 MOVT.W  R6, #0x2A02
ROM:000025D0                 CBZ     R0, loc_2614
ROM:000025D2                 LDRB    R0, [R6]
ROM:000025D4                 CBZ     R0, loc_25EE
ROM:000025D6                 MOVW    R2, #0x28AF
ROM:000025DA                 MOVS    R3, #0
ROM:000025DC                 MOVS    R0, #0x14
ROM:000025DE                 STR     R5, [SP,#0x20+var_20]
ROM:000025E0                 MOVT.W  R2, #0x2A00
ROM:000025E4                 STR     R5, [SP,#0x20+var_1C]
ROM:000025E6                 ADR     R1, aPpiWdtNonSec_0 ; "PPI WDT NON Secure"
ROM:000025E8                 BL      sub_BB44
ROM:000025EC                 MOV     R4, R0
ROM:000025EE
ROM:000025EE loc_25EE                                ; CODE XREF: sub_25B8+1Cj
ROM:000025EE                 MOVW    R2, #0x28F7
ROM:000025F2                 MOVS    R3, #0
ROM:000025F4                 MOVS    R0, #0xF
ROM:000025F6                 STR     R5, [SP,#0x20+var_20]
ROM:000025F8                 MOVT.W  R2, #0x2A00
ROM:000025FC                 STR     R5, [SP,#0x20+var_1C]
ROM:000025FE                 ADR     R1, aSgiWdtReset ; "SGI WDT Reset"
ROM:00002600                 BL      sub_BB44
ROM:00002604                 ORR.W   R0, R0, R4
ROM:00002608
ROM:00002608 loc_2608                                ; CODE XREF: sub_25B8+E6j
ROM:00002608                 CMP     R0, #0
ROM:0000260A                 BEQ     loc_26A0
ROM:0000260C                 MOV.W   R0, #0xFFFFFFFF
ROM:00002610                 ADD     SP, SP, #0xC
ROM:00002612                 POP     {R4-R7,PC}
ROM:00002614 ; ---------------------------------------------------------------------------
ROM:00002614
ROM:00002614 loc_2614                                ; CODE XREF: sub_25B8+18j
ROM:00002614                 MOVS    R7, #0
ROM:00002616                 MOVW    R2, #0x20FF
ROM:0000261A                 MOVS    R0, #0xD7 ; '+'
ROM:0000261C                 STR     R7, [SP,#0x20+var_20]
ROM:0000261E                 MOV     R3, R7
ROM:00002620                 STR     R5, [SP,#0x20+var_1C]
ROM:00002622                 MOVT.W  R2, #0x2A00
ROM:00002626                 ADR     R1, aSpiXpu     ; "SPI XPU"
ROM:00002628                 BL      sub_BB44
ROM:0000262C                 MOV     R4, R0
ROM:0000262E                 MOVW    R2, #0x20FF
ROM:00002632                 STR     R7, [SP,#0x20+var_20]
ROM:00002634                 MOV     R3, R7
ROM:00002636                 STR     R5, [SP,#0x20+var_1C]
ROM:00002638                 MOVT.W  R2, #0x2A00
ROM:0000263C                 ADR     R1, aSpiTopImem ; "SPI TOP IMEM"
ROM:0000263E                 MOV.W   R0, #0x7B ; '{'
ROM:00002642                 BL      sub_BB44
ROM:00002646                 ORR.W   R4, R0, R4
ROM:0000264A                 MOVW    R2, #0x20FF
ROM:0000264E                 STR     R7, [SP,#0x20+var_20]
ROM:00002650                 MOV     R3, R7
ROM:00002652                 STR     R5, [SP,#0x20+var_1C]
ROM:00002654                 MOVT.W  R2, #0x2A00
ROM:00002658                 ADR     R1, aPpiMmssImemXpu ; "PPI MMSS IMEM XPU"
ROM:0000265A                 MOV.W   R0, #0x6E ; 'n'
ROM:0000265E                 BL      sub_BB44
ROM:00002662                 ORR.W   R4, R0, R4
ROM:00002666                 LDRB    R0, [R6]
ROM:00002668                 CBZ     R0, loc_2684
ROM:0000266A                 MOVW    R2, #0x28AF
ROM:0000266E                 MOVS    R3, #0
ROM:00002670                 MOVS    R0, #0x14
ROM:00002672                 STR     R5, [SP,#0x20+var_20]
ROM:00002674                 MOVT.W  R2, #0x2A00
ROM:00002678                 STR     R5, [SP,#0x20+var_1C]
ROM:0000267A                 ADR     R1, aPpiWdtNonSec_0 ; "PPI WDT NON Secure"
ROM:0000267C                 BL      sub_BB44
ROM:00002680                 ORR.W   R4, R0, R4
ROM:00002684
ROM:00002684 loc_2684                                ; CODE XREF: sub_25B8+B0j
ROM:00002684                 MOVW    R2, #0x28F7
ROM:00002688                 MOVS    R3, #0
ROM:0000268A                 MOVS    R0, #0xF
ROM:0000268C                 STR     R5, [SP,#0x20+var_20]
ROM:0000268E                 MOVT.W  R2, #0x2A00
ROM:00002692                 STR     R5, [SP,#0x20+var_1C]
ROM:00002694                 ADR     R1, aSgiWdtReset ; "SGI WDT Reset"
ROM:00002696                 BL      sub_BB44
ROM:0000269A                 ORR.W   R0, R0, R4
ROM:0000269E                 B       loc_2608
ROM:000026A0 ; ---------------------------------------------------------------------------
ROM:000026A0
ROM:000026A0 loc_26A0                                ; CODE XREF: sub_25B8+52j
ROM:000026A0                 MOVS    R0, #0
ROM:000026A2                 ADD     SP, SP, #0xC
ROM:000026A4                 POP     {R4-R7,PC}
ROM:000026A4 ; End of function sub_25B8
ROM:000026A4
ROM:000026A6
ROM:000026A6 ; =============== S U B R O U T I N E =======================================
ROM:000026A6
ROM:000026A6
ROM:000026A6 sub_26A6                                ; CODE XREF: ROM:000029E6p
ROM:000026A6
ROM:000026A6 var_10          = -0x10
ROM:000026A6 var_C           = -0xC
ROM:000026A6 var_4           = -4
ROM:000026A6
ROM:000026A6                 STR.W   LR, [SP,#var_4]!
ROM:000026AA
ROM:000026AA loc_26AA                                ; CODE XREF: ROM:00002B86j
ROM:000026AA                 SUB     SP, SP, #0xC
ROM:000026AC                 MOVW    R1, #0x6C6C
ROM:000026B0                 MOV.W   R0, #1
ROM:000026B4                 MOVT.W  R1, #0x2A02
ROM:000026B8                 STRB    R0, [R1]
ROM:000026BA                 MOV.W   R1, #1
ROM:000026BE                 MOVW    R2, #0x28AF
ROM:000026C2                 MOVT.W  R1, #0x4000
ROM:000026C6                 STR     R0, [SP,#0x10+var_C]
ROM:000026C8                 MOV.W   R3, #0
ROM:000026CC                 STR     R1, [SP,#0x10+var_10]
ROM:000026CE
ROM:000026CE loc_26CE                                ; CODE XREF: sub_2BA0+Aj
ROM:000026CE                 MOVT.W  R2, #0x2A00
ROM:000026D2                 ADR     R1, aPpiWdtNonSec_0 ; "PPI WDT NON Secure"
ROM:000026D4                 MOV.W   R0, #0x14
ROM:000026D8                 BL      sub_BB44
ROM:000026DC                 CBZ     R0, loc_26E8
ROM:000026DE
ROM:000026DE loc_26DE                                ; CODE XREF: sub_2BA0+1Aj
ROM:000026DE                 MOV.W   R0, #0xFFFFFFFF
ROM:000026E2                 ADD     SP, SP, #0xC
ROM:000026E4                 LDR.W   PC, [SP+4+var_4],#4
ROM:000026E8 ; ---------------------------------------------------------------------------
ROM:000026E8
ROM:000026E8 loc_26E8                                ; CODE XREF: sub_26A6+36j
ROM:000026E8                 MOVS    R0, #0
ROM:000026EA                 ADD     SP, SP, #0xC
ROM:000026EC                 LDR.W   PC, [SP+4+var_4],#4
ROM:000026EC ; End of function sub_26A6

A few secures and non-secures in there.
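As an added example (not code from the thread or from anyone posting in it): a small parser that walks IDA listing text like the one above and, at every BL to sub_BB44, records the last immediate loaded into R0 and the last label or quoted string loaded into R1. That sub_BB44 takes an ID in R0 and a name in R1 is an assumption read off the call pattern; the thread does not confirm what it does. The sample listing below is a trimmed copy of lines from the disassembly posted above.

```python
import re

# Sample input: listing lines copied from the TrustZone disassembly in this thread
# (sub_9106 and the loc_2614 stretch of sub_25B8), trimmed to the instructions that matter.
SAMPLE_LISTING = """\
ROM:00009106                 STR.W   LR, [SP,#var_4]!
ROM:0000910A                 MOV     R12, R0
ROM:00009110                 MOV     R0, 0xFFFFFFFC
ROM:00009114                 CMP.W   R12, #0
ROM:00009118                 MOV.W   R2, #1
ROM:0000911C                 BEQ     loc_9152
ROM:0000912A                 MOVS    R0, #0xC8 ; '+'
ROM:00009130                 MOV     R2, R1
ROM:00009132                 ADR     R1, (aGspiTimer+1)
ROM:00009134                 BL      sub_BB44
ROM:0000913E loc_913E                                ; CODE XREF: sub_9106+1Cj
ROM:0000913E                 MOVS    R0, #0x13
ROM:00009146                 ADR     R1, aPpiGptSecure ; "PPI GPT Secure"
ROM:00009148                 BL      sub_BB44
ROM:00009152                 MOVS    R0, #0x12
ROM:0000915A                 ADR     R1, aPpiGptNonSecur ; "PPI GPT Non Secure"
ROM:0000915C                 BL      sub_BB44
ROM:00002614                 MOVS    R7, #0
ROM:0000261A                 MOVS    R0, #0xD7 ; '+'
ROM:00002626                 ADR     R1, aSpiXpu     ; "SPI XPU"
ROM:00002628                 BL      sub_BB44
ROM:0000262C                 MOV     R4, R0
ROM:0000263C                 ADR     R1, aSpiTopImem ; "SPI TOP IMEM"
ROM:0000263E                 MOV.W   R0, #0x7B ; '{'
ROM:00002642                 BL      sub_BB44
"""

# One IDA instruction line: address, mnemonic, then operands and an optional ';' comment.
# Label lines (sub_xxxx, loc_xxxx, var_xx) start lowercase and are skipped.
INSN_RE = re.compile(r'^ROM:([0-9A-F]{8})\s+([A-Z][A-Z0-9.]*)\s+(.*)$')
IMM_RE = re.compile(r'^R0,\s*#?(0x[0-9A-Fa-f]+|\d+)$')
ADR_RE = re.compile(r'^R1,\s*\(?([A-Za-z_]\w*)')
STRING_RE = re.compile(r'"([^"]*)"')
# Mnemonics whose first operand is read, not written, so they never clobber the R0 tracking.
NO_WRITE = {'CMP', 'CMP.W', 'CBZ', 'CBNZ', 'TST', 'STR', 'STR.W', 'STRB', 'PUSH'}


def extract_registrations(listing, callee='sub_BB44'):
    """Walk the listing in order; at each BL/BLX to `callee`, report the call address,
    the last immediate loaded into R0 (None if R0 was last set from another register)
    and the last symbol loaded into R1 (IDA's quoted string when present, else the label)."""
    r0 = None
    r1 = None
    found = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue  # labels, local-variable definitions, separators
        addr, mnem, rest = m.groups()
        ops, _, comment = rest.partition(';')
        ops = ops.strip()
        if mnem in ('BL', 'BLX'):
            if ops == callee:
                found.append((int(addr, 16), r0, r1))
                r1 = None  # the name has been consumed by this call
            continue
        if mnem == 'ADR' and ops.startswith('R1,'):
            sym = ADR_RE.match(ops)
            text = STRING_RE.search(comment)
            r1 = text.group(1) if text else (sym.group(1) if sym else None)
            continue
        if ops.startswith('R0,') and mnem not in NO_WRITE:
            imm = IMM_RE.match(ops)
            r0 = int(imm.group(1), 0) if imm else None
    return found


def classify(name):
    """Bucket a handler name by the world it names, following the secure/non-secure remark above."""
    n = (name or '').lower()
    if 'non secure' in n:
        return 'non-secure'
    if 'secure' in n:
        return 'secure'
    return 'unlabelled'


if __name__ == '__main__':
    for addr, irq, name in extract_registrations(SAMPLE_LISTING):
        shown = f'{irq:#x}' if irq is not None else '?'
        print(f'{addr:#06x}  id={shown:<6} {classify(name):<11} {name}')
```

Running it over the full tz listing gives one row per registration, which is an easier thing to compare across firmware versions than the raw disassembly. The R0 tracking is deliberately conservative: any write to R0 that is not an immediate (for example MOV R0, R4) clears the tracked value rather than guessing.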
 
Found these in SBL1. They look like... source code files?
Code:
ROM:000146B4 aHome001Hans_15 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:000146B4                 DCB "es/core/boot/secboot3/msm8960/sbl1/sbl1_mc.c",0
ROM:00014721                 DCB    0
ROM:00014722                 DCB    0
ROM:00014723                 DCB    0
ROM:00014724 aHome001Hans_14 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:00014724                 DCB "es/core/boot/secboot3/msm8960/sbl1/sbl1_hw.c",0
ROM:00014791                 DCB    0
ROM:00014792                 DCB    0
ROM:00014793                 DCB    0
ROM:00014794 aHome001Hans_13 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:00014794                 DCB "es/core/boot/secboot3/common/boot_pbl_v1.c",0
ROM:000147FF                 DCB    0
ROM:00014800 aHome001Hans_12 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:00014800                 DCB "es/core/boot/secboot3/common/boot_clobber_prot.c",0
ROM:00014871                 DCB    0
ROM:00014872                 DCB    0
ROM:00014873                 DCB    0
ROM:00014874 aHome001Hans_11 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:00014874                 DCB "es/core/boot/secboot3/common/boot_error_handler.c",0
ROM:000148E6                 DCB    0
ROM:000148E7                 DCB    0
ROM:000148E8 aHome001Hans_10 DCB "/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_imag"
ROM:000148E8                 DCB "es/core/boot/secboot3/common/boot_config.c",0
ROM:00014953                 DCB    0
ROM:00014954                 DCB 0xD5 ; +
ROM:00014955                 DCB 0x85 ;
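Two posts in this thread dump firmware as a C byte array (the aboot header above) and find source-path strings in SBL1. As an added example, not code from the thread or from anyone in it: parse that kind of header back into bytes, then carve printable runs out of the blob and pick out the ones that look like source paths. The sample blob is constructed for this example around the sbl1_mc.c path quoted above and one of the TrustZone handler names; the surrounding bytes are made up.

```python
import re
import string

# ASCII bytes treated as text when carving strings (space kept, control whitespace dropped).
PRINTABLE = set(string.printable.encode('ascii')) - set(b'\t\n\r\x0b\x0c')

# Constructed sample blob: the sbl1_mc.c path quoted in this thread and one of the
# TrustZone handler names, padded with made-up non-text bytes. Not a real firmware image.
SBL1_PATH = (b'/home001/hanseog.kim/msm8960_ics_release_mpcs/non_HLOS/boot_images'
             b'/core/boot/secboot3/msm8960/sbl1/sbl1_mc.c')
SAMPLE_BLOB = (b'\x03\x00\x00\x00\x00\x00\x00\x00'
               + SBL1_PATH + b'\x00\x00\x00'
               + b'\xd5\x85\xcb\x25\x28\x00'
               + b'PPI GPT Secure\x00'
               + b'\xc9\x3f\xc6\x3f')


def to_c_header(name, blob, per_line=11):
    """Render bytes as a C array in the same layout as the aboot dump posted above."""
    lines = []
    for i in range(0, len(blob), per_line):
        chunk = blob[i:i + per_line]
        lines.append(', '.join(f'0x{b:02x}' for b in chunk) + ',')
    body = '\n'.join(lines).rstrip(',')
    return f'const unsigned char {name}[] = {{\n{body}\n}};\n'


BODY_RE = re.compile(r'\{(.*?)\}', re.S)
BYTE_RE = re.compile(r'0x([0-9a-fA-F]{1,2})\b')


def parse_c_byte_array(text):
    """Recover the raw bytes from an `unsigned char x[] = { 0x.., ... };` header."""
    m = BODY_RE.search(text)
    if not m:
        raise ValueError('no array body found')
    return bytes(int(h, 16) for h in BYTE_RE.findall(m.group(1)))


def find_strings(blob, min_len=8):
    """Offsets and text of printable runs of at least min_len bytes (what `strings` does)."""
    out = []
    start = None
    for i, b in enumerate(blob + b'\x00'):  # trailing sentinel closes a run at the end
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            out.append((start, blob[start:i].decode('ascii')))
        start = None
    return out


SOURCE_PATH_RE = re.compile(r'^/\S+\.(?:c|h|cpp|s)$', re.IGNORECASE)


def find_source_paths(blob):
    """Strings that look like absolute paths to source files, like the ones found in SBL1."""
    return [(off, s) for off, s in find_strings(blob) if SOURCE_PATH_RE.match(s)]


if __name__ == '__main__':
    header = to_c_header('sample_blob', SAMPLE_BLOB)
    blob = parse_c_byte_array(header)
    for off, s in find_strings(blob):
        tag = 'source' if SOURCE_PATH_RE.match(s) else 'string'
        print(f'{off:#08x} {tag:<6} {s}')
```

The same two functions work on the linked aboot.h directly: read the file, call parse_c_byte_array, then find_source_paths, and you get the build-tree paths with their offsets without opening the image in a disassembler. Those paths identify which source files were linked into the boot stage; they do not by themselves say anything about what the code does.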
 
AquerMang, do you know how to use IDA? I don't have any experience with it and am kind of just guessing around, hoping I stumble on something.

Ahyep. And I've been looking at the 8960 (Spirit) bootloader. Already got a couple of ideas. Just waiting for LG to send me my Spirit back. Had to RMA it after bricking it playing musical bootchains.
 
I'm actually interested in the post where you mention they might be source files; they look like it, as if they are needed to compile, if only we could get our hands on them :/
 
Dunno if anyone is still interested, but check under system/lib for a libunlock file. Dunno if the Motion has it, but there's one on the L9, and the "rumored flag" is stored on the NV partition....
 