S4 GT-I9500 Lost - Fake IMEI - Galaxy S 4 Q&A, Help & Troubleshooting

Hi, I know there are many threads with similar problems, but nothing I've tried solved the problem, so I'm posting a new one.
Yesterday, at work, my phone lost signal (this is common with my ROM, Gear CM12.1, and my country) and I rebooted to fix it... but it only showed the "Samsung" logo and then I got a bootloop at the CM12 logo. I thought it was a cache problem, went to TWRP, cleaned cache & dalvik and rebooted, but I got the same problem, so I tried TWRP again and this time I noticed it showed "Error: Unable to mount /efs". Because I was at work I just turned it off to fix it later. At home the problem is that TWRP says the EFS backup is wrong and can't restore it (something MD5 related).
Whatever... today I did something really stupid: I accidentally formatted the internal SD where the backup was saved, and now I can't get it back.
The current state of my S4 is:
-Fake IMEI (shows default 00499010640000 / 01)
-Baseband: I9500XXUFNA6
-Carrier: Telcel
-Country: Mexico
-Phone status: Unlocked (from factory)
-Rom: Stock 4.4 SER-I9500XXUFNB3-20140220172446.zip - I9500XXUFNB3_I9500SERFNB3_I9500XXUFNA6_HOME.tar
-I get signal (shows "Telcel, only emergency calls")
What I've tried:
1. How to fix - E:failed to mount /efs (Invalid argument): solved the EFS mount problem...
2. Install stock ROM 4.4 (also modem.bin)... fake IMEI but correct baseband, Telcel signal
3. Install stock ROM 5.1 (also modem.bin)... unknown IMEI and unknown baseband, no signal at all
4. Backup with EFS Professional 2.1.80 BETA, but what it restores is the fake one
5. wanam's EFS☆IMEI☆Backup, because I read the EFS is stored in a partition, not in the efs folder, but the restored EFS is still the fake one
Well, other posts I tried but with the same results...
IMEI & Baseband unknow [SOLVED]
IMEI NULL fixed
also many others... (4 pages of results on Google for site:forum.xda-developers.com/galaxy-s4/help/ "imei" "i9500")
Questions:
1. Is it possible that the problem is the EMMC chip? Many people say this, but they mention that if that is the problem the baseband is lost too, and I still have my baseband.
2. I did this: Solved:Hex Editor Route, but the phone can't read the SIM card, so I changed the information for my phone, but it didn't work. What am I doing wrong?
Code:
00188000: FF FF FF FF 4D 50 20 30 2E 38 30 30 00 00 00 49
00188010: 4E 55 00 00 00 00 47 54 2D 49 39 35 30 30 5A 4B
00188020: 41 49 4E 55 00 00 00 00 00 00 FF FF FF FF FF FF
MP 0.800...INU....GT-I9500ZKAINU......
00188000: FF FF FF FF 4D 50 20 30 2E 38 30 30 00 00 00 53
00188010: 45 52 00 00 00 00 47 54 2D 49 39 35 30 30 5A 4B
00188020: 41 53 45 52 00 00 00 00 00 00 FF FF FF FF FF FF
MP 0.800...SER....GT-I9500ZKASER......
Another solution
PS: sorry for my English.

Hardware damage. Your EMMC chip is damaged. Find someone who can replace it. The part is not that expensive but requires soldering.

Lennyz1988 said:
Hardware damage. Your EMMC chip is damaged. Find someone who can replace it. The part is not that expensive but requires soldering.
Thanks for answering.
At the official service they said they could fix it, but it would take a week.
An independent technician was able to restore the IMEI (or so I thought); a quick check showed it started with 55 and ended in 9, but when I got home I confirmed that it is a different IMEI (the IMEI of an S3).
He fixed it with this tool: Z3X Box http://z3x-team.com/
Can anyone tell me if I can change the IMEI on my own, or do I need to go back and ask if they can restore my IMEI?
Status:
Signal: Ok (Telcel)
IMEI: Ok (but it is from another phone)
Baseband: OK
Rom: Stock 4.4.2
Root & BusyBox
Efs: Backup (EFS Professional 2.1.80 BETA)

Asking whether you can change the IMEI, or how to do it, is something that can get XDA into deep s#!^. So don't do it. Keep in mind that XDA is hosted on a US server and has to abide by US law. In the US, cloning the IMEI of a phone for any reason whatsoever is illegal. Thus discussion of it falls under XDA rule 9, "Don't get us into trouble."

Strephon Alkhalikoi said:
Asking whether you can change the IMEI, or how to do it, is something that can get XDA into deep s#!^. So don't do it. Keep in mind that XDA is hosted on a US server and has to abide by US law. In the US, cloning the IMEI of a phone for any reason whatsoever is illegal. Thus discussion of it falls under XDA rule 9, "Don't get us into trouble."
Well, I'm not trying to change my IMEI to another one; I want to recover my original IMEI, so I don't think that's illegal (?)...
Still, thanks for the warning :good:
Moderators, please close the thread; I will continue on my own, thanks.

When IMEI is wiped for whatever reason, your only recourse is to take it to manufacturer or Servicing Center. We do not discuss any methods pertaining to changing or restoring IMEI.
PERIOD. END OF DISCUSSION.
Thread Closed.

Related

Reasons to DOWNgrade Bootloader

Hi!
I have Siemens SX56.
Are there any reasons to DOWNGRADE my BootLoader from current version 5.22 to 5.15?
What is mechanism of downgrade?
Is this dangerous?
Thank You!
I am asking because I can NOT upgrade my SX56 from 2002 to 2003
pmemdump 0x80001880 0x40
80001880 20 00 00 00 20 72 30 00 ff ff 00 f1 e0 07 1f 00 ... r0.........
80001890 00 00 00 00 20 20 20 20 56 35 2e 32 32 20 20 20 .... V5.22
800018a0 20 00 00 00 20 20 42 6f 6f 74 6c 6f 61 64 65 72 ... Bootloader
800018b0 20 00 00 00 20 57 41 4c 4c 41 42 59 20 00 00 00
...WALLABY ...
Help! How can I downgrade my bootloader?
I tried:
pnewbootloader.exe bl515.nb0
Unable to find flash info offset, cannot disable bootloader writeprotect
I have read the whole forum, but I can't solve my problem.
I have the 5.22 bootloader and cannot upgrade to 2003.
Have you tried the "fix broken bootloader" option in xdatools.
cruisin-thru said:
Have you tried the "fix broken bootloader" option in xdatools.
How do I do that?
I tried:
pnewbootloader.exe bl515.nb0
look at the picture
http://wiki.xda-developers.com/wiki/XDAtools
Rudegar said:
look at the picture
http://wiki.xda-developers.com/wiki/XDAtools
This script has the same line:
pnewbootloader bootloader_v5_15.nb0
ERROR: ITReadProcessMemory -
Unable to find flash info offset, cannot disable bootloader writeprotect
I have exactly the same problem.. Anyone find the solution to this problem? I am not able to downgrade my bootloader.. I want to do this because I want to go from the XDA SE ROM back to PPC2002..
help... anyone...
I posted an updated pnewbootloader in another thread which addresses this.
http://forum.xda-developers.com/viewtopic.php?t=11417
Which ROM version do you have ?
I apparently did not have the pput.exe program. I downloaded the zip file with the pput.exe and it downgraded my bootloader successfully !
very very cool.. now if only I can figure out how to get the bootloader to restore from my SD card. Whenever I soft-reset by holding the power button it takes me to the bootloader screen and then to diagnostics... where in the world is the restore-from-SD option.. or is it doing that because I have the SD card (256 MB) in the wrong format? I did write the card using xdatools.. hmm..
I am assuming you downgraded to 5.15
If your image is written to SD card 1k header format it should automatically see the image and display the menu.
Ok..Using XDArit1.exe fixed the problem.. There seems to be some issue with using OSImageTool (from XDATools) to write to the SD card.. maybe i used the wrong option.. but anyway I got the XDA to boot and upgrade from the SD card .. now I have the PPC2002 ROM running successfully..

Add Cities to Weather-Tab?

Hi, Weather Database Editor doesn't work with my girlfriend's Touch 3G (German).
Is there any solution to manually add cities?
Thanks. =)
Same problem here
Try this one..
http://forum.xda-developers.com/showpost.php?p=2488224&postcount=73
Thanks, but it does not show any cities...
Yep, seems that the database has another filename...
I'll try investigating this...
Ok, found the database. =)
It's HH_0407_WeatherCities.xml (for German users, I think).
Bad news:
It's hidden/system/in ROM.
Any ideas how to rename it?
I copied it to the PC and edited the cities in, but I can't copy it back to the phone...
You can easily overwrite the file with resco explorer after disabling touchflo from the today screen but I have yet to find a way to copy the file to the pc. Could you share your xml please?
Ok I am getting nearer.
Disable touchflo
Copy HH_0407_WeatherCities.xml from the /windows folder to your pc.
Edit the xml to include your new city.
Copy it back to the phone into somewhere like "My Documents" then use resco explorer to move it to /windows and overwrite the original file.
Copy manila2d.exe from windows to your pc,
download XVI32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
download sign code from N2A's site http://weather.not2advanced.com/files/SignCode.zip
Open manila2d.exe in XVI32 and do a search for "weather.manila1.htc.com" ( make sure Unicode check box is checked )
You will see the update URL in unicode , which means that if you want to replace it , there has to be a hex 00 between every letter !
It needs to be changed to something like weather.not2advanced.com/htcweather/forecastdata.php?locCode=%s%s%s
save manila2d.exe and sign it using N2A's batch file
Copy it back to the phone into somewhere like "My Documents" then use resco explorer to move it to /windows and overwrite the original file.
Now I have the new city listed but when I update, all the temperatures = 0
I'm not sure what I have done wrong but I think the URL is wrong.
Any ideas?
Ok, the URL was different for me.
Done that but without the %s%s%s.
Still not working.
I can select the cities but i cant see them in the tab.
Update says that it cannot get updates for the selected city.
Hi Vibez
I reply here instead of the PM, so the others can read it as well.
I don't have a touch 3G so I cannot experiment for you , but 1 thing is sure ,
people had the same issue on the Diamond ( cities not updating after hex-edit ) when the hex-edit was not done 100% correctly ...
So 2 questions :
1) Did any of you try the registry hack from the Diamond?
In stock ROM, the URL used to update the weather is a specific Accuweather URL. WDE changes it to point to N2A's website ( http://weather.not2advanced.com/ ).
Registry key=HKEY_CURRENT_USER\Software\HTC\Manila
String value Name=Weather.ServerURLOverride
2) when u tried patching , did the replacement weather string have EXACTLY the same length as the original ? On the diamond , it was an absolute no-go when the length was different
Open manila exe in XVI32 and do a search for "weather.manila1.htc.com" ( make sure Unicode check box is checked )
You will see the update URL in unicode , which means that if you want to replace it , there has to be a hex 00 between every letter !
I then replaced : http://weather.manila1.htc.com/widget/htc/forecast-data_v3.asp?locCode=%1s&?ac=TR2cra9U
with : http://weather.not2advanced.com/htcweather/forecastdata.php?locCode=%1s&ac=XDADevs1234
Those two lines have exactly the same length up to there ( that's why I added 1234 to the XDADevs, thankfully that's ok with N2A's site ) so the rest of the URL ( &device=innovation etc.. ) can remain unchanged !
If that fails to work , send me a copy of the manila app ( modded and original maybe so I can see what u did ) , I'll look at it , patch it & send it back for you to try ...
I can't promise anything of course , but I'm on holidays this week , so I've got a little time to spare ;-)
cheers,
Claude
Thanks for the info!
Unicode strings should be NULL-terminated too, so all I've done was to zero out the remaining chars.
I give it a try and answer here asap.
//edit:
Ok, works but Temps are at 0°C.
Seems that the XML-Format has been changed.
BTW: The string used for patching Manila2D.exe was:
000D8858 68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 77 00 65 00 61 00 74 00 68 00 h.t.t.p.:././.w.e.a.t.h.
000D8870 65 00 72 00 2E 00 6E 00 6F 00 74 00 32 00 61 00 64 00 76 00 61 00 6E 00 e.r...n.o.t.2.a.d.v.a.n.
000D8888 63 00 65 00 64 00 2E 00 63 00 6F 00 6D 00 2F 00 68 00 74 00 63 00 77 00 c.e.d...c.o.m./.h.t.c.w.
000D88A0 65 00 61 00 74 00 68 00 65 00 72 00 2F 00 66 00 6F 00 72 00 65 00 63 00 e.a.t.h.e.r./.f.o.r.e.c.
000D88B8 61 00 73 00 74 00 64 00 61 00 74 00 61 00 2E 00 70 00 68 00 70 00 3F 00 a.s.t.d.a.t.a...p.h.p.?.
000D88D0 6C 00 6F 00 63 00 43 00 6F 00 64 00 65 00 3D 00 25 00 31 00 73 00 00 00 l.o.c.C.o.d.e.=.%.1.s...
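The procedure above (hex-edit the update URL in manila2d.exe) and the two replies to it turn on one rule: the string is UTF-16LE ("a hex 00 between every letter"), the replacement has to occupy exactly the bytes the original did, and whatever is left over must be zeroed so the terminator stays in place. The following is an added example, not code posted in this thread, that applies both approaches described here to a constructed stand-in for the executable: Garfield1970's strict same-length swap that leaves the `&device=...` tail untouched, and Weltherrscher's shorter replacement with the rest zero-filled. The `&device=innovation` tail is an assumed continuation, since the post only shows "&device=innovation etc..". One thing it also shows: the two URLs exactly as they appear in the quote above encode to different lengths (87 and 86 characters), so the strict mode refuses that pair, which is precisely the "not done 100% correctly" failure the Diamond users hit; a constructed 15-character host swap shows the strict mode succeeding.

```python
"""Same-length replacement of a UTF-16LE string inside a binary blob.

Added example for this thread, not code posted by anyone in it. SAMPLE is a
constructed stand-in for manila2d.exe: filler bytes, the NUL-terminated URL,
more filler. Run the file directly to see the patched string.
"""

NUL = b"\x00\x00"  # UTF-16LE terminator (two zero bytes)


def find_utf16(blob: bytes, text: str) -> int:
    """Offset of the UTF-16LE encoding of `text` (each char followed by 0x00), or -1."""
    return blob.find(text.encode("utf-16-le"))


def read_utf16(blob: bytes, off: int) -> str:
    """Decode the NUL-terminated UTF-16LE string starting at `off` (must be 2-aligned)."""
    end = off
    while end + 2 <= len(blob) and blob[end:end + 2] != NUL:
        end += 2
    return blob[off:end].decode("utf-16-le")


def patch_utf16(blob: bytes, old: str, new: str, *, keep_tail: bool) -> bytes:
    """Overwrite `old` with `new` without moving a single other byte.

    keep_tail=True : Garfield1970's method; `new` must encode to exactly as many
                     bytes as `old`, so what follows (the &device=... part) survives.
    keep_tail=False: Weltherrscher's method; `new` may be shorter than the whole
                     terminated string, the leftover bytes are zeroed.
    """
    needle = old.encode("utf-16-le")
    off = blob.find(needle)
    if off < 0:
        raise ValueError("original string not found in blob")
    repl = new.encode("utf-16-le")
    if keep_tail:
        if len(repl) != len(needle):
            raise ValueError(
                f"length mismatch: {len(old)} vs {len(new)} characters; "
                "pad or trim the replacement before patching")
        return blob[:off] + repl + blob[off + len(needle):]
    # Locate the existing terminator so only bytes that belonged to the string are zeroed.
    end = off + len(needle)
    while end + 2 <= len(blob) and blob[end:end + 2] != NUL:
        end += 2
    slot = end - off  # bytes available before the terminator
    if len(repl) > slot:
        raise ValueError(f"replacement needs {len(repl)} bytes, slot is {slot}")
    return blob[:off] + repl + b"\x00" * (slot - len(repl)) + blob[end:]


# Strings as quoted in the thread.
HTC_URL = "http://weather.manila1.htc.com/widget/htc/forecast-data_v3.asp?locCode=%1s&?ac=TR2cra9U"
N2A_URL = "http://weather.not2advanced.com/htcweather/forecastdata.php?locCode=%1s&ac=XDADevs1234"
N2A_SHORT = "http://weather.not2advanced.com/htcweather/forecastdata.php?locCode=%1s"
TAIL = "&device=innovation"  # assumed continuation of the original string

# Constructed stand-in for the executable: filler, terminated string, filler.
SAMPLE = b"\xAA" * 16 + (HTC_URL + TAIL).encode("utf-16-le") + NUL + b"\xBB" * 16


def demo():
    """Return (offset, zero-padded patch, whether the strict patch of the quoted pair was accepted)."""
    off = find_utf16(SAMPLE, HTC_URL)
    padded = patch_utf16(SAMPLE, HTC_URL, N2A_SHORT, keep_tail=False)
    try:
        patch_utf16(SAMPLE, HTC_URL, N2A_URL, keep_tail=True)
        strict_ok = True
    except ValueError:
        strict_ok = False  # 87 vs 86 characters as quoted
    return off, padded, strict_ok


if __name__ == "__main__":
    off, padded, strict_ok = demo()
    print(f"string at {off:#x} -> {read_utf16(padded, off)}")
    print("strict patch of the quoted pair accepted:", strict_ok)
```

Before editing the real file, compare `len(old)` and `len(new)` programmatically rather than by eye, and diff the patched file against the original: only the bytes inside the string's slot should differ and the file size must be unchanged.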
Ahw F...!
Tested the original URL:
first, city in original database:
http://htc.accuweather.com/widget/htc/forecast-data.asp?ac=TR2cra9U&locCode=EUR|DE|GM011|AACHEN
second, city manually added:
http://htc.accuweather.com/widget/h...ac=TR2cra9U&locCode=EUR|DE|GM017|SCHMALKALDEN
The second URL does NOT give any information back in the XML...
Seems that the database is also online and it tries to find the city there...
OK, tried the not2advanced URL, XML Format has changed heavily...
*sniff*
Garfield1970,
Thanks for helping out.
The registry trick did not work.
I did find a patched version of manila2d.exe from another ROM that works perfectly on our phone, but ideally I would like to see how to patch the original version that our phone ships with. The hex surrounding the URL string in our manila2d.exe looks a little different. I'm not 100% sure there is enough room to fit the full N2A URL in!
I will post all 3 versions later for you to play with.
Weltherrscher said:
Ahw F...!
Tested the original URL:
first, city in original database:
http://htc.accuweather.com/widget/htc/forecast-data.asp?ac=TR2cra9U&locCode=EUR|DE|GM011|AACHEN
Ok
second, city manually added:
http://htc.accuweather.com/widget/h...ac=TR2cra9U&locCode=EUR|DE|GM017|SCHMALKALDEN
The second URL does NOT give any information back in the XML...
Seems that the database is also online and it tries to find the city there...
That's normal as that city is unknown to the HTC Server
OK, tried the not2advanced URL, XML Format has changed heavily...
*sniff*
Indeed , I just compared the XML Outputs for Aachen from HTC & N2A , they changed the format .... But if you ask N2A very very nicely and if he has some time to spare , he might eventually adapt a version of his script to reflect the other XML format
You can clearly see the differences between the following two outputs :
http://weather.not2advanced.com/htc...hp?locCode=EUR|DE|GM011|AACHEN&ac=XDADevs1234
is the Diamond compatible format
http://htc.accuweather.com/widget/htc/forecast-data.asp?ac=TR2cra9U&locCode=EUR|DE|GM011|AACHEN
is the format the touch 3g seems to need ....
I'll crosspost the URL's to N2A's main thread so he can maybe have a look
Claude
Just for info the XML format that ships with our ROM works fine with N2A.
To me it seems N2A provides extra elements which I assume is for compatibility with HTC home.
So no need as far as I can tell to ask him to change anything.
Unless i'm getting confused in what you are saying?
vibez said:
Just for info the XML format that ships with our ROM works fine with N2A.
To me it seems N2A provides extra elements which I assume is for compatibility with HTC home.
So no need as far as I can tell to ask him to change anything.
Unless i'm getting confused in what you are saying?
Are you sure that the N2A output works for you ?
Because if you look at the XMLs, what your device expects to see includes blocks titled:
Today
Tonight
Tomorrow
and then the following weekdays
whereas on my Diamond it's just current and the different Weekdays being reported
Claude
I'm 100% sure it works with this version of manila2d.exe that i'm using. Now it may be that this version I have uses the old format.
We don't have
Today
Tonight
Tomorrow
we just have current temp, and hi, lo for each day
You mean using the patched manila from the other ROM that you mentioned earlier?
Might it be that the format switch happened between different ROM versions?
Claude
Garfield1970 said:
You mean using the patched manila from the other ROM that you mentioned earlier?
Might it be that the format switch happened between different ROM versions?
Claude
Yes it could be that. Although the end result is the same. The original version only showed Current and hi/lo temps
Ok i've attached the files
Manila2D_original.exe
This is the original unpatched file
Manila2D_original_patched_not_working.exe
This the original file I tried to patch without success
Manila2D_patched_ok.exe
This is the patched file from another rom that works ok.

Bricked or dead?

I recently just re-flashed the ROM on my Elf, it got to 100% and Windows said it completed. I now try to turn the phone on and nothing happens? The battery isn't dead either, help please
tjeaton said:
I recently just re-flashed the ROM on my Elf, it got to 100% and Windows said it completed. I now try to turn the phone on and nothing happens? The battery isn't dead either, help please
hmmm, not sure if this helps (coz i arrived at it through a different process). but my device couldn't be turned on. no light even as charger was plugged in. but i did the "hold Camera button and poke the reset hole" then i got into boot into bootloader
please help
My HTC Touch P3452 is dead because I flashed it but something went wrong and then it was dead; now it will only turn on in bootloader mode (red, green, blue). Here are my details, please tell me what to do.
it show..
IPL 3.07.0002
SPL 3.07.0000
DEVICE ID= ELF010050
CID= DOPOD001
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
I also tried to flash "DID-ELF010050_CID-DOPOD001_ROM-2.20.721.2B" but it is not flashed, it gave "error 270 update error" or something. Please tell me where the problem is and how to solve it, guys.
You have to cid unlock first before flashing any rom...
vicky.9871 said:
My HTC Touch P3452 is dead because I flashed it but something went wrong and then it was dead; now it will only turn on in bootloader mode (red, green, blue). Here are my details, please tell me what to do.
it show..
IPL 3.07.0002
SPL 3.07.0000
DEVICE ID= ELF010050
CID= DOPOD001
45 4C 46 30 31 30 30 35 30 00 00 00 00 00 00 00 ELF010050.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
44 4F 50 4F 44 30 30 31 00 00 00 00 00 00 00 00 DOPOD001........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
I also tried to flash "DID-ELF010050_CID-DOPOD001_ROM-2.20.721.2B" but it is not flashed, it gave "error 270 update error" or something. Please tell me where the problem is and how to solve it, guys.
ok.. maybe you should try this.. hope it helps..
tito12 said:
You have to cid unlock first before flashing any rom...
Yup by the prob its showin, the CID is definitely locked, so 1st unlock the CID & then flash the ROM of your choice..!!!
Do remember also upgrade the "IPL & HSPL"..!!!
Njoy the FLASHING..!!!
Thank you, but tell me
how to downgrade or upgrade my IPL and SPL; my device is already in bootloader mode, please tell me.
To upgrade your SPL (or flash HardSPL) you first need to have your device "alive" again, as flashing the HardSPL is done by using ActiveSync.. I would suggest you try a hard reset (by holding the Call & End buttons and resetting with the stylus).. if that didn't work and you still can't load into the WinMo interface.. then you might want to try the method I mentioned above..
hope this helps..
Ok just some info about the phone:
I already CID unlocked it, so that couldn't have been the problem as I was running the Onyx ROM
I have tried getting into the three colours screen and still nothing happens, the battery isn't dead
Led used to turn on when it was charging now it doesn't :/
On button doesn't seem to make the device do anything either
tjeaton said:
Ok just some info about the phone:
I already CID unlocked it, so that couldn't have been the problem as I was running the Onyx ROM
I have tried getting into the three colours screen and still nothing happens, the battery isn't dead
Led used to turn on when it was charging now it doesn't :/
On button doesn't seem to make the device do anything either
Did you flash an original or shipped ROM?? sometimes that causes problems when used with HardSPL..
Yeah, it was an original backup of the factory ROM that was already on it. Is there any way of actually recovering my phone to a normal state again, at least the tri-colour screen or even the LEDs when charging?
tjeaton said:
Yeah, it was an original backup of the factory ROM that was already on it. Is there any way of actually recovering my phone to a normal state again, at least the tri-colour screen or even the LEDs when charging?
srry man.. but I can't help you.. flashing an original ROM over HardSPL can brick your phone.. and I don't want to disappoint you but I don't know how to recover it.. still I'm a not a pro.. :S:S
anyone else out there on xda can help, it would be great if you could thanks for the help so far people
I'm not sure that you have a software problem, but if it is, then your only hope is JTAG.
check this: http://forum.xda-developers.com/showthread.php?t=602233
too bad there is no more information anywhere, but at least those jtags are easy to solder!
g00d luck!
btw, have you tried the voodoo reset posted by aonellbicho in the jtag thread? any luck with it?
I've never seen it before, and u will probably need as many hands as Shiva has to do it...
guess i can give it a go, what else could go wrong lol
yeah the voodoo reset doesn't work, i think its a fake its pretty hard to press all of those things at once

Information on how to root the T-Mobile G6 [NOT A GUIDE]

Hey guys, Honestly Annoying here! I worked on rooting the G5 for about 9 months last year, and finally got it after receiving a userdebug kernel.
I spent a lot of time researching and talking with tons of different devs, and here is a list of all of the information I have collected.
UNLOCK.BIN
First of all, this is ONLY for the devices that LG officially unlocks. It is processed by fastboot (aboot partition) and unless LG unlocks it officially, it will not recognize the "fastboot flash unlock unlock.bin" command. At this point there is no point in talking about this because the T-Mobile variant does NOT accept an unlock.bin to unlock, it accepts the oem fastboot command.
TL;DR: The unlock.bin is useless for any American G6. Don't waste your time trying to spoof it.
If you still want to attempt and spoof it (for some reason), it isn't possible. Some great explanations on how it is coded and works are posted in this thread here, make sure to leave those guys a thanks.
TOT INJECTING
For the G5, this was the only way T-Mobile users could achieve root before dirtyc0w. Unfortunately, this is not a viable option for the G6 (or V20) anymore, as LG is now signing the TOTs and the LAF partition will brick the device if an unsigned TOT is flashed. I have a theory on why this is the case, but don't want to accuse anyone of something if I am wrong (if you do a bit of research about this you will understand). I would not recommend trying this out as it will brick your device.
LG LAF BACKDOOR
If you have been with the LG scene for a while, you may know about the LAF backdoor. It has been documented publicly here (PLEASE leave him a thanks!), and there are a few other things that I have discovered with this as well that are not public as of now as I am not exactly sure what to do with them (PM for details). LG did patch this tool, but part of the code still works and with some work we could possibly figure out the new code. At this point I believe this is the most likely way to flash TWRP (use the dd command), but I have not been able to look at the new LAF commands as I do not own the G6.
TL;DR: The LG LAF backdoor probably still exists, it will just take work to figure it out. If someone does figure out the new codes, TWRP is easily flashable.
DIRTYC0W
This was patched in December/November. Don't waste your time trying this out, as it has been confirmed not to work.
This is all of the information I can think of right now, I will continue to update this thread as I can think of other things to not waste time testing.
man, good thing i didn't sell my 3t , i kind of , sort of, can't live without molesting my device.
what are the chances the at&t version will be rooted? just got mine today, really like it but no root ill be taking it back.
I believe we are on the same page of why the tot files are being signature enforced now...
Sent from my LG-H918 using XDA-Developers Legacy app
fix-this! said:
what are the chances the at&t version will be rooted? just got mine today, really like it but no root ill be taking it back.
I think you will be taking it back...unless you dont mind waiting for a long time.
I really like the G6. i think LG nailed it this time but for me its a paperweight since it was likely to be BL locked.
Sent from my Note 7, S7 Edge or S6
Just a heads up, carrier locked LG G5's are still unrooted. I would imagine that the G6 would follow a similar fate.
henryjumbo said:
Just a heads up, carrier locked LG G5's are still unrooted. I would imagine that the G6 would follow a similar fate.
I couldn't agree more. T-Mobile is the only one that allowed oem unlock in the us of all carriers so naturally it was eventually rootable.
This thread shows how to enable disabled fastboot commands on the Alcatel OneTouch Idol 3, maybe we could also use this method: https://forum.xda-developers.com/idol-3/development/6039-guide-how-to-return-fastboot-t3201077
nima0003 said:
This thread shows how to enable disabled fastboot commands on the Alcatel OneTouch Idol 3, maybe we could also use this method: https://forum.xda-developers.com/idol-3/development/6039-guide-how-to-return-fastboot-t3201077
Link doesn't work
Josh McGrath said:
Link doesn't work
Just clicked on it and it worked, you might have to go back to the first page though.
nima0003 said:
Just clicked on it and it worked, you might have to go back to the first page though.
That's weird, it still doesn't work for me :/ oh well, no biggie
Honestly Annoying said:
LG LAF BACKDOOR
If you have been with the LG scene for a while, you may know about the LAF backdoor. It has been documented publicly here (PLEASE leave him a thanks!), and there are a few other things that I have discovered with this as well that are not public as of now as I am not exactly sure what to do with them (PM for details). LG did patch this tool, but part of the code still works and with some work we could possibly figure out the new code. At this point I believe this is the most likely way to flash TWRP (use the dd command), but I have not been able to look at the new LAF commands as I do not own the G6.
TL;DR: The LG LAF backdoor probably still exists, it will just take work to figure it out. If someone does figure out the new codes, TWRP is easily flashable.
Thank you for the information. I'd be open to trying to flash TWRP using lglaf. But too much, including my job, depends on my having a functional, non-bricked phone. If I were to give this a shot and it turns out that my phone decides it wants to punch me in the eye, would I be able to use LGUP and flash the stock KDZ and have a functioning phone again? Obviously, nobody can really give a certain "Yes" to such a question, but I'd be happy with something along the lines of, "Unless you shoot yourself in the foot and/or your phone gets struck by lightning during the flash process, you should be good."
That said, I have another question. To be honest, I don't really care if my phone is rooted or not. In fact, I like using Android Pay. All I really want to do is have a usable phone in my home, where I have almost zero mobile signal. Unfortunately, that requires making a few small changes to /system/etc/wifi/WCNSS_qcom_cfg.ini.
Last time I was in LG Land, I don't think there was yet an "lglalf" utility. There was the "send_command" utility instead. Regardless, I seem to recall using this utility to mount /system/ RW, making the changes I wanted to /system/etc/wifi/WCNSS_qcom_cfg.ini, rebooting, and having an unrooted V10 that even took OTA updates, retained my changes to that file, and had working WiFi as a result.
Any thoughts on using the same methodology with the lglaf utility on the G6? My concern is that the bootloader or some other process may be doing some kind of checksum and, if the hash doesn't match what it expects to see, it will basically crap itself and tell me my phone is not safe, etc.
P.S. I spend many work days staring at wireshark captures trying to find the source of spanning tree goofiness on networks that are /20 and /21 in size. So, staring at USB packet dumps to try to make heads or tails out of what is going on would not bother me in the slightest, should you wish to give me a push in the right direction.
I spent some time messing around with the lglaf tool today. The normal version doesn't work, most commands give error code 0x8000010a. Apparently, that is the result of some additional security LG added to the process, in the form of a handshake. I found a pull request that adds an --unlock option here: https://github.com/Lekensteyn/lglaf/pull/12 - note that the code in the pull request is not compatible with python 3, so you'll need to be on python 2 to run it. The --unlock switch is not a bootloader unlock, but it triggers the authentication handshake. Unfortunately, neither of the keys provided along with that worked with the G6. So, if there are no other changes to the laf other than a new key, figuring out the new key might be enough to make some additional progress.
any peoples out there have access to:
extra G6 boards...
or broken G6..
or bad esn/imei G6..
or bricked G6.. etc?
Would love to start poking this device but I'm still paying off my G5.
Every now n then a repair tech or service center worker comes along.. and sometimes they have access to damaged/broken devices that are just collecting dust. I'm not looking for donations or anything like that.. just need a G6 board to work with.
Hit me up on my Twitter or something if you might have access to these things... https://twitter.com/@utoprime
autoprime said:
any peoples out there have access to:
extra G6 boards...
or broken G6..
or bad esn/imei G6..
or bricked G6.. etc?
Would love to start poking this device but I'm still paying off my G5.
Every now n then a repair tech or service center worker comes along.. and sometimes they have access to damaged/broken devices that are just collecting dust. I'm not looking for donations or anything like that.. just need a G6 board to work with.
Hit me up on my Twitter or something if you might have access to these things... https://twitter.com/@utoprime
Autoprime, after you pay off that G5, you can call T-Mobile or contact them from Twitter and they can do JOD. 3 upgrades a year. I just paid off my G4 and am doing that now and got the S8+. Then I can jump to the V30, then jump to the Pixel 2 possible all this year.
Sent from my SM-G955U using Tapatalk
MicroMod777 said:
Autoprime, after you pay off that G5, you can call T-Mobile or contact them from Twitter and they can do JOD. 3 upgrades a year.
not a bad idea.. it's a great way to get multiple phones in a year. the only thing keeping me from hopping on JOD is that I'd probably regret giving the phones back.. never know when you need to revisit an old phone to test something. But doing something like JOD may be the only way I can get multiple phones.. we shall see when it comes time to pay off my G5
I don't even use these phones as my main device.. they never leave my desk and often never even have a sim card put in them. So if I could get my hands on just a board.. or broken phone or something that'd be most ideal for my situation. But.. we can't always get what we want now can we? :crying:
hendusoone said:
I spent some time messing around with the lglaf tool today. The normal version doesn't work, most commands give error code 0x8000010a.
Yeah, I ran into some of the same error message. Check out the thread for Issue #7. (Sorry, too "new" to post a link, but it's here: https://github.com/Lekensteyn/lglaf/issues/7 ) This provides some clues as to how to possibly go about getting the right keys. I will mess around with this tomorrow.
I also noticed something about the HELO command. The protocol documentation states that arg1 is the protocol version and states, "(resp must match req.)" without further details being provided. As the documentation states, lglaf is sending a value of 0x01000001 (\1\0\0\1), but the response does not match. The response that is being sent back by the device is (little-endian) 0x01000005 (\5\0\0\1). Yet, neither the lglaf utility nor the device balk, as noted by the ability to subsequently run '!INFO GPRO \x08\x0b\0\0' and/or '!CTRL RSET'
Also, the second argument is minimum version. The device is sending a response that indicates the minimum version is 0x10000001 (\1\0\0\10). It would appear that the device is saying its minimum version is higher than our version, which is 0x01000001.
And again, not sure if it means anything at all since it does seem to be working, but for science, at least:
host to 2.2.2 (request): HELO version 0x01000001
Code:
0000 48 45 4c 4f 01 00 00 01 00 00 00 00 00 00 00 00 HELO............
0010 00 00 00 00 00 00 00 00 5c b1 00 00 b7 ba b3 b0 ........\.......
2.2.3 to host (response): HELO version 0x01000005 min version 0x10000001
Code:
0000 48 45 4c 4f 05 00 00 01 01 00 00 10 00 00 80 00 HELO............
0010 02 00 00 00 00 00 00 00 9e 3c 00 00 b7 ba b3 b0 .........<......
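To make the two HELO frames above concrete, here is an added example (my own code, not part of the original post or of the lglaf project) that parses the hex dumps quoted above into the 32-byte LAF header lglaf uses (command, four arguments, body length, CRC-16, inverted command), rebuilds the request with the same CRC-16/X-25 checksum lglaf computes over the header with the CRC field zeroed, and applies the two version checks the post describes. The request dump round-trips byte for byte, which confirms the layout and checksum; the response CRC is recomputed and reported only. Function names are mine, and the two dumps are embedded as constructed sample input with the colour markup removed.

```python
import struct

# 32-byte LAF header, little-endian, as lglaf lays it out:
#   cmd[4] | arg1 | arg2 | arg3 | arg4 | body_len | crc16 | ~cmd[4]
HEADER_FMT = "<4sIIIIII4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32

# The two frames from the post, transcribed here as constructed sample
# input (BBCode colour markup removed).
REQUEST_DUMP = r"""
0000 48 45 4c 4f 01 00 00 01 00 00 00 00 00 00 00 00 HELO............
0010 00 00 00 00 00 00 00 00 5c b1 00 00 b7 ba b3 b0 ........\.......
"""
RESPONSE_DUMP = r"""
0000 48 45 4c 4f 05 00 00 01 01 00 00 10 00 00 80 00 HELO............
0010 02 00 00 00 00 00 00 00 9e 3c 00 00 b7 ba b3 b0 .........<......
"""


def crc16(data: bytes) -> int:
    """CRC-16/X-25 (reflected poly 0x8408, init 0xFFFF, final XOR 0xFFFF),
    the checksum lglaf puts in the header's crc field."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def invert(cmd: bytes) -> bytes:
    """The trailer is the command with every byte XORed with 0xFF
    ("HELO" -> b7 ba b3 b0)."""
    return bytes(b ^ 0xFF for b in cmd)


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset xx xx ... ascii' lines into bytes; the ASCII column is
    skipped by only accepting two-character hex tokens after the offset."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
    return bytes(out)


def make_request(cmd: bytes, args=(), body: bytes = b"") -> bytes:
    """Build a LAF frame the way lglaf does: pack the header with crc=0,
    checksum header+body, then patch the crc field (offset 0x18)."""
    assert len(cmd) == 4 and len(args) <= 4
    a = list(args) + [0] * (4 - len(args))
    header = struct.pack(HEADER_FMT, cmd, *a, len(body), 0, invert(cmd))
    crc = crc16(header + body)
    return header[:0x18] + struct.pack("<I", crc) + header[0x1C:] + body


def parse_header(raw: bytes) -> dict:
    """Unpack a frame, verify the inverted-command trailer and recompute
    the checksum over the header (crc field zeroed) plus body."""
    cmd, a1, a2, a3, a4, body_len, crc, inv = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    zeroed = raw[:0x18] + b"\0\0\0\0" + raw[0x1C:HEADER_LEN]
    body = raw[HEADER_LEN:HEADER_LEN + body_len]
    return {
        "cmd": cmd,
        "args": (a1, a2, a3, a4),
        "body_len": body_len,
        "crc": crc,
        "crc_ok": crc16(zeroed + body) == crc,
        "inv_ok": inv == invert(cmd),
    }


def check_helo(request: bytes, response: bytes) -> dict:
    """The two observations from the post: does the device echo our protocol
    version (the docs say it must), and does our version meet its minimum?"""
    ours = parse_header(request)["args"][0]
    resp = parse_header(response)
    dev_version, dev_min = resp["args"][0], resp["args"][1]
    return {
        "device_version": dev_version,
        "device_min_version": dev_min,
        "version_matches": dev_version == ours,
        "we_meet_minimum": ours >= dev_min,
        "response_trailer_ok": resp["inv_ok"],
        "response_crc_ok": resp["crc_ok"],
    }


if __name__ == "__main__":
    req = parse_hexdump(REQUEST_DUMP)
    resp = parse_hexdump(RESPONSE_DUMP)
    print("request rebuilt byte-for-byte:", make_request(b"HELO", [0x01000001]) == req)
    result = check_helo(req, resp)
    print("device version %#010x, minimum %#010x"
          % (result["device_version"], result["device_min_version"]))
    for key in ("version_matches", "we_meet_minimum", "response_trailer_ok", "response_crc_ok"):
        print(key, result[key])
```

Run it as-is and it reproduces the post's reading: the device answers with version 0x01000005 and minimum 0x10000001, so neither "resp must match req" nor the minimum-version check holds for the 0x01000001 lglaf sends, yet the trailer and framing are valid, which is consistent with the device not enforcing either field.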
ariesgeek said:
Yeah, I ran into some of the same error message. Check out the thread for Issue #7. I also noticed something about the HELO command.
I have the KILO commands here... this is the work of @FluffyMittens and our findings by using a serial port sniffer while running a word generator that sent different commands through a serial connection.
KILOCENT (this is the handshake, cleaned up)
Code:
4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BE E3 7B 00 00 BE B4 BE B6 BE B3 BE B0
RAW HEXADECIMAL
Code:
0x4B 0x49 0x4C 0x4F 0x43 0x45 0x4E 0x54 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (insert byte) 0xE3 0x7B 0x00 0x00 (insert byte) 0xB4
(insert byte) 0xB6 (insert byte) 0xB3 (insert byte) 0xB0
KILOMETR (cleaned up)
Code:
4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 BE B4 BE B6 BE B3 BE B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
RAW HEXADECIMAL
Code:
0x4B 0x49 0x4C 0x4F 0x4D 0x45 0x54 0x52 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x10 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (insert byte) 0xB4 (insert byte) 0xB6 (insert byte) 0xB3 (insert byte) 0xB0
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
KILOGRAM (key)
Code:
dqoev)ohnsWu\\bk`oiicmZ_lpqe\\ealp
I don't exactly know how to use these. I know that these are supposed to be "secret" but since the LG scene has gone down recently here they are. Hopefully this helps, if anyone needs anything more I have some more commands as well.
So... I tried lglaf.py with that new kilogram key, but it didn't work. Then, I went back and took another stab at updating the version with --unlock to be compatible with python 3. I was a bit more successful this time, and it is able to complete the handshake and execute commands (like ls) without erroring out. It's using the old key - the new one you provided errors out. I don't know of a safe way to test writing data to the G6, so I will leave that to someone a bit more experienced.
I have attached my updated lglaf.py to this post. Extract it to your lglaf directory overwriting the existing lglaf.py. If you don't have lglaf yet, get it here first: https://github.com/Lekensteyn/lglaf
Requirements:
Install python3, then run: pip install pycryptodomex
Once that's done, you should be able to execute commands like this:
python lglaf.py --unlock --debug -c "!EXEC ls -l /system/\0"
Note that partitions.py is not working.
hendusoone said:
So... I tried lglaf.py with that new kilogram key, but it didn't work. Then, I went back and took another stab at updating the version with --unlock to be compatible with python 3. I was a bit more successful this time, and it is able to complete the handshake and execute commands (like ls) without erroring out.
Can it run any other commands besides "ls"? Try out "id" and "whoami"

VS995 - Error using Uppercut - Cannot decide device boot mode. set Unknown Mode

I recently acquired a Verizon-branded LG V20 (VS995) and my eventual goal is to put TWRP and LineageOS on it like my last phone. The first step is to downgrade it to a vulnerable stock image using UPPERCUT. However, I'm finding that LGUP is unable to begin to perform the flash.
My setup/procedure is as such:
1. Fresh Windows 7 x64 installation in Virtualbox 5.2.16 on Arch Linux
1a. USB filter setup so that USB 1004:633a is always passed through to Windows 7
2. Installed drivers: LGMobileDriver_WHQL_Ver_4.2.0.exe
3. Installed LGUP 1.14: LGUP_Store_Frame_Ver_1_14_3.msi
4. Insert battery into LG V20 VS995
5. Insert USB into computer
6. Hold VOLUP while inserting USB-C into V20
7. Wait as "download mode" message appears and then changes to "Firmware Update" screen.
8. Wait for Windows to install all drivers, ensuring devmgmt.msc shows COM port
9. Launch UPPERCUT v1.0.0.0, granting admin permissions
10. Wait for LGUP to launch, initialize, and show a VS9951CA device
11. Select the December 2016 KDZ: VS99512A_06_1114_ARB00.kdz
12. Select UPGRADE and hit Start
After waiting for the 15 second initialization period, LGUP displays the error "Cannot decide device boot mode. set Unknown". If left in this state for several minutes, LGUP will eventually bring up a dialog saying "Error: 0x2000, Port open error (COMX)". LGUP sometimes says it is on a step which I have not transcribed correctly but resembles "_prepareAndDL" before showing the "Cannot decide device boot mode. set Unknown" error, but I've only seen this step once or twice.
SHA1 sums of the files I'm using:
eac54e3e0cfe6e8d7cd395e245170e13de4fcd67 lgmobiledriver_whql_ver_4.2.0.exe
f7b41f77047698bc8e030dddf4ef6fbdb5c3af41 lgup_store_frame_ver_1_14_3.msi
46c9a349d62287d81c94ce7148233c0922604273 uppercut_1.0.0.0.zip
3104b93b7243e3274932b2c56b8383cdecf7ede3 vs99512a_06_1114_arb00.kdz
Is UPPERCUT still the recommended tool to flash stock firmware for this model? Should I be installing it via fastboot instead (if so, is there a thread to follow)? Is the 1CA update no longer downgradable?
--------------------
I tried to use the patched LGUP tool instead of UPPERCUT to see if that helped at all. I did not try to flash the KDZ, but rather just tried to DUMP the existing partitions. I ran into the same error as the post title again.
Procedure:
0. In the LGUP program files directory:
1. Copy the original LGUP.exe to LGUP.original.exe
2. Copy the patched LGUP.exe into its place
3. Copy in the 'model/common' directory from the patched LGUP zip
4. Steps 4->8 from above
9. Launch patched LGUP (no UPPERCUT)
10. Same as above
11. Select DUMP, hit start, select dump location
SHA1 sum of additional files:
242640ddb023308b9a103e0a767f27511c9a2db0 lgup_v20dll_patched.zip
I captured a trace of the USB communication with wireshark. I used the LG LAF protocol plugin (can't post links yet: github com/Lekensteyn/lglaf/blob/master/lglaf.lua) and it didn't find any USB frames that matched the protocol. I'm no USB wire protocol expert, but it looks like the phone is sending a response:
Code:
0000 1b 00 10 b0 62 03 80 fa ff ff 00 00 00 00 09 00 ...°b..úÿÿ......
0010 01 02 00 01 00 83 03 97 00 00 00 ef a0 00 00 00 ...........ï*...
0020 00 00 56 53 39 39 35 00 00 00 00 00 56 53 39 39 ..VS995.....VS99
0030 35 31 43 41 00 00 00 00 00 00 00 00 00 00 00 00 51CA............
0040 00 00 00 00 00 00 00 00 00 00 01 33 35 39 39 36 ...........35996
0050 38 30 37 32 39 39 39 30 37 36 00 00 00 00 00 60 8072999076.....`
0060 1e 41 6e 64 72 6f 69 64 00 00 00 37 2e 30 00 00 .Android...7.0..
0070 00 00 00 00 00 3X 3X 3X 3X 3X 3X 3X 3X 3X X9 00 .....XXXXXXXXXX.
0080 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 31 63 6f 6d 6d 6f 6e 00 00 00 ......1common...
00a0 56 5a 57 31 00 00 00 00 00 00 00 00 00 00 7d 5d VZW1..........}]
00b0 86 7e .~
There were five such frames, all essentially identical less a byte or two. I suspect if I had let the capture go they would have continued to arrive at an interval. So it's possible the LGUP tool just is not recognizing the ping that the phone is sending?
Install the VirtualBox extension pack and set your USB config for that VM to 2.0 or 3.1, and you should be good.
1CA is definitely downgradable. This is a USB communication problem.
-- Brian
I re-confirmed that I had the guest extensions installed (VM has no nic and all files were transferred in via shared folders, which requires guest extensions). But it turns out I did have the USB bus set to USB 2.0. After setting that to USB 3.0 and installing the Intel USB3 drivers for Windows, LGUP started the download without issue. This is still the patched LGUP (no UPPERCUT) and using the UPGRADE option with the KDZ mentioned in the OP. Oddly enough, it did not clear my data, as it asked for my encryption passphrase when it rebooted. It did successfully downgrade me, so I just did a factory reset to clear my old data and apps. As a reminder, the LG out-of-the-box experience starts checking for OTA updates as soon as the phone starts up, so remove your SIM before you start.
1. Remove SIM
2. Do one of the following:
CLI:
Code:
vboxmanage modifyvm $vmname --usbehci off && vboxmanage modifyvm $vmname --usbxhci on
UI: Right click VM > Settings > USB > USB 3.0 (XHCI) Controller
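The whole VirtualBox side of the fix, as an added example that is not part of the thread: it switches the VM from the EHCI (USB 2.0) controller to xHCI, as the post above does, and also adds the per-VM USB filter for the LG download-mode device (USB ID 1004:633a, the ID the OP's filter used) so the phone is captured as soon as it enumerates. The VM name is whatever you pass in; VBOXMANAGE can be pointed at another binary for a dry run. The xHCI controller still needs the Extension Pack installed on the host.

```sh
#!/bin/sh
# Added example (not from the thread): move a VirtualBox VM to the xHCI
# controller and pin LG download mode (USB ID 1004:633a) to that VM.
# Override VBOXMANAGE (e.g. VBOXMANAGE=echo) to see the commands without
# running them.
set -eu
VBOXMANAGE=${VBOXMANAGE:-VBoxManage}

vm_usb_passthrough() {
    vm=$1   # VM name or UUID, supplied by the caller

    # VirtualBox uses one USB controller type per VM, so disable EHCI
    # before enabling xHCI; xHCI requires the Extension Pack on the host.
    "$VBOXMANAGE" modifyvm "$vm" --usbehci off
    "$VBOXMANAGE" modifyvm "$vm" --usbxhci on

    # Per-VM filter at index 0: the phone in download mode (vendor 1004,
    # product 633a) is handed to the guest whenever it appears, so LGUP
    # sees the COM port instead of the host grabbing it first.
    "$VBOXMANAGE" usbfilter add 0 --target "$vm" \
        --name "LG download mode" --vendorid 1004 --productid 633a
}

# usage: sh vbox-lg-usb.sh <vmname>
if [ "${1:-}" ]; then
    vm_usb_passthrough "$1"
fi
```

After running it, pull the battery-and-VOLUP sequence from the post again; the device should now enumerate inside the guest on the xHCI controller, and the LG driver's COM port should appear in devmgmt.msc before LGUP is launched.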