ZV5 Update doesn't allow rollback - Sprint LG G5 Guides, News, & Discussion

Just a heads up for everyone developing, ZV5 doesn't allow rollback and there isn't a ZV5 TOT available yet. So probably not a good idea to update until we get root.

And what is your base for this?

Warboy said:
And what is your base for this?
There's apparently a flag set in the new firmware that prevents rolling back.
It was discovered while attempting to test a root method that involved a modified ZV4-based image, on a phone that was updated to zv5.

Warboy said:
And what is your base for this?
http://forum.xda-developers.com/sprint-lg-g5/development/request-zv5-tot-t3433674
This explains a bit.

I highly doubt this is the case, and it's something we can't do right now with the limited tools we have.

Nothing out of the ordinary, the G4 LS991 was the same way - had Anti-Rollback after LS991 ZVA version.
Just as a note, I have tried using the 'Send_Command' trick @ 9% with LGUP on the G5 like we did on the G4 (see my sig), but something has been patched and now entering anything at the root prompt says 'Hello, I am LAF nice to meet you!'. This means no DD commands will work to pull the system image, modify it, then put it back like we did on the G4.
We will have to wait for another trick.

Qualcomm's Secure Execution Environment Exploit (possible root from this?)

I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
Fredo2000 said:
I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
Ah damn. Thanks for letting me know anyways
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Wow that's an impressive exploit. Congrats for finding it and explaining it in your write up. Have you been able to use it on an unrooted device like ours to gain root? What about the S7 edge that is chained down at the moment? Sounds like you might have an opportunity to cash in on the large bounties for both devices! Once again great work!!
Sent from my LG-H830 using XDA-Developers mobile app
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
How long did it take to discover and work on this exploit? I'm just a lay person that likes to root phones but I imagine this takes a ton of time to work on. I hope you submit your work and publish a root method and cash in on ~$5000 worth of bounties for all your hard work. And I hope Google implements your fixes soon to patch the holes you have discovered.
Sent from my LG-H830 using XDA-Developers mobile app
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
Wow... This is all some seriously great stuff! If you have some time I would love to talk with you about how to get this working on the Sprint G5
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
My god... you are the MAN!!! I'll check for the files ASAP (currently doing mother's day stuff) and report back.
Also, how can I donate to you?
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
so you are wrong then? this CAN be used to get root?
laginimaineb said:
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
Syndicate0315 said:
so you are wrong then? this CAN be used to get root?
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about after I put in the readme that it will not do what you want. No one listens.
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
Blowing fuses is the standard way of enabling secure boot, not disabling. These phones already have that fuse blown. The more recent LG phones have used a signed blob to "unlock" (as far as the ones I've looked at), they are not following the motorola method of blowing a fuse.
The TMobile LG G5 is actually unlocked, all these guys need to do is pack twrp into a TOT (pretty much a raw image with a header) and flash it in download mode.
Fredo2000 said:
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
He can modify the kernel at run time with this exploit, but not the binary image of it, nor the ram disk that has the settings to enforce dm-verity. It would still need an exploit to get exec in the proper user/context as well as a codesigning exploit
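The point made above, that patching the running kernel leaves the on-disk image and its verity root untouched, can be shown with a toy model of dm-verity's hash tree. This is an added example, not code from the thread or from LG/Android; the 4096-byte block size follows dm-verity's default, while the salt, the three-block "system image" and the tamper offset are constructed.

```python
"""Toy model of dm-verity's hash tree (added example; not code from this thread,
LG or Android). The 4096-byte block size matches dm-verity's default; the salt,
the three-block "system image" and the patched offset are constructed."""
import hashlib

BLOCK_SIZE = 4096                     # dm-verity default data/hash block size
DIGEST_SIZE = 32                      # SHA-256
PER_NODE = BLOCK_SIZE // DIGEST_SIZE  # 128 child digests per hash block


def _h(data: bytes, salt: bytes) -> bytes:
    """Salted SHA-256, the digest stored for each data/hash block."""
    return hashlib.sha256(salt + data).digest()


def split_blocks(image: bytes) -> list:
    """Cut the image into BLOCK_SIZE blocks, zero-padding the last one."""
    return [image[o:o + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            for o in range(0, len(image), BLOCK_SIZE)]


def build_tree(image: bytes, salt: bytes):
    """Build the hash tree over the image.

    Returns (levels, root): levels[0] holds one digest per data block, each
    higher level one digest per PER_NODE children, and the single digest in
    the top level is the root hash that the signed boot image carries."""
    level = [_h(b, salt) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + PER_NODE]).ljust(BLOCK_SIZE, b"\0"), salt)
                 for i in range(0, len(level), PER_NODE)]
        levels.append(level)
    return levels, level[0]


def verify_block(block: bytes, index: int, levels, root: bytes, salt: bytes) -> bool:
    """Check one data block the way the kernel does on each read: hash it,
    compare with the stored leaf digest, then walk the stored hash blocks up
    and compare the top of the on-disk tree with the trusted root hash."""
    if index >= len(levels[0]):
        return False
    if _h(block.ljust(BLOCK_SIZE, b"\0"), salt) != levels[0][index]:
        return False
    for depth in range(len(levels) - 1):
        parent = index // PER_NODE
        node = b"".join(levels[depth][parent * PER_NODE:(parent + 1) * PER_NODE])
        if _h(node.ljust(BLOCK_SIZE, b"\0"), salt) != levels[depth + 1][parent]:
            return False
        index = parent
    # The root lives in the signed boot image, not on the system partition,
    # so a tree rebuilt over tampered data still fails here.
    return levels[-1][0] == root


def demo() -> tuple:
    """Return (clean_ok, patched_block_ok, rebuilt_tree_ok)."""
    salt = bytes(range(32))                                    # constructed salt
    image = b"".join(bytes([c]) * BLOCK_SIZE for c in b"ABC")  # constructed 3-block image
    levels, root = build_tree(image, salt)                     # root: what boot.img would carry

    clean_ok = all(verify_block(b, i, levels, root, salt)
                   for i, b in enumerate(split_blocks(image)))

    # Flip one byte in block 1 on "disk" without touching the stored tree.
    tampered = bytearray(image)
    tampered[BLOCK_SIZE + 100] ^= 0xFF
    tampered = bytes(tampered)
    patched_block_ok = verify_block(split_blocks(tampered)[1], 1, levels, root, salt)

    # Rebuild the hash tree to match the tampered data: every stored digest
    # checks out, but the top of the tree no longer equals the signed root.
    new_levels, _ = build_tree(tampered, salt)
    rebuilt_tree_ok = verify_block(split_blocks(tampered)[1], 1, new_levels, root, salt)
    return clean_ok, patched_block_ok, rebuilt_tree_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```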
jcase said:
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about.
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Syndicate0315 said:
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
Ahhhh OK, that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Syndicate0315 said:
Ahhhh OK, that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Dig through the bootchain, looking for a vulnerability you can use to bypass the secureboot (or otherwise bypass the signing requirement of boot.img), or look at LG's code in regards to unlock; I wouldn't be surprised if a route existed there, LG is notoriously bad at "security" features.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
Hate to see you've sold your G5. Unfortunately, there is no TOT for the H830. However, Sprint has one. I am unsure as to how one can create a TOT.

Potential way to unlock bootloader?

Since we are using engboot, write protection seems to be off, so it appears you can use dd to write to normally write-protected partitions such as the bootloaders (ex: "dd if=/sdcard/aboot of=/dev/block/sdd10"). In my testing I was successfully able to "dd" a backed-up aboot (secondary bootloader) partition and also write to the modem partition and have it stick (which means write protection should be off, AFAIK). If you were to "dd" the Chinese bootloaders, you might be able to flash and re-partition onto the Chinese firmware and then use the CROM service to unlock the bootloader from there. I personally don't know too much about this type of stuff and haven't tried to actually "dd" the Chinese bootloader, but for those more knowledgeable, could this potentially work?
Partitions likely needed are:
- rpm (Resource and Power Manager / Primary Bootloader) located at /dev/block/sdd1 (/dev/block/bootdevice/by-name/rpm)
- aboot (AP Bootloader / Secondary Bootloader) located at /dev/block/sdd10 (/dev/block/bootdevice/by-name/aboot)
- xbl (Extended Bootloader) located at /dev/block/sdb1 (/dev/block/bootdevice/by-name/xbl)
- ? located at /dev/block/sdc1
Modifying the bootloader is dangerous and could permanently brick your device. I take no responsibility if you try this and it breaks your device.
Edit 5: Additional Details
qwewqa said:
Since we are using engboot, write protection seems to be off, so it appears you can use dd to write to normally protected partitions (ex: "dd if=/sdcard/aboot of=/dev/block/sdd10"). In my testing I was successfully able to dd a backed-up aboot (secondary bootloader) partition and also write zeros to the modem partition and have it stick (which means write protection should be off). If you were to dd a Chinese bl/ap, you might be able to flash/re-partition onto the Chinese firmware and then use the CROM service to unlock the bootloader from there. I personally don't know too much about this and haven't tried to actually dd the Chinese bootloader, but for those more knowledgeable, would this work?
Edit: Modem partition sticks after reboot.
@Binary100100 you probably know somebody that knows a little bit more about this, tell them to check it out
Magnifik81 said:
@Binary100100 you probably know somebody that knows a little bit more about this, tell them to check it out
Nope. Don't know anyone specific.
Wish I had the $175 for my insurance deductible, I'd give it a try. All in all, it should work. The hardware is the same.
thescorpion420 said:
Wish I had the $175 for my insurance deductible, I'd give it a try. All in all, it should work. The hardware is the same.
Well, if it WORKS, I'm sure the bounty on unlocking the bootloader is a lot higher than $175!
DOMF said:
Well, if it WORKS, I'm sure the bounty on unlocking the bootloader is a lot higher than $175!
Let's start a thread . . . I am willing to contribute $25.00 :good: into a pool with others here at XDA to the developer who can produce an unlocked bootloader that is rooted with a decent ROM that works great and better than stock, something that will fix all of the untold bugs and address the known issues.
Anyone else?
serendipityguy said:
Let's start a thread . . . I am willing to contribute $25.00 :good: into a pool with others here at XDA to the developer who can produce an unlocked bootloader that is rooted with a decent ROM that works great and better than stock, something that will fix all of the untold bugs and address the known issues.
Anyone else?
$25? Hell think about how much we spend on the phone itself and bill every month.. I'd easily pledge $100 for an unlocked bootloader with twrp support.
That's the 1 thing I don't understand.. this is the most highly sought after phone right now with 0 developer support. I understand the limitations with the locked bootloader but other phones have overcome the same through the works of various motivated individuals. There is no one even interested in trying it seems on ANY carrier forum. Instead we have countless threads with people more interested in getting the nougat update early which will hardly provide anything useful compared to an unlocked bootloader with working root.
serendipityguy said:
Let's start a thread . . . I am willing to contribute $25.00 :good: into a pool with others here at XDA to the developer who can produce an unlocked bootloader that is rooted with a decent ROM that works great and better than stock, something that will fix all of the untold bugs and address the known issues.
Anyone else?
"Start?" It was started ages ago and it's thousands of dollars. https://forum.xda-developers.com/tmobile-s7-edge/how-to/bounty-unlocked-bootloader-s7edge-t3339857
bdvince said:
$25? Hell think about how much we spend on the phone itself and bill every month.. I'd easily pledge $100 for an unlocked bootloader with twrp support.
That's the 1 thing I don't understand.. this is the most highly sought after phone right now with 0 developer support. I understand the limitations with the locked bootloader but other phones have overcome the same through the works of various motivated individuals. There is no one even interested in trying it seems on ANY carrier forum. Instead we have countless threads with people more interested in getting the nougat update early which will hardly provide anything useful compared to an unlocked bootloader with working root.
Root right now is just too impractical for most people. I'm still rooted, but for most people it isn't worth the hassle and trade-offs, for many it's worse than stock. I think most people who are really into root probably switched devices. Switching to android N could actually prevent bootloader unlock in this way, unless root for N comes out. That is if this unlock method could actually work, hard to say without anyone experienced in bootloaders and write protection though.
I'd like to find someone with a sm-g9350 to DD a dump of sdd10.
thescorpion420 said:
I'd like to find someone with a sm-g9350 to DD a dump of sdd10.
Sdd1 is the primary bootloader, probably also necessary.
Came to the realization that the Chinese bootloader is v2 where all US models are v4. I'd imagine the Chinese nougat update will make it v4, so we wait to try.
Don't want to be a downer or anything, but I'm pretty sure you can't just replace the bootloader, even if write protection is off on the Eng kernel. Even if you did replace it you'll have probably bricked your phone.
Sent from my SM-G935T using Tapatalk
dogredwing1 said:
Don't want to be a downer or anything, but I'm pretty sure you can't just replace the bootloader, even if write protection is off on the Eng kernel. Even if you did replace it you'll have probably bricked your phone.
The thinking is that since the devices are virtually the same hardware wise, there is a chance the bootloader could be replaced. I do agree that there is a good chance of hard bricking though. I haven't done any testing other than apparently successfully dding a backed up version of the same bootloader.
If I wasn't on nougat I would try it if someone posted instructions and devs confirmed the directions are correct..
Sent from my SM-G935T using Tapatalk
I was actually playing with the bootloader, and found this thread when I went to post. I'm going to be pulling fastboot commands also to see if I can find anything interesting. I'm tired of not being able to use a custom kernel
My device is on nougat. But I can easily downgrade and test if someone has a rock solid idea. I don't mind bricking as the device has a cracked screen and I have my S6 edge plus to use until the S8 drops...
Sent from my SM-G935T using Tapatalk
Count me in as well!
I have a theory that we can open the BL file in WinRAR and extract the rpm.mbn file from G9350 odin file,
and flash to our device. But I cannot determine which one is for aboot. I have not tested this yet.
aaron007 said:
Count me in as well!
I have a theory that we can open the BL file in WinRAR and extract the rpm.mbn file from G9350 odin file,
and flash to our device. But I cannot determine which one is for aboot. I have not tested this yet.
What I know is:
RPM = Resource and Power Manager = Primary Bootloader
ABoot = AP Bootloader = Secondary Bootloader
I believe the boot process is "RPM > ABoot > boot.img (Main OS)", so both the rpm and aboot files would be needed. Also I think the partition layout in the Chinese version is slightly different, so a flash and repartition would be needed after replacing the bootloader to actually root. I don't know what the chances of success are though; the devices are virtually the same hardware-wise, and the Chinese ROM with the U.S. bootloader works according to the Verizon forum, but there is a chance there are other differences that might prevent this from working.
Flippy125 said:
I was actually playing with the bootloader, and found this thread when I went to post. I'm going to be pulling fastboot commands also to see if I can find anything interesting. I'm tired of not being able to use a custom kernel
Isn't fastboot disabled on the S7? Also, were your results the same?
qwewqa said:
What I know is:
Isn't fastboot disabled on the S7? Also, were your results the same?
Yes, found that out when I started playing with it more. I'm currently reading sdd10 line by line. I did find an entry "Device is unlocked! Skipping verification...". I'm starting to think we need to look into recovery-side exploits. I'm too scared to try and mess with the bootloader too much.
EDIT: If we can find a way to get fastboot working, possibly piggybacking off of Odin, I found a command written in the aboot code 'fastboot oem unlock-go'
EDIT2: Using that command requires some sort of key. May be a dead end.
EDIT3: I'd be willing to test modifying the recovery image to see if it triggers the bootloader's hash checking. If anything, this could lead to writing a custom boot image that would open TWRP.

Verizon V20 update rolling out.. 14B

Appears to just be latest Google security updates.. (April 2017).. 700mb or so.. not much info from Verizon or LG on this.
Doesn't look like the kernel changed but maybe a new baseband.
Can someone try and snag a system image of it?
Just a heads up, the latest verizon update 14b patches the DirtySanta exploit. But it's not a huge deal, one can simply downgrade back to 12a or 13a with the kdz files and uppercut, then gain root access (I just did this, works fine).
Other than that exploit patch are there any reasons not to update?
Thanks.
bond32 said:
Just a heads up, the latest verizon update 14b patches the DirtySanta exploit. But it's not a huge deal, one can simply downgrade back to 12a or 13a with the kdz files and uppercut, then gain root access (I just did this, works fine).
Thanks, I was about to ask if I can downgrade my wife so I can root and unlock. Thanks for taking the risk.
Running Weta-Werewolf 4.8.5-1.0 VS995 hyb
666syco said:
Thanks, I was about to ask if I can downgrade my wife so I can root and unlock. Thanks for taking the risk.
Running Weta-Werewolf 4.8.5-1.0 VS995 hyb
Yeah, it would be nice if we could get a system image of the 14b. Don't have a clue how though
Guide?
bond32 said:
Just a heads up, the latest verizon update 14b patches the DirtySanta exploit. But it's not a huge deal, one can simply downgrade back to 12a or 13a with the kdz files and uppercut, then gain root access (I just did this, works fine).
Is there a guide on how to do this?
Fresh Micks said:
Is there a guide on how to do this?
I replied to your other thread... https://forum.xda-developers.com/v20/help/help-rooting-lg-v20-verizon-14b-software-t3630575
Download Uppercut, LG UP, and USB drivers from here:
https://www.google.com/amp/s/forum.x...-t3511295/amp/
Download the 12a kdz from here: https://lg-firmwares.com/lg-vs995-firmwares/
Install USB drivers to PC. Turn phone off. Hold volume up while phone is off and plug in USB cable to PC. Turn off antivirus stuff including Windows defender. Run Uppercut according to directions from thread and using the 12a kdz. When Uppercut loads, make sure to select "upgrade". Then you're good.
It won't wipe your data so when your phone reboots it will have a force close panic attack. What you do from here varies, but you're now on 12a which is exploit-able. What I would do is push past the force closes and go into settings to factory reset. Then let your phone do its thing. When it's back to set up, just bypass the setup as quick as possible and put the phone into airplane mode - this will keep the phone from trying to download Verizon bloatware (dtignite) and updates as this happens regardless of entering your account info in or not. Make sure you enable USB debugging and verify ADB is functioning and you can do the exploit from here.

Lg v20 h910 kdz?

Hello, I was searching for KDZ and was able to stumble into this model LG V20 H910PR.
Since I don't have a H910 model to test this. Anyone here who has a bricked ATT H910 that would like to test if this KDZ would work.
Link: https://lg-firmwares.com/lg-h910pr-firmwares/
It's been tested. It breaks radio.
me2151 said:
It's been tested. It breaks radio.
Can you unroot / get it back to stock though? *even if it breaks radio?*
tcanute said:
Can you unroot / get it back to stock though? *even if it breaks radio?*
Yes, but it's pointless without radio. BTW when I say radio I'm talking about cell service. You will get no service and it's impossible to fix while in the stock state. That's why it's pointless.
me2151 said:
It's been tested. It breaks radio.
Glad to hear that. There's still hope for those who bricked their device from faulty OTA updates.
Edit: Aww, I thought it was music radio. Too bad.
h910pr
I have successfully restored to the H910PR KDZ with working radio (cell signal). I'd love to get back to a rooted firmware, but for now it was at least a viable way to debrick my phone.
HOW!
predheadtx said:
I have successfully restored to the H910PR KDZ with working radio (cell signal). I'd love to get back to a rooted firmware, but for now it was at least a viable way to debrick my phone.
How!? Is your phone an H910 running on AT&T? Is there anything specific you did when restoring the KDZ, or did you follow a specific guide? What does your "About Phone" show your phone as being?
Sorry for all the questions, that's just kinda exciting to hear
tcanute said:
How!? Is your phone an H910 running on AT&T? Is there anything specific you did when restoring the KDZ, or did you follow a specific guide? What does your "About Phone" show your phone as being?
Yes, I'm on AT&T and have had no issues with data, text, or calling. My damn watch still won't sync to my phone, but that was a prior issue as well. I scoured the internet for everything I could get my hands on and what I received was a bunch of guesses mostly, lol. So I modified the H918 LGUP dll to allow me to flash my H910. It accepted the H910PR software without issues, other than being back on a locked bootloader with no way out in sight. If you can deal with a rare instance of a notification being in Spanish then go for it. Ask and I'll post my tools folder somewhere, so you can try the exact versions of LGUP I used and the tweaked dll.
predheadtx said:
Yes, I'm on AT&T and have had no issues with data, text, or calling. My damn watch still won't sync to my phone, but that was a prior issue as well. I scoured the internet for everything I could get my hands on and what I received was a bunch of guesses mostly, lol. So I modified the H918 LGUP dll to allow me to flash my H910. It accepted the H910PR software without issues, other than being back on a locked bootloader with no way out in sight. If you can deal with a rare instance of a notification being in Spanish then go for it. Ask and I'll post my tools folder somewhere, so you can try the exact versions of LGUP I used and the tweaked dll.
Sure if you don't mind. That would be great.
tcanute said:
Sure if you don't mind. That would be great.
Okay, uploading at 600kb/s :/ I'll edit this post with the link when it's done. Just install LGUP and the LG mobile drivers, then paste this LGUP folder over the LGUP folder in your Program Files. What I've done is used components from different versions of LGUP and renamed the h918.dll to lgcommon.dll and placed it in a common folder, then created an h910 folder as well. Then put the phone in download mode and LGUP will recognize it as an H910 but will allow you to flash the h910pr.kdz. It was a simple little hack together that anyone can replicate. Maybe someone could write up a good tutorial on it.
@predheadtx Just curious why you didn't flash the H915 KDZ since the H910 and H915 are the same phone: https://fccid.io/document.php?id=3134555 <-- notice additional model names.
At least you can root H915...
-- Brian
This thread doesn't belong in development. Needs to be moved to general.
runningnak3d said:
@predheadtx Just curious why you didn't flash the H915 KDZ since the H910 and H915 are the same phone: https://fccid.io/document.php?id=3134555 <-- notice additional model names.
At least you can root H915...
-- Brian
Hmm, I hadn't realized the H910/918/915 were all the same. I only knew about the 918 being the same. Does it use the same mobile bands as AT&T? I guess I'll give it a try.
With the stock firmware installed, they must use the same frequencies, or the FCC would have to test them separately.
As far as I know the H915 (in addition to being the Canadian model) is also the AT&T GoPhone. So it is to AT&T what the MSXXX (for example, MS631 (Metro) and H631 (identical phone with T-Mobile firmware)) are to MetroPCS / T-Mobile.
When I had MetroPCS, I would flash T-Mobile firmware because they usually got the updates quicker than Metro did.
In this case it looks like LG made a generic GSM/LTE model for the H910/H915/H918. What is funny is that their carrier-free phone, the US996, is different.
This weekend I plan on flashing H918 since I use T-Mobile, and then I can root without having this effed up bootloader.
On a different note, I 100% agree with @12MaNy that this thread does not belong here.
runningnak3d said:
With the stock firmware installed, they must use the same frequencies, or the FCC would have to test them separately.
As far as I know the H915 (in addition to being the Canadian model) is also the AT&T GoPhone. So it is to AT&T what the MSXXX (for example, MS631 (Metro) and H631 (identical phone with T-Mobile firmware)) are to MetroPCS / T-Mobile.
When I had MetroPCS, I would flash T-Mobile firmware because they usually got the updates quicker than Metro did.
In this case it looks like LG made a generic GSM/LTE model for the H910/H915/H918. What is funny is that their carrier-free phone, the US996, is different.
This weekend I plan on flashing H918 since I use T-Mobile, and then I can root without having this effed up bootloader.
On a different note, I 100% agree with @12MaNy that this thread does not belong here.
I'm attempting to flash the 915 .kdz right now; I'm looking for a workaround to LGUP telling me the model numbers are mismatched. I'll make attempts with the 918 firmware as well.
predheadtx said:
I'm attempting to flash the 915 .kdz right now; I'm looking for a workaround to LGUP telling me the model numbers are mismatched. I'll make attempts with the 918 firmware as well.
To anyone concerned, here are the files I promised. I've had no luck with the 915 or 918 firmware from the 910PR; maybe I'm missing something, but nothing I do works.
https://mega.nz/#!YLxDlDBA!4SNhULZB-5rWCIUk6EJK0GB9Yul3uxGx3d_vSa4TnI8
Have you tried: https://forum.xda-developers.com/lg-g5/development/uppercut-lgup-loader-g5-variants-t3511295
I have not found a phone yet that can't be spoofed with it...
Honestly, now that I've seen that post: I had mistakenly thought the version of LGUP I was using had been patched WITH LGuppercut. Thank you for correcting me!
Have been messing with Uppercut. Not finding any way to "spoof" anything.
Edited again: luckily I had already gotten AT&T to warranty the phone for a defect it had, but trying to flash H915 using the port 41 trick has officially bricked my phone. It does absolutely nothing now. When plugged in to a computer, Windows recognizes it as a Qualcomm USB QLoader, but the phone does nothing else.
Spoof was probably the wrong word to use. I mean that I have never had an LG phone that LGUP alone would not recognize, but when launched with Uppercut also would not be recognized.
You may have a corrupt misc partition. I have had to wipe the misc and the fota partitions several times due to bad flashes:
If using a confirmed working device with UPPERCUT but your device is still not detected in LGUP you may have a "corrupted" misc partition...
as a last resort it has been confirmed in post #70 that wiping misc then booting into download mode allows the device to be detected with UPPERCUT + LGUP 1.14. This may not always work. And without root you cannot do this.
Since that requires root, you may be in a pickle.
runningnak3d said:
Spoof was probably the wrong word to use. I mean that I have never had an LG phone that LGUP alone would not recognize, but when launched with Uppercut also would not be recognized.
You may have a corrupt misc partition. I have had to wipe the misc and the fota partitions several times due to bad flashes:
Since that requires root, you may be in a pickle.
Having LGUP recognize the device has never been the issue. It's cross-flashing firmware that it refuses to do.

Sprint V20 root problem

So I've been trying to root the V20 for some time now. I've followed the instructions up to the point of step 4. I type in terminal emulator applypatch /system/bin/atd /storage/emulated/0/dirtysanta. Nothing happens.
Next it reads:
Filenames may be of the form
MTD:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>:...
to specify reading from or writing to an MTD partition.
Have I done something wrong? Has something changed? Any help would be greatly appreciated.
You are patched. No root for you.
ZV5 or earlier only.
LG V20 VS995
So I've been trying to root the V20 for some time now. I've followed the instructions up to the point of step 4. I type in terminal emulator applypatch /system/bin/atd /storage/emulated/0/dirtysanta. Nothing happens.
Next it reads:
Filenames may be of the form
MTD:<partition>:<len_1>:<sha1_1>:<len_2>:<sha1_2>: ...
to specify reading from or writing to an MTD partition.
I've tried it a lot of times, again and again, but it says the same thing every time.
Please help me.
Roll back to a version that has the December 2016 security patch or earlier. There are several threads around here that tell you what version you need to be on (heck I wrote one of them) -- search is your friend.
-- Brian
runningnak3d said:
Roll back to a version that has the December 2016 security patch or earlier. There are several threads around here that tell you what version you need to be on (heck I wrote one of them) -- search is your friend.
-- Brian
Can I roll back from ZVD? I SEARCHED AND COULDN'T FIND ANYTHING. Multiple sources have told me it's impossible.
rayulove69 said:
Can I roll back from ZVD? I SEARCHED AND COULDN'T FIND ANYTHING. Multiple sources have told me it's impossible.
No, you can't roll back, and if you try anyway you will brick. There's basically no hope of a post-ZV7 LS997 ever getting rooted.
runningnak3d said:
It has been confirmed that if you have the engineering bootloader, AND have a fusing device (which AFAIK all LS997 are), AND install firmware that is ARB 1 or greater, it will brick your phone.
If you are ARB 1 or greater, and install the eng. bootloader -- brick.
When I was doing testing on ARB and the engineering bootloader, I was doing it on a non-fusing device, so my results are null and void.
So, we need a method of unlocking the production bootloader -- and there is, just not the LS997 aboot. It would require flashing either the H915 or US996 aboot, and you can't do that due to ARB.
Unless an engineering aboot leaks that is ARB 1 or an engineering boot leaks that has dm-verity disabled, or a flaw is found in the current aboot, I do not see the LS997 getting root.
EDIT: not trying to keep too much hope alive, but if when Oreo is released, they increment ARB on either the H915 or US996 and DON'T increment it on the LS997, then you would be able to flash either aboot and root....
-- Brian
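To make Brian's ARB reasoning concrete, here is a small Python model added to this thread (not the forum's, LG's or Qualcomm's code). It assumes a single monotonic fuse counter for aboot, with the eng and H915 aboots at ARB 0 and post-ZV7 LS997 firmware at ARB 1; real devices keep separate fuse fields per image type.

```python
"""Simplified model of the anti-rollback (ARB) fuses discussed above.

A one-time-programmable counter only ever increases, and secure boot refuses any
signed image whose ARB index is below it. Real devices fuse per image type; this
model tracks a single counter for the bootloader (aboot) only.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    fusing: bool                 # burns fuses when a higher-ARB image boots?
    fused_arb: int = 0           # current value of the monotonic counter
    log: list = field(default_factory=list)

    def flash_and_boot(self, image: str, image_arb: int) -> str:
        """Flash `image` as aboot and try to boot; returns 'boots' or 'brick'."""
        if image_arb < self.fused_arb:
            # version below the fuses: secure boot rejects it, nothing lowers fuses
            self.log.append(f"{image}: ARB {image_arb} < fused {self.fused_arb}")
            return "brick"
        if self.fusing and image_arb > self.fused_arb:
            # fuses are blown up to the image's level; this cannot be undone
            self.log.append(f"{image}: fuses {self.fused_arb} -> {image_arb}")
            self.fused_arb = image_arb
        return "boots"


def ls997_scenarios(fusing: bool = True) -> dict:
    """Walk the thread's LS997 cases on a fresh device; ARB indices are assumed."""
    dev = Device(fusing=fusing)
    out = {}
    out["eng aboot on ARB0"] = dev.flash_and_boot("eng aboot", 0)      # boots
    out["update to ARB1 fw"] = dev.flash_and_boot("ZV7+ firmware", 1)  # fuses burn
    out["eng aboot after ARB1"] = dev.flash_and_boot("eng aboot", 0)   # brick
    out["rollback to ZV5"] = dev.flash_and_boot("ZV5 firmware", 0)     # brick
    out["H915 aboot at ARB0"] = dev.flash_and_boot("H915 aboot", 0)    # brick
    # Brian's EDIT case: an H915 aboot that is itself ARB 1 would pass the check
    out["H915 aboot at ARB1"] = dev.flash_and_boot("H915 aboot", 1)    # boots
    out["fused_arb"] = dev.fused_arb
    return out


if __name__ == "__main__":
    for case, result in ls997_scenarios().items():
        print(f"{case:22} -> {result}")
```

Running it with `fusing=False` reproduces Brian's point about his non-fusing test device: every flash boots and the counter stays at 0, so those results say nothing about a real LS997.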
