
MISCWRTE AND IOCT AND COPY, my research needs completing

Open xnoxcdm opened this issue 6 years ago • 25 comments

Hi, I am new, but I sniffed LG LS775 7.0 signed firmware and it uses MISCWRTE instead of the WRTE command, because when you issue a WRTE command it gives fail. Does anyone have an explanation?

xnoxcdm, Mar 18 '18 00:03

@xnoxcdm This is awesome. What tool did you flash with that gave you this sniff?

runningnak3d, Mar 18 '18 11:03

Can you post the full packet capture?

runningnak3d, Mar 18 '18 13:03

I will post the capture; first, an explanation.

On new devices' firmware, when you want to write data, you have to use: 1) MISC WRTE, 2) IOCT, 3) COPY, 4) IOCT again.

xnoxcdm, Mar 18 '18 14:03

IOCT enables and disables write protection. I need to see the full packet dump, but it is my guess that the arguments are enable/disable and the partition number. So 61 disables write protection, and 12 is the partition number. But this is a guess. I really need to see the full capture. Also what program did you use to flash and obtain this sniff?

runningnak3d, Mar 18 '18 14:03

If you find something, post the result.

xnoxcdm, Mar 20 '18 00:03

@xnoxcdm What program did you use to flash with? Nevermind, figured it out from the sniff.

I do need to know what partition you were flashing though.

runningnak3d, Mar 20 '18 00:03

Need help, please.

xnoxcdm, Mar 21 '18 15:03

Because of endianness, that is 0x4FE00 which in decimal is 327168 -- does that number match up with anything you were flashing? From my tests, that argument doesn't seem to come into play, but I am testing on an LG V20 which has UFS storage and not eMMC storage.

If you can give me more information on the partition being flashed, and your partition layout (run partition.py --list) then I might be able to help you.

-- Brian

runningnak3d, Mar 21 '18 19:03

Found it, and success: 00 04 fe 00 is specific for the ls777. I tried the ls993 and it gave something different, but I came back and tried the ls777 and it gives 0004fe00.

Now I successfully write the carrier and modem partitions.

I made it as Delphi source.

I will post a photo of the success.

xnoxcdm, Mar 26 '18 00:03

https://m.facebook.com/100011929454652/posts/pcb.562937024076624/?photo_id=349164365491209&mds=%2Fphotos%2Fviewer%2F%3Fphotoset_token%3Dpcb.562937024076624%26photo%3D349164365491209%26profileid%3D100011929454652%26source%3D48%26refid%3D8%26_ft_%3Dqid.6537049980222839542%253Amf_story_key.8877227715649958190%253Asrc.22%26__tn__%3DEH-R%26cached_data%3Dfalse%26ftid%3D&mdf=1

xnoxcdm, Mar 26 '18 00:03

I have an ls770 (Sprint). I would love to see documentation of what you did. I am unable to see the photo. I have been able to pull my partitions but have yet to feel comfortable enough to alter, root, or put TWRP on the device. I cannot stress how frustrated I am with the bloat on the system and the annoying emulated SD card garbage.

gjdunga, Mar 26 '18 05:03

@xnoxcdm Do you plan on releasing your findings?

-- Brian

runningnak3d, Mar 26 '18 18:03

So, here are most of the unknowns:

MISC WRTE,misc_offset,size // misc_offset specifies the offset within the misc partition that you want to start writing. You can verify that by dumping misc after a write, or just use: MISC READ,misc_offset,size

COPY fd_num,src_offset,size,dst_offset // src_offset being a 512 byte block for eMMC or 4096 byte block for UFS

That leaves IOCT -- and this seems to be where the magic happens.

IOCT fd_num,unk // Need to figure out what the unk is. I believe it is what enables a block device for copying, and then actually forces the copy. But I have nothing to back this up, and the value from the original sniff that was posted does not work on UFS devices.

-- Brian

runningnak3d, Mar 30 '18 19:03

@xnoxcdm As I have a ls777 I'd definitely like to know what you've figured out too. Post your Delphi code. Someone, myself included, can port it to Python and/or Java.

Sent from my LG Stylo3 using FastHub

shinobisoft, Mar 31 '18 14:03

@shinobisoft writing solved. Please see: https://github.com/steadfasterX/lglaf

He needs to merge the PR, but you can clone the repo and merge it manually.

PLEASE read the instructions. Not all phones have misc in the same location, and for now it is hardcoded. I included instructions on how to get the values for misc_offset and chunksize.

EDIT: you do need to have an unlocked bootloader, or you will bootloop if you modify recovery or boot.

-- Brian

runningnak3d, Apr 05 '18 19:04

@runningnak3d can you repost the sniff again, because it's gone?

Mr-nerd, Apr 15 '18 07:04

@Mr-nerd It has personal info and I don't feel like scrubbing it, but here is what you need to know:

On Nougat versions of lafd, LG now enforces KDZ v3 only. That means no more TOT flashing, or flashing KDZ v1 or v2 since they lack the SIGN payload.

Starting with v3 KDZs, LG pregenerates AND signs with an RSA cert a payload that is sent with the SIGN opcode. You can't modify it since it is signed, and lafd will not flash using the WRTE opcode (it returns fsync fail) if the SIGN payload has not been sent.

So, we need to abuse the crap out of MISC WRTE. MISC WRTE was intended to make changes to the misc partition. Mainly to remove the string that causes the phone to boot to recovery when an OTA has been taken. Luckily, it doesn't have any hash checks.

So, we can write to misc, but what good does that do? Well, IF you have a version of lafd that still has the COPY opcode, then we can copy from misc to the final destination partition.

So, you get the location and size of misc, and break what you are flashing up into chunks that don't exceed miscs size.

After the first chunk is written to misc, you copy it over to the final partition, then write the next chunk and copy it over, wash, rinse, repeat...

The arguments for MISC WRTE, COPY, and IOCT are as follows:

MISC WRTE,offset,size // offset is in blocks. For eMMC it is 512, for UFS 4096. size is in bytes
COPY fd_num,src_offset,size,dst_offset // src and dst offset are in blocks, size is in bytes
IOCT fd_num,command // param is an encoded ioctl command. The only currently known command is 0x1261 to toggle write protection.

Notice that MISC WRTE doesn't have an fd_num. lafd knows where misc is located, so no OPEN is needed, and so no fd_num. If your misc partition was 8192 bytes, what you wanted to flash was 32768 bytes, your misc partition was located at LBA 10000, and the partition you were flashing was at LBA 20000, this is what it would look like:

OPEN
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,20000
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,28192
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,36384
IOCT fd_num,0x1261
MISC WRTE,0,8192
IOCT fd_num,0x1261
COPY fd_num,10000,8192,44576
IOCT fd_num,0x1261
CLSE fd_num

Hopefully that gives you what you want if you want to write your own implementation.

-- Brian

runningnak3d, Apr 16 '18 17:04

@runningnak3d

Thanks man, I just need to know what these refer to:

fd

LBA

,0,

Mr-nerd, Apr 16 '18 18:04

fd_num is file descriptor. When you OPEN a block device, lafd gives you the file descriptor that is now associated with that device. By default, when you issue an OPEN, the block device is opened in read only mode -- that is why you need to issue the IOCT.

LBA is Logical Block Address. In this case, it is the start or end of a partition. If you issue a ./partitions.py --list you get the start and end LBAs for each partition.

The 0 in the MISC WRTE means start at offset zero which is the very beginning of the misc partition. Since it is so small, we want to use all of it, or writing with this method would be very slow.

Lastly, because your misc partition will be overwritten, you need to back it up first, and restore it afterwards.

Also, because there is no hash checking done with MISC WRTE, you must do it yourself. If you are writing to a critical partition, and you have a write failure -- you have just bricked your device.

So, you need to write to the *bak partitions first. For example laf and lafbak, aboot and abootbak, recovery, and recoverybak. You write to the bak partition, then dump it. Hash check what was written to what you were writing. If it matches, THEN issue the COPY from the bak partition to the main. So, from recoverybak to recovery.

I am currently adding all of this to my repo, and I will do a pull request here with all the updates. Not to mention the fact that @tuxuser will lol at my horrid Python -- but hey, it gets the job done.

And it does get the job done. If you have a hash failure, then only thing that is "ruined" is your backup partition because the COPY doesn't happen until the hash matches.

-- Brian

runningnak3d, Apr 16 '18 19:04
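As an added example (not code from lglaf or from anyone in this thread), here is a small Python planner that turns the chunked MISC WRTE / IOCT / COPY sequence and the verify-then-COPY-from-bak step described in the two comments above into LAF command strings, without talking to a device. It follows the units Brian states (offsets and LBAs in blocks, sizes in bytes), so the destination offset advances by one block per 512 or 4096 bytes written; that unit handling, the `dst_end_lba` fit check, the function names and the constructed sample values are my assumptions.

```python
"""Plan the chunked MISC WRTE / IOCT / COPY staging sequence (added example).

Units as stated in the thread: LBAs and offsets are in blocks (512 bytes on
eMMC, 4096 on UFS), sizes are in bytes. Nothing here is sent to a device.
"""
import hashlib

IOCT_TOGGLE_WP = 0x1261  # the only IOCT command known from the thread


def plan_chunked_write(image_len, misc_lba, misc_size, dst_lba, dst_end_lba,
                       block_size, fd="fd_num"):
    """Return the LAF command strings that stage an image through misc.

    Refuses to plan a write that would overrun the destination partition:
    MISC WRTE has no hash check, so an overrun would silently hit whatever
    partition follows. dst_end_lba is the inclusive end LBA (assumed to come
    from partitions.py --list, as the thread suggests).
    """
    if block_size not in (512, 4096):
        raise ValueError("block_size must be 512 (eMMC) or 4096 (UFS)")
    if misc_size % block_size:
        raise ValueError("misc size must be a whole number of blocks")
    if image_len > (dst_end_lba - dst_lba + 1) * block_size:
        raise ValueError("image does not fit in the destination partition")
    toggle = f"IOCT {fd},{IOCT_TOGGLE_WP:#x}"
    cmds = ["OPEN"]
    written = 0
    while written < image_len:
        chunk = min(misc_size, image_len - written)   # last chunk may be short
        dst = dst_lba + written // block_size         # advance dst in blocks
        cmds += [f"MISC WRTE,0,{chunk}", toggle,
                 f"COPY {fd},{misc_lba},{chunk},{dst}", toggle]
        written += chunk
    cmds.append(f"CLSE {fd}")
    return cmds


def plan_promote_from_bak(image, bak_dump, bak_lba, main_lba, fd="fd_num"):
    """Emit the bak -> main COPY only once the dumped *bak partition hashes
    equal to the image; on a mismatch raise and leave main untouched."""
    if (hashlib.sha256(bak_dump[:len(image)]).digest()
            != hashlib.sha256(image).digest()):
        raise ValueError("hash mismatch: not copying to the main partition")
    toggle = f"IOCT {fd},{IOCT_TOGGLE_WP:#x}"
    return [toggle, f"COPY {fd},{bak_lba},{len(image)},{main_lba}", toggle]
```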

@runningnak3d all that is great, but there are still three missing pieces. One is how I can get the fd num: if I type !OPEN lsof it returns nothing. How can I know it, and is it the same for all blocks?

Two: if I want to flash aboot, for example, and I have the aboot in the lglaf folder, how is it going to transfer the aboot from the computer to the misc partition in order to copy it to my final destination?

And last, what did you mean by dividing into chunks? Did you mean to repeat the process until I am done, or an actual division?

Can you clear that up for me?

Mr-nerd, Apr 17 '18 14:04

You can't use lglaf.py for writing files -- that isn't what it was designed for. That is just the communication interface / library that partitions.py uses. See the code here: https://github.com/steadfasterX/lglaf

He has merged it. That code will work on any eMMC device, but you must change the misc_start and chunksize values since they are hard coded for an LG G4.

runningnak3d, Apr 17 '18 15:04

Can we chat personally on WhatsApp?

I'd appreciate it, man 😘 @runningnak3d

Mr-nerd, Apr 17 '18 15:04

I only do IRC. If you want to join #lglaf on irc.freenode.net I will be happy to talk to you.

-- Brian

runningnak3d, Apr 17 '18 15:04

I cannot READ/WRTE from MISC partition or using commands. Please help!! Model: LG G Vista (D631)

python3 lglaf.py --debug --rawshell -cr -c 'MISC READ'
LGLAF.py: DEBUG: product id in CR list: >G4<
LGLAF.py: DEBUG: Device is: 633a, G4. Enabling Challenge/Response!
LGLAF.py: DEBUG: Using endpoints 83 (IN), 02 (OUT)
LGLAF.py: DEBUG: Using Protocol version: 0x1000003
LGLAF.py: DEBUG: CR detection: 1
LGLAF.py: DEBUG: Hello done, proceeding with commands
LGLAF.py: DEBUG: Challenge: b'23d73d4e'
LGLAF.py: DEBUG: Response: b'64f2f050aa2ca0c5437c527e811f908c'
LGLAF.py: DEBUG: KILO METR Response -> Header: b'4b494c4f4d455452000000000200000000000000000000002f5d0000b4b6b3b0', Body: b''

P3nguin-M, Apr 26 '18 20:04

Has anyone got the bootloader unlocked on the LS 775? I have one that can, because it uses the ZV3 which has bootloader mode enabled. It's not mine, it's my wife's; mine is the same phone but on ZV4, which has the bootloader disabled. I want root, but my PC is down and I'm still very much a novice at all this. Any help would be appreciated, thanks.

roadkill52, Aug 31 '18 22:08