LG GW620 Development/Kernel hacking (Have LG source mods + trying to get 2.0 working)

harnish

Member
Nov 25, 2009
16
2
Wow, you're way more hardcore with Perl than I am! ...

LOL. It's regex to be honest ... I tried doing it with sed but ran into issues trying to identify unprintable characters (i.e. 0xFF). It was just easier to do with PERL.

... You can get console output with ...

:) That will be most helpful. If the issue is the ramdisk, the ramdisk.img is a gzipped cpio archive so we should be able to easily modify it.

Code:
...
init: cannot find '/system/bin/sh', disabling 'console'
init: cannot find '/system/bin/servicemanager', disabling 'servicemanager'
init: cannot find '/system/bin/vold', disabling 'vold'
init: cannot find '/system/bin/debuggerd', disabling 'debuggerd'
init: cannot find '/system/bin/rild', disabling 'ril-daemon'
init: cannot find '/system/bin/app_process', disabling 'zygote'
init: cannot find '/system/bin/mediaserver', disabling 'media'
init: cannot find '/system/bin/playmp3', disabling 'bootsound'
init: cannot find '/system/bin/dbus-daemon', disabling 'dbus'
init: cannot find '/system/bin/installd', disabling 'installd'
init: cannot find '/system/etc/install-recovery.sh', disabling 'flash_recovery'
init: cannot find '/system/bin/keystore', disabling 'keystore'
init: cannot find '/system/etc/init.goldfish.sh', disabling 'goldfish-setup'
init: cannot find '/system/bin/qemud', disabling 'qemud'
init: cannot find '/system/bin/logcat', disabling 'goldfish-logcat'
...

HOWEVER, that looks more like it can't read the system directory at all ... I left my micro-usb cable at home today so I can't check ... but I'm fairly certain sh is in the /system/bin directory if nothing else.
 

harnish

Member
Nov 25, 2009
16
2
This might be redundant but ...

I've opened up the ramdisk for the emulator and confirmed that the init.rc file controls what is mounted, with what options, in what mode, owned by whom. Modification to this file from the Eve firmware (and figuring out a way to flash it back on) would easily give us root without ever touching the system partition (which, I admit, isn't going well).
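
Added example (not part of the original post and not a tool used in this thread): a small static review of an init.rc for the properties the post above says the file controls, namely mount options, modes and which user a service runs as. The sample is a constructed excerpt assembled from lines of the GW620 init.rc quoted later in this thread; the function names and the "last line wins" handling of repeated mount and chmod lines are assumptions of this sketch.

```python
"""Audit an Android init.rc for world-writable paths, weak mounts and root services."""

# Constructed sample: a short excerpt assembled from lines of the GW620 init.rc
# quoted later in this thread (not the complete file).
SAMPLE_INIT_RC = """\
on init
    mkdir /sdcard 0077 system system
    mkdir /sqlite_stmt_journals 01777 root root
    mount tmpfs tmpfs /sqlite_stmt_journals size=4m
    mount rootfs rootfs / ro remount
    mount yaffs2 mtd@system /system
    mount yaffs2 mtd@system /system ro remount
    mount yaffs2 mtd@userdata /data nosuid nodev
    chmod 0777 /dev/mtd/mtd0
    mkdir /data/nv
    chmod 0777 /data/nv
    mkdir /data/debug 0777 system system
    mount debugfs mtd@debugfs /data/debug
on boot
    chmod 0660 /dev/ttyHS0
service console /system/bin/sh
    console
service servicemanager /system/bin/servicemanager
    user system
service ril-daemon /system/bin/rild
    user root
    group radio cache inet misc
"""

HARDENING_OPTS = {"nosuid", "nodev"}


def _tokens(line):
    """Split a line into words, dropping everything from the first '#' word on."""
    words = []
    for word in line.split():
        if word.startswith("#"):
            break
        words.append(word)
    return words


def _is_octal_mode(word):
    return 3 <= len(word) <= 5 and all(c in "01234567" for c in word)


def audit_init_rc(text):
    """Return findings as a dict of lists; hypothetical helper, not an Android API."""
    modes = {}      # path -> last mode set by mkdir/chmod
    mounts = {}     # mount point -> options of the last mount line (assumed to win)
    services = {}   # service name -> user it runs as
    current_service = None

    for line in text.splitlines():
        words = _tokens(line)
        if not words:
            continue
        cmd = words[0]
        if cmd == "service" and len(words) >= 3:
            current_service = words[1]
            # init itself runs as root; a service without a 'user' line stays root
            services[current_service] = "root"
        elif cmd == "on":
            current_service = None
        elif current_service is not None:
            if cmd == "user" and len(words) >= 2:
                services[current_service] = words[1]
        elif cmd == "chmod" and len(words) >= 3 and _is_octal_mode(words[1]):
            modes[words[2]] = int(words[1], 8)
        elif cmd == "mkdir" and len(words) >= 3 and _is_octal_mode(words[2]):
            modes[words[1]] = int(words[2], 8)
        elif cmd == "mount" and len(words) >= 4:
            mounts[words[3]] = set(words[4:])

    return {
        # "other" write bit set; a leading 1 (sticky bit) is the /tmp-style case
        "world_writable": [(p, "%04o" % m) for p, m in modes.items() if m & 0o002],
        # writable mounts that lack nosuid and/or nodev
        "weak_mounts": [(d, sorted(HARDENING_OPTS - o)) for d, o in mounts.items()
                        if "ro" not in o and not HARDENING_OPTS <= o],
        "root_services": [n for n, u in services.items() if u == "root"],
    }


if __name__ == "__main__":
    for category, findings in audit_init_rc(SAMPLE_INIT_RC).items():
        print(category)
        for finding in findings:
            print("   ", finding)
```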
 

vinnybobdog

New member
Dec 3, 2009
1
0
From a GW620 owner: I just wanted to let you guys know that I'm watching this thread with trepidation, and thank you for all the time and hard work!
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Modification to this file from the Eve firmware (and figuring out a way to flash it back on) would easily give us root without ever touching the system partition (which, I admit, isn't going well).

Sweet - that's where I'll concentrate my efforts then. Perhaps LG used a modified gzip, or some other compression method, to pack the ramdisk. Assuming the header is correct, I'll work on trying to decompress the ramdisk.
 

fugdup

Member
Dec 3, 2009
22
0
Like the rest of us watching you guys work your magic. I am as well a GW620 owner and I just want to take my hat off to you. I have been in contact with both LG Canada and Rogers re: possible Android OS 1.6 or 2.0 upgrades and they are both giving me the runaround. So once again thanks for all your hard work, we can't wait to see you break this phone (in a good way of course).
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
I'm not having any more luck extracting the ramdisk.
I've tried a few different extraction methods, including manually calculating offsets and pulling the data directly out of the mbn with a hex editor, and nothing is working. The offsets listed in the header don't match up with gzip magic numbers, and the places in the file where gzip magic numbers do appear don't continue on with a valid gzip header.
I tried using lha to decompress a few sections, as I know some Linux kernels use lha instead of gzip, but had no luck. Frustrated.
 

ouinouin

Member
Dec 4, 2009
16
2
Trying with lzma?

Did someone try to do the extraction with lzma? I know it's in use in the latest Linux initrds.

I hope this phone will be rooted soon. It's certainly the best Android keyboard device at this time.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Did someone try to do the extraction with lzma? I know it's in use in the latest Linux initrds.

Ah! Thanks! I was thinking LHA and LZMA were the same for some reason!

I'm booted up in MacOS right now, so the LZMA tools I have access to are a little feeble and don't give any feedback. I'll reboot into Linux a little later and see if I have any luck.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Though, actually...
I just created a test archive using lzma with a port of 7zip.
Using the file command, it correctly identifies the file as a 7zip archive.
Using the file command on the ramdisk results in it identifying the file as "data"

Hrm... I wonder if it's a squashfs or something similar... If it's a pre-compressed file system would there be any need to cpio/gzip it? Maybe we can mount it directly as a squashfs. I'll try that too when I reboot.
 

ouinouin

Member
Dec 4, 2009
16
2
squashfs possible, or jffs.

You can try squashfs or jffs, widely used in OpenWrt distros and other embedded environments.

Is it possible to share the file you extracted? I don't have Windows to do the extraction of the mbn file.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Ya, I'm actually compiling OpenWRT as we speak - that's why I was thinking of squashfs. :)

I've zipped up the extracted MBNs and have uploaded it to my webhost. Here's the link. :)

Glad to have more help!
 

ouinouin

Member
Dec 4, 2009
16
2
What I think about the stuff

Hello, thanks for your archive.zip.
I'm not a developer but I've got good general Linux knowledge (OpenWrt and Debian-like systems).

The system looks divided into multiple sections:

One bootloader binary, I assume it's the amss.mbn.

Some config binary data like

partition.mbn (I assume, like in the RedBoot environment, we can find the memory offsets of the given partitions ..)

The zImage_ramdisk.mbn certainly contains the kernel AND the ramdisk filesystem, so you have to split this file at the right place, and I assume you will find a ramdisk filesystem structure preceded by the kernel. (Let's remember that historically the max size of the kernel was 1.44 MB due to the floppy limits, and an x86 kernel compiled to work on a lot of different machines is about 700 KB, so we can assume the split is under 700 KB.)

Maybe the file exctractmagic table is here to show us how the files are split.

Having a look at a RedBoot bootloader structure can help those who don't know about embedded bootloaders.
 

ouinouin

Member
Dec 4, 2009
16
2
Doc on ARM bootloaders

http://www.simtec.co.uk/products/SWLINUX/files/booting_article.html#section_other_bootloaders


Interesting details saying that in the ARM code the initrd can be appended to the zImage file.
(For the record, the ramdisk could be in cramfs format.)

I'm trying to boot the file via qemu; maybe it'll give me more.

It sounds like the method employed is named bootpimage, to append the initrd to the kernel. It's a common method in the ARM world. I'm trying to find the definition of the bootpimage over the net, but I'm not a coder and can't read a lot of source code to find how to handle the file.

After searching, maybe the split between kernel and ramdisk image is at offset: 1f 8b 08 (just after the words "booting the kernel" in a hex editor :D :)
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Ya, that's one of the first places we tried. Offset 17927 where the gzip magic numbers 1f8b08 start. Sadly, the result is not a valid gzip file. :(
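
Added example (not part of the original posts, and not a tool anyone in the thread used): one way to automate the check discussed above, testing every 1f 8b 08 hit in an image rather than a single offset and reporting which hits are complete gzip members and which of those hold a cpio archive. It assumes the ramdisk is a gzip-compressed cpio "newc" archive, as described earlier for the emulator's ramdisk.img; the sample image is constructed inside the script and is not the LG MBN, and all function names are illustrative.

```python
"""Carve gzip-compressed cpio (initramfs) archives out of a firmware blob."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM=8 (deflate)
CPIO_NEWC_MAGIC = b"070701"       # ASCII magic of the cpio "newc" format
CPIO_HEADER_LEN = 110             # magic + 13 fields of 8 hex digits


def find_gzip_candidates(blob):
    """Return every offset where the 3-byte gzip signature appears."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets


def try_inflate(blob, offset, max_out=64 << 20):
    """Decode one gzip member at offset; None if it is invalid or incomplete."""
    decoder = zlib.decompressobj(wbits=31)   # 31 = expect gzip header and trailer
    try:
        out = decoder.decompress(memoryview(blob)[offset:], max_out)
    except zlib.error:
        return None
    # eof is only set once the CRC32/length trailer has been checked
    return out if decoder.eof else None


def list_cpio_newc(data):
    """Return the file names in a cpio newc archive, or [] if it is not one."""
    names, pos = [], 0
    while pos + CPIO_HEADER_LEN <= len(data) and data[pos:pos + 6] == CPIO_NEWC_MAGIC:
        try:
            fields = [int(data[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        except ValueError:
            break
        filesize, namesize = fields[6], fields[11]
        name_start = pos + CPIO_HEADER_LEN
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            break
        names.append(name)
        data_start = (name_start + namesize + 3) & ~3   # name is padded to 4 bytes
        pos = (data_start + filesize + 3) & ~3          # so is the file data
    return names


def scan(blob):
    """Classify every signature hit: returns [(offset, verdict, cpio_names)]."""
    results = []
    for offset in find_gzip_candidates(blob):
        data = try_inflate(blob, offset)
        if data is None:
            results.append((offset, "not a gzip stream", []))
            continue
        names = list_cpio_newc(data)
        verdict = "gzip-compressed cpio" if names else "gzip, but not a cpio archive"
        results.append((offset, verdict, names))
    return results


def _cpio_entry(name, content=b"", mode=0o100644):
    """Build one newc entry (used only to construct the sample below)."""
    name_b = name.encode() + b"\0"
    entry = CPIO_NEWC_MAGIC + b"".join(
        b"%08X" % v for v in (0, mode, 0, 0, 1, 0, len(content), 0, 0, 0, 0, len(name_b), 0))
    entry += name_b
    entry += b"\0" * (-len(entry) % 4) + content
    return entry + b"\0" * (-len(entry) % 4)


def build_sample_image():
    """Constructed test image: bogus signature, gzip'd non-cpio data, gzip'd cpio."""
    archive = (_cpio_entry("init", b"#!constructed\n") + _cpio_entry("init.rc", b"on init\n")
               + _cpio_entry("TRAILER!!!", mode=0))
    parts = [
        ("padding", b"\xff" * 64),
        ("bogus_magic", GZIP_MAGIC + b"\x00" * 29),               # signature only
        ("kernel_gzip", gzip.compress(b"\x00" * 4096, mtime=0)),  # stand-in payload
        ("gap", b"\xff" * 32),
        ("ramdisk_gzip", gzip.compress(archive, mtime=0)),
        ("tail", b"\xff" * 128),
    ]
    blob, offsets = b"", {}
    for label, chunk in parts:
        offsets[label] = len(blob)
        blob += chunk
    return blob, offsets


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, verdict, names in scan(image):
        print("0x%06x  %-30s %s" % (offset, verdict, names))
```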
 

ouinouin

Member
Dec 4, 2009
16
2
Strange, the magic is repeated multiple times in the file.
The first occurrence probably corresponds to the gzipped part of the kernel itself.
Maybe have a look at the second one.

I think a part of the solution is in the make bootpImage scripts used in the kernel source for ARM, which strips kernel and ramdisk all together.

I also tried to mount system.mbn after having burned it with nandsim and mtd tools; mount is possible with the yaffs2 module but I see nothing in the mount point.

Here is the beginning of a dmesg, showing that, once decompressed, we have got yaffs; we can also see the MTD partition mapping. Once uncompressed, the initrd takes 586 kB of memory.

The USB port can be in 4 modes: mass storage, adb, modem and diag!!??
Two additional modes come after: ethernet and nmea.
The Qualcomm 7200A also supports USB On-The-Go; maybe it's possible to plug in goodies like USB>serial ports and so on.

Physically, there are five test points just above the SIM card contacts. Maybe it's a serial port.

<5>Linux version 2.6.27 (builder@new1) (gcc version 4.2.1) #6 PREEMPT Wed Oct 28 20:58:37 KST 2009
<4>CPU: ARMv6-compatible processor [4117b362] revision 2 (ARMv6TEJ), cr=00c5387f
<4>Machine: Eve Board (LGE GW650)
<6>Partition (from atag) usd -- Offset:23a0000 Size:80000
<6>Partition (from atag) pkg -- Offset:2420000 Size:580000
<6>Partition (from atag) boot -- Offset:3200000 Size:6e0000
<6>Partition (from atag) system -- Offset:38e0000 Size:c800000
<6>Partition (from atag) userdata -- Offset:143a0000 Size:bc40000
<6>Partition (from atag) lgdrm -- Offset:100e0000 Size:2c0000
<6>Partition (from atag) cache -- Offset:103a0000 Size:4000000
<4>Memory policy: ECC disabled, Data cache writeback
<7>On node 0 totalpages: 57088
<7>free_area_init_node: node 0, pgdat c03808ec, node_mem_map c0470000
<7> DMA zone: 56642 pages, LIFO batch:15
<6>allocating 8388608 bytes at c0635000 (10635000 physical)for pmem
<6>allocating 10485760 bytes at c1093000 (11093000 physical)for camera pmem
<6>allocating 8388608 bytes at c1a93000 (11a93000 physical)for adsp pmem
<6>allocating 8388608 bytes at c2300000 (12300000 physical)for gpu1 pmem
<6>allocating 8388608 bytes at c2b00000 (12b00000 physical) for fb
<4>CPU0: D VIPT write-back cache
<4>CPU0: I cache: 32768 bytes, associativity 4, 32 byte lines, 256 sets
<4>CPU0: D cache: 32768 bytes, associativity 4, 32 byte lines, 256 sets
<4>Built 1 zonelists in Zone order, mobility grouping on. Total pages: 56642
<5>Kernel command line: root=/dev/mtdblock1 rootfstype=yaffs2 lpj=1912832 console=/dev/null
<4>PID hash table entries: 1024 (order: 10, 4096 bytes)
<4>Console: colour dummy device 80x30
<6>Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
<6>Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
<6>Memory: 223MB = 223MB total
<5>Memory: 177920KB available (3220K code, 1167K data, 112K init)
<6>Calibrating delay loop (skipped) preset value.. 382.56 BogoMIPS (lpj=1912832)
<4>Mount-cache hash table entries: 512
<6>CPU: Testing write buffer coherency: ok
<6>net_namespace: 288 bytes
<4>[PWR] pm_init() ftm_state:0x0
<6>NET: Registered protocol family 16
<4>[HW] eve_get_hw_rev() HW version is 8
<6>acpu_clock_init()
<4>Suboptimal up stepping for CPU freq 245760 KHz.
<6>ACPU running at 528000 KHz
<6>CPU-Freq PLL DIV AHB-Freq ADIV AXI-Freq Dn Up
<6> 19200 -1 1 19200 1 30720 -1 10
<6> 61440 0 4 61440 1 30720 -1 8
<6> 81920 0 3 40960 2 61440 -1 8
<6> 96000 1 8 48000 2 61440 -1 9
<6> 122880 0 2 61440 2 61440 -1 8
<6> 128000 1 6 64000 2 61440 -1 12
<6> 176000 2 6 88000 2 61440 -1 11
<6> 192000 1 4 64000 3 61440 -1 12
<6> 245760 0 1 81920 3 61440 -1 12
<6> 256000 1 3 128000 2 128000 -1 12
<6> 264000 2 4 88000 3 128000 -1 11
<6> 352000 2 3 88000 4 128000 6 -1
<6> 384000 1 2 128000 3 128000 5 -1
<6> 528000 2 2 132000 4 128000 11 -1
<6>5 scaling frequencies supported.
<3>sdcc_gpio_init: Failed to configure GPIO -5
<6>eve_init_i2c_backlight:
<6>eve_init_i2c_backlight: 0
<4>diyu1: Function : eve_init_accel
<4>Function : eve_init_i2c_compass start.
<4>Function : eve_init_i2c_compass processing.
<4>diyu1: Function : eve_init_touch
<4>diyu1: Function : eve_init_prox
<6>msm_i2c_probe
<3>msm_i2c msm_i2c.0: platform data not initialized
<4>msm_i2c: probe of msm_i2c.0 failed with error -38
<6>Bluetooth: Core ver 2.13
<6>NET: Registered protocol family 31
<6>Bluetooth: HCI device and connection manager initialized
<6>Bluetooth: HCI socket layer initialized
<6>NET: Registered protocol family 2
<7>Switched to high resolution mode on CPU 0
<6>IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
<6>TCP established hash table entries: 8192 (order: 4, 65536 bytes)
<6>TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
<6>TCP: Hash tables configured (established 8192 bind 8192)
<6>TCP reno registered
<6>NET: Registered protocol family 1
<6>Unpacking initramfs... done
<6>Freeing initrd memory: 586K
<3>check_and_connect: init rpc failed! rc = -113
<6>smd_init()
<6>smd_core_init()
<6>smd_core_init() done
<6>smd_alloc_channel() 'DS' cid=0
<6>smd_alloc_channel() 'DIAG' cid=1
<6>smd_alloc_channel() 'RPCCALL' cid=2
<6>smd_alloc_channel() 'DATA1' cid=7
<6>smd_alloc_channel() 'DATA2' cid=8
<6>smd_alloc_channel() 'DATA3' cid=9
<6>smd_alloc_channel() 'DATA4' cid=10
<6>smd_alloc_channel() 'DATA5' cid=11
<6>smd_alloc_channel() 'DATA6' cid=12
<6>smd_alloc_channel() 'DATA7' cid=13
<6>smd_alloc_channel() 'DATA11' cid=17
<6>smd_alloc_channel() 'DATA5_CNTL' cid=38
<6>smd_alloc_channel() 'DATA6_CNTL' cid=39
<6>smd_alloc_channel() 'DATA7_CNTL' cid=40
<6>SMD Control Port Driver Initialized.
<6>SMD: ch 2 CLOSED -> OPENING
<6>SMD: ch 2 OPENING -> OPENED
<6>ADSP: rs3000000a:00010000 -- 0
<6>hw3d: 0 init
<3>rpcrouter:Server create rejected, version = 0program (30000012)
<3>rpcrouter:Server create rejected, version = 0program (3000fe00)
<6>ashmem: initialized
<4>yaffs Oct 28 2009 18:02:43 Installing.
<6>io scheduler noop registered
<6>io scheduler anticipatory registered (default)
<6>msm_fb_probe: resource fbram = 0xcf000000 phys=0x12b00000
<3>rpcrouter:Server create rejected, version = 0program (30000066)
<6>MDP HW Base Address = 0xaa200000
<6>RPC_TIME_TOD_SET_APPS_BASES:
<6> tick = 140539
<6> stamp = 3204483277
<6>primary mddi base address = 0xaa6000a3
<4>Console: switching to colour frame buffer device 40x30
<6>FrameBuffer[0] 320x480 size=614400 bytes is registered successfully!
<6>Registered led device: lcd-backlight
<6>diagfwd initializing ..
<6>SMD: ch 1 CLOSED -> OPENING
<6>diag opened SMD port ; r = 0
<6>SMD: ch 1 OPENING -> OPENED
<6>diagchar initializing ..
<6>diagchar initialized
<6>msm_serial: detected port #2
<6>msm_serial_probe: 6 root=/dev/mtdblock1 rootfstype=yaffs2 lpj=1912832 console=/dev/null
<6>msm_serial.2: ttyMSM2 at MMIO 0xa9c00000 (irq = 11) is a MSM
<6>msm_serial: driver initialized
<6>msm_serial_hs.0: ttyHS0 at MMIO 0xa0200000 (irq = 45) is a MSM HS UART
<6>msm_serial_hs module loaded
<6>loop: module loaded
<6>pmem_camera: 0 init
<6>pmem: 1 init
<6>pmem_adsp: 0 init
<6>pmem_gpu0: 0 init
<6>pmem_gpu1: 0 init
<6>logger: created 64K log 'log_main'
<6>logger: created 256K log 'log_events'
<6>logger: created 64K log 'log_radio'
<6>ram_console: got buffer at 1df00000, size 20000
<6>ram_console_init: start
<6>ram_console_init: 0
<6>ram_console_init: 2
<6>ram_console_init: 3
<6>ram_console_init: ,ce140000, c, ce15f7f0
<6>ram_console: error in header, 1
<6>ram_console: no valid data in buffer (sig = 0x00000000)
<6>console [ram-1] enabled
<6>input: Slide Hall-ic as /devices/platform/hall-ic/input/input0
<3>android-hall_ic: hall_ic_probe: Done
<4>android-vibrator: init
<3>android-vibrator: vibrator_probe: Done
<4>atcmd_probe:eve_atcmd
<6>SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256) (6 bit encapsulation enabled).
<6>CSLIP: code copyright 1989 Regents of the University of California.
<6>Linux video capture interface: v2.00
<4>mv9319_probe_init: called
<4>mv9319: init
<4>/home/builder/Eve_ORG/cupcake/GW620_20091028/kernel/drivers/media/video/msm/mv9319.c mv9319_probe_init:2377
<6>msm_v4l2: msm_v4l2_init
<6>allocated dma buffer at ffc2e000, dma_addr 1dad9000
<6>ONFI probe : CRC Check failed on ONFI Parameter data
<6>status: e00020
<6>nandid: 5510bcad maker ad device bc
<6>Found a supported NAND device
<6>NAND Id : 0x5510bcad
<6>Buswidth : 16 Bits
<6>Density : 512 MByte
<6>Pagesize : 2048 Bytes
<6>Erasesize: 131072 Bytes
<6>Oobsize : 64 Bytes
<6>CFG0 Init : 0xe85408c0
<6>CFG1 Init : 0x0004745e
<6>ECCBUFCFG : 0x00000203
<5>Creating 7 MTD partitions on "msm_nand":
<5>0x023a0000-0x02420000 : "usd"
<5>0x02420000-0x029a0000 : "pkg"
<5>0x03200000-0x038e0000 : "boot"
<5>0x038e0000-0x100e0000 : "system"
<5>0x143a0000-0x1ffe0000 : "userdata"
<5>0x100e0000-0x103a0000 : "lgdrm"
<5>0x103a0000-0x143a0000 : "cache"
<6>msm_hsusb_rpc_connect: rpc connect success vers = 10001
<6>msm_chg_rpc_connect: rpc connect success vers = 10001
<6>usb_set_composition: composition set to product id = 6000
<6>phy info:(2)
<6>usb_probe() io=ce108000, irq=47, dma=ffc2f000(1dbb1000)
<6>msm_hsusb_reset_rework_installed: rework: (0)
<6>usb_probe: reset rework is not installed
<6>Created the sysfs entry successfully
<6>usb_function_register: name = 'adb', map = 3
<6>usb_function_register: name = 'mass_storage', map = 4
<6>usb_function_register: name = 'diag', map = 1
<6>usb_function_register: name = 'modem', map = 0
<6>usb_set_composition: composition set to product id = 6000
<3>msm_hsusb_is_serial_num_null: rpc call success
<3>msm_hsusb_send_productID: rpc call success
<6>msm_hsusb: functions bound. starting.
<6>usb_bind_func() (modem)
<6>usb_bind_func() (diag)
<6>usb_start: pm_app_rpc connect failed
<3>msm_pm_app_rpc_close: rpc_close failed before call, rc = 0
<6>usb_function_register: name = 'nmea', map = 2
<6>usb_function_register: name = 'ethernet', map = 5
<6>msm_hsusb_phy_reset
<4>qwerty_kbd_irqsetup
<6>input: eve_qwerty as /devices/platform/eve_qwerty/input/input1
<4>diyu synaptics_ts_init
<4>diyu ts_probe
<6>input: msm_touch as /devices/platform/msm_touch.0/input/input2
<6>GPIO Matrix Keypad Driver: Start keypad matrix for eve_keypad in interrupt mode
<6>input: eve_keypad as /devices/virtual/input/input3
<4>pm_set_led_intensity() tyep : 0, value : 0
<7>RTC Registering with rs30000048:00010000
<7>msm_rtc: dev (254:0)
<6>rs30000048:00010000 rs30000048:00010000: rtc core: registered msm_rtc as rtc0
<7>msm_rtc_secure: dev (254:1)
<6>rs30000048:00010000 rs30000048:00010000: rtc core: registered msm_rtc_secure as rtc1
<6>i2c /dev entries driver
<6>i2c-gpio i2c-gpio.2: using pins 85 (SDA) and 84 (SCL)
<6>eve_amp_ctl_probe()
<6>i2c-gpio i2c-gpio.4: using pins 17 (SDA) and 27 (SCL)
<4>mv9319_probe called!
<4>mv9319_probe: device = mv9319, client addr = 0x50, adapter = 0xcdb60600
<4>mv9319_init_client: called
<4>mv9319_probe successed! rc = 0
<4>mv9319_probe called!
<4>mv9319_probe: device = mv9319_firmware, client addr = 0x40, adapter = 0xcdb60600
<6>i2c-gpio i2c-gpio.3: using pins 61 (SDA) and 60 (SCL)
<6>i2c-gpio i2c-gpio.1: using pins 23 (SDA) and 33 (SCL)
<6>i2c-gpio i2c-gpio.7: using pins 2 (SDA) and 1 (SCL)
<4>diyu synaptics_ts_probe
<4>[Touch] synaptics_ts_set_vreg() onoff:1
<4>Touch-key REV.1.0
<4>gpio(20): 10
<4> initial_chip
<6>input: synaptics-touch-button as /devices/virtual/input/input4
<4>diyu synaptics_ts_probe: client->irq : 84
<4>diyu synaptics_ts_irq_handler
<6>synaptics_ts_probe: Start touchscreen synaptics-touch-button in interrupt mode
<4>i2c_PRESSURE - ret : 0/ 0 / 0 / 0
<6>i2c-gpio i2c-gpio.5: using pins 41 (SDA) and 42 (SCL)
<6>input: proximity as /devices/virtual/input/input5
<4>diyu/yong p = 0 disable
<6>i2c-gpio i2c-gpio.6: using pins 89 (SDA) and 90 (SCL)
<6>input: compass as /devices/virtual/input/input6
<4>diyu - bma150_probe
<4>Bosch Sensortec Device detected!
<4>BMA150/SMB380 registered I2C driver!
<6>BMA150 device create ok
<6>Bluetooth: HCI UART driver ver 2.2
<6>Bluetooth: HCI H4 protocol initialized
<6>Bluetooth: HCI BCSP protocol initialized
<6>Bluetooth: MSM Sleep Mode Driver Ver 1.0
<3>bluesleep_probe: ____host_wake_irq=147 ext_wake=92 host_wake=83
<3>
<7>hsuart_power: hsuart_power : 1
<7>bluesleep_hostwake_isr: ======= INT
<7>bluetooth_power_init
<7>bt_power_probe
<7>bluetooth_power(0)
<7>on_off: 0
<7>msmsdcc_platform_status_irq: 99
<6>mmc0: Qualcomm MSM SDCC at 0x00000000a0400000 irq 24,99 dma 8
<6>mmc0: 4 bit data mode enabled
<6>mmc0: polling status mode disabled
<6>mmc0: MMC clock 144000 -> 49152000 Hz, PCLK 64000000 Hz
<6>mmc0: Slot eject status = 1
<6>mmc0: Power save feature enable = 1
<6>mmc0: DM non-cached buffer at ffc31000, dma_addr 0x1db90000
<6>mmc0: DM cmd busaddr 0x1db90000, cmdptr busaddr 0x1db90300
<7>msmsdcc_platform_status_irq: 94
<6>mmc1: Slot status change detected (0 -> 1)
<6>mmc1: Qualcomm MSM SDCC at 0x00000000a0500000 irq 26,94 dma 8
<6>mmc1: 4 bit data mode enabled
<6>mmc1: polling status mode disabled
<6>mmc1: MMC clock 144000 -> 49152000 Hz, PCLK 64000000 Hz
<6>mmc1: Slot eject status = 0
<6>mmc1: Power save feature enable = 1
<6>mmc1: DM non-cached buffer at ffc32000, dma_addr 0x1db92000
<6>mmc1: DM cmd busaddr 0x1db92000, cmdptr busaddr 0x1db92300
<4>hs_probe :h2w
<4>hs:0
<4>hs:0
<6>TCP cubic registered
<6>NET: Registered protocol family 17
<6>Bluetooth: L2CAP ver 2.11
<6>Bluetooth: L2CAP socket layer initialized
<6>Bluetooth: SCO (Voice Link) ver 0.6
<6>Bluetooth: SCO socket layer initialized
<6>Bluetooth: RFCOMM socket layer initialized
<6>Bluetooth: RFCOMM TTY layer initialized
<6>Bluetooth: RFCOMM ver 1.10
<6>Bluetooth: BNEP (Ethernet Emulation) ver 1.3
<6>Bluetooth: BNEP filters: protocol multicast
<6>Bluetooth: HIDP (Human Interface Emulation) ver 1.2
<6>clock_late_init() disabled 16 unused clocks
 

Zacpod

Senior Member
Nov 17, 2009
321
50
Toronto, ON
Nice! Did you pull that dmesg out of the firmware?

Diag mode... I wonder if that's the mode it's in when you hold down 1 at power-up...
 

ouinouin

Member
Dec 4, 2009
16
2
I did a dmesg > /sdcard/dmesg.txt on my phone, using ConnectBot for command lines.

I also tried to do a cat /dev/mtd/mtd0 mtd1 to mtd6

and the only partitions I can dump are filled with FF FF FF FF..... (mtd0 and mtd1); the system won't let me read the others.

I also tried to gunzip the ramdisk.img furnished with the Android SDK; it starts with the gzip magic but I can't decompress it. So maybe the first thing to do is to find the right method against the cupcake SDK ramdisk.img.
 

routehero

Senior Member
Nov 12, 2009
77
23
Toronto
OK, have root on the LG GW620:

1) enable USB Debugging:

Settings -> Applications -> Development -> USB Debugging

2) Install Android SDK

3) Install Android ADB driver for LG USB Modem

4) Enter Hidden Menu on handset: 3845#*620#

5) Module Test -> Stability Test -> Enable Root Permission

6) run adb shell

7) type id:

Code:
C:\android-sdk-windows\tools>adb shell
# id
id
uid=0(root) gid=0(root)
#

8) get init.rc:

Code:
on init

sysclktz 0

loglevel 3

# setup the global environment
    export PATH /sbin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export EXTERNAL_STORAGE /sdcard
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/android.policy.jar:/system/framework/services.jar

# Backward compatibility
    symlink /system/etc /etc

# create mountpoints and mount tmpfs on sqlite_stmt_journals
    mkdir /sdcard 0077 system system # LGE_CHANGE_S [bluerti@lge.com] 2009-09-18 <Change permission of /sdcard partition as G1/Hero>
    mkdir /system
    mkdir /data 0771 system system
    mkdir /lgdrm 0770 lgdrm lgdrm_acc
    mkdir /cache 0770 system cache
    mkdir /sqlite_stmt_journals 01777 root root
    mount tmpfs tmpfs /sqlite_stmt_journals size=4m

    mount rootfs rootfs / ro remount

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000

# mount mtd partitions
    # Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@system /system 
    mount yaffs2 mtd@system /system ro remount

    # We chown/chmod /data again so because mount is run as root + defaults
    mount yaffs2 mtd@userdata /data nosuid nodev
    chown system system /data
    # LGE_CHANGE_S [bluerti@lge.com] 2009-09-18 <Change /data partition as G1/Hero>
    chmod 0771 /data
    
# ricky_kwak@lge.com 2009.08.05
# change init logo image permission
    chmod 0777 /initlogo.rle
    # We chown/chmod mtd0, mtd1 again so because mount is run as root + defaults
    chown system system /dev/mtd/mtd0
    chmod 0777   /dev/mtd/mtd0
    chown system system /dev/mtd/mtd1
    chmod 0777   /dev/mtd/mtd1
    

    # We chown/chmod /lgdrm again so because mount is run as root + defaults
    mount yaffs2 mtd@lgdrm /lgdrm nosuid nodev
    chown lgdrm lgdrm_acc /lgdrm
    chmod 0770 /lgdrm
    
    # Same reason as /data above
    mount yaffs2 mtd@cache /cache nosuid nodev
    chown system cache /cache
    chmod 0770 /cache

    # This may have been created by the recovery system with odd permissions
    chown system system /cache/recovery
    chmod 0770 /cache/recovery


	# LGE_CHANGE_S [bluerti@lge.com] For Factory Reset
	mkdir /data/nv 
	chmod 0777 /data/nv
	# LGE_CHANGE_E
	
# create basic filesystem structure
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/hcid 0770 bluetooth bluetooth
    mkdir /data/local 0771 shell shell
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    chmod 0771 /data/data
    mkdir /data/app-private 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root

    # create dalvik-cache and double-check the perms
    mkdir /data/dalvik-cache 0771 system system
    chown system system /data/dalvik-cache
    chmod 0771 /data/dalvik-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770
    mkdir /cache/lost+found 0770

    # double check the perms, in case lost+found already exists, and set owner
    chown root root /data/lost+found
    chmod 0770 /data/lost+found
    chown root root /cache/lost+found
    chmod 0770 /cache/lost+found
    # create LGDRM dirs if not exist
    mkdir /data/lgdrm 0770 lgdrm lgdrm_acc
    mkdir /data/lgdrm/cert 0770 lgdrm lgdrm_acc
    mkdir /data/wmdrm 0770 lgdrm lgdrm_acc
    mkdir /data/arcsoftDivx 0770 lgdrm lgdrm_acc
    chmod 0777 /dev/oncrpc/3000008e:fd348c74


   # create 3rd_party dir if not exist 
    mkdir /data/local/tmp/3rd_party 0777
    mkdir /data/local/tmp/3rd_party/ArcSoft 0777
    mkdir /data/local/tmp/3rd_party/ArcSoft/MediaGallery 0777
    mkdir /data/local/tmp/3rd_party/ArcSoft/MediaPlayer 0777
    mkdir /data/local/tmp/3rd_party/ArcSoft/Camera 0777

# LGE_CHANGE_S, [jinwoonam@lge.com] 2009-08-05, <Add debugfs for test & test app>
    mkdir /data/debug 0777 system system
    mount debugfs mtd@debugfs /data/debug
# LGE_CHANGE_E, [jinwoonam@lge.com] 2009-08-05, <Add debugfs for test & test app>

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Set timeout value for rmnet stats.
    write /sys/devices/virtual/net/rmnet0/timeout_suspend 5000000

# Define the oom_adj values for the classes of processes that can be
# killed by the kernel.  These are used in ActivityManagerService.
    setprop ro.FOREGROUND_APP_ADJ 0
    setprop ro.VISIBLE_APP_ADJ 1
    setprop ro.SECONDARY_SERVER_ADJ 2
    setprop ro.HOME_APP_ADJ 4
    setprop ro.HIDDEN_APP_MIN_ADJ 7
    setprop ro.CONTENT_PROVIDER_ADJ 14
    setprop ro.EMPTY_APP_ADJ 15

# Define the memory thresholds at which the above process classes will
# be killed.  These numbers are in pages (4k).
    setprop ro.FOREGROUND_APP_MEM 1536
    setprop ro.VISIBLE_APP_MEM 2048
    setprop ro.SECONDARY_SERVER_MEM 4096
    setprop ro.HOME_APP_MEM 4096
    setprop ro.HIDDEN_APP_MEM 5120
    setprop ro.CONTENT_PROVIDER_MEM 5632
    setprop ro.EMPTY_APP_MEM 6144

    setprop ro.com.google.location_feature 1
# Write value must be consistent with the above properties.
# Note that the driver only supports 6 slots, so we have HOME_APP at the
# same memory level as services.
    write /sys/module/lowmemorykiller/parameters/adj 0,1,2,7,14,15

    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    write /sys/module/lowmemorykiller/parameters/minfree 1536,2048,4096,5120,5632,6144

    # Set init its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown radio system /sys/power/state
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock
    # princlee@lge.com add permission to handle in Application 2009.08.26
    chown system system /sys/devices/platform/i2c-gpio.6/i2c-adapter/i2c-6/6-0044/enable
    chmod 0666 /sys/devices/platform/i2c-gpio.6/i2c-adapter/i2c-6/6-0044/enable
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline
    chown bluetooth bluetooth /sys/module/bluetooth_power/parameters/power
    chown bluetooth bluetooth /proc/bluetooth/sleep/proto
    chown system system /sys/module/sco/parameters/disable_esco
    chmod 0660 /sys/module/bluetooth_power/parameters/power
    chmod 0660 /proc/bluetooth/sleep/proto
    chown bluetooth bluetooth /dev/ttyHS0
    chmod 0660 /dev/ttyHS0
    chmod 0666 /dev/msm_snd
    chown system system /dev/akm8973_daemon
    chown system system /dev/akm8973_aot
    chmod 0666 /dev/akm8973_daemon
    chmod 0666 /dev/akm8973_aot
#add by kimeh@lge.com
	chown radio system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    4095,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680

    class_start default

## Daemon processes to be run by init.
##
service console /system/bin/sh
    console

# adbd is controlled by the persist.service.adb.enable system property
service adbd /sbin/adbd
    disabled

# adbd on at boot in emulator
#on property:ro.kernel.qemu=1
#    start adbd

on property:persist.service.adb.enable=1
    start adbd

on property:persist.service.adb.enable=0
    stop adbd

#ln -s /dev/oncrpc/30000002:00010000 /dev/oncrpc/30000002:00010001

service servicemanager /system/bin/servicemanager
    user system
    critical
    onrestart restart zygote
    onrestart restart media

service vold /system/bin/vold
    socket vold stream 0660 root mount

service debuggerd /system/bin/debuggerd

service ril-daemon /system/bin/rild
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc

service akmd2 /system/bin/akmd2
    
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    socket zygote stream 666
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on

service media /system/bin/mediaserver
    user media
    group system audio camera graphics inet net_bt net_bt_admin lgdrm_acc

service bootsound /system/bin/playmp3
    user media
    group audio
    oneshot

service dbus /system/bin/dbus-daemon --system --nofork
    socket dbus stream 660 bluetooth bluetooth
    user bluetooth
    group bluetooth net_bt_admin

# BTLA modification adding start on 20090602
# Make sure we startup btld before hcid
service btld /system/bin/logwrapper /system/bin/btld -hb 4000000 
    user root
    group bluetooth net_bt_admin
    disabled
    oneshot

# Start DTUN HCID
service hcid /system/bin/logwrapper /system/bin/hcid
    socket bluetooth stream 660 bluetooth bluetooth
    socket dbus_bluetooth stream 660 bluetooth bluetooth
    # init.rc does not yet support applying capabilities, so run as root and
    # let hcid drop uid to bluetooth with the right linux capabilities
    group bluetooth net_bt_admin misc
    disabled
    oneshot
# BTLA modification adding end on 20090602

#### original block start-comment out for BTLA ,not BlueZ on 20090602
#service hcid /system/bin/hcid -s -n -f /etc/bluez/hcid.conf
#    socket bluetooth stream 660 bluetooth bluetooth
#    socket dbus_bluetooth stream 660 bluetooth bluetooth
#    # init.rc does not yet support applying capabilities, so run as root and
#    # let hcid drop uid to bluetooth with the right linux capabilities
#    group bluetooth net_bt_admin misc
#    disabled
#### original block end-comment out for BTLA ,not BlueZ

service hfag /system/bin/sdptool add --channel=10 HFAG
    user bluetooth
    group bluetooth net_bt_admin
    disabled
    oneshot

service hsag /system/bin/sdptool add --channel=11 HSAG
    user bluetooth
    group bluetooth net_bt_admin
    disabled
    oneshot

service installd /system/bin/installd
    socket installd stream 600 system system

# Added by Sinverse to reduce factory reset time. 20090820.
service lgesystemd /system/bin/lgesystemd
    socket lgesystemd stream 600 system system

service flash_recovery /system/bin/flash_image recovery /system/recovery.img
    oneshot

busybox --install
 
  • Like
Reactions: sol-invictus
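
As an added example (not part of the original post or of LG's firmware), the following parses init.rc text and reports world-writable `chmod` targets, world-writable service sockets, and services that carry no `user` option and therefore stay root. The embedded sample is a short excerpt of lines quoted from the file above; the function name `audit_init_rc` is an assumption of this example.

```python
# Excerpt of lines quoted from the init.rc above, embedded so this runs offline.
SAMPLE = """\
    chmod 0660 /dev/ttyHS0
    chmod 0666 /dev/msm_snd
    chmod 0666 /dev/akm8973_daemon
service vold /system/bin/vold
    socket vold stream 0660 root mount
service akmd2 /system/bin/akmd2
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    socket zygote stream 666
service media /system/bin/mediaserver
    user media
    group system audio camera graphics inet net_bt net_bt_admin lgdrm_acc
service installd /system/bin/installd
    socket installd stream 600 system system
"""


def audit_init_rc(text):
    """Return (world_writable_paths, world_writable_sockets, root_services)."""
    paths, sockets, services = [], [], {}
    current = None                      # name of the service stanza being read
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                    # init.rc comments are whole lines
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "service" and len(tok) >= 3:
            current = tok[1]
            services[current] = "root"  # init forks as root unless 'user' is set
        elif tok[0] == "on":
            current = None              # an action block ends the service stanza
        elif tok[0] == "chmod" and len(tok) == 3:
            if int(tok[1], 8) & 0o002:  # "other" write bit
                paths.append(tok[2])
        elif current and tok[0] == "user" and len(tok) == 2:
            services[current] = tok[1]
        elif current and tok[0] == "socket" and len(tok) >= 4:
            # socket <name> <type> <perm> [user [group]]
            if int(tok[3], 8) & 0o002:
                sockets.append((current, tok[1]))
    root = sorted(name for name, user in services.items() if user == "root")
    return paths, sockets, root


if __name__ == "__main__":
    for label, found in zip(("chmod o+w", "socket o+w", "runs as root"),
                            audit_init_rc(SAMPLE)):
        print(label, found)
```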

Top Liked Posts

  • 11
    And since we're giving away secrets, here is a handy tool to extract those system.mbn files LG ships. This allows you to extract and browse the filesystem easily without having to flash your phone. It's based on unyaffs because that's basically what the filesystem is, but the LG ones don't use OOB data for the fs, but do have some extra data in them (probably checksums) which needs to be skipped.

    Edit: updated unyaffsmbn to preserve uid & guid (if run as root) and timestamps
    2

    I also have V10T - not sure if it's stable or not tho... It's been a looong time since I looked at a 620. http://www.zacpod.com/files/V10T.zip

    Have you checked out OpenEtna? They had some Cyanogen ports that were actually pretty decent.
    2
    introduce Open eve

    Hi,

    Let me introduce openeve firmware.

    http://code.google.com/p/openeve/

    This firmware is from South Korea.

    Openeve has two firmware versions:

    Froyo & Gingerbread

    The Froyo version is the stable version.
    The Gingerbread version is the test version.

    It is based on the LG official kernel 2.6.32,

    so it is fast and stable.

    But be careful: Openeve is made for Korean users.

    Do take care of your regional settings.
    1
    Decompressing the KDZ

    Okay, it took me a while to find the right version of the LG-Utils program to decompress the KDZ file. For those of you following along at home, you want at least version 0.4.2 (the most common version is 0.4.0, which is great if you want to flash your phone with the firmware it appears).

    Okay, for those looking at this thread for the first time, here are a quick set of instructions to get you caught up to ZacPod (as of the 19th anyway).

    (1) Download the firmware: http://csmg.lgmobile.com:9002/swdata/WEBSW/GW620R/ARGSBK/V10c_00/V10C_00.kdz
    (2) Download LG-Utils 0.4.2: http://www.assembla.com/spaces/ks36...eJe5afGb/download?filename=LG-Utils-0.4.2.zip
    (3) Run KP500-Utils-EN.exe (or whatever language you prefer out of the available choices) and select I to extract the KDZ.
    (4) Open the resulting CAB file and extract the DZ file.
    (5) Download DZExtract: http://www.frenchcoder.com/upload/DZExtract-V0.2.zip
    (6) Use DZExtract to extract the MBN files:
    Code:
    DZExtract -x GW620RAT-V10c-OCT-21-2009-RGS-CA_DZ+0.dz C:\extractedTo\

    Voila, lots of MBN files: amss.mbn (8717kb), partition.mbn (0kb), qcsblhd_cfgdata.mbn (0kb), qcsbl.mbn (32kb), oemsblhd.mbn (0kb), oemsbl.mbn (150kb), amsshd.mbn (0kb), appsboothd.mbn (0kb), appsboot.mbn (215kb), zImage_Ramdisk.mbn (2030kb), System.mbn_0 (95089kb), System.mbn_1 (12158kb)

    Now, the zImage_Ramdisk likely contains the kernel. The question is if there is anything else in there. In a hex editor, it starts with the string "ANDROID!" and later on has "mem=88M console=ttyMSM0 androidboot.console=ttyMSM0". Running strings on the mbn files might yield interesting tidbits.

    System appears to be too big and was broken into two pieces ... I suspect it needs to be put together again before it will be of any use.

    amss.mbn is intriguing ... it starts with the string ELF, which is common for Linux executables. Not sure what the smss.mbn is. There are also page after page of "empty" sections (all nulls). Are there multiple files in here? I don't think this is a filesystem ...

    partition.mbn is kind of interesting too. It contains the strings MIBIB, WALLPAPER, OEMSBL2, DLOAD, AMSS, APPSBL, FOTAUSD, FOTAPKG, ZIMAGE, SYSTEM, DRM, CACHE, and USERDATA. I'm assuming it defines the partition tables.

    The question really is, what are these mbn files? They don't look like filesystems, but I'm not really familiar with YAFFS2.

    This thread here:
    http://xdaforums.com/showthread.php?t=399249
    Talks a lot about the DZ file format and there is some discussion about MBN files.

    However, it doesn't appear they are in any special format so I tracked down the YAFFS specs (http://www.yaffs.net/yaffs-spec). I'm hoping they might shed some light on what these files really are. Some notes on YAFFS2 are here: http://www.yaffs.net/yaffs-2-specification-and-development-notes, but they are rather out of date.
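
The "ANDROID!" string and kernel command line seen in zImage_Ramdisk.mbn match the Android boot image header. As an added example (not from the original post or from LG-Utils/DZExtract), this parser splits such an image into kernel and ramdisk; it assumes the file follows the standard mkbootimg layout past the magic, which the post does not confirm, and it runs on a constructed sample image whose sizes and load addresses are made up.

```python
import gzip
import struct

# Android boot image header (original mkbootimg layout), little-endian:
# magic, 10 x u32 (sizes, load addresses, page size), name, cmdline, id.
HDR = struct.Struct("<8s10I16s512s32s")
MAGIC = b"ANDROID!"


def parse_boot_image(blob):
    """Split a boot image into header fields, kernel and ramdisk."""
    if len(blob) < HDR.size:
        raise ValueError("file shorter than a boot image header")
    (magic, ksize, kaddr, rsize, raddr, _ssize, _saddr, _tags, page,
     _u0, _u1, _name, cmdline, _id) = HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("missing ANDROID! magic")
    if page < HDR.size or page & (page - 1):
        raise ValueError("implausible page size %d" % page)
    k_off = page                                       # header fills page 0
    r_off = k_off + (ksize + page - 1) // page * page  # next page boundary
    if r_off + rsize > len(blob):
        raise ValueError("kernel/ramdisk sizes exceed file length")
    ramdisk = blob[r_off:r_off + rsize]
    return {
        "page_size": page,
        "kernel_addr": kaddr,
        "ramdisk_addr": raddr,
        "cmdline": cmdline.split(b"\0", 1)[0].decode("ascii", "replace"),
        "kernel": blob[k_off:k_off + ksize],
        "ramdisk": ramdisk,
        "ramdisk_is_gzip": ramdisk[:2] == b"\x1f\x8b",
    }


def build_sample():
    """Constructed image: filler kernel bytes and a gzip'd stand-in ramdisk."""
    page = 2048
    kernel = b"K" * 3000
    ramdisk = gzip.compress(b"070701 constructed cpio stand-in")
    # Load addresses below are constructed values, not read from the LG file.
    hdr = HDR.pack(MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                   0, 0, 0x10000100, page, 0, 0, b"",
                   b"mem=88M console=ttyMSM0 androidboot.console=ttyMSM0", b"")
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    info = parse_boot_image(build_sample())
    print(info["cmdline"], len(info["kernel"]), info["ramdisk_is_gzip"])
```

If the real file parses cleanly and `ramdisk_is_gzip` is true, the ramdisk bytes can be written out and unpacked as a gzip-compressed cpio archive.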
    1
    Since this thread got revived I may add my 2 cents to the discussion!

    First of all, it seems that the homepage of http://openetna.com/ went down (also the forum and wiki) - I will try to contact cwhchew to find out what happened...

    Secondly, there has been some development for the LG GW620, which I want to sum up here:

    OpenEtna - the last version based on Android 2.2.1 available on http://code.google.com/p/openetna/ is Openetna V6.3-rc7

    But there has been also some development on Android 2.3.7, there was a project started called openEve.

    OpenEve - There is a port of CyanogenMod 7.2.0-RC0 on the page http://code.google.com/p/openeve/ - also there is an alpha port of Android 4.0.3 available there (CM9 ICS 4.0.3) dated 2012-01-13

    And finally there is a project called openEve-continues which is based on the released CyanogenMod 7.2.0 available here: http://code.google.com/p/open-eve-continues/ - it is dated 2012-07-27

    I hope this helps someone to find the right custom firmware for the good old GW620!

    I also started an entry for the LG GW620 on the XDA wiki: http://xdaforums.com/wiki/LG_GW620