Optimus 4x bootloader / bct / flash.cfg dump from kdz

wkpark · Oct 28, 2012

This is the Optimus 4x bootloader / bct / flash.cfg dump from kdz
http://cafe.naver.com/androidhacker/487 (in Korean)

kdz file can be extracted with LGExtract.exe
The extracted *.dz file is very similar with the old style dz file.
So I can extract it manually (please see the above link)
the old style dz file format: http://www.frenchcoder.com/dzextract-lg-dz-file-format-and-extract-tool-lg-ks20/

Im not sure It is worth for Optimus 4x
(I don't have Optimus 4x and I can't test it)
but you can try the following recent nvflash crack~
http://androidroot.mobi/2012/05/27/introducing-wheelie-nvflash-for-asus-transformer-tf101-b70/

happy hacking~
Changes
●dzextract script added
●flash.bct.encrypt file added

-----

EDIT:

SBK Detector for Transformer by lilstevie@xda
~~http://xdaforums.com/showthread.php?t=1232612 v1~~
http://xdaforums.com/showthread.php?t=1290503 v2
See also http://www.xda-developers.com/android/sbk-detection-tool-for-the-asus-transformer/

SBK is leaked for Transformer...

reas0n · Oct 28, 2012

nice, someone is testing it? cause i don't have a linux (downloading now, lol)

@down nah, f*ck.

Dexter_nlb · Oct 28, 2012

wkpark said:
This is the Optimus 4x bootloader / bct / flash.cfg dump from kdz
http://cafe.naver.com/androidhacker/487 (in Korean)

so now we just need the secret SBK key, which is somewhere in the kdz or in the upgrade modem firmware as well.
otherwise those files are worthless, since you cannot boot without a SBK.
and that is IF you get the sbk extracted and they got the device open and you got the driver in place.

wkpark · Oct 28, 2012

Dexter_nlb said:
so now we just need the secret SBK key, which is somewhere in the kdz or in the upgrade modem firmware as well.
otherwise those files are worthless, since you cannot boot without a SBK.
and that is IF you get the sbk extracted and they got the device open and you got the driver in place.

Yes the hardest part! already mentioned at androidroot.mobi
http://androidroot.mobi/technical/tf-secure-boot-key/

_RSAobj · Oct 28, 2012

wkpark said:
This is the Optimus 4x bootloader / bct / flash.cfg dump from kdz
http://cafe.naver.com/androidhacker/487 (in Korean)

kdz file can be extracted with LGExtract.exe
The extracted *.dz file is very similar with the old style dz file.
So I can extract it manually (please see the above link)
the old style dz file format: http://www.frenchcoder.com/dzextract-lg-dz-file-format-and-extract-tool-lg-ks20/

Im not sure It is worth for Optimus 4x
(I don't have Optimus 4x and I can't test it)
but you can try the following recent nvflash crack~
http://androidroot.mobi/2012/05/27/introducing-wheelie-nvflash-for-asus-transformer-tf101-b70/

happy hacking~

Thanks for the info. I will start doing some hacking

Dexter_nlb · Oct 28, 2012

_RSAobj said:
Thanks for the info. I will start doing some hacking

the bootloader do seem to contain "unlock" functionality, and it does also seem to support blob files , so one of the partitions should be able to contain a flashable blob like on prime. but still without unlocking mechanism, those blob's need signing too.

TheNakedGun · Oct 28, 2012

Dexter_nlb said:
the bootloader do seem to contain "unlock" functionality, and it does also seem to support blob files , so one of the partitions should be able to contain a flashable blob like on prime. but still without unlocking mechanism, those blob's need signing too.

thanks to all of you guys for your passion and for your help in trying to make the 4x an even better phone!

reas0n · Oct 28, 2012

Hm, i hope we'll get the early christmas present soon

It's really good that we've a clue

@The Troll Like u see, it works, but it needs sth to work, like Dexter said

Sent from my LG-P880 using xda premium

The Troll · Oct 28, 2012

did anyone extract and confirm?
i tried dz-extract loonnnggg ago but didnt seem to work
too sleepy atm to check..

temme what to do in the morning
i got ubuntu installed and v10c and f downloaded aleady

c0ldz3r0 · Oct 29, 2012

The Troll said:
did anyone extract and confirm?
i tried dz-extract loonnnggg ago but didnt seem to work
too sleepy atm to check..

temme what to do in the morning
i got ubuntu installed and v10c and f downloaded aleady

Yes, I managed to extract it. Thanks to the hint above.

For the first, got the flash.cfg and bootloader.bin. Will continue tomorrow.

Croaker24 · Oct 29, 2012

I love this community!!!

The Troll · Oct 29, 2012

so we got the bootloader..
what are the chances of it being unlocked?
i mean suppose we find the sbk keys in there..
what else will we need? and how do we get it?

wkpark · Oct 29, 2012

The Troll said:
did anyone extract and confirm?
i tried dz-extract loonnnggg ago but didnt seem to work
too sleepy atm to check..

temme what to do in the morning
i got ubuntu installed and v10c and f downloaded aleady

ok Ive just added my dzextact script
and dump "flash.bct.encrypt" file found at the BCT_ENCRYPT subfile entry.

The Troll said:
so we got the bootloader..
what are the chances of it being unlocked?
i mean suppose we find the sbk keys in there..
what else will we need? and how do we get it?

I guess P880 have "fused" SBK that's why the flash.bct.encrypt found in the kdz.

See also http://www.sourceconference.com/publications/bos12pubs/android-modding-source.pdf

wkpark · Oct 29, 2012

LG's old tegra2 devices have no SBK (P990/P999/SU660)

and some fuse information can be obtained via sysfs

(for kernel 2.6.39)

arch/arm/mach-tegra/tegra_odm_fuses.c

http://nv-tegra.nvidia.com/gitweb/?...62fd10ddbae8bed780ca80204efe11ee8;hb=rel-14r7

for SU660(P990 variant)

Code:

# busybox uname -a
Linux localhost 2.6.39.4-gb348b1e #1 SMP PREEMPT Sun Oct 28 01:37:22 KST 2012 armv7l unknown
# ls /sys/firmware/fuse
device_key
ignore_dev_sel_straps
jtag_disable
odm_production_mode
odm_reserved
sec_boot_dev_cfg
sec_boot_dev_sel
secure_boot_key
sw_reserved

Code:

shell@android:/sys/firmware/fuse # cat secure_boot_key
0x00000000000000000000000000000000

How about P880 ?

----
Edit:
See also http://xdaforums.com/showthread.php?t=1847950

I guess the fuse information work correctly only for a developer version

The Troll · Oct 29, 2012

is fused a good news or bad?
what are the chances of this being unlocked? :/
should i sell it off or not? :/

_RSAobj · Oct 29, 2012

wkpark said:
LG's old tegra2 devices have no SBK (P990/P999/SU660)

and some fuse information can be obtained via sysfs

(for kernel 2.6.39)

arch/arm/mach-tegra/tegra_odm_fuses.c

http://nv-tegra.nvidia.com/gitweb/?...62fd10ddbae8bed780ca80204efe11ee8;hb=rel-14r7

for SU660(P990 variant)

Code:

# busybox uname -a Linux localhost 2.6.39.4-gb348b1e #1 SMP PREEMPT Sun Oct 28 01:37:22 KST 2012 armv7l unknown # ls /sys/firmware/fuse device_key ignore_dev_sel_straps jtag_disable odm_production_mode odm_reserved sec_boot_dev_cfg sec_boot_dev_sel secure_boot_key sw_reserved

Code:

shell@android:/sys/firmware/fuse # cat secure_boot_key 0x00000000000000000000000000000000

How about P880 ?

----
Edit:
See also http://xdaforums.com/showthread.php?t=1847950

I guess the fuse information work correctly only for a developer version

Code:

shell@android:/sys/firmware/fuse # ls -la
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 device_key
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 ignore_dev_sel_straps
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 jtag_disable
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 odm_production_mode
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 odm_reserved
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 sec_boot_dev_cfg
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 sec_boot_dev_sel
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 secure_boot_key
-rw-rw-r-- radio    system       4096 2012-10-29 07:21 sw_reserved

Code:

shell@android:/sys/firmware/fuse $ su
shell@android:/sys/firmware/fuse # cat secure_boot_key                         
shell@android:/sys/firmware/fuse #

Code:

shell@android:/sys/firmware/fuse # cat device_key                              
0xffffffff

shell@android:/sys/firmware/fuse # cat ignore_dev_sel_straps
0x00000001

shell@android:/sys/firmware/fuse # cat jtag_disable
0x00000000
shell@android:/sys/firmware/fuse # cat odm_production_mode
0x00000001
shell@android:/sys/firmware/fuse # cat odm_reserved
0x0000000000000000000000000000000000000000000000000000000000000000
shell@android:/sys/firmware/fuse # cat sec_boot_dev_cfg
0x00000011
shell@android:/sys/firmware/fuse # cat sec_boot_dev_sel
0x00000000
shell@android:/sys/firmware/fuse # cat secure_boot_key
shell@android:/sys/firmware/fuse # cat sw_reserved
0x00000000

Dexter_nlb · Oct 29, 2012

wkpark said:
Code:

shell@android:/sys/firmware/fuse # cat secure_boot_key 0x00000000000000000000000000000000

How about P880 ?

i believe life is not that simple. secret are to remain secrets until revealed by improper handling , this would have been plain stupid to enable if it was shown here.

wkpark · Oct 29, 2012

Dexter_nlb said:
i believe life is not that simple. secret are to remain secrets until revealed by improper handling , this would have been plain stupid to enable if it was shown here.

I just make it clear

anyway LG sometime do stupid things like as leaking their RSA keys for some locked omap4 devices

The Troll · Oct 29, 2012

so.. can someone temme whats with the fused sbk?
and if its even possible to get it?

scamex · Oct 29, 2012

Hi there.
I want to buy this phone and was just around on this forum for some weeks. Now i have an optimus black and in our forum an user made a tool for extracting al tables and content from kdz files. I dont know if it will work for 4x hd but have a look here and maybe dexter or other devs will come with some ideas.
http://xdaforums.com/showthread.php?t=1566532
And here for an attemp to boot from sdcard http://xdaforums.com/showthread.php?t=1960047.

Sorry for my awfull english.

Optimus 4x bootloader / bct / flash.cfg dump from kdz

Senior Member

Attachments

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Similar threads

Top Liked Posts