
[Tutorial] How to root D838 that cannot enter recovery mode

By pcfree, Junior Member on 14th April 2014, 11:43 PM
For those who own G Pro 2 D838 that cannot enter stock recovery to run adb sideload option (ioroot25), this tutorial teaches you how to grant root access through normal adb (ioroot24).

After a long time investigating the LG TOT file structure, I've found a way to partially flash a partition. And if you flash, for example, the F350K kernel into a D838, you can run a modified ioroot24 batch file by adding LG-D838 to the model option list.

The steps are as follows:

0. Back up your critical data. Flashing a TOT will do a factory reset automatically. All user data except Ext-SD will be erased.
1. Find and download the firmware exactly matching your D838 (16GB or 32GB model, HK or TW model), and the DLL file (or extract from KDZ).
2. Find and download old version F350 firmware such as F350K 10d version (only old versions are compatible with ioroot24 method).
3. Download my sample TOT header file below (myboothdr.bin). This file is verified on D838 16GB Taiwan. May not work for 32GB version.
4. Download any KDZ/TOT extractor you like.
5. Download any CRC32 checksum program you like. I use HashMyFiles. And download any hex editor you like. I use xvi32.
6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
7. Extract F350 firmware to get boot.bin. Rename it as boot350.bin
8. In Windows command prompt, combine PrimaryGPT.bin and boot.bin into d838body.bin by the following command:
copy /b PrimaryGPT.bin+boot.bin d838body.bin
Don't forget the argument "/b". It's very important to use this flag to do a "binary mode" copy.
9. Calculate the CRC32 checksum of d838body.bin with your checksum program. This should be a 32-bit number.
10. In the sample header file "myboothdr.bin", fill in the CRC32 value at file offset 0x08. Please note that the file stores numbers in little-endian order, so the byte order of the 32-bit CRC32 value should be reversed. For example, a calculated CRC32 value 0x12345678 should be filled in as 78 56 34 12 at file offsets 0x08, 0x09, 0x0a, 0x0b.
11. Combine header and body by the following command (the result file must be in "tot" file extension):
copy /b myboothdr.bin+d838body.bin d838kernel.tot
12. Repeat steps 8~11 but replace boot.bin with boot350.bin and d838kernel.tot with f350k4d838.tot.

Now you have two kernel TOT files for your D838.

13. Use LG Flash Tool to flash f350k4d838.tot with your D838 DLL file.
14. Manually run adb commands similar to ioroot24 for F350. However, unplugging and replugging the USB cable did not work for me. Switching between "Changing Only" and "MTP" works.
15. Use LG Flash Tool to flash back d838kernel.tot with your D838 DLL file.

The file "myboothdr.bin" contains some offset / size values which may not work for other regions and/or the 32GB D838. Make sure the size of boot.bin is 12058624 bytes. And try to investigate your partition table file PrimaryGPT.bin to make sure the "boot" partition starts at 0x40000.

It is assumed that all 16GB models have the same partition geometry and the same size of kernel image (boot.bin), so I GUESS all 16GB D838 could use this header file. But I am not responsible for this. To customize the header file for your D838 16GB or 32GB model, check the following items and modify the header if necessary:
1. Check your partition table file (PrimaryGPT.bin) to find the location of your kernel image partition. In the D838 TW model, the kernel partition entry is at offset 0x700 (0x80 bytes in total, 0x700~0x77f); offset 0x700+0x38 contains the partition name 0x62,0x00,0x6F,0x00,0x6F,0x00,0x74,0x00 (UTF16-LE string "boot"), and offset 0x700+0x20 contains the kernel partition starting sector 0x00, 0x00, 0x04, 0x00 (32-bit number 0x00040000). If your D838 model has a different value from 0x00040000, please modify my header file at offset 0x2020 to your value.
2. Verify the file size of your boot.bin (and boot350.bin) to make sure it is 12058624 bytes (0xb80000). If not, please stop here. Some calculation is required to modify my header file, and some partition size verification has to be made for your case.

Because the resulting tot files contain partition info and a kernel image, you'd better use your own tot files. If you want to use others', please make sure they are for the same model, kernel version, ROM size (16 or 32GB), and region (TW, HK or SG).


Thanks:
autoprime's great ioroot tools
Attached Files
File Type: zip myboothdr.zip (1.2 KB, 934 views)
The Following 15 Users Say Thank You to pcfree For This Useful Post
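The checks and steps 8 to 11 from the post above, as an added example that is not pcfree's code. It assumes the CRC32 is the standard variant computed by zlib, that the partition entries in PrimaryGPT.bin start at 0x400 (which puts the post's 0x700 entry seventh), and it uses a constructed GPT dump; `find_partition`, `build_tot` and `sample_gpt` are hypothetical names.

```python
import struct
import zlib

ENTRY_SIZE = 0x80      # one partition entry, as stated in the post
BOOT_SIZE = 0xB80000   # 12058624 bytes, the boot.bin size the header expects
BOOT_LBA = 0x40000     # starting sector the sample header was built for
CRC_OFFSET = 0x08      # header offset of the body CRC32 (step 10)

def find_partition(gpt: bytes, name: str, table_start: int = 0x400):
    """Return (entry_offset, first_lba) of the named entry, or None."""
    for off in range(table_start, len(gpt) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = gpt[off:off + ENTRY_SIZE]
        # Name field: UTF-16LE, NUL padded, at entry offset 0x38.
        label = entry[0x38:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        if label == name:
            # GPT stores the first LBA as a 64-bit little-endian value at 0x20.
            return off, struct.unpack_from("<Q", entry, 0x20)[0]
    return None

def build_tot(header: bytes, gpt: bytes, boot: bytes) -> bytes:
    """Body = GPT + boot image; its CRC32 goes little-endian at header 0x08."""
    if len(boot) != BOOT_SIZE:
        raise ValueError(f"boot image is {len(boot)} bytes, expected {BOOT_SIZE}")
    found = find_partition(gpt, "boot")
    if found is None or found[1] != BOOT_LBA:
        raise ValueError("boot partition does not start at sector 0x40000")
    body = gpt + boot                      # same result as copy /b a+b
    crc = zlib.crc32(body) & 0xFFFFFFFF
    patched = bytearray(header)
    struct.pack_into("<I", patched, CRC_OFFSET, crc)   # 0x12345678 -> 78 56 34 12
    return bytes(patched) + body

def sample_gpt() -> bytes:
    """Constructed 34-sector GPT dump with a single 'boot' entry at 0x700."""
    gpt = bytearray(34 * 512)
    struct.pack_into("<Q", gpt, 0x700 + 0x20, BOOT_LBA)
    gpt[0x700 + 0x38:0x700 + 0x40] = "boot".encode("utf-16-le")
    return bytes(gpt)
```

With real files, read myboothdr.bin, PrimaryGPT.bin and boot.bin as bytes and write the return value of `build_tot` to a file with the "tot" extension.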
 
 
15th April 2014, 04:58 AM |#2  
Junior Member
You are the man! I feel proud to be a Taiwanese.
This is what loving Taiwan really means.

Humble suggestion: probably move this thread to development?
The Following 2 Users Say Thank You to sanven For This Useful Post
15th April 2014, 09:21 AM |#3  
stupc
Member
Quote:
Originally Posted by pcfree

For those who own G Pro 2 D838 that cannot enter stock recovery to run adb sideload option (ioroot25), this tutorial teaches you how to grant root access through normal adb (ioroot24).

After long time investigating LG TOT file structure, I've found the way to partially flash a partition. And if you flash, for example, F350K kernel into a D838, you can run modified ioroot24 batch file by adding LG-D838 in the model option list.

The steps are as follows:

0. Backup your critical data. Flash TOT will do factory reset automatically.
1. Find and download the firmware exactly matching your D838 (16GB or 32GB model, HK or TW model), and the DLL file (or extract from KDZ).
2. Find and download old version F350 firmware such as F350K 10d version (only old versions are compatible with ioroot24 method).
3. Download my sample TOT header file below (myboothdr.bin). This file is verified on D838 16GB Taiwan. May not work for 32GB version.
4. Download any KDZ/TOT extractor you like.
5. Download any CRC32 checksum program you like. I use HashMyFiles.
6. Download any hex editor.
6. Extract D838 firmware to get PrimaryGPT.bin (partition table), boot.bin (kernel) and the DLL file if KDZ.
7. Extract F350 firmware to get boot.bin. Rename it as boot350.bin
8. In Windows command prompt, combine PrimaryGPT.bin and boot.bin into d838body.bin by the following command:
copy /b PrimaryGPT.bin+boot.bin d838body.bin
9. Calculate d838body.bin CRC32 checksum.
10. In sample header file "myboothdr.bin", Fill the CRC32 value at file offset 0x08.
11. Combine header and body by the following command (the result file must be in "tot" file extension):
copy /b mybootheader.bin+d838body.bin d838kernel.tot
12. Repeat steps 8~11 but replace boot.bin with boot350.bin and d838kernel.tot with f350k4d848.tot.

Now you have two kernel TOT files for your D838.

13. Use LG Flash Tool to flash f350k4d838.tot.
14. Manually run adb command similar with ioroot24 for F350. However, unplug and plug USB cable did not work for me. Switching between "Changing Only" and "MTP" works.
15. Use LG Flash Tool to flash back d838kernel.tot.

The file "myboothdr.bin" contains some offset / size values which may not work for other region and/or 32GB D838. Make sure the size of boot.bin is 12058624 bytes. And try to investigate your partition table file PrimaryGPT.bin to make sure "boot" partition starting at 0x40000.

Nice work! But speaking as a non-technical guy, do you think there'll be an easier, less scary, way of rooting the D838 soon?
I've rooted and flashed all my previous phones but these instructions sound very complicated indeed...
15th April 2014, 10:07 AM |#4  
Junior Member
Thumbs up
Appreciate your amazing work,
You're the miracle creator!!

I want to say it too... this is what loving Taiwan really means, +1 ~^^
The Following User Says Thank You to ando1.tw For This Useful Post
15th April 2014, 10:33 AM |#5  
Junior Member
Thumbs up
It's true.
The procedure is too complicated for a beginner to root the D838.
But honestly, this is one small step for a man, a giant leap for D838 device owners.

I believe the author will try to reform the procedure into a simpler way.
It just takes time to improve it.

Again, thanks for your great work on D838.
15th April 2014, 01:27 PM |#6  
Senior Member
Sydney
So close, but the LGFlashTool doesn't want to recognise my D838, even after trying every driver I could find... So I'm stuck at unlucky step 13!

Sent from my LG-D838 using Tapatalk
16th April 2014, 01:00 AM |#7  
Senior Member
Quote:
Originally Posted by sub69

So close, but the LGFlashTool doesn't want to recognise my D838, even after trying every driver I could find... So I'm stuck at unlucky step 13!

Sent from my LG-D838 using Tapatalk

Do you get the message "Failed previousLoad()"? This seems to be caused by an invalid tot file.

OP any chance you can just up the tot files?
16th April 2014, 01:11 AM |#8  
Senior Member
Sydney
Quote:
Originally Posted by thelestat

Do you get the message "Failed previousLoad()"? This seems to be caused by an invalid tot file.

I did, but I think as an LG n00b it's a PEBKAC error. I'll keep reading and let you know when it works...


Sent from my LG-D838 using Tapatalk
16th April 2014, 01:22 AM |#9  
Junior Member
Wrong check sum
16th April 2014, 03:43 AM |#10  
Junior Member
According to the above tutorial.
Someone had replied that the checksum is incorrect.
The correct checksum is 30252AC8 for d838body.bin
and E5ED3232 for f350body.bin
There's another tutorial by a Taiwanese developer named "z30152" that has simplified the procedure, which is much easier for most users.
You can refer to http://www.mobile01.com/topicdetail....&t=3864486&p=1
The Following User Says Thank You to jc042982 For This Useful Post
16th April 2014, 04:28 AM |#11  
Senior Member
Sydney
Quote:
Originally Posted by jc042982

According to above tutorial.
Someone had replied that the checksum is incorrect.
The correct checksum is 30252AC8 for d838body.bin
and E5ED3232 for f350body.bin
That's another tutorial by Taiwan developer named "z30152" had simplified the procedure which much easier for most user.
You can refer to http://www.mobile01.com/topicdetail....&t=3864486&p=1

Yeah, not sure what I'm doing wrong - I'm sure I've input the CRC correctly, but it's just not playing ball. Will have a look at the other tutorial later...

Thinking about it, it's possibly failing because I'm using a 16Gb HKG phone with the .kdz of the HKG firmware, but I expected the process to be the same, even if the CRCs are different...

The Following User Says Thank You to sub69 For This Useful Post