
LG GW620 Development/Kernel hacking (Have LG source mods + trying to get 2.0 working)

321 posts
Thanks Meter: 50
 
By Zacpod, Senior Member on 17th November 2009, 09:15 PM
Important: For all general posts, please use the forums at OpenEtna.com. PLEASE leave this thread clear for developers.

-Please try to keep this thread clear for discussions of the ongoing effort to get the 2.6.29 kernel + Android 2.0 working on this device. For all general questions please use the dedicated forums at AndroidNetwork.org. Thanks.

Update 13: Oct 12th 2010
Froyo is running on the Eve! Polytheus modded the kernel enough so that it would run, and the OpenEtna project has been started at Google code. Please check there for all updates! Great work everyone!!!

Update 12: Feb 4th 2010
  • Yahoo! LG is making 1.6 for the Eve - which will include kernel 2.6.29 - which will make it 1000x easier to port AOSP on to this beasty! Waiting patiently for 1.6 to be released this spring sometime.

Update 11: Jan 30th 2010
  • CyrilLD located the GW620's serial port. I've soldered a lead on to it and am trying to find its device name so we can have the kernel output debug messages to it at bootup. Hopefully this will let us see why the kernel isn't booting.
  • Enkoopa's request for the source for RILD (the radio daemon) from LG was denied. They can't give it out as it would violate their NDA with Qualcomm.

Update 10: Jan 14th 2010
  • After days of hard work a few of us managed to get the LG changes folded in to various flavours of the 2.6.29 kernel. I folded them in to the stock Android kernel, and CyrilLD folded them in to the CodeAura tree. Sadly, it doesn't want to boot right now. It just hangs at "Booting Linux..." and we're all frustrated.
  • Enkoopa has requested the source for RILD (the radio daemon) from LG, or at least a version of rild and libril compiled against 2.6.29

Update 9: Jan 6th 2010
  • Happy New Year!!!
  • We now have the GW620's GPL source code in hand!
  • We can now move forward trying to get the kernel upgraded and running properly against Android 2.0. We're still going to have some fun getting the radio to work as the LG mods to the rild source is under the apache licence and therefore hasn't been released to us. We'll have to do some magic to get the existing rild working on whatever build we end up with. Any volunteer magicians?
  • I've made an Apps2SD image that seems to be fit for general consumption. You can read details about it waaay down in the posts here (somewhere around page 55) or at www.zacpod.com. It's pre-rooted and has some nifty features - including storing your apps on the sd card if you create an ext2 partition on it.
  • It's going to be an exciting few months as we work towards getting 2.0 running fully!

Update 8: Dec 29th 2009
  • The Wiki is growing nicely - has a lot more info in it now.
  • We've heard from LG and have gained access to their commercial collaboration site, but we still don't have access to the req'd kernel source
  • Progress has been slow over the holidays. The new year should bring some good things though - especially if LG comes thru with the source.

Update 7: Dec 20th 2009
  • We have a modified Nandroid for Eve that's working for backup/restore. See post 394 for the req'd files and instructions.
  • Radio in 2.0 is still failing, but Routehero is making progress
  • I'm trying to get the Audio subsystem and/or wifi running under 2.0
  • No word yet from LG about releasing the kernel sources as req'd under the GPL

Update 6: We're still working away at getting 2.0 working on this device.
  • Routehero is making steady progress getting 2.0 to boot on the stock kernel.
  • A few folks are communicating with LG with the hopes of getting LG to release their kernel changes for this device to Android Trunk
  • I'm working on getting a functional backup process in place so we don't have to keep reflashing to factory
  • enkoopa got a process sorted to install all the various drivers for windows
  • The wiki page is growing, though it doesn't yet contain all the juicy goodness from this thread.

Update 5: Success! Routehero figured out a way to root without reflashing anything! See the end of page 6 - Post #60 for the key (Thanks Routehero!!!) or my post near the top of page 11 for a step by step guide.

Update 4: The exploit path is closed for now, until a new 'sploit comes along to try. Meanwhile, we're working on breaking into the boot image's ramdisk. If we can get in to that, make some changes, and then flash the resulting firmware to the phone we'll be in business. We're having some issues decompressing the ramdisk though - it seems LG didn't use gzip to compress the ramdisk. We need to figure out how it's compressed if we want to break this baby open this way.

Update 3: I got the PoC code compiling, but it looks like the Eve's kernel is protected against this exploit.

Update 2: Looks like my original idea is a dead end. I can't easily extract the yaffs2 filesystem from the MBN file, so I can't work on it to give default root. Even if I could, it turns out that production android devices require the firmware image to be signed - something I wouldn't be able to do without LG's keys. Soooo, I'm heading down a different alley in to exploit territory. It looks like kernel exploit CVE-2009-3547 was discovered after the Eve's default firmware was released. I'm currently working on trying to get the proof-of-concept code for it compiling for Android. If I can get it running, and it works, then we'll have a root hack similar to the "Asroot2" program for the Dream.

Update: I have a flash file extracted, and am working on getting it mounted so I can mod it for root access. Once that's done, I'll need to repack the files and get the resulting file flashed on to the phone. I'll keep updating this as I progress. Eventually, and ideally, I'd like to have a rooted Android 2.0 running on this device.

Original message:
Hiya Folks,
I'm looking for some advice about where to start trying to root this phone.

I've been trying to get in to recovery mode, but am not having much luck. I've tried powering on with home, back, menu, volume up, volume down, and camera keys held down. Menu booted me in to safe mode, but nothing else seems to have any effect.

I'm VERY computer literate, and am comfortable compiling a custom firmware. I've played with OpenWRT extensively on my routers at home, but have never hacked around on phones before.

I'd love to root this beasty, and hopefully get 'droid 2.0 on to it, but am beginning to think that I might be stuck with 1.5.

I'm still within the first 15 days of my contract, so I'm not afraid of bricking this thing as I can get it replaced easily.

Thanks in advance for any advice.
18th November 2009, 04:38 PM |#2  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Unhappy Progress so far
I still can't get this beasty to boot in to anything other than normal and safe modes.

I've tried the asroot2 method, but the process gets killed.

I've tried the Recovery Flasher tool. It identifies my device as an EBIO/32B but fails with a "Backup FAILED: Could not run command" error.

I think the Recovery Flasher uses asroot2, and this is a pretty new device, so no surprise that they've fixed that hole.

I tried using "adb root" but it won't run as root on a production device.

I tried using "adb reboot bootloader" and "adb reboot recovery" and they both fail with something along the lines of "Command stopped"

Not sure what else to try. I may have to resort to rebooting the thing and holding down a different key every time. Ugh.

Anyone have any advice or pointers?
19th November 2009, 12:42 AM |#3  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
A little more progress:

I don't know enough about hacking to break in to root on the phone, so I'm now trying a different tactic. I've found a firmware .kdz file and am working on extracting the filesystem from that. If I can get the filesystem mounted on a linux box I can make the required modifications to allow root access to work. Then I just need to repack the firmware back in to a kdz, and fiddle with the lg update process to force it to use my firmware instead of the one it downloads. Fingers crossed!

So far, I have extracted the kdz and have the resulting dll and dz.
However, I'm not able to extract the dz. I get the first few files and then it bails as below.
Code:
C:\Users\Zac\Desktop\DZExtract>DZExtract.exe GW620R.dz
DZExtract v0.2 by jp

Header informations
--------------------------------------------------------------------------------

  Checking magic code.............................Ok (MSTXMETX)
  Checking hash...................................Ok (E88C-6D55-CA9A-6E41-CAF9-236F-BCD6-F6AD)
  Phone model.....................................GW620R
  ROM name........................................V10c
  Chip model......................................MSM7200
  OS name.........................................kuvic0611
  Internal filename...............................GW620RAT-01-V10c-302-72-OCT-21-2009-RGS-CA+0-DZ.dz

C:\Users\Zac\Desktop\DZExtract>DZExtract.exe -x GW620R.dz dz
DZExtract v0.2 by jp

Extracting subfiles...
--------------------------------------------------------------------------------

Reading sub-header @0x13c
  Checking magic number...........................Ok
  Checking hash...................................Ok (779D-3AF8-DE8A-57F9-04BC-2093-441A-CAB0)
  Extracting 'amss.mbn' (8717 kb).................Ok
  Inflating...
Unhandled Exception: System.BadImageFormatException: An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B)
   at DZExtract.ZLib.gzopen(String path, String mode)
   at DZExtract.DZFile.Inflate(String srcPath, String srcDest, Byte[] md5Hash)
   at DZExtract.DZFile.ExtractSubFile(FileStream hFile, Int64 nPosition)
   at DZExtract.DZFile.ExtractContent(String sOutputDir)
   at DZExtract.Program.Main(String[] args)
It may be because I'm running dzextract on a 64 bit win7 box. I may have to try to find an old 32 bit WinXP junker to see if it fares any better.
19th November 2009, 07:27 AM |#4  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Yep, it's because it was running on 64 bit. I ran the extract on a 32 bit terminal server at work, and now I have a nice chunk of flash files. Next up is getting the one I need to mod mounted on a linux box - but I'll leave that for tomorrow.
Here's the log of the extract, if anyone is interested.
Code:
C:\Documents and Settings\xxxxxxx\Desktop>DZExtract.exe -x GW620R.dz
DZExtract v0.2 by jp

Extracting subfiles...
--------------------------------------------------------------------------------

Reading sub-header @0x13c
  Checking magic number...........................Ok
  Checking hash...................................Ok (779D-3AF8-DE8A-57F9-04BC-2093-441A-CAB0)
  Extracting 'amss.mbn' (8717 kb).................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (09BD-F19B-5A5F-9318-8E09-3433-802C-2147)
--------------------------------------------------------------------------------

Reading sub-header @0x883846
  Checking magic number...........................Ok
  Checking hash...................................Ok (2956-B022-40A3-2CD7-8D3B-2E2A-0A6D-A93E)
  Extracting 'partition.mbn' (0 kb)...............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (E292-7080-307E-BB0C-2FF4-3F79-3D31-8492)
--------------------------------------------------------------------------------

Reading sub-header @0x8839e7
  Checking magic number...........................Ok
  Checking hash...................................Ok (CCA4-E7AB-288B-A566-654C-E7DC-CAC8-7065)
  Extracting 'qcsblhd_cfgdata.mbn' (0 kb).........Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (1AC2-9240-DCFE-6BC3-A97D-1982-395D-A261)
--------------------------------------------------------------------------------

Reading sub-header @0x883e1d
  Checking magic number...........................Ok
  Checking hash...................................Ok (E443-9E6E-6405-E900-4AEC-25D6-73EC-9176)
  Extracting 'qcsbl.mbn' (32 kb)..................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (422B-0D5B-6FBF-9B5F-344F-ADC7-4DD5-399B)
--------------------------------------------------------------------------------

Reading sub-header @0x88bfa8
  Checking magic number...........................Ok
  Checking hash...................................Ok (EE96-6604-A9B4-C510-4AC6-23EA-0420-7310)
  Extracting 'oemsblhd.mbn' (0 kb)................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (97B7-3AE9-E699-66D2-11AE-239A-0442-1482)
--------------------------------------------------------------------------------

Reading sub-header @0x88c092
  Checking magic number...........................Ok
  Checking hash...................................Ok (1251-FB46-F52A-A135-EA4F-6587-D4CB-8BC4)
  Extracting 'oemsbl.mbn' (150 kb)................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (9266-D1A5-E903-4DA9-D4FD-FD82-DBE6-F0E6)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1a3d
  Checking magic number...........................Ok
  Checking hash...................................Ok (A2DE-B04A-D432-5A41-D172-6516-F19C-976F)
  Extracting 'amsshd.mbn' (0 kb)..................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (8B5F-6543-042E-D21B-FABC-75C8-806E-1AB9)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1b28
  Checking magic number...........................Ok
  Checking hash...................................Ok (C803-0584-0556-CBB6-D84E-9E92-37E0-6DF6)
  Extracting 'appsboothd.mbn' (0 kb)..............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (46D7-EDE5-E2E6-8DCA-935F-0861-AE04-83EF)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1c0f
  Checking magic number...........................Ok
  Checking hash...................................Ok (D524-7715-2D8F-E19E-D7EF-ED94-EE1F-AA34)
  Extracting 'appsboot.mbn' (215 kb)..............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (B0A6-3E4F-F285-D9F3-2611-FF3F-9F6C-0925)
--------------------------------------------------------------------------------

Reading sub-header @0x8e7bd0
  Checking magic number...........................Ok
  Checking hash...................................Ok (81FF-6E9F-0DC0-FE9D-C9A5-E0FC-0C93-3EFE)
  Extracting 'zImage_Ramdisk.mbn' (2030 kb).......Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (84B3-A910-5C02-E0D0-6767-50DB-C627-569E)
--------------------------------------------------------------------------------

Reading sub-header @0xae3700
  Checking magic number...........................Ok
  Checking hash...................................Ok (0C8D-72E4-E649-5E84-9A4B-A34F-C555-36D6)
  Extracting 'System.mbn_0' (95089 kb)............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (54EB-94B0-7145-2142-6820-7D85-C7B0-040C)
--------------------------------------------------------------------------------

Reading sub-header @0x67bfe3f
  Checking magic number...........................Ok
  Checking hash...................................Ok (2DBB-3DDF-361D-6F98-F551-DDD7-F022-8A79)
  Extracting 'System.mbn_1' (12158 kb)............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (1AAE-AE6E-CCCB-107D-AC4D-1EBA-DB64-8247)
--------------------------------------------------------------------------------

Reading sub-header @0x739f892
  Checking magic number...........................This is an offset table, skipping end of file

C:\Documents and Settings\xxxxxxx\Desktop>
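The extract log above shows DZExtract inflating each subfile, while Update 4 in the first post notes that the ramdisk inside zImage_Ramdisk.mbn did not look like gzip at all. The following is an added example, not code from this thread, from LG, or from DZExtract: a small binwalk-style scanner that walks a blob looking for well-known compression and container magics (gzip, zlib, bzip2, xz, newc cpio, Android boot image, ARM zImage) and, where it can, confirms a candidate by actually starting to inflate it, so that a stray "1f 8b 08" that does not decompress is reported as unconfirmed rather than mistaken for a gzip ramdisk. The signature table and the sample blob are constructed here and are not taken from the GW620 firmware; the format knowledge it encodes is the public layout of each header, nothing device specific.

```python
"""Scan a firmware blob for embedded compression / container signatures.

Added example: identify what an extracted payload (e.g. a ramdisk) is
compressed or wrapped with, confirming candidates where possible.  The
signature list and the sample blob below are constructed for this example.
"""
import gzip
import struct
import zlib

MAX_PROBE = 1 << 20  # feed at most 1 MiB of input into a trial inflate


def _try_inflate(blob, off, wbits):
    """Return decompressed byte count if a deflate stream really starts at off, else None."""
    d = zlib.decompressobj(wbits)
    try:
        out = d.decompress(blob[off:off + MAX_PROBE])
    except zlib.error:
        return None
    return len(out) or None


def _check_gzip(blob, off):
    # wbits 31 = gzip wrapper; reserved flag bits or a bad deflate body raise zlib.error
    return _try_inflate(blob, off, 16 + zlib.MAX_WBITS) is not None


def _check_zlib(blob, off):
    cmf, flg = blob[off], blob[off + 1]
    # RFC 1950: CM must be 8 (deflate) and CMF*256+FLG must be a multiple of 31
    if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
        return False
    return _try_inflate(blob, off, zlib.MAX_WBITS) is not None


def _check_bzip2(blob, off):
    # "BZh" + block-size digit 1..9 + first block magic 0x314159265359
    return (len(blob) >= off + 10 and blob[off + 3] in b"123456789"
            and blob[off + 4:off + 10] == b"\x31\x41\x59\x26\x53\x59")


def _check_cpio(blob, off):
    # newc header: magic followed by 13 fixed-width 8-char hex fields
    fields = blob[off + 6:off + 6 + 8 * 13]
    return len(fields) == 104 and all(c in b"0123456789abcdefABCDEF" for c in fields)


def _check_bootimg(blob, off):
    # Android boot image header: page_size is the u32 at +36
    if len(blob) < off + 40:
        return False
    return struct.unpack_from("<I", blob, off + 36)[0] in (2048, 4096, 8192, 16384)


def _check_zimage(blob, off):
    # ARM zImage: magic 0x016f2818 at +0x24 of the image, then load start/end addresses
    if off < 0x24 or len(blob) < off + 12:
        return False
    start, end = struct.unpack_from("<II", blob, off + 4)
    return end > start


# (name, magic bytes, offset of the magic inside the object, validator or None)
SIGNATURES = [
    ("gzip",            b"\x1f\x8b\x08",     0,    _check_gzip),
    ("zlib",            b"\x78\x9c",         0,    _check_zlib),   # default-level header; 78 01 / 78 da also occur
    ("bzip2",           b"BZh",              0,    _check_bzip2),
    ("xz",              b"\xfd7zXZ\x00",     0,    None),
    ("cpio newc",       b"070701",           0,    _check_cpio),
    ("android bootimg", b"ANDROID!",         0,    _check_bootimg),
    ("arm zImage",      b"\x18\x28\x6f\x01", 0x24, _check_zimage),
]


def scan(blob):
    """Return a sorted list of (object_offset, name, confirmed) for every candidate magic."""
    hits = []
    for name, magic, magic_off, check in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            base = pos - magic_off
            if base >= 0:
                confirmed = True if check is None else check(blob, pos)
                hits.append((base, name, confirmed))
            pos = blob.find(magic, pos + 1)
    hits.sort()
    return hits


def build_sample():
    """Constructed blob: gzip'd cpio, a zlib stream, a bogus gzip magic, a zImage stub, raw cpio."""
    cpio = b"070701" + b"00000000" * 13 + b"TRAILER!!!\x00"
    gz = gzip.compress(cpio, mtime=0)
    z = zlib.compress(b"ramdisk contents " * 8)
    bogus = b"\x1f\x8b\x08\xff\xff\xff\xff"  # gzip magic with reserved FLG bits set: will not inflate
    zimage = (b"\x00" * 0x24 + b"\x18\x28\x6f\x01"
              + struct.pack("<II", 0x8000, 0x9000) + b"\x00" * 8)
    labels = ["pad", "gzip", "pad", "zlib", "pad", "bogus gzip", "pad", "arm zImage", "cpio newc"]
    parts = [b"\x00" * 64, gz, b"\xff" * 16, z, b"\x00" * 8, bogus, b"\x00" * 16, zimage, cpio]
    expected, off = {}, 0
    for label, part in zip(labels, parts):
        if label != "pad":
            expected[label] = off
        off += len(part)
    return b"".join(parts), expected


if __name__ == "__main__":
    blob, _ = build_sample()
    for off, name, ok in scan(blob):
        print(f"0x{off:08x}  {name:16s}  {'confirmed' if ok else 'unconfirmed'}")
```

Run it against a real payload with `scan(open("zImage_Ramdisk.mbn", "rb").read())`; a candidate that never reaches "confirmed" is exactly the situation Update 4 describes, and the absence of any hit at all points at a format not in the table (or an unpacked filesystem such as yaffs2, which has no single leading magic).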
20th November 2009, 03:26 AM |#5  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Not much progress today. It's been a while since I booted in to Linux, and I had a tonne of updates to apply, and then I had to recompile my kernel to support the yaffs2 filesystem.
I think I have the file decompressed and it's now a yaffs2 fs ready to mount. It has a MBN extension, but I think it's just a binary blob that would normally be written to flash. I hope I'll be able to either mount it directly as a loopback yaffs2, or mount it indirectly as yaffs2 via a MTD emulator.
If I can't mount it I'm going to need something to pull the filesystem out of the MBN. Should be interesting either way.
20th November 2009, 09:10 AM |#6  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Question MBN headaches
Well,
I got my kernel recompiled, and yaffs is working. That, unfortunately, is the extent of my success.

I cannot mount the System.mbn file as a yaffs2 volume via loopback. Can't seem to find any info on the format of that file, or any tools to extract data from it. Ugh.

Can anyone shed some light, or point me in the right direction?
Do I need to use a virtual MTD and 'burn' the MBN to it, and then mount the /dev/mtd/mtd1 as yaffs2? That's what my instinct is telling me at this point, but that's just a stab in the dark really.
20th November 2009, 03:50 PM |#7  
surfdev's Avatar
Member
Thanks Meter: 4
 
Thanks for keeping us posted about your progress! Although nobody else is posting in this thread, I am sure there are many of us keeping an eye on it. (like me!)
I already have the device and know for sure that this beast has SO much potential once rooted!

I'll keep my fingers crossed and you keep up the good work
20th November 2009, 09:57 PM |#8  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Ohoh!
I just found out that the G1 requires a signed file before it'll burn the new rom. If the LG utility wants something similar before it'll burn the image I'm creating then this method may be out of reach. I'm going to keep trying and at least get the rom ready to burn. Can't hurt to try, right?

I'll continue to keep y'all posted as I progress.

Thanks for the encouragement Surfdev!
21st November 2009, 03:03 AM |#9  
Junior Member
Thanks Meter: 0
 
Like Surfdev said, I am also watching this thread and would like to thank you for the updates. If you do end up accomplishing this task, would it be possible for you to make an easier way of updating the phone? As I am not that computer illiterate.

Thanks a lot
21st November 2009, 03:18 AM |#10  
OP Senior Member
Flag Toronto, ON
Thanks Meter: 50
 
Of course! If I manage to crack the firmware I'll make it available online.

Some good news - I found out how to get in to emergency mode - which I think is fastboot mode. Take the battery out, hold down 1, put the battery back in, and then hit power while still holding down 1. Yay!

I also have an MTD (flash) emulator running, and have tried to copy the MBN to it, but the file is the wrong size. I think I need to extract the filesystem from system.mbn, but none of the tools I've seen work. Ugh. I really need to hunt down some specs for this filetype.
21st November 2009, 03:34 AM |#11  
madmack's Avatar
Senior Member
Flag Boston, MA
Thanks Meter: 4,768
 
Just wanted to say that I'm also watching this thread very closely.

God speed Zacpod ! Thanks for your "blog-like" posts.

Ah, the possibilities of having this phone rooted..
Tags
lg gw620, rogers, root access
