How to modify Anti Rollback ARB version in a TOT file?

steadfasterX

Recognized Developer
Nov 13, 2013
> Thanks sir. And what about editing the ARB version or anything else in the rooted system image .IMG file? Will the signature hurdle be encountered here as well, or not?
Check my post here: http://tinyurl.com/antirollg4

If you go through the details at the beginning and follow the links you may understand better.

In short: the ARB is implemented in the bootloader, and to be more clear, in the certificates within. There is 100% no chance to change this other than when you break the signature algo or find a bug in the implementation.




Sent from my LG-H815 using XDA Labs

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> Check my post here: http://tinyurl.com/antirollg4
>
> If you go through the details at the beginning and follow the links you may understand better.
>
> In short: the ARB is implemented in the bootloader, and to be more clear, in the certificates within. There is 100% no chance to change this other than when you break the signature algo or find a bug in the implementation.
Okay sir. But I am really sorry to take up your precious time; actually what I am trying to do is to change (via a hex editor) the echo value from 1 to 0 wherever the following instances occur in the rooted system image .IMG files:
/sys/devices/system/cpu/cpu5/online
/sys/devices/system/cpu/cpu6/online
/sys/devices/system/cpu/cpu7/online
This is in the spirit of disabling the two big cores.

But I have the following questions regarding this:
1. Would the IMG file still be valid and correctly flashable after changing the above mentioned values from 1 to 0?
2. Would the changes be effective only after the phone has booted into the OS or... from the powering-on of the phone and onwards?
3. What is "cpu7" in IMG files, while the G4 is only hexa-core (i.e. cpu1 to cpu6)?
 

steadfasterX

Recognized Developer
Nov 13, 2013
> Okay sir. But I am really sorry to take up your precious time; actually what I am trying to do is to change (via a hex editor) the echo value from 1 to 0 wherever the following instances occur in the rooted system image .IMG files:
> /sys/devices/system/cpu/cpu5/online
> /sys/devices/system/cpu/cpu6/online
> /sys/devices/system/cpu/cpu7/online
> This is in the spirit of disabling the two big cores.
>
> But I have the following questions regarding this:
> 1. Would the IMG file still be valid and correctly flashable after changing the above mentioned values from 1 to 0?
> 2. Would the changes be effective only after the phone has booted into the OS or... from the powering-on of the phone and onwards?
> 3. What is "cpu7" in IMG files, while the G4 is only hexa-core (i.e. cpu1 to cpu6)?
sys files are created and changed on boot; you can't change them in the system image even if they were there. Those are created and changed in the ramdisk, which is part of the boot image.

You can't change the boot image, as this makes the signature invalid.

You can change the system image, especially on LL when rooted. Here you can implement the disabling of the cores, e.g. as an init script, but it will have an effect only after boot.
The boot process will still use all CPU cores.

You have no cpu7 on a G4. The reason is that it starts counting from 0. cpu0 to cpu3 are the first 4 CPUs.

There is success reported with many devices installing the unofficial official v29 beta for Nougat. This beta contains, at least for the boot, the disabling of the big cores, but I don't know if your device model is supported by it or not; check it, maybe.





Sent from my LG-H815 using XDA Labs
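An added example, not code from the thread, of what steadfasterX describes: a post-boot init script that takes the two Cortex-A57 cores (cpu4 and cpu5 on the G4, per the thread) offline through the sysfs online nodes, and that skips cores the SoC does not have, so a leftover cpu6 or cpu7 reference from another device's scripts only produces a warning. The SYSFS_CPU override and the --apply flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: take the two Cortex-A57 cores of the
# G4 (cpu4 and cpu5, per the thread) offline from a post-boot init script.
# The /sys nodes only exist once the kernel is running, so this has no effect
# on the boot process itself, which still uses every core.
# SYSFS_CPU is an assumed override so the functions can be tried on a
# constructed directory tree instead of the live sysfs.

SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# present_cpus ROOT: print the numbers of the cores that actually exist, one
# per line, in numeric order (0..5 on the Snapdragon 808).
present_cpus() {
    root="$1"
    for d in "$root"/cpu[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/cpu}"
    done | sort -n
}

# offline_cpus ROOT N...: write 0 to ROOT/cpuN/online for each listed core.
# A core that does not exist (e.g. a cpu7 copied over from another device's
# scripts) is reported on stderr and skipped rather than aborting the run.
# Prints the number of cores that were actually taken offline.
offline_cpus() {
    root="$1"; shift
    count=0
    for n in "$@"; do
        node="$root/cpu$n/online"
        if [ ! -e "$node" ]; then
            echo "cpu$n: no such core under $root, skipping" >&2
            continue
        fi
        if echo 0 > "$node"; then
            count=$((count + 1))
        else
            echo "cpu$n: failed to write $node (not root?)" >&2
        fi
    done
    echo "$count"
}

# Only touch the real sysfs when explicitly asked (needs root on the device).
if [ "${1:-}" = "--apply" ]; then
    echo "cores present: $(present_cpus "$SYSFS_CPU" | tr '\n' ' ')"
    n=$(offline_cpus "$SYSFS_CPU" 4 5)
    echo "took $n core(s) offline"
fi
```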

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> sys files are created and changed on boot; you can't change them in the system image even if they were there. Those are created and changed in the ramdisk, which is part of the boot image.
>
> You can't change the boot image, as this makes the signature invalid.
>
> You can change the system image, especially on LL when rooted. Here you can implement the disabling of the cores, e.g. as an init script, but it will have an effect only after boot.
> The boot process will still use all CPU cores.
>
> You have no cpu7 on a G4. The reason is that it starts counting from 0. cpu0 to cpu3 are the first 4 CPUs.
>
> There is success reported with many devices installing the unofficial official v29 beta for Nougat. This beta contains, at least for the boot, the disabling of the big cores, but I don't know if your device model is supported by it or not; check it, maybe.
By LL I guess you mean LP (Lollipop).

In rooted system image IMG files as well as in the TOT files, there is a mention of seven CPUs, from cpu1 through cpu7. And this cpu7 is always mentioned along with cpu5 and cpu6 under the comment of A57 cores, while the rest four are A53 cores. So I wonder what this cpu7 really denotes on a hexa-core processor!

I also have an H815 (international variant) and am using the Nougat A29a ROM from here. And I have flashed the Titan kernel with no big cores over it, from the same developer. I recovered this phone from a bootloop by initially flashing the 4MB ILAPO FIX TOT file with LGUP. But the traditional TWRP from the official TWRP website is working fine for me. I didn't have to use the custom TWRP that doesn't use the two big cores.

Anyways. Thanks a lot for all your time and support.
 

steadfasterX

Recognized Developer
Nov 13, 2013
> By LL I guess you mean LP (Lollipop).
>
> In rooted system image IMG files as well as in the TOT files, there is a mention of seven CPUs, from cpu1 through cpu7. And this cpu7 is always mentioned along with cpu5 and cpu6 under the comment of A57 cores, while the rest four are A53 cores. So I wonder what this cpu7 really denotes on a hexa-core processor!
>
> I also have an H815 (international variant) and am using the Nougat A29a ROM from here. And I have flashed the Titan kernel with no big cores over it, from the same developer. I recovered this phone from a bootloop by initially flashing the 4MB ILAPO FIX TOT file with LGUP. But the traditional TWRP from the official TWRP website is working fine for me. I didn't have to use the custom TWRP that doesn't use the two big cores.
>
> Anyways. Thanks a lot for all your time and support.
There is no cpu7, not even a cpu6. The thing is, you have to distinguish between what happens on the OS side and what on the app side.
Some apps like Kernel Adiutor start to count from 1 instead, but in the background it's still 0..5.

SoC: Qualcomm Snapdragon 808 MSM8992
CPU: 2x 1.8 GHz ARM Cortex-A57, 4x 1.44 GHz ARM Cortex-A53, Cores: 6

0-3 are A53
4-5 are A57







Sent from my LG-H815 using XDA Labs
 

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> There is no cpu7, not even a cpu6. The thing is, you have to distinguish between what happens on the OS side and what on the app side.
> Some apps like Kernel Adiutor start to count from 1 instead, but in the background it's still 0..5.
>
> SoC: Qualcomm Snapdragon 808 MSM8992
> CPU: 2x 1.8 GHz ARM Cortex-A57, 4x 1.44 GHz ARM Cortex-A53, Cores: 6
>
> 0-3 are A53
> 4-5 are A57
Actually the file /etc/dir/init.qcom.post_boot.sh does contain mentions of only six cores, from cpu0 through cpu5. However, all the IMG and TOT files contain mentions of seven cores, from cpu1 through cpu7.

The first screenshot shows one such mention of all seven cores, as highlighted in it. The second screenshot shows the mention of cpu5, cpu6 and cpu7 under A57 cores, which shows that cpu7 is also treated as a big core. That's why I was asking what this seventh core means in a hexa-core device.
 

steadfasterX

Recognized Developer
Nov 13, 2013
> Actually the file /etc/dir/init.qcom.post_boot.sh does contain mentions of only six cores, from cpu0 through cpu5. However, all the IMG and TOT files contain mentions of seven cores, from cpu1 through cpu7.
>
> The first screenshot shows one such mention of all seven cores, as highlighted in it. The second screenshot shows the mention of cpu5, cpu6 and cpu7 under A57 cores, which shows that cpu7 is also treated as a big core. That's why I was asking what this seventh core means in a hexa-core device.
It's there, but it's useless.

Mount the system image instead of using a hex editor, then grep the files like this:

grep -r cpu7 /path/

I can't verify this atm as I'm on vacation, but I strongly believe this is just a leftover from another device made by LG. Keep in mind that developers are lazy and so they copy things, which is ok, but this also means they may copy too much without verifying. Actually this doesn't harm anything in this case (if cpu6 or 7 are not there an error is thrown and maybe shown in dmesg, but that's all), so they may just not care.



rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> 100% no, this is not possible. Change a single bit and the signatures get invalid, which will brick your device.
I tried flashing my H815 with the H810 10o TOT file using LGUP. It gave out the invalid file error, as expected. Then I modified the mentioned H810 10o TOT file by replacing all occurrences of H810 with H815 and flashed it on the H815 using LGUP. The phone got bricked, as also expected, and became dead. No display, no download mode.

Then when I long pressed the power and volume down buttons together, the phone got detected as QFUSE in Device Manager, but it happened only once.

Now when I long press the power and volume down buttons, the phone always vibrates but remains undetected.

I have tried this memory card unbrick method, as well as installing the Qualcomm drivers after uninstalling all phone drivers using this guide, but same status.

Any other unbrick guide that may work?
 

steadfasterX

Recognized Developer
Nov 13, 2013
> I tried flashing my H815 with the H810 10o TOT file using LGUP. It gave out the invalid file error, as expected. Then I modified the mentioned H810 10o TOT file by replacing all occurrences of H810 with H815 and flashed it on the H815 using LGUP. The phone got bricked, as also expected, and became dead. No display, no download mode.
>
> Then when I long pressed the power and volume down buttons together, the phone got detected as QFUSE in Device Manager, but it happened only once.
>
> Now when I long press the power and volume down buttons, the phone always vibrates but remains undetected.
>
> I have tried this memory card unbrick method, as well as installing the Qualcomm drivers after uninstalling all phone drivers using this guide, but same status.
>
> Any other unbrick guide that may work?
OK, you hard bricked (hard, not hard-hard, which means you can recover).
You can recover from that hard brick by using QFIL and the RIGHT files (beware of the dragons!).

Download & install QPST: https://www.androidfilehost.com/?fid=673368273298970431
Download & install QPST drivers: https://www.androidfilehost.com/?fid=673368273298970430
Download & extract the H815 QFIL recovery files: https://www.androidfilehost.com/?fid=745425885120762427

  1. Start QFIL.exe within the Qualcomm QPST installation folder
  2. Select Build Type: > Flat <
  3. Browse to > prog_emmc_firehose_8992_lite.mbn <
  4. Click the Load XML button and select: > rawprogram0.xml <
  5. then: > patch0.xml <
  6. Take a deep breath......
  7. Click > Download <
Wait until it finishes. Unplug USB, remove the battery, put the battery back and go into download mode for a full recovery by flashing an H815 KDZ.

sfX
 

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> OK, you hard bricked (hard, not hard-hard, which means you can recover).
> You can recover from that hard brick by using QFIL and the RIGHT files (beware of the dragons!).
>
> Download & install QPST: https://www.androidfilehost.com/?fid=673368273298970431
> Download & install QPST drivers: https://www.androidfilehost.com/?fid=673368273298970430
> Download & extract the H815 QFIL recovery files: https://www.androidfilehost.com/?fid=745425885120762427
>
>   1. Start QFIL.exe within the Qualcomm QPST installation folder
>   2. Select Build Type: > Flat <
>   3. Browse to > prog_emmc_firehose_8992_lite.mbn <
>   4. Click the Load XML button and select: > rawprogram0.xml <
>   5. then: > patch0.xml <
>   6. Take a deep breath......
>   7. Click > Download <
> Wait until it finishes. Unplug USB, remove the battery, put the battery back and go into download mode for a full recovery by flashing an H815 KDZ.
>
> sfX
Awesome. There is some progress. The screenshot shows that my phone is properly connected in QDLoader 9008 mode, but QFIL during the flash process gives the error that the phone is not in FireHose mode. Any ideas?
 


steadfasterX

Recognized Developer
Nov 13, 2013
> Awesome. There is some progress. The screenshot shows that my phone is properly connected in QDLoader 9008 mode, but QFIL during the flash process gives the error that the phone is not in FireHose mode. Any ideas?
Well.. yeah, the 9008 mode is a PITA. The thing is, 9008 is not 9008.. plus that mode is very sensitive, meaning you need to know some things:

Timing: when you wait too long (let's say 5 min or longer) the 9008 mode will stop working. The device still gets detected, but QFIL will not work.
So best is: prepare QFIL so you just need to click the Download button, and before actually doing so pull out the battery, unplug USB and plug it in again. Once detected in QFIL, press Download.
Usually you have at least 1 min or even more after the device brings up the 9008 mode, so no need to hurry that much, but if you wait too long it will fail.

Second: when you have used QFIL once you HAVE to reboot, because otherwise the firehose programmer will not fit into memory anymore and so it will fail as well.
Always start the 9008 mode fresh for every try.

Third: best is to pull out the battery and just plug in the USB cable. If your device is detected this way in QFIL: perfect! Do it like this, as this can be different from the result when the battery is in, and it's recommended to not have the battery in for the 9008 mode actions.

Fourth, last but not least: the only 100% way to bring up a 100% valid 9008 mode is by either erasing a partition (you can't do that atm) or by shorting 2 pins on the mainboard.
This will be the last option when all the above won't help you out.

(All the above is the result of a looooong trial & error process I've done during my unlocking attempts.)

sfX
 

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> Well.. yeah, the 9008 mode is a PITA. The thing is, 9008 is not 9008.. plus that mode is very sensitive, meaning you need to know some things: sfX
Thanks a lot for your detailed reply. My phone has stopped getting detected by the computer, as happened a few days ago as well. And no vibrations either. So I have left it with the battery removed. Will try it again after a few days. Maybe it starts getting detected again.
 

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
No success still...

> Well.. yeah, the 9008 mode is a PITA. The thing is, 9008 is not 9008.. plus that mode is very sensitive, meaning you need to know some things:
Since the phone was undetected for days, I kept it in the freezer for the night. And it has started getting detected in 9008 mode again :eek:. But I have tried flashing it while keeping in mind all the instructions, like connecting it without the battery and with the battery as well, and keeping QFIL ready and pressing the Download button as soon as the device gets detected, but I have received the same error that the phone is not in firehose mode.

The QFIL version you shared was 2.7 with build 425. I have also tried build 437 and got the following error (log attached herewith):
ERROR: OpenPort:4197 It took 160.07800000 seconds to open port. Which is longer than 3.000. This indicates your target is not stable

I also tried build 422, which gave out the same error of the phone not being in firehose mode even though I disconnected and connected it afresh. I think the phone is either not in pure 9008 mode (as you also said) or it enters the mode for a very short period of time, so that the QFIL flashing fails.

Any solutions now? :(
 


steadfasterX

Recognized Developer
Nov 13, 2013
> Since the phone was undetected for days, I kept it in the freezer for the night. And it has started getting detected in 9008 mode again :eek:. But I have tried flashing it while keeping in mind all the instructions, like connecting it without the battery and with the battery as well, and keeping QFIL ready and pressing the Download button as soon as the device gets detected, but I have received the same error that the phone is not in firehose mode.
>
> The QFIL version you shared was 2.7 with build 425. I have also tried build 437 and got the following error (log attached herewith):
> ERROR: OpenPort:4197 It took 160.07800000 seconds to open port. Which is longer than 3.000. This indicates your target is not stable
>
> I also tried build 422, which gave out the same error of the phone not being in firehose mode even though I disconnected and connected it afresh. I think the phone is either not in pure 9008 mode (as you also said) or it enters the mode for a very short period of time, so that the QFIL flashing fails.
>
> Any solutions now? :(
Then your device may be in the R.I.P. 9008 mode. Devices which have the mainboard issue go through several steps. The last one is being detected as 9008 only, without any chance to use QFIL anymore.

The only fix known is written in my bootloop fix-it list (see signature) and means replacing the mainboard or, for the advanced ones, doing some soldering.




Sent from my LG-H815 using XDA Labs

rizkhan999

Senior Member
Jul 19, 2017
Islamabad
> Then your device may be in the R.I.P. 9008 mode. Devices which have the mainboard issue go through several steps. The last one is being detected as 9008 only, without any chance to use QFIL anymore.
Yeah, that's possible. Because the phone is getting detected in 9008 only with the battery now, while without the battery it either gives the blank battery with ? indication, or sometimes the blue screen as well (similar to the G3's Blue Screen of Death).

> The only fix known is written in my bootloop fix-it list (see signature) and means replacing the mainboard or, for the advanced ones, doing some soldering.
Do you have any link to any such soldering tutorial? I can have it done by any hardware guy in the market.
 

steadfasterX

Recognized Developer
Nov 13, 2013
> Yeah, that's possible. Because the phone is getting detected in 9008 only with the battery now, while without the battery it either gives the blank battery with ? indication, or sometimes the blue screen as well (similar to the G3's Blue Screen of Death).
>
> Do you have any link to any such soldering tutorial? I can have it done by any hardware guy in the market.
I have updated my bootloop fix-it list. Scroll down to the Advanced disassemble method(s).




Sent from my LG-H815 using XDA Labs