LG G4 VS986 bootloader unlock (not steps)

Neco Carmello

Member
Jan 17, 2016
So I want to *try* unlocking the bootloader on an LG G4 VS986. My question is: how is bootloader unlocking done?
(Not steps to go through to do it; I've done it on an old LG I had a few years ago. But what's going on 'under the hood' when a phone's BL is unlocked? :confused:) I'm kinda hoping to learn a little from this. If I figure it out I'll post instructions. :)
 

TheMadScientist

Recognized Contributor
Mar 5, 2014
VT
There is no unlock. LG is the only one. It's not locked but encrypted with 256-bit encryption, unbrutable. The only way is to find a way to flash images that appear to be signed by LG. Kinda like Bump and Loki.
This has been explained a million times. But good luck.
 

Neco Carmello

Member
Jan 17, 2016
Thanks. At least I have a place to start. That sounds much less complicated than I thought it would be. How hard would it be to fake a signature to make the phone think it's an original LG (or Verizon) signature?
Or pretty much copy/paste a signature?
 

TheMadScientist

Recognized Contributor
Mar 5, 2014
VT
That's the million dollar question. As of right now no one has been able to do it.
If I'm not mistaken, how it works is: say you modify the boot image, the signature is broken.
And LG, and in my case Sprint, are the only ones who know it.
Me and countless others have been through weeks' worth of hex files. Modding and bricking, secure boot errors. The whole nine yards. Technically the pot for donations on a bootloader hack is still up for grabs.
 

Neco Carmello

Member
Jan 17, 2016
Did you mount the boot partition directly in Android or make a .img and mount that (in Android/Linux/Windows)?
And how did you do it?


P.S. On a related note: wouldn't it be theoretically possible to create a ROM without modifying the bootloader, e.g. port CyanogenMod using the original bootloader?
 

TheMadScientist

Recognized Contributor
Mar 5, 2014
VT
There are ROMs for the Sprint variant, even a few non-rooted ones, but all stock based. CM doesn't boot with the stock boot image.
I personally didn't try the steps you stated but I'm sure someone has. We had some killer devs at one point in time. Don't get me wrong, we still do, but most have given up on this project.
 

lowkeyst4tus

Senior Member
May 13, 2010
I have 2 good questions.. Has anyone tried the irreversible option of switching the fastboot partition over the recovery partition? From what I read, down & power boots fastboot after the swap, which we can use to fastboot boot fishtwrp.img (TWRP for locked BL).. Just a theory.. Or: I extracted the Genesis ROM. It supposedly flashes over any ROM from what it reads. The TOT only has the system.bin, primarygpt.bin (partition file) & some bin file I don't recognize.. In theory it only changes the system files for modified versions. Keeps boot and everything original. No root, but can we change the gpt.bin, build.prop and any other dependencies, then flash it safely over ls991zve or ls991zvf? I'm still extracting the files to dig deep and see what we can play with..
 

TheMadScientist

Recognized Contributor
Mar 5, 2014
VT
I am on ZV6 rooted. The best way I see as of now is the locked TWRP with EFIDroid ported in, to either dual boot into an unlocked setup from internal mem or ext SD. Fastboot on LS991, even ZV6, doesn't really acknowledge any fastboot commands other than reboot. Can't even get the identifier token. Been there.
 

steadfasterX

Recognized Developer
Nov 13, 2013
Lollipop boot chain
---------------------------------------------

Bootloader --> aboot (validated by bootloader) --> boot/kernel (validated by aboot) --> ROM (no validation)


Bootloader --> aboot (validated by bootloader) --> recovery (validated by aboot)


Marshmallow boot chain
------------------------------------------------

Bootloader --> aboot (validated by bootloader) --> boot/kernel (validated by aboot) --> ROM (validated by boot img!!! )

That means no root anymore since MM (Samsung is different because they had implemented the MM behaviour since 5.1.x).

Before MM it was possible to modify the system partition to gain root. This way you were able to get root even on a locked bootloader. This stops working, as you can see in the above boot chain illustration.



###################################


During my hacking tests regarding unlocking the G4 bootloader (aboot) I've seen no encryption anywhere. Only signed images. But keep in mind that this is totally enough to validate the boot chain!
There is no need for encryption.

The validation happens by signing, with a well-proven mechanism, the relevant content or even the whole image. If you find a way to break this in general you will become prominent worldwide in a second.

The only other chance is to find a vuln within the LG implementation, either of the signing or of the validating.

The best option for a hack is aboot, because here you could disable the validation to fully unlock. You would dump this partition and then disassemble it on your PC with e.g. IDA Pro, then try to hack.

The problem is that any modification will void the signature. So you need to find a way to exploit it: find a wrong implementation which can be used to work around further validation, or break the signature algo. And you need good C knowledge ;)

Good luck. :cool:


.




Sent from my LG-H815 using XDA Labs
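The boot-chain illustration in the post above can be made concrete with a small model. The following Go program is an added example written for this thread; it is not steadfasterX's code and not LG's or Android's real image format. It uses Ed25519 signatures (standing in for the vendor's RSA signing) and a public key embedded in the read-only bootloader as the trust anchor: the bootloader verifies aboot, aboot verifies boot, and a Marshmallow-style boot image additionally carries a SHA-256 of /system (a stand-in for dm-verity), which a Lollipop-style boot image lacks. Partition contents, the key pair, and the stage names are constructed for the example. It covers both chains from the post, and shows why a changed /system still boots under the Lollipop model but is rejected under the Marshmallow model, while a changed aboot or boot fails in both.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage is one stage the previous stage must validate before jumping to it.
type SignedImage struct {
	Content    []byte
	SystemHash []byte // set only on a Marshmallow-style boot image (hypothetical layout)
	Signature  []byte // vendor signature over Content || SystemHash
}

// signedBytes is the exact byte string the vendor signed and the verifier checks.
func (img SignedImage) signedBytes() []byte {
	return append(append([]byte{}, img.Content...), img.SystemHash...)
}

// Device models the partitions discussed in the thread. VendorPub stands for
// the trust anchor burned into the read-only bootloader.
type Device struct {
	VendorPub ed25519.PublicKey
	Aboot     SignedImage
	Boot      SignedImage
	System    []byte // the ROM / system partition
}

func sign(priv ed25519.PrivateKey, content, systemHash []byte) SignedImage {
	img := SignedImage{Content: content, SystemHash: systemHash}
	img.Signature = ed25519.Sign(priv, img.signedBytes())
	return img
}

// NewDevice builds a factory-state device. With marshmallow=true the boot image
// binds the system partition by hash; with false it does not (Lollipop model).
// All contents are constructed sample data.
func NewDevice(system []byte, marshmallow bool) Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	var sysHash []byte
	if marshmallow {
		h := sha256.Sum256(system)
		sysHash = h[:]
	}
	return Device{
		VendorPub: pub,
		Aboot:     sign(priv, []byte("aboot: verify boot.img, then jump"), nil),
		Boot:      sign(priv, []byte("kernel+ramdisk"), sysHash),
		System:    append([]byte{}, system...),
	}
}

// Verify walks the chain the way the stages do: bootloader checks aboot, aboot
// checks boot, and boot checks the ROM only when it carries a system hash.
// It returns the first stage that fails, or "" when the device would boot.
func Verify(d Device) string {
	if !ed25519.Verify(d.VendorPub, d.Aboot.signedBytes(), d.Aboot.Signature) {
		return "aboot"
	}
	if !ed25519.Verify(d.VendorPub, d.Boot.signedBytes(), d.Boot.Signature) {
		return "boot"
	}
	if d.Boot.SystemHash != nil {
		got := sha256.Sum256(d.System)
		if !bytes.Equal(got[:], d.Boot.SystemHash) {
			return "system"
		}
	}
	return ""
}

// Tamper returns a copy of d with one byte of the named partition changed,
// the smallest modification a root tool or a patched image would make.
func Tamper(d Device, partition string) Device {
	flip := func(b []byte) []byte {
		out := append([]byte{}, b...)
		out[0] ^= 0xff
		return out
	}
	switch partition {
	case "aboot":
		d.Aboot.Content = flip(d.Aboot.Content)
	case "boot":
		d.Boot.Content = flip(d.Boot.Content)
	case "system":
		d.System = flip(d.System)
	}
	return d
}

func main() {
	stock := []byte("stock /system contents (constructed)")
	for _, rel := range []struct {
		name string
		mm   bool
	}{{"Lollipop", false}, {"Marshmallow", true}} {
		d := NewDevice(stock, rel.mm)
		fmt.Printf("%-11s stock image: failed stage=%q\n", rel.name, Verify(d))
		for _, p := range []string{"system", "boot", "aboot"} {
			fmt.Printf("%-11s modified %-6s: failed stage=%q\n", rel.name, p, Verify(Tamper(d, p)))
		}
	}
}
```

The point the model makes is the one in the post: nothing here is encrypted, yet a signature over each stage plus a hash binding in the next stage is enough to reject any modified partition, and re-signing requires the vendor private key, which never leaves the vendor. The only difference between the two chains is whether the boot image binds /system.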
 

Neco Carmello

Member
Jan 17, 2016
Thanks :) that's perfect! I'm gonna try doing that in VirtualBox with all the partition .img files from my phone mounted and boot that way, just in case I brick it.

Edit: how do I mark this thread solved in the Android app?
 

Neco Carmello

Member
Jan 17, 2016
Actually........ (sorry if this is another repeated question)
You wrote

"Bootloader --> aboot (validated by bootloader) --> boot/kernel (validated by aboot) --> ROM (no validation)"

If aboot was modified to not verify the kernel, and then the bootloader was modified to not verify aboot, then there would be no verification being done, and this phone could boot pretty much anything compiled for it... right?

Also, if the internal storage (all of it, not just "internal SD") were somehow completely repartitioned (or all but boot, or boot and recovery, idk) and Linux installed, couldn't it boot?
 

steadfasterX

Recognized Developer
Nov 13, 2013
The trick is: you cannot modify the bootloader (easily). It is on a chip in the device and normally read-only. There will be a way to make it writeable but this requires a short-circuit somewhere on the mainboard afaik. Then normally you can't just write something on it; you have to use a special tool for this as well. But yes, if you can modify the bootloader to not verify aboot you have won as well.

Regarding your Linux question:
No. Changing partitions is not enough. You need a "trampoline" (a hook which executes your own boot code) for this. That's why I developed Android FIsH (see my signature)!! It was developed for, and works on, locked devices.

The current development direction is to boot either EFIDroid or MultiROM with FIsH. Would be great if you wanna join this approach ;)

With FIsH you could even boot Linux, btw..


.

Sent from my LG-H815 using XDA Labs
 

Neco Carmello

Member
Jan 17, 2016
I think I'll try FIsH, I'd love to have Arch Linux ARM on my phone... But can you post a link plz, I feel like if I try googling it I won't find anything close to it ;)

Also... Could FIsH allow me to multiboot Linux and Android (or maybe FIsH and MultiROM), or just multiple Android ROMs?


Edit: yup lmao, a search for "android fish" gave me nothing but games... And oddly enough the f.lux app, but that's it, so a link would be greatly appreciated :D
 

steadfasterX

Recognized Developer
Nov 13, 2013
LOL

Just read carefully all the stuff here

https://tinyurl.com/FISHatXDA

It should hopefully answer all your questions



Sent from my LG-H815 using XDA Labs
 

Neco Carmello

Member
Jan 17, 2016
Ok so I downloaded FIsH. Haven't compiled it or anything but I did skim through the install file. It looks like it might be a good "work around". I did notice the mount commands are a little off for this particular phone (I use [mount -o rw,remount ext4 /system] to mount /system as rw. Your commands have a little different syntax) so I'd have to tweak it a bit for this phone but that'll be fairly straightforward. I'ma look through the code to learn what's doing what and tweak it a little before compiling. Are there any instructions anywhere for compiling and installing it? I'm just scratching the surface with code and never really compiled myself (I've used frontends that do it for you but that's it really).
Once I have FIsH working I'll look into booting Arch Linux ARM with it.
 

steadfasterX

Recognized Developer
Nov 13, 2013
Really, have you read the whole thread? I mean it is all there, how it works and so on...
Not for compiling stuff, ok, but for the rest..

.

Sent from my LG-H815 using XDA Labs
 

Neco Carmello

Member
Jan 17, 2016
I've skimmed through it but I'm not doing anything just yet (just research). I'll read through it when I have the time.

Also, I just noticed my phone has the command "chattr". Is the bootloader on this thing some derivative of GRUB, or is it specific to Android (or LG/Verizon)?
 

steadfasterX

Recognized Developer
Nov 13, 2013
https://linux.die.net/man/1/chattr

I use it only for the immutable bit..

Sent from my LG-H815 using XDA Labs
 

happysmash27

New member
May 18, 2017
So did you get it to work safely?

I am stuck with this version of this phone and was wondering if it can indeed be safely rooted to install another ROM, when one becomes available. Is it possible?