LG GW620 Development/Kernel hacking (Have LG source mods + trying to get 2.0 working)

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Important: For all general posts, please use the forums at OpenEtna.com. PLEASE leave this thread clear for developers.

-Please try to keep this thread clear for discussions of the ongoing effort to get the 2.6.29 kernel + Android 2.0 working on this device. For all general questions please use the dedicated forums at AndroidNetwork.org. Thanks.

Update 13: Oct 12th 2010
Froyo is running on the Eve! Polytheus modded the kernel enough so that it would run, and the OpenEtna project has been started at Google code. Please check there for all updates! Great work everyone!!!

Update 12: Feb 4th 2010
  • Yahoo! LG is making 1.6 for the Eve - which will include kernel 2.6.29 - which will make it 1000x easier to port AOSP on to this beasty! Waiting patiently for 1.6 to be released this spring sometime. :D

Update 11: Jan 30th 2010
  • CyrilLD located the GW620's serial port. I've soldered a lead on to it and am trying to find its device name so we can have the kernel output debug messages to it at bootup. Hopefully this will let us see why the kernel isn't booting.
  • Enkoopa's request for the source for RILD (the radio daemon) from LG was denied. They can't give it out as it would violate their NDA with Qualcomm.

Update 10: Jan 14th 2010
  • After days of hard work a few of us managed to get the LG changes folded in to various flavours of the 2.6.29 kernel. I folded them in to the stock Android kernel, and CyrilLD folded them in to the CodeAura tree. Sadly, it doesn't want to boot right now. It just hangs at "Booting Linux..." and we're all frustrated.
  • Enkoopa has requested the source for RILD (the radio daemon) from LG, or at least a version of rild and libril compiled against 2.6.29.

Update 9: Jan 6th 2010
  • Happy New Year!!!
  • We now have the GW620's GPL source code in hand!
  • We can now move forward trying to get the kernel upgraded and running properly against Android 2.0. We're still going to have some fun getting the radio to work as the LG mods to the rild source are under the Apache licence and therefore haven't been released to us. We'll have to do some magic to get the existing rild working on whatever build we end up with. Any volunteer magicians?
  • I've made an Apps2SD image that seems to be fit for general consumption. You can read details about it waaay down in the posts here (somewhere around page 55) or at www.zacpod.com. It's pre-rooted and has some nifty features - including storing your apps on the sd card if you create an ext2 partition on it.
  • It's going to be an exciting few months as we work towards getting 2.0 running fully!

Update 8: Dec 29th 2009
  • The Wiki is growing nicely - has a lot more info in it now.
  • We've heard from LG and have gained access to their commercial collaboration site, but we still don't have access to the req'd kernel source
  • Progress has been slow over the holidays. The new year should bring some good things though - especially if LG comes thru with the source. :)

Update 7: Dec 20th 2009
  • We have a modified Nandroid for Eve that's working for backup/restore. See post 394 for the req'd files and instructions.
  • Radio in 2.0 is still failing, but Routehero is making progress
  • I'm trying to get the Audio subsystem and/or wifi running under 2.0
  • No word yet from LG about releasing the kernel sources as req'd under the GPL

Update 6: We're still working away at getting 2.0 working on this device.
  • Routehero is making steady progress getting 2.0 to boot on the stock kernel.
  • A few folks are communicating with LG with the hopes of getting LG to release their kernel changes for this device to Android Trunk
  • I'm working on getting a functional backup process in place so we don't have to keep reflashing to factory
  • enkoopa got a process sorted to install all the various drivers for windows
  • The wiki page is growing, though it doesn't yet contain all the juicy goodness from this thread.

Update 5: Success! Routehero figured out a way to root without reflashing anything! See the end of page 6 - Post #60 for the key (Thanks Routehero!!!) or my post near the top of page 11 for a step by step guide.

Update 4: The exploit path is closed for now, until a new 'sploit comes along to try. Meanwhile, we're working on breaking in to the boot image's ramdisk. If we can get in to that, make some changes, and then flash the resulting firmware to the phone we'll be in business. We're having some issues decompressing the ramdisk though - it seems LG didn't use gzip to compress the ramdisk. We need to figure out how it's compressed if we want to break this baby open this way.

Update 3: I got the PoC code compiling, but it looks like the Eve's kernel is protected against this exploit. :(

Update 2: Looks like my original idea is a dead end. I can't easily extract the yaffs2 filesystem from the MBN file, so I can't work on it to give default root. Even if I could, it turns out that production Android devices require the firmware image to be signed - something I wouldn't be able to do without LG's keys. Soooo, I'm heading down a different alley in to exploit territory. It looks like kernel exploit CVE-2009-3547 was discovered after the Eve's default firmware was released. I'm currently working on trying to get the proof-of-concept code for it compiling for Android. If I can get it running, and it works, then we'll have a root hack similar to the "Asroot2" program for the Dream.

Update: I have a flash file extracted, and am working on getting it mounted so I can mod it for root access. Once that's done, I'll need to repack the files and get the resulting file flashed on to the phone. I'll keep updating this as I progress. Eventually, and ideally, I'd like to have a rooted Android 2.0 running on this device.

Original message:
Hiya Folks,
I'm looking for some advice about where to start trying to root this phone.

I've been trying to get in to recovery mode, but am not having much luck. I've tried powering on with home, back, menu, volume up, volume down, and camera keys held down. Menu booted me in to safe mode, but nothing else seems to have any effect.

I'm VERY computer literate, and am comfortable compiling a custom firmware. I've played with OpenWRT extensively on my routers at home, but have never hacked around on phones before.

I'd love to root this beasty, and hopefully get 'droid 2.0 on to it, but am beginning to think that I might be stuck with 1.5.

I'm still within the first 15 days of my contract, so I'm not afraid of bricking this thing as I can get it replaced easily.

Thanks in advance for any advice.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Progress so far

I still can't get this beasty to boot in to anything other than normal and safe modes.

I've tried the asroot2 method, but the process gets killed.

I've tried the Recovery Flasher tool. It identifies my device as an EBIO/32B but fails with a "Backup FAILED: Could not run command" error.

I think the Recovery Flasher uses asroot2, and this is a pretty new device, so no surprise that they've fixed that hole.

I tried using "adb root" but it won't run as root on a production device.

I tried using "adb reboot bootloader" and "adb reboot recovery" and they both fail with something along the lines of "Command stopped"

Not sure what else to try. I may have to resort to rebooting the thing and holding down a different key every time. Ugh.

Anyone have any advice or pointers?
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
A little more progress:

I don't know enough about hacking to break in to root on the phone, so I'm now trying a different tactic. I've found a firmware .kdz file and am working on extracting the filesystem from that. If I can get the filesystem mounted on a Linux box I can make the required modifications to allow root access to work. Then I just need to repack the firmware back in to a kdz, and fiddle with the LG update process to force it to use my firmware instead of the one it downloads. Fingers crossed!

So far, I have extracted the kdz and have the resulting dll and dz.
However, I'm not able to extract the dz. I get the first few files and then it bails as below.
Code:
C:\Users\Zac\Desktop\DZExtract>DZExtract.exe GW620R.dz
DZExtract v0.2 by jp

Header informations
--------------------------------------------------------------------------------

  Checking magic code.............................Ok (MSTXMETX)
  Checking hash...................................Ok (E88C-6D55-CA9A-6E41-CAF9-2
36F-BCD6-F6AD)
  Phone model.....................................GW620R
  ROM name........................................V10c
  Chip model......................................MSM7200
  OS name.........................................kuvic0611
  Internal filename...............................GW620RAT-01-V10c-302-72-OCT-21
-2009-RGS-CA+0-DZ.dz

C:\Users\Zac\Desktop\DZExtract>DZExtract.exe -x GW620R.dz dz
DZExtract v0.2 by jp

Extracting subfiles...
--------------------------------------------------------------------------------

Reading sub-header @0x13c
  Checking magic number...........................Ok
  Checking hash...................................Ok (779D-3AF8-DE8A-57F9-04BC-2
093-441A-CAB0)
  Extracting 'amss.mbn' (8717 kb).................Ok
  Inflating...
Unhandled Exception: System.BadImageFormatException: An attempt was made to load
 a program with an incorrect format. (Exception from HRESULT: 0x8007000B)
   at DZExtract.ZLib.gzopen(String path, String mode)
   at DZExtract.DZFile.Inflate(String srcPath, String srcDest, Byte[] md5Hash)
   at DZExtract.DZFile.ExtractSubFile(FileStream hFile, Int64 nPosition)
   at DZExtract.DZFile.ExtractContent(String sOutputDir)
   at DZExtract.Program.Main(String[] args)
It may be because I'm running dzextract on a 64 bit win7 box. I may have to try to find an old 32 bit WinXP junker to see if it fares any better.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Yep, it's because it was running on 64 bit. I ran the extract on a 32 bit terminal server at work, and now I have a nice chunk of flash files. Next up is getting the one I need to mod mounted on a linux box - but I'll leave that for tomorrow. :)
Here's the log of the extract, if anyone is interested.
Code:
C:\Documents and Settings\xxxxxxx\Desktop>DZExtract.exe -x GW620R.dz
DZExtract v0.2 by jp

Extracting subfiles...
--------------------------------------------------------------------------------

Reading sub-header @0x13c
  Checking magic number...........................Ok
  Checking hash...................................Ok (779D-3AF8-DE8A-57F9-04BC-2093-441A-CAB0)
  Extracting 'amss.mbn' (8717 kb).................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (09BD-F19B-5A5F-9318-8E09-3433-802C-2147)
--------------------------------------------------------------------------------

Reading sub-header @0x883846
  Checking magic number...........................Ok
  Checking hash...................................Ok (2956-B022-40A3-2CD7-8D3B-2E2A-0A6D-A93E)
  Extracting 'partition.mbn' (0 kb)...............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (E292-7080-307E-BB0C-2FF4-3F79-3D31-8492)
--------------------------------------------------------------------------------

Reading sub-header @0x8839e7
  Checking magic number...........................Ok
  Checking hash...................................Ok (CCA4-E7AB-288B-A566-654C-E7DC-CAC8-7065)
  Extracting 'qcsblhd_cfgdata.mbn' (0 kb).........Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (1AC2-9240-DCFE-6BC3-A97D-1982-395D-A261)
--------------------------------------------------------------------------------

Reading sub-header @0x883e1d
  Checking magic number...........................Ok
  Checking hash...................................Ok (E443-9E6E-6405-E900-4AEC-25D6-73EC-9176)
  Extracting 'qcsbl.mbn' (32 kb)..................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (422B-0D5B-6FBF-9B5F-344F-ADC7-4DD5-399B)
--------------------------------------------------------------------------------

Reading sub-header @0x88bfa8
  Checking magic number...........................Ok
  Checking hash...................................Ok (EE96-6604-A9B4-C510-4AC6-23EA-0420-7310)
  Extracting 'oemsblhd.mbn' (0 kb)................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (97B7-3AE9-E699-66D2-11AE-239A-0442-1482)
--------------------------------------------------------------------------------

Reading sub-header @0x88c092
  Checking magic number...........................Ok
  Checking hash...................................Ok (1251-FB46-F52A-A135-EA4F-6587-D4CB-8BC4)
  Extracting 'oemsbl.mbn' (150 kb)................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (9266-D1A5-E903-4DA9-D4FD-FD82-DBE6-F0E6)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1a3d
  Checking magic number...........................Ok
  Checking hash...................................Ok (A2DE-B04A-D432-5A41-D172-6516-F19C-976F)
  Extracting 'amsshd.mbn' (0 kb)..................Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (8B5F-6543-042E-D21B-FABC-75C8-806E-1AB9)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1b28
  Checking magic number...........................Ok
  Checking hash...................................Ok (C803-0584-0556-CBB6-D84E-9E92-37E0-6DF6)
  Extracting 'appsboothd.mbn' (0 kb)..............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (46D7-EDE5-E2E6-8DCA-935F-0861-AE04-83EF)
--------------------------------------------------------------------------------

Reading sub-header @0x8b1c0f
  Checking magic number...........................Ok
  Checking hash...................................Ok (D524-7715-2D8F-E19E-D7EF-ED94-EE1F-AA34)
  Extracting 'appsboot.mbn' (215 kb)..............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (B0A6-3E4F-F285-D9F3-2611-FF3F-9F6C-0925)
--------------------------------------------------------------------------------

Reading sub-header @0x8e7bd0
  Checking magic number...........................Ok
  Checking hash...................................Ok (81FF-6E9F-0DC0-FE9D-C9A5-E0FC-0C93-3EFE)
  Extracting 'zImage_Ramdisk.mbn' (2030 kb).......Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (84B3-A910-5C02-E0D0-6767-50DB-C627-569E)
--------------------------------------------------------------------------------

Reading sub-header @0xae3700
  Checking magic number...........................Ok
  Checking hash...................................Ok (0C8D-72E4-E649-5E84-9A4B-A34F-C555-36D6)
  Extracting 'System.mbn_0' (95089 kb)............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (54EB-94B0-7145-2142-6820-7D85-C7B0-040C)
--------------------------------------------------------------------------------

Reading sub-header @0x67bfe3f
  Checking magic number...........................Ok
  Checking hash...................................Ok (2DBB-3DDF-361D-6F98-F551-DDD7-F022-8A79)
  Extracting 'System.mbn_1' (12158 kb)............Ok
  Inflating.......................................Ok
  Checking subfile hash...........................Ok (1AAE-AE6E-CCCB-107D-AC4D-1EBA-DB64-8247)
--------------------------------------------------------------------------------

Reading sub-header @0x739f892
  Checking magic number...........................This is an offset table, skipping end of file

C:\Documents and Settings\xxxxxxx\Desktop>
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Not much progress today. It's been a while since I booted in to Linux, and I had a tonne of updates to apply, and then I had to recompile my kernel to support the yaffs2 filesystem.
I think I have the file decompressed and it's now a yaffs2 fs ready to mount. It has an MBN extension, but I think it's just a binary blob that would normally be written to flash. I hope I'll be able to either mount it directly as a loopback yaffs2, or mount it indirectly as yaffs2 via an MTD emulator.
If I can't mount it I'm going to need something to pull the filesystem out of the MBN. Should be interesting either way. :)
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
MBN headaches

Well,
I got my kernel recompiled, and yaffs is working. That, unfortunately, is the extent of my success.

I cannot mount the System.mbn file as a yaffs2 volume via loopback. Can't seem to find any info on the format of that file, or any tools to extract data from it. Ugh.

Can anyone shed some light, or point me in the right direction?
Do I need to use a virtual MTD and 'burn' the MBN to it, and then mount the /dev/mtd/mtd1 as yaffs2? That's what my instinct is telling me at this point, but that's just a stab in the dark really.
 

surfdev

Senior Member
Jan 19, 2009
51
4
0
Thanks for keeping us posted about your progress! Although nobody else is posting in this thread, I am sure there are many of us keeping an eye on it. (like me!)
I already have the device and know for sure that this beast has SO much potential once rooted!

I'll keep my fingers crossed and you keep up the good work :)
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Ohoh!
I just found out that the G1 requires a signed file before it'll burn the new ROM. If the LG utility wants something similar before it'll burn the image I'm creating then this method may be out of reach. I'm going to keep trying and at least get the ROM ready to burn. Can't hurt to try, right? :)

I'll continue to keep y'all posted as I progress.

Thanks for the encouragement Surfdev! :)
 

panesingh

Member
Nov 21, 2009
7
0
0
Like Surfdev said, I am also watching this thread and would like to thank you for the updates. If you do end up accomplishing this task, would it be possible for you to make an easier way of updating the phone? As I am not that computer illiterate.

Thanks a lot
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Of course! If I manage to crack the firmware I'll make it available online. :)

Some good news - I found out how to get in to emergency mode - which I think is fastboot mode. Take the battery out, hold down 1, put the battery back in, and then hit power while still holding down 1. Yay!

I also have an MTD (flash) emulator running, and have tried to copy the MBN to it, but the file is the wrong size. I think I need to extract the filesystem from system.mbn, but none of the tools I've seen work. Ugh. I really need to hunt down some specs for this filetype.
 

madmack

Senior Member
Dec 23, 2008
3,696
4,751
263
Boston, MA
Just wanted to say that I'm also watching this thread very closely.

God speed Zacpod ! Thanks for your "blog-like" posts.

Ah, the possibilities of having this phone rooted.. :D
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Oh, the hidden menu is neat! Doesn't look like there's too much in there that'll help me, but it'll be good for testing stuff. Thanks! :)

I'm still trying to find out how to extract the yaffs2 file structure from the MBN. I've found a few tools for extracting filesystems from MBNs, but they all seem to be for WinMob devices and are therefore looking for a fat/fat32 filesystem. It's looking more and more like I'm going to have to code up a custom extractor but I need info on the format before I can start that.
I may be able to start with something simple - if I can figure out what the start of a yaffs2 is on an MTD looks like I may be able to scan the MBN for that, and extract from there. That, however, will be a one-way operation. I'll need the full specs on the MBN format before I can write something that would pack the filesystem back in to a file that the LG utility will flash on to the device.

I've also started looking at an exploit that I'm not sure has been tried from the console yet.
CVE-2009-3547 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3547) can give local root access, and was discovered after the Eve's firmware was produced, so it may not be patched. I found some proof-of-concept code online and will probably spend a few cycles seeing if I can get it to compile under the android sdk. If it works, that would be way easier than my original approach given the lack of information/tools for extracting and repackaging the files.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Been working on getting the CVE-2009-3547 exploit compiled for Android.
I have a cross compiling environment set up, and have been able to compile some simple programs that run from the Android console, but the exploit proof of concept code uses some inline x86 assembler, and I have almost no idea how to convert that to ARM code. I know a little x86 assembly, but the last time I did any real coding in assembly was on a Commodore 64 with 6502 assembly. I've never played with ARM machine code before, so this is going to be interesting. I may just have to see if I can convert it to C.

Here's the code in question if anyone who knows arm assembly wants to help. :)
Code:
static inline void *get_4kstack_top()
{
        void *stack;

        __asm__ __volatile__ (
        "movl $0xfffff000,%%eax ;"
        "andl %%esp, %%eax ;"
        "movl %%eax, %0 ;"
        : "=r" (stack)
        );
        return stack;
}

static inline void *get_8kstack_top()
{
        void *stack;

        __asm__ __volatile__ (
        "movl $0xffffe000,%%eax ;"
        "andl %%esp, %%eax ;"
        "movl %%eax, %0 ;"
        : "=r" (stack)
        );
        return stack;
}
As near as I can tell the code allocates a 4k or 8k stack. I tried commenting out the assembly and just letting the program use the stack as-is. but it segfaulted almost immediately. Can't say I was too surprised. ;)
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Actually - looking at the x86 code it looks like it's just taking the stack pointer, cutting it so it's at a 4k or 8k address boundary, and returning the result.

Could I not do the same thing in C with something along the lines of:

Code:
void *get_4kstack_top()
{
  int local_vars_are_stored_on_the_stack;
  /* Bitwise & (not logical &&) clears the low bits; the address is cast to an
   * integer first because C does not allow masking a pointer directly.
   * 0xfffff000 is the 4k mask used by the original asm; 0xffffe000 would be
   * the 8k one. */
  return (void *)((unsigned long)&local_vars_are_stored_on_the_stack & 0xfffff000);
}
Since local variables are stored on the stack, this should give us the same thing as the x86 assembly, and probably only be a few cycles slower...
At least I think local vars are stored on the stack - it's been a while since I've had to know stuff like that, lol.

I'm going to try this. I'll let y'all know what happens.
 
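The masking idea discussed in the post above, written out as an added example (this is not the author's code, nor the proof-of-concept's): rounding the address of a stack local down to the start of the 4 KiB or 8 KiB region that contains it, in portable C that needs no inline assembly. The helper names (align_down, current_stack_region_base, is_aligned) are assumed for this illustration. On a 32-bit ARM target the computed mask equals the 0xfffff000 / 0xffffe000 constants from the x86 snippet; on a 64-bit host it simply widens, which is the advantage of deriving the mask from the region size instead of hard-coding it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Round an address down to the start of the power-of-two region
 * (4 KiB or 8 KiB here) that contains it. This is the same arithmetic
 * as the x86 "andl $0xfffff000, %esp" idiom, expressed in C so that it
 * compiles for ARM or any other target without inline assembly.
 * region_size must be a power of two for the mask trick to hold. */
uintptr_t align_down(uintptr_t addr, size_t region_size)
{
    return addr & ~((uintptr_t)region_size - 1);
}

/* Assumed helper: a local variable lives on the current stack, so masking
 * its address yields the base of the region the stack pointer sits in.
 * volatile keeps the compiler from optimising the local away. */
uintptr_t current_stack_region_base(size_t region_size)
{
    volatile int marker = 0;
    return align_down((uintptr_t)&marker, region_size);
}

/* Assumed helper: true when addr is a multiple of region_size. */
int is_aligned(uintptr_t addr, size_t region_size)
{
    return (addr & ((uintptr_t)region_size - 1)) == 0;
}

int main(void)
{
    uintptr_t base4k = current_stack_region_base(4096);
    uintptr_t base8k = current_stack_region_base(8192);
    printf("4 KiB region base: 0x%lx\n", (unsigned long)base4k);
    printf("8 KiB region base: 0x%lx\n", (unsigned long)base8k);
    return 0;
}
```

Note that the original snippet's mistake was using the logical `&&` operator and an assembler-style `$0x...` literal; in C the pointer must be converted to an integer type (uintptr_t) before the bitwise `&` is applied.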

abatrour

Guest
I found another way to get into emergency mode if you are interested.

After installing a 3rd party app for SMS, I went into the settings for the default SMS app and disabled everything.

Afterwards my phone crashed and asked if I wanted to perform a ramdump or go into emergency mode.
 

Grank

Senior Member
Nov 25, 2009
88
0
0
Just wanted to say, thanks for all your work on this so far! I'm as interested as everyone else in this thread seems to be in rooting this phone.
There's got to be a way... Keep trying!
I'm not much of a linux power-user (I'm a .NET developer; my experience in this stuff is limited to pre-built OpenWRT images) but I would love to help in any way I can.
 

Zacpod

Senior Member
Nov 17, 2009
321
50
0
Toronto, ON
Thanks, but unless someone has any other ideas I think I'm at the end of my attempt. I'm keeping an eye out for other exploits that would be valid against this version of the kernel, but so far it looks like it's just going to be a waiting game.
 

Grank

Senior Member
Nov 25, 2009
88
0
0
I might be way out to lunch here, but let me muse out loud:
Apparently the MBN file format is just a standard flash BIN file that's been renamed. The M probably, as you mentioned, points out that it's been encrypted and signed. It would be worth it, though, to create a standard BIN file and rename it to MBN and see if somehow we can make the phone accept it without the LG signing...
 