[RECOVERY][v500] TWRP 2.8.6.0 - No loki needed

Status
Not open for further replies.

fefifofum

Senior Member
Team Win Recovery Project 2.x, or twrp2 for short, is a custom recovery built with ease of use and customization in mind. It's a fully touch-driven user interface: no more volume rocker or power buttons to mash. The GUI is also fully XML driven and completely theme-able. You can change just about every aspect of the look and feel.

TWRP 2.8.6.0 Changelog: http://teamw.in/site/update/2015/03/26/twrp-2.8.6.0-released.html


Why another TWRP thread?

This build of TWRP doesn't need loki to bypass the bootloader, and it works with both 4.2 and 4.4 bootloaders. It also has the advantage that when you boot the device into recovery it doesn't show that nasty bootloader warning. The kernel in this build is based on cm-12.1 official, but it has the backlight adapted for 4.4 bootloader. You can also use it with a 4.2 bootloader, but you'll probably have brightness issues.


Image: https://www.androidfilehost.com/?fid=95916177934551824

Flashable zip: https://www.androidfilehost.com/?fid=95916177934551825


Install instructions: flash the zip from recovery or install the image using THIS APP (needs root).


XDA:DevDB Information
TWRP v500, Tool/Utility for the LG G Pad 8.3

Contributors
jsevi83
Source Code: https://github.com/awifi-dev/twrp_device_lge_v500


Version Information
Status: Stable

Created 2015-04-07
Last Updated 2015-04-30
 

fefifofum

Senior Member
This is very cool. How does Bump work? Is Bump a utility, similar to loki?

Are you using Open Bump?
http://forum.xda-developers.com/lg-g2/orig-development/tool-bump-sign-boot-images-t2950595
Open Bump. It's just a python script. As you can see, it's very easy to implement; I think every custom rom/recovery should be using this.

This is how I added it to my recovery repo: https://github.com/awifi-dev/twrp_device_lge_v500/commit/090f1930fe5b0feaada35b6ba1abc5cbd05a8f72

This is how I added it to my cm repo: https://github.com/awifi-dev/androi...mmit/7a8418e656cbc0862a23e3a95ece02cd3c6c277d
 

Deltadroid

Recognized Contributor
That is awesome. I see that the python script has some magic signing key from lg embedded in it. Does Open Bump require any modifications to work with our device images?
It would be super cool if there was a C-based version so that I could create a flashable script to remove loki from the boot image and sign with bump to remove that ugly bootloader error message on boot up.

Something I could flash after applying a nightly update. Just like the script I just made for setting the kernel into permissive mode.
 

Deltadroid

Recognized Contributor
@jsevi83
Do you have more commits for v500 to change the cm kernel update system to remove the loki stuff? Great work!

---------- Post added at 12:25 PM ---------- Previous post was at 12:22 PM ----------

Everyone flashing this should realize that your aboot must still be loki exploitable because of the way cm installs its kernel. I believe that the cm install script calls loki to install the boot.img.
 

luisbraz

Senior Member
So, this works on the stock 20d version with root (Towelroot) and Flashify? I didn't get TWRP with the tons of methods found here on xda, and I also softbricked the tablet.
I will not try again unless this method really works!
 

Deltadroid

Recognized Contributor
Flashify will try to use loki. Don't use that. Use the command line with the dd command.

---------- Post added at 12:30 PM ---------- Previous post was at 12:27 PM ----------

Btw, stock 20d won't work on cm without an exploitable aboot.
 

ASW1

Senior Member
E: Error executing updater binary in zip
I keep getting this error no matter what ROM I try to flash.
I am basically stuck now with a tablet that will only boot into TWRP 2.8.6; I messed up the system, so TWRP is all I have now.
Any suggestions about what to do?
Should I maybe use TWRP to flash CWM and try that instead?

edit: tried flashing CWM but it won't work; even then I get the same error message.
So all I have now is TWRP that fails to flash anything...
 

luisbraz

Senior Member
See this
http://forum.xda-developers.com/showthread.php?p=48942830
When I softbricked my tablet this solved my problem.
 

Deltadroid

Recognized Contributor
I can confirm that this method works beautifully. Many many thanks to the OP. :)

I just wanted to also confirm that the current state of the Open Bump project requires the following patch to work properly with v500 kernel parameters.

Code:
--- open_bump.py	2014-11-23 21:56:00.000000000 +0100
+++ open_bump.v500.py	2015-04-08 21:28:17.098864000 +0200
@@ -27,6 +27,10 @@
 # Proof of Concept
 POC = False
 
+if POC:
+    from Crypto.Cipher import AES
+    import hashlib
+
 
 usage = """\
 Usage: open_bump.py [-ha] "<image_file>" "<output_image>"
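Review bot: gating `from Crypto.Cipher import AES` and `import hashlib` behind `if POC:` means a missing PyCrypto install only surfaces when someone flips POC to True, and `hashlib` is not used anywhere in the visible hunks (the POC path in the last hunk calls a `get_sha1` helper that this patch does not define). Consider importing at module level inside a try/except that prints a clear message, and dropping the unused import.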
@@ -35,22 +39,29 @@
   -a/--apend image_file  - <required> if in append mode, the <image_file> is appended rather than <output_file> being generated\
 """
 
+lg_key = "b5e7fc2010c4a82d6d597ba040816da7832e0a5679c81475a0438447b711140f"
+lg_iv = "[email protected]|[email protected]"
 lg_magic = "41a9e467744d1d1ba429f2ecea655279"
+lg_dec_magic = "696e6877612e77651000000047116667"
 
 
-def get_kernel_size(image_name):
-    page_size = get_page_size(image_name)
-    f_image = open(image_name, 'a+b')
-    paged_kernel_size = get_size_from_kernel(f_image, page_size, 8)
-    paged_ramdisk_size = get_size_from_kernel(f_image, page_size, 16)
-    paged_second_size = get_size_from_kernel(f_image, page_size, 24)
-    if paged_second_size <= 0:
-        paged_second_size = 0
-    paged_dt_size = get_size_from_kernel(f_image, page_size, 40)
-    if paged_dt_size <= 0:
-        paged_dt_size = 0
-    f_image.close()
-    return page_size + paged_kernel_size + paged_ramdisk_size + paged_second_size + paged_dt_size
+def generate_signature(image_hash):
+    # the iv and key were extracted from the lg g2 aboot.img. I can explain how to find it on request.
+    iv = lg_iv
+    key = binascii.unhexlify(lg_key)
+    # this "magic" number was found after decrypting the bumped images
+    # Without codefire, this would not have been possible as I can find no reference in
+    # the images of the g2 or the g3
+    magic = binascii.unhexlify(lg_magic)
+    image_hash = binascii.unhexlify(image_hash)  # insert your hash here
+    # the structure of the signature in bump starts with a magic number, then seemingly random
+    # bytes. 2 zeros follow, then the hash of the image, then 6 zeros, then 512 bytes of random data again
+    data = magic + os.urandom(16) + '\x00'*2 + image_hash + '\x00'*6 + os.urandom(512)
+    # this is then padded to fill the needed 1024 bytes
+    padded_data = data + '\x00'*(1024-len(data))
+    # AES-256 is then used to encrypt the above data
+    cipher = AES.new(key, AES.MODE_CBC, iv)
+    return cipher.encrypt(padded_data)
 
 
 def bumped(image_data):
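Review bot: `generate_signature` builds `data` by concatenating the str literals `'\x00'*2` and `'\x00'*6` with the bytes returned by `os.urandom(16)` and `binascii.unhexlify(...)`, which only works on Python 2; under Python 3 this raises TypeError, so either use `b'\x00'` literals or state the interpreter requirement in the usage text. The same hunk commits `lg_key` and `lg_iv` as plaintext constants (the reason given later in this thread for CM not adopting the script), defines `lg_dec_magic` without using it, and leaves a stale "# insert your hash here" comment on a value that is now a parameter; as rendered here `lg_iv` is also not 16 bytes long, which `AES.new(key, AES.MODE_CBC, iv)` would reject, so verify that literal against the upstream file before relying on the POC path.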
@@ -80,10 +91,18 @@
     image_size = os.path.getsize(image_name)
     num_pages = image_size / page_size
 
-    calculated_size = get_kernel_size(image_name)
-
     f_image = open(image_name, 'a+b')
 
+    paged_kernel_size = get_size_from_kernel(f_image, page_size, 8)
+    paged_ramdisk_size = get_size_from_kernel(f_image, page_size, 16)
+    paged_second_size = get_size_from_kernel(f_image, page_size, 24)
+    if paged_second_size <= 0:
+        paged_second_size = 0
+    paged_dt_size = get_size_from_kernel(f_image, page_size, 40)
+    if paged_dt_size <= 0:
+        paged_dt_size = 0
+    calculated_size = page_size + paged_kernel_size + paged_ramdisk_size + paged_second_size + paged_dt_size
+
     if calculated_size > image_size:
         print("Invalid image: %s: calculated size greater than actual size" % image_name)
         f_image.close()
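Review bot: this pastes the whole body of the deleted `get_kernel_size` into the caller, so the only functional difference from the old helper is reusing the already-open `f_image` instead of opening the file a second time; a smaller change would keep the helper and pass `f_image` and `page_size` into it, which also keeps the size arithmetic testable on its own. Note too that the visible context line `num_pages = image_size / page_size` yields a float under Python 3, so `i = num_pages - 1` in the next hunk would be a float index.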
@@ -91,8 +110,7 @@
     if image_size > calculated_size:
         difference = image_size - calculated_size
         if difference not in [page_size, page_size*2]:
-            if difference not in [1024, page_size + 1024, 2 * page_size + 1024, 
-                                  16, page_size + 16, 2 * page_size + 16]:
+            if difference not in [1024, page_size + 1024, 2 * page_size + 1024]:
                 print("Image already padded. Attempting to remove padding...")
                 print("Beware: this may invalidate your image.")
                 i = num_pages - 1
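Review bot: dropping `16, page_size + 16, 2 * page_size + 16` from the accepted differences changes behaviour for images whose trailer is exactly 16 bytes beyond the page padding, which is the length of `binascii.unhexlify(lg_magic)` that the non-POC branch in the last hunk appends; such images now reach the "Image already padded. Attempting to remove padding..." branch instead of being recognised. If that is intentional for v500, the post or a code comment should say why the 16-byte cases were removed, and the "may invalidate your image" warning should say what is about to be stripped.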
@@ -128,7 +146,11 @@
         print("Image already bumped")
         finish(out_image)
     pad_image(out_image)
-    magic = binascii.unhexlify(lg_magic)
+    if POC:
+        sha1sum = get_sha1(out_image)
+        magic = generate_signature(sha1sum)
+    else:
+        magic = binascii.unhexlify(lg_magic)
     with open(out_image, 'a+b') as f_out_image:
         f_out_image.write(magic)
     finish(out_image)
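Review bot: with `POC = True` this branch calls `get_sha1(out_image)`, which is not defined in any visible hunk, so the POC path fails with NameError unless that helper exists elsewhere in the script. The two branches also append trailers of different lengths (1024 bytes of ciphertext versus the 16-byte magic), and whichever is chosen has to match the difference list accepted in the previous hunk; a comment here stating the expected trailer size for each mode would make that coupling explicit.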
 
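As an added illustration of the size check the patch above touches (example code written for this thread, not from the post or the open_bump project), the following parses a boot image header the way open_bump does, computes its calculated size, and classifies whatever trails the payload; it only inspects an image and signs nothing. The header offsets are the standard boot.img layout, the magic is the lg_magic quoted in the patch, and the sample image is constructed in memory.

```python
# Added example: reproduce open_bump's header-size arithmetic (sizes at offsets
# 8, 16, 24 and 40, each rounded up to the page size) and describe the trailer.
import struct
import binascii

BOOT_MAGIC = b"ANDROID!"
BUMP_MAGIC = binascii.unhexlify("41a9e467744d1d1ba429f2ecea655279")  # lg_magic from the patch
SIGNATURE_LEN = 1024  # length of the encrypted block the POC path appends

def paged(size, page_size):
    """Round a section size up to whole pages; zero or negative stays 0."""
    return 0 if size <= 0 else ((size + page_size - 1) // page_size) * page_size

def parse_header(image):
    """Return (page_size, [kernel, ramdisk, second, dt]) sizes from a boot.img header."""
    if image[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    kernel, _, ramdisk, _, second, _, _, page_size = struct.unpack_from("<8I", image, 8)
    (dt,) = struct.unpack_from("<I", image, 40)  # qcom dt_size, the offset open_bump reads
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("bad page size %d" % page_size)
    return page_size, [kernel, ramdisk, second, dt]

def calculated_size(image):
    """Header page plus every section rounded up to pages (open_bump's calculated_size)."""
    page_size, sizes = parse_header(image)
    return page_size + sum(paged(s, page_size) for s in sizes)

def classify_trailer(image):
    """Describe what follows the header-described payload."""
    page_size = parse_header(image)[0]
    expected = calculated_size(image)
    if expected > len(image):
        return "invalid: header describes more data than the file holds"
    diff = len(image) - expected
    pads = (0, page_size, 2 * page_size)  # none, one or two pages of padding
    if diff == 0:
        return "plain"
    if diff in pads:
        return "plain, page padded"
    if diff in tuple(p + len(BUMP_MAGIC) for p in pads) and image.endswith(BUMP_MAGIC):
        return "bumped: 16-byte magic trailer"
    if diff in tuple(p + SIGNATURE_LEN for p in pads):
        return "bumped: 1024-byte signature trailer"
    return "unknown trailer of %d bytes" % diff

def make_sample_image(page_size=2048, kernel=3000, ramdisk=1000, trailer=b""):
    """Constructed sample image: header page, zero-filled sections, optional trailer."""
    hdr = BOOT_MAGIC + struct.pack("<9I", kernel, 0x10008000, ramdisk, 0x11000000,
                                   0, 0, 0x10000100, page_size, 0)
    sections = b"\0" * (paged(kernel, page_size) + paged(ramdisk, page_size))
    return hdr.ljust(page_size, b"\0") + sections + trailer

if __name__ == "__main__":
    for name, img in [("plain", make_sample_image()),
                      ("magic", make_sample_image(trailer=BUMP_MAGIC)),
                      ("signed", make_sample_image(trailer=b"\0" * 2048 + b"\x5a" * 1024))]:
        print(name, calculated_size(img), len(img), classify_trailer(img))
```

Point it at a real boot.img by reading the file into bytes; the trailer classes mirror the difference lists the patch accepts and the one it removes.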

ASW1

Senior Member
Something else I noticed after a failed flash:
"assert failed: run_program("/tmp/loki/sh") == 0

(I did use flashify to install 2.8.6.0)
 

annoyingduck

Senior Member
FYI for those new to bump (I have a G3, been with it from the beginning): bump ROM flashing requires the ROM zip's boot (kernel) to be bumped. All ROM developers will need to adopt this if we are going to switch from loki to bump. All current LP builds for other LG devices do not have "bumpable" bootloaders due to bump being open sourced (cooperation with LG failed with its open release and they patched it). So once the LP updates become standard, the JB boots may cause problems for AOSP while the KK one is working; this will likely be the preferred method for us down the road, but all new ROMs will need to be updated accordingly. I can already see this is going to get messy for many that aren't up to speed, and some new guides will need to be made once we get the methods working.
 

Deltadroid

Recognized Contributor
Officially, cm will never adopt this method because of the keys that it contains. But, my goal is to make a flashable zip that will automatically convert a loki kernel to a bumped kernel.

We just need to convert this python script to a standalone c application so that I can package it.

---------- Post added at 10:45 AM ---------- Previous post was at 10:30 AM ----------

Something else I noticed after a failed flash:
"assert failed: run_program("/tmp/loki/sh") == 0

(I did use flashify to install 2.8.6.0)
You still need to have a loki exploitable aboot to install official CyanogenMod.
 

odjinan

Senior Member
@Deltadroid: you told us not to use Flashify to update TWRP... so the best method is to flash TWRP (bump edition) inside TWRP (loki edition)?

And then flash only bump-compliant ROMs? (like euphoria-os; surely other devs will convert their ROMs to this new method, except the CM official build, as you mentioned earlier)
 

Deltadroid

Recognized Contributor
If you already have a custom recovery installed, then the safest method is to use the flashable zip to install the bumped version of twrp. Just flash it in your recovery to install the new bumped recovery.

If you don't have a custom recovery installed yet, but you have root, then you can use the dd command to flash the boot image to your boot partition.

---------- Post added at 02:12 PM ---------- Previous post was at 01:21 PM ----------

The ROMs you flash don't need to be "bump compliant" if you have a loki exploitable aboot.
 

fefifofum

Senior Member
The best option would be to use the kitkat bootloader and bump for all custom roms and recoveries. It's very easy: I already shared the commits needed to implement this, and I could make a flashable zip with the kitkat bootloader so everyone can easily install it.

Officially, cm will never adopt this method because of the keys that it contains. But, my goal is to make a flashable zip that will automatically convert a loki kernel to a bumped kernel.

We just need to convert this python script to a standalone c application so that I can package it.


You still need to have a loki exploitable aboot to install official CyanogenMod.
That's not true: some LG devices like the v400 already use bump in CyanogenMod (officially). Check this:

https://github.com/CyanogenMod/andr...mmit/6a647d5664df1bada7d1a36abe8faad79e0096cb

If they have it we could also get it.
 

ckret

Senior Member
So for a bumped kernel to work we need to use your modified version of the script?
I still don't get the concept.
 